About

Atomdrift is open-source malware detection for the software supply chain — powered by offline AI models, across binaries, scripts, packages, and extensions. Everything runs locally: no network calls, no API keys, no telemetry.

Think of litmus as ClamAV for AI-powered malware detection: a local scanner backed by open models that improve as newly observed malware behavior is captured, labeled, and folded back through cyclotron, Atomdrift's live training loop.

cleave extracts behavioral capabilities from software; azoth classifies them; litmus runs the scanner. Built for security engineers, Atomdrift is inspectable, reproducible, and Apache 2.0.

News

  • 2026-05-10 litmus v1.2.0
    Preview support for the azoth ensemble. Multi-seed averaging, per-route isotonic calibration, LightGBM alongside XGBoost. Models route per file from a top-level config.
  • 2026-05-08 cleave v1.3
    cleave diff is the signal we have been building toward: a structured, scoped delta between two versions of the same software, with an estimated rate of change that nobody else is measuring. kv now covers PE/ELF/Mach-O along with Office, PDF, PyInstaller, CHM, and a long tail of source and archive formats, with much deeper binary provenance.
  • 2026-05-07 Lab outage: btrfs cannot delete its way out of a full disk
    The lab's PostgreSQL master is offline: btrfs filled up and now refuses to delete files — or even snapshots — because it is out of space. No data was lost, thanks to our distributed replica architecture. We are moving the master to ZFS on OmniOS and teaching the lab to fail over to a replica. ETA back online: today.

Projects

  • litmus (beta)
    ClamAV-style local scanner for AI-powered malware detection. Runs azoth and other open models against capabilities extracted by cleave — across binaries, scripts, and source.
  • azoth (preview)
    The first open-source AI model for general malware detection — now published in preview. A weighted ensemble over cleave-extracted capabilities across 20+ languages and six binary formats; runs on CPU.
  • cleave (stable)
    AST-aware software decomposition engine for supply-chain security. Detects capabilities and behaviors across 20+ languages and six binary formats in a single pass.
  • stng (stable)
    Modern string extraction for binary analysis — all of the good stuff, none of the garbage. Useful for initial triage, C2 enumeration, credential extraction, and signature development.
  • xgboost-ars (stable)
    Pure Rust XGBoost inference with exact TreeSHAP. No ONNX, no C++ runtime — runs anywhere Rust does.
  • c.diff (design phase)
    Context-driven molecular drift detection. Tracks how code atoms shift across versions and dependencies.