@lateos/npm-scan 0.15.4 → 0.15.6

package/backend/vsix-scan/marketplace-client.js

@@ -0,0 +1,145 @@
+const MARKETPLACE_API = 'https://marketplace.visualstudio.com/_apis/public/gallery';
+const OPENVSX_API = 'https://open-vsx.org/api';
+
+const _cache = new Map();
+const CACHE_TTL = 5 * 60 * 1000;
+const RATE_LIMIT_MS = 6000;
+let _lastFetchTime = 0;
+
+function sleep(ms) {
+  return new Promise(r => setTimeout(r, ms));
+}
+
+async function rateLimitedFetch(url) {
+  const now = Date.now();
+  const elapsed = now - _lastFetchTime;
+  if (elapsed < RATE_LIMIT_MS) {
+    await sleep(RATE_LIMIT_MS - elapsed);
+  }
+  _lastFetchTime = Date.now();
+
+  const cached = _cache.get(url);
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+    return cached.data;
+  }
+
+  let res;
+  try {
+    res = await fetch(url);
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
+      await sleep(retryAfter * 1000);
+      res = await fetch(url);
+    }
+    if (!res.ok) {
+      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
+      return null;
+    }
+    const data = await res.json();
+    _cache.set(url, { data, fetchedAt: Date.now() });
+    return data;
+  } catch (err) {
+    console.debug(`Marketplace API error: ${err.message}`);
+    return null;
+  }
+}
+
+function parseExtensionId(id) {
+  const parts = id.split('.');
+  if (parts.length < 2) throw new Error(`Invalid extension ID: ${id}`);
+  return { publisherId: parts[0], extensionName: parts.slice(1).join('.') };
+}
+
+export async function getExtensionMetadata(publisherId, extensionName) {
+  const url = `${MARKETPLACE_API}/extensionquery`;
+  const body = {
+    filters: [{
+      criteria: [
+        { filterType: 8, value: `${publisherId}.${extensionName}` },
+      ],
+    }],
+    flags: 914,
+  };
+
+  const cached = _cache.get(url + JSON.stringify(body));
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+    return cached.data;
+  }
+
+  const now = Date.now();
+  const elapsed = now - _lastFetchTime;
+  if (elapsed < RATE_LIMIT_MS) {
+    await sleep(RATE_LIMIT_MS - elapsed);
+  }
+  _lastFetchTime = Date.now();
+
+  let res;
+  try {
+    res = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' },
+      body: JSON.stringify(body),
+    });
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
+      await sleep(retryAfter * 1000);
+      res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' }, body: JSON.stringify(body) });
+    }
+    if (!res.ok) {
+      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
+      return null;
+    }
+    const data = await res.json();
+    _cache.set(url + JSON.stringify(body), { data, fetchedAt: Date.now() });
+    return data;
+  } catch (err) {
+    console.debug(`Marketplace API error: ${err.message}`);
+    return null;
+  }
+}
+
+export async function getVersionHistory(publisherId, extensionName) {
+  const data = await getExtensionMetadata(publisherId, extensionName);
+  if (!data?.results?.[0]?.extensions?.[0]) return [];
+
+  const extension = data.results[0].extensions[0];
+  const versions = extension.versions || [];
+
+  return versions.map(v => ({
+    version: v.version,
+    publishedAt: v.lastUpdated || v.publishedDate,
+    publishedBy: extension.publisher?.publisherName || publisherId,
+    assetSha256: v.assetUri ? null : null,
+    flags: v.flags ? [String(v.flags)] : [],
+  }));
+}
+
+export async function getPublisherProfile(publisherId) {
+  const url = `${MARKETPLACE_API}/publishers/${publisherId}`;
+  return rateLimitedFetch(url);
+}
+
+export async function getOpenVsxMetadata(namespace, name) {
+  const url = `${OPENVSX_API}/${namespace}/${name}`;
+  return rateLimitedFetch(url);
+}
+
+export async function getOpenVsxVersionHistory(namespace, name) {
+  const data = await getOpenVsxMetadata(namespace, name);
+  if (!data) return [];
+  const versions = data.allVersions || {};
+  const files = data.files || {};
+
+  return Object.entries(versions).map(([version, publishedAt]) => ({
+    version,
+    publishedAt: typeof publishedAt === 'string' ? publishedAt : data.timestamp,
+    publishedBy: data.namespace || namespace,
+    assetSha256: files?.[version]?.sha256 || null,
+    flags: [],
+  }));
+}
+
+export function clearMarketplaceCache() {
+  _cache.clear();
+  _lastFetchTime = 0;
+}

package/backend/vsix-scan/vsix-iocs.json

@@ -0,0 +1,31 @@
+{
+  "lastUpdated": "2026-05-25",
+  "schema": "vsix-ioc-v1",
+  "iocs": [
+    {
+      "type": "extensionId",
+      "value": "nrwl.angular-console",
+      "maliciousVersions": ["18.95.0"],
+      "wave": "nx-console-wave3",
+      "cve": "CVE-2026-48027",
+      "exposureWindowStart": "2026-05-18T12:30:00Z",
+      "exposureWindowEnd": "2026-05-18T13:09:00Z",
+      "registries": ["marketplace", "open-vsx"],
+      "safeVersion": ">=18.100.0",
+      "source": "https://nx.dev/blog/nx-console-v18-95-0-postmortem"
+    },
+    {
+      "type": "publisherAccount",
+      "value": "nrwl",
+      "compromiseWindowStart": "2026-05-11T00:00:00Z",
+      "compromiseWindowEnd": "2026-05-18T13:09:00Z",
+      "note": "Contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publish"
+    },
+    {
+      "type": "orphanCommitHash",
+      "value": "PLACEHOLDER_UPDATE_FROM_THREAT_INTEL",
+      "repo": "nrwl/nx",
+      "note": "Dangling commit hosting 498KB Bun payload — update hash from StepSecurity IOC report"
+    }
+  ]
+}

package/cli/cli.js

@@ -38,6 +38,7 @@ program
   .option('--cache-dir <path>', 'Cache directory for offline/air-gapped scans')
   .option('--cache-ttl <seconds>', 'Cache TTL in seconds (default: 604800 = 7 days)', '604800')
   .option('--cache-size <bytes>', 'Max cache size in bytes (default: 1GB)', '1000000000')
+  .option('--vsix <extensionId>', 'Scan a VS Code extension (e.g. nrwl.angular-console)')
   .action(async (target, options) => {
     try {
       if (options.fips) {
@@ -50,11 +51,21 @@ program
         cacheMaxSize: parseInt(options.cacheSize || '1000000000')
       };
 
-      if (!target && !options.file) {
-        console.error('Error: specify a package name or --file <path>');
+      if (!target && !options.file && !options.vsix) {
+        console.error('Error: specify a package name, --file <path>, or --vsix <extensionId>');
         process.exit(1);
       }
 
+      if (options.vsix && !target && !options.file) {
+        const { vsixScan } = await import('../backend/vsix-scan/index.js');
+        const vsixFindings = await vsixScan(options.vsix);
+        const { saveScan } = await import('../backend/db.js');
+        const scanId = await saveScan(options.vsix, 'latest', vsixFindings);
+        const vsixOutput = JSON.stringify({ scanId, findings: vsixFindings, blocked: false, riskScore: 0, vsix: true }, null, 2);
+        console.log(vsixOutput);
+        return;
+      }
+
       const policy = options.policy
         ? await import('../backend/policy.js').then(m => m.loadPolicy(options.policy))
         : null;
@@ -72,10 +83,16 @@ program
         : await import('../backend/fetch.js').then(m => m.fetchPackage(target, fetchOptions));
       const pkgName = target || pkgJson.name || 'unknown';
       const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles, meta, allFiles));
+      let vsixFindings = [];
+      if (options.vsix) {
+        const { vsixScan } = await import('../backend/vsix-scan/index.js');
+        vsixFindings = await vsixScan(options.vsix);
+      }
+      const allFindings = [...findings, ...vsixFindings];
       const { saveScan } = await import('../backend/db.js');
-      const scanId = await saveScan(pkgName, 'latest', findings);
+      const scanId = await saveScan(pkgName, 'latest', allFindings);
 
-      let outputFindings = findings;
+      let outputFindings = allFindings;
       let blocked = false;
 
       if (policy) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.15.4",
+  "version": "0.15.6",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {