registry  /  @khy-os/khy-os  /  0.1.181

@khy-os/khy-os@0.1.181

⚠ Under review

khy OS — multi-language AI platform delivered through npm as the unified delivery + cross-language dependency-orchestration hub (Node backend, Python glue, C kernel, MoonBit WASM).

Static Scan Results

scanned 59m ago · by rust-scanner

Static analysis flagged 50 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4,117 file(s), 36.8 MB of source, external domains: 1.2.3.4, 10.0.0.1, 127.0.0.1, 169.254.169.254, 192.168.1.2, 192.168.1.5, 192.168.1.9, 192.168.2.11, 8.8.8.8, a.com, a.invalid, a.test, adaptive-api.trae.ai, adoptium.net, agnes-ai.com, ai.example.com, ai.google.dev, ai.mindflow.com.cn, aip.baidubce.com, aistudio.google.com, api-ap.trae.ai, api-docs.deepseek.com, api-eu-west.trae.ai, api-inference.huggingface.co, api-us-east.trae.ai, api.agnes.example, api.anthropic.com, api.codeium.com, api.coingecko.com, api.day.app, api.deepseek.com, api.dictionaryapi.dev, api.example.com, api.example.invalid, api.finlight.me, api.frankfurter.app, api.github.com, api.githubcopilot.com, api.groq.com, api.ipify.org, api.khyquant.top, api.money.126.net, api.moonshot.cn, api.open-meteo.com, api.openai.com, api.packyapi.com, api.provider.com, api.quotable.io, api.self-hosted.example, api.siliconflow.cn
Oversized source lightweight scan
bundled/apps/ai-frontend/dist/vendor/khyos-muya.js6.14 MB file, sampled 256 KB
FilesystemChildProcessHighEntropyStringsMinifiedUrlStringswww.w3.org
bundled/apps/ai-frontend/public/vendor/khyos-muya.js6.14 MB file, sampled 256 KB
FilesystemChildProcessHighEntropyStringsMinifiedUrlStringswww.w3.org
bundled/tools/khyos-markdown/vendor/khyos-muya.js6.14 MB file, sampled 256 KB
FilesystemChildProcessHighEntropyStringsMinifiedUrlStringswww.w3.org

Source & flagged code

41 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bundled/services/backend/tests/repoDisciplineRisk.test.jsView file
19patternName = aws_access_key severity = critical line = 19 matchedText = const re... });
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L19
19patternName = aws_access_key severity = critical line = 19 matchedText = const re... });
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L19
30patternName = aws_access_key severity = critical line = 30 matchedText = '+const ...";',
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L30
31patternName = github_pat severity = critical line = 31 matchedText = '+const ...";',
Critical
Secret Pattern

GitHub personal access token in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L31
32patternName = private_key_rsa severity = critical line = 32 matchedText = '+const ...";',
Critical
Secret Pattern

RSA private key in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L32
54patternName = aws_access_key severity = critical line = 54 matchedText = '-const ...";',
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L54
61patternName = aws_access_key severity = critical line = 61 matchedText = const hi...;');
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L61
63patternName = aws_access_key severity = critical line = 63 matchedText = assert.o...'));
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L63
69patternName = aws_access_key severity = critical line = 69 matchedText = '+const ...";',
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L69
75patternName = aws_access_key severity = critical line = 75 matchedText = assert.o...'));
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L75
128patternName = aws_access_key severity = critical line = 128 matchedText = diffText...";',
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L128
41patternName = generic_password severity = medium line = 41 matchedText = const re..."');
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L41
70patternName = generic_password severity = medium line = 70 matchedText = '+passwo...7"',
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L70
bin/khy.jsView file
20const fs = require('fs'); L21: const { spawnSync } = require('child_process'); L22:
High
Child Process

Package source references child process execution.

bin/khy.jsView on unpkg · L20
18L19: const path = require('path'); L20: const fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/khy.jsView on unpkg · L18
bundled/scripts/bench/win_cost_compact.jsView file
14const nodeV=()=>cp.execSync('node --version',O); L15: const swap=()=>{if(isWin)cp.execSync('powershell -NoProfile -Command "(Get-CimInstance Win32_PageFileUsage | Measure-Object -Property AllocatedBaseSize -Sum).Sum"',O);else if(os.pl... L16: const nvidia=()=>cp.execSync(`nvidia-smi --query-gpu=name --format=csv,noheader 2>${isWin?'NUL':'/dev/null'}`,O);
High
Shell

Package source references shell execution.

bundled/scripts/bench/win_cost_compact.jsView on unpkg · L14
bundled/software/khyquant/frontend/dist/assets/IntelligentStrategySelector-DPLaZEuV.jsView file
1import{e,j as a,ag as t,H as l,L as n,P as s,M as r,O as i,Y as o,u as c,I as u,F as d,ab as p,Z as m,X as g,V as v,ap as f,n as y,c as h,k as b,R as x,a9 as k}from"./vendor-vue-DL...
Low
Eval

Package source references a known benign dynamic code generation pattern.

bundled/software/khyquant/frontend/dist/assets/IntelligentStrategySelector-DPLaZEuV.jsView on unpkg · L1
bundled/software/khyquant/services/backtestEngine.jsView file
1/** L2: * Real backtest engine
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

bundled/software/khyquant/services/backtestEngine.jsView on unpkg · L1
bundled/platform/packages/shared/src/services/gateway/example_plugins/cache-plugin.jsView file
1/** L2: * Cache Plugin — caches identical prompt responses to avoid redundant API calls.
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bundled/platform/packages/shared/src/services/gateway/example_plugins/cache-plugin.jsView on unpkg · L1
bundled/services/backend/tests/services/additionalDirectories.test.jsView file
28addl._reset(); L29: delete process.env.KHY_ADDITIONAL_DIRS; L30: tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'khy-adddir-')); ... L94: // Grant the home dir, then try to write an SSH key — must remain blocked. L95: const home = os.homedir(); L96: addl.addDirectory(home); L97: const sshKey = path.join(home, '.ssh', 'authorized_keys'); L98: const res = toolGuards.editBoundaryGuard({ params: { file_path: sshKey } });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bundled/services/backend/tests/services/additionalDirectories.test.jsView on unpkg · L28
bundled/services/backend/bin/khy.jsView file
740const chalk = chalkModule.default || chalkModule; L741: const net = require('net'); L742: const { spawn } = require('child_process'); L743: L744: const PORT = parseInt(process.env.PORT || '3000', 10); L745: const FRONTEND_PORT = parseInt(process.env.FRONTEND_PORT || '8080', 10);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bundled/services/backend/bin/khy.jsView on unpkg · L740
bundled/services/ai-backend/src/services/securityGuardService.jsView file
15L16: const SECURITY_LOG = path.join(os.homedir(), '.khyquant', 'security.log'); L17: ... L169: const lines = fs.readFileSync(SECURITY_LOG, 'utf-8').split('\n').filter(Boolean); L170: const events = lines.map(l => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean); L171: ... L244: L245: const { execSync } = require('child_process'); L246: ... L259: // Common backdoor / reverse shell patterns L260: 'nc -e', 'bash -i', '/dev/tcp/', 'python -c.*import socket', L261: 'perl -e.*socket', 'ruby -rsocket', 'lua.*socket',
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

bundled/services/ai-backend/src/services/securityGuardService.jsView on unpkg · L15
bundled/scripts/diagnostics/fuzzInputCorpus.jsView file
65contains invisible/control Unicode U+202E (right-to-left override) cases.push(C('rtl-override', 'unicode', 'RTL 覆盖', 'abc<U+202E>def'));
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

bundled/scripts/diagnostics/fuzzInputCorpus.jsView on unpkg · L65
bundled/software/khyquant/frontend/dist/wasm/khy-math-demo.wasmView file
path = [redacted]-math-demo.wasm kind = wasm_module sizeBytes = 41 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

bundled/software/khyquant/frontend/dist/wasm/khy-math-demo.wasmView on unpkg
bundled/tools/khyos-markdown/unregister-linux.shView file
path = bundled/tools/khyos-markdown/unregister-linux.sh kind = build_helper sizeBytes = 1209 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bundled/tools/khyos-markdown/unregister-linux.shView on unpkg
bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsixView file
path = bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsix kind = compressed_blob sizeBytes = 8053 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsixView on unpkg
path = bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsix kind = nested_archive_needs_inspection sizeBytes = 8053 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsixView on unpkg
bundled/docs/07_OPS_运维/[OPS-MAN-043] 从0到高手-新手成长路线与pip安装后清单.pdfView file
path = bundled/docs/07_OPS_运维/[OPS-MAN-043] 从0到高手-新手成长路线与pip安装后清单.pdf kind = high_entropy_blob sizeBytes = 1082109 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

bundled/docs/07_OPS_运维/[OPS-MAN-043] 从0到高手-新手成长路线与pip安装后清单.pdfView on unpkg
bundled/services/ai-backend/test/fixtures/coze/sample-linear.zipView file
path = bundled/services/ai-[redacted]-linear.zip kind = payload_in_excluded_dir sizeBytes = 3073 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

bundled/services/ai-backend/test/fixtures/coze/sample-linear.zipView on unpkg
bundled/tools/khyos-markdown/vendor/khyos-muya.jsView file
path = bundled/tools/khyos-markdown/vendor/khyos-muya.js kind = oversized_source_file sizeBytes = 6439218 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

bundled/tools/khyos-markdown/vendor/khyos-muya.jsView on unpkg
bundled/software/khyquant/frontend/dist/assets/Debug--vriC6bB.jsView file
1patternName = generic_password severity = medium line = 1 matchedText = import{_...lt};
Medium
Secret Pattern

Hardcoded password in bundled/software/khyquant/frontend/dist/assets/Debug--vriC6bB.js

bundled/software/khyquant/frontend/dist/assets/Debug--vriC6bB.jsView on unpkg · L1
bundled/apps/ai-frontend/dist/assets/Login-BD-XGBty.jsView file
1patternName = generic_password severity = medium line = 1 matchedText = import{E...lt};
Medium
Secret Pattern

Hardcoded password in bundled/apps/ai-frontend/dist/assets/Login-BD-XGBty.js

bundled/apps/ai-frontend/dist/assets/Login-BD-XGBty.jsView on unpkg · L1
bundled/services/backend/tests/tools/securityScan.test.jsView file
36patternName = private_key_rsa severity = critical line = 36 matchedText = 'const k...--',
Critical
Secret Pattern

RSA private key in bundled/services/backend/tests/tools/securityScan.test.js

bundled/services/backend/tests/tools/securityScan.test.jsView on unpkg · L36
bundled/services/backend/tests/auth.sessionSecurityRoutes.test.jsView file
85patternName = generic_password severity = medium line = 85 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/tests/auth.sessionSecurityRoutes.test.js

bundled/services/backend/tests/auth.sessionSecurityRoutes.test.jsView on unpkg · L85
bundled/services/backend/tests/proxyServer.https.test.jsView file
10patternName = private_key_rsa severity = critical line = 10 matchedText = const TE...----
Critical
Secret Pattern

RSA private key in bundled/services/backend/tests/proxyServer.https.test.js

bundled/services/backend/tests/proxyServer.https.test.jsView on unpkg · L10
bundled/services/backend/src/constants/commandSchema.jsView file
234patternName = generic_password severity = medium line = 234 matchedText = passwd...
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/src/constants/commandSchema.js

bundled/services/backend/src/constants/commandSchema.jsView on unpkg · L234
bundled/services/backend/src/routes/admin.jsView file
141patternName = generic_password severity = medium line = 141 matchedText = password...23.'
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/src/routes/admin.js

bundled/services/backend/src/routes/admin.jsView on unpkg · L141
bundled/services/backend/src/services/cliAuthService.jsView file
282patternName = generic_password severity = medium line = 282 matchedText = { userna...' },
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/src/services/cliAuthService.js

bundled/services/backend/src/services/cliAuthService.jsView on unpkg · L282
bundled/services/ai-backend/test/workflow.routes.test.jsView file
39patternName = generic_password severity = medium line = 39 matchedText = userA = ... });
Medium
Secret Pattern

Hardcoded password in bundled/services/ai-backend/test/workflow.routes.test.js

bundled/services/ai-backend/test/workflow.routes.test.jsView on unpkg · L39

Findings

15 Critical7 High19 Medium9 Low
CriticalCritical Secretbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalReverse Shellbundled/services/ai-backend/src/services/securityGuardService.js
CriticalTrojan Source Unicodebundled/scripts/diagnostics/fuzzInputCorpus.js
CriticalSecret Patternbundled/services/backend/tests/tools/securityScan.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/proxyServer.https.test.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/khy.js
HighShellbundled/scripts/bench/win_cost_compact.js
HighSame File Env Network Executionbundled/services/backend/bin/khy.js
HighShips High Entropy Blobbundled/docs/07_OPS_运维/[OPS-MAN-043] 从0到高手-新手成长路线与pip安装后清单.pdf
HighPayload In Excluded Dirbundled/services/ai-backend/test/fixtures/coze/sample-linear.zip
HighOversized Source Filebundled/tools/khyos-markdown/vendor/khyos-muya.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/khy.js
MediumUnsafe Vm Contextbundled/software/khyquant/services/backtestEngine.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebundled/services/backend/tests/services/additionalDirectories.test.js
MediumShips Wasm Modulebundled/software/khyquant/frontend/dist/wasm/khy-math-demo.wasm
MediumShips Build Helperbundled/tools/khyos-markdown/unregister-linux.sh
MediumShips Compressed Blobbundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsix
MediumStructural Risk Force Deep Review
MediumSecret Patternbundled/software/khyquant/frontend/dist/assets/Debug--vriC6bB.js
MediumSecret Patternbundled/apps/ai-frontend/dist/assets/Login-BD-XGBty.js
MediumSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
MediumSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
MediumSecret Patternbundled/services/backend/tests/auth.sessionSecurityRoutes.test.js
MediumSecret Patternbundled/services/backend/src/constants/commandSchema.js
MediumSecret Patternbundled/services/backend/src/routes/admin.js
MediumSecret Patternbundled/services/backend/src/services/cliAuthService.js
MediumSecret Patternbundled/services/ai-backend/test/workflow.routes.test.js
LowScripts Present
LowEvalbundled/software/khyquant/frontend/dist/assets/IntelligentStrategySelector-DPLaZEuV.js
LowWeak Cryptobundled/platform/packages/shared/src/services/gateway/example_plugins/cache-plugin.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNested Archive Needs Inspectionbundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsix