About

Atomdrift is the open-source AI defense against supply-chain attacks — across binaries, scripts, packages, and extensions.

Think of litmus as ClamAV for AI-based malware detection: a local scanner backed by open models that improve as newly observed malware behavior is captured, labeled, and folded back through cyclotron, Atomdrift's live training loop.

cleave extracts behavioral capabilities from software; azoth classifies them; litmus runs the scanner. Built for security engineers, Atomdrift is inspectable, reproducible, and Apache 2.0.

News

  • 2026-05-08 cleave v1.3
    cleave diff is the signal we have been building toward: a structured, scoped delta between two versions of the same software, with an estimated rate of change that nobody else is measuring. kv now covers PE/ELF/Mach-O along with Office, PDF, PyInstaller, CHM, and a long tail of source and archive formats, with much deeper binary provenance.
  • 2026-05-07 Lab outage: btrfs cannot delete its way out of a full disk
    The lab's PostgreSQL master is offline: btrfs filled up and now refuses to delete files — or even snapshots — because it is out of space. No data was lost, thanks to our distributed replica architecture. We are moving the master to ZFS on OmniOS and teaching the lab to fail over to a replica. ETA back online: today.
  • 2026-05-07 stng v1.3.0
    Go and Rust PE recovery, multi-key XOR via lea-near-xor analysis, and a pile of fixes for things that were quietly wrong.
  • 2026-04-28 Release Mania: stng v1.2.1, cleave v1.2.0, litmus v1.1.0
    cleave fixes a class of rayon deadlocks, parses Python pickle and MSI-embedded PE, and skips rizin on Go binaries for a real speedup; litmus gains worker-mode fleet scanning behind a hardened HTTP server; stng stops mis-flagging Kotlin as Python.
  • 2026-04-21 stng v1.2.0
    Preserve Telegram bot tokens, JWTs, and Swift mangled symbols that the chaos filter was dropping; cut XOR IP false positives inside binary data tables.

Projects

  • litmus (beta)
    ClamAV-style local scanner for AI-based malware detection. Classifies binaries, scripts, and source using open models like azoth, fed by capabilities extracted from cleave.
  • azoth (preview)
    The first open-source AI model for general malware detection — now published in preview. A weighted ensemble over cleave-extracted capabilities across 20+ languages and six binary formats; runs on CPU.
  • cleave (stable)
    AST-aware software decomposition engine for supply-chain security. Detects capabilities and behaviors across 20+ languages and six binary formats in a single pass.
  • stng (stable)
    Modern string extraction for binary analysis — all of the good stuff, none of the garbage. Useful for initial triage, C2 enumeration, credential extraction, and signature development.
  • xgboost-ars (stable)
    Pure Rust XGBoost inference with exact TreeSHAP. No ONNX, no C++ runtime — runs anywhere Rust does.
  • c.diff (design phase)
    Context-driven molecular drift detection. Tracks how code atoms shift across versions and dependencies.