« All posts

Intercept.js brings context-aware YARA scanning to JavaScript runtimes

Intercept.js runs context-aware YARA rules in any JS runtime, adding browser download context to catch 0-day threats before files hit disk.

Intercept.js is an open-source library that runs YARA-syntax malware detection rules anywhere JavaScript executes—browsers, email clients, Office add-ins. Beyond standard byte-pattern matching, it injects runtime context signals into rule evaluation, letting analysts write detections like "encrypted PDF downloaded from an unfamiliar site" rather than relying on file content alone.

The project targets a known gap in browser download security: OS-level file scanners see that a file came from Chrome but have no visibility into the source website, referral chain, or user interaction preceding the download. That missing context makes it harder to catch 0-day threats before signatures exist. To solve this without inventing a new rule language, the author reimplemented a YARA engine in vanilla JavaScript (rather than compiling to WASM) so it could accept custom metadata modules while staying syntax-compatible with standard YARA.

For engineers working on EDR, browser security, or DLP tooling, Intercept.js offers a way to intercept and block downloads inline before they hit disk. The GitHub repo includes implementation details, code samples, and a hosted demo on Cloudflare Workers. The author is presenting the project at BlackHat Arsenal and DEFCON Demo Labs and is looking for collaborators.