@lateos/npm-scan 0.16.4 → 0.17.0

package/backend/detectors/mini-shai-hulud/iocs.json

@@ -1,79 +1,79 @@
-{
-  "lastUpdated": "2026-05-24T00:00:00.000Z",
-  "waves": {
-    "wave1": {
-      "id": "mini-shai-hulud-wave1",
-      "description": "TanStack CI/CD hijack (mid-May 2026) — 84 malicious versions across 42 packages in ~6 minutes via compromised GitHub Actions CI. Forged SLSA BL3 provenance attestations.",
-      "windowMinutes": 6,
-      "iocs": [
-        {
-          "type": "packageScope",
-          "value": "@tanstack",
-          "maliciousVersionRanges": [],
-          "notes": "Seed IOC — update from threat intel feed. Affected: @tanstack/router, @tanstack/react-router, @tanstack/query, @tanstack/form, @tanstack/store, @tanstack/virtual, @tanstack/ranger, @tanstack/table."
-        }
-      ]
-    },
-    "wave2": {
-      "id": "mini-shai-hulud-wave2",
-      "description": "AntV/atool maintainer account compromise (late May 2026) — 600+ malicious versions across 300+ packages in ~22 minutes. ~16M weekly download blast radius.",
-      "windowMinutes": 22,
-      "iocs": [
-        {
-          "type": "publisherAccount",
-          "value": "atool",
-          "compromiseWindowStart": "2026-05-20T00:00:00.000Z",
-          "compromiseWindowEnd": null,
-          "notes": "Seed IOC — compromised @antv/atool maintainer account. Update compromise window from threat intel."
-        },
-        {
-          "type": "packageScope",
-          "value": "@antv",
-          "maliciousVersionRanges": [],
-          "notes": "Blast radius: @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js. Seed IOC — update from threat intel."
-        }
-      ]
-    },
-    "wave3": {
-      "id": "nx-console-wave3",
-      "description": "Nx Console 18.95.0 VS Code extension compromise (May 18, 2026, CVE-2026-48027, TeamPCP) — contributor token stolen via TanStack wave1 (May 11), 7-day dwell, malicious extension published using npx to fetch 498KB obfuscated Bun payload from dangling orphan commit on nrwl/nx repo. ~3M installs exposed.",
-      "windowMinutes": 36,
-      "iocs": [
-        {
-          "type": "extensionId",
-          "value": "nrwl.angular-console",
-          "maliciousVersionRanges": ["18.95.0"],
-          "notes": "Nx Console v18.95.0 — malicious VS Code extension. CVE-2026-48027. Exposure window: 11 min on Marketplace, 36 min on Open VSX."
-        },
-        {
-          "type": "publisherAccount",
-          "value": "nrwl",
-          "compromiseWindowStart": "2026-05-11T00:00:00.000Z",
-          "compromiseWindowEnd": "2026-05-18T13:09:00.000Z",
-          "notes": "Nx contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publishing malicious extension on May 18."
-        },
-        {
-          "type": "packageScope",
-          "value": "@nx",
-          "maliciousVersionRanges": [],
-          "notes": "NX_CONSOLE_DOWNSTREAM: npm packages under @nx scope deployed by compromised Nx contributor. Check for versions published within 7 days of 2026-05-18."
-        },
-        {
-          "type": "packageScope",
-          "value": "nrwl",
-          "maliciousVersionRanges": [],
-          "notes": "NX_CONSOLE_DOWNSTREAM: nrwl-scoped npm packages — monitor for anomalous burst publishing."
-        }
-      ]
-    }
-  },
-  "iocs": [
-    {
-      "type": "sha512",
-      "value": "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
-      "package": "@antv/g2",
-      "wave": 2,
-      "notes": "Placeholder sha512 — replace with actual SHA-512 integrity hash from npm dist.integrity of a confirmed malicious version."
-    }
-  ]
-}
+{
+  "lastUpdated": "2026-05-24T00:00:00.000Z",
+  "waves": {
+    "wave1": {
+      "id": "mini-shai-hulud-wave1",
+      "description": "TanStack CI/CD hijack (mid-May 2026) — 84 malicious versions across 42 packages in ~6 minutes via compromised GitHub Actions CI. Forged SLSA BL3 provenance attestations.",
+      "windowMinutes": 6,
+      "iocs": [
+        {
+          "type": "packageScope",
+          "value": "@tanstack",
+          "maliciousVersionRanges": [],
+          "notes": "Seed IOC — update from threat intel feed. Affected: @tanstack/router, @tanstack/react-router, @tanstack/query, @tanstack/form, @tanstack/store, @tanstack/virtual, @tanstack/ranger, @tanstack/table."
+        }
+      ]
+    },
+    "wave2": {
+      "id": "mini-shai-hulud-wave2",
+      "description": "AntV/atool maintainer account compromise (late May 2026) — 600+ malicious versions across 300+ packages in ~22 minutes. ~16M weekly download blast radius.",
+      "windowMinutes": 22,
+      "iocs": [
+        {
+          "type": "publisherAccount",
+          "value": "atool",
+          "compromiseWindowStart": "2026-05-20T00:00:00.000Z",
+          "compromiseWindowEnd": null,
+          "notes": "Seed IOC — compromised @antv/atool maintainer account. Update compromise window from threat intel."
+        },
+        {
+          "type": "packageScope",
+          "value": "@antv",
+          "maliciousVersionRanges": [],
+          "notes": "Blast radius: @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js. Seed IOC — update from threat intel."
+        }
+      ]
+    },
+    "wave3": {
+      "id": "nx-console-wave3",
+      "description": "Nx Console 18.95.0 VS Code extension compromise (May 18, 2026, CVE-2026-48027, TeamPCP) — contributor token stolen via TanStack wave1 (May 11), 7-day dwell, malicious extension published using npx to fetch 498KB obfuscated Bun payload from dangling orphan commit on nrwl/nx repo. ~3M installs exposed.",
+      "windowMinutes": 36,
+      "iocs": [
+        {
+          "type": "extensionId",
+          "value": "nrwl.angular-console",
+          "maliciousVersionRanges": ["18.95.0"],
+          "notes": "Nx Console v18.95.0 — malicious VS Code extension. CVE-2026-48027. Exposure window: 11 min on Marketplace, 36 min on Open VSX."
+        },
+        {
+          "type": "publisherAccount",
+          "value": "nrwl",
+          "compromiseWindowStart": "2026-05-11T00:00:00.000Z",
+          "compromiseWindowEnd": "2026-05-18T13:09:00.000Z",
+          "notes": "Nx contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publishing malicious extension on May 18."
+        },
+        {
+          "type": "packageScope",
+          "value": "@nx",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: npm packages under @nx scope deployed by compromised Nx contributor. Check for versions published within 7 days of 2026-05-18."
+        },
+        {
+          "type": "packageScope",
+          "value": "nrwl",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: nrwl-scoped npm packages — monitor for anomalous burst publishing."
+        }
+      ]
+    }
+  },
+  "iocs": [
+    {
+      "type": "sha512",
+      "value": "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+      "package": "@antv/g2",
+      "wave": 2,
+      "notes": "Placeholder sha512 — replace with actual SHA-512 integrity hash from npm dist.integrity of a confirmed malicious version."
+    }
+  ]
+}

package/backend/detectors/tier1-binary-embed.js

@@ -0,0 +1,219 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const BINARY_DIRS = ['bin/', 'native/'];
+const BINARY_EXTS = ['.exe', '.dll', '.so', '.dylib', '.wasm', '.node', '.o', '.a'];
+const BINARY_FILENAMES = ['bun', 'deno', 'go', 'rustc', 'python', 'python3', 'ruby', 'php'];
+
+const CHILD_PROC_RE = /\b(?:spawn|exec|execSync|spawnSync|fork)\s*\(/g;
+const FS_CHMOD_RE = /fs\.chmod\s*\(/g;
+
+function detectMagicBytes(content) {
+  if (!content || content.length < 4) return null;
+
+  const c0 = content.charCodeAt(0);
+  const c1 = content.charCodeAt(1);
+  const c2 = content.charCodeAt(2);
+  const c3 = content.charCodeAt(3);
+
+  if (c0 === 0x7f && content.slice(1, 4) === 'ELF') return 'elf_embedded';
+  if (c0 === 0x4d && c1 === 0x5a) return 'pe_embedded';
+  if (c0 === 0x00 && content.slice(1, 4) === 'asm') return 'wasm_embedded';
+
+  const machO = (c0 === 0xfe && c1 === 0xed && c2 === 0xfa && (c3 === 0xce || c3 === 0xcf)) ||
+    (c0 === 0xce && c1 === 0xfa && c2 === 0xed && (c3 === 0xfe || c3 === 0xcf)) ||
+    (c0 === 0xcf && c1 === 0xfa && c2 === 0xed && c3 === 0xfe);
+  if (machO) return 'macho_embedded';
+
+  const universal = c0 === 0xca && c1 === 0xfe && c2 === 0xba && c3 === 0xbe;
+  if (universal) return 'macho_embedded';
+
+  return null;
+}
+
+function isInBinaryDir(filePath) {
+  const normalized = filePath.replace(/\\/g, '/');
+  return BINARY_DIRS.some(dir => normalized.includes(`/${dir}`) || normalized.startsWith(dir));
+}
+
+function hasBinaryExt(filePath) {
+  const lower = filePath.toLowerCase();
+  return BINARY_EXTS.some(ext => lower.endsWith(ext));
+}
+
+function isKnownBinaryName(fileName) {
+  const base = fileName.replace(/\.\w+$/, '').toLowerCase();
+  return BINARY_FILENAMES.includes(base);
+}
+
+function isDeclared(pkgJson, fileName) {
+  if (!pkgJson) return false;
+  const baseName = fileName.split(/[/\\]/).pop();
+
+  if (pkgJson.bin) {
+    if (typeof pkgJson.bin === 'string' && pkgJson.bin === baseName) return true;
+    if (typeof pkgJson.bin === 'object' && Object.values(pkgJson.bin).some(v => v === baseName || v.endsWith(`/${baseName}`))) return true;
+  }
+
+  if (pkgJson.optionalDependencies) {
+    for (const [name, val] of Object.entries(pkgJson.optionalDependencies)) {
+      if (name === baseName) return true;
+    }
+  }
+
+  if (pkgJson.gypfile === true || pkgJson.scripts?.install?.includes('node-gyp') || pkgJson.scripts?.install?.includes('node-pre-gyp')) {
+    if (baseName.endsWith('.node')) return true;
+  }
+
+  return false;
+}
+
+export const name = 'tier1-binary-embed';
+
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const pkgName = pkgJson?.name;
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  if (!allFiles || allFiles.length === 0) return [];
+
+  if (pkgName && (
+    pkgName === 'electron' || pkgName === 'puppeteer' || pkgName === 'sharp' ||
+    pkgName === 'esbuild' || pkgName === 'node-gyp' || pkgName === 'node-pre-gyp' ||
+    pkgName === '@mapbox/node-pre-gyp'
+  )) return [];
+
+  const binaries = [];
+
+  for (const f of allFiles) {
+    const content = f.content || '';
+    const filePath = f.path || f.name || '';
+    const fileName = filePath.split(/[/\\]/).pop();
+    const fileSize = content.length;
+
+    const magic = detectMagicBytes(content);
+    const inBinDir = isInBinaryDir(filePath);
+    const hasExt = hasBinaryExt(filePath);
+    const knownName = isKnownBinaryName(fileName);
+    const largeFile = fileSize > 100000000;
+
+    if (magic || inBinDir || hasExt || knownName) {
+      const declared = isDeclared(pkgJson, filePath);
+
+      binaries.push({
+        file: filePath,
+        size: fileSize,
+        magic,
+        inBinDir,
+        hasExt,
+        knownName,
+        declared,
+        largeFile,
+      });
+    }
+  }
+
+  if (binaries.length === 0) return [];
+
+  const jsCode = (jsFiles || []).map(f => f.content || '').join('\n');
+  const invoked = CHILD_PROC_RE.test(jsCode) || FS_CHMOD_RE.test(jsCode);
+
+  const invokedFiles = [];
+  if (jsFiles && invoked) {
+    for (const f of jsFiles) {
+      const c = f.content || '';
+      CHILD_PROC_RE.lastIndex = 0;
+      FS_CHMOD_RE.lastIndex = 0;
+      if (CHILD_PROC_RE.test(c) || FS_CHMOD_RE.test(c)) {
+        invokedFiles.push(f.path || f.name || 'unknown.js');
+      }
+    }
+  }
+
+  const findings = [];
+
+  for (const bin of binaries) {
+    let baseScore;
+    let subtype;
+
+    if (bin.magic === 'elf_embedded') {
+      baseScore = 95;
+      subtype = 'elf_embedded';
+    } else if (bin.magic === 'pe_embedded') {
+      baseScore = 95;
+      subtype = 'pe_embedded';
+    } else if (bin.magic === 'macho_embedded') {
+      baseScore = 95;
+      subtype = 'macho_embedded';
+    } else if (bin.magic === 'wasm_embedded') {
+      baseScore = 60;
+      subtype = 'wasm_embedded';
+    } else {
+      baseScore = 60;
+      subtype = 'magic_byte_unknown';
+    }
+
+    let score = baseScore;
+
+    if (bin.inBinDir) score += 15;
+
+    if (!bin.declared) score += 50;
+
+    if (invoked && invokedFiles.length > 0) score += 25;
+
+    const confidenceScore = Math.max(50, Math.min(100, score));
+
+    function severityLabel(sc) {
+      if (sc >= 90) return 'critical';
+      if (sc >= 70) return 'high';
+      return 'medium';
+    }
+
+    function confidenceLabel(sc) {
+      if (sc >= 95) return 'CRITICAL';
+      if (sc >= 80) return 'HIGH';
+      if (sc >= 60) return 'MEDIUM';
+      return 'LOW';
+    }
+
+    const evidence = [
+      `binary: ${bin.file.split(/[/\\]/).pop()}${bin.magic ? ` (${bin.magic.toUpperCase().replace('_EMBEDDED', '')})` : ''}`,
+      `path: ${bin.file}`,
+      `declared: ${bin.declared}`,
+    ];
+    if (invoked && invokedFiles.length > 0) {
+      evidence.push(`invoked: child_process usage in ${invokedFiles.length} file(s)`);
+      evidence.push(`invoked_file: ${invokedFiles[0]}`);
+    }
+
+    const locations = [
+      { file: bin.file, size: bin.size },
+    ];
+
+    if (invokedFiles.length > 0) {
+      locations.push({ file: invokedFiles[0], line: 0 });
+    }
+
+    let message;
+    if (!bin.declared) {
+      message = `Undeclared binary detected: ${bin.file.split(/[/\\]/).pop()}`;
+    } else if (invoked) {
+      message = `Binary ${bin.file.split(/[/\\]/).pop()} invoked from JavaScript`;
+    } else {
+      message = `Binary embedded in package: ${bin.file.split(/[/\\]/).pop()}`;
+    }
+
+    findings.push({
+      detector: 'tier1-binary-embed',
+      id: 'TIER1-BINARY-EMBED',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype,
+      message,
+      evidence,
+      locations,
+      reference: 'Campaign 2',
+    });
+  }
+
+  return findings;
+}

package/backend/detectors/tier1-infostealer.js

@@ -0,0 +1,280 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+import * as acorn from 'acorn';
+
+const FS_READ_RE = /fs\.(?:readFile|readFileSync|readdir|readdirSync)\s*\(/g;
+const HTTP_FETCH_RE = /\b(?:fetch|axios|got|superagent|request)\s*\(/g;
+const CURL_WGET_RE = /\b(?:curl|wget|powershell)\s+/gi;
+const CHILD_PROC_RE = /\b(?:exec|execSync|execFile|execFileSync|spawn|spawnSync|fork)\s*\(/g;
+const DOMAIN_EXTRACT_RE = /https?:\/\/([^'"\s)\];,\n\r]+)/gi;
+const GITHUB_DOMAIN_RE = /github\.com/i;
+const NPMJS_DOMAIN_RE = /npmjs\.(?:com|org)/i;
+
+const AWS_KEY_RE = /AKIA[0-9A-Z]{16}/g;
+const NPM_TOKEN_RE = /npm_[a-zA-Z0-9]{36}/g;
+const GH_TOKEN_RE = /ghp_[a-zA-Z0-9]{30,40}/g;
+const GH_OLD_TOKEN_RE = /gho_[a-zA-Z0-9]{36}/g;
+const GITLAB_TOKEN_RE = /glpat-[a-zA-Z0-9_-]{20,}/g;
+
+const ENV_DUMP_RE = /process\.env\.(?:AWS_[A-Z_]+|NPM_TOKEN|NPM_AUTH_TOKEN|GIT_TOKEN|SSH_KEY)/g;
+
+const EVAL_RE = /\beval\s*\(/g;
+const FUNCTION_CTOR_RE = /\bFunction\s*\(/g;
+const B64_STRING_RE = /['"`]([A-Za-z0-9+/]{40,}={0,2})['"`]/g;
+
+function shannonEntropy(s) {
+  const len = s.length;
+  if (len === 0) return 0;
+  const freq = {};
+  for (const ch of s) freq[ch] = (freq[ch] || 0) + 1;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+function isMinified(content) {
+  const identifiers = content.match(/\b[a-zA-Z_$][\w$]*\b/g);
+  if (identifiers && identifiers.length > 0) {
+    const avgLen = identifiers.reduce((s, id) => s + id.length, 0) / identifiers.length;
+    if (avgLen < 3) return true;
+  }
+  return shannonEntropy(content) > 5.5;
+}
+
+function extractDomains(content) {
+  const domains = [];
+  let match;
+  DOMAIN_EXTRACT_RE.lastIndex = 0;
+  while ((match = DOMAIN_EXTRACT_RE.exec(content)) !== null) {
+    domains.push(match[1]);
+  }
+  return domains;
+}
+
+function extractCredentials(content) {
+  const creds = [];
+  let match;
+  AWS_KEY_RE.lastIndex = 0;
+  while ((match = AWS_KEY_RE.exec(content)) !== null) {
+    creds.push({ type: 'cred_regex_aws', value: match[0], index: match.index });
+  }
+  NPM_TOKEN_RE.lastIndex = 0;
+  while ((match = NPM_TOKEN_RE.exec(content)) !== null) {
+    creds.push({ type: 'cred_regex_npm_token', value: match[0], index: match.index });
+  }
+  GH_TOKEN_RE.lastIndex = 0;
+  while ((match = GH_TOKEN_RE.exec(content)) !== null) {
+    creds.push({ type: 'cred_regex_gh_token', value: match[0], index: match.index });
+  }
+  return creds;
+}
+
+function getLineColumn(content, index) {
+  const lines = content.slice(0, index).split('\n');
+  return { line: lines.length, column: lines[lines.length - 1].length + 1 };
+}
+
+function patternMatcher(f, content) {
+  const file = f.path || f.name || 'unknown';
+  const result = {
+    file,
+    hasPattern: false,
+    patterns: [],
+    locations: [],
+    evidence: [],
+    domainsFound: [],
+    credsFound: [],
+    isObfuscated: false,
+  };
+
+  if (!content) return result;
+
+  result.isObfuscated = isMinified(content) || EVAL_RE.test(content) || FUNCTION_CTOR_RE.test(content);
+
+  FS_READ_RE.lastIndex = 0;
+  HTTP_FETCH_RE.lastIndex = 0;
+  CHILD_PROC_RE.lastIndex = 0;
+  CURL_WGET_RE.lastIndex = 0;
+
+  const hasFsRead = FS_READ_RE.test(content);
+  const hasHttpFetch = HTTP_FETCH_RE.test(content);
+  const hasChildProc = CHILD_PROC_RE.test(content);
+  const hasCurlWget = CURL_WGET_RE.test(content);
+
+  const domains = extractDomains(content);
+  const externalDomains = domains.filter(d => !NPMJS_DOMAIN_RE.test(d));
+  const gitHubDomains = domains.filter(d => GITHUB_DOMAIN_RE.test(d) && !NPMJS_DOMAIN_RE.test(d));
+
+  if (hasFsRead && hasHttpFetch) {
+    const isGithubOnly = gitHubDomains.length > 0 && externalDomains.length === gitHubDomains.length;
+    result.hasPattern = true;
+    result.patterns.push({ subtype: isGithubOnly ? 'nw_exfil_to_github' : 'fs_exfil', baseScore: 80 });
+    result.domainsFound.push(...domains);
+    FS_READ_RE.lastIndex = 0;
+    const fsMatch = FS_READ_RE.exec(content);
+    if (fsMatch) {
+      const lc = getLineColumn(content, fsMatch.index);
+      result.locations.push({ file, line: lc.line, column: lc.column });
+    }
+    result.evidence.push(isGithubOnly
+      ? 'pattern: fs.readFile + network to GitHub'
+      : 'pattern: fs.readFile + external fetch');
+  }
+
+  if (hasFsRead && (hasChildProc || hasCurlWget)) {
+    const isGithubOnly = gitHubDomains.length > 0 && externalDomains.length === gitHubDomains.length;
+    result.hasPattern = true;
+    result.patterns.push({ subtype: isGithubOnly ? 'nw_exfil_to_github' : 'fs_exfil', baseScore: 80 });
+    result.domainsFound.push(...domains);
+    FS_READ_RE.lastIndex = 0;
+    const fsMatch = FS_READ_RE.exec(content);
+    if (fsMatch) {
+      const lc = getLineColumn(content, fsMatch.index);
+      result.locations.push({ file, line: lc.line, column: lc.column });
+    }
+    result.evidence.push(isGithubOnly
+      ? 'pattern: fs.readFile + child_process to GitHub'
+      : 'pattern: fs.readFile + child_process network');
+  }
+
+  const creds = extractCredentials(content);
+  if (creds.length > 0) {
+    result.hasPattern = true;
+    result.credsFound.push(...creds);
+    const primaryType = creds[0].type;
+    result.patterns.push({ subtype: primaryType, baseScore: 85 });
+    const lc = getLineColumn(content, creds[0].index);
+    result.locations.push({ file, line: lc.line, column: lc.column });
+    const typeNames = [...new Set(creds.map(c => c.type))];
+    result.evidence.push(`hardcoded_credentials: ${creds.length} (${typeNames.join(', ')})`);
+  }
+
+  ENV_DUMP_RE.lastIndex = 0;
+  const envMatch = ENV_DUMP_RE.exec(content);
+  if (envMatch) {
+    result.hasPattern = true;
+    result.patterns.push({ subtype: 'env_dump', baseScore: 80 });
+    const lc = getLineColumn(content, envMatch.index);
+    result.locations.push({ file, line: lc.line, column: lc.column });
+    result.evidence.push('pattern: process.env.AWS_* dump');
+  }
+
+  return result;
+}
+
+export const name = 'tier1-infostealer';
+
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const pkgName = pkgJson?.name;
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const files = jsFiles || [];
+  if (files.length === 0) return [];
+
+  let parseFailCount = 0;
+
+  for (const f of files) {
+    const content = f.content || '';
+    if (!content) continue;
+    try {
+      acorn.parse(content, { ecmaVersion: 'latest' });
+    } catch {
+      parseFailCount++;
+    }
+  }
+
+  if (files.length >= 20 && parseFailCount / files.length >= 0.1) return [];
+
+  const perFile = files.map(f => patternMatcher(f, f.content || ''));
+  const filesWithPatterns = perFile.filter(p => p.hasPattern);
+
+  if (filesWithPatterns.length === 0) return [];
+
+  let highestBase = 0;
+  let mainSubtype = '';
+  let isObfuscated = false;
+  const allEvidence = [];
+  const allLocations = [];
+  const involvedFiles = [];
+  const hasCreds = false;
+
+  for (const f of filesWithPatterns) {
+    if (!involvedFiles.includes(f.file)) involvedFiles.push(f.file);
+    allLocations.push(...f.locations);
+    allEvidence.push(...f.evidence);
+    if (f.isObfuscated) isObfuscated = true;
+    for (const p of f.patterns) {
+      if (p.baseScore > highestBase) {
+        highestBase = p.baseScore;
+        mainSubtype = p.subtype;
+      }
+    }
+  }
+
+  let baseScore = highestBase;
+
+  const anyCredPattern = filesWithPatterns.some(f => f.patterns.some(p => p.subtype.startsWith('cred_')));
+  if (anyCredPattern) {
+    baseScore = Math.min(100, Math.round(baseScore * 2.5));
+  }
+
+  if (isObfuscated) baseScore += 15;
+
+  if (involvedFiles.length > 1) {
+    baseScore = Math.min(100, Math.round(baseScore * 1.3));
+  }
+
+  const confidenceScore = Math.max(50, Math.min(100, baseScore));
+
+  function confidenceLabel(score) {
+    if (score >= 95) return 'CRITICAL';
+    if (score >= 80) return 'HIGH';
+    return 'MEDIUM';
+  }
+
+  const evidenceSet = new Set(allEvidence);
+  const evidence = [...evidenceSet].slice(0, 10);
+
+  const locationMap = new Map();
+  for (const loc of allLocations) {
+    const key = `${loc.file}:${loc.line}:${loc.column}`;
+    if (!locationMap.has(key)) locationMap.set(key, loc);
+  }
+
+  const isCritical = anyCredPattern;
+  const severity = isCritical ? 'critical' : confidenceScore >= 80 ? 'high' : 'medium';
+
+  const domainSummary = filesWithPatterns
+    .flatMap(f => f.domainsFound)
+    .filter(Boolean)
+    .slice(0, 3);
+
+  const credCount = filesWithPatterns.reduce((s, f) => s + f.credsFound.length, 0);
+
+  let message;
+  if (anyCredPattern) {
+    message = `Hardcoded credentials detected (${credCount} found)`;
+  } else if (involvedFiles.length > 1) {
+    message = `Cross-file exfiltration detected across ${involvedFiles.length} files`;
+  } else if (mainSubtype === 'env_dump') {
+    message = 'Environment variable harvesting detected';
+  } else {
+    message = 'Filesystem exfiltration to external domain detected';
+  }
+
+  return [{
+    detector: 'tier1-infostealer',
+    id: 'TIER1-INFOSTEALER',
+    severity,
+    confidence: confidenceLabel(confidenceScore),
+    confidenceScore,
+    subtype: mainSubtype || 'fs_exfil',
+    message,
+    evidence,
+    locations: [...locationMap.values()],
+    crossFiles: [...new Set(involvedFiles)],
+    reference: 'Campaign 2 & 3',
+  }];
+}