Script Interpreter Spawning Credential Scanner
A script interpreter such as node.exe or bun.exe spawning a credential scanning tool like trufflehog or gitleaks indicates potential credential compromise, as seen in the Shai-Hulud campaign.
Attackers are increasingly leveraging script interpreters like Node.js and Bun to execute credential scanning tools within compromised environments. This tactic allows them to search for exposed secrets, API keys, and other sensitive information stored in configuration files, source code, or other accessible locations. The "Shai-Hulud: The Second Coming" campaign exemplifies this trend, where compromised npm packages were used to execute malicious code, ultimately leading to credential theft. The use of credential scanners like TruffleHog and GitLeaks automates the process of identifying these secrets, making it easier for attackers to escalate their access and compromise sensitive data. Defenders should be alert to script interpreters spawning credential scanning tools to mitigate the risk of credential theft.
Attack Chain
- A user downloads and installs a malicious or compromised package containing malicious JavaScript code.
- The malicious package is executed via a script interpreter such as
node.exeorbun.exe. - The script interpreter process spawns a credential scanning tool, such as
trufflehog.exeorgitleaks.exe. - The credential scanner searches local directories, file systems, and potentially network shares for exposed secrets.
- Any identified credentials are then exfiltrated by the attacker.
- The attacker uses the stolen credentials to gain unauthorized access to systems, applications, or data.
- The attacker may further escalate privileges and compromise other parts of the environment.
Impact
Successful exploitation can lead to the compromise of sensitive credentials, allowing attackers to gain unauthorized access to critical systems and data. This can result in data breaches, financial losses, reputational damage, and disruption of services. The "Shai-Hulud" campaign targeted GitHub and cloud credentials, potentially impacting numerous organizations that rely on these services. The number of affected organizations is difficult to quantify but given the widespread use of npm packages, the potential impact is significant.
Recommendation
- Deploy the Sigma rule
Script Interpreter Spawning Credential Scannerto your SIEM to detect suspicious process creation events involving script interpreters and credential scanning tools. - Monitor process creation logs for script interpreters spawning child processes associated with credential scanning tools.
- Implement strict input validation and sanitization practices to prevent the injection of malicious code into script interpreters.
- Regularly scan your codebase and infrastructure for exposed secrets using dedicated secret scanning tools.
- Enforce the principle of least privilege to limit the potential impact of compromised credentials.
Detection coverage 2
Script Interpreter Spawning TruffleHog
highDetects a script interpreter spawning TruffleHog, a credential scanning tool.
Script Interpreter Spawning GitLeaks
highDetects a script interpreter spawning GitLeaks, a credential scanning tool.
Detection queries are available on the platform. Get full rules →