
Summary
This analytic detection rule is designed to identify suspicious child processes spawned by React or Next.js application servers running on Linux systems. The rule specifically addresses potential exploitation of the vulnerabilities tracked as CVE-2025-55182 (React2Shell) and CVE-2025-66478 (Next.js). These vulnerabilities allow the execution of arbitrary JavaScript code on the server, which can lead to unauthorized execution of OS-level commands via Node.js child_process APIs such as execSync. Threat actors often exploit the vulnerable components by invoking commands like 'ping' or 'curl', or by launching shells using common Linux binaries, through the React Server Components. The detection rule leverages Sysmon for Linux Event ID 1 (ProcessCreate) and inspects processes whose parent process is named 'node' and which execute common Linux binaries in a suspicious manner, which can be a strong indicator of exploitation. Given the nature of the exploits, the detection focuses on the unusual spawning of processes in the context of active React and Next.js server components.
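As an added illustration of the matching logic described above (example code written for this page, not the rule's own query or any project's code), the snippet below re-implements the three conditions of the rule, Event ID 1, a parent whose basename is node, and a child that is a shell or network utility, and runs them over a handful of constructed Sysmon for Linux ProcessCreate records. Field names follow Sysmon's ProcessCreate schema; the sample events, the exact set of child binaries, and the alert layout are assumptions made for this example.

```python
import os

# Child binaries treated as suspicious when the parent is node: shells plus the
# network utilities the rule description names. The exact set is an assumption
# for this example; tune it to the environment.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "ping", "curl", "wget"}

# ATT&CK techniques listed for the rule; attached to every alert for triage.
TECHNIQUES = ("T1190", "T1059.004")

# Constructed Sysmon for Linux Event ID 1 (ProcessCreate) records, already parsed
# from the XML Sysmon writes to syslog. Field names follow Sysmon's schema; all
# values are made up for this example and are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "/usr/bin/ping", "ParentImage": "/usr/bin/node",
     "CommandLine": "ping -c 1 203.0.113.5", "ParentCommandLine": "node server.js",
     "User": "www-data"},
    {"EventID": 1, "Image": "/usr/bin/sh", "ParentImage": "/usr/local/bin/node",
     "CommandLine": 'sh -c "uname -a"',
     "ParentCommandLine": "node /app/node_modules/.bin/next start",
     "User": "nextjs"},
    # node spawning node: Next.js worker processes, expected behaviour.
    {"EventID": 1, "Image": "/usr/bin/node", "ParentImage": "/usr/bin/node",
     "CommandLine": "node /app/.next/server.js", "ParentCommandLine": "node server.js",
     "User": "nextjs"},
    # curl from an interactive shell, not from the application server.
    {"EventID": 1, "Image": "/usr/bin/curl", "ParentImage": "/usr/bin/bash",
     "CommandLine": "curl -s http://localhost:3000/healthz", "ParentCommandLine": "bash",
     "User": "ops"},
    # A build-time npm script invoking git: node parent, but git is not in the set.
    {"EventID": 1, "Image": "/usr/bin/git", "ParentImage": "/usr/bin/node",
     "CommandLine": "git rev-parse HEAD", "ParentCommandLine": "npm run build",
     "User": "ci"},
]


def basename(path):
    """Last path component, so /usr/local/bin/node and /usr/bin/node both read as 'node'."""
    return os.path.basename(path or "")


def matches_rule(event):
    """The rule's three conditions: ProcessCreate, parent basename 'node', suspicious child."""
    return (
        event.get("EventID") == 1
        and basename(event.get("ParentImage")) == "node"
        and basename(event.get("Image")) in SUSPICIOUS_CHILDREN
    )


def detect(events):
    """Run the rule over a batch of parsed events and return one alert dict per match."""
    alerts = []
    for event in events:
        if not matches_rule(event):
            continue
        alerts.append({
            "child": basename(event["Image"]),
            "parent_cmd": event.get("ParentCommandLine", ""),
            "command_line": event.get("CommandLine", ""),
            "user": event.get("User", ""),
            "techniques": TECHNIQUES,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['user']}] node -> {alert['child']}: {alert['command_line']}"
              f"  (parent: {alert['parent_cmd']}; {', '.join(alert['techniques'])})")
```

Two of the five constructed events match (ping and sh spawned by node); the node-to-node worker spawn, the curl from an operator's shell, and the git call from an npm build script do not. Matching on the basename of ParentImage rather than a full path is what makes both /usr/bin/node and /usr/local/bin/node hit; matching the child against a fixed set rather than "anything spawned by node" is what keeps ordinary npm and build scripts out of the alert queue. In production the records would first be parsed out of the XML that Sysmon for Linux emits to syslog, and ParentCommandLine is worth surfacing in the alert because a parent running next start or node server.js ties the hit to the React or Next.js server the rule is about.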
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Container
- User Account
ATT&CK Techniques
- T1190
- T1059.004
Created: 2025-12-05