Sigma rules for Shai-Hulud
5 rules · scoped to tool · back to Shai-Hulud
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
- id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.execution
- attack.collection
- attack.t1005
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '/node'
- '/bun'
selection_child:
- Image|endswith:
- '/trufflehog'
- '/gitleaks'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
- id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.collection
- attack.execution
- attack.t1005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '\node.exe'
- '\bun.exe'
selection_child:
- Image|endswith:
- 'trufflehog.exe'
- 'gitleaks.exe'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml
title: PUA - TruffleHog Execution - Linux
id: d7a650c4-226c-451e-948f-cc490db506aa
related:
- id: 44030449-b0df-4c94-aae1-502359ab28ee
type: similar
status: experimental
description: |
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
While it is a legitimate tool, intended for use in CI pipelines and security assessments,
It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
- https://github.com/trufflesecurity/trufflehog
- https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
- attack.discovery
- attack.credential-access
- attack.t1083
- attack.t1552.001
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/trufflehog'
selection_cli_platform:
CommandLine|contains:
- ' docker --image '
- ' Git '
- ' GitHub '
- ' Jira '
- ' Slack '
- ' Confluence '
- ' SharePoint '
- ' s3 '
- ' gcs '
selection_cli_verified:
CommandLine|contains: ' --results=verified'
condition: selection_img or all of selection_cli_*
falsepositives:
- Legitimate use of TruffleHog by security teams or developers.
level: medium
title: PUA - TruffleHog Execution
id: 44030449-b0df-4c94-aae1-502359ab28ee
related:
- id: d7a650c4-226c-451e-948f-cc490db506aa
type: similar
status: experimental
description: |
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
While it is a legitimate tool, intended for use in CI pipelines and security assessments,
It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
- https://github.com/trufflesecurity/trufflehog
- https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
- attack.discovery
- attack.credential-access
- attack.t1083
- attack.t1552.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\trufflehog.exe'
selection_cli_platform:
CommandLine|contains:
- ' docker --image '
- ' Git '
- ' GitHub '
- ' Jira '
- ' Slack '
- ' Confluence '
- ' SharePoint '
- ' s3 '
- ' gcs '
selection_cli_verified:
CommandLine|contains: ' --results=verified'
condition: selection_img or all of selection_cli_*
falsepositives:
- Legitimate use of TruffleHog by security teams or developers.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_trufflehog/info.yml
title: Github Self-Hosted Runner Execution
id: 5bac7a56-da88-4c27-922e-c81e113b20cb
status: test
description: |
Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.
Shai-Hulud is an npm supply chain worm targeting CI/CD environments.
It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
references:
- https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
- https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/
author: Daniel Koifman (KoifSec)
date: 2025-11-29
tags:
- attack.command-and-control
- attack.t1102.002
- attack.t1071
logsource:
category: process_creation
product: windows
detection:
selection_worker_img: # Example command C:\Users\Lab\actions-runner\bin\Runner.Worker.exe spawnclient 1288 1252
- Image|endswith: '\Runner.Worker.exe'
- OriginalFileName: 'Runner.Worker.dll'
selection_worker_cli:
CommandLine|contains: 'spawnclient'
selection_listener_img: # Example command C:\Users\Lab\actions-runner\bin\Runner.Listener.exe configure --url https://github.com/ABC/ABC --token 123123
- Image|endswith: '\Runner.Listener.exe'
- OriginalFileName: 'Runner.Listener.dll'
selection_listener_cli:
CommandLine|contains:
- 'run'
- 'configure'
condition: all of selection_worker_* or all of selection_listener_*
falsepositives:
- Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure
- Authorized runner deployments by DevOps/Platform teams following change management
- Scheduled runner updates or reconfigurations on existing build agents
- Self-hosted runners that follow expected/known naming patterns
- Installation via expected/known configuration management tools (reflected mostly as parent process name)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/info.yml