@lateos/npm-scan 0.15.5 → 0.16.0

package/backend/detectors/trapdoor/d9-cred-validation.js

@@ -0,0 +1,32 @@
+const CRED_VALIDATION_PATTERNS = [
+  /sts\.amazonaws\.com/i,
+  /api\.github\.com\/user/i,
+];
+
+export function scanCredValidation(allFiles, pkgJson) {
+  const matches = [];
+
+  const scripts = pkgJson?.scripts || {};
+  for (const [hook, content] of Object.entries(scripts)) {
+    if (/preinstall|install|postinstall|prepare/.test(hook)) {
+      for (const pattern of CRED_VALIDATION_PATTERNS) {
+        if (pattern.test(content)) {
+          matches.push({ file: `script:${hook}`, pattern: pattern.source });
+        }
+      }
+    }
+  }
+
+  for (const file of allFiles) {
+    const path = file.path || '';
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    const content = file.content || '';
+    for (const pattern of CRED_VALIDATION_PATTERNS) {
+      if (pattern.test(content)) {
+        matches.push({ file: path, pattern: pattern.source });
+      }
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/trapdoor/index.js

@@ -0,0 +1,77 @@
+import { scanCampaignMarker } from './d1-campaign-marker.js';
+import { scanPayloadFingerprint } from './d2-payload-fingerprint.js';
+import { scanPublisherBlocklist } from './d3-publisher-blocklist.js';
+import { scanGistsExfil } from './d4-gists-exfil.js';
+import { scanAIPoisoning } from './d5-ai-poisoning.js';
+import { scanLureName } from './d6-lure-name.js';
+import { scanCryptoPrimitives } from './d7-crypto-primitives.js';
+import { scanXorKey } from './d8-xor-key.js';
+import { scanCredValidation } from './d9-cred-validation.js';
+
+const RULE_SEVERITY = {
+  D1: 'critical',
+  D2: 'critical',
+  D3: 'critical',
+  D4: 'critical',
+  D5: 'high',
+  D6: 'medium',
+  D7: 'high',
+  D8: 'high',
+  D9: 'critical',
+};
+
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
+
+function highestSeverity(severities) {
+  for (const s of SEVERITY_ORDER) {
+    if (severities.includes(s)) return s;
+  }
+  return 'none';
+}
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const fileList = allFiles || files || [];
+
+  const results = {
+    D1: scanCampaignMarker(fileList),
+    D2: scanPayloadFingerprint(fileList),
+    D3: scanPublisherBlocklist(pkgJson, registryMeta),
+    D4: scanGistsExfil(fileList, pkgJson),
+    D5: scanAIPoisoning(fileList),
+    D6: scanLureName(pkgJson, registryMeta),
+    D7: scanCryptoPrimitives(fileList, pkgJson),
+    D8: scanXorKey(fileList),
+    D9: scanCredValidation(fileList, pkgJson),
+  };
+
+  const triggered = Object.entries(results)
+    .filter(([_, r]) => r.triggered)
+    .map(([id]) => id);
+
+  if (triggered.length === 0) return [];
+
+  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+
+  const evidence = {
+    campaign: 'TRAPDOOR',
+    triggeredRules: triggered,
+    details: Object.fromEntries(
+      Object.entries(results).filter(([_, r]) => r.triggered)
+    ),
+    iocSummary: {
+      publisher: 'asdxzxc',
+      c2Domain: 'ddjidd564.github.io',
+      campaignMarker: 'P-2024-001',
+      payloadFile: 'trap-core.js',
+    },
+  };
+
+  return [{
+    id: 'TRAPDOOR',
+    severity,
+    title: 'TrapDoor cross-ecosystem supply chain attack campaign',
+    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: 'Block install immediately. Revoke any npm tokens associated with this package. Rotate CI/CD secrets. Audit for postinstall scripts accessing credentials. Check for AI config poisoning (.cursorrules/CLAUDE.md). Verify all package versions from publisher asdxzxc. If confirmed compromise, follow incident response procedures per SECURITY.md.',
+  }];
+}

package/backend/detectors/trapdoor/iocs.json

@@ -0,0 +1,51 @@
+{
+  "lastUpdated": "2026-05-28T00:00:00.000Z",
+  "campaign": {
+    "id": "trapdoor",
+    "description": "TrapDoor cross-ecosystem supply chain attack (npm, PyPI, Crates.io) targeting crypto, DeFi, Solana, and AI developer communities.",
+    "firstObserved": "2026-05-22T00:00:00.000Z",
+    "attribution": {
+      "npmPublisher": "asdxzxc",
+      "githubAccount": "ddjidd564",
+      "githubPages": "ddjidd564.github.io"
+    }
+  },
+  "iocs": [
+    {
+      "type": "publisherAccount",
+      "value": "asdxzxc",
+      "ecosystem": "npm",
+      "notes": "TrapDoor campaign — known malicious npm publisher account."
+    },
+    {
+      "type": "campaignMarker",
+      "value": "P-2024-001",
+      "notes": "Hardcoded campaign marker found in package files (README.md, .cursorrules, CLAUDE.md)."
+    },
+    {
+      "type": "payloadFilename",
+      "value": "trap-core.js",
+      "notes": "Shared payload filename in TrapDoor packages."
+    },
+    {
+      "type": "payloadSize",
+      "value": 48485,
+      "notes": "Exact byte size of trap-core.js payload."
+    },
+    {
+      "type": "xorKey",
+      "value": "cargo-build-helper-2026",
+      "notes": "XOR key string found in Crates.io / cross-ecosystem packages."
+    },
+    {
+      "type": "c2Domain",
+      "value": "ddjidd564.github.io",
+      "notes": "GitHub Pages C2 infrastructure."
+    },
+    {
+      "type": "gistDomain",
+      "value": "gist.github.com",
+      "notes": "GitHub Gist used for exfiltration."
+    }
+  ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.15.5",
+  "version": "0.16.0",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {