// reference investigation

helix-supply-chain-compromise — CI build pipeline poison

Helix Analytics updater build compromised — timestomped PE artifacts, trojanized build agent source, and YARA-detectable backdoor strings in signed release path. Fully synthetic.

what this proves

  • all eight supply-chain-compromise primary engines produce deterministic, fixture-locked output — verified by npm run check:flagship (80/80 fleet · 8 for this scenario).
  • every output is generated 100% locally in your browser — hash binaries offline, never upload build artifacts.
  • YARA backdoor hits, PE import drift vs baseline, compile vs filesystem timestomp conflicts, imphash clustering, and build-agent source stylometry surface without sending evidence to a server.

primary engines locked to this fixture

build the case binder

runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for supply chain — no upload.

download the synthetic evidence

MIT-licensed, fully synthetic. includes poisoned and baseline PE builds, MFT-style artifact inventory, custom YARA rules, and trojanized vs vendor build-agent source.

built deterministically from scripts/fixtures/build-helix-supply-chain-compromise.mjs. seed: helix-supply-chain-compromise:v1.

methodology

supply-chain poison hides behind a valid signature. work in this order: YARA first, then PE diff vs baseline, then compile vs filesystem timestomp, then imphash scope and source stylometry on the build agent. read the full supply chain compromise guide →
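
The compile vs filesystem timestomp step, as an added example (not the project's engine code): it reads the PE header's TimeDateStamp and flags artifacts whose filesystem modified time precedes it. The inventory field names (`path`, `modified`, `pe`), the 300-second tolerance, and the sample rows are assumptions constructed for illustration.

```javascript
// Added example. Field names (path, modified, pe) and the tolerance are assumptions.

// Read IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch) from a PE image.
// Caveat: reproducible-build linkers may store a non-time value in this field.
function peCompileTime(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (bytes.length < 0x40 || view.getUint16(0, true) !== 0x5a4d) {
    throw new Error("not an MZ image");
  }
  const peOff = view.getUint32(0x3c, true); // e_lfanew
  if (peOff + 24 > bytes.length || view.getUint32(peOff, true) !== 0x00004550) {
    throw new Error("missing PE signature");
  }
  return view.getUint32(peOff + 8, true); // signature (4) + Machine (2) + NumberOfSections (2)
}

// Flag artifacts whose filesystem "modified" time is earlier than the time the
// linker stamped into the header: a file cannot be last written before it was built.
function timestompConflicts(rows, toleranceSec = 300) {
  const findings = [];
  for (const row of rows) {
    const compiled = peCompileTime(row.pe);
    const modified = Math.floor(Date.parse(row.modified) / 1000);
    const skewSec = compiled - modified;
    if (skewSec > toleranceSec) {
      findings.push({ path: row.path, skewSec, compiled: new Date(compiled * 1000).toISOString() });
    }
  }
  return findings;
}

// Constructed sample: a minimal MZ/PE header holding only the fields read above.
function fakePe(compileEpoch) {
  const bytes = new Uint8Array(0x80);
  const view = new DataView(bytes.buffer);
  view.setUint16(0, 0x5a4d, true);         // "MZ"
  view.setUint32(0x3c, 0x40, true);        // e_lfanew
  view.setUint32(0x40, 0x00004550, true);  // "PE\0\0"
  view.setUint32(0x48, compileEpoch, true);
  return bytes;
}

// Constructed inventory rows (paths and times are illustrative, not from the fixture).
const inventory = [
  { path: "baseline/updater.exe", modified: "2024-03-01T10:00:00Z", pe: fakePe(Date.UTC(2024, 2, 1, 9, 58) / 1000) },
  { path: "release/updater.exe", modified: "2024-03-01T10:00:00Z", pe: fakePe(Date.UTC(2024, 2, 9, 3, 12) / 1000) },
];

console.log(timestompConflicts(inventory));
```

A hit here is a lead, not a verdict: confirm it against the YARA and PE-diff results before treating the artifact as poisoned.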

after the playbook

run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across YARA hits, PE compile vs deploy conflict, and build-agent poison — still zero upload.

synthetic scenario only · no real org · no real build pipeline · grading rubric
