name: Suspicious Developer Secret Access via Node.js Ecosystem Analytic
signatureid: EDR-SYM931-RUN
category: 'Credential Access'
threatname: 'Unsecured Credentials'
functionality: 'Endpoint Management Systems'
description: |
  Detects Node.js ecosystem processes accessing sensitive developer,
  cloud, container, and infrastructure credential files. This behavior
  is commonly associated with malicious npm packages abusing lifecycle
  hooks such as preinstall, install, postinstall, or prepare scripts
  to harvest secrets from developer workstations.

  Threat actors increasingly target software supply chains by embedding
  credential-stealing functionality into npm packages. During execution,
  malicious Node.js code may enumerate SSH keys, cloud provider credentials,
  Kubernetes configurations, Docker authentication files, package manager
  tokens, Terraform state files, and Vault secrets before exfiltrating
  them to attacker-controlled infrastructure.

  Similar techniques were observed during the Miasma supply-chain attack,
  where malicious npm packages attempted to collect and exfiltrate
  developer credentials and cloud access tokens.
reference:
  - https://whiteintel.io/blog/red-hat-miasma-supply-chain-attack
  - https://attack.mitre.org/techniques/T1552/001/
  - https://attack.mitre.org/techniques/T1552/004/
  - https://attack.mitre.org/techniques/T1555/
labels:
  - attack.credential_access
  - attack.t1552
  - attack.t1552.001
  - attack.t1552.004
  - attack.t1555
  - npm
  - nodejs
  - supply_chain
  - miasma
  - developer_credentials
logsource:
  category: process_creation
  product: windows
detection:
  selection_node_ecosystem:
    ParentImage|endswith:
      - '\node.exe'
      - '\nodejs.exe'
      - '\npm.exe'
      - '\npm.cmd'
      - '\npx.cmd'
      - '\pnpm.exe'
      - '\pnpm.cmd'
      - '\yarn.exe'
      - '\yarn.cmd'
      - '\bun.exe'
  selection_sensitive_files:
    CommandLine|contains:
      - '.ssh\id_rsa'
      - '.ssh\id_dsa'
      - '.ssh\id_ecdsa'
      - '.ssh\id_ed25519'
      - '.ssh\config'
      - '.aws\credentials'
      - '.aws\config'
      - '.azure\credentials'
      - 'azureProfile.json'
      - 'accessTokens.json'
      - '.config\gcloud'
      - '.kube\config'
      - '.docker\config.json'
      - '.npmrc'
      - '.netrc'
      - '.pypirc'
      - 'terraform.tfstate'
      - 'terraform.tfstate.backup'
      - 'vault_token'
      - '.env'
      - '.env.production'
      - '.env.local'
  filter_legitimate_tools:
    Image|endswith:
      - '\terraform.exe'
      - '\kubectl.exe'
      - '\aws.exe'
      - '\az.exe'
      - '\gcloud.exe'
  condition: selection_node_ecosystem and selection_sensitive_files and not filter_legitimate_tools
criticality: High
saveasthreat: false
violation_summary:
  grouping_attribute: 'accountname'
  level2_attribute: 'devicehostname'
  level2_metadata_attributes:

TECHNICAL DETAILS
ATTACK OVERVIEW
Modern software supply-chain attacks frequently target developer
endpoints because they contain privileged credentials capable of
providing access to source code repositories, CI/CD systems,
cloud environments, Kubernetes clusters, and production workloads.
Typical Attack Flow:
1. Developer installs a malicious package:
   npm install <package>
2. Package executes a lifecycle hook:
   - preinstall
   - install
   - postinstall
   - prepare
3. Node.js process enumerates local credential stores.
4. Sensitive files targeted include:
   - SSH private keys
   - AWS credentials and configuration
   - Azure authentication profiles
   - Google Cloud credentials
   - Kubernetes kubeconfig files
   - Docker authentication files
   - npm authentication tokens
   - Terraform state files
   - Vault tokens
   - Environment variable files (.env)
5. Harvested credentials are exfiltrated to attacker-controlled
   infrastructure for subsequent cloud compromise, lateral movement,
   or persistence.
Detection Strategy:
This analytic identifies Node.js ecosystem tooling acting as the
parent process of commands that reference commonly targeted
credential stores and secret-bearing files.
Why This Works:
Legitimate npm package installation workflows rarely require
direct access to SSH private keys, cloud credential stores,
Docker authentication files, Terraform state files, or Vault
tokens. References to these artifacts during package execution
represent a strong indicator of credential harvesting activity
and should be investigated immediately.
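As an added example that is not part of the original analytic or its EDR's tooling, the following Python evaluates the rule's condition over constructed Windows process_creation events, including a case the filter_legitimate_tools exclusion suppresses. The field names follow the rule; the sample paths and command lines are assumptions.

```python
# Added example: evaluates this analytic's condition over constructed
# process_creation events; field names follow the rule, paths are made up.
NODE_PARENTS = ('\\node.exe', '\\nodejs.exe', '\\npm.exe', '\\npm.cmd',
                '\\npx.cmd', '\\pnpm.exe', '\\pnpm.cmd', '\\yarn.exe',
                '\\yarn.cmd', '\\bun.exe')
SENSITIVE_FILES = ('.ssh\\id_rsa', '.ssh\\id_ed25519', '.ssh\\config',
                   '.aws\\credentials', '.kube\\config', '.docker\\config.json',
                   '.npmrc', '.netrc', 'terraform.tfstate', 'vault_token', '.env')
LEGIT_TOOLS = ('\\terraform.exe', '\\kubectl.exe', '\\aws.exe', '\\az.exe',
               '\\gcloud.exe')

def matches(event: dict) -> bool:
    """selection_node_ecosystem and selection_sensitive_files and not
    filter_legitimate_tools; Sigma modifiers are case-insensitive, so
    every field is lower-cased before comparing (patterns are lower-case)."""
    parent = event.get('ParentImage', '').lower()
    image = event.get('Image', '').lower()
    cmd = event.get('CommandLine', '').lower()
    node_parent = any(parent.endswith(p) for p in NODE_PARENTS)
    secret_ref = any(s in cmd for s in SENSITIVE_FILES)
    legit_tool = any(image.endswith(t) for t in LEGIT_TOOLS)
    return node_parent and secret_ref and not legit_tool

EVENTS = [  # constructed sample events, not real telemetry
    # postinstall hook shelling out to read an SSH key: should alert
    {'ParentImage': r'C:\Program Files\nodejs\node.exe',
     'Image': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'cmd.exe /c type C:\Users\dev\.ssh\id_ed25519'},
    # terraform launched by a node build script and reading its own
    # state file: suppressed by filter_legitimate_tools
    {'ParentImage': r'C:\Program Files\nodejs\node.exe',
     'Image': r'C:\tools\terraform.exe',
     'CommandLine': r'terraform.exe state pull > terraform.tfstate'},
    # ordinary build step under node, no secret reference: no alert
    {'ParentImage': r'C:\Program Files\nodejs\node.exe',
     'Image': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'cmd.exe /c tsc -p tsconfig.json'},
    # credential file opened, but not by Node.js tooling: no alert
    {'ParentImage': r'C:\Windows\explorer.exe',
     'Image': r'C:\Windows\System32\notepad.exe',
     'CommandLine': r'notepad.exe C:\Users\dev\.aws\credentials'},
]

def evaluate(events=EVENTS) -> list:
    """One verdict per event, in order: [True, False, False, False]."""
    return [matches(e) for e in events]

if __name__ == '__main__':
    for e, hit in zip(EVENTS, evaluate()):
        print('ALERT' if hit else 'ok   ', e['CommandLine'])
```

Note that the .cmd wrappers (npm.cmd, npx.cmd, pnpm.cmd, yarn.cmd) execute inside cmd.exe, so a hook launched through them usually shows cmd.exe as ParentImage rather than the wrapper name; confirm what your sensor records before relying on those entries.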
Related Threat Activity:
The Miasma npm supply-chain campaign leveraged malicious package
installation hooks to enumerate developer secrets and cloud
credentials. Similar tradecraft has been observed across multiple
npm, PyPI, and open-source ecosystem attacks targeting software
developers and DevOps engineers.
A policy-building walkthrough can be found in this previous post: