@7nsane/zift 2.2.1 → 3.0.0

package/README.md

@@ -1,103 +1,52 @@
-# 🛡️ Zift (v2.0.0)
+# 🛡️ Zift (v3.0.0)
 
 [![npm version](https://img.shields.io/npm/v/@7nsane/zift.svg?style=flat-square)](https://www.npmjs.com/package/@7nsane/zift)
 [![License](https://img.shields.io/npm/l/@7nsane/zift.svg?style=flat-square)](https://www.npmjs.com/package/@7nsane/zift)
 [![Build Status](https://img.shields.io/badge/CI-passing-brightgreen?style=flat-square)](https://github.com/7nsane/zift)
 
-**The Deterministic Pre-install Security Gate for JavaScript Projects.** By using deterministic AST analysis and lightweight variable propagation, Zift identifies potential credential exfiltration, malicious persistence, and obfuscated execution with extreme precision.
+**The Intelligent Ecosystem Security Engine for JavaScript.**
 
-## Installation
+Zift v3.0 is a massive leap forward, moving beyond static analysis into **Cross-File Intelligence** and **Runtime Protection**. It is designed to identify and stop advanced supply-chain attacks (credential exfiltration, reverse-shell droppers) before they hit your production environment.
 
-```bash
-# Install globally to use the 'zift' command anywhere
-npm install -g @7nsane/zift
-```
+## 🚀 Major Features (v3.0.0)
 
-## 🛡️ Secure Your Workflow (Recommended)
+- **🌍 Cross-File Taint Tracking**: Tracks sensitive data (e.g., `process.env.TOKEN`) across `import/export` and `require` boundaries.
+- **🧠 VM-Based De-obfuscation**: Safe, sandboxed evaluation of string manipulation logic (e.g., character arrays, reverse/join) to reveal hidden malicious signals.
+- **🛡️ Zift Shield (Runtime Guard)**: A real-time audit layer for network and shell activity. Run `zift protect` to monitor your app's dependencies in real-world conditions.
+- **🔒 Lockfile Security**: Automatic auditing of `package-lock.json` and `yarn.lock` for registry confusion.
 
-Set up the **Secure npm Wrapper** to audit packages automatically every time you install something.
+## 📦 Quick Start
 
 ```bash
-# 1. Run the setup
-zift setup
-
-# 2. Reload your terminal (or run the command provided by setup)
-
-# 3. Use the --zift flag with your normal npm commands
-npm install <package-name> --zift
-```
-
-## 🔍 Limitations & Blind Spots (v2.0.0)
-
-To maintain a zero-false-positive baseline and high performance, Zift v2 focus on **deterministic behavioral patterns**. It does NOT currently cover:
-
-- **Cross-file Taint**: Taint tracking is limited to intra-file propagation.
-- **Runtime Decryption**: Logic that decrypts and executes memory-only payloads at runtime.
-- **VM-based Execution**: Malicious payloads executed inside isolated virtual machine environments.
-- **Multi-stage Loaders**: Sophisticated multi-hop obfuscation that reconstructs logic over several cycles.
-- **Post-install Generation**: Malicious code generated or downloaded *after* the initial install/preinstall phase.
-
-**Positioning**: Zift is a *Deterministic Pre-install Behavioral Security Gate*. It is designed to catch the most common and damaging malware patterns instantly, not to serve as a complete, multi-layer supply-chain defense.
-
-## License
-MIT
-## Usage
-
-### 🚀 Secure Installer Mode
-Use Zift as a security gate. It will pre-audit the package source into a sandbox, show you the risk score, and ask for permission before the official installation begins.
-
-```bash
-# With the --zift alias (Recommended)
-npm install axios --zift
-
-# Directly using Zift
-zift install gsap
-```
+# 1. Install Zift
+npm install -g @7nsane/zift
 
-### 🔍 Advanced Scanning
-Scan local directories or existing dependencies in your `node_modules`.
+# 2. Setup Secure Wrappers (adds --zift flag to npm/bun/pnpm)
+zift setup
 
-```bash
-# Scan current directory
+# 3. Audit a local project
 zift .
 
-# Scan a specific folder or dependency
-zift ./node_modules/example-pkg
-
-# CI/CD Mode (JSON output + Non-zero exit on high risk)
-zift . --format json
+# 4. Run your application with Active Shield
+zift protect index.js
 ```
 
-## Rule Transparency
-
-Zift uses a multi-phase engine:
-1. **Collection**: Single-pass AST traversal to gather facts (sources, sinks, flows).
-2. **Evaluation**: Deterministic rule matching against collected facts.
-
-### Rule IDs:
-- **ZFT-001 (ENV_EXFILTRATION)**: Detection of environment variables being read and sent over the network.
-- **ZFT-002 (SENSITIVE_FILE_EXFILTRATION)**: Detection of sensitive files (e.g., `.ssh`, `.env`) being read and sent over the network.
-- **ZFT-003 (PERSISTENCE_ATTEMPT)**: Detection of attempts to write to startup directories.
-- **ZFT-004 (OBFUSCATED_EXECUTION)**: Detection of high-entropy strings executed via dynamic constructors.
-
-## Key Features
-- **Deterministic AST Analysis**: O(n) complexity, single-pass scanner.
-- **Zero False Positives**: Verified against React, Express, and ESLint (0.0% FP rate).
-- **Lifecycle Awareness**: Identifies if suspicious code is slated to run during `postinstall`.
-- **Credential Protection**: Detects exfiltration of `process.env` (AWS, SSH keys, etc.) over network sinks.
-
-## Limitations
+## 🔍 How It Works
 
-Transparency is key to trust. As a V1 static analysis tool, Zift has the following scope boundaries:
+Zift uses a **Deterministic AST Analysis** engine. Unlike regex-based scanners, Zift understands the structure of your code. It tracks the flow of data from sensitive **Sources** (like `process.env`) to dangerous **Sinks** (like `fetch` or `child_process.exec`).
 
-- **No Interprocedural Flow**: Variable tracking is restricted to function scope; it does not track data across function boundaries.
-- **No Cross-File Propagation**: Analysis is performed on a per-file basis.
-- **No Dynamic Runtime Analysis**: Zift does not execute code; it cannot detect evasion techniques that only trigger during execution.
+- **Collection**: Single-pass O(n) traversal.
+- **Evaluation**: Priority-based rule matching.
+- **Intelligence**: Cross-file propagation and VM-based reveal.
 
-## Performance Guarantees
+## 🛠️ Commands
 
-- **File Cap**: Files larger than **512KB** are skipped to ensure predictable scan times.
-- **String Cap**: Entropy calculation is skipped for literal strings longer than **2048 characters**.
+| Command | Description |
+| --- | --- |
+| `zift .` | Deep scan of the current directory |
+| `zift install <pkg>` | Pre-audit and install a package securely |
+| `zift protect <app>` | Launch application with **Zift Shield** runtime auditing |
+| `zift setup` | Configure shell aliases for secure package management |
 
 ---
-**Build with confidence. Scan with Zift.** 🛡️
+**Build with confidence. Secure with Zift.** 🛡️

package/bin/zift.js

@@ -23,6 +23,10 @@ async function main() {
     runInit();
     return;
   }
+  if (args[0] === 'protect') {
+    runShield(args.slice(1));
+    return;
+  }
 
   // 2. Detection for bun/pnpm usage
   if (args.includes('--bun')) installer = 'bun';
@@ -238,10 +242,11 @@ function runInit() {
 }
 
 function showHelp() {
-  console.log(chalk.blue.bold('\n🛡️  Zift v2.0.0 - Intelligent Pre-install Security Gate\n'));
+  console.log(chalk.blue.bold('\n🛡️  Zift v3.0.0 - Intelligent Ecosystem Security\n'));
   console.log('Usage:');
   console.log('  zift setup           Secure npm, bun, and pnpm');
   console.log('  zift init            Initialize configuration');
+  console.log('  zift protect <app>   Run application with Zift Shield');
   console.log('  zift install <pkg>   Scan and install package');
   console.log('  zift .               Scan current directory');
   console.log('\nOptions:');
@@ -272,4 +277,18 @@ function printSummary(findings) {
   console.log(chalk.red(`  Critical: ${s.Critical}\n  High:     ${s.High}`));
 }
 
+function runShield(appArgs) {
+  if (appArgs.length === 0) {
+    console.error(chalk.red('❌ Error: Specify an application to protect (e.g., zift protect main.js)'));
+    process.exit(1);
+  }
+
+  const shieldPath = path.join(__dirname, '../src/shield.js');
+  const nodeArgs = ['-r', shieldPath, ...appArgs];
+
+  console.log(chalk.blue(`\n🛡️  Launching with Zift Shield...`));
+  const child = cp.spawn('node', nodeArgs, { stdio: 'inherit' });
+  child.on('exit', (code) => process.exit(code));
+}
+
 main();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@7nsane/zift",
-  "version": "2.2.1",
+  "version": "3.0.0",
   "description": "A high-performance, deterministic security scanner for npm packages.",
   "main": "src/scanner.js",
   "bin": {

package/src/collector.js

@@ -1,5 +1,6 @@
 const acorn = require('acorn');
 const walk = require('acorn-walk');
+const vm = require('node:vm');
 const { calculateEntropy } = require('./utils/entropy');
 
 class ASTCollector {
@@ -24,7 +25,9 @@ class ASTCollector {
             SHELL_EXECUTION: [],
             ENCODER_USE: [],
             REMOTE_FETCH_SIGNAL: [],
-            PIPE_TO_SHELL_SIGNAL: []
+            PIPE_TO_SHELL_SIGNAL: [],
+            EXPORTS: [],
+            IMPORTS: []
         };
         const flows = [];
         const sourceCode = code;
@@ -55,6 +58,57 @@ class ASTCollector {
                     }
                 }
             },
+            ImportDeclaration: (node) => {
+                const source = node.source.value;
+                node.specifiers.forEach(spec => {
+                    facts.IMPORTS.push({
+                        file: filePath,
+                        line: node.loc.start.line,
+                        source,
+                        local: spec.local.name,
+                        imported: spec.type === 'ImportDefaultSpecifier' ? 'default' : (spec.imported ? spec.imported.name : null)
+                    });
+                });
+            },
+            ExportNamedDeclaration: (node) => {
+                if (node.declaration) {
+                    if (node.declaration.type === 'VariableDeclaration') {
+                        node.declaration.declarations.forEach(decl => {
+                            facts.EXPORTS.push({
+                                file: filePath,
+                                line: node.loc.start.line,
+                                name: decl.id.name,
+                                type: 'named'
+                            });
+                        });
+                    } else if (node.declaration.id) {
+                        facts.EXPORTS.push({
+                            file: filePath,
+                            line: node.loc.start.line,
+                            name: node.declaration.id.name,
+                            type: 'named'
+                        });
+                    }
+                }
+                node.specifiers.forEach(spec => {
+                    facts.EXPORTS.push({
+                        file: filePath,
+                        line: node.loc.start.line,
+                        name: spec.exported.name,
+                        local: spec.local.name,
+                        type: 'named'
+                    });
+                });
+            },
+            ExportDefaultDeclaration: (node) => {
+                facts.EXPORTS.push({
+                    file: filePath,
+                    line: node.loc.start.line,
+                    name: 'default',
+                    local: (node.declaration.id ? node.declaration.id.name : (node.declaration.name || null)),
+                    type: 'default'
+                });
+            },
             CallExpression: (node, state, ancestors) => {
                 const calleeCode = sourceCode.substring(node.callee.start, node.callee.end);
 
@@ -66,12 +120,38 @@ class ASTCollector {
                     });
                 }
 
-                if (calleeCode === 'require' && node.arguments.length > 0 && node.arguments[0].type !== 'Literal') {
-                    facts.DYNAMIC_REQUIRE.push({
-                        file: filePath,
-                        line: node.loc.start.line,
-                        variable: sourceCode.substring(node.arguments[0].start, node.arguments[0].end)
-                    });
+                if (calleeCode === 'require' && node.arguments.length > 0) {
+                    if (node.arguments[0].type !== 'Literal') {
+                        facts.DYNAMIC_REQUIRE.push({
+                            file: filePath,
+                            line: node.loc.start.line,
+                            variable: sourceCode.substring(node.arguments[0].start, node.arguments[0].end)
+                        });
+                    } else {
+                        const source = node.arguments[0].value;
+                        const parent = ancestors[ancestors.length - 2];
+                        if (parent && parent.type === 'VariableDeclarator' && parent.id.type === 'Identifier') {
+                            facts.IMPORTS.push({
+                                file: filePath, line: node.loc.start.line, source, local: parent.id.name, imported: 'default'
+                            });
+                        }
+                    }
+                }
+
+                // De-obfuscation Trigger
+                const evaluated = this.tryEvaluate(node, sourceCode);
+                if (evaluated) {
+                    if (this.getNetworkType(evaluated) || this.isShellSink(evaluated) || evaluated === 'eval' || evaluated === 'Function') {
+                        facts.OBFUSCATION.push({
+                            file: filePath,
+                            line: node.loc.start.line,
+                            reason: `De-obfuscated to: ${evaluated}`,
+                            revealed: evaluated
+                        });
+                        if (evaluated === 'eval' || evaluated === 'Function') {
+                            facts.DYNAMIC_EXECUTION.push({ file: filePath, line: node.loc.start.line, type: evaluated });
+                        }
+                    }
                 }
 
                 const netType = this.getNetworkType(calleeCode);
@@ -90,7 +170,6 @@ class ASTCollector {
                         callee: calleeCode
                     });
 
-                    // Signal Analysis: Dropper Patterns
                     node.arguments.forEach(arg => {
                         if (arg.type === 'Literal' && typeof arg.value === 'string') {
                             const val = arg.value.toLowerCase();
@@ -180,6 +259,17 @@ class ASTCollector {
                 }
             },
             AssignmentExpression: (node) => {
+                const leftCode = sourceCode.substring(node.left.start, node.left.end);
+                if (leftCode === 'module.exports' || leftCode.startsWith('exports.')) {
+                    facts.EXPORTS.push({
+                        file: filePath,
+                        line: node.loc.start.line,
+                        name: leftCode === 'module.exports' ? 'default' : leftCode.replace('exports.', ''),
+                        local: (node.right.type === 'Identifier' ? node.right.name : null),
+                        type: leftCode === 'module.exports' ? 'default' : 'named'
+                    });
+                }
+
                 if (node.left.type === 'MemberExpression' && node.right.type === 'Identifier') {
                     const from = sourceCode.substring(node.right.start, node.right.end);
                     const to = sourceCode.substring(node.left.start, node.left.end);
@@ -216,6 +306,7 @@ class ASTCollector {
     }
 
     getNetworkType(calleeCode) {
+        if (typeof calleeCode !== 'string') return null;
         const dnsSinks = ['dns.lookup', 'dns.resolve', 'dns.resolve4', 'dns.resolve6'];
         const rawSocketSinks = ['net.connect', 'net.createConnection'];
         const networkSinks = ['http.request', 'https.request', 'http.get', 'https.get', 'fetch', 'axios', 'request'];
@@ -233,6 +324,7 @@ class ASTCollector {
     }
 
     isShellSink(calleeCode) {
+        if (typeof calleeCode !== 'string') return false;
         const shellSinks = ['child_process.exec', 'child_process.spawn', 'child_process.execSync', 'exec', 'spawn', 'execSync'];
         return shellSinks.some(sink => {
             if (calleeCode === sink) return true;
@@ -243,6 +335,7 @@ class ASTCollector {
     }
 
     isEncoder(calleeCode) {
+        if (typeof calleeCode !== 'string') return false;
         const encoders = ['Buffer.from', 'btoa', 'atob', 'zlib.deflate', 'zlib.gzip', 'crypto.createCipheriv'];
         return encoders.some(enc => calleeCode === enc || calleeCode.endsWith('.' + enc));
     }
@@ -263,6 +356,7 @@ class ASTCollector {
     }
 
     isSensitiveFileRead(calleeCode, node, sourceCode) {
+        if (typeof calleeCode !== 'string') return false;
         if (!calleeCode.includes('fs.readFile') && !calleeCode.includes('fs.readFileSync') &&
             !calleeCode.includes('fs.promises.readFile')) return false;
 
@@ -275,6 +369,7 @@ class ASTCollector {
     }
 
     isStartupFileWrite(calleeCode, node, sourceCode) {
+        if (typeof calleeCode !== 'string') return false;
         if (!calleeCode.includes('fs.writeFile') && !calleeCode.includes('fs.writeFileSync') &&
             !calleeCode.includes('fs.appendFile')) return false;
 
@@ -286,8 +381,19 @@ class ASTCollector {
         return false;
     }
 
-    getSourceCode(node) {
-        return this.sourceCode.substring(node.start, node.end);
+    tryEvaluate(node, sourceCode) {
+        try {
+            const code = sourceCode.substring(node.start, node.end);
+            if (code.includes('process') || code.includes('require') || code.includes('fs') || code.includes('child_process')) return null;
+            if (!code.includes('[') && !code.includes('+') && !code.includes('join') && !code.includes('reverse')) return null;
+
+            const script = new vm.Script(code);
+            const context = vm.createContext({});
+            const result = script.runInContext(context, { timeout: 50 });
+            return typeof result === 'string' ? result : null;
+        } catch (e) {
+            return null;
+        }
     }
 }
 

package/src/scanner.js

@@ -24,6 +24,7 @@ class PackageScanner {
             try { fs.mkdirSync(cacheDir, { recursive: true }); } catch (e) { }
         }
 
+        // Initialize fact storage
         let allFacts = {
             facts: {
                 ENV_READ: [],
@@ -40,14 +41,16 @@ class PackageScanner {
                 ENCODER_USE: [],
                 REMOTE_FETCH_SIGNAL: [],
                 PIPE_TO_SHELL_SIGNAL: [],
-                LIFECYCLE_CONTEXT: []
+                LIFECYCLE_CONTEXT: [],
+                EXPORTS: [],
+                IMPORTS: []
             },
             flows: []
         };
 
         const pkgVersion = require('../package.json').version;
 
-        // Parallel processing with limited concurrency (8 files at a time)
+        // Pass 1: Collection
         const concurrency = 8;
         for (let i = 0; i < files.length; i += concurrency) {
             const chunk = files.slice(i, i + concurrency);
@@ -62,47 +65,84 @@ class PackageScanner {
                 let facts = {}, flows = [];
 
                 if (fs.existsSync(cachePath)) {
-                    // Cache hit: Load metadata
                     try {
                         const cached = JSON.parse(fs.readFileSync(cachePath, 'utf8'));
                         facts = cached.facts || {};
                         flows = cached.flows || [];
                     } catch (e) {
-                        // Corrupt cache: re-scan
                         const result = this.collector.collect(code, file);
                         facts = result.facts;
                         flows = result.flows;
                     }
                 } else {
-                    // Cache miss: Scan and save
                     const result = this.collector.collect(code, file);
                     facts = result.facts;
                     flows = result.flows;
-
-                    try {
-                        fs.writeFileSync(cachePath, JSON.stringify({ facts, flows }));
-                    } catch (e) { }
+                    try { fs.writeFileSync(cachePath, JSON.stringify({ facts, flows })); } catch (e) { }
                 }
 
-                // Merge facts (Synchronized)
                 if (lifecycleFiles.has(file)) {
                     facts.LIFECYCLE_CONTEXT = facts.LIFECYCLE_CONTEXT || [];
                     facts.LIFECYCLE_CONTEXT.push({ file, reason: 'Lifecycle script context detected' });
                 }
 
                 for (const category in facts) {
-                    if (allFacts.facts[category]) {
-                        allFacts.facts[category].push(...facts[category]);
-                    }
+                    if (allFacts.facts[category]) allFacts.facts[category].push(...facts[category]);
                 }
                 allFacts.flows.push(...flows);
             }));
         }
 
+        // Pass 2: Cross-File Taint Resolution
+        this.resolveCrossFileTaint(allFacts);
+
         const findings = this.engine.evaluate(allFacts, lifecycleFiles);
         return this.formatFindings(findings);
     }
 
+    resolveCrossFileTaint(allFacts) {
+        const { facts, flows } = allFacts;
+        const exportMap = new Map(); // file -> exportName -> localName/isTainted
+
+        // 1. Build Export Map
+        facts.EXPORTS.forEach(exp => {
+            if (!exportMap.has(exp.file)) exportMap.set(exp.file, new Map());
+
+            // Check if localName is tainted in this file
+            const isLocalTainted = flows.some(f => f.file === exp.file && f.toVar === exp.local && f.fromVar.includes('process.env'));
+            const isNamedTainted = flows.some(f => f.file === exp.file && f.toVar === exp.name && f.fromVar.includes('process.env'));
+
+            exportMap.get(exp.file).set(exp.name, {
+                local: exp.local,
+                isTainted: isLocalTainted || isNamedTainted
+            });
+        });
+
+        // 2. Propagate to Imports
+        facts.IMPORTS.forEach(imp => {
+            let resolvedPath;
+            if (imp.source.startsWith('.')) {
+                resolvedPath = path.resolve(path.dirname(imp.file), imp.source);
+                if (!resolvedPath.endsWith('.js')) resolvedPath += '.js';
+            }
+
+            if (resolvedPath && exportMap.has(resolvedPath)) {
+                const targetExports = exportMap.get(resolvedPath);
+                const matchedExport = targetExports.get(imp.imported);
+
+                if (matchedExport && matchedExport.isTainted) {
+                    // Mark as a virtual ENV_READ in the importing file
+                    facts.ENV_READ.push({
+                        file: imp.file,
+                        line: imp.line,
+                        variable: `[Cross-File] ${imp.local} (from ${imp.source})`,
+                        isCrossFile: true
+                    });
+                }
+            }
+        });
+    }
+
     async getFiles() {
         // Load .ziftignore
         const ziftIgnorePath = path.join(this.packageDir, '.ziftignore');

package/src/shield.js

@@ -0,0 +1,57 @@
+const diagnostics = require('node:diagnostics_channel');
+
+/**
+ * Zift Shield Runtime Guard
+ * Intercepts network and shell activity at runtime for security auditing.
+ */
+
+function setupShield() {
+    console.warn('🛡️ ZIFT SHIELD ACTIVE: Monitoring suspicious runtime activity...');
+
+    // 1. Monitor Network Activity via diagnostics_channel
+    const netChannel = diagnostics.channel('net.client.socket.request.start');
+    netChannel.subscribe(({ address, port }) => {
+        console.warn(`[ZIFT-SHIELD] 🌐 Outbound Connection: ${address}:${port}`);
+    });
+
+    // 2. Wrap Child Process (for shell command execution)
+    const cp = require('node:child_process');
+    ['exec', 'spawn', 'execSync', 'spawnSync'].forEach(method => {
+        const original = cp[method];
+        cp[method] = function (...args) {
+            const command = args[0];
+            const cmdStr = typeof command === 'string' ? command : (args[1] ? args[1].join(' ') : 'unknown');
+            console.warn(`[ZIFT-SHIELD] 🐚 Shell Execution: ${cmdStr}`);
+
+            // Heuristic Check: Is it a potential dropper?
+            if (cmdStr.includes('curl') || cmdStr.includes('wget') || cmdStr.includes('| sh')) {
+                console.error(`[ZIFT-SHIELD] ⚠️  CRITICAL: Potential Remote Dropper detected in shell execution!`);
+            }
+
+            return original.apply(this, args);
+        };
+    });
+
+    // 3. Monitor HTTP/HTTPS
+    const http = require('node:http');
+    const https = require('node:https');
+    [http, https].forEach(mod => {
+        ['request', 'get'].forEach(method => {
+            const original = mod[method];
+            mod[method] = function (...args) {
+                let url = args[0];
+                if (typeof url === 'object' && url.href) url = url.href;
+                else if (typeof url === 'string') url = url;
+                else url = `${args[0].host || args[0].hostname}${args[0].path || ''}`;
+
+                console.warn(`[ZIFT-SHIELD] 📡 HTTP Request: ${url}`);
+                return original.apply(this, args);
+            };
+        });
+    });
+}
+
+// Auto-activate if required via node -r
+setupShield();
+
+module.exports = { setupShield };