Node.js Pre or Post-Install Script Execution

Elastic Detection Rules

Summary
This detection rule identifies the execution of Node.js pre- or post-install scripts run through npm, which adversaries may abuse to execute arbitrary commands and establish persistence. Recognizing this execution pattern is important given its connection to the Shai-Hulud worm observed in the wild. The rule uses EQL (Event Query Language) to analyze process events on Linux endpoints for cases where the Node.js process (`node`) is executed with the `install` argument, which signals potential misuse of package management via npm. Setup requires the Elastic Defend integration to be configured on an Elastic Agent so that the relevant process activity is collected. The rule is intended for production environments to improve detection of Node.js misuse in persistence attacks.
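As an added illustration (not Elastic's rule or code), the following Python mirrors the logic the summary describes over constructed ECS-style process events and adds a triage helper that lists the npm lifecycle hooks a package.json declares; the field names `host.os.type`, `event.type`, `process.name` and `process.args` are assumed to follow the Elastic Common Schema.

```python
# Added example (not Elastic's rule or code): re-implement the described detection
# in Python over constructed events, plus a package.json triage helper.
# Field names are assumed to follow the Elastic Common Schema (ECS).
import json

# Constructed sample events; none are real telemetry.
SAMPLE_EVENTS = [
    {"host": {"os": {"type": "linux"}}, "event": {"type": ["start"]},
     "process": {"name": "node",
                 "args": ["node", "/usr/lib/node_modules/npm/bin/npm-cli.js", "install"]}},
    {"host": {"os": {"type": "linux"}}, "event": {"type": ["start"]},
     "process": {"name": "node", "args": ["node", "server.js"]}},
    {"host": {"os": {"type": "windows"}}, "event": {"type": ["start"]},
     "process": {"name": "node.exe", "args": ["node.exe", "npm-cli.js", "install"]}},
]

# Constructed package.json declaring a post-install hook.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})

# Lifecycle scripts npm runs during `npm install` of a package.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def matches_rule(event: dict) -> bool:
    """Mirror the rule: Linux process start of `node` whose arguments include `install`."""
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    if "start" not in event.get("event", {}).get("type", []):
        return False
    proc = event.get("process", {})
    return proc.get("name") == "node" and "install" in proc.get("args", [])


def suspicious_events(events: list) -> list:
    """Return the events that would fire the rule."""
    return [e for e in events if matches_rule(e)]


def lifecycle_hooks(package_json_text: str) -> dict:
    """Triage helper: the install-time scripts npm would run for this package.json."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in NPM_INSTALL_HOOKS}


if __name__ == "__main__":
    for e in suspicious_events(SAMPLE_EVENTS):
        print("alert:", " ".join(e["process"]["args"]))
    print("install hooks:", lifecycle_hooks(SAMPLE_PACKAGE_JSON))
```

When an alert fires, inspecting the installed package's `scripts` block with `lifecycle_hooks` shows which commands npm would have executed automatically.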
Categories
  • Endpoint
Data Sources
  • Process
  • Sensor Health
  • File
ATT&CK Techniques
  • T1543
  • T1574
  • T1059
  • T1059.004
Created: 2025-09-18