
munshig

v0.1.6

Published

Runtime API security that catches vulnerabilities as they happen. Zero-config security proxy for developers.

Readme

🛡️ munshig

Runtime API security that catches vulnerabilities as they happen.

munshig is a zero-config security proxy that monitors your API during development and automatically detects critical vulnerabilities like broken access control, missing authentication, SQL injection, and PII leaks—before they reach production.

npx munshig
# That's it. Your API is now being monitored for security issues.

🔥 The Problem

APIs get hacked because developers miss authorization checks.

This exact bug has caused:

  • Facebook: 50 million accounts exposed (2018)
  • T-Mobile: 37 million customer records leaked (2023)
  • Optus (Australia): 10 million customers exposed (2022)
  • Peloton: All user data accessible (2021)

Traditional security tools:

  • ❌ Cost $500k/year (Salt Security, Traceable AI)
  • ❌ Take 6 months to deploy
  • ❌ Require security teams to operate
  • ❌ Miss logic bugs (static analysis can't catch runtime issues)

munshig is different:

  • ✅ Free and open source
  • ✅ Works in 30 seconds
  • ✅ Catches bugs during development
  • ✅ No configuration required

⚡ Quick Start

# Start munshig (runs on port 3001 by default)
npx munshig

# Point your app/tests to localhost:3001 instead of localhost:3000
# munshig will forward traffic and monitor for vulnerabilities

That's it. munshig will now catch security bugs in real time.


🎯 What It Catches

1. Broken Access Control (BOLA) 🔴 CRITICAL

The #1 API vulnerability (OWASP A01:2021)

// Your API code (vulnerable):
app.get('/api/users/:id', (req, res) => {
  const user = db.getUser(req.params.id);
  res.json(user);  // ❌ No authorization check!
});

// User 456 requests /api/users/123
// API returns User 123's data

munshig catches this:

🔴 ══════════════════════════════════════════════════════════════
   ⚠️  CRITICAL SECURITY VULNERABILITY DETECTED
════════════════════════════════════════════════════════════════

   SEVERITY: CRITICAL (CVSS: 8.2)
   TYPE: BROKEN_ACCESS_CONTROL (BOLA)

   🚨 User 456 accessed resource 123

   📍 Endpoint: GET /api/users/123
   👤 Authenticated User: 456
   🎯 Accessed Resource: 123

   🔴 Impact: Users can access other users' private data
   📋 OWASP: A01:2021 - Broken Access Control

   🔧 HOW TO FIX:
   app.get('/api/users/:id', async (req, res) => {
     const currentUserId = req.user.id;
     const requestedId = req.params.id;
     
     if (currentUserId !== requestedId) {
       return res.status(403).json({ error: 'Forbidden' });
     }
     
     const user = await db.getUser(requestedId);
     res.json(user);
   });

2. Missing Authentication 🟡 HIGH

Catches endpoints that should require authentication but don't.

🚨 ══════════════════════════════════════════════════════════════
   SEVERITY: HIGH
   TYPE: MISSING_AUTHENTICATION

   GET /api/admin/settings returned 200 without authentication

   💡 RECOMMENDATION:
   Add authentication middleware to verify user identity

3. SQL Injection 🔴 CRITICAL

Detects SQL injection attempts in query parameters.

⚠️ ══════════════════════════════════════════════════════════════
   SECURITY THREAT DETECTED
   
   SEVERITY: CRITICAL
   TYPE: INJECTION_ATTACK (SQL_INJECTION)

   SQL Boolean Injection detected in GET /api/users?id=' OR '1'='1

   🔧 HOW TO FIX:
   // ❌ BAD:
   const query = `SELECT * FROM users WHERE id = '${userId}'`;

   // ✅ GOOD:
   const query = 'SELECT * FROM users WHERE id = ?';
   db.execute(query, [userId]);

4. PII Exposure 🟡 HIGH

Detects sensitive data (SSN, credit cards, emails) in API responses.

🔒 ══════════════════════════════════════════════════════════════
   DATA PRIVACY VIOLATION DETECTED
   
   SEVERITY: HIGH
   TYPE: DATA_EXPOSURE (PII_LEAK)

   API response contains sensitive PII: SSN, Email

   📝 PII TYPES DETECTED:
      • SSN (e.g., 123-45-6789)
      • Email (e.g., [email protected])

   🔧 HOW TO FIX:
   // Redact sensitive fields
   res.json({
     id: user.id,
     name: user.name,
     email: user.email.replace(/(.{2})(.*)(@.*)/, '$1***$3'),
     ssn: '***-**-' + user.ssn.slice(-4)
   });

🎬 Demo

# Terminal 1: Start your API
npm run dev  # Your API runs on :3000

# Terminal 2: Start munshig
npx munshig

# Terminal 3: Make requests
curl http://localhost:3001/api/users/123

munshig output:

🛡️  Munshig proxy running on :3001
📡 Forwarding to :3000
⚡ Started at 2:30:45 PM

[14:30:50] ➡️  GET /api/users/123
[14:30:50] ⬅️  GET /api/users/123 → 200

🔴 ══════════════════════════════════════════════════════════════
   ⚠️  CRITICAL SECURITY VULNERABILITY DETECTED

   User 456 accessed resource 123
   
   This is a Broken Access Control bug (OWASP #1)
   
   [Full details and fix provided...]
════════════════════════════════════════════════════════════════

📊 Session Summary

Press Ctrl+C to stop munshig and see a summary:

📊 MUNSHIG SESSION SUMMARY
════════════════════════════════════════════════════════════════

   🔍 Total Requests: 47
   🚨 Issues Found: 3
   📍 Endpoints Discovered: 12

   ⚠️  3 security vulnerabilities detected!
   Review the alerts above and fix before deploying.

════════════════════════════════════════════════════════════════

📦 Installation

Using npx (recommended)

npx munshig

Global install

npm install -g munshig
munshig

Local development

git clone https://github.com/shaikhzaynsaif/munshig.git
cd munshig
npm install
npm start

🔧 Configuration

munshig works with zero configuration, but you can customize:

# Default behavior (proxy on :3001, forwards to :3000)
npx munshig

# Custom ports (coming soon)
npx munshig --port 3000 --proxy 8080

🏗️ How It Works

  1. Proxy Setup: munshig starts an HTTP proxy on port 3001
  2. Traffic Interception: All requests/responses are captured
  3. JWT Analysis: Extracts user IDs from Authorization headers
  4. Pattern Detection: Runs security detectors on each request
  5. Real-time Alerts: Shows vulnerabilities with actionable fixes

No code changes required. Just point your client to the proxy.
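The "JWT Analysis" and "Pattern Detection" steps above, together with the four detector types from "What It Catches", as an added example that is not munshig's own code: it assumes hypothetical names (`decodeUserId`, `runDetectors`, `b64url`) and a constructed token for user 456, and it runs over constructed request/response records rather than live proxy traffic.

```javascript
// Added example, not munshig's own code: a minimal version of the
// "JWT Analysis" and "Pattern Detection" steps described above, run over
// constructed request/response records. All names here are assumptions.
const b64url = {
  enc: (s) => Buffer.from(s).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_'),
  dec: (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'),
};

// Step 3: read the user id from "Authorization: Bearer <jwt>". Only the
// payload is decoded; the signature is not verified, which is acceptable
// for a dev-time observer but never for an authorization decision.
function decodeUserId(authHeader) {
  const m = /^Bearer\s+([^.\s]+)\.([^.\s]+)\.([^.\s]+)$/.exec(authHeader || '');
  if (!m) return null;
  const claims = JSON.parse(b64url.dec(m[2]));
  return claims.sub == null ? null : String(claims.sub);
}

const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
const EMAIL_RE = /[\w.+-]+@[\w-]+\.[\w.-]+/;
const SQLI_RE = /'\s*(or|and)\s*'?\d+'?\s*=\s*'?\d+/i; // boolean tautology

// Step 4: run every detector on one captured exchange and collect findings.
function runDetectors({ path, auth, status, body }) {
  const findings = [];
  const userId = decodeUserId(auth);
  const [route, query = ''] = path.split('?');
  const owned = /^\/api\/users\/(\d+)$/.exec(route);
  // BOLA: a logged-in user fetched another user's record and got 200.
  // Ids are compared as strings so 456 vs "456" is not a false positive.
  if (userId && owned && status === 200 && owned[1] !== userId) {
    findings.push({ type: 'BROKEN_ACCESS_CONTROL', severity: 'CRITICAL' });
  }
  // Missing authentication: a privileged route served with no credential.
  if (!auth && route.startsWith('/api/admin/') && status === 200) {
    findings.push({ type: 'MISSING_AUTHENTICATION', severity: 'HIGH' });
  }
  // SQL injection: tautology pattern in the (URL-decoded) query string.
  if (SQLI_RE.test(decodeURIComponent(query))) {
    findings.push({ type: 'INJECTION_ATTACK', severity: 'CRITICAL' });
  }
  // PII leak: SSN or e-mail patterns anywhere in the response body.
  const pii = [SSN_RE.test(body) && 'SSN', EMAIL_RE.test(body) && 'Email'].filter(Boolean);
  if (pii.length) findings.push({ type: 'DATA_EXPOSURE', severity: 'HIGH', pii });
  return findings;
}

// Constructed sample token for user 456 (header {"alg":"none"}, bogus signature).
const TOKEN = `Bearer ${b64url.enc('{"alg":"none"}')}.${b64url.enc('{"sub":456}')}.sig`;
```

Because the proxy only observes traffic, these checks are heuristics: they flag what a 200 response reveals, and cannot tell whether the upstream actually verified the token.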


🆚 Comparison

| Feature | munshig | Salt Security | Snyk | Manual Audits |
|---------|---------|---------------|------|---------------|
| Price | Free | $500k/year | $99/mo | $10k+ |
| Setup Time | 30 seconds | 6 months | 1 day | Weeks |
| BOLA Detection | ✅ Automatic | ✅ Yes | ❌ No | ✅ Manual |
| Runtime Analysis | ✅ Yes | ✅ Yes | ❌ Static only | ❌ One-time |
| For Developers | ✅ Yes | ❌ Enterprise | ⚠️ Partial | ❌ Post-dev |
| Open Source | ✅ Yes | ❌ No | ❌ No | N/A |


🎯 Who Is This For?

  • Solo developers building APIs
  • Startup engineering teams (pre-Series A)
  • Open source maintainers securing their projects
  • Security researchers testing APIs
  • Students learning API security

🛠️ Tech Stack

  • Node.js - Runtime
  • Express - HTTP handling
  • http-proxy - Traffic forwarding
  • JWT decoding - User identification

Zero dependency bloat: just 2 core dependencies.


🚀 Roadmap

  • [x] BOLA/IDOR detection
  • [x] Missing authentication detection
  • [x] SQL injection detection
  • [x] PII leak detection
  • [ ] CI/CD integration (GitHub Actions)
  • [ ] Web dashboard
  • [ ] Custom detection rules
  • [ ] VSCode extension
  • [ ] Production monitoring mode

🤝 Contributing

Contributions welcome! Please read CONTRIBUTING.md first.

Areas we'd love help with:

  • Additional security detectors
  • Framework-specific integrations
  • Documentation improvements
  • Bug reports and feature requests

📄 License

MIT License - see LICENSE


🙏 Acknowledgments

Inspired by:

  • OWASP API Security Top 10
  • Salt Security, Traceable AI (the $500k tools we're democratizing)
  • Every developer who's shipped a BOLA bug to production (we've all been there)

📞 Support


⭐ Star History

If munshig saved you from a security bug, please star the repo! ⭐


Built with ❤️ by developers, for developers.

Stop shipping BOLA bugs. Start using munshig.

npx munshig