registry  /  fractascan  /  0.1.17

fractascan@0.1.17

Fracta — auditor de segurança + LGPD multi-agente e determinístico para SaaS (DAST + SAST, relatório A–F). CLI: fracta scan.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a security-auditing CLI that makes user-invoked network probes against configured targets and may run local scanner binaries against a configured repo.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs fracta CLI commands such as scan, docs, verify, verify-csp, or init
Impact
Can generate active test traffic and local reports; no unconsented install-time or import-time behavior identified.
Mechanism
User-invoked SaaS security scanner with DAST/SAST/reporting
Rationale
The suspicious primitives are package-aligned for a documented security scanner and are activated by explicit CLI use, with no lifecycle hooks or hidden exfiltration path found. Bundled Anthropic SDK/tooling and scanner subprocess use are opt-in or scan-path capabilities, not evidence of malware in this package.
Evidence
package.jsonREADME.mddist/index.jsdist/chunk-U24RMSTQ.jsdist/node-QWZVVGUH.jsconfigs/targets.yamlfracta-reportsfracta-state.db
Network endpoints2
fracta.proapi.anthropic.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js CLI performs active DAST requests against configured target URLs, including auth, IDOR, CORS, race, Stripe tests.
  • dist/chunk-U24RMSTQ.js runCommand can invoke npm audit, gitleaks, semgrep on user-configured repoPath during scan.
  • dist/index.js --llm opt-in uses ANTHROPIC_API_KEY and Anthropic client to enrich reports.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • dist/index.js main only runs on CLI/bin invocation; no import-time scan or install-time mutation found.
  • Network requests are target-configured audit traffic or documented Anthropic API use when --llm is explicitly enabled.
  • Report/state writes are local user-selected paths: output directory, state DB, and init targets.yaml.
  • Secret scanning code sanitizes gitleaks output and does not include leaked secret values in findings.
  • No credential harvesting/exfiltration, persistence, destructive behavior, or AI-agent control-surface writes found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
WildcardDependency
scanned 9 file(s), 674 KB of source, external domains: api.anthropic.com, app.seu-dominio.com, cve.mitre.org, cwe.mitre.org, datatracker.ietf.org, developer.mozilla.org, docs.anthropic.com, docs.expo.dev, docs.nestjs.com, docs.stripe.com, evil.com, fracta.pro, github.com, json.schemastore.org, owasp.org, platform.claude.com, semgrep.dev, staging.meuapp.com.br, supabase.com, www.gov.br, www.prisma.io, zap-api.tech

Source & flagged code

7 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = fractascan@0.1.2 matchedIdentity = npm:ZnJhY3Rhc2Nhbg:0.1.2 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
193patternName = generic_password severity = medium line = 193 matchedText = const bo..." };
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L193
1639patternName = generic_password severity = medium line = 1639 matchedText = body: { ..." },
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L1639
3768patternName = generic_password severity = medium line = 3768 matchedText = password...99",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L3768
250title: "CSP com 'unsafe-eval' em script-src", L251: detail: "'unsafe-eval' reabre eval()/new Function()/setTimeout(string) \u2014 amplia a superf\xEDcie de XSS.", L252: recommendation: "Remova 'unsafe-eval' e refatore o c\xF3digo que depende de eval/Function din\xE2micos."
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L250
dist/init-EUSLT3FC.jsView file
24patternName = generic_password severity = medium line = 24 matchedText = password...aqui
Medium
Secret Pattern

Hardcoded password in dist/init-EUSLT3FC.js

dist/init-EUSLT3FC.jsView on unpkg · L24
32patternName = generic_password severity = medium line = 32 matchedText = # pa...SS}"
Medium
Secret Pattern

Hardcoded password in dist/init-EUSLT3FC.js

dist/init-EUSLT3FC.jsView on unpkg · L32

Findings

1 High8 Medium6 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumSecret Patterndist/index.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/init-EUSLT3FC.js
MediumSecret Patterndist/init-EUSLT3FC.js
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings