Comment on page

Spawning child processes

Lstn detects child processes by monitoring process activity on the system where it's installed and running. When a new process is created and spawned by a parent process, lstn collects information about both the parent process and the newly spawned process. This information includes the command line used to start the process and the name of the parent process. The collected information is then used to generate a message indicating that a new process has been spawned by the parent process, in this case "npm install spawned a process".
For example:
[medium] npm install spawned a process (from transitive dependency [email protected])
commandline: sh -c node-gyp rebuild
executable_path: /bin/sh
parent_name: node
During npm install, malicious child processes can be spawned to carry out activities such as:
  • crypto mining
  • reconnoissance
  • sensitive data exfiltration
  • insertion of malicious payloads
Last modified 8mo ago
© 2023 Garnet Labs