litmus
Think of litmus as ClamAV for AI-powered malware detection: a local scanner backed by open models that improve as newly observed malware behavior is captured, labeled, and folded back through cyclotron, Atomdrift's live training loop.
Hand it a path; it scans, classifies, and exits with a status code your CI can act on. Whatever cleave decomposes, litmus classifies — across 20+ languages and six binary formats. Everything runs locally and deterministically: the same input always yields the same verdict — no network, no API keys, no telemetry, no probabilistic LLM output.
Today it runs scan-v16 from litmus-models by default, with preview support for azoth ensemble bundles — a general model plus optional specialists, routed per file. The default model is still beta quality — false positives are real, false negatives are real, and the thresholds will move. Use it for triage and evaluation; don't wire it into a production gate yet. Litmus runs any model trained on cleave's capability schema, so if neither the defaults (--threshold-hostile, --threshold-suspicious) nor the model match your threat model, swap them.
Capabilities
- File scanning — files, directories, and archives, classified against a local AI model
- Process scanning — running processes, by way of the on-disk image (memory-resident analysis is not yet implemented)
- Pluggable models — runs any model trained on cleave's capability schema
- Ensemble bundles (preview) — azoth-style bundles with a general model plus optional per-filetype and per-filegroup specialists, routed at scan time
- Worker telemetry — Hopper workers report litmus and traits versions, RSS, load, and available tools
Differential analysis — comparing two versions of a package to surface newly-introduced malicious capabilities — is in development. It's aimed at catching compromised dependency updates, where the signal is the diff, not the artifact.
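An added example, not litmus code and not output from the in-development feature, showing why the diff carries the signal: it compares per-file capability sets for two versions of a package and separates capabilities that are new to the package from ones that only moved between files. The capability labels, file names, and the path-to-capabilities layout are constructed for illustration and are assumptions, not cleave's actual schema.

```python
from typing import Dict, Set

CapMap = Dict[str, Set[str]]  # file path -> capability labels found in that file

# Constructed sample data: labels are illustrative, not cleave's real schema.
OLD: CapMap = {
    "index.js": {"net/http/get", "fs/read"},
    "lib/util.js": {"crypto/hash"},
}
NEW: CapMap = {
    "index.js": {"net/http/get", "fs/read"},
    "lib/helpers.js": {"crypto/hash"},  # util.js renamed, same behavior
    "scripts/postinstall.js": {"exec/shell", "net/http/get", "env/read"},
}

def package_caps(files: CapMap) -> Set[str]:
    """Union of every capability seen anywhere in one package version."""
    caps: Set[str] = set()
    for file_caps in files.values():
        caps |= file_caps
    return caps

def diff_capabilities(old: CapMap, new: CapMap) -> dict:
    """Report capabilities gained between versions, per package and per file."""
    old_pkg, new_pkg = package_caps(old), package_caps(new)
    introduced = new_pkg - old_pkg  # never present anywhere in the old version
    per_file = {}
    for path, caps in new.items():
        gained = caps - old.get(path, set())
        if not gained:
            continue  # file unchanged in capability terms
        per_file[path] = {
            "file_added": path not in old,
            # Highest-value signal: behavior the package did not have before.
            "new_to_package": sorted(gained & introduced),
            # Lower-value: existed elsewhere already (rename or refactor).
            "moved_within_package": sorted(gained - introduced),
        }
    return {
        "introduced": sorted(introduced),
        "removed": sorted(old_pkg - new_pkg),
        "per_file": per_file,
    }

if __name__ == "__main__":
    import json
    print(json.dumps(diff_capabilities(OLD, NEW), indent=2))
```

Scanned alone, the new version's network and file reads look like the old one; the diff isolates the shell execution and environment read that arrived with the added install script.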
Install
Homebrew (macOS or Linux):
brew tap atomdrift/tap https://codeberg.org/atomdrift/homebrew-tap.git
brew install atomdrift/tap/litmus
From source:
git clone --depth 1 https://codeberg.org/atomdrift/litmus.git
cd litmus
make install
Usage
$ litmus scan <path>
For more thorough results, install Rizin (binary reverse-engineering) and UPX (unpacker).