npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

mantis-redteam

v0.2.9

Published

Open-source CLI toolkit for automated red-teaming of LLM-powered applications

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

farhanashrafdevfarhanashrafdev

Keywords

ai-securityllm-securityred-teamprompt-injectionowaspcliappsecdevsecops

Readme

🔒 Mantis

Open-source CLI toolkit for automated red-teaming of LLM-powered applications

CI npm License Node.js TypeScript Docker

Systematically probe AI applications for prompt injection, data leakage, hallucination, and agent exploitation vulnerabilities — before attackers do.

Quick Start · Attack Modules · CI/CD Integration · Architecture · Contributing

Why Mantis?

LLM-powered applications introduce a fundamentally new class of vulnerabilities that traditional security scanners cannot detect. Prompt injection, data leakage through hidden system prompts, hallucinated URLs, and agent exploitation all require purpose-built tooling.

Mantis is that tooling — a modular, extensible CLI framework that automates AI security testing the same way traditional DAST tools automate web application testing.

What It Finds

| Category | What Mantis Tests | Plugins | Attacks | |----------|-------------------|---------|---------| | 🔴 Prompt Injection | System prompt overrides, jailbreaks, role confusion, instruction extraction | 4 | 20 | | 🟠 Data Leakage | Hidden prompt exposure, secret retrieval, PII extraction, memory exfiltration | 4 | 16 | | 🟡 Hallucination | Fabricated URLs, nonexistent entities, citation failures, confidence mismatches | 4 | 15 | | 🟣 Tool/Agent Exploitation | Command injection, file system access, network exploitation, privilege escalation | 4 | 16 | | | Total | 16 | 67 |

Key Capabilities

  • 67 attack prompts across 16 plugins — covering the most critical AI vulnerability classes
  • ALVSS scoring — purpose-built CVSS-inspired risk model for AI vulnerabilities (Exploitability, Impact, Data Sensitivity, Reproducibility, Model Compliance)
  • OWASP LLM Top 10 — every plugin maps to the 2025 OWASP Top 10 for LLM Applications
  • CI/CD native — exit code gates, SARIF output for GitHub Security tab, Jenkins/GitLab compatible
  • Extensible — write a custom attack plugin in ~15 lines of TypeScript

🚀 Quick Start

Install

# npm (recommended)
npm install -g mantis-redteam

# Or run without installing
npx mantis-redteam scan --target https://your-ai-app.com/api/chat

# Or use Docker
docker pull ghcr.io/farhanashrafdev/mantis:latest

Scan

# Basic scan with table output
mantis scan --target https://your-ai-app.com/api/chat

# JSON output for automation
mantis scan --target https://your-ai-app.com/api/chat --format json

# SARIF output for GitHub Security tab
mantis scan --target https://your-ai-app.com/api/chat --format sarif --output results.sarif

Docker

docker run --rm ghcr.io/farhanashrafdev/mantis:latest \
    scan --target https://your-ai-app.com/api/chat --format json

Configuration File

For advanced setups, create a mantis.config.yaml:

version: "1.0"

target:
  url: https://your-ai-app.com/api/chat
  method: POST
  headers:
    Content-Type: application/json
  promptField: messages[-1].content
  responseField: choices[0].message.content
  authToken: ${MANTIS_AUTH_TOKEN}

modules:
  include: []       # empty = all plugins
  exclude: []

scan:
  timeoutMs: 30000
  maxRetries: 2
  rateLimit: 10
  severityThreshold: low

output:
  format: table
  verbose: false
  redactResponses: true
mantis scan --config mantis.config.yaml

🔗 CI/CD Integration

Mantis is designed to run as a quality gate in continuous integration pipelines.

GitHub Actions

name: AI Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  mantis-scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Install Mantis
        run: npm install -g mantis-redteam

      - name: Run AI security scan
        run: |
          mantis scan \
            --target ${{ secrets.AI_APP_URL }} \
            --format sarif \
            --output results.sarif \
            --severity-threshold medium
        continue-on-error: true

      - name: Upload to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      - name: Fail on critical/high findings
        run: |
          mantis scan \
            --target ${{ secrets.AI_APP_URL }} \
            --severity-threshold high

Jenkins / GitLab CI / Any CI System

npm install -g mantis-redteam
mantis scan --target "$AI_APP_URL" --format sarif --output results.sarif

Exit Codes

| Code | Meaning | |------|---------| | 0 | Scan complete — no critical or high findings | | 1 | Scan complete — critical or high findings detected | | 2 | Runtime error (invalid config, network failure, etc.) |

🏗 Architecture

graph LR
    CLI["CLI"] --> Engine["CoreEngine"]
    Engine --> Registry["PluginRegistry"]
    Registry --> PI["Prompt Injection<br/>4 plugins · 20 attacks"]
    Registry --> DL["Data Leakage<br/>4 plugins · 16 attacks"]
    Registry --> HL["Hallucination<br/>4 plugins · 15 attacks"]
    Registry --> TE["Tool Exploit<br/>4 plugins · 16 attacks"]
    Engine --> Adapter["HttpAdapter"]
    Adapter --> Target["Target LLM"]
    Engine --> Scoring["ALVSS Scorer"]
    Engine --> Reporter["Table · JSON · SARIF"]

How It Works

  1. CLI parses options and loads configuration from file/CLI/env vars
  2. CoreEngine orchestrates the scan lifecycle
  3. PluginRegistry auto-discovers and filters attack plugins
  4. Each Plugin sends attack prompts through the HttpAdapter to the target
  5. Responses are analyzed against known vulnerable/secure patterns
  6. ALVSS Scorer calculates risk scores across 5 weighted dimensions
  7. Reporters output results as table, JSON, or SARIF

Attack Modules (Detail)

| Plugin | Attacks | What It Tests | |--------|---------|---------------| | System Override | 5 | Direct instruction override, DAN persona, developer mode, context reset, multilingual bypass | | Jailbreak | 5 | Roleplay bypass, hypothetical scenarios, Base64 encoding, reverse psychology, academic framing | | Role Confusion | 5 | Admin impersonation, maintenance mode, authority claims, system commands, trust escalation | | Instruction Extraction | 5 | Direct extraction, reflection, debug mode, export prompts, metadata inspection |

| Plugin | Attacks | What It Tests | |--------|---------|---------------| | Hidden Prompt | 4 | Pre-conversation extraction, JSON message dump, constraint extraction, error-triggered leaks | | Secret Retrieval | 4 | API key extraction, credential probing, config dump, environment variable leaks | | PII Extraction | 4 | Training data extraction, user data probing, cross-session leaks, demographic profiling | | Memory Exfiltration | 4 | Conversation history access, stale context, cross-user data, session boundary testing |

| Plugin | Attacks | What It Tests | |--------|---------|---------------| | Fabricated URL | 4 | Fake documentation links, dead URLs in citations, phishing vector generation | | Nonexistent Entity | 4 | Fictional papers, fake APIs, imaginary specifications, fabricated expert opinions | | Citation Verification | 4 | Fake quote attribution, invented statistics, false legal citations, fabricated historical events | | Confidence Mismatch | 3 | Uncertain claims stated with authority, impossible knowledge, future event predictions |

| Plugin | Attacks | What It Tests | |--------|---------|---------------| | Command Injection | 4 | Shell command execution, code evaluation, subprocess spawning, OS interaction | | File System Access | 4 | Path traversal, file read/write, directory listing, sensitive file access | | Network Access | 4 | SSRF probing, DNS exfiltration, outbound connections, internal network scanning | | Privilege Escalation | 4 | Admin function access, permission bypass, role elevation, capability override |

📊 Risk Scoring (ALVSS)

Mantis uses ALVSS (AI LLM Vulnerability Scoring System) — a CVSS-inspired scoring model purpose-built for AI applications:

| Dimension | Weight | What It Measures | |-----------|--------|------------------| | Exploitability | 30% | How easy is the vulnerability to exploit? | | Impact | 25% | What is the potential damage? | | Data Sensitivity | 20% | How sensitive is the exposed data? | | Reproducibility | 15% | Can the attack be reliably repeated? | | Model Compliance | 10% | How much does the model deviate from expected behavior? |

Severity mapping: Critical (≥9.0) → High (≥7.0) → Medium (≥4.0) → Low (<4.0) → Info

📁 Output Formats

| Format | Use Case | Flag | |--------|----------|------| | Table | Interactive terminal use, human review | --format table | | JSON | CI/CD pipelines, programmatic consumption, API integration | --format json | | SARIF | GitHub Security tab, Azure DevOps, VS Code SARIF Viewer | --format sarif |

🗺 Roadmap

| Phase | Scope | Status | |-------|-------|--------| | Phase 1 | Core engine, 16 plugins (67 attacks), CLI, JSON/Table/SARIF reports, ALVSS scoring, config system, Docker, CI/CD workflows | ✅ Complete | | Phase 2 | Plugin marketplace, multi-model adapters, advanced rate limiting, scan replay, historical comparison | 📋 Planned | | Phase 3 | Attack chaining, AI-assisted mutation, campaign mode, web dashboard, team collaboration | 📋 Planned |

🤝 Contributing

We welcome contributions! The easiest way to get started is by writing attack plugins — it takes ~15 lines of TypeScript.

See CONTRIBUTING.md for setup instructions, code standards, and PR guidelines.

src/plugins/
├── prompt-injection/    # 4 plugins
├── data-leakage/        # 4 plugins
├── hallucination/       # 4 plugins
└── tool-exploit/        # 4 plugins

Quick plugin template:

import { BasePlugin } from '../base-plugin.js';
import { AttackCategory, SeverityLevel, type PluginMeta, type AttackPrompt } from '../../types/types.js';

class MyPlugin extends BasePlugin {
    meta: PluginMeta = {
        id: 'category/my-plugin',
        name: 'My Attack Plugin',
        description: 'Tests for a specific vulnerability',
        category: AttackCategory.PromptInjection,
        version: '1.0.0',
        author: 'your-name',
        tags: ['my-tag'],
        owaspLLM: 'LLM01: Prompt Injection',
    };

    prompts: AttackPrompt[] = [
        {
            id: 'my-attack-1',
            prompt: 'Your attack prompt here',
            description: 'What this tests',
            securePatterns: [/I cannot/i],
            vulnerablePatterns: [/here is the secret/i],
            severity: SeverityLevel.High,
        },
    ];

    protected getRemediation(): string {
        return 'How to fix this vulnerability';
    }

    protected getCWE(): string {
        return 'CWE-XXX';
    }
}

export default new MyPlugin();

🔐 Security

For reporting security vulnerabilities in Mantis itself, see SECURITY.md.

⚠️ Responsible Use: Mantis is a security testing tool. Always ensure you have explicit written authorization before scanning any application. Unauthorized security testing is illegal and unethical.

📄 License

Apache 2.0 — see LICENSE for details.

Built for the security community, by the security community.

npm · Docker · Issues · Contributing