Skip to content
back to the cosmos

Catch the malware before the ecosystem does

ZeroDayShield

An independent zero-day research engine I lead and build from scratch — 50+ custom static-analysis engines (zero open-source libraries) mining live registry traffic across npm, MCP servers, Docker images, and Hugging Face models, with a multi-stage LLM triage pipeline at 100% recall and 93% precision.

Supply-chain malware hides in plain sight — a malicious npm package or a poisoned model looks exactly like a legitimate one until it runs. Catching it means reading the intent behind code across four different ecosystems, at the rate new packages are published, without drowning maintainers in false alarms. That last part is the whole game: a scanner that cries wolf gets turned off.

recall
100%
OSSF corpus
precision
93%
0 false positives
cost reduction
15x
vs triage-everything
static engines
50+
zero OSS libraries
signals mined
49,522
live registry traffic
malicious corpus
228,020
cross-referenced

the bar it had to clear

how it actually works

flagged onlynovelRegistriesnpm · MCP · Docker · HFStatic engines50+, from scratchCross-referenceknown-maliciousLLM triagemulti-stageVerdict100% recall · 93% precision

hover or tab a step to see how it works — or trace a route above.

  1. 01

    Four ecosystems, live

    New packages stream in from npm, MCP servers, Docker images, and Hugging Face models — each with its own format and threat model.

  2. 02

    No black boxes49,522 signals

    50+ purpose-built static-analysis engines — zero open-source libraries — read the intent behind each package and mine 49,522 signals from live traffic.

  3. 03

    Expensive attention, spent wisely15x cheaper

    Only what the cheap static engines flag reaches the multi-stage LLM pipeline — a 15x cost reduction over triaging everything.

  4. 04

    Trustworthy by design0 false positives

    100% recall and 93% precision at zero false positives on the OSSF malicious-packages corpus — a scanner maintainers can actually leave on.

the problem

Existing supply-chain scanners lean on signatures and known-bad lists — good at catching yesterday’s malware, blind to a genuine zero-day. And running an LLM over every package published to four ecosystems is both too slow and too expensive to be real. ZeroDayShield had to find novel malicious behavior across npm, MCP, Docker, and Hugging Face at ecosystem scale, at high recall, without flooding maintainers with false positives.

the approach

  • 50+ custom static-analysis engines — written from scratch, no open-source libraries — mine 49,522 signals from live registry traffic across the four ecosystems.
  • Signals are cross-referenced against 228,020 known-malicious packages to separate novel behavior from the already-catalogued.
  • A multi-stage LLM triage pipeline reviews only what the cheap static engines flag — reserving expensive model attention for genuine candidates, a 15x cost reduction over triaging everything.
  • Tuned to 100% recall and 93% precision at zero false positives on the OSSF malicious-packages corpus.

the calls that mattered

Every architecture is a set of trade-offs taken on purpose. These are the load-bearing ones.

Write the static-analysis engines from scratch — zero open-source libraries.

Off-the-shelf analyzers encode someone else’s threat model and miss what they were never taught to see. 50+ purpose-built engines mean every signal is understood, tunable, and novel-malware-aware — not a black box.

the trade-offFar more to build and maintain than gluing libraries together — accepted because zero-day discovery is exactly where borrowed heuristics fail.

Gate the LLM behind cheap static analysis, not in front of it.

Running an LLM over every package in four ecosystems is unaffordable and slow. Letting the static engines pre-filter, then triaging only candidates with the multi-stage LLM pipeline, cut cost 15x while keeping recall at 100%.

the trade-offThe static layer must not miss — its recall is the ceiling on the whole system — so it is tuned conservatively (flag when unsure) and the LLM removes the false positives.

Optimize for zero false positives, not just high precision.

A supply-chain scanner lives or dies on maintainer trust. One false alarm too many and it gets ignored — so the pipeline is tuned to 0 FP on the OSSF corpus even at the cost of extra triage work.

the trade-offMore LLM triage passes to drive false positives to zero — worth it because a scanner nobody trusts catches nothing.

what shipped

ZeroDayShield mines 49,522 signals from live registry traffic across npm, MCP servers, Docker images, and Hugging Face models with 50+ from-scratch static-analysis engines, cross-referenced against 228,020 known-malicious packages. Its multi-stage LLM triage hits 100% recall and 93% precision at zero false positives on the OSSF malicious-packages corpus — at a 15x cost reduction over triaging everything.

what’s next

  • Runtime and dynamic analysis to catch behavior that only appears on install or execution.
  • A fifth ecosystem (PyPI) reusing the shared signal + triage core.
  • Maintainer-facing explanations so every flag ships with the evidence that raised it.

built with

FastAPINext.jsPostgreSQLDockerPython