beta

litmus

Think of litmus as ClamAV for AI-based malware detection: a local scanner backed by open models that improve as newly observed malware behavior is captured, labeled, and folded back through cyclotron, Atomdrift's live training loop.

Hand it a path; it scans, classifies, and exits with a status code your CI can act on. Whatever cleave decomposes, litmus classifies — across 20+ languages and six binary formats.

Today it runs scan-v16 from litmus-models. The default model is beta quality at best — false positives are real, false negatives are real, and the thresholds will move. Use it for triage and evaluation; don't wire it into a production gate yet. The eventual reference model is azoth, still in training. Litmus runs any model trained on cleave's capability schema, so if neither the defaults (--threshold-hostile, --threshold-suspicious) nor the model match your threat model, swap them.

Capabilities

  • File scanning — files, directories, and archives, classified against a local ML model
  • Process scanning — running processes, by way of the on-disk image (memory-resident analysis is not yet implemented)
  • Pluggable models — runs any model trained on cleave's capability schema

Differential analysis — comparing two versions of a package to surface newly-introduced malicious capabilities — is in development. It's aimed at catching compromised dependency updates, where the signal is the diff, not the artifact.

Install

Homebrew (macOS or Linux):

brew tap atomdrift/tap https://codeberg.org/atomdrift/homebrew-tap.git
brew install atomdrift/tap/litmus

From source:

git clone --depth 1 https://codeberg.org/atomdrift/litmus.git
cd litmus
make install

Usage

$ litmus scan <path>

For more thorough results, install Rizin (binary reverse-engineering) and UPX (unpacker).
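
An added example (not code from the litmus project): a shell wrapper that runs `litmus scan <path>` as an advisory CI step, in keeping with the triage-only guidance above. It records the raw exit status and scanner output without failing the build; the `LITMUS_BIN` override and the log format are assumptions of this example, and the page does not document what individual exit codes mean.

```shell
#!/bin/sh
# Advisory (non-gating) wrapper around `litmus scan <path>`.
# Assumptions of this example: the LITMUS_BIN override and the log layout.
# The raw exit status is recorded as-is; no meaning is assigned to its value.

litmus_triage() {
    target=$1
    log=$2
    bin=${LITMUS_BIN:-litmus}

    if [ -z "$target" ] || [ -z "$log" ]; then
        echo "usage: litmus_triage <path> <logfile>" >&2
        return 2
    fi

    # A missing scanner is a pipeline fault, not a verdict: fail loudly
    # so a broken install is never mistaken for a clean scan.
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "litmus_triage: scanner '$bin' not found" >&2
        return 127
    fi

    out=$(mktemp) || return 1

    # Capture the status without letting `set -e` abort the job.
    status=0
    "$bin" scan "$target" >"$out" 2>&1 || status=$?

    # Append one record per scan: a header line, then the indented output.
    {
        printf 'time=%s target=%s status=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$status"
        sed 's/^/  | /' "$out"
    } >>"$log"
    rm -f "$out"

    # Advisory mode: surface the result for review, never fail the build on it.
    [ "$status" -eq 0 ] || \
        echo "litmus_triage: status $status for $target (see $log)" >&2
    return 0
}
```

Reviewing the accumulated log against known-good and known-bad samples is one way to judge whether the default thresholds fit before anything is allowed to block a build.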