50c 3.9.5 → 3.9.7

package/lib/backdoor-checker.js

@@ -1,732 +0,0 @@
-/**
- * 50c Backdoor Checker - Local security audit tool
- * Runs entirely on the user's machine. FREE.
- *
- * Detects:
- * - Unauthorized RDP/SSH logins (with geo-IP)
- * - Persistence mechanisms (scheduled tasks, startup, registry, services)
- * - Suspicious network connections to foreign IPs
- * - Rogue certificates and proxy settings
- * - IDE artifacts (Verdant, etc.)
- * - Unauthorized user accounts
- * - SSH authorized_keys anomalies
- *
- * Cross-platform: Windows (PowerShell), Linux (bash), macOS (bash)
- */
-
-const { exec, execSync } = require('child_process');
-const os = require('os');
-const fs = require('fs');
-const path = require('path');
-const { isPrivateIP, isValidIPv4, extractPublicIPs } = require('./ip-utils');
-
-const PLATFORM = os.platform(); // win32, linux, darwin
-const HOME = os.homedir();
-
-// Suspicious country indicators in IP geolocation
-const SUSPICIOUS_GEOS = ['CN', 'RU', 'KP', 'IR'];
-
-// Known suspicious IDE directories
-const SUSPICIOUS_IDE_DIRS = [
-  '.verdent', '.verdant', '.verd',
-  '.trae',  // ByteDance IDE
-];
-
-// Known suspicious process names
-const SUSPICIOUS_PROCESSES = [
-  'cryptominer', 'xmrig', 'minerd', 'cgminer',
-  'nc.exe', 'ncat', 'netcat',
-  'mimikatz', 'lazagne', 'procdump',
-  'psexec', 'wmic', // lateral movement
-];
-
-/**
- * Run a command and return stdout (or error message)
- */
-function run(cmd, timeout = 30000) {
-  try {
-    return execSync(cmd, {
-      timeout,
-      encoding: 'utf8',
-      stdio: ['pipe', 'pipe', 'pipe'],
-      windowsHide: true,
-      maxBuffer: 10 * 1024 * 1024
-    }).trim();
-  } catch (e) {
-    return `[ERROR] ${e.message}`;
-  }
-}
-
-/**
- * Run PowerShell command (Windows)
- */
-function ps(script, timeout = 30000) {
-  const escaped = script.replace(/"/g, '\\"');
-  return run(`powershell -NoProfile -ExecutionPolicy Bypass -Command "${escaped}"`, timeout);
-}
-
-/**
- * Geo-IP lookup using free API (ip-api.com)
- * Returns { country, countryCode, city, isp, org }
- */
-async function geoIP(ip) {
-  try {
-    const http = require('http');
-    return new Promise((resolve, reject) => {
-      const req = http.get(`http://ip-api.com/json/${ip}?fields=country,countryCode,city,isp,org`, { timeout: 5000 }, (res) => {
-        let data = '';
-        res.on('data', c => data += c);
-        res.on('end', () => {
-          try { resolve(JSON.parse(data)); }
-          catch { resolve({ country: 'unknown', countryCode: '??' }); }
-        });
-      });
-      req.on('error', () => resolve({ country: 'unknown', countryCode: '??' }));
-      req.on('timeout', () => { req.destroy(); resolve({ country: 'unknown', countryCode: '??' }); });
-    });
-  } catch {
-    return { country: 'unknown', countryCode: '??' };
-  }
-}
-
-/**
- * Batch geo-IP lookup (ip-api.com supports batch of up to 100)
- */
-async function batchGeoIP(ips) {
-  if (ips.length === 0) return {};
-  const uniqueIPs = [...new Set(ips)].slice(0, 100);
-
-  try {
-    const http = require('http');
-    const body = JSON.stringify(uniqueIPs.map(ip => ({ query: ip, fields: 'query,country,countryCode,city,isp,org' })));
-
-    return new Promise((resolve) => {
-      const req = http.request({
-        hostname: 'ip-api.com',
-        path: '/batch',
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) },
-        timeout: 10000
-      }, (res) => {
-        let data = '';
-        res.on('data', c => data += c);
-        res.on('end', () => {
-          try {
-            const results = JSON.parse(data);
-            const map = {};
-            for (const r of results) { map[r.query] = r; }
-            resolve(map);
-          } catch { resolve({}); }
-        });
-      });
-      req.on('error', () => resolve({}));
-      req.on('timeout', () => { req.destroy(); resolve({}); });
-      req.write(body);
-      req.end();
-    });
-  } catch {
-    return {};
-  }
-}
-
-// ============================================
-// WINDOWS CHECKS
-// ============================================
-
-function windowsChecks() {
-  const findings = [];
-
-  // 1. RDP Login History (Event ID 4624 Type 10 = RemoteInteractive)
-  findings.push({ check: 'RDP Login History', data: getRDPLogins() });
-
-  // 2. Failed RDP attempts (Event ID 4625)
-  findings.push({ check: 'Failed Login Attempts', data: getFailedLogins() });
-
-  // 3. Local user accounts
-  findings.push({ check: 'Local User Accounts', data: getLocalUsers() });
-
-  // 4. Scheduled tasks (persistence)
-  findings.push({ check: 'Scheduled Tasks', data: getScheduledTasks() });
-
-  // 5. Startup programs (registry Run keys)
-  findings.push({ check: 'Startup Registry Keys', data: getStartupKeys() });
-
-  // 6. Running services (unusual ones)
-  findings.push({ check: 'Services', data: getServices() });
-
-  // 7. Active network connections
-  findings.push({ check: 'Active Network Connections', data: getNetConnections() });
-
-  // 8. Firewall rules
-  findings.push({ check: 'Firewall Rules', data: getFirewallRules() });
-
-  // 9. Certificates
-  findings.push({ check: 'Root Certificates', data: getCertificates() });
-
-  // 10. Proxy settings
-  findings.push({ check: 'Proxy Settings', data: getProxySettings() });
-
-  // 11. WinRM / Remote Management
-  findings.push({ check: 'Remote Management (WinRM)', data: getWinRM() });
-
-  // 12. SSH authorized_keys
-  findings.push({ check: 'SSH Authorized Keys', data: getSSHKeys() });
-
-  // 13. Suspicious IDE artifacts
-  findings.push({ check: 'Suspicious IDE Artifacts', data: getIDEArtifacts() });
-
-  // 14. PowerShell history (may reveal attacker commands)
-  findings.push({ check: 'PowerShell History', data: getPSHistory() });
-
-  // 15. DNS cache (suspicious domains)
-  findings.push({ check: 'DNS Cache', data: getDNSCache() });
-
-  // 16. Recently installed programs
-  findings.push({ check: 'Recently Installed Programs', data: getRecentInstalls() });
-
-  // 17. Hidden/suspicious processes
-  findings.push({ check: 'Suspicious Processes', data: getSuspiciousProcesses() });
-
-  return findings;
-}
-
-function getRDPLogins() {
-  const result = ps(`
-    try {
-      $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 200 -ErrorAction Stop |
-        Where-Object { $_.Properties[8].Value -eq 10 } |
-        Select-Object -First 50 |
-        ForEach-Object {
-          $ip = $_.Properties[18].Value
-          $user = $_.Properties[5].Value
-          $domain = $_.Properties[6].Value
-          $time = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
-          "$time | $domain\\\\$user | $ip"
-        }
-      if ($events) { $events -join '\\n' } else { 'No RDP logins found in Security log' }
-    } catch { 'Access denied or Security log unavailable - run as Administrator' }
-  `, 60000);
-  return result;
-}
-
-function getFailedLogins() {
-  const result = ps(`
-    try {
-      $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 100 -ErrorAction Stop |
-        Select-Object -First 30 |
-        ForEach-Object {
-          $ip = $_.Properties[19].Value
-          $user = $_.Properties[5].Value
-          $time = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
-          "$time | $user | $ip"
-        }
-      if ($events) { $events -join '\\n' } else { 'No failed login attempts found' }
-    } catch { 'Access denied or Security log unavailable - run as Administrator' }
-  `, 60000);
-  return result;
-}
-
-function getLocalUsers() {
-  return ps(`
-    Get-LocalUser | ForEach-Object {
-      $name = $_.Name
-      $enabled = $_.Enabled
-      $lastLogon = $_.LastLogon
-      $desc = $_.Description
-      "$name | Enabled=$enabled | LastLogon=$lastLogon | $desc"
-    } | Out-String
-  `);
-}
-
-function getScheduledTasks() {
-  return ps(`
-    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\\\\Microsoft\\\\*' } |
-      ForEach-Object {
-        $name = $_.TaskName
-        $path = $_.TaskPath
-        $actions = ($_.Actions | ForEach-Object { $_.Execute + ' ' + $_.Arguments }) -join '; '
-        "$path$name | $actions"
-      } | Out-String
-  `, 60000);
-}
-
-function getStartupKeys() {
-  const keys = [
-    'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
-    'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
-    'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
-    'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
-    'HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run',
-  ];
-
-  return ps(`
-    $keys = @(${keys.map(k => `'${k}'`).join(',')})
-    foreach ($key in $keys) {
-      if (Test-Path $key) {
-        "=== $key ==="
-        Get-ItemProperty $key -ErrorAction SilentlyContinue |
-          ForEach-Object { $_.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
-            ForEach-Object { "  $($_.Name) = $($_.Value)" }
-          }
-      }
-    }
-  `);
-}
-
-function getServices() {
-  return ps(`
-    Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.StartType -eq 'Automatic' } |
-      Where-Object { $_.DisplayName -notlike 'Windows*' -and $_.DisplayName -notlike 'Microsoft*' -and $_.DisplayName -notlike 'DCOM*' -and $_.DisplayName -notlike 'Plug*' } |
-      Select-Object Name, DisplayName, StartType |
-      Format-Table -AutoSize | Out-String
-  `);
-}
-
-function getNetConnections() {
-  return ps(`
-    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
-      Where-Object { $_.RemoteAddress -ne '127.0.0.1' -and $_.RemoteAddress -ne '::1' -and $_.RemoteAddress -ne '0.0.0.0' } |
-      Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess,
-        @{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
-      Sort-Object RemoteAddress |
-      Format-Table -AutoSize | Out-String
-  `);
-}
-
-function getFirewallRules() {
-  return ps(`
-    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
-      Where-Object { $_.DisplayName -notlike 'Core Networking*' -and $_.DisplayName -notlike 'Windows*' } |
-      Select-Object -First 30 DisplayName, Profile, Direction |
-      Format-Table -AutoSize | Out-String
-  `);
-}
-
-function getCertificates() {
-  return ps(`
-    Get-ChildItem Cert:\\LocalMachine\\Root |
-      Where-Object { $_.NotAfter -gt (Get-Date) } |
-      Select-Object Subject, Issuer, NotAfter, Thumbprint |
-      Format-Table -AutoSize -Wrap | Out-String
-  `);
-}
-
-function getProxySettings() {
-  return ps(`
-    $proxy = Get-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings' -ErrorAction SilentlyContinue
-    "ProxyEnable: $($proxy.ProxyEnable)"
-    "ProxyServer: $($proxy.ProxyServer)"
-    "ProxyOverride: $($proxy.ProxyOverride)"
-    "AutoConfigURL: $($proxy.AutoConfigURL)"
-    ""
-    "Environment:"
-    "HTTP_PROXY: $env:HTTP_PROXY"
-    "HTTPS_PROXY: $env:HTTPS_PROXY"
-    "ALL_PROXY: $env:ALL_PROXY"
-  `);
-}
-
-function getWinRM() {
-  return ps(`
-    try {
-      $status = Get-Service WinRM -ErrorAction Stop
-      "WinRM Status: $($status.Status)"
-      if ($status.Status -eq 'Running') {
-        "WARNING: WinRM is running - remote management is enabled"
-        winrm get winrm/config/client 2>$null
-      }
-    } catch {
-      "WinRM: Not found or access denied"
-    }
-  `);
-}
-
-function getSSHKeys() {
-  const results = [];
-  const sshDir = path.join(HOME, '.ssh');
-
-  if (fs.existsSync(sshDir)) {
-    const authKeys = path.join(sshDir, 'authorized_keys');
-    if (fs.existsSync(authKeys)) {
-      results.push('=== authorized_keys ===');
-      const content = fs.readFileSync(authKeys, 'utf8');
-      const keys = content.split('\n').filter(l => l.trim() && !l.startsWith('#'));
-      for (const key of keys) {
-        const parts = key.trim().split(/\s+/);
-        const comment = parts.length >= 3 ? parts.slice(2).join(' ') : 'no-comment';
-        const type = parts[0];
-        results.push(`  ${type} ... ${comment}`);
-      }
-    } else {
-      results.push('No authorized_keys file found');
-    }
-
-    // Check for unusual files in .ssh
-    const files = fs.readdirSync(sshDir);
-    const unusual = files.filter(f => !['authorized_keys', 'known_hosts', 'config', 'id_rsa', 'id_rsa.pub', 'id_ed25519', 'id_ed25519.pub', 'id_ecdsa', 'id_ecdsa.pub', 'id_ed25519_automation', 'id_ed25519_automation.pub'].includes(f));
-    if (unusual.length > 0) {
-      results.push(`\nUnusual files in .ssh/: ${unusual.join(', ')}`);
-    }
-  } else {
-    results.push('No .ssh directory found');
-  }
-
-  return results.join('\n');
-}
-
-function getIDEArtifacts() {
-  const results = [];
-
-  for (const dir of SUSPICIOUS_IDE_DIRS) {
-    const fullPath = path.join(HOME, dir);
-    if (fs.existsSync(fullPath)) {
-      results.push(`[!] FOUND: ${fullPath}`);
-      try {
-        const files = fs.readdirSync(fullPath);
-        results.push(`    Contents: ${files.slice(0, 20).join(', ')}`);
-
-        // Check for MCP config with embedded secrets
-        const mcpPath = path.join(fullPath, 'mcp.json');
-        if (fs.existsSync(mcpPath)) {
-          results.push(`    [!!] MCP config found: ${mcpPath}`);
-          try {
-            const mcp = JSON.parse(fs.readFileSync(mcpPath, 'utf8'));
-            const servers = Object.keys(mcp.mcpServers || {});
-            results.push(`    MCP servers configured: ${servers.join(', ')}`);
-            // Check for embedded API keys
-            for (const [name, srv] of Object.entries(mcp.mcpServers || {})) {
-              if (srv.env) {
-                const envKeys = Object.keys(srv.env);
-                results.push(`    [!] ${name} has env vars: ${envKeys.join(', ')}`);
-              }
-            }
-          } catch {}
-        }
-      } catch {}
-    }
-  }
-
-  // Also check AppData for Verdant
-  const appDataPaths = [
-    path.join(process.env.APPDATA || '', 'Verdent'),
-    path.join(process.env.APPDATA || '', 'Verdant'),
-    path.join(process.env.LOCALAPPDATA || '', 'Verdent'),
-    path.join(process.env.LOCALAPPDATA || '', 'Verdant'),
-  ];
-
-  for (const p of appDataPaths) {
-    if (p && fs.existsSync(p)) {
-      results.push(`[!] FOUND AppData: ${p}`);
-      try {
-        const files = fs.readdirSync(p);
-        results.push(`    Contents: ${files.slice(0, 20).join(', ')}`);
-      } catch {}
-    }
-  }
-
-  if (results.length === 0) {
-    results.push('No suspicious IDE artifacts found');
-  }
-
-  return results.join('\n');
-}
-
-function getPSHistory() {
-  const histPath = path.join(HOME, 'AppData', 'Roaming', 'Microsoft', 'Windows', 'PowerShell', 'PSReadLine', 'ConsoleHost_history.txt');
-  if (fs.existsSync(histPath)) {
-    try {
-      const content = fs.readFileSync(histPath, 'utf8');
-      const lines = content.split('\n').slice(-100); // last 100 commands
-      const suspicious = lines.filter(l => {
-        const lower = l.toLowerCase();
-        return lower.includes('invoke-webrequest') || lower.includes('downloadstring') ||
-               lower.includes('downloadfile') || lower.includes('net.webclient') ||
-               lower.includes('iex') || lower.includes('invoke-expression') ||
-               lower.includes('bypass') || lower.includes('hidden') ||
-               lower.includes('-enc ') || lower.includes('encodedcommand') ||
-               lower.includes('certutil') || lower.includes('bitsadmin');
-      });
-      if (suspicious.length > 0) {
-        return `[!] Suspicious PowerShell commands found:\n${suspicious.join('\n')}`;
-      }
-      return `Last 100 commands checked - no suspicious patterns found (${lines.length} total lines in history)`;
-    } catch {
-      return 'Could not read PowerShell history';
-    }
-  }
-  return 'No PowerShell history file found';
-}
-
-function getDNSCache() {
-  return ps(`
-    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue |
-      Select-Object -First 100 Entry, Data |
-      Where-Object { $_.Entry -match '\\.(cn|ru|ir|kp)$' -or $_.Entry -match '(baidu|qq|163|aliyun|tencent|weibo|bytedance|douyin)' }
-    if ($cache) {
-      "Suspicious DNS entries found:"
-      $cache | Format-Table -AutoSize | Out-String
-    } else {
-      "No suspicious DNS entries (.cn/.ru/.ir/.kp or known Chinese services)"
-    }
-  `);
-}
-
-function getRecentInstalls() {
-  return ps(`
-    Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |
-      Where-Object { $_.InstallDate -and $_.InstallDate -gt (Get-Date).AddDays(-90).ToString('yyyyMMdd') } |
-      Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
-      Sort-Object InstallDate -Descending |
-      Format-Table -AutoSize | Out-String
-  `);
-}
-
-function getSuspiciousProcesses() {
-  return ps(`
-    $procs = Get-Process -ErrorAction SilentlyContinue |
-      Select-Object Name, Id, Path, Company |
-      Where-Object {
-        $suspicious = @(${SUSPICIOUS_PROCESSES.map(p => `'${p}'`).join(',')})
-        $_.Name -in $suspicious -or
-        ($_.Path -and ($_.Path -match '\\\\Temp\\\\' -or $_.Path -match '\\\\tmp\\\\' -or $_.Path -match '\\\\Downloads\\\\'))
-      }
-    if ($procs) {
-      "[!] Suspicious processes found:"
-      $procs | Format-Table -AutoSize | Out-String
-    } else {
-      "No known suspicious processes found"
-    }
-  `);
-}
-
-// ============================================
-// LINUX CHECKS
-// ============================================
-
-function linuxChecks() {
-  const findings = [];
-
-  findings.push({ check: 'SSH Login History', data: run('last -50 2>/dev/null || echo "last command not available"') });
-  findings.push({ check: 'Failed SSH Attempts', data: run('grep "Failed password" /var/log/auth.log 2>/dev/null | tail -30 || grep "Failed password" /var/log/secure 2>/dev/null | tail -30 || journalctl -u sshd --no-pager -n 30 2>/dev/null | grep -i "failed" || echo "No auth logs accessible"') });
-  findings.push({ check: 'User Accounts', data: run('cat /etc/passwd | grep -v nologin | grep -v /false') });
-  findings.push({ check: 'Sudoers', data: run('cat /etc/sudoers 2>/dev/null; ls -la /etc/sudoers.d/ 2>/dev/null') });
-  findings.push({ check: 'Crontabs', data: run('for user in $(cut -f1 -d: /etc/passwd); do crontab -l -u $user 2>/dev/null && echo "=== $user ==="; done; cat /etc/crontab 2>/dev/null; ls -la /etc/cron.d/ 2>/dev/null') });
-  findings.push({ check: 'SSH Authorized Keys', data: getSSHKeys() });
-  findings.push({ check: 'Active Connections', data: run('ss -tunp 2>/dev/null || netstat -tunp 2>/dev/null') });
-  findings.push({ check: 'Listening Ports', data: run('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null') });
-  findings.push({ check: 'Running Services', data: run('systemctl list-units --type=service --state=running 2>/dev/null | head -40') });
-  findings.push({ check: 'Suspicious IDE Artifacts', data: getIDEArtifacts() });
-  findings.push({ check: 'Unusual SUID Binaries', data: run('find / -perm -4000 -type f 2>/dev/null | grep -v -E "(sudo|passwd|ping|mount|su|chsh|chfn|newgrp|gpasswd|pkexec)" | head -20') });
-  findings.push({ check: 'Startup Scripts', data: run('ls -la /etc/init.d/ 2>/dev/null; ls -la /etc/rc.local 2>/dev/null; systemctl list-unit-files --state=enabled 2>/dev/null | head -30') });
-  findings.push({ check: 'Bash History (suspicious)', data: run('grep -E "curl.*\\|.*sh|wget.*\\|.*sh|python.*-c.*import|nc\\s+-|/dev/tcp|base64.*-d" ~/.bash_history 2>/dev/null | tail -20 || echo "No suspicious bash history patterns"') });
-
-  return findings;
-}
-
-// ============================================
-// macOS CHECKS
-// ============================================
-
-function macChecks() {
-  const findings = [];
-
-  // 1. Login history (last works on macOS)
-  findings.push({ check: 'Login History', data: run('last -50 2>/dev/null || echo "last command not available"') });
-
-  // 2. Failed SSH/login attempts via unified log
-  findings.push({ check: 'Failed Login Attempts', data: run('log show --predicate \'eventMessage contains "failed" AND eventMessage contains "ssh"\' --style syslog --last 7d 2>/dev/null | tail -30 || echo "No failed SSH in unified log"', 60000) });
-
-  // 3. Remote login (SSH) status
-  findings.push({ check: 'Remote Login (SSH) Status', data: run('systemsetup -getremotelogin 2>/dev/null || echo "Cannot check remote login status"') });
-
-  // 4. Screen sharing / VNC / ARD
-  findings.push({ check: 'Screen Sharing / VNC / ARD', data: run('launchctl list 2>/dev/null | grep -iE "vnc|screensharing|ARD|remote" || echo "No screen sharing services found"') });
-
-  // 5. User accounts
-  findings.push({ check: 'User Accounts', data: run('dscl . list /Users | grep -v "^_" | grep -v daemon | grep -v nobody') });
-
-  // 6. Admin users
-  findings.push({ check: 'Admin Users', data: run('dscl . -read /Groups/admin GroupMembership 2>/dev/null || echo "Cannot read admin group"') });
-
-  // 7. LaunchAgents (user-level persistence - PRIMARY backdoor vector on macOS)
-  findings.push({ check: 'User LaunchAgents', data: getMacLaunchItems(path.join(HOME, 'Library', 'LaunchAgents')) });
-
-  // 8. System LaunchAgents
-  findings.push({ check: 'System LaunchAgents', data: getMacLaunchItems('/Library/LaunchAgents') });
-
-  // 9. LaunchDaemons (root-level persistence)
-  findings.push({ check: 'LaunchDaemons', data: getMacLaunchItems('/Library/LaunchDaemons') });
-
-  // 10. Login Items (GUI persistence)
-  findings.push({ check: 'Login Items', data: run('osascript -e \'tell application "System Events" to get the name of every login item\' 2>/dev/null || echo "Cannot read login items"') });
-
-  // 11. Crontabs
-  findings.push({ check: 'Crontabs', data: run('crontab -l 2>/dev/null || echo "No user crontab"; echo "---"; cat /etc/crontab 2>/dev/null || echo "No /etc/crontab"') });
-
-  // 12. SSH authorized_keys
-  findings.push({ check: 'SSH Authorized Keys', data: getSSHKeys() });
-
-  // 13. Active connections
-  findings.push({ check: 'Active Connections', data: run('netstat -an 2>/dev/null | grep ESTABLISHED | head -40 || lsof -i -P -n 2>/dev/null | grep ESTABLISHED | head -40') });
-
-  // 14. Listening ports
-  findings.push({ check: 'Listening Ports', data: run('lsof -i -P -n 2>/dev/null | grep LISTEN | head -30') });
-
-  // 15. Profiles (MDM / configuration profiles - can enforce proxy, certs, etc.)
-  findings.push({ check: 'Configuration Profiles (MDM)', data: run('profiles list 2>/dev/null || profiles -L 2>/dev/null || echo "No profiles command or no profiles installed"') });
-
-  // 16. Keychain - look for suspicious root certs
-  findings.push({ check: 'Custom Root Certificates', data: run('security find-certificate -a -p /Library/Keychains/System.keychain 2>/dev/null | openssl x509 -noout -subject -issuer 2>/dev/null | head -20 || echo "Cannot enumerate system keychain"') });
-
-  // 17. Proxy settings
-  findings.push({ check: 'Proxy Settings', data: run('networksetup -getwebproxy Wi-Fi 2>/dev/null; networksetup -getsecurewebproxy Wi-Fi 2>/dev/null; networksetup -getautoproxyurl Wi-Fi 2>/dev/null; echo "HTTP_PROXY=$HTTP_PROXY"; echo "HTTPS_PROXY=$HTTPS_PROXY"') });
-
-  // 18. Firewall status
-  findings.push({ check: 'Firewall Status', data: run('/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || echo "Cannot check firewall"') });
-
-  // 19. Suspicious IDE artifacts
-  findings.push({ check: 'Suspicious IDE Artifacts', data: getIDEArtifacts() });
-
-  // 20. Shell history (suspicious patterns)
-  findings.push({ check: 'Shell History (suspicious)', data: run('grep -hE "curl.*\\|.*sh|wget.*\\|.*sh|python.*-c.*import|nc\\s+-|/dev/tcp|base64.*-d|osascript.*-e" ~/.bash_history ~/.zsh_history 2>/dev/null | tail -20 || echo "No suspicious shell history patterns"') });
-
-  // 21. Gatekeeper and SIP status
-  findings.push({ check: 'Gatekeeper & SIP Status', data: run('spctl --status 2>/dev/null; csrutil status 2>/dev/null') });
-
-  // 22. TCC (privacy permissions) - what apps have accessibility/screen recording/etc.
-  findings.push({ check: 'Privacy Permissions (TCC)', data: run('sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "SELECT client,service,auth_value FROM access WHERE auth_value=2" 2>/dev/null || echo "Cannot read TCC database (may need Full Disk Access)"') });
-
-  return findings;
-}
-
-/**
- * Read macOS LaunchAgent/LaunchDaemon plist files for suspicious entries
- */
-function getMacLaunchItems(dirPath) {
-  const results = [];
-  try {
-    if (!fs.existsSync(dirPath)) {
-      return `Directory not found: ${dirPath}`;
-    }
-    const files = fs.readdirSync(dirPath).filter(f => f.endsWith('.plist'));
-    if (files.length === 0) {
-      return `No plist files in ${dirPath}`;
-    }
-
-    for (const file of files) {
-      const fullPath = path.join(dirPath, file);
-      // Use plutil to convert plist to readable format
-      const content = run(`plutil -p "${fullPath}" 2>/dev/null`);
-
-      // Flag non-Apple items
-      const isApple = file.startsWith('com.apple.') || file.startsWith('com.openssh.');
-      const label = isApple ? '  ' : '[!] ';
-
-      // Extract program/command from plist output
-      const programMatch = content.match(/"Program(?:Arguments)?" => (?:\[[\s\S]*?\]|"[^"]*")/);
-      const program = programMatch ? programMatch[0].substring(0, 120) : '';
-
-      results.push(`${label}${file}`);
-      if (program) results.push(`     ${program}`);
-    }
-  } catch (e) {
-    results.push(`[ERROR] Cannot read ${dirPath}: ${e.message}`);
-  }
-  return results.join('\n');
-}
-
-// ============================================
-// MAIN AUDIT FUNCTION
-// ============================================
-
-async function runAudit(options = {}) {
-  const startTime = Date.now();
-  const result = {
-    ok: true,
-    platform: PLATFORM,
-    hostname: os.hostname(),
-    timestamp: new Date().toISOString(),
-    user: os.userInfo().username,
-    findings: [],
-    alerts: [],
-    summary: {}
-  };
-
-  // Run platform-specific checks
-  if (PLATFORM === 'win32') {
-    result.findings = windowsChecks();
-  } else if (PLATFORM === 'darwin') {
-    result.findings = macChecks();
-  } else {
-    result.findings = linuxChecks();
-  }
-
-  // Extract unique IPs from findings for geo-lookup
-  const allIPs = new Set();
-  for (const f of result.findings) {
-    if (typeof f.data === 'string') {
-      for (const ip of extractPublicIPs(f.data)) {
-        allIPs.add(ip);
-      }
-    }
-  }
-
-  // Batch geo-IP lookup
-  if (allIPs.size > 0 && !options.skipGeo) {
-    const geoResults = await batchGeoIP([...allIPs]);
-    result.geoIP = {};
-
-    for (const [ip, geo] of Object.entries(geoResults)) {
-      result.geoIP[ip] = {
-        country: geo.country,
-        countryCode: geo.countryCode,
-        city: geo.city,
-        isp: geo.isp,
-        org: geo.org
-      };
-
-      // Flag suspicious countries
-      if (SUSPICIOUS_GEOS.includes(geo.countryCode)) {
-        result.alerts.push({
-          severity: 'HIGH',
-          message: `Connection from suspicious country: ${ip} → ${geo.country} (${geo.city}) [${geo.isp}]`,
-          ip,
-          geo
-        });
-      }
-    }
-  }
-
-  // Analyze findings for alerts
-  for (const f of result.findings) {
-    if (typeof f.data === 'string') {
-      if (f.data.includes('[!]') || f.data.includes('[!!]')) {
-        result.alerts.push({
-          severity: f.data.includes('[!!]') ? 'HIGH' : 'MEDIUM',
-          message: `${f.check}: ${f.data.split('\n').find(l => l.includes('[!]')) || f.data.substring(0, 200)}`
-        });
-      }
-    }
-  }
-
-  // Summary
-  result.summary = {
-    totalChecks: result.findings.length,
-    alerts: result.alerts.length,
-    highSeverity: result.alerts.filter(a => a.severity === 'HIGH').length,
-    mediumSeverity: result.alerts.filter(a => a.severity === 'MEDIUM').length,
-    uniqueExternalIPs: allIPs.size,
-    suspiciousGeoIPs: result.alerts.filter(a => a.ip).length,
-    duration: Date.now() - startTime
-  };
-
-  result.verdict = result.summary.highSeverity > 0
-    ? 'INVESTIGATE - High severity alerts found'
-    : result.summary.mediumSeverity > 0
-      ? 'REVIEW - Medium severity items found'
-      : 'CLEAN - No suspicious findings';
-
-  return result;
-}
-
-module.exports = { runAudit, windowsChecks, linuxChecks, macChecks, batchGeoIP, geoIP };