top | item 45039159

(no title)

grav | 6 months ago

> Interestingly, the malware checks for the presence of Claude Code CLI or Gemini CLI on the system to offload much of the fingerprintable code to a prompt.

Can anyone explain this? Why is it an advantage?

discuss

NitpickLawyer|6 months ago

Some AV / endpoint protection software could flag those files. Some corpo deep inspection software could flag those if downloaded / requested from the web.

The cc/geminicli were just an obfuscation method to basically run a find [...] > dump.txt

Oh, and static analysis tools might flag any code with find .env .wallet (whatever)... but they might not (yet) flag prompts :)

cluckindan|6 months ago

The malware is not delivering any exploits or otherwise malicious-looking code, so endpoint security is unlikely to flag it as malicious.

skybrian|6 months ago

That’s because it’s new. Perhaps feeding prompts into Claude Code and similar tools will be considered suspicious from now on?

sneak|6 months ago

Furthermore most people have probably granted the node binary access to everything in their home directory on macOS. Other processes would pop up a permission dialog.