Detection Library
medium · experimental · Linux · OCI · T1588

Linux Agent Executing From Site-Packages Node Modules Or Temporary Paths

Detects AI agent activity originating from Python site-packages, node_modules, or temporary directories, indicating potential execution of recently installed or dropped malicious packages.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · supply-chain · package-execution · temp-path · linux · oci · owasp-asi04

Problem Statement

Execution from package directories following a recent package installation is a strong indicator of supply chain compromise. Malicious packages may include post-install hooks or entry points that execute automatically when imported by the agent.

Sample Logs

{"timestamp":"2025-01-10T16:45:00Z","computer_name":"oci-worker-17","user":"agent_svc","image":"/usr/lib/python3/site-packages/malicious_pkg/runner.py","command_line":"python3 runner.py","parent_image":"/usr/bin/python3"}

Required Fields

image
command_line
user
computer_name

False Positives

  • Legitimate Python packages with entry-point scripts that execute from site-packages
  • Node.js CLI tools installed globally that execute from node_modules

Tuning Guidance

Maintain a hash allowlist of approved package entry points. Alert on executions from recently installed packages (installed within the last 24 hours) or packages not in the approved inventory.
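The path match and the tuning guidance above, combined into one triage pass over JSON process events; this is an added example, not the rule's own logic from the detection library. Assumptions: the `image_sha256` enrichment field, the inventory format, and the temp-directory list (`/tmp`, `/var/tmp`, `/dev/shm`) are hypothetical, and because the page does not show how the rule identifies agent processes, events are scoped by path only.

```python
import json
import posixpath
import re
from datetime import datetime, timedelta

# In-scope paths from the rule title; the temp-directory list is an assumption.
SUSPECT = re.compile(r"/(site-packages|node_modules)/|^/(tmp|var/tmp|dev/shm)/")
RECENT = timedelta(hours=24)  # "recently installed" window from the tuning guidance

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate(event, inventory):
    """Return (alert, reason). inventory (hypothetical): {path: {"sha256", "installed"}}."""
    image = posixpath.normpath(event["image"])  # collapse ../ before matching
    if not SUSPECT.search(image):
        return False, "path not in scope"
    entry = inventory.get(image)
    if entry is None:
        return True, "not in approved inventory"
    # image_sha256 is an assumed enrichment field; a missing hash fails closed.
    if event.get("image_sha256") != entry["sha256"]:
        return True, "hash not on allowlist"
    if _ts(event["timestamp"]) - _ts(entry["installed"]) < RECENT:
        return True, "installed within 24h"
    return False, "approved entry point"

def triage(json_lines, inventory):
    """Evaluate newline-delimited JSON events; return the ones that alert."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        alert, reason = evaluate(event, inventory)
        if alert:
            hits.append((event["computer_name"], event["user"], event["image"], reason))
    return hits

# Constructed inventory and events (the first event is the page's sample log).
INVENTORY = {"/usr/lib/python3/site-packages/approved_tool/cli.py":
             {"sha256": "a" * 64, "installed": "2024-12-01T00:00:00Z"}}
EVENTS = [
    '{"timestamp":"2025-01-10T16:45:00Z","computer_name":"oci-worker-17","user":"agent_svc","image":"/usr/lib/python3/site-packages/malicious_pkg/runner.py","command_line":"python3 runner.py","parent_image":"/usr/bin/python3"}',
    json.dumps({"timestamp": "2025-01-10T16:50:00Z", "computer_name": "oci-worker-17", "user": "agent_svc", "image": "/usr/lib/python3/site-packages/approved_tool/cli.py", "image_sha256": "a" * 64, "command_line": "python3 cli.py"}),
]

if __name__ == "__main__":
    for hit in triage(EVENTS, INVENTORY):
        print(hit)
```

Checking the inventory before the hash means an entry point that was never approved alerts even when the event carries no hash at all.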