Which SIEM platforms have a CVE-2025-54313 detection rule?

df00tech provides CVE-2025-54313 (Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2025-54313 detection?

The CVE-2025-54313 detection is rated critical severity with high confidence.

What are common false positives for CVE-2025-54313?

Common false positives for CVE-2025-54313 include: Legitimate npm install of eslint-config-prettier in CI/CD pipelines before the malicious version was removed; Security tooling that inspects node_modules directories and triggers file creation events; Node.js applications making outbound calls to known registries during dependency resolution.

CVE-2025-54313 Elastic Security · Elastic

Detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) in Elastic Security

Q: What data sources are required to detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) (CVE-2025-54313)?

Detecting Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceEvents.

Detects exploitation indicators related to CVE-2025-54313, a supply chain compromise affecting the eslint-config-prettier npm package (Prettier). The package was trojanized with embedded malicious code (CWE-506), enabling arbitrary code execution during npm install or build processes. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic: Initial Access Execution Persistence

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by host.name with maxspan=5m
  [process where event.action == "start"
    and process.name in ("node", "npm", "npx", "sh", "bash", "powershell.exe", "cmd.exe")
    and (process.command_line like "*eslint-config-prettier*" or process.parent.command_line like "*eslint-config-prettier*")]
  [any where event.category in ("network", "file")
    and (
      (event.category == "network" and not network.destination.domain like "*npmjs.org*" and not network.destination.ip like "127.*")
      or (event.category == "file" and file.extension in ("exe", "dll", "sh", "ps1", "bat"))
    )
  ]

critical severity high confidence

EQL sequence detecting a node/npm process referencing eslint-config-prettier followed within 5 minutes by suspicious file creation or unexpected outbound network connection, indicating malicious payload execution.

Data Sources

Elastic Endpoint SecurityAuditdWinlogbeat

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.network-*logs-endpoint.events.file-*

False Positives & Tuning

Development machines installing eslint-config-prettier from a clean source before remediation
Automated dependency update bots triggering npm installs
Legitimate post-install scripts in unrelated packages running alongside eslint-config-prettier

Other platforms for CVE-2025-54313

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate Malicious postinstall Hook Execution via eslint-config-prettier
Expected signal: EDR should record: npm parent process spawning bash, bash executing malicious.sh, file creation of pwned.txt, outbound network attempt to 127.0.0.1:9999
Test 2Detect eslint-config-prettier in Installed Node Modules
Expected signal: Process events showing find and python3 spawned from shell; file read events on node_modules/eslint-config-prettier/package.json across filesystem
Test 3Simulate Outbound Exfiltration from Node Process Post-Install
Expected signal: EDR network telemetry showing node process initiating outbound TCP connection; process command line containing 'process.env' and network connection attempt

Last updated: 2026-06-19 Research depth: standard

References (3)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2025-54313 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0002Execution TA0003Persistence

Related Techniques

T1195.002Compromise Software Supply Chain T1059.007JavaScript T1020Automated Exfiltration

Detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2025-54313

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2025-54313

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox