eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 contain embedded malicious code as part of a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| eslint-config-prettier (npm) | 8.10.1 | 8.10.2 | N/A |
| eslint-config-prettier (npm) | 9.1.1 | 9.1.2 | N/A |
| eslint-config-prettier (npm) | 10.1.6 | 10.1.8 | N/A |
| eslint-plugin-prettier (npm) | 4.2.2 | 4.2.4 | N/A |
| synckit (npm) | 0.11.9 | 0.11.10 | N/A |
| @pkgr/core (npm) | 0.2.8 | 0.2.9 | N/A |
| napi-postinstall (npm) | 0.3.1 | 0.3.2 | N/A |
| got-fetch (npm) | 5.1.11 | 6.0.0 | N/A |
CVSS Metrics