CrowdStrike queries to look for the NPM packages compromised on 8 Sept 2025.

Credit for the queries goes to: https://www.linkedin.com/posts/m-hassoub_eventabrsimplename-activity-7371139449491058688-vx52?utm_source=share&utm_medium=member_ios&rcm=ACoAABhWx6IBSRAPTsOJbrhEkvTkvNveO7XVcOY

Linux query

// Installed-application inventory: keep the affected node-* packages, then mark the known bad versions
#event_simpleName = InstalledApplication
| AppName = /node-(ansi-styles|debug|chalk|supports-color|strip-ansi|ansi-regex|wrap-ansi|color-convert|color-name|is-arrayish|slice-ansi|color|color-string|simple-swizzle|supports-hyperlinks|has-ansi|chalk-template|backslash)$/i
| case {
AppName = /ansi-styles$/i and AppVersion = /6\.2\.2/i | Compromised := "True";
AppName = /debug$/i and AppVersion = /4\.4\.2/i | Compromised := "True";
AppName = /chalk$/i and AppVersion = /5\.6\.1/i | Compromised := "True";
AppName = /supports-color$/i and AppVersion = /10\.2\.1/i | Compromised := "True";
AppName = /strip-ansi$/i and AppVersion = /7\.1\.1/i | Compromised := "True";
AppName = /ansi-regex$/i and AppVersion = /6\.2\.1/i | Compromised := "True";
AppName = /wrap-ansi$/i and AppVersion = /9\.0\.1/i | Compromised := "True";
AppName = /color-convert$/i and AppVersion = /3\.1\.1/i | Compromised := "True";
AppName = /color-name$/i and AppVersion = /2\.0\.1/i | Compromised := "True";
AppName = /is-arrayish$/i and AppVersion = /0\.3\.3/i | Compromised := "True";
AppName = /slice-ansi$/i and AppVersion = /7\.1\.1/i | Compromised := "True";
AppName = /color$/i and AppVersion = /5\.0\.1/i | Compromised := "True";
AppName = /color-string$/i and AppVersion = /2\.1\.1/i | Compromised := "True";
AppName = /simple-swizzle$/i and AppVersion = /0\.2\.3/i | Compromised := "True";
AppName = /supports-hyperlinks$/i and AppVersion = /4\.1\.1/i | Compromised := "True";
AppName = /has-ansi$/i and AppVersion = /6\.0\.1/i | Compromised := "True";
AppName = /chalk-template$/i and AppVersion = /1\.1\.1/i | Compromised := "True";
AppName = /backslash$/i and AppVersion = /0\.2\.1/i | Compromised := "True";
// any other version of a listed package stays in the output without the Compromised field
*
}
| groupBy([ComputerName, AppName, AppVersion, Compromised, AppVendor, AppSource])

Windows query

⚠️ The Windows query requires manual validation: it only flags systems for a follow-up check and does not confirm compromise on its own. On a flagged host, run the following from the directory tree you want to check to search for the obfuscated identifier used by the malicious code: rg -u --max-columns=80 _0x112fa8

case {
  // Branch 1: a script written under a node_modules directory of one of the affected packages
  #event_simpleName=NewScriptWritten
    | TargetFileName = /node.+\\(ansi-styles|debug|chalk|supports-color|strip-ansi|ansi-regex|wrap-ansi|color-convert|color-name|is-arrayish|slice-ansi|color|color-string|simple-swizzle|supports-hyperlinks|has-ansi|chalk-template|backslash)\\/i
    | regex(field=TargetFileName, regex="node_modules\\\\(?<PackageName>.+?)\\\\");
  // Branch 2: an rg.exe search whose command line ends in "<package> ."
  #event_simpleName = ProcessRollup2
    | CommandLine = /\s(ansi-styles|debug|chalk|supports-color|strip-ansi|ansi-regex|wrap-ansi|color-convert|color-name|is-arrayish|slice-ansi|color|color-string|simple-swizzle|supports-hyperlinks|has-ansi|chalk-template|backslash)\s\.$/i
    | FileName="rg.exe"
    | regex(field=CommandLine, regex="--json -- (?<PackageName>\\S+)");
}
| ActivityPath := coalesce(TargetFileName, CommandLine)
| groupBy([ComputerName, PackageName, ActivityPath], limit=max)