通过语义分析捕获LiteLLM和Telnyx供应链的零日漏洞
Catching the LiteLLM and Telnyx supply chain zero-days via semantic analysis

原始链接: https://point-wild.github.io/who-touched-my-packages/

## 谁动了我的包？ - 依赖安全摘要 “谁动了我的包？”是一个免费的开源工具，旨在通过识别漏洞来保护你的项目依赖项。它目前支持 npm (package.json) 和 Python (requirements.txt) 项目，并计划支持更多生态系统。该工具使用多个数据源（如 OSV）扫描项目（包括 Git 仓库）以查找漏洞，并通过 SLSA 来源证明来验证包的完整性。它提供用户友好的彩色终端界面，并提供 JSON 输出以用于 CI/CD 集成。主要功能包括递归扫描、严重程度过滤（严重、高、中、低）以及通过并行请求和缓存实现高效性能。安装很简单，通过 npm：`npm install -g who-touched-my-packages`，扫描通过 `wtmp` 命令启动。它优先考虑良好的用户体验、多个数据源、可扩展性和速度——所有这些都不需要 API 密钥或付费订阅。

一个新的开源CLI工具“wtmp”旨在检测复杂的供应链攻击，例如最近的LiteLLM和Telnyx零日漏洞，这些漏洞绕过了传统的软件成分分析（SCA）工具。与依赖黑名单和签名的SCA不同，wtmp使用大型语言模型（LLM）来*理解*代码意图。攻击者将恶意代码（一个可执行的有效载荷）隐藏在看似无害的.wav音频文件中，利用了内容过滤中的漏洞。Wtmp分析依赖关系图，并询问代码行为——例如，为什么一个电话SDK正在解密音频并将其传输到shell。虽然由于可能存在误报，wtmp不能作为万无一失的CI/CD拦截器，但它是在危机期间对潜在漏洞进行分类的宝贵工具。开发者正在积极寻求反馈，以改进工具的提示架构和逻辑。

Skip to content

Who Touched My Packages?

Secure your dependencies with style 🛡️

Get Started View on GitHub

Features

Multi-Ecosystem

Supports npm (package.json) and Python (requirements.txt) with more coming soon

Remote Repository Scanning

Clone and scan any Git repository directly without manual setup

Multiple Data Sources

Queries OSV for comprehensive vulnerability coverage

Provenance Verification

Automatically checks for SLSA provenance attestations to verify package integrity

Beautiful UI

Colorful, emoji-rich terminal output with automatic light/dark mode detection

CI/CD Ready

JSON output and exit codes make it perfect for automation pipelines

Severity Filtering

Filter vulnerabilities by severity level (CRITICAL, HIGH, MEDIUM, LOW)

Recursive Scanning

Automatically finds all dependency files in your project tree

Fast & Efficient

Parallel API requests and smart caching for quick scans

Extensible

Easy to add new data sources and package managers

Quick Start

Install globally:

npm install -g who-touched-my-packages

Scan your project:

wtmp

That’s it! The tool will recursively scan your project and report any vulnerabilities 🎉

Example Output

🛡️ Who Touched My Packages?
  Scanning dependencies for vulnerabilities...

✔ Found 2 dependency file(s)
✔ Parsed 16 package(s)

════════════════════════════════════════════════════════════
🛡️ Security Audit Summary
════════════════════════════════════════════════════════════

Scanned Packages: 16
Total Vulnerabilities: 3

🔴 Critical: 1
🟠 High: 2

════════════════════════════════════════════════════════════

Why Who Touched My Packages?

Beautiful UX: Security tools should be pleasant to use
Multiple Sources: Don’t rely on a single vulnerability database
Extensible: Easy to add new data sources and package managers
Fast: Optimized for large monorepos
Free: No API keys or paid plans required

Next Steps

Installation

Install the tool and run your first scan

Quick Start

Learn the basics and scan your first project

Provenance Verification

Understand how provenance checking works and why it matters

通过语义分析捕获LiteLLM和Telnyx供应链的零日漏洞 Catching the LiteLLM and Telnyx supply chain zero-days via semantic analysis

Who Touched My Packages?

Features

Quick Start

Example Output

Why Who Touched My Packages?

Next Steps

通过语义分析捕获LiteLLM和Telnyx供应链的零日漏洞
Catching the LiteLLM and Telnyx supply chain zero-days via semantic analysis