| ▲ | grav 6 days ago | |||||||
> Interestingly, the malware checks for the presence of Claude Code CLI or Gemini CLI on the system to offload much of the fingerprintable code to a prompt. Can anyone explain this? Why is it an advantage? | ||||||||
| ▲ | NitpickLawyer 6 days ago | parent | next [-] | |||||||
Some AV / endpoint protection software could flag those files. Some corpo deep inspection software could flag those if downloaded / requested from the web. The cc/geminicli were just an obfuscation method to basically run a find [...] > dump.txt Oh, and static analysis tools might flag any code with find .env .wallet (whatever)... but they might not (yet) flag prompts :) | ||||||||
| ▲ | cluckindan 6 days ago | parent | prev | next [-] | |||||||
The malware is not delivering any exploits or otherwise malicious-looking code, so endpoint security is unlikely to flag it as malicious. | ||||||||
| ||||||||
| ▲ | sneak 6 days ago | parent | prev [-] | |||||||
Furthermore most people have probably granted the node binary access to everything in their home directory on macOS. Other processes would pop up a permission dialog. | ||||||||