What Ships in v0.4.13
This release adds 9 new detections across 5 Go modules and the Rust sidecar, plus a polyglot file validator. Every detection uses regex, heuristics, or threshold-based logic — zero external dependencies, zero ML calls, single binary.
The detections target three active CVEs from this week's threat landscape (yt-dlp RCE, Astro SSRF, Cisco auth bypass), four indirect prompt injection techniques that bypass visible-text scanners, agent lateral movement tracking, and a TLS post-quantum readiness check. The Rust sidecar gets matching pattern coverage and a magic byte validator that catches executables disguised as safe file types.
Runtime Watcher: yt-dlp RCE and Library Path Hijacking
Two new detections in the Runtime Watcher module target argument-based command injection and environment variable manipulation.
yt-dlp Argument-Based RCE (CVE-2026-26331)
yt-dlp and youtube-dl accept arguments like --netrc-cmd, --exec, --plugin-dirs, and --exec-before-download that execute arbitrary commands. In agentic workflows where an AI agent downloads media, an attacker can inject these flags through crafted URLs or metadata. The detection flags any yt-dlp invocation containing dangerous arguments at CRITICAL severity. Safe usage like yt-dlp -f best is not flagged.
Library Load Path Hijacking
Detects commands that set LD_PRELOAD, LD_LIBRARY_PATH, PYTHONPATH, or DYLD_INSERT_LIBRARIES to non-system paths. An attacker who controls a writable directory can place a malicious shared library there and hijack any process that loads it. The detection checks whether the referenced path is under standard system library directories (/usr/lib, /lib, /lib64) and alerts on anything else.
LLM Firewall: Zero-Width Injection and RAG Override
Four new patterns bring the LLM Firewall to 72 compiled input patterns, targeting indirect prompt injection techniques that bypass visible-text scanners.
Zero-Width Character Injection
Detects zero-width spaces (U+200B), zero-width joiners (U+200D), byte order marks (U+FEFF), word joiners (U+2060), and Mongolian vowel separators (U+180E) in LLM input. Attackers embed invisible instructions between these characters that the LLM reads but humans cannot see. Flagged at CRITICAL severity.
Hidden Markdown Directives and RAG Context Override
Two patterns detect attempts to override previous instructions via markdown (ignore/skip/disregard previous instructions) and RAG context poisoning where injected documents claim to contain "real" or "actual" instructions. A fourth pattern catches hidden markdown images with null bytes that can exfiltrate data via image URLs.
API Fortress: SSRF Evasion and Stateful Auth Bypass
The API Fortress module gets three SSRF evasion detections and a stateful authentication flow tracker.
SSRF Evasion: Decimal IP, Octal IP, Astro Redirect
Attackers bypass SSRF filters by encoding 169.254.169.254 as its decimal equivalent (2852039166) or using dotted octal notation (0251.0376.0251.0376). The Astro framework redirect SSRF (CVE-2026-25545) uses /_astro/redir?url= to bounce requests to internal endpoints. All three evasion techniques are now detected in both the Go SSRF detector and the Rust sidecar pattern engine.
Stateful Auth Flow Tracking (CVE-2026-20127)
A new LRU-backed auth flow tracker records authentication success events. When a request hits an /admin endpoint, the tracker checks whether that session had a recent authentication event (within 15 minutes). Requests to admin endpoints without a preceding login are flagged at CRITICAL severity. This catches logic-based authentication bypasses like CVE-2026-20127 where attackers skip the login step entirely.
AI Containment: Auto-Hash and Lateral Movement Tracking
Two improvements to the AI Containment module strengthen tool integrity verification and add network-level agent behavior monitoring.
Tool Integrity Auto-Hash
When an agent tool call arrives without a pre-computed hash, the containment module now automatically computes a SHA-256 hash from the tool description and parameters. This means every tool invocation gets integrity tracking even when the agent framework does not provide hashes natively.
Agent Lateral Movement Detection
The web fetch monitor now tracks external-to-internal domain transitions. When an agent fetches from an external domain and then immediately accesses internal infrastructure (localhost, 10.x, 192.168.x, .internal, .local), the lateral movement score increments. A score above 2 triggers an alert. This catches compromised agents that pivot from attacker-controlled servers to internal resources.
Quantum Crypto: PQ Curve Inventory Check
The Quantum Crypto Monitor now inspects TLS handshake supported_groups to flag connections that propose only classical key exchange curves (X25519, secp256r1, secp384r1) without any post-quantum option (ML-KEM, Kyber, X25519Kyber768). Reported at INFO severity as a migration readiness indicator. Hybrid PQ handshakes pass without alerts.
Rust Sidecar: Arg-Based RCE Patterns, SSRF Evasion, Magic Byte Validation
The Rust high-performance engine gets matching pattern coverage for the new Go detections plus a polyglot file validator.
New Pattern Functions
argbased_rce_patterns() adds yt-dlp and ffmpeg argument-based RCE detection with Aho-Corasick pre-filtering for hot-path performance. ssrf_evasion_patterns() adds decimal IP, Astro redirect, and dotted octal IP detection. Both integrate with the existing all_patterns() pipeline and pass AC-vs-regex parity tests.
Polyglot File Magic Byte Validation
validate_magic() checks file content magic bytes against declared file extensions. It detects ELF executables, PE binaries, Java class files, and WebAssembly modules disguised as images, PDFs, CSVs, or other safe file types. It validates 18 file formats with known magic byte signatures and flags any mismatch. This catches polyglot file attacks where an attacker uploads a valid-looking PNG that is actually an ELF binary.
Test Coverage
20 new Go tests across 5 modules and 17 new Rust tests covering all new patterns and the magic byte validator. All 147 Rust tests pass. All 19 Go test packages pass. Tests include false-positive checks to verify safe usage does not trigger alerts.
Full Changelog
Runtime Watcher: yt-dlp argument-based RCE detection (CVE-2026-26331). Library load path hijacking detection (LD_PRELOAD, PYTHONPATH, DYLD_INSERT_LIBRARIES from non-system paths).
LLM Firewall: 4 new patterns (68 → 72 compiled input patterns). Zero-width character injection, hidden markdown image exfiltration, hidden markdown directives, RAG context override.
API Fortress: SSRF evasion detection for decimal IP, dotted octal IP, and Astro redirect (CVE-2026-25545). Stateful auth flow tracker with LRU cache for logic-based auth bypass detection (CVE-2026-20127). Path-level cloud metadata pattern matching.
AI Containment: Auto-hash computation for tool integrity when hash not provided. Lateral movement detection tracking external→internal domain transitions.
Quantum Crypto: PQ curve inventory check on TLS handshake supported_groups.
Rust Sidecar: argbased_rce_patterns() and ssrf_evasion_patterns() with AC pre-filtering. validate_magic() polyglot file validator for 18 file formats.
Tests: 20 new Go tests, 17 new Rust tests. 147 total Rust tests, all passing.
Upgrading
curl -fsSL https://1-sec.dev/get | sh
All new detections activate automatically with default thresholds. No configuration changes required. If you are running a custom enforcement preset, re-apply it after updating to pick up the new module capabilities.