SKILL.md
Hunting Credential Stuffing Attacks
Instructions
Analyze authentication logs to detect credential stuffing by identifying patterns of distributed login failures, high IP diversity, and suspicious ASN distribution.
```python
import pandas as pd

# Load auth logs (expects columns: timestamp, username, source_ip, status)
df = pd.read_csv("auth_logs.csv", parse_dates=["timestamp"])

# Credential stuffing indicator: many distinct IPs failing against the same account
failed = df[df["status"] == "failed"]
ip_per_account = failed.groupby("username")["source_ip"].nunique()
accounts_under_attack = ip_per_account[ip_per_account > 50]
print(accounts_under_attack.sort_values(ascending=False))
```
Key detection indicators:
- High unique source IPs per failed username
- Low success rate across many accounts (< 1%)
- ASN concentration from cloud/proxy providers
- Geographic impossibility (same account, distant locations)
- User-agent uniformity across distributed IPs
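The five indicators above, worked over a constructed authentication log as an added example (this is not code from the skill or its repository). It uses only the Python standard library instead of pandas, generates 100 distributed failures per targeted account so the success-rate check actually reaches the sub-1% band, and approximates "geographic impossibility" as two successful logins for one account from different countries within an hour. The `asn`, `country` and `user_agent` columns, the IP and ASN values, and the thresholds are all assumptions for the sample.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample telemetry (not from the original page). Column names are
# assumptions: timestamp, username, source_ip, asn, country, user_agent, status.
LEGIT_EVENTS = """timestamp,username,source_ip,asn,country,user_agent,status
2024-05-01T09:00:00,carol,192.0.2.7,7922,US,Mozilla/5.0 (Windows NT 10.0; Win64; x64),success
2024-05-01T09:01:00,bob,192.0.2.5,7922,US,Mozilla/5.0 (Windows NT 10.0; Win64; x64),failed
2024-05-01T09:01:20,bob,192.0.2.5,7922,US,Mozilla/5.0 (Windows NT 10.0; Win64; x64),success
2024-05-01T09:04:00,dave,192.0.2.9,7922,US,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15),success
"""


def build_sample_log(attempts_per_account=100):
    """Append a synthetic distributed attack on alice and carol to the legitimate rows.

    Every failed attempt comes from a different IP (documentation ranges), the ASNs
    are two large cloud providers, and all attack requests share one user agent.
    """
    rows = [LEGIT_EVENTS.rstrip("\n")]
    for i in range(attempts_per_account):
        asn, country = ("14618", "US") if i % 2 == 0 else ("16509", "DE")
        rows.append(f"2024-05-01T09:{2 + i // 60:02d}:{i % 60:02d},alice,198.51.100.{i},"
                    f"{asn},{country},python-requests/2.31,failed")
        rows.append(f"2024-05-01T09:{10 + i // 60:02d}:{i % 60:02d},carol,203.0.113.{i},"
                    f"14618,NL,python-requests/2.31,failed")
    # One replayed credential pair works: the stuffing run lands a single login.
    rows.append("2024-05-01T09:12:00,carol,203.0.113.200,14618,NL,python-requests/2.31,success")
    return "\n".join(rows) + "\n"


def parse_events(text):
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["ts"] = datetime.fromisoformat(e["timestamp"])
    return events


def failed_ips_per_account(events):
    """Indicator 1: number of distinct source IPs behind failed logins, per username."""
    ips = defaultdict(set)
    for e in events:
        if e["status"] == "failed":
            ips[e["username"]].add(e["source_ip"])
    return {user: len(s) for user, s in ips.items()}


def targeted_accounts(events, min_ips=50):
    return sorted(u for u, n in failed_ips_per_account(events).items() if n > min_ips)


def success_rate(events, accounts):
    """Indicator 2: share of all attempts against the targeted accounts that succeeded."""
    hits = [e for e in events if e["username"] in accounts]
    ok = sum(1 for e in hits if e["status"] == "success")
    return ok / len(hits) if hits else 0.0


def asn_concentration(events, accounts):
    """Indicator 3: the most common ASN among failed attempts and its share of them."""
    c = Counter(e["asn"] for e in events
                if e["username"] in accounts and e["status"] == "failed")
    asn, n = c.most_common(1)[0]
    return asn, n / sum(c.values())


def user_agent_uniformity(events, accounts):
    """Indicator 5: (distinct user agents, distinct IPs) among the failed attempts."""
    failed = [e for e in events if e["username"] in accounts and e["status"] == "failed"]
    return len({e["user_agent"] for e in failed}), len({e["source_ip"] for e in failed})


def geo_impossible_logins(events, window_minutes=60):
    """Indicator 4 (approximation): successive successes for one account from
    different countries inside the window. A real check would use distance/speed."""
    by_user = defaultdict(list)
    for e in events:
        if e["status"] == "success":
            by_user[e["username"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if prev["country"] != cur["country"] and gap <= window_minutes * 60:
                flagged.append((user, prev["country"], cur["country"]))
    return flagged


def hunt(text, min_ips=50, max_success_rate=0.01, asn_share_threshold=0.5):
    """Run all indicators and report which fired. Thresholds are illustrative."""
    events = parse_events(text)
    accounts = targeted_accounts(events, min_ips)
    if not accounts:
        return {"targeted_accounts": [], "indicators": []}
    rate = success_rate(events, accounts)
    asn, share = asn_concentration(events, accounts)
    uas, ips = user_agent_uniformity(events, accounts)
    geo = geo_impossible_logins(events)
    fired = []
    if rate < max_success_rate:
        fired.append("low_success_rate")
    if share > asn_share_threshold:
        fired.append("asn_concentration")
    if uas == 1 and ips > min_ips:
        fired.append("user_agent_uniformity")
    if geo:
        fired.append("geo_impossibility")
    return {"targeted_accounts": accounts, "success_rate": rate, "top_asn": (asn, share),
            "user_agents": uas, "attacking_ips": ips, "geo_impossible": geo,
            "indicators": fired}


if __name__ == "__main__":
    for key, value in hunt(build_sample_log()).items():
        print(f"{key}: {value}")
```

On the constructed log the success rate is 2/202 (one legitimate login plus one stuffed hit against 200 failures), ASN 14618 carries 75% of the failed traffic, a single user agent sits behind 200 IPs, and carol shows a US-to-NL success pair twelve minutes apart, so all four computable indicators fire; the same run on the legitimate rows alone flags no accounts. In production the ASN and country columns would come from an enrichment step rather than the raw auth log.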
Examples
```python
# Password spray: one password tried across many accounts from the same source
# (assumes the log records a hash of the attempted password in "password_hash")
spray = (
    df[df["status"] == "failed"]
    .groupby(["source_ip", "password_hash"])
    .agg(accounts=("username", "nunique"))
    .reset_index()
)
sprays = spray[spray["accounts"] > 10]
```
Repository: mukul975/anthro…y-skills