@lateos/npm-scan 0.15.6 → 0.16.4

package/backend/detectors/axios-poisoning/d2-decoy-dep.js

@@ -0,0 +1,24 @@
+const KNOWN_DECOYS = ['plain-crypto-js'];
+
+export function scanDecoyDependency(pkgJson) {
+  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
+  const findings = [];
+
+  for (const depName of KNOWN_DECOYS) {
+    if (deps[depName]) {
+      findings.push({
+        injectedDependency: depName,
+        pattern: 'Pre-staged decoy for supply chain attack',
+      });
+    }
+  }
+
+  if (findings.length > 0) {
+    return {
+      triggered: true,
+      findings,
+    };
+  }
+
+  return { triggered: false, findings: [] };
+}

package/backend/detectors/axios-poisoning/d3-postinstall-rat.js

@@ -0,0 +1,90 @@
+const SUSPICIOUS_HOOKS = ['postinstall', 'install', 'preinstall'];
+const TEMP_DIR_RE = /(?:os\.tmpdir|tmpdir|temp|%TEMP%|\/tmp|\/var\/tmp)/;
+const POWERSHELL_RE = /powershell|pwsh|cmd\.exe|Invoke-Expression|IEX\s*\(/;
+const LAUNCHD_RE = /\/Library\/Launch(Daemons|Agents)\/|launchctl\s+(load|start|submit)/;
+const SYSTEMD_SERVICE_RE = /\/etc\/systemd\/system\/|systemctl\s+(enable|start|daemon-reload)/;
+const CRON_PERSIST_RE = /crontab\s+-[ei]|@reboot\s+|@daily\s+|@hourly\s+/;
+const DLL_LOAD_RE = /LoadLibrary|dlopen|LoadLibraryEx|lib\.(?:LoadLibrary|dlopen)/;
+const PROCESS_INJECT_RE = /CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|NtCreateThreadEx/;
+const NET_CALLBACK_RE = /(?:https?:\/\/|wss?:\/\/|ws:\/\/)(?:[^\s'"]*\.[^\s'"]{2,})/;
+const BINARY_DROP_RE = /(?:fs\.writeFileSync|writeFile|writeFileSync)\s*\([^)]*(?:\.exe|\.dll|\.bin|\.bat|\.ps1)/;
+
+const SUSPICIOUS_HOOK_PATTERNS = [
+  /curl|wget|fetch|https?:\/\//,
+  /powershell|cmd\.exe|bash\b|sh\b/,
+  /process\.exit|fs\.chmod|exec(?:Sync)?\s*\(/,
+  /spawn|fork|detached/,
+  /systemd|launchctl|crontab|schtasks/,
+  /LoadLibrary|dlopen/,
+  /eval|Function\s*\(/,
+  /__dirname|__filename/,
+];
+
+export function scanPostinstallRAT(pkgJson, files = []) {
+  const scripts = pkgJson?.scripts || {};
+  const code = files.map(f => f.content || '').join('\n');
+
+  const activeHooks = [];
+  for (const hook of SUSPICIOUS_HOOKS) {
+    if (scripts[hook]) {
+      activeHooks.push({ hook, command: scripts[hook] });
+    }
+  }
+
+  if (activeHooks.length === 0) {
+    return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+  }
+
+  const combined = code + '\n' + activeHooks.map(h => h.command).join('\n');
+
+  const hasSuspiciousCode = SUSPICIOUS_HOOK_PATTERNS.some(p => p.test(combined));
+
+  if (activeHooks.length > 0 && !hasSuspiciousCode) {
+    return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+  }
+
+  const platforms = [];
+  let c2Indicators = [];
+  let hasBinaryDrop = false;
+
+  if (POWERSHELL_RE.test(combined)) platforms.push('windows');
+  if (LAUNCHD_RE.test(combined)) platforms.push('macos');
+  if (SYSTEMD_SERVICE_RE.test(combined) || CRON_PERSIST_RE.test(combined)) platforms.push('linux');
+  if (TEMP_DIR_RE.test(combined) && (POWERSHELL_RE.test(combined) || BINARY_DROP_RE.test(combined))) {
+    if (!platforms.includes('windows')) platforms.push('windows');
+    if (!platforms.includes('linux')) platforms.push('linux');
+    if (!platforms.includes('macos')) platforms.push('macos');
+  }
+
+  if (DLL_LOAD_RE.test(combined)) platforms.push('windows');
+  if (PROCESS_INJECT_RE.test(combined)) platforms.push('windows');
+
+  if (NET_CALLBACK_RE.test(combined)) {
+    const urls = combined.match(NET_CALLBACK_RE);
+    c2Indicators = urls ? [...new Set(urls.map(u => u.replace(/['")]/g, '')))] : ['Network callback to external server'];
+  }
+
+  if (BINARY_DROP_RE.test(combined)) hasBinaryDrop = true;
+
+  let payloadType = null;
+  if (platforms.length >= 2 && c2Indicators.length > 0 && hasBinaryDrop) {
+    payloadType = 'cross_platform_RAT';
+  } else if (hasBinaryDrop && c2Indicators.length > 0) {
+    payloadType = 'network_backdoor';
+  } else if (hasBinaryDrop && platforms.length > 0) {
+    payloadType = 'platform_persistence';
+  }
+
+  if (payloadType) {
+    return {
+      triggered: true,
+      payloadType,
+      platforms: [...new Set(platforms)],
+      c2Indicators,
+      hooks: activeHooks.map(h => h.hook),
+      hasBinaryDrop,
+    };
+  }
+
+  return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+}

package/backend/detectors/axios-poisoning/index.js

@@ -0,0 +1,94 @@
+import { scanVersionBlocklist } from './d1-version-fingerprint.js';
+import { scanDecoyDependency } from './d2-decoy-dep.js';
+import { scanPostinstallRAT } from './d3-postinstall-rat.js';
+import { attachProvenance } from '../../provenance.js';
+
+const RULE_SEVERITY = { D1: 'critical', D2: 'critical', D3: 'critical' };
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
+
+function highestSeverity(severities) {
+  for (const s of SEVERITY_ORDER) if (severities.includes(s)) return s;
+  return 'none';
+}
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const pkgName = pkgJson?.name || 'unknown';
+  const pkgVersion = pkgJson?.version || '0.0.0';
+  const fileList = allFiles || files || [];
+
+  const d1Result = scanVersionBlocklist(pkgJson);
+  if (d1Result.stopCondition) {
+    const evidence = attachProvenance({
+      rule: 'AXS-VER-001',
+      campaign: 'AXIOS_POISONING',
+      triggeredChecks: ['D1'],
+      matchedVersion: d1Result.matchedVersion,
+      action: 'BLOCK_IMMEDIATELY',
+      remediation: `Upgrade to axios@1.14.2 or later, or use pinned safe version`,
+    }, {
+      ruleId: 'AXS-VER-001',
+      ruleName: 'Compromised Axios Version Fingerprinting',
+      severity: 'CRITICAL',
+      campaignName: 'Axios Registry Poisoning',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity: 'critical',
+      indicators: [{ type: 'known_malicious_version', value: `${pkgName}@${pkgVersion}` }],
+      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/d1-version-fingerprint.js',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    });
+
+    return [{
+      id: 'AXIOS_POISONING',
+      severity: 'critical',
+      title: 'Axios Registry Poisoning campaign',
+      description: `HALT: ${pkgName}@${pkgVersion} is a known compromised version in the Axios registry poisoning campaign. Block install immediately.`,
+      evidence: JSON.stringify(evidence),
+      mitigation: d1Result.reason ? `BLOCK IMMEDIATELY. ${d1Result.reason}. Upgrade to axios@1.14.2 or later, or use pinned safe version.` : 'BLOCK IMMEDIATELY. Upgrade to a safe version.',
+      stopCondition: true,
+    }];
+  }
+
+  const d2Result = scanDecoyDependency(pkgJson);
+  const d3Result = scanPostinstallRAT(pkgJson, fileList);
+
+  const results = { D1: d1Result, D2: d2Result, D3: d3Result };
+
+  const triggered = Object.entries(results)
+    .filter(([_, r]) => r.triggered)
+    .map(([id]) => id);
+
+  if (triggered.length === 0) return [];
+
+  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+
+  const evidence = attachProvenance({
+    campaign: 'AXIOS_POISONING',
+    triggeredChecks: triggered,
+    details: Object.fromEntries(
+      Object.entries(results).filter(([_, r]) => r.triggered)
+    ),
+  }, {
+    ruleId: 'AXIOS_POISONING',
+    ruleName: 'Axios Registry Poisoning Detection',
+    severity: severity.toUpperCase(),
+    campaignName: 'Axios Registry Poisoning',
+    pkgName,
+    pkgVersion,
+    triggered: true,
+    severity,
+    indicators: triggered.map(id => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
+    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/',
+    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+  });
+
+  return [{
+    id: 'AXIOS_POISONING',
+    severity,
+    title: 'Axios Registry Poisoning campaign',
+    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: 'If decoy dependency detected: verify all axios dependencies are legitimate. If RAT payload detected: run full malware scan on the system, rotate all credentials, check for unauthorized network connections. Upgrade to axios@1.14.2+ or pin to a known safe version.',
+  }];
+}

package/backend/detectors/index.js

@@ -13,6 +13,11 @@ import { scanAll as megalodonScan } from './megalodon/index.js';
 import { scan as hfScan } from './hf-impersonation/index.js';
 import { scan as miniShaiHuludScan } from './mini-shai-hulud/index.js';
 import { scan as badhostScan } from './cve-2026-48710-badhost/index.js';
+import { scan as trapdoorScan } from './trapdoor/index.js';
+import { scan as nodeIpcScan } from './node-ipc-compromise/index.js';
+import { scan as mshSupplementScan } from './msh-supplement/index.js';
+import { scan as typosquatScan } from './typosquat-vpmdhaj/index.js';
+import { scan as axiosPoisoningScan } from './axios-poisoning/index.js';
 
 export async function runAll(pkgJson, files = [], registryMeta = null, allFiles = null) {
   const findings = [];
@@ -31,5 +36,10 @@ export async function runAll(pkgJson, files = [], registryMeta = null, allFiles
   findings.push(...await hfScan(pkgJson, files, registryMeta, allFiles || files));
   findings.push(...await miniShaiHuludScan(pkgJson, files, registryMeta, allFiles || files));
   findings.push(...await badhostScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await trapdoorScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await nodeIpcScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await mshSupplementScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await typosquatScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await axiosPoisoningScan(pkgJson, files, registryMeta, allFiles || files));
   return findings.sort((a, b) => b.severity.localeCompare(a.severity));
 }

package/backend/detectors/msh-supplement/d1-obfuscation.js

@@ -0,0 +1,18 @@
+const CTF_SCRAMBLE_RE = /require\(['"](ctf-scramble-v2|ctf-scramble-v\d+)['"]\)/;
+const CTF_SCRAMBLE_ESM_RE = /(?:from|import)\s+['"](ctf-scramble-v2|ctf-scramble-v\d+)['"]/;
+
+export function scanCtfScramble(files = []) {
+  for (const file of files) {
+    const content = file.content || '';
+    if (CTF_SCRAMBLE_RE.test(content) || CTF_SCRAMBLE_ESM_RE.test(content)) {
+      const match = content.match(CTF_SCRAMBLE_RE) || content.match(CTF_SCRAMBLE_ESM_RE);
+      return {
+        triggered: true,
+        stopCondition: true,
+        filePath: file.path,
+        patternMatched: match ? match[1] : 'ctf-scramble-v2',
+      };
+    }
+  }
+  return { triggered: false, stopCondition: false };
+}

package/backend/detectors/msh-supplement/d2-persistence.js

@@ -0,0 +1,47 @@
+const DAEMON_RE = /\b(daemon|fork)\s*\(/;
+const SPAWN_DETACHED_RE = /spawn\s*\([^)]*detached\s*:\s*true/;
+const SYSTEMD_RE = /\/etc\/systemd\/system\/|systemctl\s+(enable|start)/;
+const CRON_RE = /crontab\s+-e|\/etc\/cron\b/;
+const LAUNCHD_RE = /\/Library\/LaunchDaemons\/|launchctl\s+(load|start)/;
+const TASK_SCHED_RE = /schtasks\.exe|New-ScheduledTask|Register-ScheduledJob/;
+const CI_GUARD_RE = /!process\.env\.CI|process\.env\.CI\s*===?\s*undefined/;
+
+export function scanPersistence(pkgJson, files = []) {
+  const allScripts = [];
+  const hooks = ['preinstall', 'install', 'postinstall', 'preuninstall', 'postuninstall'];
+  for (const hook of hooks) {
+    const script = pkgJson?.scripts?.[hook];
+    if (script) {
+      allScripts.push({ hook, content: script });
+    }
+  }
+
+  const code = files.map(f => f.content || '').join('\n');
+  const codeWithScripts = code + '\n' + allScripts.map(s => s.content).join('\n');
+
+  const detectedApis = [];
+  let hasCiGuard = false;
+  let hasDaemon = false;
+
+  if (DAEMON_RE.test(codeWithScripts)) detectedApis.push('daemon');
+  if (SPAWN_DETACHED_RE.test(codeWithScripts)) detectedApis.push('spawn_detached');
+  if (SYSTEMD_RE.test(codeWithScripts)) detectedApis.push('systemd');
+  if (CRON_RE.test(codeWithScripts)) detectedApis.push('cron');
+  if (LAUNCHD_RE.test(codeWithScripts)) detectedApis.push('launchd');
+  if (TASK_SCHED_RE.test(codeWithScripts)) detectedApis.push('task_scheduler');
+  if (CI_GUARD_RE.test(codeWithScripts)) hasCiGuard = true;
+
+  if (DAEMON_RE.test(codeWithScripts) || SPAWN_DETACHED_RE.test(codeWithScripts)) hasDaemon = true;
+
+  if (hasDaemon || detectedApis.length > 0) {
+    return {
+      triggered: true,
+      detectedApis,
+      hasCiGuard,
+      hooks: allScripts.map(s => s.hook),
+      context: hasCiGuard ? 'Spawns background process when CI env var absent' : 'Suspicious persistence/detached process detected',
+    };
+  }
+
+  return { triggered: false, detectedApis: [], hasCiGuard: false, hooks: [] };
+}

package/backend/detectors/msh-supplement/d3-geo-killswitch.js

@@ -0,0 +1,35 @@
+const LOCALE_CHECKS = [
+  /process\.env\.LANG/,
+  /process\.env\.LC_ALL/,
+  /process\.env\.LC_MESSAGES/,
+  /Intl\.DateTimeFormat\(\)\.resolvedOptions\(\)\.timeZone/,
+  /Intl\.DateTimeFormat\.resolvedOptions\b/,
+];
+const TARGET_LOCALES = /ru_RU|be_BY|uk_UA/;
+const SILENT_EXIT_RE = /process\.exit\s*\(\s*0\s*\)/;
+
+export function scanGeoKillswitch(files = []) {
+  const code = files.map(f => f.content || '').join('\n');
+  if (!code) return { triggered: false, targetedLocales: [], triggerBehavior: null };
+
+  const hasLocaleCheck = LOCALE_CHECKS.some(re => re.test(code));
+  if (!hasLocaleCheck) return { triggered: false, targetedLocales: [], triggerBehavior: null };
+
+  const hasTargetLocale = TARGET_LOCALES.test(code);
+  const hasSilentExit = SILENT_EXIT_RE.test(code);
+
+  if (hasTargetLocale || hasSilentExit) {
+    const matchedLocales = [];
+    if (/ru_RU/.test(code)) matchedLocales.push('ru_RU');
+    if (/be_BY/.test(code)) matchedLocales.push('be_BY');
+    if (/uk_UA/.test(code)) matchedLocales.push('uk_UA');
+
+    return {
+      triggered: true,
+      targetedLocales: matchedLocales.length > 0 ? matchedLocales : ['ru_RU', 'be_BY'],
+      triggerBehavior: hasSilentExit ? 'Silent exit' : 'Locale/timezone match with conditional behavior',
+    };
+  }
+
+  return { triggered: false, targetedLocales: [], triggerBehavior: null };
+}

package/backend/detectors/msh-supplement/d4-c2-deaddrop.js

@@ -0,0 +1,33 @@
+const OHNO_WHATS_GOING_ON_RE = /OhNoWhatsGoingOnWithGitHub/;
+const GITHUB_COMMIT_SCRAPE_RE = /api\.github\.com\/repos\/[^/]+\/[^/]+\/commits/;
+const GITHUB_GRAPHQL_RE = /api\.github\.com\/graphql/;
+const GITHUB_TOKEN_ACCESS_RE = /process\.env\.(?:GH_TOKEN|GITHUB_TOKEN|GITHUB_ACTOR)/;
+const COMMIT_PARSE_LOOP_RE = /commits?\s*\.\s*(?:map|filter|forEach|for\s*\(|while\s*\()/;
+
+export function scanC2DeadDrop(files = []) {
+  const code = files.map(f => f.content || '').join('\n');
+  if (!code) return { triggered: false, matches: [] };
+
+  const matches = [];
+
+  if (OHNO_WHATS_GOING_ON_RE.test(code)) {
+    matches.push({ type: 'ioc_keyword', value: 'OhNoWhatsGoingOnWithGitHub', attackVector: 'GitHub commit scraping for token recovery' });
+  }
+
+  const hasTokenAccess = GITHUB_TOKEN_ACCESS_RE.test(code);
+  const hasGithubApi = GITHUB_COMMIT_SCRAPE_RE.test(code) || GITHUB_GRAPHQL_RE.test(code);
+  const hasCommitParseLoop = COMMIT_PARSE_LOOP_RE.test(code);
+
+  if (hasTokenAccess && hasGithubApi) {
+    matches.push({ type: 'token_exfil_github_api', value: 'Credential access followed by GitHub API call', attackVector: 'Credential/token extraction followed by GitHub API calls' });
+  }
+
+  if (hasCommitParseLoop && hasGithubApi) {
+    matches.push({ type: 'commit_scraping', value: 'Commit message parsing with GitHub API', attackVector: 'Commit scraping for secret detection' });
+  }
+
+  return {
+    triggered: matches.length > 0,
+    matches,
+  };
+}

package/backend/detectors/msh-supplement/index.js

@@ -0,0 +1,107 @@
+import { scanCtfScramble } from './d1-obfuscation.js';
+import { scanPersistence } from './d2-persistence.js';
+import { scanGeoKillswitch } from './d3-geo-killswitch.js';
+import { scanC2DeadDrop } from './d4-c2-deaddrop.js';
+import { attachProvenance } from '../../provenance.js';
+
+const RULE_SEVERITY = {
+  D1: 'critical',
+  D2: 'critical',
+  D3: 'high',
+  D4: 'critical',
+};
+
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
+
+function highestSeverity(severities) {
+  for (const s of SEVERITY_ORDER) {
+    if (severities.includes(s)) return s;
+  }
+  return 'none';
+}
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const fileList = allFiles || files || [];
+  const pkgName = pkgJson?.name || 'unknown';
+  const pkgVersion = pkgJson?.version || '0.0.0';
+
+  const d1Results = scanCtfScramble(fileList);
+  if (d1Results.stopCondition) {
+    const evidence = attachProvenance({
+      rule: 'MSH-OBF-001',
+      campaign: 'MINI_SHAI_HULUD',
+      triggeredChecks: ['D1'],
+      filePath: d1Results.filePath,
+      patternMatched: d1Results.patternMatched,
+      action: 'BLOCK_IMMEDIATELY',
+    }, {
+      ruleId: 'MSH-OBF-001',
+      ruleName: 'ctf-scramble-v2 Obfuscation Detection',
+      severity: 'CRITICAL',
+      campaignName: 'Mini Shai-Hulud',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity: 'critical',
+      indicators: [{ type: 'obfuscation_found', value: d1Results.patternMatched }],
+      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/d1-obfuscation.js',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    });
+
+    return [{
+      id: 'MINI_SHAI_HULUD',
+      severity: 'critical',
+      title: 'Mini Shai-Hulud worm campaign — ctf-scramble-v2 malware obfuscation detected',
+      description: 'HALT: ctf-scramble-v2 obfuscation layer detected. Package is compromised. Block install immediately.',
+      evidence: JSON.stringify(evidence),
+      mitigation: 'BLOCK IMMEDIATELY. Do not install this package version. Revoke any npm tokens exposed to this package. Rotate all CI/CD secrets. Run full malware scan on any system that processed this package.',
+      stopCondition: true,
+    }];
+  }
+
+  const results = {
+    D2: scanPersistence(pkgJson, fileList),
+    D3: scanGeoKillswitch(fileList),
+    D4: scanC2DeadDrop(fileList),
+  };
+
+  const triggered = Object.entries(results)
+    .filter(([_, r]) => r.triggered)
+    .map(([id]) => id);
+
+  if (triggered.length === 0) return [];
+
+  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+
+  const evidence = attachProvenance({
+    campaign: 'MINI_SHAI_HULUD',
+    triggeredChecks: triggered,
+    details: Object.fromEntries(
+      Object.entries(results).filter(([_, r]) => r.triggered)
+    ),
+  }, {
+    ruleId: 'MSH-SUPPLEMENT',
+    ruleName: 'Mini Shai-Hulud Supplement Detection',
+    severity: severity.toUpperCase(),
+    campaignName: 'Mini Shai-Hulud',
+    pkgName,
+    pkgVersion,
+    triggered: true,
+    severity,
+    indicators: triggered.map(id => ({
+      type: `rule_${id}`,
+      value: RULE_SEVERITY[id],
+    })),
+    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/',
+    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+  });
+
+  return [{
+    id: 'MINI_SHAI_HULUD',
+    severity,
+    title: 'Mini Shai-Hulud worm campaign — supplement indicators',
+    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: 'If daemonization detected: revoke npm tokens and rotate CI/CD secrets. If geographic killswitch detected: verify running in expected region; attacker may be avoiding certain locales. If C2 dead-drop detected: check for unauthorized GitHub API access and token exfiltration. Review recent version publish history for anomalous bursts.',
+  }];
+}

package/backend/detectors/node-ipc-compromise/d1-version-blocklist.js

@@ -0,0 +1,24 @@
+const BLOCKED_VERSIONS = new Set(['9.1.6', '9.2.3', '12.0.1']);
+
+const SAFE_PINS = {
+  '9.1.6': '9.1.5',
+  '9.2.3': '9.1.5',
+  '12.0.1': '12.0.0',
+};
+
+export function scanVersionBlocklist(pkgJson, registryMeta) {
+  const pkgName = pkgJson?.name || '';
+  if (pkgName !== 'node-ipc') return { triggered: false };
+
+  const version = pkgJson?.version || '';
+  if (BLOCKED_VERSIONS.has(version)) {
+    return {
+      triggered: true,
+      version,
+      safePin: SAFE_PINS[version],
+      maliciousVersions: ['9.1.6', '9.2.3', '12.0.1'],
+    };
+  }
+
+  return { triggered: false, version };
+}

package/backend/detectors/node-ipc-compromise/d10-unauthorized-publisher.js

@@ -0,0 +1,19 @@
+export function scanUnauthorizedPublisher(pkgJson, registryMeta) {
+  const pkgName = pkgJson?.name || '';
+  if (pkgName !== 'node-ipc') return { triggered: false };
+
+  const publisherAccount = registryMeta?.versions?.[pkgJson?.version]?._npmUser?.name
+    || registryMeta?.versions?.[Object.keys(registryMeta.versions || {})[0]]?._npmUser?.name
+    || null;
+
+  if (publisherAccount === 'atiertant') {
+    return {
+      triggered: true,
+      publisher: publisherAccount,
+      package: pkgName,
+      detail: 'Account atiertant has no prior release history on node-ipc — account recovery via expired email domain takeover',
+    };
+  }
+
+  return { triggered: false, publisher: publisherAccount };
+}

package/backend/detectors/node-ipc-compromise/d11-blast-radius.js

@@ -0,0 +1,40 @@
+const COMPROMISED_VERSIONS = {
+  '9.1.6': { safePin: '9.1.5', ranges: ['~9.1.x', '^9.1', '^9'] },
+  '9.2.3': { safePin: '9.1.5', ranges: ['~9.2.x', '^9.2'] },
+  '12.0.1': { safePin: '12.0.0', ranges: ['~12.0.x', '^12'] },
+};
+
+const LOCKFILE_PATTERNS = [
+  /package-lock\.json$/i,
+  /yarn\.lock$/i,
+  /pnpm-lock\.yaml$/i,
+  /pnpm-lock\.yml$/i,
+];
+
+export function scanBlastRadius(allFiles) {
+  const matches = [];
+
+  for (const file of allFiles) {
+    const path = file.path?.replace(/\\/g, '/') || '';
+    const isLockfile = LOCKFILE_PATTERNS.some(p => p.test(path));
+    if (!isLockfile) continue;
+
+    const content = file.content || '';
+    const hasNodeIpc = /\bnode-ipc\b/i.test(content);
+    if (!hasNodeIpc) continue;
+
+    for (const [badVersion, info] of Object.entries(COMPROMISED_VERSIONS)) {
+      const versionInQuotes = `"${badVersion}"`;
+      if (content.includes(versionInQuotes)) {
+        matches.push({
+          file: path,
+          compromisedVersion: badVersion,
+          safePin: info.safePin,
+          detail: `node-ipc resolved to compromised version ${badVersion} in lockfile. Pin to ${info.safePin}.`,
+        });
+      }
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/node-ipc-compromise/d2-tarball-hash.js

@@ -0,0 +1,31 @@
+import { createHash } from 'crypto';
+
+const MALICIOUS_HASHES = new Set([
+  '449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e',
+  'c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea',
+  '78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981',
+]);
+
+export function scanTarballHash(allFiles) {
+  const matches = [];
+
+  for (const file of allFiles) {
+    const path = file.path || '';
+    if (!path.endsWith('.tgz') && !path.endsWith('.tar.gz')) continue;
+
+    const content = file.content || '';
+    const hash = createHash('sha256').update(content, 'utf8').digest('hex');
+
+    if (MALICIOUS_HASHES.has(hash)) {
+      matches.push({
+        file: path,
+        sha256: hash,
+        version: hash === '449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e'
+          ? '9.1.6' : hash === 'c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea'
+          ? '9.2.3' : '12.0.1',
+      });
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/node-ipc-compromise/d3-cjs-payload-injection.js

@@ -0,0 +1,73 @@
+const IIFE_END_PATTERN = /}\)\(\);\s*$/;
+const SIZE_DIFFERENTIAL_THRESHOLD = 50 * 1024;
+
+export function scanCjsPayloadInjection(allFiles) {
+  const matches = [];
+
+  let cjsContent = null;
+  let mjsContent = null;
+  let cjsPath = null;
+  let mjsPath = null;
+
+  for (const file of allFiles) {
+    const path = file.path?.replace(/\\/g, '/') || '';
+    if (path.endsWith('node-ipc.cjs')) {
+      cjsContent = file.content || '';
+      cjsPath = path;
+    }
+    if (path.endsWith('node-ipc.mjs')) {
+      mjsContent = file.content || '';
+      mjsPath = path;
+    }
+  }
+
+  if (cjsContent && !mjsContent) {
+    matches.push({
+      file: cjsPath,
+      finding: 'cjs-present-no-esm',
+      detail: 'node-ipc.cjs present but node-ipc.mjs not found — unable to cross-reference size',
+    });
+  }
+
+  if (cjsContent && mjsContent) {
+    const cjsSize = Buffer.byteLength(cjsContent, 'utf8');
+    const mjsSize = Buffer.byteLength(mjsContent, 'utf8');
+    const sizeDiff = cjsSize - mjsSize;
+
+    if (sizeDiff > SIZE_DIFFERENTIAL_THRESHOLD) {
+      matches.push({
+        file: cjsPath,
+        finding: 'size-anomaly',
+        cjsSize,
+        mjsSize,
+        sizeDiff,
+        detail: `CJS (${cjsSize} bytes) exceeds ESM (${mjsSize} bytes) by ${sizeDiff} bytes — potential injected payload`,
+      });
+    }
+
+    if (IIFE_END_PATTERN.test(cjsContent.trim())) {
+      const trimmed = cjsContent.trim();
+      const iifeMatch = trimmed.match(IIFE_END_PATTERN);
+      if (iifeMatch) {
+        matches.push({
+          file: cjsPath,
+          finding: 'iife-suffix',
+          detail: 'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
+        });
+      }
+    }
+  }
+
+  if (cjsContent && IIFE_END_PATTERN.test(cjsContent.trim())) {
+    const alreadyReported = matches.some(m => m.finding === 'iife-suffix');
+    if (!alreadyReported) {
+      matches.push({
+        file: cjsPath,
+        finding: 'iife-suffix',
+        detail: 'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
+      });
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}