Crowdstrike queries to look for compromised NPM packages from 8 Sept 2025.

Credit to: https://www.linkedin.com/posts/m-hassoub_eventabrsimplename-activity-7371139449491058688-vx52?utm_source=share&utm_medium=member_ios&rcm=ACoAABhWx6IBSRAPTsOJbrhEkvTkvNveO7XVcOY, for the queries.

Linux query

#event_simpleName = InstalledApplication
| AppName = /node-(ansi-styles|debug|chalk|supports-color|strip-ansi|ansi-regex|wrap-ansi|color-convert|color-name|is-arrayish|slice-ansi|color|color-string|simple-swizzle|supports-hyperlinks|has-ansi|chalk-template|backslash)$/i
| case {
AppName = /ansi-styles$/i and AppVersion = /6\.2\.2/i | Compromised := "True";
AppName = /debug$/i and AppVersion = /4\.4\.2/i | Compromised := "True";
AppName = /chalk$/i and AppVersion = /5\.6\.1/i | Compromised := "True";
AppName = /supports-color$/i and AppVersion = /10\.2\.1/i | Compromised := "True";
AppName = /strip-ansi$/i and AppVersion = /7\.1\.1/i | Compromised := "True";
AppName = /ansi-regex$/i and AppVersion = /6\.2\.1/i | Compromised := "True";
AppName = /wrap-ansi$/i and AppVersion = /9\.0\.1/i | Compromised := "True";
AppName = /color-convert$/i and AppVersion = /3\.1\.1/i | Compromised := "True";
AppName = /color-name$/i and AppVersion = /2\.0\.1/i | Compromised := "True";
AppName = /is-arrayish$/i and AppVersion = /0\.3\.3/i | Compromised := "True";
AppName = /slice-ansi$/i and AppVersion = /7\.1\.1/i | Compromised := "True";
AppName = /color$/i and AppVersion = /5\.0\.1/i | Compromised := "True";
AppName = /color-string$/i and AppVersion = /2\.1\.1/i | Compromised := "True";
AppName = /simple-swizzle$/i and AppVersion = /0\.2\.3/i | Compromised := "True";
AppName = /supports-hyperlinks$/i and AppVersion = /4\.1\.1/i | Compromised := "True";
AppName = /has-ansi$/i and AppVersion = /6\.0\.1/i | Compromised := "True";
AppName = /chalk-template$/i and AppVersion = /1\.1\.1/i | Compromised := "True";
AppName = /backslash$/i and AppVersion = /0\.2\.1/i | Compromised := "True";
*
}
| groupBy([ComputerName, AppName, AppVersion, Compromised, AppVendor, AppSource])

Windows query

⚠️ Windows requires manual validation! The query flags systems for a follow-up check. On a flagged host, run this to find the malicious code signature: rg -u --max-columns=80 _0x112fa8

case {
  #event_simpleName=NewScriptWritten
    | TargetFileName = /node.+\\(ansi-styles|debug|chalk|supports-color|strip-ansi|ansi-regex|wrap-ansi|color-convert|color-name|is-arrayish|slice-ansi|color|color-string|simple-swizzle|supports-hyperlinks|has-ansi|chalk-template|backslash)\\/i
    | regex(field=TargetFileName, regex="node_modules\\\\(?<PackageName>.+?)\\\\");
  #event_simpleName = ProcessRollup2
    | CommandLine = /\s(ansi-styles|debug|chalk|supports-color|strip-ansi|ansi-regex|wrap-ansi|color-convert|color-name|is-arrayish|slice-ansi|color|color-string|simple-swizzle|supports-hyperlinks|has-ansi|chalk-template|backslash)\s\.$/i
    | FileName="rg.exe"
    | regex(field=CommandLine, regex="--json -- (?<PackageName>\\S+)");
}
| ActivityPath := coalesce(TargetFileName, CommandLine)
| groupBy([ComputerName, PackageName, ActivityPath], limit=max)