{"id":48916684,"url":"https://github.com/loupe-tools/loupe","last_synced_at":"2026-05-02T22:09:08.852Z","repository":{"id":350728540,"uuid":"1207933572","full_name":"Loupe-tools/Loupe","owner":"Loupe-tools","description":"100% offline, single HTML file security analyser for 60+ file formats — Office docs, PDFs, executables (PE/ELF/Mach-O), emails, certificates, OpenPGP, JAR, SVG, archives, scripts, plists, EVTX and SQLite. 475+ built-in YARA rules, VBA macro analysis, IOC extraction, recursive payload decoding, STIX 2.1 / MISP export.","archived":false,"fork":false,"pushed_at":"2026-04-19T03:54:54.000Z","size":31967,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-19T05:09:09.237Z","etag":null,"topics":["evtx","file-analysis","incident-response","malware-analysis","offline","security","single-file","static-analysis","threat-detection","yara"],"latest_commit_sha":null,"homepage":"https://loupe.tools/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Loupe-tools.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-11T15:47:08.000Z","updated_at":"2026-04-19T03:54:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"c470090c-4bfb-4e6f-941e-d7dc097dae76","html_url":"https://github.com/Loupe-tools/Loupe","commit_stats":null,"previous_names":["sam-dowling/phishfinder","sam-dowling/glovebox","loupe-tools/loupe"],"tags_count":44,"template":false,"template_full_name":null,"purl":"pkg:github/Loupe-tools/Loupe","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Loupe-tools%2FLoupe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Loupe-tools%2FLoupe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Loupe-tools%2FLoupe/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Loupe-tools%2FLoupe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Loupe-tools","download_url":"https://codeload.github.com/Loupe-tools/Loupe/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Loupe-tools%2FLoupe/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32117798,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-22T00:31:26.853Z","status":"online","status_checked_at":"2026-04-22T02:00:05.693Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["evtx","file-analysis","incident-response","malware-analysis","offline","security","single-file","static-analysis","threat-detection","yara"],"created_at":"2026-04-17T03:04:46.250Z","updated_at":"2026-05-02T22:09:08.844Z","avatar_url":"https://github.com/Loupe-tools.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🕵🏻 Loupe\n\n**A 100% offline, single-file security analyser for suspicious files.**\nNo server, no uploads, no tracking — just drop a file and inspect it.\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"FEATURES.md\"\u003e📖 Features\u003c/a\u003e ·\n  \u003ca href=\"SECURITY.md\"\u003e🔒 Security\u003c/a\u003e ·\n  \u003ca href=\"CONTRIBUTING.md\"\u003e🛠️ Contributing\u003c/a\u003e\n\u003c/p\u003e\n\n\u003e **\u003ca href=\"https://loupe.tools/\" target=\"_blank\" rel=\"noopener\"\u003e▶ Launch the live demo\u003c/a\u003e**\n\n\n![License: MPL-2.0](https://img.shields.io/badge/License-MPL%202.0-brightgreen.svg)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12604/badge)](https://www.bestpractices.dev/projects/12604)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/Loupe-tools/Loupe/badge)](https://securityscorecards.dev/viewer/?uri=github.com/Loupe-tools/Loupe)\n![100% Offline](https://img.shields.io/badge/100%25-Offline-blueviolet)\n![Single HTML File](https://img.shields.io/badge/Single_File-HTML-orange)\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"screenshots/hero.png\" alt=\"Loupe interface — 100% offline static analysis\" width=\"800\"\u003e\n\u003cbr\u003e\n\u003cem\u003eLoupe — drop a file, inspect it safely, entirely in your browser.\u003c/em\u003e\n\u003c/p\u003e\n\n---\n\n## 🤔 Why Loupe?\n\nSOC analysts, MDR responders, phishing teams, and DFIR practitioners need to inspect suspicious files **without uploading them anywhere**. Loupe runs entirely in your browser — nothing ever leaves your machine.\n\n- **Zero network, zero install.** A strict [Content-Security-Policy](SECURITY.md#full-content-security-policy) blocks every outbound request. One HTML file, double-click to open, works on any OS.\n- **Forensics-grade depth in a triage tool.** [50+ formats](FEATURES.md#-supported-formats) with format-specific parsers, recursive deobfuscation, 500+ bundled YARA rules, and one-click STIX / MISP / clipboard export.\n- **A timeline tool too.** CSV, TSV, EVTX, log files, packet captures, and browser-history SQLite open in the [📈 Timeline viewer](FEATURES.md#-timeline) — virtual grid for 1 M rows, scrubber + stacked-bar histogram, DSL query language, EVTX detections with MITRE ATT\u0026CK pivots.\n- **Verifiable supply chain.** Every release is [Sigstore-signed with SLSA v1.0 build provenance](SECURITY.md#verify-your-download), reproducible from source, and ships a CycloneDX SBOM.\n\n---\n\n## 🚀 Quick Start\n\n[⬇️ **Download latest loupe.html**](https://github.com/Loupe-tools/Loupe/releases/latest/download/loupe.html)\n\n1. **Download** — grab `loupe.html` from the release link above, or clone the repo, run `python make.py`, and open `docs/index.html`.\n2. **Open** — double-click in any modern browser (Chrome, Firefox, Edge, Safari). No server.\n3. **Drop a file** — drag a single file or a whole folder onto the drop zone, click **📁 Open File**, or paste with **Ctrl+V**. Multi-file drops and `webkitdirectory` picker selections are bundled into a single tree view; click any leaf to drill in.\n4. *(optional)* **Verify** — every release is Sigstore-signed and reproducible. See [SECURITY.md § Verify Your Download](SECURITY.md#verify-your-download).\n5. **Inspect** — press **S** for the security sidebar, **Y** for the YARA dialog, **?** for all shortcuts.\n\n\u003e Loupe is a **static-analysis triage tool** — it extracts, decodes, and displays file contents for human review. It does **not execute** macros, JavaScript, or embedded code. Use Loupe for initial triage and IOC extraction, then escalate to a sandbox or disassembly environment.\n\n---\n\n## 🎯 When to reach for Loupe\n\n- **Abuse-mailbox triage** — drop a `.eml` or `.msg`; headers, SPF/DKIM/DMARC verdicts, tracking pixels, and embedded URLs are all inspectable, with anchors rendered inert so a hostile URL can't be navigated to by accident.\n- **ClickFix / `osascript` paste** — paste an obfuscated one-liner with `Ctrl+V`; Loupe peels every nested Base64 / hex / gzip / zlib / XOR layer and surfaces the IOCs.\n- **Host-triage timeline** — drop a `.evtx` to auto-flag 4688 / 4624 / 1102 / 4104 with MITRE ATT\u0026CK pills. Browser `History.sqlite` opens into the same timeline.\n- **Airgap / SCIF analyst VM** — single HTML, zero network, usable where VirusTotal and Any.Run are off-limits.\n\n---\n\n## 🛡 Supported Formats\n\nExtensionless and renamed files are auto-routed by magic-byte sniff. Per-format detail in [FEATURES.md](FEATURES.md#-supported-formats).\n\n| Category | Extensions |\n|---|---|\n| **Office** | `.docx` `.docm` `.xlsx` `.xlsm` `.pptx` `.pptm` `.doc` `.xls` `.ppt` `.ods` `.odt` `.odp` `.rtf` `.iqy` `.slk` |\n| **PDF** | `.pdf` |\n| **Email** | `.eml` `.msg` |\n| **Web** | `.html` `.htm` `.mht` `.mhtml` `.xhtml` `.svg` |\n| **Archives** | `.zip` `.gz` `.gzip` `.tar` `.tar.gz` `.tgz` `.rar` `.7z` `.cab` `.iso` `.img` |\n| **OneNote** | `.one` |\n| **Windows** | `.lnk` `.hta` `.url` `.webloc` `.website` `.reg` `.inf` `.sct` `.msi` `.exe` `.dll` `.sys` `.scr` `.cpl` `.ocx` `.drv` `.com` `.xll` `.application` `.manifest` `.msix` `.msixbundle` `.appx` `.appxbundle` `.appinstaller` |\n| **Browser extensions** | `.crx` `.xpi` |\n| **npm** | `.tgz` `package.json` `package-lock.json` `npm-shrinkwrap.json` |\n| **Linux / IoT** | `.so` `.o` `.elf` |\n| **macOS** | `.applescript` `.scpt` `.scptd` `.jxa` `.plist` `.dylib` `.bundle` `.dmg` `.pkg` `.mpkg` |\n| **Certificates** | `.pem` `.der` `.crt` `.cer` `.p12` `.pfx` |\n| **OpenPGP** | `.pgp` `.gpg` `.asc` `.sig` `.key` |\n| **Java** | `.jar` `.war` `.ear` `.class` |\n| **Scripts** | `.wsf` `.wsc` `.wsh` `.vbs` `.ps1` `.bat` `.cmd` `.js` |\n| **Logs** | `.log` `.cef` `.leef` `.evtx` |\n| **Network** | `.pcap` `.pcapng` `.cap` |\n| **Data** | `.csv` `.tsv` `.json` `.ndjson` `.jsonl` `.sqlite` `.db` |\n| **Images** | `.jpg` `.jpeg` `.png` `.gif` `.bmp` `.webp` `.ico` `.tif` `.tiff` `.avif` |\n\n---\n\n## 🎬 Try It Yourself\n\nThe [`examples/`](examples/) directory has a sample file for every supported format — see [`examples/README.md`](examples/README.md) for a guided tour.\n\n---\n\n## 🔍 What it looks like\n\n\u003ctable align=\"center\"\u003e\n  \u003ctr\u003e\n    \u003ctd align=\"center\" width=\"50%\"\u003e\n      \u003ca href=\"FEATURES.md#-security-sidebar\"\u003e\u003cimg src=\"screenshots/analysis.png\" alt=\"File analysis with security sidebar\" width=\"400\"\u003e\u003c/a\u003e\u003cbr\u003e\n      \u003cb\u003e🔬 File analysis\u003c/b\u003e\u003cbr\u003e\n      \u003csub\u003eSecurity sidebar with format-specific findings, IOC clusters, and one-click STIX / MISP export.\u003c/sub\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\" width=\"50%\"\u003e\n      \u003ca href=\"FEATURES.md#-yara-rules\"\u003e\u003cimg src=\"screenshots/yara.png\" alt=\"YARA rule editor\" width=\"400\"\u003e\u003c/a\u003e\u003cbr\u003e\n      \u003cb\u003e🔎 YARA rules\u003c/b\u003e\u003cbr\u003e\n      \u003csub\u003e500+ bundled rules plus a live editor for your own rule packs — all evaluated in-browser.\u003c/sub\u003e\n    \u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"FEATURES.md#-timeline\"\u003e\u003cimg src=\"screenshots/timeline.png\" alt=\"Timeline view of a CSV with stacked-bar histogram\" width=\"800\"\u003e\u003c/a\u003e\u003cbr\u003e\n  \u003cb\u003e📈 Timeline\u003c/b\u003e\u003cbr\u003e\n  \u003csub\u003eMillion-row virtual grid for CSV / TSV / EVTX / PCAP / log files / browser SQLite, with stacked-bar histogram and a query DSL.\u003c/sub\u003e\n\u003c/p\u003e\n\n---\n\n## 🎨 Themes\n\nSix built-in themes, selectable from the **◐ Themes** tab (`T`) in the Settings dialog — your choice persists.\n\n\u003ctable align=\"center\"\u003e\n  \u003ctr\u003e\n    \u003ctd align=\"center\"\u003e\u003cimg src=\"screenshots/light_hero.png\" alt=\"Loupe — Light theme\" width=\"260\"\u003e\u003cbr\u003e\u003cb\u003e☀️ Light\u003c/b\u003e\u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\u003cimg src=\"screenshots/dark_hero.png\" alt=\"Loupe — Dark theme\" width=\"260\"\u003e\u003cbr\u003e\u003cb\u003e🌙 Dark\u003c/b\u003e\u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\u003cimg src=\"screenshots/midnight_hero.png\" alt=\"Loupe — Midnight OLED theme\" width=\"260\"\u003e\u003cbr\u003e\u003cb\u003e🌑 Midnight OLED\u003c/b\u003e\u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd align=\"center\"\u003e\u003cimg src=\"screenshots/solarized_hero.png\" alt=\"Loupe — Solarized theme\" width=\"260\"\u003e\u003cbr\u003e\u003cb\u003e🟡 Solarized\u003c/b\u003e\u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\u003cimg src=\"screenshots/mocha_hero.png\" alt=\"Loupe — Mocha theme\" width=\"260\"\u003e\u003cbr\u003e\u003cb\u003e🌺 Mocha\u003c/b\u003e\u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\u003cimg src=\"screenshots/latte_hero.png\" alt=\"Loupe — Latte theme\" width=\"260\"\u003e\u003cbr\u003e\u003cb\u003e🍵 Latte\u003c/b\u003e\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n---\n\n## 🔒 Security Model\n\nStrict CSP (`default-src 'none'`), no `eval` / `new Function`, sandboxed HTML \u0026 SVG previews, centralised parser limits against zip-bombs and runaway parsers. Full threat model, numeric limits, signature-verification recipe, and vulnerability reporting → **[SECURITY.md](SECURITY.md)**.\n\n---\n\n## 🤝 Get Involved\n\nLoupe is open source under the [Mozilla Public License 2.0](LICENSE). The codebase is vanilla JavaScript — no frameworks, no bundlers — to keep it auditable.\n\n- ⭐ **Star the repo** — helps others discover the project.\n- 🐛 **Open an issue** — bug reports, feature requests, format support suggestions.\n- 🔀 **Submit a pull request** — YARA rules, new format parsers, and improvements are especially welcome.\n- 📖 **See [CONTRIBUTING.md](CONTRIBUTING.md)** — build instructions, gotchas, and conventions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Floupe-tools%2Floupe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Floupe-tools%2Floupe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Floupe-tools%2Floupe/lists"}