What happened

Credential access was detected during a supply chain operation (package installation or CI/CD pipeline execution) on host {{host}}. A process in the supply chain execution context accessed sensitive credentials, such as cloud instance metadata, Kubernetes service account tokens, or credential files, and may have exfiltrated them.

Goal

Detect when a malicious package or compromised CI/CD pipeline step steals and exfiltrates secrets. This is the most common supply chain attack pattern observed in real-world supply chain attacks, including incidents involving ua-parser-js, event-stream, and Codecov.

Strategy

This rule correlates three signal categories within package_install_* or cicd_runner_* execution contexts:

• Credential access: Processes reading cloud IMDS endpoints, Kubernetes tokens, SSH keys, or credential files during package installation or CI/CD execution
• Exfiltration: Outbound connections to known exfiltration domains, file upload by network utilities, DNS TXT queries, or file sync tools
• Persistence: Installation of cron jobs, systemd services, SSH authorized keys, kernel modules, or linker modifications

Persistence is used as a severity amplifier. Credential access combined with exfiltration and persistence indicates a comprehensive supply chain compromise.

Triage and response

1. Identify which package or CI/CD step triggered the alert by examining the correlation key and process tree.
2. Determine which credentials were accessed (cloud metadata, Kubernetes tokens, SSH keys, environment variables).
3. Rotate all potentially compromised credentials immediately.
4. Review outbound network connections for data exfiltration destinations.
5. Check if any persistence mechanisms were installed (cron jobs, systemd units, authorized keys).
6. Remove the malicious package and any artifacts it created.
7. Audit other systems that may have installed the same package or run the same CI/CD pipeline.
8. Follow your organization’s incident response process for credential compromise.