@lateos/npm-scan 0.15.5 → 0.16.0

package/backend/detectors/node-ipc-compromise/d3-cjs-payload-injection.js

@@ -0,0 +1,73 @@
+const IIFE_END_PATTERN = /}\)\(\);\s*$/;
+const SIZE_DIFFERENTIAL_THRESHOLD = 50 * 1024;
+
+export function scanCjsPayloadInjection(allFiles) {
+  const matches = [];
+
+  let cjsContent = null;
+  let mjsContent = null;
+  let cjsPath = null;
+  let mjsPath = null;
+
+  for (const file of allFiles) {
+    const path = file.path?.replace(/\\/g, '/') || '';
+    if (path.endsWith('node-ipc.cjs')) {
+      cjsContent = file.content || '';
+      cjsPath = path;
+    }
+    if (path.endsWith('node-ipc.mjs')) {
+      mjsContent = file.content || '';
+      mjsPath = path;
+    }
+  }
+
+  if (cjsContent && !mjsContent) {
+    matches.push({
+      file: cjsPath,
+      finding: 'cjs-present-no-esm',
+      detail: 'node-ipc.cjs present but node-ipc.mjs not found — unable to cross-reference size',
+    });
+  }
+
+  if (cjsContent && mjsContent) {
+    const cjsSize = Buffer.byteLength(cjsContent, 'utf8');
+    const mjsSize = Buffer.byteLength(mjsContent, 'utf8');
+    const sizeDiff = cjsSize - mjsSize;
+
+    if (sizeDiff > SIZE_DIFFERENTIAL_THRESHOLD) {
+      matches.push({
+        file: cjsPath,
+        finding: 'size-anomaly',
+        cjsSize,
+        mjsSize,
+        sizeDiff,
+        detail: `CJS (${cjsSize} bytes) exceeds ESM (${mjsSize} bytes) by ${sizeDiff} bytes — potential injected payload`,
+      });
+    }
+
+    if (IIFE_END_PATTERN.test(cjsContent.trim())) {
+      const trimmed = cjsContent.trim();
+      const iifeMatch = trimmed.match(IIFE_END_PATTERN);
+      if (iifeMatch) {
+        matches.push({
+          file: cjsPath,
+          finding: 'iife-suffix',
+          detail: 'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
+        });
+      }
+    }
+  }
+
+  if (cjsContent && IIFE_END_PATTERN.test(cjsContent.trim())) {
+    const alreadyReported = matches.some(m => m.finding === 'iife-suffix');
+    if (!alreadyReported) {
+      matches.push({
+        file: cjsPath,
+        finding: 'iife-suffix',
+        detail: 'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
+      });
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/node-ipc-compromise/d4-injected-payload-hash.js

@@ -0,0 +1,37 @@
+import { createHash } from 'crypto';
+
+const INJECTED_PAYLOAD_HASH = '3427a90c8cb9af764445448648176e120ebc6af0a538158340cf6220de4d01b7';
+
+const IIFE_BOUNDARY = /}\)\(\);\s*$/;
+
+export function scanInjectedPayloadHash(allFiles) {
+  const matches = [];
+
+  for (const file of allFiles) {
+    const path = file.path?.replace(/\\/g, '/') || '';
+    if (!path.endsWith('node-ipc.cjs')) continue;
+
+    const content = file.content || '';
+
+    if (content.includes(INJECTED_PAYLOAD_HASH)) {
+      matches.push({
+        file: path,
+        finding: 'hash-string-present',
+        sha256: INJECTED_PAYLOAD_HASH,
+        detail: 'Known injected payload SHA-256 found within node-ipc.cjs content',
+      });
+    }
+
+    const fileHash = createHash('sha256').update(content, 'utf8').digest('hex');
+    if (fileHash === INJECTED_PAYLOAD_HASH) {
+      matches.push({
+        file: path,
+        finding: 'file-hash-match',
+        sha256: fileHash,
+        detail: 'node-ipc.cjs SHA-256 matches known injected payload hash',
+      });
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/node-ipc-compromise/d5-dns-c2-pattern.js

@@ -0,0 +1,49 @@
+const PUBLIC_RESOLVERS = new Set([
+  '1.1.1.1',
+  '8.8.8.8',
+  '8.8.4.4',
+  '9.9.9.9',
+]);
+
+const IP_PATTERN = /setServers\(\s*\[?\s*['"`](\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})['"`]/;
+
+export function scanDnsC2Pattern(allFiles, pkgJson) {
+  const matches = [];
+
+  const sources = [];
+
+  const scripts = pkgJson?.scripts || {};
+  for (const [hook, content] of Object.entries(scripts)) {
+    if (/preinstall|install|postinstall|prepare/.test(hook)) {
+      sources.push({ file: `script:${hook}`, content });
+    }
+  }
+
+  for (const file of allFiles) {
+    const path = file.path || '';
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    sources.push({ file: path, content: file.content || '' });
+  }
+
+  for (const { file, content } of sources) {
+    const hasDnsResolver = /\bdns\.promises\s*\.\s*Resolver\b/.test(content);
+    if (!hasDnsResolver) continue;
+
+    const ipMatch = content.match(IP_PATTERN);
+    if (!ipMatch) continue;
+
+    const customIP = ipMatch[1];
+    if (PUBLIC_RESOLVERS.has(customIP)) continue;
+
+    const hasResolveTxt = /\bresolveTxt\b/.test(content);
+
+    matches.push({
+      file,
+      customResolverIP: customIP,
+      hasResolveTxt,
+      detail: `Custom DNS resolver at ${customIP}${hasResolveTxt ? ' with resolveTxt() — TXT tunneling fingerprint' : ''}`,
+    });
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/node-ipc-compromise/d6-bootstrap-resolver.js

@@ -0,0 +1,40 @@
+const BOOTSTRAP_DOMAIN = /sh\.azurestaticprovider\.net/i;
+const C2_IP = /37\.16\.75\.69/;
+
+export function scanBootstrapResolver(allFiles, pkgJson) {
+  const matches = [];
+
+  const sources = [];
+
+  const scripts = pkgJson?.scripts || {};
+  for (const [hook, content] of Object.entries(scripts)) {
+    sources.push({ file: `script:${hook}`, content });
+  }
+
+  for (const file of allFiles) {
+    const path = file.path || '';
+    sources.push({ file: path, content: file.content || '' });
+  }
+
+  for (const { file, content } of sources) {
+    if (BOOTSTRAP_DOMAIN.test(content)) {
+      matches.push({
+        file,
+        finding: 'c2-domain',
+        value: 'sh.azurestaticprovider.net',
+        detail: 'Bootstrap resolver domain — lookalike, not a Microsoft domain',
+      });
+    }
+
+    if (C2_IP.test(content)) {
+      matches.push({
+        file,
+        finding: 'c2-ip',
+        value: '37.16.75.69',
+        detail: 'Known C2 IP address for DNS TXT tunneling',
+      });
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/node-ipc-compromise/d7-dns-txt-exfil.js

@@ -0,0 +1,42 @@
+const EXFIL_ZONE = /bt\.node\.js/i;
+const RESOLVE_TXT_DYNAMIC = /\bresolveTxt\s*\(/;
+
+export function scanDnsTxtExfil(allFiles, pkgJson) {
+  const matches = [];
+
+  const sources = [];
+
+  const scripts = pkgJson?.scripts || {};
+  for (const [hook, content] of Object.entries(scripts)) {
+    if (/preinstall|install|postinstall|prepare/.test(hook)) {
+      sources.push({ file: `script:${hook}`, content });
+    }
+  }
+
+  for (const file of allFiles) {
+    const path = file.path || '';
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    sources.push({ file: path, content: file.content || '' });
+  }
+
+  for (const { file, content } of sources) {
+    if (EXFIL_ZONE.test(content)) {
+      matches.push({
+        file,
+        finding: 'exfil-zone',
+        value: 'bt.node.js',
+        detail: 'DNS TXT exfiltration zone reference found',
+      });
+    }
+
+    if (RESOLVE_TXT_DYNAMIC.test(content)) {
+      matches.push({
+        file,
+        finding: 'resolve-txt',
+        detail: 'resolveTxt() call detected — potential DNS TXT tunneling',
+      });
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/node-ipc-compromise/d8-runtime-trigger.js

@@ -0,0 +1,27 @@
+export function scanRuntimeTrigger(allFiles, pkgJson) {
+  const matches = [];
+
+  const sources = [];
+
+  const scripts = pkgJson?.scripts || {};
+  for (const [hook, content] of Object.entries(scripts)) {
+    sources.push({ file: `script:${hook}`, content });
+  }
+
+  for (const file of allFiles) {
+    const path = file.path || '';
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    sources.push({ file: path, content: file.content || '' });
+  }
+
+  for (const { file, content } of sources) {
+    if (/\bsetImmediate\s*\(/.test(content)) {
+      matches.push({
+        file,
+        detail: 'setImmediate() call found — node-ipc malware fires at require() time, not via postinstall',
+      });
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/node-ipc-compromise/d9-temp-artifact.js

@@ -0,0 +1,20 @@
+const NT_DIR_PATTERN = /~\/(nt-(?:[\w-]+))\/.*\.tar\.gz/;
+
+export function scanTempArtifact(allFiles) {
+  const matches = [];
+
+  for (const file of allFiles) {
+    const path = file.path || '';
+
+    const artifactMatch = path.match(NT_DIR_PATTERN);
+    if (artifactMatch) {
+      matches.push({
+        file: path,
+        dirName: artifactMatch[1],
+        detail: `Staging artifact found in ~/${artifactMatch[1]}/ — exfil may have been interrupted`,
+      });
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/node-ipc-compromise/index.js

@@ -0,0 +1,93 @@
+import { scanVersionBlocklist } from './d1-version-blocklist.js';
+import { scanTarballHash } from './d2-tarball-hash.js';
+import { scanCjsPayloadInjection } from './d3-cjs-payload-injection.js';
+import { scanInjectedPayloadHash } from './d4-injected-payload-hash.js';
+import { scanDnsC2Pattern } from './d5-dns-c2-pattern.js';
+import { scanBootstrapResolver } from './d6-bootstrap-resolver.js';
+import { scanDnsTxtExfil } from './d7-dns-txt-exfil.js';
+import { scanRuntimeTrigger } from './d8-runtime-trigger.js';
+import { scanTempArtifact } from './d9-temp-artifact.js';
+import { scanUnauthorizedPublisher } from './d10-unauthorized-publisher.js';
+import { scanBlastRadius } from './d11-blast-radius.js';
+
+const RULE_SEVERITY = {
+  D1: 'critical',
+  D2: 'critical',
+  D3: 'critical',
+  D4: 'critical',
+  D5: 'critical',
+  D6: 'critical',
+  D7: 'critical',
+  D8: 'info',
+  D9: 'critical',
+  D10: 'critical',
+  D11: 'critical',
+};
+
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
+
+function highestSeverity(severities) {
+  for (const s of SEVERITY_ORDER) {
+    if (severities.includes(s)) return s;
+  }
+  return 'none';
+}
+
+function buildRemediation(triggered) {
+  const lines = [];
+  if (triggered.includes('D1') || triggered.includes('D11')) {
+    lines.push('Pin node-ipc to safe version: 9.1.5 or 12.0.0');
+  }
+  if (triggered.includes('D9')) {
+    lines.push('PRESERVE ~/nt-*/ artifacts for incident response');
+  }
+  if (triggered.includes('D5') || triggered.includes('D6') || triggered.includes('D7')) {
+    lines.push('Review DNS egress logs for sh.azurestaticprovider.net and 37.16.75.69 post May 14, 2026');
+  }
+  lines.push('Rotate all CI/CD secrets and OIDC tokens');
+  lines.push('Audit maintainer email domain expiry for all critical dependencies');
+  return lines.join('. ');
+}
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const fileList = allFiles || files || [];
+
+  const results = {
+    D1: scanVersionBlocklist(pkgJson, registryMeta),
+    D2: scanTarballHash(fileList),
+    D3: scanCjsPayloadInjection(fileList),
+    D4: scanInjectedPayloadHash(fileList),
+    D5: scanDnsC2Pattern(fileList, pkgJson),
+    D6: scanBootstrapResolver(fileList, pkgJson),
+    D7: scanDnsTxtExfil(fileList, pkgJson),
+    D8: scanRuntimeTrigger(fileList, pkgJson),
+    D9: scanTempArtifact(fileList),
+    D10: scanUnauthorizedPublisher(pkgJson, registryMeta),
+    D11: scanBlastRadius(fileList),
+  };
+
+  const triggered = Object.entries(results)
+    .filter(([_, r]) => r.triggered)
+    .map(([id]) => id);
+
+  if (triggered.length === 0) return [];
+
+  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+
+  const evidence = {
+    campaign: 'NODE_IPC_COMPROMISE',
+    triggeredRules: triggered,
+    details: Object.fromEntries(
+      Object.entries(results).filter(([_, r]) => r.triggered)
+    ),
+  };
+
+  return [{
+    id: 'NODE_IPC_COMPROMISE',
+    severity,
+    title: 'node-ipc supply chain compromise (May 14, 2026)',
+    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: buildRemediation(triggered),
+  }];
+}

package/backend/detectors/node-ipc-compromise/iocs.json

@@ -0,0 +1,59 @@
+{
+  "lastUpdated": "2026-05-28T00:00:00.000Z",
+  "campaign": {
+    "id": "node-ipc-compromise",
+    "description": "node-ipc supply chain compromise (May 14, 2026) — 3 malicious versions (9.1.6, 9.2.3, 12.0.1) published via expired maintainer email domain takeover. 80KB credential stealer delivered via DNS TXT tunneling.",
+    "firstObserved": "2026-05-14T00:00:00.000Z",
+    "attribution": {
+      "npmPublisher": "atiertant",
+      "c2Domain": "sh.azurestaticprovider.net",
+      "c2IP": "37.16.75.69",
+      "exfilZone": "bt.node.js"
+    }
+  },
+  "versions": {
+    "9.1.6": {
+      "tarballSha256": "449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e",
+      "safePin": "9.1.5",
+      "semverRanges": ["~9.1.x", "^9.1", "^9"]
+    },
+    "9.2.3": {
+      "tarballSha256": "c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea",
+      "safePin": "9.1.5",
+      "semverRanges": ["~9.2.x", "^9.2"]
+    },
+    "12.0.1": {
+      "tarballSha256": "78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981",
+      "safePin": "12.0.0",
+      "semverRanges": ["~12.0.x", "^12"]
+    }
+  },
+  "iocs": [
+    {
+      "type": "publisherAccount",
+      "value": "atiertant",
+      "ecosystem": "npm",
+      "notes": "Unauthorized publisher — no prior history on node-ipc, exclusively used for malicious versions."
+    },
+    {
+      "type": "c2Domain",
+      "value": "sh.azurestaticprovider.net",
+      "notes": "Bootstrap resolver domain (lookalike, not Microsoft). DNS TXT tunneling C2."
+    },
+    {
+      "type": "c2IP",
+      "value": "37.16.75.69",
+      "notes": "C2 IP address for DNS TXT tunneling."
+    },
+    {
+      "type": "exfilZone",
+      "value": "bt.node.js",
+      "notes": "DNS TXT exfiltration zone. Queries encode stolen data into subdomain labels."
+    },
+    {
+      "type": "payloadHash",
+      "value": "3427a90c8cb9af764445448648176e120ebc6af0a538158340cf6220de4d01b7",
+      "notes": "SHA-256 of injected payload blob within node-ipc.cjs."
+    }
+  ]
+}

package/backend/detectors/trapdoor/d1-campaign-marker.js

@@ -0,0 +1,20 @@
+const TARGET_EXTENSIONS = ['.md', '.sh', '.json'];
+const TARGET_FILENAMES = new Set(['.cursorrules', 'CLAUDE.md', 'README.md', 'package.json']);
+
+export function scanCampaignMarker(allFiles) {
+  const matches = [];
+  for (const file of allFiles) {
+    const path = file.path || '';
+    const content = file.content || '';
+    const basename = path.split(/[\\/]/).pop();
+    const ext = path.includes('.') ? '.' + path.split('.').pop() : '';
+
+    const isTarget = TARGET_FILENAMES.has(basename) || TARGET_EXTENSIONS.includes(ext);
+    if (!isTarget) continue;
+
+    if (content.includes('P-2024-001')) {
+      matches.push({ file: path });
+    }
+  }
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/trapdoor/d2-payload-fingerprint.js

@@ -0,0 +1,22 @@
+export function scanPayloadFingerprint(allFiles) {
+  const matches = [];
+  for (const file of allFiles) {
+    const path = file.path || '';
+    const content = file.content || '';
+    const basename = path.split(/[\\/]/).pop();
+
+    const byteSize = Buffer.byteLength(content, 'utf8');
+
+    if (basename === 'trap-core.js') {
+      matches.push({ file: path, matchType: 'filename', byteSize });
+    }
+
+    if (byteSize === 48485) {
+      const alreadyMatched = matches.some(m => m.file === path);
+      if (!alreadyMatched) {
+        matches.push({ file: path, matchType: 'byteSize', byteSize });
+      }
+    }
+  }
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/trapdoor/d3-publisher-blocklist.js

@@ -0,0 +1,10 @@
+export function scanPublisherBlocklist(pkgJson, registryMeta) {
+  const publisherAccount = registryMeta?.versions?.[pkgJson?.version]?._npmUser?.name
+    || registryMeta?.versions?.[Object.keys(registryMeta.versions || {})[0]]?._npmUser?.name
+    || null;
+
+  if (publisherAccount === 'asdxzxc') {
+    return { triggered: true, publisher: publisherAccount };
+  }
+  return { triggered: false, publisher: publisherAccount };
+}

package/backend/detectors/trapdoor/d4-gists-exfil.js

@@ -0,0 +1,34 @@
+const CRED_PATH_PATTERNS = /\.aws\/|id_rsa|\.env|keystore|credentials|\.npmrc|\.ssh\//i;
+const C2_PATTERNS = [/ddjidd564\.github\.io/i, /gist\.github\.com/i];
+
+function scanContent(content, filePath) {
+  const matches = [];
+  const hasC2 = C2_PATTERNS.some(p => p.test(content));
+  if (!hasC2) return matches;
+
+  const hasCredPath = CRED_PATH_PATTERNS.test(content);
+  if (hasCredPath) {
+    matches.push({ file: filePath });
+  }
+  return matches;
+}
+
+export function scanGistsExfil(allFiles, pkgJson) {
+  const matches = [];
+
+  const scripts = pkgJson?.scripts || {};
+  for (const [hook, scriptContent] of Object.entries(scripts)) {
+    if (/preinstall|install|postinstall|prepare/.test(hook)) {
+      matches.push(...scanContent(scriptContent, `script:${hook}`));
+    }
+  }
+
+  for (const file of allFiles) {
+    const path = file.path || '';
+    if (path.endsWith('.js') || path.endsWith('.mjs') || path.endsWith('.cjs')) {
+      matches.push(...scanContent(file.content || '', path));
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/trapdoor/d5-ai-poisoning.js

@@ -0,0 +1,35 @@
+const ZERO_WIDTH_RANGES = [
+  [0x200B, 0x200D],
+  [0xFEFF, 0xFEFF],
+];
+
+function isZeroWidthChar(code) {
+  return ZERO_WIDTH_RANGES.some(([lo, hi]) => code >= lo && code <= hi);
+}
+
+const TARGET_FILES = /(^|[\\/])(\.cursorrules|CLAUDE\.md)$/i;
+
+export function scanAIPoisoning(allFiles) {
+  const matches = [];
+
+  for (const file of allFiles) {
+    const path = file.path?.replace(/\\/g, '/') || '';
+    if (!TARGET_FILES.test(path)) continue;
+
+    const content = file.content || '';
+    const found = [];
+
+    for (let i = 0; i < content.length; i++) {
+      const code = content.charCodeAt(i);
+      if (isZeroWidthChar(code)) {
+        found.push({ char: `U+${code.toString(16).toUpperCase()}`, position: i });
+      }
+    }
+
+    if (found.length > 0) {
+      matches.push({ file: path, zeroWidthChars: found, count: found.length });
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/trapdoor/d6-lure-name.js

@@ -0,0 +1,42 @@
+const LURE_PATTERNS = [
+  /solidity/i,
+  /defi/i,
+  /solana/i,
+  /sui\b/i,
+  /move-lang/i,
+  /^eth-/i,
+  /prompt-engineering/i,
+  /token-usage/i,
+  /dev-env-bootstrap/i,
+];
+
+export function scanLureName(pkgJson, registryMeta) {
+  const pkgName = pkgJson?.name || '';
+  const matchedPattern = LURE_PATTERNS.find(p => p.test(pkgName));
+  if (!matchedPattern) return { triggered: false };
+
+  const timeMap = registryMeta?.time || {};
+  const versions = Object.keys(timeMap).filter(v => v !== 'created' && v !== 'modified');
+  const firstVersion = versions.length > 0
+    ? versions.sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]))[0]
+    : null;
+
+  if (!firstVersion) return { triggered: false };
+
+  const firstPubDate = new Date(timeMap[firstVersion]);
+  const now = new Date();
+  const daysSinceFirstPub = (now - firstPubDate) / (1000 * 60 * 60 * 24);
+
+  if (daysSinceFirstPub < 30 && versions.length <= 2) {
+    return {
+      triggered: true,
+      packageName: pkgName,
+      matchedPattern: matchedPattern.source,
+      firstPublished: timeMap[firstVersion],
+      ageDays: Math.round(daysSinceFirstPub),
+      versionCount: versions.length,
+    };
+  }
+
+  return { triggered: false };
+}

package/backend/detectors/trapdoor/d7-crypto-primitives.js

@@ -0,0 +1,22 @@
+export function scanCryptoPrimitives(allFiles, pkgJson) {
+  const matches = [];
+
+  const scripts = pkgJson?.scripts || {};
+  const scriptEntries = Object.entries(scripts)
+    .filter(([hook]) => /preinstall|install|postinstall|prepare/.test(hook))
+    .map(([hook, content]) => ({ file: `script:${hook}`, content }));
+
+  const jsFiles = allFiles
+    .filter(f => f.path?.endsWith('.js') || f.path?.endsWith('.mjs') || f.path?.endsWith('.cjs'))
+    .map(f => ({ file: f.path, content: f.content || '' }));
+
+  for (const { file, content } of [...scriptEntries, ...jsFiles]) {
+    const hasFernet = /Fernet/i.test(content);
+    const hasECDH = /\bECDH\b|\bcreateECDH\b/i.test(content);
+    if (hasFernet && hasECDH) {
+      matches.push({ file });
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/trapdoor/d8-xor-key.js

@@ -0,0 +1,15 @@
+export function scanXorKey(allFiles) {
+  const matches = [];
+  for (const file of allFiles) {
+    const path = file.path?.replace(/\\/g, '/') || '';
+    const isLockFile = /(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|pnpm-lock\.yml|Cargo\.lock|Cargo\.toml)/i.test(path);
+    const isBundled = /\.node$|vendor|native/i.test(path);
+    if (!isLockFile && !isBundled) continue;
+
+    const content = file.content || '';
+    if (content.includes('cargo-build-helper-2026')) {
+      matches.push({ file: path });
+    }
+  }
+  return { triggered: matches.length > 0, matches };
+}