cyb3rjerry edited this page May 23, 2026 · 2 revisions

FANGS Wiki

FANGS is a delta detector for npm supply-chain attacks. It watches a list of packages, runs each new release inside a hardened Docker sandbox, and compares observed syscall + network behavior against a per-package baseline. New behavior surfaces as deviations the operator triages; recurrent behavior gets allowlisted; clean releases roll forward into the baseline automatically.

The repo's README covers install + the day-to-day workflow in ~150 lines. This wiki is the long-form reference — every probe, every metric, every flag, every migration, every category and normalization rule.

Pages

Getting started

Reference

Subsystems

  • Sensor-Probes — what each eBPF probe captures
  • Differ-Rules — fingerprint extraction, normalization, allowlist semantics
  • Notifier — webhook templates, retry policy, HMAC

Security

  • TLS-mTLS — cert lifecycle, gen-tls.sh, rotation
  • Threat-Model — what FANGS protects, what it doesn't

FAQ

  • FAQ — common questions, gotchas, recipes

Mental model

FANGS doesn't answer "is this package malicious." It answers "did this run behave differently from the last N versions of this same package." That collapses a hard classification problem into a tractable comparison problem — the work that's hard for AV (signatures, sandbox-evasion games, ML classifiers) goes away; the work that's easy for a sequence-of-syscalls comparator becomes the whole product.

A maintainer's npm account gets hijacked. They publish lodash@4.99.0 with a postinstall that exfiltrates env vars. The advertised behavior is benign. The delta from prior versions is the signal — lodash has been opening node_modules/lodash/* and connecting to registry.npmjs.org for a year, and now it's reading /root/.ssh/id_rsa and connecting to 1.2.3.4:31337. That's a deviation. The full threat surface (including what FANGS doesn't catch) is in Threat-Model.
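The comparison described above, as an added Python example (not FANGS code): a per-package rolling baseline, an allowlist, and a normalization rule that collapses opens under the package's own tree. The fingerprint string format, the window depth and the sample runs are assumptions.

```python
"""Toy delta detector for the FANGS mental model (added example, not FANGS code).
A run is reduced to fingerprint strings such as 'open:/root/.ssh/id_rsa' or
'connect:1.2.3.4:31337' (format assumed)."""
from collections import deque

def normalize(fp, pkg):
    """Collapse opens under the package's own tree to one wildcard, so a
    new helper file inside node_modules/<pkg>/ is not itself a deviation."""
    kind, _, target = fp.partition(":")
    prefix = f"node_modules/{pkg}/"
    if kind == "open" and target.startswith(prefix):
        return f"open:{prefix}*"
    return fp

class DeltaDetector:
    def __init__(self, pkg, depth=3):
        self.pkg = pkg
        self.baseline = deque(maxlen=depth)  # last N clean releases (N assumed = 3)
        self.allowlist = set()               # operator-approved recurrent behaviour

    def known(self):
        return set().union(*self.baseline) | self.allowlist

    def deviations(self, observed):
        """What the new release did that no baseline release or allowlist entry covers.
        With an empty baseline everything is a deviation: the first run is a bootstrap."""
        return {normalize(f, self.pkg) for f in observed} - self.known()

    def accept(self, observed):
        """Clean release: roll its behaviour into the window, evicting the oldest."""
        self.baseline.append(frozenset(normalize(f, self.pkg) for f in observed))

    def allow(self, fp):
        self.allowlist.add(normalize(fp, self.pkg))

# Constructed sample runs; versions and behaviour are illustrative only.
PRIOR = [  # three earlier lodash releases: own files + registry traffic
    {"open:node_modules/lodash/lodash.js", "connect:registry.npmjs.org:443"},
    {"open:node_modules/lodash/lodash.js", "open:node_modules/lodash/fp.js",
     "connect:registry.npmjs.org:443"},
    {"open:node_modules/lodash/lodash.js", "connect:registry.npmjs.org:443"},
]
HIJACKED = {"open:node_modules/lodash/lodash.js", "connect:registry.npmjs.org:443",
            "open:/root/.ssh/id_rsa", "connect:1.2.3.4:31337"}  # the 4.99.0 run

def demo():
    det = DeltaDetector("lodash")
    for run in PRIOR:
        det.accept(run)          # clean releases roll forward into the baseline
    return det.deviations(HIJACKED)
```

Running `demo()` yields only the two new fingerprints (the SSH key read and the unknown connect); the registry traffic and the package's own file opens are baseline and do not surface.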
