Shai-Hulud Malicious Bun Execution
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects execution of bun_environment.js via the Bun runtime, associated with the Shai-Hulud "Second Coming" NPM supply chain attack. The malware uses setup_bun.js to install Bun if absent and then runs the malicious bun_environment.js payload.
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND ( PARENTPROCESSNAME endswith "node.exe" AND ( PROCESSNAME endswith "bun.exe" OR COMMANDLINE contains "bun_environment.js,https://github.com/actions/runner/releases/download/v2.330.0" ))
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


