npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

venom-pentest

v1.2.1

Published

Venom — Autonomous AI pentester for developers. Find exploits AND fix them.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

jayesh77jayesh77

Keywords

securitypentestingvulnerability-scanneraiowaspappsecdevsecopssastdastautonomouspentesthackingexploitcli

Readme

Venom — Autonomous AI Pentester

Venom is an AI-powered security testing tool that finds real, exploitable vulnerabilities in web applications — and generates the fixes. It combines static analysis (SAST) with live attack simulation (DAST) using AI agents.

Scan results, reports, and fix suggestions are stored securely in Venom Cloud and accessible through your dashboard.

Quick Start

1. Install

npm install -g venom-pentest

2. Create an Account

venom signup

Or login if you already have one:

venom login

3. Set Up Your AI Provider

Venom uses your own AI API key. Set one of:

# OpenAI (recommended)
export OPENAI_API_KEY="sk-..."

# Anthropic
export ANTHROPIC_API_KEY="sk-ant-..."

# Google Gemini
export GEMINI_API_KEY="AI..."

# Local (Ollama — free, but less effective)
# Just have Ollama running locally

Or create a .env file in your project directory:

OPENAI_API_KEY=sk-...

4. Run Your First Scan

# Black-box scan (live URL only)
venom scan https://your-app.com

# White-box scan (URL + source code — recommended)
venom scan https://your-app.com --repo ./path-to-code

# White-box scan from Git URL (auto-clones the repo)
venom scan https://your-app.com --repo https://github.com/user/repo

# Deep scan (thorough, tests all OWASP categories)
venom scan https://your-app.com --repo ./code --mode deep

# Strict mode — only confirmed vulnerabilities
venom scan https://your-app.com --repo ./code --strict

5. View Results

After the scan completes, view your full report in the dashboard:

venom dashboard

Or visit: https://dashboard-puce-six-90.vercel.app

CLI Commands

| Command | Description | |---------|-------------| | venom scan <url> | Run a security scan | | venom login | Login to your Venom Cloud account | | venom signup | Create a new account | | venom logout | Logout | | venom whoami | Show current account info | | venom dashboard | Open the web dashboard | | venom history | View past scan results | | venom license | Show subscription status | | venom subscribe | Upgrade your plan | | venom poc <scan-id> | Auto-run PoC exploits to verify findings | | venom config --set-key | Interactive AI provider key setup | | venom config --check | Validate configuration | | venom config --providers | List available AI providers |

Scan Options

venom scan <url> [options]

Options:
  -r, --repo <path>              Path to source code repository (local path or Git URL)
  -m, --mode <mode>              Scan mode: quick | standard | deep (default: standard)
  -c, --config <path>            Path to YAML configuration file
  -p, --provider <name>          AI provider: openai | anthropic | gemini | ollama
  --model <name>                 Specific model to use
  --categories <list>            Comma-separated vulnerability categories
  --strict                       Only report confirmed findings (confidence >= 85%)
  --min-confidence <threshold>   Minimum confidence threshold 0.0-1.0 (e.g. 0.6)
  -v, --verbose                  Enable verbose debug output

Strict Mode (No Exploit, No Report)

Use --strict to only include findings with strong exploitation proof:

# Only show confirmed vulnerabilities (85%+ confidence)
venom scan https://your-app.com --strict

# Custom threshold — show "likely" and above (60%+)
venom scan https://your-app.com --min-confidence 0.6

This eliminates noise from speculative or AI-inferred findings, giving you a clean report of only verified issues.

Scan Modes

| Mode | Duration | Categories | Best For | |------|----------|------------|----------| | quick | 1-3 min | Changed files only (git diff) | CI/CD, pre-commit | | standard | 5-15 min | Core OWASP categories | Regular testing | | deep | 15-45 min | All categories + deep exploit chains + browser XSS | Pre-release audits |

Deep Mode Features

Deep mode (--mode deep) enables advanced exploitation beyond initial vulnerability confirmation:

  • Deep Exploit Chains — After confirming a finding, Venom goes further: extracting data from SQL injection, escalating privileges through auth bypass, and walking cloud metadata via SSRF
  • Browser-Based XSS — Falls back to Playwright headless browser to confirm DOM-based XSS that pure HTTP checks miss (hash fragments, postMessage, innerHTML sinks)
  • AI-Assisted WAF Bypass — When payloads are blocked, AI generates alternative payloads using case randomization, inline comments, and encoding tricks

Vulnerability Coverage (OWASP Top 10)

  • A01 — Broken Access Control (IDOR, privilege escalation)
  • A02 — Cryptographic Failures (weak hashing, exposed secrets)
  • A03 — Injection (SQL, NoSQL, command, LDAP)
  • A04 — Insecure Design (business logic flaws)
  • A05 — Security Misconfiguration (headers, CORS, debug modes)
  • A06 — Vulnerable Components (outdated dependencies)
  • A07 — Authentication Failures (brute force, session issues)
  • A08 — Data Integrity Failures (deserialization, CSRF)
  • A09 — Logging Failures (missing audit trails)
  • A10 — SSRF (server-side request forgery)
  • XSS — Cross-Site Scripting (reflected, stored, DOM)

Reconnaissance Tools (Built-in)

Venom includes pure JavaScript implementations of industry-standard recon tools — no external dependencies required. Everything runs with npm install, no Docker or system packages needed.

| Tool | Replaces | What It Does | |------|----------|--------------| | Port Scanner | Nmap | TCP connect scan on 50+ common ports with service detection and banner grabbing | | Subdomain Enumeration | Subfinder | Certificate Transparency logs (crt.sh) + DNS brute-force with 150+ common prefixes | | Tech Fingerprinting | WhatWeb | HTTP headers, HTML meta tags, cookies, JS libraries, CSS frameworks, WAF detection | | API Schema Discovery | Schemathesis | OpenAPI/Swagger auto-detection (17+ paths) + GraphQL introspection + endpoint enumeration |

All recon tools run in parallel during Phase 1 to minimize scan time. Results feed directly into the vulnerability analysis pipeline:

  • Port scan results populate networkInfo.ports — exposed services like Redis, MongoDB, or Docker API become SSRF targets
  • Subdomain enumeration runs in deep mode only — discovers attack surface beyond the primary domain
  • Tech fingerprinting enriches the tech stack — detects frameworks, CDNs, WAFs, and hosting providers from response patterns
  • API schema discovery auto-detects OpenAPI specs and GraphQL endpoints, adding every documented endpoint with parameter types for targeted fuzzing

How It Works

┌─────────────┐     ┌────────────────────────┐     ┌─────────────────┐
│   Your CLI   │────▶│  AI Agents + Recon      │────▶│  Venom Cloud    │
│   (local)    │     │  (all local execution)  │     │  (results)      │
└─────────────┘     └────────────────────────┘     └─────────────────┘
       │                      │                             │
  Your machine         Port scan, subdomains,         Your dashboard
  Your source code     tech fingerprint, API schema   Reports, findings
  Your API key         Recon → Analyze → Exploit      Fix suggestions
                       → Deep Chains → Patch → Report Scan history
  1. CLI runs locally on your machine with your AI API key
  2. AI agents perform reconnaissance, analysis, exploitation, deep chains (deep mode), patching, and reporting
  3. Browser engine authenticates with the target (supports 2FA/TOTP) and confirms DOM-based XSS
  4. Results upload to Venom Cloud (Supabase) after each scan
  5. Dashboard at https://dashboard-puce-six-90.vercel.app shows full reports, findings, fix suggestions
  6. No source code leaves your machine — only scan results are uploaded

Confidence Scoring & PoC Scripts

Every finding includes a confidence score (0-100%) and a confidence level:

| Level | Score | Meaning | |-------|-------|---------| | Confirmed | 85-100% | Exploit succeeded — response confirms vulnerability | | Likely | 60-84% | Strong evidence — response differs meaningfully from baseline | | Suspected | 30-59% | Weak evidence — AI inference, no direct confirmation | | Possible | 0-29% | Pattern matched — speculative, needs manual verification |

Verification Methods

Each finding is tagged with how it was verified:

  • exploited — An actual exploit payload was sent and the response confirmed the vulnerability
  • response-diff — The response differed from the expected baseline in a meaningful way
  • ai-inference — AI analysis identified the pattern but no live confirmation was possible
  • pattern-match — Code patterns match known vulnerable constructs

Automated PoC Verification

Venom generates PoC scripts for every finding and can auto-run them to verify if vulnerabilities are still exploitable:

# Auto-run all PoCs from a scan (re-tests every finding against live target)
venom poc <scan-id>

# Only verify critical findings
venom poc <scan-id> --severity critical

# Only verify confirmed findings
venom poc <scan-id> --confirmed

# Export PoC scripts as runnable files
venom poc <scan-id> --export ./poc-scripts

# Verify a specific finding
venom poc <scan-id> --finding <finding-id>

Auto-run mode sends the original exploit request and compares the response to determine:

  • EXPLOITABLE — vulnerability is still present (payload reflected, same status)
  • PATCHED — vulnerability no longer works (different status, blocked)
  • INCONCLUSIVE — needs manual verification

Export mode creates a directory with:

  • Individual curl scripts (curl/poc_01_*.sh)
  • Individual Python scripts (python/poc_01_*.py)
  • Master runner scripts (run-all.sh, run_all.py)
  • A README with finding details

PoC scripts are also available in the dashboard (curl/Python tab per finding) and in PDF reports.

SPA False-Positive Detection

Venom automatically detects Single Page Applications (SPAs) that return a generic index.html for all routes, preventing false positives like:

  • Misconfiguration findings on catch-all SPA routes
  • IDOR findings when all user IDs return the same page
  • Auth bypass findings on public landing pages

Browser-Based XSS Detection

The XSS exploiter uses a two-pass strategy:

  1. Pass 1 (HTTP) — Fast reflection check via raw HTTP (catches reflected XSS)
  2. Pass 2 (Browser) — If HTTP fails or hypothesis indicates DOM-based XSS, Playwright headless browser tests for alert dialog execution

DOM XSS payloads target: location.hash, document.referrer, window.name, postMessage, innerHTML sinks.

Deep Exploit Chains (Deep Mode)

When running --mode deep, confirmed findings are escalated with specialized chains:

| Chain | Trigger | What It Does | |-------|---------|--------------| | Injection Chain | Confirmed SQLi | Column enumeration → DB fingerprint → Schema extraction → Data sampling → AI WAF bypass | | Auth Chain | Confirmed auth bypass / IDOR | Admin endpoint probing → Mass-assignment role elevation → JWT algorithm confusion | | SSRF Chain | Confirmed SSRF | Cloud metadata walking (AWS/GCP/Azure) → IAM credential extraction → Internal service probing |

Chain results appear in the dashboard finding details and PDF reports under "Deep Chain Evidence".

Guard rails:

  • Chains only run on findings with confidence >= 60%
  • Max 30s timeout per chain step
  • Deep mode must be explicitly enabled (--mode deep)

Plans & Pricing

| Feature | Free | Pro | Enterprise | |---------|------|-----|------------| | Scans per month | 5 | 100 | Unlimited | | Vulnerability categories | Core 4 | All 11 | All 11 | | Scan modes | Quick only | All modes | All modes | | Finding details | Title + severity | Full details + PoC | Full details + PoC | | Fix suggestions | — | AI-generated patches | AI-generated patches | | CI/CD integration | — | GitHub Actions | GitHub Actions + custom | | Priority support | — | — | Dedicated channel |

Upgrade anytime:

venom subscribe

Configuration File (Optional)

Create a venom.config.yaml in your project root:

scan:
  mode: standard
  vulnCategories:
    - injection
    - xss
    - auth
    - ssrf

ai:
  provider: openai
  model: gpt-4o

authentication:
  loginUrl: https://your-app.com/login
  credentials:
    username: [email protected]
    password: testpassword123
    # totpSecret: JBSWY3DPEHPK3PXP  # Base32-encoded TOTP secret (optional)
  loginFlow:
    - "Type $username into the email field"
    - "Type $password into the password field"
    - "Click the 'Sign In' button"
    # For 2FA/TOTP flows, uncomment:
    # - "Wait 3"
    # - "Type $totp into the 2fa code field"
    # - "Click the 'Verify' button"
  successCondition:
    type: url_contains
    value: /dashboard

notifications:
  slack:
    webhookUrl: https://hooks.slack.com/services/...
    channel: "#security"
  webhook:
    url: https://your-server.com/webhook

2FA/TOTP Authentication

If your target application uses two-factor authentication with TOTP (Time-based One-Time Passwords), Venom can generate live codes during the login flow:

  1. Set totpSecret in your config to the Base32-encoded TOTP secret (the same string you'd use in Google Authenticator)
  2. Add $totp placeholder in your loginFlow steps — it will be replaced with a fresh 6-digit code at runtime
  3. Supported field selectors for OTP inputs: otp, totp, 2fa code, verification code, mfa code, one-time code

The browser engine handles the full login flow including typing credentials, clicking buttons, waiting for 2FA prompts, and entering the TOTP code — all headlessly via Playwright.

CI/CD Integration (Pro+)

GitHub Actions

name: Venom Security Scan
on:
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install Venom
        run: npm install -g venom-pentest

      - name: Login to Venom Cloud
        run: |
          # Use service account credentials (set in GitHub Secrets)
          echo '{"access_token":"${{ secrets.VENOM_ACCESS_TOKEN }}","refresh_token":"${{ secrets.VENOM_REFRESH_TOKEN }}"}' > ~/.venom/credentials.json

      - name: Run Security Scan
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: venom scan ${{ github.event.pull_request.head.repo.html_url }} --repo . --mode quick

Environment Variables

| Variable | Required | Description | |----------|----------|-------------| | OPENAI_API_KEY | One of these | OpenAI API key | | ANTHROPIC_API_KEY | One of these | Anthropic API key | | GEMINI_API_KEY | One of these | Google Gemini API key | | VENOM_SUPABASE_URL | No | Custom Supabase URL (default: Venom Cloud) | | VENOM_SUPABASE_ANON_KEY | No | Custom Supabase anon key |

Troubleshooting

"Authentication Required"

Run venom login or venom signup to create an account first.

"Monthly scan limit reached"

Upgrade your plan: venom subscribe

"API key not configured"

Set one of: OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY, or run Ollama locally.

Scan takes too long

Use --mode quick for faster scans. Quick mode only tests changed files (requires --repo).

"Cloud connection failed"

Check your internet connection. Venom requires network access to store results.

Security & Privacy

  • Source code never leaves your machine. Only scan results (findings, severity, PoC snippets) are uploaded.
  • Your AI API key stays local. Venom calls AI providers directly from your machine.
  • Results are encrypted in transit (HTTPS/TLS) and at rest (Supabase).
  • Row-Level Security ensures you can only access your own data.
  • No telemetry, no tracking. Venom does not collect usage analytics.

XBOW Benchmark

Venom can be validated against the industry-standard XBOW Benchmark — 104 CTF-style web security challenges used to evaluate autonomous pentesting agents.

# Run the full benchmark (requires Docker)
./scripts/run-xbow-benchmark.sh

# Quick test (first 10 challenges)
./scripts/run-xbow-benchmark.sh --start 1 --end 10

See docs/BENCHMARK.md for full instructions, scoring methodology, and tuning tips.

Support

  • Dashboard: https://dashboard-puce-six-90.vercel.app
  • Documentation: https://docs.venom.dev
  • Email: [email protected]

Built for developers who care about security.