@lateos/npm-scan 0.16.0 → 0.16.5

package/backend/detectors/megalodon/index.js

@@ -1,80 +1,80 @@
-import { MegalodonSignal } from './types.js';
-import { scan as scanD1 } from './d1-workflow-scan.js';
-import { scan as scanD2 } from './d2-credential-harvest.js';
-import { scan as scanD3 } from './d3-publish-velocity.js';
-import { scan as scanD4 } from './d4-publisher-drift.js';
-import { scan as scanD5 } from './d5-bot-commit-identity.js';
-import { scan as scanD6 } from './d6-date-anachronism.js';
-
-const SIGNAL_SEVERITY = {
-  [MegalodonSignal.WORKFLOW_C2_EXFIL]: 5,
-  [MegalodonSignal.WORKFLOW_DECODE_CHAIN]: 4,
-  [MegalodonSignal.PUBLISH_VELOCITY]: 4,
-  [MegalodonSignal.PUBLISHER_DRIFT]: 4,
-  [MegalodonSignal.CREDENTIAL_HARVEST]: 3,
-  [MegalodonSignal.BOT_COMMIT_IDENTITY]: 2,
-  [MegalodonSignal.DATE_ANACHRONISM]: 2,
-};
-
-const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical', 'critical'];
-
-function resolveSeverity(signals, d4Evidence) {
-  let maxScore = 0;
-  for (const s of signals) {
-    maxScore = Math.max(maxScore, SIGNAL_SEVERITY[s] || 0);
-  }
-
-  const d4Hint = d4Evidence.find(e => e._severityHint);
-  if (d4Hint) {
-    const hintScore = d4Hint._severityHint === 'HIGH' ? 4 : d4Hint._severityHint === 'MEDIUM' ? 3 : 0;
-    maxScore = Math.max(maxScore, hintScore);
-  }
-
-  return SEVERITY_LABELS[maxScore] || 'none';
-}
-
-export async function scanAll(pkgJson, allFiles = [], registryMeta = {}) {
-  const allEvidence = [];
-
-  const d1Ev = await scanD1(allFiles);
-  allEvidence.push(...d1Ev);
-
-  const d2Ev = await scanD2(allFiles);
-  allEvidence.push(...d2Ev);
-
-  const d3Ev = await scanD3(registryMeta);
-  allEvidence.push(...d3Ev);
-
-  const velocityResult = d3Ev.length > 0 ? {
-    triggered: true,
-    windowStartISO: d3Ev[0]._windowStartISO || null,
-    versionsInWindow: d3Ev[0].excerpt || '',
-    _allVersions: d3Ev[0]._allVersions || [],
-  } : { triggered: false, versionsInWindow: [], windowStartISO: null };
-
-  const d4Ev = await scanD4(registryMeta, velocityResult);
-  allEvidence.push(...d4Ev);
-
-  allEvidence.push(...await scanD5(registryMeta));
-  allEvidence.push(...await scanD6(pkgJson, registryMeta));
-
-  const signals = [...new Set(allEvidence.map(e => e.signal).filter(Boolean))];
-
-  if (signals.length === 0) return [];
-
-  const severity = resolveSeverity(signals, d4Ev);
-
-  const cleaned = allEvidence.map(({ _windowStartISO, _allVersions, _severityHint, ...rest }) => rest);
-
-  return [{
-    id: 'MEGALODON',
-    severity,
-    title: 'Megalodon CI/CD attack campaign',
-    description: `${signals.length} signal(s): ${signals.join(', ')}`,
-    evidence: JSON.stringify({
-      campaign: 'MEGALODON',
-      signals,
-      evidence: cleaned,
-    }),
-  }];
-}
+import { MegalodonSignal } from './types.js';
+import { scan as scanD1 } from './d1-workflow-scan.js';
+import { scan as scanD2 } from './d2-credential-harvest.js';
+import { scan as scanD3 } from './d3-publish-velocity.js';
+import { scan as scanD4 } from './d4-publisher-drift.js';
+import { scan as scanD5 } from './d5-bot-commit-identity.js';
+import { scan as scanD6 } from './d6-date-anachronism.js';
+
+const SIGNAL_SEVERITY = {
+  [MegalodonSignal.WORKFLOW_C2_EXFIL]: 5,
+  [MegalodonSignal.WORKFLOW_DECODE_CHAIN]: 4,
+  [MegalodonSignal.PUBLISH_VELOCITY]: 4,
+  [MegalodonSignal.PUBLISHER_DRIFT]: 4,
+  [MegalodonSignal.CREDENTIAL_HARVEST]: 3,
+  [MegalodonSignal.BOT_COMMIT_IDENTITY]: 2,
+  [MegalodonSignal.DATE_ANACHRONISM]: 2,
+};
+
+const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical', 'critical'];
+
+function resolveSeverity(signals, d4Evidence) {
+  let maxScore = 0;
+  for (const s of signals) {
+    maxScore = Math.max(maxScore, SIGNAL_SEVERITY[s] || 0);
+  }
+
+  const d4Hint = d4Evidence.find(e => e._severityHint);
+  if (d4Hint) {
+    const hintScore = d4Hint._severityHint === 'HIGH' ? 4 : d4Hint._severityHint === 'MEDIUM' ? 3 : 0;
+    maxScore = Math.max(maxScore, hintScore);
+  }
+
+  return SEVERITY_LABELS[maxScore] || 'none';
+}
+
+export async function scanAll(pkgJson, allFiles = [], registryMeta = {}) {
+  const allEvidence = [];
+
+  const d1Ev = await scanD1(allFiles);
+  allEvidence.push(...d1Ev);
+
+  const d2Ev = await scanD2(allFiles);
+  allEvidence.push(...d2Ev);
+
+  const d3Ev = await scanD3(registryMeta);
+  allEvidence.push(...d3Ev);
+
+  const velocityResult = d3Ev.length > 0 ? {
+    triggered: true,
+    windowStartISO: d3Ev[0]._windowStartISO || null,
+    versionsInWindow: d3Ev[0].excerpt || '',
+    _allVersions: d3Ev[0]._allVersions || [],
+  } : { triggered: false, versionsInWindow: [], windowStartISO: null };
+
+  const d4Ev = await scanD4(registryMeta, velocityResult);
+  allEvidence.push(...d4Ev);
+
+  allEvidence.push(...await scanD5(registryMeta));
+  allEvidence.push(...await scanD6(pkgJson, registryMeta));
+
+  const signals = [...new Set(allEvidence.map(e => e.signal).filter(Boolean))];
+
+  if (signals.length === 0) return [];
+
+  const severity = resolveSeverity(signals, d4Ev);
+
+  const cleaned = allEvidence.map(({ _windowStartISO, _allVersions, _severityHint, ...rest }) => rest);
+
+  return [{
+    id: 'MEGALODON',
+    severity,
+    title: 'Megalodon CI/CD attack campaign',
+    description: `${signals.length} signal(s): ${signals.join(', ')}`,
+    evidence: JSON.stringify({
+      campaign: 'MEGALODON',
+      signals,
+      evidence: cleaned,
+    }),
+  }];
+}

package/backend/detectors/megalodon/types.js

@@ -1,9 +1,9 @@
-export const MegalodonSignal = Object.freeze({
-  WORKFLOW_C2_EXFIL: 'D1_WORKFLOW_C2_EXFIL',
-  WORKFLOW_DECODE_CHAIN: 'D1_WORKFLOW_DECODE_CHAIN',
-  CREDENTIAL_HARVEST: 'D2_CREDENTIAL_HARVEST',
-  PUBLISH_VELOCITY: 'D3_PUBLISH_VELOCITY',
-  PUBLISHER_DRIFT: 'D4_PUBLISHER_DRIFT',
-  BOT_COMMIT_IDENTITY: 'D5_BOT_COMMIT_IDENTITY',
-  DATE_ANACHRONISM: 'D6_DATE_ANACHRONISM',
-});
+export const MegalodonSignal = Object.freeze({
+  WORKFLOW_C2_EXFIL: 'D1_WORKFLOW_C2_EXFIL',
+  WORKFLOW_DECODE_CHAIN: 'D1_WORKFLOW_DECODE_CHAIN',
+  CREDENTIAL_HARVEST: 'D2_CREDENTIAL_HARVEST',
+  PUBLISH_VELOCITY: 'D3_PUBLISH_VELOCITY',
+  PUBLISHER_DRIFT: 'D4_PUBLISHER_DRIFT',
+  BOT_COMMIT_IDENTITY: 'D5_BOT_COMMIT_IDENTITY',
+  DATE_ANACHRONISM: 'D6_DATE_ANACHRONISM',
+});

package/backend/detectors/mini-shai-hulud/d1-burst-publish.js

@@ -1,42 +1,42 @@
-export async function checkBurstPublish(registryMeta, config = {}) {
-  const windowMinutes = config.burstWindowMinutes ?? 30;
-  const threshold = config.burstVersionThreshold ?? 3;
-
-  const times = registryMeta?.time || {};
-  const entries = Object.entries(times)
-    .filter(([v]) => v !== 'created' && v !== 'modified')
-    .filter(([, t]) => t)
-    .map(([v, t]) => [v, new Date(t).getTime()])
-    .filter(([, ts]) => !Number.isNaN(ts))
-    .sort((a, b) => a[1] - b[1]);
-
-  if (entries.length === 0) return { triggered: false };
-
-  const windowMs = windowMinutes * 60 * 1000;
-
-  for (let i = 0; i < entries.length; i++) {
-    const windowStart = entries[i][1];
-    const windowEnd = windowStart + windowMs;
-    const inWindow = [];
-
-    for (let j = i; j < entries.length; j++) {
-      if (entries[j][1] <= windowEnd) {
-        inWindow.push(entries[j][0]);
-      } else {
-        break;
-      }
-    }
-
-    if (inWindow.length >= threshold) {
-      return {
-        triggered: true,
-        windowStart: new Date(windowStart).toISOString(),
-        windowEnd: new Date(windowEnd).toISOString(),
-        versionCount: inWindow.length,
-        versions: inWindow,
-      };
-    }
-  }
-
-  return { triggered: false };
-}
+export async function checkBurstPublish(registryMeta, config = {}) {
+  const windowMinutes = config.burstWindowMinutes ?? 30;
+  const threshold = config.burstVersionThreshold ?? 3;
+
+  const times = registryMeta?.time || {};
+  const entries = Object.entries(times)
+    .filter(([v]) => v !== 'created' && v !== 'modified')
+    .filter(([, t]) => t)
+    .map(([v, t]) => [v, new Date(t).getTime()])
+    .filter(([, ts]) => !Number.isNaN(ts))
+    .sort((a, b) => a[1] - b[1]);
+
+  if (entries.length === 0) return { triggered: false };
+
+  const windowMs = windowMinutes * 60 * 1000;
+
+  for (let i = 0; i < entries.length; i++) {
+    const windowStart = entries[i][1];
+    const windowEnd = windowStart + windowMs;
+    const inWindow = [];
+
+    for (let j = i; j < entries.length; j++) {
+      if (entries[j][1] <= windowEnd) {
+        inWindow.push(entries[j][0]);
+      } else {
+        break;
+      }
+    }
+
+    if (inWindow.length >= threshold) {
+      return {
+        triggered: true,
+        windowStart: new Date(windowStart).toISOString(),
+        windowEnd: new Date(windowEnd).toISOString(),
+        versionCount: inWindow.length,
+        versions: inWindow,
+      };
+    }
+  }
+
+  return { triggered: false };
+}

package/backend/detectors/mini-shai-hulud/d2-sibling-compromise.js

@@ -1,116 +1,116 @@
-const siblingCache = new Map();
-
-export function clearSiblingCache() {
-  siblingCache.clear();
-}
-
-function checkBurstOnTimeMap(timeMap, windowMinutes, threshold) {
-  const entries = Object.entries(timeMap)
-    .filter(([v]) => v !== 'created' && v !== 'modified')
-    .filter(([, t]) => t)
-    .map(([v, t]) => [v, new Date(t).getTime()])
-    .filter(([, ts]) => !Number.isNaN(ts))
-    .sort((a, b) => a[1] - b[1]);
-
-  if (entries.length === 0) return null;
-
-  const windowMs = windowMinutes * 60 * 1000;
-
-  for (let i = 0; i < entries.length; i++) {
-    const wStart = entries[i][1];
-    const wEnd = wStart + windowMs;
-    const inWindow = [];
-
-    for (let j = i; j < entries.length; j++) {
-      if (entries[j][1] <= wEnd) {
-        inWindow.push(entries[j][0]);
-      } else {
-        break;
-      }
-    }
-
-    if (inWindow.length >= threshold) {
-      return {
-        windowStart: new Date(wStart).toISOString(),
-        windowEnd: new Date(wEnd).toISOString(),
-        versionCount: inWindow.length,
-      };
-    }
-  }
-
-  return null;
-}
-
-export async function checkSiblingCompromise(pkgJson, config = {}) {
-  const windowMinutes = config.burstWindowMinutes ?? 30;
-  const threshold = config.burstVersionThreshold ?? 3;
-
-  const deps = {
-    ...pkgJson.dependencies,
-    ...pkgJson.devDependencies,
-    ...pkgJson.peerDependencies,
-  };
-
-  const scopedDeps = {};
-  for (const name of Object.keys(deps)) {
-    if (name.startsWith('@')) {
-      const scope = name.split('/')[0];
-      if (!scopedDeps[scope]) scopedDeps[scope] = [];
-      scopedDeps[scope].push(name);
-    }
-  }
-
-  if (Object.keys(scopedDeps).length === 0) return { triggered: false };
-
-  const results = [];
-
-  for (const [scope, packages] of Object.entries(scopedDeps)) {
-    if (packages.length < 2) continue;
-
-    const burstSiblings = [];
-
-    for (const pkg of packages) {
-      let timeData = siblingCache.get(pkg);
-      if (!timeData) {
-        try {
-          const url = `https://registry.npmjs.org/${encodeURIComponent(pkg)}`;
-          const res = await fetch(url);
-          if (!res.ok) continue;
-          const data = await res.json();
-          timeData = data.time || {};
-          siblingCache.set(pkg, timeData);
-        } catch {
-          continue;
-        }
-      }
-
-      const burstInfo = checkBurstOnTimeMap(timeData, windowMinutes, threshold);
-      if (burstInfo) {
-        burstSiblings.push({ name: pkg, ...burstInfo });
-      }
-    }
-
-    if (burstSiblings.length >= 2) {
-      const windows = burstSiblings.map(s => ({
-        start: new Date(s.windowStart).getTime(),
-        end: new Date(s.windowEnd).getTime(),
-      }));
-
-      const overlapStart = Math.max(...windows.map(w => w.start));
-      const overlapEnd = Math.min(...windows.map(w => w.end));
-
-      if (overlapStart < overlapEnd) {
-        results.push({
-          triggered: true,
-          scope,
-          siblingPackages: burstSiblings.map(s => s.name),
-          windowStart: new Date(overlapStart).toISOString(),
-          windowEnd: new Date(overlapEnd).toISOString(),
-        });
-      }
-    }
-  }
-
-  if (results.length === 0) return { triggered: false };
-  return { triggered: true, results };
-}
+const siblingCache = new Map();
+
+export function clearSiblingCache() {
+  siblingCache.clear();
+}
+
+function checkBurstOnTimeMap(timeMap, windowMinutes, threshold) {
+  const entries = Object.entries(timeMap)
+    .filter(([v]) => v !== 'created' && v !== 'modified')
+    .filter(([, t]) => t)
+    .map(([v, t]) => [v, new Date(t).getTime()])
+    .filter(([, ts]) => !Number.isNaN(ts))
+    .sort((a, b) => a[1] - b[1]);
+
+  if (entries.length === 0) return null;
+
+  const windowMs = windowMinutes * 60 * 1000;
+
+  for (let i = 0; i < entries.length; i++) {
+    const wStart = entries[i][1];
+    const wEnd = wStart + windowMs;
+    const inWindow = [];
+
+    for (let j = i; j < entries.length; j++) {
+      if (entries[j][1] <= wEnd) {
+        inWindow.push(entries[j][0]);
+      } else {
+        break;
+      }
+    }
+
+    if (inWindow.length >= threshold) {
+      return {
+        windowStart: new Date(wStart).toISOString(),
+        windowEnd: new Date(wEnd).toISOString(),
+        versionCount: inWindow.length,
+      };
+    }
+  }
+
+  return null;
+}
+
+export async function checkSiblingCompromise(pkgJson, config = {}) {
+  const windowMinutes = config.burstWindowMinutes ?? 30;
+  const threshold = config.burstVersionThreshold ?? 3;
+
+  const deps = {
+    ...pkgJson.dependencies,
+    ...pkgJson.devDependencies,
+    ...pkgJson.peerDependencies,
+  };
+
+  const scopedDeps = {};
+  for (const name of Object.keys(deps)) {
+    if (name.startsWith('@')) {
+      const scope = name.split('/')[0];
+      if (!scopedDeps[scope]) scopedDeps[scope] = [];
+      scopedDeps[scope].push(name);
+    }
+  }
+
+  if (Object.keys(scopedDeps).length === 0) return { triggered: false };
+
+  const results = [];
+
+  for (const [scope, packages] of Object.entries(scopedDeps)) {
+    if (packages.length < 2) continue;
+
+    const burstSiblings = [];
+
+    for (const pkg of packages) {
+      let timeData = siblingCache.get(pkg);
+      if (!timeData) {
+        try {
+          const url = `https://registry.npmjs.org/${encodeURIComponent(pkg)}`;
+          const res = await fetch(url);
+          if (!res.ok) continue;
+          const data = await res.json();
+          timeData = data.time || {};
+          siblingCache.set(pkg, timeData);
+        } catch {
+          continue;
+        }
+      }
+
+      const burstInfo = checkBurstOnTimeMap(timeData, windowMinutes, threshold);
+      if (burstInfo) {
+        burstSiblings.push({ name: pkg, ...burstInfo });
+      }
+    }
+
+    if (burstSiblings.length >= 2) {
+      const windows = burstSiblings.map(s => ({
+        start: new Date(s.windowStart).getTime(),
+        end: new Date(s.windowEnd).getTime(),
+      }));
+
+      const overlapStart = Math.max(...windows.map(w => w.start));
+      const overlapEnd = Math.min(...windows.map(w => w.end));
+
+      if (overlapStart < overlapEnd) {
+        results.push({
+          triggered: true,
+          scope,
+          siblingPackages: burstSiblings.map(s => s.name),
+          windowStart: new Date(overlapStart).toISOString(),
+          windowEnd: new Date(overlapEnd).toISOString(),
+        });
+      }
+    }
+  }
+
+  if (results.length === 0) return { triggered: false };
+  return { triggered: true, results };
+}

package/backend/detectors/mini-shai-hulud/d3-slsa-mismatch.js

@@ -1,72 +1,72 @@
-export async function checkSlsaMismatch(packageName, version, burstWindow, timeMap = {}, config = {}) {
-  if (!burstWindow?.triggered) return { triggered: false };
-
-  const anomalies = [];
-  const publishTime = timeMap?.[version];
-  if (!publishTime) return { triggered: false };
-
-  try {
-    const url = `https://registry.npmjs.org/-/npm/v1/attestations/${encodeURIComponent(packageName)}/${encodeURIComponent(version)}`;
-    const res = await fetch(url);
-    if (!res.ok) return { triggered: false };
-
-    const data = await res.json();
-    const attestations = data?.attestations || [];
-    if (attestations.length === 0) return { triggered: false };
-
-    const publishMs = new Date(publishTime).getTime();
-    if (Number.isNaN(publishMs)) return { triggered: false };
-
-    // Check if this is the first-ever attested version for this package
-    const allVersions = Object.keys(timeMap).filter(v => v !== 'created' && v !== 'modified');
-    const currentIdx = allVersions.indexOf(version);
-    let prevHadAttestation = false;
-
-    if (currentIdx > 0) {
-      const priorVersions = allVersions.slice(0, currentIdx).slice(-2);
-      for (const pv of priorVersions) {
-        try {
-          const purl = `https://registry.npmjs.org/-/npm/v1/attestations/${encodeURIComponent(packageName)}/${encodeURIComponent(pv)}`;
-          const pres = await fetch(purl);
-          if (pres.ok) {
-            const pdata = await pres.json();
-            if (pdata?.attestations?.length > 0) {
-              prevHadAttestation = true;
-              break;
-            }
-          }
-        } catch {
-          // skip prior version check
-        }
-      }
-
-      if (!prevHadAttestation && priorVersions.length > 0) {
-        anomalies.push(`First-ever SLSA attestation for ${packageName}, published in burst window`);
-      }
-    }
-
-    for (const att of attestations) {
-      const ts = att?.timestamp;
-      if (ts) {
-        const attMs = new Date(ts).getTime();
-        if (!Number.isNaN(attMs) && attMs >= publishMs && (attMs - publishMs) < 60000) {
-          const gapMs = attMs - publishMs;
-          anomalies.push(`Sub-60s attestation gap for ${version}: ${gapMs}ms`);
-        }
-      }
-
-      const builderId = att?.predicate?.runDetails?.builder?.id;
-      if (builderId) {
-        const knownPrefixes = ['https://github.com/', 'https://gitlab.com/', 'https://circleci.com/'];
-        const isKnown = knownPrefixes.some(p => builderId.startsWith(p));
-        if (!isKnown) {
-          anomalies.push(`Unrecognized builder ID for ${version}: ${builderId}`);
-        }
-      }
-    }
-  } catch {
-    return { triggered: false };
-  }
-
-  return { triggered: anomalies.length > 0, anomalies };
-}
+export async function checkSlsaMismatch(packageName, version, burstWindow, timeMap = {}, config = {}) {
+  if (!burstWindow?.triggered) return { triggered: false };
+
+  const anomalies = [];
+  const publishTime = timeMap?.[version];
+  if (!publishTime) return { triggered: false };
+
+  try {
+    const url = `https://registry.npmjs.org/-/npm/v1/attestations/${encodeURIComponent(packageName)}/${encodeURIComponent(version)}`;
+    const res = await fetch(url);
+    if (!res.ok) return { triggered: false };
+
+    const data = await res.json();
+    const attestations = data?.attestations || [];
+    if (attestations.length === 0) return { triggered: false };
+
+    const publishMs = new Date(publishTime).getTime();
+    if (Number.isNaN(publishMs)) return { triggered: false };
+
+    // Check if this is the first-ever attested version for this package
+    const allVersions = Object.keys(timeMap).filter(v => v !== 'created' && v !== 'modified');
+    const currentIdx = allVersions.indexOf(version);
+    let prevHadAttestation = false;
+
+    if (currentIdx > 0) {
+      const priorVersions = allVersions.slice(0, currentIdx).slice(-2);
+      for (const pv of priorVersions) {
+        try {
+          const purl = `https://registry.npmjs.org/-/npm/v1/attestations/${encodeURIComponent(packageName)}/${encodeURIComponent(pv)}`;
+          const pres = await fetch(purl);
+          if (pres.ok) {
+            const pdata = await pres.json();
+            if (pdata?.attestations?.length > 0) {
+              prevHadAttestation = true;
+              break;
+            }
+          }
+        } catch {
+          // skip prior version check
+        }
+      }
+
+      if (!prevHadAttestation && priorVersions.length > 0) {
+        anomalies.push(`First-ever SLSA attestation for ${packageName}, published in burst window`);
+      }
+    }
+
+    for (const att of attestations) {
+      const ts = att?.timestamp;
+      if (ts) {
+        const attMs = new Date(ts).getTime();
+        if (!Number.isNaN(attMs) && attMs >= publishMs && (attMs - publishMs) < 60000) {
+          const gapMs = attMs - publishMs;
+          anomalies.push(`Sub-60s attestation gap for ${version}: ${gapMs}ms`);
+        }
+      }
+
+      const builderId = att?.predicate?.runDetails?.builder?.id;
+      if (builderId) {
+        const knownPrefixes = ['https://github.com/', 'https://gitlab.com/', 'https://circleci.com/'];
+        const isKnown = knownPrefixes.some(p => builderId.startsWith(p));
+        if (!isKnown) {
+          anomalies.push(`Unrecognized builder ID for ${version}: ${builderId}`);
+        }
+      }
+    }
+  } catch {
+    return { triggered: false };
+  }
+
+  return { triggered: anomalies.length > 0, anomalies };
+}