From 905046cd2a3464ad6c88145d6174773c5a152258 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Thu, 20 Oct 2022 14:15:57 -0400 Subject: [PATCH] linux https clients: Add exception for npm exec --- detection/c2/unexpected-https-client-linux.sql | 1 + 1 file changed, 1 insertion(+) diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql index dc1bfb5..fcd55be 100644 --- a/detection/c2/unexpected-https-client-linux.sql +++ b/detection/c2/unexpected-https-client-linux.sql @@ -94,5 +94,6 @@ WHERE '500,/usr/syncthing,0u,0g,syncthing' ) -- stay weird, NixOS (Fastly nix mirror) AND NOT child_cmd = '/run/current-system/sw/bin/bash' + AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %' GROUP BY p.cmdline
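Review bot: The added `AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'` is far wider than the exact-match keys in the `IN (...)` list above it. The trailing `%` accepts anything after `npm exec`, and `npm exec` runs arbitrary package code, so every HTTPS client started that way stops being reported by this detection. The last field of `exception_key` looks like a process name or title, which the process itself can set; that is inferred, because the key is built outside this hunk, as is the start of the WHERE clause. Consider listing the specific `npm exec <package>` values actually observed instead of the wildcard. The line should also get its own comment so it is not read as part of the NixOS note above it, e.g. `-- npm exec <pkg>: wildcard exempts any package run this way; narrow to known packages where possible`.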