CVE-2025-54313 IBM QRadar · QRadar

Detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) in IBM QRadar

Detects exploitation indicators related to CVE-2025-54313, a supply chain compromise affecting the eslint-config-prettier npm package (Prettier). The package was trojanized with embedded malicious code (CWE-506), enabling arbitrary code execution during npm install or build processes. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS 'Event Time', sourceip, destinationip, destinationport, username, "Command" AS cmd, "File Path" AS file_path, LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE LAST 30 DAYS
AND (
  (LOWER("Command") ILIKE '%eslint-config-prettier%')
  OR (LOWER("File Path") ILIKE '%eslint-config-prettier%' AND (LOWER("File Path") ILIKE '%.exe' OR LOWER("File Path") ILIKE '%.dll' OR LOWER("File Path") ILIKE '%.sh'))
  OR ("Application" ILIKE '%node%' AND destinationip NOT ILIKE '127.0.0.%' AND destinationport NOT IN (80, 443) AND CATEGORYNAME(category) ILIKE '%network%')
)
ORDER BY starttime DESC
critical severity medium confidence

QRadar AQL query identifying commands and file activity referencing eslint-config-prettier, suspicious binary drops, and node-initiated outbound connections to non-standard destinations.

Data Sources

QRadar SIEMWindows Event CollectorLinux Log SourcesNetwork Flow

Required Tables

events

False Positives & Tuning

  • Legitimate npm installs in developer environments prior to package remediation
  • Vulnerability scanners generating process events containing package names
  • Node.js services with outbound calls to internal package mirrors on non-standard ports

Other platforms for CVE-2025-54313

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Malicious postinstall Hook Execution via eslint-config-prettier

    Expected signal: EDR should record: npm parent process spawning bash, bash executing malicious.sh, file creation of pwned.txt, outbound network attempt to 127.0.0.1:9999

  2. Test 2Detect eslint-config-prettier in Installed Node Modules

    Expected signal: Process events showing find and python3 spawned from shell; file read events on node_modules/eslint-config-prettier/package.json across filesystem

  3. Test 3Simulate Outbound Exfiltration from Node Process Post-Install

    Expected signal: EDR network telemetry showing node process initiating outbound TCP connection; process command line containing 'process.env' and network connection attempt

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-54313 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1195.002Compromise Software Supply ChainT1059.007JavaScriptT1020Automated Exfiltration

Same Tactic: Initial Access

Popular Detections