
Summary
This rule detects uncommon DNS queries initiated by Bun or Node.js processes on Linux, macOS, and Windows endpoints. It targets supply-chain compromise scenarios in which attacker-controlled developer tooling or compromised packages trigger DNS lookups for data exfiltration or command-and-control (C2) traffic. The detection matches network events where event.category is network, host.os.type is Linux/macOS/Windows, event.action is lookup_requested, and process.name is one of bun, bun.exe, node, node.exe, or nodejs, with a DNS query name (dns.question.name) other than localhost. It uses the new_terms rule type to flag combinations of host.id and dns.question.name that have not been observed in the preceding seven days (history_window_start: now-7d). The rule runs over events ingested within a recent window (from: now-9m) and uses event.ingested as its timestamp override. It maps to MITRE ATT&CK Command and Control (TA0011), specifically Web Service (T1102) and Application Layer Protocol: DNS (T1071, T1071.004). The query is written in KQL (kuery) and focuses on network activity tied to common developer tooling. The risk is rated low (risk_score 21), reflecting the likelihood of false positives from legitimate development activity. The rule helps detect attempts to abuse Bun/Node.js DNS lookups for covert data transfer or C2 communication.
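The following is an added worked example, not part of the rule or of Elastic's own code, that models the rule's two stages in plain Python: the KQL filter (process name, OS type, event action, non-localhost query name) and the new_terms logic over a seven-day history window keyed on the (host.id, dns.question.name) pair. The events are constructed sample data using flattened ECS-style keys and reserved .test domains; the field layout, the helper names, and the in-memory baseline are assumptions made for illustration, since a real deployment evaluates this against indexed documents in Elasticsearch.

```python
from datetime import datetime, timedelta, timezone

# Filter values taken from the rule summary.
PROCESS_NAMES = {"bun", "bun.exe", "node", "node.exe", "nodejs"}
OS_TYPES = {"linux", "macos", "windows"}
HISTORY_WINDOW = timedelta(days=7)     # history_window_start: now-7d
LOOKBACK = timedelta(minutes=9)        # from: now-9m

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2026, 5, 21, 12, 0, tzinfo=timezone.utc)


def matches_query(event: dict) -> bool:
    """Python equivalent of the rule's KQL filter (assumed flattened ECS keys)."""
    qname = event.get("dns.question.name")
    return (
        event.get("event.category") == "network"
        and event.get("host.os.type") in OS_TYPES
        and event.get("event.action") == "lookup_requested"
        and event.get("process.name") in PROCESS_NAMES
        and bool(qname)
        and qname != "localhost"
    )


def new_terms_alerts(events: list, now: datetime) -> list:
    """Return events whose (host.id, dns.question.name) pair was not seen in the
    history window before the current run window. Events outside the window
    do not count toward the baseline, so a pair last seen 10 days ago alerts again."""
    window_start = now - HISTORY_WINDOW
    run_start = now - LOOKBACK
    seen = set()
    # Stage 1: build the baseline from matching events inside the history window.
    for e in events:
        ts = e["event.ingested"]
        if window_start <= ts < run_start and matches_query(e):
            seen.add((e["host.id"], e["dns.question.name"]))
    # Stage 2: evaluate the current run window; alert once per newly seen pair.
    alerts = []
    for e in sorted(events, key=lambda x: x["event.ingested"]):
        ts = e["event.ingested"]
        if not (run_start <= ts <= now) or not matches_query(e):
            continue
        term = (e["host.id"], e["dns.question.name"])
        if term not in seen:
            seen.add(term)
            alerts.append(e)
    return alerts


def _ev(host, os_type, proc, qname, minutes_ago=0, days_ago=0) -> dict:
    """Build one constructed DNS lookup event."""
    return {
        "event.category": "network",
        "event.action": "lookup_requested",
        "event.ingested": NOW - timedelta(days=days_ago, minutes=minutes_ago),
        "host.id": host,
        "host.os.type": os_type,
        "process.name": proc,
        "dns.question.name": qname,
    }


# Constructed sample data; domains under the reserved .test TLD are placeholders.
SAMPLE_EVENTS = [
    _ev("host-a", "linux", "node", "registry.npmjs.org", days_ago=3),        # baseline
    _ev("host-a", "linux", "node", "stale.test", days_ago=10),               # outside window
    _ev("host-a", "linux", "node", "registry.npmjs.org", minutes_ago=5),     # known pair
    _ev("host-a", "linux", "node", "update-check.test", minutes_ago=4),      # new pair
    _ev("host-b", "windows", "bun.exe", "localhost", minutes_ago=3),         # excluded
    _ev("host-b", "windows", "python.exe", "pypi.org", minutes_ago=3),       # wrong process
    _ev("host-b", "windows", "node.exe", "registry.npmjs.org", minutes_ago=2),  # new for host-b
    _ev("host-a", "linux", "node", "stale.test", minutes_ago=1),             # baseline expired
]


def run_rule() -> list:
    """Evaluate the rule over the sample and return the alerting query names."""
    return [a["dns.question.name"] for a in new_terms_alerts(SAMPLE_EVENTS, NOW)]


if __name__ == "__main__":
    for a in new_terms_alerts(SAMPLE_EVENTS, NOW):
        print(f"ALERT {a['host.id']} {a['process.name']} -> {a['dns.question.name']}")
```

Two behaviours are worth noting for tuning: the term is the combination of host and query name, so a registry domain that is routine on one build host still alerts the first time another host resolves it, and any pair that falls silent for longer than the seven-day window alerts again when it reappears. Both are sources of the low-severity false positives the rule summary anticipates.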
Categories
- Endpoint
- Linux
- macOS
- Windows
Data Sources
- Network Traffic
- Process
ATT&CK Techniques
- T1102
- T1071
- T1071.004
Created: 2026-05-21