Script Interpreter Spawning Credential Scanner - Windows

Sigma Rules

Summary
Detects a Windows script interpreter spawning credential-scanning tools such as trufflehog or gitleaks. The rule triggers when the parent process image ends with node.exe or bun.exe and the child process either has an image ending with trufflehog.exe or gitleaks.exe or has a CommandLine containing trufflehog or gitleaks. A script runner launching a secret scanner is indicative of attempts to discover and exfiltrate credentials from code repositories or cloud sources, consistent with campaigns like Shai-Hulud. The detection relies on process creation data (ParentImage, Image, and CommandLine); it flags the script runner → credential scanner execution chain and is categorized as high severity. False positives may include legitimate pre-commit hooks or CI/CD jobs that run credential scanners as part of security checks; because those three fields alone cannot separate a hook from a malicious run, such matches should be baselined by repository, build host, or user account rather than suppressed by process name. The rule is marked experimental and is intended to help identify stealthy credential discovery activity on Windows hosts.
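The selection logic described above, run over a handful of constructed process-creation events, as an added example that is not the rule's own source or the page's code. It assumes the usual Sigma precedence (parent condition AND (child image OR command line)), Sigma's default case-insensitive string matching, and anchors the image suffixes with a path separator (`\node.exe` rather than `node.exe`) so that a binary merely named `*node.exe` does not match; the event dictionaries, their paths, and the `matches_rule`/`scan` helpers are all assumptions made for this illustration.

```python
# Added example: the rule's ParentImage / Image / CommandLine selection applied
# to constructed Sysmon Event ID 1 style records. Not the Sigma rule's source.

# Suffixes anchored on the path separator (an assumption; Sigma rules commonly
# write `\node.exe` so that e.g. `fakenode.exe` is not matched).
PARENT_SUFFIXES = ("\\node.exe", "\\bun.exe")
CHILD_SUFFIXES = ("\\trufflehog.exe", "\\gitleaks.exe")
CMDLINE_NEEDLES = ("trufflehog", "gitleaks")

# Constructed sample events (illustrative paths, not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: node.exe parent launching a dropped trufflehog binary -> match (Image)
        "ParentImage": r"C:\Program Files\nodejs\node.exe",
        "Image": r"C:\Users\dev\AppData\Local\Temp\trufflehog.exe",
        "CommandLine": r"trufflehog.exe filesystem C:\Users\dev\src --json",
    },
    {   # 1: bun.exe parent, scanner hidden behind cmd.exe -> match (CommandLine)
        "ParentImage": r"C:\Users\dev\.bun\bin\bun.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c GitLeaks detect --source . --report-path out.json",
    },
    {   # 2: gitleaks run from explorer.exe, no script-interpreter parent -> no match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\tools\gitleaks.exe",
        "CommandLine": r"gitleaks.exe detect",
    },
    {   # 3: ordinary node.exe child -> no match
        "ParentImage": r"C:\Program Files\nodejs\node.exe",
        "Image": r"C:\Program Files\Git\cmd\git.exe",
        "CommandLine": r"git status",
    },
    {   # 4: legitimate pre-commit hook run through npx -> matches, but is a false positive
        "ParentImage": r"C:\Program Files\nodejs\node.exe",
        "Image": r"C:\Users\dev\repo\node_modules\.bin\gitleaks.exe",
        "CommandLine": r"gitleaks protect --staged --verbose",
    },
]


def _endswith_ci(value: str, suffixes) -> bool:
    """Sigma `endswith` modifier: case-insensitive suffix match."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_ci(value: str, needles) -> bool:
    """Sigma `contains` modifier: case-insensitive substring match."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_rule(event: dict) -> bool:
    """ParentImage is node/bun AND (child Image is a scanner OR CommandLine names one)."""
    parent_is_script_runner = _endswith_ci(event.get("ParentImage", ""), PARENT_SUFFIXES)
    child_is_scanner = (
        _endswith_ci(event.get("Image", ""), CHILD_SUFFIXES)
        or _contains_ci(event.get("CommandLine", ""), CMDLINE_NEEDLES)
    )
    return parent_is_script_runner and child_is_scanner


def scan(events) -> list:
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"[{i}] {ev['ParentImage']} -> {ev['Image']} :: {ev['CommandLine']}")
```

Events 0, 1 and 4 fire; event 4 is the pre-commit case the summary warns about, and nothing in the three fields distinguishes it from event 0, which is why the false-positive handling has to come from context (repository path, host role, account) rather than from tightening the process-name match.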
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Image
  • Command
Created: 2025-11-25