@trailofbits/vsix-audit 0.1.0

package/zoo/signatures/yara/crypto_wallet_targeting.yar

@@ -0,0 +1,92 @@
+/*
+    GlassWorm Cryptocurrency Wallet Targeting Detection
+    Detects patterns for targeting cryptocurrency wallet extensions
+
+    IMPORTANT: These rules require CLEAR malicious intent indicators.
+    Many legitimate tools interact with crypto wallets.
+*/
+
+rule MAL_JS_GlassWorm_Wallet_Seed_Extraction_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style wallet seed phrase extraction from storage combined with network exfil"
+    severity    = "critical"
+    score       = "95"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Seed phrase patterns (very specific)
+    $seed1 = "seedPhrase" ascii wide
+    $seed2 = "mnemonic" ascii wide
+    $seed3 = "recoveryPhrase" ascii wide
+
+    // Private key extraction
+    $privkey = "privateKey" ascii wide
+
+    // Storage access
+    $storage1 = "localStorage.getItem" ascii wide
+    $storage2 = "chrome.storage" ascii wide
+
+    // Exfiltration - must send somewhere
+    $exfil1 = "discord.com/api/webhooks" ascii wide
+    $exfil2 = "discordapp.com/api/webhooks" ascii wide
+    $exfil3 = /fetch\s*\(\s*["'][^"']*["']\s*,\s*\{[^}]*body/ ascii wide
+    $exfil4 = "axios.post" ascii wide
+
+  condition:
+    any of ($seed*, $privkey) and any of ($storage*) and any of ($exfil*)
+}
+
+rule MAL_JS_GlassWorm_Multi_Wallet_Enum_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style enumeration of 3+ crypto wallet browser extension IDs for targeting"
+    severity    = "high"
+    score       = "85"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // MetaMask extension ID
+    $metamask_id = "nkbihfbeogaeaoehlefnkodbefgpgknn" ascii wide
+
+    // Phantom extension ID
+    $phantom_id = "bfnaelmomeimhlpmgjnjophhpkkoljpa" ascii wide
+
+    // Coinbase Wallet extension ID
+    $coinbase_id = "hnfanknocfeofbddgcijnmhnfnkdnaad" ascii wide
+
+    // Other wallet extension IDs
+    $trust_id  = "egjidjbpglichdcondbcbdnbeeppgdph" ascii wide
+    $exodus_id = "aholpfdialjgjfhomihkjbmgjidlcdno" ascii wide
+
+    // Additional wallet extension IDs
+    $rabby_id    = "acmacodkjbdgmoleebolmdjonilkdbch" ascii wide
+    $keplr_id    = "dmkamcknogkgcdfhhbddcghachkejeap" ascii wide
+    $okx_id      = "mcohilncbfahbmgdjkbpemcciiolgcge" ascii wide
+    $bitget_id   = "jiidiaalihmmhddjgbnbgdfflelocpak" ascii wide
+    $rainbow_id  = "opfgelmcmbiajamepnmloijbpoleiama" ascii wide
+    $zerion_id   = "klghhnkeealcohjjanjjdaeeggmfmlpl" ascii wide
+    $backpack_id = "aflkmfhebedbjioipglgcbcmnbpgliof" ascii wide
+    $solflare_id = "bhhhlbepdkbapadjdnnojkbgioiodbic" ascii wide
+
+    // Must be checking for multiple
+    $check = /chrome\.runtime\.sendMessage|chrome\.management\.get/ ascii wide
+
+  condition:
+    3 of ($metamask_id, $phantom_id, $coinbase_id, $trust_id, $exodus_id,
+      $rabby_id, $keplr_id, $okx_id, $bitget_id, $rainbow_id,
+      $zerion_id, $backpack_id, $solflare_id) and $check
+}
+
+// REMOVED: GlassWorm_Crypto_Wallet_Targeting
+// Too broad - matched "metamask" + "phantom" + "address"
+// which appears in many legitimate dApp extensions.
+
+// REMOVED: GlassWorm_Wallet_Transaction_Interception
+// Too broad - "transaction" + "hook" + "to/from/value" matches
+// virtually all web3 applications.
+
+// REMOVED: GlassWorm_Wallet_Extension_Enumeration
+// Too broad - wallet detection is legitimate for dApps.

package/zoo/signatures/yara/data_exfiltration.yar

@@ -0,0 +1,207 @@
+/*
+    Data Exfiltration Detection
+    Detects patterns for stealing and transmitting sensitive data
+*/
+
+rule C2_JS_Discord_Webhook_Jan25 {
+  meta:
+    description = "Detects Discord webhook URL patterns commonly used for data exfiltration and C2 communication"
+    severity    = "high"
+    score       = 75
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    $webhook1 = /discord\.com\/api\/webhooks\/\d+\/[a-zA-Z0-9_-]+/ ascii wide
+    $webhook2 = /discordapp\.com\/api\/webhooks\/\d+\/[a-zA-Z0-9_-]+/ ascii wide
+    $webhook3 = "discord.com/api/webhooks" ascii wide
+    $webhook4 = "discordapp.com/api/webhooks" ascii wide
+
+  condition:
+    any of them
+}
+
+rule C2_JS_Free_Hosting_Jan25 {
+  meta:
+    description = "Detects free hosting service domains commonly abused for C2 infrastructure and data exfiltration"
+    severity    = "medium"
+    score       = 60
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Vercel - commonly abused
+    $vercel = /[a-z0-9-]+\.vercel\.app/ ascii wide
+
+    // PythonAnywhere - commonly abused for exfil
+    $pythonanywhere = /[a-z0-9-]+\.pythonanywhere\.com/ ascii wide
+
+    // Netlify
+    $netlify = /[a-z0-9-]+\.netlify\.app/ ascii wide
+
+    // Glitch
+    $glitch = /[a-z0-9-]+\.glitch\.me/ ascii wide
+
+    // Replit
+    $replit = /[a-z0-9-]+\.repl\.co/ ascii wide
+
+    // Railway
+    $railway = /[a-z0-9-]+\.railway\.app/ ascii wide
+
+    // Render
+    $render = /[a-z0-9-]+\.onrender\.com/ ascii wide
+
+    // Cloudflare Pages
+    $cf_pages = /[a-z0-9-]+\.pages\.dev/ ascii wide
+
+    // Cloudflare Workers
+    $cf_workers = /[a-z0-9-]+\.workers\.dev/ ascii wide
+
+    // Firebase Hosting
+    $firebase1 = /[a-z0-9-]+\.web\.app/ ascii wide
+    $firebase2 = /[a-z0-9-]+\.firebaseapp\.com/ ascii wide
+
+    // AWS Amplify
+    $amplify = /[a-z0-9-]+\.amplifyapp\.com/ ascii wide
+
+    // Heroku
+    $heroku = /[a-z0-9-]+\.herokuapp\.com/ ascii wide
+
+    // Deno Deploy
+    $deno = /[a-z0-9-]+\.deno\.dev/ ascii wide
+
+    // Fly.io
+    $fly = /[a-z0-9-]+\.fly\.dev/ ascii wide
+
+    // Ngrok tunnels
+    $ngrok1 = /[a-z0-9-]+\.ngrok\.io/ ascii wide
+    $ngrok2 = /[a-z0-9-]+\.ngrok-free\.app/ ascii wide
+
+  condition:
+    any of them
+}
+
+rule STEALER_JS_SSH_Key_Exfil_Jan25 {
+  meta:
+    description = "Detects SSH private key file access combined with network transmission for credential theft"
+    severity    = "critical"
+    score       = 90
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // SSH key paths
+    $ssh1 = ".ssh/id_rsa" ascii wide
+    $ssh2 = ".ssh/id_ed25519" ascii wide
+    $ssh3 = ".ssh/id_ecdsa" ascii wide
+    $ssh4 = ".ssh/id_dsa" ascii wide
+
+    // File reading
+    $read1 = "readFileSync" ascii wide
+    $read2 = "readFile" ascii wide
+    $read3 = "createReadStream" ascii wide
+
+    // Network transmission
+    $net1 = "fetch(" ascii wide
+    $net2 = "axios" ascii wide
+    $net3 = "request(" ascii wide
+    $net4 = "https.request" ascii wide
+    $net5 = "http.request" ascii wide
+    $net6 = ".post(" ascii wide
+    $net7 = ".put(" ascii wide
+
+  condition:
+    any of ($ssh*) and any of ($read*) and any of ($net*)
+}
+
+rule STEALER_JS_Credential_File_Exfil_Jan25 {
+  meta:
+    description = "Detects credential file access (.npmrc, .env, .aws/credentials) combined with network exfiltration"
+    severity    = "critical"
+    score       = 90
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Credential files
+    $cred1 = ".npmrc" ascii wide
+    $cred2 = ".netrc" ascii wide
+    $cred3 = ".git-credentials" ascii wide
+    $cred4 = ".env" ascii wide
+    $cred5 = "credentials.json" ascii wide
+    $cred6 = ".aws/credentials" ascii wide
+
+    // File reading
+    $read1 = "readFileSync" ascii wide
+    $read2 = "readFile" ascii wide
+
+    // Network transmission
+    $net1 = "fetch(" ascii wide
+    $net2 = "axios" ascii wide
+    $net3 = ".post(" ascii wide
+    $net4 = "discord.com/api/webhooks" ascii wide
+
+  condition:
+    any of ($cred*) and any of ($read*) and any of ($net*)
+}
+
+rule STEALER_JS_Browser_Data_Theft_Jan25 {
+  meta:
+    description = "Detects browser credential and cookie theft pattern targeting Chrome/Firefox/Edge storage files"
+    severity    = "critical"
+    score       = 95
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Browser data paths
+    $chrome1  = "Chrome" ascii wide nocase
+    $chrome2  = "User Data" ascii wide nocase
+    $chrome3  = "Login Data" ascii wide nocase
+    $chrome4  = "Cookies" ascii wide nocase
+    $firefox1 = "Firefox" ascii wide nocase
+    $firefox2 = "logins.json" ascii wide nocase
+    $edge1    = "Edge" ascii wide nocase
+    $brave1   = "BraveSoftware" ascii wide nocase
+
+    // Storage paths
+    $storage1 = "Local Storage" ascii wide nocase
+    $storage2 = "leveldb" ascii wide nocase
+    $storage3 = "IndexedDB" ascii wide nocase
+
+    // File operations
+    $read1 = "readFileSync" ascii wide
+    $read2 = "copyFileSync" ascii wide
+    $read3 = "createReadStream" ascii wide
+
+  condition:
+    (2 of ($chrome*) or any of ($firefox*) or ($edge1 and $chrome3) or $brave1) and
+    any of ($storage*) and any of ($read*)
+}
+
+rule STEALER_JS_Env_Token_Exfil_Jan25 {
+  meta:
+    description = "Detects API token access from process.env variables combined with network transmission"
+    severity    = "high"
+    score       = 80
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+
+  strings:
+    // Token environment variables
+    $env1 = "process.env.GITHUB_TOKEN" ascii wide
+    $env2 = "process.env.NPM_TOKEN" ascii wide
+    $env3 = "process.env.OPENAI_API_KEY" ascii wide
+    $env4 = "process.env.ANTHROPIC_API_KEY" ascii wide
+    $env5 = "process.env.AWS_SECRET" ascii wide
+    $env6 = "process.env.AZURE" ascii wide
+    $env7 = /process\.env\.[A-Z_]*(TOKEN|KEY|SECRET|PASSWORD)/ ascii wide
+
+    // Network transmission
+    $net1 = "fetch(" ascii wide
+    $net2 = "axios" ascii wide
+    $net3 = ".post(" ascii wide
+
+  condition:
+    any of ($env*) and any of ($net*)
+}

package/zoo/signatures/yara/google_calendar_c2.yar

@@ -0,0 +1,187 @@
+/*
+    GlassWorm Google Calendar C2 Detection
+    Detects Google Calendar API usage for command and control fallback
+    Based on GlassWorm using Google Calendar as backup C2 channel
+*/
+
+rule C2_JS_GlassWorm_Google_Calendar_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style Google Calendar API usage for command and control fallback channel"
+    severity    = "high"
+    score       = "80"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Google Calendar API
+    $google_calendar = "google-calendar" ascii wide
+    $calendar_api    = "calendarApi" ascii wide
+    $gcal_api        = "gcalApi" ascii wide
+    $calendar_google = "calendar.google" ascii wide
+
+    // Calendar API endpoints
+    $calendar_app        = "calendar.app.google" ascii wide
+    $googleapis_calendar = "googleapis.com/calendar" ascii wide
+    $calendar_v3         = "calendar/v3" ascii wide
+    $calendar_events     = "calendar/events" ascii wide
+
+    // Calendar authentication
+    $calendar_auth  = "calendarAuth" ascii wide
+    $gcal_auth      = "gcalAuth" ascii wide
+    $calendar_token = "calendarToken" ascii wide
+    $calendar_oauth = "calendarOAuth" ascii wide
+
+    // Calendar event access
+    $calendar_events_list = "calendarEvents" ascii wide
+    $event_list           = "eventList" ascii wide
+    $get_events           = "getEvents" ascii wide
+    $list_events          = "listEvents" ascii wide
+
+    // Event parsing
+    $parse_events    = "parseEvents" ascii wide
+    $event_parser    = "eventParser" ascii wide
+    $calendar_parser = "calendarParser" ascii wide
+    $event_data      = "eventData" ascii wide
+
+  condition:
+    // High confidence: Google Calendar API + event access + parsing
+    (any of ($google_calendar, $calendar_api, $gcal_api, $calendar_google, $calendar_app, $googleapis_calendar, $calendar_v3, $calendar_events)) and
+    (any of ($calendar_auth, $gcal_auth, $calendar_token, $calendar_oauth)) and
+    (any of ($calendar_events_list, $event_list, $get_events, $list_events, $parse_events, $event_parser, $calendar_parser, $event_data))
+}
+
+rule C2_JS_GlassWorm_Calendar_Commands_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style calendar event parsing used to receive and execute C2 commands"
+    severity    = "high"
+    score       = "85"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Event command parsing
+    $event_commands    = "eventCommands" ascii wide
+    $calendar_commands = "calendarCommands" ascii wide
+    $parse_commands    = "parseCommands" ascii wide
+    $command_parser    = "commandParser" ascii wide
+
+    // Event data extraction
+    $event_summary     = "eventSummary" ascii wide
+    $event_description = "eventDescription" ascii wide
+    $event_title       = "eventTitle" ascii wide
+    $event_content     = "eventContent" ascii wide
+
+    // Command execution from events
+    $execute_command = "executeCommand" ascii wide
+    $run_command     = "runCommand" ascii wide
+    $command_exec    = "commandExec" ascii wide
+    $exec_from_event = "execFromEvent" ascii wide
+
+    // Event monitoring
+    $monitor_events   = "monitorEvents" ascii wide
+    $watch_events     = "watchEvents" ascii wide
+    $event_watcher    = "eventWatcher" ascii wide
+    $calendar_monitor = "calendarMonitor" ascii wide
+
+    // Event filtering
+    $filter_events  = "filterEvents" ascii wide
+    $event_filter   = "eventFilter" ascii wide
+    $command_filter = "commandFilter" ascii wide
+    $c2_filter      = "c2Filter" ascii wide
+
+  condition:
+    // Detect event command parsing with execution capabilities
+    (any of ($event_commands, $calendar_commands, $parse_commands, $command_parser)) and
+    (any of ($event_summary, $event_description, $event_title, $event_content)) and
+    (any of ($execute_command, $run_command, $command_exec, $exec_from_event, $monitor_events, $watch_events, $event_watcher, $calendar_monitor, $filter_events, $event_filter, $command_filter, $c2_filter))
+}
+
+rule C2_JS_GlassWorm_Calendar_Backup_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style calendar-based backup C2 mechanism with redundancy and failover patterns"
+    severity    = "medium"
+    score       = "70"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Backup C2 patterns
+    $backup_c2    = "backupC2" ascii wide
+    $fallback_c2  = "fallbackC2" ascii wide
+    $secondary_c2 = "secondaryC2" ascii wide
+    $alternate_c2 = "alternateC2" ascii wide
+
+    // C2 redundancy
+    $c2_redundancy = "c2Redundancy" ascii wide
+    $c2_backup     = "c2Backup" ascii wide
+    $c2_failover   = "c2Failover" ascii wide
+    $c2_resilience = "c2Resilience" ascii wide
+
+    // Calendar C2
+    $calendar_c2      = "calendarC2" ascii wide
+    $gcal_c2          = "gcalC2" ascii wide
+    $calendar_channel = "calendarChannel" ascii wide
+    $event_c2         = "eventC2" ascii wide
+
+    // C2 rotation
+    $c2_rotation  = "c2Rotation" ascii wide
+    $c2_switch    = "c2Switch" ascii wide
+    $c2_alternate = "c2Alternate" ascii wide
+    $c2_cycle     = "c2Cycle" ascii wide
+
+    // C2 resilience
+    $c2_persistence = "c2Persistence" ascii wide
+    $c2_survival    = "c2Survival" ascii wide
+    $c2_durability  = "c2Durability" ascii wide
+    $c2_reliability = "c2Reliability" ascii wide
+
+  condition:
+    // Detect backup C2 with calendar integration
+    (any of ($backup_c2, $fallback_c2, $secondary_c2, $alternate_c2, $c2_redundancy, $c2_backup, $c2_failover, $c2_resilience)) and
+    (any of ($calendar_c2, $gcal_c2, $calendar_channel, $event_c2)) and
+    (any of ($c2_rotation, $c2_switch, $c2_alternate, $c2_cycle, $c2_persistence, $c2_survival, $c2_durability, $c2_reliability))
+}
+
+rule C2_JS_GlassWorm_Calendar_Exfil_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style data exfiltration using calendar events with encoded payloads"
+    severity    = "medium"
+    score       = "75"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Event exfiltration
+    $event_exfil         = "eventExfil" ascii wide
+    $calendar_exfil      = "calendarExfil" ascii wide
+    $event_data_exfil    = "eventDataExfil" ascii wide
+    $calendar_data_exfil = "calendarDataExfil" ascii wide
+
+    // Event creation for exfiltration
+    $create_event = "createEvent" ascii wide
+    $add_event    = "addEvent" ascii wide
+    $insert_event = "insertEvent" ascii wide
+    $post_event   = "postEvent" ascii wide
+
+    // Data encoding in events
+    $encode_in_event   = "encodeInEvent" ascii wide
+    $event_encoding    = "eventEncoding" ascii wide
+    $calendar_encoding = "calendarEncoding" ascii wide
+    $event_base64      = "eventBase64" ascii wide
+
+    // Event data patterns
+    $event_payload    = "eventPayload" ascii wide
+    $event_data       = "eventData" ascii wide
+    $calendar_payload = "calendarPayload" ascii wide
+    $event_content    = "eventContent" ascii wide
+
+  condition:
+    // Detect event-based exfiltration with data encoding
+    (any of ($event_exfil, $calendar_exfil, $event_data_exfil, $calendar_data_exfil)) and
+    (any of ($create_event, $add_event, $insert_event, $post_event)) and
+    (any of ($encode_in_event, $event_encoding, $calendar_encoding, $event_base64, $event_payload, $event_data, $calendar_payload, $event_content))
+}

package/zoo/signatures/yara/messaging_c2.yar

@@ -0,0 +1,103 @@
+/*
+    Messaging Platform C2 Detection
+    Detects use of messaging platforms (Telegram, Slack) for C2 and exfiltration
+*/
+
+rule C2_JS_Telegram_Bot_Jan25 {
+  meta:
+    description = "Detects Telegram bot API used for C2 communication with command execution or system info gathering"
+    severity    = "high"
+    score       = 85
+    author      = "vsix-audit"
+    date        = "2025-01-30"
+
+  strings:
+    // Telegram API
+    $tg1 = "api.telegram.org" ascii wide
+    $tg2 = "/bot" ascii wide
+    $tg3 = "telegram" ascii wide nocase
+
+    // Bot methods
+    $method1 = "sendMessage" ascii wide
+    $method2 = "getUpdates" ascii wide
+    $method3 = "sendDocument" ascii wide
+    $method4 = "sendPhoto" ascii wide
+
+    // Command execution or system info (C2 indicators)
+    $exec1 = "child_process" ascii wide
+    $exec2 = ".exec(" ascii wide
+    $exec3 = ".spawn(" ascii wide
+    $exec4 = "execSync" ascii wide
+    $sys1  = "os.hostname" ascii wide
+    $sys2  = "os.userInfo" ascii wide
+    $sys3  = "os.platform" ascii wide
+    $sys4  = "process.env" ascii wide
+
+  condition:
+    any of ($tg*) and any of ($method*) and any of ($exec*, $sys*)
+}
+
+rule STEALER_JS_Telegram_Exfil_Jan25 {
+  meta:
+    description = "Detects Telegram API used for file exfiltration targeting sensitive credential paths like .ssh"
+    severity    = "high"
+    score       = 80
+    author      = "vsix-audit"
+    date        = "2025-01-30"
+
+  strings:
+    // Telegram API
+    $tg1 = "api.telegram.org" ascii wide
+    $tg2 = "/bot" ascii wide
+
+    // Document sending
+    $send1 = "sendDocument" ascii wide
+    $send2 = "sendFile" ascii wide
+    $send3 = "multipart/form-data" ascii wide
+
+    // File reading
+    $read1 = "readFileSync" ascii wide
+    $read2 = "readFile" ascii wide
+    $read3 = "createReadStream" ascii wide
+
+    // Sensitive paths
+    $path1 = ".ssh" ascii wide
+    $path2 = ".npmrc" ascii wide
+    $path3 = ".env" ascii wide
+    $path4 = "credentials" ascii wide
+    $path5 = ".aws" ascii wide
+    $path6 = ".git-credentials" ascii wide
+
+  condition:
+    any of ($tg*) and any of ($send*) and any of ($read*) and any of ($path*)
+}
+
+rule C2_JS_Slack_Webhook_Jan25 {
+  meta:
+    description = "Detects Slack webhook URL used for data exfiltration with system info or file access patterns"
+    severity    = "high"
+    score       = 75
+    author      = "vsix-audit"
+    date        = "2025-01-30"
+
+  strings:
+    // Slack webhook URL pattern
+    $slack1 = "hooks.slack.com/services" ascii wide
+    $slack2 = "hooks.slack.com" ascii wide
+    $slack3 = /T[A-Z0-9]{8,}\/B[A-Z0-9]{8,}\/[a-zA-Z0-9]{20,}/ ascii wide
+
+    // Data transmission
+    $send1 = "fetch(" ascii wide
+    $send2 = "axios" ascii wide
+    $send3 = ".post(" ascii wide
+    $send4 = "request(" ascii wide
+
+    // Data collection indicators
+    $data1 = "JSON.stringify" ascii wide
+    $data2 = "process.env" ascii wide
+    $data3 = "os.hostname" ascii wide
+    $data4 = "readFileSync" ascii wide
+
+  condition:
+    any of ($slack*) and any of ($send*) and any of ($data*)
+}