eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:NAlexghr Got Fetch
APPAlexghr5.1.15.1.2Homarr
APPHomarr1.29.0 – 1.30.0 (bez)Microsoft Windows
OSMicrosoftwszystkie wersjePrettier Eslint Config Prettier
APPPrettier10.1.610.1.78.10.19.1.1Prettier Eslint Plugin Prettier
APPPrettier4.2.24.2.3Un Ts Napi Postinstall
APPUn-Ts0.3.1Un Ts Pkgr\/core
APPUn-Ts0.2.8Un Ts Synckit
APPUn-Ts0.11.9
CISA KEV — detailsi
- Vendori
- Prettier
- Producti
- eslint-config-prettier
- Added to KEVi
- January 22, 2026
- Remediation deadline (US Federal)i
- February 12, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit