eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 have embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N | 2.2 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| homarr | homarr | * |
| prettier | eslint-config-prettier | 8.10.1 |
| un-ts | napi-postinstall | 0.3.1 |
| prettier | eslint-config-prettier | 9.1.1 |
| prettier | eslint-plugin-prettier | 4.2.3 |
| un-ts | synckit | 0.11.9 |
| prettier | eslint-config-prettier | 10.1.6 |
| prettier | eslint-config-prettier | 10.1.7 |
| alexghr | got-fetch | 5.1.1 |
| alexghr | got-fetch | 5.1.2 |
| prettier | eslint-plugin-prettier | 4.2.2 |
| un-ts | pkgr/core | 0.2.8 |
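As an added defensive check (not part of this CVE record or of any of the listed projects), the script below scans a package-lock.json for the exact package versions in the Products Affected table, covering nested and scoped packages. It assumes the record's "pkgr/core" refers to the scoped npm package @pkgr/core, and the embedded lock file is a constructed sample.

```python
import json

# Affected package@version pairs taken from the CVE record above.
# "pkgr/core" is assumed to be the scoped npm package @pkgr/core.
AFFECTED = {
    "eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"},
    "eslint-plugin-prettier": {"4.2.2", "4.2.3"},
    "synckit": {"0.11.9"},
    "@pkgr/core": {"0.2.8"},
    "napi-postinstall": {"0.3.1"},
    "got-fetch": {"5.1.1", "5.1.2"},
}

def iter_installed(lock):
    """Yield (name, version) for every package pinned in a package-lock.json:
    lockfileVersion 2/3 keys "packages" by path, lockfileVersion 1 nests deps."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself, not a dependency
                # Name follows the last "node_modules/"; scoped names survive.
                yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
        return
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version", "")
            stack.append(meta.get("dependencies", {}))

def find_affected(lock):
    """Return sorted (name, version) pairs that appear in the affected list."""
    return sorted({(n, v) for n, v in iter_installed(lock) if v in AFFECTED.get(n, ())})

# Constructed lockfileVersion 3 sample: one clean pin, two compromised pins
# (one nested under another package), and a scoped package on a safe version.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo"},
    "node_modules/eslint-config-prettier": {"version": "10.1.5"},
    "node_modules/eslint-plugin-prettier": {"version": "4.2.3"},
    "node_modules/eslint-plugin-prettier/node_modules/synckit": {"version": "0.11.9"},
    "node_modules/@pkgr/core": {"version": "0.2.7"}
  }
}""")

if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED: {name}@{version}")
```

Point it at a real lock file with `find_affected(json.load(open("package-lock.json")))`; a non-empty result means the pinned tree contains one of the compromised releases and should be regenerated from clean versions.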