{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bun/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Endpoint"],"_cs_severities":["low"],"_cs_tags":["supply-chain","command-and-control","dns","nodejs","bun"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies unusual DNS requests originating from Node.js or Bun, which may indicate supply chain compromise. Node.js and Bun are JavaScript runtimes popular for web application development. Adversaries could compromise developer packages and inject malicious code, leading to the execution of unauthorized network activities. This rule is designed to detect such anomalous DNS requests, helping to identify potential data exfiltration or command and control activities resulting from compromised dependencies. Elastic recommends using Endpoint 9.3.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer\u0026rsquo;s machine is compromised through a supply chain attack on a Node.js or Bun package.\u003c/li\u003e\n\u003cli\u003eMalicious code is injected into the application\u0026rsquo;s dependencies.\u003c/li\u003e\n\u003cli\u003eThe application executes the malicious code when a user runs or builds the application.\u003c/li\u003e\n\u003cli\u003eThe malicious code uses Node.js or Bun\u0026rsquo;s networking capabilities to initiate a DNS request to an external domain.\u003c/li\u003e\n\u003cli\u003eThe DNS request targets a domain not typically accessed by the application.\u003c/li\u003e\n\u003cli\u003eThe DNS request is used to beacon to a command-and-control server or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Node.js or Bun applications can lead to data theft, remote code execution, and unauthorized access to sensitive resources. Supply chain attacks targeting developer tools are a growing concern. This can affect any organization relying on potentially vulnerable packages within their applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from Node.js and Bun processes, especially DNS requests to uncommon domains.\u003c/li\u003e\n\u003cli\u003eImplement software composition analysis (SCA) to identify and manage open-source dependencies and known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eEnforce strict code review processes for changes to application dependencies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T12:42:14Z","date_published":"2026-05-21T12:42:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-uncommon-dns-nodejs/","summary":"Detection of uncommon DNS requests originating from Bun or Node.js processes, potentially indicating malicious code execution following a supply chain attack.","title":"Uncommon DNS Requests via Bun or Node.js","url":"https://feed.craftedsignal.io/briefs/2026-05-uncommon-dns-nodejs/"}],"language":"en","title":"CraftedSignal Threat Feed — Bun","version":"https://jsonfeed.org/version/1.1"}