@archpublicwebsite/eslint-config 1.0.15 → 1.0.16

package/tools/security/safe-reinstall.sh

@@ -0,0 +1,179 @@
+#!/usr/bin/env bash
+# =============================================================================
+# safe-reinstall.sh
+# Clean node_modules reinstall — post-PolinRider incident (June 2026)
+#
+# What it does:
+#   1. Verifies ignore-scripts=true is set       (blocks postinstall hooks)
+#   2. Scans config files for PolinRider IOCs    (abort if still infected)
+#   3. Removes all node_modules directories      (including monorepo packages)
+#   4. Clears the package manager cache          (npm / pnpm / yarn)
+#   5. Reinstalls strictly from lockfile         (npm ci / pnpm --frozen-lockfile)
+#
+# Usage — single repo:
+#   cd /path/to/your/repo && bash safe-reinstall.sh
+#
+# Usage — all repos in a folder at once:
+#   for dir in ~/code/*/; do
+#     [ -f "$dir/package.json" ] && echo "── $dir" && (cd "$dir" && bash ~/safe-reinstall.sh)
+#   done
+# =============================================================================
+
+set -euo pipefail
+
+CHECK_ONLY=false
+if [[ "${1:-}" == "--check-only" ]]; then
+  CHECK_ONLY=true
+fi
+
+# ── Colours ───────────────────────────────────────────────────────────────────
+BLUE='\033[0;34m'; GREEN='\033[0;32m'
+YELLOW='\033[1;33m'; RED='\033[0;31m'; NC='\033[0m'
+
+step() { echo -e "\n${BLUE}[→]${NC} $1"; }
+ok()   { echo -e "${GREEN}[✓]${NC} $1"; }
+warn() { echo -e "${YELLOW}[!]${NC} $1"; }
+fail() { echo -e "${RED}[✗]${NC} $1"; exit 1; }
+hr()   { echo -e "${BLUE}────────────────────────────────────────────────────${NC}"; }
+
+hr
+echo -e "${BLUE}  Safe Reinstall  ·  Post-PolinRider (Jun 2026)${NC}"
+echo -e "  Repo: ${YELLOW}$(basename "$PWD")${NC}"
+hr
+
+# ── Step 1 — Verify we are inside a JS/TS project ────────────────────────────
+step "Checking project root..."
+[[ -f "package.json" ]] \
+  || fail "No package.json found. cd into the root of a JS/TS repo first."
+ok "package.json found"
+
+# ── Step 2 — Enforce ignore-scripts=true ─────────────────────────────────────
+step "Verifying ignore-scripts protection..."
+if npm config get ignore-scripts 2>/dev/null | grep -q "^true$"; then
+  ok "ignore-scripts=true is set — postinstall hooks are blocked"
+else
+  if [[ "$CHECK_ONLY" == "true" ]]; then
+    fail "ignore-scripts is NOT set in ~/.npmrc. Run: npm config set ignore-scripts true"
+  fi
+
+  warn "ignore-scripts is NOT set in ~/.npmrc"
+  warn "Without this, reinstalling could re-trigger the malware."
+  read -rp "  Add ignore-scripts=true to ~/.npmrc now? (y/N): " CONFIRM
+  if [[ "$CONFIRM" =~ ^[Yy]$ ]]; then
+    npm config set ignore-scripts true
+    ok "ignore-scripts=true added to ~/.npmrc"
+  else
+    fail "Aborted. Add 'ignore-scripts=true' to ~/.npmrc manually and re-run."
+  fi
+fi
+
+# ── Step 3 — IOC scan (abort if the repo is still infected) ──────────────────
+step "Scanning config files for PolinRider IOC markers..."
+
+IOC_FILES=()
+
+while IFS= read -r file; do
+  if grep -qE \
+    "9-0224-2|9-857-1|global\[.!\.\]|createRequire.*import\.meta\.url" \
+    "$file" 2>/dev/null; then
+    IOC_FILES+=("$file")
+  fi
+done < <(find . \
+  -not -path "*/node_modules/*" \
+  -not -path "*/.git/*" \
+  \( -name "eslint.config.*"  \
+     -o -name "postcss.config.*" \
+     -o -name "vite.config.*"  \
+     -o -name "webpack.config.*" \) \
+  -type f 2>/dev/null)
+
+if (( ${#IOC_FILES[@]} > 0 )); then
+  warn "IOC markers detected in ${#IOC_FILES[@]} file(s):"
+  for f in "${IOC_FILES[@]}"; do
+    echo -e "    ${RED}$f${NC}"
+  done
+  echo ""
+  fail "This repo still has infected config files. Clean them first (see Security-Remediation-Runbook-2026-06.md) then re-run this script."
+fi
+
+ok "No IOC markers found — config files are clean"
+
+# ── Step 4 — Detect package manager from lockfile ────────────────────────────
+step "Detecting package manager..."
+
+if [[ -f "pnpm-lock.yaml" ]]; then
+  PKG_MGR="pnpm"
+  LOCKFILE="pnpm-lock.yaml"
+  INSTALL_CMD="pnpm install --frozen-lockfile"
+  command -v pnpm >/dev/null 2>&1 \
+    || fail "pnpm not found. Install it with: npm install -g pnpm"
+
+elif [[ -f "package-lock.json" ]]; then
+  PKG_MGR="npm"
+  LOCKFILE="package-lock.json"
+  INSTALL_CMD="npm ci"
+
+elif [[ -f "yarn.lock" ]]; then
+  PKG_MGR="yarn"
+  LOCKFILE="yarn.lock"
+  INSTALL_CMD="yarn install --frozen-lockfile"
+  command -v yarn >/dev/null 2>&1 \
+    || fail "yarn not found. Install it with: npm install -g yarn"
+
+else
+  fail "No lockfile found (pnpm-lock.yaml / package-lock.json / yarn.lock). A lockfile is required to guarantee a safe reinstall."
+fi
+
+ok "Package manager: $PKG_MGR  ·  lockfile: $LOCKFILE"
+ok "Install command: $INSTALL_CMD"
+
+if [[ "$CHECK_ONLY" == "true" ]]; then
+  step "Checking node_modules safety status..."
+  NM_COUNT=$(find . -name "node_modules" -type d -prune 2>/dev/null | wc -l | tr -d ' ')
+  ok "node_modules directories detected: $NM_COUNT"
+
+  hr
+  echo -e "${GREEN}  ✓  $(basename "$PWD")  →  safe checks complete (no reinstall executed)${NC}"
+  hr
+  echo ""
+  exit 0
+fi
+
+# ── Step 5 — Remove all node_modules ─────────────────────────────────────────
+step "Removing node_modules..."
+
+NM_COUNT=$(find . -name "node_modules" -type d -prune 2>/dev/null | wc -l | tr -d ' ')
+
+if (( NM_COUNT > 1 )); then
+  warn "Monorepo: found $NM_COUNT node_modules directories — removing all"
+fi
+
+find . -name "node_modules" -type d -prune -exec rm -rf '{}' + 2>/dev/null || true
+
+ok "Removed $NM_COUNT node_modules director$( (( NM_COUNT == 1 )) && echo 'y' || echo 'ies' )"
+
+# ── Step 6 — Clear package manager cache ─────────────────────────────────────
+step "Clearing $PKG_MGR cache..."
+
+case "$PKG_MGR" in
+  pnpm) pnpm store prune 2>/dev/null || true  ;;
+  npm)  npm cache clean --force               ;;
+  yarn) yarn cache clean                      ;;
+esac
+
+ok "$PKG_MGR cache cleared"
+
+# ── Step 7 — Reinstall strictly from lockfile ─────────────────────────────────
+step "Reinstalling from $LOCKFILE..."
+echo ""
+
+eval "$INSTALL_CMD"
+
+echo ""
+ok "Dependencies installed from lockfile"
+
+# ── Done ──────────────────────────────────────────────────────────────────────
+hr
+echo -e "${GREEN}  ✓  $(basename "$PWD")  →  clean reinstall complete${NC}"
+hr
+echo ""

package/tools/security/scan-global.sh

@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+# =============================================================================
+# scan-global.sh
+# Scan global node_modules and caches for PolinRider IOC markers.
+# Run once per machine — no need to be inside any repo.
+#
+# Locations scanned:
+#   • npm global node_modules      (npm root -g)
+#   • All nvm node versions        (~/.nvm/versions/node/*/lib/node_modules)
+#   • pnpm global node_modules     (pnpm root -g)
+#   • pnpm store                   (pnpm store path)
+#   • npx cache                    (~/.npm/_npx)
+#
+# Usage:
+#   bash scan-global.sh
+# =============================================================================
+
+set -euo pipefail
+
+GREEN='\033[0;32m'; YELLOW='\033[1;33m'; RED='\033[0;31m'
+BLUE='\033[0;34m'; GRAY='\033[0;90m'; NC='\033[0m'
+
+step() { echo -e "\n${BLUE}[→]${NC} $1"; }
+ok()   { echo -e "${GREEN}[✓]${NC} $1"; }
+warn() { echo -e "${YELLOW}[!]${NC} $1"; }
+skip() { echo -e "${GRAY}[–]${NC} $1"; }
+hr()   { echo -e "${BLUE}────────────────────────────────────────────────────${NC}"; }
+
+# IOC patterns: payload markers + C2 hosts from the incident report
+IOC_PATTERN="9-0224-2|9-857-1|trongrid\.io|aptoslabs\.com|bsc-dataseed\.binance|publicnode\.com"
+
+SCAN_DIRS=()   # entries formatted as "label|path"
+TOTAL_HITS=0
+
+hr
+echo -e "${BLUE}  Global IOC Scan  ·  Post-PolinRider (Jun 2026)${NC}"
+echo -e "  Host: $(hostname)"
+hr
+
+# ── Collect scan targets ──────────────────────────────────────────────────────
+
+# 1. npm global node_modules
+step "Locating npm global node_modules..."
+NPM_GLOBAL=$(npm root -g 2>/dev/null || echo "")
+if [[ -n "$NPM_GLOBAL" && -d "$NPM_GLOBAL" ]]; then
+  SCAN_DIRS+=("npm global|$NPM_GLOBAL")
+  ok "$NPM_GLOBAL"
+else
+  skip "npm global not found"
+fi
+
+# 2. All nvm-managed node versions
+step "Locating nvm node_modules..."
+NVM_BASE="${NVM_DIR:-$HOME/.nvm}/versions/node"
+if [[ -d "$NVM_BASE" ]]; then
+  while IFS= read -r ver; do
+    nm="$ver/lib/node_modules"
+    if [[ -d "$nm" ]]; then
+      SCAN_DIRS+=("nvm $(basename "$ver")|$nm")
+      ok "$nm"
+    fi
+  done < <(find "$NVM_BASE" -maxdepth 1 -mindepth 1 -type d 2>/dev/null | sort)
+else
+  skip "nvm not found (checked $NVM_BASE)"
+fi
+
+# 3. pnpm global node_modules
+step "Locating pnpm global node_modules..."
+if command -v pnpm >/dev/null 2>&1; then
+  PNPM_GLOBAL=$(pnpm root -g 2>/dev/null || echo "")
+  if [[ -n "$PNPM_GLOBAL" && -d "$PNPM_GLOBAL" ]]; then
+    SCAN_DIRS+=("pnpm global|$PNPM_GLOBAL")
+    ok "$PNPM_GLOBAL"
+  else
+    skip "pnpm global node_modules not found"
+  fi
+else
+  skip "pnpm not installed"
+fi
+
+# 4. pnpm store (content-addressable cache)
+step "Locating pnpm store..."
+if command -v pnpm >/dev/null 2>&1; then
+  PNPM_STORE=$(pnpm store path 2>/dev/null || echo "")
+  if [[ -n "$PNPM_STORE" && -d "$PNPM_STORE" ]]; then
+    SCAN_DIRS+=("pnpm store|$PNPM_STORE")
+    warn "pnpm store can be large — this may take a moment"
+    warn "$PNPM_STORE"
+  else
+    skip "pnpm store not found"
+  fi
+else
+  skip "pnpm not installed"
+fi
+
+# 5. npx cache
+step "Locating npx cache..."
+NPM_CACHE=$(npm config get cache 2>/dev/null || echo "$HOME/.npm")
+NPX_CACHE="$NPM_CACHE/_npx"
+if [[ -d "$NPX_CACHE" ]]; then
+  SCAN_DIRS+=("npx cache|$NPX_CACHE")
+  ok "$NPX_CACHE"
+else
+  skip "npx cache not found at $NPX_CACHE"
+fi
+
+# ── Run scan ──────────────────────────────────────────────────────────────────
+
+echo ""
+hr
+echo -e "${BLUE}  Scanning ${#SCAN_DIRS[@]} location(s)...${NC}"
+hr
+
+for ENTRY in "${SCAN_DIRS[@]}"; do
+  LABEL="${ENTRY%%|*}"
+  DIR="${ENTRY##*|}"
+
+  echo -e "\n${BLUE}[→]${NC} ${LABEL}"
+  echo -e "    ${GRAY}${DIR}${NC}"
+
+  HITS=$(grep -rl \
+    --include="*.js" --include="*.mjs" --include="*.cjs" \
+    -E "$IOC_PATTERN" "$DIR" 2>/dev/null || true)
+
+  if [[ -z "$HITS" ]]; then
+    ok "Clean"
+  else
+    HIT_COUNT=$(echo "$HITS" | grep -c "." || true)
+    echo -e "${RED}[✗]${NC} IOC markers found in ${HIT_COUNT} file(s):"
+    while IFS= read -r f; do
+      echo -e "    ${RED}${f}${NC}"
+      PREVIEW=$(grep -m1 -oE ".{0,30}(${IOC_PATTERN}).{0,30}" "$f" 2>/dev/null || true)
+      [[ -n "$PREVIEW" ]] && echo -e "    ${GRAY}→ ${PREVIEW}${NC}"
+    done <<< "$HITS"
+    TOTAL_HITS=$((TOTAL_HITS + HIT_COUNT))
+  fi
+done
+
+# ── Summary ───────────────────────────────────────────────────────────────────
+
+echo ""
+hr
+if [[ "$TOTAL_HITS" -eq 0 ]]; then
+  echo -e "${GREEN}  ✓  All ${#SCAN_DIRS[@]} location(s) clean — machine is clear${NC}"
+else
+  echo -e "${RED}  ✗  IOC markers found in ${TOTAL_HITS} file(s) across global locations${NC}"
+  echo ""
+  echo -e "${YELLOW}  Recommended next steps:${NC}"
+  echo -e "${YELLOW}  1. npm cache clean --force${NC}"
+  echo -e "${YELLOW}  2. pnpm store prune          (if pnpm is installed)${NC}"
+  echo -e "${YELLOW}  3. Identify and remove the flagged packages globally${NC}"
+  echo -e "${YELLOW}  4. See: Security-Remediation-Runbook-2026-06.md${NC}"
+fi
+hr
+echo ""