registry  /  thuban  /  0.4.3

thuban@0.4.3

The safety layer for AI-coded software. Detect hallucinated APIs, ghost code, tech debt, and architecture drift. One command. Minimal dependencies.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are tied to explicit developer-tool commands or inert scanner test fixtures.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs thuban CLI commands such as scan, compare, gate, monitor, telemetry, or crucible.
Impact
No install-time execution, credential harvesting, persistence, or unauthorized exfiltration identified.
Mechanism
Static-analysis developer tool with optional reporting, hooks, telemetry, and adversarial test fixtures.
Rationale
Source inspection shows a legitimate static-analysis CLI whose shell, filesystem, network, and fake-secret indicators are package-aligned and user-invoked. The suspicious seed files and Kenny Mode payloads are inert test fixtures for scanner evaluation, not runtime malware.
Evidence
package.jsondist/cli.jsdist/packages/crucible/kenny-mode.jsdist/packages/crucible/mutation-engine.jsdist/packages/crucible/report-generator.jsdist/packages/scanner/license-manager.jsdist/packages/scanner/pre-commit-gate.jsdist/packages/scanner/monitor-service.js~/.thuban/usage.json~/.thuban/license.json.git/hooks/pre-commit.thuban-baseline.json.thuban-telemetry.json
Network endpoints4
thuban.devgithub.com/SilverwingsBenefitsGit/thuban.gitgithub.com/SilverwingsBenefitsGit/thuban/issuesthuban-telemetry.silverwingsbenefits.workers.dev

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hooks; only prepublishOnly build script for publisher workflow.
    • dist/cli.js is a user-invoked CLI for scanning, reporting, fixing, monitoring, and crucible tests.
    • dist/packages/crucible/kenny-mode.js embeds fake vulnerable snippets and dummy AWS keys as scanner test cases, not active credential use.
    • dist/packages/crucible/mutation-engine.js writes mutated files only under os.tmpdir during explicit crucible mutation runs and cleans them up.
    • Network use is package-aligned: git clone for URL scan/compare targets, opt-in telemetry, and displayed project/pricing URLs.
    • PreCommitGate modifies .git/hooks/pre-commit only when the user runs the gate install command.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    Manifest
    NoLicense
    scanned 209 file(s), 660 KB of source, external domains: apache.org, app.company.com, attacker.com, example.com, github.com, hooks.slack.com, my-app-prod.firebaseio.com, thuban.dev, www.w3.org

    Source & flagged code

    41 flagged · loading source
    dist/packages/crucible/kenny-mode.jsView file
    1patternName = aws_access_key severity = critical line = 1 matchedText = "use str...TS};
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/packages/crucible/kenny-mode.jsView on unpkg · L1
    1patternName = aws_access_key severity = critical line = 1 matchedText = "use str...TS};
    Critical
    Secret Pattern

    AWS access key ID in dist/packages/crucible/kenny-mode.js

    dist/packages/crucible/kenny-mode.jsView on unpkg · L1
    1patternName = private_key_rsa severity = critical line = 1 matchedText = "use str...TS};
    Critical
    Secret Pattern

    RSA private key in dist/packages/crucible/kenny-mode.js

    dist/packages/crucible/kenny-mode.jsView on unpkg · L1
    1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),{spawnSync:spawnSync}=require("child_process"),{getPatterns:getPatterns}=require(...
    High
    Shell

    Package source references shell execution.

    dist/packages/crucible/kenny-mode.jsView on unpkg · L1
    1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),{spawnSync:spawnSync}=require("child_process"),{getPatterns:getPatterns}=require(...
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/packages/crucible/kenny-mode.jsView on unpkg · L1
    1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),{spawnSync:spawnSync}=require("child_process"),{getPatterns:getPatterns}=require(...
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/packages/crucible/kenny-mode.jsView on unpkg · L1
    dist/packages/crucible/mutation-engine.jsView file
    1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),MUTATIONS=[{name:"operator_flip_eq",description:"Replace === with == (loose equal...
    High
    Child Process

    Package source references child process execution.

    dist/packages/crucible/mutation-engine.jsView on unpkg · L1
    1"use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),MUTATIONS=[{name:"operator_flip_eq",description:"Replace === with == (loose equal...
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/packages/crucible/mutation-engine.jsView on unpkg · L1
    dist/packages/crucible/report-generator.jsView file
    1"use strict";const fs=require("fs"),path=require("path"),crypto=require("crypto");function getScannerVersion(){try{return JSON.parse(fs.readFileSync(path.join(__dirname,"..","..","...
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/packages/crucible/report-generator.jsView on unpkg · L1
    dist/packages/crucible/seeds/js/seed-055.jsView file
    10L11: router.post('/sandbox/eval', (req, res) => { L12: const { code, state } = req.body; L13: const parsedState = JSON.parse(state); L14:
    Medium
    Unsafe Vm Context

    Package source executes code through a VM context API.

    dist/packages/crucible/seeds/js/seed-055.jsView on unpkg · L10
    dist/packages/crucible/seeds/js/seed-035.jsView file
    20// Predictable: only uses current timestamp L21: return Buffer.from(Date.now().toString()).toString('base64'); L22: }
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/packages/crucible/seeds/js/seed-035.jsView on unpkg · L20
    dist/cli.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = thuban@0.4.2 matchedIdentity = npm:dGh1YmFu:0.4.2 similarity = 0.942 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/cli.jsView on unpkg
    1#!/usr/bin/env node L2: const path=require("path"),fs=require("fs"),os=require("os"),_CLI_VERSION=JSON.parse(fs.readFileSync(path.join(__dirname,"package.json"),"utf-8")).version,CodeScanner=require("./pa...
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/cli.jsView on unpkg · L1
    dist/packages/crucible/seeds/python/seed-028 2.pyView file
    path = [redacted]-028 2.py kind = build_helper sizeBytes = 1368 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    dist/packages/crucible/seeds/python/seed-028 2.pyView on unpkg
    dist/packages/crucible/seeds/go/seed-004.goView file
    14patternName = stripe_live_secret severity = critical line = 14 matchedText = const st...LcD"
    Critical
    Secret Pattern

    Stripe live secret key in dist/packages/crucible/seeds/go/seed-004.go

    dist/packages/crucible/seeds/go/seed-004.goView on unpkg · L14
    dist/packages/crucible/seeds/go/seed-001.goView file
    17patternName = aws_access_key severity = critical line = 17 matchedText = awsAcces...PLE"
    Critical
    Secret Pattern

    AWS access key ID in dist/packages/crucible/seeds/go/seed-001.go

    dist/packages/crucible/seeds/go/seed-001.goView on unpkg · L17
    dist/packages/crucible/seeds/python/seed-001.pyView file
    9patternName = aws_access_key severity = critical line = 9 matchedText = AWS_ACCE...PLE"
    Critical
    Secret Pattern

    AWS access key ID in dist/packages/crucible/seeds/python/seed-001.py

    dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L9
    10patternName = aws_secret_key severity = critical line = 10 matchedText = AWS_SECR...KEY"
    Critical
    Secret Pattern

    AWS secret access key in dist/packages/crucible/seeds/python/seed-001.py

    dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L10
    dist/packages/crucible/seeds/python/seed-004.pyView file
    11patternName = stripe_live_secret severity = critical line = 11 matchedText = STRIPE_S...def"
    Critical
    Secret Pattern

    Stripe live secret key in dist/packages/crucible/seeds/python/seed-004.py

    dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L11
    13patternName = stripe_webhook_secret severity = high line = 13 matchedText = STRIPE_W...DEF"
    High
    Secret Pattern

    Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-004.py

    dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L13
    dist/packages/crucible/seeds/python/seed-010.pyView file
    26patternName = generic_password severity = medium line = 26 matchedText = query = ...d}'"
    Medium
    Secret Pattern

    Hardcoded password in dist/packages/crucible/seeds/python/seed-010.py

    dist/packages/crucible/seeds/python/seed-010.pyView on unpkg · L26
    dist/packages/crucible/seeds/python/seed-003.pyView file
    27patternName = stripe_live_secret severity = critical line = 27 matchedText = STRIPE_S...def"
    Critical
    Secret Pattern

    Stripe live secret key in dist/packages/crucible/seeds/python/seed-003.py

    dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L27
    28patternName = stripe_webhook_secret severity = high line = 28 matchedText = STRIPE_W...678"
    High
    Secret Pattern

    Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-003.py

    dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L28
    dist/packages/crucible/seeds/python/seed-006.pyView file
    9patternName = github_pat severity = critical line = 9 matchedText = GITHUB_T...890"
    Critical
    Secret Pattern

    GitHub personal access token in dist/packages/crucible/seeds/python/seed-006.py

    dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L9
    13patternName = slack_bot_token severity = critical line = 13 matchedText = SLACK_BO...vwx"
    Critical
    Secret Pattern

    Slack bot token in dist/packages/crucible/seeds/python/seed-006.py

    dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L13
    dist/packages/crucible/seeds/js/seed-001.jsView file
    11patternName = aws_access_key severity = critical line = 11 matchedText = accessKe...LE',
    Critical
    Secret Pattern

    AWS access key ID in dist/packages/crucible/seeds/js/seed-001.js

    dist/packages/crucible/seeds/js/seed-001.jsView on unpkg · L11
    dist/packages/crucible/seeds/js/seed-010.jsView file
    12patternName = generic_password severity = medium line = 12 matchedText = const qu...}'`;
    Medium
    Secret Pattern

    Hardcoded password in dist/packages/crucible/seeds/js/seed-010.js

    dist/packages/crucible/seeds/js/seed-010.jsView on unpkg · L12
    dist/packages/crucible/seeds/js/seed-004.jsView file
    10patternName = stripe_live_secret severity = critical line = 10 matchedText = const ST...ef';
    Critical
    Secret Pattern

    Stripe live secret key in dist/packages/crucible/seeds/js/seed-004.js

    dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L10
    11patternName = stripe_webhook_secret severity = high line = 11 matchedText = const ST...EF';
    High
    Secret Pattern

    Stripe webhook signing secret in dist/packages/crucible/seeds/js/seed-004.js

    dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L11
    dist/packages/crucible/seeds/js/seed-006.jsView file
    10patternName = github_pat severity = critical line = 10 matchedText = const GI...90';
    Critical
    Secret Pattern

    GitHub personal access token in dist/packages/crucible/seeds/js/seed-006.js

    dist/packages/crucible/seeds/js/seed-006.jsView on unpkg · L10
    dist/packages/crucible/seeds/js/seed-002.jsView file
    14patternName = generic_password severity = medium line = 14 matchedText = password...d!',
    Medium
    Secret Pattern

    Hardcoded password in dist/packages/crucible/seeds/js/seed-002.js

    dist/packages/crucible/seeds/js/seed-002.jsView on unpkg · L14
    dist/packages/crucible/seeds/js/seed-038.jsView file
    11patternName = private_key_rsa severity = critical line = 11 matchedText = const PR...----
    Critical
    Secret Pattern

    RSA private key in dist/packages/crucible/seeds/js/seed-038.js

    dist/packages/crucible/seeds/js/seed-038.jsView on unpkg · L11
    dist/packages/crucible/seeds/rust/seed-003 2.rsView file
    12patternName = stripe_live_secret severity = critical line = 12 matchedText = const AD...xx";
    Critical
    Secret Pattern

    Stripe live secret key in dist/packages/crucible/seeds/rust/seed-003 2.rs

    dist/packages/crucible/seeds/rust/seed-003 2.rsView on unpkg · L12
    dist/packages/crucible/seeds/rust/seed-004.rsView file
    7patternName = stripe_live_secret severity = critical line = 7 matchedText = const ST...ij";
    Critical
    Secret Pattern

    Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004.rs

    dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L7
    8patternName = stripe_webhook_secret severity = high line = 8 matchedText = const ST...IJ";
    High
    Secret Pattern

    Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004.rs

    dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L8
    dist/packages/crucible/seeds/rust/seed-005 2.rsView file
    7patternName = github_pat severity = critical line = 7 matchedText = const GI...xx";
    Critical
    Secret Pattern

    GitHub personal access token in dist/packages/crucible/seeds/rust/seed-005 2.rs

    dist/packages/crucible/seeds/rust/seed-005 2.rsView on unpkg · L7
    dist/packages/crucible/seeds/rust/seed-004 2.rsView file
    7patternName = stripe_live_secret severity = critical line = 7 matchedText = const ST...ij";
    Critical
    Secret Pattern

    Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004 2.rs

    dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L7
    8patternName = stripe_webhook_secret severity = high line = 8 matchedText = const ST...IJ";
    High
    Secret Pattern

    Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004 2.rs

    dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L8
    dist/packages/crucible/seeds/rust/seed-001.rsView file
    9patternName = aws_access_key severity = critical line = 9 matchedText = const AW...E1";
    Critical
    Secret Pattern

    AWS access key ID in dist/packages/crucible/seeds/rust/seed-001.rs

    dist/packages/crucible/seeds/rust/seed-001.rsView on unpkg · L9
    dist/packages/crucible/seeds/rust/seed-008 2.rsView file
    7patternName = slack_bot_token severity = critical line = 7 matchedText = const SL...wx";
    Critical
    Secret Pattern

    Slack bot token in dist/packages/crucible/seeds/rust/seed-008 2.rs

    dist/packages/crucible/seeds/rust/seed-008 2.rsView on unpkg · L7
    dist/packages/crucible/seeds/rust/seed-005.rsView file
    7patternName = github_pat severity = critical line = 7 matchedText = const GI...xx";
    Critical
    Secret Pattern

    GitHub personal access token in dist/packages/crucible/seeds/rust/seed-005.rs

    dist/packages/crucible/seeds/rust/seed-005.rsView on unpkg · L7

    Findings

    23 Critical10 High9 Medium8 Low
    CriticalCritical Secretdist/packages/crucible/kenny-mode.js
    CriticalPrevious Version Dangerous Deltadist/cli.js
    CriticalSecret Patterndist/packages/crucible/kenny-mode.js
    CriticalSecret Patterndist/packages/crucible/kenny-mode.js
    CriticalSecret Patterndist/packages/crucible/seeds/go/seed-004.go
    CriticalSecret Patterndist/packages/crucible/seeds/go/seed-001.go
    CriticalSecret Patterndist/packages/crucible/seeds/python/seed-001.py
    CriticalSecret Patterndist/packages/crucible/seeds/python/seed-001.py
    CriticalSecret Patterndist/packages/crucible/seeds/python/seed-004.py
    CriticalSecret Patterndist/packages/crucible/seeds/python/seed-003.py
    CriticalSecret Patterndist/packages/crucible/seeds/python/seed-006.py
    CriticalSecret Patterndist/packages/crucible/seeds/python/seed-006.py
    CriticalSecret Patterndist/packages/crucible/seeds/js/seed-001.js
    CriticalSecret Patterndist/packages/crucible/seeds/js/seed-004.js
    CriticalSecret Patterndist/packages/crucible/seeds/js/seed-006.js
    CriticalSecret Patterndist/packages/crucible/seeds/js/seed-038.js
    CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-003 2.rs
    CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-004.rs
    CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-005 2.rs
    CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-004 2.rs
    CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-001.rs
    CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-008 2.rs
    CriticalSecret Patterndist/packages/crucible/seeds/rust/seed-005.rs
    HighChild Processdist/packages/crucible/mutation-engine.js
    HighShelldist/packages/crucible/kenny-mode.js
    HighSame File Env Network Executiondist/packages/crucible/kenny-mode.js
    HighCommand Output Exfiltrationdist/packages/crucible/kenny-mode.js
    HighSandbox Evasion Gated Capabilitydist/cli.js
    HighSecret Patterndist/packages/crucible/seeds/python/seed-004.py
    HighSecret Patterndist/packages/crucible/seeds/python/seed-003.py
    HighSecret Patterndist/packages/crucible/seeds/js/seed-004.js
    HighSecret Patterndist/packages/crucible/seeds/rust/seed-004.rs
    HighSecret Patterndist/packages/crucible/seeds/rust/seed-004 2.rs
    MediumDynamic Requiredist/packages/crucible/report-generator.js
    MediumUnsafe Vm Contextdist/packages/crucible/seeds/js/seed-055.js
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Build Helperdist/packages/crucible/seeds/python/seed-028 2.py
    MediumStructural Risk Force Deep Review
    MediumSecret Patterndist/packages/crucible/seeds/python/seed-010.py
    MediumSecret Patterndist/packages/crucible/seeds/js/seed-010.js
    MediumSecret Patterndist/packages/crucible/seeds/js/seed-002.js
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvaldist/packages/crucible/mutation-engine.js
    LowWeak Cryptodist/packages/crucible/seeds/js/seed-035.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License