CVE-2025-54313 Google Chronicle · YARA-L

Detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) in Google Chronicle

Detects exploitation indicators related to CVE-2025-54313, a supply chain compromise affecting the eslint-config-prettier npm package (Prettier). The package was trojanized with embedded malicious code (CWE-506), enabling arbitrary code execution during npm install or build processes. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule cve_2025_54313_eslint_config_prettier {
  meta:
    author = "df00tech"
    description = "Detects CVE-2025-54313 - Malicious code in eslint-config-prettier npm package"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-54313"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        $e.principal.process.command_line = /(?i)eslint-config-prettier/
        or $e.target.process.command_line = /(?i)eslint-config-prettier/
      )
    )
    or (
      $e.metadata.event_type = "FILE_CREATION"
      and $e.target.file.full_path = /(?i)eslint-config-prettier/
      and $e.target.file.full_path = /\.(?:exe|dll|sh|ps1|bat)$/
    )
    or (
      $e.metadata.event_type = "NETWORK_CONNECTION"
      and $e.principal.process.file.full_path = /(?i)(node|npm)/
      and not $e.target.hostname = /(?i)(npmjs\.org|localhost)/
      and not $e.target.ip = "127.0.0.1"
    )

  condition:
    $e
}
critical severity high confidence

Chronicle YARA-L rule detecting process launches referencing eslint-config-prettier, binary file creation in related paths, and outbound network connections from node processes to non-registry hosts.

Data Sources

Google ChronicleEndpoint TelemetryUDM Events

Required Tables

UDM

False Positives & Tuning

  • Legitimate developer workstations with eslint-config-prettier installed pre-patch
  • Automated dependency scanners enumerating installed packages
  • Build pipeline agents making authorized connections to internal npm mirrors

Other platforms for CVE-2025-54313

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Malicious postinstall Hook Execution via eslint-config-prettier

    Expected signal: EDR should record: npm parent process spawning bash, bash executing malicious.sh, file creation of pwned.txt, outbound network attempt to 127.0.0.1:9999

  2. Test 2Detect eslint-config-prettier in Installed Node Modules

    Expected signal: Process events showing find and python3 spawned from shell; file read events on node_modules/eslint-config-prettier/package.json across filesystem

  3. Test 3Simulate Outbound Exfiltration from Node Process Post-Install

    Expected signal: EDR network telemetry showing node process initiating outbound TCP connection; process command line containing 'process.env' and network connection attempt

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-54313 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1195.002Compromise Software Supply ChainT1059.007JavaScriptT1020Automated Exfiltration

Same Tactic: Initial Access

Popular Detections