
Security Alerts

Signals from Shoulder's ecosystem analysis: newly scanned packages, detected risk changes and discovered vulnerabilities.

Alerts are generated when Shoulder analyzes a package and detects signals that warrant review. Each alert links to a full threat report.

npm/@acpus/[email protected] CRITICAL

Payload delivery from suspicious source: IOC URL + execution capability

  • Bulk env-var sweep + shell exec at runtime — credential-stealer
  • Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
  • Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

npm/@gilbertwong1996/[email protected] CRITICAL

Suspicious install-time execution: 2+ suspicious signals during install

  • Install hook writes to user-home dotfiles (~/.bashrc, ~/.ssh/, ~/.local/bin/) — auto-installing persistence

npm/@inkly-org/[email protected] HIGH

Payload delivery from suspicious source: IOC URL + execution capability

  • Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

npm/@pawlogic/[email protected] MEDIUM

Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)

  • Dynamic code evaluation with network access — potential code injection or exfiltration

npm/@xom11/[email protected] MEDIUM

A dist-tag (e.g. latest) was moved to this version while it was less than 1 hour old — publish-side compromise indicator

  • Dynamic code evaluation with network access — potential code injection or exfiltration

pypi/[email protected] CRITICAL

Bulk env-var sweep + shell exec at runtime — credential-stealer

  • Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
  • Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
  • Install hook + shell + network + obfuscation — high-confidence malware shape (scopes may be install or runtime)
  • Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
  • Install hook + shell exec + obfuscation — known malware shape (scopes may be install or runtime)
  • Install hook + credential-file reads + network — credential stealer shape (scopes may be install or runtime; install hook can transitively reach runtime caps)
  • Sensitive file access with network egress — credential exfiltration pattern
  • Obfuscated shell execution — concealment pattern
  • Dynamic code evaluation with network access — potential code injection or exfiltration

npm/[email protected] MEDIUM

Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals

  • Dynamic code evaluation with network access — potential code injection or exfiltration

npm/[email protected] HIGH

Suspicious install-time execution: 2+ suspicious signals during install

  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)

pypi/[email protected] CRITICAL

Payload delivery from suspicious source: IOC URL + execution capability

  • Bulk env-var sweep + shell exec at runtime — credential-stealer
  • Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer
  • Raw socket usage paired with credential reads — possible TCP exfil bypass
  • Sensitive file access with network egress — credential exfiltration pattern

pypi/[email protected] CRITICAL

Install-time exfil signature: install hook + credential/env access + outbound network + obfuscated payload

  • Dynamic / forked-detached shell paired with code obfuscation — runtime dropper attribution (no install hook required)
  • Obfuscated shell execution — concealment pattern

npm/[email protected] CRITICAL

Bulk env-var sweep (cap-bulk-env-access reads ALL of process.env) + outbound network — credential-stealer

pypi/[email protected] CRITICAL

Obfuscated payload + credential-harvest capability: javascript-obfuscator-grade output combined with cloud-metadata / bulk-env-sweep / cloud / SSH / browser / wallet credential access

  • matched: verdict_obfuscated_credential_exfil, verdict_runtime_payload_delivery

npm/[email protected] CRITICAL

Payload delivery from suspicious source: IOC URL + execution capability

  • Install hook spawns dynamic / forked-detached shell — dropper attribution
  • Install hook writes to system paths (/etc/, /usr/, etc.) — review for persistence
  • Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals
  • Dynamic eval + network + shell exec — dropper trio (arbitrary code execution, exfiltration channel, OS access)
  • Install hook + shell exec + network — dropper shape (scopes may be install or runtime; install hook can transitively reach runtime caps via the postinstall entrypoint)
  • Sensitive file access with network egress — credential exfiltration pattern
  • Install hook writes to user-home dotfiles (~/.bashrc, ~/.ssh/, ~/.local/bin/) — auto-installing persistence
  • Dynamic code evaluation with network access — potential code injection or exfiltration

npm/[email protected] HIGH

Payload delivery from suspicious source: IOC URL + execution capability

  • Manifest version doesn't match any embedded version constant in the bundle — bundle may not have been rebuilt from the published manifest; review release pipeline and corroborating signals