PUA - TruffleHog Execution - Linux

Rule Info

Name
PUA - TruffleHog Execution - Linux
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects execution of TruffleHog, a tool that searches for secrets across platforms such as Git, Jira, Slack, SharePoint, etc. and that could be used maliciously. While it is a legitimate tool intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
Date
2025-09-24 00:00:00
Modified
None
Id
d7a650c4-226c-451e-948f-cc490db506aa
Tags
attack.discovery attack.credential-access attack.t1083 attack.t1552.001
Type
Community Rule

Rule History

Author | Title | Date | Commit
RobertN87 | Merge PR #5714 from @RobertN87 - Add missing MITRE tactics for 2 rules | 2025-10-21 |
Swachchhanda Shrawan Poudel | Merge PR #5658 from @swachchhanda000 - feat: shai hulud worm targeting npm supply chain attack | 2025-10-19 |