Saved February 14, 2026
Malcontent is a tool designed to detect supply-chain malware using context analysis and differential methods. It supports a wide range of file formats and programming languages; it analyzes Linux programs best, but also works on macOS and Windows. It offers three modes, analyze, diff, and scan, which allow in-depth examination of a program's capabilities and risks.
Malcontent is a tool designed to uncover malware, with a particular focus on supply-chain compromises. It uses context, differential analysis, and YARA rules to identify malicious behaviors in software. There are three main modes of operation: "analyze," which gives an unfiltered view of a program's capabilities; "diff," which compares two sources to highlight differences in risk; and "scan," which evaluates a program's capabilities against defined risk thresholds. It works best with Linux programs but also supports other UNIX-like systems such as macOS, and Windows to a lesser extent.
The tool boasts over 14,500 YARA rules from sources like Avast and FireEye, allowing it to analyze a variety of binary formats and programming languages. Output can be generated in formats such as JSON and Markdown, making it adaptable for different reporting needs. Malcontent is designed to integrate with CI/CD pipelines, enhancing its utility in software development environments. However, users should be cautious when using the Docker Keychain for image pulls, as it can expose sensitive credentials to malicious registries.
Malcontent’s differential analysis is particularly powerful in identifying unexpected changes in software during builds. It compares new binaries against known-good versions to surface any high-risk alterations. This method is illustrated through the 3CX compromise example, where malicious changes in a library were easily identified. The scan mode filters out lower-risk findings by default, focusing on high-severity issues.
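The three modes described above can be modeled compactly: "analyze" lists every capability a rule set matches, "scan" keeps only findings at or above a risk threshold, and "diff" reports capabilities that appear in a new build but not in a known-good baseline. The block below is an added illustration of that workflow, written for this summary; it is not malcontent's own code and does not use its YARA rule set. The rule names, risk levels, byte patterns, and the two sample "binaries" are all constructed for the example.

```python
"""Toy differential capability analysis (added example, not malcontent's code)."""
import re

# Constructed capability rules: (name, risk level, byte pattern).
# Real tools use far richer YARA rules; these are placeholders for illustration.
RULES = [
    ("net/socket",   "low",      rb"socket"),
    ("net/http",     "low",      rb"https?://"),
    ("proc/exec",    "medium",   rb"execve|/bin/sh"),
    ("persist/cron", "high",     rb"crontab|/etc/cron"),
    ("c2/beacon",    "critical", rb"beacon|callback"),
]

# Ordering used for threshold comparisons.
RISK_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def analyze(data: bytes) -> dict:
    """Unfiltered view: every rule that matches, mapped to its risk level."""
    return {name: risk for name, risk, pattern in RULES if re.search(pattern, data)}


def scan(data: bytes, min_risk: str = "high") -> dict:
    """Filtered view: keep only findings at or above the risk threshold."""
    floor = RISK_ORDER[min_risk]
    return {n: r for n, r in analyze(data).items() if RISK_ORDER[r] >= floor}


def diff(baseline: bytes, candidate: bytes, min_risk: str = "medium") -> dict:
    """Differential view: capabilities gained or lost relative to a known-good build.

    Gained capabilities below the threshold are dropped so that routine,
    low-risk changes do not drown out the findings worth a human look.
    """
    before, after = analyze(baseline), analyze(candidate)
    floor = RISK_ORDER[min_risk]
    added = {n: r for n, r in after.items()
             if n not in before and RISK_ORDER[r] >= floor}
    removed = {n: r for n, r in before.items() if n not in after}
    highest = max((RISK_ORDER[r] for r in added.values()), default=0)
    return {"added": added, "removed": removed, "highest_added_risk": highest}


# Constructed sample inputs standing in for a known-good library and a tampered build.
KNOWN_GOOD = (b"\x7fELF...libhelper.so: opens socket to "
              b"https://updates.example.invalid/version")
TAMPERED = KNOWN_GOOD + b" crontab -l; beacon interval=60"

if __name__ == "__main__":
    print("analyze(known-good):", analyze(KNOWN_GOOD))
    print("scan(tampered, high):", scan(TAMPERED, "high"))
    print("diff(known-good -> tampered):", diff(KNOWN_GOOD, TAMPERED))
```

Run against the constructed inputs, the baseline only shows the two low-risk networking capabilities, while the diff surfaces the two new persistence and beaconing findings and nothing else; a CI job would fail the build when `highest_added_risk` crosses its chosen threshold.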
Installation requires Go, Rust, and YARA-X, along with a few dependencies typical of UNIX systems. The YARA-X C API must be built before the malcontent binary is compiled. Users interested in contributing can find the open-source project on GitHub. Note that some malware scanners may flag malcontent itself as malicious because of its use of YARA.