Use case
Threat Intelligence
Monitor npm packages for behavioral changes in compiled code and catch threats early.
The Problem
Package updates can silently change binary behavior. A maintainer account takeover, a compromised build pipeline, or even a well-intentioned refactor can introduce network calls, process spawning, or data exfiltration into compiled code — and no existing tool will notice.
The Solution
BinShield tracks binary behavior across versions and alerts you when something changes. Set up watchlists for critical packages, configure risk thresholds, and receive email or webhook notifications the moment a new version introduces unexpected behavior.
How Risk Scoring Works
Deterministic, transparent, auditable.
- Binary extraction — Every .node, .so, .dylib, and .wasm file is identified and isolated from the package tarball.
- Decompilation — Ghidra decompiles each binary and extracts symbol tables, imported functions, string literals, and control flow graphs.
- AI classification — An LLM analyzes the decompiled output and classifies behaviors into families: network, filesystem, process, crypto, obfuscation, and data exfiltration.
- Deterministic scoring — A rules engine produces a 0-100 risk score based on the number, severity, and combination of detected behaviors. The same binary always gets the same score.
- Version diffing — When a new version is scanned, BinShield compares the behavior profile against the previous version and flags any changes.
Real Example: bcrypt 5.1.0 to 6.0.0
Behavioral diff between versions
| Attribute | v5.1.0 | v6.0.0 |
|---|---|---|
| Native binaries | 8 | 10 |
| Risk score | 48 | 52 |
| New behaviors | — | +filesystem write |
| Removed behaviors | — | none |
| Platform coverage | linux-x64, darwin-x64 | +linux-arm64, +darwin-arm64 |
The jump from 8 to 10 binaries reflects new ARM64 prebuild targets. The new filesystem write behavior comes from an updated temp-file strategy in the hashing routine. Both changes are expected — but without BinShield, your team would never know they happened.
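The scoring and version-diffing steps above, reduced to a small Python model, as an added example that is not BinShield's code. The severity weights, the combination bonus and the sample profiles are assumptions; the sample mirrors the shape of the bcrypt change (new ARM64 prebuilds plus one new filesystem write) but does not reproduce the 48/52 scores from the table.

```python
# Added example, not BinShield's code: toy versions of the scoring and diff
# steps. Severity weights, combo bonus and sample profiles are assumptions.
NATIVE_EXTS = (".node", ".so", ".dylib", ".wasm")

# Assumed per-behavior severity, keyed "family:action" (not BinShield's rules).
SEVERITY = {
    "filesystem:read": 5, "filesystem:write": 10, "network:connect": 25,
    "network:listen": 20, "process:spawn": 20, "crypto:hash": 2,
    "obfuscation:packed": 15, "data_exfiltration:upload": 40,
}

def find_native_binaries(members):
    """Step 1: pick the native/wasm members out of a tarball file listing."""
    return sorted(p for p in members if p.lower().endswith(NATIVE_EXTS))

def risk_score(behaviors):
    """Step 4: deterministic 0-100 score; the same behavior set always scores
    the same. Sum of per-behavior severity plus an assumed fixed bonus when
    network access is combined with filesystem, process or exfiltration."""
    behaviors = set(behaviors)
    families = {b.split(":", 1)[0] for b in behaviors}
    score = sum(SEVERITY.get(b, 0) for b in behaviors)
    if "network" in families and families & {"filesystem", "process", "data_exfiltration"}:
        score += 15
    return min(score, 100)

def diff_profiles(old, new):
    """Step 5: compare two version profiles and flag behavior changes."""
    old_b, new_b = set(old["behaviors"]), set(new["behaviors"])
    report = {
        "binaries": (len(old["binaries"]), len(new["binaries"])),
        "added": sorted(new_b - old_b), "removed": sorted(old_b - new_b),
        "score": (risk_score(old_b), risk_score(new_b)),
    }
    report["alert"] = bool(report["added"] or report["removed"])
    return report

# Constructed sample: a release that adds ARM64 prebuilds and a temp-file write.
OLD_FILES = ["package/package.json", "package/lib/index.js",
             "package/build/linux-x64/addon.node", "package/build/darwin-x64/addon.node"]
NEW_FILES = OLD_FILES + ["package/build/linux-arm64/addon.node",
                         "package/build/darwin-arm64/addon.node", "package/README.md"]
V1 = {"binaries": find_native_binaries(OLD_FILES), "behaviors": {"crypto:hash", "filesystem:read"}}
V2 = {"binaries": find_native_binaries(NEW_FILES),
      "behaviors": {"crypto:hash", "filesystem:read", "filesystem:write"}}

if __name__ == "__main__":
    print(diff_profiles(V1, V2))
```

The diff report flags the new filesystem write even though the score barely moves, which is the point of version diffing: a reviewer decides whether the change is expected, the tool only guarantees it is noticed.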
Start monitoring your dependencies
Create watchlists for your critical packages and get notified when binary behavior changes.