Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners

Elastic Detection Rules

Summary
This rule identifies suspicious activity on GitHub Actions runners by detecting when the `RUNNER_TRACKING_ID` environment variable has been changed from its default value. Such modifications are associated with evasion techniques used by attackers to disrupt process tracking and cleanup on self-hosted runners. The rule covers behaviour seen in the `Shai-Hulud 2.0` npm worm campaign, where a custom identifier lets a process outlive the job or stay hidden from cleanup, which can include the execution of malicious scripts or software. Investigation steps include reviewing the job and its activity on GitHub, checking whether processes persist after the job completes, and looking for unauthorized outbound connections or changes to the runner environment. False positives are possible, for example legitimate runner setups that deliberately set a non-default `RUNNER_TRACKING_ID`. The rule requires data from Elastic Defend, with environment variable capture enabled so that `RUNNER_TRACKING_ID` is present in process events.
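The following is an added illustration of the detection logic described above, written for this page; it is not the Elastic rule's own query and does not come from the Elastic Detection Rules project. It assumes that a runner tags each job process with `RUNNER_TRACKING_ID=github_<uuid>` (the default format is an assumption, not stated on the page), that process-start events carry captured environment variables in a `process.env_vars` list, and it uses constructed sample events. Any other value of the variable is flagged; an optional allow list covers legitimate setups that intentionally use a custom identifier.

```python
import re

# Assumption (not from the page): the runner sets RUNNER_TRACKING_ID=github_<uuid>
# on every job process so it can locate and clean up stragglers after the job ends.
DEFAULT_TRACKING_ID = re.compile(
    r"^github_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)

# Constructed sample process events, shaped loosely like endpoint telemetry that
# captures environment variables. The UUID and command lines are made up.
SAMPLE_EVENTS = [
    {"event": {"type": "start"},
     "process": {"pid": 4101, "command_line": "node build.js",
                 "env_vars": ["CI=true",
                              "RUNNER_TRACKING_ID=github_3f2a9c1e-7b4d-4f6a-9e2b-1c5d8a7e6f30"]}},
    {"event": {"type": "start"},
     "process": {"pid": 4102, "command_line": "node setup.js",
                 "env_vars": ["CI=true", "RUNNER_TRACKING_ID=0"]}},
    {"event": {"type": "start"},
     "process": {"pid": 4103, "command_line": "sh -c ./postinstall.sh",
                 "env_vars": ["RUNNER_TRACKING_ID="]}},
    {"event": {"type": "start"},
     "process": {"pid": 4104, "command_line": "sshd -D",
                 "env_vars": ["PATH=/usr/bin"]}},          # not a runner job process
    {"event": {"type": "end"},
     "process": {"pid": 4102, "command_line": "node setup.js",
                 "env_vars": ["RUNNER_TRACKING_ID=0"]}},   # only start events are evaluated
]


def tracking_id_from_env(env_vars):
    """Return the value of RUNNER_TRACKING_ID from a list of NAME=value strings, or None."""
    for entry in env_vars:
        name, sep, value = entry.partition("=")
        if sep and name == "RUNNER_TRACKING_ID":
            return value
    return None


def is_tampered(value, allowed_values=frozenset()):
    """True when the variable is present but neither the default format nor an allowed custom value."""
    if value is None:
        return False
    if value in allowed_values:
        return False
    return DEFAULT_TRACKING_ID.match(value) is None


def detect(events, allowed_values=frozenset()):
    """Evaluate process-start events and return one finding per tampered RUNNER_TRACKING_ID."""
    findings = []
    for event in events:
        if event.get("event", {}).get("type") != "start":
            continue
        proc = event.get("process", {})
        tracking_id = tracking_id_from_env(proc.get("env_vars", []))
        if is_tampered(tracking_id, allowed_values):
            findings.append({
                "pid": proc.get("pid"),
                "command_line": proc.get("command_line"),
                "tracking_id": tracking_id,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"pid={finding['pid']} RUNNER_TRACKING_ID={finding['tracking_id']!r} "
              f"cmd={finding['command_line']}")
```

Running it flags pids 4102 and 4103 (the zeroed and emptied identifiers) and leaves the process with a default-format identifier, the process without the variable, and the non-start event alone. Tuning a known custom identifier into `allowed_values` is how the false-positive case from the summary would be handled.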
Categories
  • Endpoint
Data Sources
  • Process
  • Application Log
  • Command
ATT&CK Techniques
  • T1059
  • T1195
  • T1195.001
  • T1562
  • T1562.001
Created: 2025-11-27