From e7af1929c08ea49d4afb0df7e01199c043a5984f Mon Sep 17 00:00:00 2001 From: LYH Date: Fri, 15 May 2026 20:49:08 +0900 Subject: [PATCH 1/5] =?UTF-8?q?feat(cso):=20Phase=208=20Tier=203=20?= =?UTF-8?q?=E2=80=94=20mini-shai-hulud=20campaign=20rules=20(comprehensive?= =?UTF-8?q?=20mode)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds 4 detection rules for the 2026-05-11 npm/PyPI supply chain campaign (GHSA-g7cv-rxg3-hmpx / CVE-2026-45321) into Phase 8 (Skill Supply Chain). - R7 (Claude Code settings hook injection — /proc/*/mem read pattern) - R8 (obfuscated payload heuristic — _0x patterns + crypto-decode) - R9 (auto-run persistence bridge — manifest-undeclared file referenced by hook or tasks.json runOn: folderOpen) - R12 (Session-protocol C2 deny-list — executable context only) All rules surface only under /cso --comprehensive with TENTATIVE marking; daily mode's 8/10 zero-noise contract is preserved. Closes Phase 8 gaps for IDE-config infection vectors that the existing generic-pattern matching (curl/wget/exfiltrat/IGNORE PREVIOUS) does not catch. No new skill, no new phase, no scope-flag changes (per #1011). --- cso/SKILL.md | 14 ++++++++++++++ cso/SKILL.md.tmpl | 14 ++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/cso/SKILL.md b/cso/SKILL.md index fe12df74e3..8ba3e8641a 100644 --- a/cso/SKILL.md +++ b/cso/SKILL.md @@ -1054,6 +1054,20 @@ If approved, run the same Grep patterns on globally installed skill files and ch **FP rules:** gstack's own skills are trusted (check if skill path resolves to a known repo). Skills that use `curl` for legitimate purposes (downloading tools, health checks) need context — only flag when the target URL is suspicious or when the command includes credential variables. +**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected. Rules below detect the 2026-05-11 "mini-shai-hulud" npm/PyPI supply chain campaign (GHSA-g7cv-rxg3-hmpx / CVE-2026-45321). + +**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; this is the exact technique used to extract the GitHub Actions Runner OIDC token in the campaign. + +**R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Matches the campaign's obfuscation + runtime-decrypt signature; minified bundles fail the `_0x` half, sourcemap-inline output fails both halves. + +**R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` via `node|bun|python3?|bash|sh ` or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not declared in `package.json` `files`, the npm tarball, or any lockfile `integrity` hash; (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. + +**R12** — Strings `filev2.getsession.org` or `seed{1,2,3}.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. + +**Tier 3 FP guards:** +- gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above). +- R9 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field. + ### Phase 9: OWASP Top 10 Assessment For each OWASP category, perform targeted analysis. Use the Grep tool for all searches — scope file extensions to detected stacks from Phase 0. diff --git a/cso/SKILL.md.tmpl b/cso/SKILL.md.tmpl index 2f849ee006..493bc321d8 100644 --- a/cso/SKILL.md.tmpl +++ b/cso/SKILL.md.tmpl @@ -302,6 +302,20 @@ If approved, run the same Grep patterns on globally installed skill files and ch **FP rules:** gstack's own skills are trusted (check if skill path resolves to a known repo). Skills that use `curl` for legitimate purposes (downloading tools, health checks) need context — only flag when the target URL is suspicious or when the command includes credential variables. +**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected. Rules below detect the 2026-05-11 "mini-shai-hulud" npm/PyPI supply chain campaign (GHSA-g7cv-rxg3-hmpx / CVE-2026-45321). + +**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; this is the exact technique used to extract the GitHub Actions Runner OIDC token in the campaign. + +**R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Matches the campaign's obfuscation + runtime-decrypt signature; minified bundles fail the `_0x` half, sourcemap-inline output fails both halves. + +**R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` via `node|bun|python3?|bash|sh ` or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not declared in `package.json` `files`, the npm tarball, or any lockfile `integrity` hash; (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. + +**R12** — Strings `filev2.getsession.org` or `seed{1,2,3}.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. + +**Tier 3 FP guards:** +- gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above). +- R9 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field. + ### Phase 9: OWASP Top 10 Assessment For each OWASP category, perform targeted analysis. Use the Grep tool for all searches — scope file extensions to detected stacks from Phase 0. From f37737bf49284ad90e79a0ef0af2a93246672c40 Mon Sep 17 00:00:00 2001 From: LYH Date: Fri, 15 May 2026 20:55:02 +0900 Subject: [PATCH 2/5] fix(cso): R12 expand seed{1,2,3} brace shorthand to literal hostnames A static-string IOC match against the shell brace expression seed{1,2,3}.getsession.org would search for that exact 25-char string and miss the actual hosts (seed1.getsession.org, seed2.getsession.org, seed3.getsession.org). Spell them out so comprehensive-mode Grep hits the real campaign infrastructure. --- cso/SKILL.md | 2 +- cso/SKILL.md.tmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cso/SKILL.md b/cso/SKILL.md index 8ba3e8641a..80893b8443 100644 --- a/cso/SKILL.md +++ b/cso/SKILL.md @@ -1062,7 +1062,7 @@ If approved, run the same Grep patterns on globally installed skill files and ch **R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` via `node|bun|python3?|bash|sh ` or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not declared in `package.json` `files`, the npm tarball, or any lockfile `integrity` hash; (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. -**R12** — Strings `filev2.getsession.org` or `seed{1,2,3}.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. +**R12** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. **Tier 3 FP guards:** - gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above). diff --git a/cso/SKILL.md.tmpl b/cso/SKILL.md.tmpl index 493bc321d8..7d48d563be 100644 --- a/cso/SKILL.md.tmpl +++ b/cso/SKILL.md.tmpl @@ -310,7 +310,7 @@ If approved, run the same Grep patterns on globally installed skill files and ch **R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` via `node|bun|python3?|bash|sh ` or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not declared in `package.json` `files`, the npm tarball, or any lockfile `integrity` hash; (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. -**R12** — Strings `filev2.getsession.org` or `seed{1,2,3}.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. +**R12** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. **Tier 3 FP guards:** - gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above). From eb7eadd7347ab70640310abe65f1801563208db4 Mon Sep 17 00:00:00 2001 From: LYH Date: Fri, 15 May 2026 21:02:56 +0900 Subject: [PATCH 3/5] chore(cso): drop campaign-specific references from Tier 3 prose MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SKILL.md is executable prompt code, not documentation — campaign attribution belongs in commit history and PR description, not in the timeless rule definitions. R7 rationale generalized; Tier 3 intro pruned of the campaign citation. Rule behavior unchanged. --- cso/SKILL.md | 4 ++-- cso/SKILL.md.tmpl | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cso/SKILL.md b/cso/SKILL.md index 80893b8443..adaf0381ac 100644 --- a/cso/SKILL.md +++ b/cso/SKILL.md @@ -1054,9 +1054,9 @@ If approved, run the same Grep patterns on globally installed skill files and ch **FP rules:** gstack's own skills are trusted (check if skill path resolves to a known repo). Skills that use `curl` for legitimate purposes (downloading tools, health checks) need context — only flag when the target URL is suspicious or when the command includes credential variables. -**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected. Rules below detect the 2026-05-11 "mini-shai-hulud" npm/PyPI supply chain campaign (GHSA-g7cv-rxg3-hmpx / CVE-2026-45321). +**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected. -**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; this is the exact technique used to extract the GitHub Actions Runner OIDC token in the campaign. +**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes. **R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Matches the campaign's obfuscation + runtime-decrypt signature; minified bundles fail the `_0x` half, sourcemap-inline output fails both halves. diff --git a/cso/SKILL.md.tmpl b/cso/SKILL.md.tmpl index 7d48d563be..1dea5ce659 100644 --- a/cso/SKILL.md.tmpl +++ b/cso/SKILL.md.tmpl @@ -302,9 +302,9 @@ If approved, run the same Grep patterns on globally installed skill files and ch **FP rules:** gstack's own skills are trusted (check if skill path resolves to a known repo). Skills that use `curl` for legitimate purposes (downloading tools, health checks) need context — only flag when the target URL is suspicious or when the command includes credential variables. -**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected. Rules below detect the 2026-05-11 "mini-shai-hulud" npm/PyPI supply chain campaign (GHSA-g7cv-rxg3-hmpx / CVE-2026-45321). +**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected. -**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; this is the exact technique used to extract the GitHub Actions Runner OIDC token in the campaign. +**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes. **R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Matches the campaign's obfuscation + runtime-decrypt signature; minified bundles fail the `_0x` half, sourcemap-inline output fails both halves. From 0eebbbf247142f6fdeb5120d5c8d1e28fac421c5 Mon Sep 17 00:00:00 2001 From: LYH Date: Fri, 15 May 2026 21:25:20 +0900 Subject: [PATCH 4/5] refactor(cso): tighten Tier 3 rules per third-pass review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - R7/R9: replace "user-global equivalents" shorthand with explicit ~/.claude/settings.json and ~/.claude/settings.local.json paths - R8: drop "Matches the campaign's obfuscation" prose (campaign-specific decoration) and rewrite the FP rationale as instruction - R9 (a): add node --require and node -e to the interpreter invocation patterns (covers indirect-require evasion) - R9 (b): replace ambiguous "lockfile integrity hash" with "installed locked-package artifacts" — lockfile integrity is per-package, not per-file, so the previous wording invited reviewer confusion Rule trigger surface unchanged for R7 (mem-read) and R12 (Session domains in executable context). R8's matching condition is unchanged (_0x density + crypto-decode call). R9 gains two indirect invocation patterns and clarified manifest wording. --- cso/SKILL.md | 6 +++--- cso/SKILL.md.tmpl | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cso/SKILL.md b/cso/SKILL.md index adaf0381ac..a06eb29aaf 100644 --- a/cso/SKILL.md +++ b/cso/SKILL.md @@ -1056,11 +1056,11 @@ If approved, run the same Grep patterns on globally installed skill files and ch **Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected. -**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes. +**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes. -**R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Matches the campaign's obfuscation + runtime-decrypt signature; minified bundles fail the `_0x` half, sourcemap-inline output fails both halves. +**R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match. -**R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` via `node|bun|python3?|bash|sh ` or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not declared in `package.json` `files`, the npm tarball, or any lockfile `integrity` hash; (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. +**R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh `, `node --require `, `node -e `, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. **R12** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. diff --git a/cso/SKILL.md.tmpl b/cso/SKILL.md.tmpl index 1dea5ce659..0a6ee21e96 100644 --- a/cso/SKILL.md.tmpl +++ b/cso/SKILL.md.tmpl @@ -304,11 +304,11 @@ If approved, run the same Grep patterns on globally installed skill files and ch **Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected. -**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes. +**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes. -**R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Matches the campaign's obfuscation + runtime-decrypt signature; minified bundles fail the `_0x` half, sourcemap-inline output fails both halves. +**R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match. -**R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, or the user-global equivalents under `~/.claude/`) `hooks.*.command` via `node|bun|python3?|bash|sh ` or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not declared in `package.json` `files`, the npm tarball, or any lockfile `integrity` hash; (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. +**R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh `, `node --require `, `node -e `, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. **R12** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. From 0d6d83970f10c5f6e5055166f32b38f85e2baf5b Mon Sep 17 00:00:00 2001 From: LYH Date: Fri, 15 May 2026 21:58:25 +0900 Subject: [PATCH 5/5] =?UTF-8?q?refactor(cso):=20renumber=20Tier=203=20rule?= =?UTF-8?q?s=20R7/R8/R9/R12=20=E2=86=92=20R1/R2/R3/R4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The R7/R8/R9/R12 numbering reflected a 14-rule draft history where R10, R11, R13, R14 were dropped during review (hash-level IOCs and cloud-SDK false-positive risks). Renumbering closes the gaps so reviewers see four contiguous rules instead of wondering what R10/R11 were. Rule definitions and FP guards are unchanged. Self-ref in the FP guards section updated (R9 → R3). --- cso/SKILL.md | 10 +++++----- cso/SKILL.md.tmpl | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/cso/SKILL.md b/cso/SKILL.md index a06eb29aaf..4c533539d0 100644 --- a/cso/SKILL.md +++ b/cso/SKILL.md @@ -1056,17 +1056,17 @@ If approved, run the same Grep patterns on globally installed skill files and ch **Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected. -**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes. +**R1** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes. -**R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match. +**R2** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match. -**R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh `, `node --require `, `node -e `, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. +**R3** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh `, `node --require `, `node -e `, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. -**R12** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. +**R4** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. **Tier 3 FP guards:** - gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above). -- R9 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field. +- R3 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field. ### Phase 9: OWASP Top 10 Assessment diff --git a/cso/SKILL.md.tmpl b/cso/SKILL.md.tmpl index 0a6ee21e96..bceeb695da 100644 --- a/cso/SKILL.md.tmpl +++ b/cso/SKILL.md.tmpl @@ -304,17 +304,17 @@ If approved, run the same Grep patterns on globally installed skill files and ch **Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected. -**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes. +**R1** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes. -**R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match. +**R2** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match. -**R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh `, `node --require `, `node -e `, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. +**R3** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh `, `node --require `, `node -e `, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade. -**R12** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. +**R4** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire. **Tier 3 FP guards:** - gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above). -- R9 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field. +- R3 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field. ### Phase 9: OWASP Top 10 Assessment