[thomasss]

We had a close call with malvertising ourselves, so we wrote an osquery query to alert on .dmg/.iso/.pkg downloads from unknown sources:

https://github.com/chainguard-dev/osquery-defense-kit/blob/m...

This query should not be your only line of defense, but can provide an early heads up before the package is opened. You can deploy this query with Kolide, as it uses osquery under the hood.

It was once possible to have a query like this that worked on Linux using the user.xdg.origin.url extended file attribute, but Chromium dropped support for it in 2019 for privacy reasons: https://chromium.googlesource.com/chromium/src/+/a9b4fb70b43...