Modern software is mostly other people's software: a project declares a few dependencies, each brings its own, and the code you ship is largely code you never wrote. A scanner that looks only at the file in front of it answers a narrow question — is this file hostile? — and Atomdrift Scan has answered it well. But the malware in a supply-chain attack is rarely there. It sits a few levels down, inside something the dependency list merely names. v2.2.0 closes that gap.
It now checks what your project pulls in, by default. Point atomscan at a
project and it reads the packages it declares, downloads them, and scans them
too. Making this automatic was deliberate: a safety check you have to remember
to turn on is one that will be forgotten, and those packages are exactly where a
careful attacker hides.
Fetching other people's code costs time, so a bloom filter sits in front of the
work — a compact structure that answers in one cheap lookup whether a file is
worth scanning or already known safe. --mode sets the appetite (fast,
balanced, slow); results are cached by a file's exact contents, so a shared
dependency is examined once.
A new name, and two ways to skip the download. The tool is now atomscan —
the old ascan clashed with Avast's scan, and a name that quietly shadows
another is worth retiring; the former names still work. Two subcommands drop the
download-it-yourself step, which only invited mistakes: atomscan purl npm/[email protected] scans a package straight from its name and version, and
atomscan url scans a file at a web address in place.
It reads formats it couldn't a month ago — with no new scanner code. Scan doesn't read files itself. cleave takes them apart, filefacts reads the bytes, and Scan judges what they report. So when those two learned WebAssembly, Android apps, more archive formats, and Python source packages, Scan caught malware in all of them, untouched.
And a verdict now points at its evidence. Every observation is tagged with
the bytes it came from, so a hostile call traces to the exact region that
earned it — no need to take it on trust. filefacts' new windowed-entropy check
is the sharpest case: it flags a small scrambled region hidden in a file that
looks ordinary measured whole — the encrypted-payload-in-a-decoy trick. A model
that is confident but can't show why is now held at suspicious rather than
cleared; opacity is a reason to look closer, not a free pass. Underneath,
stng v1.7.1 keeps those byte-ranges correct and lets the pipeline
share one copy of a file's extracted text, killing a slowdown on large inputs.
Release notes: scan v2.2.0 · cleave v2.2.0 · stng v1.7.1 · filefacts v1.2.0.
brew upgrade atomdrift/tap/atomdrift-scan atomdrift/tap/cleave atomdrift/tap/stng atomdrift/tap/filefacts