Suspicious Child Process Spawned by Node.js

Rule Info

Name: Suspicious Child Process Spawned by Node.js
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects suspicious child processes spawned by Node.js that could indicate compromised npm packages or malicious scripts. Malicious packages often use install/preinstall scripts to execute unauthorized system commands through these child processes. Investigate immediately as this may indicate package compromise or malicious code execution.
Date: 2025-11-21 00:00:00
Modified: None
Id: 4d2551f4-007e-4034-a532-13fc34157c3d
Tags: attack.execution, attack.initial-access, attack.t1059.007, attack.t1195.002
Type: Nextron Sigma feed only (private)

Rule History