Filesystem access
lstn can detect filesystem access by monitoring the system calls made by the processes that run during `npm install`, including the package lifecycle scripts it executes. When lstn observes a system call that reads, writes, or otherwise modifies a file, it generates a message reporting that the process accessed the file system.
For example, if lstn detected that a package was reading sensitive files such as the password file (`/etc/passwd`), that could indicate the package is malicious and trying to enumerate accounts or collect sensitive information. The message generated by lstn carries the package metadata, the process metadata, the priority of the alert, and the file access that triggered it:
```json
{
  "message": "Unexpected file read detected",
  "priority": "high",
  "package_metadata": {
    "npm_package_name": "evil-module",
    "npm_package_version": "1.0.0"
  },
  "process_metadata": {
    "commandline": "node /usr/local/lib/node_modules/evil-module/malicious-script.js",
    "parent_name": "node"
  },
  "filesystem_metadata": {
    "access_type": "read",
    "file_path": "/etc/passwd"
  }
}
```
Unauthorized filesystem access can be a sign of malicious activity, such as:
- an attacker trying to access sensitive directories such as `.ssh` or `.aws`
- an attacker trying to exfiltrate sensitive credentials or secrets
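The following is an added example, not lstn's own code: a small Go rule engine that turns constructed file-open events (the simplified event schema, the `SampleTrace` contents, the `evil-module` package and the install directory `/srv/app/node_modules` are all assumptions made for this example) into alerts with the same shape as the message above. It applies the indicators listed here, flagging reads and writes of `/etc/passwd` or anything under a `.ssh` or `.aws` directory, and also flags writes that land outside the project's install tree; `/etc/shadow` is included as an additional assumed sensitive file.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// SyscallEvent is a constructed, simplified record of one file-open system call
// seen while `npm install` runs. The schema is an assumption for this example,
// not lstn's internal event format.
type SyscallEvent struct {
	Package, Version    string // package whose lifecycle script owns the process
	Command, ParentName string // process command line and its parent's name
	Path                string // path passed to open(2)/openat(2)
	Write               bool   // open flags included O_WRONLY, O_RDWR or O_CREAT
}

// PkgMeta, ProcMeta, FSMeta and Alert mirror the message shape shown above.
type PkgMeta struct {
	Name    string `json:"npm_package_name"`
	Version string `json:"npm_package_version"`
}
type ProcMeta struct {
	Commandline string `json:"commandline"`
	ParentName  string `json:"parent_name"`
}
type FSMeta struct {
	AccessType string `json:"access_type"`
	FilePath   string `json:"file_path"`
}
type Alert struct {
	Message  string   `json:"message"`
	Priority string   `json:"priority"`
	Package  PkgMeta  `json:"package_metadata"`
	Process  ProcMeta `json:"process_metadata"`
	FS       FSMeta   `json:"filesystem_metadata"`
}

// sensitiveFiles are files an install script never needs (/etc/shadow is an
// assumption added here); sensitiveDirs are credential directories flagged
// wherever they appear in a path, e.g. under any user's home directory.
var sensitiveFiles = map[string]bool{"/etc/passwd": true, "/etc/shadow": true}
var sensitiveDirs = map[string]bool{".ssh": true, ".aws": true}

// IsSensitive reports whether p is a sensitive file or lies under a credential directory.
func IsSensitive(p string) bool {
	p = path.Clean(p)
	if sensitiveFiles[p] {
		return true
	}
	for _, elem := range strings.Split(p, "/") {
		if sensitiveDirs[elem] {
			return true
		}
	}
	return false
}

// Evaluate applies the rules to one event and returns nil when the access is
// expected. Reads are flagged only on sensitive paths, since install scripts
// legitimately read many files; writes outside node_modules and /tmp are
// always flagged, with sensitive targets raised to high priority.
func Evaluate(ev SyscallEvent, installDir string) *Alert {
	p := path.Clean(ev.Path)
	inTree := strings.HasPrefix(p, path.Clean(installDir)+"/") || strings.HasPrefix(p, "/tmp/")
	access := "read"
	if ev.Write {
		access = "write"
	}
	var msg, prio string
	switch {
	case IsSensitive(p):
		msg, prio = "Unexpected file "+access+" detected", "high"
	case ev.Write && !inTree:
		msg, prio = "Unexpected file write detected", "medium"
	default:
		return nil
	}
	return &Alert{
		Message:  msg,
		Priority: prio,
		Package:  PkgMeta{Name: ev.Package, Version: ev.Version},
		Process:  ProcMeta{Commandline: ev.Command, ParentName: ev.ParentName},
		FS:       FSMeta{AccessType: access, FilePath: p},
	}
}

// Scan evaluates a whole trace and returns every alert it produced.
func Scan(events []SyscallEvent, installDir string) []Alert {
	var out []Alert
	for _, ev := range events {
		if a := Evaluate(ev, installDir); a != nil {
			out = append(out, *a)
		}
	}
	return out
}

// SampleTrace is a constructed trace: two benign opens by a well-behaved
// package, then three opens by the hypothetical evil-module from the text.
func SampleTrace() []SyscallEvent {
	evil := "node /usr/local/lib/node_modules/evil-module/malicious-script.js"
	return []SyscallEvent{
		{"left-pad", "1.3.0", "node postinstall.js", "npm", "/srv/app/node_modules/left-pad/package.json", false},
		{"left-pad", "1.3.0", "node postinstall.js", "npm", "/srv/app/node_modules/.package-lock.json", true},
		{"evil-module", "1.0.0", evil, "node", "/etc/passwd", false},
		{"evil-module", "1.0.0", evil, "node", "/home/ci/.ssh/id_ed25519", false},
		{"evil-module", "1.0.0", evil, "node", "/home/ci/.bashrc", true},
	}
}

func main() {
	for _, a := range Scan(SampleTrace(), "/srv/app/node_modules") {
		b, _ := json.MarshalIndent(a, "", "  ")
		fmt.Println(string(b))
	}
}
```

Running it prints three alerts: a high-priority read of `/etc/passwd`, a high-priority read of the SSH private key, and a medium-priority write to `.bashrc`, while the two opens inside `node_modules` produce nothing. The scoping matters in practice: an `npm install` legitimately creates and reads thousands of files under `node_modules` and the npm cache, so a detector that alerts on every file access is unusable; restricting reads to known-sensitive paths and writes to locations outside the install tree keeps the signal focused on the exfiltration and persistence behaviour described above.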