@deepv-code/safe-npm 0.1.0

package/dist/i18n/zh.js

@@ -0,0 +1,50 @@
+export const zh = {
+    // General
+    appName: 'safe-npm',
+    version: '版本',
+    // Risk levels
+    riskFatal: '致命',
+    riskHigh: '高危',
+    riskWarning: '警告',
+    riskSafe: '安全',
+    // Detection messages
+    virusDetected: '检测到已知恶意软件',
+    typosquatDetected: '检测到仿冒包 - 这可能是假冒包',
+    suspiciousCode: '检测到可疑代码模式',
+    cveFound: '发现已知漏洞',
+    minerDetected: '检测到挖矿脚本特征',
+    obfuscatedCode: '检测到代码混淆 - 可能隐藏恶意行为',
+    dangerousScript: '检测到危险的安装脚本',
+    blacklisted: '此包在已知恶意包名单中',
+    // Actions
+    blocked: '已阻止安装',
+    useForce: '如确认安全，可使用 --force 强制安装',
+    cannotBypass: '此威胁无法绕过',
+    continuing: '继续安装...',
+    // Scanner
+    scanning: '正在扫描包',
+    scanComplete: '扫描完成',
+    downloadingPackage: '正在下载包进行分析',
+    analyzingCode: '正在分析代码模式',
+    checkingVirustotal: '正在检查 VirusTotal 数据库',
+    checkingBlacklist: '正在检查已知恶意包名单',
+    // Errors
+    networkError: '网络错误 - 回退到本地缓存',
+    offlineMode: '离线模式运行中',
+    vtNoApiKey: '未配置 VirusTotal API 密钥 - 跳过在线扫描',
+    // TUI
+    tuiWelcome: '欢迎使用 safe-npm',
+    tuiPopular: '热门包',
+    tuiCheck: '检测包',
+    tuiSettings: '设置',
+    tuiQuit: '退出',
+    tuiLanguage: '语言',
+    // Suggestions
+    suggestionTitle: '💡 建议：您是否想安装官方正版包',
+    suggestionPrompt: '您是否要安装',
+    installingCorrect: '🚀 正在安装正确的包',
+    packageNotFound: '在注册表中未找到此包',
+    didYouMean: '您是指',
+    checkName: '请检查包名',
+    registryCheckFail: '包不存在',
+};

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,77 @@
+#!/usr/bin/env node
+import { parseArgs } from './cli/args-parser.js';
+import { proxyToNpm } from './cli/proxy.js';
+import { checkPackages } from './cli/check.js';
+import { startTui } from './tui/index.js';
+import { hasConfigFile, saveConfig } from './utils/config.js';
+import * as readline from 'readline';
+async function promptLanguage() {
+    return new Promise((resolve) => {
+        const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stdout,
+        });
+        console.log('\nWelcome to safe-npm! / 欢迎使用 safe-npm!');
+        console.log('Please select your language / 请选择语言:');
+        console.log('1. English');
+        console.log('2. 中文 (Chinese)');
+        rl.question('Select [1/2] (default: 2): ', (answer) => {
+            if (answer.trim() === '1') {
+                saveConfig({ language: 'en' });
+                console.log('Language set to English.\n');
+            }
+            else {
+                // Default to Chinese as per request context or generic 'other'
+                saveConfig({ language: 'zh' });
+                console.log('语言已设置为中文。\n');
+            }
+            rl.close();
+            resolve();
+        });
+    });
+}
+async function main() {
+    const args = process.argv.slice(2);
+    // First run check
+    if (!hasConfigFile()) {
+        await promptLanguage();
+    }
+    if (args.length === 0) {
+        // Show help or start TUI
+        console.log('safe-npm - A security-focused npm wrapper');
+        console.log('');
+        console.log('Usage:');
+        console.log('  safe-npm <npm-command>    Proxy npm commands with security checks');
+        console.log('  safe-npm check <pkg>      Check package without installing');
+        console.log('  safe-npm tui              Open interactive TUI');
+        console.log('');
+        process.exit(0);
+    }
+    const parsed = parseArgs(args);
+    if (parsed.isTui) {
+        startTui();
+        // Don't exit - Ink handles the process
+        return;
+    }
+    if (parsed.isCheck) {
+        await checkPackages(parsed.packages);
+        process.exit(0);
+    }
+    if (parsed.isInstall && parsed.packages.length > 0) {
+        // Security scan before install
+        const safe = await checkPackages(parsed.packages, {
+            isForce: parsed.isForce,
+            install: true,
+        });
+        if (!safe) {
+            process.exit(1);
+        }
+    }
+    // Proxy to npm
+    const exitCode = await proxyToNpm(args);
+    process.exit(exitCode);
+}
+main().catch((err) => {
+    console.error('Error:', err.message);
+    process.exit(1);
+});

package/dist/scanner/code-analyzer.d.ts

@@ -0,0 +1,2 @@
+import type { ScanIssue } from './types.js';
+export declare function scanCodePatterns(packageName: string): Promise<ScanIssue[]>;

package/dist/scanner/code-analyzer.js

@@ -0,0 +1,130 @@
+import { checkMinerPatterns } from './patterns/miner.js';
+import { checkExfiltrationPatterns } from './patterns/exfiltration.js';
+import { checkObfuscationPatterns } from './patterns/obfuscation.js';
+import { t } from '../i18n/index.js';
+import { extractAndScanPackage, getPackageInfo } from '../utils/npm-package.js';
+// Dangerous postinstall script patterns
+const dangerousScriptPatterns = [
+    // Direct command execution
+    /curl\s+.*\|\s*(bash|sh)/i,
+    /wget\s+.*\|\s*(bash|sh)/i,
+    /powershell\s+-.*downloadstring/i,
+    /powershell\s+.*iex/i,
+    // Reverse shells
+    /bash\s+-i\s+>&\s*\/dev\/tcp/i,
+    /nc\s+-e\s+\/bin\/(ba)?sh/i,
+    /python.*socket.*connect/i,
+    // Suspicious node execution
+    /node\s+-e\s+['"].*require.*child_process/i,
+    /node\s+-e\s+['"].*eval\s*\(/i,
+    // Environment variable exfiltration
+    /curl.*\$\{?npm_config/i,
+    /curl.*process\.env/i,
+];
+/**
+ * Scan package.json scripts for dangerous patterns
+ */
+function scanScripts(scripts) {
+    const issues = [];
+    const dangerousScriptNames = ['preinstall', 'install', 'postinstall', 'preuninstall', 'postuninstall'];
+    for (const [name, script] of Object.entries(scripts)) {
+        // Check if it's a lifecycle script
+        const isLifecycleScript = dangerousScriptNames.includes(name);
+        for (const pattern of dangerousScriptPatterns) {
+            if (pattern.test(script)) {
+                issues.push({
+                    type: 'suspicious_code',
+                    severity: isLifecycleScript ? 'high' : 'warning',
+                    message: t('suspiciousCode'),
+                    details: `Dangerous pattern in "${name}" script: ${pattern.source}`,
+                });
+                break;
+            }
+        }
+        // Check for obfuscated commands in scripts
+        if (isLifecycleScript && script.length > 500) {
+            // Very long script might be hiding something
+            issues.push({
+                type: 'suspicious_code',
+                severity: 'warning',
+                message: t('suspiciousCode'),
+                details: `Unusually long "${name}" script (${script.length} chars) - manual review recommended`,
+            });
+        }
+    }
+    return issues;
+}
+/**
+ * Scan JavaScript file content for malicious patterns
+ */
+function scanFileContent(filePath, content) {
+    const issues = [];
+    // Check for miner patterns
+    const minerResult = checkMinerPatterns(content);
+    if (minerResult.matched) {
+        issues.push({
+            type: 'miner',
+            severity: 'high',
+            message: t('minerDetected'),
+            details: `Pattern matched in ${filePath}: ${minerResult.pattern}`,
+        });
+    }
+    // Check for data exfiltration patterns
+    const exfilFindings = checkExfiltrationPatterns(content);
+    for (const finding of exfilFindings) {
+        issues.push({
+            type: 'suspicious_code',
+            severity: 'high',
+            message: t('suspiciousCode'),
+            details: `${finding} (in ${filePath})`,
+        });
+    }
+    // Check for obfuscation patterns
+    const obfuscationResult = checkObfuscationPatterns(content);
+    if (obfuscationResult.matched) {
+        issues.push({
+            type: 'suspicious_code',
+            severity: 'warning',
+            message: t('suspiciousCode'),
+            details: `Code obfuscation detected in ${filePath}: ${obfuscationResult.pattern}`,
+        });
+    }
+    return issues;
+}
+export async function scanCodePatterns(packageName) {
+    const issues = [];
+    // First, try to get basic package info without downloading
+    const packageInfo = await getPackageInfo(packageName);
+    if (!packageInfo) {
+        // Can't fetch package info, skip code analysis
+        return issues;
+    }
+    // Quick check on package.json scripts first
+    if (Object.keys(packageInfo.scripts).length > 0) {
+        const scriptIssues = scanScripts(packageInfo.scripts);
+        issues.push(...scriptIssues);
+    }
+    // Check if package has lifecycle scripts that warrant deeper analysis
+    const hasLifecycleScripts = ['preinstall', 'install', 'postinstall'].some(s => s in packageInfo.scripts);
+    // If there are lifecycle scripts or already found issues, do deep scan
+    if (hasLifecycleScripts || issues.length > 0) {
+        const packageFiles = await extractAndScanPackage(packageName);
+        if (packageFiles) {
+            // Scan all collected JS files
+            for (const file of packageFiles.allJsFiles) {
+                const fileIssues = scanFileContent(file.path, file.content);
+                issues.push(...fileIssues);
+            }
+            // Scan entry file if not already scanned
+            if (packageFiles.entryContent) {
+                const entryPath = packageFiles.entryFile || 'index.js';
+                const alreadyScanned = packageFiles.allJsFiles.some(f => f.path === entryPath);
+                if (!alreadyScanned) {
+                    const entryIssues = scanFileContent(entryPath, packageFiles.entryContent);
+                    issues.push(...entryIssues);
+                }
+            }
+        }
+    }
+    return issues;
+}

package/dist/scanner/index.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult, ScanOptions, ProgressCallback } from './types.js';
+export declare function scanPackage(packageName: string, options?: ScanOptions, onProgress?: ProgressCallback): Promise<ScanResult>;
+export type { ScanResult, ScanOptions, ScanIssue, RiskLevel, ProgressCallback } from './types.js';

package/dist/scanner/index.js

@@ -0,0 +1,163 @@
+import { scanVirusTotal } from './virustotal.js';
+import { scanTyposquatting, findClosestPopularPackage } from './typosquatting.js';
+import { scanCodePatterns } from './code-analyzer.js';
+import { scanVulnerabilities } from './vulnerability.js';
+import { checkPackageExists } from '../utils/npm-package.js';
+import { t } from '../i18n/index.js';
+// Built-in trusted packages
+const TRUSTED_PACKAGES = new Set([
+    'deepv-code'
+]);
+export async function scanPackage(packageName, options = {}, onProgress) {
+    // Check whitelist first
+    if (TRUSTED_PACKAGES.has(packageName)) {
+        onProgress?.('Checking whitelist...', 1, 1);
+        return {
+            packageName,
+            riskLevel: 'safe',
+            issues: [],
+            checks: [
+                { name: 'Whitelist Check', status: 'pass', description: 'Package is in the built-in trusted list' },
+                { name: 'VirusTotal Scan', status: 'pass', description: 'Implicitly passed (Trusted)' },
+                { name: 'Typosquatting Check', status: 'pass', description: 'Implicitly passed (Trusted)' },
+                { name: 'Code Analysis', status: 'pass', description: 'Implicitly passed (Trusted)' },
+                { name: 'Vulnerability Check', status: 'pass', description: 'Implicitly passed (Trusted)' }
+            ],
+            canBypass: true,
+        };
+    }
+    // Check if package exists in registry
+    onProgress?.('Checking registry...', 0, 1);
+    const exists = await checkPackageExists(packageName);
+    if (!exists) {
+        const suggestion = findClosestPopularPackage(packageName);
+        return {
+            packageName,
+            riskLevel: 'fatal', // Treat as fatal to stop installation flow
+            issues: [{
+                    type: 'typosquat',
+                    severity: 'fatal',
+                    message: t('packageNotFound'),
+                    details: suggestion ? `${t('didYouMean')} "${suggestion}"?` : t('checkName')
+                }],
+            checks: [
+                { name: 'Registry Check', status: 'fail', description: t('registryCheckFail') }
+            ],
+            canBypass: false,
+            suggestedPackage: suggestion || undefined
+        };
+    }
+    const issues = [];
+    const checks = [];
+    // Helper to wrap tasks with progress
+    let completedTasks = 0;
+    const totalTasks = 4; // VT, Typo, Code, Vuln
+    const wrapTask = async (name, task) => {
+        onProgress?.(`Starting ${name}...`, completedTasks, totalTasks);
+        try {
+            const res = await task;
+            completedTasks++;
+            onProgress?.(`Finished ${name}`, completedTasks, totalTasks);
+            return res;
+        }
+        catch (err) {
+            completedTasks++;
+            onProgress?.(`Error in ${name}`, completedTasks, totalTasks);
+            throw err;
+        }
+    };
+    // Run all scans in parallel
+    const [virusResult, typoResult, codeResult, vulnResult] = await Promise.all([
+        wrapTask('VirusTotal', options.skipVirustotal ? Promise.resolve(null) : scanVirusTotal(packageName, options).catch(err => {
+            console.error('VT Error:', err);
+            return null;
+        })),
+        wrapTask('Typosquatting Check', scanTyposquatting(packageName).catch(err => {
+            console.error('Typo Error:', err);
+            return [];
+        })),
+        wrapTask('Code Analysis', scanCodePatterns(packageName).catch(err => {
+            console.error('Code Error:', err);
+            return [];
+        })),
+        wrapTask('Vulnerability Check', scanVulnerabilities(packageName).catch(err => {
+            console.error('Vuln Error:', err);
+            return [];
+        })),
+    ]);
+    // Process VirusTotal
+    if (options.skipVirustotal) {
+        checks.push({ name: 'VirusTotal Scan', status: 'skipped', description: 'Skipped by user option' });
+    }
+    else if (virusResult) {
+        // If it's the new object structure
+        const vtIssues = 'issues' in virusResult ? virusResult.issues : virusResult;
+        const vtInfo = 'info' in virusResult ? virusResult.info : 'Scan complete';
+        if (vtIssues && vtIssues.length > 0) {
+            checks.push({ name: 'VirusTotal Scan', status: 'fail', description: vtInfo });
+            issues.push(...vtIssues);
+        }
+        else {
+            checks.push({ name: 'VirusTotal Scan', status: 'pass', description: vtInfo });
+        }
+    }
+    else {
+        // Should not happen if catch returns null, but just in case
+        checks.push({ name: 'VirusTotal Scan', status: 'error', description: 'Scan failed to execute' });
+    }
+    // Process Typosquatting
+    if (typoResult && typoResult.length > 0) {
+        checks.push({ name: 'Typosquatting Check', status: 'fail', description: 'Suspicious package name detected' });
+        issues.push(...typoResult);
+    }
+    else {
+        checks.push({ name: 'Typosquatting Check', status: 'pass', description: 'Package name looks safe' });
+    }
+    // Process Code Patterns
+    if (codeResult && codeResult.length > 0) {
+        checks.push({ name: 'Static Code Analysis', status: 'fail', description: 'Suspicious code patterns detected' });
+        issues.push(...codeResult);
+    }
+    else {
+        checks.push({ name: 'Static Code Analysis', status: 'pass', description: 'No malicious code patterns found' });
+    }
+    // Process Vulnerabilities
+    if (vulnResult && vulnResult.length > 0) {
+        checks.push({ name: 'Vulnerability Database', status: 'fail', description: `Found ${vulnResult.length} known vulnerabilities` });
+        issues.push(...vulnResult);
+    }
+    else {
+        checks.push({ name: 'Vulnerability Database', status: 'pass', description: 'No known vulnerabilities (CVEs)' });
+    }
+    // Determine overall risk level
+    let riskLevel = 'safe';
+    let canBypass = true;
+    let suggestedPackage;
+    for (const issue of issues) {
+        if (issue.severity === 'fatal') {
+            riskLevel = 'fatal';
+            canBypass = false;
+            // Try to extract suggestion from typosquat details
+            if (issue.type === 'typosquat' && issue.details?.includes('"')) {
+                const match = issue.details.match(/"([^"]+)"/);
+                if (match)
+                    suggestedPackage = match[1];
+            }
+            break;
+        }
+        if (issue.severity === 'high') {
+            riskLevel = 'high';
+        }
+        if (issue.severity === 'warning' && riskLevel === 'safe') {
+            riskLevel = 'warning';
+        }
+    }
+    return {
+        packageName,
+        riskLevel,
+        issues,
+        checks,
+        canBypass,
+        suggestedPackage,
+    };
+}

package/dist/scanner/patterns/exfiltration.d.ts

@@ -0,0 +1,7 @@
+export declare const exfiltrationPatterns: {
+    pattern: RegExp;
+    context: RegExp;
+    message: string;
+}[];
+export declare const suspiciousNetworkPatterns: RegExp[];
+export declare function checkExfiltrationPatterns(code: string): string[];

package/dist/scanner/patterns/exfiltration.js

@@ -0,0 +1,49 @@
+export const exfiltrationPatterns = [
+    // Environment variable access + network
+    {
+        pattern: /process\.env\b/,
+        context: /(fetch|axios|http|https|request|got)\s*\(/i,
+        message: 'Environment variables accessed with network request',
+    },
+    // SSH key access
+    {
+        pattern: /\.ssh[\/\\]/,
+        context: /(readFile|readFileSync|createReadStream)/,
+        message: 'Accessing SSH directory',
+    },
+    // npmrc access
+    {
+        pattern: /\.npmrc/,
+        context: /(readFile|readFileSync|createReadStream)/,
+        message: 'Accessing .npmrc file',
+    },
+    // Base64 encoding of sensitive data
+    {
+        pattern: /Buffer\.from\(.*process\.env/,
+        context: /toString\s*\(\s*['"]base64['"]\s*\)/,
+        message: 'Base64 encoding environment data',
+    },
+];
+export const suspiciousNetworkPatterns = [
+    // Direct IP connections
+    /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/,
+    // Suspicious TLDs
+    /https?:\/\/[^\/]+\.(tk|ml|ga|cf|gq)\//,
+    // Hex/base64 encoded URLs
+    /atob\s*\(\s*['"][A-Za-z0-9+\/=]+['"]\s*\)/,
+    /Buffer\.from\s*\(\s*['"][A-Za-z0-9+\/=]+['"]\s*,\s*['"]base64['"]\s*\)/,
+];
+export function checkExfiltrationPatterns(code) {
+    const findings = [];
+    for (const { pattern, context, message } of exfiltrationPatterns) {
+        if (pattern.test(code) && context.test(code)) {
+            findings.push(message);
+        }
+    }
+    for (const pattern of suspiciousNetworkPatterns) {
+        if (pattern.test(code)) {
+            findings.push(`Suspicious network pattern: ${pattern.source}`);
+        }
+    }
+    return findings;
+}

package/dist/scanner/patterns/miner.d.ts

@@ -0,0 +1,5 @@
+export declare const minerPatterns: RegExp[];
+export declare function checkMinerPatterns(code: string): {
+    matched: boolean;
+    pattern?: string;
+};

package/dist/scanner/patterns/miner.js

@@ -0,0 +1,32 @@
+export const minerPatterns = [
+    // Known miner libraries/functions
+    /cryptonight/i,
+    /coinhive/i,
+    /coin-?hive/i,
+    /minero/i,
+    /deepMiner/i,
+    /coinimp/i,
+    /crypto-?loot/i,
+    /webminer/i,
+    /mineralt/i,
+    // Mining pool connections
+    /stratum\+tcp:\/\//i,
+    /pool\..*\.(com|net|org):\d+/i,
+    /xmr\.pool/i,
+    /monero.*pool/i,
+    // WebAssembly mining patterns
+    /cryptonight.*wasm/i,
+    /cn-?lite/i,
+    // CPU/GPU mining indicators
+    /startMining/i,
+    /miner\.start/i,
+    /CryptoNoter/i,
+];
+export function checkMinerPatterns(code) {
+    for (const pattern of minerPatterns) {
+        if (pattern.test(code)) {
+            return { matched: true, pattern: pattern.source };
+        }
+    }
+    return { matched: false };
+}

package/dist/scanner/patterns/obfuscation.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Patterns for detecting code obfuscation
+ * Obfuscated code is often used to hide malicious behavior
+ */
+export declare const obfuscationPatterns: {
+    pattern: RegExp;
+    name: string;
+}[];
+/**
+ * Analyze code for obfuscation patterns
+ */
+export declare function checkObfuscationPatterns(code: string): {
+    matched: boolean;
+    pattern?: string;
+};

package/dist/scanner/patterns/obfuscation.js

@@ -0,0 +1,110 @@
+/**
+ * Patterns for detecting code obfuscation
+ * Obfuscated code is often used to hide malicious behavior
+ */
+export const obfuscationPatterns = [
+    // Hex encoded strings (common in obfuscated code)
+    {
+        pattern: /\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){10,}/i,
+        name: 'Hex-encoded string sequence',
+    },
+    // Unicode escape sequences (excessive use)
+    {
+        pattern: /\\u[0-9a-f]{4}(?:\\u[0-9a-f]{4}){10,}/i,
+        name: 'Unicode escape sequence',
+    },
+    // Base64 with eval
+    {
+        pattern: /eval\s*\(\s*(?:atob|Buffer\.from)\s*\(/i,
+        name: 'eval() with Base64 decode',
+    },
+    // Long strings without spaces (typical of encoded payloads)
+    {
+        pattern: /['"][A-Za-z0-9+\/=]{200,}['"]/,
+        name: 'Long Base64-like string',
+    },
+    // Function constructor with string (code execution)
+    {
+        pattern: /new\s+Function\s*\(\s*['"].*['"]\s*\)/,
+        name: 'new Function() with string code',
+    },
+    // Common obfuscator patterns
+    {
+        pattern: /_0x[a-f0-9]{4,}/i,
+        name: 'JavaScript obfuscator variable pattern',
+    },
+    // Array-based string obfuscation
+    {
+        pattern: /\[['"][^'"]{1,20}['"](?:\s*,\s*['"][^'"]{1,20}['"]\s*){20,}\]/,
+        name: 'Array-based string obfuscation',
+    },
+    // Bitwise operations for string decoding
+    {
+        pattern: /String\.fromCharCode\s*\(\s*(?:\d+\s*[\^&|]\s*)+\d+\s*\)/,
+        name: 'Bitwise string decoding',
+    },
+    // JSFuck patterns
+    {
+        pattern: /\[\]\[(!\[\]\+\[\])/,
+        name: 'JSFuck obfuscation',
+    },
+    // eval with string concatenation/manipulation
+    {
+        pattern: /eval\s*\(\s*(?:\w+\s*\+\s*)+\w+\s*\)/,
+        name: 'eval() with string concatenation',
+    },
+    // setTimeout/setInterval with string
+    {
+        pattern: /set(?:Timeout|Interval)\s*\(\s*['"][^'"]+['"]/,
+        name: 'setTimeout/setInterval with string code',
+    },
+    // Char code array to string
+    {
+        pattern: /String\.fromCharCode\.apply\s*\(\s*null\s*,/,
+        name: 'Char code array conversion',
+    },
+];
+// Threshold for considering code as obfuscated
+const OBFUSCATION_THRESHOLD = 0.3; // 30% of lines look obfuscated
+/**
+ * Analyze code for obfuscation patterns
+ */
+export function checkObfuscationPatterns(code) {
+    // Check for specific obfuscation patterns
+    for (const { pattern, name } of obfuscationPatterns) {
+        if (pattern.test(code)) {
+            return { matched: true, pattern: name };
+        }
+    }
+    // Heuristic: check for high entropy (many short variable names)
+    const lines = code.split('\n').filter(line => line.trim().length > 0);
+    if (lines.length < 10) {
+        return { matched: false };
+    }
+    // Count lines with suspicious patterns
+    let suspiciousLines = 0;
+    for (const line of lines) {
+        // Very long line without spaces
+        if (line.length > 500 && line.split(/\s+/).length < 10) {
+            suspiciousLines++;
+            continue;
+        }
+        // Many short variable names (a, b, c, _0x...)
+        const shortVarMatches = line.match(/\b[a-z_$][a-z0-9_$]?\b/gi);
+        if (shortVarMatches && shortVarMatches.length > 20) {
+            suspiciousLines++;
+            continue;
+        }
+        // Excessive bracket/parenthesis nesting
+        const brackets = (line.match(/[\[\]\(\)\{\}]/g) || []).length;
+        if (brackets > 50) {
+            suspiciousLines++;
+            continue;
+        }
+    }
+    const obfuscationRatio = suspiciousLines / lines.length;
+    if (obfuscationRatio > OBFUSCATION_THRESHOLD) {
+        return { matched: true, pattern: `Heuristic: ${Math.round(obfuscationRatio * 100)}% of code appears obfuscated` };
+    }
+    return { matched: false };
+}