Another Supply Chain Attack, Another Stolen Credential — Can You Beat Our Runtime Detection?

Minh Anh Day
It happened again.
Three weeks ago we broke down the axios npm backdoor. Before that, LiteLLM. Before that, Trivy. Now it's pgserve — an embedded PostgreSQL server for Node.js — compromised with a credential stealer that targets six crypto wallets alongside your SSH keys, cloud credentials, and npm tokens. StepSecurity identified the attack and named it CanisterSprawl, after the blockchain-hosted exfiltration endpoint that can't be taken down by conventional means.
The pattern is always the same: legitimate publisher credentials get stolen, signatures verify, hashes match, and the malicious code sails right through every pre-execution check. SBOMs, lockfiles, provenance attestations — none of it helps when the attacker is publishing with the maintainer's own keys.
Four compromises in six weeks. Each one uses a different delivery mechanism, a different payload shape, a different ecosystem. But they all do the same thing once they land on your machine: open credential files they have no business reading, and send the contents somewhere they have no business sending them.
That's what runtime behavioral detection catches. Not the signature. Not the hash. The behavior.
Why runtime detection matters
EDAMAME can detect these attacks across multiple behavioral signals.
The axios attacker dropped a RAT from /tmp/. We caught that with process-lineage tracking. The pgserve attacker did better and shipped the stealer inline from node_modules/ instead — no temp directory, no second stage.
Any single detection check can be evaded by changing the attack's shape. That's why we also key on file-open breadth: when a single process opens SSH keys, cloud credentials, browser password stores, and crypto wallets simultaneously, that's not normal behavior. No legitimate application does that. pgserve touches six labelled credential categories at once — and our credential_harvest check fires deterministically, without needing to know the package name, the payload signature, or the C2 address.
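A minimal sketch of the file-open breadth idea described above, added here as an illustration and not EDAMAME's implementation. The category names, path patterns, threshold and sample snapshot are all constructed assumptions.

```python
import fnmatch
import re
from collections import defaultdict

# Hypothetical category -> path patterns ("~" stands for the user's home).
# These names and patterns are assumptions, not EDAMAME's rule set.
CATEGORIES = {
    "ssh": ["~/.ssh/id_*"],
    "cloud": ["~/.aws/credentials", "~/.config/gcloud/*"],
    "package_tokens": ["~/.npmrc"],
    "browser_store": ["~/Library/Application Support/Google/Chrome/*/Login Data"],
    "crypto_wallet": ["~/Library/Application Support/Exodus/*"],
}
HOME_RE = re.compile(r"^/(?:Users|home)/[^/]+")

def categorize(path):
    """Return the credential category a path belongs to, or None."""
    rel = HOME_RE.sub("~", path)
    for category, patterns in CATEGORIES.items():
        if any(fnmatch.fnmatchcase(rel, p) for p in patterns):
            return category
    return None

def flag_credential_breadth(open_handles, threshold=3):
    """open_handles: (pid, executable, path) rows from one snapshot of open files.
    Returns {pid: (executable, sorted categories)} for processes holding files
    from at least `threshold` distinct categories (threshold is an assumption)."""
    cats, exe_of = defaultdict(set), {}
    for pid, exe, path in open_handles:
        category = categorize(path)
        if category:
            cats[pid].add(category)
            exe_of[pid] = exe
    return {pid: (exe_of[pid], sorted(c)) for pid, c in cats.items() if len(c) >= threshold}

# Constructed snapshot: one node process reading across categories, two benign tools.
SAMPLE = [
    (4242, "/usr/local/bin/node", "/Users/demo/project/node_modules/pkg/index.js"),
    (4242, "/usr/local/bin/node", "/Users/demo/.ssh/id_ed25519"),
    (4242, "/usr/local/bin/node", "/Users/demo/.aws/credentials"),
    (4242, "/usr/local/bin/node", "/Users/demo/.npmrc"),
    (4242, "/usr/local/bin/node", "/Users/demo/Library/Application Support/Exodus/demo.wallet"),
    (511, "/usr/bin/ssh", "/Users/demo/.ssh/id_ed25519"),
    (733, "/usr/local/bin/aws", "/Users/demo/.aws/credentials"),
]

if __name__ == "__main__":
    for pid, (exe, hit) in flag_credential_breadth(SAMPLE).items():
        print(f"pid={pid} exe={exe} categories={hit}")
```

The single-purpose tools (`ssh`, `aws`) each touch one category and stay below the threshold; only the process spanning several categories is flagged, with no reference to a package name or hash.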
We just shipped version 1.2 — come try to break it
We thought it would be fun to set up a challenge: can you fool EDAMAME's runtime behavioral detection?
Supply-chain attacks like axios and pgserve work precisely because they use legitimate publisher credentials — signatures are valid, hashes match, provenance is clean. The malicious code still has to do something on the host, though, and that's where we focus: process-to-network attribution, open file-handle correlation against sensitive credential paths, and execution lineages from temp directories.
We built a set of end-to-end test scenarios for our open-source agent_security repo that demonstrate the kinds of payloads we detect — credential harvesting, beaconing, temp-dropper patterns, and so on.
The challenge
Write a test scenario in the style of the existing ones that performs meaningful credential exfiltration and evades our behavioral scanners. You can test it by running your script while the EDAMAME app is active with traffic capture on and the built-in LLM running.
Send your code and a description of your strategy to devs@edamame.tech.
First working evasion wins a $100 Amazon gift card
Most creative evasion wins a separate $100 prize (we have a few possibilities in mind already, but we'd like to be surprised)
Rules
macOS app only, with the EDAMAME helper installed
Scenario must follow the structure of existing tests in agent_security/tests/e2e/triggers
No real credential exfiltration — use the fake demo credentials as the existing tests do
Responsible disclosure — don't post publicly until we've had a chance to look through your contribution
Feel free to test with your own LLM connected, but your script must evade detection with the default LLM on
We're genuinely curious whether the system-plane invariants hold across creative delivery mechanisms.
Quick video walkthrough
Here's a quick video on how to run the app and detect malicious behavior:
Get started
Download EDAMAME Security — free desktop app for macOS, Windows, Linux, iOS, and Android. Four users per tenant on the free plan.
EDAMAME Posture CLI — free CLI for CI/CD pipelines, coding agents, and headless servers.
agent_security E2E test suite — open-source test scenarios with safe, IOC-blocked triggers. This is where you'll add your evasion attempt.
View on GitHub — the full EDAMAME architecture.
Happy hunting.
Questions about how the detectors work? Email us at devs@edamame.tech.




