@lateos/npm-scan 0.15.1 → 0.15.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +15 -2
- package/backend/detectors/atk-002-obfusc.js +154 -30
- package/backend/detectors/hf-impersonation/index.js +396 -0
- package/backend/detectors/hf-impersonation/jaro-winkler.js +44 -0
- package/backend/detectors/hf-impersonation/known-orgs.js +5 -0
- package/backend/detectors/hf-impersonation/simhash.js +46 -0
- package/backend/detectors/index.js +5 -1
- package/backend/detectors/megalodon/d1-workflow-scan.js +147 -0
- package/backend/detectors/megalodon/d2-credential-harvest.js +61 -0
- package/backend/detectors/megalodon/d3-publish-velocity.js +67 -0
- package/backend/detectors/megalodon/d4-publisher-drift.js +124 -0
- package/backend/detectors/megalodon/d5-bot-commit-identity.js +3 -0
- package/backend/detectors/megalodon/d6-date-anachronism.js +3 -0
- package/backend/detectors/megalodon/index.js +80 -0
- package/backend/detectors/megalodon/types.js +9 -0
- package/backend/fetch.js +6 -1
- package/cli/cli.js +2 -2
- package/package.json +1 -1
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
import { MegalodonSignal } from './types.js';
|
|
2
|
+
|
|
3
|
+
const CRED_PATTERNS = [
|
|
4
|
+
{ pattern: /\bAWS_(SECRET_ACCESS_KEY|ACCESS_KEY_ID|SESSION_TOKEN)\b/, label: 'AWS credential' },
|
|
5
|
+
{ pattern: /\bGOOGLE_APPLICATION_CREDENTIALS\b/, label: 'GCP credential' },
|
|
6
|
+
{ pattern: /\bAZURE_(CLIENT_SECRET|TENANT_ID|CLIENT_ID|SUBSCRIPTION_ID)\b/, label: 'Azure credential' },
|
|
7
|
+
{ pattern: /\bGH_(TOKEN|PAT)\b/, label: 'GitHub PAT' },
|
|
8
|
+
{ pattern: /\bGITHUB_TOKEN\b/, label: 'GitHub token' },
|
|
9
|
+
{ pattern: /\bNPM_TOKEN\b/, label: 'npm token' },
|
|
10
|
+
{ pattern: /\bDISCORD_TOKEN\b/, label: 'Discord token' },
|
|
11
|
+
{ pattern: /\bSLACK_TOKEN\b/, label: 'Slack token' },
|
|
12
|
+
{ pattern: /\bSTRIPE_(SECRET|PUBLISHABLE)_KEY\b/, label: 'Stripe key' },
|
|
13
|
+
{ pattern: /\bTWILIO_(ACCOUNT_SID|AUTH_TOKEN)\b/, label: 'Twilio credential' },
|
|
14
|
+
{ pattern: /\bDB_(USERNAME|PASSWORD|URL)\b/, label: 'Database credential' },
|
|
15
|
+
{ pattern: /\bMONGO_(URI|URL|CONNECTION)\b/, label: 'MongoDB connection' },
|
|
16
|
+
];
|
|
17
|
+
|
|
18
|
+
const OUTBOUND_NET_RE = /curl\s+|wget\s+|fetch\s*\(|https?\.request\s*\(|http\.request\s*\(|got\s*\(|axios\s*\.|request\s*\(|node-fetch|\.post\s*\(|\.get\s*\(/i;
|
|
19
|
+
|
|
20
|
+
const TARGET_EXTENSIONS = ['.sh', '.bash', '.yml', '.yaml', '.js'];
|
|
21
|
+
|
|
22
|
+
function isTargetFile(f) {
|
|
23
|
+
const ext = f.path.slice(f.path.lastIndexOf('.')).toLowerCase();
|
|
24
|
+
return TARGET_EXTENSIONS.includes(ext);
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
export async function scan(allFiles) {
|
|
28
|
+
const evidence = [];
|
|
29
|
+
const targetFiles = allFiles.filter(isTargetFile);
|
|
30
|
+
|
|
31
|
+
for (const f of targetFiles) {
|
|
32
|
+
const content = f.content;
|
|
33
|
+
let score = 0;
|
|
34
|
+
const matched = [];
|
|
35
|
+
|
|
36
|
+
for (const cp of CRED_PATTERNS) {
|
|
37
|
+
const re = new RegExp(cp.pattern.source, 'gi');
|
|
38
|
+
let m;
|
|
39
|
+
while ((m = re.exec(content)) !== null) {
|
|
40
|
+
if (!matched.some(ex => ex.label === cp.label)) {
|
|
41
|
+
matched.push({ label: cp.label, match: m[0] });
|
|
42
|
+
}
|
|
43
|
+
score += 3;
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
if (score > 0) {
|
|
48
|
+
const hasNetwork = OUTBOUND_NET_RE.test(content);
|
|
49
|
+
if (hasNetwork) {
|
|
50
|
+
evidence.push({
|
|
51
|
+
signal: MegalodonSignal.CREDENTIAL_HARVEST,
|
|
52
|
+
file: f.path,
|
|
53
|
+
excerpt: matched.map(m => m.label).join(', ').slice(0, 120),
|
|
54
|
+
detail: `Credential env vars (${matched.map(m => m.label).join(', ')}) co-occur with outbound network call (score: ${score})`,
|
|
55
|
+
});
|
|
56
|
+
}
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
return evidence;
|
|
61
|
+
}
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
import { MegalodonSignal } from './types.js';
|
|
2
|
+
|
|
3
|
+
export function detectVelocitySpike(times, windowHours = 6, threshold = 3) {
|
|
4
|
+
const filtered = {};
|
|
5
|
+
for (const [v, t] of Object.entries(times)) {
|
|
6
|
+
if (v === 'created' || v === 'modified') continue;
|
|
7
|
+
filtered[v] = t;
|
|
8
|
+
}
|
|
9
|
+
|
|
10
|
+
const entries = Object.entries(filtered)
|
|
11
|
+
.filter(([, t]) => t)
|
|
12
|
+
.map(([v, t]) => [v, new Date(t).getTime()])
|
|
13
|
+
.filter(([, ts]) => !Number.isNaN(ts))
|
|
14
|
+
.sort((a, b) => a[1] - b[1]);
|
|
15
|
+
|
|
16
|
+
if (entries.length === 0) {
|
|
17
|
+
return { triggered: false, versionsInWindow: [], windowStartISO: null };
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
const windowMs = windowHours * 3_600_000;
|
|
21
|
+
|
|
22
|
+
for (let i = 0; i < entries.length; i++) {
|
|
23
|
+
const windowStart = entries[i][1];
|
|
24
|
+
const windowEnd = windowStart + windowMs;
|
|
25
|
+
const inWindow = [];
|
|
26
|
+
|
|
27
|
+
for (let j = i; j < entries.length; j++) {
|
|
28
|
+
if (entries[j][1] <= windowEnd) {
|
|
29
|
+
inWindow.push(entries[j][0]);
|
|
30
|
+
} else {
|
|
31
|
+
break;
|
|
32
|
+
}
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
if (inWindow.length >= threshold) {
|
|
36
|
+
let display = inWindow.slice(0, 10);
|
|
37
|
+
let suffix = '';
|
|
38
|
+
if (inWindow.length > 10) {
|
|
39
|
+
suffix = ` +${inWindow.length - 10} more`;
|
|
40
|
+
}
|
|
41
|
+
return {
|
|
42
|
+
triggered: true,
|
|
43
|
+
versionsInWindow: display.join(', ') + suffix,
|
|
44
|
+
windowStartISO: new Date(windowStart).toISOString(),
|
|
45
|
+
_allVersions: inWindow,
|
|
46
|
+
};
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
|
|
50
|
+
return { triggered: false, versionsInWindow: [], windowStartISO: null };
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
export async function scan(registryMeta) {
|
|
54
|
+
const times = registryMeta?.time || {};
|
|
55
|
+
const result = detectVelocitySpike(times);
|
|
56
|
+
|
|
57
|
+
if (!result.triggered) return [];
|
|
58
|
+
|
|
59
|
+
return [{
|
|
60
|
+
signal: MegalodonSignal.PUBLISH_VELOCITY,
|
|
61
|
+
file: 'registry.npmjs.org',
|
|
62
|
+
excerpt: result.versionsInWindow,
|
|
63
|
+
detail: `Version publish velocity spike: ${result.versionsInWindow} versions in window starting ${result.windowStartISO}`,
|
|
64
|
+
_windowStartISO: result.windowStartISO,
|
|
65
|
+
_allVersions: result._allVersions,
|
|
66
|
+
}];
|
|
67
|
+
}
|
|
@@ -0,0 +1,124 @@
|
|
|
1
|
+
import { MegalodonSignal } from './types.js';
|
|
2
|
+
|
|
3
|
+
export async function scan(registryMeta, velocityResult) {
|
|
4
|
+
const evidence = [];
|
|
5
|
+
const versions = registryMeta?.versions || {};
|
|
6
|
+
const timeMap = registryMeta?.time || {};
|
|
7
|
+
|
|
8
|
+
const filteredTimes = {};
|
|
9
|
+
for (const [v, t] of Object.entries(timeMap)) {
|
|
10
|
+
if (v === 'created' || v === 'modified') continue;
|
|
11
|
+
if (t) filteredTimes[v] = t;
|
|
12
|
+
}
|
|
13
|
+
|
|
14
|
+
const sortedVersions = Object.entries(filteredTimes)
|
|
15
|
+
.filter(([, t]) => t && !Number.isNaN(new Date(t).getTime()))
|
|
16
|
+
.sort((a, b) => new Date(a[1]).getTime() - new Date(b[1]).getTime())
|
|
17
|
+
.map(([v]) => v);
|
|
18
|
+
|
|
19
|
+
if (sortedVersions.length === 0) return [];
|
|
20
|
+
|
|
21
|
+
if (velocityResult?.triggered) {
|
|
22
|
+
const windowStartISO = velocityResult.windowStartISO;
|
|
23
|
+
const allInWindow = velocityResult._allVersions || [];
|
|
24
|
+
|
|
25
|
+
const priorPublishers = new Set();
|
|
26
|
+
for (const v of sortedVersions) {
|
|
27
|
+
if (new Date(filteredTimes[v]).getTime() >= new Date(windowStartISO).getTime()) break;
|
|
28
|
+
const user = versions[v]?._npmUser?.name;
|
|
29
|
+
if (user) priorPublishers.add(user);
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
if (priorPublishers.size === 0 && allInWindow.length > 0) {
|
|
33
|
+
const firstUser = versions[allInWindow[0]]?._npmUser?.name;
|
|
34
|
+
if (firstUser) priorPublishers.add(firstUser);
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
const suspiciousPublishers = [];
|
|
38
|
+
const affectedVersions = [];
|
|
39
|
+
for (const v of allInWindow) {
|
|
40
|
+
const user = versions[v]?._npmUser?.name;
|
|
41
|
+
if (user && !priorPublishers.has(user)) {
|
|
42
|
+
if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
|
|
43
|
+
if (!affectedVersions.includes(v)) affectedVersions.push(v);
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
if (suspiciousPublishers.length > 0) {
|
|
48
|
+
const detail = `Drift detected: known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in versions [${affectedVersions.join(', ')}]`;
|
|
49
|
+
|
|
50
|
+
const firstSuspiciousVer = allInWindow.find(v => affectedVersions.includes(v));
|
|
51
|
+
let ageNote = '';
|
|
52
|
+
if (firstSuspiciousVer && suspiciousPublishers[0]) {
|
|
53
|
+
ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[firstSuspiciousVer]);
|
|
54
|
+
}
|
|
55
|
+
|
|
56
|
+
evidence.push({
|
|
57
|
+
signal: MegalodonSignal.PUBLISHER_DRIFT,
|
|
58
|
+
file: 'registry.npmjs.org',
|
|
59
|
+
excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
|
|
60
|
+
detail: detail + (ageNote ? ' | ' + ageNote : ''),
|
|
61
|
+
_severityHint: 'HIGH',
|
|
62
|
+
});
|
|
63
|
+
}
|
|
64
|
+
} else {
|
|
65
|
+
if (sortedVersions.length < 4) return [];
|
|
66
|
+
|
|
67
|
+
const last3 = sortedVersions.slice(-3);
|
|
68
|
+
const prior = sortedVersions.slice(0, -3);
|
|
69
|
+
|
|
70
|
+
const priorPublishers = new Set();
|
|
71
|
+
for (const v of prior) {
|
|
72
|
+
const user = versions[v]?._npmUser?.name;
|
|
73
|
+
if (user) priorPublishers.add(user);
|
|
74
|
+
}
|
|
75
|
+
|
|
76
|
+
const suspiciousPublishers = [];
|
|
77
|
+
const affectedVersions = [];
|
|
78
|
+
for (const v of last3) {
|
|
79
|
+
const user = versions[v]?._npmUser?.name;
|
|
80
|
+
if (user && !priorPublishers.has(user)) {
|
|
81
|
+
if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
|
|
82
|
+
if (!affectedVersions.includes(v)) affectedVersions.push(v);
|
|
83
|
+
}
|
|
84
|
+
}
|
|
85
|
+
|
|
86
|
+
if (suspiciousPublishers.length > 0) {
|
|
87
|
+
const detail = `Drift (fallback): known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in last 3 versions [${affectedVersions.join(', ')}]`;
|
|
88
|
+
|
|
89
|
+
let ageNote = '';
|
|
90
|
+
if (suspiciousPublishers[0] && affectedVersions[0]) {
|
|
91
|
+
ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[affectedVersions[0]]);
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
evidence.push({
|
|
95
|
+
signal: MegalodonSignal.PUBLISHER_DRIFT,
|
|
96
|
+
file: 'registry.npmjs.org',
|
|
97
|
+
excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
|
|
98
|
+
detail: detail + (ageNote ? ' | ' + ageNote : ''),
|
|
99
|
+
_severityHint: 'MEDIUM',
|
|
100
|
+
});
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
|
|
104
|
+
return evidence;
|
|
105
|
+
}
|
|
106
|
+
|
|
107
|
+
async function checkAccountAge(npmUser, firstSuspiciousTime) {
|
|
108
|
+
try {
|
|
109
|
+
const url = `https://registry.npmjs.org/-/user/org.couchdb.user/${encodeURIComponent(npmUser)}`;
|
|
110
|
+
const res = await fetch(url);
|
|
111
|
+
if (!res.ok) return '';
|
|
112
|
+
const data = await res.json();
|
|
113
|
+
const created = data?.date;
|
|
114
|
+
if (!created) return '';
|
|
115
|
+
const createdDate = new Date(created).getTime();
|
|
116
|
+
const firstPub = new Date(firstSuspiciousTime).getTime();
|
|
117
|
+
const daysDiff = (firstPub - createdDate) / (1000 * 60 * 60 * 24);
|
|
118
|
+
if (!Number.isNaN(daysDiff) && daysDiff >= 0 && daysDiff <= 30) {
|
|
119
|
+
return `Publisher account created ${Math.round(daysDiff)} days before first suspicious publish`;
|
|
120
|
+
}
|
|
121
|
+
} catch {
|
|
122
|
+
}
|
|
123
|
+
return '';
|
|
124
|
+
}
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
import { MegalodonSignal } from './types.js';
|
|
2
|
+
import { scan as scanD1 } from './d1-workflow-scan.js';
|
|
3
|
+
import { scan as scanD2 } from './d2-credential-harvest.js';
|
|
4
|
+
import { scan as scanD3 } from './d3-publish-velocity.js';
|
|
5
|
+
import { scan as scanD4 } from './d4-publisher-drift.js';
|
|
6
|
+
import { scan as scanD5 } from './d5-bot-commit-identity.js';
|
|
7
|
+
import { scan as scanD6 } from './d6-date-anachronism.js';
|
|
8
|
+
|
|
9
|
+
const SIGNAL_SEVERITY = {
|
|
10
|
+
[MegalodonSignal.WORKFLOW_C2_EXFIL]: 5,
|
|
11
|
+
[MegalodonSignal.WORKFLOW_DECODE_CHAIN]: 4,
|
|
12
|
+
[MegalodonSignal.PUBLISH_VELOCITY]: 4,
|
|
13
|
+
[MegalodonSignal.PUBLISHER_DRIFT]: 4,
|
|
14
|
+
[MegalodonSignal.CREDENTIAL_HARVEST]: 3,
|
|
15
|
+
[MegalodonSignal.BOT_COMMIT_IDENTITY]: 2,
|
|
16
|
+
[MegalodonSignal.DATE_ANACHRONISM]: 2,
|
|
17
|
+
};
|
|
18
|
+
|
|
19
|
+
const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical', 'critical'];
|
|
20
|
+
|
|
21
|
+
function resolveSeverity(signals, d4Evidence) {
|
|
22
|
+
let maxScore = 0;
|
|
23
|
+
for (const s of signals) {
|
|
24
|
+
maxScore = Math.max(maxScore, SIGNAL_SEVERITY[s] || 0);
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
const d4Hint = d4Evidence.find(e => e._severityHint);
|
|
28
|
+
if (d4Hint) {
|
|
29
|
+
const hintScore = d4Hint._severityHint === 'HIGH' ? 4 : d4Hint._severityHint === 'MEDIUM' ? 3 : 0;
|
|
30
|
+
maxScore = Math.max(maxScore, hintScore);
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
return SEVERITY_LABELS[maxScore] || 'none';
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
export async function scanAll(pkgJson, allFiles = [], registryMeta = {}) {
|
|
37
|
+
const allEvidence = [];
|
|
38
|
+
|
|
39
|
+
const d1Ev = await scanD1(allFiles);
|
|
40
|
+
allEvidence.push(...d1Ev);
|
|
41
|
+
|
|
42
|
+
const d2Ev = await scanD2(allFiles);
|
|
43
|
+
allEvidence.push(...d2Ev);
|
|
44
|
+
|
|
45
|
+
const d3Ev = await scanD3(registryMeta);
|
|
46
|
+
allEvidence.push(...d3Ev);
|
|
47
|
+
|
|
48
|
+
const velocityResult = d3Ev.length > 0 ? {
|
|
49
|
+
triggered: true,
|
|
50
|
+
windowStartISO: d3Ev[0]._windowStartISO || null,
|
|
51
|
+
versionsInWindow: d3Ev[0].excerpt || '',
|
|
52
|
+
_allVersions: d3Ev[0]._allVersions || [],
|
|
53
|
+
} : { triggered: false, versionsInWindow: [], windowStartISO: null };
|
|
54
|
+
|
|
55
|
+
const d4Ev = await scanD4(registryMeta, velocityResult);
|
|
56
|
+
allEvidence.push(...d4Ev);
|
|
57
|
+
|
|
58
|
+
allEvidence.push(...await scanD5(registryMeta));
|
|
59
|
+
allEvidence.push(...await scanD6(pkgJson, registryMeta));
|
|
60
|
+
|
|
61
|
+
const signals = [...new Set(allEvidence.map(e => e.signal).filter(Boolean))];
|
|
62
|
+
|
|
63
|
+
if (signals.length === 0) return [];
|
|
64
|
+
|
|
65
|
+
const severity = resolveSeverity(signals, d4Ev);
|
|
66
|
+
|
|
67
|
+
const cleaned = allEvidence.map(({ _windowStartISO, _allVersions, _severityHint, ...rest }) => rest);
|
|
68
|
+
|
|
69
|
+
return [{
|
|
70
|
+
id: 'MEGALODON',
|
|
71
|
+
severity,
|
|
72
|
+
title: 'Megalodon CI/CD attack campaign',
|
|
73
|
+
description: `${signals.length} signal(s): ${signals.join(', ')}`,
|
|
74
|
+
evidence: JSON.stringify({
|
|
75
|
+
campaign: 'MEGALODON',
|
|
76
|
+
signals,
|
|
77
|
+
evidence: cleaned,
|
|
78
|
+
}),
|
|
79
|
+
}];
|
|
80
|
+
}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
export const MegalodonSignal = Object.freeze({
|
|
2
|
+
WORKFLOW_C2_EXFIL: 'D1_WORKFLOW_C2_EXFIL',
|
|
3
|
+
WORKFLOW_DECODE_CHAIN: 'D1_WORKFLOW_DECODE_CHAIN',
|
|
4
|
+
CREDENTIAL_HARVEST: 'D2_CREDENTIAL_HARVEST',
|
|
5
|
+
PUBLISH_VELOCITY: 'D3_PUBLISH_VELOCITY',
|
|
6
|
+
PUBLISHER_DRIFT: 'D4_PUBLISHER_DRIFT',
|
|
7
|
+
BOT_COMMIT_IDENTITY: 'D5_BOT_COMMIT_IDENTITY',
|
|
8
|
+
DATE_ANACHRONISM: 'D6_DATE_ANACHRONISM',
|
|
9
|
+
});
|
package/backend/fetch.js
CHANGED
|
@@ -150,7 +150,12 @@ async function extractTarball(buffer, tmpDir) {
|
|
|
150
150
|
content: fs.readFileSync(p, 'utf8')
|
|
151
151
|
}));
|
|
152
152
|
|
|
153
|
-
|
|
153
|
+
const allFiles = walkFiles(tmpDir, '').map(p => ({
|
|
154
|
+
path: p,
|
|
155
|
+
content: fs.readFileSync(p, 'utf8')
|
|
156
|
+
}));
|
|
157
|
+
|
|
158
|
+
return { pkgJson, jsFiles, allFiles, tmpDir };
|
|
154
159
|
}
|
|
155
160
|
|
|
156
161
|
function walkFiles(dir, ext) {
|
package/cli/cli.js
CHANGED
|
@@ -67,11 +67,11 @@ program
|
|
|
67
67
|
}
|
|
68
68
|
}
|
|
69
69
|
|
|
70
|
-
const { pkgJson, jsFiles, tmpDir } = options.file
|
|
70
|
+
const { pkgJson, jsFiles, allFiles, tmpDir, meta } = options.file
|
|
71
71
|
? await import('../backend/fetch.js').then(m => m.scanLocalTarball(options.file))
|
|
72
72
|
: await import('../backend/fetch.js').then(m => m.fetchPackage(target, fetchOptions));
|
|
73
73
|
const pkgName = target || pkgJson.name || 'unknown';
|
|
74
|
-
const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles));
|
|
74
|
+
const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles, meta, allFiles));
|
|
75
75
|
const { saveScan } = await import('../backend/db.js');
|
|
76
76
|
const scanId = await saveScan(pkgName, 'latest', findings);
|
|
77
77
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@lateos/npm-scan",
|
|
3
|
-
"version": "0.15.
|
|
3
|
+
"version": "0.15.3",
|
|
4
4
|
"description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
|
|
5
5
|
"main": "backend/index.js",
|
|
6
6
|
"bin": {
|