Five Supply Chain Attacks. One Blind Spot.
Five untrusted-execution incidents ran in CI in March 2026. The runtime records — ancestry, egress, and signals — are the durable evidence when attacker cleanup removes local artifacts.
Resources
Research, engineering, and field reports from the Garnet team.
Runtime profiles live from the kernel, from recent incidents and research.
Self-deleting postinstall dropper; the runtime record is the only durable evidence of what ran.
.pth startup hook drops to a shell and runs credential-harvest commands before any import.
Green Trivy scan beside a sibling branch scraping /proc/<pid>/mem — both in one workflow tree.
KICS scan logs looked clean while a parallel branch reached checkmarx[.]zone.
import telnyx spawns a child, opens C2 egress, and reparents to systemd(1) before the step ends.
One compromised npm install pivots Node→Bun and attempts rogue runner registration end to end.
Technical deep-dives into Garnet's architecture and runtime engine.