Bulk Environment Variable Harvesting and Exfiltration - ATR-2026-00115 (594956a4-8ba1-5e1f-9dc3-66eab94e77a6)
Detects tools or agent instructions that perform bulk extraction of environment variables and combine it with network exfiltration. Environment variables commonly hold API keys, database credentials, and service tokens. An attacker gaining access to the full environment can compromise every connected service. This rule targets both the harvesting step (printenv, process.env, os.environ) and the exfiltration step (curl, fetch, http calls) when they appear together or individually.