Automic VaultAutomic Vault

brew

Install terrapin-scanner with Homebrew, Nix

Vulnerability scanner for the Terrapin attack. Version 1.1.3 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install terrapin-scanner

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#terrapin-scanner

nixpkgs package indexes · pkgs/by-name/te/terrapin-scanner/package.nix · source: api.github.com

overview

Package summary

Vulnerability scanner for the Terrapin attack

Commands and aliases

  • Terrapin-Scanner

history

Project history and usage

Terrapin Vulnerability Scanner is the companion command-line scanner for the Terrapin SSH prefix-truncation attack. The official attack site and repository describe it as a small Go console application that tests whether an SSH server or client offers vulnerable encryption modes and whether strict key exchange countermeasures are present.

Project history

The scanner was published by the Ruhr University Bochum Network and Data Security group alongside the Terrapin research disclosure. Its narrow purpose is deliberate: it gathers SSH algorithm support in a single connection, avoids full authentication, and does not perform the attack.

Adoption history

Adoption followed the disclosure pattern of a vulnerability-specific operations tool. The project provides release binaries for major desktop platforms, a container image, and Go installation instructions, making it easy for administrators and package maintainers to run quick checks during SSH patch rollouts.

How it is used

The CLI is used either in connect mode against an SSH server or in listen mode for testing an SSH client. It can emit JSON, which makes it useful for scripted fleet checks and package-manager users who want a reproducible local scanner rather than a web-based test.

Why package nerds care

For package nerds, terrapin-scanner is a compact example of a research artifact becoming a packaged remediation aid. Its Homebrew and Nix packaging matters less as a general-purpose utility and more as a convenient way to reproduce an official scanner during the short operational window after a protocol vulnerability disclosure.

Timeline

  • 2024: Terrapin paper scheduled for Real World Crypto, Black Hat USA, and USENIX Security presentations.
  • 2024: Official scanner released with prebuilt binaries, Docker image, and Go install path.
  • 2024: v1.1.3 listed as latest GitHub release on January 18, 2024.

Related projects

  • The scanner is tied to the Terrapin attack research and to SSH implementations that adopted the strict key exchange countermeasure.

security posture

Risk level: red

escape, surveillance, or offensive capability signal.

Risk classifier

red risk · medium confidence · escape-surveillance-offensive

Why

  • escape, surveillance, or offensive capability signal

Signals

  • text:vulnerability scanner

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 10 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
Terrapin-Scannercliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.1.3
manager updated
local dataok
upstreamcurrent
latest detectedv1.1.3

https://github.com/RUB-NDS/Terrapin-Scanner

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:terrapin-scanner
Version1.1.3
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/terrapin-scanner
Homepagehttps://terrapin-attack.com/
Repositoryhttps://github.com/RUB-NDS/Terrapin-Scanner
Upstream docshttps://github.com/RUB-NDS/Terrapin-Scanner#readme
LicenseApache-2.0
Source archivehttps://github.com/RUB-NDS/Terrapin-Scanner/archive/refs/tags/v1.1.3.tar.gz
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, monterey, sonoma, ventura, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameterrapin-scanner
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

terrapin-scanner

nix profile install nixpkgs#terrapin-scanner
  • normalized package name match
  • Matched by: Terrapin Scanner
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/te/terrapin-scanner/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment