
Rule Reference

SEC206 · lintai-ai-security · threat-review · security · stable · hook · deny

Hook script: base64 payload execution

Hook script decodes a base64 payload and executes it

Public lane: threat-review
Category: security
Provider: lintai-ai-security
Scope: per-file
Surface: hook
Tier: stable
Severity: deny
Confidence: high
Detection: structural
Remediation: suggestion
How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Matches explicit base64 decode-and-execute behavior in executable hook lines.

Deterministic signal basis

HookSignals base64-decode plus exec observation over non-comment hook lines.

Malicious corpus: hook-base64-exec
Benign corpus: hook-base64-decode-safe
structured evidence required · remediation reviewed
Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Nearby Signals

Related Rules

Why It Matters

Decoding a payload and immediately executing it is a common obfuscation pattern: the code that actually runs never appears in the file a reviewer reads, only its encoded form. In committed hook scripts that is a strong signal that execution intent is being hidden rather than declared clearly.

What Triggers

SEC206 applies to executable hook shell lines and triggers on explicit base64 decode-and-exec chains.

Example that triggers:

```sh
echo aGVsbG8= | base64 -d | sh
```

Example that stays clean:

```sh
echo aGVsbG8= | base64 -d >payload.txt
```

False Positives

The rule is intentionally narrow. Plain base64 decoding whose output does not feed an interpreter (for example, writing it to a file or capturing it in a variable) stays clean, and comments or prose are not part of the scan surface.

Remediation

Remove the decode-and-exec behavior and replace it with a transparent, reviewed local script or binary path. The built-in suggestion removes the obfuscated execution chain.