Emerging Threathighexperimental

Shai-Hulud Malicious Bun Execution - Linux

Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack. The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Tue Nov 25eb827bbd-670a-4d58-8446-c464d8ac23232025

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_parent:
        ParentImage|endswith: '/node'
    selection_child_bun:
        Image|endswith: '/bun'
        CommandLine|contains:
            - 'bun_environment.js'
            - 'https://github.com/actions/runner/releases/download/v2.330.0'
    selection_child_setup_curl:
        CommandLine|contains|all:
            - 'curl '
            - '-fsSL'
            - 'https://bun.sh/install'
            - 'bash'
    selection_child_path_reload:
        CommandLine|contains|all:
            - 'bash -c "source '
            - '&& echo'
    condition: selection_parent and 1 of selection_child_*