Skip to content
Threat Feed
high advisory

Script Interpreter Spawning Credential Scanner

A script interpreter such as node.exe or bun.exe spawning a credential scanning tool like trufflehog or gitleaks indicates potential credential compromise, as seen in the Shai-Hulud campaign.

Attackers are increasingly leveraging script interpreters like Node.js and Bun to execute credential scanning tools within compromised environments. This tactic allows them to search for exposed secrets, API keys, and other sensitive information stored in configuration files, source code, or other accessible locations. The "Shai-Hulud: The Second Coming" campaign exemplifies this trend, where compromised npm packages were used to execute malicious code, ultimately leading to credential theft. The use of credential scanners like TruffleHog and GitLeaks automates the process of identifying these secrets, making it easier for attackers to escalate their access and compromise sensitive data. Defenders should be alert to script interpreters spawning credential scanning tools to mitigate the risk of credential theft.

Attack Chain

  1. A user downloads and installs a malicious or compromised package containing malicious JavaScript code.
  2. The malicious package is executed via a script interpreter such as node.exe or bun.exe.
  3. The script interpreter process spawns a credential scanning tool, such as trufflehog.exe or gitleaks.exe.
  4. The credential scanner searches local directories, file systems, and potentially network shares for exposed secrets.
  5. Any identified credentials are then exfiltrated by the attacker.
  6. The attacker uses the stolen credentials to gain unauthorized access to systems, applications, or data.
  7. The attacker may further escalate privileges and compromise other parts of the environment.

Impact

Successful exploitation can lead to the compromise of sensitive credentials, allowing attackers to gain unauthorized access to critical systems and data. This can result in data breaches, financial losses, reputational damage, and disruption of services. The "Shai-Hulud" campaign targeted GitHub and cloud credentials, potentially impacting numerous organizations that rely on these services. The number of affected organizations is difficult to quantify but given the widespread use of npm packages, the potential impact is significant.

Recommendation

  • Deploy the Sigma rule Script Interpreter Spawning Credential Scanner to your SIEM to detect suspicious process creation events involving script interpreters and credential scanning tools.
  • Monitor process creation logs for script interpreters spawning child processes associated with credential scanning tools.
  • Implement strict input validation and sanitization practices to prevent the injection of malicious code into script interpreters.
  • Regularly scan your codebase and infrastructure for exposed secrets using dedicated secret scanning tools.
  • Enforce the principle of least privilege to limit the potential impact of compromised credentials.

Detection coverage 2

Script Interpreter Spawning TruffleHog

high

Detects a script interpreter spawning TruffleHog, a credential scanning tool.

sigma tactics: collection, credential-access, execution techniques: T1005, T1059.007, T1552 sources: process_creation, windows

Script Interpreter Spawning GitLeaks

high

Detects a script interpreter spawning GitLeaks, a credential scanning tool.

sigma tactics: collection, credential-access, execution techniques: T1005, T1059.007, T1552 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →