> Interestingly, the malware checks for the presence of Claude Code CLI or Gemini CLI on the system to offload much of the fingerprintable code to a prompt.
Furthermore most people have probably granted the node binary access to everything in their home directory on macOS. Other processes would pop up a permission dialog.