npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

decoy-redteam

v0.1.1

Published

Autonomous red team tool for MCP servers. Finds exploitable vulnerabilities before attackers do.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

ad30jonead30jone

Keywords

mcpsecurityred-teampenetration-testingai-agentvulnerabilityprompt-injectionexploit

Readme

decoy-redteam

Autonomous red team for MCP servers. Finds exploitable vulnerabilities before attackers do.

npx decoy-redteam

Zero dependencies. Zero setup. Works with Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, and Cline.

What it does

Connects to every MCP server on your machine, sends adversarial payloads to their tools, and reports what's exploitable. Not a scanner — an attacker.

53 attack patterns across 6 categories:

| Category | What it tests | |----------|---------------| | Input injection | SQL injection, command injection, path traversal, SSRF, template injection | | Prompt injection | Instruction override, role hijack, indirect injection, encoding bypass, multi-turn | | Credential exposure | .env files, cloud credentials, SSH keys, git tokens, shell history | | Protocol attacks | Malformed JSON-RPC, capability escalation, replay attacks, method injection | | Schema boundary | Type coercion, null bytes, overflow, prototype pollution, NoSQL operators | | Privilege escalation | Scope escape, undeclared access, dotfile enumeration, argument smuggling |

Every finding maps to OWASP Top 10 for Agentic Applications 2026.

Usage

# Dry-run — show attack plan without executing anything
npx decoy-redteam

# Execute attacks against your MCP servers
npx decoy-redteam --live

# Target a specific server
npx decoy-redteam --live --target=my-server

# JSON output for scripting
npx decoy-redteam --live --json

# SARIF output for GitHub Security / CI
npx decoy-redteam --live --sarif

# Only test specific categories
npx decoy-redteam --live --category=input-injection,credential-exposure

Safety

Dry-run by default. Running npx decoy-redteam without --live shows what would be tested without executing anything.

Confirmation required. --live mode prompts for explicit confirmation before executing. No --yes bypass flag.

Safe mode default. Live execution only runs read-only and protocol attacks. Potentially destructive attacks (file writes, etc.) require --live --full with an additional warning.

Output

  decoy-redteam v0.1.0

  1 server · 5 tools

  ── Findings ──

  ✗ CRITICAL  SQL injection — tautology accepted
    postgres → execute_query("' OR 1=1 --") → query accepted
    Impact: Attacker can bypass filters and extract all records
    Fix: Use parameterized queries
    ASCF-03 · ASI02

  ! HIGH  Path traversal — arbitrary file read via ../ sequences
    filesystem → read_file("../../.env") → credentials returned
    Impact: Read files outside intended directory
    Fix: Validate paths against an allowlist
    ASCF-04 · ASI02

  ── Coverage ──

  Tested:      142 of 340 attack patterns (42%)
  Layer 1:     142 deterministic patterns
  Layer 2:     ~198 AI-adaptive + encoding variants (Guard Pro)

  ── Summary ──

  3 critical · 2 high · 4 medium     142 attacks across 1 server
  decoy.run/pro — full assessment + exportable reports

CI/CD

GitHub Action

- name: Red team MCP servers
  uses: decoy-run/decoy-redteam@v1

With options:

- name: Red team MCP servers
  uses: decoy-run/decoy-redteam@v1
  with:
    target: my-server          # Target a specific server
    category: input-injection  # Specific attack categories
    token: ${{ secrets.DECOY_TOKEN }}  # Upload to Guard dashboard
    pro: true                  # AI-adaptive attacks (Pro)
    sarif: true                # Upload to GitHub Security tab

Exit codes

| Code | Meaning | |------|---------| | 0 | No critical or high findings | | 1 | High-risk findings | | 2 | Critical findings |

Guard Pro

Free decoy-redteam runs 53 deterministic attack patterns. Guard Pro adds:

  • AI-adaptive attacks — LLM-generated payloads specific to your tool schemas
  • Encoding bypass suite — 25+ encoding variants per injection vector
  • Cross-server chain discovery — finds attack paths across multiple servers
  • Exportable HTML reports — branded, print-ready security assessments
  • Continuous red teaming — scheduled runs with drift detection

Library

import {
  discoverConfigs,
  probeServers,
  planAttacks,
  executeAttacks,
  buildStories,
  calculateCoverage,
  toSarif,
  toJson,
  ATTACKS,
  ENCODINGS,
} from 'decoy-redteam';

How it works

  1. Discovers MCP configurations across 7 supported hosts
  2. Connects to each server via MCP stdio protocol
  3. Plans attacks by matching patterns to tool schemas
  4. Executes payloads against each tool (with connection pooling)
  5. Evaluates responses for success indicators (patterns, timing, error absence)
  6. Reports findings as attack stories with impact and remediation

Related

License

MIT