Mallory

node-gyp.dll

node-gyp.dll (also referenced as "node_gypdll") is Windows malware dropped and executed as part of a supply-chain compromise of the npm package eslint-config-prettier (Prettier). In the described activity (tracked as CVE-2025-54313), installing an affected eslint-config-prettier version (8.10.1, 9.1.1, 10.1.6 or 10.1.7) triggers embedded malicious code during package installation: an install.js script runs and deploys and/or launches node-gyp.dll on Windows systems. The compromise is characterized as targeting development environments and CI/CD pipelines through npm install behaviour, and is noted as potentially enabling arbitrary code execution on affected Windows hosts. The source content provides no threat-actor attribution, no capabilities beyond execution via install.js, and no concrete IOCs (e.g., hashes or C2 infrastructure).


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2025-54313: Embedded Malicious Code in eslint-config-prettier

"The vulnerability triggers an install.js file deployment of node-gyp.dll malware on Windows systems, creating a supply-chain attack vector targeting development environments."

via cyberpress.org
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195.001 Compromise Software Dependencies and Development Tools (evidence: 1)

"Prettier’s eslint-config-prettier package contains embedded malicious code (CVE-2025-54313) that executes during installation. The vulnerability triggers an install.js file deployment of node-gyp.dll malware on Windows systems, creating a supply-chain attack vector targeting development environments."

Execution

1 technique
T1204 User Execution (evidence: 1)

The DLL is a Windows malware payload; initial analysis suggests it performs reconnaissance and may establish persistence or exfiltrate data.

Stealth

1 technique
T1218.011 Rundll32 (evidence: 1)

If so, it spawns a new process using rundll32 to execute the bundled node-gyp.dll file.
