shellExecution

Rendered from docs/alerts/shellExecution.md

Flags usage of APIs that execute shell commands or spawn subprocesses (for example child_process.exec, spawn, execFile).

Implemented in: src/lib/detection/plugins/shell-execution.ts
Enabled by default: yes

What it means

The package includes code that can run system commands.

Why it matters

Process execution expands the blast radius of a compromised dependency and is a common step in multi-stage malware (downloading payloads, modifying the filesystem, persistence).

What to do

  • Confirm the subprocess execution is essential and constrained.
  • Look for user-controlled input flowing into command strings.
  • Inspect any downloaded binaries or scripts executed at runtime.

Common fields

  • filePath, lineStart/lineEnd, codeSnippet
  • metadata may include which API/pattern was detected