Cli

GitHub CLI versions 2.92.0 and earlier incorrectly include authorization headers in API requests to TUF repository mirrors and external hosts when using the `gh attestation`, `gh release verify`, and `gh release verify-asset` commands, potentially exposing sensitive tokens.

The protobuf.js CLI tool `pbts` is vulnerable to OS command injection via crafted filenames or paths with shell metacharacters, potentially leading to arbitrary command execution with the privileges of the `pbts` process when invoked on attacker-influenced file paths; CVE-2026-42290.

An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface of a device, leading to full compromise and root access on the underlying Linux-based OS, as described in CVE-2026-3587.

This rule detects command-line activity indicative of credential access across multiple cloud platforms (GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, Kubernetes), looking for specific commands used to print or access tokens and credentials, flagging hosts where multiple cloud targets are accessed within a five-minute window, suggesting potential credential harvesting activity.

Adversaries may leverage Azure Storage utilities like AzCopy and Storage Explorer post-compromise to stage or extract sensitive data from endpoints, blending malicious activity with legitimate cloud traffic.