Detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) in Microsoft Sentinel
Detects exploitation indicators related to CVE-2025-54313, a supply chain compromise affecting the eslint-config-prettier npm package (Prettier). The package was trojanized with embedded malicious code (CWE-506), enabling arbitrary code execution during npm install or build processes. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
KQL Detection Query
union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents
| where TimeGenerated > ago(30d)
| where (
(ActionType == "ProcessCreated" and (InitiatingProcessCommandLine has "eslint-config-prettier" or ProcessCommandLine has "eslint-config-prettier"))
or (ActionType == "FileCreated" and FolderPath has "eslint-config-prettier" and FileName matches regex @"(?i)\.(sh|ps1|cmd|bat|exe|dll)$")
or (ActionType == "NetworkConnectionInitiated" and InitiatingProcessFileName in~ ("node", "npm", "npx") and not(RemoteUrl has_any ("registry.npmjs.org", "localhost", "127.0.0.1")))
)
| extend Risk = case(
ActionType == "NetworkConnectionInitiated" and InitiatingProcessFileName in~ ("node","npm"), "High",
ActionType == "FileCreated" and FileName matches regex @"(?i)\.(exe|dll)$", "Critical",
"Medium"
)
| project TimeGenerated, DeviceName, AccountName, ActionType, InitiatingProcessCommandLine, ProcessCommandLine, RemoteUrl, FolderPath, FileName, Risk
| sort by TimeGenerated descIdentifies process creation, suspicious file drops, and outbound network connections spawned by node/npm processes associated with eslint-config-prettier, indicative of malicious code execution during package install or build.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate npm install of eslint-config-prettier in CI/CD pipelines before the malicious version was removed
- Security tooling that inspects node_modules directories and triggers file creation events
- Node.js applications making outbound calls to known registries during dependency resolution
Other platforms for CVE-2025-54313
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Malicious postinstall Hook Execution via eslint-config-prettier
Expected signal: EDR should record: npm parent process spawning bash, bash executing malicious.sh, file creation of pwned.txt, outbound network attempt to 127.0.0.1:9999
- Test 2Detect eslint-config-prettier in Installed Node Modules
Expected signal: Process events showing find and python3 spawned from shell; file read events on node_modules/eslint-config-prettier/package.json across filesystem
- Test 3Simulate Outbound Exfiltration from Node Process Post-Install
Expected signal: EDR network telemetry showing node process initiating outbound TCP connection; process command line containing 'process.env' and network connection attempt
Unlock Pro Content
Get the full detection package for CVE-2025-54313 including response playbook, investigation guide, and atomic red team tests.