diff --git a/.changeset/dark-garlics-lay.md b/.changeset/dark-garlics-lay.md
new file mode 100644
index 00000000..04405620
--- /dev/null
+++ b/.changeset/dark-garlics-lay.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/js-x-ray": patch
+---
+
+Handle uname as unsafe-command
diff --git a/workspaces/js-x-ray/src/probes/isUnsafeCommand.ts b/workspaces/js-x-ray/src/probes/isUnsafeCommand.ts
index 3167c728..87d1bbdf 100644
--- a/workspaces/js-x-ray/src/probes/isUnsafeCommand.ts
+++ b/workspaces/js-x-ray/src/probes/isUnsafeCommand.ts
@@ -8,7 +8,7 @@ import { ProbeSignals } from "../ProbeRunner.js";
 import { isLiteral } from "../types/estree.js";
 // CONSTANTS
-const kUnsafeCommands = ["csrutil"];
+const kUnsafeCommands = ["csrutil", "uname"];
 function isUnsafeCommand(
   command: string
diff --git a/workspaces/js-x-ray/test/probes/isUnsafeCommand.spec.ts b/workspaces/js-x-ray/test/probes/isUnsafeCommand.spec.ts
index 0219514a..58af2df4 100644
--- a/workspaces/js-x-ray/test/probes/isUnsafeCommand.spec.ts
+++ b/workspaces/js-x-ray/test/probes/isUnsafeCommand.spec.ts
@@ -89,3 +89,28 @@ test("should not detect non suspicious command", () => {
     assert.equal(sastAnalysis.warnings().length, 0);
   });
 });
+
+// Note: Until we can safely test with actual malware samples,
+// these tests uses a truncated snippet from a known malicious package.
+
+test("aog-checker detection", () => {
+  // Ref: https://socket.dev/npm/package/aog-checker/files/99.99.99/index.js
+  const maliciousCode = `
+    const { execSync } = require("child_process");
+    // truncated ...
+    let uname = "";
+    try {
+      uname = execSync("uname -a").toString().trim();
+    } catch (e) {
+      uname = "N/A";
+    }
+  `;
+
+  const ast = parseScript(maliciousCode);
+  const sastAnalysis = getSastAnalysis(maliciousCode, isUnsafeCommand)
+    .execute(ast.body);
+
+  const result = sastAnalysis.getWarning(kWarningUnsafeCommand);
+  assert.equal(result.kind, kWarningUnsafeCommand);
+  assert.equal(result.value, "uname -a");
+});
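Review bot: `kUnsafeCommands` now contains `"uname"` but nothing in the hunk shows how a command string is compared against the list; the body of `isUnsafeCommand` starts here and continues outside the hunk, so whether the match is on the first token or on any substring cannot be confirmed from this view. If it is substring-based, a five-character entry like `uname` will also fire on unrelated strings (an argument or path containing `username`, for instance), a false positive the longer `csrutil` rarely produced; a first-token or word-boundary comparison is worth checking before the list grows. A short rationale per entry would also help maintainers decide what belongs here, e.g. `// "uname": host/OS fingerprinting, see the aog-checker sample in the spec`.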
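Review bot: `const result = sastAnalysis.getWarning(kWarningUnsafeCommand);` is dereferenced on the next line without checking that a warning was returned, so a regression in the probe surfaces as a TypeError on `undefined` rather than a readable assertion failure. Asserting the count first also pins that the rest of the snippet (`require("child_process")`, the `"N/A"` literal) raises nothing extra: add `assert.equal(sastAnalysis.warnings().length, 1);` before the `getWarning` call. The comment `// these tests uses a truncated snippet` should read `these tests use`.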