CVE-2025-54313 Sumo Logic CSE · Sumo

Detect Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313) in Sumo Logic CSE

Detects exploitation indicators related to CVE-2025-54313, a supply chain compromise affecting the eslint-config-prettier npm package (Prettier). The package was trojanized with embedded malicious code (CWE-506), enabling arbitrary code execution during npm install or build processes. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=* ("eslint-config-prettier" OR "npm install")
| parse regex "(?i)(?P<pkg_ref>eslint-config-prettier[^\s]*)" nodrop
| parse regex "(?P<file_ext>\.(exe|dll|sh|ps1|bat))" nodrop
| parse regex "dest=(?P<dest_host>[^\s]+)" nodrop
| where !isEmpty(pkg_ref) OR !isEmpty(file_ext)
| where if(!isEmpty(dest_host), !(dest_host matches "*npmjs.org*" or dest_host matches "127.0.0.1" or dest_host matches "localhost"), true)
| eval severity = if(!isEmpty(file_ext) AND (file_ext = ".exe" OR file_ext = ".dll"), "critical", "high")
| fields _sourceHost, _sourceCategory, pkg_ref, file_ext, dest_host, severity, _messagetime
| sort by _messagetime desc
critical severity medium confidence

Sumo Logic query searching for log entries referencing eslint-config-prettier, suspicious binary file extensions dropped in related processes, and outbound network connections from node processes to external hosts.

Data Sources

Sumo Logic Cloud SIEMHost MetricsNetwork Logs

Required Tables

_sourceCategory

False Positives & Tuning

  • CI/CD pipeline logs showing eslint-config-prettier installation before patching
  • Security audit logs generated by npm audit commands
  • Log forwarding agents that include package names in metadata fields

Other platforms for CVE-2025-54313

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Malicious postinstall Hook Execution via eslint-config-prettier

    Expected signal: EDR should record: npm parent process spawning bash, bash executing malicious.sh, file creation of pwned.txt, outbound network attempt to 127.0.0.1:9999

  2. Test 2Detect eslint-config-prettier in Installed Node Modules

    Expected signal: Process events showing find and python3 spawned from shell; file read events on node_modules/eslint-config-prettier/package.json across filesystem

  3. Test 3Simulate Outbound Exfiltration from Node Process Post-Install

    Expected signal: EDR network telemetry showing node process initiating outbound TCP connection; process command line containing 'process.env' and network connection attempt

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-54313 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1195.002Compromise Software Supply ChainT1059.007JavaScriptT1020Automated Exfiltration

Same Tactic: Initial Access

Popular Detections