Local CLI Dock Malware: Symlink Injection & Metadata Hijacking

Summary

A user reported seeing malformed, pseudo-code metadata appearing as tooltips in spreadsheets and as unexpected text within email clients. The symptoms described, specifically the presence of complex, functional-looking syntax such as O.Initialize({ Order: e=>e.Out }) and S.Admin.Spam(e=>e.Delete()), indicated that the user’s local environment was not merely experiencing a glitch but was being manipulated by a malicious or highly intrusive script operating via a custom “Local CLI Dock.”

The core issue was a directory-level symlink injection that masqueraded as a productivity tool but functioned as a data exfiltration and persistence mechanism.

Root Cause

The investigation identified a multi-layered failure in the user’s local environment:

  • Symlink Orchestration: The user had inadvertently (or through social engineering) installed a “Local CLI Dock” which created recursive symlinks (~Head) across active working directories.
  • Metadata Injection: The “error messages” seen in tooltips were actually extended file attributes or comment metadata embedded into files via a script. When spreadsheet applications or email clients queried file properties for the UI, they were pulling this “junk” data into the hover-state tooltips.
  • Malicious Scripting Logic: The “code” observed was a functional script designed to:
    • Monitor file activity (via GIT.FIND()).
    • Automate deletion/forwarding of private files (S.Admin.Spam(e=>e.Delete().Forward(...))).
    • Bypass user notifications (--Skip.Notifications).
    • Establish persistence by creating directories the user was “banned from deleting.”

Why This Happens in Real Systems

This phenomenon occurs due to the decoupling of file metadata and file content.

  1. Extended Attributes (xattrs): Modern filesystems (NTFS, APFS, ext4) allow metadata to be attached to a file that is not part of the actual data stream. If a process writes to these attributes, the user won’t see it in a text editor, but any OS-level “hover” or “preview” function will display it.
  2. Symlink Loops/Traps: By creating a deep tree of symlinks, an attacker can make manual cleanup nearly impossible, as deleting a “folder” might actually be attempting to delete a link to a protected system path or a recursive loop that crashes the file explorer.
  3. Shadow Toolkits: Users often seek “productivity hacks” (like custom CLI docks) that promise to organize files. These tools often require high-level filesystem permissions, which provide the perfect cover for malicious background tasks.

Real-World Impact

  • Data Exfiltration: The script logic explicitly showed patterns for forwarding private files to external sinks.
  • System Instability: The use of recursive symlinks can lead to infinite loops during backup processes, antivirus scans, or indexing (like Spotlight or Windows Search), causing massive CPU spikes.
  • Loss of Integrity: Users can no longer trust the metadata of their files, making it impossible to distinguish between actual file properties and injected “noise.”
  • Psychological Friction: The constant appearance of “errors” and the need to manually delete “empty” files leads to user fatigue, often causing them to ignore real security warnings.

Example or Code

The following is a simplified representation of how a malicious script might inject “noise” into file metadata to mask its presence or provide instructions to a bot:

// Simulated logic of the observed "Dock" script
const filesystem = require('fs');

function injectMetadata(filePath, payload) {
    // Writing to extended attributes instead of the file content.
    // This is why the user sees it in tooltips but not in the text itself.
    // Note: Node's built-in fs module has no setxattr; this call stands in
    // for a native xattr binding or the OS xattr/setfattr utility and is
    // kept as a placeholder for the observed behaviour.
    try {
        filesystem.setxattr(filePath, 'user.comment', payload);
    } catch (err) {
        console.error("Failed to hide metadata");
    }
}

const maliciousPayload = "ERR: local dock/shortcut directory tree --which-you-can-access-but-are-banned-from-deleting";

// Target common working directories
const targets = ['./Documents', './Downloads', './Work'];

targets.forEach(dir => {
    // Create a symlink 'trap': a link named '~Head' pointing at a hidden path
    // that need not exist, so the link dangles (or loops) when followed.
    // symlinkSync(target, path) throws if '~Head' already exists.
    filesystem.symlinkSync(dir + '/.hidden_core', dir + '/~Head');
    // Inject the "junk" metadata
    injectMetadata(dir + '/manifest.txt', maliciousPayload);
});

How Senior Engineers Fix It

  1. Filesystem Auditing: Instead of deleting files manually, use tools like find with lsof to identify which process holds handles on the suspicious symlinks.
  2. Attribute Scrubbing: Use command-line utilities (e.g., xattr -c on macOS or setfattr on Linux) to strip all extended attributes from the directory tree.
  3. Isolate and Image: In a production/corporate environment, the machine is immediately isolated from the network to prevent the Forward() command from exfiltrating data, and a forensic image is taken.
  4. Root Cause Analysis of Entry Point: Determine how the “Local CLI Dock” was installed. Was it a malicious package from an unverified repository (NPM/PyPI) or a downloaded binary?
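The auditing and attribute-scrubbing steps above (steps 1 and 2), together with the xattr mechanism described under “Why This Happens in Real Systems”, as an added shell example that is not code from the original post. It assumes a Linux host with coreutils and the attr package (getfattr/setfattr); the ‘~Head’ link name is taken from the report, and the macOS equivalent (xattr -c) is noted in the comments.

```shell
# Triage helpers for the "Local CLI Dock" symptoms (added example, assumes
# Linux + coreutils + attr tools; on macOS use `xattr -l` / `xattr -c`).

# List every symlink under $1 as "path -> target [ok|DANGLING]".
# A self-referential or ancestor loop also shows as DANGLING, because
# `test -e` cannot resolve it; that is the trap the report describes.
audit_symlinks() {
    find "$1" -type l 2>/dev/null | LC_ALL=C sort | while IFS= read -r link; do
        if [ -e "$link" ]; then state=ok; else state=DANGLING; fi
        printf '%s -> %s [%s]\n' "$link" "$(readlink "$link")" "$state"
    done
}

# Count symlinks under $1 carrying the link name used by the script ('~Head').
count_head_links() {
    find "$1" -type l -name '~Head' 2>/dev/null | wc -l | tr -d ' '
}

# Print regular files under $1 that carry a user.comment extended attribute,
# i.e. the files whose "error text" will surface in tooltips.
list_tagged_files() {
    command -v getfattr >/dev/null 2>&1 || { echo "attr tools missing" >&2; return 2; }
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        getfattr -n user.comment "$f" >/dev/null 2>&1 && printf '%s\n' "$f"
    done
}

# Strip every user.* attribute from every regular file under $1 (step 2).
# getfattr -d dumps the user namespace as name="value" lines; each name is
# removed with setfattr -x. macOS equivalent: xattr -cr DIR
scrub_xattrs() {
    command -v setfattr >/dev/null 2>&1 || { echo "attr tools missing" >&2; return 2; }
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        getfattr -d --absolute-names "$f" 2>/dev/null \
            | sed -n 's/^\([^#][^=]*\)=.*/\1/p' \
            | while IFS= read -r name; do setfattr -x "$name" "$f"; done
    done
}

# Usage (after sourcing this file):
#   audit_symlinks ~/Work; list_tagged_files ~/Work; scrub_xattrs ~/Work
```

Run the audit before any deletion so that the list of handles and link targets is preserved for the forensic image taken in step 3.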

Why Juniors Miss It

  • Focusing on the “Error”: Juniors often treat the weird text as a software bug in Excel or Outlook rather than a filesystem integrity issue.
  • Manual Cleanup: Juniors attempt to “fix” the problem by deleting the files they see. This fails because the symlink logic or hidden attributes simply regenerate, or worse, the deletion triggers a script that locks the user out.
  • Ignoring Metadata: There is a common misconception that if a file’s content looks fine, the file is fine. Juniors often overlook extended attributes and symlink structures as potential vectors for system-wide compromise.
