@lateos/npm-scan 0.16.0 → 0.16.5

package/backend/detectors/mini-shai-hulud/iocs.json

@@ -1,79 +1,79 @@
-{
-  "lastUpdated": "2026-05-24T00:00:00.000Z",
-  "waves": {
-    "wave1": {
-      "id": "mini-shai-hulud-wave1",
-      "description": "TanStack CI/CD hijack (mid-May 2026) — 84 malicious versions across 42 packages in ~6 minutes via compromised GitHub Actions CI. Forged SLSA BL3 provenance attestations.",
-      "windowMinutes": 6,
-      "iocs": [
-        {
-          "type": "packageScope",
-          "value": "@tanstack",
-          "maliciousVersionRanges": [],
-          "notes": "Seed IOC — update from threat intel feed. Affected: @tanstack/router, @tanstack/react-router, @tanstack/query, @tanstack/form, @tanstack/store, @tanstack/virtual, @tanstack/ranger, @tanstack/table."
-        }
-      ]
-    },
-    "wave2": {
-      "id": "mini-shai-hulud-wave2",
-      "description": "AntV/atool maintainer account compromise (late May 2026) — 600+ malicious versions across 300+ packages in ~22 minutes. ~16M weekly download blast radius.",
-      "windowMinutes": 22,
-      "iocs": [
-        {
-          "type": "publisherAccount",
-          "value": "atool",
-          "compromiseWindowStart": "2026-05-20T00:00:00.000Z",
-          "compromiseWindowEnd": null,
-          "notes": "Seed IOC — compromised @antv/atool maintainer account. Update compromise window from threat intel."
-        },
-        {
-          "type": "packageScope",
-          "value": "@antv",
-          "maliciousVersionRanges": [],
-          "notes": "Blast radius: @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js. Seed IOC — update from threat intel."
-        }
-      ]
-    },
-    "wave3": {
-      "id": "nx-console-wave3",
-      "description": "Nx Console 18.95.0 VS Code extension compromise (May 18, 2026, CVE-2026-48027, TeamPCP) — contributor token stolen via TanStack wave1 (May 11), 7-day dwell, malicious extension published using npx to fetch 498KB obfuscated Bun payload from dangling orphan commit on nrwl/nx repo. ~3M installs exposed.",
-      "windowMinutes": 36,
-      "iocs": [
-        {
-          "type": "extensionId",
-          "value": "nrwl.angular-console",
-          "maliciousVersionRanges": ["18.95.0"],
-          "notes": "Nx Console v18.95.0 — malicious VS Code extension. CVE-2026-48027. Exposure window: 11 min on Marketplace, 36 min on Open VSX."
-        },
-        {
-          "type": "publisherAccount",
-          "value": "nrwl",
-          "compromiseWindowStart": "2026-05-11T00:00:00.000Z",
-          "compromiseWindowEnd": "2026-05-18T13:09:00.000Z",
-          "notes": "Nx contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publishing malicious extension on May 18."
-        },
-        {
-          "type": "packageScope",
-          "value": "@nx",
-          "maliciousVersionRanges": [],
-          "notes": "NX_CONSOLE_DOWNSTREAM: npm packages under @nx scope deployed by compromised Nx contributor. Check for versions published within 7 days of 2026-05-18."
-        },
-        {
-          "type": "packageScope",
-          "value": "nrwl",
-          "maliciousVersionRanges": [],
-          "notes": "NX_CONSOLE_DOWNSTREAM: nrwl-scoped npm packages — monitor for anomalous burst publishing."
-        }
-      ]
-    }
-  },
-  "iocs": [
-    {
-      "type": "sha512",
-      "value": "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
-      "package": "@antv/g2",
-      "wave": 2,
-      "notes": "Placeholder sha512 — replace with actual SHA-512 integrity hash from npm dist.integrity of a confirmed malicious version."
-    }
-  ]
-}
+{
+  "lastUpdated": "2026-05-24T00:00:00.000Z",
+  "waves": {
+    "wave1": {
+      "id": "mini-shai-hulud-wave1",
+      "description": "TanStack CI/CD hijack (mid-May 2026) — 84 malicious versions across 42 packages in ~6 minutes via compromised GitHub Actions CI. Forged SLSA BL3 provenance attestations.",
+      "windowMinutes": 6,
+      "iocs": [
+        {
+          "type": "packageScope",
+          "value": "@tanstack",
+          "maliciousVersionRanges": [],
+          "notes": "Seed IOC — update from threat intel feed. Affected: @tanstack/router, @tanstack/react-router, @tanstack/query, @tanstack/form, @tanstack/store, @tanstack/virtual, @tanstack/ranger, @tanstack/table."
+        }
+      ]
+    },
+    "wave2": {
+      "id": "mini-shai-hulud-wave2",
+      "description": "AntV/atool maintainer account compromise (late May 2026) — 600+ malicious versions across 300+ packages in ~22 minutes. ~16M weekly download blast radius.",
+      "windowMinutes": 22,
+      "iocs": [
+        {
+          "type": "publisherAccount",
+          "value": "atool",
+          "compromiseWindowStart": "2026-05-20T00:00:00.000Z",
+          "compromiseWindowEnd": null,
+          "notes": "Seed IOC — compromised @antv/atool maintainer account. Update compromise window from threat intel."
+        },
+        {
+          "type": "packageScope",
+          "value": "@antv",
+          "maliciousVersionRanges": [],
+          "notes": "Blast radius: @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js. Seed IOC — update from threat intel."
+        }
+      ]
+    },
+    "wave3": {
+      "id": "nx-console-wave3",
+      "description": "Nx Console 18.95.0 VS Code extension compromise (May 18, 2026, CVE-2026-48027, TeamPCP) — contributor token stolen via TanStack wave1 (May 11), 7-day dwell, malicious extension published using npx to fetch 498KB obfuscated Bun payload from dangling orphan commit on nrwl/nx repo. ~3M installs exposed.",
+      "windowMinutes": 36,
+      "iocs": [
+        {
+          "type": "extensionId",
+          "value": "nrwl.angular-console",
+          "maliciousVersionRanges": ["18.95.0"],
+          "notes": "Nx Console v18.95.0 — malicious VS Code extension. CVE-2026-48027. Exposure window: 11 min on Marketplace, 36 min on Open VSX."
+        },
+        {
+          "type": "publisherAccount",
+          "value": "nrwl",
+          "compromiseWindowStart": "2026-05-11T00:00:00.000Z",
+          "compromiseWindowEnd": "2026-05-18T13:09:00.000Z",
+          "notes": "Nx contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publishing malicious extension on May 18."
+        },
+        {
+          "type": "packageScope",
+          "value": "@nx",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: npm packages under @nx scope deployed by compromised Nx contributor. Check for versions published within 7 days of 2026-05-18."
+        },
+        {
+          "type": "packageScope",
+          "value": "nrwl",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: nrwl-scoped npm packages — monitor for anomalous burst publishing."
+        }
+      ]
+    }
+  },
+  "iocs": [
+    {
+      "type": "sha512",
+      "value": "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+      "package": "@antv/g2",
+      "wave": 2,
+      "notes": "Placeholder sha512 — replace with actual SHA-512 integrity hash from npm dist.integrity of a confirmed malicious version."
+    }
+  ]
+}

package/backend/detectors/msh-supplement/d1-obfuscation.js

@@ -0,0 +1,18 @@
+const CTF_SCRAMBLE_RE = /require\(['"](ctf-scramble-v2|ctf-scramble-v\d+)['"]\)/;
+const CTF_SCRAMBLE_ESM_RE = /(?:from|import)\s+['"](ctf-scramble-v2|ctf-scramble-v\d+)['"]/;
+
+export function scanCtfScramble(files = []) {
+  for (const file of files) {
+    const content = file.content || '';
+    if (CTF_SCRAMBLE_RE.test(content) || CTF_SCRAMBLE_ESM_RE.test(content)) {
+      const match = content.match(CTF_SCRAMBLE_RE) || content.match(CTF_SCRAMBLE_ESM_RE);
+      return {
+        triggered: true,
+        stopCondition: true,
+        filePath: file.path,
+        patternMatched: match ? match[1] : 'ctf-scramble-v2',
+      };
+    }
+  }
+  return { triggered: false, stopCondition: false };
+}

package/backend/detectors/msh-supplement/d2-persistence.js

@@ -0,0 +1,47 @@
+const DAEMON_RE = /\b(daemon|fork)\s*\(/;
+const SPAWN_DETACHED_RE = /spawn\s*\([^)]*detached\s*:\s*true/;
+const SYSTEMD_RE = /\/etc\/systemd\/system\/|systemctl\s+(enable|start)/;
+const CRON_RE = /crontab\s+-e|\/etc\/cron\b/;
+const LAUNCHD_RE = /\/Library\/LaunchDaemons\/|launchctl\s+(load|start)/;
+const TASK_SCHED_RE = /schtasks\.exe|New-ScheduledTask|Register-ScheduledJob/;
+const CI_GUARD_RE = /!process\.env\.CI|process\.env\.CI\s*===?\s*undefined/;
+
+export function scanPersistence(pkgJson, files = []) {
+  const allScripts = [];
+  const hooks = ['preinstall', 'install', 'postinstall', 'preuninstall', 'postuninstall'];
+  for (const hook of hooks) {
+    const script = pkgJson?.scripts?.[hook];
+    if (script) {
+      allScripts.push({ hook, content: script });
+    }
+  }
+
+  const code = files.map(f => f.content || '').join('\n');
+  const codeWithScripts = code + '\n' + allScripts.map(s => s.content).join('\n');
+
+  const detectedApis = [];
+  let hasCiGuard = false;
+  let hasDaemon = false;
+
+  if (DAEMON_RE.test(codeWithScripts)) detectedApis.push('daemon');
+  if (SPAWN_DETACHED_RE.test(codeWithScripts)) detectedApis.push('spawn_detached');
+  if (SYSTEMD_RE.test(codeWithScripts)) detectedApis.push('systemd');
+  if (CRON_RE.test(codeWithScripts)) detectedApis.push('cron');
+  if (LAUNCHD_RE.test(codeWithScripts)) detectedApis.push('launchd');
+  if (TASK_SCHED_RE.test(codeWithScripts)) detectedApis.push('task_scheduler');
+  if (CI_GUARD_RE.test(codeWithScripts)) hasCiGuard = true;
+
+  if (DAEMON_RE.test(codeWithScripts) || SPAWN_DETACHED_RE.test(codeWithScripts)) hasDaemon = true;
+
+  if (hasDaemon || detectedApis.length > 0) {
+    return {
+      triggered: true,
+      detectedApis,
+      hasCiGuard,
+      hooks: allScripts.map(s => s.hook),
+      context: hasCiGuard ? 'Spawns background process when CI env var absent' : 'Suspicious persistence/detached process detected',
+    };
+  }
+
+  return { triggered: false, detectedApis: [], hasCiGuard: false, hooks: [] };
+}

package/backend/detectors/msh-supplement/d3-geo-killswitch.js

@@ -0,0 +1,35 @@
+const LOCALE_CHECKS = [
+  /process\.env\.LANG/,
+  /process\.env\.LC_ALL/,
+  /process\.env\.LC_MESSAGES/,
+  /Intl\.DateTimeFormat\(\)\.resolvedOptions\(\)\.timeZone/,
+  /Intl\.DateTimeFormat\.resolvedOptions\b/,
+];
+const TARGET_LOCALES = /ru_RU|be_BY|uk_UA/;
+const SILENT_EXIT_RE = /process\.exit\s*\(\s*0\s*\)/;
+
+export function scanGeoKillswitch(files = []) {
+  const code = files.map(f => f.content || '').join('\n');
+  if (!code) return { triggered: false, targetedLocales: [], triggerBehavior: null };
+
+  const hasLocaleCheck = LOCALE_CHECKS.some(re => re.test(code));
+  if (!hasLocaleCheck) return { triggered: false, targetedLocales: [], triggerBehavior: null };
+
+  const hasTargetLocale = TARGET_LOCALES.test(code);
+  const hasSilentExit = SILENT_EXIT_RE.test(code);
+
+  if (hasTargetLocale || hasSilentExit) {
+    const matchedLocales = [];
+    if (/ru_RU/.test(code)) matchedLocales.push('ru_RU');
+    if (/be_BY/.test(code)) matchedLocales.push('be_BY');
+    if (/uk_UA/.test(code)) matchedLocales.push('uk_UA');
+
+    return {
+      triggered: true,
+      targetedLocales: matchedLocales.length > 0 ? matchedLocales : ['ru_RU', 'be_BY'],
+      triggerBehavior: hasSilentExit ? 'Silent exit' : 'Locale/timezone match with conditional behavior',
+    };
+  }
+
+  return { triggered: false, targetedLocales: [], triggerBehavior: null };
+}

package/backend/detectors/msh-supplement/d4-c2-deaddrop.js

@@ -0,0 +1,33 @@
+const OHNO_WHATS_GOING_ON_RE = /OhNoWhatsGoingOnWithGitHub/;
+const GITHUB_COMMIT_SCRAPE_RE = /api\.github\.com\/repos\/[^/]+\/[^/]+\/commits/;
+const GITHUB_GRAPHQL_RE = /api\.github\.com\/graphql/;
+const GITHUB_TOKEN_ACCESS_RE = /process\.env\.(?:GH_TOKEN|GITHUB_TOKEN|GITHUB_ACTOR)/;
+const COMMIT_PARSE_LOOP_RE = /commits?\s*\.\s*(?:map|filter|forEach|for\s*\(|while\s*\()/;
+
+export function scanC2DeadDrop(files = []) {
+  const code = files.map(f => f.content || '').join('\n');
+  if (!code) return { triggered: false, matches: [] };
+
+  const matches = [];
+
+  if (OHNO_WHATS_GOING_ON_RE.test(code)) {
+    matches.push({ type: 'ioc_keyword', value: 'OhNoWhatsGoingOnWithGitHub', attackVector: 'GitHub commit scraping for token recovery' });
+  }
+
+  const hasTokenAccess = GITHUB_TOKEN_ACCESS_RE.test(code);
+  const hasGithubApi = GITHUB_COMMIT_SCRAPE_RE.test(code) || GITHUB_GRAPHQL_RE.test(code);
+  const hasCommitParseLoop = COMMIT_PARSE_LOOP_RE.test(code);
+
+  if (hasTokenAccess && hasGithubApi) {
+    matches.push({ type: 'token_exfil_github_api', value: 'Credential access followed by GitHub API call', attackVector: 'Credential/token extraction followed by GitHub API calls' });
+  }
+
+  if (hasCommitParseLoop && hasGithubApi) {
+    matches.push({ type: 'commit_scraping', value: 'Commit message parsing with GitHub API', attackVector: 'Commit scraping for secret detection' });
+  }
+
+  return {
+    triggered: matches.length > 0,
+    matches,
+  };
+}

package/backend/detectors/msh-supplement/index.js

@@ -0,0 +1,107 @@
+import { scanCtfScramble } from './d1-obfuscation.js';
+import { scanPersistence } from './d2-persistence.js';
+import { scanGeoKillswitch } from './d3-geo-killswitch.js';
+import { scanC2DeadDrop } from './d4-c2-deaddrop.js';
+import { attachProvenance } from '../../provenance.js';
+
+const RULE_SEVERITY = {
+  D1: 'critical',
+  D2: 'critical',
+  D3: 'high',
+  D4: 'critical',
+};
+
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
+
+function highestSeverity(severities) {
+  for (const s of SEVERITY_ORDER) {
+    if (severities.includes(s)) return s;
+  }
+  return 'none';
+}
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const fileList = allFiles || files || [];
+  const pkgName = pkgJson?.name || 'unknown';
+  const pkgVersion = pkgJson?.version || '0.0.0';
+
+  const d1Results = scanCtfScramble(fileList);
+  if (d1Results.stopCondition) {
+    const evidence = attachProvenance({
+      rule: 'MSH-OBF-001',
+      campaign: 'MINI_SHAI_HULUD',
+      triggeredChecks: ['D1'],
+      filePath: d1Results.filePath,
+      patternMatched: d1Results.patternMatched,
+      action: 'BLOCK_IMMEDIATELY',
+    }, {
+      ruleId: 'MSH-OBF-001',
+      ruleName: 'ctf-scramble-v2 Obfuscation Detection',
+      severity: 'CRITICAL',
+      campaignName: 'Mini Shai-Hulud',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity: 'critical',
+      indicators: [{ type: 'obfuscation_found', value: d1Results.patternMatched }],
+      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/d1-obfuscation.js',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    });
+
+    return [{
+      id: 'MINI_SHAI_HULUD',
+      severity: 'critical',
+      title: 'Mini Shai-Hulud worm campaign — ctf-scramble-v2 malware obfuscation detected',
+      description: 'HALT: ctf-scramble-v2 obfuscation layer detected. Package is compromised. Block install immediately.',
+      evidence: JSON.stringify(evidence),
+      mitigation: 'BLOCK IMMEDIATELY. Do not install this package version. Revoke any npm tokens exposed to this package. Rotate all CI/CD secrets. Run full malware scan on any system that processed this package.',
+      stopCondition: true,
+    }];
+  }
+
+  const results = {
+    D2: scanPersistence(pkgJson, fileList),
+    D3: scanGeoKillswitch(fileList),
+    D4: scanC2DeadDrop(fileList),
+  };
+
+  const triggered = Object.entries(results)
+    .filter(([_, r]) => r.triggered)
+    .map(([id]) => id);
+
+  if (triggered.length === 0) return [];
+
+  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+
+  const evidence = attachProvenance({
+    campaign: 'MINI_SHAI_HULUD',
+    triggeredChecks: triggered,
+    details: Object.fromEntries(
+      Object.entries(results).filter(([_, r]) => r.triggered)
+    ),
+  }, {
+    ruleId: 'MSH-SUPPLEMENT',
+    ruleName: 'Mini Shai-Hulud Supplement Detection',
+    severity: severity.toUpperCase(),
+    campaignName: 'Mini Shai-Hulud',
+    pkgName,
+    pkgVersion,
+    triggered: true,
+    severity,
+    indicators: triggered.map(id => ({
+      type: `rule_${id}`,
+      value: RULE_SEVERITY[id],
+    })),
+    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/',
+    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+  });
+
+  return [{
+    id: 'MINI_SHAI_HULUD',
+    severity,
+    title: 'Mini Shai-Hulud worm campaign — supplement indicators',
+    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: 'If daemonization detected: revoke npm tokens and rotate CI/CD secrets. If geographic killswitch detected: verify running in expected region; attacker may be avoiding certain locales. If C2 dead-drop detected: check for unauthorized GitHub API access and token exfiltration. Review recent version publish history for anomalous bursts.',
+  }];
+}

package/backend/detectors/tier1-binary-embed.js

@@ -0,0 +1,219 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const BINARY_DIRS = ['bin/', 'native/'];
+const BINARY_EXTS = ['.exe', '.dll', '.so', '.dylib', '.wasm', '.node', '.o', '.a'];
+const BINARY_FILENAMES = ['bun', 'deno', 'go', 'rustc', 'python', 'python3', 'ruby', 'php'];
+
+const CHILD_PROC_RE = /\b(?:spawn|exec|execSync|spawnSync|fork)\s*\(/g;
+const FS_CHMOD_RE = /fs\.chmod\s*\(/g;
+
+function detectMagicBytes(content) {
+  if (!content || content.length < 4) return null;
+
+  const c0 = content.charCodeAt(0);
+  const c1 = content.charCodeAt(1);
+  const c2 = content.charCodeAt(2);
+  const c3 = content.charCodeAt(3);
+
+  if (c0 === 0x7f && content.slice(1, 4) === 'ELF') return 'elf_embedded';
+  if (c0 === 0x4d && c1 === 0x5a) return 'pe_embedded';
+  if (c0 === 0x00 && content.slice(1, 4) === 'asm') return 'wasm_embedded';
+
+  const machO = (c0 === 0xfe && c1 === 0xed && c2 === 0xfa && (c3 === 0xce || c3 === 0xcf)) ||
+    (c0 === 0xce && c1 === 0xfa && c2 === 0xed && (c3 === 0xfe || c3 === 0xcf)) ||
+    (c0 === 0xcf && c1 === 0xfa && c2 === 0xed && c3 === 0xfe);
+  if (machO) return 'macho_embedded';
+
+  const universal = c0 === 0xca && c1 === 0xfe && c2 === 0xba && c3 === 0xbe;
+  if (universal) return 'macho_embedded';
+
+  return null;
+}
+
+function isInBinaryDir(filePath) {
+  const normalized = filePath.replace(/\\/g, '/');
+  return BINARY_DIRS.some(dir => normalized.includes(`/${dir}`) || normalized.startsWith(dir));
+}
+
+function hasBinaryExt(filePath) {
+  const lower = filePath.toLowerCase();
+  return BINARY_EXTS.some(ext => lower.endsWith(ext));
+}
+
+function isKnownBinaryName(fileName) {
+  const base = fileName.replace(/\.\w+$/, '').toLowerCase();
+  return BINARY_FILENAMES.includes(base);
+}
+
+function isDeclared(pkgJson, fileName) {
+  if (!pkgJson) return false;
+  const baseName = fileName.split(/[/\\]/).pop();
+
+  if (pkgJson.bin) {
+    if (typeof pkgJson.bin === 'string' && pkgJson.bin === baseName) return true;
+    if (typeof pkgJson.bin === 'object' && Object.values(pkgJson.bin).some(v => v === baseName || v.endsWith(`/${baseName}`))) return true;
+  }
+
+  if (pkgJson.optionalDependencies) {
+    for (const [name, val] of Object.entries(pkgJson.optionalDependencies)) {
+      if (name === baseName) return true;
+    }
+  }
+
+  if (pkgJson.gypfile === true || pkgJson.scripts?.install?.includes('node-gyp') || pkgJson.scripts?.install?.includes('node-pre-gyp')) {
+    if (baseName.endsWith('.node')) return true;
+  }
+
+  return false;
+}
+
+export const name = 'tier1-binary-embed';
+
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const pkgName = pkgJson?.name;
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  if (!allFiles || allFiles.length === 0) return [];
+
+  if (pkgName && (
+    pkgName === 'electron' || pkgName === 'puppeteer' || pkgName === 'sharp' ||
+    pkgName === 'esbuild' || pkgName === 'node-gyp' || pkgName === 'node-pre-gyp' ||
+    pkgName === '@mapbox/node-pre-gyp'
+  )) return [];
+
+  const binaries = [];
+
+  for (const f of allFiles) {
+    const content = f.content || '';
+    const filePath = f.path || f.name || '';
+    const fileName = filePath.split(/[/\\]/).pop();
+    const fileSize = content.length;
+
+    const magic = detectMagicBytes(content);
+    const inBinDir = isInBinaryDir(filePath);
+    const hasExt = hasBinaryExt(filePath);
+    const knownName = isKnownBinaryName(fileName);
+    const largeFile = fileSize > 100000000;
+
+    if (magic || inBinDir || hasExt || knownName) {
+      const declared = isDeclared(pkgJson, filePath);
+
+      binaries.push({
+        file: filePath,
+        size: fileSize,
+        magic,
+        inBinDir,
+        hasExt,
+        knownName,
+        declared,
+        largeFile,
+      });
+    }
+  }
+
+  if (binaries.length === 0) return [];
+
+  const jsCode = (jsFiles || []).map(f => f.content || '').join('\n');
+  const invoked = CHILD_PROC_RE.test(jsCode) || FS_CHMOD_RE.test(jsCode);
+
+  const invokedFiles = [];
+  if (jsFiles && invoked) {
+    for (const f of jsFiles) {
+      const c = f.content || '';
+      CHILD_PROC_RE.lastIndex = 0;
+      FS_CHMOD_RE.lastIndex = 0;
+      if (CHILD_PROC_RE.test(c) || FS_CHMOD_RE.test(c)) {
+        invokedFiles.push(f.path || f.name || 'unknown.js');
+      }
+    }
+  }
+
+  const findings = [];
+
+  for (const bin of binaries) {
+    let baseScore;
+    let subtype;
+
+    if (bin.magic === 'elf_embedded') {
+      baseScore = 95;
+      subtype = 'elf_embedded';
+    } else if (bin.magic === 'pe_embedded') {
+      baseScore = 95;
+      subtype = 'pe_embedded';
+    } else if (bin.magic === 'macho_embedded') {
+      baseScore = 95;
+      subtype = 'macho_embedded';
+    } else if (bin.magic === 'wasm_embedded') {
+      baseScore = 60;
+      subtype = 'wasm_embedded';
+    } else {
+      baseScore = 60;
+      subtype = 'magic_byte_unknown';
+    }
+
+    let score = baseScore;
+
+    if (bin.inBinDir) score += 15;
+
+    if (!bin.declared) score += 50;
+
+    if (invoked && invokedFiles.length > 0) score += 25;
+
+    const confidenceScore = Math.max(50, Math.min(100, score));
+
+    function severityLabel(sc) {
+      if (sc >= 90) return 'critical';
+      if (sc >= 70) return 'high';
+      return 'medium';
+    }
+
+    function confidenceLabel(sc) {
+      if (sc >= 95) return 'CRITICAL';
+      if (sc >= 80) return 'HIGH';
+      if (sc >= 60) return 'MEDIUM';
+      return 'LOW';
+    }
+
+    const evidence = [
+      `binary: ${bin.file.split(/[/\\]/).pop()}${bin.magic ? ` (${bin.magic.toUpperCase().replace('_EMBEDDED', '')})` : ''}`,
+      `path: ${bin.file}`,
+      `declared: ${bin.declared}`,
+    ];
+    if (invoked && invokedFiles.length > 0) {
+      evidence.push(`invoked: child_process usage in ${invokedFiles.length} file(s)`);
+      evidence.push(`invoked_file: ${invokedFiles[0]}`);
+    }
+
+    const locations = [
+      { file: bin.file, size: bin.size },
+    ];
+
+    if (invokedFiles.length > 0) {
+      locations.push({ file: invokedFiles[0], line: 0 });
+    }
+
+    let message;
+    if (!bin.declared) {
+      message = `Undeclared binary detected: ${bin.file.split(/[/\\]/).pop()}`;
+    } else if (invoked) {
+      message = `Binary ${bin.file.split(/[/\\]/).pop()} invoked from JavaScript`;
+    } else {
+      message = `Binary embedded in package: ${bin.file.split(/[/\\]/).pop()}`;
+    }
+
+    findings.push({
+      detector: 'tier1-binary-embed',
+      id: 'TIER1-BINARY-EMBED',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype,
+      message,
+      evidence,
+      locations,
+      reference: 'Campaign 2',
+    });
+  }
+
+  return findings;
+}