AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Risky primitives are aligned with a developer static-analysis/crucible CLI and are activated by explicit user commands, not npm lifecycle execution.
Decision evidence
public snapshot- package.json and dist/package.json define no install/postinstall/prepare hook; prepublishOnly is publisher-side build only.
- dist/cli.js is a user-invoked bin for static analysis commands; remote git clone is only for explicit scan target URLs.
- dist/packages/crucible/kenny-mode.js contains synthetic vulnerable test fixtures and example secrets used to score scanner detections.
- dist/packages/crucible/mutation-engine.js mutates user-provided files only into a temp thuban-crucible-* session and cleans it up.
- dist/packages/scanner/pre-commit-gate.js writes .git/hooks/pre-commit only when the user runs the gate install path, not during npm install/import.
- Monitor webhook/email paths are stubs; no confirmed package-aligned exfiltration endpoint or credential harvesting found.
Source & flagged code
41 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1AWS access key ID in dist/packages/crucible/kenny-mode.js
dist/packages/crucible/kenny-mode.jsView on unpkg · L1RSA private key in dist/packages/crucible/kenny-mode.js
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Package source references shell execution.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Package source references child process execution.
dist/packages/crucible/mutation-engine.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/packages/crucible/mutation-engine.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/packages/crucible/report-generator.jsView on unpkg · L1Package source executes code through a VM context API.
dist/packages/crucible/seeds/js/seed-055.jsView on unpkg · L10Package source references weak cryptographic algorithms.
dist/packages/crucible/seeds/js/seed-035.jsView on unpkg · L20This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/cli.jsView on unpkg · L2Package ships non-JavaScript build or shell helper files.
dist/packages/crucible/seeds/python/seed-028 2.pyView on unpkgStripe live secret key in dist/packages/crucible/seeds/go/seed-004.go
dist/packages/crucible/seeds/go/seed-004.goView on unpkg · L14AWS access key ID in dist/packages/crucible/seeds/go/seed-001.go
dist/packages/crucible/seeds/go/seed-001.goView on unpkg · L17AWS access key ID in dist/packages/crucible/seeds/python/seed-001.py
dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L9AWS secret access key in dist/packages/crucible/seeds/python/seed-001.py
dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L10Stripe live secret key in dist/packages/crucible/seeds/python/seed-004.py
dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L11Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-004.py
dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L13Hardcoded password in dist/packages/crucible/seeds/python/seed-010.py
dist/packages/crucible/seeds/python/seed-010.pyView on unpkg · L26Stripe live secret key in dist/packages/crucible/seeds/python/seed-003.py
dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L27Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-003.py
dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L28GitHub personal access token in dist/packages/crucible/seeds/python/seed-006.py
dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L9Slack bot token in dist/packages/crucible/seeds/python/seed-006.py
dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L13AWS access key ID in dist/packages/crucible/seeds/js/seed-001.js
dist/packages/crucible/seeds/js/seed-001.jsView on unpkg · L11Hardcoded password in dist/packages/crucible/seeds/js/seed-010.js
dist/packages/crucible/seeds/js/seed-010.jsView on unpkg · L12Stripe live secret key in dist/packages/crucible/seeds/js/seed-004.js
dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L10Stripe webhook signing secret in dist/packages/crucible/seeds/js/seed-004.js
dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L11GitHub personal access token in dist/packages/crucible/seeds/js/seed-006.js
dist/packages/crucible/seeds/js/seed-006.jsView on unpkg · L10Hardcoded password in dist/packages/crucible/seeds/js/seed-002.js
dist/packages/crucible/seeds/js/seed-002.jsView on unpkg · L14RSA private key in dist/packages/crucible/seeds/js/seed-038.js
dist/packages/crucible/seeds/js/seed-038.jsView on unpkg · L11Stripe live secret key in dist/packages/crucible/seeds/rust/seed-003 2.rs
dist/packages/crucible/seeds/rust/seed-003 2.rsView on unpkg · L12Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004.rs
dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L7Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004.rs
dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L8GitHub personal access token in dist/packages/crucible/seeds/rust/seed-005 2.rs
dist/packages/crucible/seeds/rust/seed-005 2.rsView on unpkg · L7Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004 2.rs
dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L7Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004 2.rs
dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L8AWS access key ID in dist/packages/crucible/seeds/rust/seed-001.rs
dist/packages/crucible/seeds/rust/seed-001.rsView on unpkg · L9Slack bot token in dist/packages/crucible/seeds/rust/seed-008 2.rs
dist/packages/crucible/seeds/rust/seed-008 2.rsView on unpkg · L7