
feat: supply chain defense phase 1 - credential coverage, dep rug-pull, aguara v0.10.0 #83

Merged
garagon merged 3 commits into main from feat/supply-chain-defense-phase1
Mar 24, 2026

Conversation

@garagon garagon commented Mar 24, 2026

Summary

Response to the litellm PyPI supply chain attack (March 24, 2026). Three changes:

  • Aguara v0.10.0: New decoders (URL/Unicode/HTML/hex encoding), NLP for JSON/YAML, aggregate RiskScore, proximity weighting, dynamic confidence, configurable dedup, cross-file toxicflow, library-mode rug-pull
  • TC-002 expansion + TC-011: 6 new credential file patterns (shell history, git creds, npm/pypi auth, CI/CD, crypto wallets, SSL keys) covering all litellm exfiltration targets. New TC-011 rule for persistence detection (systemd services, sysmon backdoor, crontab)
  • Dependency rug-pull detection: Gateway hashes dependency manifests (requirements.txt, package-lock.json, go.sum) on startup, warns when they change between runs. Catches the litellm version bump before the MCP server starts

What this defends against

litellm stage                                  Defense
Stage 1: credential collection via MCP tools   TC-002 (14 patterns covering all targeted file types)
Stage 2: exfiltration                          Existing egress policies block unauthorized domains
Stage 3: persistence installation              TC-011 (systemd, sysmon, crontab, shell profile)
Version bump delivery                          Dependency rug-pull warns before server starts

Test plan

  • make build && make test && make lint && make vet all pass
  • TC-002 new patterns load correctly
  • TC-011 loads and matches persistence patterns
  • 11 dephash tests (baseline, changes, missing dir, multiple manifests, permissions)
  • CI
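The dependency rug-pull check from the description, worked through as an added Go example (not the project's own code): each server's working directory is scanned for dependency manifests, their SHA-256 digests are compared with a JSON baseline kept at 0600, and any changed, added or removed manifest is returned so the gateway can warn before launching the server. The first run for a server only records the baseline. The manifest list beyond the three the PR names, the JSON layout and all function names are this example's assumptions; the store path and working directory are passed in as parameters rather than read from `gateway.dep_check` / `servers.*.working_dir`.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Manifests hashed on startup; the PR names the first three, the rest are this example's assumption.
var manifestNames = []string{"requirements.txt", "package-lock.json", "go.sum", "Pipfile.lock", "yarn.lock"}

// Change is one manifest whose digest differs from the baseline (Old "" = new file, New "" = removed).
type Change struct {
	Server, Manifest, Old, New string
}

// hashManifests returns sha256 hex digests keyed by manifest name for every manifest under dir.
// A missing dir or file is not an error: there is simply nothing to baseline for it.
func hashManifests(dir string) (map[string]string, error) {
	digests := map[string]string{}
	for _, name := range manifestNames {
		data, err := os.ReadFile(filepath.Join(dir, name))
		if errors.Is(err, os.ErrNotExist) {
			continue
		}
		if err != nil {
			return nil, err
		}
		sum := sha256.Sum256(data)
		digests[name] = hex.EncodeToString(sum[:])
	}
	return digests, nil
}

// compareBaseline reports manifests that changed, appeared or disappeared since the last run.
func compareBaseline(server string, old, cur map[string]string) []Change {
	var changes []Change
	for name, digest := range cur {
		if old[name] != digest {
			changes = append(changes, Change{server, name, old[name], digest})
		}
	}
	for name, digest := range old {
		if _, still := cur[name]; !still {
			changes = append(changes, Change{server, name, digest, ""})
		}
	}
	return changes
}

// CheckDeps is the startup check for one server: load the baseline (server -> manifest -> digest),
// hash the manifests in workingDir, persist the new digests with 0600 permissions, and return the
// differences. A server seen for the first time gets a baseline and no warnings.
func CheckDeps(storePath, server, workingDir string) ([]Change, error) {
	store := map[string]map[string]string{}
	if data, err := os.ReadFile(storePath); err == nil {
		if err := json.Unmarshal(data, &store); err != nil {
			return nil, err
		}
	} else if !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	cur, err := hashManifests(workingDir)
	if err != nil {
		return nil, err
	}
	old, seen := store[server]
	store[server] = cur
	data, err := json.MarshalIndent(store, "", "  ")
	if err != nil {
		return nil, err
	}
	if err := os.MkdirAll(filepath.Dir(storePath), 0o700); err != nil {
		return nil, err
	}
	if err := os.WriteFile(storePath, data, 0o600); err != nil {
		return nil, err
	}
	if !seen {
		return nil, nil // first run for this server: baseline recorded, nothing to compare
	}
	return compareBaseline(server, old, cur), nil
}

func main() {
	// Constructed demo: baseline a scratch manifest, bump a pin, check again.
	dir, _ := os.MkdirTemp("", "dephash-demo")
	defer os.RemoveAll(dir)
	store, req := filepath.Join(dir, "dep-hashes.json"), filepath.Join(dir, "requirements.txt")
	_ = os.WriteFile(req, []byte("examplepkg==1.0.0\n"), 0o600)
	_, _ = CheckDeps(store, "demo", dir) // first run: records the baseline
	_ = os.WriteFile(req, []byte("examplepkg==1.0.1\n"), 0o600)
	changes, _ := CheckDeps(store, "demo", dir)
	for _, c := range changes {
		fmt.Printf("WARN %s: %s changed %s -> %s\n", c.Server, c.Manifest, c.Old, c.New)
	}
}
```

Hashing the whole manifest rather than parsing it is deliberate: a version bump, a swapped integrity hash in a lock file or a new transitive entry all change the digest, and the check stays format-agnostic. The baseline file is the trust anchor, so it is written with 0600 and the directory with 0700.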

garagon added 3 commits March 24, 2026 16:50
New decoders (URL/Unicode/HTML/hex), NLP for JSON/YAML, aggregate
RiskScore, proximity weighting, dynamic confidence, configurable
dedup, cross-file toxicflow, library-mode rug-pull.
…tection

TC-002: 6 new patterns covering shell history, git credentials,
package manager auth (.npmrc, .pypirc), CI/CD configs, crypto wallets,
and SSL/TLS private keys. Closes all credential file gaps exposed by
the litellm supply chain attack.

TC-011: new critical rule detecting persistence mechanisms - systemd
user services, sysmon backdoor path, crontab entries, shell profile
modifications. Based on litellm malware persistence patterns.

Hashes requirements.txt, package-lock.json, go.sum, and other
dependency manifests on gateway startup. Compares to stored hashes
from previous run. Warns when manifests change between runs.

Catches the exact litellm scenario: version bump with malicious
payload detected before the MCP server starts.

Config: gateway.dep_check (bool), servers.*.working_dir (string).
Storage: ~/.oktsec/dep-hashes.json (0600 permissions). 11 tests.
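One way to implement the TC-002 / TC-011 path matching the commits above describe, as an added Go example that is not the project's rule engine: each path argument of a tool call is normalized first (percent-encoding and HTML entities decoded, a leading `~` expanded, dot segments and duplicate separators cleaned, in the spirit of the v0.10.0 decoders) and only then matched against a rule table, so an encoded `%2Ebash_history` is caught the same as the plain form. The rule IDs, severities and categories come from the PR; the regular expressions, the `NormalizePath`/`ScanPaths`/`MaxSeverity` names and the sample paths are this example's assumptions, and the sysmon backdoor path is left out because the page does not give it.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Rule pairs a path pattern with the rule family it belongs to. The IDs TC-002/TC-011 and
// the categories follow the PR; the regular expressions are this example's assumptions.
type Rule struct {
	ID, Severity, Name string
	Re                 *regexp.Regexp
}

var rules = []Rule{
	{"TC-002", "high", "shell history", regexp.MustCompile(`(^|/)\.(bash|zsh|sh)_history$`)},
	{"TC-002", "high", "git credentials", regexp.MustCompile(`(^|/)\.git-credentials$`)},
	{"TC-002", "high", "package manager auth", regexp.MustCompile(`(^|/)\.(npmrc|pypirc)$`)},
	{"TC-002", "high", "crypto wallet", regexp.MustCompile(`(^|/)wallet\.dat$`)},
	{"TC-002", "high", "SSL/TLS private key", regexp.MustCompile(`/ssl/private/|\.(pem|key)$`)},
	{"TC-011", "critical", "systemd user service", regexp.MustCompile(`/\.config/systemd/user/[^/]+\.service$`)},
	{"TC-011", "critical", "crontab", regexp.MustCompile(`^/(var/spool/cron|etc/cron\.d)/`)},
	{"TC-011", "critical", "shell profile", regexp.MustCompile(`(^|/)\.(bashrc|bash_profile|zshrc|profile)$`)},
}

// Hit is one rule that matched one normalized path argument.
type Hit struct {
	Rule, Name, Severity, Path string
}

// NormalizePath undoes the encodings a naive matcher would be fooled by: percent-encoding,
// HTML entities, a leading "~" (expanded to home) and redundant "./" or "//" segments.
func NormalizePath(p, home string) string {
	if u, err := url.PathUnescape(p); err == nil {
		p = u
	}
	p = html.UnescapeString(p)
	if p == "~" || strings.HasPrefix(p, "~/") {
		p = home + strings.TrimPrefix(p, "~")
	}
	return path.Clean(p)
}

// ScanPaths normalizes every path argument of a tool call and returns all rule hits, in
// argument order, so the caller can log or block before the tool runs.
func ScanPaths(paths []string, home string) []Hit {
	var hits []Hit
	for _, raw := range paths {
		p := NormalizePath(raw, home)
		for _, r := range rules {
			if r.Re.MatchString(p) {
				hits = append(hits, Hit{r.ID, r.Name, r.Severity, p})
			}
		}
	}
	return hits
}

// MaxSeverity folds a hit list into the single verdict a gateway acts on:
// "critical" outranks "high"; an empty list yields "none".
func MaxSeverity(hits []Hit) string {
	rank := map[string]int{"none": 0, "high": 1, "critical": 2}
	worst := "none"
	for _, h := range hits {
		if rank[h.Severity] > rank[worst] {
			worst = h.Severity
		}
	}
	return worst
}

func main() {
	// Constructed tool-call arguments: two encoded credential reads, one persistence
	// write under the systemd user directory, and one benign file.
	args := []string{
		"~/.bash_history",
		"/home/dev/%2Enpmrc",
		"/home/dev/&#46;config/systemd/user/update.service",
		"/home/dev/project/README.md",
	}
	hits := ScanPaths(args, "/home/dev")
	for _, h := range hits {
		fmt.Printf("%s %-8s %-22s %s\n", h.Rule, h.Severity, h.Name, h.Path)
	}
	fmt.Println("overall:", MaxSeverity(hits))
}
```

Matching on the normalized path and reporting that path (not the raw argument) is what makes the alert useful to a responder: the log shows the file actually reached, regardless of how it was spelled in the request.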
@garagon garagon merged commit 2b8a3f3 into main Mar 24, 2026
1 check passed
@garagon garagon deleted the feat/supply-chain-defense-phase1 branch March 24, 2026 20:05