# medusa

> AI-first security scanner with 76 analyzers, 9,600+ detection rules, and repo poisoning detection for AI/ML, LLM agents, and MCP servers. Scan any GitHub repo with: `medusa scan --git user/repo`

- **URL**: https://www.freshcrate.ai/projects/medusa
- **Author**: Pantheon-Security
- **Category**: MCP Servers
- **Latest version**: `v2026.5.11` (2026-05-28)
- **License**: AGPL-3.0
- **Source**: https://github.com/Pantheon-Security/medusa
- **Homepage**: https://pantheonsecurity.io
- **Language**: Python
- **GitHub**: 256 stars, 40 forks
- **Registry**: github
- **Tags**: `agent-security`, `ai-security`, `code-analysis`, `cve-detection`, `devsecops`, `llm-security`, `mcp`, `nextjs`, `python`

## Recent releases

| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `v2026.5.11` | 2026-05-28 | High | ## `medusa scan --git` hotfix + 54-test ship gate suite  ### Fixed  - **`medusa scan --git` crashed on every invocation** — Every `medusa scan --git <repo>` in v2026.5.10 failed immediately with `NameError: name 'include_user_mcp_configs' is not defined` before scanning a single file. `_scan_git_repo()` was missing the parameter in both its function signature and the call site. Two-line fix.  ### Tests added  - **`TestScanGitRepoRegression`** (`tests/test_git_scan.py`) — locks in t |
| `v2026.5.10` | 2026-05-24 | High | ## Security hardening patch — five fixes from external security review  ### Fixed  - **VS Code extension command injection** — `exec()` replaced with `execFile` throughout `scanner.ts`. Binary path and args passed as argv array, never interpolated into a shell string. Shell metachar validation added on `medusaPath` (rejects `;\|&\`$()<>`). - **`--fail-on` ignored cached findings** — `total_issues` now counts cached scan results. Previously a re-scan with `--fail-on high` would silently pass if fi |
| `v2026.5.8` | 2026-05-20 | High | # v2026.5.8 — `medusa secrets`  > **Your PyPI token might be in your Claude chat history right now.** > v2026.5.8 ships the tool to find it — and the tool to fix it.  ## The headline  Developers paste credentials into AI assistants every day. The assistants keep those conversations in plaintext on disk. Anyone with read access to `$HOME` can harvest production secrets in seconds.  **`medusa secrets scan`** finds them. **`medusa secrets purge`** cleans them up.  ```bash $ medusa secrets scan   .. |
| `v2026.5.7` | 2026-05-13 | High | ## What's New in v2026.5.7  ### New Features  \| \| Feature \| Details \| \|---\|---\|---\| \| 🕵️ \| **Indirect PI Rules (101/102)** \| 50 new patterns for **social authority injection** and **covert action concealment** — adversarial attack patterns used to manipulate AI agents without triggering obvious injection keywords \| \| 📦 \| **Supply Chain Import Scanner** \| Detects malicious package names in dependency manifests (npm, pypi, go, cargo, maven) without requiring CVE version matching. Rules with `fix |
| `v2026.5.5` | 2026-04-18 | High | # MEDUSA v2026.5.5 — Security Hardening  Patch release addressing 8 findings from a red-team review of the MEDUSA scanner codebase. No CVEs are disclosed against earlier versions — these are defense-in-depth improvements.  ## What changed  ### Argument injection defense (C-1)  A malicious repo containing a file literally named `--config=https://evil.tld/rce.yaml` would previously have had the filename re-parsed as an option by semgrep and trivy, causing them to fetch attacker-controlled rule YAM |
| `v2026.5.4` | 2026-04-16 | High | # MEDUSA v2026.5.4 — FP Patterns YAML Refactor  ## Summary  Pure refactor release. Moves 583 false positive filter patterns from a 6,746-line Python file (`medusa/core/fp_patterns_db.py`) into 27 per-scanner YAML files under `medusa/core/fp_patterns/`. Zero behavior change — the regression benchmark produces byte-identical findings.  ## Why  - **Data/logic separation.** FP patterns were data masquerading as Python code. YAML is the right format for data. - **Editable without a Python diff.** Con |
| `v2026.5.3` | 2026-04-08 | High | ## CVE Database Update  Updated CVEMiner database to 2026-04-08 build.  \| \| Previous \| Now \| \|--\|--\|--\| \| CVEs \| 200 \| **184 + 125 critical = 309 total** \| \| Generated \| 2026-03-18 \| **2026-04-08** \|  ### Install / Upgrade  ```bash pip install --upgrade medusa-security ``` |
| `v2026.5.2` | 2026-04-03 | Medium | ## Security Hardening Release  This release patches **16 security and bug findings** identified through a multi-agent review (Sentinel, Skeptic, Architect, and Codex). All 289 tests pass. Tested on Linux, macOS, and Windows.  ### 🔐 Security Fixes  \| Severity \| Fix \| File \| \|----------\|-----\|------\| \| HIGH \| Auth tokens in `--git` URLs stripped from **all** console/log output before printing \| `cli.py` \| \| HIGH \| Stored XSS — HTML report fields now escaped with `html.escape()` \| \`reporter |
| `v2026.5.1` | 2026-04-03 | Medium | ## Bug Fixes in v2026.5.1  ### 🔴 Critical - **`--fail-on` severity filtering** — was counting ALL issues regardless of severity level. `--fail-on critical` now correctly exits non-zero only when CRITICAL issues are found. Previously it would exit on any LOW finding and falsely report "Found N issues at CRITICAL+ level". - **`medusa init` next steps** — was recommending deprecated `medusa install --all` (does nothing). Now correctly shows `medusa install --ai-tools`.  ### 🟠 High   - **`.env` do |
| `v2026.5.0` | 2026-04-03 | Medium | ## What's New in v2026.5.0  ### 🤖 9,600+ AI Security Patterns Up from 7,300 in v2026.4.0 — comprehensive coverage for AI/ML, agents, MCP servers, RAG pipelines, and prompt injection.  ### 🚨 200 CVEs (CVEMiner v2.0) Expanded CVE database covering AI coding editors, MCP servers, and supply chain attacks. Up from 133.  ### 🪟 Windows PATH Auto-Fix Automatically detects and repairs missing PATH entries on Windows install — no more manual `$env:PATH` edits.  ### 🔧 79 Scanner Categories Wired Full |

## Citation

- HTML: https://www.freshcrate.ai/projects/medusa
- Markdown: https://www.freshcrate.ai/projects/medusa.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/medusa/deps

_Generated by freshcrate.ai. Indexes GitHub releases for AI-agent ecosystem packages._
