An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1mMjloLXB4dngtZjMzNc4ABKTG

Severity: High
EPSS: 0.00061% (0.19451 percentile)

eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code

Affected packages, affected versions and fixed versions

npm:got-fetch
Affected versions: >= 5.1.11, <= 5.1.12
Fixed versions: 6.0.0
8 dependent packages, 18 dependent repositories, 189,671 downloads last month

Affected version ranges
All affected versions: 5.1.11, 5.1.12
All unaffected versions: 1.0.0, 2.0.0, 2.0.1, 2.0.2, 3.0.0, 3.0.1, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 6.0.0, 6.0.1, 6.0.2

npm:napi-postinstall
Affected versions: = 0.3.1
Fixed versions: 0.3.2
0 dependent packages, 0 dependent repositories, 37,598,395 downloads last month

Affected version ranges
All affected versions: none enumerated. The range above flags 0.3.1, which nevertheless appears in the unaffected list below; decide by the range, not by the enumerated lists.
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2

npm:@pkgr/core
Affected versions: = 0.2.8
Fixed versions: 0.2.9
0 dependent packages, 0 dependent repositories, 68,134,455 downloads last month

Affected version ranges
All affected versions: none enumerated. The range above flags 0.2.8, which nevertheless appears in the unaffected list below; decide by the range, not by the enumerated lists.
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5

npm:synckit
Affected versions: = 0.11.9
Fixed versions: 0.11.10
105 dependent packages, 150,579 dependent repositories, 75,765,028 downloads last month

Affected version ranges
All affected versions: none enumerated. The range above flags 0.11.9, which nevertheless appears in the unaffected list below; decide by the range, not by the enumerated lists.
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11

npm:eslint-plugin-prettier
Affected versions: >= 4.2.2, <= 4.2.3
Fixed versions: 4.2.4
101,897 dependent packages, 573,441 dependent repositories, 88,589,665 downloads last month

Affected version ranges
All affected versions: 4.2.2, 4.2.3
All unaffected versions: 1.0.0, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 4.0.0, 4.1.0, 4.2.0, 4.2.1, 4.2.4, 4.2.5, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.5.2, 5.5.3

npm:eslint-config-prettier
Affected versions: >= 10.1.6, <= 10.1.7; = 9.1.1; = 8.10.1
Fixed versions: 10.1.8, 9.1.2, 8.10.2
120,517 dependent packages, 777,682 dependent repositories, 129,048,157 downloads last month

Affected version ranges
All affected versions: 8.10.1, 9.1.1, 10.1.6, 10.1.7
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.7.0, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 5.0.0, 5.1.0, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0, 6.9.0, 6.10.0, 6.10.1, 6.11.0, 6.12.0, 6.13.0, 6.14.0, 6.15.0, 7.0.0, 7.1.0, 7.2.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.10.2, 9.0.0, 9.1.0, 9.1.2, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.1.8

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 have embedded malicious code for a supply chain compromise. Installing an affected version executes an install.js file that launches the node-gyp.dll malware on Windows. The affected versions of eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall and got-fetch listed above are covered by the same advisory. Because the payload runs from the package's install step rather than when the package is imported, an affected version pinned in a lockfile is enough to execute it on the next install; hosts that are not running Windows do not launch the DLL but still hold the malicious package contents and should move to a fixed version.
