registry  /  thuban  /  0.4.14

thuban@0.4.14

The safety layer for AI-coded software. Detect hallucinated APIs, ghost code, tech debt, and architecture drift. One command. Minimal dependencies.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No unconsented install-time behavior is established. An explicit `thuban gate --fix` command installs a persistent Git pre-commit hook that later invokes npx.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `thuban gate --fix` in a Git repository; later commits trigger the hook.
Impact
Adds a repository-local pre-commit execution path and may fetch/run thuban through npx on commit.
Mechanism
Explicit Git hook installation and scanner self-test subprocesses.
Rationale
Source inspection does not confirm malware or install-time compromise. The explicit pre-commit hook setup is a real persistence-capable developer-tool behavior that warrants a warning under the stated policy.
Evidence
package.jsoncli.jspackages/scanner/pre-commit-gate.jspackages/scanner/feedback-client.jspackages/crucible/self-attack.jspackages/crucible/mutation-engine.js.git/hooks/pre-commit

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `packages/scanner/pre-commit-gate.js` can write `.git/hooks/pre-commit`.
  • Installed hook runs `npx --yes thuban gate --ci` on future commits.
  • `cli.js` activates hook installation via explicit `thuban gate --fix`.
  • Crucible modules create temp payloads and can invoke the package CLI for scanner self-tests.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `cli.js` only dispatches behavior after an explicit CLI command.
  • Hook writes are scoped to the selected repository's `.git/hooks/pre-commit`.
  • Feedback POST is only reached through `thuban feedback`; it sanitizes submitted text.
  • Vulnerable-looking Crucible code is test-seed content, not executed on import.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 171 file(s), 879 KB of source, external domains: apache.org, api.osv.dev, app.company.com, attacker.com, crates.io, docs.npmjs.com, europe-west2-orion-os-479912.cloudfunctions.net, example.com, git-scm.com, github.com, hooks.slack.com, my-app-prod.firebaseio.com, nodejs.org, proxy.golang.org, pypi.org, registry.npmjs.org, thuban-alpha.vercel.app, thuban.dev, www.w3.org, your-server.com

Source & flagged code

42 flagged · loading source
packages/crucible/kenny-mode.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = "use str...TS};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

packages/crucible/kenny-mode.jsView on unpkg · L1
1patternName = aws_access_key severity = critical line = 1 matchedText = "use str...TS};
Critical
Secret Pattern

AWS access key ID in packages/crucible/kenny-mode.js

packages/crucible/kenny-mode.jsView on unpkg · L1
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...TS};
Critical
Secret Pattern

RSA private key in packages/crucible/kenny-mode.js

packages/crucible/kenny-mode.jsView on unpkg · L1
1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),{spawnSync:spawnSync}=require("child_process"),{getPatterns:getPatterns}=require(...
High
Shell

Package source references shell execution.

packages/crucible/kenny-mode.jsView on unpkg · L1
1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),{spawnSync:spawnSync}=require("child_process"),{getPatterns:getPatterns}=require(...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

packages/crucible/kenny-mode.jsView on unpkg · L1
1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),{spawnSync:spawnSync}=require("child_process"),{getPatterns:getPatterns}=require(...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

packages/crucible/kenny-mode.jsView on unpkg · L1
1Cross-file remote execution chain: packages/crucible/kenny-mode.js spawns cli.js; helper contains network access plus dynamic code execution. L1: "use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),{spawnSync:spawnSync}=require("child_process"),{getPatterns:getPatterns}=require(...
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

packages/crucible/kenny-mode.jsView on unpkg · L1
packages/crucible/mutation-engine.jsView file
1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),MUTATIONS=[{name:"operator_flip_eq",description:"Replace === with == (loose equal...
High
Child Process

Package source references child process execution.

packages/crucible/mutation-engine.jsView on unpkg · L1
1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),MUTATIONS=[{name:"operator_flip_eq",description:"Replace === with == (loose equal...
Low
Eval

Package source references a known benign dynamic code generation pattern.

packages/crucible/mutation-engine.jsView on unpkg · L1
packages/crucible/report-generator.jsView file
1"use strict";const fs=require("fs"),path=require("path"),crypto=require("crypto");function getScannerVersion(){try{return JSON.parse(fs.readFileSync(path.join(__dirname,"..","..","...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

packages/crucible/report-generator.jsView on unpkg · L1
packages/crucible/seeds/js/seed-055.jsView file
10L11: router.post('/sandbox/eval', (req, res) => { L12: const { code, state } = req.body; L13: const parsedState = JSON.parse(state); L14:
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

packages/crucible/seeds/js/seed-055.jsView on unpkg · L10
packages/crucible/seeds/js/seed-035.jsView file
20// Predictable: only uses current timestamp L21: return Buffer.from(Date.now().toString()).toString('base64'); L22: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

packages/crucible/seeds/js/seed-035.jsView on unpkg · L20
cli.jsView file
1#!/usr/bin/env node L2: const path=require("path"),fs=require("fs"),os=require("os"),_CLI_VERSION=JSON.parse(fs.readFileSync(path.join(__dirname,"package.json"),"utf-8")).version,CodeScanner=require("./pa...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

cli.jsView on unpkg · L1
packages/scanner/pre-commit-gate.jsView file
1const fs=require("fs"),path=require("path"),{execSync:execSync}=require("child_process");class PreCommitGate{constructor(e={}){this.rootPath=e.rootPath||process.cwd(),this.strict=!...
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

packages/scanner/pre-commit-gate.jsView on unpkg · L1
packages/crucible/seeds/python/seed-050.pyView file
path = [redacted]-050.py kind = build_helper sizeBytes = 1273 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

packages/crucible/seeds/python/seed-050.pyView on unpkg
packages/scanner/hallucination-detector.jsView file
matchType = previous_version_dangerous_delta matchedPackage = thuban@0.4.13 matchedIdentity = npm:dGh1YmFu:0.4.13 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

packages/scanner/hallucination-detector.jsView on unpkg
README.mdView file
157patternName = generic_password severity = medium line = 157 matchedText = password...C005
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L157
packages/crucible/seeds/go/seed-004.goView file
14patternName = stripe_live_secret severity = critical line = 14 matchedText = const st...LcD"
Critical
Secret Pattern

Stripe live secret key in packages/crucible/seeds/go/seed-004.go

packages/crucible/seeds/go/seed-004.goView on unpkg · L14
packages/crucible/seeds/go/seed-001.goView file
17patternName = aws_access_key severity = critical line = 17 matchedText = awsAcces...PLE"
Critical
Secret Pattern

AWS access key ID in packages/crucible/seeds/go/seed-001.go

packages/crucible/seeds/go/seed-001.goView on unpkg · L17
packages/crucible/seeds/python/seed-001.pyView file
9patternName = aws_access_key severity = critical line = 9 matchedText = AWS_ACCE...PLE"
Critical
Secret Pattern

AWS access key ID in packages/crucible/seeds/python/seed-001.py

packages/crucible/seeds/python/seed-001.pyView on unpkg · L9
10patternName = aws_secret_key severity = critical line = 10 matchedText = AWS_SECR...KEY"
Critical
Secret Pattern

AWS secret access key in packages/crucible/seeds/python/seed-001.py

packages/crucible/seeds/python/seed-001.pyView on unpkg · L10
packages/crucible/seeds/python/seed-004.pyView file
11patternName = stripe_live_secret severity = critical line = 11 matchedText = STRIPE_S...def"
Critical
Secret Pattern

Stripe live secret key in packages/crucible/seeds/python/seed-004.py

packages/crucible/seeds/python/seed-004.pyView on unpkg · L11
13patternName = stripe_webhook_secret severity = high line = 13 matchedText = STRIPE_W...DEF"
High
Secret Pattern

Stripe webhook signing secret in packages/crucible/seeds/python/seed-004.py

packages/crucible/seeds/python/seed-004.pyView on unpkg · L13
packages/crucible/seeds/python/seed-010.pyView file
26patternName = generic_password severity = medium line = 26 matchedText = query = ...d}'"
Medium
Secret Pattern

Hardcoded password in packages/crucible/seeds/python/seed-010.py

packages/crucible/seeds/python/seed-010.pyView on unpkg · L26
packages/crucible/seeds/python/seed-003.pyView file
27patternName = stripe_live_secret severity = critical line = 27 matchedText = STRIPE_S...def"
Critical
Secret Pattern

Stripe live secret key in packages/crucible/seeds/python/seed-003.py

packages/crucible/seeds/python/seed-003.pyView on unpkg · L27
28patternName = stripe_webhook_secret severity = high line = 28 matchedText = STRIPE_W...678"
High
Secret Pattern

Stripe webhook signing secret in packages/crucible/seeds/python/seed-003.py

packages/crucible/seeds/python/seed-003.pyView on unpkg · L28
packages/crucible/seeds/python/seed-006.pyView file
9patternName = github_pat severity = critical line = 9 matchedText = GITHUB_T...890"
Critical
Secret Pattern

GitHub personal access token in packages/crucible/seeds/python/seed-006.py

packages/crucible/seeds/python/seed-006.pyView on unpkg · L9
13patternName = slack_bot_token severity = critical line = 13 matchedText = SLACK_BO...vwx"
Critical
Secret Pattern

Slack bot token in packages/crucible/seeds/python/seed-006.py

packages/crucible/seeds/python/seed-006.pyView on unpkg · L13
packages/crucible/seeds/js/seed-001.jsView file
11patternName = aws_access_key severity = critical line = 11 matchedText = accessKe...LE',
Critical
Secret Pattern

AWS access key ID in packages/crucible/seeds/js/seed-001.js

packages/crucible/seeds/js/seed-001.jsView on unpkg · L11
packages/crucible/seeds/js/seed-010.jsView file
12patternName = generic_password severity = medium line = 12 matchedText = const qu...}'`;
Medium
Secret Pattern

Hardcoded password in packages/crucible/seeds/js/seed-010.js

packages/crucible/seeds/js/seed-010.jsView on unpkg · L12
packages/crucible/seeds/js/seed-004.jsView file
10patternName = stripe_live_secret severity = critical line = 10 matchedText = const ST...ef';
Critical
Secret Pattern

Stripe live secret key in packages/crucible/seeds/js/seed-004.js

packages/crucible/seeds/js/seed-004.jsView on unpkg · L10
11patternName = stripe_webhook_secret severity = high line = 11 matchedText = const ST...EF';
High
Secret Pattern

Stripe webhook signing secret in packages/crucible/seeds/js/seed-004.js

packages/crucible/seeds/js/seed-004.jsView on unpkg · L11
packages/crucible/seeds/js/seed-006.jsView file
10patternName = github_pat severity = critical line = 10 matchedText = const GI...90';
Critical
Secret Pattern

GitHub personal access token in packages/crucible/seeds/js/seed-006.js

packages/crucible/seeds/js/seed-006.jsView on unpkg · L10
packages/crucible/seeds/js/seed-002.jsView file
14patternName = generic_password severity = medium line = 14 matchedText = password...d!',
Medium
Secret Pattern

Hardcoded password in packages/crucible/seeds/js/seed-002.js

packages/crucible/seeds/js/seed-002.jsView on unpkg · L14
packages/crucible/seeds/js/seed-038.jsView file
11patternName = private_key_rsa severity = critical line = 11 matchedText = const PR...----
Critical
Secret Pattern

RSA private key in packages/crucible/seeds/js/seed-038.js

packages/crucible/seeds/js/seed-038.jsView on unpkg · L11
packages/crucible/seeds/rust/seed-004.rsView file
7patternName = stripe_live_secret severity = critical line = 7 matchedText = const ST...ij";
Critical
Secret Pattern

Stripe live secret key in packages/crucible/seeds/rust/seed-004.rs

packages/crucible/seeds/rust/seed-004.rsView on unpkg · L7
8patternName = stripe_webhook_secret severity = high line = 8 matchedText = const ST...IJ";
High
Secret Pattern

Stripe webhook signing secret in packages/crucible/seeds/rust/seed-004.rs

packages/crucible/seeds/rust/seed-004.rsView on unpkg · L8
packages/crucible/seeds/rust/seed-001.rsView file
9patternName = aws_access_key severity = critical line = 9 matchedText = const AW...E1";
Critical
Secret Pattern

AWS access key ID in packages/crucible/seeds/rust/seed-001.rs

packages/crucible/seeds/rust/seed-001.rsView on unpkg · L9
packages/crucible/seeds/rust/seed-005.rsView file
7patternName = github_pat severity = critical line = 7 matchedText = const GI...xx";
Critical
Secret Pattern

GitHub personal access token in packages/crucible/seeds/rust/seed-005.rs

packages/crucible/seeds/rust/seed-005.rsView on unpkg · L7
packages/crucible/seeds/rust/seed-003.rsView file
12patternName = stripe_live_secret severity = critical line = 12 matchedText = const AD...xx";
Critical
Secret Pattern

Stripe live secret key in packages/crucible/seeds/rust/seed-003.rs

packages/crucible/seeds/rust/seed-003.rsView on unpkg · L12
packages/crucible/seeds/rust/seed-008.rsView file
7patternName = slack_bot_token severity = critical line = 7 matchedText = const SL...wx";
Critical
Secret Pattern

Slack bot token in packages/crucible/seeds/rust/seed-008.rs

packages/crucible/seeds/rust/seed-008.rsView on unpkg · L7
packages/crucible/seeds/java/seed-002.javaView file
8patternName = aws_access_key severity = critical line = 8 matchedText = private ...LE";
Critical
Secret Pattern

AWS access key ID in packages/crucible/seeds/java/seed-002.java

packages/crucible/seeds/java/seed-002.javaView on unpkg · L8

Findings

22 Critical11 High10 Medium7 Low
CriticalCritical Secretpackages/crucible/kenny-mode.js
CriticalPrevious Version Dangerous Deltapackages/scanner/hallucination-detector.js
CriticalSecret Patternpackages/crucible/kenny-mode.js
CriticalSecret Patternpackages/crucible/kenny-mode.js
CriticalSecret Patternpackages/crucible/seeds/go/seed-004.go
CriticalSecret Patternpackages/crucible/seeds/go/seed-001.go
CriticalSecret Patternpackages/crucible/seeds/python/seed-001.py
CriticalSecret Patternpackages/crucible/seeds/python/seed-001.py
CriticalSecret Patternpackages/crucible/seeds/python/seed-004.py
CriticalSecret Patternpackages/crucible/seeds/python/seed-003.py
CriticalSecret Patternpackages/crucible/seeds/python/seed-006.py
CriticalSecret Patternpackages/crucible/seeds/python/seed-006.py
CriticalSecret Patternpackages/crucible/seeds/js/seed-001.js
CriticalSecret Patternpackages/crucible/seeds/js/seed-004.js
CriticalSecret Patternpackages/crucible/seeds/js/seed-006.js
CriticalSecret Patternpackages/crucible/seeds/js/seed-038.js
CriticalSecret Patternpackages/crucible/seeds/rust/seed-004.rs
CriticalSecret Patternpackages/crucible/seeds/rust/seed-001.rs
CriticalSecret Patternpackages/crucible/seeds/rust/seed-005.rs
CriticalSecret Patternpackages/crucible/seeds/rust/seed-003.rs
CriticalSecret Patternpackages/crucible/seeds/rust/seed-008.rs
CriticalSecret Patternpackages/crucible/seeds/java/seed-002.java
HighChild Processpackages/crucible/mutation-engine.js
HighShellpackages/crucible/kenny-mode.js
HighSame File Env Network Executionpackages/crucible/kenny-mode.js
HighCommand Output Exfiltrationpackages/crucible/kenny-mode.js
HighSandbox Evasion Gated Capabilitycli.js
HighCross File Remote Execution Contextpackages/crucible/kenny-mode.js
HighRuntime Package Installpackages/scanner/pre-commit-gate.js
HighSecret Patternpackages/crucible/seeds/python/seed-004.py
HighSecret Patternpackages/crucible/seeds/python/seed-003.py
HighSecret Patternpackages/crucible/seeds/js/seed-004.js
HighSecret Patternpackages/crucible/seeds/rust/seed-004.rs
MediumDynamic Requirepackages/crucible/report-generator.js
MediumUnsafe Vm Contextpackages/crucible/seeds/js/seed-055.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpackages/crucible/seeds/python/seed-050.py
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
MediumSecret Patternpackages/crucible/seeds/python/seed-010.py
MediumSecret Patternpackages/crucible/seeds/js/seed-010.js
MediumSecret Patternpackages/crucible/seeds/js/seed-002.js
LowScripts Present
LowEvalpackages/crucible/mutation-engine.js
LowWeak Cryptopackages/crucible/seeds/js/seed-035.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License