mindforge-cc 11.5.1 → 11.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (170) hide show
  1. package/.agent/mindforge/skill-tdd.md +53 -0
  2. package/.agent/mindforge/skills-index.md +118 -0
  3. package/.agent/mindforge/systematic-debug.md +60 -0
  4. package/.agent/skills/1password-skill/SKILL.md +156 -0
  5. package/.agent/skills/1password-skill/references/cli-examples.md +31 -0
  6. package/.agent/skills/1password-skill/references/get-started.md +21 -0
  7. package/.agent/skills/article-illustrator/SKILL.md +199 -0
  8. package/.agent/skills/article-illustrator/references/prompt-construction.md +426 -0
  9. package/.agent/skills/article-illustrator/references/style-presets.md +80 -0
  10. package/.agent/skills/article-illustrator/references/styles.md +224 -0
  11. package/.agent/skills/article-illustrator/references/usage.md +50 -0
  12. package/.agent/skills/article-illustrator/references/workflow.md +332 -0
  13. package/.agent/skills/arxiv/SKILL.md +275 -0
  14. package/.agent/skills/blogwatcher/SKILL.md +130 -0
  15. package/.agent/skills/code-wiki/SKILL.md +438 -0
  16. package/.agent/skills/code-wiki/templates/README.md +31 -0
  17. package/.agent/skills/code-wiki/templates/architecture.md +30 -0
  18. package/.agent/skills/code-wiki/templates/getting-started.md +47 -0
  19. package/.agent/skills/code-wiki/templates/module.md +38 -0
  20. package/.agent/skills/codebase-inspection/SKILL.md +109 -0
  21. package/.agent/skills/comic-creator/SKILL.md +240 -0
  22. package/.agent/skills/comic-creator/references/analysis-framework.md +176 -0
  23. package/.agent/skills/comic-creator/references/auto-selection.md +71 -0
  24. package/.agent/skills/comic-creator/references/base-prompt.md +98 -0
  25. package/.agent/skills/comic-creator/references/character-template.md +180 -0
  26. package/.agent/skills/comic-creator/references/ohmsha-guide.md +85 -0
  27. package/.agent/skills/comic-creator/references/partial-workflows.md +106 -0
  28. package/.agent/skills/comic-creator/references/storyboard-template.md +143 -0
  29. package/.agent/skills/comic-creator/references/workflow.md +401 -0
  30. package/.agent/skills/concept-diagrams/SKILL.md +355 -0
  31. package/.agent/skills/concept-diagrams/references/dashboard-patterns.md +43 -0
  32. package/.agent/skills/concept-diagrams/references/infrastructure-patterns.md +144 -0
  33. package/.agent/skills/concept-diagrams/references/physical-shape-cookbook.md +42 -0
  34. package/.agent/skills/creative-ideation/SKILL.md +144 -0
  35. package/.agent/skills/creative-ideation/references/full-prompt-library.md +110 -0
  36. package/.agent/skills/devops-cli/SKILL.md +149 -0
  37. package/.agent/skills/devops-cli/references/app-discovery.md +112 -0
  38. package/.agent/skills/devops-cli/references/authentication.md +59 -0
  39. package/.agent/skills/devops-cli/references/cli-reference.md +104 -0
  40. package/.agent/skills/devops-cli/references/running-apps.md +171 -0
  41. package/.agent/skills/devops-watchers/SKILL.md +103 -0
  42. package/.agent/skills/docker-management/SKILL.md +273 -0
  43. package/.agent/skills/domain-intel/SKILL.md +96 -0
  44. package/.agent/skills/duckduckgo-search/SKILL.md +230 -0
  45. package/.agent/skills/github-auth/SKILL.md +240 -0
  46. package/.agent/skills/github-code-review/SKILL.md +474 -0
  47. package/.agent/skills/github-code-review/references/review-output-template.md +74 -0
  48. package/.agent/skills/github-issues/SKILL.md +363 -0
  49. package/.agent/skills/github-issues/templates/bug-report.md +35 -0
  50. package/.agent/skills/github-issues/templates/feature-request.md +31 -0
  51. package/.agent/skills/github-pr-workflow/SKILL.md +360 -0
  52. package/.agent/skills/github-pr-workflow/references/ci-troubleshooting.md +183 -0
  53. package/.agent/skills/github-pr-workflow/references/conventional-commits.md +71 -0
  54. package/.agent/skills/github-pr-workflow/templates/pr-body-bugfix.md +35 -0
  55. package/.agent/skills/github-pr-workflow/templates/pr-body-feature.md +33 -0
  56. package/.agent/skills/github-repo-management/SKILL.md +509 -0
  57. package/.agent/skills/github-repo-management/references/github-api-cheatsheet.md +161 -0
  58. package/.agent/skills/godmode/SKILL.md +396 -0
  59. package/.agent/skills/godmode/references/jailbreak-templates.md +128 -0
  60. package/.agent/skills/godmode/references/refusal-detection.md +142 -0
  61. package/.agent/skills/hyperframes/SKILL.md +182 -0
  62. package/.agent/skills/hyperframes/references/cli.md +185 -0
  63. package/.agent/skills/hyperframes/references/composition.md +129 -0
  64. package/.agent/skills/hyperframes/references/features.md +289 -0
  65. package/.agent/skills/hyperframes/references/gsap.md +136 -0
  66. package/.agent/skills/hyperframes/references/troubleshooting.md +137 -0
  67. package/.agent/skills/hyperframes/references/website-to-video.md +145 -0
  68. package/.agent/skills/jupyter-live-kernel/SKILL.md +160 -0
  69. package/.agent/skills/kanban-orchestrator/SKILL.md +209 -0
  70. package/.agent/skills/kanban-worker/SKILL.md +188 -0
  71. package/.agent/skills/llm-wiki/SKILL.md +499 -0
  72. package/.agent/skills/meme-generation/SKILL.md +122 -0
  73. package/.agent/skills/node-inspect-debugger/SKILL.md +312 -0
  74. package/.agent/skills/obsidian/SKILL.md +60 -0
  75. package/.agent/skills/osint-investigation/SKILL.md +269 -0
  76. package/.agent/skills/osint-investigation/templates/source-template.md +59 -0
  77. package/.agent/skills/oss-forensics/SKILL.md +422 -0
  78. package/.agent/skills/oss-forensics/references/evidence-types.md +89 -0
  79. package/.agent/skills/oss-forensics/references/github-archive-guide.md +184 -0
  80. package/.agent/skills/oss-forensics/references/investigation-templates.md +131 -0
  81. package/.agent/skills/oss-forensics/references/recovery-techniques.md +164 -0
  82. package/.agent/skills/oss-forensics/templates/forensic-report.md +151 -0
  83. package/.agent/skills/oss-forensics/templates/malicious-package-report.md +43 -0
  84. package/.agent/skills/parallel-cli/SKILL.md +384 -0
  85. package/.agent/skills/pinggy-tunnel/SKILL.md +302 -0
  86. package/.agent/skills/pixel-art/SKILL.md +209 -0
  87. package/.agent/skills/pixel-art/references/palettes.md +49 -0
  88. package/.agent/skills/plan/SKILL.md +331 -0
  89. package/.agent/skills/polymarket/SKILL.md +75 -0
  90. package/.agent/skills/polymarket/references/api-endpoints.md +220 -0
  91. package/.agent/skills/python-debugpy/SKILL.md +368 -0
  92. package/.agent/skills/requesting-code-review/SKILL.md +273 -0
  93. package/.agent/skills/research-paper-writing/SKILL.md +2367 -0
  94. package/.agent/skills/research-paper-writing/references/autoreason-methodology.md +394 -0
  95. package/.agent/skills/research-paper-writing/references/checklists.md +434 -0
  96. package/.agent/skills/research-paper-writing/references/citation-workflow.md +563 -0
  97. package/.agent/skills/research-paper-writing/references/experiment-patterns.md +728 -0
  98. package/.agent/skills/research-paper-writing/references/human-evaluation.md +476 -0
  99. package/.agent/skills/research-paper-writing/references/paper-types.md +481 -0
  100. package/.agent/skills/research-paper-writing/references/reviewer-guidelines.md +433 -0
  101. package/.agent/skills/research-paper-writing/references/sources.md +191 -0
  102. package/.agent/skills/research-paper-writing/references/writing-guide.md +474 -0
  103. package/.agent/skills/research-paper-writing/templates/README.md +251 -0
  104. package/.agent/skills/rest-graphql-debug/SKILL.md +507 -0
  105. package/.agent/skills/s6-container-supervision/SKILL.md +171 -0
  106. package/.agent/skills/scrapling/SKILL.md +328 -0
  107. package/.agent/skills/sherlock/SKILL.md +186 -0
  108. package/.agent/skills/simplify-code/SKILL.md +168 -0
  109. package/.agent/skills/skill-authoring/SKILL.md +158 -0
  110. package/.agent/skills/spike/SKILL.md +190 -0
  111. package/.agent/skills/subagent-driven-development/SKILL.md +345 -0
  112. package/.agent/skills/subagent-driven-development/references/context-budget-discipline.md +53 -0
  113. package/.agent/skills/subagent-driven-development/references/gates-taxonomy.md +93 -0
  114. package/.agent/skills/systematic-debugging/SKILL.md +360 -0
  115. package/.agent/skills/test-driven-development/SKILL.md +336 -0
  116. package/.agent/skills/video-orchestrator/SKILL.md +194 -0
  117. package/.agent/skills/video-orchestrator/references/examples.md +227 -0
  118. package/.agent/skills/video-orchestrator/references/intake.md +166 -0
  119. package/.agent/skills/video-orchestrator/references/kanban-setup.md +278 -0
  120. package/.agent/skills/video-orchestrator/references/monitoring.md +180 -0
  121. package/.agent/skills/video-orchestrator/references/role-archetypes.md +298 -0
  122. package/.agent/skills/video-orchestrator/references/tool-matrix.md +317 -0
  123. package/.agent/skills/web-pentest/SKILL.md +332 -0
  124. package/.agent/skills/web-pentest/references/bypass-techniques.md +133 -0
  125. package/.agent/skills/web-pentest/references/exploitation-techniques.md +204 -0
  126. package/.agent/skills/web-pentest/references/scope-enforcement.md +110 -0
  127. package/.agent/skills/web-pentest/references/vuln-taxonomy.md +81 -0
  128. package/.agent/skills/web-pentest/templates/authorization.md +69 -0
  129. package/.agent/skills/web-pentest/templates/pentest-report.md +178 -0
  130. package/.claude/commands/mindforge/skill-tdd.md +53 -0
  131. package/.claude/commands/mindforge/skills-index.md +118 -0
  132. package/.claude/commands/mindforge/systematic-debug.md +60 -0
  133. package/.mindforge/config.json +2 -2
  134. package/.mindforge/memory/sync-manifest.json +1 -1
  135. package/.mindforge/skills/arxiv/SKILL.md +294 -0
  136. package/.mindforge/skills/blogwatcher/SKILL.md +147 -0
  137. package/.mindforge/skills/code-wiki/SKILL.md +457 -0
  138. package/.mindforge/skills/codebase-inspection/SKILL.md +126 -0
  139. package/.mindforge/skills/concept-diagrams/SKILL.md +373 -0
  140. package/.mindforge/skills/creative-ideation/SKILL.md +162 -0
  141. package/.mindforge/skills/domain-intel/SKILL.md +116 -0
  142. package/.mindforge/skills/duckduckgo-search/SKILL.md +249 -0
  143. package/.mindforge/skills/github-code-review/SKILL.md +493 -0
  144. package/.mindforge/skills/github-issues/SKILL.md +382 -0
  145. package/.mindforge/skills/github-pr-workflow/SKILL.md +379 -0
  146. package/.mindforge/skills/jupyter-live-kernel/SKILL.md +179 -0
  147. package/.mindforge/skills/kanban-orchestrator/SKILL.md +227 -0
  148. package/.mindforge/skills/kanban-worker/SKILL.md +206 -0
  149. package/.mindforge/skills/meme-generation/SKILL.md +141 -0
  150. package/.mindforge/skills/obsidian/SKILL.md +80 -0
  151. package/.mindforge/skills/osint-investigation/SKILL.md +288 -0
  152. package/.mindforge/skills/oss-forensics/SKILL.md +421 -0
  153. package/.mindforge/skills/pixel-art/SKILL.md +228 -0
  154. package/.mindforge/skills/plan/SKILL.md +350 -0
  155. package/.mindforge/skills/requesting-code-review/SKILL.md +292 -0
  156. package/.mindforge/skills/research-paper-writing/SKILL.md +2384 -0
  157. package/.mindforge/skills/scrapling/SKILL.md +345 -0
  158. package/.mindforge/skills/sherlock/SKILL.md +203 -0
  159. package/.mindforge/skills/simplify-code/SKILL.md +187 -0
  160. package/.mindforge/skills/spike/SKILL.md +209 -0
  161. package/.mindforge/skills/subagent-driven-development/SKILL.md +364 -0
  162. package/.mindforge/skills/systematic-debugging/SKILL.md +379 -0
  163. package/.mindforge/skills/test-driven-development/SKILL.md +355 -0
  164. package/.mindforge/skills/web-pentest/SKILL.md +327 -0
  165. package/CHANGELOG.md +43 -0
  166. package/MINDFORGE.md +2 -2
  167. package/README.md +39 -3
  168. package/RELEASENOTES.md +55 -0
  169. package/docs/getting-started.md +42 -5
  170. package/package.json +1 -1
@@ -0,0 +1,184 @@
1
+ # GitHub Archive Query Guide (BigQuery)
2
+
3
+ GitHub Archive records every public event on GitHub as immutable JSON records. This data is accessible via Google BigQuery and is the most reliable source for forensic investigation — events cannot be deleted or modified after recording.
4
+
5
+ ## Public Dataset
6
+
7
+ - **Project**: `githubarchive`
8
+ - **Tables**: `day.YYYYMMDD`, `month.YYYYMM`, `year.YYYY`
9
+ - **Cost**: $6.25 per TiB scanned. Always run dry runs first.
10
+ - **Access**: Requires a Google Cloud account with BigQuery enabled. Free tier includes 1 TiB/month of queries.
11
+
12
+ ---
13
+
14
+ ## The 12 GitHub Event Types
15
+
16
+ | Event Type | What It Records | Forensic Value |
17
+ |------------|-----------------|----------------|
18
+ | `PushEvent` | Commits pushed to a branch | Force-push detection, commit timeline, author attribution |
19
+ | `PullRequestEvent` | PR opened, closed, merged, reopened | Deleted PR recovery, review timeline |
20
+ | `IssuesEvent` | Issue opened, closed, reopened, labeled | Deleted issue recovery, social engineering traces |
21
+ | `IssueCommentEvent` | Comments on issues and PRs | Deleted comment recovery, communication patterns |
22
+ | `CreateEvent` | Branch, tag, or repository creation | Suspicious branch creation, tag timing |
23
+ | `DeleteEvent` | Branch or tag deletion | Evidence of cleanup after compromise |
24
+ | `MemberEvent` | Collaborator added or removed | Permission changes, access escalation |
25
+ | `PublicEvent` | Repository made public | Accidental exposure of private repos |
26
+ | `WatchEvent` | User stars a repository | Actor reconnaissance patterns |
27
+ | `ForkEvent` | Repository forked | Exfiltration of code before cleanup |
28
+ | `ReleaseEvent` | Release published, edited, deleted | Malicious release injection, deleted release recovery |
29
+ | `WorkflowRunEvent` | GitHub Actions workflow triggered | CI/CD abuse, unauthorized workflow runs |
30
+
31
+ ---
32
+
33
+ ## Query Templates
34
+
35
+ ### Basic: All Events for a Repository
36
+
37
+ ```sql
38
+ SELECT
39
+ created_at,
40
+ type,
41
+ actor.login,
42
+ repo.name,
43
+ payload
44
+ FROM
45
+ `githubarchive.day.20240101` -- Adjust date
46
+ WHERE
47
+ repo.name = 'owner/repo'
48
+ AND type IN ('PushEvent', 'DeleteEvent', 'MemberEvent')
49
+ ORDER BY
50
+ created_at ASC
51
+ ```
52
+
53
+ ### Force-Push Detection
54
+
55
+ Force-pushes produce PushEvents where commits are overwritten. Key indicators:
56
+ - `payload.distinct_size = 0` with `payload.size > 0` → commits were erased
57
+ - `payload.before` contains the SHA before the rewrite (recoverable)
58
+
59
+ ```sql
60
+ SELECT
61
+ created_at,
62
+ actor.login,
63
+ JSON_EXTRACT_SCALAR(payload, '$.before') AS before_sha,
64
+ JSON_EXTRACT_SCALAR(payload, '$.head') AS after_sha,
65
+ JSON_EXTRACT_SCALAR(payload, '$.size') AS total_commits,
66
+ JSON_EXTRACT_SCALAR(payload, '$.distinct_size') AS distinct_commits,
67
+ JSON_EXTRACT_SCALAR(payload, '$.ref') AS branch_ref
68
+ FROM
69
+ `githubarchive.month.*`
70
+ WHERE
71
+ _TABLE_SUFFIX BETWEEN '202401' AND '202403'
72
+ AND type = 'PushEvent'
73
+ AND repo.name = 'owner/repo'
74
+ AND CAST(JSON_EXTRACT_SCALAR(payload, '$.distinct_size') AS INT64) = 0
75
+ ORDER BY
76
+ created_at ASC
77
+ ```
78
+
79
+ ### Deleted Branch/Tag Detection
80
+
81
+ ```sql
82
+ SELECT
83
+ created_at,
84
+ actor.login,
85
+ JSON_EXTRACT_SCALAR(payload, '$.ref') AS deleted_ref,
86
+ JSON_EXTRACT_SCALAR(payload, '$.ref_type') AS ref_type
87
+ FROM
88
+ `githubarchive.month.*`
89
+ WHERE
90
+ _TABLE_SUFFIX BETWEEN '202401' AND '202403'
91
+ AND type = 'DeleteEvent'
92
+ AND repo.name = 'owner/repo'
93
+ ORDER BY
94
+ created_at ASC
95
+ ```
96
+
97
+ ### Collaborator Permission Changes
98
+
99
+ ```sql
100
+ SELECT
101
+ created_at,
102
+ actor.login,
103
+ JSON_EXTRACT_SCALAR(payload, '$.action') AS action,
104
+ JSON_EXTRACT_SCALAR(payload, '$.member.login') AS member
105
+ FROM
106
+ `githubarchive.month.*`
107
+ WHERE
108
+ _TABLE_SUFFIX BETWEEN '202401' AND '202403'
109
+ AND type = 'MemberEvent'
110
+ AND repo.name = 'owner/repo'
111
+ ORDER BY
112
+ created_at ASC
113
+ ```
114
+
115
+ ### CI/CD Workflow Activity
116
+
117
+ ```sql
118
+ SELECT
119
+ created_at,
120
+ actor.login,
121
+ JSON_EXTRACT_SCALAR(payload, '$.action') AS action,
122
+ JSON_EXTRACT_SCALAR(payload, '$.workflow_run.name') AS workflow_name,
123
+ JSON_EXTRACT_SCALAR(payload, '$.workflow_run.conclusion') AS conclusion,
124
+ JSON_EXTRACT_SCALAR(payload, '$.workflow_run.head_sha') AS head_sha
125
+ FROM
126
+ `githubarchive.month.*`
127
+ WHERE
128
+ _TABLE_SUFFIX BETWEEN '202401' AND '202403'
129
+ AND type = 'WorkflowRunEvent'
130
+ AND repo.name = 'owner/repo'
131
+ ORDER BY
132
+ created_at ASC
133
+ ```
134
+
135
+ ### Actor Activity Profiling
136
+
137
+ ```sql
138
+ SELECT
139
+ type,
140
+ COUNT(*) AS event_count,
141
+ MIN(created_at) AS first_event,
142
+ MAX(created_at) AS last_event
143
+ FROM
144
+ `githubarchive.month.*`
145
+ WHERE
146
+ _TABLE_SUFFIX BETWEEN '202301' AND '202412'
147
+ AND actor.login = 'suspicious-username'
148
+ GROUP BY type
149
+ ORDER BY event_count DESC
150
+ ```
151
+
152
+ ---
153
+
154
+ ## Cost Optimization (MANDATORY)
155
+
156
+ 1. **Always dry run first**: Add `--dry_run` flag to `bq query` to see estimated bytes scanned before executing.
157
+ 2. **Use `_TABLE_SUFFIX`**: Narrow the date range as much as possible. `day.*` tables are cheapest for narrow windows; `month.*` for broader sweeps.
158
+ 3. **Select only needed columns**: Avoid `SELECT *`. The `payload` column is large — only select specific JSON paths.
159
+ 4. **Add LIMIT**: Use `LIMIT 1000` during exploration. Remove only for final exhaustive queries.
160
+ 5. **Column filtering in WHERE**: Filter on indexed columns (`type`, `repo.name`, `actor.login`) before payload extraction.
161
+
162
+ **Cost estimation**: A single month of GH Archive data is ~1-2 TiB uncompressed. Querying a specific repo + event type with `_TABLE_SUFFIX` typically scans 1-10 GiB ($0.006-$0.06).
163
+
164
+ ---
165
+
166
+ ## Accessing via the agent
167
+
168
+ **Option A: BigQuery CLI** (if `gcloud` is installed)
169
+ ```bash
170
+ bq query --use_legacy_sql=false --format=json "YOUR QUERY"
171
+ ```
172
+
173
+ **Option B: Python** (via `execute_code`)
174
+ ```python
175
+ from google.cloud import bigquery
176
+ client = bigquery.Client()
177
+ query = "YOUR QUERY"
178
+ results = client.query(query).result()
179
+ for row in results:
180
+ print(dict(row))
181
+ ```
182
+
183
+ **Option C: No GCP credentials available**
184
+ If BigQuery is unavailable, document this limitation in the report. Use the other 4 investigators (Git, GitHub API, Wayback Machine, IOC Enrichment) — they cover most investigation needs without BigQuery.
@@ -0,0 +1,131 @@
1
+ # Investigation Templates
2
+
3
+ Pre-built hypothesis and investigation templates for common supply chain attack scenarios.
4
+ Each template includes: attack pattern, key evidence to collect, and hypothesis starters.
5
+
6
+ ---
7
+
8
+ ## Template 1: Maintainer Account Compromise
9
+
10
+ **Pattern**: Attacker gains access to a legitimate maintainer account (phishing, credential stuffing)
11
+ and uses it to push malicious code, create backdoored releases, or exfiltrate CI secrets.
12
+
13
+ **Real-world examples**: XZ Utils (2024), Codecov (2021), event-stream (2018)
14
+
15
+ **Key Evidence to Collect**:
16
+ - [ ] Push events from maintainer account outside normal working hours/timezone
17
+ - [ ] Commits adding new dependencies, obfuscated code, or modified build scripts
18
+ - [ ] Release creation immediately after suspicious push (to maximize package distribution)
19
+ - [ ] MemberEvent adding unknown collaborators (attacker adding backup access)
20
+ - [ ] WorkflowRunEvent with unexpected secret access or exfiltration-like behavior
21
+ - [ ] Account login location changes (check social media, conference talks for corroboration)
22
+
23
+ **Hypothesis Starters**:
24
+ ```
25
+ [HYPOTHESIS] Actor <HANDLE>'s account was compromised on or around <DATE>,
26
+ based on anomalous commit timing [EV-XXXX] and geographic access patterns [EV-YYYY].
27
+ ```
28
+ ```
29
+ [HYPOTHESIS] Release <VERSION> was published by the compromised account to push
30
+ malicious code to downstream users, evidenced by the malicious commit [EV-XXXX]
31
+ being added <N> hours before the release [EV-YYYY].
32
+ ```
33
+
34
+ ---
35
+
36
+ ## Template 2: Malicious Dependency Injection
37
+
38
+ **Pattern**: A trusted package is modified to include malicious code in a dependency,
39
+ or a new malicious dependency is injected into an existing package.
40
+
41
+ **Key Evidence to Collect**:
42
+ - [ ] Diff of `package.json`/`requirements.txt`/`go.mod` before and after suspicious commit
43
+ - [ ] The new dependency's publication timestamp vs. the injection commit timestamp
44
+ - [ ] Whether the new dependency exists on npm/PyPI and who owns it
45
+ - [ ] Any obfuscation patterns in the injected dependency code
46
+ - [ ] Install-time scripts (`postinstall`, `setup.py`, etc.) that execute code on install
47
+
48
+ **Hypothesis Starters**:
49
+ ```
50
+ [HYPOTHESIS] Commit <SHA> [EV-XXXX] introduced dependency <PACKAGE@VERSION>
51
+ which appears to be a malicious package published by actor <HANDLE> [EV-YYYY],
52
+ designed to execute <BEHAVIOR> during installation.
53
+ ```
54
+
55
+ ---
56
+
57
+ ## Template 3: CI/CD Pipeline Injection
58
+
59
+ **Pattern**: Attacker modifies GitHub Actions workflows to steal secrets, exfiltrate code,
60
+ or inject malicious artifacts into the build output.
61
+
62
+ **Key Evidence to Collect**:
63
+ - [ ] Diff of all `.github/workflows/*.yml` files before/after suspicious period
64
+ - [ ] WorkflowRunEvents triggered by the modified workflows
65
+ - [ ] Any `curl`, `wget`, or network calls added to workflow steps
66
+ - [ ] New or modified `env:` sections referencing `secrets.*`
67
+ - [ ] Artifacts produced by modified workflow runs
68
+
69
+ **Hypothesis Starters**:
70
+ ```
71
+ [HYPOTHESIS] Workflow file <FILE> was modified in commit <SHA> [EV-XXXX] to
72
+ exfiltrate repository secrets via <METHOD>, as evidenced by the added network
73
+ call pattern [EV-YYYY].
74
+ ```
75
+
76
+ ---
77
+
78
+ ## Template 4: Typosquatting / Dependency Confusion
79
+
80
+ **Pattern**: Attacker registers a package with a name similar to a popular package
81
+ (or an internal package name) to intercept installs from users who mistype.
82
+
83
+ **Key Evidence to Collect**:
84
+ - [ ] Registration timestamp of the suspicious package on the registry
85
+ - [ ] Package content: does it contain malicious code or is it a stub?
86
+ - [ ] Download statistics for the suspicious package
87
+ - [ ] Names of internal packages that could be targeted (if private repo scope)
88
+ - [ ] Any references to the legitimate package in the malicious one's metadata
89
+
90
+ **Hypothesis Starters**:
91
+ ```
92
+ [HYPOTHESIS] Package <MALICIOUS_NAME> was registered on <DATE> [EV-XXXX] to
93
+ typosquat on <LEGITIMATE_NAME>, targeting users who misspell the package name.
94
+ The package contains <BEHAVIOR> [EV-YYYY].
95
+ ```
96
+
97
+ ---
98
+
99
+ ## Template 5: Force-Push History Rewrite (Evidence Erasure)
100
+
101
+ **Pattern**: After a malicious commit is detected (or before wider notice), the attacker
102
+ force-pushes to remove the malicious commit from branch history.
103
+
104
+ **Detection is key** — this template focuses on proving the erasure happened.
105
+
106
+ **Key Evidence to Collect**:
107
+ - [ ] GH Archive PushEvent with `distinct_size=0` (force push indicator) [EV-XXXX]
108
+ - [ ] The SHA of the commit BEFORE the force push (from GH Archive `payload.before`)
109
+ - [ ] Recovery of the erased commit via direct URL or `git fetch origin SHA`
110
+ - [ ] Wayback Machine snapshot of the commit page before erasure
111
+ - [ ] Timeline gap in git log (N commits visible in archive but M < N in current repo)
112
+
113
+ **Hypothesis Starters**:
114
+ ```
115
+ [HYPOTHESIS] Actor <HANDLE> force-pushed branch <BRANCH> on <DATE> [EV-XXXX]
116
+ to erase commit <SHA> [EV-YYYY], which contained <MALICIOUS_CONTENT>.
117
+ The erased commit was recovered via <METHOD> [EV-ZZZZ].
118
+ ```
119
+
120
+ ---
121
+
122
+ ## Cross-Cutting Investigation Checklist
123
+
124
+ Apply to every investigation regardless of template:
125
+
126
+ - [ ] Check all contributors for newly created accounts (< 30 days old at time of malicious activity)
127
+ - [ ] Check if any maintainer account changed email in the period (sign of account takeover)
128
+ - [ ] Verify GPG signatures on suspicious commits match known maintainer keys
129
+ - [ ] Check if the repository changed ownership or transferred orgs near the incident
130
+ - [ ] Look for "cleanup" commits immediately after the malicious commit (cover-up pattern)
131
+ - [ ] Check related packages/repos by the same author for similar patterns
@@ -0,0 +1,164 @@
1
+ # Deleted Content Recovery Techniques
2
+
3
+ ## Key Insight: GitHub Never Fully Deletes Force-Pushed Commits
4
+
5
+ Force-pushed commits are removed from the branch history but REMAIN on GitHub's servers until garbage collection runs (which can take weeks to months). This is the foundation of deleted commit recovery.
6
+
7
+ ---
8
+
9
+ ## Method 1: Direct GitHub URL (Fastest — No Auth Required)
10
+
11
+ If you have a commit SHA, access it directly even if it was force-pushed off a branch:
12
+
13
+ ```bash
14
+ # View commit metadata
15
+ curl -s "https://github.com/OWNER/REPO/commit/SHA"
16
+
17
+ # Download as patch (includes full diff)
18
+ curl -s "https://github.com/OWNER/REPO/commit/SHA.patch" > recovered_commit.patch
19
+
20
+ # Download as diff
21
+ curl -s "https://github.com/OWNER/REPO/commit/SHA.diff" > recovered_commit.diff
22
+
23
+ # Example (Istio credential leak - real incident):
24
+ curl -s "https://github.com/istio/istio/commit/FORCE_PUSHED_SHA.patch"
25
+ ```
26
+
27
+ **When this works**: SHA is known (from GH Archive, Wayback Machine, or `git fsck`)
28
+ **When this fails**: GitHub has already garbage-collected the object (rare, typically 30–90 days post-force-push)
29
+
30
+ ---
31
+
32
+ ## Method 2: GitHub REST API
33
+
34
+ ```bash
35
+ # Works for commits force-pushed off branches but still on server
36
+ # Note: /commits/SHA may 404, but /git/commits/SHA often succeeds for orphaned commits
37
+ curl -s "https://api.github.com/repos/OWNER/REPO/git/commits/SHA" | jq .
38
+
39
+ # Get the tree (file listing) of a force-pushed commit
40
+ curl -s "https://api.github.com/repos/OWNER/REPO/git/trees/SHA?recursive=1" | jq .
41
+
42
+ # Get a specific file from a force-pushed commit
43
+ curl -s "https://api.github.com/repos/OWNER/REPO/contents/PATH?ref=SHA" | jq .content | base64 -d
44
+ ```
45
+
46
+ ---
47
+
48
+ ## Method 3: Git Fetch by SHA (Local — Requires Clone)
49
+
50
+ ```bash
51
+ # Fetch an orphaned commit directly by SHA into local repo
52
+ cd target_repo
53
+ git fetch origin SHA
54
+ git log FETCH_HEAD -1 # view the commit
55
+ git diff FETCH_HEAD~1 FETCH_HEAD # view the diff
56
+
57
+ # If the SHA was recently force-pushed it will still be fetchable
58
+ # This stops working once GitHub GC runs
59
+ ```
60
+
61
+ ---
62
+
63
+ ## Method 4: Dangling Commits via git fsck
64
+
65
+ ```bash
66
+ cd target_repo
67
+
68
+ # Find all unreachable objects (includes force-pushed commits)
69
+ git fsck --unreachable --no-reflogs 2>&1 | grep "unreachable commit" | awk '{print $3}' > dangling_shas.txt
70
+
71
+ # For each dangling commit, get its metadata
72
+ while read sha; do
73
+ echo "=== $sha ===" >> dangling_details.txt
74
+ git show --stat "$sha" >> dangling_details.txt 2>&1
75
+ done < dangling_shas.txt
76
+
77
+ # Note: dangling objects only exist in LOCAL clone — not the same as GitHub's copies
78
+ # GitHub's copies are accessible via Methods 1-3 until GC runs
79
+ ```
80
+
81
+ ---
82
+
83
+ ## Recovering Deleted GitHub Issues and PRs
84
+
85
+ ### Via Wayback Machine CDX API
86
+
87
+ ```bash
88
+ # Find all archived snapshots of a specific issue
89
+ curl -s "https://web.archive.org/cdx/search/cdx?url=github.com/OWNER/REPO/issues/NUMBER&output=json&limit=50&fl=timestamp,statuscode,original" | python3 -m json.tool
90
+
91
+ # Fetch the best snapshot
92
+ # Use the timestamp from the CDX result:
93
+ # https://web.archive.org/web/TIMESTAMP/https://github.com/OWNER/REPO/issues/NUMBER
94
+ curl -s "https://web.archive.org/web/TIMESTAMP/https://github.com/OWNER/REPO/issues/NUMBER" > issue_NUMBER_archived.html
95
+
96
+ # Find all snapshots of the repo in a date range
97
+ curl -s "https://web.archive.org/cdx/search/cdx?url=github.com/OWNER/REPO*&output=json&from=20240101&to=20240201&limit=200&fl=timestamp,urlkey,statuscode" | python3 -m json.tool
98
+ ```
99
+
100
+ ### Via GitHub API (Limited — Only Non-Deleted Content)
101
+
102
+ ```bash
103
+ # Closed issues (not deleted) are retrievable
104
+ curl -s "https://api.github.com/repos/OWNER/REPO/issues?state=closed&per_page=100" | jq '.[].number'
105
+
106
+ # Note: DELETED issues/PRs do NOT appear in the API. Use Wayback Machine or GH Archive for those.
107
+ ```
108
+
109
+ ### Via GitHub Archive (For Event History — Not Content)
110
+
111
+ ```sql
112
+ -- Find all IssueEvents for a repo in a date range
113
+ SELECT created_at, actor.login, payload.action, payload.issue.number, payload.issue.title
114
+ FROM `githubarchive.day.*`
115
+ WHERE _TABLE_SUFFIX BETWEEN '20240101' AND '20240201'
116
+ AND type = 'IssuesEvent'
117
+ AND repo.name = 'OWNER/REPO'
118
+ ORDER BY created_at
119
+ ```
120
+
121
+ ---
122
+
123
+ ## Recovering Deleted Files from a Known Commit
124
+
125
+ ```bash
126
+ # If you have the commit SHA (even force-pushed):
127
+ git show SHA:path/to/file.py > recovered_file.py
128
+
129
+ # Or via API (base64 encoded content):
130
+ curl -s "https://api.github.com/repos/OWNER/REPO/contents/path/to/file.py?ref=SHA" | python3 -c "
131
+ import sys, json, base64
132
+ d = json.load(sys.stdin)
133
+ print(base64.b64decode(d['content']).decode())
134
+ "
135
+ ```
136
+
137
+ ---
138
+
139
+ ## Evidence Recording
140
+
141
+ After recovering any deleted content, immediately record it:
142
+
143
+ ```bash
144
+ python3 SKILL_DIR/scripts/evidence-store.py --store evidence.json add \
145
+ --source "git fetch origin FORCE_PUSHED_SHA" \
146
+ --content "Recovered commit: FORCE_PUSHED_SHA | Author: attacker@example.com | Date: 2024-01-15 | Added file: malicious.sh" \
147
+ --type git \
148
+ --actor "attacker-handle" \
149
+ --url "https://github.com/OWNER/REPO/commit/FORCE_PUSHED_SHA.patch" \
150
+ --timestamp "2024-01-15T00:00:00Z" \
151
+ --verification single_source \
152
+ --notes "Commit force-pushed off main branch on 2024-01-16. Recovered via direct fetch."
153
+ ```
154
+
155
+ ---
156
+
157
+ ## Recovery Failure Modes
158
+
159
+ | Failure | Cause | Workaround |
160
+ |---------|-------|------------|
161
+ | `git fetch origin SHA` returns "not our ref" | GitHub GC already ran | Try Method 1/2, search Wayback Machine |
162
+ | `github.com/OWNER/REPO/commit/SHA` returns 404 | GC ran or SHA is wrong | Verify SHA via GH Archive; try partial SHA search |
163
+ | Wayback Machine has no snapshots | Page was never crawled by IA | Check `commoncrawl.org`, check Google Cache |
164
+ | BigQuery shows event but no content | GH Archive stores event metadata, not file contents | Recovery only reveals the event occurred, not the content |
@@ -0,0 +1,151 @@
1
+ # Forensic Investigation Report
2
+
3
+ > **Instructions**: Fill in all sections. Every factual claim must cite at least one `[EV-XXXX]` evidence ID.
4
+ > Remove placeholder text and instruction notes before finalizing. Redact all secrets to `[REDACTED]`.
5
+
6
+ ---
7
+
8
+ ## Executive Summary
9
+
10
+ **Target Repository**: `OWNER/REPO`
11
+ **Investigation Period**: YYYY-MM-DD to YYYY-MM-DD
12
+ **Verdict**: <!-- Compromised / Clean / Inconclusive -->
13
+ **Confidence Level**: <!-- High / Medium / Low -->
14
+ **Report Date**: YYYY-MM-DD
15
+ **Investigator**: <!-- Agent session ID or analyst name -->
16
+
17
+ <!-- One paragraph: what was investigated, what was found, what is recommended. -->
18
+
19
+ ---
20
+
21
+ ## Timeline of Events
22
+
23
+ > All timestamps in UTC. Each event must cite at least one evidence ID.
24
+
25
+ | Timestamp (UTC) | Event | Evidence IDs | Source |
26
+ |-----------------|-------|--------------|--------|
27
+ | YYYY-MM-DDTHH:MM:SSZ | _Describe event_ | [EV-XXXX] | git / gh_api / gh_archive / web_archive |
28
+ | | | | |
29
+
30
+ ---
31
+
32
+ ## Validated Hypotheses
33
+
34
+ ### Hypothesis 1: <!-- Short title -->
35
+
36
+ **Status**: <!-- VALIDATED / INCONCLUSIVE / REJECTED -->
37
+
38
+ **Claim**: _Full statement of the hypothesis._
39
+
40
+ **Supporting Evidence**:
41
+ - [EV-XXXX]: _What this evidence shows_
42
+ - [EV-YYYY]: _What this evidence shows_
43
+
44
+ **Counter-Evidence Considered**: _What might disprove this, and why it was ruled out or not._
45
+
46
+ **Confidence**: <!-- High / Medium / Low, and why -->
47
+
48
+ ---
49
+
50
+ ## Indicators of Compromise (IOC List)
51
+
52
+ | Type | Value | Status | Evidence |
53
+ |------|-------|--------|----------|
54
+ | COMMIT_SHA | `abc123...` | Confirmed malicious | [EV-XXXX] |
55
+ | ACTOR_USERNAME | `handle` | Suspected compromised | [EV-YYYY] |
56
+ | FILE_PATH | `src/evil.js` | Confirmed malicious | [EV-ZZZZ] |
57
+ | DOMAIN | `evil-cdn.io` | Confirmed C2 | [EV-WWWW] |
58
+
59
+ ---
60
+
61
+ ## Affected Versions
62
+
63
+ | Version / Tag | Published | Contains Malicious Code | Evidence |
64
+ |---------------|-----------|------------------------|----------|
65
+ | `v1.2.3` | YYYY-MM-DD | Yes / No / Unknown | [EV-XXXX] |
66
+
67
+ ---
68
+
69
+ ## Evidence Registry
70
+
71
+ > Generated by: `python3 SKILL_DIR/scripts/evidence-store.py --store evidence.json export`
72
+
73
+ <!-- Paste the Markdown table output from the evidence-store.py export command here -->
74
+
75
+ | ID | Type | Source | Actor | Verification | Event Timestamp | URL |
76
+ |----|------|--------|-------|--------------|-----------------|-----|
77
+ | EV-0001 | | | | | | |
78
+
79
+ ---
80
+
81
+ ## Chain of Custody
82
+
83
+ > Generated by: `python3 SKILL_DIR/scripts/evidence-store.py --store evidence.json export`
84
+
85
+ <!-- Paste the chain of custody section from the export output here -->
86
+
87
+ | Evidence ID | Action | Timestamp | Source |
88
+ |-------------|--------|-----------|--------|
89
+ | EV-0001 | add | | |
90
+
91
+ ---
92
+
93
+ ## Technical Findings
94
+
95
+ ### Git History Analysis
96
+
97
+ _Summarize findings from local git analysis: dangling commits, reflog anomalies, unsigned commits, binary additions, etc._
98
+
99
+ ### GitHub API Analysis
100
+
101
+ _Summarize findings from GitHub REST API: deleted PRs/issues, contributor changes, release anomalies, etc._
102
+
103
+ ### GitHub Archive Analysis
104
+
105
+ _Summarize findings from BigQuery: force-push events, delete events, workflow anomalies, member changes, etc._
106
+ _Note: If BigQuery was unavailable, state this explicitly._
107
+
108
+ ### Wayback Machine Analysis
109
+
110
+ _Summarize findings from archive.org: recovered deleted pages, historical content differences, etc._
111
+
112
+ ### IOC Enrichment
113
+
114
+ _Summarize enrichment results: WHOIS data for domains, recovered commit content, actor account analysis, etc._
115
+
116
+ ---
117
+
118
+ ## Recommendations
119
+
120
+ ### Immediate Actions (If Compromise Confirmed)
121
+
122
+ - [ ] Rotate all GitHub tokens, API keys, and credentials that may have been exposed
123
+ - [ ] Pin dependency versions to hashes in all affected packages
124
+ - [ ] Publish a security advisory / CVE if applicable
125
+ - [ ] Notify downstream users/package registries (npm, PyPI, etc.)
126
+ - [ ] Revoke access for the compromised account and re-secure with hardware 2FA
127
+ - [ ] Audit all CI/CD workflow files for unauthorized modifications
128
+ - [ ] Review all releases published during the compromise window
129
+
130
+ ### Monitoring Recommendations
131
+
132
+ - [ ] Enable branch protection on `main`/`master` (require code review, disallow force-push)
133
+ - [ ] Enable required commit signing (GPG/SSH)
134
+ - [ ] Set up GitHub audit log streaming for future monitoring
135
+ - [ ] Pin critical dependencies to known-good SHAs in lock files
136
+
137
+ ---
138
+
139
+ ## Limitations and Caveats
140
+
141
+ - _List any data sources that were unavailable (e.g., no BigQuery access)_
142
+ - _Note any evidence that is single-source only (not independently verified)_
143
+ - _Note any hypotheses that could not be confirmed or denied_
144
+
145
+ ---
146
+
147
+ ## References
148
+
149
+ - Evidence store: `evidence.json` (SHA-256 integrity: run `python3 SKILL_DIR/scripts/evidence-store.py --store evidence.json verify`)
150
+ - Related issues: <!-- Link to GitHub issues, CVEs, security advisories -->
151
+ - RAPTOR framework: https://github.com/gadievron/raptor
@@ -0,0 +1,43 @@
1
+ # Malicious Package Investigation Report
2
+
3
+ ---
4
+
5
+ ## 📦 Package Metadata
6
+ - **Package Name**:
7
+ - **Registry**: [NPM / PyPI / RubyGems / etc.]
8
+ - **Affected Versions**:
9
+ - **Malicious Version(s)**:
10
+ - **Downloads at Time of Detection**:
11
+ - **Package URL**:
12
+
13
+ ---
14
+
15
+ ## 🚩 Indicators of Compromise (IOCs)
16
+ - **Malicious URL(s)**:
17
+ - **Exfiltrated Data Types**: [Environment variables, ~/.ssh/id_rsa, /etc/shadow, etc.]
18
+ - **Exfiltration Method**: [DNS tunneling, HTTP POST to C2, etc.]
19
+ - **C2 IP/Domain**:
20
+
21
+ ---
22
+
23
+ ## 🛠️ Analysis Summary
24
+ - **Primary Mechanism**: [Typosquatting / Dependency Confusion / Maintainer Takeover]
25
+ - **Behavior Description**:
26
+ - [Example: Installs a postinstall script that exfiltrates environment variables.]
27
+ - [Example: Patches `setup.py` to download a secondary payload.]
28
+
29
+ ---
30
+
31
+ ## 🔍 Evidence Registry
32
+ | Evidence ID | Type | Source | Description |
33
+ |-------------|------|--------|-------------|
34
+ | EV-XXXX | ioc | NPM | Package install script snapshot |
35
+ | EV-YYYY | web | Wayback| Historical version comparison |
36
+
37
+ ---
38
+
39
+ ## 🛡️ Recommended Mitigations
40
+ 1. [ ] Unpublish/Report the package to the registry.
41
+ 2. [ ] Audit `package-lock.json` or `requirements.txt` across all projects.
42
+ 3. [ ] Rotate secrets exfiltrated via environment variables.
43
+ 4. [ ] Pin specific hashes (SHASUM) for mission-critical dependencies.