How it works

One detector core.
Two engines.
Caught twice.

Pre-production — node360-static (SAST / taint) finds the source→sink flow before deploy. Production — node360-rasp (RASP) blocks it at the sink at runtime. The same 16 detectors, byte-for-byte.

● Inner ring · pre-production
node360-static · SAST
Traces tainted sources to dangerous sinks across files — no runtime trigger. Finds it before deploy.
● Outer ring · production
node360-rasp · RASP
Decides at the sink with request provenance — blocks the attack at runtime before it executes.
THE WALKTHROUGH · A REAL 2026 AGENTIC CVE

Prompt → tool-call → sink.

CVE-2026-41208 · Paperclip · CWE-78 · agentic RCE

An AI agent in a Node.js app can call a tool whose provisionCommand field is model-controlled. A poisoned prompt makes the agent emit a tool-call with a malicious command — that untrusted string flows into child_process and executes. Step through how it is found before deploy and blocked at runtime.

01 The setup scenario

Data flow
LLM AGENT · model-controlled: AI Agent
→ TOOL-CALL · provisionCommand: workspaceStrategy.provision()
→ APP CODE · provision.js: runProvision(cmd)
→ SINK · CWE-78: child_process.exec() (tainted: ;curl|sh)
● SAST · node360-static · GREEN
Before deploy. No trigger.
Traces the agent-controlled parameter — a tainted source — inter-procedurally and cross-file to the child_process sink, and flags the source→sink flow as a SARIF finding. Runs entirely on your source. Step 3.
● RASP · node360-rasp · STEEL-BLUE
At runtime. Blocks at the sink.
guardToolDispatch() taints the LLM-controlled argument; the command detector analyses shell-argv metacharacters at the sink and blocks before execution: [node360] BLOCK. Step 4.
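A minimal sketch of the runtime half described above, added here as an illustration and not node360 code: tool-call arguments are tainted at dispatch, and a wrapper decides at the command sink. The names dispatchToolCall, inspectCommand and guardSink are hypothetical, the inputs are constructed, and a recording stub stands in for child_process.exec so nothing is executed.

```javascript
// Added illustration, not node360 code. Every name below is hypothetical.
// Strings are primitives, so taint is tracked by value in this sketch.
const taintedValues = new Set();

// Dispatch boundary: record each string argument of a model-emitted tool-call.
function dispatchToolCall(tool, args) {
  for (const v of Object.values(args)) {
    if (typeof v === 'string') taintedValues.add(v);
  }
  return tool(args);
}

// Characters that make a shell chain, substitute, or redirect.
const SHELL_META = new Set([';', '&', '|', '`', '$', '<', '>', '(', ')', '\n']);

// Sink-side check: inspect only tainted commands; block any shell syntax in them.
function inspectCommand(cmd) {
  if (!taintedValues.has(cmd)) return { allow: true, reason: 'untainted' };
  const hit = [...cmd].find((ch) => SHELL_META.has(ch));
  return hit === undefined
    ? { allow: true, reason: 'tainted, no shell syntax' }
    : { allow: false, reason: `tainted shell metacharacter ${JSON.stringify(hit)}` };
}

// Wrap a command sink (child_process.exec in the page's scenario) so the
// decision is made immediately before the sink would run.
function guardSink(sink) {
  return (cmd, ...rest) => {
    const verdict = inspectCommand(cmd);
    if (!verdict.allow) throw new Error(`BLOCK command sink: ${verdict.reason}`);
    return sink(cmd, ...rest);
  };
}

// Constructed demo: the stub records what would have reached the shell.
function demo() {
  const executed = [];
  const exec = guardSink((cmd) => { executed.push(cmd); return 'ok'; });
  const runProvision = (cmd) => exec(cmd);
  const provisionTool = (args) => runProvision(args.provisionCommand);
  const results = [];
  for (const provisionCommand of ['npm ci', 'npm ci ;curl|sh']) {
    try { results.push(dispatchToolCall(provisionTool, { provisionCommand })); }
    catch (e) { results.push(e.message); }
  }
  return { executed, results };
}

console.log(demo());
```

In this sketch a tainted command with no shell syntax still reaches the sink, so a model-chosen executable is not stopped by the metacharacter check alone; pair it with an allowlist of permitted commands.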
THE DETECTOR CORE

One core. Sixteen detectors. Both engines.

outer · RASP shell — runtime
inner · SAST core — pre-deploy

The same 16 semantic detectors run in both engines, byte-for-byte. They decide by meaning at the sink — tokenizer differential, containment, shell-argv metacharacter analysis — not by regex over the payload and not by version-matching.

command CWE-78 · code CWE-94 · path CWE-22 · ssrf CWE-918 · proto CWE-1321 · deserialize CWE-502 · sql CWE-89 · jwt CWE-347 · +8 more

// In the walkthrough the command detector fired in both engines from the same module: node360-static flagged the flow pre-deploy; node360-rasp blocked it at the child_process sink.