explaingit

0xsv1/ghosttype-bof

Analysis updated 2026-05-18

7CAudience · developerComplexity · 4/5LicenseSetup · hard

TLDR

A red team tool that scans a compromised Windows machine's local AI coding tool histories for leaked credentials.

Mindmap

mindmap
  root((GhostType BOF))
    What it does
      Scans AI tool chat history
      Finds leaked credentials
      Runs inside a C2 agent
    Tech stack
      C
      MinGW
      Windows DPAPI
    Use cases
      Red team credential hunting
      C2 framework integration
      Security assessment reporting
    Audience
      Penetration testers
      Red teamers
    Compatibility
      Cobalt Strike
      Sliver
      Havoc

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Search Claude Code, Cursor, Codex, and ChatGPT Desktop histories for accidentally pasted credentials during an authorized penetration test.

USE CASE 2

Load into a C2 framework like Cobalt Strike or Sliver as a Beacon Object File.

USE CASE 3

Export findings as NDJSON with severity and confidence scoring for a security report.

What is it built with?

CMinGWWindows

How does it compare?

0xsv1/ghosttype-boffreertos/freertos-sesipffmpegkit-maintained/ffmpeg
Stars776
LanguageCCC
Last pushed2023-04-27
MaintenanceDormant
Setup difficultyhardmoderateeasy
Complexity4/54/52/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires a C2 framework and Windows target, built with MinGW cross-compilation, no other runtime dependencies.

In plain English

GhostType BOF is a Beacon Object File, a small self-contained piece of compiled code designed to run inside a C2 (command-and-control) agent, the kind of tool used by red teams and penetration testers to maintain access to a compromised Windows machine during an authorized engagement. Specifically, it scans conversation histories stored locally by AI coding tools to look for credentials a developer may have accidentally pasted into a chat. It targets four tools: Claude Code CLI (reads JSONL session files), Cursor IDE (reads SQLite databases via the system's winsqlite3.dll), Codex CLI (reads SQLite state and log databases), and ChatGPT Desktop (decrypts local conversations using Windows DPAPI and AES-256-GCM). Claude Desktop is detected but not yet scanned. The pattern engine has three match classes: 24 prefix-based patterns for well-known credential formats (AWS, Anthropic, GitHub, Stripe, Slack, and others), 7 structure-based patterns (JWTs, PEM private keys, connection strings, Vault tokens), and 10 heuristic matchers that use entropy filtering to catch likely-but-unrecognized keys. It filters out obvious placeholders and low-entropy test strings. Findings are output as NDJSON with severity and confidence levels. It is compatible with Cobalt Strike, Sliver, Havoc, Mythic, and Brute Ratel C2 frameworks. Written in C and cross-compiled with MinGW for 64-bit Windows. No runtime dependencies are dropped: SQLite, DPAPI, and AES all come from system DLLs already present on Windows 10 and later. The MIT license applies.

Copy-paste prompts

Prompt 1
Explain what a Beacon Object File is and how GhostType BOF uses one.
Prompt 2
Which AI coding tools does GhostType BOF scan for leaked credentials, and how does it read each one?
Prompt 3
Describe the three types of credential pattern matching GhostType BOF uses.
Prompt 4
What C2 frameworks is GhostType BOF compatible with?

Frequently asked questions

What is ghosttype-bof?

A red team tool that scans a compromised Windows machine's local AI coding tool histories for leaked credentials.

What language is ghosttype-bof written in?

Mainly C. The stack also includes C, MinGW, Windows.

How hard is ghosttype-bof to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is ghosttype-bof for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.