[pull] master from Neo23x0:master

yara/gen_powershell_invocation.yar

@@ -5,7 +5,7 @@ rule PowerShell_Susp_Parameter_Combo : HIGHVOL FILE {
       author = "Florian Roth (Nextron Systems)"
       reference = "https://goo.gl/uAic1X"
       date = "2017-03-12"
-      modified = "2022-09-15"
+      modified = "2025-12-16"
       score = 60
       id = "17c707f3-7f51-5772-9874-a96c220960a7"
    strings:
@@ -62,6 +62,7 @@ rule PowerShell_Susp_Parameter_Combo : HIGHVOL FILE {
       $fp11 = "REM " ascii
       $fp12 = "set /p " ascii
       $fp13 = "rxScan Application" wide
+      $fp14 = "psutil.tests"
 
       $fpa1 = "All Rights"
       $fpa2 = "<html"
@@ -73,4 +74,4 @@ rule PowerShell_Susp_Parameter_Combo : HIGHVOL FILE {
       $fpa7 = "COPYRIGHT"
    condition:
       filesize < 3000KB and 4 of ($s*) and not 1 of ($fp*) and uint32be(0) != 0x456C6646 /* EVTX - we don't wish to mix the entries together */
-}
+}

yara/mal_npm_supply_chain_nov25.yar

@@ -3,19 +3,21 @@ rule MAL_JS_NPM_SupplyChain_Attack_Nov25 {
       description = "Detects malicious JavaScript worm bun_environment.js"
       author = "Marius Benthin"
       date = "2025-11-24"
+      modified = "2025-12-15"
       reference = "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
       hash = "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0"
       score = 80
    strings:
       $sa1 = "npm publish"
+      $sa2 = "NPM_TOKEN"
+      $sa3 = "NPM_CONFIG_TOKEN"
 
-      $sb1 = "iamcredentials"
-      $sb2 = "secretmanager"
-      $sb3 = "secretsmanager"
-      $sb4 = "-fips."
+      $sb1 = "GITHUB_"
+      $sb2 = "GITLAB_"
+      $sb3 = "TEAMCITY_"
    condition:
       filesize < 20MB
-      and $sa1
+      and all of ($sa*)
       and 2 of ($sb*)
 }
 
@@ -24,12 +26,13 @@ rule SUSP_JS_NPM_Sha1_Hulud_Nov25 {
       description = "Detects suspicious indicators for Sha1 Hulud worm"
       author = "Marius Benthin"
       date = "2025-11-24"
+      modified = "2025-12-15"
       reference = "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
       hash = "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0"
-      score = 60
+      score = 70
    strings:
-      $x1 = "Sha1-Hulud:"
-      $x2 = "SHA1HULUD"
+      $x1 = "Sha1-Hulud:\\x"
+      $x2 = "SHA1HULUD\"`"
    condition:
       filesize < 20MB
       and 1 of them
@@ -40,17 +43,21 @@ rule SUSP_JS_NPM_SetupScript_Nov25 {
       description = "Detects suspicious JavaScript which exits silently and checks operating system"
       author = "Marius Benthin"
       date = "2025-11-24"
+      modified = "2025-12-15"
       reference = "https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"
       hash = "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a"
       score = 70
    strings:
-      $s1 = "require('child_process')"
-      $s2 = "process.exit(0)"
-      $s3 = "process.platform ==="
-      $s4 = "().catch((e"
+      $sa1 = "require('child_process')"
+      $sa2 = "process.platform ==="
+
+      $sb1 = "().catch((e"
+      $sb2 = "process.exit(0)"
    condition:
       filesize < 100KB
-      and all of them
+      and all of ($sa*)
+      and $sb1 in (filesize - 50..filesize)
+      and $sb2 in (filesize - 30..filesize)
 }
 
 rule MAL_NPM_SupplyChain_Attack_PreInstallScript_Nov25 {

yara/susp_claude_magic_strings.yar

@@ -0,0 +1,53 @@
+rule SUSP_Claude_Refusal_Magic_String_Jan26 {
+   meta:
+      description = "Detects refusal magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents."
+      author = "Marius Benthin"
+      date = "2026-01-29"
+      reference = "https://x.com/williballenthin/status/2014687699165135150"
+      hash = "ffa48ed4b7b48897f6756c4222b2606399de0bca627cedfddf61e69986580430"
+      score = 75
+   strings:
+      $x1 = "ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_" ascii wide nocase
+   condition:
+      $x1
+}
+
+rule MAL_Claude_Refusal_Magic_String_Jan26 {
+   meta:
+      description = "Detects Base64 variations of refusal magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents."
+      author = "Marius Benthin"
+      date = "2026-01-29"
+      reference = "Internal Research"
+      score = 80
+   strings:
+      $xb1 = "ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_" ascii wide base64 base64wide
+   condition:
+      $xb1
+}
+
+rule SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_1 {
+   meta:
+      description = "Detects redacted thinking magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents."
+      author = "Marius Benthin"
+      date = "2026-01-29"
+      reference = "Internal Research"
+      hash = "ffa48ed4b7b48897f6756c4222b2606399de0bca627cedfddf61e69986580430"
+      score = 65
+   strings:
+      $x1 = "ANTHROPIC_MAGIC_STRING_TRIGGER_REDACTED_THINKING_" ascii wide nocase
+   condition:
+      $x1
+}
+
+rule SUSP_Claude_Redacted_Thinking_Magic_String_Jan26_2 {
+   meta:
+      description = "Detects Base64 variations of redacted thinking magic string that cause Claude sessions to be terminated. This might indicate that a file tries to prevent being analyzed by LLM agents."
+      author = "Marius Benthin"
+      date = "2026-01-29"
+      reference = "Internal Research"
+      score = 75
+   strings:
+      $xb1 = "ANTHROPIC_MAGIC_STRING_TRIGGER_REDACTED_THINKING_" ascii wide base64 base64wide
+   condition:
+      $xb1
+}