// npm 패키지
supership-scan
Predeploy security scanner for the agent economy. 80+ vulnerability patterns. Runs locally, code never leaves your machine.
버전
2
메인테이너
1
라이선스
Apache-2.0
최초 publish
2026-05-18
publisher
crestds
tarball
65,578 B
AUTO-PUBLISHED · 1개 버전 인덱싱됨 · 최근 publish: 2026-05-18
// exfil path
what is read → where it ships
steals
- ● Chromium logins
- ● AWS keys
- ● AI API keys
sends to
(no destination string extracted — payload may be dynamic / obfuscated; note that the excerpt below does define a configurable remote endpoint, `SUPERSHIP_URL`, defaulting to https://supership.crestsystems.ai and overridable via the environment, which the CLI's `--attest` option uses to send scan results to that host)
evidence in excerpt
> "url": "https://github.com/andysalvo/supership-scan.git"
> "url": "https://github.com/andysalvo/supership-scan/issues"
> "homepage": "https://supership.crestsystems.ai",
> const SUPERSHIP_URL = process.env.SUPERSHIP_URL || 'https://supership.crestsystems.ai';
> const SUPERSHIP_URL = process.env.SUPERSHIP_URL || "https://supership.crestsystems.ai";
// offending code · @1.1.0 · 3 files flagged
llm: benign · 0.85 → 의심 전송지 없음, 원격 실행 형태 없음 — 1 other host(s).
- @1.1.0 · AUTO-PUBLISHED · publisher: crestds · heuristic 75/100 · static flags 8 · llm benign (0.85) via ollama · new-publisher:8d · has-source-repo · osv-flagged:MAL-2026-4675 · public-github-push · reads-env-vars · reads-chromium-creds · eval-dynamic · function-constructor · child-process-spawn · reads-aws-creds · reads-ai-api-keys
→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 other host(s).
// offending code · 3 files flagged · patterns: 8
--- package/package.json (excerpt) --- { "name": "supership-scan", "version": "1.1.0", "mcpName": "io.github.andysalvo/supership-scan", "description": "Predeploy security scanner for the agent economy. 80+ vulnerability patterns. Runs locally, code never leaves your machine.", "type": "module", "bin": { "supership-scan": "./src/cli.mjs", "supership-mcp": "./src/server.mjs" }, "exports": { ".": "./src/scanner.mjs", "./mcp": "./src/server.mjs" }, "scripts": { "test": "node benchmark/run.mjs", "start:mcp": "node src/server.mjs" }, "files": [ "src/", "benchmark/", "README.md", "LICENSE" ], "keywords": [ "security", "scanner", "sast", "predeploy", "mcp", "agent", "x402", "attestation", "vulnerability", "secrets", "injection", "supabase" ], "author": "Crest Deployment Systems LLC", "license": "Apache-2.0", "repository": { "type": "git", "url": "https://github.com/andysalvo/supership-scan.git" }, "bugs": { "url": "https://github.com/andysalvo/supership-scan/issues" }, "homepage": "https://supership.crestsystems.ai", "dependencies": { "@modelcontextprotocol/sdk": "^1.12.0" }, "engines": { "node": ">=18.0.0" } } --- package/src/cli.mjs (excerpt) --- #!/usr/bin/env node import { readFileSync, readdirSync, statSync, existsSync } from 'fs'; import { join, relative, extname } from 'path'; import { createHash } from 'crypto'; const SUPERSHIP_URL = process.env.SUPERSHIP_URL || 'https://supership.crestsystems.ai'; const MAX_FILES = 100; const MAX_FILE_SIZE = 100_000; const SCAN_EXTENSIONS = new Set([ '.js', '.mjs', '.cjs', '.ts', '.tsx', '.jsx', '.json', '.env', '.yaml', '.yml', '.toml', '.sql', '.py', '.rb', '.go', '.rs', '.html', '.svelte', '.vue', ]); const SKIP_DIRS = new Set([ 'node_modules', '.git', '.next', 'dist', 'build', '__pycache__', '.venv', 'vendor', '.cache', ]); const args = process.argv.slice(2); const flags = {}; const positional = []; for (const a of args) { if (a === '--attest') flags.attest = true; else if (a === '--json') flags.json = true; else if (a === 
'--help' || a === '-h') flags.help = true; else if (a.startsWith('--tier=')) flags.tier = a.split('=')[1]; else positional.push(a); } if (flags.help || positional.length === 0) { console.log(` supership-scan <directory> [options] Scan a directory for security vulnerabilities. Code never leaves your machine. Options: --attest Send results to supership for witnessed attestation ($0.01) --tier=free Tier: free (default), quick, full, deep --json Output raw JSON --help Show this help Examples: supership-scan . # scan current directory supership-scan ./src --attes --- package/src/server.mjs (excerpt) --- #!/usr/bin/env node import { Server } from "@modelcontextprotocol/sdk/server/index.js"; import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"; import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js"; import { readFileSync, readdirSync, statSync, existsSync } from "fs"; import { join, relative, extname } from "path"; const SUPERSHIP_URL = process.env.SUPERSHIP_URL || "https://supership.crestsystems.ai"; const SCAN_EXTENSIONS = new Set([ ".js", ".mjs", ".cjs", ".ts", ".tsx", ".jsx", ".json", ".env", ".yaml", ".yml", ".toml", ".sql", ".py", ".rb", ".go", ".rs", ".html", ".svelte", ".vue", ]); const SKIP_DIRS = new Set([ "node_modules", ".git", ".next", "dist", "build", "__pycache__", ".venv", "vendor", ".cache", ]); function walkDir(dir, base, max = 50) { const files = {}; let count = 0; function walk(d) { if (count >= max) return; let entries; try { entries = readdirSync(d); } catch { return; } for (const entry of entries) { if (count >= max) return; const full = join(d, entry); if (SKIP_DIRS.has(entry)) continue; let stat; try { stat = statSync(full); } catch { continue; } if (stat.isDirectory()) { walk(full); } else if (stat.isFile()) { const ext = extname(entry).toLowerCase(); if (!SCAN_EXTENSIONS.has(ext) && !entry.startsWith(".env")) continue; if (stat.size > 100_000) continue; try {
