Detect hidden payloads inside WAV audio files
WAV files show up everywhere: ringtones, sound effects, hold music, test fixtures, and random downloads. Because they are usually treated as just audio, network filters and security scanners can let them pass with less scrutiny than scripts or executables.
In early 2026, TeamPCP started hiding malicious Python scripts and Windows executables inside WAV files as part of supply chain attacks against open-source packages. The files had valid headers, correct MIME types, and looked like audio to ordinary tooling, but the audio data had been replaced with obfuscated code.
Stegwav is an experimental detector for that problem. It parses WAV structure, checks whether the data is actually audio, extracts identifiable payloads, and also looks for LSB steganography hidden inside real audio.
Stegwav is a Go command-line detector for WAV files with hidden payloads. It validates WAV structure, analyzes whether sample data looks like real audio, extracts and identifies embedded payloads such as TeamPCP-style XOR/base64 content, and flags LSB steganography with statistical checks. The public release includes the detector only; the generator is a separate private plugin for authorized research and detection testing.
Stegwav supports commercial plugins for production use. See Stegwav Generator below for authorized generator access.
| Capability | Description |
|---|---|
| Four-phase detection pipeline | Checks WAV structure, audio content, payload extraction, and LSB steganography |
| TeamPCP payload detection | Finds XOR/base64 payloads written into WAV frame data and extracts identified code |
| LSB steganalysis | Uses chi-square and RS-style statistical analysis to detect hidden data inside real audio |
| CI-friendly output | Provides deterministic exit codes plus JSON output for artifact scanning pipelines |
| Single binary | Public detector builds as one Go binary with no runtime dependencies |
| Experimental signal | Results are intended as a signal for further analysis, not a final production verdict |
Production-ready extensions for Stegwav
Authorized WAV Payload Generation
Stegwav Generator is a private plugin for creating controlled WAV samples with embedded payloads. It is intended for authorized research, detector validation, training labs, and regression testing against known steganography and payload patterns.
The open source Stegwav CLI focuses on finding and extracting suspicious payloads. Stegwav Generator adds controlled sample creation so security teams can build reproducible test corpuses, validate detections, and exercise response workflows without relying on unknown samples from the wild.
| Capability | Stegwav OSS | Stegwav Generator |
|---|---|---|
| WAV structure validation | ||
| Audio-content anomaly detection | ||
| Payload extraction and identification | ||
| LSB steganalysis | ||
| Generate TeamPCP-style test samples | ||
| Generate LSB WAV fixtures | ||
| Detection regression corpus workflow | ||
| Private distribution for authorized research | ||
Use Stegwav OSS for detection, artifact triage, and CI scanning. Use Stegwav Generator when you need controlled WAV fixtures for authorized research and detection testing.
Stegwav Generator is available for authorized research, security training, and detection testing use cases.
Curtis Collicutt runs The Collicutt Software Company. He works across product engineering, developer experience, and cybersecurity, with a bias toward tools that make complex systems easier to reason about and safer to run.