TruffleHog
TruffleHog is a legitimate open-source secret-scanning tool that threat actors have repeatedly abused in npm software supply-chain malware campaigns, most notably Shai-Hulud and its successor Sha1-Hulud (Shai-Hulud 2.0). In the reported attacks, trojanized npm packages downloaded and executed TruffleHog during install-time malware execution to scan infected developer workstations and CI/CD environments for secrets, including GitHub tokens, npm tokens, AWS credentials, and other cloud or development-environment secrets. Reported execution patterns included commands such as "trufflehog filesystem / --json" and scans of the user home directory or the entire filesystem; later variants also reused cached binaries from .truffler-cache directories.

The harvested data was then exfiltrated to attacker-controlled infrastructure, including webhook.site endpoints and attacker-created GitHub repositories. The surrounding malware also used stolen credentials to access cloud-hosted repositories and storage, create malicious GitHub Actions workflows, republish additional trojanized npm packages, and self-propagate across maintainer accounts.

Reporting also notes that TruffleHog supports extraction of more than 800 credential types and has been used by other actors, including Octo Tempest for plaintext key and secret discovery, and as a downloaded module in a North Korean-linked npm RAT campaign. High-confidence indicators directly mentioned include invocation of TruffleHog via child_process.exec("trufflehog filesystem / --json"), hidden execution of TruffleHog binaries from .truffler-cache, and malware artifacts or outputs associated with these campaigns, such as truffleSecrets.json.
Groups observed using it
2 distinct threat actors attributed by public researchers.
To maximize the yield, later variants executed hidden instances of the TruffleHog binary, harvested locally from .truffler-cache directories.
“...contained nine modules enabling keylogging, credential theft, browser and cryptocurrency exfiltration, TruffleHog secrets scanner downloads, and persistence.”
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (3 techniques)
PentestMCP on port 8000 focuses on reconnaissance and crawling. Pentest-Recon on port 8001 expands this with secrets detection and historical URL mining using TruffleHog, GitLeaks, and the Wayback Machine.
Resource Development (1 technique)
Initial Access (3 techniques)
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (3 techniques)
Credential Access (5 techniques)
The compromise likely began with a credential harvesting campaign, where a postinstall script led to the execution of a malicious bundle.js file... to harvest credentials stored as environment variables or secrets used by continuous integration and continuous delivery (CI/CD) platforms such as GitHub Actions, GitLab CI, Jenkins, and others.
After you identify files that potentially contain credentials, you can go through them manually to find useful ones.
This module spawns TruffleHog via child_process.exec('trufflehog filesystem / --json') to scan the entire filesystem. It parses the output for high-entropy matches, such as AWS keys found in ~/.aws/credentials.
Discovery (4 techniques)
The attacker then enumerated IAM users, roles, Lambda functions, DynamoDB tables, CloudFormation stacks, and scanned every S3 bucket's ACL and public access configuration.
Downloads and executes TruffleHog, a legitimate security tool, to scan the entire home directory for API keys, passwords, and other secrets hidden in configuration files, source code, or git history.
Collection (3 techniques)
The sources repeatedly describe threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
The malicious JavaScript code ("bundle.js") injected into each of the trojanized packages is designed to download and run TruffleHog, a legitimate secret scanning tool, using it to scan the host for tokens and cloud credentials, such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.
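The two behaviours quoted above (TruffleHog launched through child_process.exec('trufflehog filesystem / --json') from an install-time bundle.js, and binaries staged under .truffler-cache) can be turned into a process-lineage detection. The following is an added example written for this page; it is not code from the cited reports or from the TruffleHog project. It assumes process-creation telemetry has already been normalised to (pid, ppid, image, cmdline) records; the ProcEvent shape and the SAMPLE_EVENTS are constructed for illustration. A developer running TruffleHog against a single repository from an interactive shell produces no reasons and is not reported, which is the distinction a defender wants.

```python
"""Flag TruffleHog runs that match the npm install-time abuse pattern.

Added example (not from the page's sources or the TruffleHog project).
Assumes normalised process-creation events with pid, ppid, image, cmdline;
the ProcEvent shape and SAMPLE_EVENTS are constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


# "trufflehog" as a command word: at start, or after a path separator, space or quote.
TRUFFLEHOG_RE = re.compile(r"(?:^|[\s/\\'\"])trufflehog(?:\.exe)?\b", re.I)
# `filesystem` subcommand pointed at the root, a whole home directory, or a drive.
WIDE_SCAN_RE = re.compile(
    r"\bfilesystem\s+(?:/|~|\$HOME|/home/[^\s/]+/?|/Users/[^\s/]+/?|[A-Za-z]:\\)(?=\s|$)",
    re.I)
# Binary staged in the .truffler-cache directory named in the reports.
CACHE_RE = re.compile(r"\.truffler-cache", re.I)
# Package-manager / runtime images that an npm lifecycle script runs under.
PKG_MANAGER_RE = re.compile(r"(?:^|[/\\])(?:npm|npx|node|yarn|pnpm)(?:\.exe|\.cmd)?$", re.I)


def package_manager_ancestor(event, by_pid, max_depth=5):
    """Return the nearest npm/node-style ancestor of `event`, or None."""
    current = by_pid.get(event.ppid)
    for _ in range(max_depth):
        if current is None:
            return None
        if PKG_MANAGER_RE.search(current.image):
            return current
        current = by_pid.get(current.ppid)
    return None


def detect(events):
    """Return one Finding per process that looks like abused TruffleHog.

    A process is reported only if at least one reason fires: a scan of / or a
    whole home directory, a .truffler-cache path, or an npm/node ancestor.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not (TRUFFLEHOG_RE.search(e.cmdline) or CACHE_RE.search(e.image)):
            continue
        reasons = []
        if WIDE_SCAN_RE.search(e.cmdline):
            reasons.append("filesystem scan of / or a whole home directory")
        if CACHE_RE.search(e.image) or CACHE_RE.search(e.cmdline):
            reasons.append("binary or path under .truffler-cache")
        parent = package_manager_ancestor(e, by_pid)
        if parent is not None:
            reasons.append(f"spawned under {parent.image} (pid {parent.pid})")
        if reasons:
            findings.append(Finding(e.pid, e.image, reasons))
    return findings


# Constructed sample telemetry: an npm install whose postinstall runs bundle.js,
# which execs TruffleHog (child_process.exec goes through /bin/sh -c), plus a
# benign developer run of TruffleHog against a single repository.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "/bin/bash",     "bash"),
    ProcEvent(200, 100, "/usr/bin/npm",  "npm install"),
    ProcEvent(201, 200, "/usr/bin/node", "node bundle.js"),
    ProcEvent(202, 201, "/bin/sh",       "sh -c \"trufflehog filesystem / --json\""),
    ProcEvent(203, 202, "/tmp/.truffler-cache/trufflehog", "trufflehog filesystem / --json"),
    ProcEvent(300, 100, "/usr/local/bin/trufflehog", "trufflehog git file://./repo --json"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid} {f.image}: " + "; ".join(f.reasons))
```

The lineage walk is what separates the install-time case from legitimate use: a wide scan alone can be a security team's own audit, but a wide scan whose ancestor is npm or node running a package script is the pattern the reports describe. Tune max_depth to how many shell layers your package manager inserts between the lifecycle script and the child process.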
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
22 sources tracked across advisories, community write-ups, and news.
A secrets-scanning tool referenced as being used by the original Shai-Hulud attack to scan for exposed secrets.
A credential-seeking tool referenced as being covertly executed by the payload to harvest secrets from local caches and development environments.
A secret reconnaissance and scanning tool used in the described attack chain to identify exposed secrets.
A secrets-discovery tool used by the worm to harvest credentials and sensitive data from compromised environments before exfiltration.