Script Interpreter Spawning Credential Scanner - Linux

 1title: Script Interpreter Spawning Credential Scanner - Linux
 2id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
 3related:
 4    - id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
 5      type: similar
 6status: experimental
 7description: |
 8    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
 9    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.    
10references:
11    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
12    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
13    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
14    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
15author: Swachchhanda Shrawan Poudel (Nextron Systems)
16date: 2025-11-25
17tags:
18    - attack.credential-access
19    - attack.t1552
20    - attack.execution
21    - attack.collection
22    - attack.t1005
23    - attack.t1059.004
24logsource:
25    category: process_creation
26    product: linux
27detection:
28    selection_parent:
29        ParentImage|endswith:
30         # Add more script interpreters as needed
31            - '/node'
32            - '/bun'
33    selection_child:
34        - Image|endswith:
35              - '/trufflehog'
36              - '/gitleaks'
37        - CommandLine|contains:
38              - 'trufflehog'
39              - 'gitleaks'
40    condition: all of selection_*
41falsepositives:
42    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
43level: high

References

• https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js

  
  Read More

• Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised - StepSecurity

  

  Sha1-Hulud: The Second Coming

  
  Read More

• Shai-Hulud 2 Malware Campaign Targets GitHub and Cloud Credentials Using Bun Runtime | Blog | Endor Labs

  

  Analysis of Shai-Hulud 2, a new npm supply chain attack using Bun for execution, credential theft, and CI/CD propagation, with mitigation guidance.

  
  Read More

• Sha1-Hulud: The Second Coming of the NPM Worm is Digging For Secrets

  

  In September incident responders were inundated with breaches all resulting from the npm supply chain. One of these attacks “Shai-Hulud” was a self replicating worm that affected over 180 packages in total. Now it’s back for a second round, with over 500 affecting packages. Like the previous version this worm lea...

  
  Read More

Related rules

• Script Interpreter Spawning Credential Scanner - Windows
• HackTool - Impacket Tools Execution
• ISATAP Router Address Was Set
• Local Privilege Escalation Indicator TabTip
• Potential SMB Relay Attack Tool Execution