Tampering (filesystem)

Coming soon

lstn can detect filesystem access by monitoring the system calls made by the process that executes the npm install command. If lstn detects a system call that reads, writes, or modifies a file on the filesystem, it will generate a message indicating that the process is accessing the filesystem.

For example, if lstn detected that a package was attempting to write to sensitive files such as the password file, that could indicate that the package is malicious and attempting to steal sensitive information. The message generated by lstn would contain the package metadata, the process metadata, and the priority of the alert. A sample message:

  [medium] unexpected file write
    commandline: sh -c node index.js > '/etc/test->::.txt'
    executable_path: /bin/sh
    file_descriptor: /etc/test->::.txt

Unauthorized filesystem access can be a sign of malicious activity, such as:

  • an attacker trying to access sensitive directories such as .ssh or .aws

  • an attacker trying to exfiltrate sensitive credentials or secrets
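
One way to triage messages like the one above is sketched below. This is an added example, not lstn's own code: it parses text in the layout of the sample message and flags writes whose target path falls under the locations this page names. The sample alerts, the watchlist and the function names are constructed for illustration.

```javascript
// Constructed sample alerts in the layout shown above (not real lstn output).
const SAMPLE = `
[medium] unexpected file write
  commandline: sh -c node index.js > '/etc/test->::.txt'
  executable_path: /bin/sh
  file_descriptor: /etc/test->::.txt
[medium] unexpected file write
  commandline: node postinstall.js
  executable_path: /usr/bin/node
  file_descriptor: /home/ci/.ssh/authorized_keys
[medium] unexpected file write
  commandline: node build.js
  executable_path: /usr/bin/node
  file_descriptor: /home/ci/project/node_modules/pkg/build/out.js
`;

// Assumed watchlist, derived from the locations the page names.
const SENSITIVE = [
  { label: "system config", re: /^\/etc\// },
  { label: "ssh keys", re: /(^|\/)\.ssh(\/|$)/ },
  { label: "aws credentials", re: /(^|\/)\.aws(\/|$)/ },
];

// Parse "[priority] title" headers followed by indented "key: value" lines.
function parseAlerts(text) {
  const alerts = [];
  for (const line of text.split("\n")) {
    const head = line.match(/^\s*\[(\w+)\]\s+(.+)$/);
    if (head) {
      alerts.push({ priority: head[1], title: head[2].trim(), fields: {} });
      continue;
    }
    // Split on the first ": " only; values such as paths may contain colons.
    const kv = line.match(/^\s+([a-z_]+): (.*)$/);
    if (kv && alerts.length) alerts[alerts.length - 1].fields[kv[1]] = kv[2];
  }
  return alerts;
}

// Return the alerts whose target path matches the watchlist, with the reason.
function triage(alerts) {
  return alerts.flatMap((a) => {
    const path = a.fields.file_descriptor || "";
    const hit = SENSITIVE.find((s) => s.re.test(path));
    return hit ? [{ path, reason: hit.label, commandline: a.fields.commandline }] : [];
  });
}
```

Writes inside the project's own node_modules tree are left unflagged here, since install scripts routinely write build output there.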

© 2023 Garnet Labs