From a177583ffae36cf8efa7a09830401d3a2bff0d9b Mon Sep 17 00:00:00 2001
From: Marius Benthin
Date: Tue, 16 Dec 2025 16:45:29 +0100
Subject: [PATCH 1/3] fix: shai hulud rule

---
 yara/mal_npm_supply_chain_nov25.yar | 33 +++++++++++++++++------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/yara/mal_npm_supply_chain_nov25.yar b/yara/mal_npm_supply_chain_nov25.yar
index adef478d..77b06fda 100644
--- a/yara/mal_npm_supply_chain_nov25.yar
+++ b/yara/mal_npm_supply_chain_nov25.yar
@@ -3,19 +3,21 @@ rule MAL_JS_NPM_SupplyChain_Attack_Nov25 {
       description = "Detects malicious JavaScript worm bun_environment.js"
       author = "Marius Benthin"
       date = "2025-11-24"
+      modified = "2025-12-15"
       reference = "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
       hash = "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0"
       score = 80
    strings:
       $sa1 = "npm publish"
+      $sa2 = "NPM_TOKEN"
+      $sa3 = "NPM_CONFIG_TOKEN"
 
-      $sb1 = "iamcredentials"
-      $sb2 = "secretmanager"
-      $sb3 = "secretsmanager"
-      $sb4 = "-fips."
+      $sb1 = "GITHUB_"
+      $sb2 = "GITLAB_"
+      $sb3 = "TEAMCITY_"
    condition:
       filesize < 20MB
-      and $sa1
+      and all of ($sa*)
       and 2 of ($sb*)
 }
 
@@ -24,12 +26,13 @@ rule SUSP_JS_NPM_Sha1_Hulud_Nov25 {
       description = "Detects suspicious indicators for Sha1 Hulud worm"
       author = "Marius Benthin"
       date = "2025-11-24"
+      modified = "2025-12-15"
       reference = "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
       hash = "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0"
-      score = 60
+      score = 70
    strings:
-      $x1 = "Sha1-Hulud:"
-      $x2 = "SHA1HULUD"
+      $x1 = "Sha1-Hulud:\\x"
+      $x2 = "SHA1HULUD\"`"
    condition:
       filesize < 20MB
       and 1 of them
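Review bot: The new condition `all of ($sa*) and 2 of ($sb*)` keys this 80-score MAL rule entirely on strings that benign publish automation also carries: a CI helper that reads `NPM_TOKEN`/`NPM_CONFIG_TOKEN`, runs `npm publish` and inspects `GITHUB_`/`GITLAB_` variables satisfies every term, whereas the dropped `iamcredentials`/`secretmanager`/`-fips.` strings tied the match to cloud-credential harvesting. If the referenced sample still contains one of those, keep it as a third required group, e.g. `$sc1 = "secretsmanager"` with `and 1 of ($sc*)`; if it does not, the score should come down or the reason for the generic form recorded in a `//` comment above `condition:`. Whether the worm still carries those strings is not visible in the hunk and needs checking against the listed hash.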
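Review bot: `$x1 = "Sha1-Hulud:\\x"` and `$x2 = "SHA1HULUD\"`"` are now anchored on the escaped form in the minified sample — `\\x` is an escaped backslash in YARA, so a literal `\x` must follow the colon — and no longer match the plain marker that a beautified or deobfuscated copy, or the worm's repository text, would carry. Because the score was raised to 70 in the same change, the narrowing reads as deliberate FP reduction and deserves a line above `strings:` saying so, e.g. `// escaped form as found in minified bun_environment.js; plain marker dropped intentionally`. Whether the plain forms produced false positives is not visible here; if coverage of plain copies is still wanted, a separate lower-scored rule with the old strings would keep it.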
@@ -40,17 +43,21 @@ rule SUSP_JS_NPM_SetupScript_Nov25 {
       description = "Detects suspicious JavaScript which exits silently and checks operating system"
       author = "Marius Benthin"
       date = "2025-11-24"
+      modified = "2025-12-15"
       reference = "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
       hash = "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a"
       score = 70
    strings:
-      $s1 = "require('child_process')"
-      $s2 = "process.exit(0)"
-      $s3 = "process.platform ==="
-      $s4 = "().catch((e"
+      $sa1 = "require('child_process')"
+      $sa2 = "process.platform ==="
+
+      $sb1 = "().catch((e"
+      $sb2 = "process.exit(0)"
    condition:
       filesize < 100KB
-      and all of them
+      and all of ($sa*)
+      and $sb1 in (filesize - 50..filesize)
+      and $sb2 in (filesize - 30..filesize)
 }
 
 rule MAL_NPM_SupplyChain_Attack_PreInstallScript_Nov25 {

From 2dc270b6ea52227f662051cd77e13a2ecb049fbd Mon Sep 17 00:00:00 2001
From: Marius Benthin
Date: Tue, 16 Dec 2025 17:03:34 +0100
Subject: [PATCH 2/3] fix: FP on psutil tests

---
 yara/gen_powershell_invocation.yar | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/yara/gen_powershell_invocation.yar b/yara/gen_powershell_invocation.yar
index a74a36be..43c490f1 100644
--- a/yara/gen_powershell_invocation.yar
+++ b/yara/gen_powershell_invocation.yar
@@ -5,7 +5,7 @@ rule PowerShell_Susp_Parameter_Combo : HIGHVOL FILE {
       author = "Florian Roth (Nextron Systems)"
       reference = "https://goo.gl/uAic1X"
       date = "2017-03-12"
-      modified = "2022-09-15"
+      modified = "2025-12-16"
       score = 60
       id = "17c707f3-7f51-5772-9874-a96c220960a7"
    strings:
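Review bot: The tail windows in the new condition are tight enough to need a comment: `$sb2 = "process.exit(0)"` is 15 bytes, so `in (filesize - 30..filesize)` leaves about 15 bytes of slack, and a trailing `//# sourceMappingURL` comment, a license footer or a few blank lines after the exit call will push an otherwise identical setup script out of scope. If that narrowness is the intended FP fix, record it above `condition:`, e.g. `// setup.js ends with the silent exit; tail-anchoring keeps generic child_process users out`, otherwise widen the windows to something like 200 bytes. `filesize - 50` goes negative on files shorter than 50 bytes; YARA appears to tolerate a negative range start, but a `filesize > 50 and` guard makes the intent explicit and costs nothing.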
@@ -62,6 +62,7 @@ rule PowerShell_Susp_Parameter_Combo : HIGHVOL FILE {
       $fp11 = "REM " ascii
       $fp12 = "set /p " ascii
       $fp13 = "rxScan Application" wide
+      $fp14 = "psutil.tests"
       $fpa1 = "All Rights"
       $fpa2 = "
Date: Thu, 29 Jan 2026 11:35:04 +0100
Subject: [PATCH 3/3] new: Claude magic strings

---
 yara/susp_claude_magic_strings.yar | 53 ++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 yara/susp_claude_magic_strings.yar

diff --git a/yara/susp_claude_magic_strings.yar b/yara/susp_claude_magic_strings.yar
new file mode 100644
index 00000000..d7266239
--- /dev/null
+++ b/yara/susp_claude_magic_strings.yar
@@ -0,0 +1,53 @@
+rule SUSP_Claude_Refusal_Magic_String_Jan26 {
+   meta:
+      description = "Detects refusal magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents."
+      author = "Marius Benthin"
+      date = "2026-01-29"
+      reference = "https://x.com/williballenthin/status/2014687699165135150"
+      hash = "ffa48ed4b7b48897f6756c4222b2606399de0bca627cedfddf61e69986580430"
+      score = 75
+   strings:
+      $x1 = "ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_" ascii wide nocase
+   condition:
+      $x1
+}
+
+rule MAL_Claude_Refusal_Magic_String_Jan26 {
+   meta:
+      description = "Detects Base64 variations of refusal magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents."
+      author = "Marius Benthin"
+      date = "2026-01-29"
+      reference = "Internal Research"
+      score = 80
+   strings:
+      $xb1 = "ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_" ascii wide base64 base64wide
+   condition:
+      $xb1
+}
+
+rule SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_1 {
+   meta:
+      description = "Detects redacted thinking magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents."
+      author = "Marius Benthin"
+      date = "2026-01-29"
+      reference = "Internal Research"
+      hash = "ffa48ed4b7b48897f6756c4222b2606399de0bca627cedfddf61e69986580430"
+      score = 65
+   strings:
+      $x1 = "ANTHROPIC_MAGIC_STRING_TRIGGER_REDACTED_THINKING_" ascii wide nocase
+   condition:
+      $x1
+}
+
+rule SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_2 {
+   meta:
+      description = "Detects Base64 variations of redacted thinking magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents."
+      author = "Marius Benthin"
+      date = "2026-01-29"
+      reference = "Internal Research"
+      score = 75
+   strings:
+      $xb1 = "ANTHROPIC_MAGIC_STRING_TRIGGER_REDACTED_THINKING_" ascii wide base64 base64wide
+   condition:
+      $xb1
+}
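Review bot: The two Base64 rules follow different naming schemes — `MAL_Claude_Refusal_Magic_String_Jan26` at score 80 versus `SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_2` at score 75 — although both detect the same kind of evidence, an encoded magic string, and the second pair is already numbered `_1`/`_2`; pick one scheme, e.g. rename the first to `SUSP_Claude_Refusal_Magic_String_Jan26_2` and its plain-text sibling to `_1`, or give both encoded rules the `MAL_` prefix. Both `$xb1` strings carry `ascii wide` next to `base64 base64wide`; depending on how the installed YARA treats that combination the plain modifiers are either redundant or make the encoded rules also fire on the plain-text string, so a plain hit would score twice — confirm against the YARA version in use and drop `ascii wide` if the rules are meant to cover only encoded forms, as their descriptions say. The descriptions also read `magic string that cause`; `magic string that causes` in all four.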