PUA - TruffleHog Execution - Linux
Detects execution of TruffleHog, a secret-scanning tool that searches sources such as Git, GitHub, Jira, Slack, Confluence, SharePoint, S3 and GCS for credentials and can be turned against its own host to the same end. It is a legitimate tool intended for CI pipelines and security assessments, but it was observed in the Shai-Hulud malware campaign targeting npm packages, where it was used to steal sensitive information.
Sigma rule

title: PUA - TruffleHog Execution - Linux
id: d7a650c4-226c-451e-948f-cc490db506aa
related:
    - id: 44030449-b0df-4c94-aae1-502359ab28ee
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/trufflehog'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
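The rule has two independent branches: the binary name alone (selection_img) is enough, while a renamed binary is only caught when a TruffleHog source subcommand and the --results=verified flag both appear on the command line. The following Python is an added example (not part of the Sigma rule or of TruffleHog) that replays that condition over a handful of constructed process_creation events, including a renamed copy with and without the flag, to show where the rule fires and where it does not. It assumes the default Sigma semantics in which contains and endswith compare case-insensitively, so the rule's ' Git ' token also matches the lowercase 'git' subcommand that the real tool uses.

```python
"""Replay of the TruffleHog Sigma rule's condition (added example, not the rule itself)."""
from dataclasses import dataclass
from typing import List, Tuple

# Tokens copied from selection_cli_platform / selection_cli_verified in the rule.
PLATFORM_TOKENS = [
    " docker --image ", " Git ", " GitHub ", " Jira ", " Slack ",
    " Confluence ", " SharePoint ", " s3 ", " gcs ",
]
VERIFIED_TOKEN = " --results=verified"
IMAGE_SUFFIX = "/trufflehog"


@dataclass
class ProcessEvent:
    """Minimal process_creation event: the two fields the rule reads."""
    image: str
    command_line: str


def _contains(haystack: str, needle: str) -> bool:
    # Assumption: Sigma string modifiers are case-insensitive unless |cased is used.
    return needle.lower() in haystack.lower()


def matches(event: ProcessEvent) -> bool:
    """Return True when the event satisfies: selection_img or all of selection_cli_*."""
    selection_img = event.image.lower().endswith(IMAGE_SUFFIX)
    selection_cli_platform = any(_contains(event.command_line, t) for t in PLATFORM_TOKENS)
    selection_cli_verified = _contains(event.command_line, VERIFIED_TOKEN)
    return selection_img or (selection_cli_platform and selection_cli_verified)


# Constructed sample events (hypothetical paths and arguments, not real telemetry).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # Unrenamed binary: caught by selection_img regardless of arguments.
    ProcessEvent("/usr/local/bin/trufflehog", "trufflehog git file:///home/dev/repo"),
    # Renamed binary with a source subcommand and the verified flag: caught by the CLI branch.
    ProcessEvent("/tmp/.cache/th", "/tmp/.cache/th github --org=acme --results=verified"),
    # Renamed binary without --results=verified: not caught (the rule's blind spot).
    ProcessEvent("/tmp/.cache/th", "/tmp/.cache/th s3 --bucket backups"),
    # Ordinary git usage: no isolated ' GitHub ' token and no verified flag.
    ProcessEvent("/usr/bin/git", "git clone https://github.com/acme/app"),
    # Renamed binary scanning a container image with verified results: caught.
    ProcessEvent("/opt/tools/th", "/opt/tools/th docker --image acme/api:latest --results=verified"),
]


def run() -> List[Tuple[str, bool]]:
    """Evaluate the rule over the sample events, returning (command_line, matched) pairs."""
    return [(e.command_line, matches(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for cmd, hit in run():
        print(f"{'MATCH ' if hit else 'no    '} {cmd}")
```

The third event is the case worth remembering when tuning: an attacker who renames the binary and leaves out --results=verified slips past both branches, so a process-creation rule like this is a cheap signal for the common case rather than a guarantee, and pairing it with file-hash or network telemetry is what closes the gap.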
Related rules
- PUA - TruffleHog Execution
- WannaCry Ransomware Activity
- Capabilities Discovery - Linux
- Shell Execution GCC - Linux
- Shell Execution via Find - Linux