@lateos/npm-scan 0.15.3 → 0.15.5

package/backend/vsix-scan/detectors/publisher-anomaly.js

@@ -0,0 +1,70 @@
+export async function checkPublisherAnomaly(extensionMetadata, publisherProfile, versionHistory, config = {}) {
+  const signals = [];
+
+  const crossNamespaceThreshold = config.crossNamespaceThreshold ?? 3;
+  const crossNamespaceDays = config.crossNamespaceDays ?? 14;
+  const newAccountAgeDays = config.newAccountAgeDays ?? 30;
+  const highInstallThreshold = config.highInstallThreshold ?? 100000;
+  const addPublishWindowMinutes = config.addPublishWindowMinutes ?? 15;
+
+  const versions = versionHistory || [];
+  if (versions.length === 0) return { triggered: false, signals: [] };
+
+  const publishers = [...new Set(versions.map(v => v.publishedBy).filter(Boolean))];
+  if (publishers.length === 0) return { triggered: false, signals: [] };
+
+  const sortedVersions = [...versions]
+    .filter(v => v.publishedAt)
+    .sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
+
+  const extPublisher = publishers[0];
+  const allSame = publishers.every(p => p === extPublisher);
+
+  if (!allSame) {
+    for (const pub of publishers) {
+      if (pub !== extPublisher) {
+        signals.push({
+          type: 'PUBLISHER_ACCOUNT_SUBSTITUTION',
+          expectedPublisher: extPublisher,
+          unexpectedPublisher: pub,
+        });
+      }
+    }
+  }
+
+  const extInstallCount = extensionMetadata?.statistics?.find(s => s.statisticName === 'install')?.value || 0;
+
+  const extAgeDays = publisherProfile?.dateCreated
+    ? (Date.now() - new Date(publisherProfile.dateCreated).getTime()) / (1000 * 60 * 60 * 24)
+    : null;
+
+  if (extAgeDays !== null && extAgeDays < newAccountAgeDays && extInstallCount >= highInstallThreshold) {
+    signals.push({
+      type: 'NEW_ACCOUNT_HIGH_INSTALL',
+      accountAgeDays: Math.round(extAgeDays),
+      installCount: extInstallCount,
+    });
+  }
+
+  if (sortedVersions.length >= 2) {
+    const sorted = sortedVersions;
+    for (let i = 1; i < sorted.length; i++) {
+      const prev = sorted[i - 1];
+      const curr = sorted[i];
+      if (curr.publishedBy !== prev.publishedBy) {
+        const gapMinutes = (new Date(curr.publishedAt) - new Date(prev.publishedAt)) / (1000 * 60);
+        if (gapMinutes <= addPublishWindowMinutes) {
+          signals.push({
+            type: 'ADD_PUBLISH_RAPID',
+            version: curr.version,
+            previousPublisher: prev.publishedBy,
+            newPublisher: curr.publishedBy,
+            gapMinutes: Math.round(gapMinutes * 100) / 100,
+          });
+        }
+      }
+    }
+  }
+
+  return { triggered: signals.length > 0, signals };
+}

package/backend/vsix-scan/index.js

@@ -0,0 +1,183 @@
+import { checkBurstPublish } from './detectors/burst-publish.js';
+import { checkPublisherAnomaly } from './detectors/publisher-anomaly.js';
+import { checkActivationEventRisk } from './detectors/activation-event-risk.js';
+import { checkOrphanCommitFetch } from './detectors/orphan-commit-fetch.js';
+import { checkKnownIOC } from './detectors/known-ioc.js';
+import { checkExfilPattern } from './detectors/exfil-pattern.js';
+import { getExtensionMetadata, getVersionHistory, getPublisherProfile, getOpenVsxMetadata, getOpenVsxVersionHistory } from './marketplace-client.js';
+
+const SEVERITY_SCORE = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
+const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical'];
+
+export async function vsixScan(extensionId, options = {}) {
+  const { publisherId, extensionName } = parseExtensionId(extensionId);
+
+  const marketplaceMeta = options.marketplaceMeta || (options.skipNetwork ? null : await getExtensionMetadata(publisherId, extensionName));
+  const marketplaceVersions = options.marketplaceVersions || (marketplaceMeta ? await getVersionHistory(publisherId, extensionName) : []);
+  const openVsxVersions = options.openVsxVersions || (options.skipNetwork ? [] : await getOpenVsxVersionHistory(publisherId, extensionName));
+  const publisherProfile = options.publisherProfile || (options.skipNetwork ? null : await getPublisherProfile(publisherId));
+
+  const allVersions = mergeVersionHistories(marketplaceVersions, openVsxVersions);
+  const manifest = options.manifest || extractManifest(marketplaceMeta, extensionId);
+
+  const config = options.config || {};
+
+  const activationResult = await checkActivationEventRisk(
+    manifest,
+    allVersions,
+    options.priorVersions || [],
+  );
+
+  const burstResult = await checkBurstPublish(allVersions, config);
+
+  const publisherResult = await checkPublisherAnomaly(
+    manifest || {},
+    publisherProfile || {},
+    allVersions,
+    config,
+  );
+
+  const orphanResult = await checkOrphanCommitFetch(options.extensionFiles || []);
+
+  const iocResult = await checkKnownIOC(
+    extensionId,
+    options.version || (allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown'),
+    publisherId,
+    orphanResult.signals
+      .filter(s => s.type === 'ORPHAN_COMMIT_GITHUB_API')
+      .map(s => s.indicator),
+    allVersions,
+  );
+
+  const exfilResult = await checkExfilPattern(options.extensionFiles || []);
+
+  const triggeredSignals = [];
+  if (burstResult.triggered) triggeredSignals.push('VSIX_BURST_PUBLISH');
+  if (publisherResult.triggered) triggeredSignals.push('VSIX_PUBLISHER_ANOMALY');
+  if (activationResult.triggered) triggeredSignals.push('VSIX_ACTIVATION_EVENT_RISK');
+  if (orphanResult.triggered) triggeredSignals.push('VSIX_ORPHAN_COMMIT_FETCH');
+  if (iocResult.triggered) triggeredSignals.push('VSIX_KNOWN_IOC');
+  if (exfilResult.triggered) triggeredSignals.push('VSIX_EXFIL_PATTERN');
+
+  if (triggeredSignals.length === 0) return [];
+
+  const registryLabels = [];
+  if (marketplaceVersions.length > 0) registryLabels.push('marketplace');
+  if (openVsxVersions.length > 0) registryLabels.push('open-vsx');
+
+  const maxSeverity = triggeredSignals.reduce((max, s) => {
+    if (s === 'VSIX_KNOWN_IOC' || s === 'VSIX_ORPHAN_COMMIT_FETCH') return Math.max(max, 4);
+    if (s === 'VSIX_BURST_PUBLISH' || s === 'VSIX_PUBLISHER_ANOMALY' || s === 'VSIX_EXFIL_PATTERN') return Math.max(max, 3);
+    if (s === 'VSIX_ACTIVATION_EVENT_RISK') return Math.max(max, 3);
+    return max;
+  }, 0);
+
+  const finalSeverity = SEVERITY_LABELS[maxSeverity] || 'high';
+
+  const latestVersion = allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown';
+  let exposureWindowMinutes = null;
+  if (burstResult.hotPullDetected && allVersions.length >= 2) {
+    const sorted = [...allVersions].sort((a, b) => new Date(b.publishedAt) - new Date(a.publishedAt));
+    const gap = (new Date(sorted[0].publishedAt) - new Date(sorted[1].publishedAt)) / (1000 * 60);
+    exposureWindowMinutes = Math.round(gap);
+  }
+
+  const evidence = {
+    extensionId,
+    maliciousVersion: latestVersion,
+    registries: registryLabels,
+    exposureWindowMinutes,
+    triggeredSignals,
+    burstWindow: burstResult.burstWindow,
+    hotPullDetected: burstResult.hotPullDetected,
+    publisherSignals: publisherResult.triggered ? publisherResult.signals : null,
+    activationEvents: manifest?.activationEvents || null,
+    activationRisk: activationResult.triggered ? { riskLevel: activationResult.riskLevel, why: activationResult.why } : null,
+    orphanCommitIndicators: orphanResult.triggered ? orphanResult.indicators : null,
+    iocMatches: iocResult.triggered ? iocResult.matches : null,
+    exfilPatterns: exfilResult.triggered ? exfilResult.exfilPatterns : null,
+    antiAnalysisTechniques: exfilResult.triggered ? exfilResult.antiAnalysisTechniques : null,
+  };
+
+  const remediationGuidance = buildRemediation(triggeredSignals, extensionId);
+
+  return [{
+    id: 'VSIX_SCAN',
+    severity: finalSeverity,
+    title: `VS Code extension risk: ${extensionId}`,
+    description: `${triggeredSignals.length} signal(s): ${triggeredSignals.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: remediationGuidance,
+  }];
+}
+
+function parseExtensionId(id) {
+  const idx = id.indexOf('.');
+  if (idx === -1 || idx === 0 || idx === id.length - 1) {
+    throw new Error(`Invalid extension ID: ${id}. Expected format: publisher.extension-name`);
+  }
+  return { publisherId: id.slice(0, idx), extensionName: id.slice(idx + 1) };
+}
+
+function mergeVersionHistories(marketplace, openVsx) {
+  const seen = new Set();
+  const merged = [];
+
+  for (const v of marketplace) {
+    if (!seen.has(v.version)) {
+      seen.add(v.version);
+      merged.push({ ...v, registries: ['marketplace'] });
+    }
+  }
+
+  for (const v of openVsx) {
+    if (!seen.has(v.version)) {
+      seen.add(v.version);
+      merged.push({ ...v, registries: ['open-vsx'] });
+    } else {
+      const existing = merged.find(m => m.version === v.version);
+      if (existing) {
+        existing.registries.push('open-vsx');
+      }
+    }
+  }
+
+  return merged.sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
+}
+
+function extractManifest(marketplaceMeta, extensionId) {
+  if (!marketplaceMeta?.results?.[0]?.extensions?.[0]) return {};
+  const ext = marketplaceMeta.results[0].extensions[0];
+  const manifestStr = ext.galleryApiUrl || ext.manifest;
+  if (!manifestStr) return {};
+
+  try {
+    if (typeof manifestStr === 'object') return manifestStr;
+    return JSON.parse(manifestStr);
+  } catch {
+    return {};
+  }
+}
+
+function buildRemediation(triggeredSignals, extensionId) {
+  const parts = [];
+  if (triggeredSignals.includes('VSIX_KNOWN_IOC')) {
+    parts.push(`Extension ${extensionId} matches known campaign IOC. Remove immediately.`);
+  }
+  if (triggeredSignals.includes('VSIX_BURST_PUBLISH')) {
+    parts.push('Suspicious publish velocity detected. Verify publisher release history.');
+  }
+  if (triggeredSignals.includes('VSIX_PUBLISHER_ANOMALY')) {
+    parts.push('Publisher account anomaly detected. Verify publisher identity.');
+  }
+  if (triggeredSignals.includes('VSIX_ACTIVATION_EVENT_RISK')) {
+    parts.push('Risky activation events detected. Review extension activation scope.');
+  }
+  if (triggeredSignals.includes('VSIX_ORPHAN_COMMIT_FETCH')) {
+    parts.push('Dangling orphan commit fetch detected — technical signature of Nx Console attack.');
+  }
+  if (triggeredSignals.includes('VSIX_EXFIL_PATTERN')) {
+    parts.push('Credential exfiltration patterns detected. Revoke all tokens.');
+  }
+  return parts.join(' ');
+}

package/backend/vsix-scan/marketplace-client.js

@@ -0,0 +1,145 @@
+const MARKETPLACE_API = 'https://marketplace.visualstudio.com/_apis/public/gallery';
+const OPENVSX_API = 'https://open-vsx.org/api';
+
+const _cache = new Map();
+const CACHE_TTL = 5 * 60 * 1000;
+const RATE_LIMIT_MS = 6000;
+let _lastFetchTime = 0;
+
+function sleep(ms) {
+  return new Promise(r => setTimeout(r, ms));
+}
+
+async function rateLimitedFetch(url) {
+  const now = Date.now();
+  const elapsed = now - _lastFetchTime;
+  if (elapsed < RATE_LIMIT_MS) {
+    await sleep(RATE_LIMIT_MS - elapsed);
+  }
+  _lastFetchTime = Date.now();
+
+  const cached = _cache.get(url);
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+    return cached.data;
+  }
+
+  let res;
+  try {
+    res = await fetch(url);
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
+      await sleep(retryAfter * 1000);
+      res = await fetch(url);
+    }
+    if (!res.ok) {
+      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
+      return null;
+    }
+    const data = await res.json();
+    _cache.set(url, { data, fetchedAt: Date.now() });
+    return data;
+  } catch (err) {
+    console.debug(`Marketplace API error: ${err.message}`);
+    return null;
+  }
+}
+
+function parseExtensionId(id) {
+  const parts = id.split('.');
+  if (parts.length < 2) throw new Error(`Invalid extension ID: ${id}`);
+  return { publisherId: parts[0], extensionName: parts.slice(1).join('.') };
+}
+
+export async function getExtensionMetadata(publisherId, extensionName) {
+  const url = `${MARKETPLACE_API}/extensionquery`;
+  const body = {
+    filters: [{
+      criteria: [
+        { filterType: 8, value: `${publisherId}.${extensionName}` },
+      ],
+    }],
+    flags: 914,
+  };
+
+  const cached = _cache.get(url + JSON.stringify(body));
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+    return cached.data;
+  }
+
+  const now = Date.now();
+  const elapsed = now - _lastFetchTime;
+  if (elapsed < RATE_LIMIT_MS) {
+    await sleep(RATE_LIMIT_MS - elapsed);
+  }
+  _lastFetchTime = Date.now();
+
+  let res;
+  try {
+    res = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' },
+      body: JSON.stringify(body),
+    });
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
+      await sleep(retryAfter * 1000);
+      res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' }, body: JSON.stringify(body) });
+    }
+    if (!res.ok) {
+      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
+      return null;
+    }
+    const data = await res.json();
+    _cache.set(url + JSON.stringify(body), { data, fetchedAt: Date.now() });
+    return data;
+  } catch (err) {
+    console.debug(`Marketplace API error: ${err.message}`);
+    return null;
+  }
+}
+
+export async function getVersionHistory(publisherId, extensionName) {
+  const data = await getExtensionMetadata(publisherId, extensionName);
+  if (!data?.results?.[0]?.extensions?.[0]) return [];
+
+  const extension = data.results[0].extensions[0];
+  const versions = extension.versions || [];
+
+  return versions.map(v => ({
+    version: v.version,
+    publishedAt: v.lastUpdated || v.publishedDate,
+    publishedBy: extension.publisher?.publisherName || publisherId,
+    assetSha256: v.assetUri ? null : null,
+    flags: v.flags ? [String(v.flags)] : [],
+  }));
+}
+
+export async function getPublisherProfile(publisherId) {
+  const url = `${MARKETPLACE_API}/publishers/${publisherId}`;
+  return rateLimitedFetch(url);
+}
+
+export async function getOpenVsxMetadata(namespace, name) {
+  const url = `${OPENVSX_API}/${namespace}/${name}`;
+  return rateLimitedFetch(url);
+}
+
+export async function getOpenVsxVersionHistory(namespace, name) {
+  const data = await getOpenVsxMetadata(namespace, name);
+  if (!data) return [];
+  const versions = data.allVersions || {};
+  const files = data.files || {};
+
+  return Object.entries(versions).map(([version, publishedAt]) => ({
+    version,
+    publishedAt: typeof publishedAt === 'string' ? publishedAt : data.timestamp,
+    publishedBy: data.namespace || namespace,
+    assetSha256: files?.[version]?.sha256 || null,
+    flags: [],
+  }));
+}
+
+export function clearMarketplaceCache() {
+  _cache.clear();
+  _lastFetchTime = 0;
+}

package/backend/vsix-scan/vsix-iocs.json

@@ -0,0 +1,31 @@
+{
+  "lastUpdated": "2026-05-25",
+  "schema": "vsix-ioc-v1",
+  "iocs": [
+    {
+      "type": "extensionId",
+      "value": "nrwl.angular-console",
+      "maliciousVersions": ["18.95.0"],
+      "wave": "nx-console-wave3",
+      "cve": "CVE-2026-48027",
+      "exposureWindowStart": "2026-05-18T12:30:00Z",
+      "exposureWindowEnd": "2026-05-18T13:09:00Z",
+      "registries": ["marketplace", "open-vsx"],
+      "safeVersion": ">=18.100.0",
+      "source": "https://nx.dev/blog/nx-console-v18-95-0-postmortem"
+    },
+    {
+      "type": "publisherAccount",
+      "value": "nrwl",
+      "compromiseWindowStart": "2026-05-11T00:00:00Z",
+      "compromiseWindowEnd": "2026-05-18T13:09:00Z",
+      "note": "Contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publish"
+    },
+    {
+      "type": "orphanCommitHash",
+      "value": "PLACEHOLDER_UPDATE_FROM_THREAT_INTEL",
+      "repo": "nrwl/nx",
+      "note": "Dangling commit hosting 498KB Bun payload — update hash from StepSecurity IOC report"
+    }
+  ]
+}

package/cli/cli.js

@@ -38,6 +38,7 @@ program
   .option('--cache-dir <path>', 'Cache directory for offline/air-gapped scans')
   .option('--cache-ttl <seconds>', 'Cache TTL in seconds (default: 604800 = 7 days)', '604800')
   .option('--cache-size <bytes>', 'Max cache size in bytes (default: 1GB)', '1000000000')
+  .option('--vsix <extensionId>', 'Scan a VS Code extension (e.g. nrwl.angular-console)')
   .action(async (target, options) => {
     try {
       if (options.fips) {
@@ -50,11 +51,21 @@ program
         cacheMaxSize: parseInt(options.cacheSize || '1000000000')
       };
 
-      if (!target && !options.file) {
-        console.error('Error: specify a package name or --file <path>');
+      if (!target && !options.file && !options.vsix) {
+        console.error('Error: specify a package name, --file <path>, or --vsix <extensionId>');
         process.exit(1);
       }
 
+      if (options.vsix && !target && !options.file) {
+        const { vsixScan } = await import('../backend/vsix-scan/index.js');
+        const vsixFindings = await vsixScan(options.vsix);
+        const { saveScan } = await import('../backend/db.js');
+        const scanId = await saveScan(options.vsix, 'latest', vsixFindings);
+        const vsixOutput = JSON.stringify({ scanId, findings: vsixFindings, blocked: false, riskScore: 0, vsix: true }, null, 2);
+        console.log(vsixOutput);
+        return;
+      }
+
       const policy = options.policy
         ? await import('../backend/policy.js').then(m => m.loadPolicy(options.policy))
         : null;
@@ -72,10 +83,16 @@ program
         : await import('../backend/fetch.js').then(m => m.fetchPackage(target, fetchOptions));
       const pkgName = target || pkgJson.name || 'unknown';
       const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles, meta, allFiles));
+      let vsixFindings = [];
+      if (options.vsix) {
+        const { vsixScan } = await import('../backend/vsix-scan/index.js');
+        vsixFindings = await vsixScan(options.vsix);
+      }
+      const allFindings = [...findings, ...vsixFindings];
       const { saveScan } = await import('../backend/db.js');
-      const scanId = await saveScan(pkgName, 'latest', findings);
+      const scanId = await saveScan(pkgName, 'latest', allFindings);
 
-      let outputFindings = findings;
+      let outputFindings = allFindings;
       let blocked = false;
 
       if (policy) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.15.3",
+  "version": "0.15.5",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {