Bun Runtime Execution Via Node.js Spawned Shell On Windows

Rule Info

Name: Bun Runtime Execution Via Node.js Spawned Shell On Windows
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects a Windows shell process (e.g. cmd.exe, powershell.exe) spawned by Node.js with a command line referencing the Bun runtime, indicating a Node.js -> Shell -> Bun execution chain. This pattern is commonly observed in supply chain attacks where a malicious npm package abuses Node.js child_process APIs to launch a shell that invokes Bun as a second-stage JavaScript or TypeScript payload runner. Bun is attractive to attackers due to its native TypeScript support, fast startup, and broad system APIs, while being less scrutinized by EDR/AV solutions than Node.js itself.
Date: 2026-05-21 00:00:00
Modified: None
Id: 948e621f-296f-483e-b962-ab469054dbc2
Tags: attack.execution attack.t1059.007
Type: Nextron Sigma feed only (private)

Rule History