hunt report

Cross-reference lockfile entries against the bundled Shai-Hulud package@version list. Every hit is high-severity.

Browsers don't legitimately parent interactive shells. Hits suggest post-exploitation via a malicious extension, compromised renderer, or drive-by execution.

curl/wget/Invoke-WebRequest output piped to bash/sh/iex. Classic dropper pattern.

Dynamic-linker injection variable is set in the current process environment. Almost never legitimate on a workstation.

powershell.exe invocation carrying a base64-encoded payload. Common evasion; nearly always worth reading the decoded form.

Keys with a `command="..."` constraint. Legitimate uses (rsync-only, git-shell) exist, but a forced-command shell is a classic SSH backdoor.

Variables read by shells on every startup. An attacker that writes to these gets execution on every new shell.

Cross-references current network connections with the Tor Project bulk-exit list (live intel feed). Not malicious per se, but unusual for most production workloads.

Extensions with <all_urls>, debugger, nativeMessaging, cookies, history, etc. Each is a high-trust component whose maintainer changes are easy to miss.

Domains whose left-most label has high Shannon entropy. Often AWS S3 / CDN URLs (false positives) but also a hallmark of domain-generation-algorithm C2.

>5 active keys in a single authorized_keys file. Audit each key against current personnel and active automation.

LaunchAgents / cron / systemd units / Run keys that point at binaries under /Users/<name>/ or /home/. Plausibly legitimate (many tools install per-user) but each is worth eyeballing.

Anything executable that appeared in a common drop location in the last 14 days. Most are benign developer artifacts; a quick scan often turns up persistence droppers.

Sockets in LISTEN state on a port not in the standard service map. Often benign (dev servers, electron apps) but worth a manual check.