Filesystem access
lstn can detect filesystem access by monitoring the system calls made by the process executing the npm install command. If lstn detects a system call that reads, writes, or modifies a file on the filesystem, it generates a message indicating that the process is accessing the filesystem.
For example, if lstn detected that a package was attempting to write to sensitive files such as the password file, it could indicate that the package is malicious and attempting to steal sensitive information. The message generated by lstn would contain information about the package metadata, the process metadata, and the priority of the alert.
For example:
[medium] unexpected file write
commandline: sh -c node index.js > '/etc/test->::.txt'
executable_path: /bin/sh
file_descriptor: /etc/test->::.txt
Unauthorized filesystem access could indicate signs of malicious activity such as:
- an attacker trying to access sensitive directories such as .ssh or .aws
- an attacker trying to exfiltrate sensitive credentials or secrets
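As an added example (not part of lstn or its documentation), the Python below parses alerts laid out like the sample above and flags those whose file_descriptor falls under /etc or inside a .ssh or .aws directory. The function names, the watch list, and the second and third alerts in the sample report are assumptions constructed for illustration.

```python
import posixpath
import re

# Watch list assumed for this example, taken from the paths named on this page.
SENSITIVE_ROOTS = ("/etc",)
SENSITIVE_DIR_NAMES = {".ssh", ".aws"}
HEADER = re.compile(r"^\[(?P<priority>\w+)\]\s+(?P<title>.+)$")

# First alert is the sample from this page; the other two are constructed.
SAMPLE_REPORT = """\
[medium] unexpected file write
commandline: sh -c node index.js > '/etc/test->::.txt'
executable_path: /bin/sh
file_descriptor: /etc/test->::.txt
[medium] unexpected file write
commandline: node postinstall.js
executable_path: /usr/bin/node
file_descriptor: /home/dev/.aws/credentials
[medium] unexpected file write
commandline: node build.js
executable_path: /usr/bin/node
file_descriptor: /tmp/build/out.js
"""

def parse_alerts(text):
    """Split report text into alerts: a '[priority] title' line plus key: value fields."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"priority": m["priority"], "title": m["title"], "fields": {}}
            alerts.append(current)
        elif current is not None and ": " in line:
            # Split on the first ': ' only; paths may contain ':' themselves.
            key, value = line.split(": ", 1)
            current["fields"][key] = value
    return alerts

def touches_sensitive_path(alert):
    """True when file_descriptor is an absolute path under a watched directory."""
    path = alert["fields"].get("file_descriptor", "")
    if not path.startswith("/"):
        return False
    norm = posixpath.normpath("/" + path.lstrip("/"))  # collapse '..' and '//'
    in_root = any(norm == r or norm.startswith(r + "/") for r in SENSITIVE_ROOTS)
    return in_root or any(p in SENSITIVE_DIR_NAMES for p in norm.split("/"))

def triage(text):
    """Return the alerts that touch a watched location."""
    return [a for a in parse_alerts(text) if touches_sensitive_path(a)]
```

Calling `triage(SAMPLE_REPORT)` returns the /etc and .aws alerts and leaves the write under /tmp out.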