RedSwarm Adversarial AI Security Scanner: One File, Zero Dependencies

hackernews | 📦 Open source
#adversarial ai #ai swarm #anthropic #openai #security scanner #zero dependencies #vulnerability assessment
Original source: hackernews · Summarized and analyzed by Genesis Park

Summary

RedSwarm is an adversarial AI security scanner designed to check your codebase before attackers get to it, and it runs as a single file with no dependencies. The tool spawns hundreds of AI agents that simulate a range of real-world attack scenarios: supply chain attacks, credential theft, prompt injection, insider threats, and data exfiltration. It also detects weaknesses such as hardcoded API keys and exposed secrets in the code, scores the risk of each finding, and delivers the results as terminal output, an HTML report, or JSON for CI/CD.

Body

Adversarial AI swarm that attacks your codebase before hackers do.

RedSwarm spawns hundreds of adversarial AI agents that simulate real-world attacks against your codebase. Supply chain attacks, credential theft, prompt injection, insider threats, data exfiltration — all in one scan.

Zero dependencies. One file. Works on any project.

    $ python3 redswarm.py ./my-app --agents 500

    RedSwarm v0.1.0
    Adversarial AI Security Scanner

    ============================================================
      RedSwarm — Adversarial AI Security Audit
    ============================================================
      Project: /home/user/my-app
      Agents:  500
      Files:   441
      Deps:    41
      Time:    4.8s
    ============================================================

      Risk Score: 12/100

      CRITICAL: 20   HIGH: 1   MEDIUM: 52   LOW: 318

      [!!!] CRITICAL: COMPROMISED PACKAGE: litellm
            Agent #3 (supply-chain)
            Supply chain attack via Trivy CI/CD compromise. Credential stealer + K8s lateral movement.
            Attack chain:
              -> Attacker compromises litellm on PyPI
              -> Malicious code executes on pip install
              -> Credentials, SSH keys, and secrets exfiltrated
              -> Lateral movement to connected infrastructure

      [!!!] CRITICAL: EXPOSED SECRET: Hardcoded API key
            Agent #112 (credential-theft)
            Found Hardcoded API key in config.py: api_key="sk-...

Quickstart

    # Clone
    git clone https://github.com/mayawalcher/redswarm.git
    cd redswarm

    # Scan any project
    python3 redswarm.py /path/to/your/project

    # More agents = more thorough
    python3 redswarm.py . --agents 500

    # HTML report
    python3 redswarm.py . --agents 500 --output report.html

    # JSON for CI/CD
    python3 redswarm.py . --json

    # Focus on specific attack type
    python3 redswarm.py . --focus supply-chain

No dependencies. No API keys. Just Python 3.10+.

How it works

    ┌─────────────────────────────────────────────────────────┐
    │                     PROJECT SCANNER                     │
    │  Collects intelligence: files, deps, secrets, endpoints │
    │  LLM calls, env files, API surface                      │
    └──────────────────────┬──────────────────────────────────┘
                           │
                           ▼
    ┌─────────────────────────────────────────────────────────┐
    │                      SWARM ENGINE                       │
    │  Spawns N attacker agents across 5 attack categories    │
    │                                                         │
    │  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐    │
    │  │  Supply  │ │Credential│ │  Prompt  │ │ Insider  │    │
    │  │  Chain   │ │  Theft   │ │Injection │ │  Threat  │    │
    │  │   x100   │ │   x100   │ │   x100   │ │   x100   │    │
    │  └──────────┘ └──────────┘ └──────────┘ └──────────┘    │
    │  ┌──────────┐                                           │
    │  │  Exfil   │  Each agent runs independently,           │
    │  │   x100   │  findings are deduplicated                │
    │  └──────────┘                                           │
    └──────────────────────┬──────────────────────────────────┘
                           │
                           ▼
    ┌─────────────────────────────────────────────────────────┐
    │                     RISK ASSESSMENT                     │
    │  0-100 score, severity classification, attack chains    │
    │  Terminal output, HTML report, or JSON for CI/CD        │
    └─────────────────────────────────────────────────────────┘

Attack agents

Supply chain. Inspired by the LiteLLM supply chain attack (March 2026). Detects:
- Known compromised packages — litellm, ultralytics, event-stream, ua-parser-js, colors, faker
- Typosquatting — packages with names suspiciously similar to popular ones
- Unpinned versions — dependencies without version locks that could auto-update to malicious releases

Credential theft. Detects:
- Hardcoded secrets — API keys (OpenAI, Anthropic, AWS, GitHub, Slack, Google, etc.)
- Leaked credentials — JWT tokens, database connection strings, private keys
- Env file exposure — .env files with sensitive keys that might be committed to git
- Default fallbacks — API keys hardcoded as os.getenv() fallback values

Prompt injection. Detects:
- Direct injection — user input flowing into LLM system prompts
- Indirect injection — request data reaching chat completion calls
- Unvalidated outputs — LLM calls without output sanitization

Insider threat. Detects:
- Admin endpoints — unprotected administrative API routes
- Debug mode — Flask/Django debug mode enabled, app.run(host="0.0.0.0")
- Test credentials — hardcoded passwords, default accounts

Data exfiltration. Detects:
- Suspicious outbound calls — HTTP requests to unrecognized domains
- Data exfiltration endpoints — unexpected external API calls in source code

Output

Terminal: color-coded findings with severity badges, attack chains, and remediation steps.

HTML report: dark-themed security report with risk score dashboard, severity breakdown, and detailed findings.

JSON: machine-readable output for CI/CD integration. Exit code 1 if any CRITICAL findings.

    {
      "risk_score": 37,
      "total_agents": 100,
      "findings": [
        {
          "severity": "critical",
          "title": "EXPOSED SECRET: Hardcoded API key",
          "file": "config.py",
          "cwe": "CWE-798",
          "remediation": "Remove secret from source code..."
        }
      ]
    }

    # GitHub Actions
    - name: RedSwarm Security Scan
      run: |
        python3 redswarm.py . --json --agents 200 > redswarm.json
        # Fails on critical findings (exit code 1)

Why

On March 24, 2026, LiteLLM — a package used by thousands of AI companies — was compromised via a supply chain attack. A credential stealer was injected through a Trivy CI/CD compromise, and the malicious package was downloaded before PyPI quarantined it.

Traditional scanners check a database of known CVEs. RedSwarm thinks like an attacker — it s
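As an added example that is not RedSwarm's own code, the block below implements a handful of the checks listed under Attack agents (hardcoded key, secret literal as an os.getenv() fallback, debug mode and 0.0.0.0 bind, unpinned dependency) together with the Output section's CI rule of exit code 1 on any CRITICAL finding. The regexes, the severity weights behind the score, and the CWE for the debug finding are my assumptions, and the two inputs are constructed samples rather than files from any real project.

```python
import re

# Patterns are assumptions modelled on the README wording; the key shape "sk-..." follows the sample output.
SECRET_RE = re.compile(r'(?i)(api[_-]?key|secret|token)\s*=\s*["\'](sk-[A-Za-z0-9_-]{8,})["\']')
FALLBACK_RE = re.compile(r'os\.getenv\(\s*["\'][A-Z_]+["\']\s*,\s*["\']([^"\']{8,})["\']\s*\)')
DEBUG_RE = re.compile(r'app\.run\([^)]*(debug\s*=\s*True|host\s*=\s*["\']0\.0\.0\.0["\'])')
WEIGHT = {"critical": 25, "high": 10, "medium": 4, "low": 1}  # assumed weights; higher score = riskier

def scan_source(path, text):
    """Findings for one Python file, using the page's severity labels."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if SECRET_RE.search(line):
            out.append(dict(severity="critical", title="EXPOSED SECRET: Hardcoded API key",
                            file=path, line=n, cwe="CWE-798"))
        elif FALLBACK_RE.search(line):
            out.append(dict(severity="high", title="Default fallback: secret literal in os.getenv()",
                            file=path, line=n, cwe="CWE-798"))
        if DEBUG_RE.search(line):  # CWE-489 (active debug code) is my mapping, not the page's
            out.append(dict(severity="high", title="Debug mode / app bound to 0.0.0.0",
                            file=path, line=n, cwe="CWE-489"))
    return out

def scan_requirements(path, text):
    """Flag requirements lines with no '==' lock (could auto-update to a bad release)."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        spec = raw.split("#")[0].strip()
        if spec and "==" not in spec:
            name = re.split(r"[<>=!~\[ ;]", spec, maxsplit=1)[0]
            out.append(dict(severity="medium", title=f"Unpinned dependency: {name}", file=path, line=n))
    return out

def report(findings):
    """JSON-ready result; exit_code follows the CI rule: 1 if any CRITICAL finding, else 0."""
    score = min(100, sum(WEIGHT[f["severity"]] for f in findings))
    critical = any(f["severity"] == "critical" for f in findings)
    return {"risk_score": score, "findings": findings, "exit_code": 1 if critical else 0}

# Constructed sample inputs (not taken from any real project).
SAMPLE_CONFIG = ('import os\n'
                 'api_key = "sk-CONSTRUCTED_SAMPLE_KEY_0000"\n'
                 'db_url = os.getenv("DATABASE_URL", "postgres://admin:hunter2@db/prod")\n'
                 'app.run(host="0.0.0.0", debug=True)\n')
SAMPLE_REQS = "flask==3.0.0\nlitellm\nrequests>=2.0  # not locked\n"

def run_demo():
    findings = scan_source("config.py", SAMPLE_CONFIG) + scan_requirements("requirements.txt", SAMPLE_REQS)
    return report(findings)
```

Calling run_demo() returns the report dict; json.dumps() it to a file and use its exit_code as the job's exit status to mirror the GitHub Actions step above.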

This analysis was written by the Genesis Park editorial team with the help of AI. The original can be read via the source link.
