CVE-2025-54313

Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313)

Initial Access Execution Persistence Last updated:

Detects exploitation indicators related to CVE-2025-54313, a supply chain compromise affecting the eslint-config-prettier npm package (Prettier). The package was trojanized with embedded malicious code (CWE-506), enabling arbitrary code execution during npm install or build processes. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Prettier
Product
eslint-config-prettier

Weakness (CWE)

CWE-506

Timeline

Disclosed
January 22, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2025-54313 Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313)?

Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) (CVE-2025-54313) maps to the Initial Access and Execution and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceEvents. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence
Microsoft Sentinel / Defender
kusto 
union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents
| where TimeGenerated > ago(30d)
| where (
    (ActionType == "ProcessCreated" and (InitiatingProcessCommandLine has "eslint-config-prettier" or ProcessCommandLine has "eslint-config-prettier"))
    or (ActionType == "FileCreated" and FolderPath has "eslint-config-prettier" and FileName matches regex @"(?i)\.(sh|ps1|cmd|bat|exe|dll)$")
    or (ActionType == "NetworkConnectionInitiated" and InitiatingProcessFileName in~ ("node", "npm", "npx") and not(RemoteUrl has_any ("registry.npmjs.org", "localhost", "127.0.0.1")))
)
| extend Risk = case(
    ActionType == "NetworkConnectionInitiated" and InitiatingProcessFileName in~ ("node","npm"), "High",
    ActionType == "FileCreated" and FileName matches regex @"(?i)\.(exe|dll)$", "Critical",
    "Medium"
)
| project TimeGenerated, DeviceName, AccountName, ActionType, InitiatingProcessCommandLine, ProcessCommandLine, RemoteUrl, FolderPath, FileName, Risk
| sort by TimeGenerated desc

Identifies process creation, suspicious file drops, and outbound network connections spawned by node/npm processes associated with eslint-config-prettier, indicative of malicious code execution during package install or build.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceEvents

Required Tables

DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents

False Positives

  • Legitimate npm install of eslint-config-prettier in CI/CD pipelines before the malicious version was removed
  • Security tooling that inspects node_modules directories and triggers file creation events
  • Node.js applications making outbound calls to known registries during dependency resolution

Sigma rule & cross-platform mapping

The detection logic for Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) (CVE-2025-54313) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2025-54313 Sigma rules on detection.fyi

Platform-specific guides for CVE-2025-54313

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (3)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Malicious postinstall Hook Execution via eslint-config-prettier

    Expected signal: EDR should record: npm parent process spawning bash, bash executing malicious.sh, file creation of pwned.txt, outbound network attempt to 127.0.0.1:9999

  2. Test 2Detect eslint-config-prettier in Installed Node Modules

    Expected signal: Process events showing find and python3 spawned from shell; file read events on node_modules/eslint-config-prettier/package.json across filesystem

  3. Test 3Simulate Outbound Exfiltration from Node Process Post-Install

    Expected signal: EDR network telemetry showing node process initiating outbound TCP connection; process command line containing 'process.env' and network connection attempt

Unlock Pro Content

Get the full detection package for CVE-2025-54313 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1195.002Compromise Software Supply ChainT1059.007JavaScriptT1020Automated Exfiltration

Same Tactic: Initial Access

Popular Detections