T1059.007 JavaScript
T1059.007 — JavaScript is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 145 detection use cases covering it and 92 threat-intel articles citing it.
Execution
145 Use cases
92 Articles
0 Sub-techniques
1 Tactic
↑ Parent technique: T1059 · Command and Scripting Interpreter
Use cases covering this technique (145)
[WEEKLY] Developer/AI tooling runtime spawns shell or egress LOLBin (unauth RCE post-expl)
[WEEKLY] Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint
[WEEKLY] Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains
[WEEKLY] Developer package install spawning script-host with non-registry C2 within 5 minutes
[WEEKLY] Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain
[WEEKLY] Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress
[WEEKLY] npm-install spawned process performing cred-file fan-out plus IMDS reach
[WEEKLY] npm Install-Time Lifecycle Hook Triggers Outbound Egress to Newly-Seen Domain (Shai-Hulud/Miasma/IronWorm pattern)
[WEEKLY] npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules
[WEEKLY] Package install lifecycle hook spawns interpreter that reads developer credential stores
[WEEKLY] Package-install lifecycle script harvests local credentials and beacons to a non-baselined domain
[WEEKLY] Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain)
[WEEKLY] Package-manager install hook spawns interpreter that beacons to non-registry host within 120s
[WEEKLY] Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry
[WEEKLY] Package-Manager Install -> Interpreter Child -> Non-Registry Egress Within 5 Minutes
[WEEKLY] Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes
[WEEKLY] Package-manager install-time interpreter spawn with credential-file read and outbound egress within 120s
[WEEKLY] Package manager lifecycle hook spawns network-fetching shell or runtime
[WEEKLY] Package manager lifecycle hook spawns runtime with outbound egress to non-registry host within 5 minutes
[WEEKLY] Package manager spawns network-fetching child to public code-hosting within minutes of install
[WEEKLY] Script Interpreter or Package-Install Hook Egress to Free-Tier Edge SaaS Within 5 Minutes of Process Start
[WEEKLY] Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain
Jscript Execution Using Cscript App
MS Scripting Process Loading Ldap Module
MS Scripting Process Loading WMI Module
Windows Cmdline Tool Execution From Non-Shell Process
Windows GrimResource - MMC Process Accessing APDS DLL
Cmdline Tool Not Executed In CMD Shell
[LLM] Shai-Hulud bundle.js — known-bad SHA256 written to disk
[LLM] AI coding agent (Claude Code / Cursor / Codex) spawning shell that fetch-and-executes remote payload
[LLM] Phantom Gyp: small binding.gyp written into node_modules during npm install
[LLM] VS Code/Cursor/Claude/Gemini spawns interpreter referencing folderOpen or SessionStart hook script
[LLM] Bun runtime egress to npm/PyPI publish endpoints or attacker-controlled GitHub repos
[LLM] npm/node install-time spawn downloads Bun runtime (Shai-Hulud worm pattern)
[LLM] Miasma worm GitHub commit-search C2 magic strings on command line or script
[LLM] Baileys messages.upsert event carrying a requestId field (exploit signature)
[LLM] Bun runtime executed from temp directory by Python interpreter (Hades vF203 loader)
[LLM] node.exe spawned by Code/Cursor/Claude/Gemini executing .github/setup.js
[LLM] Bun or Node runtime spawned by Python package manager (Miasma stealer bootstrap)
[LLM] Miasma Phantom Gyp: python.exe (gyp parser) spawning node index.js during npm install
[LLM] Python interpreter downloading Bun runtime ZIP from oven-sh GitHub release
[LLM] Claude Code Action Read tool exfil: node opens /proc/<pid>/environ on Linux CI runner
[LLM] DbGate loadReader functionName code injection (CVE-2026-47670)
[LLM] DbGate CVE-2026-47668 — Node.js runner spawning shell/LOLBin children for egress
[LLM] DbGate exploit web request — POST /runners/start or /runners/load-reader with child_process injection
[LLM] Bun runtime spawned by npm/node preinstall hook (TeamPCP setup.mjs loader)
[LLM] AVideo YPTSocket plugin XSS injection via webSocketSelfURI/page_title query strings
[LLM] Bun runtime spawned via node→shell→bun chain from npm install (Miasma dropper)
[LLM] npm/node lifecycle script fetching Bun runtime from github.com/oven-sh/bun
[LLM] Malicious @bitwarden/cli payload artifacts on disk (bw_setup.js, bw1.js, Shai-Hulud markers)
[LLM] npm preinstall hook executing oversized node index.js from @redhat-cloud-services package
[LLM] Bun spawned from npm install context executing /tmp/p*.js implant
[LLM] Nx Console v18.95.0 Malicious Payload Bootstrap via Orphan Commit (npx github:nrwl/nx#558b09d7)
[LLM] npm install of dependency-confusion scoped packages (moika.tech actor)
[LLM] node.exe spawns detached child from tmpdir after npm install (moika.tech dropper)
[LLM] vm2 vulnerable version inventory (CVE-2026-47140) — NodeVM denylist bypass surface
[LLM] Node.js process spawning native shell / interpreter — post-vm2-escape host execution
[LLM] vm2 NodeVM denylist bypass PoC strings — getBuiltinModule + inspector/promises
[LLM] Vulnerable vm2 package (<=3.11.3) present on host — CVE-2026-47137 exposure surface
[LLM] Vulnerable vm2 package (<=3.11.3) present on endpoints — CVE-2026-47208 exposure
[LLM] node.exe spawning child_process targets — vm2 Promise species sandbox escape post-exploitation
[LLM] vm2 Promise species sandbox escape PoC fingerprint in scripts/command lines
[LLM] vm2 sandbox-escape PoC strings observed in inbound HTTP request body / WAF
[LLM] vpmdhaj typosquat npm package install via preinstall hook (node child of npm)
[LLM] npm/yarn/pnpm postinstall hook spawning credential-harvest tooling
[LLM] Trojanized axios npm package postinstall: node.exe spawned from plain-crypto-js dependency
[LLM] Yamcs MdbOverrideApi algorithm PATCH carrying Nashorn Java.type RCE payload
[LLM] npm/pnpm install of trojanized codexui-android package on developer endpoint
[LLM] LiquidJS SSTI gadget tokens in inbound HTTP (CVE-2026-45618)
[LLM] Compromised @cap-js stealer artefact hash present on disk or in execution
[LLM] Nx Console v18.95.0 compromised extension installed (May 2026 supply-chain attack)
[LLM] TamperedChef scheduled-task persistence via task.xml + obfuscated JS (appsuite-print.js)
[LLM] TeamPCP Nx Console payload SHA256 hash match on developer endpoints
[LLM] VS Code child process fetching payload from nrwl/nx orphan commit (Nx Console v18.95.0 dropper)
[LLM] Inbound HTTP request to GlassFish gadget.jsf handler (CVE-2026-2587 exploit attempt)
[LLM] Postinstall script execution from compromised @opensearch-project/opensearch package
[LLM] bun runtime executed on CI runner spawning python3 with sudo escalation
[LLM] Compromised node-ipc.cjs bundle write (~117KB) under node_modules
[LLM] Mini Shai-Hulud npm preinstall hook spawning bun runtime
[LLM] node-ipc stealer __ntw=1 environment marker in process command line
[LLM] sanitize-html xmp-tag XSS payload (CVE-2026-44990) in inbound HTTP request
[LLM] n8n workflow API request body containing JS prototype pollution tokens (CVE-2026-44789)
[LLM] FlowiseAI POST /api/v1/node-custom-function with NodeVM Sandbox-Escape Payload (CVE-2026-46442)
[LLM] CVE-2026-8178 exploit attempt: Redshift JDBC URL with class-loading parameter (socketFactory/sslfactory/sslhostnameverifier/sslpasswordcallb
[LLM] FrostyNeighbor JS dropper self-relaunch with --update flag
[LLM] PicassoLoader scheduled-task creation by wscript/cscript after C2 XML fetch
[LLM] TeamPCP Mini Shai-Hulud stealer payload hash match (SHA256/SHA1)
[LLM] Bun spawned with tanstack_runner.js via npm prepare lifecycle (Mini Shai-Hulud)
[LLM] Mini Shai-Hulud Wave 4 (TanStack/TeamPCP) worm payload file created in node_modules
[LLM] Shai-Hulud npm preinstall: node spawns Bun runtime from bun-dl-* tmpdir
[LLM] Shai-Hulud known-bad setup.mjs / execution.js SHA256 hash match
[LLM] Bun runtime fetched from github.com/oven-sh/bun during npm install (Bitwarden CLI hijack)
[LLM] Known-malicious bw_setup.js / bw1.js SHA256 dropped under @bitwarden/cli
[LLM] Mini Shai-Hulud: Bun runtime executing `router_runtime.js` (2nd-stage stealer)
[LLM] npm preinstall hook executes 'node setup.mjs' / 'bun execution.js' (Mini Shai-Hulud SAP supply chain)
[LLM] Mini Shai-Hulud known SHA256 IOC match (setup.mjs / execution.js / runner-memory dumper)
[LLM] Malicious tanstack npm postinstall hook executing postinstall.cjs
[LLM] Mini Shai-Hulud npm preinstall chain: node setup.mjs → bun execution.js
[LLM] Mailcow Autodiscover endpoint receives unauthenticated XSS payload (GHSA-f9xf-vc72-rcgm)
[LLM] Mailcow quarantine XSS via EICAR + HTML in attachment filename (GHSA-2xjc-rg88-jvpp)
[LLM] Mailcow login with HTML/JS injected into X-Real-IP header (GHSA-jprq-w83q-q62h)
[LLM] Shai-Hulud 2.0 npm worm artifact: setup_bun.js / bun_environment.js dropped by node/npm
[LLM] Shai-Hulud preinstall: node/npm spawning git/curl/gh pushing to attacker repo or GitHub API
[LLM] npm postinstall node setup.js dropper executing from plain-crypto-js with immediate network egress
[LLM] npm postinstall chain installs malicious 'openclaw' global package (cline@2.3.0 supply-chain IOC)
[LLM] GlassWorm Zig dropper native node addon (win.node/mac.node) written to IDE extension bin/ folder
[LLM] Hoppscotch Mock Server stored XSS via GraphQL updateRESTUserRequest content-type override
[LLM] npm postinstall hook spawning node init.js or child.js (React Native attack pattern)
[LLM] ForceMemo: init.json persistence file or i.js loader dropped by Python in user home root
[LLM] GlassWorm Stage-3 RAT installation under %APPDATA%\QtCvyfVWKH\index.js
[LLM] Four-way node.exe -e fanout spawned from VSCode shell descendants (BlokTrooper stage-2)
[LLM] GlassWorm Mar 2026 wave — compromised npm/VS Code package artifacts on disk
[LLM] GlassWorm invisible-Unicode decoder signature (variation-selector eval loader) in process cmdline
[LLM] DRILLAPP: Edge launched headless with media/security guardrails disabled
[LLM] DRILLAPP variant 2: Edge launched with --remote-debugging-port=9222 for CDP-based file download
[LLM] Storybook WebSocket XSS/RCE — malicious .stories file written to src/stories (CVE-2026-27148)
[LLM] Installation of unauthorized cline@2.3.0 npm package on developer endpoints
[LLM] Installation of sidoraress malicious npm packages (json-bigint-extend/jsonfb/jsonfx)
[LLM] s1ngularity Nx postinstall — `gh auth token` spawned by node/npm on CI runner
[LLM] Install of Qix-compromised npm package@version (chalk 5.6.1, debug 4.4.2, ansi-styles 6.2.2 et al.)
[LLM] Inventory: @kilocode/cli v1.0.0-v1.0.3 affected-release install on dev workstations
[LLM] npm/yarn/pnpm postinstall: Node child egressing to non-registry public host
[LLM] Scavenger npm supply chain: rundll32 executing node-gyp.dll from node_modules (CVE-2025-54313)
[LLM] npx invocation of known phantom package names disclosed by Aikido
[LLM] VS Code (Code.exe/node) drops payload to %TEMP%\Lightshot staging directory
[LLM] G_Wagon dropper: node.exe spawns system tar.exe extracting from stdin (-x -f - -C)
[LLM] Compromised npm package @vietmoney/react-big-calendar@0.26.2 installation (Shai-Hulud 3.0)
[LLM] npm/yarn/pnpm/bun lifecycle hook spawning shell or network LOLBin
[LLM] Sha1-Hulud npm Worm — Egress to bun.sh / oss.trufflehog.org / keychecker.trufflesecurity.com from npm/node context
[LLM] Sha1-Hulud npm Worm — Drop of setup_bun.js / bun_environment.js / discussion.yaml by node or shell
[LLM] Bun/Node executing the Sha1-Hulud worm payload (setup_bun.js / bun_environment.js)
[LLM] rundll32.exe spawned by Node/npm loading node-gyp.dll or crashreporter.dll (CVE-2025-54313)
[LLM] Anomalous POST to Next.js Server Action / RSC endpoint with 5xx error clustering
[LLM] SHA1-Hulud worm payload execution via npm preinstall (setup_bun.js / bun_environment.js)
[LLM] IndonesianFoods npm spam package install on developer/CI endpoint
[LLM] IndonesianFoods auto-publish artifact (auto.js / publishScript.js) dropped in node_modules
[LLM] Installation or presence of malicious postmark-mcp npm package (v1.0.16+)
[LLM] Shai-Hulud bundle.js postinstall payload by known SHA256 hash
[LLM] TruffleHog secret-scanner executed by node/npm postinstall context
[LLM] Install / lockfile mention of the 28 compromised Qix-campaign package@versions
[LLM] Node/npm postinstall spawning AI coding agent CLI (s1ngularity execution chain)
[LLM] rundll32.exe loading node-gyp.dll dropped by Scavenger-infected npm postinstall (CVE-2025-54313)
[LLM] Browser/proxy fetch of compromised @lottiefiles/lottie-player from unpkg or jsDelivr CDN
[LLM] npm/yarn/pnpm install of himanshutester002 suspicious aliased packages (string-width-cjs et al)
[LLM] Jinja2 xmlattr XSS exploitation attempt in HTTP request parameters (CVE-2024-22195)

Articles citing this technique (92)
high Miasma and Hades Are Spreading Now: Detect Them on Developer Machines with Suspicious Files art-45
crit [GHSA / CRITICAL] GHSA-jpvj-wpmj-h7rv: Supply chain compromise via malicious @cap-js/openapi art-123
crit [GHSA / CRITICAL] CVE-2026-47208: vm2 is Vulnerable to Sandbox Breakout Through Promise Species art-176
high GitHub breached via a malicious VS Code extension: why developer devices are the real target art-238
crit Malicious node-ipc versions published to npm in suspected maintainer account compromise art-284
crit [GHSA / CRITICAL] CVE-2026-44789: n8n: HTTP Request Node Pagination Prototype Pollution to RCE art-301
crit Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack art-315
high "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages art-348
crit ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push art-434
crit Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories art-468
high DRILLAPP: new backdoor targeting Ukrainian entities with possible links to Laundry Bear art-470
high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537
high How Harden Runner Detected the Sha1-Hulud Supply Chain Attack in CNCF's Backstage Repository art-652