v1.1.0 — anti-evasion hardening (stable)

@HxHippy HxHippy released this 15 Jun 14:07
· 15 commits to main since this release
v1.1.0
edfa1ae

Stable. Promotes the 1.1.0 release-candidate line and folds in a second hardening wave that closes the residual evasion classes from an adversarial self-audit.

Detection — evasion classes closed: variable-indirection taint pass (a fetch/exec hidden behind a shell variable now resolves and flags), case-insensitive structural analyzers, host-aware URL/IOC matching, a supply-chain/packaging-metadata analyzer, and quote-aware printed-message filtering.

Hardening: authenticated cache verdicts (per-user MAC), an allowlisted makepkg build environment, --force can never override an unscannable package, and --local scans only attribute a verdict to a name that provably matches.
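What an authenticated cache verdict buys, as an added example that is not this project's code: a verdict is only trusted when its MAC verifies under a per-user key and it is bound to the package name and content hash being looked up; anything else is treated as a cache miss and forces a rescan. The field names, the JSON record layout, HMAC-SHA256 and the key handling are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets

FIELDS = ("package", "content_sha256", "verdict")  # assumed record layout


def _canonical(entry: dict) -> bytes:
    # Stable serialization so identical fields always give identical MAC input.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def seal_verdict(key: bytes, package: str, content_sha256: str, verdict: str) -> dict:
    """Build a cache record whose MAC covers name, content hash and verdict."""
    entry = {"package": package, "content_sha256": content_sha256, "verdict": verdict}
    tag = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    return {**entry, "mac": tag}


def load_verdict(key: bytes, record: dict, package: str, content_sha256: str):
    """Return the cached verdict, or None (rescan) if the record is untrusted."""
    try:
        entry = {name: record[name] for name in FIELDS}
        tag = record["mac"]
    except (KeyError, TypeError):
        return None  # malformed or unauthenticated record
    if not isinstance(tag, str):
        return None
    expected = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    # Constant-time comparison; a mismatch means edited fields or a foreign key.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    # A valid record for a different package or different contents is a miss.
    if entry["package"] != package or entry["content_sha256"] != content_sha256:
        return None
    return entry["verdict"]


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed per-user key
    digest = hashlib.sha256(b"constructed package contents").hexdigest()
    blocked = seal_verdict(key, "example-pkg", digest, "blocked")
    flipped = {**blocked, "verdict": "clean"}  # cache file edited on disk
    return {
        "genuine": load_verdict(key, blocked, "example-pkg", digest),
        "flipped": load_verdict(key, flipped, "example-pkg", digest),
        "other_user_key": load_verdict(secrets.token_bytes(32), blocked, "example-pkg", digest),
    }
```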

Quality: a self-adversarial evasion fuzzer now runs as a release gate — every malicious fixture is mutated through a library of semantics-preserving evasion transforms and the gate must still block each one.

Threat reports that informed this line: #2 (@LunarEclipse363) and #10 (@zebulon2). See CHANGELOG.md for the full entry. Report detection weaknesses privately via a GitHub Security Advisory (SECURITY.md).