Shai-Hulud 2 Exfiltration Artifact Files

Splunk Security Content

Summary
This rule detects the creation of files associated with the Shai-Hulud 2.0 npm supply chain malware. The malware generates specific artifact files such as cloud.json, contents.json, environment.json, truffleSecrets.json, and actionsSecrets.json, which store harvested sensitive data such as AWS, Azure, and GCP credentials, GitHub secrets, and environment variables. These files are staged locally before being transmitted to attacker-controlled repositories. The detection uses Sysmon file creation events to identify these filenames on the file system. It requires endpoint logs to be ingested and mapped to the appropriate data model and CIM fields so that the search can analyse and alert on them.
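As an added example (not part of the Splunk rule itself), the following Python applies the same filename match to constructed Sysmon-style FileCreate events and groups hits per host. The JSON field names, the Event ID 11 filter, and the per-host grouping are assumptions for illustration, not taken from the rule.

```python
import json
import re
from collections import defaultdict

# Artifact filenames named in the rule summary above.
SHAI_HULUD_ARTIFACTS = {
    "cloud.json", "contents.json", "environment.json",
    "truffleSecrets.json", "actionsSecrets.json",
}
_ARTIFACTS_LOWER = {name.lower() for name in SHAI_HULUD_ARTIFACTS}

# Sysmon Event ID 11 is FileCreate; assumed to be the event type the rule consumes.
SYSMON_FILE_CREATE = 11

# Constructed sample events in a Sysmon-like JSON shape (not real telemetry).
SAMPLE_EVENTS = [
    r'{"EventID": 11, "Computer": "build-01", "Image": "C:\\Program Files\\nodejs\\node.exe", "TargetFilename": "C:\\Users\\ci\\AppData\\Local\\Temp\\cloud.json"}',
    r'{"EventID": 11, "Computer": "build-01", "Image": "C:\\Program Files\\nodejs\\node.exe", "TargetFilename": "C:\\Users\\ci\\AppData\\Local\\Temp\\truffleSecrets.json"}',
    r'{"EventID": 11, "Computer": "dev-02", "Image": "/usr/bin/node", "TargetFilename": "/tmp/environment.json"}',
    r'{"EventID": 11, "Computer": "dev-02", "Image": "/usr/bin/code", "TargetFilename": "/home/dev/project/package.json"}',
    r'{"EventID": 1, "Computer": "build-01", "Image": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "node install.js"}',
]


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def detect_artifacts(lines):
    """Return one hit per FileCreate event whose filename is a known artifact."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != SYSMON_FILE_CREATE:
            continue  # only file creation events are relevant to this rule
        name = basename(ev.get("TargetFilename", ""))
        # Case-insensitive so a Windows host writing CLOUD.JSON is still caught.
        if name.lower() in _ARTIFACTS_LOWER:
            hits.append({"host": ev["Computer"], "process": ev.get("Image"),
                         "path": ev["TargetFilename"], "artifact": name})
    return hits


def distinct_artifacts_per_host(hits):
    """Count distinct artifact names per host: several on one host is a stronger
    signal than a lone match (assumed triage heuristic, not part of the rule)."""
    per_host = defaultdict(set)
    for hit in hits:
        per_host[hit["host"]].add(hit["artifact"].lower())
    return {host: len(names) for host, names in per_host.items()}
```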
Categories
  • Endpoint
  • Linux
  • Windows
Data Sources
  • Pod
  • Container
  • Application Log
  • Process
ATT&CK Techniques
  • T1074.001
  • T1552.001
  • T1195.002
  • T1195.001
Created: 2025-11-25