Bun JavaScript Runtime Executed Via Shell Spawned By Node.js On macOS

Rule Info

Name
Bun JavaScript Runtime Executed Via Shell Spawned By Node.js On macOS
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects a macOS shell process (e.g. zsh, bash, sh) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions than Node.js itself.
Date
2026-05-26 00:00:00
Modified
None
Id
32c86766-21d1-47cf-aec8-4b278153f912
Tags
attack.execution attack.t1059.007
Type
Nextron Sigma feed only (private)
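
Added example (not the Nextron rule, which is private): a minimal triage sketch of the Node.js -> Shell -> Bun chain from the description, run over constructed process-creation events. The field names (ParentImage, Image, CommandLine), the shell list and the token match for "bun" are assumptions chosen for illustration.

```python
import re

# Assumed field names follow Sigma's process_creation taxonomy.
SHELLS = {"zsh", "bash", "sh"}

# Match "bun" only as a standalone command or final path component, so that
# unrelated strings such as "bundle" do not trigger the check.
BUN_TOKEN = re.compile(r"(?:^|[\s/;&|\"'(])bun(?=$|[\s;&|\"')])")


def basename(path):
    return path.rsplit("/", 1)[-1]


def is_node_shell_bun(event):
    """True when a shell whose parent is node carries a Bun invocation."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    return parent == "node" and image in SHELLS and bool(BUN_TOKEN.search(cmdline))


def scan(events):
    """Return the indexes of events that match the chain."""
    return [i for i, ev in enumerate(events) if is_node_shell_bun(ev)]


# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"ParentImage": "/usr/local/bin/node", "Image": "/bin/sh",
     "CommandLine": "sh -c bun run setup.ts"},
    {"ParentImage": "/opt/homebrew/bin/node", "Image": "/bin/zsh",
     "CommandLine": 'zsh -c "$HOME/.bun/bin/bun index.js"'},
    # Shell spawned by node, but "bundle" is not the Bun runtime.
    {"ParentImage": "/usr/local/bin/node", "Image": "/bin/sh",
     "CommandLine": "sh -c npm run bundle"},
    # Bun started from an interactive terminal, not from node.
    {"ParentImage": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "Image": "/bin/zsh", "CommandLine": "zsh -c bun install"},
    # Child of node is not a shell.
    {"ParentImage": "/usr/local/bin/node", "Image": "/usr/bin/git",
     "CommandLine": "git clone https://example.invalid/bun"},
]

if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        print("match:", SAMPLE_EVENTS[idx]["CommandLine"])
```

Developer machines that legitimately call Bun from npm scripts will also match, so hits need to be reviewed against the package that started the node process.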

Rule History