Script Interpreter Spawning Credential Scanner - Linux

Original Source: [Sigma source]
Title: Script Interpreter Spawning Credential Scanner - Linux
Status: experimental
Description: Detects a script interpreter process (such as Node.js or Bun) spawning a known credential-scanning tool (for example trufflehog or gitleaks). This behavior indicates an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
References:
  - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
  - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
  - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
  - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-11-25
Modified: None
Tags:
  • attack.credential-access
  • attack.t1552
  • attack.execution
  • attack.collection
  • attack.t1005
  • attack.t1059.004
Logsource:
  • category: process_creation
  • product: linux
Detection:
  selection_parent:
    ParentImage|endswith:
      - '/node'
      - '/bun'

  selection_child:
    - Image|endswith:
        - '/trufflehog'
        - '/gitleaks'
    - CommandLine|contains:
        - 'trufflehog'
        - 'gitleaks'
  condition: all of selection_*
Falsepositives:
  - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
Level: high
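Worked example (added here; it is not part of the Sigma rule or of the upstream repository): a minimal Python evaluator for the two selections and the `all of selection_*` condition, run over constructed process_creation events. Field names follow Sigma's process_creation taxonomy (ParentImage, Image, CommandLine); the binaries, paths and command lines in the events are invented for this illustration and are not captured telemetry.

```python
"""Evaluate the rule above against constructed Linux process_creation events.

Sigma semantics implemented here: within one selection map, all keys must
match (AND); a selection written as a list of maps matches if any map
matches (OR); the condition 'all of selection_*' requires every selection
to match.
"""

# The rule's detection section, transcribed as Python data.
RULE = {
    "selection_parent": {"ParentImage|endswith": ["/node", "/bun"]},
    "selection_child": [
        {"Image|endswith": ["/trufflehog", "/gitleaks"]},
        {"CommandLine|contains": ["trufflehog", "gitleaks"]},
    ],
}


def _match_field(event, key, values):
    """Apply one 'Field|modifier' test; a value list is OR across values."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    if modifier == "endswith":
        return any(actual.endswith(v) for v in values)
    if modifier == "contains":
        return any(v in actual for v in values)
    if modifier == "":
        return actual in values
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(event, selection):
    if isinstance(selection, list):          # list of maps: OR
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())  # map: AND


def matches(event):
    """condition: all of selection_*"""
    return all(_match_selection(event, sel) for sel in RULE.values())


# Constructed events (not real telemetry).
EVENTS = [
    # 1. bun launching trufflehog by path: the campaign behavior the rule targets.
    {"ParentImage": "/usr/local/bin/bun", "Image": "/usr/local/bin/trufflehog",
     "CommandLine": "/usr/local/bin/trufflehog filesystem /home/runner --json"},
    # 2. node launching a shell that runs gitleaks: Image is sh, but CommandLine
    #    carries the scanner name. Same shape as a node-driven pre-commit hook.
    {"ParentImage": "/usr/bin/node", "Image": "/bin/sh",
     "CommandLine": "sh -c 'gitleaks detect --source . --no-banner'"},
    # 3. Scanner started from a bash CI step: parent is not node or bun.
    {"ParentImage": "/bin/bash", "Image": "/usr/local/bin/gitleaks",
     "CommandLine": "gitleaks detect --source ."},
    # 4. node spawning an unrelated child.
    {"ParentImage": "/usr/bin/node", "Image": "/usr/bin/git",
     "CommandLine": "git status"},
    # 5. Interpreter installed under the name 'nodejs': '/usr/bin/nodejs' does
    #    not end with '/node', so selection_parent fails despite the child.
    {"ParentImage": "/usr/bin/nodejs", "Image": "/usr/local/bin/trufflehog",
     "CommandLine": "trufflehog git file://."},
]


def evaluate(events=EVENTS):
    """Return one boolean per event: True where the rule would alert."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate()):
        flag = "ALERT" if hit else "     "
        print(f"{flag}  {event['ParentImage']} -> {event['CommandLine']}")
```

Events 1 and 2 alert, events 3 to 5 do not. Event 2 is the false-positive shape listed above: a legitimate hook or pipeline step spawned from node matches through `CommandLine|contains` even when the direct child is a shell, so tuning has to come from context (repository, runner, pipeline identity) rather than from the rule's fields. Event 5 shows that `ParentImage|endswith: '/node'` requires the basename to be exactly `node`; a runtime installed under another name is outside the rule's coverage as written.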