steganography-mcp
v0.2.0
Published
Steganography analysis MCP server — 128 tools, 17 categories. Image steganalysis, JPEG/F5/JSteg detection, audio steganography, video stego, GIF palette analysis, network covert channels, MP3 stego, spread spectrum, BPCS, archive stego, QR code analysis,
Maintainers
Keywords
Readme
The Problem
Steganography is the art of hiding data in plain sight — inside images, audio files, documents, and even Unicode text. It is used in CTF competitions, digital forensics investigations, covert communication channels, and malware payloads. Detecting it requires a combination of statistical analysis, format-specific parsing, entropy measurement, and domain expertise.
Traditional steganography analysis workflow:
detect image stego -> zsteg + stegsolve (2 tools, Ruby + Java)
chi-square analysis -> custom Python script
RS analysis -> custom MATLAB/Python code
JPEG DCT forensics -> stegdetect (abandoned C tool from 2004)
extract LSB data -> zsteg + steghide + openstego (3 tools)
audio steganography -> Audacity manual + custom scripts
zero-width text detection -> web-based tools + manual inspection
file forensics / binwalk -> binwalk + foremost + xxd (3 tools)
EXIF metadata -> exiftool (Perl dependency)
encoding detection -> CyberChef web UI + manual guessing
─────────────────────────────────
Total: 10+ tools, 5+ languages, hours of manual correlationsteganography-mcp gives your AI agent 60 tools across 7 categories via the Model Context Protocol. The agent performs image steganalysis, JPEG forensics, audio analysis, text steganography detection, file forensics, document analysis, and encoding identification — all in a single conversation, all running 100% locally with zero dependencies on external services.
With steganography-mcp:
You: "Analyze this CTF challenge image for hidden data"
Agent: -> img_detect: Chi-square p=0.0001 (LSB embedding detected),
RS analysis estimates 42% embedding rate, entropy anomaly
in lower-right quadrant
-> img_lsb_extract: Extracted 847 bytes from RGB LSBs
-> crypto_detect: Extracted data is Base64-encoded
-> crypto_decode: Decoded to "FLAG{hidden_in_plain_sight_2024}"
-> img_known_tools: Signature match for OpenStego
"The image contains LSB steganography embedded with OpenStego.
Chi-square test confirms LSB replacement in all three RGB
channels with 42% embedding rate. The hidden payload is
Base64-encoded and decodes to the flag:
FLAG{hidden_in_plain_sight_2024}"How It's Different
Most steganography tools are single-purpose utilities. steganography-mcp gives your AI agent the ability to reason across all steganography techniques simultaneously.
Quick Start
Option 1: npx (no install)
npx -y steganography-mcpAll 60 tools work immediately. No API keys. No configuration. 100% offline.
Option 2: bunx (faster)
bunx steganography-mcpOption 3: Clone
git clone https://github.com/badchars/steganography-mcp.git
cd steganography-mcp
bun installConnect to your AI agent
# With npx
claude mcp add steganography -- npx -y steganography-mcp
# With local clone
claude mcp add steganography -- bun run /path/to/steganography-mcp/src/index.tsAdd to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"steganography": {
"command": "npx",
"args": ["-y", "steganography-mcp"]
}
}
}Same JSON config format. Point the command to npx -y steganography-mcp or your local installation path.
Start analyzing
You: "Check this image for hidden data"That's it. The agent runs chi-square analysis, RS analysis, entropy mapping, metadata extraction, appended data detection, and tool signature scanning — automatically.
What The AI Can Do
CTF Challenge Solver
You: "Solve this CTF steganography challenge — the image is at challenge.png"
Agent: -> img_detect: Chi-square steganalysis detects LSB embedding
(p=0.00012), RS analysis estimates 38% embedding rate,
entropy anomaly at blocks (12,4)-(15,8)
-> img_lsb_extract: Extracted 1,247 bytes from RGB channel LSBs
-> crypto_detect: Data matches Base64 pattern (confidence: 0.95)
-> crypto_decode: "Q1RGe3N0M2cwX21hc3Rlcn0=" -> "CTF{st3g0_master}"
-> img_known_tools: OpenStego signature detected in PNG chunks
"Found the flag: CTF{st3g0_master}
The image uses LSB steganography embedded by OpenStego.
The payload was Base64-encoded in the RGB least significant
bits with a 38% embedding rate."Digital Forensics Investigation
You: "Analyze suspect.png and suspect.wav for covert communication"
Agent: -> img_detect: No LSB stego detected, but appended data found
(12,847 bytes after PNG IEND marker)
-> file_identify: Appended data starts with ZIP signature (PK)
-> img_metadata: PNG tEXt chunk contains unusual key "comm"
with Base64 value
-> audio_detect: WAV file has LSB chi-square anomaly (p=0.003)
-> audio_silence: 3 silent sections with active LSBs detected
-> audio_lsb_extract: Extracted 2,048 bytes of hidden data
"Both files contain hidden data:
1. suspect.png has a ZIP archive appended after the PNG EOF
marker, plus a Base64-encoded message in metadata
2. suspect.wav contains LSB steganography, specifically in
silent sections — a strong indicator of intentional hiding.
Recommend extracting the ZIP and analyzing WAV payload."Zero-Width Text Detection
You: "This email looks normal but might have hidden text"
Agent: -> text_detect: 847 zero-width characters detected between
visible characters
-> text_zwc_detect: ZWSP (342), ZWNJ (505) found at 127
positions throughout the text
-> text_zwc_extract: Binary decoding yields "EXFIL-ROUTE-7"
-> text_invisible_scan: 3 additional invisible Unicode chars
(U+2060, U+FEFF) found in header section
"The email contains a hidden message encoded with zero-width
characters: 'EXFIL-ROUTE-7'. 847 invisible characters are
dispersed throughout the visible text using ZWSP/ZWNJ binary
encoding. Additionally, 3 Word Joiner and BOM characters
were found in the header — likely metadata artifacts."JPEG Forensic Analysis
You: "Is this JPEG image authentic or has it been tampered with?"
Agent: -> jpeg_structure: 14 markers parsed, normal JFIF structure
-> jpeg_double_compression: Double compression DETECTED —
blocking artifact score 0.73, quantization anomaly ratio 0.81
-> jpeg_quantization: Quality ~75 (luminance), but residual
patterns suggest original was quality ~92
-> jpeg_exif_deep: EXIF says "iPhone 14 Pro" but Software
field says "Adobe Photoshop 25.0"
-> jpeg_thumbnail_compare: Thumbnail dimensions do NOT match
main image (thumbnail: 4032x3024, main: 2048x1536)
"This JPEG has been tampered with. Evidence:
1. Double compression detected — the image was decoded and
re-encoded at lower quality (original ~92, current ~75)
2. EXIF claims iPhone 14 Pro but software field reveals
Photoshop editing
3. Thumbnail is from the original 4032x3024 capture but
the main image was resized to 2048x1536
All three findings independently confirm post-capture
modification."Tools Reference (60 tools)
Category Overview
| Category | Tools | Description | |----------|-------|-------------| | Image Steganalysis | 14 | LSB detection, chi-square, RS analysis, entropy mapping, bit planes, histogram, metadata, tool signatures | | JPEG Analysis | 7 | DCT histogram, double compression, quantization tables, deep EXIF, thumbnail forensics, comment analysis | | Audio Steganalysis | 7 | WAV LSB detection, spectrum analysis, silence region analysis, echo hiding, metadata extraction | | Text & Unicode | 10 | Zero-width chars, whitespace encoding, invisible Unicode, homoglyphs, acrostics, Unicode analysis | | File Forensics | 10 | Magic bytes, polyglot detection, embedded files, appended data, entropy, hex dump, strings, headers | | Document Analysis | 5 | PDF hidden content, PDF metadata, PDF streams, HTML hidden content, XML metadata | | Encoding & Crypto | 7 | Encoding detection, multi-format decoder, frequency analysis, entropy, XOR brute-force, hash ID, cipher patterns |
| Tool | Description |
|------|-------------|
| img_detect | Auto-detect steganography in an image. Runs chi-square, RS analysis, entropy, metadata, appended data, and tool signature checks. Returns a comprehensive JSON report |
| img_lsb_detect | Statistical LSB steganography detection. Runs chi-square and sample pair analysis on each color channel independently |
| img_lsb_extract | Extract hidden data from image LSBs. Extracts bits from specified channels and bit plane, attempts UTF-8 decode, and shows hex dump |
| img_lsb_embed | Embed a message into an image using LSB steganography. Reads a PNG file, embeds the message into the least significant bits, and writes a new PNG file |
| img_bitplane | Extract and visualize a specific bit plane from an image channel. Shows dimensions, percentage of 1-bits, and an ASCII art preview |
| img_chi_square | Chi-square steganalysis attack on each color channel independently. Detects LSB replacement by testing whether adjacent pixel value pairs are equalized |
| img_rs_analysis | RS (Regular-Singular) steganalysis using the Fridrich-Goljan-Du method. Analyzes pixel groups to estimate LSB embedding rate per channel |
| img_histogram | Generate a pixel value histogram with anomaly detection. Detects Pairs-of-Values (PoV) anomalies that indicate LSB steganography |
| img_entropy_map | Per-block entropy analysis of an image. Splits the image into blocks and calculates Shannon entropy per block, flagging high-entropy regions |
| img_metadata | Deep metadata extraction from an image. For PNG: text chunks, chunk list, IHDR info. For JPEG: EXIF, comments, quantization tables, marker list |
| img_appended_data | Detect and extract data appended after the image EOF marker. Checks for hidden data past PNG IEND, JPEG EOI, or BMP file size boundary |
| img_compare | Pixel-by-pixel comparison of two images. Reports identical/different pixel counts, max difference, and which channels are affected |
| img_channel_analysis | Per-channel statistical analysis for R, G, B, and A channels. Reports mean, standard deviation, entropy, min, max, and unique value count |
| img_known_tools | Scan image file bytes for known steganography tool signatures. Checks against a database of patterns from OpenStego, Steghide, JSteg, F5, and others |
| Tool | Description |
|------|-------------|
| jpeg_structure | Parse JPEG markers/segments with offsets and sizes. Shows internal structure including all markers, positions, and segment lengths |
| jpeg_dct_histogram | DCT coefficient distribution analysis for steganography detection. Analyzes Y-channel pixel value distribution and SOS entropy data to detect anomalies caused by JSteg, F5, and OutGuess |
| jpeg_double_compression | Detect double JPEG compression artifacts. Identifies characteristic blocking artifacts and quantization table anomalies — a common indicator of image tampering or stego embedding |
| jpeg_quantization | Quantization table analysis with quality estimation. Displays all quantization tables in 8x8 grid format and estimates the JPEG quality factor |
| jpeg_exif_deep | Deep EXIF analysis including GPS coordinates, timestamps, software info, thumbnails, maker notes, and all IFD entries. Flags forensically interesting fields |
| jpeg_thumbnail_compare | Compare EXIF thumbnail against the main JPEG image. Dimension or content mismatch indicates post-capture modification — a common forensic artifact |
| jpeg_comment | Extract and analyze JPEG COM (comment) markers. Checks for hidden data patterns, unusually large comments, and high-entropy content |
| Tool | Description |
|------|-------------|
| audio_detect | Auto-detect audio steganography in a WAV file. Runs LSB chi-square, entropy analysis, metadata inspection, and checks for appended data |
| audio_lsb_detect | PCM sample LSB statistical analysis. Performs chi-square test on LSBs grouped by value pairs to detect LSB replacement steganography |
| audio_lsb_extract | Extract LSB data from audio samples. Reads the least significant bit of each PCM sample and attempts to decode hidden data |
| audio_spectrum | Spectral analysis for hidden signals in WAV audio. Analyzes sample value distribution, zero-crossing rate, RMS energy per block, and detects anomalous quiet sections |
| audio_metadata | Extract metadata from a WAV file including RIFF INFO chunks, format details, and all chunk information |
| audio_silence | Analyze silent sections in WAV audio for hidden data. Finds near-zero sample regions and checks their LSBs — silent sections with active LSBs are a strong stego indicator |
| audio_echo_detect | Echo hiding detection via autocorrelation analysis. Computes normalized autocorrelation at common echo delays. Regular echo patterns indicate steganographic echo hiding |
| Tool | Description |
|------|-------------|
| text_detect | Auto-detect text steganography. Checks for zero-width characters, whitespace encoding, invisible Unicode, homoglyphs, and unusual patterns |
| text_zwc_detect | Detect zero-width characters (ZWSP, ZWNJ, ZWJ, BOM) in text. Reports positions, counts, and potential encoded message length |
| text_zwc_extract | Decode a zero-width character encoded message. Extracts ZWC chars and decodes binary: ZWSP=0, ZWNJ=1 (attempts both polarities) |
| text_zwc_embed | Embed a secret message into cover text using zero-width characters. Encodes message to binary and maps bits to ZWSP(0)/ZWNJ(1) |
| text_whitespace_detect | Detect whitespace encoding in text. Checks each line for trailing whitespace patterns where space=0 and tab=1 might encode binary data |
| text_whitespace_extract | Extract a whitespace-encoded message from text. Reads trailing whitespace from each line and decodes space=0/tab=1 binary encoding |
| text_invisible_scan | Scan text for ALL invisible Unicode characters. Checks every character against the full invisible character database and reports positions and names |
| text_homoglyph | Detect Unicode homoglyph substitutions in text. Identifies non-ASCII characters that visually resemble ASCII letters (Cyrillic a vs Latin a, etc.) |
| text_unicode_analysis | Full Unicode character distribution analysis. Categorizes all characters by script block, performs entropy analysis, and detects suspicious script mixing |
| text_acrostic | Detect first-letter, first-word, last-letter, last-word, or nth-character patterns (acrostic messages) hidden across lines of text |
| Tool | Description |
|------|-------------|
| file_identify | File type identification via magic bytes. Reads the file header and matches against a comprehensive database of known file signatures. Checks for extension mismatch |
| file_polyglot | Detect polyglot files valid as two or more formats simultaneously. Checks for multiple valid file signatures at different offsets (PDF+ZIP, PNG+PDF, etc.) |
| file_embedded | Scan for embedded files within a binary, similar to binwalk. Searches for known magic byte signatures at every offset to discover hidden or appended files |
| file_appended | Detect data appended after a file's format-specific EOF marker. Supports PNG (IEND), JPEG (FFD9), BMP, ZIP (EOCD), and PDF (%%EOF) |
| file_entropy | Section-by-section entropy analysis. Calculates Shannon entropy per block and overall, flagging anomalous high-entropy sections |
| file_entropy_visual | ASCII entropy visualization of a file. Renders a text-based bar chart showing entropy levels across the file for visual anomaly detection |
| file_strings | Extract printable and Unicode strings from binary files. Scans for runs of printable characters and reports them with file offsets. Supports ASCII, UTF-8, UTF-16 |
| file_hex | Hex dump with ASCII sidebar display. Traditional hex editor format with offset addresses, hex bytes, and printable ASCII representation |
| file_header | Deep header and structure analysis for known formats. Parses PNG IHDR, JPEG SOF, BMP info header, ZIP local file headers, and PDF version/metadata |
| file_compare | Binary diff between two files. Byte-by-byte comparison reporting differences with offsets, percentage identical, and LSB-only difference detection for stego analysis |
| Tool | Description |
|------|-------------|
| doc_pdf_hidden | Hidden PDF content detection. Scans for JavaScript, auto-actions, OpenAction, hidden annotations, invisible text, embedded files, and other covert content |
| doc_pdf_metadata | PDF metadata extraction. Parses the /Info dictionary and XMP metadata blocks for forensic attribution and document provenance analysis |
| doc_pdf_streams | PDF stream analysis. Locates all stream/endstream blocks, attempts zlib decompression, and reports sizes and entropy for finding hidden data |
| doc_html_hidden | Hidden HTML content detection. Scans for comments, display:none elements, data-* attributes, hidden inputs, base64 content, zero-size elements, and invisible text |
| doc_xml_metadata | XML and Office document metadata extraction. Parses Dublin Core, Microsoft Office properties, processing instructions, and other metadata fields |
| Tool | Description |
|------|-------------|
| crypto_detect | Auto-detect encoding type of an input string. Tests against all known patterns (Base64, hex, binary, morse, URL encoding, HTML entities, etc.) and returns matches sorted by confidence |
| crypto_decode | Multi-format decoder supporting Base64, hex, binary, decimal, octal, URL encoding, ROT13, Base32, Morse code, and HTML entities. Auto mode detects encoding first |
| crypto_frequency | Character frequency analysis for cryptanalysis. Counts character occurrences, compares to standard English frequency (ETAOINSHRDLU), and calculates Index of Coincidence |
| crypto_entropy | Shannon entropy calculation and classification for strings. Computes character-level and byte-level entropy, classifying into categories from repeated data to encrypted/random |
| crypto_xor | XOR key brute-force for single-byte and multi-byte keys. Tries all 256 single-byte keys and scores by English text probability. Uses IC for multi-byte key length estimation |
| crypto_hash_id | Hash type identification. Matches input against known hash patterns by length and format (MD5, SHA-1, SHA-256, SHA-512, bcrypt, CRC32, NTLM, etc.) |
| crypto_patterns | Known cipher and encoding pattern detection. Analyzes text for Caesar cipher, substitution cipher, Vigenere, rail fence transposition, Atbash, and reversed text |
CLI Usage
# Show help
npx -y steganography-mcp --help
# List all 60 tools with descriptions
npx -y steganography-mcp --list
# Detect steganography in an image
npx -y steganography-mcp --tool img_detect '{"file_path":"challenge.png"}'
# Extract hidden message from LSBs
npx -y steganography-mcp --tool img_lsb_extract '{"file_path":"stego.png"}'
# Chi-square steganalysis
npx -y steganography-mcp --tool img_chi_square '{"file_path":"suspect.png"}'
# RS analysis (Fridrich-Goljan-Du method)
npx -y steganography-mcp --tool img_rs_analysis '{"file_path":"suspect.png"}'
# JPEG double compression detection
npx -y steganography-mcp --tool jpeg_double_compression '{"file_path":"photo.jpg"}'
# Deep EXIF analysis
npx -y steganography-mcp --tool jpeg_exif_deep '{"file_path":"photo.jpg"}'
# Audio steganography detection
npx -y steganography-mcp --tool audio_detect '{"file_path":"message.wav"}'
# Detect zero-width character encoding
npx -y steganography-mcp --tool text_zwc_detect '{"text":"suspicious text here"}'
# Embed a hidden message with zero-width characters
npx -y steganography-mcp --tool text_zwc_embed '{"text":"cover text","message":"secret"}'
# Identify file type and detect polyglots
npx -y steganography-mcp --tool file_polyglot '{"file_path":"suspicious.pdf"}'
# Scan for embedded files (binwalk-style)
npx -y steganography-mcp --tool file_embedded '{"file_path":"mystery.bin"}'
# Entropy visualization
npx -y steganography-mcp --tool file_entropy_visual '{"file_path":"data.bin"}'
# Auto-detect encoding
npx -y steganography-mcp --tool crypto_detect '{"input":"aGVsbG8gd29ybGQ="}'
# XOR brute-force
npx -y steganography-mcp --tool crypto_xor '{"input":"4f5243484e"}'
# Detect cipher patterns
npx -y steganography-mcp --tool crypto_patterns '{"input":"Gur dhvpx oebja sbk"}'
# Using Bun (faster startup)
bunx steganography-mcp --tool img_detect '{"file_path":"image.png"}'Use Cases
CTF Challenges
Solve steganography challenges in capture-the-flag competitions. The AI agent can systematically apply all detection techniques — LSB analysis, metadata inspection, appended data, encoding detection, and cipher identification — to find hidden flags in images, audio files, documents, and text.
Digital Forensics
Detect covert communication channels in forensic investigations. Analyze suspect files for hidden data using statistical steganalysis (chi-square, RS analysis), check for data appended after EOF markers, scan for embedded files, and identify steganography tool signatures.
Security Research
Analyze steganography tools and techniques. Compare original and stego images pixel-by-pixel, study DCT coefficient distributions in JPEG stego, measure entropy changes from embedding, and reverse-engineer encoding schemes.
Education
Learn how steganography techniques work. Embed and extract LSB messages, encode text with zero-width characters, visualize bit planes and entropy maps, analyze file structures with hex dumps, and study cipher patterns with frequency analysis.
Incident Response
During incident response, check documents and images for hidden exfiltration channels. Scan PDFs for hidden JavaScript and embedded files, detect zero-width character encoding in emails, identify polyglot files, and analyze suspicious encodings.
Architecture
src/
index.ts # CLI entrypoint (--help, --list, --tool, stdio server)
protocol/
mcp-server.ts # MCP server setup (stdio transport)
tools.ts # Tool registry — all 60 tools assembled here
types/
index.ts # Shared types (ToolDef, ToolContext, ToolResult)
utils/
binary.ts # Binary file reading, hex dump, format detection
stats.ts # Shannon entropy, chi-square, byte frequency
cache.ts # TTL cache
png-parser.ts # Pure TS PNG parser (IHDR, chunks, pixel data)
jpeg-parser.ts # Pure TS JPEG parser (markers, EXIF, quantization)
wav-parser.ts # Pure TS WAV parser (RIFF chunks, PCM samples)
bmp-parser.ts # Pure TS BMP parser (header, pixel data)
image/ # Image Steganalysis tools (14)
jpeg/ # JPEG Analysis tools (7)
audio/ # Audio Steganalysis tools (7)
text/ # Text & Unicode tools (10)
file/ # File Forensics tools (10)
document/ # Document Analysis tools (5)
crypto/ # Encoding & Crypto tools (7)
data/
encoding-patterns.ts # Encoding regex patterns + decoders
magic-bytes.ts # File signature database (100+ formats)
stego-signatures.ts # Known steganography tool signatures
unicode-invisible.ts # Invisible Unicode character databaseDesign decisions:
- 4 dependencies, nothing else —
@modelcontextprotocol/sdkfor the MCP protocol,zodfor input validation,pngjsfor PNG pixel access,jpeg-jsfor JPEG decoding. No bloated dependency tree. No native modules. No C bindings. No Python. No Java. - 100% offline — Every tool runs entirely locally. No HTTP requests. No API calls. No telemetry. No cloud dependencies. Your files never leave your machine.
- Pure TypeScript statistical analysis — Chi-square test, RS analysis (Fridrich-Goljan-Du), Sample Pair Analysis, Shannon entropy, Index of Coincidence, and frequency analysis are all implemented in pure TypeScript. No external math libraries.
- Custom format parsers — PNG chunks, JPEG markers/EXIF/quantization tables, WAV RIFF chunks, and BMP headers are parsed with zero external dependencies using the
utils/parsers. This allows deep format-specific analysis that general-purpose libraries cannot provide. - 7 providers, 1 server — Each analysis category is an independent module. The AI agent picks which tools to use based on the investigation context.
- Clean ToolDef pattern — Every tool follows the same
{ name, description, schema, execute }pattern. Adding a new tool is a single object in the appropriate module. - Zod validation on every field — Every schema field has
.describe()for AI agent context. Invalid inputs are caught before execution with clear error messages.
Part of the MCP Security Suite
| Project | Domain | Tools | |---|---|---| | hackbrowser-mcp | Browser-based security testing | 39 tools | | cloud-audit-mcp | Cloud security (AWS/Azure/GCP) | 38 tools | | github-security-mcp | GitHub security posture | 39 tools | | cve-mcp | Vulnerability intelligence | 23 tools | | osint-mcp-server | OSINT & reconnaissance | 37 tools | | darknet-mcp-server | Dark web & threat intelligence | 66 tools | | dns-security-mcp | DNS security intelligence | 103 tools | | steganography-mcp | Steganography analysis | 60 tools |
Contributing
Contributions are welcome. See CONTRIBUTING.md for guidelines.
