Potential Git CVE-2025-48384 Exploitation

Elastic Detection Rules

Summary
This detection rule focuses on the potential exploitation of CVE-2025-48384, a vulnerability within Git that allows attackers to execute arbitrary code by leveraging Git's recursive clone feature to fetch and run malicious scripts from a remote repository. It is particularly relevant for environments using Linux and macOS systems where developers may unwittingly clone repositories containing harmful payloads. The rule triggers on sequences of events where a Git clone command is followed shortly by a shell execution, indicating possible exploitation. Investigations should involve checking the source URLs for repository integrity and probing for any unauthorized shell commands or unexpected behaviors on the affected machines. Mitigation techniques include isolating affected hosts, removing malicious hooks or scripts, rotating credentials, and updating Git to patched versions.
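The clone-then-shell sequence the summary describes, as an added worked example written for this page rather than Elastic's rule logic: it correlates a recursive Git clone with a shell started on the same host and user shortly afterwards. The 30-second window, the shell-name list and the sample events are assumptions constructed here, not values from the rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions (not stated on the page): a 30-second correlation window
# and this set of shell binary names.
WINDOW = timedelta(seconds=30)
SHELLS = {"sh", "bash", "zsh", "dash"}

@dataclass(frozen=True)
class ProcEvent:
    ts: datetime   # process start time
    host: str      # host.name
    user: str      # user.name
    name: str      # process.name
    args: str      # full command line

def is_recursive_clone(e: ProcEvent) -> bool:
    """git clone with submodule recursion, the feature the rule keys on."""
    argv = e.args.split()
    return (e.name == "git" and "clone" in argv
            and any(a in ("--recursive", "--recurse-submodules")
                    or a.startswith("--recurse-submodules=") for a in argv))

def is_shell(e: ProcEvent) -> bool:
    return e.name in SHELLS

def find_clone_then_shell(events):
    """Return (clone, shell) pairs: a shell on the same host and user
    started within WINDOW after a recursive clone."""
    ordered = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, clone in enumerate(ordered):
        if not is_recursive_clone(clone):
            continue
        for later in ordered[i + 1:]:
            if later.ts - clone.ts > WINDOW:
                break  # events are time-ordered, so nothing later can match
            if later.host == clone.host and later.user == clone.user and is_shell(later):
                hits.append((clone, later))
    return hits

T0 = datetime(2025, 11, 12, 9, 0, 0)
# Constructed sample events, not real telemetry; example.invalid is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(T0, "dev-01", "alice", "git", "git clone --recursive https://example.invalid/repo.git"),
    ProcEvent(T0 + timedelta(seconds=4), "dev-01", "alice", "sh", "sh .git/hooks/post-checkout"),
    ProcEvent(T0 + timedelta(seconds=1), "dev-02", "bob", "git", "git clone https://example.invalid/repo.git"),
    ProcEvent(T0 + timedelta(seconds=3), "dev-02", "bob", "bash", "bash -c ls"),
    ProcEvent(T0 + timedelta(minutes=5), "dev-01", "alice", "bash", "bash"),
]

if __name__ == "__main__":
    for c, s in find_clone_then_shell(SAMPLE_EVENTS):
        print(f"{c.host}/{c.user}: {c.args!r} -> {s.args!r} after {(s.ts - c.ts).seconds}s")
```

Only the dev-01 pair fires: the non-recursive clone on dev-02 and the shell five minutes later on dev-01 fall outside the correlation. Requiring the shell's parent process to be git would further cut false positives, at the cost of missing hooks launched indirectly.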
Categories
  • Endpoint
  • Linux
  • macOS
Data Sources
  • Process
  • File
  • Network Traffic
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1203
Created: 2025-11-12