HeadlinesBriefing.com

LiteLLM Telnyx Zero-Day: Semantic Analysis Tool Exposes Supply Chain Attacks

Hacker News

A team of researchers has developed an open-source CLI tool to detect supply chain attacks like the recent LiteLLM compromise and Telnyx zero-day. Traditional security scanners miss these threats because they rely on signature matching, while attackers like TeamPCP weaponize context by hiding malicious payloads inside mathematically valid .wav audio frames. The new tool, called wtmp, uses LangGraph to analyze dependency graphs and infer intent.

The approach represents a fundamental shift in vulnerability detection. Instead of asking whether a package appears on a blacklist, wtmp examines code behavior and asks contextual questions like "Why is a telephony SDK running an XOR decryption loop on an audio file?" This semantic analysis can catch zero-days that evade conventional CVE databases and content filters. The tool supports Node.js and Python ecosystems with plans to expand.
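The contextual question quoted above can be approximated with a deterministic pre-filter. The following is an added example, not wtmp's code and not its LLM-based method: it walks a Python file's AST and reports functions that both touch audio data and run XOR inside a loop. The function names and the sample source are hypothetical and constructed for illustration.

```python
import ast

AUDIO_EXTS = (".wav", ".mp3", ".ogg", ".flac")
LOOPS = (ast.For, ast.While, ast.ListComp, ast.GeneratorExp)

def _touches_audio(func):
    # Context signal: the function names the wave module or an audio file path.
    for n in ast.walk(func):
        if isinstance(n, ast.Constant) and isinstance(n.value, str):
            if n.value.lower().endswith(AUDIO_EXTS):
                return True
        if isinstance(n, ast.Attribute) and isinstance(n.value, ast.Name):
            if n.value.id == "wave":
                return True
    return False

def _xor_in_loop(func):
    # Behaviour signal: a ^ or ^= executed inside a loop or comprehension.
    for loop in ast.walk(func):
        if isinstance(loop, LOOPS):
            for n in ast.walk(loop):
                if isinstance(n, (ast.BinOp, ast.AugAssign)) and isinstance(n.op, ast.BitXor):
                    return True
    return False

def flag_audio_xor(source):
    """Return names of functions that show both signals (triage leads, not verdicts)."""
    funcs = [n for n in ast.walk(ast.parse(source))
             if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    return sorted(f.name for f in funcs if _touches_audio(f) and _xor_in_loop(f))

# Constructed sample, not taken from any real package.
SAMPLE = '''
import wave
def load_prompt(path="greeting.wav"):
    with wave.open(path, "rb") as w:
        return w.readframes(w.getnframes())

def init_codec(key):
    with wave.open("assets/hold_music.wav", "rb") as w:
        frames = w.readframes(w.getnframes())
    return bytes(b ^ key for b in frames)

def checksum(data):
    acc = 0
    for b in data:
        acc ^= b
    return acc
'''
```

Running `flag_audio_xor(SAMPLE)` reports only `init_codec`: reading audio alone or XOR alone is not flagged, only the combination. Any hit is a lead for manual review of the dependency, since legitimate audio code can also use XOR.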

While not a deterministic CI/CD blocker, wtmp serves as a triage flashlight during active security crises. Users should expect false positives since the tool relies on LLM inference rather than deterministic rules. The researchers encourage the community to test the CLI against local dependency trees and provide feedback on the prompt architecture and logic.