stable

Atomdrift Scan

Think of Atomdrift Scan as ClamAV for AI-powered malware detection: a local scanner backed by open models that improve as newly observed malware behavior is captured, labeled, and folded back through cyclotron, Atomdrift's live training loop. (Scan was previously released as litmus.)

Hand it a path; it scans, classifies, and exits with a status code your CI can act on. Whatever cleave decomposes, Scan classifies — across 20+ languages and six binary formats. Everything runs locally and deterministically: the same input always yields the same verdict — no network, no API keys, no telemetry, no probabilistic LLM output.

Today it scores capabilities with azoth, our weighted-ensemble model for context-free malware detection — now the default. Every verdict ships with a list of the capabilities that drove the score, computed on the live model rather than a post-hoc story. Severity is a false-positive budget, not a fixed scale: tell Scan how many false positives per 100M benign files you'll tolerate (-l, default L50) and that's the gate. Use -l 0 when a single false positive is unacceptable, higher when you'd rather not miss anything.
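A planning aid for choosing -l, added here as an example and not part of Atomdrift's code: it converts a false-positive budget into the expected number of false alarms for a given scan volume, and back. It assumes the budget is a per-file rate and that benign files are flagged independently; the function names and sample volumes are hypothetical.

```python
import math

# The page states budgets as false positives per 100M benign files.
BUDGET_DENOMINATOR = 100_000_000


def _check(level: int, benign_files: int) -> None:
    if not 0 <= level < BUDGET_DENOMINATOR:
        raise ValueError("level must be in [0, 100M)")
    if benign_files < 0:
        raise ValueError("benign_files must be non-negative")


def expected_false_positives(level: int, benign_files: int) -> float:
    """Mean number of false alarms when scanning benign_files at -l level."""
    _check(level, benign_files)
    return level * benign_files / BUDGET_DENOMINATOR


def prob_any_false_positive(level: int, benign_files: int) -> float:
    """P(at least one false alarm) = 1 - (1 - p)^n, computed stably."""
    _check(level, benign_files)
    p = level / BUDGET_DENOMINATOR
    return -math.expm1(benign_files * math.log1p(-p))


def max_level_for(benign_files: int, max_prob: float) -> int:
    """Largest integer level keeping P(any false alarm) <= max_prob."""
    if benign_files <= 0:
        raise ValueError("benign_files must be positive")
    if not 0 <= max_prob < 1:
        raise ValueError("max_prob must be in [0, 1)")
    # Solve 1 - (1 - p)^n <= q for p, then scale to the per-100M unit.
    p = -math.expm1(math.log1p(-max_prob) / benign_files)
    return max(0, math.floor(p * BUDGET_DENOMINATOR))


if __name__ == "__main__":
    # Constructed workload: 250 CI runs a month, 40,000 files per run.
    monthly = 250 * 40_000
    for level in (0, 1, 50):
        print(f"L{level}: {expected_false_positives(level, monthly):.2f} "
              f"expected/month, P(any) = "
              f"{prob_any_false_positive(level, monthly):.3f}")
    print("max level for <=10% monthly false-alarm risk:",
          max_level_for(monthly, 0.10))
```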

Capabilities

  • File scanning — files, directories, and archives, classified against azoth by default
  • Process scanning — running processes, via the on-disk image (memory-resident analysis is not yet implemented)
  • Explainable verdicts — every score ships with a ranked list of the capabilities that drove it
  • Local-LLM second opinion — --interpret sends tricky samples to a local LLM for a verdict and one-line reason, blended with the ML score
  • Pluggable models — runs any model trained on cleave's capability schema; --model-dir swaps in a custom bundle

Differential analysis — comparing two versions of a package to surface newly-introduced malicious capabilities — is in development. It's aimed at catching compromised dependency updates, where the signal is the diff, not the artifact.

Install

Homebrew (macOS or Linux):

brew tap atomdrift/tap https://codeberg.org/atomdrift/homebrew-tap.git

brew install atomdrift-scan

From source:

git clone --depth 1 https://codeberg.org/atomdrift/scan.git
cd scan
make install

Usage

$ ascan fs <path>

For more thorough results, install Rizin (binary reverse-engineering) and UPX (unpacker).