malwi 0.0.9

malwi - AI Python Malware Scanner

malwi - AI Python Malware Scanner

Detect Python malware fast - no internet, no expensive hardware, no fees.

malwi is specialized in detecting zero-day vulnerabilities, for classifying code as safe or harmful.

Open-source software made in Europe. Based on open research, open code, open data. 🇪🇺🤘🕊️

# Install
pip install --user malwi

# Run
malwi ./examples

Output:

## examples/__init__.py
- Object: runcommand
- Maliciousness: 0.9620079398155212

def runcommand(value):
    output = subprocess.run(value, shell=True, capture_output=True)
    return [output.stdout, output.stderr]

TARGETED_FILE resume load_global subprocess load_attr run load_fast value load_const INTEGER load_const INTEGER kw_names capture_output shell call store_fast output load_fast output load_attr stdout load_fast output load_attr stderr build_list return_value

...

Why malwi?

The number of malicious open-source packages is growing. This is not just a threat to your business but also to the open-source community.

Typical malware behaviors include:

• Exfiltration of data: Stealing credentials, API keys, or sensitive user data.
• Backdoors: Allowing remote attackers to gain unauthorized access to your system.
• Destructive actions: Deleting files, corrupting databases, or sabotaging applications.

Attention: Malicious packages might execute code during installation (e.g. through setup.py). Make sure to NOT download or install malicious packages from the dataset with commands like uv add, pip install, poetry add.

What's next?

The first iteration focuses on maliciousness of Python source code.

Future iterations will cover malware scanning for more languages (JavaScript, Rust, Go) and more formats (binaries, logs).

How does it work?

malwi applies DistilBert and Support Vector Machines (SVM) based on the design of Zero Day Malware Detection with Alpha: Fast DBI with Transformer Models for Real World Application (2025). Additionally, malwi applies Tree-sitter for creating abstract syntax trees (ASTs) which are mapped to a unified and security sensitive syntax used as training input. The Python malware dataset can be found here. After 3 epochs of training you will get: Loss: 0.0986, Accuracy: 0.9669, F1: 0.9666.

High-level training pipeline:

• Create dataset from malicious/benign repositories and map code to malwi syntax
• Remove code duplications based on hashes
• Train DistilBert based on the malwi samples for categorizing malicious/benign

Support

Do you have access to malicious Rust, Go, whatever packages? Contact me.

Develop

Prerequisites: uv

# Download and process data
cmds/download_and_preprocess.sh

# Only process data
cmds/preprocess.sh

# Preprocess then start training
cmds/preprocess_and_train.sh

# Only start training
cmds/train.sh