diff --git a/Makefile b/Makefile
index 16249e99b..2dbcc5349 100644
--- a/Makefile
+++ b/Makefile
@@ -69,7 +69,7 @@ fix: $(FIXERS)
# END: lint-install ../malcontent
SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= 1341d420835b4623b847b5ac5cab434e10b85a88
+SAMPLES_COMMIT ?= ec1ba5f2dc0e1f7085a0af73aa0f6fb1043e7534
OUT_DIR=out/samples-$(SAMPLES_COMMIT).tmp
out/samples-$(SAMPLES_COMMIT):
mkdir -p out
diff --git a/test_data/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/test_data/javascript/2024.lottie-player/lottie-player.min.js.mdiff
new file mode 100644
index 000000000..9242de0cf
--- /dev/null
+++ b/test_data/javascript/2024.lottie-player/lottie-player.min.js.mdiff
@@ -0,0 +1,42 @@
+## Changed: javascript/2024.lottie-player/lottie-player.min.js [⚠️ MEDIUM → 🚨 CRITICAL]
+
+### 29 new behaviors
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| +CRITICAL | **[exfil/stealer/wallet](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/wallet.yara#crypto_stealer_names)** | makes HTTPS connections and references multiple wallets by name | [BraveWallet](https://github.com/search?q=BraveWallet&type=code)
[Coinbas](https://github.com/search?q=Coinbas&type=code)
[Ronin](https://github.com/search?q=Ronin&type=code)
[http](https://github.com/search?q=http&type=code) |
+| +MEDIUM | **[anti/static/obfuscation/generic/hex_conversion](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/generic/hex_conversion.yara#hex_parse)** | converts hex data to ASCII | [toString("hex");](https://github.com/search?q=toString%28%22hex%22%29%3B&type=code) |
+| +MEDIUM | **[c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#hardcoded_ip)** | hardcoded IP address | [114.243.154.69](https://github.com/search?q=114.243.154.69&type=code)
[13.182.181.343](https://github.com/search?q=13.182.181.343&type=code)
[13.23.32.42](https://github.com/search?q=13.23.32.42&type=code)
[14.22.33.243](https://github.com/search?q=14.22.33.243&type=code)
[14.52.54.92](https://github.com/search?q=14.52.54.92&type=code)
[146.288.257.686](https://github.com/search?q=146.288.257.686&type=code)
[15.15.34.34](https://github.com/search?q=15.15.34.34&type=code)
[15.21.28.36](https://github.com/search?q=15.21.28.36&type=code)
[15.34.34.56](https://github.com/search?q=15.34.34.56&type=code)
[153.41.153.567](https://github.com/search?q=153.41.153.567&type=code)
[156.153.41.153](https://github.com/search?q=156.153.41.153&type=code)
[172.14.22.33](https://github.com/search?q=172.14.22.33&type=code)
[178.311.311.743](https://github.com/search?q=178.311.311.743&type=code)
[181.132.465.255](https://github.com/search?q=181.132.465.255&type=code)
[198.172.14.22](https://github.com/search?q=198.172.14.22&type=code)
[21.28.36.36](https://github.com/search?q=21.28.36.36&type=code)
[21.507.477.106](https://github.com/search?q=21.507.477.106&type=code)
[22.33.243.463](https://github.com/search?q=22.33.243.463&type=code)
[23.32.42.47](https://github.com/search?q=23.32.42.47&type=code)
[24.26.45.35](https://github.com/search?q=24.26.45.35&type=code)
[243.427.41.993](https://github.com/search?q=243.427.41.993&type=code)
[25.27.52.74](https://github.com/search?q=25.27.52.74&type=code)
[25.34.35.14](https://github.com/search?q=25.34.35.14&type=code)
[26.45.35.92](https://github.com/search?q=26.45.35.92&type=code)
[26.45.64.83](https://github.com/search?q=26.45.64.83&type=code)
[26.47.64.85](https://github.com/search?q=26.47.64.85&type=code)
[27.52.74.77](https://github.com/search?q=27.52.74.77&type=code)
[288.146.686.257](https://github.com/search?q=288.146.686.257&type=code)
[288.257.686.318](https://github.com/search?q=288.257.686.318&type=code)
[294.169.558.47](https://github.com/search?q=294.169.558.47&type=code)
[311.178.743.311](https://github.com/search?q=311.178.743.311&type=code)
[311.311.743.384](https://github.com/search?q=311.311.743.384&type=code)
[325.737.732.76](https://github.com/search?q=325.737.732.76&type=code)
[335.749.748.752](https://github.com/search?q=335.749.748.752&type=code)
[347.763.768.74](https://github.com/search?q=347.763.768.74&type=code)
[407.325.737.732](https://github.com/search?q=407.325.737.732&type=code)
[414.335.749.748](https://github.com/search?q=414.335.749.748&type=code)
[422.347.763.768](https://github.com/search?q=422.347.763.768&type=code)
[427.41.993.498](https://github.com/search?q=427.41.993.498&type=code)
[486.21.507.477](https://github.com/search?q=486.21.507.477&type=code)
[515.24.49.525](https://github.com/search?q=515.24.49.525&type=code)
[52.14.93.54](https://github.com/search?q=52.14.93.54&type=code)
[585.33.579.602](https://github.com/search?q=585.33.579.602&type=code)
[65.65.98.98](https://github.com/search?q=65.65.98.98&type=code)
[652.193.936.325](https://github.com/search?q=652.193.936.325&type=code)
[662.198.172.14](https://github.com/search?q=662.198.172.14&type=code)
[678.243.427.41](https://github.com/search?q=678.243.427.41&type=code)
[732.76.734.734](https://github.com/search?q=732.76.734.734&type=code)
[737.325.76.732](https://github.com/search?q=737.325.76.732&type=code)
[737.732.76.157](https://github.com/search?q=737.732.76.157&type=code)
[751.338.748.752](https://github.com/search?q=751.338.748.752&type=code)
[76.732.734.734](https://github.com/search?q=76.732.734.734&type=code)
[78.24.65.51](https://github.com/search?q=78.24.65.51&type=code)
[83.26.47.64](https://github.com/search?q=83.26.47.64&type=code)
[88.39.55.87](https://github.com/search?q=88.39.55.87&type=code)
[92.97.47.52](https://github.com/search?q=92.97.47.52&type=code)
[942.12.872.258](https://github.com/search?q=942.12.872.258&type=code)
[97.47.52.84](https://github.com/search?q=97.47.52.84&type=code) |
+| +MEDIUM | **[credential/keychain/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain)** | May access the macOS keychain | [keychain](https://github.com/search?q=keychain&type=code) |
+| +MEDIUM | **[data/embedded/embedded/base64/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url)** | Contains base64 url | [odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code) |
+| +MEDIUM | **[discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname)** | [get system identification](https://nodejs.org/api/process.html) | [process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) |
+| +MEDIUM | **[exfil/stealer/browser](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/browser.yara#userdata_browser_archiver)** | Uses HTTP, archives, and references multiple browsers | [.config](https://github.com/search?q=.config&type=code)
[Brave](https://github.com/search?q=Brave&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[Opera](https://github.com/search?q=Opera&type=code)
[POST](https://github.com/search?q=POST&type=code)
[Safari](https://github.com/search?q=Safari&type=code)
[https](https://github.com/search?q=https&type=code)
[zip](https://github.com/search?q=zip&type=code) |
+| +MEDIUM | **[fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val)** | references and possibly executes relative path | [./aes](https://github.com/search?q=.%2Faes&type=code)
[./blowfish](https://github.com/search?q=.%2Fblowfish&type=code)
[./cipher-core](https://github.com/search?q=.%2Fcipher-core&type=code)
[./core](https://github.com/search?q=.%2Fcore&type=code)
[./evpkdf](https://github.com/search?q=.%2Fevpkdf&type=code)
[./format-hex](https://github.com/search?q=.%2Fformat-hex&type=code)
[./hmac](https://github.com/search?q=.%2Fhmac&type=code)
[./lib-typedarrays](https://github.com/search?q=.%2Flib-typedarrays&type=code)
[./mode-cfb](https://github.com/search?q=.%2Fmode-cfb&type=code)
[./mode-ctr-gladman](https://github.com/search?q=.%2Fmode-ctr-gladman&type=code)
[./mode-ecb](https://github.com/search?q=.%2Fmode-ecb&type=code)
[./mode-ofb](https://github.com/search?q=.%2Fmode-ofb&type=code)
[./pad-nopadding](https://github.com/search?q=.%2Fpad-nopadding&type=code)
[./pad-zeropadding](https://github.com/search?q=.%2Fpad-zeropadding&type=code)
[./path](https://github.com/search?q=.%2Fpath&type=code)
[./rabbit-legacy](https://github.com/search?q=.%2Frabbit-legacy&type=code)
[./tripledes](https://github.com/search?q=.%2Ftripledes&type=code) |
+| +MEDIUM | **[impact/words/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/words/agent.yara#agent)** | references an 'agent' | [useragent](https://github.com/search?q=useragent&type=code) |
+| +MEDIUM | **[impact/words/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/words/heartbeat.yara#heartbeat)** | references a 'heartbeat' | [heartBeatTimeout](https://github.com/search?q=heartBeatTimeout&type=code)
[heartbeat_pulse](https://github.com/search?q=heartbeat_pulse&type=code)
[lastHeartbeatResponse](https://github.com/search?q=lastHeartbeatResponse&type=code)
[updateLastHeartbeat](https://github.com/search?q=updateLastHeartbeat&type=code) |
+| +MEDIUM | **[net/http/http/form/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-form-upload.yara#http_form_upload)** | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) |
+| +MEDIUM | **[net/http/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-post.yara#http_post)** | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) |
+| +MEDIUM | **[net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket)** | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WalletLinkWebSocket](https://github.com/search?q=WalletLinkWebSocket&type=code)
[WebSocket:gV](https://github.com/search?q=WebSocket%3AgV&type=code)
[WebSocket:typeof](https://github.com/search?q=WebSocket%3Atypeof&type=code)
[WebSocketClass:h](https://github.com/search?q=WebSocketClass%3Ah&type=code)
[WebSocketClass:l](https://github.com/search?q=WebSocketClass%3Al&type=code)
[clearWebSocket](https://github.com/search?q=clearWebSocket&type=code)
[webSocket:e](https://github.com/search?q=webSocket%3Ae&type=code)
[webSocket:r](https://github.com/search?q=webSocket%3Ar&type=code)
[webSocket:t](https://github.com/search?q=webSocket%3At&type=code) |
+| +MEDIUM | **[net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode)** | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) |
+| +MEDIUM | **[net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls)** | requests resources via URL | [requests.get(e)](https://github.com/search?q=requests.get%28e%29&type=code) |
+| +LOW | **[c2/addr/url/unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url-unusual.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://openchain.xyz/](https://openchain.xyz/) |
+| +LOW | **[credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val)** | References private keys | [privateKey](https://github.com/search?q=privateKey&type=code) |
+| +LOW | **[crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes)** | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) |
+| +LOW | **[crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519)** | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) |
+| +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
+| +LOW | **[fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-open.yara#py_open)** | opens files | [open(](https://github.com/search?q=open%28&type=code) |
+| +LOW | **[fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount)** | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) |
+| +LOW | **[impact/words/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/words/password.yara#password)** | references a 'password' | [PasswordBasedCipher](https://github.com/search?q=PasswordBasedCipher&type=code)
[to countless passwords](https://github.com/search?q=to+countless+passwords&type=code) |
+| +LOW | **[net/resolve/hostport/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo)** | Network address and service translation | [getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
+| +LOW | **[net/socket/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen)** | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[socket](https://github.com/search?q=socket&type=code) |
+| +LOW | **[net/socket/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg)** | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code) |
+| +LOW | **[os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val)** | Retrieve environment variable values | [env.DEBUG](https://github.com/search?q=env.DEBUG&type=code)
[env.MODE](https://github.com/search?q=env.MODE&type=code)
[env.NEXT](https://github.com/search?q=env.NEXT&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code) |
+| +LOW | **[os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read)** | reads from a file handle | [e.read()](https://github.com/search?q=e.read%28%29&type=code) |
+| +LOW | **[os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write)** | writes to a file handle | [a.write(o)](https://github.com/search?q=a.write%28o%29&type=code)
[decoder.write(n)](https://github.com/search?q=decoder.write%28n%29&type=code)
[decoder.write(t)](https://github.com/search?q=decoder.write%28t%29&type=code)
[e.write(t)](https://github.com/search?q=e.write%28t%29&type=code)
[i.write(e)](https://github.com/search?q=i.write%28e%29&type=code)
[t.write(o)](https://github.com/search?q=t.write%28o%29&type=code)
[this.write(e)](https://github.com/search?q=this.write%28e%29&type=code) |
+
+### 1 removed behaviors
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|---------|--------------------------------------------------------------------------------------------------------------------------|--------------------------|----------------------------------------------------------------------|
+| -MEDIUM | [os/time/clock/sleep](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/clock-sleep.yara#setInterval) | uses setInterval to wait | [setInterval(](https://github.com/search?q=setInterval%28&type=code) |
+
diff --git a/test_data/refresh-testdata.sh b/test_data/refresh-testdata.sh
index 802456d3b..095f87761 100755
--- a/test_data/refresh-testdata.sh
+++ b/test_data/refresh-testdata.sh
@@ -163,6 +163,13 @@ addq ${malcontent} --format=simple \
linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json \
linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json
+addq ${malcontent} --format=markdown \
+ -o "${test_data}/javascript/2024.lottie-player/lottie-player.min.js.mdiff" \
+ diff \
+ --file-risk-increase \
+ javascript/clean/lottie-player.min.js \
+ javascript/2024.lottie-player/lottie-player.min.js
+
for f in $(find "${test_data}" -name "*.simple"); do
prog=$(echo $f | sed -e s#"${test_data}/"## -e s#\.simple\$##)
if [[ -f "${prog}" ]]; then