@lateos/npm-scan 0.18.1 → 0.18.2

package/backend/detectors/hf-impersonation/jaro-winkler.js

@@ -1,44 +1,44 @@
-export function jaroWinkler(s1, s2) {
-  if (s1 === s2) return 1;
-  const len1 = s1.length, len2 = s2.length;
-  if (len1 === 0 || len2 === 0) return 0;
-
-  const matchDist = Math.floor(Math.max(len1, len2) / 2) - 1;
-  const matches1 = new Array(len1).fill(false);
-  const matches2 = new Array(len2).fill(false);
-  let matches = 0;
-
-  for (let i = 0; i < len1; i++) {
-    const start = Math.max(0, i - matchDist);
-    const end = Math.min(len2, i + matchDist + 1);
-    for (let j = start; j < end; j++) {
-      if (matches2[j]) continue;
-      if (s1[i] !== s2[j]) continue;
-      matches1[i] = true;
-      matches2[j] = true;
-      matches++;
-      break;
-    }
-  }
-
-  if (matches === 0) return 0;
-
-  let transpositions = 0, k = 0;
-  for (let i = 0; i < len1; i++) {
-    if (!matches1[i]) continue;
-    while (!matches2[k]) k++;
-    if (s1[i] !== s2[k]) transpositions++;
-    k++;
-  }
-
-  const jaro = (matches / len1 + matches / len2 + (matches - transpositions / 2) / matches) / 3;
-
-  let prefix = 0;
-  const maxPrefix = Math.min(4, len1, len2);
-  for (let i = 0; i < maxPrefix; i++) {
-    if (s1[i] === s2[i]) prefix++;
-    else break;
-  }
-
-  return jaro + prefix * 0.1 * (1 - jaro);
-}
+export function jaroWinkler(s1, s2) {
+  if (s1 === s2) return 1;
+  const len1 = s1.length, len2 = s2.length;
+  if (len1 === 0 || len2 === 0) return 0;
+
+  const matchDist = Math.floor(Math.max(len1, len2) / 2) - 1;
+  const matches1 = new Array(len1).fill(false);
+  const matches2 = new Array(len2).fill(false);
+  let matches = 0;
+
+  for (let i = 0; i < len1; i++) {
+    const start = Math.max(0, i - matchDist);
+    const end = Math.min(len2, i + matchDist + 1);
+    for (let j = start; j < end; j++) {
+      if (matches2[j]) continue;
+      if (s1[i] !== s2[j]) continue;
+      matches1[i] = true;
+      matches2[j] = true;
+      matches++;
+      break;
+    }
+  }
+
+  if (matches === 0) return 0;
+
+  let transpositions = 0, k = 0;
+  for (let i = 0; i < len1; i++) {
+    if (!matches1[i]) continue;
+    while (!matches2[k]) k++;
+    if (s1[i] !== s2[k]) transpositions++;
+    k++;
+  }
+
+  const jaro = (matches / len1 + matches / len2 + (matches - transpositions / 2) / matches) / 3;
+
+  let prefix = 0;
+  const maxPrefix = Math.min(4, len1, len2);
+  for (let i = 0; i < maxPrefix; i++) {
+    if (s1[i] === s2[i]) prefix++;
+    else break;
+  }
+
+  return jaro + prefix * 0.1 * (1 - jaro);
+}

package/backend/detectors/hf-impersonation/known-orgs.js

@@ -1,5 +1,5 @@
-export const KNOWN_HF_ORGS = [
-  'openai', 'meta-llama', 'mistralai', 'google', 'microsoft',
-  'stabilityai', 'EleutherAI', 'huggingface', 'tiiuae', 'cohere',
-  'anthropic', 'deepseek-ai', 'Qwen', 'NousResearch', 'teknium',
-];
+export const KNOWN_HF_ORGS = [
+  'openai', 'meta-llama', 'mistralai', 'google', 'microsoft',
+  'stabilityai', 'EleutherAI', 'huggingface', 'tiiuae', 'cohere',
+  'anthropic', 'deepseek-ai', 'Qwen', 'NousResearch', 'teknium',
+];

package/backend/detectors/hf-impersonation/simhash.js

@@ -1,46 +1,46 @@
-function hashToken(str) {
-  let hash = 5381;
-  for (let i = 0; i < str.length; i++) {
-    hash = ((hash << 5) + hash) + str.charCodeAt(i);
-    hash = hash & hash;
-  }
-  return hash >>> 0;
-}
-
-export function simhash(text) {
-  const v = new Array(64).fill(0);
-  const tokens = text.toLowerCase().split(/\s+/).filter(Boolean);
-
-  for (const token of tokens) {
-    const h = hashToken(token);
-    for (let i = 0; i < 64; i++) {
-      if ((h >> i) & 1) {
-        v[i] += 1;
-      } else {
-        v[i] -= 1;
-      }
-    }
-  }
-
-  let fingerprint = 0n;
-  for (let i = 0; i < 64; i++) {
-    if (v[i] > 0) {
-      fingerprint |= (1n << BigInt(i));
-    }
-  }
-  return fingerprint;
-}
-
-export function hammingDistance(a, b) {
-  let xor = a ^ b;
-  let count = 0;
-  while (xor > 0n) {
-    count += Number(xor & 1n);
-    xor >>= 1n;
-  }
-  return count;
-}
-
-export function similarity(a, b) {
-  return 1 - hammingDistance(a, b) / 64;
-}
+function hashToken(str) {
+  let hash = 5381;
+  for (let i = 0; i < str.length; i++) {
+    hash = ((hash << 5) + hash) + str.charCodeAt(i);
+    hash = hash & hash;
+  }
+  return hash >>> 0;
+}
+
+export function simhash(text) {
+  const v = new Array(64).fill(0);
+  const tokens = text.toLowerCase().split(/\s+/).filter(Boolean);
+
+  for (const token of tokens) {
+    const h = hashToken(token);
+    for (let i = 0; i < 64; i++) {
+      if ((h >> i) & 1) {
+        v[i] += 1;
+      } else {
+        v[i] -= 1;
+      }
+    }
+  }
+
+  let fingerprint = 0n;
+  for (let i = 0; i < 64; i++) {
+    if (v[i] > 0) {
+      fingerprint |= (1n << BigInt(i));
+    }
+  }
+  return fingerprint;
+}
+
+export function hammingDistance(a, b) {
+  let xor = a ^ b;
+  let count = 0;
+  while (xor > 0n) {
+    count += Number(xor & 1n);
+    xor >>= 1n;
+  }
+  return count;
+}
+
+export function similarity(a, b) {
+  return 1 - hammingDistance(a, b) / 64;
+}

package/backend/detectors/index.js

@@ -1,76 +1,82 @@
-import * as atk001 from './atk-001-lifecycle.js';
-import * as atk002 from './atk-002-obfusc.js';
-import * as atk003 from './atk-003-creds.js';
-import * as atk004 from './atk-004-persist.js';
-import * as atk005 from './atk-005-exfil.js';
-import * as atk006 from './atk-006-depconf.js';
-import * as atk007 from './atk-007-typosquat.js';
-import * as atk008 from './atk-008-tarball-tamper.js';
-import * as atk009 from './atk-009-dormant-trigger.js';
-import * as atk010 from './atk-010-sandbox-evasion.js';
-import * as atk011 from './atk-011-transitive-prop.js';
-import { scanAll as megalodonScan } from './megalodon/index.js';
-import { scan as hfScan } from './hf-impersonation/index.js';
-import { scan as miniShaiHuludScan } from './mini-shai-hulud/index.js';
-import { scan as badhostScan } from './cve-2026-48710-badhost/index.js';
-import { scan as trapdoorScan } from './trapdoor/index.js';
-import { scan as nodeIpcScan } from './node-ipc-compromise/index.js';
-import { scan as mshSupplementScan } from './msh-supplement/index.js';
-import { scan as typosquatScan } from './typosquat-vpmdhaj/index.js';
-import { scan as axiosPoisoningScan } from './axios-poisoning/index.js';
-import { scan as tier1TyposquatScan } from './tier1-typosquat.js';
-import { scan as tier1InfostealerScan } from './tier1-infostealer.js';
-import { scan as tier1LifecycleHookScan } from './tier1-lifecycle-hook.js';
-import { scan as tier1BinaryEmbedScan } from './tier1-binary-embed.js';
-import { scan as tier1MetadataSpoofScan } from './tier1-metadata-spoof.js';
-
-function timeout(ms) {
-  return new Promise((_, reject) => setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms));
-}
-
-async function runTier1(name, scanFn, pkgJson, files, registryMeta, allFiles) {
-  try {
-    const result = await Promise.race([
-      scanFn(pkgJson, files, registryMeta, allFiles),
-      timeout(800),
-    ]);
-    const fileCount = allFiles && allFiles.length > 0 ? allFiles.length : files.length;
-    if (fileCount >= 10 && result.length > 0) {
-      const hitRate = result.length / fileCount;
-      if (hitRate > 0.8) return [];
-    }
-    return result;
-  } catch {
-    return [];
-  }
-}
-
-export async function runAll(pkgJson, files = [], registryMeta = null, allFiles = null) {
-  const findings = [];
-  findings.push(...await atk001.scan(pkgJson, files));
-  findings.push(...await atk002.scan(pkgJson, files));
-  findings.push(...await atk003.scan(pkgJson, files));
-  findings.push(...await atk004.scan(pkgJson, files));
-  findings.push(...await atk005.scan(pkgJson, files));
-  findings.push(...await atk006.scan(pkgJson, files));
-  findings.push(...await atk007.scan(pkgJson, files));
-  findings.push(...await atk008.scan(pkgJson, files));
-  findings.push(...await atk009.scan(pkgJson, files));
-  findings.push(...await atk010.scan(pkgJson, files));
-  findings.push(...await atk011.scan(pkgJson, files));
-  findings.push(...await megalodonScan(pkgJson, allFiles || files, registryMeta));
-  findings.push(...await hfScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await miniShaiHuludScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await badhostScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await trapdoorScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await nodeIpcScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await mshSupplementScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await typosquatScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await axiosPoisoningScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-typosquat', tier1TyposquatScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-infostealer', tier1InfostealerScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-lifecycle-hook', tier1LifecycleHookScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-binary-embed', tier1BinaryEmbedScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-metadata-spoof', tier1MetadataSpoofScan, pkgJson, files, registryMeta, allFiles || files));
-  return findings.sort((a, b) => b.severity.localeCompare(a.severity));
+import * as atk001 from './atk-001-lifecycle.js';
+import * as atk002 from './atk-002-obfusc.js';
+import * as atk003 from './atk-003-creds.js';
+import * as atk004 from './atk-004-persist.js';
+import * as atk005 from './atk-005-exfil.js';
+import * as atk006 from './atk-006-depconf.js';
+import * as atk007 from './atk-007-typosquat.js';
+import * as atk008 from './atk-008-tarball-tamper.js';
+import * as atk009 from './atk-009-dormant-trigger.js';
+import * as atk010 from './atk-010-sandbox-evasion.js';
+import * as atk011 from './atk-011-transitive-prop.js';
+import { scanAll as megalodonScan } from './megalodon/index.js';
+import { scan as hfScan } from './hf-impersonation/index.js';
+import { scan as miniShaiHuludScan } from './mini-shai-hulud/index.js';
+import { scan as badhostScan } from './cve-2026-48710-badhost/index.js';
+import { scan as trapdoorScan } from './trapdoor/index.js';
+import { scan as nodeIpcScan } from './node-ipc-compromise/index.js';
+import { scan as mshSupplementScan } from './msh-supplement/index.js';
+import { scan as typosquatScan } from './typosquat-vpmdhaj/index.js';
+import { scan as axiosPoisoningScan } from './axios-poisoning/index.js';
+import { scan as tier1TyposquatScan } from './tier1-typosquat.js';
+import { scan as tier1InfostealerScan } from './tier1-infostealer.js';
+import { scan as tier1LifecycleHookScan } from './tier1-lifecycle-hook.js';
+import { scan as tier1BinaryEmbedScan } from './tier1-binary-embed.js';
+import { scan as tier1MetadataSpoofScan } from './tier1-metadata-spoof.js';
+import { scan as tier1VersionConfusionScan } from './tier1-version-confusion.js';
+import { scan as tier1CloudImdsScan } from './tier1-cloud-imds.js';
+import { scan as tier1MultistagePostinstallScan } from './tier1-multistage-postinstall.js';
+
+function timeout(ms) {
+  return new Promise((_, reject) => setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms));
+}
+
+async function runTier1(name, scanFn, pkgJson, files, registryMeta, allFiles) {
+  try {
+    const result = await Promise.race([
+      scanFn(pkgJson, files, registryMeta, allFiles),
+      timeout(800),
+    ]);
+    const fileCount = allFiles && allFiles.length > 0 ? allFiles.length : files.length;
+    if (fileCount >= 10 && result.length > 0) {
+      const hitRate = result.length / fileCount;
+      if (hitRate > 0.8) return [];
+    }
+    return result;
+  } catch {
+    return [];
+  }
+}
+
+export async function runAll(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const findings = [];
+  findings.push(...await atk001.scan(pkgJson, files));
+  findings.push(...await atk002.scan(pkgJson, files));
+  findings.push(...await atk003.scan(pkgJson, files));
+  findings.push(...await atk004.scan(pkgJson, files));
+  findings.push(...await atk005.scan(pkgJson, files));
+  findings.push(...await atk006.scan(pkgJson, files));
+  findings.push(...await atk007.scan(pkgJson, files));
+  findings.push(...await atk008.scan(pkgJson, files));
+  findings.push(...await atk009.scan(pkgJson, files));
+  findings.push(...await atk010.scan(pkgJson, files));
+  findings.push(...await atk011.scan(pkgJson, files));
+  findings.push(...await megalodonScan(pkgJson, allFiles || files, registryMeta));
+  findings.push(...await hfScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await miniShaiHuludScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await badhostScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await trapdoorScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await nodeIpcScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await mshSupplementScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await typosquatScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await axiosPoisoningScan(pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-typosquat', tier1TyposquatScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-infostealer', tier1InfostealerScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-lifecycle-hook', tier1LifecycleHookScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-binary-embed', tier1BinaryEmbedScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-metadata-spoof', tier1MetadataSpoofScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-version-confusion', tier1VersionConfusionScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-cloud-imds', tier1CloudImdsScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-multistage-postinstall', tier1MultistagePostinstallScan, pkgJson, files, registryMeta, allFiles || files));
+  return findings.sort((a, b) => b.severity.localeCompare(a.severity));
 }

package/backend/detectors/megalodon/d1-workflow-scan.js

@@ -1,147 +1,147 @@
-import { MegalodonSignal } from './types.js';
-import yaml from 'js-yaml';
-
-const C2_EXFIL_RE = /curl\s+.*?https?:\/\/(?!github\.com|githubusercontent\.com|raw\.githubusercontent\.com)[^\s'"]+/i;
-const SECRETS_REF_RE = /\$\{\{?\s*secrets\.\w+/;
-const B64_DECODE_CHAIN_RE = /base64\s+-d\s*[|>]\s*(ba)?sh/;
-
-function isWorkflowFile(f) {
-  const p = f.path.replace(/\\/g, '/');
-  return /\.github\/workflows\/.+\.(yml|yaml)$/i.test(p);
-}
-
-function countExecutableLines(text) {
-  return text.split('\n').filter(l => l.trim() && !l.trim().startsWith('#')).length;
-}
-
-function extractRunBlocks(parsed) {
-  const runs = [];
-  if (!parsed || typeof parsed !== 'object') return runs;
-
-  const walk = (obj) => {
-    if (!obj || typeof obj !== 'object') return;
-    if (Array.isArray(obj)) { obj.forEach(walk); return; }
-    for (const [k, v] of Object.entries(obj)) {
-      if (k === 'run' && typeof v === 'string') {
-        runs.push(v);
-      }
-      if (k === 'env' && typeof v === 'object' && v !== null) {
-        runs.push({ _env: v });
-      }
-      walk(v);
-    }
-  };
-  walk(parsed);
-  return runs;
-}
-
-function extractRunBlocksRaw(text) {
-  const runs = [];
-  const runMatch = text.match(/run:\s*[|>]\s*\n(\s{2,}.*(?:\n\s{2,}.*)*)/g);
-  if (runMatch) runs.push(...runMatch.map(m => m.replace(/^run:\s*[|>]\s*\n/, '')));
-
-  const inlineRe = /run:\s*['"](.+?)['"]\s*$/gm;
-  let m;
-  while ((m = inlineRe.exec(text)) !== null) runs.push(m[1]);
-
-  const envRe = /env:\s*\n((?:\s{2,}\w+:\s*.+\n?)*)/g;
-  let em;
-  while ((em = envRe.exec(text)) !== null) runs.push({ _env: em[1] });
-  return runs;
-}
-
-function runInStepHasBoth(step, signal) {
-  const runVal = step.run;
-  const envVals = step.env ? Object.values(step.env).filter(v => typeof v === 'string').join(' ') : '';
-  const combined = typeof runVal === 'string' ? `${runVal} ${envVals}` : '';
-
-  if (signal === 'exfil') {
-    return C2_EXFIL_RE.test(combined) && SECRETS_REF_RE.test(combined);
-  }
-  if (signal === 'decode') {
-    return B64_DECODE_CHAIN_RE.test(combined);
-  }
-  return false;
-}
-
-export async function scan(allFiles) {
-  const evidence = [];
-  const workflowFiles = allFiles.filter(isWorkflowFile);
-
-  for (const f of workflowFiles) {
-    if (f.content.length > 512 * 1024) continue;
-
-    let parsed = null;
-    let parseError = null;
-    try {
-      parsed = yaml.load(f.content);
-    } catch (e) {
-      parseError = e;
-    }
-
-    const rawRunBlocks = parsed ? extractRunBlocks(parsed) : extractRunBlocksRaw(f.content);
-    const runStrings = rawRunBlocks.filter(r => typeof r === 'string');
-    const envBlocks = rawRunBlocks.filter(r => typeof r === 'object' && r._env);
-
-    let exfilTriggered = false;
-    let decodeTriggered = false;
-
-    for (const runStr of runStrings) {
-      if (!exfilTriggered && C2_EXFIL_RE.test(runStr) && SECRETS_REF_RE.test(runStr)) {
-        exfilTriggered = true;
-        evidence.push({
-          signal: MegalodonSignal.WORKFLOW_C2_EXFIL,
-          file: f.path,
-          excerpt: runStr.slice(0, 120),
-          detail: 'C2 outbound call co-occurs with credentials reference in run block',
-        });
-      }
-
-      if (!decodeTriggered && B64_DECODE_CHAIN_RE.test(runStr)) {
-        decodeTriggered = true;
-        evidence.push({
-          signal: MegalodonSignal.WORKFLOW_DECODE_CHAIN,
-          file: f.path,
-          excerpt: runStr.slice(0, 120),
-          detail: 'Base64 decode pipe to shell — obfuscated payload execution',
-        });
-      }
-    }
-
-    if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
-      const steps = parsed.jobs ? Object.values(parsed.jobs).flatMap(j => j.steps || []) : [];
-      for (const step of steps) {
-        if (!exfilTriggered && runInStepHasBoth(step, 'exfil')) {
-          exfilTriggered = true;
-          const runVal = step.run || '';
-          evidence.push({
-            signal: MegalodonSignal.WORKFLOW_C2_EXFIL,
-            file: f.path,
-            excerpt: runVal.slice(0, 120),
-            detail: 'C2 outbound call co-occurs with secrets reference in same step',
-          });
-        }
-        if (!decodeTriggered && runInStepHasBoth(step, 'decode')) {
-          decodeTriggered = true;
-          const runVal = step.run || '';
-          evidence.push({
-            signal: MegalodonSignal.WORKFLOW_DECODE_CHAIN,
-            file: f.path,
-            excerpt: runVal.slice(0, 120),
-            detail: 'Base64 decode pipe to shell — obfuscated payload execution',
-          });
-        }
-      }
-    }
-
-    const lineCount = countExecutableLines(f.content);
-    if ((exfilTriggered || decodeTriggered) && lineCount >= 100 && lineCount <= 120) {
-      const found = evidence.find(e => e.signal === MegalodonSignal.WORKFLOW_C2_EXFIL || e.signal === MegalodonSignal.WORKFLOW_DECODE_CHAIN);
-      if (found) {
-        found.detail += ` | Matches ${lineCount}-line Megalodon payload footprint`;
-      }
-    }
-  }
-
-  return evidence;
-}
+import { MegalodonSignal } from './types.js';
+import yaml from 'js-yaml';
+
+const C2_EXFIL_RE = /curl\s+.*?https?:\/\/(?!github\.com|githubusercontent\.com|raw\.githubusercontent\.com)[^\s'"]+/i;
+const SECRETS_REF_RE = /\$\{\{?\s*secrets\.\w+/;
+const B64_DECODE_CHAIN_RE = /base64\s+-d\s*[|>]\s*(ba)?sh/;
+
+function isWorkflowFile(f) {
+  const p = f.path.replace(/\\/g, '/');
+  return /\.github\/workflows\/.+\.(yml|yaml)$/i.test(p);
+}
+
+function countExecutableLines(text) {
+  return text.split('\n').filter(l => l.trim() && !l.trim().startsWith('#')).length;
+}
+
+function extractRunBlocks(parsed) {
+  const runs = [];
+  if (!parsed || typeof parsed !== 'object') return runs;
+
+  const walk = (obj) => {
+    if (!obj || typeof obj !== 'object') return;
+    if (Array.isArray(obj)) { obj.forEach(walk); return; }
+    for (const [k, v] of Object.entries(obj)) {
+      if (k === 'run' && typeof v === 'string') {
+        runs.push(v);
+      }
+      if (k === 'env' && typeof v === 'object' && v !== null) {
+        runs.push({ _env: v });
+      }
+      walk(v);
+    }
+  };
+  walk(parsed);
+  return runs;
+}
+
+function extractRunBlocksRaw(text) {
+  const runs = [];
+  const runMatch = text.match(/run:\s*[|>]\s*\n(\s{2,}.*(?:\n\s{2,}.*)*)/g);
+  if (runMatch) runs.push(...runMatch.map(m => m.replace(/^run:\s*[|>]\s*\n/, '')));
+
+  const inlineRe = /run:\s*['"](.+?)['"]\s*$/gm;
+  let m;
+  while ((m = inlineRe.exec(text)) !== null) runs.push(m[1]);
+
+  const envRe = /env:\s*\n((?:\s{2,}\w+:\s*.+\n?)*)/g;
+  let em;
+  while ((em = envRe.exec(text)) !== null) runs.push({ _env: em[1] });
+  return runs;
+}
+
+function runInStepHasBoth(step, signal) {
+  const runVal = step.run;
+  const envVals = step.env ? Object.values(step.env).filter(v => typeof v === 'string').join(' ') : '';
+  const combined = typeof runVal === 'string' ? `${runVal} ${envVals}` : '';
+
+  if (signal === 'exfil') {
+    return C2_EXFIL_RE.test(combined) && SECRETS_REF_RE.test(combined);
+  }
+  if (signal === 'decode') {
+    return B64_DECODE_CHAIN_RE.test(combined);
+  }
+  return false;
+}
+
+export async function scan(allFiles) {
+  const evidence = [];
+  const workflowFiles = allFiles.filter(isWorkflowFile);
+
+  for (const f of workflowFiles) {
+    if (f.content.length > 512 * 1024) continue;
+
+    let parsed = null;
+    let parseError = null;
+    try {
+      parsed = yaml.load(f.content);
+    } catch (e) {
+      parseError = e;
+    }
+
+    const rawRunBlocks = parsed ? extractRunBlocks(parsed) : extractRunBlocksRaw(f.content);
+    const runStrings = rawRunBlocks.filter(r => typeof r === 'string');
+    const envBlocks = rawRunBlocks.filter(r => typeof r === 'object' && r._env);
+
+    let exfilTriggered = false;
+    let decodeTriggered = false;
+
+    for (const runStr of runStrings) {
+      if (!exfilTriggered && C2_EXFIL_RE.test(runStr) && SECRETS_REF_RE.test(runStr)) {
+        exfilTriggered = true;
+        evidence.push({
+          signal: MegalodonSignal.WORKFLOW_C2_EXFIL,
+          file: f.path,
+          excerpt: runStr.slice(0, 120),
+          detail: 'C2 outbound call co-occurs with credentials reference in run block',
+        });
+      }
+
+      if (!decodeTriggered && B64_DECODE_CHAIN_RE.test(runStr)) {
+        decodeTriggered = true;
+        evidence.push({
+          signal: MegalodonSignal.WORKFLOW_DECODE_CHAIN,
+          file: f.path,
+          excerpt: runStr.slice(0, 120),
+          detail: 'Base64 decode pipe to shell — obfuscated payload execution',
+        });
+      }
+    }
+
+    if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+      const steps = parsed.jobs ? Object.values(parsed.jobs).flatMap(j => j.steps || []) : [];
+      for (const step of steps) {
+        if (!exfilTriggered && runInStepHasBoth(step, 'exfil')) {
+          exfilTriggered = true;
+          const runVal = step.run || '';
+          evidence.push({
+            signal: MegalodonSignal.WORKFLOW_C2_EXFIL,
+            file: f.path,
+            excerpt: runVal.slice(0, 120),
+            detail: 'C2 outbound call co-occurs with secrets reference in same step',
+          });
+        }
+        if (!decodeTriggered && runInStepHasBoth(step, 'decode')) {
+          decodeTriggered = true;
+          const runVal = step.run || '';
+          evidence.push({
+            signal: MegalodonSignal.WORKFLOW_DECODE_CHAIN,
+            file: f.path,
+            excerpt: runVal.slice(0, 120),
+            detail: 'Base64 decode pipe to shell — obfuscated payload execution',
+          });
+        }
+      }
+    }
+
+    const lineCount = countExecutableLines(f.content);
+    if ((exfilTriggered || decodeTriggered) && lineCount >= 100 && lineCount <= 120) {
+      const found = evidence.find(e => e.signal === MegalodonSignal.WORKFLOW_C2_EXFIL || e.signal === MegalodonSignal.WORKFLOW_DECODE_CHAIN);
+      if (found) {
+        found.detail += ` | Matches ${lineCount}-line Megalodon payload footprint`;
+      }
+    }
+  }
+
+  return evidence;
+}