i found 7 CVEs in npm packages with 40M+ weekly downloads. here's the tool i used.
i've been using Claude Opus 4.6 to systematically audit npm packages since early march. after finding 7 CVEs across mysql2, jsPDF, LiquidJS, Uptime Kuma, and node-forge, i'm open-sourcing the multi-agent framework that made it possible.
in three weeks, i found 7 security vulnerabilities in npm packages downloaded 40 million times a week.
node-forge. mysql2. jsPDF. LiquidJS. Uptime Kuma. all disclosed, all patched, all assigned CVEs.
every finding came from the same process: point an AI agent at source code with a structured methodology. the agent finds potential vulns. a separate agent independently re-exploits each one. if it can't reproduce, the finding gets killed.
after repeating this workflow manually for weeks, i built a framework around it. today i'm open-sourcing it.
here's what i found:
| CVE | package | downloads/week | what i found |
|---|---|---|---|
| CVE-2026-33896 | node-forge | 32M | certificate chain verification bypass — any end-entity cert becomes a CA |
| CVE-2026-33130 | Uptime Kuma | 86k+ stars | SSTI fix bypass via unquoted paths in LiquidJS templates |
| CVE-2026-30952 | LiquidJS | — | path traversal in the require.resolve() fallback (upstream root cause) |
| CVE-2026-31898 | jsPDF | 4M | PDF object injection via unsanitized text streams |
| CVE-2026-31938 | jsPDF | 4M | HTML injection / XSS through the HTML plugin |
| 4 findings | mysql2 | 5M | connection option override, prototype pollution, geometry DoS, OOB read |
every single one was found through the same process — and the same tool.
introducing pwnkit
AI writes the code. pwnkit hacks it.
pwnkit is an open-source agentic harness for autonomous security research. it automates the workflow i used to find those 7 CVEs in packages with 40M+ weekly downloads. point it at an npm package, an LLM endpoint, or a git repo — autonomous agents discover attack surface, run targeted attacks, verify every finding is real, and generate a report.
the code is on GitHub and the CLI is on npm.
three attack surfaces
pwnkit covers three attack surfaces out of the box:
- LLM endpoints — ChatGPT, Claude, Llama APIs, custom chatbots. prompt injection, jailbreaks, data exfiltration, tool poisoning.
- npm packages — supply chain risks, malicious code, dependency vulnerabilities.
- source code — local repos, GitHub URLs, deep AI-powered audit.
as of v0.3.4, MCP server scanning and web app pentesting are also built into the unified pipeline.
the pipeline
the core idea is a research-then-verify pipeline. a single research agent does discovery, attack, and writes proof-of-concept code. then a separate blind verify agent gets only the PoC and the file path — not the reasoning — and independently tries to reproduce it.
RESEARCH ──> BLIND VERIFY ──> REPORT
(discover, (PoC + path (only confirmed
attack, only — no findings with
write PoC) reasoning) evidence)
research — one agent session that maps the attack surface, crafts multi-turn attacks, and writes working proof-of-concept code. for npm audits, it reads actual source code (not docs), traces data flow from untrusted input to sensitive operations, and identifies patterns: prototype pollution, injection, path traversal, ReDoS, unsafe defaults.
blind verify — the most important step. a separate agent gets ONLY the PoC code and the file path — not the research agent's reasoning. it independently traces the data flow and tries to reproduce the finding. can't reproduce? killed as a false positive. same principle as double-blind peer review.
report — generates SARIF output for GitHub's Security tab, markdown for humans, and JSON for CI pipelines. only confirmed findings with severity scores and remediation guidance.
the blind verification is the differentiator. most security tools report everything that might be a bug. pwnkit only reports what it can prove is a bug — and the proof comes from an agent that can't be biased by the original reasoning.
what you can do with it
# scan an LLM endpoint
npx pwnkit scan --target https://your-app.com/api/chat
# audit an npm package
npx pwnkit audit express
# deep review of a codebase
npx pwnkit review ./my-project
# query verified findings
npx pwnkit findings list --severity critical
# browse past scan results
npx pwnkit history
CI integration
add one line to your GitHub Actions workflow:
- uses: peaktwilight/pwnkit@main
with:
mode: review
findings show up directly in GitHub's Security tab via SARIF.
why this matters now
georgia tech's vibe security radar disclosed 35 new CVEs directly related to AI-generated code in march 2026 alone. researchers estimate 45% of AI-generated code contains security vulnerabilities.
AI agents are writing code faster than humans can audit it. the gap between "it works" and "it's secure" is growing every week.
existing tools (promptfoo, garak, PyRIT) are primarily evaluation frameworks — they test whether your defenses hold against known attack patterns. pwnkit is the opposite: it's an offensive tool that discovers new vulnerabilities using multi-turn agentic reasoning. working exploit code is the proof. that's what found the node-forge certificate forgery, not running a test suite against known patterns.
the methodology
pwnkit encodes the same audit methodology i used for the CVE work:
- target selection — identify high-value packages handling untrusted input, auth, crypto, parsing, or serialization. higher downloads = higher impact.
- deep source review — always audit the latest published version. read actual source code, not docs. map data flow from untrusted input to sensitive operations.
- verification — for each finding: can attacker-controlled data actually reach the vulnerable code? what preconditions are needed? does the PoC actually work? is the latest version still affected?
- honest severity assessment — rate on real-world exploitability, not theoretical impact. is it exploitable in default config? do upstream defenses block it?
- responsible disclosure — check SECURITY.md, prefer GitHub Security Advisories for CVE assignment, provide concrete fix suggestions, 90-day coordinated disclosure timeline.
the framework automates steps 1-4. step 5 is still manual — you should always review findings and handle disclosure yourself.
what's next
this is v0.3.4 — the foundation is solid. the npm audit workflow that found the CVEs works, and the LLM endpoint scanner covers 8/10 of the OWASP LLM Top 10. the areas i'm actively working on:
- MCP server security — scanning tool descriptions for injection, unauthorized access, SSRF (shipped in v0.3.4)
- web app pentesting — security headers, CORS, open redirects (shipped in v0.3.4)
- expanding the attack template library beyond the current 47 test cases
- better support for non-JavaScript ecosystems (Python, Go, Rust)
- deterministic CI replay mode for regression testing
if you find a vulnerability using pwnkit, i'd love to hear about it.
links
- website: pwnkit.com
- github: peaktwilight/pwnkit
- npm: pwnkit
built by doruk tan ozturk (@peaktwilight) — the same person behind those 7 CVEs. if you're interested in security research, AI agents, or both, give pwnkit a spin and open an issue if something breaks.