Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/irchaosclub/FANGS/llms.txt

Use this file to discover all available pages before exploring further.

FANGS (Fuck All NPM Garbage Supply-chains) is a behavioral delta detector for the npm ecosystem. It installs each new package release inside a Docker container, captures every file access, process exec, DNS query, TCP connection, and TLS handshake from the host kernel via eBPF — without any in-container agent — then compares those observations against a rolling per-package baseline. Anything new surfaces as a deviation for operator review.

Installation

Build prerequisites, kernel requirements, and compiling the four binaries from source.

Quickstart

Start the orchestrator, runner, and CLI; add your first package and see deviations in minutes.

Architecture

How the orchestrator, runner, eBPF sensor, differ, and watcher fit together.

CLI Reference

Every subcommand and flag for the fangs operator console.

How FANGS Works

FANGS is built around a simple idea: a package that has been connecting to registry.npmjs.org and reading node_modules/ for a year shouldn’t suddenly start reading /root/.ssh/id_rsa and connecting to an unknown IP. FANGS makes that difference visible.
1

Watch packages

Add npm packages with fangs package add <name>. The built-in watcher polls the registry every 5 minutes and automatically queues a scan whenever a new version is published.
2

Run in a sandbox

Each scan installs the package inside a Docker container (node:20-slim). The eBPF sensor — attached at runner startup — captures every syscall and network event from the host kernel without modifying the container.
3

Diff against the baseline

The differ extracts fingerprints (file paths, exec binaries, destination IPs, DNS names, TLS SNIs) and compares them to the package’s rolling baseline. New observations become deviation rows.
4

Triage findings

Use fangs pending or the web dashboard at http://127.0.0.1:8443/ui/ to review deviations. Promote clean runs with fangs baseline promote <run-id> or suppress recurring noise with fangs allow add.

Key Features

eBPF Sensor

Tracepoints + kprobes capture file access, exec, TCP connect, DNS, and TLS SNI events from the host kernel. No in-container agent, no modified base image.

Delta Detection

Six deviation categories track what changes between versions: network destinations, DNS names, HTTPS hosts, file reads/writes, and process executions.

Allowlists

Suppress known-good noise with CIDR, path-prefix, and SNI rules — globally or scoped to a single package.

Webhook Notifiers

Push deviation summaries to Slack, Discord, or any SIEM via the generic JSON envelope. HMAC signing and exponential-backoff retry included.

Dual Storage

SQLite for zero-config single-host deployments. PostgreSQL for production multi-runner setups.

mTLS Security

Mutual TLS between orchestrator and runner so only authorized runners can receive jobs and stream events.
FANGS requires a Linux kernel with BTF support (5.8+), clang, bpftool, Go 1.21+, and Docker. See Installation for the full prerequisites matrix.

Build docs developers (and LLMs) love

Get started for freeTalk to us