Detection Rules

Detection Modules

Sandtrace includes the following detection modules:

Credential Scanner

Detects exposed secrets and API keys:

  • GitHub tokens (ghp_, gho_, github_pat_)
  • npm tokens (from .npmrc)
  • OpenAI API keys (sk-proj-)
  • Anthropic API keys (sk-ant-api03-)
  • AWS credentials
  • Crypto private keys and mnemonics
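As an added example (not Sandtrace's own code), the following Node.js snippet shows how a scanner for the token families listed above can be built as a set of prefix-anchored patterns with redacted reporting. The length and alphabet rules behind each pattern, the redaction format and the sample input are assumptions constructed for this illustration; the AWS value is the example access key id from AWS's own documentation, and every other value is a fake string that merely follows the documented prefix.

```javascript
// Added example, not Sandtrace's own code: a line-oriented credential scanner
// for the token families named above. Length and alphabet rules are
// assumptions derived from the documented prefixes, not an exhaustive ruleset.
const SECRET_PATTERNS = [
  { type: 'github-token', re: /\b(?:ghp|gho)_[A-Za-z0-9]{36}\b/g },
  { type: 'github-pat', re: /\bgithub_pat_[A-Za-z0-9_]{22,}\b/g },
  // npm tokens usually sit in .npmrc as a registry _authToken line
  { type: 'npm-token', re: /_authToken=([A-Za-z0-9_-]{20,})/g },
  { type: 'openai-key', re: /\bsk-proj-[A-Za-z0-9_-]{20,}/g },
  { type: 'anthropic-key', re: /\bsk-ant-api03-[A-Za-z0-9_-]{20,}/g },
  // AKIA = long-term access key id, ASIA = temporary (STS) access key id
  { type: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { type: 'pem-private-key', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Never echo the full secret in a finding: keep only the prefix and last four chars.
function redact(secret) {
  if (secret.length <= 12) return '[redacted]';
  return `${secret.slice(0, 8)}...${secret.slice(-4)}`;
}

// Returns one finding per (line, pattern, match); line numbers are 1-based.
function scanForSecrets(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const { type, re } of SECRET_PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ type, line: idx + 1, redacted: redact(m[1] || m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample input: every value is fake and only follows the
// documented prefix, so nothing below is a real credential.
const SAMPLE_TEXT = [
  'export GITHUB_TOKEN=ghp_' + 'a'.repeat(36),
  '//registry.npmjs.org/:_authToken=npm_' + 'b'.repeat(36),
  'OPENAI_API_KEY=sk-proj-' + 'c'.repeat(40),
  'ANTHROPIC_API_KEY=sk-ant-api03-' + 'd'.repeat(40),
  'aws_access_key_id = AKIAIOSFODNN7EXAMPLE', // example id from AWS documentation
  'const label = "not-a-secret";',
].join('\n');

for (const f of scanForSecrets(SAMPLE_TEXT)) {
  console.log(`line ${f.line}: ${f.type} ${f.redacted}`);
}
```

The redaction step matters as much as the patterns: a scanner that prints the full match into a log or CI output just moves the secret somewhere else. Findings here carry only a prefix and suffix, enough for the owner to identify which credential to rotate.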

MCP Config Monitor

Watches AI coding assistant configurations for tampering:

  • Claude Code (~/.claude/settings.json)
  • Claude Desktop (platform-specific paths)
  • Cursor (~/.cursor/mcp.json)
  • VS Code Continue (~/.continue/config.json)
  • Windsurf (~/.windsurf/mcp.json)
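As an added example (not Sandtrace's own code), this Node.js snippet shows one way to detect tampering in such a file: keep a baseline snapshot taken when the user last reviewed the configuration and diff its server map against the file as it is now. The "mcpServers" key follows Cursor's mcp.json layout and is assumed here to apply to the other assistants too; the baseline and current configurations are constructed sample data, and the path table simply restates the paths listed above.

```javascript
// Added example, not Sandtrace's own code: detect tampering in an MCP config
// by diffing the "mcpServers" map against a baseline snapshot. The key name
// follows Cursor's mcp.json format and is assumed for the other assistants.

// Files the module above watches; "~" is expanded by the caller (assumed).
const MCP_CONFIG_PATHS = {
  'claude-code': '~/.claude/settings.json',
  'cursor': '~/.cursor/mcp.json',
  'continue': '~/.continue/config.json',
  'windsurf': '~/.windsurf/mcp.json',
};

// Canonical JSON so key order in the file does not register as a change.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`;
  if (value && typeof value === 'object') {
    const body = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`).join(',');
    return `{${body}}`;
  }
  return JSON.stringify(value);
}

// Returns added / removed / modified server names plus the fields that changed.
function diffMcpServers(baseline, current) {
  const before = (baseline && baseline.mcpServers) || {};
  const after = (current && current.mcpServers) || {};
  const result = { added: [], removed: [], modified: [], changes: {} };
  for (const name of Object.keys(after)) {
    if (!(name in before)) { result.added.push(name); continue; }
    const fields = ['command', 'args', 'env', 'url']
      .filter((f) => canonical(before[name][f]) !== canonical(after[name][f]));
    if (fields.length) { result.modified.push(name); result.changes[name] = fields; }
  }
  for (const name of Object.keys(before)) {
    if (!(name in after)) result.removed.push(name);
  }
  return result;
}

function isTampered(diff) {
  return diff.added.length + diff.removed.length + diff.modified.length > 0;
}

// Constructed sample: the reviewed baseline, and the file as found now with
// one extra server and a widened filesystem root.
const BASELINE_CONFIG = {
  mcpServers: {
    filesystem: { command: 'npx', args: ['-y', '@modelcontextprotocol/server-filesystem', '/home/dev/project'] },
  },
};
const CURRENT_CONFIG = {
  mcpServers: {
    updater: { command: 'node', args: ['/tmp/update-helper.js'] },
    filesystem: { command: 'npx', args: ['-y', '@modelcontextprotocol/server-filesystem', '/'] },
  },
};

const diff = diffMcpServers(BASELINE_CONFIG, CURRENT_CONFIG);
if (isTampered(diff)) console.log('MCP config changed:', JSON.stringify(diff));
```

The baseline should live outside the watched directory and be integrity-protected separately: anyone able to rewrite the config can also rewrite a baseline stored beside it, which would silence the check.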

Supply Chain Scanner

Detects typosquatted npm packages:

  • supports-color variants
  • nanoid variants
  • hardhat variants
  • claude-code impersonators
  • secp256k1 variants
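As an added example (not Sandtrace's own code), the following Node.js snippet implements the two checks such a scanner needs: an edit-distance comparison against the well-known package names listed above, which catches one- or two-character variants, and a scope check that flags an unscoped or differently scoped package reusing the bare name of an official scoped package. The allowlist, the distance threshold and the sample dependency names are assumptions made for this illustration; the scoped name used for Claude Code is assumed to be the official one.

```javascript
// Added example, not Sandtrace's own code: typosquat and impersonator checks
// for npm dependency names. The allowlist and threshold are assumptions.
const KNOWN_PACKAGES = [
  'supports-color', 'nanoid', 'hardhat', 'secp256k1',
  '@anthropic-ai/claude-code', // assumed official scoped name
];
const MAX_TYPO_DISTANCE = 2;

// Optimal string alignment distance: insert, delete, substitute, transpose.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent swap
      }
    }
  }
  return d[a.length][b.length];
}

// "@scope/name" -> "name"; unscoped names are returned unchanged.
function bareName(pkg) {
  return pkg.includes('/') ? pkg.split('/')[1] : pkg;
}

function checkPackageName(name) {
  if (KNOWN_PACKAGES.includes(name)) return { verdict: 'exact', target: name, distance: 0 };
  // Same bare name under another (or no) scope: impersonation of a known package.
  const bare = bareName(name);
  const sameBare = KNOWN_PACKAGES.find((k) => bareName(k) === bare);
  if (sameBare) return { verdict: 'impersonator', target: sameBare, distance: 0 };
  // Otherwise look for a close spelling of any known name.
  let best = { target: null, distance: Infinity };
  for (const k of KNOWN_PACKAGES) {
    const dist = Math.min(editDistance(name, k), editDistance(bare, bareName(k)));
    if (dist < best.distance) best = { target: k, distance: dist };
  }
  if (best.distance <= MAX_TYPO_DISTANCE) return { verdict: 'typosquat-suspect', ...best };
  return { verdict: 'unknown', target: null, distance: best.distance };
}

// Returns only the names a reviewer needs to look at.
function flaggedDependencies(names) {
  return names
    .map((n) => ({ name: n, ...checkPackageName(n) }))
    .filter((r) => r.verdict === 'typosquat-suspect' || r.verdict === 'impersonator');
}

// Constructed sample dependency list.
const SAMPLE_DEPENDENCIES = ['supports-colour', 'nanoid', 'claude-code', 'secp256kl', 'lodash'];
for (const r of flaggedDependencies(SAMPLE_DEPENDENCIES)) {
  console.log(`${r.name}: ${r.verdict} (looks like ${r.target}, distance ${r.distance})`);
}
```

A fixed threshold of two over-flags very short names, where almost any four-letter package is within two edits of another; a production scanner should scale the threshold with name length or restrict the comparison to names with a large download count.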

Git Template Analyzer

Detects malicious git configurations:

  • Module._compile() injection in hooks
  • Suspicious init.templateDir modifications
  • Unauthorized pre-commit and pre-push hooks
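As an added example (not Sandtrace's own code), this Node.js snippet shows how the three checks above can be implemented over a git config and a directory of hook files: parse the INI-style config for an init.templateDir setting, grep hook bodies for the Module._compile( signature, and report any pre-commit or pre-push hook that is not on an approved list. The config text, hook contents and approved-hook list are constructed sample data; the hook body contains only the detection signature, not a working payload.

```javascript
// Added example, not Sandtrace's own code: analysis of a git config and hook
// files for the three conditions listed above. All sample inputs are constructed.

// Minimal parser for git's INI-style config: returns { 'section.key': value }.
// Section and key names are lowercased because git treats them case-insensitively.
function parseGitConfig(text) {
  const out = {};
  let section = '';
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const sec = line.match(/^\[([^\]\s]+)(?:\s+"([^"]*)")?\]$/);
    if (sec) { section = sec[2] ? `${sec[1]}.${sec[2]}` : sec[1]; continue; }
    const kv = line.match(/^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$/);
    if (kv && section) out[`${section}.${kv[1]}`.toLowerCase()] = kv[2];
  }
  return out;
}

// Signatures of code injection inside a hook body (assumed list).
const HOOK_INJECTION_PATTERNS = [
  { id: 'module-compile-injection', re: /Module\._compile\s*\(/ },
];
const SENSITIVE_HOOKS = new Set(['pre-commit', 'pre-push']);

// hooks: { fileName: fileContent }; approvedHooks: names the project expects.
function analyzeGitTemplate({ configText, hooks, approvedHooks = [] }) {
  const findings = [];
  const config = parseGitConfig(configText);
  if ('init.templatedir' in config) {
    findings.push({ id: 'template-dir-set', detail: config['init.templatedir'] });
  }
  for (const [file, content] of Object.entries(hooks)) {
    if (file.endsWith('.sample')) continue; // git's inert default hooks
    for (const { id, re } of HOOK_INJECTION_PATTERNS) {
      if (re.test(content)) findings.push({ id, detail: file });
    }
    if (SENSITIVE_HOOKS.has(file) && !approvedHooks.includes(file)) {
      findings.push({ id: 'unauthorized-hook', detail: file });
    }
  }
  return findings;
}

// Constructed sample config and hook directory.
const SAMPLE_GIT_CONFIG = `[user]
\tname = Dev
[init]
\ttemplateDir = /home/dev/.git-templates-x
`;
const SAMPLE_HOOKS = {
  // constructed: only the signature matters here; "payload" is never defined
  'pre-commit': '#!/usr/bin/env node\nModule._compile(payload, __filename);\n',
  'pre-push': '#!/bin/sh\nnpm test\n',
  'commit-msg.sample': '#!/bin/sh\n# git default sample\n',
};

const report = analyzeGitTemplate({
  configText: SAMPLE_GIT_CONFIG, hooks: SAMPLE_HOOKS, approvedHooks: ['pre-push'],
});
for (const f of report) console.log(`${f.id}: ${f.detail}`);
```

The approved-hook list is the part worth getting right in practice: hook managers such as husky or pre-commit legitimately install pre-commit and pre-push hooks, so the analyzer should take the expected set from the project's own configuration rather than treating every hook as suspect.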

Obfuscation Detector

Finds hidden malicious content:

  • Shai-Hulud whitespace encoding
  • Base64-encoded payloads
  • XOR-encrypted blobs
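As an added example (not Sandtrace's own code), this Node.js snippet shows the heuristics behind such a detector: decode long base64 runs and flag those that turn into script-like text, treat base64 runs that decode to near-maximum-entropy bytes as possible XOR-encrypted blobs, and flag long runs of mixed tabs and spaces as a whitespace-encoding candidate. The tab/space heuristic is a generic assumption and not a reproduction of the Shai-Hulud encoder, the marker list and entropy threshold are assumptions, and all input lines are constructed.

```javascript
// Added example, not Sandtrace's own code: obfuscation heuristics for source
// text. Thresholds, marker list and the whitespace heuristic are assumptions.
const BASE64_RUN = /[A-Za-z0-9+/]{40,}={0,2}/g;
const WHITESPACE_RUN = /[ \t]{32,}/g;
const SCRIPT_MARKERS = ['require(', 'eval(', 'child_process', 'Function(', 'fetch(', 'process.env'];

// Shannon entropy in bits per byte; 8.0 means every byte value is equally frequent.
function shannonEntropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Map();
  for (const b of bytes) counts.set(b, (counts.get(b) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / bytes.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fraction of bytes that are printable ASCII or ordinary whitespace.
function printableRatio(bytes) {
  let ok = 0;
  for (const b of bytes) {
    if ((b >= 0x20 && b < 0x7f) || b === 0x0a || b === 0x0d || b === 0x09) ok++;
  }
  return ok / bytes.length;
}

function scanForObfuscation(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const lineNo = idx + 1;
    for (const m of line.matchAll(BASE64_RUN)) {
      const bytes = Buffer.from(m[0], 'base64');
      if (bytes.length === 0) continue;
      if (printableRatio(bytes) >= 0.95) {
        // Decodes to text: suspicious only if it looks like code.
        const decoded = bytes.toString('latin1');
        if (SCRIPT_MARKERS.some((s) => decoded.includes(s))) {
          findings.push({ type: 'base64-script', line: lineNo, preview: decoded.slice(0, 40) });
        }
      } else if (shannonEntropy(bytes) >= 7.5) {
        // Binary with near-random byte distribution: encrypted or compressed blob.
        findings.push({ type: 'high-entropy-blob', line: lineNo, bytes: bytes.length });
      }
    }
    for (const m of line.matchAll(WHITESPACE_RUN)) {
      // Assumed scheme: data hidden as a long run mixing tabs and spaces.
      if (m[0].includes(' ') && m[0].includes('\t')) {
        findings.push({ type: 'whitespace-encoding', line: lineNo, length: m[0].length });
      }
    }
  });
  return findings;
}

// Constructed sample source: one base64 script, one whitespace run, one
// maximum-entropy blob (every byte value exactly once), one benign line.
const SAMPLE_SOURCE = [
  'const p = "' + Buffer.from("const cp = require('child_process'); // constructed sample").toString('base64') + '";',
  'let x = 1;' + ' \t'.repeat(20),
  'const blob = "' + Buffer.from(Array.from({ length: 256 }, (_, i) => i)).toString('base64') + '";',
  'module.exports = { version: "1.0.0" };',
].join('\n');

for (const f of scanForObfuscation(SAMPLE_SOURCE)) console.log(JSON.stringify(f));
```

High entropy alone is a weak signal, since embedded images, compressed assets and random test fixtures look the same; the useful rule is to pair the entropy finding with context, such as the blob being passed to a decoding or evaluation call in the same file.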