Suspicious NPM Post-Install Script Execution
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects execution of system-level scripting or command-line utilities spawned by npm/node processes, which may indicate malicious post-install scripts used in supply chain attacks
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND ( PARENTPROCESSNAME endswith "node.exe,npm.exe,npm.cmd" AND ( PROCESSNAME endswith "powershell.exe,powershell_ise.exe,pwsh.exe,cmd.exe,bash.exe,sh.exe,python.exe,pythonw.exe,curl.exe,wget.exe" OR ORIGINALFILENAME = "PowerShell.EXE,PowerShell_ISE.EXE,pwsh.dll,pwsh.exe,Cmd.Exe,bash.exe,sh.exe,python.exe,pythonw.exe,python3.dll,curl.exe,wget.exe" ) AND COMMANDLINE contains "http://,https://,ftp://,Invoke-WebRequest,Invoke-RestMethod,curl,wget,WebClient,DownloadString,Start-BitsTransfer,bitsadmin" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Windows


