How to obtain more forensics information on a process showing in htop on a Linux system?

0

Upon running htop I found two strange processes running on my machine which have the following commands:

/bin/sh -c npm run serve and sh -c node src/index.js and some other for a python script.

These were run under "root", to which I have access, but none of those scripts seem to exist.

How exactly can I check on the contents of the script being executed or at the very least check on what those scripts are doing?

I know about /proc, but I can't find anything there that could be of any help. Only the cmdline that I've put above. I'd like to know the contents / logic being executed by those scripts and their paths / location from where the command was executed or something of the like that could help me decide if these processes are legit or malicious.

So how exactly can I do this? Please answer with detail if you mention the usage of some Linux command or tool.

Fane

Posted 2020-01-02T17:50:37.770

Reputation: 113

No answers
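
The /proc entries that bear on the question (cwd, exe, environ, fd and the parent chain), collected by a POSIX shell script added here as an example; it is not part of the original post. The function names are hypothetical, and the mount-namespace check rests on an assumption the post does not state: that a script path missing on the host may belong to a container's filesystem.

```shell
#!/bin/sh
# Added example, not from the post. Run as root: another user's exe, cwd,
# environ and fd entries under /proc are not readable otherwise.

# Command line, NUL separators shown as spaces.
proc_cmdline() { cat "/proc/$1/cmdline" 2>/dev/null | tr '\0' ' '; }

# Target of a /proc/PID symlink such as exe, cwd, root or ns/mnt.
proc_link() { readlink "/proc/$1/$2" 2>/dev/null; }

# Parent PID, read from status (stat is awkward when the name has spaces).
proc_ppid() { awk '/^PPid:/ {print $2}' "/proc/$1/status" 2>/dev/null; }

# PID and command line of the process and of each ancestor up to init.
proc_ancestry() (
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
        printf '%s\t%s\n' "$pid" "$(proc_cmdline "$pid")"
        pid=$(proc_ppid "$pid") || break
    done
)

proc_report() (
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; exit 1; }
    cwd=$(proc_link "$pid" cwd)
    echo "cmdline : $(proc_cmdline "$pid")"
    echo "exe     : $(proc_link "$pid" exe)"   # ends in " (deleted)" if unlinked
    echo "cwd     : $cwd"                      # base for relative paths like src/index.js
    # Assumption: a different mount namespace (container) means cwd is a path
    # inside that filesystem; /proc/PID/root reaches it from the host.
    if [ "$(proc_link "$pid" ns/mnt)" != "$(proc_link self ns/mnt)" ]; then
        echo "mount ns: differs from this shell; look under /proc/$pid/root$cwd"
    fi
    echo "cgroup  : $(tr '\n' ' ' < "/proc/$pid/cgroup")"
    echo "environment (selected):"
    tr '\0' '\n' < "/proc/$pid/environ" |
        grep -E '^(PWD|INIT_CWD|HOSTNAME|npm_lifecycle_[a-z]+)=' | sed 's/^/  /'
    echo "open files and sockets:"
    ls -l "/proc/$pid/fd" | sed 's/^/  /'
    echo "ancestry:"
    proc_ancestry "$pid" | sed 's/^/  /'
)

# Usage: sh proc_report.sh PID
if [ -n "${1:-}" ]; then proc_report "$1"; fi
```

The cgroup line and the ancestry usually show which service manager or container runtime started the process, which is often enough to tell where the `npm run serve` working directory really lives.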