alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Javascript Sandbox Escape via Global Object (process)"; flow:established,to_server; http.request_body; content:"process|2e|mainModule|2e|require|28|"; fast_pattern; content:"|2e|exec"; distance:0; pcre:"/^(?:Sync)?\x28[\x22\x27]/R"; reference:url,www.endorlabs.com/learn/happier-doms-the-perils-of-running-untrusted-javascript-code-outside-of-a-web-browser; classtype:unknown; sid:2066030; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_12_05, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, updated_at 2025_12_05; target:dest_ip;)