@lateos/npm-scan 0.15.1 → 0.15.2

package/README.md

@@ -3,7 +3,7 @@
 [![npm version](https://img.shields.io/npm/v/@lateos/npm-scan?style=flat-square)](https://www.npmjs.com/package/@lateos/npm-scan)
 [![License](https://img.shields.io/badge/license-Apache%202.0%20%2B%20Commons%20Clause-blue?style=flat-square)](LICENSING.md)
 [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen?style=flat-square)](package.json)
-[![Tests](https://img.shields.io/badge/tests-324%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
+[![Tests](https://img.shields.io/badge/tests-371%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-90%25-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Docker](https://img.shields.io/badge/docker-lateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://hub.docker.com/r/lateos/npm-scan)
 [![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
@@ -24,6 +24,8 @@ The 2025–2026 wave of npm supply chain attacks proved that traditional tooling
 
 Attackers have moved past simple typosquatting. They now ship **obfuscated preinstall hooks**, **credential harvesters hidden behind environment detection**, **dormant backdoors with time-based activation**, and **worm-style transitive propagation** that spreads through peer dependencies.
 
+The **Megalodon campaign** (2026) alone compromised 5,500+ repositories via fake GitHub PRs, malicious workflow injection, and cloud credential exfiltration — all coordinated through a single actor automating the entire kill chain. **@lateos/npm-scan** now detects artifacts of this campaign out of the box.
+
 **npm audit** checks known CVEs. **Snyk** scans for vulnerabilities. **Socket** looks at package behavior. None of them were designed for the generation of attacks that emerged in 2025 — attacks that look benign until they reach production.
 
 **@lateos/npm-scan** was built for this moment.
@@ -42,6 +44,7 @@ Attackers have moved past simple typosquatting. They now ship **obfuscated prein
 | Conditional trigger detection (ATK-009) | ❌ | ❌ | ❌ | ✅ |
 | Sandbox evasion detection (ATK-010) | ❌ | ❌ | ❌ | ✅ |
 | Transitive worm propagation (ATK-011) | ❌ | ❌ | ❌ | ✅ |
+| Campaign detection (Megalodon CI/CD) | ❌ | ❌ | ❌ | ✅ |
 | Attack taxonomy (ATK series) | ❌ | ❌ | ❌ | ✅ |
 | SBOM output (CycloneDX + SPDX) | ❌ | ✅ | ❌ | ✅ |
 | SARIF v2.1 (GitHub Code Scanning) | ❌ | ❌ | ❌ | ✅ |
@@ -279,8 +282,10 @@ npm-scan report --pdf             # all scans (premium)
 | **ATK-009** | Conditional/dormant triggers (CI detection, time-based) | Behavioral | 🔴 high | SR-9.2 |
 | **ATK-010** | Sandbox evasion / anti-analysis | Behavioral | 🟠 medium | SR-10.3 |
 | **ATK-011** | Transitive propagation (worm-style lateral spread) | Behavioral | 🔴 high | SR-11.4 |
+| **MEGALODON** | Megalodon CI/CD campaign — workflow C2 exfil, credential harvest, publish velocity spike, publisher drift | Static + Registry | ⚫ critical | SR-3.1, SR-7.5 |
 
 > **How evasive attacks are caught:** ATK-009 detects packages that check `process.env.CI`, probe hostnames, or use time-based activation. ATK-010 flags `debugger` statements, `os.hostname()` probes, and env fingerprinting. ATK-011 traces peer dependency graphs to detect worm-like propagation patterns.  
+> **MEGALODON** campaign detection analyzes bundled `.github/workflows/` files for C2 co-occurrence and base64 decode chains, scans tarball files for credential + outbound network patterns, detects version publish velocity spikes via npm registry metadata, and identifies publisher account drift — all without any network calls beyond the initial package fetch.  
 > See [`docs/attack-taxonomy.md`](docs/attack-taxonomy.md) for full evasion surface documentation and PoC examples.
 
 ---
@@ -627,7 +632,7 @@ See the [Docker quick-start section](#-run-lateosnpm-scan-anywhere-with-docker--
 
 ### Free tier (shipped)
 
-- All 11 ATK detectors (static + behavioral)
+- All 11 ATK detectors + **MEGALODON** CI/CD campaign detection (D1–D6)
 - SBOM output (CycloneDX + SPDX)
 - HTML, text, and compliance reports (NIST + EU CRA)
 - Policy-as-code engine (YAML)
@@ -686,6 +691,7 @@ node --test test/detectors-corpus.test.js
 
 **Test structure:**
 - `test/fixtures/mock-data.js` — shared mock scans, packages, and code snippets
+- `test/megalodon.test.js` — 30 Megalodon campaign detection tests (D1–D4 + aggregator + runAll integration)
 - `test/db.test.js` — database CRUD (save, query, persist)
 - `test/detectors-edge-cases.test.js` — per-detector boundary tests (no-ops, clean clears, severity)
 - `test/detectors-corpus.test.js` — 33 malicious + 50 clean tarball integration (offline)

package/backend/detectors/atk-002-obfusc.js

@@ -1,12 +1,13 @@
 const DIST_BUILD_PATTERNS = [/\/dist\//, /\/build\//, /\/bundle/, /\/min\//, /\.min\.js$/, /\.bundled?\.js$/];
 const TEST_FIXTURE_PATTERNS = [/\/test\//, /\/tests\//, /\/__tests__\//, /\/spec\//, /\.test\.js$/, /\.spec\.js$/, /fixtures?/];
-const LIFECYCLE_HOOK_PATTERNS = [/postinstall/, /preinstall/, /['"]install['"]/, /['"]prepare['"]/];
 const KNOWN_SAFE_DOMAINS = [
   'registry.npmjs.org', 'cdn.jsdelivr.net', 'unpkg.com', 'cdn.skypack.dev',
   'esm.sh', 'deno.land', 'raw.githubusercontent.com', 'github.com',
   'npmjs.com', 'nodejs.org', 'v8.dev', 'typescriptlang.org'
 ];
 
+const LIFECYCLE_SCRIPT_NAMES = ['install', 'postinstall', 'preinstall', 'prepare', 'prepack', 'postpack'];
+
 function extractUrlDomain(code) {
   const urlMatch = code.match(/https?:\/\/([^/'"\s]+)/);
   return urlMatch ? urlMatch[1] : null;
@@ -20,23 +21,100 @@ function isTestOrFixture(filePath) {
   return TEST_FIXTURE_PATTERNS.some(p => p.test(filePath));
 }
 
-function isLifecycleHook(code) {
-  return LIFECYCLE_HOOK_PATTERNS.some(p => p.test(code));
-}
-
 function isKnownSafeDomain(domain) {
   if (!domain) return false;
   return KNOWN_SAFE_DOMAINS.some(safe => domain === safe || domain.endsWith('.' + safe));
 }
 
-function createContext(filePath, code) {
+function locateLine(code, pattern) {
+  const lines = code.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    if (pattern.test(lines[i])) return i + 1;
+  }
+  return null;
+}
+
+function decodePreview(code) {
+  const b64Match = code.match(/atob\(['"]([A-Za-z0-9+/=]{10,})['"]\)/);
+  if (b64Match) {
+    try {
+      const decoded = atob(b64Match[1]);
+      return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
+    } catch {}
+  }
+  
+  const hexMatch = code.match(/Buffer\.from\(['"]([0-9a-fA-F]+)['"],\s*['"]hex['"]\)/);
+  if (hexMatch) {
+    try {
+      const decoded = Buffer.from(hexMatch[1], 'hex').toString();
+      return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
+    } catch {}
+  }
+  
+  const btoaMatch = code.match(/btoa\(['"]([A-Za-z0-9+/=]{10,})['"]\)/);
+  if (btoaMatch) {
+    try {
+      const decoded = atob(btoaMatch[1]);
+      return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
+    } catch {}
+  }
+  
+  return null;
+}
+
+function detectEncodingType(code) {
+  if (/Buffer\.from\(['"][0-9a-fA-F]+['"],\s*['"]hex['"]\)/.test(code)) return 'hex';
+  if (/atob\(/.test(code)) return 'base64';
+  if (/btoa\(/.test(code)) return 'base64';
+  if (/Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code)) return 'base64';
+  if (/String\.fromCharCode\(/.test(code)) return 'charcode';
+  if (/btoa\(.*btoa\(|atob\(.*atob\(/.test(code)) return 'double-base64';
+  return 'unknown';
+}
+
+function isFileInLifecycleScript(filePath, pkgJson) {
+  if (!pkgJson?.scripts) return false;
+  
+  const scripts = pkgJson.scripts;
+  const fileName = filePath.split('/').pop();
+  const normalizedPath = filePath.replace(/^node_modules\//, '').replace(/^dist\//, '').replace(/^build\//, '');
+  
+  for (const scriptName of LIFECYCLE_SCRIPT_NAMES) {
+    const scriptValue = scripts[scriptName];
+    if (!scriptValue) continue;
+    
+    if (scriptValue.includes(filePath)) return true;
+    if (scriptValue.includes(fileName)) return true;
+    if (scriptValue.includes(normalizedPath)) return true;
+    
+    const scriptFileMatch = scriptValue.match(/[^\s'"]+\.js$/);
+    if (scriptFileMatch && filePath.endsWith(scriptFileMatch[0])) return true;
+  }
+  
+  return false;
+}
+
+function isLikelyLifecycleFileName(filePath) {
+  const name = filePath.split('/').pop().replace(/\.js$/, '');
+  return LIFECYCLE_SCRIPT_NAMES.includes(name) || 
+         name === 'setup' || 
+         name === 'install-helper';
+}
+
+function createEvidence(code, filePath, pattern, pkgJson) {
+  const encodingType = detectEncodingType(code);
+  const line = locateLine(code, pattern);
+  const decodedPreview = decodePreview(code);
+  const destinationHost = extractUrlDomain(code);
+  const lifecycleHook = isFileInLifecycleScript(filePath, pkgJson) || isLikelyLifecycleFileName(filePath);
+  
   return {
-    file_path: filePath,
-    is_dist_build: isDistOrBuild(filePath),
-    is_test_fixture: isTestOrFixture(filePath),
-    is_lifecycle_hook: isLifecycleHook(code),
-    url_domain: extractUrlDomain(code),
-    is_known_safe_domain: isKnownSafeDomain(extractUrlDomain(code)),
+    file: filePath,
+    line: line,
+    lifecycle_hook: lifecycleHook,
+    decoded_preview: decodedPreview,
+    encoding_type: encodingType,
+    destination_host: destinationHost,
   };
 }
 
@@ -47,7 +125,12 @@ export async function scan(pkgJson, files = []) {
 
   for (const f of files) {
     const code = f.content;
-    const ctx = createContext(f.path, code);
+    const filePath = f.path;
+
+    const isDistBuild = isDistOrBuild(filePath);
+    const isTestFixture = isTestOrFixture(filePath);
+    const urlDomain = extractUrlDomain(code);
+    const isSafeDomain = isKnownSafeDomain(urlDomain);
 
     const hasEval = /eval\(|new Function\(|\bFunction\('/.test(code);
 
@@ -57,13 +140,21 @@ export async function scan(pkgJson, files = []) {
       const b64UrlDecode = /try\s*\{[^}]*atob\s*\(/s.test(code) || /btoa\(.*\)\s*[^;]*\.replace\(/s.test(code);
 
       if (hexDecode || b64Decode || b64UrlDecode) {
+        const evidence = createEvidence(code, filePath, /eval\(|new Function\(|\bFunction\('/, pkgJson);
         findings.push({
           id: 'ATK-002',
           severity: 'medium',
           title: 'Obfuscated payload',
           description: hexDecode ? 'Eval with hex-decoded payload' : 'Eval with base64-decoded payload',
-          evidence: 'eval + decode pattern detected',
-          context: ctx,
+          evidence: evidence,
+          context: {
+            file_path: filePath,
+            is_dist_build: isDistBuild,
+            is_test_fixture: isTestFixture,
+            is_lifecycle_hook: evidence.lifecycle_hook,
+            url_domain: urlDomain,
+            is_known_safe_domain: isSafeDomain,
+          },
         });
         return findings;
       }
@@ -71,13 +162,22 @@ export async function scan(pkgJson, files = []) {
       if (btoa(btoa('x')) === 'eDuke'.padEnd(5)) {
         const nested = /atob\([^)]*atob\(/s.test(code) || /btoa\([^)]*btoa\(/s.test(code);
         if (nested) {
+          const evidence = createEvidence(code, filePath, /btoa\(/, pkgJson);
           findings.push({
             id: 'ATK-002',
             severity: 'high',
             title: 'Obfuscated payload',
             description: 'Double-encoded nested payload',
-            evidence: 'nested encode/decode detected',
-            context: { ...ctx, is_multi_layer: true },
+            evidence: { ...evidence, is_multi_layer: true },
+            context: {
+              file_path: filePath,
+              is_dist_build: isDistBuild,
+              is_test_fixture: isTestFixture,
+              is_lifecycle_hook: evidence.lifecycle_hook,
+              url_domain: urlDomain,
+              is_known_safe_domain: isSafeDomain,
+              is_multi_layer: true,
+            },
           });
           return findings;
         }
@@ -88,46 +188,70 @@ export async function scan(pkgJson, files = []) {
       const isNetworkObfusc = /atob\(.*(https?:\/\/|\\x|http).*\)/s.test(code) ||
         /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"].*fetch\(|fetch\(.*atob\(/s.test(code);
       if (isNetworkObfusc) {
+        const evidence = createEvidence(code, filePath, /atob\(|Buffer\.from/, pkgJson);
         findings.push({
           id: 'ATK-002',
           severity: 'medium',
           title: 'Obfuscated payload',
           description: 'Decoded string containing URL/fetch call',
-          evidence: 'obfuscation with network call',
-          context: ctx,
+          evidence: evidence,
+          context: {
+            file_path: filePath,
+            is_dist_build: isDistBuild,
+            is_test_fixture: isTestFixture,
+            is_lifecycle_hook: evidence.lifecycle_hook,
+            url_domain: urlDomain,
+            is_known_safe_domain: isSafeDomain,
+          },
         });
         return findings;
       }
     }
 
     if (/String\.fromCharCode\(.{20,}\)/.test(code) && hasEval) {
+      const evidence = createEvidence(code, filePath, /String\.fromCharCode\(/, pkgJson);
       findings.push({
         id: 'ATK-002',
         severity: 'medium',
         title: 'Obfuscated payload',
         description: 'Eval with String.fromCharCode obfuscation',
-        evidence: 'charcode obfuscation detected',
-        context: ctx,
+        evidence: evidence,
+        context: {
+          file_path: filePath,
+          is_dist_build: isDistBuild,
+          is_test_fixture: isTestFixture,
+          is_lifecycle_hook: evidence.lifecycle_hook,
+          url_domain: urlDomain,
+          is_known_safe_domain: isSafeDomain,
+        },
       });
       return findings;
     }
 
     const shellPatterns = [
-      /eval\s*\(\s*process\.env\.[A-Z_]{4,}/,
-      /exec\s*\(\s*Buffer\.from\(/,
-      /new Function\s*\(\s*(?:atob|process\.env)/,
-      /eval\s*\(\s*(?:require|import\s*\()/,
-      /Function\s*\(\s*'use\s*strict'\s*;?\s*(?:atob|require)/,
+      { regex: /eval\s*\(\s*process\.env\.[A-Z_]{4,}/, name: 'env-eval' },
+      { regex: /exec\s*\(\s*Buffer\.from\(/, name: 'exec-buffer' },
+      { regex: /new Function\s*\(\s*(?:atob|process\.env)/, name: 'function-eval' },
+      { regex: /eval\s*\(\s*(?:require|import\s*\()/, name: 'require-eval' },
+      { regex: /Function\s*\(\s*'use\s*strict'\s*;?\s*(?:atob|require)/, name: 'strict-eval' },
     ];
     for (const p of shellPatterns) {
-      if (p.test(code)) {
+      if (p.regex.test(code)) {
+        const evidence = createEvidence(code, filePath, p.regex, pkgJson);
         findings.push({
           id: 'ATK-002',
           severity: 'high',
           title: 'Obfuscated payload',
           description: 'Shell-code obfuscation pattern',
-          evidence: p.source.substring(0, 60),
-          context: ctx,
+          evidence: { ...evidence, pattern: p.name },
+          context: {
+            file_path: filePath,
+            is_dist_build: isDistBuild,
+            is_test_fixture: isTestFixture,
+            is_lifecycle_hook: evidence.lifecycle_hook,
+            url_domain: urlDomain,
+            is_known_safe_domain: isSafeDomain,
+          },
         });
         return findings;
       }
@@ -135,4 +259,4 @@ export async function scan(pkgJson, files = []) {
   }
 
   return findings;
-}
+}

package/backend/detectors/index.js

@@ -9,8 +9,9 @@ import * as atk008 from './atk-008-tarball-tamper.js';
 import * as atk009 from './atk-009-dormant-trigger.js';
 import * as atk010 from './atk-010-sandbox-evasion.js';
 import * as atk011 from './atk-011-transitive-prop.js';
+import { scanAll as megalodonScan } from './megalodon/index.js';
 
-export async function runAll(pkgJson, files = []) {
+export async function runAll(pkgJson, files = [], registryMeta = null, allFiles = null) {
   const findings = [];
   findings.push(...await atk001.scan(pkgJson, files));
   findings.push(...await atk002.scan(pkgJson, files));
@@ -23,5 +24,6 @@ export async function runAll(pkgJson, files = []) {
   findings.push(...await atk009.scan(pkgJson, files));
   findings.push(...await atk010.scan(pkgJson, files));
   findings.push(...await atk011.scan(pkgJson, files));
+  findings.push(...await megalodonScan(pkgJson, allFiles || files, registryMeta));
   return findings.sort((a, b) => b.severity.localeCompare(a.severity));
 }

package/backend/detectors/megalodon/d1-workflow-scan.js

@@ -0,0 +1,147 @@
+import { MegalodonSignal } from './types.js';
+import yaml from 'js-yaml';
+
+const C2_EXFIL_RE = /curl\s+.*?https?:\/\/(?!github\.com|githubusercontent\.com|raw\.githubusercontent\.com)[^\s'"]+/i;
+const SECRETS_REF_RE = /\$\{\{?\s*secrets\.\w+/;
+const B64_DECODE_CHAIN_RE = /base64\s+-d\s*[|>]\s*(ba)?sh/;
+
+function isWorkflowFile(f) {
+  const p = f.path.replace(/\\/g, '/');
+  return /\.github\/workflows\/.+\.(yml|yaml)$/i.test(p);
+}
+
+function countExecutableLines(text) {
+  return text.split('\n').filter(l => l.trim() && !l.trim().startsWith('#')).length;
+}
+
+function extractRunBlocks(parsed) {
+  const runs = [];
+  if (!parsed || typeof parsed !== 'object') return runs;
+
+  const walk = (obj) => {
+    if (!obj || typeof obj !== 'object') return;
+    if (Array.isArray(obj)) { obj.forEach(walk); return; }
+    for (const [k, v] of Object.entries(obj)) {
+      if (k === 'run' && typeof v === 'string') {
+        runs.push(v);
+      }
+      if (k === 'env' && typeof v === 'object' && v !== null) {
+        runs.push({ _env: v });
+      }
+      walk(v);
+    }
+  };
+  walk(parsed);
+  return runs;
+}
+
+function extractRunBlocksRaw(text) {
+  const runs = [];
+  const runMatch = text.match(/run:\s*[|>]\s*\n(\s{2,}.*(?:\n\s{2,}.*)*)/g);
+  if (runMatch) runs.push(...runMatch.map(m => m.replace(/^run:\s*[|>]\s*\n/, '')));
+
+  const inlineRe = /run:\s*['"](.+?)['"]\s*$/gm;
+  let m;
+  while ((m = inlineRe.exec(text)) !== null) runs.push(m[1]);
+
+  const envRe = /env:\s*\n((?:\s{2,}\w+:\s*.+\n?)*)/g;
+  let em;
+  while ((em = envRe.exec(text)) !== null) runs.push({ _env: em[1] });
+  return runs;
+}
+
+function runInStepHasBoth(step, signal) {
+  const runVal = step.run;
+  const envVals = step.env ? Object.values(step.env).filter(v => typeof v === 'string').join(' ') : '';
+  const combined = typeof runVal === 'string' ? `${runVal} ${envVals}` : '';
+
+  if (signal === 'exfil') {
+    return C2_EXFIL_RE.test(combined) && SECRETS_REF_RE.test(combined);
+  }
+  if (signal === 'decode') {
+    return B64_DECODE_CHAIN_RE.test(combined);
+  }
+  return false;
+}
+
+export async function scan(allFiles) {
+  const evidence = [];
+  const workflowFiles = allFiles.filter(isWorkflowFile);
+
+  for (const f of workflowFiles) {
+    if (f.content.length > 512 * 1024) continue;
+
+    let parsed = null;
+    let parseError = null;
+    try {
+      parsed = yaml.load(f.content);
+    } catch (e) {
+      parseError = e;
+    }
+
+    const rawRunBlocks = parsed ? extractRunBlocks(parsed) : extractRunBlocksRaw(f.content);
+    const runStrings = rawRunBlocks.filter(r => typeof r === 'string');
+    const envBlocks = rawRunBlocks.filter(r => typeof r === 'object' && r._env);
+
+    let exfilTriggered = false;
+    let decodeTriggered = false;
+
+    for (const runStr of runStrings) {
+      if (!exfilTriggered && C2_EXFIL_RE.test(runStr) && SECRETS_REF_RE.test(runStr)) {
+        exfilTriggered = true;
+        evidence.push({
+          signal: MegalodonSignal.WORKFLOW_C2_EXFIL,
+          file: f.path,
+          excerpt: runStr.slice(0, 120),
+          detail: 'C2 outbound call co-occurs with credentials reference in run block',
+        });
+      }
+
+      if (!decodeTriggered && B64_DECODE_CHAIN_RE.test(runStr)) {
+        decodeTriggered = true;
+        evidence.push({
+          signal: MegalodonSignal.WORKFLOW_DECODE_CHAIN,
+          file: f.path,
+          excerpt: runStr.slice(0, 120),
+          detail: 'Base64 decode pipe to shell — obfuscated payload execution',
+        });
+      }
+    }
+
+    if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+      const steps = parsed.jobs ? Object.values(parsed.jobs).flatMap(j => j.steps || []) : [];
+      for (const step of steps) {
+        if (!exfilTriggered && runInStepHasBoth(step, 'exfil')) {
+          exfilTriggered = true;
+          const runVal = step.run || '';
+          evidence.push({
+            signal: MegalodonSignal.WORKFLOW_C2_EXFIL,
+            file: f.path,
+            excerpt: runVal.slice(0, 120),
+            detail: 'C2 outbound call co-occurs with secrets reference in same step',
+          });
+        }
+        if (!decodeTriggered && runInStepHasBoth(step, 'decode')) {
+          decodeTriggered = true;
+          const runVal = step.run || '';
+          evidence.push({
+            signal: MegalodonSignal.WORKFLOW_DECODE_CHAIN,
+            file: f.path,
+            excerpt: runVal.slice(0, 120),
+            detail: 'Base64 decode pipe to shell — obfuscated payload execution',
+          });
+        }
+      }
+    }
+
+    const lineCount = countExecutableLines(f.content);
+    if ((exfilTriggered || decodeTriggered) && lineCount >= 100 && lineCount <= 120) {
+      const found = evidence.find(e => e.signal === MegalodonSignal.WORKFLOW_C2_EXFIL || e.signal === MegalodonSignal.WORKFLOW_DECODE_CHAIN);
+      if (found) {
+        found.detail += ` | Matches ${lineCount}-line Megalodon payload footprint`;
+      }
+    }
+  }
+
+  return evidence;
+}

package/backend/detectors/megalodon/d2-credential-harvest.js

@@ -0,0 +1,61 @@
+import { MegalodonSignal } from './types.js';
+
+const CRED_PATTERNS = [
+  { pattern: /\bAWS_(SECRET_ACCESS_KEY|ACCESS_KEY_ID|SESSION_TOKEN)\b/, label: 'AWS credential' },
+  { pattern: /\bGOOGLE_APPLICATION_CREDENTIALS\b/, label: 'GCP credential' },
+  { pattern: /\bAZURE_(CLIENT_SECRET|TENANT_ID|CLIENT_ID|SUBSCRIPTION_ID)\b/, label: 'Azure credential' },
+  { pattern: /\bGH_(TOKEN|PAT)\b/, label: 'GitHub PAT' },
+  { pattern: /\bGITHUB_TOKEN\b/, label: 'GitHub token' },
+  { pattern: /\bNPM_TOKEN\b/, label: 'npm token' },
+  { pattern: /\bDISCORD_TOKEN\b/, label: 'Discord token' },
+  { pattern: /\bSLACK_TOKEN\b/, label: 'Slack token' },
+  { pattern: /\bSTRIPE_(SECRET|PUBLISHABLE)_KEY\b/, label: 'Stripe key' },
+  { pattern: /\bTWILIO_(ACCOUNT_SID|AUTH_TOKEN)\b/, label: 'Twilio credential' },
+  { pattern: /\bDB_(USERNAME|PASSWORD|URL)\b/, label: 'Database credential' },
+  { pattern: /\bMONGO_(URI|URL|CONNECTION)\b/, label: 'MongoDB connection' },
+];
+
+const OUTBOUND_NET_RE = /curl\s+|wget\s+|fetch\s*\(|https?\.request\s*\(|http\.request\s*\(|got\s*\(|axios\s*\.|request\s*\(|node-fetch|\.post\s*\(|\.get\s*\(/i;
+
+const TARGET_EXTENSIONS = ['.sh', '.bash', '.yml', '.yaml', '.js'];
+
+function isTargetFile(f) {
+  const ext = f.path.slice(f.path.lastIndexOf('.')).toLowerCase();
+  return TARGET_EXTENSIONS.includes(ext);
+}
+
+export async function scan(allFiles) {
+  const evidence = [];
+  const targetFiles = allFiles.filter(isTargetFile);
+
+  for (const f of targetFiles) {
+    const content = f.content;
+    let score = 0;
+    const matched = [];
+
+    for (const cp of CRED_PATTERNS) {
+      const re = new RegExp(cp.pattern.source, 'gi');
+      let m;
+      while ((m = re.exec(content)) !== null) {
+        if (!matched.some(ex => ex.label === cp.label)) {
+          matched.push({ label: cp.label, match: m[0] });
+        }
+        score += 3;
+      }
+    }
+
+    if (score > 0) {
+      const hasNetwork = OUTBOUND_NET_RE.test(content);
+      if (hasNetwork) {
+        evidence.push({
+          signal: MegalodonSignal.CREDENTIAL_HARVEST,
+          file: f.path,
+          excerpt: matched.map(m => m.label).join(', ').slice(0, 120),
+          detail: `Credential env vars (${matched.map(m => m.label).join(', ')}) co-occur with outbound network call (score: ${score})`,
+        });
+      }
+    }
+  }
+
+  return evidence;
+}

package/backend/detectors/megalodon/d3-publish-velocity.js

@@ -0,0 +1,67 @@
+import { MegalodonSignal } from './types.js';
+
+export function detectVelocitySpike(times, windowHours = 6, threshold = 3) {
+  const filtered = {};
+  for (const [v, t] of Object.entries(times)) {
+    if (v === 'created' || v === 'modified') continue;
+    filtered[v] = t;
+  }
+
+  const entries = Object.entries(filtered)
+    .filter(([, t]) => t)
+    .map(([v, t]) => [v, new Date(t).getTime()])
+    .filter(([, ts]) => !Number.isNaN(ts))
+    .sort((a, b) => a[1] - b[1]);
+
+  if (entries.length === 0) {
+    return { triggered: false, versionsInWindow: [], windowStartISO: null };
+  }
+
+  const windowMs = windowHours * 3_600_000;
+
+  for (let i = 0; i < entries.length; i++) {
+    const windowStart = entries[i][1];
+    const windowEnd = windowStart + windowMs;
+    const inWindow = [];
+
+    for (let j = i; j < entries.length; j++) {
+      if (entries[j][1] <= windowEnd) {
+        inWindow.push(entries[j][0]);
+      } else {
+        break;
+      }
+    }
+
+    if (inWindow.length >= threshold) {
+      let display = inWindow.slice(0, 10);
+      let suffix = '';
+      if (inWindow.length > 10) {
+        suffix = ` +${inWindow.length - 10} more`;
+      }
+      return {
+        triggered: true,
+        versionsInWindow: display.join(', ') + suffix,
+        windowStartISO: new Date(windowStart).toISOString(),
+        _allVersions: inWindow,
+      };
+    }
+  }
+
+  return { triggered: false, versionsInWindow: [], windowStartISO: null };
+}
+
+export async function scan(registryMeta) {
+  const times = registryMeta?.time || {};
+  const result = detectVelocitySpike(times);
+
+  if (!result.triggered) return [];
+
+  return [{
+    signal: MegalodonSignal.PUBLISH_VELOCITY,
+    file: 'registry.npmjs.org',
+    excerpt: result.versionsInWindow,
+    detail: `Version publish velocity spike: ${result.versionsInWindow} versions in window starting ${result.windowStartISO}`,
+    _windowStartISO: result.windowStartISO,
+    _allVersions: result._allVersions,
+  }];
+}

package/backend/detectors/megalodon/d4-publisher-drift.js

@@ -0,0 +1,124 @@
+import { MegalodonSignal } from './types.js';
+
+export async function scan(registryMeta, velocityResult) {
+  const evidence = [];
+  const versions = registryMeta?.versions || {};
+  const timeMap = registryMeta?.time || {};
+
+  const filteredTimes = {};
+  for (const [v, t] of Object.entries(timeMap)) {
+    if (v === 'created' || v === 'modified') continue;
+    if (t) filteredTimes[v] = t;
+  }
+
+  const sortedVersions = Object.entries(filteredTimes)
+    .filter(([, t]) => t && !Number.isNaN(new Date(t).getTime()))
+    .sort((a, b) => new Date(a[1]).getTime() - new Date(b[1]).getTime())
+    .map(([v]) => v);
+
+  if (sortedVersions.length === 0) return [];
+
+  if (velocityResult?.triggered) {
+    const windowStartISO = velocityResult.windowStartISO;
+    const allInWindow = velocityResult._allVersions || [];
+
+    const priorPublishers = new Set();
+    for (const v of sortedVersions) {
+      if (new Date(filteredTimes[v]).getTime() >= new Date(windowStartISO).getTime()) break;
+      const user = versions[v]?._npmUser?.name;
+      if (user) priorPublishers.add(user);
+    }
+
+    if (priorPublishers.size === 0 && allInWindow.length > 0) {
+      const firstUser = versions[allInWindow[0]]?._npmUser?.name;
+      if (firstUser) priorPublishers.add(firstUser);
+    }
+
+    const suspiciousPublishers = [];
+    const affectedVersions = [];
+    for (const v of allInWindow) {
+      const user = versions[v]?._npmUser?.name;
+      if (user && !priorPublishers.has(user)) {
+        if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
+        if (!affectedVersions.includes(v)) affectedVersions.push(v);
+      }
+    }
+
+    if (suspiciousPublishers.length > 0) {
+      const detail = `Drift detected: known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in versions [${affectedVersions.join(', ')}]`;
+
+      const firstSuspiciousVer = allInWindow.find(v => affectedVersions.includes(v));
+      let ageNote = '';
+      if (firstSuspiciousVer && suspiciousPublishers[0]) {
+        ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[firstSuspiciousVer]);
+      }
+
+      evidence.push({
+        signal: MegalodonSignal.PUBLISHER_DRIFT,
+        file: 'registry.npmjs.org',
+        excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
+        detail: detail + (ageNote ? ' | ' + ageNote : ''),
+        _severityHint: 'HIGH',
+      });
+    }
+  } else {
+    if (sortedVersions.length < 4) return [];
+
+    const last3 = sortedVersions.slice(-3);
+    const prior = sortedVersions.slice(0, -3);
+
+    const priorPublishers = new Set();
+    for (const v of prior) {
+      const user = versions[v]?._npmUser?.name;
+      if (user) priorPublishers.add(user);
+    }
+
+    const suspiciousPublishers = [];
+    const affectedVersions = [];
+    for (const v of last3) {
+      const user = versions[v]?._npmUser?.name;
+      if (user && !priorPublishers.has(user)) {
+        if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
+        if (!affectedVersions.includes(v)) affectedVersions.push(v);
+      }
+    }
+
+    if (suspiciousPublishers.length > 0) {
+      const detail = `Drift (fallback): known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in last 3 versions [${affectedVersions.join(', ')}]`;
+
+      let ageNote = '';
+      if (suspiciousPublishers[0] && affectedVersions[0]) {
+        ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[affectedVersions[0]]);
+      }
+
+      evidence.push({
+        signal: MegalodonSignal.PUBLISHER_DRIFT,
+        file: 'registry.npmjs.org',
+        excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
+        detail: detail + (ageNote ? ' | ' + ageNote : ''),
+        _severityHint: 'MEDIUM',
+      });
+    }
+  }
+
+  return evidence;
+}
+
+async function checkAccountAge(npmUser, firstSuspiciousTime) {
+  try {
+    const url = `https://registry.npmjs.org/-/user/org.couchdb.user/${encodeURIComponent(npmUser)}`;
+    const res = await fetch(url);
+    if (!res.ok) return '';
+    const data = await res.json();
+    const created = data?.date;
+    if (!created) return '';
+    const createdDate = new Date(created).getTime();
+    const firstPub = new Date(firstSuspiciousTime).getTime();
+    const daysDiff = (firstPub - createdDate) / (1000 * 60 * 60 * 24);
+    if (!Number.isNaN(daysDiff) && daysDiff >= 0 && daysDiff <= 30) {
+      return `Publisher account created ${Math.round(daysDiff)} days before first suspicious publish`;
+    }
+  } catch {
+  }
+  return '';
+}

package/backend/detectors/megalodon/d5-bot-commit-identity.js

@@ -0,0 +1,3 @@
+export async function scan(registryMeta) {
+  return [];
+}

package/backend/detectors/megalodon/d6-date-anachronism.js

@@ -0,0 +1,3 @@
+export async function scan(pkgJson, registryMeta) {
+  return [];
+}

package/backend/detectors/megalodon/index.js

@@ -0,0 +1,80 @@
+import { MegalodonSignal } from './types.js';
+import { scan as scanD1 } from './d1-workflow-scan.js';
+import { scan as scanD2 } from './d2-credential-harvest.js';
+import { scan as scanD3 } from './d3-publish-velocity.js';
+import { scan as scanD4 } from './d4-publisher-drift.js';
+import { scan as scanD5 } from './d5-bot-commit-identity.js';
+import { scan as scanD6 } from './d6-date-anachronism.js';
+
+const SIGNAL_SEVERITY = {
+  [MegalodonSignal.WORKFLOW_C2_EXFIL]: 5,
+  [MegalodonSignal.WORKFLOW_DECODE_CHAIN]: 4,
+  [MegalodonSignal.PUBLISH_VELOCITY]: 4,
+  [MegalodonSignal.PUBLISHER_DRIFT]: 4,
+  [MegalodonSignal.CREDENTIAL_HARVEST]: 3,
+  [MegalodonSignal.BOT_COMMIT_IDENTITY]: 2,
+  [MegalodonSignal.DATE_ANACHRONISM]: 2,
+};
+
+const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical', 'critical'];
+
+function resolveSeverity(signals, d4Evidence) {
+  let maxScore = 0;
+  for (const s of signals) {
+    maxScore = Math.max(maxScore, SIGNAL_SEVERITY[s] || 0);
+  }
+
+  const d4Hint = d4Evidence.find(e => e._severityHint);
+  if (d4Hint) {
+    const hintScore = d4Hint._severityHint === 'HIGH' ? 4 : d4Hint._severityHint === 'MEDIUM' ? 3 : 0;
+    maxScore = Math.max(maxScore, hintScore);
+  }
+
+  return SEVERITY_LABELS[maxScore] || 'none';
+}
+
+export async function scanAll(pkgJson, allFiles = [], registryMeta = {}) {
+  const allEvidence = [];
+
+  const d1Ev = await scanD1(allFiles);
+  allEvidence.push(...d1Ev);
+
+  const d2Ev = await scanD2(allFiles);
+  allEvidence.push(...d2Ev);
+
+  const d3Ev = await scanD3(registryMeta);
+  allEvidence.push(...d3Ev);
+
+  const velocityResult = d3Ev.length > 0 ? {
+    triggered: true,
+    windowStartISO: d3Ev[0]._windowStartISO || null,
+    versionsInWindow: d3Ev[0].excerpt || '',
+    _allVersions: d3Ev[0]._allVersions || [],
+  } : { triggered: false, versionsInWindow: [], windowStartISO: null };
+
+  const d4Ev = await scanD4(registryMeta, velocityResult);
+  allEvidence.push(...d4Ev);
+
+  allEvidence.push(...await scanD5(registryMeta));
+  allEvidence.push(...await scanD6(pkgJson, registryMeta));
+
+  const signals = [...new Set(allEvidence.map(e => e.signal).filter(Boolean))];
+
+  if (signals.length === 0) return [];
+
+  const severity = resolveSeverity(signals, d4Ev);
+
+  const cleaned = allEvidence.map(({ _windowStartISO, _allVersions, _severityHint, ...rest }) => rest);
+
+  return [{
+    id: 'MEGALODON',
+    severity,
+    title: 'Megalodon CI/CD attack campaign',
+    description: `${signals.length} signal(s): ${signals.join(', ')}`,
+    evidence: JSON.stringify({
+      campaign: 'MEGALODON',
+      signals,
+      evidence: cleaned,
+    }),
+  }];
+}

package/backend/detectors/megalodon/types.js

@@ -0,0 +1,9 @@
+export const MegalodonSignal = Object.freeze({
+  WORKFLOW_C2_EXFIL: 'D1_WORKFLOW_C2_EXFIL',
+  WORKFLOW_DECODE_CHAIN: 'D1_WORKFLOW_DECODE_CHAIN',
+  CREDENTIAL_HARVEST: 'D2_CREDENTIAL_HARVEST',
+  PUBLISH_VELOCITY: 'D3_PUBLISH_VELOCITY',
+  PUBLISHER_DRIFT: 'D4_PUBLISHER_DRIFT',
+  BOT_COMMIT_IDENTITY: 'D5_BOT_COMMIT_IDENTITY',
+  DATE_ANACHRONISM: 'D6_DATE_ANACHRONISM',
+});

package/backend/fetch.js

@@ -150,7 +150,12 @@ async function extractTarball(buffer, tmpDir) {
     content: fs.readFileSync(p, 'utf8')
   }));
 
-  return { pkgJson, jsFiles, tmpDir };
+  const allFiles = walkFiles(tmpDir, '').map(p => ({
+    path: p,
+    content: fs.readFileSync(p, 'utf8')
+  }));
+
+  return { pkgJson, jsFiles, allFiles, tmpDir };
 }
 
 function walkFiles(dir, ext) {

package/cli/cli.js

@@ -67,11 +67,11 @@ program
         }
       }
 
-      const { pkgJson, jsFiles, tmpDir } = options.file
+      const { pkgJson, jsFiles, allFiles, tmpDir, meta } = options.file
         ? await import('../backend/fetch.js').then(m => m.scanLocalTarball(options.file))
         : await import('../backend/fetch.js').then(m => m.fetchPackage(target, fetchOptions));
       const pkgName = target || pkgJson.name || 'unknown';
-      const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles));
+      const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles, meta, allFiles));
       const { saveScan } = await import('../backend/db.js');
       const scanId = await saveScan(pkgName, 'latest', findings);
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.15.1",
+  "version": "0.15.2",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {