Abstract: Aspects of the invention include techniques for correlating distinct phishing campaigns by identifying shared modus operandi. A non-limiting example method includes building, from a source code, an abstract syntax tree and building, from the abstract syntax tree, a decloaked abstract syntax tree. The method includes removing payload data from the decloaked abstract syntax tree to define an obfuscation pattern. The obfuscation pattern is compared to a plurality of predetermined obfuscation patterns. The method includes correlating, based on the comparison, the source code to one or more phishing kits.

Abstract: Aspects of the invention include techniques for correlating distinct phishing campaigns by identifying shared modus operandi. A non-limiting example method includes building, from a source code, an abstract syntax tree and building, from the abstract syntax tree, a decloaked abstract syntax tree. The method includes removing payload data from the decloaked abstract syntax tree to define an obfuscation pattern. The obfuscation pattern is compared to a plurality of predetermined obfuscation patterns. The method includes correlating, based on the comparison, the source code to one or more phishing kits.

Abstract: A computer-implemented method for security scanning application code includes executing, via a processor, a full scan of the application code and generating a program intermediate representation (IR) and a list of security findings determined by the full scan. The processor executes an incremental scan of the application code after at least one change to the application code, and identifies at least one changed file in the application code. The processor then generates an incremental intermediate representation (IR) based at least in part on the at least one changed file. The processor merges the saved scan state and the incremental IR, produces a merged scan state, and outputs security findings based at least in part on the merged scan state and the incremental IR.

Abstract: A computer-implemented method for security scanning application code includes executing, via a processor, a full scan of the application code and generating a program intermediate representation (IR) and a list of security findings determined by the full scan. The processor executes an incremental scan of the application code after at least one change to the application code, and identifies at least one changed file in the application code. The processor then generates an incremental intermediate representation (IR) based at least in part on the at least one changed file. The processor merges the saved scan state and the incremental IR, produces a merged scan state, and outputs security findings based at least in part on the merged scan state and the incremental IR.