supply-chain-guard

supply-chain-guard

Open-source supply-chain security scanner for npm, PyPI, Cargo, Go, Docker, Terraform, VS Code extensions, GitHub Actions and GitHub repositories. Detects malware campaigns (GlassWorm, Vidar, Shai-Hulud), fake AI tool repos, account takeovers, and 170+ threat indicators. Generates CycloneDX 1.6 SBOMs with real dependency inventories, verifies SLSA provenance, and correlates findings into attack-chain incidents.

Background

For a deep dive into how GlassWorm infiltrates the software supply chain and the detection techniques behind this tool, read the blog post: How GlassWorm Gets In and How We Locked It Out.

What It Detects

Malware Campaigns

• GlassWorm campaign markers and Solana blockchain C2
• Vidar/GhostSocks infostealers (April 2026 Claude Code leak campaign)
• Shai-Hulud self-replicating npm worm
• XZ Utils backdoor (CVE-2024-3094), SolarWinds SUNBURST, Codecov, ua-parser-js, coa/rc
• Fake AI tool repos (Claude Code, Copilot, Cursor, ChatGPT, OpenClaw lures)

Code-Level Threats

• Obfuscated execution: eval+atob, eval+Buffer.from, template literal eval, dynamic import()
• Invisible Unicode, RTL override, SVG script injection, steganography
• Shannon entropy analysis for encoded payloads
• Proxy handler traps, WebAssembly from external sources

Supply Chain Attacks

• Install hook deep analysis (secret harvesting, download-exec chains, binary blobs)
• Levenshtein-based typosquatting detection against top 100 npm packages with known-safe whitelist
• Dependency confusion and namespace squatting
• Known-bad version blocklist (axios, ua-parser-js, coa, rc, event-stream, node-ipc, colors, faker)
• Publishing anomaly detection (maintainer changes, version gaps, script additions)

Infrastructure & CI/CD

• GitHub Actions: unpinned actions, secrets exfiltration, encoded payloads, curl piping
• Dockerfile: curl pipe, unpinned base images, hardcoded secrets, SUID bits
• Terraform/IaC: inline scripts, external modules, hardcoded secrets
• Package manager configs (.npmrc, .yarnrc, pip.conf): HTTP registries, exposed tokens
• Git hooks and submodule security

Repository Trust Signals

• GitHub repo metadata analysis (account age, star-farming, single-commit repos)
• Release artifact scanning (.exe, .7z, double extensions, LNK shortcuts, PE magic)
• README lure detection (leaked/pirated/urgency language)

Prompt Injection Against AI Coding Agents (v5.2.19)

Detects LLM-control tokens embedded in package READMEs that target downstream AI coding agents (Claude Code, Cursor, Copilot) reading the docs on behalf of a human developer. The example tokens below are HTML-escaped in the raw README so the patterns do not flag this documentation itself - they render normally in any markdown viewer:

• <system-reminder> / <system-prompt> (Anthropic family)
• <|im_start|> / <|im_end|> ChatML (OpenAI, Llama, Mistral, Qwen)
• [INST] / [/INST] (Mistral, Llama instruction-tuned)
• <|system|> / <|user|> / <|assistant|> (Phi, Gemma, Granite, generic role tokens)
• Natural-language jailbreak phrasing ("ignore previous instructions")

Credential Detection

• AWS access keys (AKIA/ASIA), GitHub tokens (ghp_/gho_), npm tokens
• SSH private keys, generic API keys, PEM private keys

Dead-Drop Resolver / C2 Detection

• Steam Community profiles, Telegram channels, Pastebin, GitHub Gists
• DNS TXT records, DNS-over-HTTPS, dynamic WebSocket URLs
• Known C2 domains and IPs (from IOC blocklist)

Correlation Engine (v4.2)

Links individual findings into incident-level attack chains:

• "GlassWorm Campaign" (marker + eval + exfiltration)
• "Vidar Stealer Infection" (dead-drop + browser theft + dropper)
• "npm Account Takeover" (maintainer change + install hooks + C2)
• "Fake Repository Malware" (lure + exe release + new account)
• 15+ correlation rules with confidence scoring

Trust Breakdown (v4.2)

4-dimension trust scoring for every scan:

• Publisher Trust (40%) / Code Quality (30%) / Dependency Trust (20%) / Release Process (10%)

Installation

npm install -g supply-chain-guard

Or use directly with npx:

npx supply-chain-guard scan ./my-project

Quickstart

# Scan a local directory
supply-chain-guard scan ./my-project

# Scan a GitHub repo (includes trust signal analysis)
supply-chain-guard scan https://github.com/user/repo

# Analyze a GitHub repo for trust signals + malware
supply-chain-guard repo https://github.com/user/repo

# Scan an npm package (downloads without installing)
supply-chain-guard npm suspicious-package-name

# Scan a PyPI package
supply-chain-guard pypi suspicious-package

# Scan a VS Code extension
supply-chain-guard vscode publisher.extension-name

# Detect dependency confusion
supply-chain-guard confusion ./my-project

# Scan an entire GitHub organization
supply-chain-guard org my-github-org

# Scan only files changed since a commit (diff mode)
supply-chain-guard scan ./project --since HEAD~5

# Monitor a Solana C2 wallet
supply-chain-guard monitor <wallet-address> --once

Output Formats

supply-chain-guard scan ./project                # Human-readable text (default)
supply-chain-guard scan ./project --format json   # JSON (for CI/CD pipelines)
supply-chain-guard scan ./project --format html   # Standalone HTML report
supply-chain-guard scan ./project --format markdown # Markdown (for PR comments)
supply-chain-guard scan ./project --format sarif  # SARIF 2.1.0 (GitHub Code Scanning)
supply-chain-guard scan ./project --format sbom   # CycloneDX 1.6 SBOM with real dependency inventory
supply-chain-guard scan ./project --sbom-output sbom.json  # Write SBOM to file separately

CI Exit Code Control

supply-chain-guard scan ./project --fail-on critical  # Fail only on critical
supply-chain-guard scan ./project --fail-on high       # Fail on high or above
supply-chain-guard scan ./project --fail-on info       # Fail on any finding

Filtering

supply-chain-guard scan ./project --min-severity high
supply-chain-guard scan ./project --exclude SOLANA_MAINNET,HEX_ARRAY

Policy Configuration (v4.4)

Create .supply-chain-guard.yml in your project root to customize behavior:

rules:
  disable:
    - HEX_ARRAY
    - CHARCODE_OBFUSCATION
  severityOverrides:
    GHA_UNPINNED_ACTION: medium

allowlist:
  packages:
    - internal-utils
  domains:
    - company.internal
  githubOrgs:
    - my-org

suppress:
  - rule: RELEASE_EXE_ARTIFACT
    reason: Legitimate Windows installer

baseline:
  file: .scg-baseline.json

Baseline Diffing (v4.4)

Only report NEW findings (ignore known baseline):

# Save current findings as baseline
supply-chain-guard scan ./project --save-baseline .scg-baseline.json

# On subsequent scans, only show new findings
supply-chain-guard scan ./project --baseline .scg-baseline.json

Example Output

╔══════════════════════════════════════════════════════════════════════════════╗
║  supply-chain-guard                                                  v5.1.0 ║
╚══════════════════════════════════════════════════════════════════════════════╝

  Target      ./suspicious-package
  Type        directory  ·  18 / 18 files scanned
  Duration    142ms
  Time        2026-04-07T12:00:00.000Z

┌─────────────────────────────── RISK SCORE ─────────────────────────────────┐
│                                                                              │
│   83 / 100   █████████████████████████████████░░░░░   CRITICAL             │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────── FINDINGS SUMMARY ───────────────────────────────┐
│  CRITICAL      3  ████████████████████████████████                          │
│  HIGH          1  ██████████                                                 │
│  MEDIUM        0  ────────────────────────────────                           │
│  LOW           0  ────────────────────────────────                           │
│  INFO          0  ────────────────────────────────                           │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────── FINDINGS ───────────────────────────────────┐
│                                                                              │
│  [CRITICAL]  DEAD_DROP_STEAM                                                │
│              Steam Community profile URL used as dead-drop C2 resolver      │
│              src/config.js:12                                                │
│              match  https://steamcommunity[.]com/profiles/76561198...       │
│              fix    Remove external URL resolution; use static configuration │
│                                                                              │
│ ············································································· │
│                                                                              │
│  [CRITICAL]  VIDAR_BROWSER_THEFT                                            │
│              Browser credential file access (infostealer pattern)           │
│              src/steal.js:45                                                 │
│              match  AppData[...]Google[...]Chrome[...]Login Data             │
│              fix    Never access browser credential stores                   │
│                                                                              │
│ ············································································· │
│                                                                              │
│  [CRITICAL]  DROPPER_TEMP_EXEC                                              │
│              Dropper: file written and executed from temp directory          │
│              src/loader.js:23                                                │
│              match  saveFile(tmpdir, payload); exe‹c›(tmpPath)              │
│              fix    Remove dropper logic; audit all exec() call sites        │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

┌─────────────────────────── TRUST BREAKDOWN ─────────────────────────────────┐
│  Publisher       ██████░░░░░░░░░░░░░░░░░░░░░░░░░░░░  20/100               │
│  Code            █████████░░░░░░░░░░░░░░░░░░░░░░░░░  30/100               │
│  Dependencies    ████████████████████████████████████ 100/100              │
│  Release         ██████████████████████████░░░░░░░░░  80/100               │
│────────────────────────────────────────────────────────────────────────────│
│  Overall         █████████████░░░░░░░░░░░░░░░░░░░░░░  48/100               │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────── CORRELATED INCIDENTS ───────────────────────────┐
│                                                                              │
│  [CRITICAL]  Vidar Stealer Infection  95% confidence                        │
│  Multiple infostealer indicators: dead-drop resolvers for C2,               │
│  browser credential theft, and crypto wallet targeting.                     │
│  Indicators: DEAD_DROP_STEAM, VIDAR_BROWSER_THEFT, DROPPER_TEMP_EXEC       │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

Supported Ecosystems

Ecosystem	Command	What It Scans
npm	scan, npm	package.json, install scripts, lockfile, tarball
PyPI	pypi	setup.py, setup.cfg, pyproject.toml, install hooks
Cargo/Rust	scan	Cargo.toml, build.rs, proc macros
Go	scan	go.mod, init() functions, CGo, plugin loading
Docker	scan	Dockerfile, docker-compose.yml, Containerfile
Terraform	scan	.tf, .hcl files (provisioners, modules, secrets)
VS Code	vscode	.vsix files, activation events, dangerous APIs
GitHub Actions	scan	.github/workflows/*.yml
GitHub Repos	repo	Trust signals, releases, README lures
Solana	monitor	C2 wallet memo transactions

GitHub Action

name: Supply Chain Security
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: homeofe/supply-chain-guard@v5
        with:
          fail-on: critical
          comment-on-pr: true

Action Inputs

Input	Description	Default
path	Path to scan	.
format	Output format (text/json/markdown/html/sarif/sbom)	markdown
min-severity	Minimum severity to report	low
exclude-rules	Comma-separated rule IDs to exclude
fail-on	Fail check at this severity or above	critical
comment-on-pr	Post findings as PR comment	true

Adding Custom Patterns

Edit src/patterns.ts to add new detection rules:

{
  name: "my-custom-pattern",
  pattern: "regex-pattern-here",
  description: "What this detects",
  severity: "high",
  rule: "MY_CUSTOM_RULE",
}

Architecture

scan() -> collectFiles() -> per-file analysis
  -> Pattern matching (170+ rules across 12 categories)
  -> Entropy analysis (Shannon entropy for encoded payloads)
  -> IOC blocklist check (known C2 domains, IPs, hashes)
  -> Install hook deep analysis (secret harvesting, download-exec)
  -> Dependency risk analysis (Levenshtein typosquatting)
  -> Sub-scanners (lockfile, GitHub Actions, Docker, Cargo, Go, IaC)
  -> SLSA verifier (provenance level 0-3, sigstore/cosign, attestations)
  -> SBOM generator (reads package-lock.json → real CycloneDX 1.6 components)
  -> GitHub trust signal analysis (account age, stars, releases)
  -> Correlation engine (links findings into incidents)
  -> Trust breakdown (4-dimension scoring)
  -> Report generation (text/json/html/markdown/sarif/sbom)

Contributing

See CONTRIBUTING.md for guidelines. The most impactful contribution is adding new detection patterns for emerging threats.

Changelog

v5.2.42 (2026-06-29)

Threat intel: Miasma LeoPlatform / GitHub Actions wave (June 26, 2026)

Adds indicators for the latest evolution of the Mini Shai-Hulud / Miasma / Hades npm worm family, reported by The Hacker News on June 26, 2026. A compromised LeoPlatform npm maintainer account (czirker) republished the LeoPlatform / RStreams SDK packages plus hexo-* plugins with a preinstall credential stealer; the worm also propagated to the Go ecosystem and abused the codfish/semantic-release-action GitHub Action.

• 23 compromised npm package@version pairs pinned in KNOWN_BAD_NPM_VERSIONS (clean upstream versions stay legitimate): leo-sdk@6.0.19, leo-streams@2.0.1, leo-auth@4.0.6, leo-aws@2.0.4, the leo-connector-* set, rstreams-metrics@2.0.2, rstreams-shard-util@1.0.1, serverless-leo@3.0.14, serverless-convention@2.0.4, prism-silq@1.0.1, solo-nav@1.0.1, hexo-deployer-wrangler@1.0.4, and others.
• Go module github.com/verana-labs/verana-blockchain@v0.10.1-dev.20 recorded in the bundled threat-intel feed.
• New campaign signature MIASMA_LEO_REVOKE_KABOOM for the RevokeAndItGoesKaboom token-relay marker.
• Compromised maintainer handle czirker added to the malicious-account blocklist.
• 24 new bundled-feed IOC entries and a campaigns.test.ts regression suite.

v5.2.41 (2026-06-28)

Security: command injection in the GitHub trust scanner

Remediates a finding from the continuous AAHP Swarm review (elvatis/ideabase#24). github-trust-scanner.ts built five gh api repos/${owner}/${repo} calls as shell strings via execSync, with owner and repo unvalidated. Because analyzeGitHubTrust and parseGitHubUrl are public API, a consumer passing crafted values could reach shell command execution. No rule or scan-engine change.

• Every gh api call now uses execFileSync (no shell).
• analyzeGitHubTrust validates owner and repo against GitHub-name allowlists (owner cannot begin with a hyphen; repo forbids ..) before any call, and parseGitHubUrl rejects values that fail the same allowlists.
• Added regression tests.

v5.2.40 (2026-06-28)

Security: org-scanner command injection and suppressed findings in SARIF/SBOM

Remediates findings from the continuous AAHP Swarm review (elvatis/ideabase#24). No rule or scan-engine behavior changed.

• org-scanner.ts: listOrgRepos built gh repo list ${org} and ran it through a shell with the org CLI argument unvalidated (command injection, the same class as the v5.2.38 clone fix, in a sibling path). It now uses execFileSync with an org-name allowlist that also forbids a leading hyphen (no gh flag injection).
• reporter.ts: SARIF results and the fallback SBOM emitted policy-suppressed findings as active results. Both now filter out suppressed findings, matching the primary SBOM path.
• Added regression tests for the rejected-org path and suppressed-finding output.

v5.2.39 (2026-06-28)

Security: harden the GitHub Action and PR-comment report against injection

Remediates findings from an internal AAHP Swarm review of this tool. The composite Action interpolated workflow inputs straight into a bash run block (script injection) and used an unquoted argument string; the markdown report embedded attacker-controlled scan content (finding match, rule, file, description, target, and recommendations) into code spans and headers without escaping, allowing markdown and HTML injection into the PR comment the Action posts. No rule or scan-engine behavior changed.

• action.yml passes inputs via env: and builds a quoted bash array, so a crafted input can no longer reach the shell as code; the report file uses RUNNER_TEMP and a random GITHUB_OUTPUT delimiter.
• reporter.ts escapes every attacker-controlled value in the markdown report (new mdInlineCode, mdText, and table-cell mdCell helpers).
• scanner.ts uses os.tmpdir() instead of a hardcoded /tmp for the clone.
• Added a markdown-injection regression test.

v5.2.38 (2026-06-28)

Security: command injection in GitHub clone and diff scanning

The GitHub clone path and the diff scanner ran git through a shell with the target URL and the --since ref interpolated into the command string, guarded only by a startsWith prefix check. A crafted value could break out of the quoting and run arbitrary shell commands on the host running the scan. Both now invoke git via execFileSync (no shell) with strict input validation, and the git-log anomaly check moved off the shell too. Found by an internal AAHP Swarm review.

• scanner.ts clones via execFileSync plus a strict GitHub-URL allowlist for the clone target.
• diff-scanner.ts runs git diff and ls-files via execFileSync and rejects a sinceCommit that is not a clean git ref.
• Added a regression test for the rejected-ref path.

v5.2.37 (2026-06-27)

Fix: PR-comment step crash on findings containing backticks

The Comment on PR step built a JavaScript template literal from the scan report. Because the report markdown contains backticks, the literal broke and the step threw, failing the check on essentially every consumer pull request (the scan logic itself was never affected). The step now reads the report from a file via fs.readFileSync and is marked continue-on-error, so a comment failure can never fail the scan. No rule, threat-intel, or scan-engine changes in this release.

• Composite action Comment on PR step rewritten to read /tmp/scg-report.txt instead of interpolating the report into an inline template literal (#27).
• Added continue-on-error: true so PR-comment failures are non-fatal.

v5.2.36 (2026-06-25)

Threat-intel update: PostCSS Tools Windows RAT npm campaign

One confirmed campaign ingested from the daily threat-intel sweep (source: The Hacker News, June 23, 2026):

• PostCSS Tools Windows RAT (June 23, 2026): malicious npm packages posing as PostCSS tooling deliver a Windows-based remote access trojan. The two confirmed, fully malicious packages are aes-decode-runner-pro (145 downloads) and postcss-min. The feed excerpt disclosed no C2 infrastructure, file hashes, or publisher account, so the bare package names are the only extractable indicators. Added to MALICIOUS_PACKAGE_PATTERNS (bare-name) and BUNDLED_FEED (confidence 0.9), with a new campaigns.test.ts describe block covering both names.

Deliberately not ingested this sweep: the Operation Endgame Amadey/StealC takedown, the Cisco SD-WAN (CVE-2026-20245) and Ubiquiti/Lantronix CVEs, Edgecution, Mistic RAT, and FortiBleed - none are package-ecosystem compromises with extractable, version-pinned or named-package IOCs.

v5.2.35 (2026-06-21)

Security: fix vite devDependency vulnerabilities

Two new advisories in the transitive vite dependency (via vitest), both devDependencies that do not ship in the published npm tarball (files[] is dist, action.yml, README.md, LICENSE, socket.yml), so package consumers were never exposed.

• vite forced from 7.3.2 to ^7.3.5 via the existing overrides block, resolving GHSA-fx2h-pf6j-xcff (high) and GHSA-v6wh-96g9-6wx3 (medium). Patch-level bump within 7.x; all 803 tests pass unchanged.
• npm audit reports 0 vulnerabilities.

Also documents the GitHub Action distribution model in CLAUDE.md: uses: homeofe/supply-chain-guard@v5 now resolves to a floating v5 branch (kept current by a new update-major-branch CI job via fast-forward push), and the GitHub Marketplace publishing limitation (web-UI only, not automatable).

v5.2.34 (2026-06-21)

Threat-intel update: Mastra npm scope takeover (Sapphire Sleet) + NastyC2 + crypto-javascript worm

Three supply-chain threats ingested from the daily threat-intel sweep:

• Mastra npm scope takeover (June 17, 2026): Microsoft attributes a large-scale npm compromise to Sapphire Sleet (BlueNoroff, DPRK) - the same actor behind the April 2026 axios hijack. A forgotten-contributor npm maintainer account (ehindero) was compromised and used to republish 141 packages across the @mastra scope (0136 UTC), each gaining a single new dependency: easy-day-js, a dayjs clone. Its postinstall hook disables TLS certificate verification, contacts a dropper C2 at 23[.]254[.]164[.]92:8000 (/update/49890878), and downloads a cross-platform Node.js crypto-stealer RAT (RAT C2 23[.]254[.]164[.]123:443, both Hostwinds-hosted) that inventories 166 wallet browser extensions and harvests Chrome/Brave/Edge history. Added: easy-day-js (bare-name pattern), easy-day-js@1.11.22 plus a representative subset of the 143 compromised @mastra package versions to KNOWN_BAD_NPM_VERSIONS, both C2 IPs, two SHA-256 hashes (stage-2 RAT + malicious tarball), the ehindero/sergey2016 accounts, and matching BUNDLED_FEED entries (confidence 1.0). The clean precursor easy-day-js@1.11.21 is deliberately not listed.
• NastyC2 npm framework (June 18, 2026): three fully malicious npm packages (node-ci-utils@2.1.4, win-env-setup@3.0.6, macos-ci-utils@1.0.0) bundling NastyC2, a Rust post-exploitation implant with 80+ commands (credential harvesting, Active Directory attacks, container escape, cloud-metadata theft, fileless execution). Added as bare-name patterns and version-pinned blocklist/feed entries (confidence 0.9; source: The Hacker News ThreatsDay Bulletin).
• crypto-javascript@4.2.5 (June 18, 2026): a self-propagating supply-chain worm spreading across Rust/Cargo, Python, CMake, and npm that drops a Monero cryptominer and the "Dirty Frag" Linux kernel LPE exploit. Version-pinned (common-sounding name) in KNOWN_BAD_NPM_VERSIONS and BUNDLED_FEED (confidence 0.9).

Deliberately not ingested this sweep: the Klue OAuth breach (Icarus), FortiBleed, the NGINX/Splunk CVEs, and the SocGholish takedown - none are package-ecosystem compromises with extractable, version-pinned IOCs. Two new campaigns.test.ts describe blocks cover the Mastra and NastyC2 signatures.

v5.2.33 (2026-06-14)

Security: fix devDependency vulnerabilities (vitest, esbuild)

Dependabot flagged three advisories in the dev/test toolchain. All are devDependencies and none ship in the published npm tarball (files[] is limited to dist, action.yml, README.md, LICENSE, socket.yml), so consumers of the package were never exposed - but a security tool should not carry known-vulnerable dev deps.

• vitest bumped from ^3.0.0 to ^3.2.6, resolving CVE-2026-47429 (critical). Stays within the 3.x line to avoid the breaking changes of the Dependabot-proposed 4.x major bump; all 799 tests pass unchanged.
• esbuild forced to ^0.28.1 via an overrides entry, resolving GHSA-gv7w-rqvm-qjhr (high) and GHSA-g7r4-m6w7-qqqr (low). vitest 3.x's transitive vite otherwise pins an older esbuild; the override pulls the patched build without a vitest major upgrade.
• npm audit now reports 0 vulnerabilities. Supersedes Dependabot PR #25.

Also adds .supply-chain-guard.yml (committed separately) with documented accepted-risk suppressions for the project's own self-scan: GHA_OIDC_WRITE_PERM and WORKFLOW_SECRET_TO_UPLOAD_PATH are by-design tradeoffs for npm Trusted Publishing, LOCKFILE_ORPHANED_DEPENDENCY is informational. Self-scan result: 0/100 clean.

v5.2.32 (2026-06-13)

Threat-intel update: Arch Linux AUR mass-hijack npm dropper (atomic-lockfile)

One confirmed, cross-verified indicator ingested from the daily threat-intel sweep (sources: The Hacker News + BleepingComputer, June 12, 2026):

• atomic-lockfile@1.4.2 (npm): fully malicious package pulled and executed by preinstall hooks added to 400+ hijacked Arch User Repository (AUR) build scripts. It installs a credential stealer and an eBPF rootkit on any machine that builds an affected AUR package. The version was published 2026-06-10 and removed by npm security 2026-06-12 (the registry now serves only the 0.0.1-security holding placeholder), confirming the package had no legitimate history. Added to MALICIOUS_PACKAGE_PATTERNS (bare-name), KNOWN_BAD_NPM_VERSIONS (version 1.4.2), and BUNDLED_FEED (confidence 1.0).

Deliberately not ingested this sweep:

• temp.sh (named as the AUR campaign's HTTP exfiltration host): a legitimate public file-sharing service. Blocking it would false-positive on benign code, same rationale used to omit i.ibb.co previously.
• alvr / premake-git (named compromised AUR packages): legitimate upstream packages that were hijacked, in an ecosystem this scanner does not version-track; the names alone are not safe indicators.
• The single-source SHA-256 reported for the AUR payload was not cross-confirmed by a second source, so it was left out rather than risk a hallucinated hash.
• TeamPCP "Phantom Gyp" wave (@vapi-ai/server-sdk, SANS ISC diary 33060) and the Miasma 73-Microsoft-repos worm (Dark Reading) disclosed no exact compromised versions or extractable host IOCs beyond the @redhat-cloud-services coverage already shipped in v5.2.29.

1 new describe block in campaigns.test.ts covers the atomic-lockfile package-name pattern.

v5.2.31 (2026-06-11)

Threat-intel update: ThreatsDay Bulletin npm cluster (SStar Agent lure + ambar-src)

Two fully-malicious npm packages and two malicious GitHub accounts ingested from the daily threat-intel sweep (source: The Hacker News ThreatsDay Bulletin, June 11, 2026):

• tw-style-utils (npm): poisoned package that delivers the cross-platform SStar Agent RAT (Windows + macOS). Distributed through the star45674/smart-contract-engineer-role fake job-assignment lure (contagious-interview style), tracked as a malicious GitHub account.
• ambar-src (npm): fully malicious package (Tenable) whose download count was artificially "pumped" to 50,000+ in three days to manufacture credibility.
• antoniocastaldo1998 (GitHub account): hosts a malicious Android APK in its app-scuola repository.

Each package is malicious in its entirety, so the package name itself is the indicator: added to MALICIOUS_PACKAGE_PATTERNS and BUNDLED_FEED (confidence 0.9, single-source). The two GitHub accounts were added to KNOWN_MALICIOUS_GITHUB_ACCOUNTS.

Not ingested this sweep: the Shai-Hulud "Hades" Python variant against PyPI is the same Miasma family already covered in v5.2.29/v5.2.30, and the bulletin published no exact compromised package versions or extractable host IOCs (blocking bare names of otherwise-legitimate packages would false-positive on clean installs). The TeamPCP "Phantom Gyp" wave (SANS ISC diary 33060) named @vapi-ai/server-sdk as a victim but disclosed no exact bad version numbers. OnyxC2 stealer (a MaaS builder), the JDY IoT botnet, OceanLotus SPECTRALVIPER, and the Proto6 / protobuf.js RCE CVEs either yielded no extractable package/host IOCs or are outside the developer supply-chain scope.

1 new describe block in campaigns.test.ts covers the two package-name patterns and the two malicious-account references.

v5.2.30 (2026-06-09)

Threat-intel update: THN Weekly Recap npm/PyPI infostealer cluster

Four fully-malicious throwaway packages ingested from the daily threat-intel sweep (source: The Hacker News Weekly Recap, June 8, 2026):

• turbo-axios / faster-axios (npm): trojanized copies of axios whose postinstall hooks deploy Epsilon Stealer.
• cms-store-ren (npm): exfiltrates harvested data to Telegram via an exposed bot API token.
• parsimonius (npm + PyPI): typosquat of parsimonious deploying a Telegram-based backdoor (~2,474 downloads before removal).

Each package is malicious in its entirety, so the package name itself is the indicator: added to MALICIOUS_PACKAGE_PATTERNS (npm), PYPI_TYPOSQUAT_PATTERNS (the parsimonius PyPI typosquat), and BUNDLED_FEED (confidence 0.9, single-source).

Not ingested this sweep: the new Shai-Hulud "Hades" wave against 19 science-focused PyPI packages (Dynamo, Spateo, CoolBox, U-FISH, Napari-UFISH) was confirmed but the affected releases are bad versions of otherwise-legitimate packages and no exact version numbers were published, so blocking the bare names would false-positive on clean installs; its only listed C2 was api.anthropic.com, the legitimate Anthropic API host, which is intentionally not added (same call as v5.2.29). The Miasma worm hitting 73 Microsoft GitHub repositories is the same Miasma: The Spreading Blight campaign already covered in v5.2.29 (the named Microsoft / icflorescu repositories are victims, not malicious accounts). Rust-written IronWorm npm, NFCShare Android, C0XMO botnet, VerdantBamboo BRICKSTORM, and the LiteLLM CVE-2026-42271 RCE flaw either yielded no extractable package/host IOCs or are outside the developer supply-chain scope.

1 new describe block in campaigns.test.ts covers the four package-name patterns.

v5.2.29 (2026-06-02)

Threat-intel update: Miasma / @redhat-cloud-services Mini Shai-Hulud variant

One new campaign ingested from the daily threat-intel sweep (sources: BleepingComputer, Socket.dev, June 1, 2026):

• Miasma / @redhat-cloud-services Mini Shai-Hulud variant (2026-06-01): BleepingComputer and Socket.dev disclosed that 32 packages under Red Hat's @redhat-cloud-services namespace were trojanized (96 versions) via a compromised Red Hat employee GitHub account abusing a GitHub Actions workflow to auto-publish backdoored versions. Payload is a Shai-Hulud descendant labelled Miasma: The Spreading Blight; the preinstall hook runs a ~4.2 MB node index.js that steals GitHub Actions secrets, AWS / GCP / Azure credentials, HashiCorp Vault tokens, Kubernetes SA tokens, npm and PyPI publishing tokens, SSH keys, Docker creds, GPG keys, and .env files into ~309 attacker-controlled GitHub repos. Added the Miasma: The Spreading Blight content-marker pattern, and the Socket-confirmed @redhat-cloud-services/chrome@2.3.1 known-bad version (the namespace itself is deliberately NOT blocked - clean upstream versions remain legitimate).

Not ingested this sweep: DriveSurge ClickFix/FakeUpdates is web-traffic malvertising with no package IOCs; the Operation Dragon Weave / AdaptixC2 cluster, Dutch 17M-device residential-proxy takedown, and the various non-package CVEs (Windows Netlogon CVE-2026-41089, WP Maps Pro CVE-2026-8732, PAN-OS GlobalProtect CVE-2026-0257, the Linux kernel CIFSwitch privesc) are all outside the developer supply-chain scope. The api.anthropic.com endpoint that one threat-intel summary listed as a Miasma "C2 domain" was rejected as either summarizer hallucination or feed poisoning - it is the legitimate Anthropic API host and is intentionally not added.

1 new describe block in campaigns.test.ts covers the campaign-marker detection.

v5.2.28 (2026-06-01)

Threat-intel update: codexui-android Codex stealer, LiteLLM PyPI backdoor, vpmdhaj Sicoob/cloud-secret cluster

Three new campaigns ingested from the daily threat-intel sweep (sources: Aikido, The Hacker News, Trail of Bits, Socket.dev, May 22 - June 1, 2026):

• codexui-android Codex token stealer (2026-05-27): Aikido and The Hacker News disclosed a legitimate-looking Codex remote-UI npm package (~27K-29K weekly downloads) that since version 0.1.82 reads the OpenAI Codex auth file, XOR-encrypts with key anyclaw2026, base64-encodes and POSTs to sentry[.]anyclaw[.]store/startlog. Same endpoint is hit by the bundled Android apps "OpenClaw Codex Claude AI Agent" (gptos.intelligence.assistant) and "Codex" (codex.app) running the package in a PRoot sandbox. Added the C2 domain, the package name regex, 9 known-bad versions (0.1.82-0.1.90), and the publisher GitHub accounts friuns2 / BrutalStrike.
• LiteLLM PyPI compromise (2026-03-24, re-disclosed 2026-05-22): Trail of Bits' "We hardened zizmor" post detailed the TeamPCP-claimed compromise of litellm 1.82.7 / 1.82.8 on PyPI, originating from a poisoned Trivy step in LiteLLM's own CI/CD security workflow. A litellm_init.pth auto-runs on every Python startup; three-stage payload (50+ category credential harvester with RSA-4096 + AES-256 hybrid encryption, Kubernetes lateral-movement toolkit, persistent backdoor) exfils to models[.]litellm[.]cloud and polls checkmarx[.]zone (Checkmarx-brand abuse to bypass DNS allowlists) every 50 minutes. Added the two C2 domains and the two known-bad PyPI versions.
• vpmdhaj Sicoob/Cloud-Secret cluster (2026-05-28): Socket via The Hacker News reported a single actor (vpmdhaj, a39155771[@]gmail[.]com) running two parallel waves. Five NuGet versions Sicoob.Sdk 2.0.0-2.0.4 impersonate a C# SDK for Brazilian cooperative bank Sicoob and exfiltrate PFX certificates + client IDs + PFX passwords to a hardcoded Sentry DSN. Fourteen npm typosquats of OpenSearch / ElasticSearch / DevOps / env-config libraries harvest AWS creds, HashiCorp Vault tokens, npm tokens, CI/CD secrets through preinstall hooks; C2 auth via hardcoded X-Secret header l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1. Added 5 NuGet + 14 npm IOCs, the GitHub org Sicoob-Cooperativa, the contributor joaobcdev, and 2 regex families (scoped @vpmdhaj/* + unscoped typosquats).

3 new describe blocks in campaigns.test.ts cover the surface-level detections (C2 domains + package-name patterns + attacker accounts).

v5.2.27 (2026-05-28)

Threat-intel update: ACR Stealer fake-Claude page, Malware-Slop npm infostealer

Two new campaigns ingested from the daily threat-intel sweep (sources: SANS ISC, The Hacker News / OX Security, May 26-27, 2026):

• ACR Stealer fake Claude page (2026-05-26): per SANS ISC diary 33018, Claude-impersonation pages pushed via Google Search ads serve a corrupted zip that fetches a PowerShell loader leading to ACR Stealer. Added 4 attacker-controlled base domains (fairpoint29[.]com, primemetricsa[.]com, creativecommunityinfo[.]art, enhanceblabber[.]cc) and 3 component SHA-256 hashes to ioc-blocklist.ts + BUNDLED_FEED. Base domains are stored (not the reported random subdomains) so the entries survive subdomain rotation. The legitimate ImgBB host i[.]ibb[.]co (abused to stage init-block.jpg) is deliberately NOT listed, to avoid mass false positives.
• Malware-Slop npm infostealer (2026-05-27): per OX Security via The Hacker News, npm package mouse5212-super-formatter (~676 downloads) masquerades as an archive deployment-sync utility, authenticates to GitHub and recursively uploads files from the Claude AI user directory (/mnt/user-data) into repos created under attacker account unplowed3584 (now removed). Added the package to MALICIOUS_PACKAGE_PATTERNS + BUNDLED_FEED and the account to KNOWN_MALICIOUS_GITHUB_ACCOUNTS.

Not ingested this sweep: the GlassWorm C2 takedown (CrowdStrike/Google/Shadowserver) is defensive news with no new blockable indicators, and BTMOB RAT is an Android banking trojan outside the developer supply-chain scope.

2 new describe blocks in campaigns.test.ts cover the surface-level detections (C2 domain + component hash + attacker account + malicious package name).

v5.2.26 (2026-05-25)

SLSA verifier recognises npm publish --provenance + OIDC as Level 3

The SLSA verifier's L3 patterns required the literal string slsa-framework/slsa-github-generator in a workflow. That predated npm's --provenance flag (added in npm 9.5, mandatory under Trusted Publishing since npm 11.5), which produces Sigstore-signed, Rekor-logged provenance bound to the GitHub Actions OIDC identity - cryptographically the same L3 guarantees the slsa-github-generator reusable workflow produces, just specialised for npm artifacts.

New L3 detection path in slsa-verifier.ts: a workflow corpus containing both

• npm publish ... --provenance, AND
• id-token: write permission

is recognised as Level 3. Without id-token: write the publish would fail at runtime, so the OIDC permission is required defence-in-depth to ensure the workflow can actually mint provenance, not just that someone typed the flag into a non-functional config.

The SLSA_UNSIGNED_ARTIFACTS recommendation now describes both L3 paths (npm-native vs. slsa-github-generator) so projects pick the one that fits their ecosystem.

4 new tests in slsa-verifier.test.ts cover: combined --provenance + OIDC returns L3, --provenance alone stays at L2, OIDC alone stays at L1, and the two signals split across separate workflow files in the same .github/workflows/ directory still register as L3.

Expected impact on the self-scan: the SLSA_UNSIGNED_ARTIFACTS INFO finding drops because our own ci.yml already has the L3 npm-native combination since v5.2.20.

v5.2.25 (2026-05-25)

Threat-intel update: TrapDoor, Polymarket typosquats, durabletask, Megalodon throwaways

Five new campaigns ingested from the daily threat-intel sweep (sources: The Hacker News, SANS ISC, BleepingComputer, May 22-25, 2026):

• TrapDoor cross-ecosystem credential stealer (2026-05-25): single actor ddjidd564 pushing 34+ malicious packages across npm (21), PyPI (7), and Crates.io (6). Targets AI / DeFi / Web3 / Sui Move tooling. Dead-drop hosted at ddjidd564[.]github[.]io. Added 1 domain, 1 GitHub account, 34 package IOCs, 2 regex families (npm + PyPI), 2 test cases.
• Mini Shai-Hulud / TeamPCP durabletask (2026-05-24): per SANS ISC diary 33016, three malicious versions (1.4.1, 1.4.2, 1.4.3) of the officially Microsoft-published durabletask PyPI package were republished by the TeamPCP campaign. First confirmed compromise of an upstream Microsoft-signed package in this wave. Added to KNOWN_BAD_PYPI_VERSIONS and BUNDLED_FEED.
• Polymarket impersonation (2026-05-22): npm publisher polymarketdev pushed 9 typosquats of the Polymarket SDK (polymarket-trading-cli, -terminal, -trade, -auto-trade, -copy-trading, -bot, -claude-code, -ai-agent, -trader). Wallet-key exfiltration via Cloudflare Worker at polymarketbot[.]polymarketdev[.]workers[.]dev/v1/wallets/keys. Added 1 domain, 1 GitHub account, 9 package IOCs, 1 regex family.
• Megalodon throwaway accounts (2026-05-22): three previously unattributed GitHub throwaway accounts (rkb8el9r, bhlru9nr, lo6wt4t6) used in the 5,718-commit workflow-injection blast against 5,561 repos. C2 (216[.]126[.]225[.]129:8443) was already in v5.2.24. Added the three accounts to KNOWN_MALICIOUS_GITHUB_ACCOUNTS.

3 new describe blocks in campaigns.test.ts cover the surface-level detections (C2 domain + attacker GitHub account).

v5.2.24 (2026-05-24)

RISK_TRAJECTORY_UNSTABLE no longer flags monotone improvement as instability

The risk-forecast engine used Math.abs(slope) > 5 to detect "volatile risk", which conflated two opposite situations:

• Score rising fast (real degradation) → should fire
• Score falling fast (active remediation) → should NOT fire, that is exactly what we want
• Score bouncing back and forth (true volatility) → should fire

The v5.2.23 self-scan reported "slope -13.9/scan, highly volatile" after six consecutive releases each fixing real bugs - a strict monotone decrease being labelled as instability.

The detection is now split into orthogonal concerns:

• RISK_TRAJECTORY_DEGRADING (severity high): slope > +5, score consistently rising
• RISK_TRAJECTORY_UNSTABLE (severity medium): high stdev around the linear-fit trend and at least 2 direction reversals in the sequence (true oscillation, not just non-linear improvement)
• Fast improvement (slope < -5 with no oscillation): silent, surfaced in the score itself

5 new tests in bugfix-v5_2_24.test.ts verify:

• Strict monotone decrease (including the v5.2.18-v5.2.23 release trajectory) does NOT fire UNSTABLE
• Fast-rising score DOES fire DEGRADING
• Real oscillation (e.g. [20, 80, 25, 75, 30, 70]) DOES fire UNSTABLE
• Stable flat trajectory fires neither

Expected impact on the self-scan: drops the spurious RISK_TRAJECTORY_UNSTABLE finding. Score should fall from 17/MEDIUM to roughly 5-10/LOW.

v5.2.23 (2026-05-24)

Fix WORKFLOW_UNTRUSTED_ACTION_IN_RELEASE_PATH false positive on npm@latest

The unpinned-action detector in workflow-modeler.ts was firing on any @latest / @main / @master / @dev substring anywhere in a workflow file - including the npm install -g npm@latest step that v5.2.20 introduced as part of the OIDC trusted-publishing setup. That's a Node toolchain install, not a GitHub Action reference.

The regex is now scoped to actual uses: <action>@<branch> declarations using a line-anchored, case-insensitive multiline match:

/^\s*-?\s*uses:\s+\S+@(?:main|master|latest|dev)\b/im

4 new tests in bugfix-v5_2_23.test.ts verify:

• npm install -g npm@latest no longer triggers
• Real uses: actions/checkout@main / @master / @latest / @dev still triggers
• Commit-SHA pinning (the v5.2.22 fix) stays clean

Expected impact on the self-scan: the last false-positive CRITICAL is gone. Remaining 2 mediums (GHA_OIDC_WRITE_PERM for Trusted Publishing, WORKFLOW_SECRET_TO_UPLOAD_PATH for secrets.GITHUB_TOKEN access in the GitHub Release step) are honest by-design tradeoffs.

v5.2.22 (2026-05-24)

Self-scan polish: comment-aware GHA scan, pinned actions, fix changelog self-trigger

Three follow-up fixes to the v5.2.21 self-scan:

• github-actions-scanner strips YAML comments before pattern matching. The previous version flagged the literal text id-token: write inside an OIDC-explanation comment of ci.yml as a real GHA_OIDC_WRITE_PERM finding. New stripYamlComment() helper removes # ... portions before regex matching while preserving # inside quoted strings. 4 new tests in bugfix-v5_2_22.test.ts.
• .github/workflows/ci.yml actions pinned to commit SHAs. actions/checkout and actions/setup-node were on @v4 (mutable major-tag); release pipelines should pin to immutable commit SHAs (actions/checkout@34e11487... and actions/setup-node@49933ea5...) to defend against tag-rewriting attacks. Comments preserve # v4 for human readability. Fixes the legitimate WORKFLOW_UNTRUSTED_ACTION_IN_RELEASE_PATH finding.
• v5.2.21 changelog entry rephrased to remove a self-trigger. The original entry literally quoted the trigger phrase it was documenting the removal of, which then re-triggered CAMPAIGN_CLAUDE_LURE and CAMPAIGN_AI_TOOL_LURE on the new entry. The new wording explains the change abstractly without quoting the offending collocation.

Expected impact on supply-chain-guard's own self-scan: from 3 critical + 3 medium down to 0 critical + 1-2 medium. Remaining: 1x GHA_OIDC_WRITE_PERM (the real one in the publish job - by design for Trusted Publishing) and WORKFLOW_SECRET_TO_UPLOAD_PATH (legitimate secrets.GITHUB_TOKEN access for gh release create). Both are honest acceptable-risk findings.

v5.2.21 (2026-05-24)

Architectural fix: source-marker patterns no longer fire on documentation files

The v5.2.20 self-scan still scored 100/100 CRITICAL despite all previous fixes, with 28 critical + 10 high findings - all triggered by the project's own README documenting the patterns and IOC strings that the scanner detects. Same problem applies to every threat-intel blog post or security research write-up scanned by supply-chain-guard.

Root cause: campaign signatures, IOC hashes, and infostealer markers exist in malware payloads (source code), not in markdown documentation. The patterns did not differentiate.

Fix: a new BENIGN_DOC_FILES constant (/\.(md|markdown|txt|rst)$/i) is now combined with SCANNER_SRC into SCANNER_SRC_OR_DOCS. All source-marker patterns that previously used notFilePattern: SCANNER_SRC now use the combined regex - 47 patterns across CAMPAIGN_PATTERNS, CAMPAIGN_PATTERNS_V2, INFOSTEALER_PATTERNS, C2_EXTENDED_PATTERNS, FILE_PATTERNS, OBFUSCATION_*, IAC_PATTERNS, SECRETS_PATTERNS, PROVENANCE_PATTERNS. The six inline-merged notFilePattern regexes (VIDAR_BROWSER_THEFT, PROXY_BACKCONNECT, DROPPER_TEMP_EXEC, PROXY_HANDLER_TRAP, BEACON_INTERVAL_FETCH, MINER_CONFIG_KEYS) were extended manually.

checkIOCBlocklist() (src/ioc-blocklist.ts) and checkThreatIntel() (src/threat-intel.ts) now early-return for .md/.markdown/.txt/.rst paths.

LURE_PATTERNS and PROMPT_INJECTION_PATTERNS are explicitly excluded from the architectural fix - they target documentation by design (malicious README lures, prompt-injection attacks on AI agents) and continue to fire on .md files within their onlyFilePattern scope.

README cosmetic defang for the residual self-flags:

• Solana RPC reference in v5.2.2 changelog defanged to api[.]mainnet-beta[.]solana[.]com
• Prompt-injection token examples in v5.2.19 changelog + "What It Detects" section HTML-encoded (<system-reminder>, [INST]) - markdown renders them normally but the raw text no longer contains literal </[ characters that match the patterns
• The v5.2.19 changelog sentence describing the WebFetch tag-leakage incident was rephrased to avoid triggering CAMPAIGN_CLAUDE_LURE / CAMPAIGN_AI_TOOL_LURE. The original phrasing combined "Claude Code" with a verb the lure-detection regex looks for; the new phrasing describes the same incident without that verb collocation.

13 new regression tests in src/__tests__/bugfix-v5_2_21.test.ts enforce the doc-exclusion across all affected pattern arrays and the two scanners. Test count: 752 (was 739).

Expected impact on supply-chain-guard's own self-scan: drops from 28 critical + 10 high to roughly 0 critical + 0 high. Remaining findings are by-design GitHub Actions choices (GHA_OIDC_WRITE_PERM and WORKFLOW_SECRET_TO_UPLOAD_PATH for Trusted Publishing) and project handoff notes legitimately referencing Solana - addressable via project policy file if desired, but not bugs.

v5.2.20 (2026-05-24)

Pattern bug fixes uncovered by the v5.2.19 self-scan

Running supply-chain-guard against its own repository surfaced five structural false-positives and detection gaps. Each is now fixed at the source:

• SOLANA_MAINNET self-flagged src/solana-monitor.ts - the pattern had only notTestFile: true and no notFilePattern. SCANNER_SRC regex extended to include solana-monitor, solana-watchlist, slsa-verifier, and sbom-generator; SOLANA_MAINNET now sets notFilePattern: SCANNER_SRC like other scanner-internal-aware patterns do.
• README lure findings reported twice with different recommendations - LURE_PATTERNS was being executed both by the general checkFilePatterns sweep and by the dedicated scanReadmeLures path, producing one finding from each with subtly different recommendation text. LURE_PATTERNS removed from checkFilePatterns; scanReadmeLures routing in scanDirectory expanded from readme* only to the full doc-file family (README / CHANGELOG / CONTRIBUTING / DESCRIPTION / release-notes) so coverage is unchanged.
• CRITICAL_FINDING_NO_OWNER cascaded HIGH findings on every critical FP - the meta-governance rule fired by default even on projects that never opted into the triage system. Now only fires when at least one triage decision has been recorded (decisions.length > 0).
• SLSA_NO_PROVENANCE misreported repos using npm publish --provenance - the SLSA Level-2 detection list recognised slsa-github-generator, cosign, and attest-build-provenance actions but not the modern npm-native provenance flag (standard since npm 9, mandatory with Trusted Publishing since 11.5). Added /npm\s+publish[^\n]*--provenance/i to SLSA_LEVEL2_PATTERNS.
• LOCKFILE_ORPHANED_DEPENDENCY recommendation was wrong for npm v7+ - the message told users to run npm prune, which does not remove transitive dependencies from npm v7+ flat lockfiles (they are present by design). Recommendation rewritten to explain npm v7+ behaviour and direct users to verify publishers / inspect npm ls <name> instead.
• 15 new regression tests in src/__tests__/bugfix-v5_2_20.test.ts plus updated triage-engine.test.ts cover all five fixes. Total test count: 739 passing.

v5.2.19 (2026-05-24)

New detection: prompt injection against downstream AI coding agents

Adds five new patterns under PROMPT_INJECTION_PATTERNS (src/patterns.ts) that flag LLM-control tokens and role markers embedded in package documentation (README, CHANGELOG, CONTRIBUTING, DESCRIPTION, release notes). These tokens target the AI coding agent that reads the README on the human developer's behalf, not the human - a growing supply-chain attack vector as LLM coding tools become standard.

• PROMPT_INJECTION_SYSTEM_REMINDER - Anthropic/Claude Code harness tags (<system-reminder>, <system-prompt>, <system-instruction>)
• PROMPT_INJECTION_CHATML - OpenAI/Llama/Mistral/Qwen ChatML tokens (<|im_start|>, <|im_end|>, <|im_sep|>)
• PROMPT_INJECTION_INST_TAG - Mistral/Llama instruction tags ([INST], [/INST])
• PROMPT_INJECTION_ROLE_TOKEN - generic role tokens used by Phi, Gemma, Granite and others (<|system|>, <|user|>, <|assistant|>, <|developer|>, <|tool|>)
• PROMPT_INJECTION_OVERRIDE_PROSE - natural-language jailbreak phrasing ("ignore previous instructions", "disregard the system prompt", etc.) requiring imperative sentence-start form to avoid false positives in security docs that discuss the attack
• All five are severity HIGH, scoped to README-style files only (onlyFilePattern), exclude scanner source (notFilePattern: SCANNER_SRC) and test files. 39 new tests in src/__tests__/prompt-injection-patterns.test.ts.
• Motivated by a real WebFetch tag-leakage incident in the daily threat-intel routine on 2026-05-24: an internal Claude Code summarisation helper accidentally surfaced its own harness tag inside a fetched-content summary, demonstrating exactly the failure mode a hostile package could weaponise.

v5.2.18 (2026-05-24)

Threat intel: Laravel-Lang DebugElevator + Packagist 8-package GitHub-binary attack (May 23, 2026)

Two coordinated Composer / Packagist supply-chain attacks disclosed within hours of each other on 2026-05-23.

• Laravel-Lang DebugElevator (The Hacker News and BleepingComputer, 2026-05-23): four Composer packages in the laravel-lang namespace (laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions) had their GitHub version tags abused to republish roughly 700 historical versions, each carrying a malicious src/helpers.php containing a ~5,900-line PHP credential-stealing framework that exfiltrates to flipboxstudio[.]info/exfil. PDB-style references in the artifacts mention developer handles Mero and claude. Added the C2 domain plus two payload SHA-256 hashes (f0d912c1a72e533417d5e158bb9755f848ec678b6448ae7c8fb6e87da78a3053, 23e779555c21beaed6ae8f1f298daf9b00d603f1a6716ce329332aadcb80fbe2) and four composer: package IOCs to the bundled feed, plus a new campaign test block.
• Packagist parikhpreyash4 binary attack (The Hacker News, 2026-05-23): coordinated hit on eight Composer packages (moritz-sauer-13/silverstripe-cms-theme, crosiersource/crosierlib-base, devdojo/wave, devdojo/genesis, katanaui/katana, elitedevsquad/sidecar-laravel, r2luna/brain, baskarcm/tzi-chat-ui) whose dev branches had package.json postinstall hooks added that pull a Linux ELF (gvfsd-network) from github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f and execute it from /tmp/.sshd. Mixing JS toolchain hooks into PHP projects let the payload sidestep Composer-side review. Added the attacker GitHub account to the malicious-accounts list, the eight composer: package IOCs to the bundled feed, and a campaign test block.

v5.2.17 (2026-05-23)

Threat intel: Megalodon GitHub workflow injection + DPRK OtterCookie Node.js stealer (May 22, 2026)

Two May 22 disclosures, both pivoting on adjacent IPs in 216[.]126[.]225[.]0/24 (likely shared DPRK-adjacent infrastructure).

• Megalodon GitHub Actions workflow injection (The Hacker News, 2026-05-22): an automated campaign pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. The attacker forged author identities as build-bot, auto-ci, ci-bot, and pipeline-bot, then injected GitHub Actions workflows that ran base64-encoded bash to exfiltrate CI env vars, AWS / GCP credentials, SSH private keys, OIDC tokens, and Docker / Kubernetes / Terraform configs to 216[.]126[.]225[.]129:8443. Added the C2 IP plus a new MEGALODON_C2_ENDPOINT rule that catches the endpoint with or without the port.
• DPRK OtterCookie Node.js stealer (SANS ISC diary 33006, 2026-05-22): sample uploaded to VirusTotal as extracted-decoded.js; obfuscator.io-style obfuscation; targets 41 crypto-wallet Chrome extension IDs (MetaMask, Phantom, Coinbase, Ledger) plus 200+ sensitive file patterns (.env, .pem, .p12, .jks, SSH keys, seed phrases) across Windows-via-WSL, macOS, and Linux. C2 over three ports on 216[.]126[.]225[.]243: 8085 (browser creds), 8086 (file uploads), and 8087 with WebSocket reverse shell at /api/notify. Sample SHA-256 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9; highly specific hardcoded HMAC-SHA256 key SuperStr0ngSecret@)@^. Added two new rules (OTTERCOOKIE_HMAC_KEY, OTTERCOOKIE_C2_ENDPOINT) plus IP, URL, and hash IOCs, and a campaign test block.

v5.2.16 (2026-05-22)

Threat intel: Checkmarx Jenkins plugin version correction + postmark-mcp hostile MCP server

Two updates driven by independent disclosures aggregated through 2026-05-22.

• Checkmarx Jenkins AST plugin (correction): SANS ISC diary 32994 (2026-05-18) and the official Checkmarx confirmation from 2026-05-11 establish that the tampered build was Marketplace version 2026.5.09, exposed 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC. The last known-good build was 2.0.13-829.vc72453fa_1c16 (2025-12-17), and the remediated builds are 2.0.13-848.v76e89de8a_053 and 2.0.13-847.v08c0072b_2fd5. The bundled threat-intel entry has been corrected from the prior placeholder version label, which was the last known-good build rather than the rogue version.
• postmark-mcp hostile MCP server: First documented in-the-wild malicious MCP server (Sep 2025), re-disclosed via Bishop Fox's "Otto-Support - Supply Chain Risks in MCP Servers" post on 2026-05-13. Version 1.0.16 introduces a hidden BCC of every outbound email to an attacker-controlled address while preserving the published tool name, schema, and behavior; versions through 1.0.15 are clean. Added to KNOWN_BAD_NPM_VERSIONS and the bundled threat-intel feed, plus a new campaign test.

v5.2.15 (2026-05-20)

Threat intel: Mini Shai-Hulud @antv + Nx Console + actions-cool triple wave (May 18-19, 2026)

TeamPCP launched a coordinated triple supply-chain wave over 18-19 May 2026, all converging on the same exfiltration endpoint t[.]m-kosche[.]com (masquerading as an OpenTelemetry traces collector).

• @antv ecosystem (npm): compromised maintainer account atool pushed 637 malicious versions across 317 packages in a 22-minute burst (0118 UTC on 2026-05-19). Specific versions added: @antv/g2@5.5.8/5.6.8, @antv/g6@5.2.1/5.3.1, echarts-for-react@3.1.7/3.2.7, timeago.js@4.1.2/4.2.2. Payload: 498KB obfuscated Bun index.js (SHA-256 a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c).
• Nx Console (VS Code): nrwl.angular-console@18.95.0 published 2026-05-18 (exposure window 1247 UTC) dropped a multi-stage credential stealer from an orphan commit 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2 in the official nrwl/nx repo. Persistence: ~/.local/share/kitty/cat.py Python daemon + com.user.kitty-monitor LaunchAgent / kitty-monitor.service. Dead-drop polls GitHub Search with marker query firedalazer. Hashes: VSIX 1a4afce3..., main.js b0cefb66..., index.js e7347d90..., dropper package.json 43f2b001....
• actions-cool GitHub Actions: all tags of actions-cool/issues-helper (53 imposter commits) and actions-cool/maintain-one-comment (15 imposter commits) redirected to malicious payloads that read Runner.Worker process memory to harvest in-flight CI/CD secrets, then exfil over HTTPS to the same t[.]m-kosche[.]com C2.
• New ANTV_WAVE_KITTY_PERSISTENCE, ANTV_WAVE_FIREDALAZER, ANTV_WAVE_OTEL_C2 rules in src/patterns.ts; new campaign tests in src/__tests__/campaigns.test.ts.

v5.2.14 (2026-05-19)

Threat intel: Phantom Bot DDoS npm infostealer + Mini Shai-Hulud TanStack follow-up (May 2026)

Leaked Shai-Hulud worm source code was re-weaponized over the weekend of 2026-05-17 by npm publisher deadcode09284814. Four packages (chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils) shipped an infostealer plus a Golang Phantom Bot DDoS module (HTTP / TCP / UDP flood and TCP reset). Combined 2,678 downloads before takedown.

• C2 over localhost.run tunnels 87e0bbc636999b[.]lhr[.]life and edcf8b03c84634[.]lhr[.]life, plus direct TCP to 80[.]200[.]28[.]28:2222
• deadcode09284814 added to known malicious GitHub / npm accounts; four packages added to MALICIOUS_PACKAGE_PATTERNS
• Follow-up IOCs from SANS ISC diary 32994 for the TanStack wave: seed1[.]getsession[.]org (second Session messenger exfil node), router_init.js payload SHA-256 ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c, staging forks github[.]com/voicproducoes and github[.]com/zblgg
• New campaign tests for both clusters in src/__tests__/campaigns.test.ts

v5.2.13 (2026-05-16)

Threat intel: node-ipc credential stealer (May 2026)

Maintainer email hijack of atlantis-software[.]net (re-registered 2026-05-07) led to malicious node-ipc releases 9.1.6, 9.2.3, and 12.0.1.

• DNS exfiltration domain sh[.]azurestaticprovider[.]net (IP 37[.]16[.]75[.]69); payload node-ipc.cjs SHA-256 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144
• 12.0.1 uses hash-targeted activation and harvests 90+ credential categories
• Domains, IP, hash, and npm package IOCs added to bundled threat-intel feed

v5.2.12 (2026-05-14)

Threat intel: Mini Shai-Hulud TanStack / UiPath / Mistral compromise (May 2026)

Continuation of the Mini Shai-Hulud worm via the TanStack ecosystem (CVE-2026-45321, CVSS 9.6).

• 3 C2 domains (filev2[.]getsession[.]org, api[.]masscan[.]cloud, git-tanstack[.]com) and 1 C2 IP (83[.]142[.]209[.]194)
• 9 compromised npm package families: OpenSearch (4 versions), Squawk (3), TallyUI (2)
• 2 compromised PyPI packages: guardrails-ai@0.10.1, mistralai@2.4.6

v5.2.11 (2026-05-12)

Threat intel: Checkmarx Jenkins AST plugin + MacSync Claude variant (May 2026)

• Checkmarx Jenkins AST Plugin compromise by TeamPCP / Mr_Rot13 (malicious version 2.0.13-829.vc72453fa_1c16). Mr_Rot13 and TeamPCP added to known malicious GitHub accounts.
• MacSync Stealer Claude.ai / Google Ads variant: 3 new C2 domains (customroofingcontractors[.]com, bernasibutuwqu2[.]com, briskinternet[.]com) plus loader SHA-256 ed5ed79a... and payload SHA-256 a833ad98...
• New campaign tests for both clusters in src/__tests__/campaigns.test.ts

v5.2.10 (2026-05-10)

Threat intel: JDownloader compromise + fake OpenAI HF repo (May 2026)

• JDownloader site compromise (2026-05-06 to 2026-05-07): Python RAT installers via parkspringshotel[.]com, auraguest[.]lk, checkinnhotels[.]com; bogus "Zipline LLC" and "The Water Team" signers; Linux ELF package plus systemd-exec
• Fake OpenAI Privacy Filter on Hugging Face: Open-OSS/privacy-filter trended; loader.py plus start.bat fetch sefirah infostealer (C2 recargapopular[.]com)

v5.2.9 (2026-05-09)

Threat intel: TCLBANKER Brazilian banking trojan (May 2026)

REF3076 actor distributes trojanized LogiAiPromptBuilder.exe MSI; sideloads screen_retriever_plugin.dll; self-spreads via WhatsApp / Outlook worm modules; targets 59 banks, fintech platforms, and crypto exchanges.

• C2 domains: campagna1-api[.]ef971a42[.]workers[.]dev, documents[.]ef971a42[.]workers[.]dev, mxtestacionamentos[.]com
• C2 IP: 191[.]96[.]224[.]96
• 4 new SHA-256 hashes added to bundled threat-intel feed
• 4 new campaign tests in src/__tests__/campaigns.test.ts

v5.2.8 (2026-05-08)

Threat intel: ZiChatBot PyPI + Beagle backdoor (May 2026)

Two fresh May 2026 supply-chain campaigns are now signatured.

• ZiChatBot PyPI campaign - Three malicious PyPI packages (uuid32-utils, colorinal, termncolor) drop terminate.dll (Windows) / terminate.so (Linux) and abuse Zulip REST APIs as C2. Suspected APT32/OceanLotus link. New rule ZICHATBOT_PACKAGE in src/patterns.ts, MALICIOUS_PACKAGE_PATTERNS entries, and bundled threat-intel package IOCs.
• Beagle backdoor / fake Claude AI site - Drive-by from claude-pro[.]com delivers a 505MB ZIP with DonutLoader plus DLL sideloading via NOVupdate.exe + avk.dll, calling out to license[.]claude-pro[.]com (8[.]217[.]190[.]58). Domains and IP added to KNOWN_C2_DOMAINS / KNOWN_C2_IPS plus bundled threat-intel feed.
• 6 new tests in src/__tests__/campaigns.test.ts.

v5.2.7 (2026-05-08)

Threat intel: DAEMON Tools QUIC RAT supply-chain attack (May 2026)

• Trojanized DAEMON Tools installers (versions 12.5.0.2421-12.5.0.2434) distributed via official website since 2026-04-08
• Selective second-stage QUIC RAT deployed to gov/scientific/manufacturing hosts in Russia, Belarus, Thailand
• C2 domain env-check[.]daemontools[.]cc added to KNOWN_C2_DOMAINS + threat-intel feed
• Suspected Chinese-speaking adversary; patched in version 12.