About ICU
Methodology, detection rules, and frequently asked questions
Mission
AI development tools are increasingly targeted by supply chain attacks. Malicious MCP servers, poisoned agent plugins, and trojanized npm/PyPI packages can exfiltrate secrets, inject prompts, and execute arbitrary code — all while appearing legitimate.
ICU exists to make these threats visible. We continuously scan AI marketplaces, detect malicious patterns, and publish our findings as a transparency report — naming and shaming bad actors to protect the community.
Scan
Automated scraping of AI package marketplaces every 6 hours
Detect
37 detection rules across 5 categories with tiered analysis
Report
Public threat database with full findings and code context
Detection Rules (19)
| Rule | Severity | Description |
|---|---|---|
| PI-001 | critical | System prompt override / instruction hijacking |
| PI-002 | high | Hidden instructions in tool descriptions |
| PI-003 | high | Invisible Unicode instruction injection |
| PI-004 | medium | User input passed directly to system prompt |
| DE-001 | critical | SSH key / credential file reading |
| DE-002 | critical | Environment variable exfiltration via HTTP |
| DE-003 | critical | API key / secret harvesting and transmission |
| DE-004 | critical | Workspace file upload to external server |
| DE-005 | high | Sensitive file glob patterns (.env, .pem, .key) |
| OB-001 | high | Base64-encoded payload concealing URLs or code |
| OB-002 | medium | Hex-encoded strings concealing data |
| OB-003 | high | Dynamic import / require with encoded module names |
| SC-001 | critical | Arbitrary shell command execution (shell=True) |
| SC-002 | critical | SQL injection via unsanitized query interpolation |
| SC-003 | medium | eval() / exec() on user-provided strings |
| SC-004 | high | Unsandboxed code execution in host namespace |
| NS-001 | high | Requests to raw IP addresses |
| NS-002 | high | Traffic proxied through unknown intermediary |
| NS-003 | low | Phone-home / update check on import |
Frequently Asked Questions
What is ICU?
ICU (I See You) is an open-source AI supply chain firewall. It scans files and packages for prompt injection, data exfiltration, obfuscation, and other malicious patterns targeting AI development tools.
How does the scanning work?
ICU uses a tiered detection pipeline: fast hash-based reputation checks, heuristic pattern matching with 37 detection rules, and deep analysis including entropy measurement and deobfuscation.
What marketplaces are scanned?
Currently we scan npm, PyPI, Smithery (MCP servers), and Glama (AI agents). More marketplaces are planned as the project grows.
How often is data updated?
The scraper pipeline runs every 6 hours via GitHub Actions, scanning new and updated packages across all monitored marketplaces.
Is this open source?
Yes. Both the ICU scanner and this website are open source under the Apache 2.0 license. Contributions are welcome.
How can I protect my project?
Install ICU locally with `pip install icu`, then run `icu scan` on any files before using them. You can also set up git hooks with `icu hook install` for automatic scanning.