I started working on this project last year and open-sourced it this year.It’s a library to scan byte payloads within JS using YARA-syntax rules, enabling YARA malware detection rules to run anywhere that JS runs (e.g. browsers, email clients, Office add-ons etc). However, it goes beyond core YARA by adding runtime context signals to the rule evaluation, so users can write detections like “encrypted PDF being downloaded from an unfamiliar website” or “executable downloaded from service-worker enabled site”. It started for security applications, but can also be applied to DLP and compliance.I come from the EDR and web security world, so I take inspiration from gaps that I find there. In this case, I wanted to improve threat detection in payloads downloaded via the browser.File scanners sit outside the browser and rely on OS notifications to trigger a scan when a file is downloaded. The file scanner knows it came from Chrome but doesn’t know the website, referral chain or user interaction preceding the download. This context information could be useful in identifying 0-day threats where signatures are not yet available. I started exploring if it were possible to embed an inline scanner within the browser to use flexible rules and block downloads before they materialized on disk. I did not want to invent a new rule language, so I picked YARA as it is well-established and open-source. I first coded the YARA engine in vanilla JS, including modules, so it could be run in any JS runtime. I thought of cross-compiling to WASM but stuck with vanilla JS because I wanted to add runtime-specific customizations, which were easier to do in vanilla JS. Once the YARA engine was ready, I added an extra metadata object that could be passed and used in the rule syntax. This was done using the custom module route, to maintain compatibility with YARA. This became Intercept.js.The open-source repo includes a lot more information about the implementation, videos, some coding examples and a hosted instance on Cloudflare Workers to try outIt would be great to find collaborators interested in refining the project. I am presenting this at BlackHat Arsenal and DEFCON Demo Labs, so I’m happy to meet folks there to dive into more technical details.Thanks!