registry  /  @khy-os/khy-os  /  0.1.185

@khy-os/khy-os@0.1.185

khy OS — multi-language AI platform delivered through npm as the unified delivery + cross-language dependency-orchestration hub (Node backend, Python glue, C kernel, MoonBit WASM).

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack chain was established, but the package has install-time dependency self-healing and first-party agent/IDE credential bridge behavior. The risk is lifecycle and credential-handling exposure rather than observed exfiltration or hijack.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall, first khy launch fallback, or activating bundled KHY Trae Bridge extension
Impact
May install backend dependencies, restore bundled backend source files, and store Trae access tokens for KHY CLI use; no confirmed unauthorized external transmission.
Mechanism
package-owned dependency/source self-heal and IDE auth token bridge
Rationale
Source inspection supports a warning for install-time self-heal plus first-party agent/IDE credential bridge risk, but not a malicious block. The suspicious scanner hits are mostly package-aligned runtime, fixtures, archives, or explicit user-invoked/admin functionality.
Evidence
package.jsonscripts/postinstall.jsscripts/devenv.jsbin/khy.jsindex.jsbundled/services/backend/src/services/sourceHealService.jsbundled/extensions/khy-trae-bridge/extension.jsbundled/services/backend/src/routes/aiGatewayAdmin.jsbundled/services/backend/node_modulesbundled/services/backend/srcglobalStorage/khy-trae-bridge/auth.jsonsource_heal_manifest.jsonsource_heal_state.json
Network endpoints4
grow-normal.trae.aigrowsg-normal.trae.aigrowva-normal.trae.aigrow-normal.traeapi.us

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node scripts/postinstall.js.
  • scripts/devenv.js postinstall runs npm ci/install inside bundled/services/backend and can write backend node_modules.
  • scripts/devenv.js calls sourceHealService.runStartupHeal during postinstall, which may restore package-owned bundled/services/backend/src files from encrypted snapshot.
  • bundled/extensions/khy-trae-bridge/extension.js obtains Trae session.accessToken and writes it to globalStorage/khy-trae-bridge/auth.json on activation/timer.
Evidence against
  • index.js only exports install and bundle paths.
  • bin/khy.js delegates to bundled backend CLI and only runs postinstall fallback when backend deps are missing.
  • sourceHealService write scope is package-owned backend src with version/plan guardrails and no remote fetch.
  • No credential exfiltration or remote payload download found in inspected lifecycle code.
  • Codex/Claude config mutations are explicit runtime/admin routes or opt-in flags, not install-time behavior.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4,150 file(s), 37.0 MB of source, external domains: 1.2.3.4, 10.0.0.1, 127.0.0.1, 169.254.169.254, 192.168.1.2, 192.168.1.5, 192.168.1.9, 192.168.2.11, 8.8.8.8, a.com, a.invalid, a.test, adaptive-api.trae.ai, adoptium.net, agnes-ai.com, ai.example.com, ai.google.dev, ai.mindflow.com.cn, aip.baidubce.com, aistudio.google.com, api-ap.trae.ai, api-docs.deepseek.com, api-eu-west.trae.ai, api-inference.huggingface.co, api-us-east.trae.ai, api.agnes.example, api.anthropic.com, api.codeium.com, api.coingecko.com, api.day.app, api.deepseek.com, api.dictionaryapi.dev, api.example.com, api.example.invalid, api.finlight.me, api.frankfurter.app, api.github.com, api.githubcopilot.com, api.groq.com, api.ipify.org, api.khyquant.top, api.money.126.net, api.moonshot.cn, api.open-meteo.com, api.openai.com, api.packyapi.com, api.provider.com, api.quotable.io, api.self-hosted.example, api.siliconflow.cn
Oversized source lightweight scan
bundled/apps/ai-frontend/dist/vendor/khyos-muya.js6.14 MB file, sampled 256 KB
FilesystemChildProcessHighEntropyStringsMinifiedUrlStringswww.w3.org
bundled/apps/ai-frontend/public/vendor/khyos-muya.js6.14 MB file, sampled 256 KB
FilesystemChildProcessHighEntropyStringsMinifiedUrlStringswww.w3.org
bundled/tools/khyos-markdown/vendor/khyos-muya.js6.14 MB file, sampled 256 KB
FilesystemChildProcessHighEntropyStringsMinifiedUrlStringswww.w3.org

Source & flagged code

41 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bundled/services/backend/tests/repoDisciplineRisk.test.jsView file
19patternName = aws_access_key severity = critical line = 19 matchedText = const re... });
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L19
19patternName = aws_access_key severity = critical line = 19 matchedText = const re... });
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L19
30patternName = aws_access_key severity = critical line = 30 matchedText = '+const ...";',
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L30
31patternName = github_pat severity = critical line = 31 matchedText = '+const ...";',
Critical
Secret Pattern

GitHub personal access token in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L31
32patternName = private_key_rsa severity = critical line = 32 matchedText = '+const ...";',
Critical
Secret Pattern

RSA private key in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L32
54patternName = aws_access_key severity = critical line = 54 matchedText = '-const ...";',
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L54
61patternName = aws_access_key severity = critical line = 61 matchedText = const hi...;');
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L61
63patternName = aws_access_key severity = critical line = 63 matchedText = assert.o...'));
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L63
69patternName = aws_access_key severity = critical line = 69 matchedText = '+const ...";',
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L69
75patternName = aws_access_key severity = critical line = 75 matchedText = assert.o...'));
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L75
128patternName = aws_access_key severity = critical line = 128 matchedText = diffText...";',
Critical
Secret Pattern

AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L128
41patternName = generic_password severity = medium line = 41 matchedText = const re..."');
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L41
70patternName = generic_password severity = medium line = 70 matchedText = '+passwo...7"',
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/tests/repoDisciplineRisk.test.js

bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L70
bin/khy.jsView file
20const fs = require('fs'); L21: const { spawnSync } = require('child_process'); L22:
High
Child Process

Package source references child process execution.

bin/khy.jsView on unpkg · L20
18L19: const path = require('path'); L20: const fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/khy.jsView on unpkg · L18
bundled/scripts/bench/win_cost_compact.jsView file
14const nodeV=()=>cp.execSync('node --version',O); L15: const swap=()=>{if(isWin)cp.execSync('powershell -NoProfile -Command "(Get-CimInstance Win32_PageFileUsage | Measure-Object -Property AllocatedBaseSize -Sum).Sum"',O);else if(os.pl... L16: const nvidia=()=>cp.execSync(`nvidia-smi --query-gpu=name --format=csv,noheader 2>${isWin?'NUL':'/dev/null'}`,O);
High
Shell

Package source references shell execution.

bundled/scripts/bench/win_cost_compact.jsView on unpkg · L14
bundled/software/khyquant/frontend/dist/assets/IntelligentStrategySelector-DPLaZEuV.jsView file
1import{e,j as a,ag as t,H as l,L as n,P as s,M as r,O as i,Y as o,u as c,I as u,F as d,ab as p,Z as m,X as g,V as v,ap as f,n as y,c as h,k as b,R as x,a9 as k}from"./vendor-vue-DL...
Low
Eval

Package source references a known benign dynamic code generation pattern.

bundled/software/khyquant/frontend/dist/assets/IntelligentStrategySelector-DPLaZEuV.jsView on unpkg · L1
bundled/software/khyquant/services/backtestEngine.jsView file
1/** L2: * Real backtest engine
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

bundled/software/khyquant/services/backtestEngine.jsView on unpkg · L1
bundled/platform/packages/shared/src/services/gateway/example_plugins/cache-plugin.jsView file
1/** L2: * Cache Plugin — caches identical prompt responses to avoid redundant API calls.
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bundled/platform/packages/shared/src/services/gateway/example_plugins/cache-plugin.jsView on unpkg · L1
bundled/services/backend/tests/services/additionalDirectories.test.jsView file
28addl._reset(); L29: delete process.env.KHY_ADDITIONAL_DIRS; L30: tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'khy-adddir-')); ... L94: // Grant the home dir, then try to write an SSH key — must remain blocked. L95: const home = os.homedir(); L96: addl.addDirectory(home); L97: const sshKey = path.join(home, '.ssh', 'authorized_keys'); L98: const res = toolGuards.editBoundaryGuard({ params: { file_path: sshKey } });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bundled/services/backend/tests/services/additionalDirectories.test.jsView on unpkg · L28
bundled/services/backend/bin/khy.jsView file
740const chalk = chalkModule.default || chalkModule; L741: const net = require('net'); L742: const { spawn } = require('child_process'); L743: L744: const PORT = parseInt(process.env.PORT || '3000', 10); L745: const FRONTEND_PORT = parseInt(process.env.FRONTEND_PORT || '8080', 10);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bundled/services/backend/bin/khy.jsView on unpkg · L740
bundled/services/ai-backend/src/services/securityGuardService.jsView file
15L16: const SECURITY_LOG = path.join(os.homedir(), '.khyquant', 'security.log'); L17: ... L169: const lines = fs.readFileSync(SECURITY_LOG, 'utf-8').split('\n').filter(Boolean); L170: const events = lines.map(l => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean); L171: ... L244: L245: const { execSync } = require('child_process'); L246: ... L259: // Common backdoor / reverse shell patterns L260: 'nc -e', 'bash -i', '/dev/tcp/', 'python -c.*import socket', L261: 'perl -e.*socket', 'ruby -rsocket', 'lua.*socket',
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

bundled/services/ai-backend/src/services/securityGuardService.jsView on unpkg · L15
bundled/scripts/diagnostics/fuzzInputCorpus.jsView file
65contains invisible/control Unicode U+202E (right-to-left override) cases.push(C('rtl-override', 'unicode', 'RTL 覆盖', 'abc<U+202E>def'));
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

bundled/scripts/diagnostics/fuzzInputCorpus.jsView on unpkg · L65
bundled/software/khyquant/frontend/dist/wasm/khy-math-demo.wasmView file
path = [redacted]-math-demo.wasm kind = wasm_module sizeBytes = 41 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

bundled/software/khyquant/frontend/dist/wasm/khy-math-demo.wasmView on unpkg
bundled/tools/khyos-markdown/unregister-linux.shView file
path = bundled/tools/khyos-markdown/unregister-linux.sh kind = build_helper sizeBytes = 1209 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bundled/tools/khyos-markdown/unregister-linux.shView on unpkg
bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsixView file
path = bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsix kind = compressed_blob sizeBytes = 8053 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsixView on unpkg
path = bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsix kind = nested_archive_needs_inspection sizeBytes = 8053 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsixView on unpkg
bundled/docs/07_OPS_运维/[OPS-MAN-043] 从0到高手-新手成长路线与pip安装后清单.pdfView file
path = bundled/docs/07_OPS_运维/[OPS-MAN-043] 从0到高手-新手成长路线与pip安装后清单.pdf kind = high_entropy_blob sizeBytes = 1082109 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

bundled/docs/07_OPS_运维/[OPS-MAN-043] 从0到高手-新手成长路线与pip安装后清单.pdfView on unpkg
bundled/services/ai-backend/test/fixtures/coze/sample-linear.zipView file
path = bundled/services/ai-[redacted]-linear.zip kind = payload_in_excluded_dir sizeBytes = 3073 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

bundled/services/ai-backend/test/fixtures/coze/sample-linear.zipView on unpkg
bundled/tools/khyos-markdown/vendor/khyos-muya.jsView file
path = bundled/tools/khyos-markdown/vendor/khyos-muya.js kind = oversized_source_file sizeBytes = 6439218 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

bundled/tools/khyos-markdown/vendor/khyos-muya.jsView on unpkg
bundled/software/khyquant/frontend/dist/assets/Debug--vriC6bB.jsView file
1patternName = generic_password severity = medium line = 1 matchedText = import{_...lt};
Medium
Secret Pattern

Hardcoded password in bundled/software/khyquant/frontend/dist/assets/Debug--vriC6bB.js

bundled/software/khyquant/frontend/dist/assets/Debug--vriC6bB.jsView on unpkg · L1
bundled/apps/ai-frontend/dist/assets/Login-BD-XGBty.jsView file
1patternName = generic_password severity = medium line = 1 matchedText = import{E...lt};
Medium
Secret Pattern

Hardcoded password in bundled/apps/ai-frontend/dist/assets/Login-BD-XGBty.js

bundled/apps/ai-frontend/dist/assets/Login-BD-XGBty.jsView on unpkg · L1
bundled/services/backend/tests/tools/securityScan.test.jsView file
36patternName = private_key_rsa severity = critical line = 36 matchedText = 'const k...--',
Critical
Secret Pattern

RSA private key in bundled/services/backend/tests/tools/securityScan.test.js

bundled/services/backend/tests/tools/securityScan.test.jsView on unpkg · L36
bundled/services/backend/tests/auth.sessionSecurityRoutes.test.jsView file
85patternName = generic_password severity = medium line = 85 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/tests/auth.sessionSecurityRoutes.test.js

bundled/services/backend/tests/auth.sessionSecurityRoutes.test.jsView on unpkg · L85
bundled/services/backend/tests/proxyServer.https.test.jsView file
10patternName = private_key_rsa severity = critical line = 10 matchedText = const TE...----
Critical
Secret Pattern

RSA private key in bundled/services/backend/tests/proxyServer.https.test.js

bundled/services/backend/tests/proxyServer.https.test.jsView on unpkg · L10
bundled/services/backend/src/constants/commandSchema.jsView file
234patternName = generic_password severity = medium line = 234 matchedText = passwd...
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/src/constants/commandSchema.js

bundled/services/backend/src/constants/commandSchema.jsView on unpkg · L234
bundled/services/backend/src/routes/admin.jsView file
141patternName = generic_password severity = medium line = 141 matchedText = password...23.'
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/src/routes/admin.js

bundled/services/backend/src/routes/admin.jsView on unpkg · L141
bundled/services/backend/src/services/cliAuthService.jsView file
282patternName = generic_password severity = medium line = 282 matchedText = { userna...' },
Medium
Secret Pattern

Hardcoded password in bundled/services/backend/src/services/cliAuthService.js

bundled/services/backend/src/services/cliAuthService.jsView on unpkg · L282
bundled/services/ai-backend/test/workflow.routes.test.jsView file
39patternName = generic_password severity = medium line = 39 matchedText = userA = ... });
Medium
Secret Pattern

Hardcoded password in bundled/services/ai-backend/test/workflow.routes.test.js

bundled/services/ai-backend/test/workflow.routes.test.jsView on unpkg · L39

Findings

15 Critical7 High19 Medium9 Low
CriticalCritical Secretbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalReverse Shellbundled/services/ai-backend/src/services/securityGuardService.js
CriticalTrojan Source Unicodebundled/scripts/diagnostics/fuzzInputCorpus.js
CriticalSecret Patternbundled/services/backend/tests/tools/securityScan.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
CriticalSecret Patternbundled/services/backend/tests/proxyServer.https.test.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/khy.js
HighShellbundled/scripts/bench/win_cost_compact.js
HighSame File Env Network Executionbundled/services/backend/bin/khy.js
HighShips High Entropy Blobbundled/docs/07_OPS_运维/[OPS-MAN-043] 从0到高手-新手成长路线与pip安装后清单.pdf
HighPayload In Excluded Dirbundled/services/ai-backend/test/fixtures/coze/sample-linear.zip
HighOversized Source Filebundled/tools/khyos-markdown/vendor/khyos-muya.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/khy.js
MediumUnsafe Vm Contextbundled/software/khyquant/services/backtestEngine.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebundled/services/backend/tests/services/additionalDirectories.test.js
MediumShips Wasm Modulebundled/software/khyquant/frontend/dist/wasm/khy-math-demo.wasm
MediumShips Build Helperbundled/tools/khyos-markdown/unregister-linux.sh
MediumShips Compressed Blobbundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsix
MediumStructural Risk Force Deep Review
MediumSecret Patternbundled/software/khyquant/frontend/dist/assets/Debug--vriC6bB.js
MediumSecret Patternbundled/apps/ai-frontend/dist/assets/Login-BD-XGBty.js
MediumSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
MediumSecret Patternbundled/services/backend/tests/repoDisciplineRisk.test.js
MediumSecret Patternbundled/services/backend/tests/auth.sessionSecurityRoutes.test.js
MediumSecret Patternbundled/services/backend/src/constants/commandSchema.js
MediumSecret Patternbundled/services/backend/src/routes/admin.js
MediumSecret Patternbundled/services/backend/src/services/cliAuthService.js
MediumSecret Patternbundled/services/ai-backend/test/workflow.routes.test.js
LowScripts Present
LowEvalbundled/software/khyquant/frontend/dist/assets/IntelligentStrategySelector-DPLaZEuV.js
LowWeak Cryptobundled/platform/packages/shared/src/services/gateway/example_plugins/cache-plugin.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNested Archive Needs Inspectionbundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsix