@lateos/npm-scan 0.16.0 → 0.16.5

package/backend/detectors/tier1-typosquat.js

@@ -0,0 +1,219 @@
+import { createRequire } from 'module';
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const require = createRequire(import.meta.url);
+const TOP_PACKAGES = require('../../src/config/top-5000.json');
+const TOP_SET = new Set(TOP_PACKAGES);
+
+function levenshtein(a, b) {
+  if (Math.abs(a.length - b.length) > 2) return 3;
+  const m = a.length, n = b.length;
+  if (m === 0) return n;
+  if (n === 0) return m;
+  let prev = new Int32Array(n + 1);
+  let curr = new Int32Array(n + 1);
+  for (let j = 0; j <= n; j++) prev[j] = j;
+  for (let i = 1; i <= m; i++) {
+    curr[0] = i;
+    let rowMin = curr[0];
+    for (let j = 1; j <= n; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(
+        prev[j] + 1,
+        curr[j - 1] + 1,
+        prev[j - 1] + cost
+      );
+      if (curr[j] < rowMin) rowMin = curr[j];
+    }
+    if (rowMin > 2) return 3;
+    const tmp = prev; prev = curr; curr = tmp;
+  }
+  return prev[n];
+}
+
+function jaroWinkler(a, b) {
+  if (a === b) return 1;
+  const m = a.length, n = b.length;
+  if (m === 0 || n === 0) return 0;
+  const matchDist = Math.floor(Math.max(m, n) / 2) - 1;
+  const aMatch = new Array(m).fill(false);
+  const bMatch = new Array(n).fill(false);
+  let matches = 0;
+  for (let i = 0; i < m; i++) {
+    const start = Math.max(0, i - matchDist);
+    const end = Math.min(n, i + matchDist + 1);
+    for (let j = start; j < end; j++) {
+      if (bMatch[j] || a[i] !== b[j]) continue;
+      aMatch[i] = true;
+      bMatch[j] = true;
+      matches++;
+      break;
+    }
+  }
+  if (matches === 0) return 0;
+  let t = 0, k = 0;
+  for (let i = 0; i < m; i++) {
+    if (!aMatch[i]) continue;
+    while (!bMatch[k]) k++;
+    if (a[i] !== b[k]) t++;
+    k++;
+  }
+  const jaro = (matches / m + matches / n + (matches - t / 2) / matches) / 3;
+  let prefix = 0;
+  const limit = Math.min(4, m, n);
+  for (let i = 0; i < limit; i++) {
+    if (a[i] === b[i]) prefix++;
+    else break;
+  }
+  return jaro + prefix * 0.1 * (1 - jaro);
+}
+
+function soundex(s) {
+  if (!s) return '';
+  s = s.toLowerCase();
+  const first = s[0];
+  const rest = s.slice(1)
+    .replace(/[aeiouyhw]/g, '')
+    .replace(/[bfpv]/g, '1')
+    .replace(/[cgjkqsxz]/g, '2')
+    .replace(/[dt]/g, '3')
+    .replace(/l/g, '4')
+    .replace(/[mn]/g, '5')
+    .replace(/r/g, '6')
+    .replace(/(\d)\1+/g, '$1');
+  return (first + rest + '000').slice(0, 4);
+}
+
+function homoglyphScore(a, b) {
+  if (a.length !== b.length) return 0;
+  const map = { '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '6': 'g', '7': 't', '8': 'b', '@': 'a' };
+  let swaps = 0;
+  for (let i = 0; i < a.length; i++) {
+    if (a[i] === b[i]) continue;
+    const na = map[a[i]] || a[i];
+    const nb = map[b[i]] || b[i];
+    if (na === b[i] || a[i] === nb || na === nb) swaps++;
+    else return 0;
+  }
+  return swaps > 0 ? 1 - swaps / a.length : 0;
+}
+
+function computeConfidence(dist, phonetic, homoglyph, registryMeta) {
+  let subtype, base;
+  if (dist === 1) {
+    subtype = 'edit_distance_1';
+    base = 75;
+  } else if (dist === 2) {
+    subtype = 'edit_distance_2';
+    base = 45;
+  } else if (phonetic > 0.85) {
+    subtype = 'phonetic_match';
+    base = 50;
+  } else if (homoglyph > 0.7) {
+    subtype = 'homoglyph_swap';
+    base = 60;
+  } else {
+    return null;
+  }
+  let score = base;
+  if (registryMeta) {
+    const age = registryMeta.age || 0;
+    const downloads = registryMeta.weeklyDownloads || 0;
+    if (age < 30) score += 15;
+    if (downloads < 1000) score += 10;
+    if (age > 365 && downloads > 100000) score -= 30;
+  }
+  score = Math.max(50, Math.min(100, score));
+  return { subtype, score };
+}
+
+function severityLabel(score) {
+  if (score >= 80) return 'high';
+  if (score >= 60) return 'medium';
+  return 'low';
+}
+
+function confidenceLabel(score) {
+  if (score >= 80) return 'HIGH';
+  if (score >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+
+export const name = 'tier1-typosquat';
+
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const findings = [];
+  const pkgName = pkgJson?.name;
+  if (!pkgName) return findings;
+
+  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return findings;
+
+  const namesToCheck = [];
+  let scopedName = null;
+
+  if (pkgName.startsWith('@')) {
+    const parts = pkgName.split('/');
+    if (parts.length === 2) {
+      scopedName = parts[1];
+      namesToCheck.push(pkgName, scopedName);
+    }
+  } else {
+    namesToCheck.push(pkgName);
+  }
+
+  let best = null;
+  let bestScore = 0;
+
+  for (const checkName of namesToCheck) {
+    for (const target of TOP_PACKAGES) {
+      if (checkName === target) {
+        if (pkgName.startsWith('@') && checkName === scopedName && !KNOWN_REPUTABLE_PACKAGES.has(scopedName)) {
+          let score = 80;
+          if (registryMeta) {
+            if ((registryMeta.age || 0) < 30) score += 15;
+            if ((registryMeta.weeklyDownloads || 0) < 1000) score += 10;
+          }
+          score = Math.max(50, Math.min(100, score));
+          if (score > bestScore) {
+            bestScore = score;
+            best = { target, dist: 0, phonetic: 1, homoglyph: 0, subtype: 'edit_distance_1', isScopeSquat: true };
+          }
+        }
+        continue;
+      }
+      if (Math.abs(checkName.length - target.length) > 2) continue;
+      const dist = levenshtein(checkName, target);
+      if (dist > 2) continue;
+      const phonetic = jaroWinkler(checkName, target);
+      const homoglyph = homoglyphScore(checkName, target);
+      const conf = computeConfidence(dist, phonetic, homoglyph, registryMeta);
+      if (!conf || conf.score <= bestScore) continue;
+      bestScore = conf.score;
+      best = { target, dist, phonetic, homoglyph, subtype: conf.subtype, isScopeSquat: false };
+    }
+  }
+
+  if (best) {
+    findings.push({
+      detector: 'tier1-typosquat',
+      id: 'TIER1-TYPOSQUAT',
+      severity: severityLabel(bestScore),
+      confidence: confidenceLabel(bestScore),
+      confidenceScore: bestScore,
+      subtype: best.subtype,
+      message: `Package name "${pkgName}" is typo of "${best.target}"${best.dist > 0 ? ` (distance ${best.dist})` : ''}`,
+      evidence: [
+        `distance: ${best.dist}`,
+        `phonetic_score: ${(best.phonetic || 1).toFixed(2)}`,
+        `similar_package: ${best.target}`,
+        `age_days: ${registryMeta?.age || 0}`,
+        `weekly_downloads: ${registryMeta?.weeklyDownloads || 0}`,
+      ],
+      crossFiles: [],
+      locations: [{ file: 'package.json', line: 2, column: 10 }],
+      reference: 'Campaign 2: Cloud-Secret Typosquatting',
+    });
+  }
+
+  return findings;
+}

package/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js

@@ -0,0 +1,77 @@
+const BLOCKED_MAINTAINERS = ['vpmdhaj'];
+const VPMDHAJ_PREFIX_RE = /^vpmdhaj-/;
+const TYPOSQUAT_TARGETS = [
+  'opensearch-setup', 'env-config-manager',
+  'express', 'lodash', 'axios', 'react', 'vue', 'angular',
+  'babel', 'webpack', 'typescript', 'moment', 'dotenv',
+];
+
+function levenshteinDistance(a, b) {
+  const m = a.length, n = b.length;
+  const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
+  for (let i = 0; i <= m; i++) dp[i][0] = i;
+  for (let j = 0; j <= n; j++) dp[0][j] = j;
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      dp[i][j] = a[i - 1] === b[j - 1] ? dp[i - 1][j - 1] : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+    }
+  }
+  return dp[m][n];
+}
+
+export function scanMaintainerAnomaly(pkgJson, registryMeta) {
+  const pkgName = pkgJson?.name || '';
+  const currentVersion = pkgJson?.version || '';
+  const versionMeta = registryMeta?.versions?.[currentVersion];
+  const publisherName = versionMeta?._npmUser?.name || '';
+
+  if (BLOCKED_MAINTAINERS.includes(publisherName)) {
+    return {
+      triggered: true,
+      stopCondition: true,
+      maintainer: publisherName,
+      suspiciousAliases: [],
+      reason: 'Blocked maintainer detected',
+    };
+  }
+
+  if (VPMDHAJ_PREFIX_RE.test(pkgName)) {
+    return {
+      triggered: true,
+      stopCondition: true,
+      maintainer: publisherName || 'unknown',
+      suspiciousAliases: [pkgName],
+      reason: 'Package name matches vpmdhaj attacker namespace',
+    };
+  }
+
+  const suspiciousAliases = [];
+  for (const target of TYPOSQUAT_TARGETS) {
+    if (pkgName.includes(target) && pkgName !== target && !pkgName.startsWith('@')) {
+      const dist = levenshteinDistance(pkgName.toLowerCase(), target.toLowerCase());
+      if (dist <= 2 && dist > 0) {
+        suspiciousAliases.push(pkgName);
+      }
+    }
+  }
+  if (pkgName.toLowerCase().includes('opensearch')) {
+    suspiciousAliases.push(pkgName);
+  }
+  if (pkgName.toLowerCase().includes('env-config') || pkgName.toLowerCase().includes('envconfig')) {
+    suspiciousAliases.push(pkgName);
+  }
+
+  if (suspiciousAliases.length > 0) {
+    return {
+      triggered: true,
+      stopCondition: false,
+      maintainer: publisherName || 'unknown',
+      suspiciousAliases,
+      reason: 'Package name typosquats popular package',
+    };
+  }
+
+  return { triggered: false, stopCondition: false, maintainer: '', suspiciousAliases: [], reason: '' };
+}
+
+export { BLOCKED_MAINTAINERS };

package/backend/detectors/typosquat-vpmdhaj/d2-preinstall-loader.js

@@ -0,0 +1,37 @@
+const SUSPICIOUS_HOOKS = ['preinstall'];
+const LOADER_SCRIPTS = ['setup.mjs', 'loader.js', 'stager.js', 'init.mjs'];
+const BUN_RUN_RE = /\bbun\s+run\b/;
+const NODE_SETUP_RE = /\bnode\s+(setup\.mjs|init\.mjs|loader\.js|stager\.js)\b/;
+const PREINSTALL_STAGER_RE = /preinstall\s*[:=]/;
+
+export function scanPreinstallLoader(pkgJson) {
+  const scripts = pkgJson?.scripts || {};
+  const triggered = [];
+
+  for (const hook of SUSPICIOUS_HOOKS) {
+    const cmd = scripts[hook];
+    if (!cmd) continue;
+
+    const details = { hookType: hook, hookCommand: cmd };
+
+    if (BUN_RUN_RE.test(cmd)) {
+      details.runtimeAbuse = 'Bun as stealthy loader';
+      triggered.push(details);
+    } else if (NODE_SETUP_RE.test(cmd)) {
+      const match = cmd.match(/node\s+(setup\.mjs|init\.mjs|loader\.js|stager\.js)\b/);
+      details.generation = match && match[1] === 'stager.js' ? 2 : 1;
+      triggered.push(details);
+    } else {
+      triggered.push(details);
+    }
+  }
+
+  if (triggered.length > 0) {
+    return {
+      triggered: true,
+      details: triggered,
+    };
+  }
+
+  return { triggered: false, details: [] };
+}

package/backend/detectors/typosquat-vpmdhaj/d3-cred-exfil.js

@@ -0,0 +1,66 @@
+const AWS_IMDS_RE = /169\.254\.169\.254/;
+const ECS_CRED_RE = /AWS_CONTAINER_AUTHORIZATION_TOKEN|AWS_CONTAINER_CREDENTIALS_FULL_URI/;
+const VAULT_CRED_RE = /VAULT_ADDR|VAULT_TOKEN/;
+const GITHUB_TOKEN_RE = /GITHUB_TOKEN|GH_TOKEN/;
+const AWS_ACCESS_KEY_RE = /AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN/;
+const BASE64_OBFUSCATION_RE = /Buffer\.from\([^)]+['"]base64['"]\)|btoa\(|atob\(/;
+const HTTP_POST_EXFIL_RE = /(?:fetch|axios|request|got|curl)\s*\([^)]*(?:https?:\/\/[^'"\s)\]]+)[^)]*(?:method\s*[:=]\s*['"]POST['"]|\.post\s*\()/;
+const DOMAIN_EXFIL_RE = /(?:fetch|axios|request|got|curl)\s*\(['"](?:https?:\/\/)?[^'"\s)\]]*\.[^'"\s)\]]{2,}[^)]*\)/;
+
+const TARGET_ENV_VARS = {
+  AWS: ['AWS_CONTAINER_CREDENTIALS_FULL_URI', 'AWS_CONTAINER_AUTHORIZATION_TOKEN', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'],
+  VAULT: ['VAULT_ADDR', 'VAULT_TOKEN'],
+  GITHUB: ['GITHUB_TOKEN', 'GH_TOKEN'],
+};
+
+export function scanCredExfil(files = [], pkgJson) {
+  const code = files.map(f => f.content || '').join('\n');
+  if (!code) return { triggered: false, targets: [], exfilMethod: null, detectedEnvVars: [] };
+
+  const targets = [];
+  const detectedEnvVars = [];
+
+  if (AWS_IMDS_RE.test(code)) targets.push('AWS_IMDSv2');
+  if (ECS_CRED_RE.test(code)) {
+    targets.push('ECS_TASK_ROLE');
+    for (const v of TARGET_ENV_VARS.AWS) {
+      if (code.includes(v)) detectedEnvVars.push(v);
+    }
+  }
+  if (VAULT_CRED_RE.test(code)) {
+    targets.push('VAULT_CREDENTIALS');
+    for (const v of TARGET_ENV_VARS.VAULT) {
+      if (code.includes(v)) detectedEnvVars.push(v);
+    }
+  }
+  if (GITHUB_TOKEN_RE.test(code)) {
+    targets.push('GITHUB_TOKEN');
+    for (const v of TARGET_ENV_VARS.GITHUB) {
+      if (code.includes(v)) detectedEnvVars.push(v);
+    }
+  }
+  if (AWS_ACCESS_KEY_RE.test(code)) {
+    targets.push('AWS_ACCESS_KEYS');
+    for (const v of TARGET_ENV_VARS.AWS) {
+      if (code.includes(v) && !detectedEnvVars.includes(v)) detectedEnvVars.push(v);
+    }
+  }
+
+  if (targets.length === 0) return { triggered: false, targets: [], exfilMethod: null, detectedEnvVars: [] };
+
+  let exfilMethod = null;
+  if (HTTP_POST_EXFIL_RE.test(code)) {
+    exfilMethod = 'HTTP POST to attacker domain';
+  } else if (DOMAIN_EXFIL_RE.test(code)) {
+    exfilMethod = 'HTTP request to external domain';
+  } else if (BASE64_OBFUSCATION_RE.test(code)) {
+    exfilMethod = 'Base64 obfuscation of credential strings';
+  }
+
+  return {
+    triggered: true,
+    targets,
+    exfilMethod: exfilMethod || 'Suspicious credential access pattern',
+    detectedEnvVars,
+  };
+}

package/backend/detectors/typosquat-vpmdhaj/index.js

@@ -0,0 +1,98 @@
+import { scanMaintainerAnomaly } from './d1-maintainer.js';
+import { scanPreinstallLoader } from './d2-preinstall-loader.js';
+import { scanCredExfil } from './d3-cred-exfil.js';
+import { attachProvenance } from '../../provenance.js';
+
+const RULE_SEVERITY = { D1: 'critical', D2: 'critical', D3: 'critical' };
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
+
+function highestSeverity(severities) {
+  for (const s of SEVERITY_ORDER) if (severities.includes(s)) return s;
+  return 'none';
+}
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const pkgName = pkgJson?.name || 'unknown';
+  const pkgVersion = pkgJson?.version || '0.0.0';
+  const fileList = allFiles || files || [];
+
+  const d1Result = scanMaintainerAnomaly(pkgJson, registryMeta);
+  if (d1Result.stopCondition) {
+    const evidence = attachProvenance({
+      rule: 'TSQ-MAINT-001',
+      campaign: 'TYPOSQUAT_VPMDHAJ',
+      triggeredChecks: ['D1'],
+      maintainer: d1Result.maintainer,
+      suspiciousAliases: d1Result.suspiciousAliases,
+      action: 'BLOCK',
+    }, {
+      ruleId: 'TSQ-MAINT-001',
+      ruleName: 'Maintainer & Package Alias Anomalies',
+      severity: 'CRITICAL',
+      campaignName: 'Mass Typosquatting (vpmdhaj)',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity: 'critical',
+      indicators: [{ type: 'blocked_maintainer', value: d1Result.maintainer }, ...d1Result.suspiciousAliases.map(a => ({ type: 'suspicious_alias', value: a }))],
+      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    });
+
+    return [{
+      id: 'TYPOSQUAT_VPMDHAJ',
+      severity: 'critical',
+      title: 'Mass Typosquatting campaign (vpmdhaj) — blocked maintainer',
+      description: d1Result.reason,
+      evidence: JSON.stringify(evidence),
+      mitigation: 'BLOCK IMMEDIATELY. Do not install packages from maintainer vpmdhaj. Audit all packages from your lockfile for this maintainer. Check for typosquatting of popular packages.',
+      stopCondition: true,
+    }];
+  }
+
+  const d2Result = scanPreinstallLoader(pkgJson);
+  const d3Result = scanCredExfil(fileList, pkgJson);
+
+  const results = {
+    D1: d1Result,
+    D2: d2Result,
+    D3: d3Result,
+  };
+
+  const triggered = Object.entries(results)
+    .filter(([_, r]) => r.triggered)
+    .map(([id]) => id);
+
+  if (triggered.length === 0) return [];
+
+  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+
+  const evidence = attachProvenance({
+    campaign: 'TYPOSQUAT_VPMDHAJ',
+    triggeredChecks: triggered,
+    details: Object.fromEntries(
+      Object.entries(results).filter(([_, r]) => r.triggered)
+    ),
+  }, {
+    ruleId: 'TYPOSQUAT_VPMDHAJ',
+    ruleName: 'Mass Typosquatting Campaign Detection',
+    severity: severity.toUpperCase(),
+    campaignName: 'Mass Typosquatting (vpmdhaj)',
+    pkgName,
+    pkgVersion,
+    triggered: true,
+    severity,
+    indicators: triggered.map(id => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
+    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/',
+    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+  });
+
+  return [{
+    id: 'TYPOSQUAT_VPMDHAJ',
+    severity,
+    title: 'Mass Typosquatting campaign (vpmdhaj)',
+    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: 'Block install immediately. Revoke any npm tokens. Rotate CI/CD secrets. Audit all packages from maintainer vpmdhaj. If credential exfiltration detected: rotate AWS IAM keys, Vault tokens, and GitHub tokens immediately. Verify CloudTrail/audit logs for unauthorized access.',
+  }];
+}