Skip to content

feat(cso): Phase 8 Tier 3 — mini-shai-hulud campaign rules (comprehensive mode) #1523

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
slash9494 wants to merge 5 commits into
base: main
Choose a base branch
from
+28 −0
Open

feat(cso): Phase 8 Tier 3 — mini-shai-hulud campaign rules (comprehensive mode) #1523

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e7af192
feat(cso): Phase 8 Tier 3 — mini-shai-hulud campaign rules (comprehen…
slash9494 May 15, 2026
f37737b
fix(cso): R12 expand seed{1,2,3} brace shorthand to literal hostnames
slash9494 May 15, 2026
eb7eadd
chore(cso): drop campaign-specific references from Tier 3 prose
slash9494 May 15, 2026
0eebbbf
refactor(cso): tighten Tier 3 rules per third-pass review
slash9494 May 15, 2026
0d6d839
refactor(cso): renumber Tier 3 rules R7/R8/R9/R12 → R1/R2/R3/R4
slash9494 May 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions cso/SKILL.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1054,6 +1054,20 @@ If approved, run the same Grep patterns on globally installed skill files and ch

**FP rules:** gstack's own skills are trusted (check if skill path resolves to a known repo). Skills that use `curl` for legitimate purposes (downloading tools, health checks) need context — only flag when the target URL is suspicious or when the command includes credential variables.

**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected.

**R1** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes.

**R2** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match.

**R3** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh <path>`, `node --require <path>`, `node -e <inline-require>`, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade.

**R4** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire.

**Tier 3 FP guards:**
- gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above).
- R3 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field.

### Phase 9: OWASP Top 10 Assessment

For each OWASP category, perform targeted analysis. Use the Grep tool for all searches — scope file extensions to detected stacks from Phase 0.
Expand Down
14 changes: 14 additions & 0 deletions cso/SKILL.md.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -302,6 +302,20 @@ If approved, run the same Grep patterns on globally installed skill files and ch

**FP rules:** gstack's own skills are trusted (check if skill path resolves to a known repo). Skills that use `curl` for legitimate purposes (downloading tools, health checks) need context — only flag when the target URL is suspicious or when the command includes credential variables.

**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected.

**R1** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes.

**R2** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match.

**R3** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh <path>`, `node --require <path>`, `node -e <inline-require>`, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade.

**R4** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire.

**Tier 3 FP guards:**
- gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above).
- R3 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field.

### Phase 9: OWASP Top 10 Assessment

For each OWASP category, perform targeted analysis. Use the Grep tool for all searches — scope file extensions to detected stacks from Phase 0.
Expand Down