Shai-Hulud Malicious Bun Execution
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack. The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
```yaml
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
    selection_child_bun_script:
        Image|endswith: '\bun.exe'
        CommandLine|contains:
            - 'bun_environment.js'
            - 'https://github.com/actions/runner/releases/download/v2.330.0'
    condition: selection_parent and 1 of selection_child_*
```

False positives: legitimate but uncommon use of files named `bun_environment.js` could trigger this rule.
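The matching logic of the rule above, applied to a few constructed process-creation events (an added example, not part of the rule or the Phoenix Studio page). It assumes Sigma's default case-insensitive `endswith`/`contains` semantics and Sysmon-style field names `ParentImage`, `Image` and `CommandLine`; the event values are constructed.

```python
# Constructed process-creation events (Sysmon EventID 1 style fields).
# Event 0 and 3 should match; 1 has a benign command line, 2 a wrong parent.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Users\dev\.bun\bin\bun.exe",
     "CommandLine": r'"C:\Users\dev\.bun\bin\bun.exe" bun_environment.js'},
    {"ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Users\dev\.bun\bin\bun.exe",
     "CommandLine": "bun.exe run build.ts"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\dev\.bun\bin\bun.exe",
     "CommandLine": "bun.exe bun_environment.js"},
    {"ParentImage": r"C:\Program Files\nodejs\NODE.EXE",   # mixed case on purpose
     "Image": r"C:\Users\dev\.bun\bin\BUN.EXE",
     "CommandLine": "bun.exe -e fetch('https://github.com/actions/runner/releases/download/v2.330.0')"},
]

# Values taken from the rule's selections.
PARENT_SUFFIX = "\\node.exe"
CHILD_SUFFIX = "\\bun.exe"
CMDLINE_NEEDLES = (
    "bun_environment.js",
    "https://github.com/actions/runner/releases/download/v2.330.0",
)


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def _contains_ci(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive by default."""
    return needle.lower() in value.lower()


def matches_rule(event: dict) -> bool:
    """selection_parent and 1 of selection_child_* (only one child selection exists)."""
    parent_ok = _endswith_ci(event.get("ParentImage", ""), PARENT_SUFFIX)
    child_ok = _endswith_ci(event.get("Image", ""), CHILD_SUFFIX) and any(
        _contains_ci(event.get("CommandLine", ""), n) for n in CMDLINE_NEEDLES
    )
    return parent_ok and child_ok


def alerting_indices(events: list) -> list:
    """Return the indices of events that would raise an alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("alerts on events:", alerting_indices(SAMPLE_EVENTS))  # → [0, 3]
```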