@aikidosec/safe-chain 1.4.3 → 1.4.7

package/README.md

@@ -7,7 +7,7 @@
 
 - ✅ **Block malware on developer laptops and CI/CD**
 - ✅ **Supports npm and PyPI** more package managers coming
-- ✅ **Blocks packages newer than 24 hours** without breaking your build
+- ✅ **Blocks packages newer than 48 hours** without breaking your build
 - ✅ **Tokenless, free, no build data shared**
 
 Aikido Safe Chain supports the following package managers:
@@ -111,11 +111,20 @@ safe-chain --version
 
 The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry and PyPI. When you run npm, npx, yarn, pnpm, pnpx, bun, bunx, pip, pip3, uv, poetry or pipx commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.
 
-### Minimum package age (npm only)
+### Minimum package age
 
-For npm packages, Safe Chain temporarily suppresses packages published within the last 24 hours (by default) until they have been validated against malware. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can configure this threshold or bypass this protection entirely - see the [Minimum Package Age Configuration](#minimum-package-age) section below.
+Safe Chain applies minimum package age checks to supported ecosystems.
 
-⚠️ This feature **only applies to npm-based package managers** (npm, npx, yarn, pnpm, pnpx, bun, bunx) and does not apply to Python package managers (uv, pip, pip3, poetry, pipx).
+Current enforcement differs by ecosystem:
+
+- npm-based package managers:
+  - during normal package resolution, Safe Chain suppresses versions that are newer than the configured minimum age from the package metadata returned by the registry
+  - for direct package download requests that bypass that metadata flow, Safe Chain can block the request itself using a cached list of newly released packages
+- Python package managers:
+  - during package resolution, Safe Chain suppresses too-young files and releases from PyPI metadata responses
+  - for direct package download requests that bypass that metadata flow, Safe Chain can block the request itself using a cached list of newly released packages
+
+By default, the minimum package age is 48 hours. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can configure this threshold or bypass this protection entirely - see the [Minimum Package Age Configuration](#minimum-package-age) section below.
 
 ### Shell Integration
 
@@ -183,7 +192,17 @@ You can set the logging level through multiple sources (in order of priority):
 
 ## Minimum Package Age
 
-You can configure how long packages must exist before Safe Chain allows their installation. By default, packages must be at least 24 hours old before they can be installed through npm-based package managers.
+You can configure how long packages must exist before Safe Chain allows their installation. By default, packages must be at least 48 hours old before they can be installed.
+
+For npm-based package managers, this check currently has two enforcement modes:
+
+- Safe Chain suppresses too-young versions from package metadata during normal dependency resolution.
+- Safe Chain blocks direct package download requests when they are matched against the cached newly released packages list.
+
+For Python package managers, this check currently has two enforcement modes:
+
+- Safe Chain suppresses too-young files and releases from PyPI metadata during dependency resolution.
+- Safe Chain blocks direct package download requests when they are matched against the cached newly released packages list.
 
 ### Configuration Options
 
@@ -202,7 +221,7 @@ You can set the minimum package age through multiple sources (in order of priori
    npm install express
    ```
 
-3. **Config File** (`~/.aikido/config.json`):
+3. **Config File** (`~/.safe-chain/config.json`):
 
    ```json
    {
@@ -215,13 +234,16 @@ You can set the minimum package age through multiple sources (in order of priori
 Exclude trusted packages from minimum age filtering via environment variable or config file (both are merged). Use `@scope/*` to trust all packages from an organization:
 
 ```shell
-export SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS="@aikidosec/*"
+export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS="@aikidosec/*"
 ```
 
 ```json
 {
   "npm": {
     "minimumPackageAgeExclusions": ["@aikidosec/*"]
+  },
+  "pip": {
+    "minimumPackageAgeExclusions": ["requests"]
   }
 }
 ```
@@ -246,7 +268,7 @@ You can set custom registries through environment variable or config file. Both
    export SAFE_CHAIN_PIP_CUSTOM_REGISTRIES="pip.company.com,registry.internal.net"
    ```
 
-2. **Config File** (`~/.aikido/config.json`):
+2. **Config File** (`~/.safe-chain/config.json`):
 
    ```json
    {
@@ -259,6 +281,41 @@ You can set custom registries through environment variable or config file. Both
    }
    ```
 
+## Malware List Base URL
+
+Configure Safe Chain to fetch malware databases and new packages lists from a custom mirror URL. This allows you to host your own copy of the Aikido malware database.
+
+### Configuration Options
+
+You can set the malware list base URL through multiple sources (in order of priority):
+
+1. **CLI Argument** (highest priority):
+
+   ```shell
+   npm install express --safe-chain-malware-list-base-url=https://your-mirror.com
+   ```
+
+2. **Environment Variable**:
+
+   ```shell
+   export SAFE_CHAIN_MALWARE_LIST_BASE_URL=https://your-mirror.com
+   npm install express
+   ```
+
+3. **Config File** (`~/.safe-chain/config.json`):
+
+   ```json
+   {
+     "malwareListBaseUrl": "https://your-mirror.com"
+   }
+   ```
+
+The base URL should point to a server that mirrors the structure of `https://malware-list.aikido.dev/`, including the following paths:
+- `/malware_predictions.json` (JavaScript ecosystem malware database)
+- `/malware_pypi.json` (Python ecosystem malware database)
+- `/releases/npm.json` (JavaScript new packages list)
+- `/releases/pypi.json` (Python new packages list)
+
 # Usage in CI/CD
 
 You can protect your CI/CD pipelines from malicious packages by integrating Aikido Safe Chain into your build process. This ensures that any packages installed during your automated builds are checked for malware before installation.

package/bin/safe-chain.js

@@ -16,14 +16,6 @@ import path from "path";
 import { fileURLToPath } from "url";
 import fs from "fs";
 import { knownAikidoTools } from "../src/shell-integration/helpers.js";
-import {
-  installUltimate,
-  uninstallUltimate,
-} from "../src/installation/installUltimate.js";
-import {
-  printUltimateLogs,
-  troubleshootingExport,
-} from "../src/ultimate/ultimateTroubleshooting.js";
 
 /** @type {string} */
 // This checks the current file's dirname in a way that's compatible with:
@@ -70,39 +62,6 @@ if (tool) {
   process.exit(0);
 } else if (command === "setup") {
   setup();
-} else if (command === "ultimate") {
-  const cliArgs = initializeCliArguments(process.argv.slice(2));
-  const subCommand = cliArgs[1];
-  if (subCommand === "uninstall") {
-    guardCliArgsMaxLenght(2, cliArgs, "safe-chain ultimate uninstall");
-    (async () => {
-      await uninstallUltimate();
-    })();
-  } else if (subCommand === "troubleshooting-logs") {
-    guardCliArgsMaxLenght(
-      2,
-      cliArgs,
-      "safe-chain ultimate troubleshooting-logs",
-    );
-    (async () => {
-      await printUltimateLogs();
-    })();
-  } else if (subCommand === "troubleshooting-export") {
-    guardCliArgsMaxLenght(
-      2,
-      cliArgs,
-      "safe-chain ultimate troubleshooting-export",
-    );
-    (async () => {
-      await troubleshootingExport();
-    })();
-  } else {
-    guardCliArgsMaxLenght(1, cliArgs, "safe-chain ultimate");
-    // Install command = when no subcommand is provided (safe-chain ultimate)
-    (async () => {
-      await installUltimate();
-    })();
-  }
 } else if (command === "teardown") {
   teardown();
   teardownDirectories();
@@ -121,22 +80,6 @@ if (tool) {
   process.exit(1);
 }
 
-/**
- * @param {Number} maxLength
- * @param {String[]} args
- * @param {String} command
- */
-function guardCliArgsMaxLenght(maxLength, args, command) {
-  if (args.length > maxLength) {
-    ui.writeError(`Unexpected number of arguments for command ${command}.`);
-    ui.emptyLine();
-
-    writeHelp();
-
-    process.exit(1);
-  }
-}
-
 function writeHelp() {
   ui.writeInformation(
     chalk.bold("Usage: ") + chalk.cyan("safe-chain <command>"),
@@ -145,7 +88,7 @@ function writeHelp() {
   ui.writeInformation(
     `Available commands: ${chalk.cyan("setup")}, ${chalk.cyan(
       "teardown",
-    )}, ${chalk.cyan("setup-ci")}, ${chalk.cyan("ultimate")}, ${chalk.cyan("help")}, ${chalk.cyan(
+    )}, ${chalk.cyan("setup-ci")}, ${chalk.cyan("help")}, ${chalk.cyan(
       "--version",
     )}`,
   );
@@ -171,29 +114,6 @@ function writeHelp() {
     )}): Display the current version of safe-chain.`,
   );
   ui.emptyLine();
-  ui.writeInformation(chalk.bold("Ultimate commands:"));
-  ui.emptyLine();
-  ui.writeInformation(
-    `- ${chalk.cyan(
-      "safe-chain ultimate",
-    )}: Install the ultimate version of safe-chain, enabling protection for more eco-systems.`,
-  );
-  ui.writeInformation(
-    `- ${chalk.cyan(
-      "safe-chain ultimate troubleshooting-logs",
-    )}: Prints standard and error logs for safe-chain ultimate and it's proxy.`,
-  );
-  ui.writeInformation(
-    `- ${chalk.cyan(
-      "safe-chain ultimate troubleshooting-export",
-    )}: Creates a zip archive of useful data for troubleshooting safe-chain ultimate, that can be shared with our support team.`,
-  );
-  ui.writeInformation(
-    `- ${chalk.cyan(
-      "safe-chain ultimate uninstall",
-    )}: Uninstall the ultimate version of safe-chain.`,
-  );
-  ui.emptyLine();
 }
 
 async function getVersion() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/safe-chain",
-  "version": "1.4.3",
+  "version": "1.4.7",
   "scripts": {
     "test": "node --test --experimental-test-module-mocks 'src/**/*.spec.js'",
     "test:watch": "node --test --watch --experimental-test-module-mocks 'src/**/*.spec.js'",

package/src/api/aikido.js

@@ -3,14 +3,22 @@ import {
   getEcoSystem,
   ECOSYSTEM_JS,
   ECOSYSTEM_PY,
+  getMalwareListBaseUrl,
 } from "../config/settings.js";
 import { ui } from "../environment/userInteraction.js";
 
-const malwareDatabaseUrls = {
-  [ECOSYSTEM_JS]: "https://malware-list.aikido.dev/malware_predictions.json",
-  [ECOSYSTEM_PY]: "https://malware-list.aikido.dev/malware_pypi.json",
+const malwareDatabasePaths = {
+  [ECOSYSTEM_JS]: "malware_predictions.json",
+  [ECOSYSTEM_PY]: "malware_pypi.json",
 };
 
+const newPackagesListPaths = {
+  [ECOSYSTEM_JS]: "releases/npm.json",
+  [ECOSYSTEM_PY]: "releases/pypi.json",
+};
+
+const DEFAULT_FETCH_RETRY_ATTEMPTS = 4;
+
 /**
  * @typedef {Object} MalwarePackage
  * @property {string} package_name
@@ -18,18 +26,26 @@ const malwareDatabaseUrls = {
  * @property {string} reason
  */
 
+/**
+ * @typedef {Object} NewPackageEntry
+ * @property {string} [source]
+ * @property {string} package_name
+ * @property {string} version
+ * @property {number} released_on  - Unix timestamp (seconds)
+ * @property {number} scraped_on   - Unix timestamp (seconds)
+ */
+
 /**
  * @returns {Promise<{malwareDatabase: MalwarePackage[], version: string | undefined}>}
  */
 export async function fetchMalwareDatabase() {
-  const numberOfAttempts = 4;
-
   return retry(async () => {
     const ecosystem = getEcoSystem();
-    const malwareDatabaseUrl =
-      malwareDatabaseUrls[
-        /** @type {keyof typeof malwareDatabaseUrls} */ (ecosystem)
-      ];
+    const baseUrl = getMalwareListBaseUrl();
+    const path = malwareDatabasePaths[
+      /** @type {keyof typeof malwareDatabasePaths} */ (ecosystem)
+    ];
+    const malwareDatabaseUrl = `${baseUrl}/${path}`;
     const response = await fetch(malwareDatabaseUrl);
     if (!response.ok) {
       throw new Error(
@@ -46,21 +62,20 @@ export async function fetchMalwareDatabase() {
     } catch (/** @type {any} */ error) {
       throw new Error(`Error parsing malware database: ${error.message}`);
     }
-  }, numberOfAttempts);
+  }, DEFAULT_FETCH_RETRY_ATTEMPTS);
 }
 
 /**
  * @returns {Promise<string | undefined>}
  */
 export async function fetchMalwareDatabaseVersion() {
-  const numberOfAttempts = 4;
-
   return retry(async () => {
     const ecosystem = getEcoSystem();
-    const malwareDatabaseUrl =
-      malwareDatabaseUrls[
-        /** @type {keyof typeof malwareDatabaseUrls} */ (ecosystem)
-      ];
+    const baseUrl = getMalwareListBaseUrl();
+    const path = malwareDatabasePaths[
+      /** @type {keyof typeof malwareDatabasePaths} */ (ecosystem)
+    ];
+    const malwareDatabaseUrl = `${baseUrl}/${path}`;
     const response = await fetch(malwareDatabaseUrl, {
       method: "HEAD",
     });
@@ -71,7 +86,67 @@ export async function fetchMalwareDatabaseVersion() {
       );
     }
     return response.headers.get("etag") || undefined;
-  }, numberOfAttempts);
+  }, DEFAULT_FETCH_RETRY_ATTEMPTS);
+}
+
+/**
+ * @returns {Promise<{newPackagesList: NewPackageEntry[], version: string | undefined}>}
+ */
+export async function fetchNewPackagesList() {
+  return retry(async () => {
+    const ecosystem = getEcoSystem();
+    const baseUrl = getMalwareListBaseUrl();
+    const path = newPackagesListPaths[/** @type {keyof typeof newPackagesListPaths} */ (ecosystem)];
+
+    if (!path) {
+      return { newPackagesList: [], version: undefined };
+    }
+
+    const url = `${baseUrl}/${path}`;
+
+    const response = await fetch(url);
+    if (!response.ok) {
+      throw new Error(
+        `Error fetching ${ecosystem} new packages list: ${response.statusText}`
+      );
+    }
+
+    try {
+      const newPackagesList = await response.json();
+      return {
+        newPackagesList,
+        version: response.headers.get("etag") || undefined,
+      };
+    } catch (/** @type {any} */ error) {
+      throw new Error(`Error parsing new packages list: ${error.message}`);
+    }
+  }, DEFAULT_FETCH_RETRY_ATTEMPTS);
+}
+
+/**
+ * @returns {Promise<string | undefined>}
+ */
+export async function fetchNewPackagesListVersion() {
+  return retry(async () => {
+    const ecosystem = getEcoSystem();
+    const baseUrl = getMalwareListBaseUrl();
+    const path = newPackagesListPaths[/** @type {keyof typeof newPackagesListPaths} */ (ecosystem)];
+
+    if (!path) {
+      return undefined;
+    }
+
+    const url = `${baseUrl}/${path}`;
+
+    const response = await fetch(url, { method: "HEAD" });
+    if (!response.ok) {
+      throw new Error(
+        `Error fetching ${ecosystem} new packages list version: ${response.statusText}`
+      );
+    }
+
+    return response.headers.get("etag") || undefined;
+  }, DEFAULT_FETCH_RETRY_ATTEMPTS);
 }
 
 /**
@@ -91,7 +166,7 @@ async function retry(func, attempts) {
       return await func();
     } catch (error) {
       ui.writeVerbose(
-        "An error occurred while trying to download the Aikido Malware database",
+        "An error occurred while trying to download Aikido data",
         error
       );
       lastError = error;

package/src/config/cliArguments.js

@@ -1,12 +1,13 @@
 import { ui } from "../environment/userInteraction.js";
 
 /**
- * @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined}}
+ * @type {{loggingLevel: string | undefined, skipMinimumPackageAge: boolean | undefined, minimumPackageAgeHours: string | undefined, malwareListBaseUrl: string | undefined}}
  */
 const state = {
   loggingLevel: undefined,
   skipMinimumPackageAge: undefined,
   minimumPackageAgeHours: undefined,
+  malwareListBaseUrl: undefined,
 };
 
 const SAFE_CHAIN_ARG_PREFIX = "--safe-chain-";
@@ -20,6 +21,7 @@ export function initializeCliArguments(args) {
   state.loggingLevel = undefined;
   state.skipMinimumPackageAge = undefined;
   state.minimumPackageAgeHours = undefined;
+  state.malwareListBaseUrl = undefined;
 
   const safeChainArgs = [];
   const remainingArgs = [];
@@ -35,6 +37,7 @@ export function initializeCliArguments(args) {
   setLoggingLevel(safeChainArgs);
   setSkipMinimumPackageAge(safeChainArgs);
   setMinimumPackageAgeHours(safeChainArgs);
+  setMalwareListBaseUrl(safeChainArgs);
   checkDeprecatedPythonFlag(args);
   return remainingArgs;
 }
@@ -109,6 +112,26 @@ export function getMinimumPackageAgeHours() {
   return state.minimumPackageAgeHours;
 }
 
+/**
+ * @param {string[]} args
+ * @returns {void}
+ */
+function setMalwareListBaseUrl(args) {
+  const argName = SAFE_CHAIN_ARG_PREFIX + "malware-list-base-url=";
+
+  const value = getLastArgEqualsValue(args, argName);
+  if (value) {
+    state.malwareListBaseUrl = value;
+  }
+}
+
+/**
+ * @returns {string | undefined}
+ */
+export function getMalwareListBaseUrl() {
+  return state.malwareListBaseUrl;
+}
+
 /**
  * @param {string[]} args
  * @param {string} flagName

package/src/config/configFile.js

@@ -10,6 +10,7 @@ import { getEcoSystem } from "./settings.js";
  * We cannot trust the input and should add the necessary validations
  * @property {unknown | Number} scanTimeout
  * @property {unknown | Number} minimumPackageAgeHours
+ * @property {unknown | string} malwareListBaseUrl
  * @property {unknown | SafeChainRegistryConfiguration} npm
  * @property {unknown | SafeChainRegistryConfiguration} pip
  *
@@ -84,6 +85,18 @@ export function getMinimumPackageAgeHours() {
   return undefined;
 }
 
+/**
+ * Gets the malware list base URL from config file only
+ * @returns {string | undefined}
+ */
+export function getMalwareListBaseUrl() {
+  const config = readConfigFile();
+  if (config.malwareListBaseUrl && typeof config.malwareListBaseUrl === "string") {
+    return config.malwareListBaseUrl;
+  }
+  return undefined;
+}
+
 /**
  * Gets the custom npm registries from the config file (format parsing only, no validation)
  * @returns {string[]}
@@ -129,18 +142,21 @@ export function getPipCustomRegistries() {
 }
 
 /**
- * Gets the minimum package age exclusions from the config file
+ * Gets the minimum package age exclusions from the config file for the current ecosystem
  * @returns {string[]}
  */
-export function getNpmMinimumPackageAgeExclusions() {
+export function getMinimumPackageAgeExclusions() {
   const config = readConfigFile();
+  const ecosystem = getEcoSystem();
+  const registryConfig = ecosystem === "py" ? config.pip : config.npm;
 
-  if (!config || !config.npm) {
+  if (!config || !registryConfig) {
     return [];
   }
 
-  const npmConfig = /** @type {SafeChainRegistryConfiguration} */ (config.npm);
-  const exclusions = npmConfig.minimumPackageAgeExclusions;
+  const typedRegistryConfig =
+    /** @type {SafeChainRegistryConfiguration} */ (registryConfig);
+  const exclusions = typedRegistryConfig.minimumPackageAgeExclusions;
 
   if (!Array.isArray(exclusions)) {
     return [];
@@ -211,6 +227,7 @@ function readConfigFile() {
   const emptyConfig = {
     scanTimeout: undefined,
     minimumPackageAgeHours: undefined,
+    malwareListBaseUrl: undefined,
     npm: {
       customRegistries: undefined,
     },
@@ -248,11 +265,52 @@ function getDatabaseVersionPath() {
   return path.join(aikidoDir, `version_${ecosystem}.txt`);
 }
 
+/**
+ * @returns {string}
+ */
+export function getNewPackagesListPath() {
+  const safeChainDir = getSafeChainDirectory();
+  const ecosystem = getEcoSystem();
+  return path.join(safeChainDir, `newPackagesList_${ecosystem}.json`);
+}
+
+/**
+ * @returns {string}
+ */
+export function getNewPackagesListVersionPath() {
+  const safeChainDir = getSafeChainDirectory();
+  const ecosystem = getEcoSystem();
+  return path.join(safeChainDir, `newPackagesList_version_${ecosystem}.txt`);
+}
+
 /**
  * @returns {string}
  */
 function getConfigFilePath() {
-  return path.join(getAikidoDirectory(), "config.json");
+  const primaryPath = path.join(getSafeChainDirectory(), "config.json");
+  if (fs.existsSync(primaryPath)) {
+    return primaryPath;
+  }
+
+  const legacyPath = path.join(getAikidoDirectory(), "config.json");
+  if (fs.existsSync(legacyPath)) {
+    return legacyPath;
+  }
+
+  return primaryPath;
+}
+
+/**
+ * @returns {string}
+ */
+export function getSafeChainDirectory() {
+  const homeDir = os.homedir();
+  const safeChainDir = path.join(homeDir, ".safe-chain");
+
+  if (!fs.existsSync(safeChainDir)) {
+    fs.mkdirSync(safeChainDir, { recursive: true });
+  }
+  return safeChainDir;
 }
 
 /**

package/src/config/environmentVariables.js

@@ -41,6 +41,17 @@ export function getLoggingLevel() {
  * Example: "react,@aikidosec/safe-chain,lodash"
  * @returns {string | undefined}
  */
-export function getNpmMinimumPackageAgeExclusions() {
-  return process.env.SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS;
+export function getMinimumPackageAgeExclusions() {
+  return process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS ||
+    process.env.SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS;
+}
+
+/**
+ * Gets the malware list base URL from environment variable
+ * Expected format: full URL without trailing slash
+ * Example: "https://malware-list.aikido.dev"
+ * @returns {string | undefined}
+ */
+export function getMalwareListBaseUrl() {
+  return process.env.SAFE_CHAIN_MALWARE_LIST_BASE_URL;
 }

package/src/config/settings.js

@@ -1,6 +1,7 @@
 import * as cliArguments from "./cliArguments.js";
 import * as configFile from "./configFile.js";
 import * as environmentVariables from "./environmentVariables.js";
+import { ui } from "../environment/userInteraction.js";
 
 export const LOGGING_SILENT = "silent";
 export const LOGGING_NORMAL = "normal";
@@ -45,7 +46,7 @@ export function setEcoSystem(setting) {
   ecosystemSettings.ecoSystem = setting;
 }
 
-const defaultMinimumPackageAge = 24;
+const defaultMinimumPackageAge = 48;
 /** @returns {number} */
 export function getMinimumPackageAgeHours() {
   // Priority 1: CLI argument
@@ -188,13 +189,61 @@ function parseExclusionsFromEnv(envValue) {
  * Gets the minimum package age exclusions from both environment variable and config file (merged)
  * @returns {string[]}
  */
-export function getNpmMinimumPackageAgeExclusions() {
+export function getMinimumPackageAgeExclusions() {
   const envExclusions = parseExclusionsFromEnv(
-    environmentVariables.getNpmMinimumPackageAgeExclusions()
+    environmentVariables.getMinimumPackageAgeExclusions()
   );
-  const configExclusions = configFile.getNpmMinimumPackageAgeExclusions();
+  const configExclusions = configFile.getMinimumPackageAgeExclusions();
 
   // Merge both sources and remove duplicates
   const allExclusions = [...envExclusions, ...configExclusions];
   return [...new Set(allExclusions)];
 }
+
+/**
+ * Gets the malware list base URL with priority: CLI argument > environment variable > config file > default
+ * @returns {string}
+ */
+export function getMalwareListBaseUrl() {
+  // Priority 1: CLI argument
+  const cliValue = cliArguments.getMalwareListBaseUrl();
+  if (cliValue) {
+    const url = removeTrailingSlashes(cliValue);
+    ui.writeInformation(`Fetching malware lists from ${url} as defined by CLI argument --safe-chain-malware-list-base-url`);
+    return url;
+  }
+
+  // Priority 2: Environment variable
+  const envValue = environmentVariables.getMalwareListBaseUrl();
+  if (envValue) {
+    const url = removeTrailingSlashes(envValue);
+    ui.writeInformation(`Fetching malware lists from ${url} as defined by environment variable SAFE_CHAIN_MALWARE_LIST_BASE_URL`);
+    return url;
+  }
+
+  // Priority 3: Config file
+  const configValue = configFile.getMalwareListBaseUrl();
+  if (configValue) {
+    const url = removeTrailingSlashes(configValue);
+    ui.writeInformation(`Fetching malware lists from ${url} as defined by config file (malwareListBaseUrl)`);
+    return url;
+  }
+
+  // Default
+  const url = removeTrailingSlashes("https://malware-list.aikido.dev");
+  ui.writeInformation(`Fetching malware lists from ${url} (default)`);
+  return url;
+}
+
+/**
+ * Removes trailing slashes from a URL-like string.
+ * @param {string} value
+ * @returns {string}
+ */
+function removeTrailingSlashes(value) {
+  if (!value || typeof value !== "string") {
+    return value;
+  }
+
+  return value.replace(/\/+$/, "");
+}