BHEESHMA is a security tool designed to protect Node.js applications from supply-chain attacks. We take security seriously and follow strict secure coding practices.
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
- ❌ No telemetry - Zero outbound network communication
- ❌ No cloud services - All processing is local
- ❌ No persistent storage - Data exists only in memory
- ❌ No secret capture - Only metadata (variable names, paths, hosts)
- ❌ No behavior modification - Observes only, never alters
- ✅ Credential theft (environment variable access)
- ✅ Data exfiltration (network connections)
- ✅ Persistence mechanisms (filesystem writes)
- ✅ Arbitrary code execution (shell commands)
- OWASP Secure Coding Practices
- CERT/SEI Secure Coding Standards
- Node.js Security Best Practices
Do not create a public GitHub issue for security vulnerabilities.
Alternatively, use GitHub Security Advisories:
- Go to the Security tab
- Click "Report a vulnerability"
Please provide:
- Vulnerability Description: What is the security issue?
- Impact: What can an attacker do?
- Affected Versions: Which versions are vulnerable?
- Reproduction Steps: How to reproduce the issue
- Proposed Fix: If you have suggestions
- Disclosure Timeline: When you plan to disclose publicly
- Acknowledgment: Within 48 hours
- Triage: Within 1 week
- Fix Development: Depends on severity
- Disclosure: Coordinated with reporter
| Severity | Response Time | Example |
|---|---|---|
| Critical | 48 hours | Remote code execution, secret leakage |
| High | 1 week | Privilege escalation, data corruption |
| Medium | 2 weeks | Denial of service, info disclosure |
| Low | 1 month | Minor issues with limited impact |
```bash
# Always verify package integrity
npm install bheeshma --package-lock

# Run in an isolated environment for untrusted code
# BHEESHMA itself is safe, but the code it monitors may not be
```
- 0-29 (CRITICAL): Immediate investigation required
- 30-59 (HIGH): Review before production
- 60-79 (MEDIUM): Monitor over time
- 80-100 (LOW): Generally safe
BHEESHMA cannot detect:
- Pre-hook activity: Behaviors before `init()` is called
- Native addons: C++ modules bypass JavaScript hooks
- Worker threads: Currently not monitored (V2 feature)
- Time bombs: Delayed execution after monitoring stops
These are design limitations, not bugs:
- First-party code is not attributed (by design)
- Signals require node_modules structure
- ESM support is partial (full support in V2)
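As an added illustration of the metadata-only, node_modules-attributed approach described above (credential-access detection without secret capture, and first-party code left unattributed), here is a small example hook. It is not BHEESHMA's own code; the names `attributePackage`, `installEnvHook` and `getSignals` are assumptions made for this example.

```javascript
// Added illustration, not BHEESHMA's own code: a metadata-only hook on
// environment reads. It records the variable name and the package that read
// it (attributed via the node_modules path in the call stack), never the value.
// Nothing leaves the process and nothing is persisted: signals live in memory.

const signals = [];

// Return the first node_modules package name found in a V8 stack trace,
// handling scoped packages (@scope/name) and Windows separators.
// First-party frames (no node_modules segment) yield null and are not recorded.
function attributePackage(stack) {
  const re = /[\\/]node_modules[\\/]((?:@[^\\/]+[\\/])?[^\\/:]+)/;
  for (const line of String(stack).split('\n')) {
    const m = re.exec(line);
    if (m) return m[1].replace(/\\/g, '/');
  }
  return null;
}

// Wrap an env object in a Proxy that observes reads without altering them.
// `stackSource` is injectable so the attribution logic can be exercised with a
// constructed stack; by default it captures the live call stack.
function installEnvHook(envObject = process.env, stackSource = () => new Error().stack) {
  return new Proxy(envObject, {
    get(target, key, receiver) {
      if (typeof key === 'string') {
        const pkg = attributePackage(stackSource());
        if (pkg !== null) {
          // Only metadata: key name and package. The value is never stored.
          signals.push({ kind: 'env_read', name: key, package: pkg });
        }
      }
      return Reflect.get(target, key, receiver); // behaviour is unchanged
    },
  });
}

function getSignals() {
  return signals.slice();
}

// Usage in a real process: process.env = installEnvHook();
```

Like the tool it illustrates, this hook only sees JavaScript-level access: a native addon or a worker thread reading the environment would not pass through the Proxy.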
We follow responsible disclosure:
- Reporter notifies us privately
- We develop and test a fix
- We notify affected users
- We release a patched version
- 30 days later: Public disclosure (or earlier with reporter agreement)
Security researchers who responsibly disclose vulnerabilities will be:
- Listed here with gratitude
- Acknowledged in release notes
- Credited in CVE (if applicable)
No researchers yet - be the first!
Subscribe to:
- GitHub Releases: Watch this repository
- Security Advisories: Enable notifications
- npm: Run `npm outdated` to check for updates
For non-security questions, use GitHub Issues or Discussions.
For security matters only, use the private reporting channels above.
Last Updated: 2026-01-18