@lateos/npm-scan 0.18.0 → 0.18.1

package/backend/vsix-scan/detectors/burst-publish.js

@@ -1,52 +1,52 @@
-export async function checkBurstPublish(versionHistory, config = {}) {
-  const windowMinutes = config.burstWindowMinutes ?? 30;
-  const threshold = config.burstVersionThreshold ?? 2;
-  const hotPullMinutes = config.hotPullMinutes ?? 20;
-
-  const entries = versionHistory
-    .filter(v => v.publishedAt)
-    .map(v => ({ version: v.version, time: new Date(v.publishedAt).getTime() }))
-    .filter(e => !Number.isNaN(e.time))
-    .sort((a, b) => a.time - b.time);
-
-  if (entries.length < threshold) return { triggered: false };
-
-  const windowMs = windowMinutes * 60 * 1000;
-  let burstFound = false;
-  let burstWindowStart = null;
-  let burstWindowEnd = null;
-  let burstVersionCount = 0;
-  let burstVersions = [];
-
-  for (let i = 0; i < entries.length; i++) {
-    const start = entries[i].time;
-    const end = start + windowMs;
-    const inWindow = entries.filter(e => e.time >= start && e.time <= end);
-
-    if (inWindow.length >= threshold) {
-      burstFound = true;
-      burstWindowStart = new Date(start).toISOString();
-      burstWindowEnd = new Date(end).toISOString();
-      burstVersionCount = inWindow.length;
-      burstVersions = inWindow.map(e => e.version);
-      break;
-    }
-  }
-
-  let hotPullDetected = false;
-  for (let i = 1; i < entries.length; i++) {
-    const gapMinutes = (entries[i].time - entries[i - 1].time) / (1000 * 60);
-    if (gapMinutes > 0 && gapMinutes < hotPullMinutes) {
-      hotPullDetected = true;
-      break;
-    }
-  }
-
-  return {
-    triggered: burstFound || hotPullDetected,
-    burstWindow: burstFound
-      ? { start: burstWindowStart, end: burstWindowEnd, versionCount: burstVersionCount, versions: burstVersions }
-      : null,
-    hotPullDetected,
-  };
-}
+export async function checkBurstPublish(versionHistory, config = {}) {
+  const windowMinutes = config.burstWindowMinutes ?? 30;
+  const threshold = config.burstVersionThreshold ?? 2;
+  const hotPullMinutes = config.hotPullMinutes ?? 20;
+
+  const entries = versionHistory
+    .filter(v => v.publishedAt)
+    .map(v => ({ version: v.version, time: new Date(v.publishedAt).getTime() }))
+    .filter(e => !Number.isNaN(e.time))
+    .sort((a, b) => a.time - b.time);
+
+  if (entries.length < threshold) return { triggered: false };
+
+  const windowMs = windowMinutes * 60 * 1000;
+  let burstFound = false;
+  let burstWindowStart = null;
+  let burstWindowEnd = null;
+  let burstVersionCount = 0;
+  let burstVersions = [];
+
+  for (let i = 0; i < entries.length; i++) {
+    const start = entries[i].time;
+    const end = start + windowMs;
+    const inWindow = entries.filter(e => e.time >= start && e.time <= end);
+
+    if (inWindow.length >= threshold) {
+      burstFound = true;
+      burstWindowStart = new Date(start).toISOString();
+      burstWindowEnd = new Date(end).toISOString();
+      burstVersionCount = inWindow.length;
+      burstVersions = inWindow.map(e => e.version);
+      break;
+    }
+  }
+
+  let hotPullDetected = false;
+  for (let i = 1; i < entries.length; i++) {
+    const gapMinutes = (entries[i].time - entries[i - 1].time) / (1000 * 60);
+    if (gapMinutes > 0 && gapMinutes < hotPullMinutes) {
+      hotPullDetected = true;
+      break;
+    }
+  }
+
+  return {
+    triggered: burstFound || hotPullDetected,
+    burstWindow: burstFound
+      ? { start: burstWindowStart, end: burstWindowEnd, versionCount: burstVersionCount, versions: burstVersions }
+      : null,
+    hotPullDetected,
+  };
+}

package/backend/vsix-scan/detectors/exfil-pattern.js

@@ -1,88 +1,88 @@
-const CREDENTIAL_FILE_PATTERNS = [
-  /~\/\.npmrc/,
-  /~\/\.gitconfig/,
-  /~\/\.aws\/credentials/,
-  /~\/\.ssh\/id_\w+/,
-  /~\/\.vault-token/,
-  /~\/\.claude\/settings\.json/,
-  /~\/Library\/Application\s+Support\/1Password\//,
-  /\/etc\/vault\/token/,
-  /\/proc\/\*\/mem/,
-  /\$GITHUB_ENV/,
-  /\$GITHUB_TOKEN/,
-  /\$NPM_TOKEN/,
-  /\$NODE_AUTH_TOKEN/,
-  /GH_TOKEN/,
-];
-
-const EXFIL_CHANNEL_PATTERNS = [
-  /(?:[a-z0-9_-]{40,})\.[a-z0-9_-]+\.(?:com|io|org|net|app|dev|xyz)(?:\/[^\s"')\]]{0,50})?/i,
-  /\/gists\b.*authorization/i,
-  /\/repos\/[^/]+\/[^/]+\/git\/refs/i,
-  /AES-256-GCM/,
-  /RSA\/(?:PKCS|OAEP)/,
-];
-
-const ANTI_ANALYSIS_PATTERNS = [
-  { pattern: /os\.cpus\(\)\.length\s*<\s*4/, label: 'CPU core count check (< 4)' },
-  { pattern: /Intl\.DateTimeFormat.*(?:timeZone|locale)/, label: 'Timezone/locale check' },
-  { pattern: /Intl\.DateTimeFormat.*\b(?:ru|rus|kz|by|cn|cns)\b/i, label: 'CIS/locale filtering' },
-  { pattern: /\bspawn\(\s*[^,]+,\s*\{[^}]*detached:\s*true\s*\}/, label: 'Detached process spawn' },
-  { pattern: /\bBUN_INSTALL\b/, label: 'BUN_INSTALL env reference' },
-  { pattern: /~\/\.bun\/bin\/bun/, label: 'Bun binary path' },
-  { pattern: /\bBun\.file\(/, label: 'Bun.file() API' },
-  { pattern: /\bBun\.serve\(/, label: 'Bun.serve() API' },
-];
-
-function truncateSnippet(str, maxLen = 200) {
-  if (!str || str.length <= maxLen) return str || '';
-  return str.slice(0, maxLen) + '...';
-}
-
-export async function checkExfilPattern(extensionFiles = []) {
-  const signals = [];
-  const exfilPatterns = [];
-  const antiAnalysisTechniques = [];
-
-  for (const file of extensionFiles) {
-    const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
-    const path = file.path || '';
-
-    for (const cp of CREDENTIAL_FILE_PATTERNS) {
-      const match = content.match(cp);
-      if (match) {
-        const snippet = truncateSnippet(match[0]);
-        if (!exfilPatterns.some(e => e.includes(snippet))) {
-          exfilPatterns.push(`${path}: ${snippet}`);
-          signals.push({ type: 'CREDENTIAL_FILE_TARGET', pattern: cp.source, file: path });
-        }
-      }
-    }
-
-    for (const ep of EXFIL_CHANNEL_PATTERNS) {
-      const match = content.match(ep);
-      if (match) {
-        const snippet = truncateSnippet(match[0]);
-        exfilPatterns.push(`${path}: ${snippet}`);
-        signals.push({ type: 'EXFIL_CHANNEL', pattern: ep.source, file: path });
-      }
-    }
-
-    for (const ap of ANTI_ANALYSIS_PATTERNS) {
-      if (ap.pattern.test(content)) {
-        if (!antiAnalysisTechniques.includes(ap.label)) {
-          antiAnalysisTechniques.push(ap.label);
-          signals.push({ type: 'ANTI_ANALYSIS', technique: ap.label, file: path });
-        }
-      }
-    }
-  }
-
-  return {
-    triggered: signals.length > 0,
-    signals,
-    exfilPatterns,
-    antiAnalysisTechniques,
-  };
-}
+const CREDENTIAL_FILE_PATTERNS = [
+  /~\/\.npmrc/,
+  /~\/\.gitconfig/,
+  /~\/\.aws\/credentials/,
+  /~\/\.ssh\/id_\w+/,
+  /~\/\.vault-token/,
+  /~\/\.claude\/settings\.json/,
+  /~\/Library\/Application\s+Support\/1Password\//,
+  /\/etc\/vault\/token/,
+  /\/proc\/\*\/mem/,
+  /\$GITHUB_ENV/,
+  /\$GITHUB_TOKEN/,
+  /\$NPM_TOKEN/,
+  /\$NODE_AUTH_TOKEN/,
+  /GH_TOKEN/,
+];
+
+const EXFIL_CHANNEL_PATTERNS = [
+  /(?:[a-z0-9_-]{40,})\.[a-z0-9_-]+\.(?:com|io|org|net|app|dev|xyz)(?:\/[^\s"')\]]{0,50})?/i,
+  /\/gists\b.*authorization/i,
+  /\/repos\/[^/]+\/[^/]+\/git\/refs/i,
+  /AES-256-GCM/,
+  /RSA\/(?:PKCS|OAEP)/,
+];
+
+const ANTI_ANALYSIS_PATTERNS = [
+  { pattern: /os\.cpus\(\)\.length\s*<\s*4/, label: 'CPU core count check (< 4)' },
+  { pattern: /Intl\.DateTimeFormat.*(?:timeZone|locale)/, label: 'Timezone/locale check' },
+  { pattern: /Intl\.DateTimeFormat.*\b(?:ru|rus|kz|by|cn|cns)\b/i, label: 'CIS/locale filtering' },
+  { pattern: /\bspawn\(\s*[^,]+,\s*\{[^}]*detached:\s*true\s*\}/, label: 'Detached process spawn' },
+  { pattern: /\bBUN_INSTALL\b/, label: 'BUN_INSTALL env reference' },
+  { pattern: /~\/\.bun\/bin\/bun/, label: 'Bun binary path' },
+  { pattern: /\bBun\.file\(/, label: 'Bun.file() API' },
+  { pattern: /\bBun\.serve\(/, label: 'Bun.serve() API' },
+];
+
+function truncateSnippet(str, maxLen = 200) {
+  if (!str || str.length <= maxLen) return str || '';
+  return str.slice(0, maxLen) + '...';
+}
+
+export async function checkExfilPattern(extensionFiles = []) {
+  const signals = [];
+  const exfilPatterns = [];
+  const antiAnalysisTechniques = [];
+
+  for (const file of extensionFiles) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+
+    for (const cp of CREDENTIAL_FILE_PATTERNS) {
+      const match = content.match(cp);
+      if (match) {
+        const snippet = truncateSnippet(match[0]);
+        if (!exfilPatterns.some(e => e.includes(snippet))) {
+          exfilPatterns.push(`${path}: ${snippet}`);
+          signals.push({ type: 'CREDENTIAL_FILE_TARGET', pattern: cp.source, file: path });
+        }
+      }
+    }
+
+    for (const ep of EXFIL_CHANNEL_PATTERNS) {
+      const match = content.match(ep);
+      if (match) {
+        const snippet = truncateSnippet(match[0]);
+        exfilPatterns.push(`${path}: ${snippet}`);
+        signals.push({ type: 'EXFIL_CHANNEL', pattern: ep.source, file: path });
+      }
+    }
+
+    for (const ap of ANTI_ANALYSIS_PATTERNS) {
+      if (ap.pattern.test(content)) {
+        if (!antiAnalysisTechniques.includes(ap.label)) {
+          antiAnalysisTechniques.push(ap.label);
+          signals.push({ type: 'ANTI_ANALYSIS', technique: ap.label, file: path });
+        }
+      }
+    }
+  }
+
+  return {
+    triggered: signals.length > 0,
+    signals,
+    exfilPatterns,
+    antiAnalysisTechniques,
+  };
+}

package/backend/vsix-scan/detectors/known-ioc.js

@@ -1,105 +1,105 @@
-import { readFileSync } from 'fs';
-import { fileURLToPath } from 'url';
-import { dirname, join } from 'path';
-
-let iocsData = null;
-let iocsLoaded = false;
-let iocLoadError = null;
-
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-const IOC_PATH = join(__dirname, '..', 'vsix-iocs.json');
-
-function loadIOCData() {
-  if (iocsLoaded) return iocsData;
-  iocsLoaded = true;
-  try {
-    iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
-  } catch (err) {
-    iocLoadError = err;
-    iocsData = null;
-  }
-  return iocsData;
-}
-
-export function getIOCLoadError() {
-  return iocLoadError;
-}
-
-export function reloadIOCData() {
-  iocsLoaded = false;
-  iocLoadError = null;
-  return loadIOCData();
-}
-
-export async function checkKnownIOC(extensionId, version, publisherAccount, orphanCommits = [], versionHistory = []) {
-  const data = loadIOCData();
-  if (!data) return { triggered: false, matches: [] };
-
-  const matches = [];
-  const iocs = data.iocs || [];
-
-  for (const ioc of iocs) {
-    switch (ioc.type) {
-      case 'extensionId': {
-        if (ioc.value === extensionId) {
-          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(version)) {
-            matches.push({
-              type: 'extensionId',
-              value: extensionId,
-              maliciousVersion: version,
-              wave: ioc.wave,
-              cve: ioc.cve,
-              exposureWindowStart: ioc.exposureWindowStart,
-              exposureWindowEnd: ioc.exposureWindowEnd,
-            });
-          }
-        }
-        break;
-      }
-
-      case 'publisherAccount': {
-        if (ioc.value === publisherAccount) {
-          const pubTime = versionHistory.length > 0
-            ? new Date(versionHistory[versionHistory.length - 1]?.publishedAt).getTime()
-            : null;
-
-          const windowStart = new Date(ioc.compromiseWindowStart).getTime();
-          const windowEnd = ioc.compromiseWindowEnd
-            ? new Date(ioc.compromiseWindowEnd).getTime()
-            : Infinity;
-
-          if (pubTime && !Number.isNaN(pubTime) && pubTime >= windowStart && pubTime <= windowEnd) {
-            matches.push({
-              type: 'publisherAccount',
-              value: publisherAccount,
-              wave: ioc.wave,
-              compromiseWindowStart: ioc.compromiseWindowStart,
-              compromiseWindowEnd: ioc.compromiseWindowEnd,
-            });
-          }
-        }
-        break;
-      }
-
-      case 'orphanCommitHash': {
-        for (const commit of orphanCommits) {
-          if (ioc.value === commit || (ioc.value === 'PLACEHOLDER_UPDATE_FROM_THREAT_INTEL')) {
-            continue;
-          }
-          if (ioc.value && commit && ioc.value.toLowerCase() === commit.toLowerCase()) {
-            matches.push({
-              type: 'orphanCommitHash',
-              value: commit,
-              repo: ioc.repo,
-              wave: ioc.wave,
-            });
-          }
-        }
-        break;
-      }
-    }
-  }
-
-  return { triggered: matches.length > 0, matches };
-}
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+let iocsData = null;
+let iocsLoaded = false;
+let iocLoadError = null;
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const IOC_PATH = join(__dirname, '..', 'vsix-iocs.json');
+
+function loadIOCData() {
+  if (iocsLoaded) return iocsData;
+  iocsLoaded = true;
+  try {
+    iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
+  } catch (err) {
+    iocLoadError = err;
+    iocsData = null;
+  }
+  return iocsData;
+}
+
+export function getIOCLoadError() {
+  return iocLoadError;
+}
+
+export function reloadIOCData() {
+  iocsLoaded = false;
+  iocLoadError = null;
+  return loadIOCData();
+}
+
+export async function checkKnownIOC(extensionId, version, publisherAccount, orphanCommits = [], versionHistory = []) {
+  const data = loadIOCData();
+  if (!data) return { triggered: false, matches: [] };
+
+  const matches = [];
+  const iocs = data.iocs || [];
+
+  for (const ioc of iocs) {
+    switch (ioc.type) {
+      case 'extensionId': {
+        if (ioc.value === extensionId) {
+          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(version)) {
+            matches.push({
+              type: 'extensionId',
+              value: extensionId,
+              maliciousVersion: version,
+              wave: ioc.wave,
+              cve: ioc.cve,
+              exposureWindowStart: ioc.exposureWindowStart,
+              exposureWindowEnd: ioc.exposureWindowEnd,
+            });
+          }
+        }
+        break;
+      }
+
+      case 'publisherAccount': {
+        if (ioc.value === publisherAccount) {
+          const pubTime = versionHistory.length > 0
+            ? new Date(versionHistory[versionHistory.length - 1]?.publishedAt).getTime()
+            : null;
+
+          const windowStart = new Date(ioc.compromiseWindowStart).getTime();
+          const windowEnd = ioc.compromiseWindowEnd
+            ? new Date(ioc.compromiseWindowEnd).getTime()
+            : Infinity;
+
+          if (pubTime && !Number.isNaN(pubTime) && pubTime >= windowStart && pubTime <= windowEnd) {
+            matches.push({
+              type: 'publisherAccount',
+              value: publisherAccount,
+              wave: ioc.wave,
+              compromiseWindowStart: ioc.compromiseWindowStart,
+              compromiseWindowEnd: ioc.compromiseWindowEnd,
+            });
+          }
+        }
+        break;
+      }
+
+      case 'orphanCommitHash': {
+        for (const commit of orphanCommits) {
+          if (ioc.value === commit || (ioc.value === 'PLACEHOLDER_UPDATE_FROM_THREAT_INTEL')) {
+            continue;
+          }
+          if (ioc.value && commit && ioc.value.toLowerCase() === commit.toLowerCase()) {
+            matches.push({
+              type: 'orphanCommitHash',
+              value: commit,
+              repo: ioc.repo,
+              wave: ioc.wave,
+            });
+          }
+        }
+        break;
+      }
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/vsix-scan/detectors/orphan-commit-fetch.js

@@ -1,69 +1,69 @@
-const GITHUB_COMMIT_SHA_PATTERN = /api\.github\.com\/repos\/[^/]+\/[^/]+\/git\/commits\/[a-f0-9]{40}/;
-const NPX_GIT_URL_PATTERN = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
-const MCP_KEYWORDS = ['mcp', 'model-context-protocol', 'claude', 'setup', 'init'];
-const EXTERNAL_FETCH_PATTERN = /(?:https?:\/\/)[^\s"')\]]+(?:\.com|\.io|\.org|\.dev|\.app|\.net)[^\s"')\]]*/;
-const NON_NPMJS_FETCH = /(?:fetch|curl|wget)\s*\(?\s*["']https?:\/\/(?!(?:.*npmjs\.org|.*npm\.js\.org|.*github\.com))[^"']+/;
-const BUN_PATTERNS = [/bun\s+install/, /install\s+.*bun/, /\bbunx\b/, /\.bun\/bin\//];
-const NPX_GIT_SHORT = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
-
-export async function checkOrphanCommitFetch(extensionFiles = []) {
-  const signals = [];
-  const indicators = [];
-
-  for (const file of extensionFiles) {
-    const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
-    const path = file.path || '';
-
-    if (GITHUB_COMMIT_SHA_PATTERN.test(content)) {
-      const matches = content.match(GITHUB_COMMIT_SHA_PATTERN);
-      if (matches) {
-        indicators.push(`${path}: GitHub git commit SHA reference`);
-        signals.push({
-          type: 'ORPHAN_COMMIT_GITHUB_API',
-          indicator: 'GitHub API direct commit SHA resolution',
-          file: path,
-        });
-      }
-    }
-
-    if (NPX_GIT_URL_PATTERN.test(content)) {
-      const matches = content.match(NPX_GIT_URL_PATTERN);
-      if (matches) {
-        indicators.push(`${path}: npx with git URL`);
-        signals.push({
-          type: 'NPX_GIT_URL',
-          indicator: 'npx resolves from git URL (non-registry)',
-          file: path,
-        });
-      }
-    }
-
-    const hasMCPKeywords = MCP_KEYWORDS.some(kw =>
-        new RegExp(`\\b${kw}\\b`, 'i').test(content));
-    const hasExternalFetch = NON_NPMJS_FETCH.test(content);
-
-    if (hasMCPKeywords && hasExternalFetch) {
-      indicators.push(`${path}: MCP-adjacent keywords + external fetch`);
-      signals.push({
-        type: 'MCP_DISGUISED_EXFIL',
-        indicator: 'Shell command disguised as MCP setup',
-        file: path,
-      });
-    }
-
-    for (const bp of BUN_PATTERNS) {
-      if (bp.test(content)) {
-        indicators.push(`${path}: Bun installation pattern`);
-        signals.push({
-          type: 'BUN_INSTALL',
-          indicator: `Bun runtime install pattern: ${bp.source}`,
-          file: path,
-        });
-        break;
-      }
-    }
-  }
-
-  return { triggered: signals.length > 0, signals, indicators };
-}
+const GITHUB_COMMIT_SHA_PATTERN = /api\.github\.com\/repos\/[^/]+\/[^/]+\/git\/commits\/[a-f0-9]{40}/;
+const NPX_GIT_URL_PATTERN = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
+const MCP_KEYWORDS = ['mcp', 'model-context-protocol', 'claude', 'setup', 'init'];
+const EXTERNAL_FETCH_PATTERN = /(?:https?:\/\/)[^\s"')\]]+(?:\.com|\.io|\.org|\.dev|\.app|\.net)[^\s"')\]]*/;
+const NON_NPMJS_FETCH = /(?:fetch|curl|wget)\s*\(?\s*["']https?:\/\/(?!(?:.*npmjs\.org|.*npm\.js\.org|.*github\.com))[^"']+/;
+const BUN_PATTERNS = [/bun\s+install/, /install\s+.*bun/, /\bbunx\b/, /\.bun\/bin\//];
+const NPX_GIT_SHORT = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
+
+export async function checkOrphanCommitFetch(extensionFiles = []) {
+  const signals = [];
+  const indicators = [];
+
+  for (const file of extensionFiles) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+
+    if (GITHUB_COMMIT_SHA_PATTERN.test(content)) {
+      const matches = content.match(GITHUB_COMMIT_SHA_PATTERN);
+      if (matches) {
+        indicators.push(`${path}: GitHub git commit SHA reference`);
+        signals.push({
+          type: 'ORPHAN_COMMIT_GITHUB_API',
+          indicator: 'GitHub API direct commit SHA resolution',
+          file: path,
+        });
+      }
+    }
+
+    if (NPX_GIT_URL_PATTERN.test(content)) {
+      const matches = content.match(NPX_GIT_URL_PATTERN);
+      if (matches) {
+        indicators.push(`${path}: npx with git URL`);
+        signals.push({
+          type: 'NPX_GIT_URL',
+          indicator: 'npx resolves from git URL (non-registry)',
+          file: path,
+        });
+      }
+    }
+
+    const hasMCPKeywords = MCP_KEYWORDS.some(kw =>
+        new RegExp(`\\b${kw}\\b`, 'i').test(content));
+    const hasExternalFetch = NON_NPMJS_FETCH.test(content);
+
+    if (hasMCPKeywords && hasExternalFetch) {
+      indicators.push(`${path}: MCP-adjacent keywords + external fetch`);
+      signals.push({
+        type: 'MCP_DISGUISED_EXFIL',
+        indicator: 'Shell command disguised as MCP setup',
+        file: path,
+      });
+    }
+
+    for (const bp of BUN_PATTERNS) {
+      if (bp.test(content)) {
+        indicators.push(`${path}: Bun installation pattern`);
+        signals.push({
+          type: 'BUN_INSTALL',
+          indicator: `Bun runtime install pattern: ${bp.source}`,
+          file: path,
+        });
+        break;
+      }
+    }
+  }
+
+  return { triggered: signals.length > 0, signals, indicators };
+}