registry  /  thuban  /  0.4.2

thuban@0.4.2

The safety layer for AI-coded software. Detect hallucinated APIs, ghost code, tech debt, and architecture drift. One command. Minimal dependencies.

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 50 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 209 file(s), 652 KB of source, external domains: apache.org, app.company.com, attacker.com, example.com, github.com, hooks.slack.com, my-app-prod.firebaseio.com, thuban.dev, www.w3.org

Source & flagged code

41 flagged · loading source
dist/packages/crucible/kenny-mode.jsView file
1patternName = aws_access_key severity = critical line = 1 matchedText = "use str...TS};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/packages/crucible/kenny-mode.jsView on unpkg · L1
1patternName = aws_access_key severity = critical line = 1 matchedText = "use str...TS};
Critical
Secret Pattern

AWS access key ID in dist/packages/crucible/kenny-mode.js

dist/packages/crucible/kenny-mode.jsView on unpkg · L1
1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...TS};
Critical
Secret Pattern

RSA private key in dist/packages/crucible/kenny-mode.js

dist/packages/crucible/kenny-mode.jsView on unpkg · L1
1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),{spawnSync:spawnSync}=require("child_process"),{getPatterns:getPatterns}=require(...
High
Shell

Package source references shell execution.

dist/packages/crucible/kenny-mode.jsView on unpkg · L1
1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),{spawnSync:spawnSync}=require("child_process"),{getPatterns:getPatterns}=require(...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/packages/crucible/kenny-mode.jsView on unpkg · L1
1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),{spawnSync:spawnSync}=require("child_process"),{getPatterns:getPatterns}=require(...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/packages/crucible/kenny-mode.jsView on unpkg · L1
dist/packages/crucible/mutation-engine.jsView file
1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),MUTATIONS=[{name:"operator_flip_eq",description:"Replace === with == (loose equal...
High
Child Process

Package source references child process execution.

dist/packages/crucible/mutation-engine.jsView on unpkg · L1
1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),MUTATIONS=[{name:"operator_flip_eq",description:"Replace === with == (loose equal...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/packages/crucible/mutation-engine.jsView on unpkg · L1
dist/packages/crucible/report-generator.jsView file
1"use strict";const fs=require("fs"),path=require("path"),crypto=require("crypto");function getScannerVersion(){try{return JSON.parse(fs.readFileSync(path.join(__dirname,"..","..","...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/packages/crucible/report-generator.jsView on unpkg · L1
dist/packages/crucible/seeds/js/seed-055.jsView file
10L11: router.post('/sandbox/eval', (req, res) => { L12: const { code, state } = req.body; L13: const parsedState = JSON.parse(state); L14:
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/packages/crucible/seeds/js/seed-055.jsView on unpkg · L10
dist/packages/crucible/seeds/js/seed-035.jsView file
20// Predictable: only uses current timestamp L21: return Buffer.from(Date.now().toString()).toString('base64'); L22: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/packages/crucible/seeds/js/seed-035.jsView on unpkg · L20
dist/cli.jsView file
1#!/usr/bin/env node L2: const path=require("path"),fs=require("fs"),os=require("os"),CodeScanner=require("./packages/scanner/code-scanner.js"),DependencyGraph=require("./packages/scanner/dependency-graph....
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L1
dist/packages/crucible/seeds/python/seed-028 2.pyView file
path = [redacted]-028 2.py kind = build_helper sizeBytes = 1368 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/packages/crucible/seeds/python/seed-028 2.pyView on unpkg
dist/packages/crucible/seeds/go/seed-004.goView file
14patternName = stripe_live_secret severity = critical line = 14 matchedText = const st...LcD"
Critical
Secret Pattern

Stripe live secret key in dist/packages/crucible/seeds/go/seed-004.go

dist/packages/crucible/seeds/go/seed-004.goView on unpkg · L14
dist/packages/crucible/seeds/go/seed-001.goView file
17patternName = aws_access_key severity = critical line = 17 matchedText = awsAcces...PLE"
Critical
Secret Pattern

AWS access key ID in dist/packages/crucible/seeds/go/seed-001.go

dist/packages/crucible/seeds/go/seed-001.goView on unpkg · L17
dist/packages/crucible/seeds/python/seed-001.pyView file
9patternName = aws_access_key severity = critical line = 9 matchedText = AWS_ACCE...PLE"
Critical
Secret Pattern

AWS access key ID in dist/packages/crucible/seeds/python/seed-001.py

dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L9
10patternName = aws_secret_key severity = critical line = 10 matchedText = AWS_SECR...KEY"
Critical
Secret Pattern

AWS secret access key in dist/packages/crucible/seeds/python/seed-001.py

dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L10
dist/packages/crucible/seeds/python/seed-004.pyView file
11patternName = stripe_live_secret severity = critical line = 11 matchedText = STRIPE_S...def"
Critical
Secret Pattern

Stripe live secret key in dist/packages/crucible/seeds/python/seed-004.py

dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L11
13patternName = stripe_webhook_secret severity = high line = 13 matchedText = STRIPE_W...DEF"
High
Secret Pattern

Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-004.py

dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L13
dist/packages/crucible/seeds/python/seed-010.pyView file
26patternName = generic_password severity = medium line = 26 matchedText = query = ...d}'"
Medium
Secret Pattern

Hardcoded password in dist/packages/crucible/seeds/python/seed-010.py

dist/packages/crucible/seeds/python/seed-010.pyView on unpkg · L26
dist/packages/crucible/seeds/python/seed-003.pyView file
27patternName = stripe_live_secret severity = critical line = 27 matchedText = STRIPE_S...def"
Critical
Secret Pattern

Stripe live secret key in dist/packages/crucible/seeds/python/seed-003.py

dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L27
28patternName = stripe_webhook_secret severity = high line = 28 matchedText = STRIPE_W...678"
High
Secret Pattern

Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-003.py

dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L28
dist/packages/crucible/seeds/python/seed-006.pyView file
9patternName = github_pat severity = critical line = 9 matchedText = GITHUB_T...890"
Critical
Secret Pattern

GitHub personal access token in dist/packages/crucible/seeds/python/seed-006.py

dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L9
13patternName = slack_bot_token severity = critical line = 13 matchedText = SLACK_BO...vwx"
Critical
Secret Pattern

Slack bot token in dist/packages/crucible/seeds/python/seed-006.py

dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L13
dist/packages/crucible/seeds/js/seed-001.jsView file
11patternName = aws_access_key severity = critical line = 11 matchedText = accessKe...LE',
Critical
Secret Pattern

AWS access key ID in dist/packages/crucible/seeds/js/seed-001.js

dist/packages/crucible/seeds/js/seed-001.jsView on unpkg · L11
dist/packages/crucible/seeds/js/seed-010.jsView file
12patternName = generic_password severity = medium line = 12 matchedText = const qu...}'`;
Medium
Secret Pattern

Hardcoded password in dist/packages/crucible/seeds/js/seed-010.js

dist/packages/crucible/seeds/js/seed-010.jsView on unpkg · L12
dist/packages/crucible/seeds/js/seed-004.jsView file
10patternName = stripe_live_secret severity = critical line = 10 matchedText = const ST...ef';
Critical
Secret Pattern

Stripe live secret key in dist/packages/crucible/seeds/js/seed-004.js

dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L10
11patternName = stripe_webhook_secret severity = high line = 11 matchedText = const ST...EF';
High
Secret Pattern

Stripe webhook signing secret in dist/packages/crucible/seeds/js/seed-004.js

dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L11
dist/packages/crucible/seeds/js/seed-006.jsView file
10patternName = github_pat severity = critical line = 10 matchedText = const GI...90';
Critical
Secret Pattern

GitHub personal access token in dist/packages/crucible/seeds/js/seed-006.js

dist/packages/crucible/seeds/js/seed-006.jsView on unpkg · L10
dist/packages/crucible/seeds/js/seed-002.jsView file
14patternName = generic_password severity = medium line = 14 matchedText = password...d!',
Medium
Secret Pattern

Hardcoded password in dist/packages/crucible/seeds/js/seed-002.js

dist/packages/crucible/seeds/js/seed-002.jsView on unpkg · L14
dist/packages/crucible/seeds/js/seed-038.jsView file
11patternName = private_key_rsa severity = critical line = 11 matchedText = const PR...----
Critical
Secret Pattern

RSA private key in dist/packages/crucible/seeds/js/seed-038.js

dist/packages/crucible/seeds/js/seed-038.jsView on unpkg · L11
dist/packages/crucible/seeds/rust/seed-003 2.rsView file
12patternName = stripe_live_secret severity = critical line = 12 matchedText = const AD...xx";
Critical
Secret Pattern

Stripe live secret key in dist/packages/crucible/seeds/rust/seed-003 2.rs

dist/packages/crucible/seeds/rust/seed-003 2.rsView on unpkg · L12
dist/packages/crucible/seeds/rust/seed-004.rsView file
7patternName = stripe_live_secret severity = critical line = 7 matchedText = const ST...ij";
Critical
Secret Pattern

Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004.rs

dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L7
8patternName = stripe_webhook_secret severity = high line = 8 matchedText = const ST...IJ";
High
Secret Pattern

Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004.rs

dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L8
dist/packages/crucible/seeds/rust/seed-005 2.rsView file
7patternName = github_pat severity = critical line = 7 matchedText = const GI...xx";
Critical
Secret Pattern

GitHub personal access token in dist/packages/crucible/seeds/rust/seed-005 2.rs

dist/packages/crucible/seeds/rust/seed-005 2.rsView on unpkg · L7
dist/packages/crucible/seeds/rust/seed-004 2.rsView file
7patternName = stripe_live_secret severity = critical line = 7 matchedText = const ST...ij";
Critical
Secret Pattern

Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004 2.rs

dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L7
8patternName = stripe_webhook_secret severity = high line = 8 matchedText = const ST...IJ";
High
Secret Pattern

Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004 2.rs

dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L8
dist/packages/crucible/seeds/rust/seed-001.rsView file
9patternName = aws_access_key severity = critical line = 9 matchedText = const AW...E1";
Critical
Secret Pattern

AWS access key ID in dist/packages/crucible/seeds/rust/seed-001.rs

dist/packages/crucible/seeds/rust/seed-001.rsView on unpkg · L9
dist/packages/crucible/seeds/rust/seed-008 2.rsView file
7patternName = slack_bot_token severity = critical line = 7 matchedText = const SL...wx";
Critical
Secret Pattern

Slack bot token in dist/packages/crucible/seeds/rust/seed-008 2.rs

dist/packages/crucible/seeds/rust/seed-008 2.rsView on unpkg · L7
dist/packages/crucible/seeds/rust/seed-005.rsView file
7patternName = github_pat severity = critical line = 7 matchedText = const GI...xx";
Critical
Secret Pattern

GitHub personal access token in dist/packages/crucible/seeds/rust/seed-005.rs

dist/packages/crucible/seeds/rust/seed-005.rsView on unpkg · L7
dist/packages/crucible/seeds/rust/seed-003.rsView file
12patternName = stripe_live_secret severity = critical line = 12 matchedText = const AD...xx";
Critical
Secret Pattern

Stripe live secret key in dist/packages/crucible/seeds/rust/seed-003.rs

dist/packages/crucible/seeds/rust/seed-003.rsView on unpkg · L12

Findings

23 Critical10 High9 Medium8 Low
CriticalCritical Secretdist/packages/crucible/kenny-mode.js
CriticalSecret Patterndist/packages/crucible/kenny-mode.js
CriticalSecret Patterndist/packages/crucible/kenny-mode.js
CriticalSecret Patterndist/packages/crucible/seeds/go/seed-004.go
CriticalSecret Patterndist/packages/crucible/seeds/go/seed-001.go
CriticalSecret Patterndist/packages/crucible/seeds/python/seed-001.py
CriticalSecret Patterndist/packages/crucible/seeds/python/seed-001.py
CriticalSecret Patterndist/packages/crucible/seeds/python/seed-004.py
CriticalSecret Patterndist/packages/crucible/seeds/python/seed-003.py
CriticalSecret Patterndist/packages/crucible/seeds/python/seed-006.py
CriticalSecret Patterndist/packages/crucible/seeds/python/seed-006.py
CriticalSecret Patterndist/packages/crucible/seeds/js/seed-001.js
CriticalSecret Patterndist/packages/crucible/seeds/js/seed-004.js
CriticalSecret Patterndist/packages/crucible/seeds/js/seed-006.js
CriticalSecret Patterndist/packages/crucible/seeds/js/seed-038.js
CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-003 2.rs
CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-004.rs
CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-005 2.rs
CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-004 2.rs
CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-001.rs
CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-008 2.rs
CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-005.rs
CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-003.rs
HighChild Processdist/packages/crucible/mutation-engine.js
HighShelldist/packages/crucible/kenny-mode.js
HighSame File Env Network Executiondist/packages/crucible/kenny-mode.js
HighCommand Output Exfiltrationdist/packages/crucible/kenny-mode.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighSecret Patterndist/packages/crucible/seeds/python/seed-004.py
HighSecret Patterndist/packages/crucible/seeds/python/seed-003.py
HighSecret Patterndist/packages/crucible/seeds/js/seed-004.js
HighSecret Patterndist/packages/crucible/seeds/rust/seed-004.rs
HighSecret Patterndist/packages/crucible/seeds/rust/seed-004 2.rs
MediumDynamic Requiredist/packages/crucible/report-generator.js
MediumUnsafe Vm Contextdist/packages/crucible/seeds/js/seed-055.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/packages/crucible/seeds/python/seed-028 2.py
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/packages/crucible/seeds/python/seed-010.py
MediumSecret Patterndist/packages/crucible/seeds/js/seed-010.js
MediumSecret Patterndist/packages/crucible/seeds/js/seed-002.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/packages/crucible/mutation-engine.js
LowWeak Cryptodist/packages/crucible/seeds/js/seed-035.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License