
Tags: security theater, paranoia validation, forensic poetry, crypto mining era
Detected crypto miners, rebuilt everything, now pretend we're secure
8. Lessons Learned
• Patch windows matter for SSR frameworks
• App-level RCE can exist without OS-level persistence
• Rebuilds are faster and safer than forensic surgery
• Random-named CPU-heavy processes are strong crypto-mining signals
⸻
9. Ongoing Preventative Measures
• Proactive dependency monitoring
• CPU usage alerts
• Periodic npm audit in CI
• Git cleanliness checks on production hosts
• Clean snapshot retained for recovery
⸻
10. Statement of Confidence
Based on:
• Full OS sweep (cron, systemd, timers)
• Application and proxy audit
• New instance deployment
• Post-migration behavior
There is high confidence that the current production environment is uncompromised and operating securely.