@lateos/npm-scan 0.16.0 → 0.16.5

package/backend/detectors/mini-shai-hulud/d4-maintainer-anomaly.js

@@ -1,45 +1,45 @@
-export async function checkMaintainerAnomaly(registryMeta, config = {}) {
-  const versions = registryMeta?.versions || {};
-  const timeMap = registryMeta?.time || {};
-
-  const sorted = Object.entries(timeMap)
-    .filter(([v]) => v !== 'created' && v !== 'modified')
-    .filter(([, t]) => t)
-    .map(([v, t]) => ({
-      version: v,
-      time: new Date(t).getTime(),
-      user: versions[v]?._npmUser?.name,
-    }))
-    .filter(e => !Number.isNaN(e.time) && e.user)
-    .sort((a, b) => a.time - b.time);
-
-  if (sorted.length < 2) return { triggered: false };
-
-  for (let i = 1; i < sorted.length; i++) {
-    const prev = sorted[i - 1];
-    const curr = sorted[i];
-
-    if (curr.user !== prev.user) {
-      const gapMinutes = (curr.time - prev.time) / (1000 * 60);
-      if (gapMinutes <= 10) {
-        const newUserVersions = sorted.filter(e => e.user === curr.user);
-        if (newUserVersions.length >= 2) {
-          return {
-            triggered: true,
-            signals: [{
-              type: 'PUBLISHER_DRIFT_RAPID',
-              previousPublisher: prev.user,
-              newPublisher: curr.user,
-              gapMinutes,
-              newUserVersionCount: newUserVersions.length,
-              driftVersion: curr.version,
-              driftWindowStart: new Date(curr.time).toISOString(),
-            }],
-          };
-        }
-      }
-    }
-  }
-
-  return { triggered: false };
-}
+export async function checkMaintainerAnomaly(registryMeta, config = {}) {
+  const versions = registryMeta?.versions || {};
+  const timeMap = registryMeta?.time || {};
+
+  const sorted = Object.entries(timeMap)
+    .filter(([v]) => v !== 'created' && v !== 'modified')
+    .filter(([, t]) => t)
+    .map(([v, t]) => ({
+      version: v,
+      time: new Date(t).getTime(),
+      user: versions[v]?._npmUser?.name,
+    }))
+    .filter(e => !Number.isNaN(e.time) && e.user)
+    .sort((a, b) => a.time - b.time);
+
+  if (sorted.length < 2) return { triggered: false };
+
+  for (let i = 1; i < sorted.length; i++) {
+    const prev = sorted[i - 1];
+    const curr = sorted[i];
+
+    if (curr.user !== prev.user) {
+      const gapMinutes = (curr.time - prev.time) / (1000 * 60);
+      if (gapMinutes <= 10) {
+        const newUserVersions = sorted.filter(e => e.user === curr.user);
+        if (newUserVersions.length >= 2) {
+          return {
+            triggered: true,
+            signals: [{
+              type: 'PUBLISHER_DRIFT_RAPID',
+              previousPublisher: prev.user,
+              newPublisher: curr.user,
+              gapMinutes,
+              newUserVersionCount: newUserVersions.length,
+              driftVersion: curr.version,
+              driftWindowStart: new Date(curr.time).toISOString(),
+            }],
+          };
+        }
+      }
+    }
+  }
+
+  return { triggered: false };
+}

package/backend/detectors/mini-shai-hulud/d5-ioc-check.js

@@ -1,95 +1,95 @@
-import { readFileSync } from 'fs';
-import { fileURLToPath } from 'url';
-import { dirname, join } from 'path';
-
-let iocsData = null;
-let iocsLoaded = false;
-let iocLoadError = null;
-
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-const IOC_PATH = join(__dirname, 'iocs.json');
-
-function loadIOCData() {
-  if (iocsLoaded) return iocsData;
-  iocsLoaded = true;
-  try {
-    iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
-  } catch (err) {
-    iocLoadError = err;
-    iocsData = null;
-  }
-  return iocsData;
-}
-
-export function getIOCLoadError() {
-  return iocLoadError;
-}
-
-export function reloadIOCData() {
-  iocsLoaded = false;
-  iocLoadError = null;
-  return loadIOCData();
-}
-
-export async function checkIOC(pkgName, pkgVersion, sha512, publisherAccount, timeMap = {}) {
-  const data = loadIOCData();
-  if (!data) return { triggered: false, matches: [] };
-
-  const matches = [];
-  const allIOCs = [];
-
-  allIOCs.push(...(data.iocs || []));
-
-  for (const waveKey of Object.keys(data.waves || {})) {
-    const wave = data.waves[waveKey];
-    const waveNum = waveKey === 'wave1' ? 1 : waveKey === 'wave2' ? 2 : 3;
-    for (const ioc of (wave.iocs || [])) {
-      allIOCs.push({ ...ioc, wave: waveNum });
-    }
-  }
-
-  for (const ioc of allIOCs) {
-    switch (ioc.type) {
-      case 'packageName': {
-        if (ioc.value === pkgName) {
-          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(pkgVersion)) {
-            matches.push({ type: 'packageName', value: pkgName, wave: ioc.wave });
-          }
-        }
-        break;
-      }
-
-      case 'packageScope': {
-        if (pkgName.startsWith(ioc.value)) {
-          matches.push({ type: 'packageScope', value: ioc.value, wave: ioc.wave });
-        }
-        break;
-      }
-
-      case 'sha512': {
-        if (ioc.value === sha512 && ioc.package === pkgName) {
-          matches.push({ type: 'sha512', value: sha512, wave: ioc.wave, package: pkgName });
-        }
-        break;
-      }
-
-      case 'publisherAccount': {
-        if (ioc.value === publisherAccount) {
-          const pubTime = new Date(timeMap?.[pkgVersion]).getTime();
-          const windowStart = new Date(ioc.compromiseWindowStart).getTime();
-          const windowEnd = ioc.compromiseWindowEnd
-            ? new Date(ioc.compromiseWindowEnd).getTime()
-            : Infinity;
-
-          if (!Number.isNaN(pubTime) && pubTime >= windowStart && pubTime <= windowEnd) {
-            matches.push({ type: 'publisherAccount', value: publisherAccount, wave: ioc.wave });
-          }
-        }
-        break;
-      }
-    }
-  }
-
-  return { triggered: matches.length > 0, matches };
-}
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+let iocsData = null;
+let iocsLoaded = false;
+let iocLoadError = null;
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const IOC_PATH = join(__dirname, 'iocs.json');
+
+function loadIOCData() {
+  if (iocsLoaded) return iocsData;
+  iocsLoaded = true;
+  try {
+    iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
+  } catch (err) {
+    iocLoadError = err;
+    iocsData = null;
+  }
+  return iocsData;
+}
+
+export function getIOCLoadError() {
+  return iocLoadError;
+}
+
+export function reloadIOCData() {
+  iocsLoaded = false;
+  iocLoadError = null;
+  return loadIOCData();
+}
+
+export async function checkIOC(pkgName, pkgVersion, sha512, publisherAccount, timeMap = {}) {
+  const data = loadIOCData();
+  if (!data) return { triggered: false, matches: [] };
+
+  const matches = [];
+  const allIOCs = [];
+
+  allIOCs.push(...(data.iocs || []));
+
+  for (const waveKey of Object.keys(data.waves || {})) {
+    const wave = data.waves[waveKey];
+    const waveNum = waveKey === 'wave1' ? 1 : waveKey === 'wave2' ? 2 : 3;
+    for (const ioc of (wave.iocs || [])) {
+      allIOCs.push({ ...ioc, wave: waveNum });
+    }
+  }
+
+  for (const ioc of allIOCs) {
+    switch (ioc.type) {
+      case 'packageName': {
+        if (ioc.value === pkgName) {
+          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(pkgVersion)) {
+            matches.push({ type: 'packageName', value: pkgName, wave: ioc.wave });
+          }
+        }
+        break;
+      }
+
+      case 'packageScope': {
+        if (pkgName.startsWith(ioc.value)) {
+          matches.push({ type: 'packageScope', value: ioc.value, wave: ioc.wave });
+        }
+        break;
+      }
+
+      case 'sha512': {
+        if (ioc.value === sha512 && ioc.package === pkgName) {
+          matches.push({ type: 'sha512', value: sha512, wave: ioc.wave, package: pkgName });
+        }
+        break;
+      }
+
+      case 'publisherAccount': {
+        if (ioc.value === publisherAccount) {
+          const pubTime = new Date(timeMap?.[pkgVersion]).getTime();
+          const windowStart = new Date(ioc.compromiseWindowStart).getTime();
+          const windowEnd = ioc.compromiseWindowEnd
+            ? new Date(ioc.compromiseWindowEnd).getTime()
+            : Infinity;
+
+          if (!Number.isNaN(pubTime) && pubTime >= windowStart && pubTime <= windowEnd) {
+            matches.push({ type: 'publisherAccount', value: publisherAccount, wave: ioc.wave });
+          }
+        }
+        break;
+      }
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/detectors/mini-shai-hulud/d6-token-exfil.js

@@ -1,38 +1,38 @@
-const EXFIL_PATTERNS = [
-  /NPM_TOKEN|NODE_AUTH_TOKEN|GH_TOKEN|GITHUB_TOKEN|npm_token|node_auth_token/i,
-  /~\/(\.npmrc|\.gitconfig|\.aws\/credentials)/,
-  /\/run\/secrets\//,
-  /\$GITHUB_ENV/,
-  /process\.env\.(NPM_TOKEN|NODE_AUTH_TOKEN|GH_TOKEN|GITHUB_TOKEN)/,
-  /Buffer\.from\s*\([^)]*\)\s*\.\s*toString\s*\(\s*['"]base64['"]\s*\)/,
-  /\batob\s*\(/,
-  /\bbtoa\s*\(/,
-];
-
-const SUSPICIOUS_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
-
-const MAX_SNIPPET_LENGTH = 200;
-
-function truncateSnippet(text) {
-  if (text.length <= MAX_SNIPPET_LENGTH) return text;
-  return text.slice(0, MAX_SNIPPET_LENGTH - 3) + '...';
-}
-
-export function checkTokenExfil(allFiles, pkgJson) {
-  const scripts = pkgJson?.scripts || {};
-  const snippets = [];
-
-  for (const hook of SUSPICIOUS_SCRIPTS) {
-    const scriptContent = scripts[hook];
-    if (!scriptContent) continue;
-
-    for (const pattern of EXFIL_PATTERNS) {
-      if (pattern.test(scriptContent)) {
-        snippets.push(truncateSnippet(scriptContent));
-        break;
-      }
-    }
-  }
-
-  return { triggered: snippets.length > 0, snippets };
-}
+const EXFIL_PATTERNS = [
+  /NPM_TOKEN|NODE_AUTH_TOKEN|GH_TOKEN|GITHUB_TOKEN|npm_token|node_auth_token/i,
+  /~\/(\.npmrc|\.gitconfig|\.aws\/credentials)/,
+  /\/run\/secrets\//,
+  /\$GITHUB_ENV/,
+  /process\.env\.(NPM_TOKEN|NODE_AUTH_TOKEN|GH_TOKEN|GITHUB_TOKEN)/,
+  /Buffer\.from\s*\([^)]*\)\s*\.\s*toString\s*\(\s*['"]base64['"]\s*\)/,
+  /\batob\s*\(/,
+  /\bbtoa\s*\(/,
+];
+
+const SUSPICIOUS_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
+
+const MAX_SNIPPET_LENGTH = 200;
+
+function truncateSnippet(text) {
+  if (text.length <= MAX_SNIPPET_LENGTH) return text;
+  return text.slice(0, MAX_SNIPPET_LENGTH - 3) + '...';
+}
+
+export function checkTokenExfil(allFiles, pkgJson) {
+  const scripts = pkgJson?.scripts || {};
+  const snippets = [];
+
+  for (const hook of SUSPICIOUS_SCRIPTS) {
+    const scriptContent = scripts[hook];
+    if (!scriptContent) continue;
+
+    for (const pattern of EXFIL_PATTERNS) {
+      if (pattern.test(scriptContent)) {
+        snippets.push(truncateSnippet(scriptContent));
+        break;
+      }
+    }
+  }
+
+  return { triggered: snippets.length > 0, snippets };
+}

package/backend/detectors/mini-shai-hulud/index.js

@@ -1,118 +1,118 @@
-import { checkBurstPublish } from './d1-burst-publish.js';
-import { checkSiblingCompromise, clearSiblingCache } from './d2-sibling-compromise.js';
-import { checkSlsaMismatch } from './d3-slsa-mismatch.js';
-import { checkMaintainerAnomaly } from './d4-maintainer-anomaly.js';
-import { checkIOC } from './d5-ioc-check.js';
-import { checkTokenExfil } from './d6-token-exfil.js';
-
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
-  const config = {};
-
-  const burstResult = await checkBurstPublish(registryMeta, config);
-  const maintainerResult = await checkMaintainerAnomaly(registryMeta, config);
-
-  const pkgName = pkgJson?.name || '';
-  const pkgVersion = pkgJson?.version || '';
-  const sha512 = registryMeta?.versions?.[pkgVersion]?.dist?.integrity || null;
-  const publisherAccount = registryMeta?.versions?.[pkgVersion]?._npmUser?.name || null;
-  const timeMap = registryMeta?.time || {};
-
-  const iocResult = await checkIOC(pkgName, pkgVersion, sha512, publisherAccount, timeMap);
-  const exfilResult = checkTokenExfil(allFiles || files, pkgJson);
-
-  let siblingResult = { triggered: false };
-  let slsaResult = { triggered: false };
-
-  if (burstResult.triggered) {
-    siblingResult = await checkSiblingCompromise(pkgJson, config);
-    slsaResult = await checkSlsaMismatch(pkgName, pkgVersion, burstResult, timeMap, config);
-  }
-
-  const nxDownstreamResult = checkNxConsoleDownstream(pkgJson, allFiles || files);
-
-  const triggeredChecks = [];
-  if (burstResult.triggered) triggeredChecks.push('D1_BURST');
-  if (siblingResult.triggered) triggeredChecks.push('D2_SIBLING');
-  if (slsaResult.triggered) triggeredChecks.push('D3_SLSA');
-  if (maintainerResult.triggered) triggeredChecks.push('D4_MAINTAINER');
-  if (iocResult.triggered) triggeredChecks.push('D5_IOC');
-  if (exfilResult.triggered) triggeredChecks.push('D6_EXFIL');
-  if (nxDownstreamResult.triggered) triggeredChecks.push('D7_NX_CONSOLE');
-
-  if (triggeredChecks.length === 0) return [];
-
-  let waveAttribution = 'unknown';
-  if (pkgName.startsWith('@tanstack')) {
-    waveAttribution = 'wave1-tanstack';
-  } else if (pkgName.startsWith('@antv')) {
-    waveAttribution = 'wave2-antv';
-  } else if (nxDownstreamResult.triggered) {
-    waveAttribution = 'wave3-nx-console';
-  } else if (iocResult.matches && iocResult.matches.length > 0) {
-    const waves = [...new Set(iocResult.matches.map(m => m.wave))];
-    if (waves.length === 1) {
-      waveAttribution = waves[0] === 1 ? 'wave1-tanstack' : waves[0] === 2 ? 'wave2-antv' : 'wave3-nx-console';
-    }
-  }
-
-  const isCritical = slsaResult.triggered || iocResult.triggered || nxDownstreamResult.triggered;
-
-  const evidence = {
-    campaign: 'MINI_SHAI_HULUD',
-    waveAttribution,
-    triggeredChecks,
-    burstWindow: burstResult.triggered
-      ? { start: burstResult.windowStart, end: burstResult.windowEnd, versionCount: burstResult.versionCount }
-      : null,
-    siblingPackages: siblingResult.triggered
-      ? siblingResult.results.flatMap(r => r.siblingPackages)
-      : null,
-    attestationAnomalies: slsaResult.triggered ? slsaResult.anomalies : null,
-    iocMatches: iocResult.triggered ? iocResult.matches : null,
-    installScriptSnippets: exfilResult.triggered ? exfilResult.snippets : null,
-    nxConsoleDownstream: nxDownstreamResult.triggered
-      ? { nxDeps: nxDownstreamResult.nxDeps, vsCodeExtensions: nxDownstreamResult.vsCodeExtensions }
-      : null,
-  };
-
-  return [{
-    id: 'MINI_SHAI_HULUD',
-    severity: isCritical ? 'critical' : 'high',
-    title: 'Mini Shai-Hulud worm campaign',
-    description: `${triggeredChecks.length} signal(s): ${triggeredChecks.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages. If Wave 3 (Nx Console): remove nrwl.angular-console extension immediately, revoke all npm tokens used in CI/CD, and audit @nx/* dependency versions.',
-  }];
-}
-
-function checkNxConsoleDownstream(pkgJson, allFiles) {
-  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
-  const nxDeps = Object.keys(deps).filter(d => d.startsWith('@nx/') || d.startsWith('nrwl/'));
-  if (nxDeps.length === 0) return { triggered: false, nxDeps: [], vsCodeExtensions: [] };
-
-  let vsCodeExtensions = [];
-  if (allFiles && Array.isArray(allFiles)) {
-    for (const file of allFiles) {
-      if (file.path && (file.path.endsWith('.vscode/extensions.json') || file.path.endsWith('.vscode/extensions.json'))) {
-        try {
-          const content = typeof file.content === 'string' ? file.content : '';
-          const parsed = JSON.parse(content);
-          const allExts = [
-            ...(parsed.recommendations || []),
-            ...(parsed.unwantedRecommendations || []),
-          ];
-          const matched = allExts.filter(e => e.includes('nrwl.angular-console'));
-          if (matched.length > 0) {
-            vsCodeExtensions = matched;
-          }
-        } catch {
-          // non-JSON extensions.json, skip
-        }
-      }
-    }
-  }
-
-  return { triggered: true, nxDeps, vsCodeExtensions };
-}
-
-export { clearSiblingCache } from './d2-sibling-compromise.js';
+import { checkBurstPublish } from './d1-burst-publish.js';
+import { checkSiblingCompromise, clearSiblingCache } from './d2-sibling-compromise.js';
+import { checkSlsaMismatch } from './d3-slsa-mismatch.js';
+import { checkMaintainerAnomaly } from './d4-maintainer-anomaly.js';
+import { checkIOC } from './d5-ioc-check.js';
+import { checkTokenExfil } from './d6-token-exfil.js';
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const config = {};
+
+  const burstResult = await checkBurstPublish(registryMeta, config);
+  const maintainerResult = await checkMaintainerAnomaly(registryMeta, config);
+
+  const pkgName = pkgJson?.name || '';
+  const pkgVersion = pkgJson?.version || '';
+  const sha512 = registryMeta?.versions?.[pkgVersion]?.dist?.integrity || null;
+  const publisherAccount = registryMeta?.versions?.[pkgVersion]?._npmUser?.name || null;
+  const timeMap = registryMeta?.time || {};
+
+  const iocResult = await checkIOC(pkgName, pkgVersion, sha512, publisherAccount, timeMap);
+  const exfilResult = checkTokenExfil(allFiles || files, pkgJson);
+
+  let siblingResult = { triggered: false };
+  let slsaResult = { triggered: false };
+
+  if (burstResult.triggered) {
+    siblingResult = await checkSiblingCompromise(pkgJson, config);
+    slsaResult = await checkSlsaMismatch(pkgName, pkgVersion, burstResult, timeMap, config);
+  }
+
+  const nxDownstreamResult = checkNxConsoleDownstream(pkgJson, allFiles || files);
+
+  const triggeredChecks = [];
+  if (burstResult.triggered) triggeredChecks.push('D1_BURST');
+  if (siblingResult.triggered) triggeredChecks.push('D2_SIBLING');
+  if (slsaResult.triggered) triggeredChecks.push('D3_SLSA');
+  if (maintainerResult.triggered) triggeredChecks.push('D4_MAINTAINER');
+  if (iocResult.triggered) triggeredChecks.push('D5_IOC');
+  if (exfilResult.triggered) triggeredChecks.push('D6_EXFIL');
+  if (nxDownstreamResult.triggered) triggeredChecks.push('D7_NX_CONSOLE');
+
+  if (triggeredChecks.length === 0) return [];
+
+  let waveAttribution = 'unknown';
+  if (pkgName.startsWith('@tanstack')) {
+    waveAttribution = 'wave1-tanstack';
+  } else if (pkgName.startsWith('@antv')) {
+    waveAttribution = 'wave2-antv';
+  } else if (nxDownstreamResult.triggered) {
+    waveAttribution = 'wave3-nx-console';
+  } else if (iocResult.matches && iocResult.matches.length > 0) {
+    const waves = [...new Set(iocResult.matches.map(m => m.wave))];
+    if (waves.length === 1) {
+      waveAttribution = waves[0] === 1 ? 'wave1-tanstack' : waves[0] === 2 ? 'wave2-antv' : 'wave3-nx-console';
+    }
+  }
+
+  const isCritical = slsaResult.triggered || iocResult.triggered || nxDownstreamResult.triggered;
+
+  const evidence = {
+    campaign: 'MINI_SHAI_HULUD',
+    waveAttribution,
+    triggeredChecks,
+    burstWindow: burstResult.triggered
+      ? { start: burstResult.windowStart, end: burstResult.windowEnd, versionCount: burstResult.versionCount }
+      : null,
+    siblingPackages: siblingResult.triggered
+      ? siblingResult.results.flatMap(r => r.siblingPackages)
+      : null,
+    attestationAnomalies: slsaResult.triggered ? slsaResult.anomalies : null,
+    iocMatches: iocResult.triggered ? iocResult.matches : null,
+    installScriptSnippets: exfilResult.triggered ? exfilResult.snippets : null,
+    nxConsoleDownstream: nxDownstreamResult.triggered
+      ? { nxDeps: nxDownstreamResult.nxDeps, vsCodeExtensions: nxDownstreamResult.vsCodeExtensions }
+      : null,
+  };
+
+  return [{
+    id: 'MINI_SHAI_HULUD',
+    severity: isCritical ? 'critical' : 'high',
+    title: 'Mini Shai-Hulud worm campaign',
+    description: `${triggeredChecks.length} signal(s): ${triggeredChecks.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: 'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages. If Wave 3 (Nx Console): remove nrwl.angular-console extension immediately, revoke all npm tokens used in CI/CD, and audit @nx/* dependency versions.',
+  }];
+}
+
+function checkNxConsoleDownstream(pkgJson, allFiles) {
+  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
+  const nxDeps = Object.keys(deps).filter(d => d.startsWith('@nx/') || d.startsWith('nrwl/'));
+  if (nxDeps.length === 0) return { triggered: false, nxDeps: [], vsCodeExtensions: [] };
+
+  let vsCodeExtensions = [];
+  if (allFiles && Array.isArray(allFiles)) {
+    for (const file of allFiles) {
+      if (file.path && (file.path.endsWith('.vscode/extensions.json') || file.path.endsWith('.vscode/extensions.json'))) {
+        try {
+          const content = typeof file.content === 'string' ? file.content : '';
+          const parsed = JSON.parse(content);
+          const allExts = [
+            ...(parsed.recommendations || []),
+            ...(parsed.unwantedRecommendations || []),
+          ];
+          const matched = allExts.filter(e => e.includes('nrwl.angular-console'));
+          if (matched.length > 0) {
+            vsCodeExtensions = matched;
+          }
+        } catch {
+          // non-JSON extensions.json, skip
+        }
+      }
+    }
+  }
+
+  return { triggered: true, nxDeps, vsCodeExtensions };
+}
+
+export { clearSiblingCache } from './d2-sibling-compromise.js';