Atomdrift Scan v2.2.0: it checks what your code brings with it

Modern software is mostly other people's software: a project declares a few dependencies, each brings its own, and the code you ship is largely code you never wrote. A scanner that looks only at the file in front of it answers a narrow question — is this file hostile? — and Atomdrift Scan has answered it well. But the malware in a supply-chain attack is rarely there. It sits a few levels down, inside something the dependency list merely names. v2.2.0 closes that gap.

It now checks what your project pulls in, by default. Point atomscan at a project and it reads the packages it declares, downloads them, and scans them too. Making this automatic was deliberate: a safety check you have to remember to turn on is one that will be forgotten, and those packages are exactly where a careful attacker hides.

Fetching other people's code costs time, so a bloom filter sits in front of the work — a compact structure that answers in one cheap lookup whether a file is worth scanning or already known safe. --mode sets the appetite (fast, balanced, slow); results are cached by a file's exact contents, so a shared dependency is examined once.

A new name, and two ways to skip the download. The tool is now atomscan — the old ascan clashed with Avast's scan, and a name that quietly shadows another is worth retiring; the former names still work. Two subcommands drop the download-it-yourself step, which only invited mistakes: atomscan purl npm/[email protected] scans a package straight from its name and version, and atomscan url scans a file at a web address in place.

It reads formats it couldn't a month ago — with no new scanner code. Scan doesn't read files itself. cleave takes them apart, filefacts reads the bytes, and Scan judges what they report. So when those two learned WebAssembly, Android apps, more archive formats, and Python source packages, Scan caught malware in all of them, untouched.

And a verdict now points at its evidence. Every observation is tagged with the bytes it came from, so a hostile call traces to the exact region that earned it — no need to take it on trust. filefacts' new windowed-entropy check is the sharpest case: it flags a small scrambled region hidden in a file that looks ordinary measured whole — the encrypted-payload-in-a-decoy trick. A model that is confident but can't show why is now held at suspicious rather than cleared; opacity is a reason to look closer, not a free pass. Underneath, stng v1.7.1 keeps those byte-ranges correct and lets the pipeline share one copy of a file's extracted text, killing a slowdown on large inputs.

Release notes: scan v2.2.0 · cleave v2.2.0 · stng v1.7.1 · filefacts v1.2.0.

brew upgrade atomdrift/tap/atomdrift-scan atomdrift/tap/cleave atomdrift/tap/stng atomdrift/tap/filefacts

← All news