// case comparison
supply chain vs key leak
engineering sees a suspicious binary or cloud API abuse and assumes 'we got hacked through a dependency.' the two cases are different: a supply-chain compromise means a signed artifact or the build system itself was poisoned upstream of you; an API key leak means a credential landed in git history and was then used during an abuse window at the cloud service provider (CSP). evidence sources, IR scope and legal notification obligations all differ.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
supply chain compromise
package compromise, build-system intrusion, signed-update poisoning. needs SBOM + dependency + build artifact analysis.
- 01 yara scanner: write YARA-like rules · scan any file locally · string and byte pattern matching · condition logic · export match report · runs locally
- 02 yara rule scanner: write YARA rules or use 50+ built-in rules · drop any binary to scan · condition matching · string search · hex patterns · offset anchors · export matches · runs locally
- 03 pe analyzer: drop a Windows executable · parse PE headers · sections · imports · exports · entropy per section · detect packers · imphash · runs locally
- 04 pe static analyzer: drop any .exe · .dll · .sys · parse PE headers · import table · suspicious API categories · section entropy · packer fingerprint · anomaly detection · export report · runs locally
- 05 PE compile timestamp vs filesystem timestamp conflict detector: drop an MFT csv or file listing with PE headers · extract compile timestamps from PE headers · detect files whose filesystem timestamps are earlier than their compile timestamp · surface impossible binaries indicating timestomping (or a forged compile stamp) · runs locally
- 06 imphash calculator: drop a PE file · compute Mandiant-style import hash · list all imports · compare with known samples · runs locally
- 07 binary compiler and language identifier: drop PE, ELF or Mach-O binaries · identify compiled language · go · rust · nim · compiled python · dlang · zig · detect compiler version · extract build metadata · language-specific string patterns · runs locally
- 08 source code style forensic fingerprinter: drop source code or decompiled text · analyze indentation · naming · comments · APIs · stylometric fingerprint · compare authorship · runs locally
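The check behind tool 05 above, as an added example (not that tool's code): it reads the COFF TimeDateStamp out of constructed minimal MZ/PE headers, compares it with $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) creation times from a constructed MFT-style CSV, and keeps apart the three things a bare "created before compiled" rule lumps together: a real timestomp, a zero stamp (Go and other reproducible builds write 0 here) and an implausible future stamp (forged header). The CSV column names, paths and every timestamp are assumptions of this example.

```python
"""Compile-stamp vs filesystem-stamp conflicts for PE files (added example)."""
import csv
import io
import struct
from datetime import datetime, timedelta, timezone


def parse_iso(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def epoch(s: str) -> int:
    return int(parse_iso(s).timestamp())


def build_min_pe(timedatestamp: int) -> bytes:
    """Constructed 88-byte MZ/PE stub: DOS header with e_lfanew=0x40, the PE
    signature and a COFF header carrying TimeDateStamp. Not a loadable image."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timedatestamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes):
    """COFF TimeDateStamp as an aware UTC datetime; None if the data is not a
    PE or the stamp is zero (reproducible builds and Go binaries ship zero)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]          # 8 bytes into the PE header
    return datetime.fromtimestamp(ts, tz=timezone.utc) if ts else None


# constructed file listing: MFT-style rows with $SI and $FN creation times
SAMPLE_MFT = r"""path,si_created,fn_created
C:\Windows\System32\svchost.exe,2019-03-19T04:49:37Z,2019-03-19T04:49:37Z
C:\Users\bob\AppData\Local\Temp\update.exe,2018-01-01T00:00:00Z,2024-05-03T11:22:10Z
C:\ProgramData\agent\agent.exe,2024-05-03T12:00:00Z,2024-05-03T12:00:00Z
C:\Tools\gotool.exe,2024-02-10T08:00:00Z,2024-02-10T08:00:00Z
"""
# constructed headers for the same paths
SAMPLE_PE = {
    r"C:\Windows\System32\svchost.exe": build_min_pe(epoch("2019-03-19T04:00:00Z")),
    r"C:\Users\bob\AppData\Local\Temp\update.exe": build_min_pe(epoch("2024-05-03T11:20:00Z")),
    r"C:\ProgramData\agent\agent.exe": build_min_pe(epoch("2031-01-01T00:00:00Z")),
    r"C:\Tools\gotool.exe": build_min_pe(0),
}


def find_conflicts(mft_csv: str, pe_by_path: dict, now: datetime, slack_days: int = 2) -> list:
    """One finding per file whose timestamps cannot all be true. Order matters:
    a future compile stamp is a forged header, so it is reported instead of
    (not in addition to) the 'created before compile' rule it would also trip."""
    findings = []
    for row in csv.DictReader(io.StringIO(mft_csv)):
        data = pe_by_path.get(row["path"])
        if data is None:
            continue
        compiled = pe_compile_time(data)
        si, fn = parse_iso(row["si_created"]), parse_iso(row["fn_created"])
        reasons = []
        if compiled is None:
            reasons.append("no usable compile stamp (zero or not PE): cannot compare")
        elif compiled > now + timedelta(days=slack_days):
            reasons.append("compile stamp in the future: forged header, not a timestomp signal")
        elif si < compiled:
            reasons.append("$SI created before compile time: timestomped (or the stamp itself is forged)")
        if fn > si:
            reasons.append("$FN created after $SI created: $SI was set back after the file landed")
        if reasons:
            findings.append({"path": row["path"], "compiled": compiled, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_conflicts(SAMPLE_MFT, SAMPLE_PE, datetime.now(tz=timezone.utc)):
        print(f["path"], f["compiled"], *f["reasons"], sep="\n  ")
```

The $FN rule is the cross-check a practitioner wants next to the compile-stamp rule: SetFileTime can backdate $SI but not $FN, so $SI older than $FN is a timestomp signal on its own, and it still fires when the compile stamp is useless. One caveat: MSVC `/Brepro` writes a content hash into TimeDateStamp, so a random-looking date on a legitimately built binary is not by itself evidence of forgery.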
API key leak / repo compromise
leaked credential in git history → cloud abuse window → cost spike + lateral movement. correlate VCS (GitHub audit log) and CSP (CloudTrail) audit logs.
- 01 git repository forensic analyzer: drop a .git directory or git bundle file · extract full commit history · recover deleted commits via reflog · stash contents · author metadata · file change history · detect secret leaks in history · runs locally
- 02 github audit log parser: json or jsonl audit export · parses the action, actor, org and repo fields · covers repo, org, hook, oauth, protected-branch and secret-scanning events · suspicious flags · export csv · runs locally
- 03 github audit log analyzer: drop a github enterprise audit log json or csv export · parse repository and organization events · surface suspicious access patterns, force pushes, secret scanning alerts and member changes · reconstruct git activity timeline · runs locally
- 04 aws cloudtrail forensic deep analyzer: drop cloudtrail json logs · detect privilege escalation paths · credential theft · data exfiltration · lateral movement between services · unusual api patterns · flag attacker ips · runs locally
- 05 aws cloudtrail log forensic analyzer: drop aws cloudtrail json log files or csv export · parse api call records across all aws services · surface credential abuse, privilege escalation, data exfiltration and infrastructure manipulation · reconstruct attacker activity timeline · runs locally
- 06 aws iam policy analyzer: paste iam policy json · effective permissions · wildcard expansion · risks · escalation hints · plain english · runs locally
- 07 iam escalation graph: iam policy json · wildcard expansion · 15 escalation patterns · attack chains · severity · csv + json export · runs locally
- 08 kubernetes secrets decoder: paste secret yaml or json · decode base64 · credential hints · redact toggle · runs locally · keys stay in browser
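Worked example of the correlation this case type turns on (leak → abuse window → VCS/CSP join), added here and not code from any tool listed above: it scans a constructed `git log -p --all --date=iso-strict` excerpt for AKIA/ghp_ tokens, pulls the CloudTrail events made with the leaked access key id after the commit that introduced it, separates them from the key's pre-leak source-IP baseline, flags IAM escalation calls and AccessDenied churn, then looks for GitHub audit log clone events inside that window. CloudTrail field names are the real ones; the audit log `actor_ip` column, the commits, records and IPs are constructed assumptions, and the key ids are AWS's documented example ids.

```python
import json
import re
from datetime import datetime, timezone

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # long-term IAM user key id
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),       # classic GitHub PAT
}
# IAM calls that turn a leaked key into persistence or more privilege
ESCALATION = {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
              "CreateLoginProfile", "UpdateLoginProfile", "AttachRolePolicy"}

def parse_ts(s: str) -> datetime:
    """ISO-8601 with 'Z' or a numeric offset → aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

# constructed `git log -p --all --date=iso-strict` excerpt, newest first: the key was
# "removed" on 2024-05-02 but the commit that added it is still reachable
GIT_LOG = """\
commit 8b77e10
Date:   2024-05-02T16:40:00+00:00
-export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+export AWS_ACCESS_KEY_ID="$DEPLOY_KEY"
commit 3f2a9c1
Date:   2024-05-01T09:12:00+00:00
+++ b/deploy.sh
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

def scan_git_log(text: str) -> list:
    """Secrets on added lines, attributed to the earliest commit that introduced
    them; that commit's date is the start of the exposure window."""
    sha, when, hits = None, None, {}
    for line in text.splitlines():
        if line.startswith("commit "):
            sha, when = line.split()[1], None
        elif line.startswith("Date:"):
            when = parse_ts(line.split(None, 1)[1].strip())
        elif line.startswith("+") and not line.startswith("+++"):
            for kind, rx in SECRET_PATTERNS.items():
                for m in rx.finditer(line):
                    h = hits.setdefault(m.group(0), {"kind": kind, "sha": sha, "leaked_at": when})
                    if when < h["leaked_at"]:
                        h.update(sha=sha, leaked_at=when)
    return [dict(value=v, **h) for v, h in hits.items()]

def ct(t, name, source, key, ip, err=None) -> dict:
    r = {"eventTime": t, "eventName": name, "eventSource": source,
         "userIdentity": {"type": "IAMUser", "accessKeyId": key}, "sourceIPAddress": ip}
    return {**r, "errorCode": err} if err else r

K = "AKIAIOSFODNN7EXAMPLE"
CLOUDTRAIL = {"Records": [  # constructed records with only the fields read below
    ct("2024-04-30T08:00:00Z", "GetObject", "s3.amazonaws.com", K, "203.0.113.10"),  # CI, pre-leak
    ct("2024-05-01T21:05:00Z", "GetCallerIdentity", "sts.amazonaws.com", K, "198.51.100.7"),
    ct("2024-05-01T21:06:30Z", "CreateUser", "iam.amazonaws.com", K, "198.51.100.7"),
    ct("2024-05-01T21:07:00Z", "AttachUserPolicy", "iam.amazonaws.com", K, "198.51.100.7", "AccessDenied"),
    ct("2024-05-01T21:15:00Z", "RunInstances", "ec2.amazonaws.com", K, "198.51.100.7"),
    ct("2024-05-02T10:00:00Z", "ListBuckets", "s3.amazonaws.com", "AKIAI44QH8DHBEXAMPLE", "203.0.113.10"),
]}

def abuse_window(leak: dict, trail: dict) -> dict:
    """Calls made with the leaked key after its introducing commit, compared with
    the source IPs that key used before the leak (the legitimate baseline)."""
    key, t0 = leak["value"], leak["leaked_at"]
    mine = [r for r in trail["Records"] if r["userIdentity"].get("accessKeyId") == key]
    baseline_ips = {r["sourceIPAddress"] for r in mine if parse_ts(r["eventTime"]) < t0}
    post = sorted((r for r in mine if parse_ts(r["eventTime"]) >= t0), key=lambda r: r["eventTime"])
    return {
        "key": key, "leaked_at": t0,
        "first_abuse": parse_ts(post[0]["eventTime"]) if post else None,
        "last_abuse": parse_ts(post[-1]["eventTime"]) if post else None,
        "new_ips": sorted({r["sourceIPAddress"] for r in post} - baseline_ips),
        "escalation": [r["eventName"] for r in post if r["eventName"] in ESCALATION and "errorCode" not in r],
        "denied": [r["eventName"] for r in post if "errorCode" in r],
    }

# constructed GitHub audit log export; @timestamp is epoch ms, actor_ip is an assumed column
GITHUB_AUDIT = [
    {"@timestamp": 1714554750000, "action": "git.push", "actor": "dev", "repo": "org/infra", "actor_ip": "192.0.2.5"},           # 2024-05-01T09:12:30Z
    {"@timestamp": 1714595460000, "action": "git.clone", "actor": "contractor-bot", "repo": "org/infra", "actor_ip": "198.51.100.7"},  # 2024-05-01T20:31:00Z
]

def clones_in_window(events: list, window: dict) -> list:
    """Repo reads between the leaking commit and the first abusive call are the candidate
    exfil path; an actor_ip that also shows up in CloudTrail is the strong link."""
    lo, hi = window["leaked_at"], window["first_abuse"] or datetime.max.replace(tzinfo=timezone.utc)
    out = []
    for e in events:
        t = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)
        if e["action"] in ("git.clone", "git.fetch") and lo <= t <= hi:
            out.append({**e, "ip_matches_cloud": e.get("actor_ip") in window["new_ips"]})
    return out

if __name__ == "__main__":
    for leak in scan_git_log(GIT_LOG):
        w = abuse_window(leak, CLOUDTRAIL)
        print(json.dumps({**w, "clones": clones_in_window(GITHUB_AUDIT, w)}, default=str, indent=2))
```

Two design points matter for scoping. The window starts at the introducing commit, not at the commit that "removed" the key, because the old blob stays reachable from history and reflog; and the pre-leak baseline is what lets you call a source IP new rather than just active, which is the difference between "CI used this key" and "someone else used this key".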
editorial overlap
2 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward supply chain if you see…
- compile-timestamp vs deploy-timestamp conflict on shipped binary artifact
- typosquat package metadata or dependency-confusion signature in SBOM/build export
- SLSA provenance gap or code-signing chain break on the deployed artifact, with no leaked git credential pattern
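One way to check an SBOM export for the typosquat and dependency-confusion signals above, as an added example and not a tool from this page: a constructed CycloneDX fragment is parsed, components whose name looks internal but whose purl carries no private-registry `repository_url` qualifier are flagged for dependency confusion (the public registry would resolve that name for anyone who publishes it), and names one edit away from a popular package in the same ecosystem, by optimal string alignment distance, are flagged as typosquat candidates. The `acme-` prefix, the registry host and the popular-package list are assumptions.

```python
import json

INTERNAL_PREFIXES = ("acme-",)                 # assumed internal package naming convention
INTERNAL_REGISTRY = "artifacts.acme.internal"  # assumed private registry host
POPULAR = {"npm": {"lodash", "express", "react", "axios"},
           "pypi": {"requests", "urllib3", "numpy", "cryptography"}}

# constructed CycloneDX 1.5 fragment: two look-alike names, one internal package pinned
# to the private registry via the purl repository_url qualifier and one that is not
SBOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
 {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
 {"name": "lodahs", "version": "1.0.2", "purl": "pkg:npm/lodahs@1.0.2"},
 {"name": "acme-billing-core", "version": "2.3.0", "purl": "pkg:npm/acme-billing-core@2.3.0"},
 {"name": "acme-auth", "version": "1.9.1",
  "purl": "pkg:npm/acme-auth@1.9.1?repository_url=https://artifacts.acme.internal/npm/"},
 {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
 {"name": "reqeusts", "version": "0.0.1", "purl": "pkg:pypi/reqeusts@0.0.1"}
]}""")

def parse_purl(purl: str):
    """pkg:type/name@version?k=v → (type, name, version, qualifiers). Minimal: no
    percent-decoding and no namespace handling, enough for the checks below."""
    body, _, qual = purl[len("pkg:"):].partition("?")
    path, _, version = body.partition("@")
    ptype, _, name = path.partition("/")
    qualifiers = dict(kv.split("=", 1) for kv in qual.split("&") if kv)
    return ptype, name, version, qualifiers

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def triage(sbom: dict) -> list:
    """(name, reason) pairs for components that carry a supply-chain signal."""
    findings = []
    for c in sbom["components"]:
        ptype, name, _, q = parse_purl(c["purl"])
        # dependency confusion: an internal-looking name with no private-registry pin
        # resolves from the public registry, where anyone can publish that name
        if name.startswith(INTERNAL_PREFIXES) and INTERNAL_REGISTRY not in q.get("repository_url", ""):
            findings.append((name, "dependency-confusion: internal name not pinned to private registry"))
        # typosquat: one edit away from a popular package in the same ecosystem
        popular = POPULAR.get(ptype, set())
        near = [p for p in sorted(popular) if name not in popular and osa_distance(name, p) == 1]
        if near:
            findings.append((name, f"typosquat candidate: 1 edit from {near[0]}"))
    return findings

if __name__ == "__main__":
    for name, reason in triage(SBOM):
        print(f"{name}: {reason}")
```

The transposition case is why plain Levenshtein is the wrong metric here: `lodahs` and `reqeusts` are each one adjacent swap from the real name, which Levenshtein counts as two edits and would miss at a threshold of 1. Run the same triage on the lockfile-derived SBOM from the build export, not on a hand-maintained manifest, since the resolved dependency set is what actually shipped.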
lean toward key leak if you see…
- AKIA (AWS access key id) or ghp_ (GitHub PAT) token in git history, reflog, or a secret scanning alert
- GitHub audit log clone/push event correlated with a CloudTrail IAM escalation window
- IAM escalation or k8s secrets decode driven by a leaked cloud credential, with no build-system poisoning artifact