Script Interpreter Spawning Credential Scanner - Windows

 1title: Script Interpreter Spawning Credential Scanner - Windows
 2id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
 3related:
 4    - id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
 5      type: similar
 6status: experimental
 7description: |
 8    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
 9    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.    
10references:
11    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
12    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
13    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
14    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
15author: Swachchhanda Shrawan Poudel (Nextron Systems)
16date: 2025-11-25
17tags:
18    - attack.credential-access
19    - attack.t1552
20    - attack.collection
21    - attack.execution
22    - attack.t1005
23    - attack.t1059.007
24logsource:
25    category: process_creation
26    product: windows
27detection:
28    selection_parent:
29        ParentImage|endswith:
30           # Add more script interpreters as needed
31            - '\node.exe'
32            - '\bun.exe'
33    selection_child:
34        - Image|endswith:
35              - 'trufflehog.exe'
36              - 'gitleaks.exe'
37        - CommandLine|contains:
38              - 'trufflehog'
39              - 'gitleaks'
40    condition: all of selection_*
41falsepositives:
42    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
43level: high
44regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml

References

• https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js

  
  Read More

• Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised - StepSecurity

  

  Sha1-Hulud: The Second Coming

  
  Read More

• Shai-Hulud 2 Malware Campaign Targets GitHub and Cloud Credentials Using Bun Runtime | Blog | Endor Labs

  

  Analysis of Shai-Hulud 2, a new npm supply chain attack using Bun for execution, credential theft, and CI/CD propagation, with mitigation guidance.

  
  Read More

• Sha1-Hulud: The Second Coming of the NPM Worm is Digging For Secrets

  

  In September incident responders were inundated with breaches all resulting from the npm supply chain. One of these attacks “Shai-Hulud” was a self replicating worm that affected over 180 packages in total. Now it’s back for a second round, with over 500 affecting packages. Like the previous version this worm lea...

  
  Read More

Related rules

• Script Interpreter Spawning Credential Scanner - Linux
• HackTool - Impacket Tools Execution
• ISATAP Router Address Was Set
• Local Privilege Escalation Indicator TabTip
• Potential SMB Relay Attack Tool Execution