eslint-config-prettier supply chain attack vulnerability

Vulnerability information

Vulnerability name: eslint-config-prettier supply chain attack vulnerability

Vulnerability ID:

  • CVE: CVE-2025-54313

Vulnerability type: supply chain attack

Severity: High

Description: On July 18, 2025, several popular npm packages were compromised through a phishing attack. The attacker obtained the maintainers' npm tokens and published malicious versions containing Windows-specific malware. The affected packages include eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall and is. These packages are widely used in development environments for code formatting and static analysis.

The root cause is a supply chain attack: the attacker obtained the maintainers' npm tokens through phishing and was therefore able to publish malicious versions. These versions contain Windows-specific malware, such as node-gyp.dll and other DLL files, together with a malicious install.js script. The malware can execute remote code, exfiltrate sensitive information, and even take full control of affected systems.

The impact is severe because the attacker can execute arbitrary code on the victim's system, potentially leading to data leakage, service disruption or other malicious activity. Because these packages are widely used in development environments, the attack surface is very large. The attack requires no authentication and can be exploited automatically, especially on Windows systems. Update to safe versions immediately and take additional security measures, such as enabling two-factor authentication and checking .npmrc files for unknown tokens.

Vendor: npm

Product: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, is

Affected versions: eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7; eslint-plugin-prettier: 4.2.2, 4.2.3; synckit: 0.11.9; @pkgr/core: 0.2.8; napi-postinstall: 0.3.1; is: 3.3.1, 5.0.0

Source: https://github.com/ShinP451/scavenger_scanner

Type: CVE-2025:github search

Repository files

  • CVE-2025-54313-Scanner.ps1
  • readme.md

Source overview

CVE-2025-54313 IOC Scanner

A PowerShell-based scanner for detecting Indicators of Compromise (IOCs) related to the eslint-config-prettier supply chain attack (CVE-2025-54313).

🚨 About CVE-2025-54313

On July 18, 2025, several popular npm packages were compromised through a phishing attack. The attacker gained access to the maintainer’s npm tokens and published malicious versions containing Windows-specific malware.

Affected Packages and Versions

Package                  Compromised Versions
eslint-config-prettier   8.10.1, 9.1.1, 10.1.6, 10.1.7
eslint-plugin-prettier   4.2.2, 4.2.3
synckit                  0.11.9
@pkgr/core               0.2.8
napi-postinstall         0.3.1
is                       3.3.1, 5.0.0

🔍 What Does This Scanner Do?

The scanner searches Windows systems for known IOCs of the CVE-2025-54313 supply chain attack:

  • Package Scanning: Identifies compromised npm package versions
  • File Analysis: Searches for malicious install.js and DLL files
  • Hash Verification: Compares files with known malware signatures
  • Timeline Analysis: Identifies suspicious activities after July 18, 2025
  • Token Security: Finds .npmrc files for token verification
  • Automatic Cleanup: Option to remove compromised packages

📋 Prerequisites

  • Windows PowerShell 5.1 or higher
  • Administrator privileges (recommended for full system scan)
  • .NET Framework 4.5 or higher

🚀 Installation

  1. Download the script:
     Invoke-WebRequest -Uri "https://raw.githubusercontent.com/[your-repo]/CVE-2025-54313-Scanner.ps1" -OutFile "CVE-2025-54313-Scanner.ps1"
  2. Unblock the script:
     Unblock-File -Path ".\CVE-2025-54313-Scanner.ps1"
  3. Set execution policy (if needed):
     Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

💻 Usage

Quick Scan (current directory)

  .\CVE-2025-54313-Scanner.ps1 -QuickScan

Full System Scan

  .\CVE-2025-54313-Scanner.ps1

Scan Specific Directory

  .\CVE-2025-54313-Scanner.ps1 -ScanPath "D:\Projects"

With Detailed Output

  .\CVE-2025-54313-Scanner.ps1 -DetailedOutput

With Custom Report Path

  .\CVE-2025-54313-Scanner.ps1 -ReportPath "C:\Security\CVE-Report.txt"

📊 What Gets Scanned?

Known IOCs

  1. Malware Files

    • node-gyp.dll (SHA256: c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441)
    • install.js with suspicious code patterns
    • Additional DLLs: loader.dll, version.dll, umpdc.dll, profapi.dll
  2. Code Patterns

    • Function logDiskSpace()
    • Platform check for Windows
    • Obfuscated strings
    • rundll32 calls
  3. Network Indicators

    • C2 communication patterns
    • XOR key “FuckOff”
  4. Behavioral IOCs

    • Post-install scripts in package.json
    • Temporary files in %TEMP% directory
    • .npmrc files (for token exfiltration)

📄 Report Output

The scanner generates a detailed report containing:

  • Summary of all findings
  • List of compromised packages
  • Suspicious files with hashes
  • Timeline of events
  • Recommendations for countermeasures
  1. Immediate Actions

    • Remove all compromised package versions
    • Delete entire node_modules folder
    • Run npm install with safe versions
  2. Security Measures

    • Rotate all npm access tokens
    • Enable 2FA for npm accounts
    • Check .npmrc files for unknown tokens
  3. System Cleanup

    • Run full antivirus scan
    • Search for Scavenger malware
    • Check network connections
  4. Install Safe Versions

     {
       "eslint-config-prettier": ">=8.10.2 || >=9.1.2 || >=10.1.8",
       "eslint-plugin-prettier": "latest"
     }

⚠️ Important Notes

  • Windows Only: The malware only affects Windows systems
  • False Positives: Not all detected DLLs are necessarily malicious
  • Backup: Create a backup before cleanup
  • Updates: Keep the script updated as new IOCs may be discovered

🤝 Contributing

Found new IOCs or have suggestions for improvement?

  1. Fork this repository
  2. Create a feature branch
  3. Commit your changes
  4. Push to the branch
  5. Open a Pull Request

📚 Further Reading

⚖️ Disclaimer

This tool is provided “as-is” without any warranty. The authors assume no liability for damages that may result from using this tool. Use at your own risk and test in a safe environment first.


Last Updated: 27 July 2025
Version: 1.0

🛡️ Stay Safe!


http://example.com/2025/07/26/github_2971263462/
Author: lianccc
Published: 26 July 2025