Which SIEM platforms have a CVE-2025-54313 detection rule?

df00tech provides CVE-2025-54313 (Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2025-54313 detection?

The CVE-2025-54313 detection is rated critical severity with high confidence.

What are common false positives for CVE-2025-54313?

Common false positives for CVE-2025-54313 include: Legitimate npm install of eslint-config-prettier in CI/CD pipelines before the malicious version was removed; Security tooling that inspects node_modules directories and triggers file creation events; Node.js applications making outbound calls to known registries during dependency resolution.

CVE-2025-54313 CrowdStrike LogScale · LogScale

Detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) in CrowdStrike LogScale

Q: What data sources are required to detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) (CVE-2025-54313)?

Detecting Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceEvents.

Detects exploitation indicators related to CVE-2025-54313, a supply chain compromise affecting the eslint-config-prettier npm package (Prettier). The package was trojanized with embedded malicious code (CWE-506), enabling arbitrary code execution during npm install or build processes. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic: Initial Access Execution Persistence

LogScale Detection Query

CrowdStrike LogScale (LogScale)

cql

#event_simpleName IN (ProcessRollup2, NetworkConnectIP4, FileOpenInfo)
| $event_simpleName = "ProcessRollup2"
  CommandLine = /(?i)eslint-config-prettier/
  OR ParentCommandLine = /(?i)eslint-config-prettier/
| union (
    #event_simpleName = "NetworkConnectIP4"
    ImageFileName = /(?i)(node|npm)/
    | LocalAddressIP4 != "127.0.0.1"
    | RemoteAddressIP4 != "104.16.0.0/12"
  )
| union (
    #event_simpleName = "FileOpenInfo"
    FilePath = /(?i)eslint-config-prettier/
    | FileName = /\.(?:exe|dll|sh|ps1|bat)$/i
  )
| select timestamp, ComputerName, UserName, CommandLine, ParentCommandLine, ImageFileName, RemoteAddressIP4, RemotePort, FilePath, FileName
| sort timestamp desc

critical severity high confidence

CrowdStrike Falcon query detecting process execution referencing eslint-config-prettier, unexpected outbound network connections from node/npm processes, and binary file operations in package directories.

Data Sources

CrowdStrike Falcon EDRFalcon Data Replicator

Required Tables

ProcessRollup2NetworkConnectIP4FileOpenInfo

False Positives & Tuning

Developer endpoints with eslint-config-prettier present before the malicious version was discovered
CrowdStrike sensor telemetry from CI agents running npm install in sandboxed environments
Legitimate node services connecting to corporate npm proxies not in the allowlist

Other platforms for CVE-2025-54313

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate Malicious postinstall Hook Execution via eslint-config-prettier
Expected signal: EDR should record: npm parent process spawning bash, bash executing malicious.sh, file creation of pwned.txt, outbound network attempt to 127.0.0.1:9999
Test 2Detect eslint-config-prettier in Installed Node Modules
Expected signal: Process events showing find and python3 spawned from shell; file read events on node_modules/eslint-config-prettier/package.json across filesystem
Test 3Simulate Outbound Exfiltration from Node Process Post-Install
Expected signal: EDR network telemetry showing node process initiating outbound TCP connection; process command line containing 'process.env' and network connection attempt

Last updated: 2026-06-19 Research depth: standard

References (3)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2025-54313 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0002Execution TA0003Persistence

Related Techniques

T1195.002Compromise Software Supply Chain T1059.007JavaScript T1020Automated Exfiltration

Detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) in CrowdStrike LogScale

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2025-54313

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2025-54313

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox