npm - @lateos/npm-scan - Versions diffs - 0.16.4 → 0.16.5 - Mend

@lateos/npm-scan 0.16.4 → 0.16.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (96) hide show

package/.dockerignore +20 -20
package/.husky/pre-commit +1 -1
package/CHANGELOG.md +199 -199
package/LICENSING.md +19 -19
package/README.de.md +708 -708
package/README.fr.md +707 -707
package/README.ja.md +704 -704
package/README.md +826 -826
package/README.zh.md +708 -708
package/SECURITY.md +72 -72
package/backend/cra.js +68 -68
package/backend/db/schema.sql +32 -32
package/backend/db.js +88 -88
package/backend/detectors/atk-001-lifecycle.js +17 -17
package/backend/detectors/atk-002-obfusc.js +261 -261
package/backend/detectors/atk-003-creds.js +13 -13
package/backend/detectors/atk-004-persist.js +13 -13
package/backend/detectors/atk-005-exfil.js +13 -13
package/backend/detectors/atk-006-depconf.js +14 -14
package/backend/detectors/atk-007-typosquat.js +34 -34
package/backend/detectors/atk-008-tarball-tamper.js +91 -91
package/backend/detectors/atk-009-dormant-trigger.js +62 -62
package/backend/detectors/atk-010-sandbox-evasion.js +50 -50
package/backend/detectors/atk-011-transitive-prop.js +76 -76
package/backend/detectors/cve-2026-48710-badhost/codePattern.js +99 -99
package/backend/detectors/cve-2026-48710-badhost/findings.js +105 -105
package/backend/detectors/cve-2026-48710-badhost/index.js +15 -15
package/backend/detectors/cve-2026-48710-badhost/manifest.js +305 -305
package/backend/detectors/cve-2026-48710-badhost/transitive.js +189 -189
package/backend/detectors/hf-impersonation/index.js +396 -396
package/backend/detectors/hf-impersonation/jaro-winkler.js +44 -44
package/backend/detectors/hf-impersonation/known-orgs.js +5 -5
package/backend/detectors/hf-impersonation/simhash.js +46 -46
package/backend/detectors/index.js +75 -44
package/backend/detectors/megalodon/d1-workflow-scan.js +147 -147
package/backend/detectors/megalodon/d2-credential-harvest.js +61 -61
package/backend/detectors/megalodon/d3-publish-velocity.js +67 -67
package/backend/detectors/megalodon/d4-publisher-drift.js +124 -124
package/backend/detectors/megalodon/d5-bot-commit-identity.js +3 -3
package/backend/detectors/megalodon/d6-date-anachronism.js +3 -3
package/backend/detectors/megalodon/index.js +80 -80
package/backend/detectors/megalodon/types.js +9 -9
package/backend/detectors/mini-shai-hulud/d1-burst-publish.js +42 -42
package/backend/detectors/mini-shai-hulud/d2-sibling-compromise.js +116 -116
package/backend/detectors/mini-shai-hulud/d3-slsa-mismatch.js +72 -72
package/backend/detectors/mini-shai-hulud/d4-maintainer-anomaly.js +45 -45
package/backend/detectors/mini-shai-hulud/d5-ioc-check.js +95 -95
package/backend/detectors/mini-shai-hulud/d6-token-exfil.js +38 -38
package/backend/detectors/mini-shai-hulud/index.js +118 -118
package/backend/detectors/mini-shai-hulud/iocs.json +79 -79
package/backend/detectors/tier1-binary-embed.js +219 -0
package/backend/detectors/tier1-infostealer.js +280 -0
package/backend/detectors/tier1-lifecycle-hook.js +176 -0
package/backend/detectors/tier1-metadata-spoof.js +180 -0
package/backend/detectors/tier1-typosquat.js +219 -0
package/backend/fetch.js +175 -175
package/backend/index.js +4 -4
package/backend/license.js +89 -89
package/backend/lockfile.js +379 -379
package/backend/pdf.js +245 -245
package/backend/policy.js +193 -176
package/backend/report.js +254 -254
package/backend/sbom.js +66 -66
package/backend/siem/cef.js +32 -32
package/backend/siem/ecs.js +40 -40
package/backend/siem/index.js +18 -18
package/backend/siem/qradar.js +56 -56
package/backend/siem/sentinel.js +27 -27
package/backend/vsix-scan/detectors/activation-event-risk.js +116 -116
package/backend/vsix-scan/detectors/burst-publish.js +52 -52
package/backend/vsix-scan/detectors/exfil-pattern.js +88 -88
package/backend/vsix-scan/detectors/known-ioc.js +105 -105
package/backend/vsix-scan/detectors/orphan-commit-fetch.js +69 -69
package/backend/vsix-scan/detectors/publisher-anomaly.js +70 -70
package/backend/vsix-scan/index.js +183 -183
package/backend/vsix-scan/marketplace-client.js +145 -145
package/backend/vsix-scan/vsix-iocs.json +31 -31
package/cli/cli.js +458 -458
package/deploy/helm/npm-scan/Chart.yaml +21 -21
package/deploy/helm/npm-scan/templates/_helpers.tpl +8 -8
package/deploy/helm/npm-scan/templates/api.yaml +93 -93
package/deploy/helm/npm-scan/templates/ingress.yaml +27 -27
package/deploy/helm/npm-scan/templates/postgresql.yaml +66 -66
package/deploy/helm/npm-scan/templates/secrets.yaml +18 -18
package/deploy/helm/npm-scan/templates/worker.yaml +31 -31
package/deploy/helm/npm-scan/values.byoc.yaml +74 -74
package/deploy/helm/npm-scan/values.yaml +102 -102
package/package.json +57 -57
package/scripts/download-corpus.js +30 -30
package/scripts/gen-mal-corpus.js +34 -34
package/scripts/generate-campaign-fixtures.js +170 -0
package/src/config/top-5000.json +87 -0
package/test/fixtures/lockfiles/npm-lock.json +68 -68
package/test/fixtures/lockfiles/pnpm-lock.yaml +117 -117
package/test/fixtures/lockfiles/yarn.lock +103 -103
package/test/fixtures/mock-data.js +69 -69

package/backend/detectors/megalodon/index.js CHANGED Viewed

@@ -1,80 +1,80 @@
-import { MegalodonSignal } from './types.js';
-import { scan as scanD1 } from './d1-workflow-scan.js';
-import { scan as scanD2 } from './d2-credential-harvest.js';
-import { scan as scanD3 } from './d3-publish-velocity.js';
-import { scan as scanD4 } from './d4-publisher-drift.js';
-import { scan as scanD5 } from './d5-bot-commit-identity.js';
-import { scan as scanD6 } from './d6-date-anachronism.js';
-const SIGNAL_SEVERITY = {
-  [MegalodonSignal.WORKFLOW_C2_EXFIL]: 5,
-  [MegalodonSignal.WORKFLOW_DECODE_CHAIN]: 4,
-  [MegalodonSignal.PUBLISH_VELOCITY]: 4,
-  [MegalodonSignal.PUBLISHER_DRIFT]: 4,
-  [MegalodonSignal.CREDENTIAL_HARVEST]: 3,
-  [MegalodonSignal.BOT_COMMIT_IDENTITY]: 2,
-  [MegalodonSignal.DATE_ANACHRONISM]: 2,
-};
-const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical', 'critical'];
-function resolveSeverity(signals, d4Evidence) {
-  let maxScore = 0;
-  for (const s of signals) {
-    maxScore = Math.max(maxScore, SIGNAL_SEVERITY[s] || 0);
-  }
-  const d4Hint = d4Evidence.find(e => e._severityHint);
-  if (d4Hint) {
-    const hintScore = d4Hint._severityHint === 'HIGH' ? 4 : d4Hint._severityHint === 'MEDIUM' ? 3 : 0;
-    maxScore = Math.max(maxScore, hintScore);
-  }
-  return SEVERITY_LABELS[maxScore] || 'none';
-}
-export async function scanAll(pkgJson, allFiles = [], registryMeta = {}) {
-  const allEvidence = [];
-  const d1Ev = await scanD1(allFiles);
-  allEvidence.push(...d1Ev);
-  const d2Ev = await scanD2(allFiles);
-  allEvidence.push(...d2Ev);
-  const d3Ev = await scanD3(registryMeta);
-  allEvidence.push(...d3Ev);
-  const velocityResult = d3Ev.length > 0 ? {
-    triggered: true,
-    windowStartISO: d3Ev[0]._windowStartISO || null,
-    versionsInWindow: d3Ev[0].excerpt || '',
-    _allVersions: d3Ev[0]._allVersions || [],
-  } : { triggered: false, versionsInWindow: [], windowStartISO: null };
-  const d4Ev = await scanD4(registryMeta, velocityResult);
-  allEvidence.push(...d4Ev);
-  allEvidence.push(...await scanD5(registryMeta));
-  allEvidence.push(...await scanD6(pkgJson, registryMeta));
-  const signals = [...new Set(allEvidence.map(e => e.signal).filter(Boolean))];
-  if (signals.length === 0) return [];
-  const severity = resolveSeverity(signals, d4Ev);
-  const cleaned = allEvidence.map(({ _windowStartISO, _allVersions, _severityHint, ...rest }) => rest);
-  return [{
-    id: 'MEGALODON',
-    severity,
-    title: 'Megalodon CI/CD attack campaign',
-    description: `${signals.length} signal(s): ${signals.join(', ')}`,
-    evidence: JSON.stringify({
-      campaign: 'MEGALODON',
-      signals,
-      evidence: cleaned,
-    }),
-  }];
-}
+import { MegalodonSignal } from './types.js';
+import { scan as scanD1 } from './d1-workflow-scan.js';
+import { scan as scanD2 } from './d2-credential-harvest.js';
+import { scan as scanD3 } from './d3-publish-velocity.js';
+import { scan as scanD4 } from './d4-publisher-drift.js';
+import { scan as scanD5 } from './d5-bot-commit-identity.js';
+import { scan as scanD6 } from './d6-date-anachronism.js';
+const SIGNAL_SEVERITY = {
+  [MegalodonSignal.WORKFLOW_C2_EXFIL]: 5,
+  [MegalodonSignal.WORKFLOW_DECODE_CHAIN]: 4,
+  [MegalodonSignal.PUBLISH_VELOCITY]: 4,
+  [MegalodonSignal.PUBLISHER_DRIFT]: 4,
+  [MegalodonSignal.CREDENTIAL_HARVEST]: 3,
+  [MegalodonSignal.BOT_COMMIT_IDENTITY]: 2,
+  [MegalodonSignal.DATE_ANACHRONISM]: 2,
+};
+const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical', 'critical'];
+function resolveSeverity(signals, d4Evidence) {
+  let maxScore = 0;
+  for (const s of signals) {
+    maxScore = Math.max(maxScore, SIGNAL_SEVERITY[s] || 0);
+  }
+  const d4Hint = d4Evidence.find(e => e._severityHint);
+  if (d4Hint) {
+    const hintScore = d4Hint._severityHint === 'HIGH' ? 4 : d4Hint._severityHint === 'MEDIUM' ? 3 : 0;
+    maxScore = Math.max(maxScore, hintScore);
+  }
+  return SEVERITY_LABELS[maxScore] || 'none';
+}
+export async function scanAll(pkgJson, allFiles = [], registryMeta = {}) {
+  const allEvidence = [];
+  const d1Ev = await scanD1(allFiles);
+  allEvidence.push(...d1Ev);
+  const d2Ev = await scanD2(allFiles);
+  allEvidence.push(...d2Ev);
+  const d3Ev = await scanD3(registryMeta);
+  allEvidence.push(...d3Ev);
+  const velocityResult = d3Ev.length > 0 ? {
+    triggered: true,
+    windowStartISO: d3Ev[0]._windowStartISO || null,
+    versionsInWindow: d3Ev[0].excerpt || '',
+    _allVersions: d3Ev[0]._allVersions || [],
+  } : { triggered: false, versionsInWindow: [], windowStartISO: null };
+  const d4Ev = await scanD4(registryMeta, velocityResult);
+  allEvidence.push(...d4Ev);
+  allEvidence.push(...await scanD5(registryMeta));
+  allEvidence.push(...await scanD6(pkgJson, registryMeta));
+  const signals = [...new Set(allEvidence.map(e => e.signal).filter(Boolean))];
+  if (signals.length === 0) return [];
+  const severity = resolveSeverity(signals, d4Ev);
+  const cleaned = allEvidence.map(({ _windowStartISO, _allVersions, _severityHint, ...rest }) => rest);
+  return [{
+    id: 'MEGALODON',
+    severity,
+    title: 'Megalodon CI/CD attack campaign',
+    description: `${signals.length} signal(s): ${signals.join(', ')}`,
+    evidence: JSON.stringify({
+      campaign: 'MEGALODON',
+      signals,
+      evidence: cleaned,
+    }),
+  }];
+}

package/backend/detectors/megalodon/types.js CHANGED Viewed

@@ -1,9 +1,9 @@
-export const MegalodonSignal = Object.freeze({
-  WORKFLOW_C2_EXFIL: 'D1_WORKFLOW_C2_EXFIL',
-  WORKFLOW_DECODE_CHAIN: 'D1_WORKFLOW_DECODE_CHAIN',
-  CREDENTIAL_HARVEST: 'D2_CREDENTIAL_HARVEST',
-  PUBLISH_VELOCITY: 'D3_PUBLISH_VELOCITY',
-  PUBLISHER_DRIFT: 'D4_PUBLISHER_DRIFT',
-  BOT_COMMIT_IDENTITY: 'D5_BOT_COMMIT_IDENTITY',
-  DATE_ANACHRONISM: 'D6_DATE_ANACHRONISM',
-});
+export const MegalodonSignal = Object.freeze({
+  WORKFLOW_C2_EXFIL: 'D1_WORKFLOW_C2_EXFIL',
+  WORKFLOW_DECODE_CHAIN: 'D1_WORKFLOW_DECODE_CHAIN',
+  CREDENTIAL_HARVEST: 'D2_CREDENTIAL_HARVEST',
+  PUBLISH_VELOCITY: 'D3_PUBLISH_VELOCITY',
+  PUBLISHER_DRIFT: 'D4_PUBLISHER_DRIFT',
+  BOT_COMMIT_IDENTITY: 'D5_BOT_COMMIT_IDENTITY',
+  DATE_ANACHRONISM: 'D6_DATE_ANACHRONISM',
+});

package/backend/detectors/mini-shai-hulud/d1-burst-publish.js CHANGED Viewed

@@ -1,42 +1,42 @@
-export async function checkBurstPublish(registryMeta, config = {}) {
-  const windowMinutes = config.burstWindowMinutes ?? 30;
-  const threshold = config.burstVersionThreshold ?? 3;
-  const times = registryMeta?.time || {};
-  const entries = Object.entries(times)
-    .filter(([v]) => v !== 'created' && v !== 'modified')
-    .filter(([, t]) => t)
-    .map(([v, t]) => [v, new Date(t).getTime()])
-    .filter(([, ts]) => !Number.isNaN(ts))
-    .sort((a, b) => a[1] - b[1]);
-  if (entries.length === 0) return { triggered: false };
-  const windowMs = windowMinutes * 60 * 1000;
-  for (let i = 0; i < entries.length; i++) {
-    const windowStart = entries[i][1];
-    const windowEnd = windowStart + windowMs;
-    const inWindow = [];
-    for (let j = i; j < entries.length; j++) {
-      if (entries[j][1] <= windowEnd) {
-        inWindow.push(entries[j][0]);
-      } else {
-        break;
-      }
-    }
-    if (inWindow.length >= threshold) {
-      return {
-        triggered: true,
-        windowStart: new Date(windowStart).toISOString(),
-        windowEnd: new Date(windowEnd).toISOString(),
-        versionCount: inWindow.length,
-        versions: inWindow,
-      };
-    }
-  }
-  return { triggered: false };
-}
+export async function checkBurstPublish(registryMeta, config = {}) {
+  const windowMinutes = config.burstWindowMinutes ?? 30;
+  const threshold = config.burstVersionThreshold ?? 3;
+  const times = registryMeta?.time || {};
+  const entries = Object.entries(times)
+    .filter(([v]) => v !== 'created' && v !== 'modified')
+    .filter(([, t]) => t)
+    .map(([v, t]) => [v, new Date(t).getTime()])
+    .filter(([, ts]) => !Number.isNaN(ts))
+    .sort((a, b) => a[1] - b[1]);
+  if (entries.length === 0) return { triggered: false };
+  const windowMs = windowMinutes * 60 * 1000;
+  for (let i = 0; i < entries.length; i++) {
+    const windowStart = entries[i][1];
+    const windowEnd = windowStart + windowMs;
+    const inWindow = [];
+    for (let j = i; j < entries.length; j++) {
+      if (entries[j][1] <= windowEnd) {
+        inWindow.push(entries[j][0]);
+      } else {
+        break;
+      }
+    }
+    if (inWindow.length >= threshold) {
+      return {
+        triggered: true,
+        windowStart: new Date(windowStart).toISOString(),
+        windowEnd: new Date(windowEnd).toISOString(),
+        versionCount: inWindow.length,
+        versions: inWindow,
+      };
+    }
+  }
+  return { triggered: false };
+}

package/backend/detectors/mini-shai-hulud/d2-sibling-compromise.js CHANGED Viewed

@@ -1,116 +1,116 @@
-const siblingCache = new Map();
-export function clearSiblingCache() {
-  siblingCache.clear();
-}
-function checkBurstOnTimeMap(timeMap, windowMinutes, threshold) {
-  const entries = Object.entries(timeMap)
-    .filter(([v]) => v !== 'created' && v !== 'modified')
-    .filter(([, t]) => t)
-    .map(([v, t]) => [v, new Date(t).getTime()])
-    .filter(([, ts]) => !Number.isNaN(ts))
-    .sort((a, b) => a[1] - b[1]);
-  if (entries.length === 0) return null;
-  const windowMs = windowMinutes * 60 * 1000;
-  for (let i = 0; i < entries.length; i++) {
-    const wStart = entries[i][1];
-    const wEnd = wStart + windowMs;
-    const inWindow = [];
-    for (let j = i; j < entries.length; j++) {
-      if (entries[j][1] <= wEnd) {
-        inWindow.push(entries[j][0]);
-      } else {
-        break;
-      }
-    }
-    if (inWindow.length >= threshold) {
-      return {
-        windowStart: new Date(wStart).toISOString(),
-        windowEnd: new Date(wEnd).toISOString(),
-        versionCount: inWindow.length,
-      };
-    }
-  }
-  return null;
-}
-export async function checkSiblingCompromise(pkgJson, config = {}) {
-  const windowMinutes = config.burstWindowMinutes ?? 30;
-  const threshold = config.burstVersionThreshold ?? 3;
-  const deps = {
-    ...pkgJson.dependencies,
-    ...pkgJson.devDependencies,
-    ...pkgJson.peerDependencies,
-  };
-  const scopedDeps = {};
-  for (const name of Object.keys(deps)) {
-    if (name.startsWith('@')) {
-      const scope = name.split('/')[0];
-      if (!scopedDeps[scope]) scopedDeps[scope] = [];
-      scopedDeps[scope].push(name);
-    }
-  }
-  if (Object.keys(scopedDeps).length === 0) return { triggered: false };
-  const results = [];
-  for (const [scope, packages] of Object.entries(scopedDeps)) {
-    if (packages.length < 2) continue;
-    const burstSiblings = [];
-    for (const pkg of packages) {
-      let timeData = siblingCache.get(pkg);
-      if (!timeData) {
-        try {
-          const url = `https://registry.npmjs.org/${encodeURIComponent(pkg)}`;
-          const res = await fetch(url);
-          if (!res.ok) continue;
-          const data = await res.json();
-          timeData = data.time || {};
-          siblingCache.set(pkg, timeData);
-        } catch {
-          continue;
-        }
-      }
-      const burstInfo = checkBurstOnTimeMap(timeData, windowMinutes, threshold);
-      if (burstInfo) {
-        burstSiblings.push({ name: pkg, ...burstInfo });
-      }
-    }
-    if (burstSiblings.length >= 2) {
-      const windows = burstSiblings.map(s => ({
-        start: new Date(s.windowStart).getTime(),
-        end: new Date(s.windowEnd).getTime(),
-      }));
-      const overlapStart = Math.max(...windows.map(w => w.start));
-      const overlapEnd = Math.min(...windows.map(w => w.end));
-      if (overlapStart < overlapEnd) {
-        results.push({
-          triggered: true,
-          scope,
-          siblingPackages: burstSiblings.map(s => s.name),
-          windowStart: new Date(overlapStart).toISOString(),
-          windowEnd: new Date(overlapEnd).toISOString(),
-        });
-      }
-    }
-  }
-  if (results.length === 0) return { triggered: false };
-  return { triggered: true, results };
-}
+const siblingCache = new Map();
+export function clearSiblingCache() {
+  siblingCache.clear();
+}
+function checkBurstOnTimeMap(timeMap, windowMinutes, threshold) {
+  const entries = Object.entries(timeMap)
+    .filter(([v]) => v !== 'created' && v !== 'modified')
+    .filter(([, t]) => t)
+    .map(([v, t]) => [v, new Date(t).getTime()])
+    .filter(([, ts]) => !Number.isNaN(ts))
+    .sort((a, b) => a[1] - b[1]);
+  if (entries.length === 0) return null;
+  const windowMs = windowMinutes * 60 * 1000;
+  for (let i = 0; i < entries.length; i++) {
+    const wStart = entries[i][1];
+    const wEnd = wStart + windowMs;
+    const inWindow = [];
+    for (let j = i; j < entries.length; j++) {
+      if (entries[j][1] <= wEnd) {
+        inWindow.push(entries[j][0]);
+      } else {
+        break;
+      }
+    }
+    if (inWindow.length >= threshold) {
+      return {
+        windowStart: new Date(wStart).toISOString(),
+        windowEnd: new Date(wEnd).toISOString(),
+        versionCount: inWindow.length,
+      };
+    }
+  }
+  return null;
+}
+export async function checkSiblingCompromise(pkgJson, config = {}) {
+  const windowMinutes = config.burstWindowMinutes ?? 30;
+  const threshold = config.burstVersionThreshold ?? 3;
+  const deps = {
+    ...pkgJson.dependencies,
+    ...pkgJson.devDependencies,
+    ...pkgJson.peerDependencies,
+  };
+  const scopedDeps = {};
+  for (const name of Object.keys(deps)) {
+    if (name.startsWith('@')) {
+      const scope = name.split('/')[0];
+      if (!scopedDeps[scope]) scopedDeps[scope] = [];
+      scopedDeps[scope].push(name);
+    }
+  }
+  if (Object.keys(scopedDeps).length === 0) return { triggered: false };
+  const results = [];
+  for (const [scope, packages] of Object.entries(scopedDeps)) {
+    if (packages.length < 2) continue;
+    const burstSiblings = [];
+    for (const pkg of packages) {
+      let timeData = siblingCache.get(pkg);
+      if (!timeData) {
+        try {
+          const url = `https://registry.npmjs.org/${encodeURIComponent(pkg)}`;
+          const res = await fetch(url);
+          if (!res.ok) continue;
+          const data = await res.json();
+          timeData = data.time || {};
+          siblingCache.set(pkg, timeData);
+        } catch {
+          continue;
+        }
+      }
+      const burstInfo = checkBurstOnTimeMap(timeData, windowMinutes, threshold);
+      if (burstInfo) {
+        burstSiblings.push({ name: pkg, ...burstInfo });
+      }
+    }
+    if (burstSiblings.length >= 2) {
+      const windows = burstSiblings.map(s => ({
+        start: new Date(s.windowStart).getTime(),
+        end: new Date(s.windowEnd).getTime(),
+      }));
+      const overlapStart = Math.max(...windows.map(w => w.start));
+      const overlapEnd = Math.min(...windows.map(w => w.end));
+      if (overlapStart < overlapEnd) {
+        results.push({
+          triggered: true,
+          scope,
+          siblingPackages: burstSiblings.map(s => s.name),
+          windowStart: new Date(overlapStart).toISOString(),
+          windowEnd: new Date(overlapEnd).toISOString(),
+        });
+      }
+    }
+  }
+  if (results.length === 0) return { triggered: false };
+  return { triggered: true, results };
+}

package/backend/detectors/mini-shai-hulud/d3-slsa-mismatch.js CHANGED Viewed

@@ -1,72 +1,72 @@
-export async function checkSlsaMismatch(packageName, version, burstWindow, timeMap = {}, config = {}) {
-  if (!burstWindow?.triggered) return { triggered: false };
-  const anomalies = [];
-  const publishTime = timeMap?.[version];
-  if (!publishTime) return { triggered: false };
-  try {
-    const url = `https://registry.npmjs.org/-/npm/v1/attestations/${encodeURIComponent(packageName)}/${encodeURIComponent(version)}`;
-    const res = await fetch(url);
-    if (!res.ok) return { triggered: false };
-    const data = await res.json();
-    const attestations = data?.attestations || [];
-    if (attestations.length === 0) return { triggered: false };
-    const publishMs = new Date(publishTime).getTime();
-    if (Number.isNaN(publishMs)) return { triggered: false };
-    // Check if this is the first-ever attested version for this package
-    const allVersions = Object.keys(timeMap).filter(v => v !== 'created' && v !== 'modified');
-    const currentIdx = allVersions.indexOf(version);
-    let prevHadAttestation = false;
-    if (currentIdx > 0) {
-      const priorVersions = allVersions.slice(0, currentIdx).slice(-2);
-      for (const pv of priorVersions) {
-        try {
-          const purl = `https://registry.npmjs.org/-/npm/v1/attestations/${encodeURIComponent(packageName)}/${encodeURIComponent(pv)}`;
-          const pres = await fetch(purl);
-          if (pres.ok) {
-            const pdata = await pres.json();
-            if (pdata?.attestations?.length > 0) {
-              prevHadAttestation = true;
-              break;
-            }
-          }
-        } catch {
-          // skip prior version check
-        }
-      }
-      if (!prevHadAttestation && priorVersions.length > 0) {
-        anomalies.push(`First-ever SLSA attestation for ${packageName}, published in burst window`);
-      }
-    }
-    for (const att of attestations) {
-      const ts = att?.timestamp;
-      if (ts) {
-        const attMs = new Date(ts).getTime();
-        if (!Number.isNaN(attMs) && attMs >= publishMs && (attMs - publishMs) < 60000) {
-          const gapMs = attMs - publishMs;
-          anomalies.push(`Sub-60s attestation gap for ${version}: ${gapMs}ms`);
-        }
-      }
-      const builderId = att?.predicate?.runDetails?.builder?.id;
-      if (builderId) {
-        const knownPrefixes = ['https://github.com/', 'https://gitlab.com/', 'https://circleci.com/'];
-        const isKnown = knownPrefixes.some(p => builderId.startsWith(p));
-        if (!isKnown) {
-          anomalies.push(`Unrecognized builder ID for ${version}: ${builderId}`);
-        }
-      }
-    }
-  } catch {
-    return { triggered: false };
-  }
-  return { triggered: anomalies.length > 0, anomalies };
-}
+export async function checkSlsaMismatch(packageName, version, burstWindow, timeMap = {}, config = {}) {
+  if (!burstWindow?.triggered) return { triggered: false };
+  const anomalies = [];
+  const publishTime = timeMap?.[version];
+  if (!publishTime) return { triggered: false };
+  try {
+    const url = `https://registry.npmjs.org/-/npm/v1/attestations/${encodeURIComponent(packageName)}/${encodeURIComponent(version)}`;
+    const res = await fetch(url);
+    if (!res.ok) return { triggered: false };
+    const data = await res.json();
+    const attestations = data?.attestations || [];
+    if (attestations.length === 0) return { triggered: false };
+    const publishMs = new Date(publishTime).getTime();
+    if (Number.isNaN(publishMs)) return { triggered: false };
+    // Check if this is the first-ever attested version for this package
+    const allVersions = Object.keys(timeMap).filter(v => v !== 'created' && v !== 'modified');
+    const currentIdx = allVersions.indexOf(version);
+    let prevHadAttestation = false;
+    if (currentIdx > 0) {
+      const priorVersions = allVersions.slice(0, currentIdx).slice(-2);
+      for (const pv of priorVersions) {
+        try {
+          const purl = `https://registry.npmjs.org/-/npm/v1/attestations/${encodeURIComponent(packageName)}/${encodeURIComponent(pv)}`;
+          const pres = await fetch(purl);
+          if (pres.ok) {
+            const pdata = await pres.json();
+            if (pdata?.attestations?.length > 0) {
+              prevHadAttestation = true;
+              break;
+            }
+          }
+        } catch {
+          // skip prior version check
+        }
+      }
+      if (!prevHadAttestation && priorVersions.length > 0) {
+        anomalies.push(`First-ever SLSA attestation for ${packageName}, published in burst window`);
+      }
+    }
+    for (const att of attestations) {
+      const ts = att?.timestamp;
+      if (ts) {
+        const attMs = new Date(ts).getTime();
+        if (!Number.isNaN(attMs) && attMs >= publishMs && (attMs - publishMs) < 60000) {
+          const gapMs = attMs - publishMs;
+          anomalies.push(`Sub-60s attestation gap for ${version}: ${gapMs}ms`);
+        }
+      }
+      const builderId = att?.predicate?.runDetails?.builder?.id;
+      if (builderId) {
+        const knownPrefixes = ['https://github.com/', 'https://gitlab.com/', 'https://circleci.com/'];
+        const isKnown = knownPrefixes.some(p => builderId.startsWith(p));
+        if (!isKnown) {
+          anomalies.push(`Unrecognized builder ID for ${version}: ${builderId}`);
+        }
+      }
+    }
+  } catch {
+    return { triggered: false };
+  }
+  return { triggered: anomalies.length > 0, anomalies };
+}