npm - @lateos/npm-scan - Versions diffs - 0.16.0 → 0.16.4 - Mend

@lateos/npm-scan 0.16.0 → 0.16.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/README.de.md +42 -3
package/README.fr.md +45 -6
package/README.ja.md +41 -2
package/README.md +26 -1
package/README.zh.md +41 -2
package/backend/detectors/axios-poisoning/d1-version-fingerprint.js +24 -0
package/backend/detectors/axios-poisoning/d2-decoy-dep.js +24 -0
package/backend/detectors/axios-poisoning/d3-postinstall-rat.js +90 -0
package/backend/detectors/axios-poisoning/index.js +94 -0
package/backend/detectors/index.js +6 -0
package/backend/detectors/msh-supplement/d1-obfuscation.js +18 -0
package/backend/detectors/msh-supplement/d2-persistence.js +47 -0
package/backend/detectors/msh-supplement/d3-geo-killswitch.js +35 -0
package/backend/detectors/msh-supplement/d4-c2-deaddrop.js +33 -0
package/backend/detectors/msh-supplement/index.js +107 -0
package/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js +77 -0
package/backend/detectors/typosquat-vpmdhaj/d2-preinstall-loader.js +37 -0
package/backend/detectors/typosquat-vpmdhaj/d3-cred-exfil.js +66 -0
package/backend/detectors/typosquat-vpmdhaj/index.js +98 -0
package/backend/provenance.js +79 -0
package/package.json +1 -1

package/backend/detectors/typosquat-vpmdhaj/index.js ADDED Viewed

@@ -0,0 +1,98 @@
+import { scanMaintainerAnomaly } from './d1-maintainer.js';
+import { scanPreinstallLoader } from './d2-preinstall-loader.js';
+import { scanCredExfil } from './d3-cred-exfil.js';
+import { attachProvenance } from '../../provenance.js';
+const RULE_SEVERITY = { D1: 'critical', D2: 'critical', D3: 'critical' };
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
+function highestSeverity(severities) {
+  for (const s of SEVERITY_ORDER) if (severities.includes(s)) return s;
+  return 'none';
+}
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const pkgName = pkgJson?.name || 'unknown';
+  const pkgVersion = pkgJson?.version || '0.0.0';
+  const fileList = allFiles || files || [];
+  const d1Result = scanMaintainerAnomaly(pkgJson, registryMeta);
+  if (d1Result.stopCondition) {
+    const evidence = attachProvenance({
+      rule: 'TSQ-MAINT-001',
+      campaign: 'TYPOSQUAT_VPMDHAJ',
+      triggeredChecks: ['D1'],
+      maintainer: d1Result.maintainer,
+      suspiciousAliases: d1Result.suspiciousAliases,
+      action: 'BLOCK',
+    }, {
+      ruleId: 'TSQ-MAINT-001',
+      ruleName: 'Maintainer & Package Alias Anomalies',
+      severity: 'CRITICAL',
+      campaignName: 'Mass Typosquatting (vpmdhaj)',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity: 'critical',
+      indicators: [{ type: 'blocked_maintainer', value: d1Result.maintainer }, ...d1Result.suspiciousAliases.map(a => ({ type: 'suspicious_alias', value: a }))],
+      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    });
+    return [{
+      id: 'TYPOSQUAT_VPMDHAJ',
+      severity: 'critical',
+      title: 'Mass Typosquatting campaign (vpmdhaj) — blocked maintainer',
+      description: d1Result.reason,
+      evidence: JSON.stringify(evidence),
+      mitigation: 'BLOCK IMMEDIATELY. Do not install packages from maintainer vpmdhaj. Audit all packages from your lockfile for this maintainer. Check for typosquatting of popular packages.',
+      stopCondition: true,
+    }];
+  }
+  const d2Result = scanPreinstallLoader(pkgJson);
+  const d3Result = scanCredExfil(fileList, pkgJson);
+  const results = {
+    D1: d1Result,
+    D2: d2Result,
+    D3: d3Result,
+  };
+  const triggered = Object.entries(results)
+    .filter(([_, r]) => r.triggered)
+    .map(([id]) => id);
+  if (triggered.length === 0) return [];
+  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const evidence = attachProvenance({
+    campaign: 'TYPOSQUAT_VPMDHAJ',
+    triggeredChecks: triggered,
+    details: Object.fromEntries(
+      Object.entries(results).filter(([_, r]) => r.triggered)
+    ),
+  }, {
+    ruleId: 'TYPOSQUAT_VPMDHAJ',
+    ruleName: 'Mass Typosquatting Campaign Detection',
+    severity: severity.toUpperCase(),
+    campaignName: 'Mass Typosquatting (vpmdhaj)',
+    pkgName,
+    pkgVersion,
+    triggered: true,
+    severity,
+    indicators: triggered.map(id => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
+    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/',
+    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+  });
+  return [{
+    id: 'TYPOSQUAT_VPMDHAJ',
+    severity,
+    title: 'Mass Typosquatting campaign (vpmdhaj)',
+    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: 'Block install immediately. Revoke any npm tokens. Rotate CI/CD secrets. Audit all packages from maintainer vpmdhaj. If credential exfiltration detected: rotate AWS IAM keys, Vault tokens, and GitHub tokens immediately. Verify CloudTrail/audit logs for unauthorized access.',
+  }];
+}

package/backend/provenance.js ADDED Viewed

@@ -0,0 +1,79 @@
+import { createHash, createHmac } from 'crypto';
+const PROVENANCE_VERSION = 'aureus-v1.7';
+const HMAC_KEY = process.env.AUREUS_HMAC_KEY || '@lateos/npm-scan:provenance:v1';
+export function hashContent(content) {
+  return createHash('sha256').update(JSON.stringify(content)).digest('hex');
+}
+export function signManifest(manifest, key = HMAC_KEY) {
+  return createHmac('sha256', key).update(JSON.stringify(manifest)).digest('hex');
+}
+export function buildDetectionRule({ ruleId, ruleName, severity, cveReferences = [], campaignName }) {
+  return {
+    rule_id: ruleId,
+    rule_name: ruleName,
+    severity,
+    cve_references: cveReferences,
+    campaign_name: campaignName,
+  };
+}
+export function buildScanMetadata({ scannerVersion, packageAnalyzed }) {
+  return {
+    scan_timestamp: new Date().toISOString(),
+    scanner_version: scannerVersion || '@lateos/npm-scan',
+    pipeline_version: PROVENANCE_VERSION,
+    package_analyzed: packageAnalyzed,
+  };
+}
+export function buildDetectionResult({ triggered, severity, indicators = [] }) {
+  return {
+    triggered,
+    severity,
+    indicators,
+  };
+}
+export function buildAuditTrail({ detectionLogic, ruleProvenanceUrl, campaignSourceUrl }) {
+  const contentHash = hashContent(detectionLogic);
+  const manifest = { contentHash, ruleProvenanceUrl, campaignSourceUrl, generatedAt: new Date().toISOString() };
+  return {
+    content_hash: contentHash,
+    rule_provenance_url: ruleProvenanceUrl,
+    campaign_source_url: campaignSourceUrl,
+    hmac_signature: signManifest(manifest),
+    _manifest: manifest,
+  };
+}
+export function buildDetectionRecord({ rule, scanMetadata, detectionResult, auditTrail }) {
+  return {
+    detection_rule: rule,
+    scan_metadata: scanMetadata,
+    detection_result: detectionResult,
+    audit_trail: auditTrail,
+  };
+}
+export function attachProvenance(evidence, { ruleId, ruleName, severity, campaignName, pkgName, pkgVersion, triggered, indicators, ruleProvenanceUrl, campaignSourceUrl }) {
+  const rule = buildDetectionRule({ ruleId, ruleName, severity, campaignName });
+  const scanMetadata = buildScanMetadata({
+    scannerVersion: '@lateos/npm-scan',
+    packageAnalyzed: `${pkgName}@${pkgVersion}`,
+  });
+  const detectionResult = buildDetectionResult({ triggered, severity, indicators });
+  const auditTrail = buildAuditTrail({
+    detectionLogic: { rule, indicators },
+    ruleProvenanceUrl,
+    campaignSourceUrl,
+  });
+  const record = buildDetectionRecord({ rule, scanMetadata, detectionResult, auditTrail });
+  return { ...evidence, _provenance: record };
+}
+export { PROVENANCE_VERSION };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.16.0",
+  "version": "0.16.4",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {