DEV Community: DNSZLSK

I’m in! 🥳🤙🏼 contratz to all!

DNSZLSK — Tue, 10 Mar 2026 06:19:44 +0000

Jess Lee for The DEV Team

Mar 9

Congrats to the GitHub Copilot CLI Challenge Winners!

#devchallenge #githubchallenge #cli #ai

176

Comments 93

4 min read

My npm monitoring flagged SANDWORM_MODE packages -> looking for expert input

DNSZLSK — Mon, 23 Feb 2026 20:20:18 +0000

Socket just published their research on SANDWORM_MODE, a supply chain campaign targeting AI coding tools.

I checked my logs. My scanner MUAD'DIB flagged several of these packages via temporal analysis - it compares versions and detects when dangerous primitives like child_process or https.request are suddenly added.

What my monitoring caught

Package	Date	Severity	Finding
claud-code@0.2.0	Feb 14	CRITICAL	child_process added suddenly
cloude-code@0.2.0	Feb 14	CRITICAL	child_process added suddenly
suport-color@1.0.2	Feb 14	HIGH	https_request + publish_burst
opencraw@2026.2.15	Feb 17	HIGH	AST findings
opencraw@2026.2.16	Feb 17	HIGH	AST findings

Socket published their report on February 22.

How temporal analysis works

MUAD'DIB compares package versions. If a new version suddenly adds sensitive APIs that weren't there before, it flags it.

A color utility package (suport-color) has no reason to suddenly start making HTTPS requests. A typosquat of Claude Code (claud-code) adding child_process out of nowhere is suspicious.

That's what triggered the alerts.

Question for the community

Socket lists claud-code@0.2.1 as malicious. My logs show claud-code@0.2.0.

Were the @0.2.0 versions already infected, or did the injection come in @0.2.1?

About MUAD'DIB

24/7 heuristic monitoring on a VPS. No manual investigation, no attribution - just automatic flagging based on behavioral changes.

14 detection engines + Docker sandbox
96K+ packages scanned
Temporal analysis, typosquatting detection, dataflow tracking

GitHub: https://github.com/DNSZLSK/muad-dib

npx muaddib-scanner scan .

I built a free npm/PyPI supply chain scanner - looking for testers

DNSZLSK — Mon, 09 Feb 2026 23:42:11 +0000

I built MUAD'DIB to catch supply chain attacks before they hit your project. It runs 24/7 on a 4€/month VPS, scanning every new npm and PyPI package published worldwide. It's free, open source, and I'm looking for feedback.

What it does

MUAD'DIB scans npm and PyPI packages for signs of malicious code. Not just known bad packages - it actually reads the code, runs it in an isolated sandbox, and looks for suspicious behavior.

14 detection engines + dynamic sandbox:

AST analysis - parses JavaScript with Acorn and flags dangerous patterns (eval with dynamic args, child_process spawning, credential access)
Dataflow tracking - connects the dots between reading a sensitive file and sending it over HTTP
Shell pattern detection - catches curl | sh, reverse shells, and destructive commands in npm scripts
Typosquatting - flags dependencies that look like popular packages (Levenshtein distance)
Obfuscation detection - spots hex encoding, single-char variables, _0x patterns, base64+eval
Entropy analysis - detects encoded/encrypted payloads
IOC matching - compares against 225,000+ npm and 14,000+ PyPI known malicious packages
Hash verification - SHA-256 matching against known malware files
Package metadata - analyzes package.json for suspicious lifecycle scripts
GitHub Actions - detects injection vulnerabilities in workflow files
AI config injection - detects prompt injection in .cursorrules, CLAUDE.md, copilot-instructions.md
Temporal analysis - detects sudden dangerous API additions between versions
Maintainer analysis - flags suspicious maintainer changes (account takeover)
Publish anomaly - detects burst publishing, dormant package spikes (compromised accounts)

Docker sandbox with behavioral analysis:

Executes packages in isolated container (cap-drop, read-only, memory/cpu limits)
Captures network traffic (DNS, HTTP, TLS) via tcpdump
Traces system calls via strace
Canary tokens - injects fake AWS keys, GitHub tokens, npm tokens as honeypots. If the malware tries to exfiltrate them → instant detection, no false positive possible

Real-time monitoring

I run MUAD'DIB 24/7 on a VPS. It polls npm and PyPI registries every 60 seconds and scans every new package published worldwide.

The flow:

New package appears on npm/PyPI RSS feed
Static analysis (14 scanners) → if HIGH/CRITICAL findings
Automatic Docker sandbox with canary tokens
If sandbox confirms malicious behavior → instant Discord alert
If sandbox is clean → marked as false positive, no alert

96,000+ packages scanned since launch. Daily reports at 08:00 Paris time.

Quick demo

npx muaddib-scanner scan .

That's it. No account, no API key, no quota.

You get a risk score from 0 to 100, a threat breakdown, and response playbooks telling you what to do if something is flagged.

[SCORE] 78/100 [████████████████░░░░] CRITICAL

  1. [CRITICAL] suspicious_dataflow
     Credentials read (GITHUB_TOKEN) + network send (fetch)
     File: node_modules/evil-pkg/index.js
     → CRITICAL: Code reads credentials and sends them over network.
       Isolate machine, regenerate all secrets.

How to use it

CLI:

npm install -g muaddib-scanner
muaddib scan ./my-project
muaddib scan ./my-project --sandbox  # run in Docker sandbox
muaddib scan ./my-project --json     # machine-readable output
muaddib scan ./my-project --sarif    # for GitHub Code Scanning
muaddib scan ./my-project --paranoid # ultra-strict mode

Safe install (scans before installing):

muaddib install some-package

Version diff (compare two versions):

muaddib diff lodash 4.17.20 4.17.21

Update IOC database:

muaddib update

GitHub Action:

- uses: DNSZLSK/muad-dib@master
  with:
    scan_path: '.'
    fail_on: 'high'

VS Code extension: search "MUAD'DIB" in the marketplace.

What I'm looking for

I've tested MUAD'DIB against 51 real-world malware samples (event-stream, ua-parser-js, coa, colors, Shai-Hulud, and more) with 91.8% detection rate. 100% on 78 adversarial test cases. But I need people to run it on real projects and tell me:

False positives - did it flag something legitimate? What was it?
Missed threats - did you find something suspicious that MUAD'DIB didn't catch?
Evasion techniques - can you write a malicious package that bypasses detection?
Performance - how long did it take on large projects? Any hangs?

If you find something, open an issue on GitHub or drop a comment here.

The numbers

Metric	Value
Detection engines	14 + Docker sandbox
npm IOCs	225,000+
PyPI IOCs	14,000+
Detection rules	94
Unit tests	862
Ground truth samples	51 real-world malware
True positive rate	91.8% (45/49)
Adversarial detection	100% (78/78)
False positive rate	~13% (working on it)
Packages scanned (monitoring)	96,000+
Price	Free forever

Transparency

The code was written with Claude (Anthropic). I directed the architecture, made design decisions, did testing and security audits, but the actual code was generated by AI. I prefer to be upfront about that.

I'm in career transition (former plumber/chef), currently in software development training in France, looking for an internship May-July 2026 in cybersecurity or development.

Why not just use Snyk/Socket?

You should, they're professional tools with dedicated security teams. MUAD'DIB is a personal project, not comparable.

What MUAD'DIB offers:

No account, no API key
Open source and auditable
Docker sandbox with canary tokens
24/7 real-time monitoring capability
Free

GitCoach : The Git Mentor That Teaches You While You Work (GitHub Copilot CLI Challenge)

DNSZLSK — Thu, 05 Feb 2026 22:58:59 +0000

What I Built

GitCoach is an interactive CLI tool that replaces raw Git commands with guided, educational menus - and uses GitHub Copilot CLI as its AI backbone for 5 distinct features.

The problem it solves is simple: Git is powerful but hostile to learners. Beginners memorize commands without understanding them. When something breaks - a merge conflict, a detached HEAD, a failed push - they're on their own with cryptic error messages.

GitCoach wraps Git in a TUI that:

Shows what's happening - a status bar with branch, sync status, and staged changes at all times
Prevents mistakes - warns before destructive actions, detects detached HEAD state, catches uncommitted changes before branch switching
Teaches as it goes - every action shows the underlying Git command so you learn while you work
Guides conflict resolution step by step - instead of dumping conflict markers on the user, GitCoach walks through each conflicting file with clear options and explanations
Speaks your language - full i18n support for English, French, and Spanish

The key idea: GitCoach should make itself obsolete. You use it to learn, and eventually you don't need it anymore.

Tech Stack

TypeScript, Node.js
Published on npm: npm install -g gitcoach-cli
522 tests passing
GitHub Copilot CLI (5 integrations - more on that below)

GitHub repo: github.com/DNSZLSK/gitcoach-cli
npm: npmjs.com/package/gitcoach-cli

Demo

Main Menu & Status Bar

GitCoach launches with a real-time status bar showing branch, sync state, and pending changes. Every menu option maps to a Git workflow. The ~1 ?1 indicators tell you at a glance: 1 modified file, 1 untracked file.

Commit Flow

When committing, GitCoach lists staged files, shows educational tips about writing good commit messages, and integrates with Copilot CLI to generate or summarize changes before you commit.

Copilot-Assisted Conflict Resolution

This is the flagship feature. When a merge conflict occurs, GitCoach detects it, shows both versions side by side (local vs remote), and offers 5 resolution options - including "Ask Copilot AI." In this example, Copilot analyzed both versions and recommended a CUSTOM merge, explaining that neither version alone was correct and suggesting a merged version that maintains backward compatibility while accommodating the feature branch changes.

Git Q&A - Ask Anything

Don't know what rebase does? Ask directly from the Help menu. Copilot CLI answers in detail with examples and rules of thumb - all without leaving the terminal, and in your configured language.

My Experience with GitHub Copilot CLI

I integrated GitHub Copilot CLI into GitCoach in 5 distinct ways, each solving a different problem in the Git learning workflow:

1. Commit Message Generation

When a user stages changes and chooses to commit, GitCoach runs git diff --cached and sends it to Copilot CLI with a prompt asking for a concise conventional commit message. The user sees the suggestion, can accept it, edit it, or write their own. This teaches commit message best practices by example.

2. Git Q&A

From the Help menu, users can type any Git-related question in natural language. Copilot CLI answers directly in the terminal, in the user's configured language. I found this particularly useful for concepts like "what's the difference between merge and rebase?" - questions that beginners need answered in context, not in a browser tab.

3. Staged Diff Summary

Before committing, GitCoach can show a Copilot-generated summary of all staged changes. This gives the user a "second pair of eyes" moment before they commit. Copilot receives the full diff and returns a structured summary: files changed, what was added/modified/removed, and the overall intent of the changes.

4. Contextual Error Explanation

When a Git operation fails (push rejected, merge conflict, authentication error), GitCoach catches the error and sends it to Copilot CLI for a plain-language explanation. The user sees both the static, pre-written explanation from GitCoach AND an AI-generated one specific to their exact error. This two-layer approach means the tool works without internet (static messages) but provides richer context when Copilot is available.

5. AI-Assisted Conflict Resolution

This is the flagship integration. When merge conflicts occur, GitCoach already provides a guided resolution menu with options like "Accept local changes," "Accept remote changes," or "Open in editor." The 5th option is "Ask Copilot AI."

When selected, GitCoach reads both the local and remote versions of the conflicting file and sends them to Copilot CLI with context about the conflict. Copilot responds with:

A recommendation (LOCAL, REMOTE, BOTH, or CUSTOM)
An explanation of why that strategy makes sense
If CUSTOM, the actual merged content ready to apply

In testing, Copilot correctly identified that one branch had a version bump while the other had a name change, and recommended a custom merge keeping both modifications. That's not trivial - it understood the semantic intent of each change.

Language-Aware Responses

All 5 Copilot integrations respect the user's language configuration. A getLanguageInstruction() function appends the appropriate instruction ("Respond in French", "Responde en español") to every prompt. Copilot's responses come back in the right language, which matters a lot for the educational mission of the tool.

The Parsing Challenge

One real challenge was parsing Copilot CLI's output reliably. Copilot sometimes returns error messages, version warnings, or unexpected formatting mixed in with actual responses. I built a looksLikeError() detection function that filters out common Copilot error patterns so the UI never shows raw error text to the user. If Copilot fails silently, GitCoach falls back to its static educational content - the user experience is never broken.

Copilot CLI Version Gotcha

During development I hit a compatibility issue with the deprecated gh copilot extension vs the newer standalone copilot CLI. The migration required updating all command invocations and install instructions. It's worth noting for anyone building on top of Copilot CLI - make sure you're using the current copilot command, not the deprecated gh copilot extension.

GitCoach started as my way of learning Git properly during a career transition into software development. I built it because the tools I wanted didn't exist - something between "read the docs" and "just use a GUI client." Adding Copilot CLI turned it from a useful learning tool into something that genuinely adapts to the user's situation. The AI doesn't replace the education - it enhances it.

Try it: npm install -g gitcoach-cli then run gitcoach in any Git repository.