A high-performance binary scanner for detecting packages compromised with cryptocurrency-stealing malware. (Currently written for macOS only; pull requests are accepted.)
- ⚡ Blazing Fast - Written in Rust for maximum performance
- 🔍 Recursive Scanning - Automatically finds all package lockfiles in your projects
- 📦 Multi-Format Support - Handles npm, yarn, and pnpm lockfiles
- 🎨 Beautiful Output - Color-coded terminal output with clear warnings
- 📊 JSON Export - Machine-readable output for CI/CD pipelines
```bash
# Build from source
cargo build --release

# Install to system
make install

# Scan current directory
toasted

# Scan specific directory
toasted /path/to/project

# Output as JSON
toasted --format json

# Verbose output
toasted -v

# Use custom IOC file
toasted --ioc /path/to/custom-iocs.yaml

# Use custom IOC directory
toasted --ioc /path/to/ioc-directory/

# Skip default IOCs from ~/.its-toasted/iocs
toasted --no-default-iocs --ioc /path/to/custom.yaml
```
The scanner supports loading Indicators of Compromise (IOCs) from external YAML or JSON files.

IOC files are automatically loaded from the `~/.its-toasted/iocs/` directory, which is created during installation with default IOC files.

IOC files can be in YAML or JSON format:
```yaml
name: "NPM Packages Compromised - September 2024"
description: "Description of the compromise"
source: "https://source-url.com"
date: "2024-09-08"
registry: "npmjs" # Default registry for all packages in this file
packages:
  - name: "package-name"
    version: "1.0.0"
    weekly_downloads: "10m"
    severity: "critical" # critical, high, medium, low
    registry: "npmjs" # Package registry (npmjs, pypi, rubygems, maven, nuget, packagist, hex, crates, go)
    tags:
      - malware
      - supply-chain-attack
```
See `iocs/REGISTRY_DEFINITIONS.md` for a complete list of supported package registries.
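To show how an IOC file in the JSON form above is matched against an npm lockfile, here is an added stand-alone example (not the scanner's own code): it builds a lookup keyed on registry, name and exact version, honouring the file-level `registry` default and the per-package override, and walks the `packages` map of a `package-lock.json` (lockfileVersion 3 layout) so that nested and scoped copies are found too. The IOC set and lockfile are constructed samples with illustrative versions.

```python
import json

# Constructed IOC file in the scanner's JSON form; package names and versions are illustrative.
IOC_JSON = """{
  "name": "Constructed IOC set",
  "registry": "npmjs",
  "packages": [
    {"name": "chalk", "version": "1.2.3", "severity": "critical"},
    {"name": "debug", "version": "9.9.9", "severity": "critical"},
    {"name": "chalk", "version": "1.2.3", "severity": "high", "registry": "pypi"}
  ]
}"""

# Constructed package-lock.json (lockfileVersion 3) with a nested copy of chalk under a scoped package.
LOCK_JSON = """{
  "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo"},
    "node_modules/chalk": {"version": "1.2.3"},
    "node_modules/debug": {"version": "4.0.0"},
    "node_modules/@scope/widget": {"version": "2.0.0"},
    "node_modules/@scope/widget/node_modules/chalk": {"version": "1.2.3"}
  }
}"""

def load_iocs(text):
    """Map (registry, name, version) -> severity; a package-level registry overrides the file default."""
    doc = json.loads(text)
    default_registry = doc.get("registry", "npmjs")
    return {
        (p.get("registry", default_registry), p["name"], p["version"]): p.get("severity", "unknown")
        for p in doc["packages"]
    }

def scan_npm_lock(lock_text, iocs, registry="npmjs"):
    """Return [(lock_path, name, version, severity)] for every installed copy that matches an IOC."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # The last "node_modules/" segment is the package name; this keeps scoped names
        # and catches nested copies. The root entry ("") yields no name and never matches.
        name = path.rsplit("node_modules/", 1)[-1]
        key = (registry, name, meta.get("version"))
        if key in iocs:
            findings.append((path, name, key[2], iocs[key]))
    return findings

if __name__ == "__main__":
    for path, name, version, severity in scan_npm_lock(LOCK_JSON, load_iocs(IOC_JSON)):
        print("COMPROMISED: %s@%s at %s (%s)" % (name, version, path, severity))
```

Matching is on the exact pinned version, so a lockfile that resolves `debug` to a version outside the IOC set produces no finding for it, while both copies of `chalk` are reported.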
- Create a new YAML/JSON file in `~/.its-toasted/iocs/`
- Follow the format shown above
- The scanner will automatically load it on the next run
You can also specify custom IOC files or directories:

- Single file: `--ioc /path/to/ioc.yaml`
- Directory: `--ioc /path/to/ioc-directory/`
The scanner includes built-in detection for 18 packages that were found to be compromised on September 8th, 2025:
- chalk (299.99m weekly downloads)
- debug (357.6m weekly downloads)
- ansi-styles (371.41m weekly downloads)
- And 15 more...

Source: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised