Please review the Community Note before submitting
TruffleHog Version
trufflehog dev, main branch as of 2026-05-28 9am pacific
main was at 36f6f6970 when I ran into this issue
Trace Output
https://gist.github.com/johannestaas-trufflesec/6f06a6fb38f8445b09abd818c714e52b
Expected Behavior
- It should parse obfuscated APKs, or handle bad classes without failing on the APK entirely
- It should continue parsing resources.arsc even if one resource type is unrecognized
- It should also log the package name whenever possible if there is an error
Actual Behavior
runtime error: slice bounds out of range [65536:16384]"malformed class def: bad superclass type: invalid string id"- no package name, not very useful debug logging
Steps to Reproduce
- https://f-droid.org/en/packages/ds.pulsar/
- Download the latest (ds.pulsar_7.apk)
- Run
trufflehog filesystem ./ds.pulsar_7.apk
Environment
- OS: OSX/Darwin
- Version Darwin Kernel Version 25.4.0
Additional Context
Internal, just reporting to follow guidelines (I work here so feel free to slack me)
References
Please review the Community Note before submitting
TruffleHog Version
trufflehog dev, main branch as of 2026-05-28 9am pacificmain was at
36f6f6970when I ran into this issueTrace Output
https://gist.github.com/johannestaas-trufflesec/6f06a6fb38f8445b09abd818c714e52b
Expected Behavior
Actual Behavior
runtime error: slice bounds out of range [65536:16384]"malformed class def: bad superclass type: invalid string id"Steps to Reproduce
trufflehog filesystem ./ds.pulsar_7.apkEnvironment
Additional Context
Internal, just reporting to follow guidelines (I work here so feel free to slack me)
References