What happened
Microsoft's Prompty markdown-based LLM prompt format loader inherited gray-matter's executable frontmatter feature, letting a malicious .prompty file (e.g., shared or downloaded from a repo) run arbitrary JavaScript the moment it is parsed by an application.
Why it matters
Prompty files are meant to be portable, shareable prompt definitions for LLM applications; if a team pulls in a third-party .prompty file (e.g., from a shared prompt library or repo) expecting only a text template, they instead get arbitrary code execution — a supply-chain risk specific to the emerging prompt-as-code ecosystem.
Attack vector
The @prompty/core loader used the gray-matter library to parse .prompty frontmatter without disabling its executable 'js'/'javascript' frontmatter engines, so an attacker-controlled .prompty file containing JS frontmatter executes arbitrary JavaScript when loaded by the runtime.
Affected systems
@prompty/core TypeScript loader, 2.0.0-alpha.1 – 2.0.0-beta.3
Mitigation
Upgrade to Prompty 2.0.0-beta.3 or later, which disables executable frontmatter engines.