Why
Infostealer logs are the top 2026 exposure vector: a single log harvested from an infected endpoint can leak browser-saved passwords, active session cookies and tokens that bypass MFA. Verizon DBIR: 54% of ransomware victims had credentials in stealer logs; 60%+ of companies with more than 1000 employees have at least one critical infostealer exposure. DataShield today only scans breach dumps, not stealer logs.
Scope
- New scan source type for stealer-log feeds (Telegram/market-sourced datasets via provider APIs).
- Extend the Breach / BreachRecord model to capture artifact kind (password, cookie, token, autofill) and infection metadata (machine id, malware family, captured-at).
- Surface stealer-log findings distinctly in alerts and reports (session-cookie exposure is higher severity than an old password dump).
Hooks
src/lib/scan/providers/ (new provider), src/lib/scan/normalize.ts, prisma/schema.prisma (Breach, BreachSource enum).
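As an added sketch (not DataShield's own code) of what the normalize.ts piece of this scope could look like: one raw stealer-log feed entry is mapped into the extended BreachRecord shape with artifact kind and infection metadata, and severity is rated so that still-valid session cookies/tokens outrank an old password dump. The raw entry's field names, the STEALER_LOG source value, and the age/expiry thresholds are assumptions made for this example.

```typescript
// Added example, not DataShield code. Raw field names, the STEALER_LOG source
// value and the severity thresholds below are assumptions for illustration.
type ArtifactKind = "password" | "cookie" | "token" | "autofill";
type Severity = "low" | "medium" | "high" | "critical";
const KINDS: ArtifactKind[] = ["password", "cookie", "token", "autofill"];
export interface BreachRecord {
  source: "STEALER_LOG";                 // assumed new BreachSource enum member
  email: string;
  host: string;                          // site the artifact grants access to
  artifactKind: ArtifactKind;
  infection: { machineId: string; malwareFamily: string; capturedAt: Date };
  severity: Severity;
}
// Constructed shape of one entry as a stealer-log provider API might return it.
export interface RawStealerEntry {
  kind: string; host: string; email: string; machine_id: string;
  family: string; captured_at: string; expires_at?: string;
}
const DAY_MS = 86_400_000;
// Session cookies/tokens outrank passwords: while valid they bypass MFA. Expired
// session material and stale captures are downgraded so alerts stay actionable.
export function rateSeverity(kind: ArtifactKind, capturedAt: Date, expiresAt: Date | undefined, now: Date): Severity {
  const ageDays = (now.getTime() - capturedAt.getTime()) / DAY_MS;
  if (kind === "cookie" || kind === "token") {
    if (expiresAt && expiresAt.getTime() <= now.getTime()) return "medium";
    return ageDays <= 30 ? "critical" : "high";
  }
  if (kind === "password") return ageDays <= 90 ? "high" : "medium";
  return "low"; // autofill data: exposure, but no direct account access
}
// Returns null for entries the model cannot represent (unknown kind, bad timestamp).
export function normalizeStealerEntry(raw: RawStealerEntry, now: Date = new Date()): BreachRecord | null {
  const kind = raw.kind.trim().toLowerCase() as ArtifactKind;
  if (!KINDS.includes(kind)) return null;
  const capturedAt = new Date(raw.captured_at);
  if (Number.isNaN(capturedAt.getTime())) return null;
  const expiresAt = raw.expires_at ? new Date(raw.expires_at) : undefined;
  return {
    source: "STEALER_LOG",
    email: raw.email.trim().toLowerCase(),
    host: raw.host.trim().toLowerCase(),
    artifactKind: kind,
    infection: { machineId: raw.machine_id, malwareFamily: raw.family, capturedAt },
    severity: rateSeverity(kind, capturedAt, expiresAt, now),
  };
}
```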