
Script Interpreter Spawning Credential Scanner - Linux

Summary
Technical summary: This experimental Linux rule detects credential discovery activity by watching for a script interpreter process (such as node or bun) spawning a known credential-scanning tool (e.g., trufflehog, gitleaks). The detection requires both: (1) a parent process image ending with /node or /bun, and (2) a child process whose image ends with /trufflehog or /gitleaks, or whose command line contains trufflehog or gitleaks. When both conditions are met, an alert is raised indicating a potential attempt to locate secrets in code repositories or stored cloud credentials. This behavior mirrors techniques described in the Shai-Hulud: The Second Coming campaign, which leveraged Bun/npm environments to search for credentials.

Because the rule keys on process lineage plus the scanner's name rather than on a file hash or package name, it still fires when a new or repackaged npm payload drives a stock scanner binary. The image match is defeated by renaming the scanner binary, and the command-line match only holds while the tool name appears in the argument list, so treat this rule as one signal rather than a complete control.

False positives include legitimate pre-commit hooks or CI/CD jobs that run credential scanners as part of security checks. Analysts should corroborate with additional signals (e.g., repository access patterns, timing, or unusual credential locations) before escalation. Remediation guidance includes restricting script interpreter environments, enforcing least privilege on secret stores, and monitoring repetitive or anomalous invocations of credential-scanning tools.
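The following is an added example, not the rule's own YAML or any code from the rule author: it reconstructs the selection logic described above in Sigma's terms (values listed under one field are OR'd, fields inside one selection are AND'd, matching is case-insensitive by Sigma's default) and runs it over constructed process-creation events. The selection names and the Sysmon-for-Linux style field names (ParentImage, Image, CommandLine) are assumptions, since the page does not show the rule body; the events are fabricated for illustration and include the documented pre-commit false positive and a renamed-binary evasion case.

```python
# Added example: evaluate the rule's selection logic over constructed events.
# Selection/field names are assumed (Sysmon-for-Linux style); the page shows
# only the prose description, not the rule YAML.

RULE = {
    "selection_parent": {"ParentImage|endswith": ["/node", "/bun"]},
    "selection_child_image": {"Image|endswith": ["/trufflehog", "/gitleaks"]},
    "selection_child_cmd": {"CommandLine|contains": ["trufflehog", "gitleaks"]},
}


def _match_field(field_spec, values, event):
    """One 'Field|modifier': [values] entry; any listed value may match (OR)."""
    field, _, modifier = field_spec.partition("|")
    observed = str(event.get(field, "")).lower()  # Sigma matches case-insensitively by default
    if modifier == "endswith":
        return any(observed.endswith(v.lower()) for v in values)
    if modifier == "contains":
        return any(v.lower() in observed for v in values)
    raise ValueError(f"unsupported modifier: {modifier!r}")


def selection_matches(name, event):
    """All fields inside a selection must match (AND)."""
    return all(_match_field(spec, vals, event) for spec, vals in RULE[name].items())


def rule_matches(event):
    # condition: selection_parent and (selection_child_image or selection_child_cmd)
    return selection_matches("selection_parent", event) and (
        selection_matches("selection_child_image", event)
        or selection_matches("selection_child_cmd", event)
    )


# Constructed process-creation events, not real telemetry. "label" is for the reader only.
EVENTS = [
    # True positive: bun spawns the scanner binary directly.
    {"label": "bun-trufflehog", "ParentImage": "/usr/local/bin/bun",
     "Image": "/usr/local/bin/trufflehog",
     "CommandLine": "trufflehog filesystem /home/dev --json"},
    # True positive via the command-line term: node spawns a shell that runs the scanner.
    {"label": "node-sh-trufflehog", "ParentImage": "/usr/bin/node",
     "Image": "/bin/sh",
     "CommandLine": "sh -c 'trufflehog git file:///home/dev/repo --only-verified'"},
    # Not matched: a developer runs gitleaks from an interactive shell (parent is not an interpreter).
    {"label": "bash-gitleaks", "ParentImage": "/usr/bin/bash",
     "Image": "/usr/local/bin/gitleaks", "CommandLine": "gitleaks detect -v"},
    # Not matched: ordinary tooling spawned by node.
    {"label": "node-git", "ParentImage": "/usr/bin/node",
     "Image": "/usr/bin/git", "CommandLine": "git status --porcelain"},
    # Matched, but the documented false positive: a node-driven pre-commit hook.
    {"label": "node-precommit-gitleaks", "ParentImage": "/usr/bin/node",
     "Image": "/usr/local/bin/gitleaks", "CommandLine": "gitleaks protect --staged"},
    # Evasion caveat: scanner copied under another name, tool name absent from argv.
    {"label": "bun-renamed-scanner", "ParentImage": "/usr/local/bin/bun",
     "Image": "/tmp/.cache/th", "CommandLine": "/tmp/.cache/th filesystem /home/dev"},
]


def alerts(events=EVENTS):
    """Labels of the events the rule would alert on."""
    return [e["label"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in EVENTS:
        print(f"{'ALERT' if rule_matches(e) else 'quiet'}  {e['label']}")
```

Running it alerts on the two malicious-looking events and on the pre-commit hook, and stays quiet on the renamed binary; that last case is why the summary treats the rule as a lineage-plus-name signal to corroborate rather than a standalone control.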
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Image
  • Command
Created: 2025-11-25