npm package discovery and stats viewer.


sentinel-secure-cli

v1.0.4

Published

Standalone CLI scanner for Sentinel Secure to audit compromised open-source packages and systems

Readme

Sentinel Secure CLI & Pacman/Yay Security Wrapper


Sentinel Secure CLI is a standalone, lightweight, and high-performance supply-chain auditing command-line utility. It audits local files, GitHub repositories, system installation logs, and installed packages against 1,900+ known compromised entries spanning AUR, npm, PyPI, crates.io, Go, Maven, and Linux distributions.

Published on npm as sentinel-secure-cli.


🛠️ Components Built

  1. Standalone Scanner (cli/src/scan.ts): Recovers workspace configurations, walks files to evaluate SHA256/MD5 hashes, scans for C2 network indicators, and audits system configurations (systemd units, active eBPF filesystems) and package manager states.
  2. GitHub Repository Scanner (cli/src/scan.ts): Clones any public GitHub repo with --depth 1 and runs the full scan pipeline against its dependencies and files — no manual download needed.
  3. Threat Feed Fetcher (cli/src/feed.ts): Fetches threat definitions from the Sentinel Secure API at runtime, caches them to ~/.sentinel-secure-cache.json, and falls back to embedded data covering 11+ major supply-chain campaigns.
  4. Transparent Yay Interceptor Wrapper (~/.local/bin/yay): A transparent Python proxy wrapper script that intercepts package manager targets, updates threat feeds, and blocks compromised installations before execution starts.

🚀 Installation

Quick install via npm (recommended)

npm i -g sentinel-secure-cli

Or build from source

git clone https://github.com/LinuxCTRL/malware-scan-cli.git
cd malware-scan-cli
npm install
npm run build
npm link

🛡️ Pacman/Yay Interceptor Setup

The wrapper intercepts package installations, upgrades, and manifest pipelines (yay -S - < list.txt).

1. Set Up the Interceptor Script

Copy the wrapper script into your user's local binary folder (~/.local/bin takes precedence over /usr/bin only when it comes first on your PATH, which is what lets the wrapper shadow the real yay):

# Verify the wrapper is at ~/.local/bin/yay
# Ensure it is executable:
chmod +x ~/.local/bin/yay

2. How the Wrapper Intercepts Commands

The wrapper triggers on installation/upgrade commands (e.g. yay -S git, yay easy-day-js, yay -Syu, or yay):

  1. Syncs Threat Intel: Silently updates your cache from GitHub threat registers with an 8-second timeout/offline safety check.
  2. Collects Targets: Evaluates explicit package arguments, piped lists from standard input, and pending updates via yay -Qu.
  3. Audits Targets: Runs the CLI tool. If any target is compromised, it prints a malware alarm card and halts the installation process.
  4. Delegates Safely: If targets are verified clean, it hands command control to the real /usr/bin/yay via process replacement (os.execv), keeping yay fully interactive.
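The four-step interception flow above, written out as an added Python example (this is not the project's own ~/.local/bin/yay script; the real-binary path, the operation parsing and the sample threat list are assumptions). Target collection and the audit are pure functions so they can be exercised without a package manager present; only main() touches the real system.

```python
# Added example of a transparent yay interceptor (not the project's wrapper).
import os
import subprocess
import sys

REAL_YAY = "/usr/bin/yay"   # assumed location of the real binary to delegate to

def is_install_invocation(argv):
    """True for forms that can install or upgrade: `yay`, `yay name`, `yay -S x`, `yay -Syu`."""
    if not argv:
        return True                       # bare `yay` is a full system upgrade
    if not argv[0].startswith("-"):
        return True                       # `yay name` offers an interactive install
    ops = argv[0][1:]
    # -S with no search (s) or info (i) sub-flag is a sync/install operation
    return ops.startswith("S") and not any(c in ops for c in "si")

def collect_targets(argv, stdin_text="", pending_updates=()):
    """Gather explicit args, a piped manifest (`yay -S - < list.txt`) and pending updates."""
    targets = []
    for arg in argv:
        if arg == "-":
            targets.extend(stdin_text.split())
        elif not arg.startswith("-"):
            targets.append(arg)
    # an upgrade run (-Syu/-Su or bare yay) also touches every pending update
    upgrade = not argv or any(a.startswith("-S") and "u" in a for a in argv)
    if upgrade:
        targets.extend(pending_updates)
    return list(dict.fromkeys(targets))   # de-duplicate, keep order

def audit(targets, compromised):
    """Return the targets that appear in the threat feed (empty list means clean)."""
    bad = set(compromised)
    return [t for t in targets if t in bad]

def pending_updates_from_qu(output):
    """Parse `yay -Qu` lines of the form `name oldver -> newver` into names."""
    return [line.split()[0] for line in output.splitlines() if line.strip()]

def main():
    argv = sys.argv[1:]
    compromised = {"easy-day-js", "atomic-lockfile"}   # constructed sample; use the synced feed
    if is_install_invocation(argv):
        stdin_text = sys.stdin.read() if "-" in argv else ""
        qu = subprocess.run([REAL_YAY, "-Qu"], capture_output=True, text=True).stdout
        hits = audit(collect_targets(argv, stdin_text, pending_updates_from_qu(qu)), compromised)
        if hits:
            print("BLOCKED: compromised package(s): " + ", ".join(hits), file=sys.stderr)
            sys.exit(1)
    os.execv(REAL_YAY, [REAL_YAY] + argv)   # process replacement keeps yay interactive

if __name__ == "__main__":
    main()
```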

📖 CLI Command Reference

1. scan

Scan directories, GitHub repos, logs, packages, or the system configuration.

# Quick audit of package.json dependencies in current folder
sentinel-secure scan .

# Walk files recursively with full hash + C2 checks
sentinel-secure scan /path/to/project --mode full

# Direct audit of a specific package list
sentinel-secure scan --packages atomic-lockfile,easy-day-js

# Force offline scanning (uses local signature cache, skips API fetch)
sentinel-secure scan . --offline

# Skip active system configuration audits
sentinel-secure scan . --no-system

# Scan a public GitHub repository remotely
sentinel-secure scan --repo https://github.com/owner/repo

# Full scan of a GitHub repo
sentinel-secure scan --repo https://github.com/owner/repo --mode full

# Audit a specific pacman log file
sentinel-secure scan --log /var/log/pacman.log

# Disable pacman log parsing
sentinel-secure scan . --log none

Options

| Flag | Description |
|------|-------------|
| -p, --packages <names> | Comma/newline-separated list of packages to check |
| -l, --log <path> | Path to pacman log file (default: /var/log/pacman.log) |
| -m, --mode <quick\|full> | Scan mode: quick checks names + logs; full adds hash verification + C2 patterns |
| -o, --offline | Skip API fetch, use cached threat feed only |
| --no-system | Skip active system audit (installed packages, eBPF paths, systemd units) |
| -r, --repo <url> | GitHub repository URL to scan (clones with --depth 1) |

2. sync

Fetch the latest threat definitions from the Sentinel Secure API and update the local cache.

sentinel-secure sync

3. status

Show local cache info, threat feed statistics, and API server URL.

sentinel-secure status

🧠 Threat Intelligence Pipeline

Threat data is resolved in priority order:

  1. Central API — Fetches from https://sentinel-secure-eight.vercel.app/api/threats (or custom SENTINEL_API_URL env var). Returns the full package list, IOCs, and incident data from the shared database.
  2. Local Cache — ~/.sentinel-secure-cache.json stores the last synced feed (1-hour TTL). Used when offline or after a recent sync.
  3. Embedded Fallback — Built-in data covers 11+ major campaigns out of the box: AUR June 2026, Shai-Hulud worm, Axios compromise, node-ipc, redhat-cloud-services, Mastra/easy-day-js typosquat, Microsoft dependency confusion, OpenSearch typosquats, Strapi plugins, and more.

Run sentinel-secure sync to force a refresh from the API.
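The priority order above (API, then cache with a 1-hour TTL, then embedded data), as an added Python example rather than the project's feed.ts. The fetcher is injectable so the resolution logic can run offline; the 8-second timeout, the cache record layout (synced_at plus feed) and the embedded sample list are assumptions, as is the choice to prefer a stale cache over embedded data when the API is unreachable.

```python
# Added example of three-tier threat feed resolution (not the project's feed.ts).
import json
import os
import time
import urllib.request

API_URL = os.environ.get("SENTINEL_API_URL", "https://sentinel-secure-eight.vercel.app")
CACHE_PATH = os.path.expanduser("~/.sentinel-secure-cache.json")
CACHE_TTL = 3600                                        # the page's 1-hour TTL, in seconds
EMBEDDED_FEED = {"packages": ["easy-day-js", "atomic-lockfile"]}   # constructed sample

def fetch_remote(url=API_URL, timeout=8):
    """Fetch the shared feed; the 8-second timeout mirrors the wrapper's safety check."""
    with urllib.request.urlopen(url + "/api/threats", timeout=timeout) as resp:
        return json.load(resp)

def resolve_feed(fetch=fetch_remote, cache_path=CACHE_PATH, offline=False,
                 now=None, ttl=CACHE_TTL, embedded=EMBEDDED_FEED):
    """Return (feed, source) with source in {'api', 'cache', 'embedded'}."""
    now = time.time() if now is None else now
    cached = None
    if os.path.exists(cache_path):
        with open(cache_path) as f:
            cached = json.load(f)          # assumed layout: {"synced_at": ts, "feed": {...}}
    fresh = cached is not None and now - cached.get("synced_at", 0) < ttl
    if cached is not None and (fresh or offline):
        return cached["feed"], "cache"     # recent sync, or --offline forced
    if not offline:
        try:
            feed = fetch()
            with open(cache_path, "w") as f:
                json.dump({"synced_at": now, "feed": feed}, f)
            return feed, "api"
        except Exception:
            pass                           # network failure: fall through to lower tiers
    if cached is not None:
        return cached["feed"], "cache"     # stale cache still beats the embedded snapshot
    return embedded, "embedded"
```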


🌐 Environment Variables

| Variable | Default | Description |
|----------|---------|-------------|
| SENTINEL_API_URL | https://sentinel-secure-eight.vercel.app | Custom API server URL for threat feeds |


🚨 Scanner Findings Categories

| Category | Severity | Description |
|----------|----------|-------------|
| COMPROMISED DEPENDENCY | High / Critical | Package name matches a known compromised entry in the threat database |
| MALICIOUS PAYLOAD | Critical | File SHA256 or MD5 hash matches a known IOC payload signature |
| PERSISTENCE UNIT | Critical | Attacker-installed systemd unit configuration detected |
| eBPF ROOTKIT | Critical | Active eBPF hidden pid / name / inode artifacts found at known IOC paths |
| LOG MATCH | Critical | System pacman log indicates a compromised package was installed or upgraded |
| C2 NETWORK INDICATOR | Critical | File content references a known Tor onion C2 address or C2 domain |
| NPM LOCKFILE | High | npm lockfile audit detected potential supply-chain risks |