
Summary
This detection rule identifies the execution of GitHub self-hosted runners on hosts inside an organization's infrastructure where no runner is expected. It covers persistence and unauthorized code execution associated with npm supply-chain attacks, in particular the Shai-Hulud worm: the malicious variant installs a runner on a compromised system to keep access after credential theft, then uses the runner's privileges to reach secrets and internal networks. The rule monitors process-creation events for the executable images and command-line parameters known to belong to GitHub runners and flags runner activity that deviates from the normal operating patterns of the CI/CD environment. Legitimately registered runners produce the same process pattern, so the rule needs a baseline of approved runner hosts (or a check against the organization's runner inventory) to separate expected registrations from unexpected ones.
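To make the detection logic concrete, the following is an added example (not the rule's own query or the author's code) that runs the described process-creation check over a handful of constructed events. The runner file names and flags are those shipped in the actions/runner package (config.sh, run.sh, svc.sh, Runner.Listener, Runner.Worker; --url, --token, --unattended, --ephemeral, --labels); the event shape, the host names and the approved-host list are assumptions standing in for a real EDR feed and runner inventory.

```python
"""Toy detection for unexpected GitHub self-hosted runner processes.

Added example, not the detection rule itself. Event fields (host, user,
image, cmdline) are an assumed shape; a real deployment would map them
from Sysmon Event ID 1, auditd execve records or an EDR process feed.
"""
import os
import re
import shlex

# File names from the actions/runner package that only appear when a
# runner is installed, registered or started.
RUNNER_IMAGES = {
    "runner.listener", "runner.listener.exe",
    "runner.worker", "runner.worker.exe",
    "config.sh", "config.cmd", "run.sh", "run.cmd", "svc.sh",
}
# Flags used by config.sh/config.cmd when registering a runner.
REGISTRATION_FLAGS = {"--token", "--unattended", "--ephemeral",
                      "--runnergroup", "--labels"}
GITHUB_URL = re.compile(r"^https://github\.com/", re.I)

# Assumed inventory: hosts where the platform team registered runners.
APPROVED_RUNNER_HOSTS = {"ci-runner-01", "ci-runner-02"}


def is_runner_process(image: str, cmdline: str) -> bool:
    """True if the process is a runner binary or a runner registration."""
    name = os.path.basename(image.replace("\\", "/")).lower()
    if name in RUNNER_IMAGES:
        return True
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        argv = cmdline.split()
    # Registration launched through a shell (image is bash/cmd, not the
    # script): look for --url <github.com URL> plus a registration flag.
    has_url = any(
        (a == "--url" and i + 1 < len(argv) and GITHUB_URL.search(argv[i + 1]))
        or (a.startswith("--url=") and GITHUB_URL.search(a[6:]))
        for i, a in enumerate(argv)
    )
    return has_url and bool(REGISTRATION_FLAGS & set(argv))


def evaluate(events):
    """Return alerts for runner processes on hosts outside the approved set."""
    alerts = []
    for ev in events:
        if not is_runner_process(ev["image"], ev["cmdline"]):
            continue
        if ev["host"] in APPROVED_RUNNER_HOSTS:
            continue  # expected runner host: part of the baseline
        alerts.append({k: ev[k] for k in ("host", "user", "image", "cmdline")})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ci-runner-01", "user": "runner",
     "image": "/opt/actions-runner/bin/Runner.Listener",
     "cmdline": "Runner.Listener run"},
    {"host": "dev-laptop-17", "user": "alice",
     "image": "/bin/bash",
     "cmdline": "bash ./config.sh --url https://github.com/acme/payments "
                "--token PLACEHOLDER_TOKEN --unattended --ephemeral "
                "--labels self-hosted"},
    {"host": "dev-laptop-17", "user": "alice",
     "image": "/home/alice/.cache/actions-runner/bin/Runner.Listener",
     "cmdline": "Runner.Listener run --startuptype service"},
    {"host": "build-srv-03", "user": "build",
     "image": "/usr/bin/curl",
     "cmdline": "curl -sSL https://github.com/actions/runner/releases/latest"},
    {"host": "ws-bob", "user": "bob",
     "image": "/usr/bin/python3",
     "cmdline": "python3 run.py --token abc"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']} {alert['user']}: {alert['cmdline']}")
```

Only the two events on dev-laptop-17 fire: the registration run through bash (caught by the --url/--token check even though the image is /bin/bash) and the runner binary it leaves behind. The curl download of the runner package and the unrelated --token argument do not match, and the listener on ci-runner-01 is suppressed by the approved-host baseline. In production the approved set should come from the organization's actual runner inventory rather than a hard-coded list, and a runner seen on a developer workstation or in a user's home directory deserves immediate triage.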
Categories
- Infrastructure
- Cloud
- Application
Data Sources
- Process
Created: 2025-11-29