npm - @lateos/npm-scan - Versions diffs - 0.16.4 → 0.17.0 - Mend

@lateos/npm-scan 0.16.4 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (96) hide show

package/.dockerignore +20 -20
package/.husky/pre-commit +1 -1
package/CHANGELOG.md +199 -199
package/LICENSING.md +19 -19
package/README.de.md +708 -708
package/README.fr.md +707 -707
package/README.ja.md +704 -704
package/README.md +826 -826
package/README.zh.md +708 -708
package/SECURITY.md +72 -72
package/backend/cra.js +68 -68
package/backend/db/schema.sql +32 -32
package/backend/db.js +88 -88
package/backend/detectors/atk-001-lifecycle.js +17 -17
package/backend/detectors/atk-002-obfusc.js +261 -261
package/backend/detectors/atk-003-creds.js +13 -13
package/backend/detectors/atk-004-persist.js +13 -13
package/backend/detectors/atk-005-exfil.js +13 -13
package/backend/detectors/atk-006-depconf.js +14 -14
package/backend/detectors/atk-007-typosquat.js +34 -34
package/backend/detectors/atk-008-tarball-tamper.js +91 -91
package/backend/detectors/atk-009-dormant-trigger.js +62 -62
package/backend/detectors/atk-010-sandbox-evasion.js +50 -50
package/backend/detectors/atk-011-transitive-prop.js +76 -76
package/backend/detectors/cve-2026-48710-badhost/codePattern.js +99 -99
package/backend/detectors/cve-2026-48710-badhost/findings.js +105 -105
package/backend/detectors/cve-2026-48710-badhost/index.js +15 -15
package/backend/detectors/cve-2026-48710-badhost/manifest.js +305 -305
package/backend/detectors/cve-2026-48710-badhost/transitive.js +189 -189
package/backend/detectors/hf-impersonation/index.js +396 -396
package/backend/detectors/hf-impersonation/jaro-winkler.js +44 -44
package/backend/detectors/hf-impersonation/known-orgs.js +5 -5
package/backend/detectors/hf-impersonation/simhash.js +46 -46
package/backend/detectors/index.js +75 -44
package/backend/detectors/megalodon/d1-workflow-scan.js +147 -147
package/backend/detectors/megalodon/d2-credential-harvest.js +61 -61
package/backend/detectors/megalodon/d3-publish-velocity.js +67 -67
package/backend/detectors/megalodon/d4-publisher-drift.js +124 -124
package/backend/detectors/megalodon/d5-bot-commit-identity.js +3 -3
package/backend/detectors/megalodon/d6-date-anachronism.js +3 -3
package/backend/detectors/megalodon/index.js +80 -80
package/backend/detectors/megalodon/types.js +9 -9
package/backend/detectors/mini-shai-hulud/d1-burst-publish.js +42 -42
package/backend/detectors/mini-shai-hulud/d2-sibling-compromise.js +116 -116
package/backend/detectors/mini-shai-hulud/d3-slsa-mismatch.js +72 -72
package/backend/detectors/mini-shai-hulud/d4-maintainer-anomaly.js +45 -45
package/backend/detectors/mini-shai-hulud/d5-ioc-check.js +95 -95
package/backend/detectors/mini-shai-hulud/d6-token-exfil.js +38 -38
package/backend/detectors/mini-shai-hulud/index.js +118 -118
package/backend/detectors/mini-shai-hulud/iocs.json +79 -79
package/backend/detectors/tier1-binary-embed.js +219 -0
package/backend/detectors/tier1-infostealer.js +280 -0
package/backend/detectors/tier1-lifecycle-hook.js +176 -0
package/backend/detectors/tier1-metadata-spoof.js +180 -0
package/backend/detectors/tier1-typosquat.js +219 -0
package/backend/fetch.js +175 -175
package/backend/index.js +4 -4
package/backend/license.js +89 -89
package/backend/lockfile.js +379 -379
package/backend/pdf.js +245 -245
package/backend/policy.js +193 -176
package/backend/report.js +254 -254
package/backend/sbom.js +66 -66
package/backend/siem/cef.js +32 -32
package/backend/siem/ecs.js +40 -40
package/backend/siem/index.js +18 -18
package/backend/siem/qradar.js +56 -56
package/backend/siem/sentinel.js +27 -27
package/backend/vsix-scan/detectors/activation-event-risk.js +116 -116
package/backend/vsix-scan/detectors/burst-publish.js +52 -52
package/backend/vsix-scan/detectors/exfil-pattern.js +88 -88
package/backend/vsix-scan/detectors/known-ioc.js +105 -105
package/backend/vsix-scan/detectors/orphan-commit-fetch.js +69 -69
package/backend/vsix-scan/detectors/publisher-anomaly.js +70 -70
package/backend/vsix-scan/index.js +183 -183
package/backend/vsix-scan/marketplace-client.js +145 -145
package/backend/vsix-scan/vsix-iocs.json +31 -31
package/cli/cli.js +458 -458
package/deploy/helm/npm-scan/Chart.yaml +21 -21
package/deploy/helm/npm-scan/templates/_helpers.tpl +8 -8
package/deploy/helm/npm-scan/templates/api.yaml +93 -93
package/deploy/helm/npm-scan/templates/ingress.yaml +27 -27
package/deploy/helm/npm-scan/templates/postgresql.yaml +66 -66
package/deploy/helm/npm-scan/templates/secrets.yaml +18 -18
package/deploy/helm/npm-scan/templates/worker.yaml +31 -31
package/deploy/helm/npm-scan/values.byoc.yaml +74 -74
package/deploy/helm/npm-scan/values.yaml +102 -102
package/package.json +57 -57
package/scripts/download-corpus.js +30 -30
package/scripts/gen-mal-corpus.js +34 -34
package/scripts/generate-campaign-fixtures.js +170 -0
package/src/config/top-5000.json +87 -0
package/test/fixtures/lockfiles/npm-lock.json +68 -68
package/test/fixtures/lockfiles/pnpm-lock.yaml +117 -117
package/test/fixtures/lockfiles/yarn.lock +103 -103
package/test/fixtures/mock-data.js +69 -69

package/backend/vsix-scan/marketplace-client.js CHANGED Viewed

@@ -1,145 +1,145 @@
-const MARKETPLACE_API = 'https://marketplace.visualstudio.com/_apis/public/gallery';
-const OPENVSX_API = 'https://open-vsx.org/api';
-const _cache = new Map();
-const CACHE_TTL = 5 * 60 * 1000;
-const RATE_LIMIT_MS = 6000;
-let _lastFetchTime = 0;
-function sleep(ms) {
-  return new Promise(r => setTimeout(r, ms));
-}
-async function rateLimitedFetch(url) {
-  const now = Date.now();
-  const elapsed = now - _lastFetchTime;
-  if (elapsed < RATE_LIMIT_MS) {
-    await sleep(RATE_LIMIT_MS - elapsed);
-  }
-  _lastFetchTime = Date.now();
-  const cached = _cache.get(url);
-  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
-    return cached.data;
-  }
-  let res;
-  try {
-    res = await fetch(url);
-    if (res.status === 429) {
-      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
-      await sleep(retryAfter * 1000);
-      res = await fetch(url);
-    }
-    if (!res.ok) {
-      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
-      return null;
-    }
-    const data = await res.json();
-    _cache.set(url, { data, fetchedAt: Date.now() });
-    return data;
-  } catch (err) {
-    console.debug(`Marketplace API error: ${err.message}`);
-    return null;
-  }
-}
-function parseExtensionId(id) {
-  const parts = id.split('.');
-  if (parts.length < 2) throw new Error(`Invalid extension ID: ${id}`);
-  return { publisherId: parts[0], extensionName: parts.slice(1).join('.') };
-}
-export async function getExtensionMetadata(publisherId, extensionName) {
-  const url = `${MARKETPLACE_API}/extensionquery`;
-  const body = {
-    filters: [{
-      criteria: [
-        { filterType: 8, value: `${publisherId}.${extensionName}` },
-      ],
-    }],
-    flags: 914,
-  };
-  const cached = _cache.get(url + JSON.stringify(body));
-  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
-    return cached.data;
-  }
-  const now = Date.now();
-  const elapsed = now - _lastFetchTime;
-  if (elapsed < RATE_LIMIT_MS) {
-    await sleep(RATE_LIMIT_MS - elapsed);
-  }
-  _lastFetchTime = Date.now();
-  let res;
-  try {
-    res = await fetch(url, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' },
-      body: JSON.stringify(body),
-    });
-    if (res.status === 429) {
-      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
-      await sleep(retryAfter * 1000);
-      res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' }, body: JSON.stringify(body) });
-    }
-    if (!res.ok) {
-      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
-      return null;
-    }
-    const data = await res.json();
-    _cache.set(url + JSON.stringify(body), { data, fetchedAt: Date.now() });
-    return data;
-  } catch (err) {
-    console.debug(`Marketplace API error: ${err.message}`);
-    return null;
-  }
-}
-export async function getVersionHistory(publisherId, extensionName) {
-  const data = await getExtensionMetadata(publisherId, extensionName);
-  if (!data?.results?.[0]?.extensions?.[0]) return [];
-  const extension = data.results[0].extensions[0];
-  const versions = extension.versions || [];
-  return versions.map(v => ({
-    version: v.version,
-    publishedAt: v.lastUpdated || v.publishedDate,
-    publishedBy: extension.publisher?.publisherName || publisherId,
-    assetSha256: v.assetUri ? null : null,
-    flags: v.flags ? [String(v.flags)] : [],
-  }));
-}
-export async function getPublisherProfile(publisherId) {
-  const url = `${MARKETPLACE_API}/publishers/${publisherId}`;
-  return rateLimitedFetch(url);
-}
-export async function getOpenVsxMetadata(namespace, name) {
-  const url = `${OPENVSX_API}/${namespace}/${name}`;
-  return rateLimitedFetch(url);
-}
-export async function getOpenVsxVersionHistory(namespace, name) {
-  const data = await getOpenVsxMetadata(namespace, name);
-  if (!data) return [];
-  const versions = data.allVersions || {};
-  const files = data.files || {};
-  return Object.entries(versions).map(([version, publishedAt]) => ({
-    version,
-    publishedAt: typeof publishedAt === 'string' ? publishedAt : data.timestamp,
-    publishedBy: data.namespace || namespace,
-    assetSha256: files?.[version]?.sha256 || null,
-    flags: [],
-  }));
-}
-export function clearMarketplaceCache() {
-  _cache.clear();
-  _lastFetchTime = 0;
-}
+const MARKETPLACE_API = 'https://marketplace.visualstudio.com/_apis/public/gallery';
+const OPENVSX_API = 'https://open-vsx.org/api';
+const _cache = new Map();
+const CACHE_TTL = 5 * 60 * 1000;
+const RATE_LIMIT_MS = 6000;
+let _lastFetchTime = 0;
+function sleep(ms) {
+  return new Promise(r => setTimeout(r, ms));
+}
+async function rateLimitedFetch(url) {
+  const now = Date.now();
+  const elapsed = now - _lastFetchTime;
+  if (elapsed < RATE_LIMIT_MS) {
+    await sleep(RATE_LIMIT_MS - elapsed);
+  }
+  _lastFetchTime = Date.now();
+  const cached = _cache.get(url);
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+    return cached.data;
+  }
+  let res;
+  try {
+    res = await fetch(url);
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
+      await sleep(retryAfter * 1000);
+      res = await fetch(url);
+    }
+    if (!res.ok) {
+      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
+      return null;
+    }
+    const data = await res.json();
+    _cache.set(url, { data, fetchedAt: Date.now() });
+    return data;
+  } catch (err) {
+    console.debug(`Marketplace API error: ${err.message}`);
+    return null;
+  }
+}
+function parseExtensionId(id) {
+  const parts = id.split('.');
+  if (parts.length < 2) throw new Error(`Invalid extension ID: ${id}`);
+  return { publisherId: parts[0], extensionName: parts.slice(1).join('.') };
+}
+export async function getExtensionMetadata(publisherId, extensionName) {
+  const url = `${MARKETPLACE_API}/extensionquery`;
+  const body = {
+    filters: [{
+      criteria: [
+        { filterType: 8, value: `${publisherId}.${extensionName}` },
+      ],
+    }],
+    flags: 914,
+  };
+  const cached = _cache.get(url + JSON.stringify(body));
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+    return cached.data;
+  }
+  const now = Date.now();
+  const elapsed = now - _lastFetchTime;
+  if (elapsed < RATE_LIMIT_MS) {
+    await sleep(RATE_LIMIT_MS - elapsed);
+  }
+  _lastFetchTime = Date.now();
+  let res;
+  try {
+    res = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' },
+      body: JSON.stringify(body),
+    });
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
+      await sleep(retryAfter * 1000);
+      res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' }, body: JSON.stringify(body) });
+    }
+    if (!res.ok) {
+      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
+      return null;
+    }
+    const data = await res.json();
+    _cache.set(url + JSON.stringify(body), { data, fetchedAt: Date.now() });
+    return data;
+  } catch (err) {
+    console.debug(`Marketplace API error: ${err.message}`);
+    return null;
+  }
+}
+export async function getVersionHistory(publisherId, extensionName) {
+  const data = await getExtensionMetadata(publisherId, extensionName);
+  if (!data?.results?.[0]?.extensions?.[0]) return [];
+  const extension = data.results[0].extensions[0];
+  const versions = extension.versions || [];
+  return versions.map(v => ({
+    version: v.version,
+    publishedAt: v.lastUpdated || v.publishedDate,
+    publishedBy: extension.publisher?.publisherName || publisherId,
+    assetSha256: v.assetUri ? null : null,
+    flags: v.flags ? [String(v.flags)] : [],
+  }));
+}
+export async function getPublisherProfile(publisherId) {
+  const url = `${MARKETPLACE_API}/publishers/${publisherId}`;
+  return rateLimitedFetch(url);
+}
+export async function getOpenVsxMetadata(namespace, name) {
+  const url = `${OPENVSX_API}/${namespace}/${name}`;
+  return rateLimitedFetch(url);
+}
+export async function getOpenVsxVersionHistory(namespace, name) {
+  const data = await getOpenVsxMetadata(namespace, name);
+  if (!data) return [];
+  const versions = data.allVersions || {};
+  const files = data.files || {};
+  return Object.entries(versions).map(([version, publishedAt]) => ({
+    version,
+    publishedAt: typeof publishedAt === 'string' ? publishedAt : data.timestamp,
+    publishedBy: data.namespace || namespace,
+    assetSha256: files?.[version]?.sha256 || null,
+    flags: [],
+  }));
+}
+export function clearMarketplaceCache() {
+  _cache.clear();
+  _lastFetchTime = 0;
+}

package/backend/vsix-scan/vsix-iocs.json CHANGED Viewed

@@ -1,31 +1,31 @@
-{
-  "lastUpdated": "2026-05-25",
-  "schema": "vsix-ioc-v1",
-  "iocs": [
-    {
-      "type": "extensionId",
-      "value": "nrwl.angular-console",
-      "maliciousVersions": ["18.95.0"],
-      "wave": "nx-console-wave3",
-      "cve": "CVE-2026-48027",
-      "exposureWindowStart": "2026-05-18T12:30:00Z",
-      "exposureWindowEnd": "2026-05-18T13:09:00Z",
-      "registries": ["marketplace", "open-vsx"],
-      "safeVersion": ">=18.100.0",
-      "source": "https://nx.dev/blog/nx-console-v18-95-0-postmortem"
-    },
-    {
-      "type": "publisherAccount",
-      "value": "nrwl",
-      "compromiseWindowStart": "2026-05-11T00:00:00Z",
-      "compromiseWindowEnd": "2026-05-18T13:09:00Z",
-      "note": "Contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publish"
-    },
-    {
-      "type": "orphanCommitHash",
-      "value": "PLACEHOLDER_UPDATE_FROM_THREAT_INTEL",
-      "repo": "nrwl/nx",
-      "note": "Dangling commit hosting 498KB Bun payload — update hash from StepSecurity IOC report"
-    }
-  ]
-}
+{
+  "lastUpdated": "2026-05-25",
+  "schema": "vsix-ioc-v1",
+  "iocs": [
+    {
+      "type": "extensionId",
+      "value": "nrwl.angular-console",
+      "maliciousVersions": ["18.95.0"],
+      "wave": "nx-console-wave3",
+      "cve": "CVE-2026-48027",
+      "exposureWindowStart": "2026-05-18T12:30:00Z",
+      "exposureWindowEnd": "2026-05-18T13:09:00Z",
+      "registries": ["marketplace", "open-vsx"],
+      "safeVersion": ">=18.100.0",
+      "source": "https://nx.dev/blog/nx-console-v18-95-0-postmortem"
+    },
+    {
+      "type": "publisherAccount",
+      "value": "nrwl",
+      "compromiseWindowStart": "2026-05-11T00:00:00Z",
+      "compromiseWindowEnd": "2026-05-18T13:09:00Z",
+      "note": "Contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publish"
+    },
+    {
+      "type": "orphanCommitHash",
+      "value": "PLACEHOLDER_UPDATE_FROM_THREAT_INTEL",
+      "repo": "nrwl/nx",
+      "note": "Dangling commit hosting 498KB Bun payload — update hash from StepSecurity IOC report"
+    }
+  ]
+}