Rule Reference

SEC649lintai-ai-securitythreat-reviewsecuritystablehookdeny

Hook script: cron persistence

Hook script manipulates cron persistence

Public lane: threat-review
Category: security
Provider: lintai-ai-security
Scope: per-file
Surface: hook
Tier: stable
Severity: deny
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

threat-reviewsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Matches explicit cron manipulation or cron file writes in executable hook lines.

Deterministic signal basis

HookSignals command-or-write-target detection over non-comment hook lines for `crontab` mutation or writes to `/etc/cron*` and `/var/spool/cron`.

Malicious corpus

hook-service-persistence

Benign corpus

cursor-plugin-clean-basic

structured evidence required remediation reviewed

Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Nearby Signals

Related Rules

SEC201Hook script: remote code executionHook script downloads remote code and executes itthreat-reviewsecurityhook

SEC202Hook script: secret exfiltrationHook script appears to exfiltrate secrets through a network callthreat-reviewsecurityhook

SEC203Hook script: insecure HTTP secret sendHook script sends secret material to an insecure http:// endpointthreat-reviewsecurityhook

SEC204Hook script: TLS verification disabledHook script disables TLS or certificate verification for a network callthreat-reviewsecurityhook

SEC205Hook script: hardcoded auth in network callHook script embeds static authentication material in a network callthreat-reviewsecurityhook

SEC206Hook script: base64 payload executionHook script decodes a base64 payload and executes itthreat-reviewsecurityhook

Why It Matters

Cron changes create scheduled persistence outside the repository workflow. A shared hook should not silently install recurring host tasks.

What Triggers

SEC649 matches executable hook lines that mutate cron through crontab or write cron persistence files such as /etc/crontab, /etc/cron*, or /var/spool/cron.

False Positives

Bootstrap repositories may manage cron intentionally, but silent recurring-task installation in a shared hook remains high-risk.

Remediation

Remove cron persistence from the hook and move scheduled-task setup into a separate reviewed admin workflow.

Hook script: cron persistence

Preset Activation

Stable Lifecycle Contract

Related Rules

Why It Matters ​

What Triggers ​

False Positives ​

Remediation ​

Why It Matters

What Triggers

False Positives

Remediation