CVE-2025-54313: CWE-506 Embedded Malicious Code in prettier eslint-config-prettier
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
AI Analysis
Technical Summary
CVE-2025-54313 is a high-severity supply chain vulnerability affecting multiple versions of the npm package eslint-config-prettier, specifically versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7. This package is widely used in JavaScript and TypeScript development environments to disable ESLint rules that conflict with Prettier formatting. The malicious code is embedded in the published package itself and runs during package installation. When an affected version of eslint-config-prettier is installed, it executes an install.js script that launches a malicious payload named node-gyp.dll on Windows systems. This DLL is malware that can compromise the integrity of the developer's environment and potentially propagate further into build and deployment pipelines. The vulnerability is classified under CWE-506, which pertains to embedded malicious code, indicating that the malicious payload is intentionally hidden within the legitimate package. The CVSS v3.1 score of 7.5 reflects a high severity due to the network attack vector, no privileges or user interaction required, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable package. The impact on confidentiality is low, but integrity is high since the malware can alter or compromise codebases and build artifacts. Availability impact is none. Although no known exploits are reported in the wild yet, the nature of supply chain attacks and the widespread use of this package make it a critical concern for software development environments.
Potential Impact
For European organizations, this vulnerability poses a significant risk to software supply chain security. Many European companies rely on JavaScript and TypeScript development frameworks that incorporate eslint-config-prettier as part of their continuous integration and deployment pipelines. The execution of malicious code during package installation can lead to unauthorized code execution, insertion of backdoors, or tampering with source code and build outputs. This can result in intellectual property theft, insertion of persistent malware, or compromised software releases distributed to customers or internal users. The integrity of software products is at risk, potentially leading to reputational damage, regulatory non-compliance (especially under GDPR if personal data is affected downstream), and operational disruptions. Since the malware targets Windows environments, organizations with Windows-based developer workstations or build servers are particularly vulnerable. The supply chain nature of the attack means that even organizations with strong perimeter defenses can be compromised if they consume the affected package versions without verification. This vulnerability also raises concerns for managed service providers and software vendors in Europe who distribute software built with compromised dependencies.
Mitigation Recommendations
1. Immediate audit of all development and build environments to identify usage of eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7.
2. Remove and replace affected package versions with either patched versions (once released) or earlier known clean versions after thorough verification.
3. Implement strict package integrity verification using tools such as npm's package-lock.json, yarn.lock, or third-party supply chain security tools that verify package hashes and signatures.
4. Employ runtime monitoring and endpoint detection on developer machines and build servers to detect suspicious DLL loads, especially node-gyp.dll or unexpected child processes spawned during npm installs.
5. Enforce network segmentation and least privilege principles on build infrastructure to limit malware propagation.
6. Educate developers and DevOps teams about supply chain risks and encourage use of private package registries or mirrors with vetted packages.
7. Monitor threat intelligence feeds for any emerging exploits or patches related to this CVE and apply updates promptly.
8. Consider implementing reproducible builds and code signing to detect unauthorized code changes introduced by compromised dependencies.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-07-19T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 687bcf55a83201eaacfe3cce
Added to database: 7/19/2025, 5:01:09 PM
Last enriched: 7/27/2025, 12:46:28 AM
Last updated: 9/3/2025, 2:00:48 AM