Pbpaste Execution via Unusual Parent Process

Elastic Detection Rules

Summary
This detection rule identifies suspicious executions of the 'pbpaste' utility on macOS systems where the parent process is unusual, such as Node.js, Python, or osascript. The rule aims to flag possible credential theft, in particular behavior reminiscent of malware such as OtterCookie, which reads the clipboard to obtain sensitive information such as passwords and cryptocurrency seed phrases. The detection criteria require that the event type be 'start', the action be 'exec', and the process be 'pbpaste' executed under one of the defined parent processes. The rule calls for a thorough investigation of the process attributes and the network activity surrounding the event to determine whether the clipboard access was legitimate or malicious, including a review of the script's origin and the user's behavior patterns. Where malicious activity is confirmed, the response includes device isolation, process termination, and credential resets to mitigate the risk.
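As an added illustration of the criteria described above (not the rule's own query, which this page does not reproduce), the following Python applies them to constructed ECS-style process events. The parent-process names, the flattened field names, and the sample telemetry are assumptions made for the example.

```python
from typing import Dict, Iterable, List

# Parent process names treated as "unusual" for pbpaste. Assumed from the
# summary's Node.js / Python / osascript wording; the actual Elastic rule may
# enumerate a different set or match on the parent executable path instead.
UNUSUAL_PARENTS = {"node", "python", "python3", "osascript"}


def matches_rule(event: Dict[str, object]) -> bool:
    """Apply the rule's stated criteria to one flattened ECS-style process event."""
    if event.get("event.type") != "start" or event.get("event.action") != "exec":
        return False  # only process-start exec events are in scope
    if event.get("process.name") != "pbpaste":
        return False  # pbcopy and other clipboard tools are not covered by this rule
    return event.get("process.parent.name") in UNUSUAL_PARENTS


def find_alerts(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that would raise this alert, for analyst triage."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (not real events); command lines are placeholders.
SAMPLE_EVENTS = [
    {"event.type": "start", "event.action": "exec", "process.name": "pbpaste",
     "process.parent.name": "node", "host.name": "mac-01", "user.name": "dev",
     "process.parent.command_line": "node /tmp/placeholder_script.js"},
    {"event.type": "start", "event.action": "exec", "process.name": "pbpaste",
     "process.parent.name": "zsh", "host.name": "mac-01", "user.name": "dev",
     "process.parent.command_line": "-zsh"},  # interactive shell parent: expected
    {"event.type": "start", "event.action": "exec", "process.name": "pbcopy",
     "process.parent.name": "python3", "host.name": "mac-02", "user.name": "qa",
     "process.parent.command_line": "python3 placeholder.py"},  # wrong binary
    {"event.type": "end", "event.action": "end", "process.name": "pbpaste",
     "process.parent.name": "osascript", "host.name": "mac-02", "user.name": "qa",
     "process.parent.command_line": "osascript placeholder.scpt"},  # not a start
    {"event.type": "start", "event.action": "exec", "process.name": "pbpaste",
     "process.parent.name": "osascript", "host.name": "mac-03", "user.name": "ops",
     "process.parent.command_line": "osascript placeholder.scpt"},
]

if __name__ == "__main__":
    # Print the fields the summary says to review first: host, user, parent command.
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["host.name"], alert["user.name"], alert["process.parent.command_line"])
```

Only the node and osascript parents of a pbpaste start event are flagged; the shell-spawned run, the pbcopy run, and the process-end event are not.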
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1115
Created: 2026-01-30