@lateos/npm-scan 0.16.0 → 0.16.5

package/backend/detectors/megalodon/d2-credential-harvest.js

@@ -1,61 +1,61 @@
-import { MegalodonSignal } from './types.js';
-
-const CRED_PATTERNS = [
-  { pattern: /\bAWS_(SECRET_ACCESS_KEY|ACCESS_KEY_ID|SESSION_TOKEN)\b/, label: 'AWS credential' },
-  { pattern: /\bGOOGLE_APPLICATION_CREDENTIALS\b/, label: 'GCP credential' },
-  { pattern: /\bAZURE_(CLIENT_SECRET|TENANT_ID|CLIENT_ID|SUBSCRIPTION_ID)\b/, label: 'Azure credential' },
-  { pattern: /\bGH_(TOKEN|PAT)\b/, label: 'GitHub PAT' },
-  { pattern: /\bGITHUB_TOKEN\b/, label: 'GitHub token' },
-  { pattern: /\bNPM_TOKEN\b/, label: 'npm token' },
-  { pattern: /\bDISCORD_TOKEN\b/, label: 'Discord token' },
-  { pattern: /\bSLACK_TOKEN\b/, label: 'Slack token' },
-  { pattern: /\bSTRIPE_(SECRET|PUBLISHABLE)_KEY\b/, label: 'Stripe key' },
-  { pattern: /\bTWILIO_(ACCOUNT_SID|AUTH_TOKEN)\b/, label: 'Twilio credential' },
-  { pattern: /\bDB_(USERNAME|PASSWORD|URL)\b/, label: 'Database credential' },
-  { pattern: /\bMONGO_(URI|URL|CONNECTION)\b/, label: 'MongoDB connection' },
-];
-
-const OUTBOUND_NET_RE = /curl\s+|wget\s+|fetch\s*\(|https?\.request\s*\(|http\.request\s*\(|got\s*\(|axios\s*\.|request\s*\(|node-fetch|\.post\s*\(|\.get\s*\(/i;
-
-const TARGET_EXTENSIONS = ['.sh', '.bash', '.yml', '.yaml', '.js'];
-
-function isTargetFile(f) {
-  const ext = f.path.slice(f.path.lastIndexOf('.')).toLowerCase();
-  return TARGET_EXTENSIONS.includes(ext);
-}
-
-export async function scan(allFiles) {
-  const evidence = [];
-  const targetFiles = allFiles.filter(isTargetFile);
-
-  for (const f of targetFiles) {
-    const content = f.content;
-    let score = 0;
-    const matched = [];
-
-    for (const cp of CRED_PATTERNS) {
-      const re = new RegExp(cp.pattern.source, 'gi');
-      let m;
-      while ((m = re.exec(content)) !== null) {
-        if (!matched.some(ex => ex.label === cp.label)) {
-          matched.push({ label: cp.label, match: m[0] });
-        }
-        score += 3;
-      }
-    }
-
-    if (score > 0) {
-      const hasNetwork = OUTBOUND_NET_RE.test(content);
-      if (hasNetwork) {
-        evidence.push({
-          signal: MegalodonSignal.CREDENTIAL_HARVEST,
-          file: f.path,
-          excerpt: matched.map(m => m.label).join(', ').slice(0, 120),
-          detail: `Credential env vars (${matched.map(m => m.label).join(', ')}) co-occur with outbound network call (score: ${score})`,
-        });
-      }
-    }
-  }
-
-  return evidence;
-}
+import { MegalodonSignal } from './types.js';
+
+const CRED_PATTERNS = [
+  { pattern: /\bAWS_(SECRET_ACCESS_KEY|ACCESS_KEY_ID|SESSION_TOKEN)\b/, label: 'AWS credential' },
+  { pattern: /\bGOOGLE_APPLICATION_CREDENTIALS\b/, label: 'GCP credential' },
+  { pattern: /\bAZURE_(CLIENT_SECRET|TENANT_ID|CLIENT_ID|SUBSCRIPTION_ID)\b/, label: 'Azure credential' },
+  { pattern: /\bGH_(TOKEN|PAT)\b/, label: 'GitHub PAT' },
+  { pattern: /\bGITHUB_TOKEN\b/, label: 'GitHub token' },
+  { pattern: /\bNPM_TOKEN\b/, label: 'npm token' },
+  { pattern: /\bDISCORD_TOKEN\b/, label: 'Discord token' },
+  { pattern: /\bSLACK_TOKEN\b/, label: 'Slack token' },
+  { pattern: /\bSTRIPE_(SECRET|PUBLISHABLE)_KEY\b/, label: 'Stripe key' },
+  { pattern: /\bTWILIO_(ACCOUNT_SID|AUTH_TOKEN)\b/, label: 'Twilio credential' },
+  { pattern: /\bDB_(USERNAME|PASSWORD|URL)\b/, label: 'Database credential' },
+  { pattern: /\bMONGO_(URI|URL|CONNECTION)\b/, label: 'MongoDB connection' },
+];
+
+const OUTBOUND_NET_RE = /curl\s+|wget\s+|fetch\s*\(|https?\.request\s*\(|http\.request\s*\(|got\s*\(|axios\s*\.|request\s*\(|node-fetch|\.post\s*\(|\.get\s*\(/i;
+
+const TARGET_EXTENSIONS = ['.sh', '.bash', '.yml', '.yaml', '.js'];
+
+function isTargetFile(f) {
+  const ext = f.path.slice(f.path.lastIndexOf('.')).toLowerCase();
+  return TARGET_EXTENSIONS.includes(ext);
+}
+
+export async function scan(allFiles) {
+  const evidence = [];
+  const targetFiles = allFiles.filter(isTargetFile);
+
+  for (const f of targetFiles) {
+    const content = f.content;
+    let score = 0;
+    const matched = [];
+
+    for (const cp of CRED_PATTERNS) {
+      const re = new RegExp(cp.pattern.source, 'gi');
+      let m;
+      while ((m = re.exec(content)) !== null) {
+        if (!matched.some(ex => ex.label === cp.label)) {
+          matched.push({ label: cp.label, match: m[0] });
+        }
+        score += 3;
+      }
+    }
+
+    if (score > 0) {
+      const hasNetwork = OUTBOUND_NET_RE.test(content);
+      if (hasNetwork) {
+        evidence.push({
+          signal: MegalodonSignal.CREDENTIAL_HARVEST,
+          file: f.path,
+          excerpt: matched.map(m => m.label).join(', ').slice(0, 120),
+          detail: `Credential env vars (${matched.map(m => m.label).join(', ')}) co-occur with outbound network call (score: ${score})`,
+        });
+      }
+    }
+  }
+
+  return evidence;
+}

package/backend/detectors/megalodon/d3-publish-velocity.js

@@ -1,67 +1,67 @@
-import { MegalodonSignal } from './types.js';
-
-export function detectVelocitySpike(times, windowHours = 6, threshold = 3) {
-  const filtered = {};
-  for (const [v, t] of Object.entries(times)) {
-    if (v === 'created' || v === 'modified') continue;
-    filtered[v] = t;
-  }
-
-  const entries = Object.entries(filtered)
-    .filter(([, t]) => t)
-    .map(([v, t]) => [v, new Date(t).getTime()])
-    .filter(([, ts]) => !Number.isNaN(ts))
-    .sort((a, b) => a[1] - b[1]);
-
-  if (entries.length === 0) {
-    return { triggered: false, versionsInWindow: [], windowStartISO: null };
-  }
-
-  const windowMs = windowHours * 3_600_000;
-
-  for (let i = 0; i < entries.length; i++) {
-    const windowStart = entries[i][1];
-    const windowEnd = windowStart + windowMs;
-    const inWindow = [];
-
-    for (let j = i; j < entries.length; j++) {
-      if (entries[j][1] <= windowEnd) {
-        inWindow.push(entries[j][0]);
-      } else {
-        break;
-      }
-    }
-
-    if (inWindow.length >= threshold) {
-      let display = inWindow.slice(0, 10);
-      let suffix = '';
-      if (inWindow.length > 10) {
-        suffix = ` +${inWindow.length - 10} more`;
-      }
-      return {
-        triggered: true,
-        versionsInWindow: display.join(', ') + suffix,
-        windowStartISO: new Date(windowStart).toISOString(),
-        _allVersions: inWindow,
-      };
-    }
-  }
-
-  return { triggered: false, versionsInWindow: [], windowStartISO: null };
-}
-
-export async function scan(registryMeta) {
-  const times = registryMeta?.time || {};
-  const result = detectVelocitySpike(times);
-
-  if (!result.triggered) return [];
-
-  return [{
-    signal: MegalodonSignal.PUBLISH_VELOCITY,
-    file: 'registry.npmjs.org',
-    excerpt: result.versionsInWindow,
-    detail: `Version publish velocity spike: ${result.versionsInWindow} versions in window starting ${result.windowStartISO}`,
-    _windowStartISO: result.windowStartISO,
-    _allVersions: result._allVersions,
-  }];
-}
+import { MegalodonSignal } from './types.js';
+
+export function detectVelocitySpike(times, windowHours = 6, threshold = 3) {
+  const filtered = {};
+  for (const [v, t] of Object.entries(times)) {
+    if (v === 'created' || v === 'modified') continue;
+    filtered[v] = t;
+  }
+
+  const entries = Object.entries(filtered)
+    .filter(([, t]) => t)
+    .map(([v, t]) => [v, new Date(t).getTime()])
+    .filter(([, ts]) => !Number.isNaN(ts))
+    .sort((a, b) => a[1] - b[1]);
+
+  if (entries.length === 0) {
+    return { triggered: false, versionsInWindow: [], windowStartISO: null };
+  }
+
+  const windowMs = windowHours * 3_600_000;
+
+  for (let i = 0; i < entries.length; i++) {
+    const windowStart = entries[i][1];
+    const windowEnd = windowStart + windowMs;
+    const inWindow = [];
+
+    for (let j = i; j < entries.length; j++) {
+      if (entries[j][1] <= windowEnd) {
+        inWindow.push(entries[j][0]);
+      } else {
+        break;
+      }
+    }
+
+    if (inWindow.length >= threshold) {
+      let display = inWindow.slice(0, 10);
+      let suffix = '';
+      if (inWindow.length > 10) {
+        suffix = ` +${inWindow.length - 10} more`;
+      }
+      return {
+        triggered: true,
+        versionsInWindow: display.join(', ') + suffix,
+        windowStartISO: new Date(windowStart).toISOString(),
+        _allVersions: inWindow,
+      };
+    }
+  }
+
+  return { triggered: false, versionsInWindow: [], windowStartISO: null };
+}
+
+export async function scan(registryMeta) {
+  const times = registryMeta?.time || {};
+  const result = detectVelocitySpike(times);
+
+  if (!result.triggered) return [];
+
+  return [{
+    signal: MegalodonSignal.PUBLISH_VELOCITY,
+    file: 'registry.npmjs.org',
+    excerpt: result.versionsInWindow,
+    detail: `Version publish velocity spike: ${result.versionsInWindow} versions in window starting ${result.windowStartISO}`,
+    _windowStartISO: result.windowStartISO,
+    _allVersions: result._allVersions,
+  }];
+}

package/backend/detectors/megalodon/d4-publisher-drift.js

@@ -1,124 +1,124 @@
-import { MegalodonSignal } from './types.js';
-
-export async function scan(registryMeta, velocityResult) {
-  const evidence = [];
-  const versions = registryMeta?.versions || {};
-  const timeMap = registryMeta?.time || {};
-
-  const filteredTimes = {};
-  for (const [v, t] of Object.entries(timeMap)) {
-    if (v === 'created' || v === 'modified') continue;
-    if (t) filteredTimes[v] = t;
-  }
-
-  const sortedVersions = Object.entries(filteredTimes)
-    .filter(([, t]) => t && !Number.isNaN(new Date(t).getTime()))
-    .sort((a, b) => new Date(a[1]).getTime() - new Date(b[1]).getTime())
-    .map(([v]) => v);
-
-  if (sortedVersions.length === 0) return [];
-
-  if (velocityResult?.triggered) {
-    const windowStartISO = velocityResult.windowStartISO;
-    const allInWindow = velocityResult._allVersions || [];
-
-    const priorPublishers = new Set();
-    for (const v of sortedVersions) {
-      if (new Date(filteredTimes[v]).getTime() >= new Date(windowStartISO).getTime()) break;
-      const user = versions[v]?._npmUser?.name;
-      if (user) priorPublishers.add(user);
-    }
-
-    if (priorPublishers.size === 0 && allInWindow.length > 0) {
-      const firstUser = versions[allInWindow[0]]?._npmUser?.name;
-      if (firstUser) priorPublishers.add(firstUser);
-    }
-
-    const suspiciousPublishers = [];
-    const affectedVersions = [];
-    for (const v of allInWindow) {
-      const user = versions[v]?._npmUser?.name;
-      if (user && !priorPublishers.has(user)) {
-        if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
-        if (!affectedVersions.includes(v)) affectedVersions.push(v);
-      }
-    }
-
-    if (suspiciousPublishers.length > 0) {
-      const detail = `Drift detected: known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in versions [${affectedVersions.join(', ')}]`;
-
-      const firstSuspiciousVer = allInWindow.find(v => affectedVersions.includes(v));
-      let ageNote = '';
-      if (firstSuspiciousVer && suspiciousPublishers[0]) {
-        ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[firstSuspiciousVer]);
-      }
-
-      evidence.push({
-        signal: MegalodonSignal.PUBLISHER_DRIFT,
-        file: 'registry.npmjs.org',
-        excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
-        detail: detail + (ageNote ? ' | ' + ageNote : ''),
-        _severityHint: 'HIGH',
-      });
-    }
-  } else {
-    if (sortedVersions.length < 4) return [];
-
-    const last3 = sortedVersions.slice(-3);
-    const prior = sortedVersions.slice(0, -3);
-
-    const priorPublishers = new Set();
-    for (const v of prior) {
-      const user = versions[v]?._npmUser?.name;
-      if (user) priorPublishers.add(user);
-    }
-
-    const suspiciousPublishers = [];
-    const affectedVersions = [];
-    for (const v of last3) {
-      const user = versions[v]?._npmUser?.name;
-      if (user && !priorPublishers.has(user)) {
-        if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
-        if (!affectedVersions.includes(v)) affectedVersions.push(v);
-      }
-    }
-
-    if (suspiciousPublishers.length > 0) {
-      const detail = `Drift (fallback): known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in last 3 versions [${affectedVersions.join(', ')}]`;
-
-      let ageNote = '';
-      if (suspiciousPublishers[0] && affectedVersions[0]) {
-        ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[affectedVersions[0]]);
-      }
-
-      evidence.push({
-        signal: MegalodonSignal.PUBLISHER_DRIFT,
-        file: 'registry.npmjs.org',
-        excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
-        detail: detail + (ageNote ? ' | ' + ageNote : ''),
-        _severityHint: 'MEDIUM',
-      });
-    }
-  }
-
-  return evidence;
-}
-
-async function checkAccountAge(npmUser, firstSuspiciousTime) {
-  try {
-    const url = `https://registry.npmjs.org/-/user/org.couchdb.user/${encodeURIComponent(npmUser)}`;
-    const res = await fetch(url);
-    if (!res.ok) return '';
-    const data = await res.json();
-    const created = data?.date;
-    if (!created) return '';
-    const createdDate = new Date(created).getTime();
-    const firstPub = new Date(firstSuspiciousTime).getTime();
-    const daysDiff = (firstPub - createdDate) / (1000 * 60 * 60 * 24);
-    if (!Number.isNaN(daysDiff) && daysDiff >= 0 && daysDiff <= 30) {
-      return `Publisher account created ${Math.round(daysDiff)} days before first suspicious publish`;
-    }
-  } catch {
-  }
-  return '';
-}
+import { MegalodonSignal } from './types.js';
+
+export async function scan(registryMeta, velocityResult) {
+  const evidence = [];
+  const versions = registryMeta?.versions || {};
+  const timeMap = registryMeta?.time || {};
+
+  const filteredTimes = {};
+  for (const [v, t] of Object.entries(timeMap)) {
+    if (v === 'created' || v === 'modified') continue;
+    if (t) filteredTimes[v] = t;
+  }
+
+  const sortedVersions = Object.entries(filteredTimes)
+    .filter(([, t]) => t && !Number.isNaN(new Date(t).getTime()))
+    .sort((a, b) => new Date(a[1]).getTime() - new Date(b[1]).getTime())
+    .map(([v]) => v);
+
+  if (sortedVersions.length === 0) return [];
+
+  if (velocityResult?.triggered) {
+    const windowStartISO = velocityResult.windowStartISO;
+    const allInWindow = velocityResult._allVersions || [];
+
+    const priorPublishers = new Set();
+    for (const v of sortedVersions) {
+      if (new Date(filteredTimes[v]).getTime() >= new Date(windowStartISO).getTime()) break;
+      const user = versions[v]?._npmUser?.name;
+      if (user) priorPublishers.add(user);
+    }
+
+    if (priorPublishers.size === 0 && allInWindow.length > 0) {
+      const firstUser = versions[allInWindow[0]]?._npmUser?.name;
+      if (firstUser) priorPublishers.add(firstUser);
+    }
+
+    const suspiciousPublishers = [];
+    const affectedVersions = [];
+    for (const v of allInWindow) {
+      const user = versions[v]?._npmUser?.name;
+      if (user && !priorPublishers.has(user)) {
+        if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
+        if (!affectedVersions.includes(v)) affectedVersions.push(v);
+      }
+    }
+
+    if (suspiciousPublishers.length > 0) {
+      const detail = `Drift detected: known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in versions [${affectedVersions.join(', ')}]`;
+
+      const firstSuspiciousVer = allInWindow.find(v => affectedVersions.includes(v));
+      let ageNote = '';
+      if (firstSuspiciousVer && suspiciousPublishers[0]) {
+        ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[firstSuspiciousVer]);
+      }
+
+      evidence.push({
+        signal: MegalodonSignal.PUBLISHER_DRIFT,
+        file: 'registry.npmjs.org',
+        excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
+        detail: detail + (ageNote ? ' | ' + ageNote : ''),
+        _severityHint: 'HIGH',
+      });
+    }
+  } else {
+    if (sortedVersions.length < 4) return [];
+
+    const last3 = sortedVersions.slice(-3);
+    const prior = sortedVersions.slice(0, -3);
+
+    const priorPublishers = new Set();
+    for (const v of prior) {
+      const user = versions[v]?._npmUser?.name;
+      if (user) priorPublishers.add(user);
+    }
+
+    const suspiciousPublishers = [];
+    const affectedVersions = [];
+    for (const v of last3) {
+      const user = versions[v]?._npmUser?.name;
+      if (user && !priorPublishers.has(user)) {
+        if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
+        if (!affectedVersions.includes(v)) affectedVersions.push(v);
+      }
+    }
+
+    if (suspiciousPublishers.length > 0) {
+      const detail = `Drift (fallback): known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in last 3 versions [${affectedVersions.join(', ')}]`;
+
+      let ageNote = '';
+      if (suspiciousPublishers[0] && affectedVersions[0]) {
+        ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[affectedVersions[0]]);
+      }
+
+      evidence.push({
+        signal: MegalodonSignal.PUBLISHER_DRIFT,
+        file: 'registry.npmjs.org',
+        excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
+        detail: detail + (ageNote ? ' | ' + ageNote : ''),
+        _severityHint: 'MEDIUM',
+      });
+    }
+  }
+
+  return evidence;
+}
+
+async function checkAccountAge(npmUser, firstSuspiciousTime) {
+  try {
+    const url = `https://registry.npmjs.org/-/user/org.couchdb.user/${encodeURIComponent(npmUser)}`;
+    const res = await fetch(url);
+    if (!res.ok) return '';
+    const data = await res.json();
+    const created = data?.date;
+    if (!created) return '';
+    const createdDate = new Date(created).getTime();
+    const firstPub = new Date(firstSuspiciousTime).getTime();
+    const daysDiff = (firstPub - createdDate) / (1000 * 60 * 60 * 24);
+    if (!Number.isNaN(daysDiff) && daysDiff >= 0 && daysDiff <= 30) {
+      return `Publisher account created ${Math.round(daysDiff)} days before first suspicious publish`;
+    }
+  } catch {
+  }
+  return '';
+}

package/backend/detectors/megalodon/d5-bot-commit-identity.js

@@ -1,3 +1,3 @@
-export async function scan(registryMeta) {
-  return [];
-}
+export async function scan(registryMeta) {
+  return [];
+}

package/backend/detectors/megalodon/d6-date-anachronism.js

@@ -1,3 +1,3 @@
-export async function scan(pkgJson, registryMeta) {
-  return [];
-}
+export async function scan(pkgJson, registryMeta) {
+  return [];
+}