Offensive Security Tools Shipped in Production: PenetrationTestingFramework and VulnerabilityScanner Expose Attack Surface

A security misconfiguration has surfaced where penetration testing and vulnerability scanning tools were packaged into production builds, raising the risk of exposing sensitive attack surface information to end users. Two files—`src/PenetrationTestingFramework.js` and `src/VulnerabilityScanner.js`—containing approximately 1,200 combined lines of offensive security code, were placed in the `src/` directory, making them subject to automatic inclusion during the standard build process.

The affected files include exploit development capabilities, fuzzing tools, and vulnerability scanning logic that security researchers typically restrict to internal development environments. Their presence in production builds creates a dual problem: the tools themselves could be extracted and misused by malicious actors, and their inclusion unnecessarily expands the production bundle with code that was never intended for distribution.

The root cause appears to be a lack of build-time exclusion rules in the project's configuration. Security guidance recommends relocating both files to a dedicated directory outside the standard build path—such as `tools/security/` or `scripts/security/`—and explicitly adding them to the electron-builder exclusion list in `package.json`. Additionally, teams should verify that no production code imports these modules and implement a build verification step to ensure the files are absent from final artifacts. The incident underscores the need for architectural separation between development-only tooling and distributable application code.