@fased/fased@0.1.16

Fased Agent self-hosted AI gateway with channels, tools, plugins, and operator modules

AI Security Review

scanned 4h ago · by lpm-firewall-ai

The confirmed package-level attack surface is an npm prepare hook that rewrites the installing repository's Git hook path. This is unconsented lifecycle mutation of a broad VCS control surface, even though no hook payload directory is packaged.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
npm prepare lifecycle when installed from source/git or otherwise run inside a git worktree
Impact
Consumer repository Git hooks can be disabled or redirected, creating a persistent project control-surface change outside the package namespace.
Mechanism
unprompted `git config core.hooksPath git-hooks`
Attack narrative
Installing or preparing the package inside a Git worktree runs the package.json prepare script. That script rewrites the repository-local Git hook configuration to `git-hooks` without checking consent or preserving the existing hook path. Because the package does not include that directory, the immediate effect can be disabling existing hooks; if a matching directory is later introduced, Git will execute hooks from the redirected location.
Rationale
Source inspection confirms unconsented lifecycle mutation of a consumer VCS hook control surface; scanner claims about remote decoded execution were not substantiated in the inspected source. The lifecycle hook alone is concrete install-time abuse with persistent project impact.
Evidence
package.json, fased.mjs, scripts/run-node.mjs, scripts/start-managed.sh, dist/agent-scope-Cb1u7HE7.js, dist/register.start-BbpJgyXr.js, dist/onboarding-mnC5T2b7.js, .git/config, git-hooks

Decision evidence

public snapshot
AI called this Malicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json defines prepare lifecycle: `git config core.hooksPath git-hooks` when run inside any git worktree.
  • The lifecycle command mutates the consumer repo's `.git/config` without an install prompt or package namespace guard.
  • No `git-hooks` directory exists in the package, so the hook path rewrite can disable existing project hooks or redirect future hooks.
  • dist/onboarding-mnC5T2b7.js can install systemd services/sudoers, but those paths are tied to explicit onboarding prompts rather than import-time execution.
Evidence against
  • fased.mjs only bootstraps local dist entry files and warning filters.
  • dist/register.start-BbpJgyXr.js spawns the package CLI gateway on explicit `fased start`.
  • The inspected `dist/agent-scope-Cb1u7HE7.js` fetch/import matches local model discovery and provider auth flows, not a confirmed remote payload loader.
  • Network endpoints in scripts are package-aligned gateway/tunnel/provider endpoints.
Behavioral surface
Source
Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Native Bindings, Network, Shell, WebSocket
Supply chain
High Entropy Strings, Minified, Url Strings
Manifest
No manifest risk signals triggered.
scanned 1,513 file(s), 36.5 MB of source, external domains: (domain list omitted)
Oversized source lightweight scan
dist/auth-CvqpAgdd.js: 4.38 MB file, sampled 256 KB
Filesystem, Network, Child Process, Environment Vars, Crypto, Shell, WebSocket, Url Strings; domains: api.telegram.org, docs.fased.ai
dist/model-catalog-C2vE0j1H.js: 4.48 MB file, sampled 256 KB
Filesystem, Network, Child Process, Environment Vars, Crypto, Shell, WebSocket, High Entropy Strings, Url Strings; domains: api.elevenlabs.io, api.openai.com, api.telegram.org
dist/pi-embedded-BDeqatzH.js: 4.38 MB file, sampled 256 KB
Filesystem, Network, Child Process, Environment Vars, Crypto, Shell, WebSocket, High Entropy Strings, Url Strings; domains: api.anthropic.com, api.elevenlabs.io, api.openai.com, chatgpt.com, docs.fased.ai, github.com, openrouter.ai
dist/pi-embedded-DHEJ4nof.js: 4.38 MB file, sampled 256 KB
Filesystem, Network, Child Process, Environment Vars, Crypto, Shell, WebSocket, High Entropy Strings, Url Strings; domains: api.anthropic.com, api.elevenlabs.io, api.openai.com, chatgpt.com, docs.fased.ai, github.com, openrouter.ai
dist/plugin-sdk/reply-C91IeI0J.js: 4.39 MB file, sampled 256 KB
Filesystem, Network, Child Process, Environment Vars, Crypto, Shell, WebSocket, High Entropy Strings, Url Strings; domains: docs.fased.ai, example.com
dist/plugin-sdk/status-BG6HUE8E.js: 4.38 MB file, sampled 256 KB
Filesystem, Network, Child Process, Environment Vars, Crypto, Shell, WebSocket, High Entropy Strings, Url Strings; domains: 127.0.0.1, arweave.net, ipfs.io, lite-api.jup.ag
dist/reply-DQi7sZQn.js: 4.48 MB file, sampled 256 KB
Filesystem, Network, Child Process, Environment Vars, Crypto, Shell, WebSocket, High Entropy Strings, Url Strings; domains: 127.0.0.1, api.devnet.solana.com, api.mainnet-beta.solana.com, api.minimax.io, example.com

Source & flagged code

41 flagged
dist/register.start-BbpJgyXr.js
L10: import { i as resolveGatewayStartupMode } from "./daemon-install-helpers-xM3QqMXu.js"; L11: import { spawn } from "node:child_process"; L12:
High · Child Process

Package source references child process execution.

dist/register.start-BbpJgyXr.js · L10
dist/onboarding-mnC5T2b7.js
L1465: if (rootServiceActiveSuccessfully) { L1466: const strictExecAfter = await [redacted]("fased-gateway", expectedGatewayStartupMode, runAsUser); L1467: if (!strictExecAfter.ok) {
High · Shell

Package source references shell execution.

dist/onboarding-mnC5T2b7.js · L1465
L2: import { H as theme, x as resolveUserPath } from "./agent-paths-BI1hx-tF.js"; L3: import { A as waitForGatewayReachable, C as printWizardHeader, E as resolveControlUiLinks, Ha as CONTROL_UI_BOOT_CHECK_PATH, O as summarizeExistingConfig, S as openUrl, T as random... L4: import { A as defaultRuntime, Ct as resolveStateDir, E as redactSensitiveText, gt as resolveGatewayPort, j as restoreTerminalState } from "./entry.js"; ... L26: import { t as runTui } from "./tui-BvEFlS21.js"; L27: import { spawn, spawnSync } from "node:child_process"; L28: import os from "node:os"; ... L32: import { Writable } from "node:stream"; L33: import net from "node:net"; L34: ... L156: function currentUserName() { L157: return process.env.USER?.trim() || process.env.LOGNAME?.trim() || process.env.SUDO_USER?.trim() || os.userInfo().username; L158: }
High · Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/onboarding-mnC5T2b7.js · L2
L2: import { H as theme, x as resolveUserPath } from "./agent-paths-BI1hx-tF.js"; L3: import { A as waitForGatewayReachable, C as printWizardHeader, E as resolveControlUiLinks, Ha as CONTROL_UI_BOOT_CHECK_PATH, O as summarizeExistingConfig, S as openUrl, T as random... L4: import { A as defaultRuntime, Ct as resolveStateDir, E as redactSensitiveText, gt as resolveGatewayPort, j as restoreTerminalState } from "./entry.js"; ... L26: import { t as runTui } from "./tui-BvEFlS21.js"; L27: import { spawn, spawnSync } from "node:child_process"; L28: import os from "node:os"; ... L32: import { Writable } from "node:stream"; L33: import net from "node:net"; L34: ... L156: function currentUserName() { L157: return process.env.USER?.trim() || process.env.LOGNAME?.trim() || process.env.SUDO_USER?.trim() || os.userInfo().username; L158: }
Medium · Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/onboarding-mnC5T2b7.js · L2
dist/agent-scope-Cb1u7HE7.js
L14: import dotenv from "dotenv"; L15: import { execFile, execFileSync, spawn } from "node:child_process"; L16: import { Readable } from "node:stream"; ... L21: import { getOAuthApiKey, getOAuthProviders } from "@mariozechner/pi-ai"; L22: import { createServer } from "node:http"; L23: import AjvPkg from "ajv"; ... L314: consolePatched: false, L315: forceConsoleToStderr: false, L316: consoleTimestampPrefix: false, ... L325: function resolveEnvLogLevelOverride() { L326: const raw = process.env.FASED_LOG_LEVEL; L327: const trimmed = typeof raw === "string" ? raw.trim() : "";
Critical · Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/agent-scope-Cb1u7HE7.js · L14
L350: const createRequire = typeof moduleNamespace.createRequire === "function" ? moduleNamespace.createRequire : null; L351: return createRequire ? createRequire(metaUrl) : null; L352: } catch {
Medium · Dynamic Require

Package source references dynamic require/import behavior.

dist/agent-scope-Cb1u7HE7.js · L350
extensions/voice-call/src/webhook-security.ts
L76: * L77: * @see https://www.twilio.[redacted]-security L78: */ ... L82: url: string, L83: params: URLSearchParams, L84: ): boolean { ... L90: L91: // HMAC-SHA1 with auth token, then base64 encode L92: const expectedSignature = crypto
Low · Weak Crypto

Package source references weak cryptographic algorithms.

extensions/voice-call/src/webhook-security.ts · L76
dist/agent-scope-DHrLr5OF.js
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/agent-scope-DHrLr5OF.js. Reachable file contains a blocking source-risk pattern.
Critical · Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/agent-scope-DHrLr5OF.js
matchType = previous_version_dangerous_delta; matchedPackage = @fased/fased@0.1.15; matchedIdentity = npm:QGZhc2VkL2Zhc2Vk:0.1.15; similarity = 0.675; summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/agent-scope-DHrLr5OF.js
scripts/start-managed.sh
path = scripts/start-managed.sh; kind = build_helper; sizeBytes = 56771; magicHex = [redacted]
Medium · Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/start-managed.sh
dist/model-catalog-C2vE0j1H.js
path = dist/model-catalog-C2vE0j1H.js; kind = oversized_source_file; sizeBytes = 4697579; magicHex = [redacted]
High · Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/model-catalog-C2vE0j1H.js
docs/zh-CN/gateway/tailscale.md
patternName = generic_password; severity = medium; line = 80; matchedText = auth: { ..." },
Medium · Secret Pattern

Hardcoded password in docs/zh-CN/gateway/tailscale.md

docs/zh-CN/gateway/tailscale.md · L80
docs/zh-CN/gateway/configuration.md
patternName = generic_password; severity = medium; line = 3027; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in docs/zh-CN/gateway/configuration.md

docs/zh-CN/gateway/configuration.md · L3027
docs/zh-CN/channels/bluebubbles.md
patternName = generic_password; severity = medium; line = 43; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in docs/zh-CN/channels/bluebubbles.md

docs/zh-CN/channels/bluebubbles.md · L43
docs/gateway/tailscale.md
patternName = generic_password; severity = medium; line = 128; matchedText = auth: { ..." },
Medium · Secret Pattern

Hardcoded password in docs/gateway/tailscale.md

docs/gateway/tailscale.md · L128
docs/gateway/configuration-reference.md
patternName = generic_password; severity = medium; line = 629; matchedText = password...D}",
Medium · Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.md · L629
patternName = generic_password; severity = medium; line = 2371; matchedText = // passw...WORD
Medium · Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.md · L2371
patternName = generic_password; severity = medium; line = 2398; matchedText = // passw...rd",
Medium · Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.md · L2398
docs/channels/bluebubbles.md
patternName = generic_password; severity = medium; line = 51; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in docs/channels/bluebubbles.md

docs/channels/bluebubbles.md · L51
extensions/irc/src/client.test.ts
patternName = generic_password; severity = medium; line = 39; matchedText = password...ad",
Medium · Secret Pattern

Hardcoded password in extensions/irc/src/client.test.ts

extensions/irc/src/client.test.ts · L39
extensions/bluebubbles/src/attachments.test.ts
patternName = generic_password; severity = medium; line = 90; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/attachments.test.ts

extensions/bluebubbles/src/attachments.test.ts · L90
patternName = generic_password; severity = medium; line = 100; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/attachments.test.ts

extensions/bluebubbles/src/attachments.test.ts · L100
patternName = generic_password; severity = medium; line = 132; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/attachments.test.ts

extensions/bluebubbles/src/attachments.test.ts · L132
patternName = generic_password; severity = medium; line = 154; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/attachments.test.ts

extensions/bluebubbles/src/attachments.test.ts · L154
patternName = generic_password; severity = medium; line = 260; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/attachments.test.ts

extensions/bluebubbles/src/attachments.test.ts · L260
extensions/bluebubbles/src/send.test.ts
patternName = generic_password; severity = medium; line = 733; matchedText = password...ss",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/send.test.ts

extensions/bluebubbles/src/send.test.ts · L733
extensions/bluebubbles/src/monitor.test.ts
patternName = generic_password; severity = medium; line = 303; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.ts · L303
patternName = generic_password; severity = medium; line = 563; matchedText = const ac... });
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.ts · L563
patternName = generic_password; severity = medium; line = 599; matchedText = const ac... });
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.ts · L599
patternName = generic_password; severity = medium; line = 639; matchedText = const ac... });
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.ts · L639
patternName = generic_password; severity = medium; line = 674; matchedText = const ac... });
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.ts · L674
patternName = generic_password; severity = medium; line = 675; matchedText = const ac... });
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.ts · L675
patternName = generic_password; severity = medium; line = 728; matchedText = const ac... });
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.ts · L728
patternName = generic_password; severity = medium; line = 782; matchedText = const ac... });
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.ts · L782
patternName = generic_password; severity = medium; line = 3088; matchedText = ...creat... }),
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.ts · L3088
patternName = generic_password; severity = medium; line = 3092; matchedText = ...creat... }),
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.ts · L3092
extensions/bluebubbles/src/actions.test.ts
patternName = generic_password; severity = medium; line = 54; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/actions.test.ts

extensions/bluebubbles/src/actions.test.ts · L54
patternName = generic_password; severity = medium; line = 95; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/actions.test.ts

extensions/bluebubbles/src/actions.test.ts · L95
patternName = generic_password; severity = medium; line = 109; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/actions.test.ts

extensions/bluebubbles/src/actions.test.ts · L109
patternName = generic_password; severity = medium; line = 128; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/actions.test.ts

extensions/bluebubbles/src/actions.test.ts · L128
patternName = generic_password; severity = medium; line = 207; matchedText = password...rd",
Medium · Secret Pattern

Hardcoded password in extensions/bluebubbles/src/actions.test.ts

extensions/bluebubbles/src/actions.test.ts · L207

Findings

3 Critical, 4 High, 36 Medium, 7 Low
Critical · Remote Asset Decode Execute · dist/agent-scope-Cb1u7HE7.js
Critical · Trigger Reachable Dangerous Capability · dist/agent-scope-DHrLr5OF.js
Critical · Previous Version Dangerous Delta · dist/agent-scope-DHrLr5OF.js
High · Child Process · dist/register.start-BbpJgyXr.js
High · Shell · dist/onboarding-mnC5T2b7.js
High · Sandbox Evasion Gated Capability · dist/onboarding-mnC5T2b7.js
High · Oversized Source File · dist/model-catalog-C2vE0j1H.js
Medium · Dynamic Require · dist/agent-scope-Cb1u7HE7.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/onboarding-mnC5T2b7.js
Medium · Ships Build Helper · scripts/start-managed.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · docs/zh-CN/gateway/tailscale.md
Medium · Secret Pattern · docs/zh-CN/gateway/configuration.md
Medium · Secret Pattern · docs/zh-CN/channels/bluebubbles.md
Medium · Secret Pattern · docs/gateway/tailscale.md
Medium · Secret Pattern · docs/gateway/configuration-reference.md
Medium · Secret Pattern · docs/gateway/configuration-reference.md
Medium · Secret Pattern · docs/gateway/configuration-reference.md
Medium · Secret Pattern · docs/channels/bluebubbles.md
Medium · Secret Pattern · extensions/irc/src/client.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/attachments.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/attachments.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/attachments.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/attachments.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/attachments.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/send.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/monitor.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/monitor.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/monitor.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/monitor.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/monitor.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/monitor.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/monitor.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/monitor.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/monitor.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/monitor.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/actions.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/actions.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/actions.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/actions.test.ts
Medium · Secret Pattern · extensions/bluebubbles/src/actions.test.ts
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval
Low · Weak Crypto · extensions/voice-call/src/webhook-security.ts
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings