Node.js Runtime Added to Current User Run Key
Detects a current-user Windows Run key value whose data invokes Node.js. The rule requires registry-set telemetry with the full target path and written data and does not depend on campaign-specific value names or infrastructure.
Sigma source
Raw YAMLtitle: Node.js Runtime Added to Current User Run Key
id: 935cfd8d-6d2b-4b9d-bea9-7af07e9d9d1f
status: stable
author: FRAME ZERO
date: 2026-07-16
description: Detects a current-user Windows Run key value whose data invokes Node.js. The rule requires registry-set telemetry with the full target path and written data and does not depend on campaign-specific value names or infrastructure.
references:
- https://www.microsoft.com/en-us/security/blog/2026/07/15/unpacking-asyncapi-npm-supply-chain-compromise-import-time-payload-delivery/
logsource:
category: registry_set
product: windows
detection:
selection_path:
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run'
selection_runtime:
Details|contains:
- 'node.exe'
- 'node '
condition: selection_path and selection_runtime
falsepositives:
- User-scoped developer tooling or legitimate applications that intentionally start a Node.js service at logon
- Software installation or repair activity that registers an approved Node.js component
level: high
tags:
- attack.persistence
- attack.t1547.001