Detect malicious packages by triggering their behavior in a sandbox

RalianENG · 3 days ago · view on HN · research
Most tools rely on static analysis, but many recent supply chain attacks only trigger under specific conditions (CI, time delays, etc.).

So I built kojuto, a tool that actually executes packages in a sandbox and tries to trigger malicious behavior.

It simulates CI environments, shifts time forward, and monitors syscalls to detect things like credential access, unexpected network connections, or process execution.

GitHub: https://github.com/RalianENG/kojuto

Would love feedback!
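A sketch of the approach described above, added here as an illustration and not code from kojuto: it builds the CI-like environment such a sandbox would inject (with a forward clock offset) and runs simple rules over constructed strace-style lines to flag credential file reads, connections outside an allowlist, and process execution. The trace lines, hosts and variable names other than CI/GITHUB_ACTIONS are constructed assumptions.

```python
import re

# Constructed strace-style output (not real kojuto output) for a package
# install hook executed under a CI-like environment in a sandbox.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/home/ci/.aws/credentials", O_RDONLY) = 3
openat(AT_FDCWD, "/home/ci/project/package.json", O_RDONLY) = 4
connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.10")}, 16) = 0
execve("/bin/sh", ["sh", "-c", "id"], 0x7ffd) = 0
"""

# Hosts an install step is legitimately expected to reach (constructed:
# the registry address the sandbox is configured to allow).
ALLOWED_HOSTS = {"198.51.100.10"}

# Files a package install has no business reading.
CREDENTIAL_PATH = re.compile(
    r'"/[^"]*/\.(aws/credentials|npmrc|ssh/[^"]+|docker/config\.json)"')
CONNECT = re.compile(r'^connect\(.*inet_addr\("([\d.]+)"\)')
EXECVE = re.compile(r'^execve\("([^"]+)"')


def ci_environment(hours_forward: int = 72) -> dict:
    """Variables that make a package believe it runs in CI, plus a clock
    offset the sandbox applies so time-delayed logic fires early.
    SANDBOX_CLOCK_OFFSET_SECONDS is a constructed name for this example."""
    return {
        "CI": "true",
        "GITHUB_ACTIONS": "true",
        "SANDBOX_CLOCK_OFFSET_SECONDS": str(hours_forward * 3600),
    }


def classify_trace(trace: str) -> list[tuple[str, str]]:
    """Return (finding, syscall line) pairs for behaviour worth flagging."""
    findings = []
    for line in trace.splitlines():
        if line.startswith("openat") and CREDENTIAL_PATH.search(line):
            findings.append(("credential_access", line))
        elif (m := CONNECT.match(line)) and m.group(1) not in ALLOWED_HOSTS:
            findings.append(("unexpected_network", line))
        elif EXECVE.match(line):
            findings.append(("process_execution", line))
    return findings


if __name__ == "__main__":
    for kind, line in classify_trace(SAMPLE_TRACE):
        print(f"{kind:20} {line}")
```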