@lateos/npm-scan 0.15.3 → 0.15.5

package/backend/detectors/mini-shai-hulud/index.js

@@ -0,0 +1,118 @@
+import { checkBurstPublish } from './d1-burst-publish.js';
+import { checkSiblingCompromise, clearSiblingCache } from './d2-sibling-compromise.js';
+import { checkSlsaMismatch } from './d3-slsa-mismatch.js';
+import { checkMaintainerAnomaly } from './d4-maintainer-anomaly.js';
+import { checkIOC } from './d5-ioc-check.js';
+import { checkTokenExfil } from './d6-token-exfil.js';
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const config = {};
+
+  const burstResult = await checkBurstPublish(registryMeta, config);
+  const maintainerResult = await checkMaintainerAnomaly(registryMeta, config);
+
+  const pkgName = pkgJson?.name || '';
+  const pkgVersion = pkgJson?.version || '';
+  const sha512 = registryMeta?.versions?.[pkgVersion]?.dist?.integrity || null;
+  const publisherAccount = registryMeta?.versions?.[pkgVersion]?._npmUser?.name || null;
+  const timeMap = registryMeta?.time || {};
+
+  const iocResult = await checkIOC(pkgName, pkgVersion, sha512, publisherAccount, timeMap);
+  const exfilResult = checkTokenExfil(allFiles || files, pkgJson);
+
+  let siblingResult = { triggered: false };
+  let slsaResult = { triggered: false };
+
+  if (burstResult.triggered) {
+    siblingResult = await checkSiblingCompromise(pkgJson, config);
+    slsaResult = await checkSlsaMismatch(pkgName, pkgVersion, burstResult, timeMap, config);
+  }
+
+  const nxDownstreamResult = checkNxConsoleDownstream(pkgJson, allFiles || files);
+
+  const triggeredChecks = [];
+  if (burstResult.triggered) triggeredChecks.push('D1_BURST');
+  if (siblingResult.triggered) triggeredChecks.push('D2_SIBLING');
+  if (slsaResult.triggered) triggeredChecks.push('D3_SLSA');
+  if (maintainerResult.triggered) triggeredChecks.push('D4_MAINTAINER');
+  if (iocResult.triggered) triggeredChecks.push('D5_IOC');
+  if (exfilResult.triggered) triggeredChecks.push('D6_EXFIL');
+  if (nxDownstreamResult.triggered) triggeredChecks.push('D7_NX_CONSOLE');
+
+  if (triggeredChecks.length === 0) return [];
+
+  let waveAttribution = 'unknown';
+  if (pkgName.startsWith('@tanstack')) {
+    waveAttribution = 'wave1-tanstack';
+  } else if (pkgName.startsWith('@antv')) {
+    waveAttribution = 'wave2-antv';
+  } else if (nxDownstreamResult.triggered) {
+    waveAttribution = 'wave3-nx-console';
+  } else if (iocResult.matches && iocResult.matches.length > 0) {
+    const waves = [...new Set(iocResult.matches.map(m => m.wave))];
+    if (waves.length === 1) {
+      waveAttribution = waves[0] === 1 ? 'wave1-tanstack' : waves[0] === 2 ? 'wave2-antv' : 'wave3-nx-console';
+    }
+  }
+
+  const isCritical = slsaResult.triggered || iocResult.triggered || nxDownstreamResult.triggered;
+
+  const evidence = {
+    campaign: 'MINI_SHAI_HULUD',
+    waveAttribution,
+    triggeredChecks,
+    burstWindow: burstResult.triggered
+      ? { start: burstResult.windowStart, end: burstResult.windowEnd, versionCount: burstResult.versionCount }
+      : null,
+    siblingPackages: siblingResult.triggered
+      ? siblingResult.results.flatMap(r => r.siblingPackages)
+      : null,
+    attestationAnomalies: slsaResult.triggered ? slsaResult.anomalies : null,
+    iocMatches: iocResult.triggered ? iocResult.matches : null,
+    installScriptSnippets: exfilResult.triggered ? exfilResult.snippets : null,
+    nxConsoleDownstream: nxDownstreamResult.triggered
+      ? { nxDeps: nxDownstreamResult.nxDeps, vsCodeExtensions: nxDownstreamResult.vsCodeExtensions }
+      : null,
+  };
+
+  return [{
+    id: 'MINI_SHAI_HULUD',
+    severity: isCritical ? 'critical' : 'high',
+    title: 'Mini Shai-Hulud worm campaign',
+    description: `${triggeredChecks.length} signal(s): ${triggeredChecks.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: 'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages. If Wave 3 (Nx Console): remove nrwl.angular-console extension immediately, revoke all npm tokens used in CI/CD, and audit @nx/* dependency versions.',
+  }];
+}
+
+function checkNxConsoleDownstream(pkgJson, allFiles) {
+  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
+  const nxDeps = Object.keys(deps).filter(d => d.startsWith('@nx/') || d.startsWith('nrwl/'));
+  if (nxDeps.length === 0) return { triggered: false, nxDeps: [], vsCodeExtensions: [] };
+
+  let vsCodeExtensions = [];
+  if (allFiles && Array.isArray(allFiles)) {
+    for (const file of allFiles) {
+      if (file.path && (file.path.endsWith('.vscode/extensions.json') || file.path.endsWith('.vscode/extensions.json'))) {
+        try {
+          const content = typeof file.content === 'string' ? file.content : '';
+          const parsed = JSON.parse(content);
+          const allExts = [
+            ...(parsed.recommendations || []),
+            ...(parsed.unwantedRecommendations || []),
+          ];
+          const matched = allExts.filter(e => e.includes('nrwl.angular-console'));
+          if (matched.length > 0) {
+            vsCodeExtensions = matched;
+          }
+        } catch {
+          // non-JSON extensions.json, skip
+        }
+      }
+    }
+  }
+
+  return { triggered: true, nxDeps, vsCodeExtensions };
+}
+
+export { clearSiblingCache } from './d2-sibling-compromise.js';

package/backend/detectors/mini-shai-hulud/iocs.json

@@ -0,0 +1,79 @@
+{
+  "lastUpdated": "2026-05-24T00:00:00.000Z",
+  "waves": {
+    "wave1": {
+      "id": "mini-shai-hulud-wave1",
+      "description": "TanStack CI/CD hijack (mid-May 2026) — 84 malicious versions across 42 packages in ~6 minutes via compromised GitHub Actions CI. Forged SLSA BL3 provenance attestations.",
+      "windowMinutes": 6,
+      "iocs": [
+        {
+          "type": "packageScope",
+          "value": "@tanstack",
+          "maliciousVersionRanges": [],
+          "notes": "Seed IOC — update from threat intel feed. Affected: @tanstack/router, @tanstack/react-router, @tanstack/query, @tanstack/form, @tanstack/store, @tanstack/virtual, @tanstack/ranger, @tanstack/table."
+        }
+      ]
+    },
+    "wave2": {
+      "id": "mini-shai-hulud-wave2",
+      "description": "AntV/atool maintainer account compromise (late May 2026) — 600+ malicious versions across 300+ packages in ~22 minutes. ~16M weekly download blast radius.",
+      "windowMinutes": 22,
+      "iocs": [
+        {
+          "type": "publisherAccount",
+          "value": "atool",
+          "compromiseWindowStart": "2026-05-20T00:00:00.000Z",
+          "compromiseWindowEnd": null,
+          "notes": "Seed IOC — compromised @antv/atool maintainer account. Update compromise window from threat intel."
+        },
+        {
+          "type": "packageScope",
+          "value": "@antv",
+          "maliciousVersionRanges": [],
+          "notes": "Blast radius: @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js. Seed IOC — update from threat intel."
+        }
+      ]
+    },
+    "wave3": {
+      "id": "nx-console-wave3",
+      "description": "Nx Console 18.95.0 VS Code extension compromise (May 18, 2026, CVE-2026-48027, TeamPCP) — contributor token stolen via TanStack wave1 (May 11), 7-day dwell, malicious extension published using npx to fetch 498KB obfuscated Bun payload from dangling orphan commit on nrwl/nx repo. ~3M installs exposed.",
+      "windowMinutes": 36,
+      "iocs": [
+        {
+          "type": "extensionId",
+          "value": "nrwl.angular-console",
+          "maliciousVersionRanges": ["18.95.0"],
+          "notes": "Nx Console v18.95.0 — malicious VS Code extension. CVE-2026-48027. Exposure window: 11 min on Marketplace, 36 min on Open VSX."
+        },
+        {
+          "type": "publisherAccount",
+          "value": "nrwl",
+          "compromiseWindowStart": "2026-05-11T00:00:00.000Z",
+          "compromiseWindowEnd": "2026-05-18T13:09:00.000Z",
+          "notes": "Nx contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publishing malicious extension on May 18."
+        },
+        {
+          "type": "packageScope",
+          "value": "@nx",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: npm packages under @nx scope deployed by compromised Nx contributor. Check for versions published within 7 days of 2026-05-18."
+        },
+        {
+          "type": "packageScope",
+          "value": "nrwl",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: nrwl-scoped npm packages — monitor for anomalous burst publishing."
+        }
+      ]
+    }
+  },
+  "iocs": [
+    {
+      "type": "sha512",
+      "value": "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+      "package": "@antv/g2",
+      "wave": 2,
+      "notes": "Placeholder sha512 — replace with actual SHA-512 integrity hash from npm dist.integrity of a confirmed malicious version."
+    }
+  ]
+}

package/backend/vsix-scan/detectors/activation-event-risk.js

@@ -0,0 +1,116 @@
+const ACTIVATION_RISK_MATRIX = {
+  '*': { base: 'critical', label: 'Wildcard (all files)' },
+  'onStartupFinished': { base: 'high', label: 'Startup finished' },
+  'workspaceContains:**/*': { base: 'high', label: 'Workspace contains wildcard' },
+  'workspaceContains': { base: 'high', label: 'Workspace contains' },
+  'onCommand:*': { base: 'low', label: 'Any command' },
+};
+
+const DEFAULT_BASE_RISK = 'medium';
+
+const ESCALATION_KEYWORDS = [
+  'npx', 'bun', 'curl', 'wget', 'fetch(',
+  'exec(', 'spawn(', 'execSync', 'spawnSync',
+  'child_process', 'shell: true', 'detached: true',
+];
+
+const BUNDLED_BUN_PATTERN = /bun|runtime/;
+
+const SIZE_DELTA_THRESHOLD = 400 * 1024;
+
+const SHELL_CMDS = ['npx', 'bun', 'curl', 'wget', 'exec', 'spawn', 'execSync'];
+
+export async function checkActivationEventRisk(extensionManifest, versionHistory = [], priorVersions = []) {
+  const signals = [];
+
+  const activationEvents = extensionManifest?.activationEvents || [];
+  if (activationEvents.length === 0 && extensionManifest?.main) {
+    return { triggered: false, signals: [], riskLevel: null, why: [] };
+  }
+
+  let maxBaseRisk = 0;
+  const riskLabels = ['none', 'low', 'medium', 'high', 'critical'];
+  const riskValues = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
+
+  let worstEvent = null;
+  const why = [];
+
+  for (const event of activationEvents) {
+    const risk = ACTIVATION_RISK_MATRIX[event];
+    if (risk) {
+      const baseIdx = riskValues[risk.base] || riskValues[DEFAULT_BASE_RISK];
+      if (baseIdx > maxBaseRisk) {
+        maxBaseRisk = baseIdx;
+        worstEvent = event;
+      }
+    } else if (event.includes('*') && event !== 'onCommand:*') {
+      const baseIdx = riskValues['high'];
+      if (baseIdx > maxBaseRisk) {
+        maxBaseRisk = baseIdx;
+        worstEvent = event;
+      }
+    }
+  }
+
+  const contributes = extensionManifest?.contributes || {};
+  const commands = contributes?.commands || [];
+  const cmdTitles = commands.map(c => (c.title || '').toLowerCase()).join(' ');
+
+  const bundledDeps = extensionManifest?.bundledDependencies || [];
+  const bundledStr = Array.isArray(bundledDeps) ? bundledDeps.join(' ') : '';
+
+  const hasShellKeyword = SHELL_CMDS.some(cmd => cmdTitles.includes(cmd));
+  const hasBunBundled = BUNDLED_BUN_PATTERN.test(bundledStr);
+
+  const activationEventsStr = activationEvents.join(' ');
+  const hasShellInActivationContext = ESCALATION_KEYWORDS.some(kw => activationEventsStr.toLowerCase().includes(kw.toLowerCase()));
+
+  let escalateToCritical = false;
+
+  if (hasShellKeyword || hasBunBundled || hasShellInActivationContext) {
+    escalateToCritical = true;
+    why.push('HIGH activation event + shell/execution keywords');
+  }
+
+  if (versionHistory.length >= 2) {
+    const sizes = versionHistory
+      .filter(v => v.assetSize)
+      .map(v => v.assetSize)
+      .sort((a, b) => b - a);
+
+    if (sizes.length >= 2 && (sizes[0] - sizes[sizes.length - 1]) > SIZE_DELTA_THRESHOLD) {
+      escalateToCritical = true;
+      why.push(`HIGH activation event + version size delta > ${SIZE_DELTA_THRESHOLD} bytes`);
+    }
+  }
+
+  const priorActivationEvents = priorVersions
+    .filter(v => v.activationEvents)
+    .flatMap(v => v.activationEvents);
+
+  if (priorActivationEvents.length > 0) {
+    const newEvents = activationEvents.filter(e => !priorActivationEvents.includes(e));
+    if (newEvents.length > 0) {
+      why.push(`First-time activation event(s) added: ${newEvents.join(', ')}`);
+      if (!escalateToCritical && maxBaseRisk >= riskValues['high']) {
+        escalateToCritical = true;
+      }
+    }
+  }
+
+  let riskLevel = maxBaseRisk > 0 ? riskLabels[maxBaseRisk] : null;
+  if (escalateToCritical && riskValues[riskLevel] <= riskValues['high']) {
+    riskLevel = 'critical';
+  }
+
+  if (!riskLevel) return { triggered: false, signals: [], riskLevel: null, why: [] };
+
+  signals.push({
+    type: 'ACTIVATION_EVENT_RISK',
+    activationEvents,
+    riskLevel,
+    why,
+  });
+
+  return { triggered: true, signals, riskLevel, why };
+}

package/backend/vsix-scan/detectors/burst-publish.js

@@ -0,0 +1,52 @@
+export async function checkBurstPublish(versionHistory, config = {}) {
+  const windowMinutes = config.burstWindowMinutes ?? 30;
+  const threshold = config.burstVersionThreshold ?? 2;
+  const hotPullMinutes = config.hotPullMinutes ?? 20;
+
+  const entries = versionHistory
+    .filter(v => v.publishedAt)
+    .map(v => ({ version: v.version, time: new Date(v.publishedAt).getTime() }))
+    .filter(e => !Number.isNaN(e.time))
+    .sort((a, b) => a.time - b.time);
+
+  if (entries.length < threshold) return { triggered: false };
+
+  const windowMs = windowMinutes * 60 * 1000;
+  let burstFound = false;
+  let burstWindowStart = null;
+  let burstWindowEnd = null;
+  let burstVersionCount = 0;
+  let burstVersions = [];
+
+  for (let i = 0; i < entries.length; i++) {
+    const start = entries[i].time;
+    const end = start + windowMs;
+    const inWindow = entries.filter(e => e.time >= start && e.time <= end);
+
+    if (inWindow.length >= threshold) {
+      burstFound = true;
+      burstWindowStart = new Date(start).toISOString();
+      burstWindowEnd = new Date(end).toISOString();
+      burstVersionCount = inWindow.length;
+      burstVersions = inWindow.map(e => e.version);
+      break;
+    }
+  }
+
+  let hotPullDetected = false;
+  for (let i = 1; i < entries.length; i++) {
+    const gapMinutes = (entries[i].time - entries[i - 1].time) / (1000 * 60);
+    if (gapMinutes > 0 && gapMinutes < hotPullMinutes) {
+      hotPullDetected = true;
+      break;
+    }
+  }
+
+  return {
+    triggered: burstFound || hotPullDetected,
+    burstWindow: burstFound
+      ? { start: burstWindowStart, end: burstWindowEnd, versionCount: burstVersionCount, versions: burstVersions }
+      : null,
+    hotPullDetected,
+  };
+}

package/backend/vsix-scan/detectors/exfil-pattern.js

@@ -0,0 +1,88 @@
+const CREDENTIAL_FILE_PATTERNS = [
+  /~\/\.npmrc/,
+  /~\/\.gitconfig/,
+  /~\/\.aws\/credentials/,
+  /~\/\.ssh\/id_\w+/,
+  /~\/\.vault-token/,
+  /~\/\.claude\/settings\.json/,
+  /~\/Library\/Application\s+Support\/1Password\//,
+  /\/etc\/vault\/token/,
+  /\/proc\/\*\/mem/,
+  /\$GITHUB_ENV/,
+  /\$GITHUB_TOKEN/,
+  /\$NPM_TOKEN/,
+  /\$NODE_AUTH_TOKEN/,
+  /GH_TOKEN/,
+];
+
+const EXFIL_CHANNEL_PATTERNS = [
+  /(?:[a-z0-9_-]{40,})\.[a-z0-9_-]+\.(?:com|io|org|net|app|dev|xyz)(?:\/[^\s"')\]]{0,50})?/i,
+  /\/gists\b.*authorization/i,
+  /\/repos\/[^/]+\/[^/]+\/git\/refs/i,
+  /AES-256-GCM/,
+  /RSA\/(?:PKCS|OAEP)/,
+];
+
+const ANTI_ANALYSIS_PATTERNS = [
+  { pattern: /os\.cpus\(\)\.length\s*<\s*4/, label: 'CPU core count check (< 4)' },
+  { pattern: /Intl\.DateTimeFormat.*(?:timeZone|locale)/, label: 'Timezone/locale check' },
+  { pattern: /Intl\.DateTimeFormat.*\b(?:ru|rus|kz|by|cn|cns)\b/i, label: 'CIS/locale filtering' },
+  { pattern: /\bspawn\(\s*[^,]+,\s*\{[^}]*detached:\s*true\s*\}/, label: 'Detached process spawn' },
+  { pattern: /\bBUN_INSTALL\b/, label: 'BUN_INSTALL env reference' },
+  { pattern: /~\/\.bun\/bin\/bun/, label: 'Bun binary path' },
+  { pattern: /\bBun\.file\(/, label: 'Bun.file() API' },
+  { pattern: /\bBun\.serve\(/, label: 'Bun.serve() API' },
+];
+
+function truncateSnippet(str, maxLen = 200) {
+  if (!str || str.length <= maxLen) return str || '';
+  return str.slice(0, maxLen) + '...';
+}
+
+export async function checkExfilPattern(extensionFiles = []) {
+  const signals = [];
+  const exfilPatterns = [];
+  const antiAnalysisTechniques = [];
+
+  for (const file of extensionFiles) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+
+    for (const cp of CREDENTIAL_FILE_PATTERNS) {
+      const match = content.match(cp);
+      if (match) {
+        const snippet = truncateSnippet(match[0]);
+        if (!exfilPatterns.some(e => e.includes(snippet))) {
+          exfilPatterns.push(`${path}: ${snippet}`);
+          signals.push({ type: 'CREDENTIAL_FILE_TARGET', pattern: cp.source, file: path });
+        }
+      }
+    }
+
+    for (const ep of EXFIL_CHANNEL_PATTERNS) {
+      const match = content.match(ep);
+      if (match) {
+        const snippet = truncateSnippet(match[0]);
+        exfilPatterns.push(`${path}: ${snippet}`);
+        signals.push({ type: 'EXFIL_CHANNEL', pattern: ep.source, file: path });
+      }
+    }
+
+    for (const ap of ANTI_ANALYSIS_PATTERNS) {
+      if (ap.pattern.test(content)) {
+        if (!antiAnalysisTechniques.includes(ap.label)) {
+          antiAnalysisTechniques.push(ap.label);
+          signals.push({ type: 'ANTI_ANALYSIS', technique: ap.label, file: path });
+        }
+      }
+    }
+  }
+
+  return {
+    triggered: signals.length > 0,
+    signals,
+    exfilPatterns,
+    antiAnalysisTechniques,
+  };
+}

package/backend/vsix-scan/detectors/known-ioc.js

@@ -0,0 +1,105 @@
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+let iocsData = null;
+let iocsLoaded = false;
+let iocLoadError = null;
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const IOC_PATH = join(__dirname, '..', 'vsix-iocs.json');
+
+function loadIOCData() {
+  if (iocsLoaded) return iocsData;
+  iocsLoaded = true;
+  try {
+    iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
+  } catch (err) {
+    iocLoadError = err;
+    iocsData = null;
+  }
+  return iocsData;
+}
+
+export function getIOCLoadError() {
+  return iocLoadError;
+}
+
+export function reloadIOCData() {
+  iocsLoaded = false;
+  iocLoadError = null;
+  return loadIOCData();
+}
+
+export async function checkKnownIOC(extensionId, version, publisherAccount, orphanCommits = [], versionHistory = []) {
+  const data = loadIOCData();
+  if (!data) return { triggered: false, matches: [] };
+
+  const matches = [];
+  const iocs = data.iocs || [];
+
+  for (const ioc of iocs) {
+    switch (ioc.type) {
+      case 'extensionId': {
+        if (ioc.value === extensionId) {
+          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(version)) {
+            matches.push({
+              type: 'extensionId',
+              value: extensionId,
+              maliciousVersion: version,
+              wave: ioc.wave,
+              cve: ioc.cve,
+              exposureWindowStart: ioc.exposureWindowStart,
+              exposureWindowEnd: ioc.exposureWindowEnd,
+            });
+          }
+        }
+        break;
+      }
+
+      case 'publisherAccount': {
+        if (ioc.value === publisherAccount) {
+          const pubTime = versionHistory.length > 0
+            ? new Date(versionHistory[versionHistory.length - 1]?.publishedAt).getTime()
+            : null;
+
+          const windowStart = new Date(ioc.compromiseWindowStart).getTime();
+          const windowEnd = ioc.compromiseWindowEnd
+            ? new Date(ioc.compromiseWindowEnd).getTime()
+            : Infinity;
+
+          if (pubTime && !Number.isNaN(pubTime) && pubTime >= windowStart && pubTime <= windowEnd) {
+            matches.push({
+              type: 'publisherAccount',
+              value: publisherAccount,
+              wave: ioc.wave,
+              compromiseWindowStart: ioc.compromiseWindowStart,
+              compromiseWindowEnd: ioc.compromiseWindowEnd,
+            });
+          }
+        }
+        break;
+      }
+
+      case 'orphanCommitHash': {
+        for (const commit of orphanCommits) {
+          if (ioc.value === commit || (ioc.value === 'PLACEHOLDER_UPDATE_FROM_THREAT_INTEL')) {
+            continue;
+          }
+          if (ioc.value && commit && ioc.value.toLowerCase() === commit.toLowerCase()) {
+            matches.push({
+              type: 'orphanCommitHash',
+              value: commit,
+              repo: ioc.repo,
+              wave: ioc.wave,
+            });
+          }
+        }
+        break;
+      }
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/vsix-scan/detectors/orphan-commit-fetch.js

@@ -0,0 +1,69 @@
+const GITHUB_COMMIT_SHA_PATTERN = /api\.github\.com\/repos\/[^/]+\/[^/]+\/git\/commits\/[a-f0-9]{40}/;
+const NPX_GIT_URL_PATTERN = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
+const MCP_KEYWORDS = ['mcp', 'model-context-protocol', 'claude', 'setup', 'init'];
+const EXTERNAL_FETCH_PATTERN = /(?:https?:\/\/)[^\s"')\]]+(?:\.com|\.io|\.org|\.dev|\.app|\.net)[^\s"')\]]*/;
+const NON_NPMJS_FETCH = /(?:fetch|curl|wget)\s*\(?\s*["']https?:\/\/(?!(?:.*npmjs\.org|.*npm\.js\.org|.*github\.com))[^"']+/;
+const BUN_PATTERNS = [/bun\s+install/, /install\s+.*bun/, /\bbunx\b/, /\.bun\/bin\//];
+const NPX_GIT_SHORT = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
+
+export async function checkOrphanCommitFetch(extensionFiles = []) {
+  const signals = [];
+  const indicators = [];
+
+  for (const file of extensionFiles) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+
+    if (GITHUB_COMMIT_SHA_PATTERN.test(content)) {
+      const matches = content.match(GITHUB_COMMIT_SHA_PATTERN);
+      if (matches) {
+        indicators.push(`${path}: GitHub git commit SHA reference`);
+        signals.push({
+          type: 'ORPHAN_COMMIT_GITHUB_API',
+          indicator: 'GitHub API direct commit SHA resolution',
+          file: path,
+        });
+      }
+    }
+
+    if (NPX_GIT_URL_PATTERN.test(content)) {
+      const matches = content.match(NPX_GIT_URL_PATTERN);
+      if (matches) {
+        indicators.push(`${path}: npx with git URL`);
+        signals.push({
+          type: 'NPX_GIT_URL',
+          indicator: 'npx resolves from git URL (non-registry)',
+          file: path,
+        });
+      }
+    }
+
+    const hasMCPKeywords = MCP_KEYWORDS.some(kw =>
+        new RegExp(`\\b${kw}\\b`, 'i').test(content));
+    const hasExternalFetch = NON_NPMJS_FETCH.test(content);
+
+    if (hasMCPKeywords && hasExternalFetch) {
+      indicators.push(`${path}: MCP-adjacent keywords + external fetch`);
+      signals.push({
+        type: 'MCP_DISGUISED_EXFIL',
+        indicator: 'Shell command disguised as MCP setup',
+        file: path,
+      });
+    }
+
+    for (const bp of BUN_PATTERNS) {
+      if (bp.test(content)) {
+        indicators.push(`${path}: Bun installation pattern`);
+        signals.push({
+          type: 'BUN_INSTALL',
+          indicator: `Bun runtime install pattern: ${bp.source}`,
+          file: path,
+        });
+        break;
+      }
+    }
+  }
+
+  return { triggered: signals.length > 0, signals, indicators };
+}