@blamejs/exceptd-skills 0.15.50 → 0.15.52

package/data/framework-control-gaps.json

@@ -544,7 +544,8 @@
     "opened_date": "2026-05-13",
     "evidence_cves": [
       "CVE-2026-45321",
-      "MAL-2026-SHAI-HULUD-OSS"
+      "MAL-2026-SHAI-HULUD-OSS",
+      "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -907,7 +908,9 @@
       "MAL-2026-3083",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-SHAI-HULUD-OSS",
-      "MAL-2026-TANSTACK-MINI"
+      "MAL-2026-TANSTACK-MINI",
+      "CVE-2022-23812",
+      "MAL-2026-MOIKA-DEPCONFUSION"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -2057,7 +2060,9 @@
     "evidence_cves": [
       "CVE-2026-45321",
       "MAL-2026-3083",
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "CVE-2022-23812",
+      "MAL-2026-MOIKA-DEPCONFUSION"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -2098,7 +2103,8 @@
       "CVE-2025-30154",
       "CVE-2026-48027",
       "MAL-2026-SHAI-HULUD-OSS",
-      "MAL-2026-TANSTACK-MINI"
+      "MAL-2026-TANSTACK-MINI",
+      "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM"
     ],
     "atlas_refs": [
       "AML.T0010"
@@ -3668,7 +3674,8 @@
       "CVE-2026-45321",
       "MAL-2026-3083",
       "MAL-2026-NODE-IPC-STEALER",
-      "MAL-2026-SHAI-HULUD-OSS"
+      "MAL-2026-SHAI-HULUD-OSS",
+      "MAL-2026-MOIKA-DEPCONFUSION"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -5900,7 +5907,10 @@
       "CVE-2026-46333",
       "CVE-2026-5760",
       "CVE-2026-9082",
-      "MAL-2026-SHAI-HULUD-OSS"
+      "MAL-2026-SHAI-HULUD-OSS",
+      "CVE-2022-23812",
+      "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM",
+      "MAL-2026-MOIKA-DEPCONFUSION"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6116,7 +6126,10 @@
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",
-      "MAL-2026-TANSTACK-MINI"
+      "MAL-2026-TANSTACK-MINI",
+      "CVE-2022-23812",
+      "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM",
+      "MAL-2026-MOIKA-DEPCONFUSION"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -6707,7 +6720,9 @@
       "CVE-2025-68665",
       "CVE-2025-6965",
       "CVE-2026-22778",
-      "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP"
+      "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP",
+      "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM",
+      "MAL-2026-MOIKA-DEPCONFUSION"
     ],
     "theater_test": {
       "claim": "We are compliant with Art-15 (Accuracy, robustness, and cybersecurity of high-risk AI systems) because we follow the documented requirement: Article 15 — high-risk AI systems must be designed and developed so as to achieve an appropriate level of accuracy, robustness, and cybersecurity throughout their lifecycle. Anchored on the assumption",
@@ -7519,7 +7534,10 @@
     "opened_at": "2026-05-18",
     "evidence_cves": [
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
-      "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER"
+      "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
+      "MAL-2026-MOIKA-DEPCONFUSION",
+      "CVE-2022-23812",
+      "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM"
     ],
     "theater_test": {
       "claim": "We are compliant with A.5.21 (Managing information security in the ICT supply chain) because we follow the documented requirement: Annex A.5.21 — processes and procedures to manage information security risks associated with the ICT supply chain. Anchored on initial vendor / supplier assessment, contractual security clauses, and o",
@@ -8052,7 +8070,8 @@
     "opened_date": "2026-05-28",
     "evidence_cves": [
       "CVE-2025-30066",
-      "CVE-2026-48027"
+      "CVE-2026-48027",
+      "MAL-2026-MOIKA-DEPCONFUSION"
     ],
     "atlas_refs": [
       "AML.T0010"

package/data/playbooks/sbom.json

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "id": "sbom",
-    "version": "1.2.0",
+    "version": "1.3.1",
     "last_threat_review": "2026-05-13",
     "threat_currency_score": 96,
     "changelog": [
@@ -43,6 +43,21 @@
           "nis2-art21-2d",
           "dora-art28"
         ]
+      },
+      {
+        "version": "1.2.1",
+        "date": "2026-05-30",
+        "summary": "Add capability-creep behavioral detector: flags a dependency that gains network / filesystem-write / shell-spawn / credential-access / install-script capability across a version bump (pre-disclosure supply-chain signal), with five false-positive checks and a matching false-positive profile."
+      },
+      {
+        "version": "1.3.0",
+        "date": "2026-05-30",
+        "summary": "Add a package-capability taxonomy (network / filesystem / shell / env / eval / install-script / telemetry / native-binary): a package-capability-surface evidence artifact plus an absolute capability-surface screen that flags a no-CVE package whose install-script combines with shell/network/env/eval (the credential-harvesting delivery shape), complementing the across-version-bump capability-creep detector."
+      },
+      {
+        "version": "1.3.1",
+        "date": "2026-05-30",
+        "summary": "Add three supply-chain detection-depth indicators: typosquat/homoglyph package-name detection (reusing the vendored codepoint-class confusable tables), a static content red-flag screen (obfuscation / high-entropy / trivial-package / eval+dynamic-require, T1027), and a dependency-confusion resolution-source check (internal scope served by the public registry / inflated-version squat, correlating to MAL-2026-MOIKA-DEPCONFUSION) — each with a paired look artifact and false-positive profile."
       }
     ],
     "owner": "@blamejs/supply-chain",
@@ -602,6 +617,34 @@
           "source": "Read .github/workflows/*.yml and *.yaml — extract `on:` triggers, `permissions:`, and `uses: actions/cache@*` step references",
           "description": "CVE-2026-45321 architectural pre-condition check — detects pull_request_target + id-token:write + shared actions/cache co-residency in the same repo.",
           "required": false
+        },
+        {
+          "id": "package-capability-surface",
+          "type": "config_file",
+          "source": "For each installed/locked npm + PyPI package, read its manifest to enumerate declared/observable capabilities: package.json scripts (preinstall/install/postinstall), bin, gypfile/binding.gyp (native-binary build), and dependencies on known network/child-process modules; PyPI setup.py/pyproject.toml build hooks + .so/.pyd payloads. Classify each package into the capability vocabulary: network, filesystem, shell, env, eval, install-script, telemetry, native-binary.",
+          "description": "Package-capability surface per dependency, using a capability taxonomy (network / filesystem / shell / env / eval / install-script / telemetry / native-binary). Complements the CVE-match register: a package with no catalogued CVE can still carry an outsized capability surface (an install-script that spawns a shell and reads env is the Shai-Hulud delivery shape). Capability is a property of the package, independent of any known vulnerability.",
+          "required": false
+        },
+        {
+          "id": "package-name-similarity-surface",
+          "type": "config_file",
+          "source": "For each direct dependency, capture {package name, resolved registry host, a download/popularity signal where available} and compute (a) the Levenshtein edit-distance to a set of high-download popular package names and (b) a homoglyph-normalized / confusable-folded form of the name (via vendor/blamejs/codepoint-class.js) to surface visually-confusable substitutions. Record the closest popular-name match + distance per dependency.",
+          "description": "Package-name similarity surface — the evidence the typosquat/homoglyph detector reads. Captures edit-distance and confusable-normalized name forms so name-impersonation is computable offline without a registry call (the popularity set is a static bundled list; absence of a live download count degrades to edit-distance + homoglyph only).",
+          "required": false
+        },
+        {
+          "id": "package-source-content-surface",
+          "type": "config_file",
+          "source": "For each installed/locked package, statically read its shipped source and record: readable-source-present vs minified-only, sourcemap presence, high-entropy-string ratio (Shannon entropy over string literals), effective LOC count, and dynamic eval / dynamic require/import usage. No execution — static read of the on-disk package files only.",
+          "description": "Package source-content surface — the static evidence the obfuscation screen reads. Distinct from package-capability-surface (which classifies declared/observable capabilities); this captures source SHAPE (minification, entropy, size, dynamic-eval) for the content red-flag screen.",
+          "required": false
+        },
+        {
+          "id": "dep-confusion-resolution-config",
+          "type": "config_file",
+          "source": "Read scope-to-registry resolution config: .npmrc + $HOME/.npmrc (@scope:registry= lines, registry=, always-auth), .yarnrc.yml (npmScopes), pip.conf / pip.ini (index-url, extra-index-url), and any private-registry manifest listing internal @scopes / package names. Cross with repo-lockfiles resolved URLs to determine which registry actually served each internal-scope name.",
+          "description": "Resolution-source configuration — distinguishes an internal-namespace package correctly pinned to a private registry (safe) from one resolvable off the public registry (dependency-confusion exposed). Without it the indicator can only see inflated-version heuristics; with it the resolution-source check becomes high-confidence.",
+          "required": false
         }
       ],
       "collection_scope": {
@@ -800,6 +843,87 @@
           "description": "Mitigation gap for CVE-2026-45321 and similar fresh-publish worms. Without a registry cooldown, `npm install` will accept a version published seconds ago. Recommended: `before=72h` (npm 11+) or `minimumReleaseAge=4320` minutes. The worm was caught publicly within 20 minutes; 72h is overkill-safe.",
           "confidence": "high",
           "deterministic": false
+        },
+        {
+          "id": "dependency-capability-creep-across-version-bump",
+          "type": "behavioral_signal",
+          "value": "For any dependency present in repo-lockfiles, npm-global-packages, or container-image-layers whose resolved version advanced since the last recorded inventory (or across two lockfile revisions in scope), compare the package's capability surface between the two versions. CAPABILITY SURFACE = (a) network egress (new fetch/http/https/net/dgram/ws imports or new outbound hosts), (b) filesystem write beyond the package's own dir, (c) process/shell spawn (child_process/exec/spawn, os/system, subprocess, Runtime.exec), (d) environment / credential access (process.env enumeration, reads of ~/.aws ~/.ssh ~/.npmrc ~/.kube ~/.config, keychain/secrets API), (e) install-lifecycle scripts newly present or newly non-trivial (preinstall/install/postinstall, setup.py/cfg build hooks, gem extensions, Cargo build.rs). FIRES when a version bump GAINS one or more capability categories the prior in-scope version did not exercise — a capability the dependent never opted into when it first selected the package.",
+          "description": "Capability-creep — a dependency that suddenly gains network / filesystem-write / shell-spawn / credential-access / install-script capability across a version bump. Models the core behavioral supply-chain signal: most maintainer-account takeovers and protestware injections surface first as a new capability class in an otherwise-unchanged package, before any CVE is catalogued. Pre-disclosure detector — fires on behavior delta, not on a known-CVE match.",
+          "confidence": "medium",
+          "deterministic": false,
+          "attack_ref": "T1195.001",
+          "atlas_ref": "AML.T0010",
+          "false_positive_checks_required": [
+            "Confirm the new capability is not explained by a documented feature in the version's release notes / CHANGELOG that the dependent intentionally upgraded to consume (e.g. a logging library that added an opt-in OTLP-over-HTTP exporter). A capability gain matching a documented, in-changelog feature the operator pulled deliberately is benign — demote to inconclusive and record the changelog citation.",
+            "Distinguish a genuine capability gain from a refactor that merely RELOCATED an existing capability (the prior version already spawned a child process via a transitive dep; the new version inlines it). Diff the EFFECTIVE capability of the prior resolved tree (package + its own deps), not the single package file — relocation across the package boundary is not a gain. Demote when the capability was already present transitively.",
+            "Exclude build-time / dev-time-only dependencies whose new capability never reaches a runtime-loaded path (e.g. a test runner gaining child_process). Confirm runtime reachability before elevating; build/dev-only capability gain demotes to low.",
+            "Rule out the package's own first-party major-version migration where the maintainer key, publish provenance (SLSA / npm --provenance), and signing identity are UNCHANGED across the bump and the version follows the project's normal release cadence (not a sub-72h fresh publish). Unchanged provenance + normal cadence + documented breaking-change major demotes; an unchanged-version-string-but-changed-content republish, a new/rotated maintainer key, or a provenance attestation that regressed from present-to-absent ELEVATES (re-publication-over / account-takeover signature).",
+            "For install-lifecycle scripts: confirm the script is newly present OR newly non-trivial versus the prior version — many packages have always shipped a postinstall (e.g. native-addon compile via node-gyp). A long-standing, content-stable lifecycle script is not creep; only a newly-added or newly-mutated one fires."
+          ]
+        },
+        {
+          "id": "package-capability-creep",
+          "type": "config_value",
+          "value": "Within the package-capability-surface artifact: any direct or transitive package combines an install-time hook (install-script: preinstall/install/postinstall, or PyPI build hook) with at least one high-trust capability (shell, network, env, or eval). Capability vocabulary: network / filesystem / shell / env / eval / install-script / telemetry / native-binary. The install-script+shell+network+env quadruple is the credential-harvesting delivery shape (CVE-2026-45321 Mini Shai-Hulud, CVE-2024-3094 XZ class); install-script+native-binary is the compiled-payload shape.",
+          "description": "Capability-surface screen — flags packages whose capability surface is disproportionate to their declared function, independent of CVE match. A no-CVE package that runs an install-script which spawns a shell, opens the network, and reads env vars is the supply-chain delivery primitive even when the catalog shows zero matched CVEs. Surfaces alongside, not in place of, package-matches-catalogued-cve; absolute-surface complement to the across-version-bump capability-creep detector.",
+          "confidence": "medium",
+          "deterministic": false,
+          "attack_ref": "T1195.002",
+          "false_positive_checks_required": [
+            "Build-tooling and native-addon packages legitimately need install-script + native-binary (node-gyp, sass-embedded, esbuild, sharp, bcrypt, prebuild-install, electron, playwright, puppeteer). If the package is on the operator documented build-dependency allowlist AND its publisher identity / provenance attestation matches the expected one, demote — capability presence is expected for this class.",
+            "Confirm the install-script actually exercises the high-trust capability at install time, not merely that the package transitively depends on a network/shell module used only at runtime in an unrelated code path. Read the referenced script: a postinstall that only runs node-gyp rebuild is native-binary, not network+shell+env. Demote when the capability is declared-but-not-install-reachable.",
+            "Telemetry-only capability (a postinstall that pings an analytics endpoint with no env/credential read) is a noise/consent concern, not a credential-exfil primitive. Demote network+telemetry-without-env to informational unless env or filesystem-credential-path access co-occurs.",
+            "If the capability surface was read from a stale or non-build lockfile (archive/ or pre-migration/ subdir), it does not reflect what installs. Confirm against the build-consumed lockfile path before firing (same stale-lockfile check as lockfile-no-integrity)."
+          ]
+        },
+        {
+          "id": "dependency-name-typosquat",
+          "type": "behavioral_signal",
+          "value": "For each DIRECT dependency name in repo-lockfiles / npm-global-packages / pip-packages, flag when the name is within Levenshtein edit-distance 1-2 of a SPECIFIC high-download popular package it is NOT (typosquat — e.g. lodahs vs lodash, crossenv vs cross-env), OR uses a homoglyph / visually-confusable Unicode substitution of a popular name (route the name through the vendored vendor/blamejs/codepoint-class.js confusable/bidi detection — a Latin/Cyrillic/Greek lookalike codepoint inside an otherwise-ASCII clone of a popular name is a near-certain lure), OR is a scope/namespace lookalike of a well-known org scope. FIRES on name-confusability independent of any CVE match — the typosquat lure precedes payload execution.",
+          "description": "Typosquat / homoglyph package-name detector. Flags a direct dependency whose NAME impersonates a popular package by edit-distance or visually-confusable codepoint substitution, a pre-disclosure lure signal that no CVE-match or capability screen catches. Reuses the vendored codepoint-class confusable detection (added v0.15.50). Distinct axis from the dependency-confusion resolution check (name-similarity vs resolution-source).",
+          "confidence": "medium",
+          "deterministic": false,
+          "attack_ref": "T1195.002",
+          "atlas_ref": "AML.T0010",
+          "false_positive_checks_required": [
+            "The package IS the popular one: confirm via download-count / publish-history that the flagged name is not itself the canonical high-download package before treating proximity as a squat. Demote when the package is the legitimate target it resembles.",
+            "Intentional short-name alias or sanctioned scoped fork the operator deliberately consumes (e.g. an internal mirror named close to upstream). Cross-check the operator documented dependency allowlist; demote when the near-name is a known sanctioned alias.",
+            "Common-word collision: short generic names (ms, qs, fs) sit within edit-distance of many strings by chance. Require a SPECIFIC high-download package the flagged dep plausibly impersonates, not any string within distance 2; demote incidental proximity with no plausible impersonation target.",
+            "Homoglyph false alarm: confirm the confusable/non-ASCII codepoint actually substitutes for an ASCII letter in a known popular package name (a Cyrillic a inside an ASCII clone), not an incidental legitimately-non-Latin name that has no popular ASCII twin. Demote names with no ASCII-lookalike target."
+          ]
+        },
+        {
+          "id": "package-content-obfuscation-screen",
+          "type": "config_value",
+          "value": "Within package-source-content-surface: flag a package that ships ONLY minified/obfuscated source with no readable source and no sourcemap, OR a high ratio of high-entropy string literals (packed/encrypted payload), OR is a trivial package (under ~10 effective LOC) that NONETHELESS declares an install-script or network capability (a thin shell wrapping a payload), OR combines dynamic eval with dynamic require/import. These are CONTENT red-flags orthogonal to the capability taxonomy — a package can be capability-light yet content-obfuscated.",
+          "description": "Static content red-flag screen — obfuscation / high-entropy / minified-only / trivial-package / eval+dynamic-require. Complements (does not duplicate) the capability-surface screens: capability is WHAT the package can do, content is HOW its source is shaped. Maps T1027 (Obfuscated Files or Information).",
+          "confidence": "medium",
+          "deterministic": false,
+          "attack_ref": "T1027",
+          "false_positive_checks_required": [
+            "Legitimate minified dist bundle: many front-end packages ship a minified dist/ alongside readable src/ or a sourcemap. Confirm there is NO readable source AND no sourcemap anywhere in the package before flagging minified-only; demote when readable source or a .map file exists.",
+            "Known-good build-output / WASM / native-addon packages legitimately carry high-entropy blobs (embedded WASM, prebuilt binaries, fixtures). Cross-check the operator build-dependency allowlist + publisher provenance; demote expected high-entropy classes.",
+            "Trivial-package false alarm: a genuinely tiny utility (is-number) is trivial WITHOUT an install-script or network capability. Only elevate trivial packages that ALSO declare install-script or network capability (the co-occurrence is the signal); demote trivial-but-inert packages.",
+            "eval / dynamic-require in a legitimate plugin loader or config system (some established frameworks use dynamic require by design). Confirm the eval+dynamic-require pair is in a freshly-published or low-trust package, not a long-standing well-known framework; demote established frameworks with documented dynamic loading."
+          ]
+        },
+        {
+          "id": "dependency-confusion-internal-scope-public-resolution",
+          "type": "config_value",
+          "value": "Within repo-lockfiles + dep-confusion-resolution-config: a dependency whose scope/name matches an organizational-internal naming pattern (a @scope that ALSO appears in the org private-registry manifests, .npmrc/.yarnrc scope-to-registry maps, or pip internal extra-index-url) resolved from the PUBLIC registry (registry.npmjs.org / pypi.org) rather than the internal one — AND/OR a resolved version is anomalously inflated (e.g. 99.x.x, a major far above the package real release history) such that default resolution prefers the public package. The defining condition is RESOLUTION-SOURCE confusion: an internal-namespace identifier served by the public registry, regardless of payload.",
+          "description": "Dependency-confusion / namespace-squat resolution check. Fires when an internal-looking package name is satisfied from the public registry, or an inflated semver indicates a public squat outranking the private package — the resolution-layer signature that precedes any payload. Generalizes MAL-2026-MOIKA-DEPCONFUSION to any internal-scope squat; complements the capability-surface screens (postinstall stager) and the catalog CVE-match (specific known names). Distinct axis from the typosquat name-similarity detector.",
+          "confidence": "high",
+          "deterministic": false,
+          "attack_ref": "T1195.001",
+          "atlas_ref": "AML.T0010",
+          "cve_ref": "MAL-2026-MOIKA-DEPCONFUSION",
+          "false_positive_checks_required": [
+            "Confirm the @scope is genuinely an INTERNAL/private namespace for this org (present in a private-registry manifest, .npmrc scope-to-registry map, or internal pip index), not a public org scope the org legitimately consumes from npmjs (@types, @babel, @aws-sdk are public-by-design and not confusion). Demote when the scope is a known public namespace.",
+            "Verify an actual private package of the same name exists that the public one could shadow. A public-only package under a coincidentally org-like scope, with no private counterpart, is not dependency-confusion — there is nothing to confuse it with. Demote to inconclusive absent a private same-name package.",
+            "Confirm install config does not already pin the internal scope to the private registry (.npmrc @scope:registry=, always-auth, pip --index-url with no public fallthrough). A correctly-pinned scope cannot be confused; the public squat exists but cannot win resolution. Demote when resolution is pinned.",
+            "Distinguish an inflated version that reflects a real (if unusual) upstream release from a squat. Check the package real release history on the AUTHORITATIVE registry for this scope: a genuine 99.x maintained release is not a squat. Demote when the inflated version is the legitimate publisher actual latest on the correct registry.",
+            "Confirm the resolved artifact actually came from the public registry for this run (lockfile resolved/resolution URL host = registry.npmjs.org / files.pythonhosted.org), not the private mirror that merely proxies public names. A private proxy serving a vetted copy under the internal scope is not confusion-exposed. Demote when the resolution host is the internal/proxy registry."
+          ]
         }
       ],
       "false_positive_profile": [
@@ -817,6 +941,31 @@
           "indicator_id": "ai-code-no-provenance",
           "benign_pattern": "Org has documented internal commit-trailer convention (Co-Authored-By:, Generated-By:, AI-Model:) but it isn't reflected in machine-readable SBOM.",
           "distinguishing_test": "Sample 20 commits in the repo. If commit-trailer convention is consistently used, downgrade to medium and recommend SBOM integration rather than flagging absence outright."
+        },
+        {
+          "indicator_id": "dependency-capability-creep-across-version-bump",
+          "benign_pattern": "A widely-used package legitimately adds a capability in a feature release — e.g. an HTTP client adds optional HTTP/2 (new net surface), an ORM adds a CLI migration runner (new child_process), a telemetry SDK adds an opt-in exporter (new egress host). The capability is documented, the maintainer key and publish provenance are unchanged, and the release follows normal cadence.",
+          "distinguishing_test": "Pull the version release notes / CHANGELOG and the npm/PyPI provenance attestation. Benign when ALL hold: (1) the new capability is documented as an intended feature, (2) the signing/maintainer identity is unchanged across the bump, (3) provenance present-before is still present, and (4) publish age exceeds the registry-cooldown threshold (not a sub-72h fresh publish). Malicious-leaning when ANY of: capability is undocumented, maintainer key rotated, provenance regressed from present-to-absent, content changed under an unchanged version string, or the gain is credential-path reads / outbound to a never-before-seen host."
+        },
+        {
+          "indicator_id": "package-capability-creep",
+          "benign_pattern": "Native-addon and build-tooling packages (node-gyp, sass-embedded, esbuild, sharp, bcrypt, prebuild-install, electron, playwright, puppeteer) legitimately carry install-script + native-binary + (sometimes) network capability — the prebuilt-binary download is network + install-script by design.",
+          "distinguishing_test": "Cross-reference the flagged package against the operator documented build-dependency allowlist and its npm/PyPI provenance attestation. If the package is a known build/native-addon dependency AND its publisher identity matches the expected signed publisher, downgrade to medium/informational. Reserve high confidence for packages whose capability surface is unexplained by their stated function (a date-formatting utility that opens the network and reads env)."
+        },
+        {
+          "indicator_id": "dependency-name-typosquat",
+          "benign_pattern": "A short or generic package name sits within edit-distance of a popular one by coincidence (ms, qs), or the operator deliberately consumes a sanctioned near-name (an internal mirror, a scoped fork), or a legitimately non-Latin package name has no popular ASCII twin.",
+          "distinguishing_test": "Typosquat-likely only when ALL hold: the name is within edit-distance 1-2 of (or a homoglyph substitution within) a SPECIFIC high-download package it is NOT, the flagged package is far lower download/younger than that target, and it is not on the operator sanctioned-alias allowlist. Any one failing demotes to medium/informational."
+        },
+        {
+          "indicator_id": "package-content-obfuscation-screen",
+          "benign_pattern": "A front-end package ships a minified dist/ with a sourcemap or alongside readable src/; a native-addon/WASM package carries legitimate high-entropy binary blobs; an established framework uses documented dynamic require for plugin loading.",
+          "distinguishing_test": "Content-malicious-leaning only when the obfuscation co-occurs with risk: minified-only AND no sourcemap AND no readable source; OR trivial-LOC AND (install-script OR network); OR eval+dynamic-require in a fresh/low-trust package. A minified bundle WITH a sourcemap, or high-entropy in an allowlisted native-addon, or dynamic-require in a known framework, demotes to informational."
+        },
+        {
+          "indicator_id": "dependency-confusion-internal-scope-public-resolution",
+          "benign_pattern": "An org legitimately consumes a public scoped package (@types/*, @babel/*, @aws-sdk/*) that superficially resembles an internal naming convention; OR an internal scope is already correctly pinned to the private registry so the public squat cannot win resolution.",
+          "distinguishing_test": "Resolve each flagged @scope against (1) the org private-registry internal-scope list and (2) the .npmrc/.yarnrc/pip index scope-to-registry mapping. Dependency-confusion-exposed only when ALL hold: the scope is an internal namespace, a same-name private package exists, the scope is NOT pinned to the private registry, and the lockfile resolved host is the public registry. If any fails, downgrade to medium/informational."
         }
       ],
       "minimum_signal": {

package/data/zeroday-lessons.json

@@ -17,7 +17,7 @@
       "rebuild_after_days": 365,
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     },
-    "entry_count": 427
+    "entry_count": 430
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",
@@ -24854,5 +24854,255 @@
     "ai_discovered_zeroday": false,
     "ai_discovery_source": "vendor_research",
     "ai_assist_factor": "none"
+  },
+  "CVE-2022-23812": {
+    "name": "node-ipc geo-targeted file-wiper protestware (RU/BY heart-emoji overwrite; peacenotwar dropper in 11.0.0+)",
+    "lesson_date": "2026-05-30",
+    "attack_vector": {
+      "description": "A trusted, legitimate package maintainer (node-ipc, ~1M weekly downloads, transitive via Vue CLI) authored a destructive payload directly into published versions 10.1.1/10.1.2 (2022-03-07/08): on require('node-ipc') the code resolved the host's public-IP geolocation and, for Russia/Belarus, recursively overwrote writable files with a heart character; a follow-on bundled the peacenotwar dropper (WITH-LOVE-FROM-AMERICA.txt, NVD-scoped into 11.0.0+). The payload ships in the MAIN MODULE, not a postinstall hook, so --ignore-scripts — the canonical post-Shai-Hulud npm mitigation — does NOT mitigate. Class: insider-maintainer protestware/sabotage, distinct from account-recovery takeover (node-ipc 2026 stealer) and typosquat.",
+      "privileges_required": "downstream consumer runs install resolving 10.1.1/10.1.2 (directly or transitively); payload fires automatically on require('node-ipc')",
+      "complexity": "low for downstream consumers (automatic on module load); trivial for the maintainer (any owner with publish rights can author it)",
+      "ai_factor": "Not AI-discovered, not AI-built. Hand-authored geo-gated wiper; the novelty is the trust-abuse + main-module delivery, not algorithmic."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Strict-lockfile installs (npm ci) against a lockfile predating 2022-03-07; pinning critical-path dependencies and gating upgrades on a review window; treating high-reach single-maintainer packages as a concentration risk.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "--ignore-scripts does NOT help (main-module payload). Lockfile pinning helps only if the lockfile predates the malicious publish AND npm ci (not npm install) is used."
+      },
+      "detection": {
+        "what_would_have_worked": "Behavioral telemetry on developer/CI hosts: an outbound geolocation lookup followed by recursive filesystem writes within a Node process's lifetime is a near-deterministic IoC for a main-module wiper. File-write telemetry on broad path globs at module-load time catches the class even when --ignore-scripts is set.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Most endpoints and CI runners do not retain process-level file-write telemetry; the geo-gating means absence of harm on a non-RU/BY host does not prove the payload was absent."
+      },
+      "response": {
+        "what_would_have_worked": "npm removed 10.1.1/10.1.2; consumers upgraded to 10.1.3+. For the 11.0.0+ peacenotwar range, pin to a pre-11.0.0 line or a maintained fork. Restore any overwritten files from backup on affected RU/BY hosts.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Yank closes new exposure but does not restore wiped files; the destructive action is irreversible without backups."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-218-SSDF": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Reused-component controls assume maintainer good-faith; no coverage of trusted-maintainer sabotage."
+      },
+      "EU-CRA-Art13": {
+        "covered": true,
+        "adequate": false,
+        "gap": "SBOM records what resolved; a pinned malicious version is SBOM-compliant."
+      },
+      "NIS2-Art21-supply-chain": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No main-module-vs-postinstall payload distinction; no maintainer-intent risk."
+      },
+      "UK-CAF-B4-supply-chain": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Outcome-based principle does not prescribe insider-maintainer-sabotage defense."
+      },
+      "ANY-FRAMEWORK": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No major framework treats a trusted maintainer shipping a geo-targeted destructive main-module payload as a distinct supply-chain class. NEW-CTRL-114 is the headline novel control."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-114",
+        "name": "MAIN-MODULE-PAYLOAD-DETECTION",
+        "description": "Supply-chain controls must not assume --ignore-scripts mitigates malicious dependencies. A payload shipped in the package main module (executing on require/import, not via a lifecycle hook) bypasses --ignore-scripts entirely. Detect via process-level behavioral telemetry: geolocation/IP lookups, broad recursive filesystem writes, or credential-path reads occurring at module-load time within a dependency. Pair with strict-lockfile installs (npm ci) and a publish-to-consume review window on high-reach single-maintainer packages.",
+        "evidence": "CVE-2022-23812 — node-ipc 10.1.1/10.1.2 shipped a geo-targeted file-wiper in the MAIN MODULE; --ignore-scripts (the canonical npm-supply-chain mitigation since Shai-Hulud) did not mitigate because the payload was not in a postinstall hook.",
+        "gap_closes": [
+          "NIST-800-218-SSDF",
+          "NIS2-Art21-supply-chain",
+          "EU-CRA-Art13",
+          "ANY-FRAMEWORK"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 90,
+      "basis": "Most npm-hygiene programs lean on --ignore-scripts and SBOM, neither of which addresses a main-module payload from a trusted maintainer. Lockfile pinning helps only with npm ci and a pre-2022-03-07 lockfile.",
+      "theater_pattern": "ignore_scripts_assumed_sufficient_for_all_supply_chain_payloads"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_date": "2022-03-15",
+    "ai_assist_factor": "low"
+  },
+  "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM": {
+    "name": "TrapDoor cross-ecosystem crypto-stealer + AI-assistant poisoning campaign (npm/PyPI/crates.io)",
+    "lesson_date": "2026-05-30",
+    "attack_vector": {
+      "description": "Cross-ecosystem (npm/PyPI/crates.io) coordinated malicious-package campaign (\"TrapDoor\", anchor OSV MAL-2026-4207 / GHSA-7r6r-hqg7-f6mq) using lure packages themed as security/crypto/AI tooling. npm: postinstall executes trap-core.js. PyPI: import-time node -e pulls JS from attacker GitHub Pages. crates.io: build.rs runs at compile time. All variants harvest cloud/SSH/GitHub credentials + crypto-wallet data and exfiltrate via a dynamic GitHub-Pages C2. The genuinely novel vector: the payload plants .cursorrules and CLAUDE.md files containing zero-width-Unicode-hidden instructions designed to trick AI coding assistants (Cursor, Claude Code) into running a fake \"security scan\" that self-exfiltrates local secrets — AI-assistant prompt-injection as a supply-chain weaponization channel.",
+      "privileges_required": "developer/CI runs install (npm postinstall), import (PyPI), or compile (crates build.rs); AI-assistant poisoning additionally fires when a developer opens the repo in an LLM coding assistant",
+      "complexity": "low — consumer-side execution is automatic on install/import/compile; --ignore-scripts mitigates only the npm postinstall path, not PyPI import-time or crates build-time triggers",
+      "ai_factor": "AI-ASSISTED WEAPONIZATION (not AI-discovered). The .cursorrules/CLAUDE.md zero-width-Unicode prompt-injection that subverts an AI coding assistant into exfiltrating secrets is the differentiator — maps ATLAS AML.T0051 (LLM prompt injection). Ties directly to the Trojan-Source codepoint-threat surface (CVE-2021-42574) the catalog already tracks."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Scope-pinning + provenance on dependencies; --ignore-scripts (npm path only); scanning .cursorrules/CLAUDE.md and other AI-assistant config files for zero-width Unicode before an assistant reads them; treating AI-assistant config as untrusted input.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "No framework treats AI-coding-assistant config files as a prompt-injection attack surface. --ignore-scripts is partial (misses import-time + compile-time triggers)."
+      },
+      "detection": {
+        "what_would_have_worked": "Install/import/compile-time egress monitoring (the GitHub-Pages C2 + Gist exfil); a zero-width-Unicode scan over repo config files (.cursorrules, CLAUDE.md) — the same codepoint-class the catalog flags for Trojan-Source; behavioral detection of a credential scan over ~/.aws, ~/.ssh, browser wallet stores following a package resolution.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "PyPI variant pulls live JS at import time, so the on-disk package may not contain the final payload — network/DNS capture to the C2 is required to prove exfil. Zero-width Unicode in repo config is invisible in normal review."
+      },
+      "response": {
+        "what_would_have_worked": "Remove the named packages; rotate ALL credentials reachable from any host that installed/imported/compiled them; audit .cursorrules/CLAUDE.md for hidden instructions; block egress to the C2.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Registry takedown was partial (some versions live at reporting time); crates.io ids not yet in OSV. Rotation is the only reliable response once secrets are harvested."
+      }
+    },
+    "framework_coverage": {
+      "EU-AI-Act-Art15": {
+        "covered": true,
+        "adequate": false,
+        "gap": "AI robustness/accuracy controls do not address adversarial prompt-injection planted in repo config files that subvert a developer AI assistant."
+      },
+      "NIS2-Art21-supply-chain": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No coverage of cross-ecosystem coordinated campaigns or AI-assistant config-file poisoning as a supply-chain vector."
+      },
+      "DORA-ICT-third-party": {
+        "covered": true,
+        "adequate": false,
+        "gap": "ICT third-party risk assumes vendor relationships, not transitive OSS lure-packages auto-executing on import/build."
+      },
+      "UK-CAF-B4-supply-chain": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not cover build-time (build.rs) or import-time auto-execution distinct from install-time hooks."
+      },
+      "ANY-FRAMEWORK": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats AI-coding-assistant config-file prompt-injection as a supply-chain exfiltration vector. NEW-CTRL-115/116 are the headline novel controls."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-115",
+        "name": "AI-ASSISTANT-CONFIG-POISONING-DETECTION",
+        "description": "Scan AI-coding-assistant configuration files (.cursorrules, CLAUDE.md, .github/copilot-instructions.md, and equivalents) for zero-width / bidirectional / invisible Unicode codepoints and for instructions that direct the assistant to read credential paths, run \"security scans\", or perform network egress. Treat AI-assistant config as untrusted input on dependency intake; render it through a codepoint-normalizer (the Trojan-Source class, CVE-2021-42574) before any assistant consumes it.",
+        "evidence": "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM — the payload planted .cursorrules and CLAUDE.md with zero-width-Unicode-hidden instructions to trick Cursor/Claude Code into discovering and exfiltrating local secrets.",
+        "gap_closes": [
+          "EU-AI-Act-Art15",
+          "NIS2-Art21-supply-chain",
+          "ANY-FRAMEWORK"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-116",
+        "name": "MULTI-TRIGGER-DEPENDENCY-EXECUTION-POLICY",
+        "description": "Dependency-execution policy must cover install-time (npm postinstall), import-time (PyPI module load / node -e), AND compile-time (crates build.rs) execution — not install hooks alone. --ignore-scripts addresses only the npm postinstall path. Enforce egress allowlists during install/import/compile in CI and monitor for second-stage fetches from dynamic config hosts.",
+        "evidence": "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM — npm postinstall, PyPI import-time node -e, and crates.io build.rs were three distinct execution triggers; --ignore-scripts mitigated only the first.",
+        "gap_closes": [
+          "NIS2-Art21-supply-chain",
+          "UK-CAF-B4-supply-chain",
+          "DORA-ICT-third-party"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 96,
+      "basis": "AI-coding-assistant config files are not in scope for any current supply-chain or AI-governance control; near-total exposure. Multi-trigger execution (import/compile) is uncovered by the install-hook-centric --ignore-scripts mitigation most programs rely on.",
+      "theater_pattern": "ai_assistant_config_treated_as_trusted"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_date": "2026-05-25",
+    "ai_assist_factor": "high"
+  },
+  "MAL-2026-MOIKA-DEPCONFUSION": {
+    "name": "oob.moika.tech dependency-confusion credential-exfiltration campaign (internal-scope namespace squat)",
+    "lesson_date": "2026-05-30",
+    "attack_vector": {
+      "description": "Dependency-confusion / internal-scope namespace-squat campaign (C2 oob.moika.tech, OSV MAL-2026-4952/4978/5032). The attacker published public npm packages under organizational scopes that mirror targets internal namespaces (@cloudplatform-single-spa, @mlspace, @sber-ecom-core, etc.) at inflated semver (99.99.99 etc.) so default npm resolution prefers the public package when no scope->registry pin exists. A 7-13 KB obfuscated postinstall stager fetches a second stage from oob.moika.tech/payload (header X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1) and POSTs the full process.env (NPM_TOKEN, AWS keys, GITHUB_TOKEN, DB URLs) + host fingerprint to oob.moika.tech/report. Microsoft documents a server-side toggle gating second-stage escalation, but the /report env-exfil is live. Class: dependency-confusion with postinstall second-stage staging — the catalog had zero dependency-confusion entries before this.",
+      "privileges_required": "developer/CI runs npm install against a project referencing a squatted internal scope with no scope->registry pin; postinstall fires automatically",
+      "complexity": "low — automatic on install; --ignore-scripts DOES mitigate (postinstall-gated, unlike the node-ipc main-module class). Attacker-side precondition (knowing internal scope names) is low: scope names leak via public source, CI logs, and job postings.",
+      "ai_factor": "Not AI-discovered, not AI-built. Targets ML-tooling scopes (@mlspace, @data-science) among others, but the payload is conventional obfuscated JavaScript."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Scope->registry pinning in .npmrc (@scope:registry=) for every internal scope — the structural fix for the entire dependency-confusion class; this prevents public-registry resolution regardless of version inflation. --ignore-scripts blocks the postinstall stager specifically.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Scope-pinning fully prevents the class but must be configured BEFORE exposure. No framework mandates it; default npm resolution silently prefers the higher public version."
+      },
+      "detection": {
+        "what_would_have_worked": "Install-time egress monitoring (the oob.moika.tech C2); detection of a raw process.env serialization immediately followed by an outbound POST (the credential-harvest fingerprint); lockfile audit for any internal scope resolved to a PUBLIC-registry tarball at an inflated version (99.99.99 / 5.7.1 / 99.5.x).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "A postinstall POST to /report proves exfil; postinstall execution alone does not. Most CI runners do not monitor install-time egress."
+      },
+      "response": {
+        "what_would_have_worked": "Pin internal scopes to the private registry in project + CI .npmrc; rotate every credential exposed as an env var on any host that ran an affected install during the exposure windows; block egress to oob.moika.tech and the t-in-one lure domains.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Per-package yank is reactive — any attacker can re-publish an inflated version under an unpinned internal scope. Scope-pinning is the only durable fix."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-218-SSDF": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Component-provenance controls assume the consumed package is the intended one; SSDF does not mandate scope->registry pinning, so a confused resolution is SSDF-conformant."
+      },
+      "EU-CRA-Art13": {
+        "covered": true,
+        "adequate": false,
+        "gap": "SBOM records what resolved, not whether resolution should have gone to a private registry; a confused public package is SBOM-listed and CRA-compliant."
+      },
+      "NIS2-Art21-supply-chain": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No requirement for scope-registry pinning, postinstall-hook policy, or internal-namespace-squat monitoring on public registries."
+      },
+      "SLSA-v1.0-Provenance": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Provenance attests who built an artifact; it cannot assert the resolver selected the artifact the org intended — orthogonal to dependency confusion."
+      },
+      "ANY-FRAMEWORK": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No major framework mandates internal-scope->registry pinning as a dependency-confusion control. NEW-CTRL-117 is the headline novel control."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-117",
+        "name": "PACKAGE-INTERNAL-SCOPE-REGISTRY-PINNING",
+        "description": "Every internal/private package scope must be pinned to its private registry in project and CI .npmrc (@scope:registry=https://private-registry/), so public-registry resolution can never win regardless of version inflation. Continuously monitor public registries for newly published packages under the organization internal scope names (namespace-squat detection). Lockfile-audit for any internal scope resolved to a public-registry tarball. This is the structural fix for the dependency-confusion class, which no current framework prescribes.",
+        "evidence": "MAL-2026-MOIKA-DEPCONFUSION — ~164-179 public npm packages were published under squatted internal scopes at inflated versions (99.99.99 etc.) so default resolution preferred them; a postinstall stager exfiltrated full process.env. Scope->registry pinning would have prevented every install.",
+        "gap_closes": [
+          "NIST-800-218-SSDF",
+          "NIS2-Art21-supply-chain",
+          "EU-CRA-Art13",
+          "ANY-FRAMEWORK"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 88,
+      "basis": "Scope->registry pinning is a non-default npm configuration that no framework mandates; most organizations using internal scopes have not pinned them, leaving the public registry able to win resolution on an inflated version.",
+      "theater_pattern": "default_registry_resolution_assumed_safe"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_date": "2026-05-28",
+    "ai_assist_factor": "low"
   }
 }

package/lib/prefetch.js

@@ -696,8 +696,8 @@ async function main() {
   // contractually correct but visibly noisy. Letting the event loop
   // drain naturally — via exitCode + return — lets undici's connection
   // pool and the AbortController signal listeners finish teardown
-  // before the process exits, eliminating the assertion. Same pattern
-  // documented in CLAUDE.md for v0.11.11's `ci` #100 regression.
+  // before the process exits, eliminating the assertion. Same pattern as
+  // the `ci` #100 stdout-flush regression.
   try {
     const result = await prefetch(opts);
     process.exitCode = result.errors > 0 ? 1 : 0;