CVE-2025-54313 Splunk · SPL

Detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) in Splunk

Detects exploitation indicators related to CVE-2025-54313, a supply chain compromise affecting the eslint-config-prettier npm package (Prettier). The package was trojanized with embedded malicious code (CWE-506), enabling arbitrary code execution during npm install or build processes. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

SPL Detection Query

Splunk (SPL)
spl 
index=* sourcetype IN ("xmlwineventlog", "WinEventLog:Security", "linux_secure", "osquery:results", "endpoint", "npm_audit")
| eval cmd=coalesce(CommandLine, command, process)
| where (match(cmd, "(?i)eslint-config-prettier") OR match(EventName, "(?i)eslint-config-prettier"))
   OR (sourcetype="endpoint" AND match(file_path, "(?i)eslint-config-prettier") AND match(file_name, "(?i)\.(sh|ps1|bat|exe|dll)$"))
   OR (sourcetype IN ("stream:tcp","stream:udp") AND match(app, "(?i)(node|npm)") AND NOT match(dest_host, "(registry\.npmjs\.org|localhost|127\.0\.0\.1)"))
| eval severity=case(
    match(file_name, "(?i)\.(exe|dll)$"), "critical",
    sourcetype IN ("stream:tcp","stream:udp"), "high",
    true(), "medium"
  )
| table _time, host, user, cmd, file_path, file_name, dest_host, dest_port, severity
| sort - _time
critical severity high confidence

Detects malicious activity from the trojanized eslint-config-prettier package: suspicious process commands, unexpected binary drops in node_modules, and outbound network connections from node/npm to non-registry hosts.

Data Sources

Windows Event LogsLinux SyslogOsqueryNetwork Stream

Required Sourcetypes

xmlwineventlogWinEventLog:Securitylinux_secureosquery:resultsendpointstream:tcp

False Positives & Tuning

  • Legitimate CI/CD pipelines running npm install before patch was applied
  • Security scanners traversing node_modules and triggering file events
  • Build servers making outbound calls to npm mirrors or private registries

Other platforms for CVE-2025-54313

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Malicious postinstall Hook Execution via eslint-config-prettier

    Expected signal: EDR should record: npm parent process spawning bash, bash executing malicious.sh, file creation of pwned.txt, outbound network attempt to 127.0.0.1:9999

  2. Test 2Detect eslint-config-prettier in Installed Node Modules

    Expected signal: Process events showing find and python3 spawned from shell; file read events on node_modules/eslint-config-prettier/package.json across filesystem

  3. Test 3Simulate Outbound Exfiltration from Node Process Post-Install

    Expected signal: EDR network telemetry showing node process initiating outbound TCP connection; process command line containing 'process.env' and network connection attempt

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-54313 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1195.002Compromise Software Supply ChainT1059.007JavaScriptT1020Automated Exfiltration

Same Tactic: Initial Access

Popular Detections