feat: uvx detection + incident response UX improvements #40

Merged
garagon merged 1 commit into main from feature/uvx-detection-ux-improvements
Mar 25, 2026

Conversation

@garagon (Owner)

@garagon garagon commented Mar 25, 2026

Summary

Covers the exact litellm attack vector (uvx auto-download of compromised package) and simplifies the incident response workflow.

Source: oktsec engineering spec based on Callum McMahon's analysis of the litellm compromise via uvx in Cursor MCP configs.

New rules

| Rule | Severity | Description |
|------|----------|-------------|
| MCPCFG_012 | HIGH | uvx/uv MCP server without version pin. uvx auto-downloads latest from PyPI on every run. |
| MCPCFG_013 | MEDIUM | pip install without --require-hashes in MCP setup instructions. |

MCPCFG_012 is HIGH (vs MCPCFG_001/npx which is LOW) because uvx pulls entire Python packages with deep dependency trees. litellm has 300+ transitive deps. The attack surface per uvx invocation is much larger.

UX improvements

  • aguara check always scans caches - removed --include-caches flag, caches are always scanned (uv, pip, npx). Cache scanning now also reads METADATA in dist-info dirs and checks .pth files, not just filenames.
  • aguara clean defaults to Y - confirmation prompt changed from [y/N] to [Y/n]. Press Enter to proceed. Reduces the workflow to 2 commands: aguara check, aguara clean.

Stats

189 rules (was 187), 576 tests, 0 lint issues.

Test plan

  • MCPCFG_012 self-tests pass (TP: uvx without pin, FP: uvx with @version)
  • MCPCFG_013 self-tests pass (TP: pip install package, FP: --require-hashes)
  • All 189 rule self-tests pass
  • Cache scanning finds dist-info METADATA and .pth files
  • make build && make test && make vet && make lint all pass
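As an added example (not aguara's own code and not part of this PR), the checks behind MCPCFG_012 and MCPCFG_013 written out in Go. It assumes the Cursor-style mcp.json layout (a `mcpServers` map of `command` plus `args`), recognizes `pkg@version` and `--from pkg==version` as pins, and treats README-style setup text line by line for the pip rule; the sample config, the setup text and the package names in them are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one rule hit; Where names the MCP server entry or the text line.
type Finding struct {
	Rule, Severity, Where, Detail string
}

// mcpConfig mirrors the Cursor-style mcp.json layout (assumed for this example).
type mcpConfig struct {
	MCPServers map[string]struct {
		Command string   `json:"command"`
		Args    []string `json:"args"`
	} `json:"mcpServers"`
}

// uvx flags that consume the next argument, so that argument is not the package.
var valueFlags = map[string]bool{"--python": true, "--with": true, "--index": true, "--index-url": true}

// uvxPackageArg returns the package spec uvx would resolve from PyPI, or "" when
// the entry is not a uvx-style run. Handles `uvx pkg`, `uvx --from pkg tool` and
// `uv tool run pkg`; a directory prefix on the command is ignored.
func uvxPackageArg(command string, args []string) string {
	base := command[strings.LastIndexAny(command, `/\`)+1:]
	rest := args
	switch base {
	case "uvx":
	case "uv":
		if len(rest) < 2 || rest[0] != "tool" || rest[1] != "run" {
			return ""
		}
		rest = rest[2:]
	default:
		return ""
	}
	for i := 0; i < len(rest); i++ {
		a := rest[i]
		switch {
		case a == "--from" && i+1 < len(rest):
			return rest[i+1]
		case valueFlags[a]:
			i++ // skip the flag's value
		case strings.HasPrefix(a, "-"):
			// boolean flag such as -q or --isolated: nothing to do
		default:
			return a // first positional argument is the package spec
		}
	}
	return ""
}

// isPinned reports whether a spec names an exact version: uvx's `pkg@1.2.3`
// (but not `pkg@latest`) or PEP 440 `pkg==1.2.3`. Ranges like `pkg>=1` still
// float between runs, so they count as unpinned.
func isPinned(spec string) bool {
	if strings.Contains(spec, "==") {
		return true
	}
	if i := strings.LastIndex(spec, "@"); i >= 0 && i+1 < len(spec) {
		return spec[i+1:] != "latest"
	}
	return false
}

// ScanMCPConfig applies MCPCFG_012 to a raw mcp.json document.
func ScanMCPConfig(raw []byte) ([]Finding, error) {
	var cfg mcpConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var out []Finding
	for name, srv := range cfg.MCPServers {
		spec := uvxPackageArg(srv.Command, srv.Args)
		if spec == "" || isPinned(spec) {
			continue
		}
		out = append(out, Finding{"MCPCFG_012", "HIGH", name,
			fmt.Sprintf("uvx resolves %q to the newest PyPI release on every start", spec)})
	}
	return out, nil
}

var pipInstallRE = regexp.MustCompile(`(^|\s)(pip3?|python3? -m pip)\s+install\b`)

// ScanSetupText applies MCPCFG_013 to setup instructions, one line at a time.
func ScanSetupText(text string) []Finding {
	var out []Finding
	for n, line := range strings.Split(text, "\n") {
		if pipInstallRE.MatchString(line) && !strings.Contains(line, "--require-hashes") {
			out = append(out, Finding{"MCPCFG_013", "MEDIUM", fmt.Sprintf("line %d", n+1),
				"pip install without --require-hashes"})
		}
	}
	return out
}

// Constructed sample inputs; the package names are placeholders.
const sampleMCPConfig = `{"mcpServers": {
  "unpinned": {"command": "uvx", "args": ["some-mcp-server"]},
  "pinned":   {"command": "uvx", "args": ["some-mcp-server@1.4.2"]},
  "from-pin": {"command": "uv",  "args": ["tool", "run", "--from", "some-mcp-server==1.4.2", "serve"]},
  "node":     {"command": "npx", "args": ["-y", "@scope/server"]}
}}`

const sampleSetupText = "Install the server:\npip install some-mcp-server\npip install --require-hashes -r requirements.txt"

func main() {
	findings, err := ScanMCPConfig([]byte(sampleMCPConfig))
	if err != nil {
		panic(err)
	}
	for _, f := range append(findings, ScanSetupText(sampleSetupText)...) {
		fmt.Printf("%s %-6s %-10s %s\n", f.Rule, f.Severity, f.Where, f.Detail)
	}
}
```

Only the `unpinned` entry and the unhashed `pip install` line are reported; `pkg@latest` is deliberately treated as unpinned because it floats exactly like a bare name.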

New rules:
- MCPCFG_012: uvx/uv MCP server without version pin (HIGH). Covers the
  exact litellm attack vector where uvx auto-downloaded the compromised
  package from PyPI.
- MCPCFG_013: pip install without hash verification in MCP setup (MEDIUM).

Incident response improvements:
- aguara check now always scans pip/uv/npx caches (was opt-in with
  --include-caches). Cache scanning also checks METADATA in dist-info
  dirs and .pth files, not just filenames.
- aguara clean confirmation defaults to Y (was N). Press Enter to
  proceed, type n to abort. Removes friction for the common case.

189 rules, 576 tests, 0 lint issues.
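As an added example of the cache-scanning change described above (not aguara's code and not from this PR), a Go walker that reads `Name`/`Version` from every `*.dist-info/METADATA` under a tree instead of trusting directory names, and flags `.pth` files that carry `import` lines, which Python's site.py executes at interpreter startup. The watchlist and the fixture tree it builds are constructed placeholders, not real indicators.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// CacheHit is one artifact flagged under a pip/uv cache or site-packages tree.
type CacheHit struct {
	Kind, Path, Name, Version, Detail string
}

// normalizeName applies PEP 503 normalization so "Sample_Pkg" and "sample-pkg" compare equal.
func normalizeName(s string) string {
	return strings.ToLower(strings.NewReplacer("_", "-", ".", "-").Replace(s))
}

// parseMetadata reads Name and Version from a dist-info METADATA file; its
// header block is RFC 822-style and ends at the first blank line.
func parseMetadata(path string) (name, version string, err error) {
	f, err := os.Open(path)
	if err != nil {
		return "", "", err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() && sc.Text() != "" {
		switch line := sc.Text(); {
		case strings.HasPrefix(line, "Name:"):
			name = strings.TrimSpace(line[5:])
		case strings.HasPrefix(line, "Version:"):
			version = strings.TrimSpace(line[8:])
		}
	}
	return name, version, sc.Err()
}

// pthImportLines returns the lines of a .pth file that site.py executes at
// startup: every line beginning with "import ".
func pthImportLines(path string) ([]string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, l := range strings.Split(string(data), "\n") {
		if l = strings.TrimSpace(l); strings.HasPrefix(l, "import ") {
			out = append(out, l)
		}
	}
	return out, nil
}

// ScanCache walks root and reports dist-info entries whose (name, version) is
// on the watchlist, plus every .pth file that runs code at startup. Matching on
// METADATA content means a package renamed on disk is still found.
func ScanCache(root string, watchlist map[string][]string) ([]CacheHit, error) {
	var hits []CacheHit
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		switch {
		case d.Name() == "METADATA" && strings.HasSuffix(filepath.Dir(p), ".dist-info"):
			name, ver, err := parseMetadata(p)
			if err != nil {
				return err
			}
			for _, bad := range watchlist[normalizeName(name)] {
				if bad == ver {
					hits = append(hits, CacheHit{"dist-info", p, name, ver, "version is on the watchlist"})
				}
			}
		case strings.HasSuffix(d.Name(), ".pth"):
			lines, err := pthImportLines(p)
			if err != nil {
				return err
			}
			if len(lines) > 0 {
				hits = append(hits, CacheHit{"pth", p, "", "", "runs at startup: " + strings.Join(lines, "; ")})
			}
		}
		return nil
	})
	return hits, err
}

// SampleWatchlist maps a normalized package name to known-bad versions (placeholder entry).
var SampleWatchlist = map[string][]string{"sample-pkg": {"9.9.9"}}

// BuildFixture writes a constructed site-packages tree under dir: one dist-info
// on the watchlist, one clean dist-info, and a .pth file with an import line.
func BuildFixture(dir string) error {
	files := map[string]string{
		"Sample_Pkg-9.9.9.dist-info/METADATA": "Metadata-Version: 2.1\nName: Sample_Pkg\nVersion: 9.9.9\n\nbody\n",
		"other-1.0.dist-info/METADATA":        "Metadata-Version: 2.1\nName: other\nVersion: 1.0\n",
		"sample_hook.pth":                     "/opt/sample\nimport sample_hook\n",
	}
	for rel, body := range files {
		p := filepath.Join(dir, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "cache-scan-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := BuildFixture(dir); err != nil {
		panic(err)
	}
	hits, err := ScanCache(dir, SampleWatchlist)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%-9s %s %s %s %s\n", h.Kind, h.Name, h.Version, h.Path, h.Detail)
	}
}
```

Point it at a real `~/.cache/pip`, `~/.cache/uv` or a virtualenv's `site-packages` and swap in an actual watchlist; the `.pth` check reports any startup import, so legitimate editable installs show up too and need reviewing rather than blind removal.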
@garagon garagon merged commit a7c8f35 into main Mar 25, 2026
1 check passed
@garagon garagon deleted the feature/uvx-detection-ux-improvements branch March 25, 2026 00:54