PUA - TruffleHog Execution - Linux

Original Source: [Sigma source]
Title: PUA - TruffleHog Execution - Linux
Status: experimental
Description: Detects execution of TruffleHog, a tool used to search for secrets across platforms such as Git, Jira, Slack and SharePoint, which could be used maliciously. While it is a legitimate tool intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
References:
  - https://github.com/trufflesecurity/trufflehog
  - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-09-24
Modified: None
Tags:
  - 'attack.discovery'
  - 'attack.credential-access'
  - 'attack.t1083'
  - 'attack.t1552.001'
Logsource:
  category: process_creation
  product: linux
Detection:
  selection_img:
    Image|endswith: '/trufflehog'
  selection_cli_platform:
    CommandLine|contains:
      - ' docker --image '
      - ' Git '
      - ' GitHub '
      - ' Jira '
      - ' Slack '
      - ' Confluence '
      - ' SharePoint '
      - ' s3 '
      - ' gcs '
  selection_cli_verified:
    CommandLine|contains: ' --results=verified'
  condition: selection_img or all of selection_cli_*
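To make the condition concrete, the following is an added Python implementation of the rule's matching logic (it is not part of the Sigma rule, the Sigma project or TruffleHog) applied to a few constructed process_creation events. The field names `Image` and `CommandLine` and the match values are taken from the rule above; the sample paths and command lines are invented. Sigma string matching is case-insensitive by default, so the comparison lowercases both sides.

```python
"""Reference evaluation of 'PUA - TruffleHog Execution - Linux' (added example)."""
from typing import Dict, List

# Match values copied from the rule. Sigma compares strings case-insensitively
# by default, so every check below lowercases both the value and the field.
IMAGE_ENDSWITH = "/trufflehog"
PLATFORM_KEYWORDS = [
    " docker --image ", " Git ", " GitHub ", " Jira ", " Slack ",
    " Confluence ", " SharePoint ", " s3 ", " gcs ",
]
VERIFIED_FLAG = " --results=verified"


def selection_img(event: Dict[str, str]) -> bool:
    """Image|endswith: '/trufflehog'"""
    return event.get("Image", "").lower().endswith(IMAGE_ENDSWITH)


def selection_cli_platform(event: Dict[str, str]) -> bool:
    """CommandLine|contains: any of the platform keywords."""
    cli = event.get("CommandLine", "").lower()
    return any(kw.lower() in cli for kw in PLATFORM_KEYWORDS)


def selection_cli_verified(event: Dict[str, str]) -> bool:
    """CommandLine|contains: ' --results=verified'"""
    return VERIFIED_FLAG.lower() in event.get("CommandLine", "").lower()


def matches(event: Dict[str, str]) -> bool:
    """condition: selection_img or all of selection_cli_*"""
    cli_branch = selection_cli_platform(event) and selection_cli_verified(event)
    return selection_img(event) or cli_branch


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Return one verdict per event, in input order."""
    return [matches(e) for e in events]


# Constructed process_creation events (made up for this example, not telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Binary name matches selection_img; arguments are irrelevant.
    {"Image": "/usr/local/bin/trufflehog",
     "CommandLine": "trufflehog git file://. --only-verified"},
    # Renamed binary: only the command-line branch can fire, and it does,
    # because a platform keyword and the verified flag are both present.
    {"Image": "/tmp/.cache/th",
     "CommandLine": "th github --org=example-org --results=verified --json"},
    # Renamed binary with a platform keyword but no '--results=verified':
    # 'all of selection_cli_*' is not satisfied, so no alert.
    {"Image": "/tmp/.cache/th",
     "CommandLine": "th github --org=example-org"},
    # Ordinary git usage: ' git ' (with surrounding spaces) never appears.
    {"Image": "/usr/bin/git",
     "CommandLine": "git push origin main"},
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'ignore'}  {event['CommandLine']}")
```

The second and third samples show why the rule pairs the platform keywords with `--results=verified` instead of alerting on either alone: the image check covers the normal install path, while the command-line branch only fires when both the target platform and the verified-results flag are present, which keeps the `all of` branch quiet for generic mentions of `github` or `git` in other tools' arguments. The leading and trailing spaces in the keywords matter for the same reason; they require the platform name to appear as a standalone argument.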
Falsepositives:
  - Legitimate use of TruffleHog by security teams or developers.
Level: medium