# Install malcontent with Homebrew, apk, apt, dnf, Nix, pacman, zypper

Supply Chain Attack Detection, via context differential analysis and YARA. Version 1.25.1 via Homebrew; verified 2026-07-06.

## Install

```sh
sudo av install brew:malcontent
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install malcontent
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add malcontent
```

  Evidence: Alpine Linux edge package indexes: malcontent from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install gir1.2-malcontent-0
```

  Evidence: Debian stable package indexes: gir1.2-malcontent-0 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install malcontent
```

  Evidence: Fedora Rawhide package metadata: malcontent from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#malcontent
```

  Evidence: nixpkgs package indexes: malcontent from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

- pacman (92%):

```sh
sudo pacman -S malcontent
```

  Evidence: Arch Linux sync databases: malcontent from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install libmalcontent-0-0
```

  Evidence: openSUSE Tumbleweed package metadata: libmalcontent-0-0 from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:malcontent
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/malcontent>
- **Version:** 1.25.1
- **Source summary:** Supply Chain Attack Detection, via context differential analysis and YARA
- **Homepage:** <https://github.com/chainguard-dev/malcontent>
- **Repository:** <https://github.com/chainguard-dev/malcontent>
- **Upstream docs:** <https://github.com/chainguard-dev/malcontent#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/chainguard-dev/malcontent/archive/refs/tags/v1.25.1.tar.gz>
- **Last updated:** 2026-07-06T21:40:36Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- mal (cli)
- mal (alias)

## Dependencies

- yara-x

## Build dependencies

- go
- pkgconf

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.25.1
- Package-manager updated: 2026-07-06
- Local data: ok
- Upstream repository: https://github.com/chainguard-dev/malcontent
- Upstream latest detected: v1.25.1 (current)
## Project history and usage

malcontent is Chainguard's open source command-line scanner for discovering supply-chain compromises through context, differential analysis, and YARA rules. Its executable is `mal`, and the README describes analyze, diff, and scan modes for binaries, archives, directories, and OCI images.

### Project history

The GitHub repository was created in February 2024 and is maintained under the Chainguard organization. The README presents it as a "subtle malware discovery tool" for supply-chain attack detection, using a large embedded YARA rule set and contextual comparisons rather than only standalone signature hits.

malcontent's project shape reflects the post-SolarWinds and post-3CX supply-chain security era: it is built for CI/CD use, supports container images and archives, and treats behavior changes between releases as a key signal. The README uses the 3CX compromise as an example of differential analysis surfacing newly risky behavior.

### Adoption history

Public adoption is still young but visible through the GitHub repository's releases, stars, forks, and companion GitHub Action. The README emphasizes Linux programs while noting useful coverage for other Unix platforms such as macOS and, to a lesser extent, Windows.

Chainguard also references malcontent in its supply-chain security writing as a binary analysis tool that can surface newly introduced capabilities without requiring full reverse engineering. That positions it as a practical package-review tool for maintainers evaluating suspicious upstream or dependency changes.

### How it is used

`mal analyze` enumerates capabilities in a target, `mal diff` compares two paths, archives, reports, or images, and `mal scan` reports findings above a risk threshold. It supports output formats including JSON, YAML, Markdown, text, terminal, and TUI-style output, and includes an opt-in `--oci-auth` mode for private image pulls.

### Why package nerds care

malcontent matters to package maintainers because it targets the hard question a package diff raises: did this new release gain suspicious behavior? It is especially relevant to registry ecosystems, binary packages, vendored archives, container images, and CI checks where maintainers need quick triage before publishing or upgrading.

### Timeline

- 2024-02-07: The malcontent GitHub repository is created.
- 2024: The README documents analyze, diff, and scan modes for supply-chain compromise discovery.
- 2025: malcontent-action publishes an initial GitHub Action for PR differential scanning.
- 2026: The repository lists over one hundred releases and continued active maintenance.

### Related projects

- Related tools and ecosystems include YARA/YARA-X, VirusTotal rule workflows, Chainguard Images, malcontent-action, container image scanners, and CI/CD supply-chain security checks.

### Sources

- <https://api.github.com/repos/chainguard-dev/malcontent>
- <https://github.com/chainguard-dev/malcontent>
- <https://github.com/chainguard-dev/malcontent-action>
- <https://raw.githubusercontent.com/chainguard-dev/malcontent/main/README.md>
- <https://www.chainguard.dev/unchained/cyber-resiliency-in-practice-lessons-from-recent-supply-chain-attacks>


## Security Notes

No matching local secret-handling manifest was found for malcontent. Nucleus package metadata is still published here so future coverage has a stable package URL.


## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** malcontent
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - gir1.2-malcontent-0 - 0.13.0-2+deb13u1: normalized package name match | Debian stable package indexes: gir1.2-malcontent-0 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | GObject introspection bindings for libmalcontent | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Debian apt - gir1.2-malcontentui-1 - 0.13.0-2+deb13u1: normalized package name match | Debian stable package indexes: gir1.2-malcontentui-1 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | GObject introspection bindings for libmalcontent-ui | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Debian apt - libmalcontent-0-0 - 0.13.0-2+deb13u1: normalized package name match | Debian stable package indexes: libmalcontent-0-0 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | library for parental control of applications | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Debian apt - libmalcontent-0-dev - 0.13.0-2+deb13u1: normalized package name match | Debian stable package indexes: libmalcontent-0-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | development files for libmalcontent | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Debian apt - libmalcontent-ui-1-1 - 0.13.0-2+deb13u1: normalized package name match | Debian stable package indexes: libmalcontent-ui-1-1 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | library for parental control of applications - GTK widgets and dialogs | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Debian apt - libmalcontent-ui-dev - 0.13.0-2+deb13u1: normalized package name match | Debian stable package indexes: libmalcontent-ui-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | development files for libmalcontent-ui | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Debian apt - libpam-malcontent - 0.13.0-2+deb13u1: normalized package name match | Debian stable package indexes: libpam-malcontent from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | PAM module to control the time a user is spending on the computer | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Debian apt - malcontent - 0.13.0-2+deb13u1: normalized package name match | Debian stable package indexes: malcontent from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | framework for parental control of applications | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Debian apt - malcontent-gui - 0.13.0-2+deb13u1: normalized package name match | Debian stable package indexes: malcontent-gui from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | GUI to configure malcontent | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Nix - malcontent: normalized package name match | nixpkgs package indexes: malcontent from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix
- Ubuntu apt - gir1.2-malcontent-0 - 0.11.1-1build4: normalized package name match | Ubuntu 24.04 LTS package indexes: gir1.2-malcontent-0 from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | GObject introspection bindings for libmalcontent | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Ubuntu apt - gir1.2-malcontentui-1 - 0.11.1-1build4: normalized package name match | Ubuntu 24.04 LTS package indexes: gir1.2-malcontentui-1 from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | GObject introspection bindings for libmalcontent-ui | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Ubuntu apt - libmalcontent-0-0 - 0.11.1-1build4: normalized package name match | Ubuntu 24.04 LTS package indexes: libmalcontent-0-0 from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | library for parental control of applications | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Ubuntu apt - libmalcontent-0-dev - 0.11.1-1build4: normalized package name match | Ubuntu 24.04 LTS package indexes: libmalcontent-0-dev from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | development files for libmalcontent | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Ubuntu apt - libmalcontent-ui-1-1 - 0.11.1-1build4: normalized package name match | Ubuntu 24.04 LTS package indexes: libmalcontent-ui-1-1 from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | library for parental control of applications - GTK+ widgets and dialogs | https://gitlab.freedesktop.org/pwithnall/malcontent/
- Ubuntu apt - libmalcontent-ui-dev - 0.11.1-1build4: normalized package name match | Ubuntu 24.04 LTS package indexes: libmalcontent-ui-dev from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | development files for libmalcontent-ui | https://gitlab.freedesktop.org/pwithnall/malcontent/


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [yara-x](https://www.automicvault.com/pkg/brew/yara-x/) - Runtime dependency declared by Homebrew.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [minder](https://www.automicvault.com/pkg/brew/minder/) - Shares av.db curated category or tags: cli, security, supply-chain-security.
- [sh4d0wup](https://www.automicvault.com/pkg/brew/sh4d0wup/) - Shares av.db curated category or tags: cli, security, supply-chain-security.
- [virustotal-cli](https://www.automicvault.com/pkg/brew/virustotal-cli/) - Shares av.db curated category or tags: cli, malware-analysis, security.
- [poutine](https://www.automicvault.com/pkg/brew/poutine/) - Shares av.db curated category or tags: cli, security, security-scanner, supply-chain-security.
- [yara](https://www.automicvault.com/pkg/brew/yara/) - Shares av.db curated category or tags: cli, malware-analysis, security.
- [chain-bench](https://www.automicvault.com/pkg/brew/chain-bench/) - Shares av.db curated category or tags: cli, security, supply-chain-security.
- [cosign](https://www.automicvault.com/pkg/brew/cosign/) - Shares av.db curated category or tags: cli, security, supply-chain-security.
- [lavamoat](https://www.automicvault.com/pkg/npm/lavamoat/) - Security-sensitive metadata or terminology overlaps. Shared terms: chain, cli, security, supply, supply-chain-security.
- [lavamoat-core](https://www.automicvault.com/pkg/npm/lavamoat-core/) - Security-sensitive metadata or terminology overlaps. Shared terms: chain, cli, security, supply, supply-chain-security.

## Combined YAML source

View the package source record on GitHub. [combined/malcontent.yml](https://github.com/automic-vault/db/blob/main/combined/malcontent.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
