{"id":51018666,"url":"https://github.com/ashlrai/binshield","last_synced_at":"2026-06-21T14:01:35.563Z","repository":{"id":358146134,"uuid":"1188290906","full_name":"ashlrai/binshield","owner":"ashlrai","description":"Snyk for binaries. Ghidra-backed decompile + AI classification + YARA for npm supply-chain threats. MIT.","archived":false,"fork":false,"pushed_at":"2026-05-15T22:41:26.000Z","size":2839,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-16T00:59:32.558Z","etag":null,"topics":["ai","ghidra","malware-detection","npm","security","supply-chain","yara"],"latest_commit_sha":null,"homepage":"https://binary-scanner.vercel.app","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ashlrai.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-21T21:52:38.000Z","updated_at":"2026-05-15T22:41:30.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ashlrai/binshield","commit_stats":null,"previous_names":["ashlrai/binshield"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/ashlrai/binshield","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashlrai%2Fbinshield","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashlrai%2Fbinshield/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashlrai%2Fbinshield/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashlrai%2Fbinshield/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ashlrai","download_url":"https://codeload.github.com/ashlrai/binshield/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashlrai%2Fbinshield/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34610832,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-21T02:00:05.568Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","ghidra","malware-detection","npm","security","supply-chain","yara"],"created_at":"2026-06-21T14:01:32.770Z","updated_at":"2026-06-21T14:01:35.558Z","avatar_url":"https://github.com/ashlrai.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# BinShield\n\n**Catch malicious install scripts and native binaries in your dependencies — before they reach production.**\n\n[![CI](https://github.com/ashlrai/binshield/actions/workflows/ci.yml/badge.svg)](https://github.com/ashlrai/binshield/actions/workflows/ci.yml)\n[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)\n![Node](https://img.shields.io/badge/node-%3E%3D20-brightgreen.svg)\n\nBinShield is a supply-chain security platform for the npm and PyPI ecosystems.\nIt analyzes the two things attackers actually weaponize — **install scripts**\nand **native binaries** — classifies their behavior with AI, cross-references\nknown-malware feeds, and warns you the moment a package you depend on turns\nmalicious.\n\n🌐 **[binshield.dev](https://binshield.dev)** · 🔌 **[GitHub Action](apps/github-action/README.md)** · 📖 **[Docs](docs/)**\n\n## The problem\n\nA wave of supply-chain worms — Shai-Hulud and its kin — has shown how fast a\nsingle compromised npm/PyPI package spreads. Two attack surfaces matter:\n\n- **Install scripts.** A malicious `postinstall` hook (or a PyPI `setup.py`)\n  runs arbitrary code on every machine that installs the package — stealing\n  `NPM_TOKEN`/cloud credentials, opening reverse shells, dropping wipers.\n  Most SCA tools never read the `scripts` field.\n- **Native binaries.** Compiled `.node`/`.so`/`.dylib`/`.wasm` addons hide\n  payloads that no source-level scanner decompiles.\n\nBinShield covers both.\n\n## What BinShield does\n\n| Capability | Detail |\n|---|---|\n| **Install-script analysis** | Scans npm lifecycle hooks (`preinstall`/`install`/`postinstall`/`prepare`) and PyPI `setup.py`/`pyproject.toml` for `curl\\|bash`, `eval` of remote code, credential exfiltration, wipers, reverse shells, and obfuscated payloads. |\n| **Native binary analysis** | Ghidra-powered decompilation (with a heuristic fallback) plus YARA pattern matching on `.node`/`.so`/`.dylib`/`.wasm`. |\n| **AI classification** | xAI Grok classifies decompiled binaries and install scripts into a supply-chain threat taxonomy; a deterministic heuristic floor runs when AI is unavailable. |\n| **Known-malware feed** | Cross-references every scan against OSV malicious-package advisories (`MAL-*`); a confirmed match forces a critical verdict. |\n| **Proactive alerts** | When a malicious package is discovered, BinShield matches it against your watchlists and scanned lockfiles and alerts you via email / Slack / webhook. |\n| **CI gating** | A GitHub Action scans every PR's dependencies and blocks merges on risky packages. |\n| **Reports** | CycloneDX SBOM export and SOC 2 / ISO 27001 / EU CRA compliance reports. |\n\n## Architecture\n\n```mermaid\nflowchart LR\n  subgraph Sources\n    A[API / Dashboard scan] --\u003e Q\n    F[npm registry feed] --\u003e Q\n    C[Crawler / discovery] --\u003e Q\n  end\n  Q[analysis_jobs queue] --\u003e W\n  subgraph W[Analysis worker]\n    direction TB\n    AC[Acquire package] --\u003e EX[Extract binaries]\n    AC --\u003e MS[Install-script analysis]\n    EX --\u003e DC[Decompile + YARA]\n    DC --\u003e CL[AI classify]\n    MS --\u003e CL\n    CL --\u003e RS[Risk score + malware feed]\n  end\n  RS --\u003e DB[(Supabase)]\n  RS --\u003e AL[Alert loop]\n  DB --\u003e WEB[Web app]\n  DB --\u003e ACT[GitHub Action]\n  AL --\u003e N[Email / Slack / Webhook]\n```\n\n## Quickstart\n\n```bash\ncorepack enable          # provides pnpm 10\npnpm install\npnpm dev                 # web app at http://localhost:3000\n```\n\nBinShield ships a **demo fallback** — the web app, API, and worker all run\nwithout live credentials (seeded corpus, in-memory store, bundled fixtures),\nso you can explore the product before wiring up Supabase / xAI / Stripe.\n\n```bash\npnpm --filter @binshield/api dev                     # API server\nBINSHIELD_WORKER_MODE=daemon pnpm --filter @binshield/worker dev   # worker\npnpm typecheck \u0026\u0026 pnpm test \u0026\u0026 pnpm build            # the validation gate\n```\n\n## Scan your repo in CI\n\nAdd the GitHub Action to block malicious dependencies on every PR:\n\n```yaml\n- uses: ashlrai/binshield/apps/github-action@v1\n  with:\n    api-key: ${{ secrets.BINSHIELD_API_KEY }}\n    fail-on: high\n```\n\nSee [`apps/github-action/README.md`](apps/github-action/README.md) for inputs,\nscan modes, and SBOM export.\n\n## Monorepo layout\n\n| Path | Description |\n|---|---|\n| `apps/web` | Next.js 15 frontend — public package database and dashboard |\n| `apps/api` | Hono API — search, scans, orgs, advisories, billing |\n| `apps/worker` | Analysis worker — binary + install-script pipeline, feed, crawler |\n| `apps/github-action` | CI scanner that gates PRs on dependency risk |\n| `apps/video` | Remotion project for the demo video |\n| `packages/analysis-types` | Shared domain types and sample data |\n| `packages/risk-engine` | Deterministic risk scoring |\n| `packages/config` | Environment parsing and product constants |\n| `packages/ui` | Shared UI components |\n| `packages/cli` | Command-line entry points |\n\n## Documentation\n\n- [Architecture](docs/architecture.md)\n- [API reference](docs/api-reference.md)\n- [Integration guide](docs/integration-guide.md)\n- [Contributing](CONTRIBUTING.md) · [Security policy](SECURITY.md) · [Changelog](CHANGELOG.md)\n\n## License\n\nMIT — see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fashlrai%2Fbinshield","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fashlrai%2Fbinshield","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fashlrai%2Fbinshield/lists"}