@lateos/npm-scan 0.16.4 → 0.17.0

package/backend/detectors/tier1-lifecycle-hook.js

@@ -0,0 +1,176 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const HOOK_NAMES = ['postinstall', 'preinstall', 'install', 'prepare', 'preuninstall', 'postuninstall'];
+
+const CURL_WGET_RE = /\b(?:curl|wget|powershell|bash|sh)\b/i;
+const CHILD_PROC_RE = /\b(?:exec|execSync|spawn|spawnSync|fork)\s*\(/g;
+const EVAL_RE = /\beval\s*\(/g;
+const FUNCTION_CTOR_RE = /\bFunction\s*\(/g;
+const ZERO_EVAL_RE = /\(0,\s*eval\)\s*\(/g;
+const URL_RE = /https?:\/\/([^'"\s)\]]+)/gi;
+const IP_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
+const INTERNAL_DOMAIN_RE = /(?:github-ent|jira\.internal|docs\.internal)/i;
+const ENV_EXFIL_RE = /process\.env\.(?:AWS_[A-Z_]+|NPM_TOKEN|NPM_AUTH_TOKEN|GIT_TOKEN|SSH_KEY)/g;
+const HEX_STRING_RE = /(?:0x[0-9a-fA-F]{2,}|\\x[0-9a-fA-F]{2})/g;
+const B64_RE = /['"`]([A-Za-z0-9+/]{20,}={0,2})['"`]/g;
+const REQUIRE_RE = /\brequire\s*\(/g;
+
+function shannonEntropy(s) {
+  const len = s.length;
+  if (len === 0) return 0;
+  const freq = {};
+  for (const ch of s) freq[ch] = (freq[ch] || 0) + 1;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+function isObfuscated(content) {
+  if (!content) return false;
+  const noWhitespace = !/\s/.test(content.trim());
+  const identifiers = content.match(/\b[a-zA-Z_$][\w$]*\b/g);
+  let avgIdLen = 0;
+  if (identifiers && identifiers.length > 0) {
+    avgIdLen = identifiers.reduce((s, id) => s + id.length, 0) / identifiers.length;
+  }
+  if (noWhitespace && identifiers && identifiers.length > 0 && avgIdLen < 3) return true;
+  if (noWhitespace && /^[a-zA-Z_$][\w$]*\([^)]*\)$/.test(content.trim())) return true;
+  HEX_STRING_RE.lastIndex = 0;
+  if (HEX_STRING_RE.test(content)) return true;
+  B64_RE.lastIndex = 0;
+  if (B64_RE.test(content)) return true;
+  if (shannonEntropy(content) > 5.5) return true;
+  return false;
+}
+
+function extractUrls(content) {
+  const urls = [];
+  let match;
+  URL_RE.lastIndex = 0;
+  while ((match = URL_RE.exec(content)) !== null) {
+    urls.push(match[1]);
+  }
+  return urls;
+}
+
+export const name = 'tier1-lifecycle-hook';
+
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const pkgName = pkgJson?.name;
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const scripts = pkgJson?.scripts || {};
+  const hooks = {};
+
+  for (const [name, val] of Object.entries(scripts)) {
+    if (HOOK_NAMES.includes(name) || /^(pre|post)/.test(name)) {
+      hooks[name] = val;
+    }
+  }
+
+  if (Object.keys(hooks).length === 0) return [];
+
+  const findings = [];
+
+  for (const [hookName, scriptContent] of Object.entries(hooks)) {
+    const content = typeof scriptContent === 'string' ? scriptContent : '';
+    if (!content) continue;
+
+    const truncated = content.length > 10240 ? content.slice(0, 10240) : content;
+
+    const obfuscated = isObfuscated(truncated);
+    const hasEval = EVAL_RE.test(truncated) || FUNCTION_CTOR_RE.test(truncated) || ZERO_EVAL_RE.test(truncated);
+    const hasNetwork = CURL_WGET_RE.test(truncated) || CHILD_PROC_RE.test(truncated);
+    const hasUrls = URL_RE.test(truncated) || IP_RE.test(truncated);
+    const urls = extractUrls(truncated);
+    const hasInternal = INTERNAL_DOMAIN_RE.test(truncated);
+    const envExfil = ENV_EXFIL_RE.test(truncated);
+    const silent = !REQUIRE_RE.test(truncated);
+
+    let baseScore = 0;
+    let subtype = '';
+    let severity = 'medium';
+    const evidence = [`hook: ${hookName}`];
+
+    if (hasEval || (obfuscated && hasNetwork)) {
+      baseScore = 90;
+      subtype = 'obfuscated_install';
+      severity = 'critical';
+      evidence.push('patterns: eval, obfuscated code');
+    }
+
+    if (hasUrls) {
+      const urlBase = hasInternal ? 90 : 70;
+      if (urlBase > baseScore) {
+        baseScore = urlBase;
+        subtype = hasInternal ? 'obfuscated_install' : 'encoded_payload_postinstall';
+        severity = hasInternal ? 'critical' : 'high';
+      }
+      const domainInfo = hasInternal ? 'internal domain' : 'external URL';
+      evidence.push(`patterns: hardcoded ${domainInfo} in hook`);
+      if (urls.length > 0) evidence.push(`target: ${urls[0]}`);
+    }
+
+    if (envExfil) {
+      const envScore = 90;
+      if (envScore > baseScore) {
+        baseScore = envScore;
+        subtype = hasUrls ? 'hidden_preinstall' : 'encoded_payload_postinstall';
+        severity = 'critical';
+      }
+      evidence.push('pattern: process.env exfiltration');
+    }
+
+    if (obfuscated && hasEval && hasNetwork && !hasUrls && !envExfil) {
+      if (baseScore < 90) {
+        baseScore = 90;
+        subtype = 'obfuscated_install';
+        severity = 'critical';
+      }
+    }
+
+    if (obfuscated) {
+      const entropy = shannonEntropy(truncated);
+      evidence.push(`entropy: ${entropy.toFixed(2)} (suspicious)`);
+    }
+
+    if (silent && baseScore >= 70) {
+      subtype = 'silent_eval_in_hook';
+      evidence.push('silent: no explicit require()');
+      baseScore = Math.min(100, Math.round(baseScore * 2.5));
+    }
+
+    if (baseScore === 0) continue;
+
+    const confidenceScore = Math.max(50, Math.min(100, baseScore));
+
+    function confidenceLabel(score) {
+      if (score >= 95) return 'CRITICAL';
+      if (score >= 80) return 'HIGH';
+      return 'MEDIUM';
+    }
+
+    findings.push({
+      detector: 'tier1-lifecycle-hook',
+      id: 'TIER1-LIFECYCLE-HOOK',
+      severity,
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype,
+      message: `Suspicious lifecycle hook "${hookName}"`,
+      evidence,
+      locations: [{
+        file: 'package.json',
+        field: `scripts.${hookName}`,
+        value: content.length > 200 ? `${content.slice(0, 200)}...` : content,
+      }],
+      crossFiles: [],
+      reference: 'Campaign 1',
+    });
+  }
+
+  return findings;
+}

package/backend/detectors/tier1-metadata-spoof.js

@@ -0,0 +1,180 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const INTERNAL_SUFFIX_RE = /\.(?:internal|local|corp|intra|priv|lan)(?:[.:/]|$)/i;
+const CORPORATE_RE = /(?:github-ent|jira-ent|github\.enterprise|internal-gitlab|gitlab\.internal|jenkins\.internal|confluence\.internal)/i;
+const PRIVATE_IP_RE = /^(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})/;
+
+function extractDomain(url) {
+  try {
+    const u = new URL(url);
+    return u.hostname;
+  } catch {
+    const m = url.match(/^(?:https?:\/\/)?([^\/\s:]+)/);
+    return m ? m[1] : null;
+  }
+}
+
+function isInternalUrl(url) {
+  if (!url) return false;
+  const domain = extractDomain(url);
+  if (!domain) return false;
+  if (INTERNAL_SUFFIX_RE.test(domain)) return true;
+  if (CORPORATE_RE.test(domain)) return true;
+  if (PRIVATE_IP_RE.test(domain)) return true;
+  return false;
+}
+
+function parseSemver(version) {
+  if (!version) return null;
+  const parts = version.replace(/^[~^]/, '').split('.');
+  const m = parseInt(parts[0], 10);
+  const n = parseInt(parts[1], 10);
+  const p = parseInt(parts[2], 10);
+  if (isNaN(m) || isNaN(n) || isNaN(p)) return null;
+  return { major: m, minor: n, patch: p };
+}
+
+function detectSemverInflation(currentVer, registryMeta) {
+  if (!currentVer || !registryMeta) return null;
+
+  const age = registryMeta.age;
+  if (age !== undefined && age < 7) return null;
+
+  const previousVer = registryMeta.previousVersion || null;
+  if (!previousVer) return null;
+
+  const cur = parseSemver(currentVer);
+  const prev = parseSemver(previousVer);
+  if (!cur || !prev) return null;
+
+  const majorJump = cur.major - prev.major;
+  const minorJump = cur.minor - prev.minor;
+  const patchJump = cur.patch - prev.patch;
+
+  if (majorJump > 10) return { type: 'major', from: previousVer, to: currentVer, jump: majorJump };
+  if (minorJump > 20) return { type: 'minor', from: previousVer, to: currentVer, jump: minorJump };
+  if (patchJump > 50) return { type: 'patch', from: previousVer, to: currentVer, jump: patchJump };
+
+  return null;
+}
+
+export const name = 'tier1-metadata-spoof';
+
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const pkgName = pkgJson?.name;
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const fieldUrls = [];
+
+  function addField(field, value) {
+    if (value && typeof value === 'string') {
+      fieldUrls.push({ field, value });
+    }
+  }
+
+  if (pkgJson.repository) {
+    const v = typeof pkgJson.repository === 'string' ? pkgJson.repository : pkgJson.repository.url;
+    addField('repository.url', v);
+  }
+
+  addField('homepage', pkgJson.homepage);
+
+  if (pkgJson.bugs) {
+    const v = typeof pkgJson.bugs === 'string' ? pkgJson.bugs : pkgJson.bugs.url;
+    addField('bugs.url', v);
+  }
+
+  if (pkgJson.funding) {
+    const arr = Array.isArray(pkgJson.funding) ? pkgJson.funding : [pkgJson.funding];
+    for (let i = 0; i < arr.length; i++) {
+      if (arr[i] && arr[i].url) addField(`funding[${i}].url`, arr[i].url);
+    }
+  }
+
+  if (pkgJson.author && typeof pkgJson.author === 'object' && pkgJson.author.url) {
+    addField('author.url', pkgJson.author.url);
+  }
+
+  const internalFields = fieldUrls.filter(f => isInternalUrl(f.value));
+  const hasInternalUrls = internalFields.length > 0;
+
+  const currentVersion = pkgJson?.version;
+  const semverInflation = detectSemverInflation(currentVersion, registryMeta);
+
+  if (!hasInternalUrls && !semverInflation) return [];
+
+  let baseScore = 0;
+  let subtype = '';
+  let primaryMessage = '';
+  const evidence = [];
+  const locations = [];
+
+  if (hasInternalUrls) {
+    baseScore = 65;
+    subtype = 'internal_url_in_repo';
+
+    for (const f of internalFields) {
+      const domain = extractDomain(f.value);
+      evidence.push(`url: ${f.field} = ${f.value}`);
+
+      let pattern = '';
+      if (PRIVATE_IP_RE.test(domain)) pattern = 'private IP';
+      else if (CORPORATE_RE.test(domain)) pattern = 'corporate domain';
+      else pattern = 'internal domain';
+      evidence.push(`pattern: ${domain} (${pattern})`);
+
+      locations.push({ field: f.field, value: f.value });
+    }
+
+    if (internalFields.length > 1) {
+      baseScore += 20;
+      evidence.push('coordinated: multiple internal URLs');
+    }
+
+    primaryMessage = `Package metadata contains spoofed internal URL${internalFields.length > 1 ? 's' : ''}`;
+  }
+
+  if (semverInflation) {
+    const semverMsg = `semver: ${semverInflation.from} \u2192 ${semverInflation.to} (${semverInflation.type} jump of ${semverInflation.jump})`;
+
+    if (hasInternalUrls) {
+      baseScore = Math.round(baseScore * 1.3);
+      evidence.push(semverMsg);
+      evidence.push(`${semverInflation.type} version jump (${semverInflation.jump}) without changelog`);
+      locations.push({ field: 'version', old: semverInflation.from, new: semverInflation.to });
+      primaryMessage += ' + unjustified semver jump';
+    } else {
+      baseScore = 40;
+      subtype = 'semver_inflation';
+      evidence.push(semverMsg);
+      locations.push({ field: 'version', old: semverInflation.from, new: semverInflation.to });
+      primaryMessage = 'Unjustified semver version jump detected';
+    }
+  }
+
+  const confidenceScore = Math.max(50, Math.min(90, baseScore));
+
+  function severityLabel(sc) {
+    if (sc >= 70) return 'high';
+    return 'medium';
+  }
+
+  function confidenceLabel(sc) {
+    if (sc >= 80) return 'HIGH';
+    if (sc >= 60) return 'MEDIUM';
+    return 'LOW';
+  }
+
+  return [{
+    detector: 'tier1-metadata-spoof',
+    id: 'TIER1-METADATA-SPOOF',
+    severity: severityLabel(confidenceScore),
+    confidence: confidenceLabel(confidenceScore),
+    confidenceScore,
+    subtype,
+    message: primaryMessage,
+    evidence,
+    locations,
+    reference: 'Campaign 1',
+  }];
+}

package/backend/detectors/tier1-typosquat.js

@@ -0,0 +1,219 @@
+import { createRequire } from 'module';
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const require = createRequire(import.meta.url);
+const TOP_PACKAGES = require('../../src/config/top-5000.json');
+const TOP_SET = new Set(TOP_PACKAGES);
+
+function levenshtein(a, b) {
+  if (Math.abs(a.length - b.length) > 2) return 3;
+  const m = a.length, n = b.length;
+  if (m === 0) return n;
+  if (n === 0) return m;
+  let prev = new Int32Array(n + 1);
+  let curr = new Int32Array(n + 1);
+  for (let j = 0; j <= n; j++) prev[j] = j;
+  for (let i = 1; i <= m; i++) {
+    curr[0] = i;
+    let rowMin = curr[0];
+    for (let j = 1; j <= n; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(
+        prev[j] + 1,
+        curr[j - 1] + 1,
+        prev[j - 1] + cost
+      );
+      if (curr[j] < rowMin) rowMin = curr[j];
+    }
+    if (rowMin > 2) return 3;
+    const tmp = prev; prev = curr; curr = tmp;
+  }
+  return prev[n];
+}
+
+function jaroWinkler(a, b) {
+  if (a === b) return 1;
+  const m = a.length, n = b.length;
+  if (m === 0 || n === 0) return 0;
+  const matchDist = Math.floor(Math.max(m, n) / 2) - 1;
+  const aMatch = new Array(m).fill(false);
+  const bMatch = new Array(n).fill(false);
+  let matches = 0;
+  for (let i = 0; i < m; i++) {
+    const start = Math.max(0, i - matchDist);
+    const end = Math.min(n, i + matchDist + 1);
+    for (let j = start; j < end; j++) {
+      if (bMatch[j] || a[i] !== b[j]) continue;
+      aMatch[i] = true;
+      bMatch[j] = true;
+      matches++;
+      break;
+    }
+  }
+  if (matches === 0) return 0;
+  let t = 0, k = 0;
+  for (let i = 0; i < m; i++) {
+    if (!aMatch[i]) continue;
+    while (!bMatch[k]) k++;
+    if (a[i] !== b[k]) t++;
+    k++;
+  }
+  const jaro = (matches / m + matches / n + (matches - t / 2) / matches) / 3;
+  let prefix = 0;
+  const limit = Math.min(4, m, n);
+  for (let i = 0; i < limit; i++) {
+    if (a[i] === b[i]) prefix++;
+    else break;
+  }
+  return jaro + prefix * 0.1 * (1 - jaro);
+}
+
+function soundex(s) {
+  if (!s) return '';
+  s = s.toLowerCase();
+  const first = s[0];
+  const rest = s.slice(1)
+    .replace(/[aeiouyhw]/g, '')
+    .replace(/[bfpv]/g, '1')
+    .replace(/[cgjkqsxz]/g, '2')
+    .replace(/[dt]/g, '3')
+    .replace(/l/g, '4')
+    .replace(/[mn]/g, '5')
+    .replace(/r/g, '6')
+    .replace(/(\d)\1+/g, '$1');
+  return (first + rest + '000').slice(0, 4);
+}
+
+function homoglyphScore(a, b) {
+  if (a.length !== b.length) return 0;
+  const map = { '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '6': 'g', '7': 't', '8': 'b', '@': 'a' };
+  let swaps = 0;
+  for (let i = 0; i < a.length; i++) {
+    if (a[i] === b[i]) continue;
+    const na = map[a[i]] || a[i];
+    const nb = map[b[i]] || b[i];
+    if (na === b[i] || a[i] === nb || na === nb) swaps++;
+    else return 0;
+  }
+  return swaps > 0 ? 1 - swaps / a.length : 0;
+}
+
+function computeConfidence(dist, phonetic, homoglyph, registryMeta) {
+  let subtype, base;
+  if (dist === 1) {
+    subtype = 'edit_distance_1';
+    base = 75;
+  } else if (dist === 2) {
+    subtype = 'edit_distance_2';
+    base = 45;
+  } else if (phonetic > 0.85) {
+    subtype = 'phonetic_match';
+    base = 50;
+  } else if (homoglyph > 0.7) {
+    subtype = 'homoglyph_swap';
+    base = 60;
+  } else {
+    return null;
+  }
+  let score = base;
+  if (registryMeta) {
+    const age = registryMeta.age || 0;
+    const downloads = registryMeta.weeklyDownloads || 0;
+    if (age < 30) score += 15;
+    if (downloads < 1000) score += 10;
+    if (age > 365 && downloads > 100000) score -= 30;
+  }
+  score = Math.max(50, Math.min(100, score));
+  return { subtype, score };
+}
+
+function severityLabel(score) {
+  if (score >= 80) return 'high';
+  if (score >= 60) return 'medium';
+  return 'low';
+}
+
+function confidenceLabel(score) {
+  if (score >= 80) return 'HIGH';
+  if (score >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+
+export const name = 'tier1-typosquat';
+
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const findings = [];
+  const pkgName = pkgJson?.name;
+  if (!pkgName) return findings;
+
+  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return findings;
+
+  const namesToCheck = [];
+  let scopedName = null;
+
+  if (pkgName.startsWith('@')) {
+    const parts = pkgName.split('/');
+    if (parts.length === 2) {
+      scopedName = parts[1];
+      namesToCheck.push(pkgName, scopedName);
+    }
+  } else {
+    namesToCheck.push(pkgName);
+  }
+
+  let best = null;
+  let bestScore = 0;
+
+  for (const checkName of namesToCheck) {
+    for (const target of TOP_PACKAGES) {
+      if (checkName === target) {
+        if (pkgName.startsWith('@') && checkName === scopedName && !KNOWN_REPUTABLE_PACKAGES.has(scopedName)) {
+          let score = 80;
+          if (registryMeta) {
+            if ((registryMeta.age || 0) < 30) score += 15;
+            if ((registryMeta.weeklyDownloads || 0) < 1000) score += 10;
+          }
+          score = Math.max(50, Math.min(100, score));
+          if (score > bestScore) {
+            bestScore = score;
+            best = { target, dist: 0, phonetic: 1, homoglyph: 0, subtype: 'edit_distance_1', isScopeSquat: true };
+          }
+        }
+        continue;
+      }
+      if (Math.abs(checkName.length - target.length) > 2) continue;
+      const dist = levenshtein(checkName, target);
+      if (dist > 2) continue;
+      const phonetic = jaroWinkler(checkName, target);
+      const homoglyph = homoglyphScore(checkName, target);
+      const conf = computeConfidence(dist, phonetic, homoglyph, registryMeta);
+      if (!conf || conf.score <= bestScore) continue;
+      bestScore = conf.score;
+      best = { target, dist, phonetic, homoglyph, subtype: conf.subtype, isScopeSquat: false };
+    }
+  }
+
+  if (best) {
+    findings.push({
+      detector: 'tier1-typosquat',
+      id: 'TIER1-TYPOSQUAT',
+      severity: severityLabel(bestScore),
+      confidence: confidenceLabel(bestScore),
+      confidenceScore: bestScore,
+      subtype: best.subtype,
+      message: `Package name "${pkgName}" is typo of "${best.target}"${best.dist > 0 ? ` (distance ${best.dist})` : ''}`,
+      evidence: [
+        `distance: ${best.dist}`,
+        `phonetic_score: ${(best.phonetic || 1).toFixed(2)}`,
+        `similar_package: ${best.target}`,
+        `age_days: ${registryMeta?.age || 0}`,
+        `weekly_downloads: ${registryMeta?.weeklyDownloads || 0}`,
+      ],
+      crossFiles: [],
+      locations: [{ file: 'package.json', line: 2, column: 10 }],
+      reference: 'Campaign 2: Cloud-Secret Typosquatting',
+    });
+  }
+
+  return findings;
+}