NPM Package Install Executed From Suspicious Location - Linux

Rule Info

Name
NPM Package Install Executed From Suspicious Location - Linux
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of "npm install" via node on Linux from potentially suspicious directories. Such activity might indicate a malicious package being installed or executed from a non-standard location. Attackers might use npm packages to execute malicious code on the victim's machine, potentially leading to data exfiltration, persistence, or further compromise of the system.
Date
2026-06-08 00:00:00
Modified
None
Id
a7b2c1d4-8e3f-4a5b-9c6d-1e0f2a3b4c5d
Tags
attack.execution attack.t1059.004
Type
Nextron Sigma feed only (private)

Rule History