★Obfuscator NameError CLASS-KILLER — 5-release whack-a-mole ended. Python local-variable name mangling disabled (the source of the "name 'x<hex>' is not defined" crashes in scan_router, ask_ai_router, nuclei_zap, OWASP engine, checklist executor, agentic orchestrator, privacy_filter, business_logic_tester, and 3 other sites since v45.1.22). Remaining obfuscation layers preserved: pyc-only, XOR string encoding, docstring strip, SHA-256 integrity manifest. No more HTTP 500 on report generation, no more "AI engine returned empty response" on Ask AI, no more scan crashes from mangled scope.
✓100% traceback capture (AutoExcInfo) — single logging patch captures sys.exc_info() on every WARNING+ log record emitted inside an except block. Previously 529 catch-sites printed just the exception message with no traceback; now every future error lands in electron.log with full file/line. Autonomous diagnosis without guessing.
✓Finding-shape normalizer — _record_finding coerces 20+ shape-critical fields (severity / type / status / exploitation_status / title / description / remediation / business_impact / affected_component / all snippets / etc.) to strings at ingestion. Kills the "'dict' object has no attribute 'upper'" DeepValidator bug class at the gate — any future rogue adapter producing the same bug is absorbed before it reaches downstream code.
★OWASP Top 10:2025 + ASVS v5.0 + CWE Top 25:2025 — frameworks migrated to LATEST (verified verbatim against official OWASP & MITRE pages, not training memory). Reports + scanner checklists + compliance map all updated: A01:2025 Broken Access Control through A10:2025 Mishandling of Exceptional Conditions (new), ASVS 17 chapters incl. new V3 Web Frontend, V9 Self-contained Tokens, V10 OAuth+OIDC, V17 WebRTC. Back-compat shim for legacy 2021 tags in existing findings DB.
✓Corporate polish sweep — severity palette migrated from neon (#ff2d55 / #ff6b35 / #ffd60a / #30d158 / #64d2ff) to deep muted Big-4 consultancy tones (#991b1b / #b45309 / #ca8a04 / #15803d / #475569). All emoji stripped from reports: ⚡ Remediation Roadmap header, ✓/✗ ASVS PASS/FAIL, ➕/↻/✓/○ Delta buckets, ⚠ 🔍 🔧 technical_report / delta_report / re_report_section. Reports now print clean on grayscale.
✓YerraWitness Playwright fix — chromium detector now accepts chromium-*, chromium_headless_shell-* (Playwright 1.46+ layout), and chromium-headless-shell-* prefixes, plus 3 additional packaged paths. Fixes tester “Executable doesn't exist at ...\chromium_headless_shell-1208\...” error that blocked visual recon entirely on fresh installs.
✓Ask AI resilience — /api/ask/chat wrapped in try/except + empty-message sanity net. If handle_turn ever crashes or returns empty, UI gets a human-readable “switch to Form mode” fallback instead of “AI engine returned empty response (action=unknown · reasoning=none)”.
⚠Test focus for this build — (1) run a web scan end-to-end and confirm NO x<hex> NameError in electron.log; (2) click “Generate Report” on any completed scan — Technical PDF should include Reproduce-with-curl + Evidence (Request + Response) + Exploitation Steps + Proof of Concept + References on every finding card; (3) open Ask PhantomYerra, reply “yes” when prompted for authorization — must NOT return the old empty-response error; (4) YerraWitness visual recon against a live URL must capture screenshots; (5) visually confirm reports use the corporate palette — no neon red/orange/yellow, no ⚡ ✓ ✗ emojis in Remediation Roadmap or ASVS matrix.
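One way to get the AutoExcInfo behaviour described above, as an added example (not PhantomYerra's code): a logging filter that attaches sys.exc_info() to WARNING+ records emitted while an exception is being handled. The logger name and the failing call site are constructed for the demo.

```python
import io
import logging
import sys


class AutoExcInfoFilter(logging.Filter):
    """Attach the active exception to WARNING+ records that lack exc_info."""

    def filter(self, record):
        if record.levelno >= logging.WARNING and not record.exc_info:
            active = sys.exc_info()
            if active[0] is not None:  # set only while an except block is running
                record.exc_info = active
        return True  # annotate only, never drop a record


def build_logger(stream):
    """Hypothetical demo logger; the filter sits on the handler so it also
    sees records propagated from child loggers."""
    logger = logging.getLogger("autoexc_demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(AutoExcInfoFilter())
    logger.addHandler(handler)
    return logger


def run_demo():
    """Log from three constructed call sites and return the captured text."""
    buf = io.StringIO()
    log = build_logger(buf)
    try:
        {"severity": {"level": "high"}}["severity"].upper()  # dict has no .upper()
    except Exception as exc:
        log.warning("adapter failed: %s", exc)  # message-only catch-site
        log.info("continuing")                  # below WARNING: untouched
    log.warning("no exception active here")     # outside except: no traceback
    return buf.getvalue()


if __name__ == "__main__":
    print(run_demo())
```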
★Obfuscator STRATEGIC fix (v45.1.31 core) — replaced hand-rolled AST scope-analysis heuristic with Python stdlib symtable (CPython's own scope analyzer). Fixes the entire UnboundLocalError / NameError bug class at the root. v45.1.27 was PULLED from the server after 5 obfuscator sites surfaced in the scan engine (scan_router Agentic Orchestrator + Checklist executor, nuclei_zap_adapter, web_scanner OWASP engine, OWASPExploitationEngine). Post-fix smoke: 576 modules loaded, 0 import errors, 0 obfuscator failures; Phase 5b cross-scope regression test PASS; 167 adapter scan() invokes with 0 failures.
✓Corporate UI (dark) — SLDS-grade corporate blue (#2563EB), slate backgrounds replacing vivid indigo. Light-mode toggle still pulled pending the per-component sweep (540+ hardcoded colours). Dark mode is the only theme for this build. Light mode returns in v45.1.29 after the sweep + screenshot audit.
✓Wizard step-order fix — Surface Selection now runs BEFORE Target Scope, so SAST asks for a repo URL (not a web URL), Mobile asks for an APK, Cloud asks for provider credentials, Reverse Engineering asks for a binary. Heals all 13 surfaces with one change.
✓Legal Disclaimer redesign — three redundant fields removed; Authorized Targets panel now pulls from license server (effective_scope_patterns + target_restrictions); corporate slate styling.
✓Status desync fix + single source of truth — new src/lib/scanStatus.ts; sidebar badges, Active Projects, Completed, LiveScanWidget, ActiveScanIndicator all read from one helper. No more "badge says 12 but page shows 2".
✓Evidence tab never blank — server synthesizes inline evidence from finding record fields (exploitation_steps / PoC / HTTP snippets / remediation) when no file-based capture exists.
✓Per-finding Exploit button — red action on every critical/high/medium finding jumps straight to the Exploit tab (PoC gen, live fire, zero-day classify).
✓Findings XLSX export is a REAL workbook — openpyxl-backed, with coloured header row and frozen panes. Previously .xlsx was CSV-renamed.
✓Linux fixes — Playwright Chromium now ships inside the AppImage (PLAYWRIGHT_BROWSERS_PATH pinned), CLI bash -- regression resolved.
✓Pentest Activity Log foundation — new ScanActivity table + /api/scans/<id>/activity endpoint. Full Trace-tab UI lands in v45.1.31.
✓Obfuscator defensive hardening — parameter-reassignment bug (cause of v45.1.24 crash-loop) fully healed; AI-key Save rewritten to avoid the pattern entirely; 167 adapter probes zero errors.
⚠Please use the v45.1.31 Tester Checklist — 15 sections, 80+ items, per-platform call-outs. Please log PASS/FAIL per item and submit via in-app Report Issue.
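Why local-name mangling needs a real scope analyzer, as an added example that is not the product's obfuscator: it uses the stdlib symtable module to separate locals that can be renamed in isolation from locals a nested function also reads (renaming those in one scope only produces the NameError class described in these notes). The sample source and the classify helper are hypothetical.

```python
import symtable

# Constructed sample: 'sid' is assigned in launch() and read in the nested on_done().
SAMPLE = '''
def launch(target, retries=3):
    sid = make_id(target)
    attempts = 0
    def on_done(result):
        status = result.upper()
        return sid, status
    attempts += retries
    return on_done
'''


def _free_names_below(table):
    """Names any nested scope resolves from an enclosing function (closure reads)."""
    names = set()
    for child in table.get_children():
        names |= {s.get_name() for s in child.get_symbols() if s.is_free()}
        names |= _free_names_below(child)
    return names


def classify(source):
    """Map each function's qualified name to {'safe': ..., 'captured': ...}.

    safe     -> plain locals a per-function renamer can mangle in isolation
    captured -> locals also read by a nested scope; rename in both or in neither
    Parameters are excluded because keyword callers depend on their names.
    """
    report = {}

    def walk(table, prefix):
        for child in table.get_children():
            qual = prefix + child.get_name()
            if str(child.get_type()) == "function":
                local = {s.get_name() for s in child.get_symbols()
                         if s.is_local() and not s.is_parameter()}
                captured = local & _free_names_below(child)
                report[qual] = {"safe": local - captured, "captured": captured}
            walk(child, qual + ".")

    walk(symtable.symtable(source, "<sample>", "exec"), "")
    return report
```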
Python 3.12 bundled — no install needed — Install from python.org, check "Add to PATH". App installs missing packages on first launch.
Valid license key required — Enter your key on first launch. Contact access@phantomyerra.com if you need one.
Npcap (Windows) — Required for raw packet capture and network scanning. Download from npcap.com.
Log location (Windows) — %APPDATA%\PhantomYerra\data\electron.log — attach when reporting issues.
★ AUTO BUG-REPORT — No manual filing needed (v45.1.31+) —
Your installed app automatically ships crashes, sidecar failures, and scan-launch errors to our triage system every 30 minutes. The AI engineering agent polls those reports hourly, fixes the root cause in code, and ships a patch in the next installer — you get the fix via auto-update.
What's sent: error type, stack trace, PhantomYerra version, OS, architecture. Each data point is PII-scrubbed on your machine BEFORE anything leaves the box — user paths, full URLs, IPs, emails, tokens, and any hex ≥32 chars are stripped. Machine identifier is a one-way SHA-256 hash that cannot be reversed to identify your device.
What's NEVER sent: your AI keys, scan targets, scan findings, credentials, business data. Only the product's own bug signatures.
Dedup: repeated crashes of the same issue on your machine don't spam the server — they increment a counter on a single pending record.
Opt out: create empty file %APPDATA%\PhantomYerra\data\telemetry-disabled.txt (Windows) or ~/.config/PhantomYerra/data/telemetry-disabled.txt (Linux) and restart the app. No data will ever leave your machine.
If you want to add context for an issue you hit, email access@phantomyerra.com with electron.log attached — but the auto-reporter has probably already delivered the technical data by then.
Manual backup bug report (optional) — Email access@phantomyerra.com with subject "Bug Report v45.1.31" and attach electron.log.
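The client-side scrub-then-dedup flow described above, as an added example (not the product's code): the regex rules, placeholder tags and record fields are assumptions, and the crash text is constructed.

```python
import hashlib
import re

# Assumed patterns (not the product's rules). URLs go first so embedded hosts
# and query strings vanish with them. IPv4 only, for brevity.
_RULES = [
    (re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.I), "<url>"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "<email>"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<ip>"),
    (re.compile(r"\b(bearer\s+|(?:token|api[_-]?key)\s*[=:]\s*)\S+", re.I), r"\1<token>"),
    (re.compile(r"\b[0-9a-f]{32,}\b", re.I), "<hex>"),
    (re.compile(r"\b([a-z]:\\Users\\)[^\\\s\"]+", re.I), r"\1<user>"),
    (re.compile(r"(/home/|/Users/)[^/\s\"]+"), r"\1<user>"),
]

SAMPLE_STACK = (  # constructed crash text, not real telemetry
    'File "C:\\Users\\alice\\AppData\\Roaming\\PhantomYerra\\scan.py", line 12\n'
    "ConnectionError: https://target.example/login?sid=9 via 10.0.0.5, "
    "alice@example.com, key 0123456789abcdef0123456789abcdef"
)


def scrub(text):
    """Apply every rule in order, on the client, before anything is queued."""
    for pattern, repl in _RULES:
        text = pattern.sub(repl, text)
    return text


def machine_id(install_id):
    """One-way identifier; install_id is assumed random and per-install."""
    return hashlib.sha256(install_id.encode("utf-8")).hexdigest()


class PendingReports:
    """Dedup queue: one record per crash signature, repeats bump a counter."""

    def __init__(self):
        self.records = {}

    def add(self, error_type, stack):
        clean = scrub(stack)  # sign the scrubbed text so user data never splits a bug
        sig = hashlib.sha256(f"{error_type}\n{clean}".encode("utf-8")).hexdigest()
        rec = self.records.setdefault(
            sig, {"error_type": error_type, "stack": clean, "count": 0})
        rec["count"] += 1
        return rec
```

Computing the signature over the scrubbed text means two users hitting the same crash with different paths or addresses still collapse into one record.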
What's new in 45.1.22 — 25+ critical hotfixes shipped today —
SCAN ENGINE RELIABILITY: SQLite "index already exists" sidecar crash (blocked 2 users from launching) fixed via DDL listener IF NOT EXISTS. Linux "name 'sid' is not defined" scan-launch crash fixed via closure capture. 5 scan adapters that were silently failing on Linux now work: business_logic_tester (tok rename), param_discovery (param rename), nikto + wpscan (shared base helper inlined), web_crawler (12 emit_activity double-pass calls fixed), agentic_orchestrator (AgenticScanConfig surface kwarg moved to context).
DASHBOARD ACCURACY: Severity tiles all-zero-while-21-findings-visible bug fixed (HTTP polling now source of truth, WS = enhancement only). Live Activity panel now reads from BOTH in-memory deque AND on-disk NDJSON streams — never goes silent again. Pentester Assistant blank-panel layout bug fixed. Active Projects badge "5 but list empty" fixed (data.scans precedence). Sidebar URL chip overflow fixed.
SCAN LIFECYCLE: Pause makes scan vanish bug fixed (now sets status=paused + stays in Active Projects). Scan flips to FAILED while findings collected — fixed (treats as completed-with-degraded-phases when findings exist). Launch Assessment idempotency + 35s safety navigation timeout (was: 5 clicks created 5 duplicate scans).
UI/UX: AI Business Logic Interview JSON-leak + never-advances loop fixed (server scrub + client strip + Generate Plan Now escape hatch). Ask PhantomYerra interview loop on URL/yes fixed (defaults auto-fill). Reports "Downloaded ✓" on fake/empty data fixed (honest fallbacks + refuses to generate empty PDFs). CLI Terminal garbled "wWWWW" output + can't-type fix (PowerShell banner via Write-Host + xterm.focus()). Repeater "Scan engine offline" false alarm fixed (dual-form ReplayRequest accepts raw_request + parsed forms). localhost:8731 direct access for debugging now works (?token= query param + same-machine GET bypass).
TELEMETRY (testing-mode cadence): Renderer can now push events (preload bridge added). Critical errors auto-emit field reports immediately. Auto-instrumentation hook fires page_view, session_heartbeat (60s), errors, scan_started. Field-report flush 30min → 5min, usage flush 5min → 90s. Boot dialog now platform-conditional (Windows gets Defender exclusion guidance, Linux gets python3.12-venv install command).
NEW DOC: help/pages/troubleshooting.html covers Defender exclusion (4 paths + admin PowerShell one-liner), Linux Python install, boot recovery (60s watchdog window), and telemetry opt-out.