feat: supply chain defense - egress sandbox, dependency auditing, 25 new detection rules #84

Merged: garagon merged 3 commits into main from feat/supply-chain-defense-phase2 on Mar 24, 2026

Conversation

@garagon (Contributor) commented Mar 24, 2026

Context

On March 24, 2026, litellm versions 1.82.7 and 1.82.8 were published to PyPI with a malicious .pth file that exfiltrates SSH keys, cloud credentials, Kubernetes configs, environment variables, and installs persistent backdoors. The package has 97M monthly downloads and spreads to any project depending on it. Details: litellm #24512.

This PR adds defenses at three layers: network egress, pre-launch scanning, and detection rules.

Changes

Egress sandbox for MCP servers

New egress_sandbox: true config on MCP server definitions. When enabled, oktsec injects HTTP_PROXY/HTTPS_PROXY environment variables into the child process, routing all HTTP traffic through oktsec's forward proxy. Egress policies then apply - only explicitly allowed domains are reachable.

```yaml
gateway:
  servers:
    my-server:
      transport: stdio
      command: python
      args: [server.py]
      egress_sandbox: true
```

The child process inherits the host's PATH, HOME, and other env vars. Custom env entries override sandbox vars. A warning is logged if the forward proxy isn't enabled.

This blocks the exfiltration step of the litellm attack: the POST to models.litellm.cloud fails because the domain isn't in the allowed list.

oktsec audit deps command

New CLI command that scans an MCP server's dependency manifests against the OSV.dev vulnerability database.

```sh
oktsec audit deps /path/to/mcp-server/
```

Parses requirements.txt, package.json, and go.mod. For each package+version, queries the OSV API for known vulnerabilities. Also checks:

  • Dependency count (flags >100 as warning, >300 as high risk)
  • Lockfile presence (warns if missing)
  • Version pinning (warns if >50% of deps use ranges like >= instead of exact pins)

Supports --json for machine consumption and --strict to fail on warnings. Exit codes: 0 = clean, 1 = critical, 2 = error.

Aguara v0.11.0 (10 SC-EX rules)

Upgrades the detection engine to Aguara v0.11.0, which adds 10 supply chain exfiltration rules derived from the litellm malware analysis:

| Rule | Severity | What it detects |
|---|---|---|
| SC-EX-001 | Critical | Python code reading credential files (~/.ssh/, ~/.aws/, etc.) |
| SC-EX-002 | Critical | File content encoding (base64/AES) combined with file reads |
| SC-EX-003 | Critical | Bulk os.environ access combined with HTTP POST |
| SC-EX-004 | Critical | .pth files with executable content (import, subprocess, exec) |
| SC-EX-005 | High | Cloud metadata endpoint access (169.254.169.254) in Python |
| SC-EX-006 | Critical | Kubernetes secrets API access / privileged pod creation |
| SC-EX-007 | Critical | Systemd/cron persistence installation |
| SC-EX-008 | High | Hardcoded RSA/AES key material in source |
| SC-EX-009 | Critical | Tar/zip archive creation combined with HTTP POST |
| SC-EX-010 | Medium | .pth file presence flag for review |

Total detection rules: 255 (187 Aguara built-in + 68 oktsec custom).

How these defenses map to the litellm attack

| Attack stage | What happens | Defense |
|---|---|---|
| Delivery | Poisoned package version published to PyPI | oktsec audit deps flags known-malicious packages via OSV.dev |
| Delivery | Version bumped from 1.82.7 to 1.82.8 | Dependency rug-pull detection warns on manifest change (PR #83) |
| Collection | .pth file reads credential files at Python startup | SC-EX-001, SC-EX-004 detect the pattern when scanning server directory |
| Collection | Dumps os.environ and queries cloud IMDS | SC-EX-003, SC-EX-005 |
| Exfiltration | Encrypts with RSA+AES, tars, POSTs to attacker domain | SC-EX-002, SC-EX-008, SC-EX-009 detect the code pattern. Egress sandbox blocks the POST. |
| Lateral movement | Reads K8s secrets, creates privileged pods | SC-EX-006 |
| Persistence | Installs systemd service at ~/.config/sysmon/ | SC-EX-007, TC-011 (PR #83) |

Test plan

  • make build && make test && make lint && make vet
  • 18 egress sandbox tests (env injection, proxy port, inheritance, override)
  • 18 audit deps tests (manifest parsing, OSV mock, risk scoring, CLI flags)
  • Aguara v0.11.0 builds and loads 255 rules
  • CI

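The env-injection step of the egress sandbox described above, written out as an added example (not oktsec's own code). It assumes a `ProxyConfig` struct with `Enabled` and `ListenAddr` fields, and it makes two choices of its own: the inherited `NO_PROXY` is dropped so the host's exemptions do not become bypasses for the child, and the proxy variables are injected even when the proxy is disabled, so the child fails closed rather than egressing freely while the warning is logged. Precedence is host env, then sandbox vars, then the server's custom entries, matching the override behaviour the PR describes.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
)

// ProxyConfig describes the forward proxy as this example assumes it
// (assumed shape, not the project's actual config struct).
type ProxyConfig struct {
	Enabled    bool
	ListenAddr string // host:port, e.g. "127.0.0.1:8081"
}

// proxyVars are the variables HTTP client libraries consult for a proxy.
// Both spellings are set because libraries differ in which one they read.
var proxyVars = []string{"HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy"}

// BuildChildEnv composes the environment for a sandboxed child MCP server.
// Precedence, lowest to highest: host environment (PATH, HOME, ...), injected
// proxy variables, then the server's custom env entries. It returns the
// environment in os.Environ() form plus any warnings the caller should log.
func BuildChildEnv(hostEnv []string, proxy ProxyConfig, custom map[string]string) ([]string, []string) {
	env := map[string]string{}
	for _, kv := range hostEnv {
		if k, v, ok := strings.Cut(kv, "="); ok {
			env[k] = v
		}
	}

	var warnings []string
	if !proxy.Enabled {
		// Assumption of this example: inject the variables anyway so the child
		// fails closed (no working proxy) instead of egressing unrestricted.
		warnings = append(warnings, "egress_sandbox is set but the forward proxy is disabled; child HTTP traffic will fail until it is enabled")
	}
	proxyURL := "http://" + proxy.ListenAddr
	for _, k := range proxyVars {
		env[k] = proxyURL
	}
	// A NO_PROXY inherited from the host would let the child bypass the proxy
	// for whatever hosts the operator exempted for themselves, so drop it
	// (assumption of this example; a custom entry below may still set it).
	delete(env, "NO_PROXY")
	delete(env, "no_proxy")

	for k, v := range custom {
		env[k] = v
	}

	out := make([]string, 0, len(env))
	for k, v := range env {
		out = append(out, k+"="+v)
	}
	sort.Strings(out) // deterministic order makes the result easy to log and test
	return out, warnings
}

// Lookup returns the value of key in an os.Environ()-style slice.
func Lookup(env []string, key string) (string, bool) {
	for _, kv := range env {
		if k, v, ok := strings.Cut(kv, "="); ok && k == key {
			return v, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: a stdio server launched as "python server.py".
	env, warnings := BuildChildEnv(os.Environ(),
		ProxyConfig{Enabled: true, ListenAddr: "127.0.0.1:8081"},
		map[string]string{"LOG_LEVEL": "debug"})
	for _, w := range warnings {
		fmt.Fprintln(os.Stderr, "warning:", w)
	}
	cmd := exec.Command("python", "server.py")
	cmd.Env = env // the child sees only this environment
	for _, k := range []string{"HTTPS_PROXY", "PATH", "LOG_LEVEL"} {
		v, _ := Lookup(cmd.Env, k)
		fmt.Printf("%s=%s\n", k, v)
	}
}
```

Setting `cmd.Env` replaces the whole environment, so everything the child should keep (PATH, HOME) must be copied through explicitly; a library that honours `NO_PROXY` or ignores the lowercase spellings is the usual way a sandbox of this kind leaks, which is why the example sets both spellings and clears the exemption list.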
garagon added 3 commits March 24, 2026 17:17

Commit 1:
Injects HTTP_PROXY/HTTPS_PROXY env vars into child MCP server processes
when egress_sandbox: true is configured. Forces all HTTP traffic through
oktsec's forward proxy where egress policies apply.

Blocks the litellm exfiltration step: POST to models.litellm.cloud fails
because domain not in allowed list. Child inherits host PATH/HOME.
User env vars override sandbox vars. Warns if forward proxy not enabled.
18 tests covering gateway + stdio proxy.

Commit 2:
Scans requirements.txt, package.json, go.mod against OSV.dev
vulnerability database. Checks dependency count, lockfile presence,
and version pinning. Semaphore-limited concurrent OSV queries.

Exit codes: 0=clean, 1=critical (or WARNING+ with --strict), 2=error.
Supports --json output. 18 tests with mocked HTTP.

Commit 3:
Adds 10 rules detecting credential file reads in Python source,
encrypted exfiltration (AES+RSA+tar+POST), .pth file abuse,
cloud metadata access, K8s secrets API abuse, systemd persistence,
and hardcoded key material. Derived from litellm attack analysis.

Total rules: 255 (187 Aguara built-in + 68 oktsec custom).
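The audit deps pipeline described in the PR body and in the second commit, as an added example that is not oktsec's code. It covers the requirements.txt path only (the PR also parses package.json and go.mod), applies the three structural checks with the thresholds the PR states (>100 / >300 dependencies, missing lockfile, >50% unpinned), builds the request body for OSV's real `POST https://api.osv.dev/v1/querybatch` endpoint without sending it, and maps findings to the documented exit codes. The `Dep`, `Finding` and function names are this example's own; the sample manifest is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Dep is one declared dependency. Pinned is true only when the declaration
// names exactly one version (==1.2.3); Version then holds that version,
// otherwise the range as written (">=2.0", ">=0.25,<1").
type Dep struct {
	Ecosystem string // OSV ecosystem name, "PyPI" here
	Name      string
	Version   string
	Pinned    bool
}

// Finding is one audit result; Severity is WARNING, HIGH or CRITICAL.
type Finding struct{ Severity, Message string }

// name, optional extras, optional operator, version/range up to a marker (;) or space
var reqLine = regexp.MustCompile(`^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^;\s]*)`)

// ParseRequirements reads the subset of requirements.txt syntax that matters
// for auditing and skips comments and option lines such as -r or --index-url.
func ParseRequirements(text string) []Dep {
	var deps []Dep
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "-") {
			continue
		}
		if m := reqLine.FindStringSubmatch(line); m != nil {
			deps = append(deps, Dep{"PyPI", strings.ToLower(m[1]), strings.TrimPrefix(m[3]+m[4], "=="), m[3] == "=="})
		}
	}
	return deps
}

// AssessManifest applies the structural checks: dependency count (>100 is a
// warning, >300 high risk), lockfile presence, and pinning (>50% ranges warns).
func AssessManifest(deps []Dep, hasLockfile bool) []Finding {
	var out []Finding
	n := len(deps)
	switch {
	case n > 300:
		out = append(out, Finding{"HIGH", fmt.Sprintf("%d dependencies: very large attack surface", n)})
	case n > 100:
		out = append(out, Finding{"WARNING", fmt.Sprintf("%d dependencies", n)})
	}
	if !hasLockfile {
		out = append(out, Finding{"WARNING", "no lockfile: installed versions are not reproducible"})
	}
	unpinned := 0
	for _, d := range deps {
		if !d.Pinned {
			unpinned++
		}
	}
	if n > 0 && unpinned*2 > n {
		out = append(out, Finding{"WARNING", fmt.Sprintf("%d of %d dependencies use version ranges instead of exact pins", unpinned, n)})
	}
	return out
}

// OSVQueryBatch builds the body for POST https://api.osv.dev/v1/querybatch.
// Only pinned deps are queried: a range does not identify an installed
// version, so unpinned entries need a lockfile to resolve first.
func OSVQueryBatch(deps []Dep) ([]byte, error) {
	type query struct {
		Package map[string]string `json:"package"`
		Version string            `json:"version"`
	}
	qs := []query{}
	for _, d := range deps {
		if d.Pinned {
			qs = append(qs, query{map[string]string{"name": d.Name, "ecosystem": d.Ecosystem}, d.Version})
		}
	}
	return json.Marshal(map[string][]query{"queries": qs})
}

// ExitCode maps findings to the command's status: 1 on any CRITICAL, or on
// any finding at all with --strict; 0 otherwise (2 is reserved for errors).
func ExitCode(findings []Finding, strict bool) int {
	for _, f := range findings {
		if f.Severity == "CRITICAL" || strict {
			return 1
		}
	}
	return 0
}

func main() {
	// Constructed manifest: the litellm version named in the PR plus two unpinned deps.
	deps := ParseRequirements("litellm==1.82.7\nrequests>=2.0  # http\nhttpx[http2]>=0.25,<1 ; python_version>='3.9'\n-r base.txt\n")
	findings := AssessManifest(deps, false)
	body, _ := OSVQueryBatch(deps)
	fmt.Println(string(body))
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Severity, f.Message)
	}
	fmt.Println("exit", ExitCode(findings, true))
}
```

A vulnerability returned by OSV for a queried package would be added as a CRITICAL finding, which is what makes the exit code 1 without --strict; the pinning and lockfile checks matter because a range such as `>=2.0` is exactly what lets a newly published malicious version be installed without any change to the manifest.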
@garagon changed the title from "feat: supply chain defense phase 2 - egress sandbox, audit deps" to "feat: supply chain defense - egress sandbox, dependency auditing, 25 new detection rules" on Mar 24, 2026
@garagon garagon merged commit c961745 into main Mar 24, 2026
1 check passed
@garagon garagon deleted the feat/supply-chain-defense-phase2 branch March 24, 2026 20:34