Obfuscated Node.js Execution via CommandLine - Linux

Rule Info

Name
Obfuscated Node.js Execution via CommandLine - Linux
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of Node.js with the '--eval' flag, where the provided script contains common obfuscation patterns.
Reference
https://www.linkedin.com/posts/a-closer-look-at-contagious-interview-a-share-7426656611596705792-qhBh/
Date
2026-03-10 00:00:00
Modified
None
Id
0e15ea1d-8305-435b-8da3-84689e4baf9a
Tags
attack.execution attack.t1059.007 attack.defense-evasion attack.t1027.008 attack.t1027.010
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022