npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@qcryptonsec/qcrypton

v3.0.0

Published

Quantum-resilient cryptography, FTQC resource estimation, noise reachability, threat detection, and automated remediation. 16 native modules, 130+ endpoints, 19 dependencies.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

qcrypton-secqcrypton-sec

Keywords

mcpsecurityenterpriseprompt-injectionai-safetyquantummiddleware

Readme

QCrypton

Quantum-resilient cryptography, FTQC resource estimation, noise reachability, threat detection, automated remediation, risk-based scoring with business context, Shamir secret sharing, encrypted vault management, and SIEM forwarding. 24 native modules, 160+ endpoints, 25 route modules, 19 dependencies.

Three Ways to Use

| Mode | What you get | Server required | |------|-------------|-----------------| | CLI | qcrypton scan . — offline, zero config | No | | SDK | require('qcrypton') — in-process, no HTTP | No | | Multi-Language SDKs | Python, Go, Java, Ruby, Rust — HTTP clients | Yes | | Server | REST API + dashboard + multi-tenant auth | Yes (+ PostgreSQL) |

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                   Cloud-Native Deployment                       │
│           (Kubernetes, HPA, Health Probes, Docker)              │
├─────────────────────────────────────────────────────────────────┤
│                      Web Dashboard + REST API                   │
│                  (src/routes/ — 22 route modules)               │
│   OAuth (Google, GitHub, Azure AD, Okta) · SAML · OIDC · JWT   │
├─────────────────────────────────────────────────────────────────┤
│           Authentication & Multi-Tenancy (DB-backed)            │
│   MFA (TOTP) · WebAuthn/Passkeys · SAML SSO · OIDC · SCIM 2.0 │
│   IP Allowlist · Per-User Rate Limit · Quota Enforcement        │
│   Domain Provisioning · Permission Overrides · RBAC (5 roles)   │
├──────────┬──────────┬──────────┬──────────┬─────────────────────┤
│ Threat   │ Quantum  │  Code    │  Key     │  Noise     │ Auto     │
│ Scanners │ Crypto   │ Scanner  │ Mgmt     │  Reach.    │ Remed.   │
│ (13)     │ Engine   │ (6 lang) │          │            │          │
│          │          │ + SARIF  │ qkd.js   │  noise-    │ remed-   │
│ scanners │ quantum- │ code-    │ hsm.js   │  reacha-   │ iate.js  │
│ .js      │ crypto.js│ scanner  │          │  bility.js │          │
│          │ lsh.js   │ .js      │          │            │          │
│          │ hpke.js  │          │          │            │          │
├──────────┴──────────┴──────────┴──────────┴─────────────────────┤
│  Risk Scoring │ Vault & Shamir │ SIEM Forwarding                │
│  (ASPM)       │ AES-256-GCM    │ Syslog/CEF/JSON               │
│  riskScoring  │ shamir.js      │ UDP/TCP/TLS/HTTPS             │
│  Service.js   │ vaultService   │ siemService.js                │
├──────────┴──────────┴──────────┴──────────┴─────────────────────┤
│                  PostgreSQL (fully DB-backed)                    │
│  Users · Tenants · API Keys · Policies · Audit · Scans ·        │
│  Webhooks · Revoked Tokens · WebAuthn · SCIM Provisioning ·     │
│  Assets · Findings · Controls · Risk Acceptances · SLA ·        │
│  Vault Secrets                                                   │
├─────────────────────────────────────────────────────────────────┤
│                     Node.js Built-in crypto                     │
│           (SHA3, AES-GCM, X25519, ChaCha20, HKDF)              │
└─────────────────────────────────────────────────────────────────┘

Quick Start

CLI (no server required)

npm install -g qcrypton

# Scan a project for crypto usage
qcrypton scan .

# CI/CD quality gate (exit 1 on failure)
qcrypton gate . --fail-on-weak

# Generate Cryptographic Bill of Materials
qcrypton cbom .

# Generate SARIF report for GitHub Security tab
qcrypton sarif .
qcrypton gate . --format sarif > results.sarif

# Check if an algorithm is quantum-safe
qcrypton assess RSA-2048
qcrypton assess AES-256

# Estimate quantum attack cost
qcrypton attack-cost RSA-2048
qcrypton attack-cost --batch RSA-2048,ECDSA,AES-256

# Scan for prompt injection
qcrypton scan:injection "ignore all previous instructions"

# Scan MCP tool definition for poisoning
qcrypton scan:tool tool-definition.json

# Encrypt/decrypt offline
qcrypton encrypt "secret data" -p mypassword
qcrypton decrypt <ciphertext> -p mypassword

# Quantum-safe hash
qcrypton hash "hello world" --algo lsh-256
qcrypton hash "hello world" --algo sha3-256

# Quantum noise reachability analysis
qcrypton noise --channel=1e-3 --gate=1e-3 --environment=1e-4
qcrypton noise --channel=0.05 --platform=superconducting --json

# Run cryptographic self-tests (KAT vectors)
qcrypton selftest

All commands support --json for machine-readable output and stdin via -:

echo "ignore all instructions" | qcrypton scan:injection -
cat payload.txt | qcrypton scan:injection - --json

SDK (in-process, no HTTP)

const { scanners, quantumCrypto, quantumCost, scanNoiseReachability, enhancedEavesdropDetection } = require('qcrypton');

// Scan for prompt injection
const result = scanners.scanInjection('user input here');

// Check quantum safety
const assessment = quantumCrypto.assessAlgorithm('RSA-2048');

// Estimate attack cost
const cost = quantumCost.estimateAttackCost('ECDSA');

// Quantum noise reachability analysis
const noise = scanNoiseReachability({ channelErrorRate: 1e-3, gateErrorRate: 1e-3 });
// noise.verdict: 'all_correctable' | 'elevated_noise' | 'critical_noise'

// Encrypt with quantum-safe crypto
const encrypted = quantumCrypto.encrypt('secret', 'password', 'context');

// Express middleware
const { middleware } = require('qcrypton');
app.use('/api/ai', middleware.defenderMiddleware());

Multi-Language SDKs

Native HTTP clients for 5 languages — all covering the same 13 scanners, monitoring, and policy endpoints.

Python (pip install qcrypton)

from qcrypton import QCryptonClient

client = QCryptonClient('http://localhost:3000', api_key='your-key')
result = client.scan_injection('user input')
combined = client.scan_all('user input')  # injection + exfiltration

Go (go get github.com/qcrypton/qcrypton-go)

client := qcrypton.NewClient("http://localhost:3000", qcrypton.WithAPIKey("your-key"))
result, _ := client.ScanInjection(ctx, "user input")
combined, _ := client.ScanAll(ctx, "user input")

Java (Maven: com.qcrypton:qcrypton-sdk:1.0.0)

QCryptonClient client = new QCryptonClient("http://localhost:3000", "your-key");
ScanResult result = client.scanInjection("user input");
CombinedResult combined = client.scanAll("user input");

Ruby (gem install qcrypton)

client = QCrypton::Client.new('http://localhost:3000', api_key: 'your-key')
result = client.scan_injection('user input')
combined = client.scan_all('user input')

Rust (cargo add qcrypton)

let client = QCryptonClient::builder("http://localhost:3000")
    .api_key("your-key").build();
let result = client.scan_injection("user input").await?;
let combined = client.scan_all("user input").await?;

All SDKs support: configurable timeout, Bearer token auth, on_threat callback, and concurrent scan_all.

Server (full platform)

# Set up PostgreSQL connection
export DATABASE_URL=postgres://qcrypton@localhost:5432/qcrypton

# Optional: OAuth providers (configure any or all)
export GOOGLE_CLIENT_ID=...
export GOOGLE_CLIENT_SECRET=...
export GITHUB_CLIENT_ID=...
export GITHUB_CLIENT_SECRET=...
export AZURE_CLIENT_ID=...
export AZURE_CLIENT_SECRET=...
export AZURE_TENANT_ID=common
export OKTA_CLIENT_ID=...
export OKTA_CLIENT_SECRET=...
export OKTA_DOMAIN=dev-12345.okta.com

# Start
npm start

The server runs at http://localhost:3000 with:

  • Web dashboard at /dashboard.html
  • User signup at /signup.html
  • REST API at /api/*
  • Auto-generated master API key on first boot (persisted in DB)

Running Locally

Prerequisites

  • Node.js (v18 or later)
  • PostgreSQL (running instance with a database created for QCrypton)

Steps

  1. Install dependencies:

    npm install

  2. Set up PostgreSQL — create the role and database:

    createuser qcrypton
createdb -O qcrypton qcrypton

    If the database already exists but is owned by a different role, grant ownership:

    psql -d qcrypton -c "GRANT ALL PRIVILEGES ON SCHEMA public TO qcrypton;"
psql -d qcrypton -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO qcrypton;"
psql -d qcrypton -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO qcrypton;"
psql -d qcrypton -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO qcrypton;"
psql -d qcrypton -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO qcrypton;"

    To transfer table ownership (required for ALTER TABLE during auto-migration):

    for tbl in tenants users api_keys audit_log scan_results policies webhooks revoked_tokens webauthn_credentials; do
  psql -d qcrypton -c "ALTER TABLE IF EXISTS $tbl OWNER TO qcrypton;" 2>/dev/null
done

  3. Configure the connection — set the connection string as an environment variable:

    export DATABASE_URL=postgres://qcrypton@localhost:5432/qcrypton

    Or set individual variables:

    export DB_HOST=localhost
export DB_NAME=qcrypton
export DB_USER=qcrypton
export DB_PASSWORD=        # leave empty for local peer/trust auth

  4. Start the server:

    npm start

    On startup, the server will:

    • Connect to PostgreSQL and initialize/migrate tables automatically
    • Seed default policies and scan results
    • Print a master API key to the console on first boot (save it — it is only shown once)

  5. Open the app at http://localhost:3000:

    | Page | URL | |------|-----| | Landing | http://localhost:3000/ | | Dashboard | http://localhost:3000/dashboard.html | | Login | http://localhost:3000/login.html | | SSO | http://localhost:3000/sso.html | | Subscription | http://localhost:3000/subscription.html | | User management | http://localhost:3000/users.html | | REST API | http://localhost:3000/api/* |

    Override the default port with PORT:

    PORT=8080 npm start

Running with Docker

# Build the image
docker build -t qcrypton:latest .

# Run the container
docker run -p 3000:3000 -e DATABASE_URL=postgres://[email protected]:5432/qcrypton qcrypton:latest

Kubernetes Deployment

# Build image
docker build -t qcrypton:latest .

# Deploy to cluster
kubectl apply -f k8s/namespace.yaml
kubectl apply -f k8s/

Includes: Deployment (2 replicas), HPA (2-10 pods), health probes (/healthz, /readyz), PDB, Ingress with TLS, optional in-cluster PostgreSQL.

Features

Threat Detection (13 Scanners)

| Scanner | What it detects | |---------|----------------| | Prompt injection | Instruction override, role hijacking, jailbreaks, encoding evasion | | Tool poisoning | Hidden instructions, shadowed names, rug pull indicators, shell injection | | Data exfiltration | PII leakage, DNS tunneling, known exfil endpoints, base64 payloads | | Server audit | TLS, auth, CORS, rate limiting, sandbox config | | Quantum vulnerability | RSA, ECDSA, ECDH exposure assessment | | PQC migration | Post-quantum migration readiness, algorithm inventory, transition gaps | | Brute force | PIN brute-force, weak password policies | | Credential stuffing | Breached credential reuse | | Dictionary attack | Common/weak password detection | | Phishing | Spoofed authority, QR code phishing | | Keylogger/malware | Keystroke capture, payment skimmers | | Card fraud | Physical card swap, stored value drain | | Noise reachability | Quantum noise classification, QEC code evaluation, error propagation analysis |

Quantum Cryptography

| Capability | Standard | Details | |-----------|----------|---------| | Encryption | AES-256-GCM + HKDF-SHA3-256 | 128-bit post-quantum security | | HPKE | RFC 9180 | Base, PSK, Auth modes with AES-256-GCM and ChaCha20-Poly1305 | | Hashing | KS X 3262 (LSH-256) | Validated against 22 official KCMVP test vectors | | QKD | BB84 | Quantum key distribution with enhanced eavesdrop detection | | Enhanced BB84 | Statistical noise decomposition | Catches eavesdroppers that standard 11% threshold misses | | HSM | ML-KEM, ML-DSA, SLH-DSA | FIPS 203/204/205 post-quantum algorithms | | Attack cost | FTQC estimation | 28 algorithms, surface code + magic state distillation model | | Noise reachability | 6 QEC codes | 12 noise types, 720 evaluations, reachability ratio, 24 mitigations |

Code Scanning

  • 6 languages: JavaScript/TypeScript, Python, Go, Java, Rust, C/C++
  • Secret detection: 30+ patterns (AWS, Google, GitHub, Stripe, PEM keys, DB strings)
  • Binary analysis: Detects crypto constants in compiled binaries
  • CBOM generation: CycloneDX format
  • SARIF output: SARIF 2.1.0 for GitHub Security tab (qcrypton sarif . or --format sarif)
  • CI/CD quality gate: Exit code 1 on critical findings

Automated Remediation

  • Code remediation: Generates patches for weak crypto in source code
  • Config remediation: Fixes insecure server configurations
  • Input sanitization: Strips injection and exfiltration patterns

Risk-Based Scoring & ASPM

  • Contextual risk scoring: severity * asset criticality * data classification * environment * compensating controls (0-100)
  • Asset registry: Register assets with criticality, data classification, environment, compliance tags
  • Finding deduplication: SHA-256 fingerprinting, cross-scan dedup, occurrence tracking, manual merge
  • Finding lifecycle: new > acknowledged > in_progress > remediated > verified > closed with SLA tracking
  • Triage prioritization: 0-1000 priority factoring risk score, age, and compliance tags
  • Compensating controls: Quantitative % reduction per control (capped at 80%)
  • Risk acceptance: Formal request > approve/reject workflow with auto-expiry and finding reopen
  • SLA enforcement: Configurable deadlines by risk score range with automatic breach detection
  • Risk dashboard: Aggregations by status, severity, criticality tier, weekly trend, dedup stats

Shamir Secret Sharing & Vault

  • Shamir Secret Sharing: GF(256) k-of-n threshold secret splitting — any k shares reconstruct the secret
  • Encrypted vault: AES-256-GCM encrypted secret storage with version tracking and tenant isolation
  • Vault + Shamir integration: Split vault secrets into Shamir shares via API
  • CRUD API: Create, read (decrypt), update (version bump), delete secrets
  • Standalone Shamir: Split/combine arbitrary plaintext without vault storage

SIEM Forwarding

  • 3 output formats: Syslog (RFC 5424), CEF (Common Event Format), JSON
  • 4 transport protocols: UDP, TCP, TLS, HTTPS (Splunk HEC, Elastic, etc.)
  • Auto-forwarding: All audit events forwarded in real-time (fire-and-forget)
  • Per-tenant configuration: Each tenant can configure their own SIEM destination
  • Global configuration: Environment variable-based for platform-wide forwarding

Authentication & Multi-Tenancy

  • 4 OAuth providers: Google, GitHub, Azure AD, Okta
  • OIDC: Per-tenant OpenID Connect provider configuration with discovery endpoint and authorization code flow
  • SAML SSO: SP-initiated SAML 2.0 authentication
  • SCIM 2.0: RFC 7644-compliant user provisioning/deprovisioning from Azure AD, Google Workspace, and Okta
  • MFA (TOTP): App-based two-factor authentication with backup codes
  • WebAuthn/Passkeys: Hardware key and biometric authentication (FIDO2)
  • Email/password with bcrypt hashing, email verification, and password reset
  • Session management: JWT revocation, revoke-all-sessions, configurable idle timeout per tenant
  • Domain-verified provisioning: Auto-assign users to tenants by email domain (wildcard support)
  • Per-user permission overrides: Custom grants and explicit denials on top of roles
  • 4 RBAC roles: admin, manager, analyst, viewer
  • IP allowlisting: Restrict tenant API access by CIDR range, wildcard, or individual IP (IPv4/IPv6)
  • Per-user rate limiting: 60 req/min default, Redis or in-memory, prevents single-user quota monopolization
  • Quota enforcement: Monthly API quota per plan (enterprise/large/trial) with Redis-backed counting and Retry-After headers
  • API key auth: SHA3-256 hashed, tenant-scoped
  • JWT sessions: httpOnly cookies, configurable expiry

Compliance Reporting

  • SOC 2 Type II: Auto-generated compliance report mapped to Trust Services Criteria controls
  • ISO 27001:2022: Control mapping with live tenant statistics and coverage metrics
  • 44+ controls: Automated evidence collection across encryption, access control, audit logging, and incident response

Admin & Data Governance

  • Retention policies: Configurable data retention with automated cleanup (/admin/retention)
  • Team invites: Invite system with privilege escalation prevention
  • SSO status: Centralized SSO configuration status endpoint

Billing (Stripe)

  • Subscription plans: Large and Enterprise tiers (monthly/annual)
  • Free trial: 14-day trial with automatic conversion
  • Payment management: Add/remove cards, set default, view invoices
  • Webhook integration: Stripe event processing for subscription lifecycle

OAuth Setup

QCrypton supports Sign in with Google, GitHub, Azure AD, and Okta out of the box. Each provider uses the standard Authorization Code flow — no Passport.js or third-party middleware required.

How it works:

  1. User clicks an OAuth button on the login page
  2. QCrypton redirects to the provider's consent screen (/auth/{provider})
  3. Provider redirects back with an authorization code (/auth/{provider}/callback)
  4. QCrypton exchanges the code for an access token and fetches the user profile
  5. If the user exists, the provider ID is linked to their account; otherwise a new account is created
  6. A JWT session cookie is set and the user is redirected to the dashboard

Redirect URIs — register these callback URLs in each provider's console:

http://localhost:3000/auth/google/callback
http://localhost:3000/auth/github/callback
http://localhost:3000/auth/azure/callback
http://localhost:3000/auth/okta/callback

Replace localhost:3000 with your production domain for deployed environments.

Example — Google OAuth:

export GOOGLE_CLIENT_ID=123456789.apps.googleusercontent.com
export GOOGLE_CLIENT_SECRET=GOCSPX-xxxxxxxxxx
npm start

Example — GitHub OAuth:

export GITHUB_CLIENT_ID=Iv1.xxxxxxxxxxxx
export GITHUB_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
npm start

Example — Azure AD OAuth:

export AZURE_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
export AZURE_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export AZURE_TENANT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   # or "common" for multi-tenant
npm start

Example — Okta OAuth:

export OKTA_CLIENT_ID=0oaxxxxxxxxxx
export OKTA_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export OKTA_DOMAIN=dev-12345.okta.com
npm start

Notes:

  • Providers with missing credentials are gracefully skipped — the login page only shows buttons for configured providers
  • OAuth users are auto-verified (emailVerified: true) since the provider already confirmed their email
  • If an OAuth user's email matches an existing email/password account, the accounts are linked automatically
  • New OAuth users are auto-assigned to a tenant via domain matching, or placed in the default tenant
  • Each new user (OAuth or email/password) receives an auto-generated API key

Multi-Language SDKs

| SDK | Package | Dependencies | |-----|---------|-------------| | Python | pip install qcrypton | requests | | Go | go get github.com/qcrypton/qcrypton-go | stdlib only | | Java | Maven com.qcrypton:qcrypton-sdk | Java 11+ stdlib only | | Ruby | gem install qcrypton | stdlib only | | Rust | cargo add qcrypton | reqwest, serde, tokio |

All SDKs expose 13 scanner methods, scanAll (concurrent), monitoring endpoints, threat callbacks, and Bearer token auth.

Platform

  • Fully DB-backed: All state in PostgreSQL (15 models), stateless app layer
  • Cloud-native database: AWS Aurora, GCP Cloud SQL, and Azure Database support with dynamic SSL, read-replica routing, and connection pool tuning
  • Kubernetes-native: Health probes, graceful shutdown, HPA, PDB
  • Redis support: Optional Redis-backed rate limiting and quota counting (ioredis + rate-limit-redis)
  • Email service: Transactional email via AWS SES or SMTP (Nodemailer)
  • Modular architecture: src/models/, src/routes/, src/services/, src/middleware/

Testing

# KAT tests (official standard test vectors)
npm run test:kat

# Fuzz testing (random/malformed inputs)
npm run test:fuzz

# All crypto tests
npm run test:all

# Integration tests (requires server + DB)
npm test

# CLI self-test
qcrypton selftest

Cryptographic Verification

| Module | Standard | Test Vectors | Source | |--------|----------|-------------|--------| | LSH-256 | KS X 3262 | 22 KAT vectors | KCMVP Verification Criteria V3.0 | | HPKE | RFC 9180 | 12 roundtrip tests | IETF CFRG test vectors | | Fuzz | — | 19,000+ random inputs | Automated per CI run |

Security

See SECURITY.md for vulnerability reporting instructions.

All custom cryptographic implementations (LSH-256, HPKE, BB84) are validated against official standard test vectors and fuzz-tested in CI. Standard algorithms (AES, SHA3, X25519, HKDF) use Node.js built-in crypto (OpenSSL-backed).

License

Apache-2.0