low but possible. generic filenames like cloud.json or environment.json may appear in legitimate contexts. correlate with npm install activity or suspicious parent processes.

Techniques

Sample rules

Shai-Hulud 2 Exfiltration Artifact Files

source: splunk
technicques:
- T1074.001
- T1552.001
- T1195.002

Description

Detects creation of exfiltration artifact files associated with Shai-Hulud 2.0 npm supply chain malware. The malware creates cloud.json, contents.json, environment.json, truffleSecrets.json, and actionsSecrets.json files containing harvested credentials from AWS, Azure, GCP, GitHub secrets, and environment variables. These files are staged before being pushed to attacker-controlled repositories.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime

from datamodel=Endpoint.Filesystem where

Filesystem.file_name IN (
  "cloud.json",
  "contents.json",
  "environment.json",
  "truffleSecrets.json",
  "actionsSecrets.json"
)

by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
   Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user
   Filesystem.vendor_product


| `drop_dm_object_name(Filesystem)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `shai_hulud_2_exfiltration_artifact_files_filter`