Conversation

@dmeetreey

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area rules

Proposed rule maturity level

/area maturity-sandbox

What this PR does / why we need it:

Adds a new sandbox rule to detect network tools (nc, nmap, tcpdump, etc.) spawned during NPM package installations. This detects supply chain attacks where malicious packages execute preinstall/postinstall scripts to download payloads or exfiltrate data.

MITRE ATT&CK: T1195.002 (Supply Chain Compromise)

Which issue(s) this PR fixes:

N/A
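
The check described above, sketched in Python as an added example. It is not the rule from this PR, whose condition is not shown on this page. The `ExecEvent` shape, the install subcommand set, the assumption that the installer's process name is `npm`, and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass

# Tools named in the PR description; the rule's full list is not shown on this page.
NETWORK_TOOLS = {"nc", "nmap", "tcpdump"}
# Assumption: npm subcommands that run preinstall/postinstall lifecycle scripts.
INSTALL_SUBCOMMANDS = {"install", "i", "ci"}

@dataclass(frozen=True)
class ExecEvent:  # hypothetical, simplified process-exec record
    pid: int
    ppid: int
    name: str
    cmdline: str

def is_npm_install(ev):
    """True if ev is npm whose first non-flag argument is an install subcommand."""
    args = [a for a in ev.cmdline.split()[1:] if not a.startswith("-")]
    return ev.name == "npm" and bool(args) and args[0] in INSTALL_SUBCOMMANDS

def detect(events):
    """Return (pid, cmdline, npm_cmdline) for network tools under an npm install."""
    by_pid, alerts = {}, []
    for ev in events:  # events must be in chronological order
        by_pid[ev.pid] = ev
        if ev.name not in NETWORK_TOOLS:
            continue
        # Walk the ancestry; `seen` guards against pid loops in malformed data.
        seen, cur = set(), by_pid.get(ev.ppid)
        while cur and cur.pid not in seen:
            if is_npm_install(cur):
                alerts.append((ev.pid, ev.cmdline, cur.cmdline))
                break
            seen.add(cur.pid)
            cur = by_pid.get(cur.ppid)
    return alerts

# Constructed sample events (documentation addresses, made-up package name).
SAMPLE_EVENTS = [
    ExecEvent(100, 1, "npm", "npm install example-pkg"),
    ExecEvent(101, 100, "sh", "sh -c node postinstall.js"),
    ExecEvent(102, 101, "node", "node postinstall.js"),
    ExecEvent(103, 102, "nc", "nc 192.0.2.10 443"),        # under npm install
    ExecEvent(200, 1, "bash", "bash"),
    ExecEvent(201, 200, "nmap", "nmap -sn 192.0.2.0/24"),  # interactive shell
    ExecEvent(300, 1, "npm", "npm run build"),
    ExecEvent(301, 300, "tcpdump", "tcpdump -i eth0"),     # npm, but not install
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Only the `nc` process is flagged: it is the one network tool whose ancestry reaches an `npm install`, even though a shell and a `node` script sit in between.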

@poiana

poiana commented Dec 10, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dmeetreey
Once this PR has been reviewed and has the lgtm label, please assign darryk10 for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana added the area/maturity-sandbox See the Rules Maturity Framework label Dec 10, 2025
@poiana

poiana commented Dec 10, 2025

Welcome @dmeetreey! It looks like this is your first PR to falcosecurity/rules 🎉

@poiana poiana added the size/M label Dec 10, 2025
@dmeetreey dmeetreey force-pushed the feature/rule-network-tool-npm-package-install branch from 293c053 to fd4df1f Compare December 10, 2025 13:30
@dmeetreey dmeetreey force-pushed the feature/rule-network-tool-npm-package-install branch from fd4df1f to 9acbe6a Compare December 10, 2025 13:38
…stall

Signed-off-by: Dmitrij <dmitrij@linivenko.com>
@dmeetreey dmeetreey force-pushed the feature/rule-network-tool-npm-package-install branch from 9acbe6a to 075420d Compare December 10, 2025 13:42
Labels

area/maturity-sandbox See the Rules Maturity Framework area/rules dco-signoff: yes kind/feature New feature or request size/M

Projects

Status: Todo

3 participants