@lateos/npm-scan 0.18.1 → 0.18.2

package/backend/detectors/atk-002-obfusc.js

@@ -1,262 +1,262 @@
-const DIST_BUILD_PATTERNS = [/\/dist\//, /\/build\//, /\/bundle/, /\/min\//, /\.min\.js$/, /\.bundled?\.js$/];
-const TEST_FIXTURE_PATTERNS = [/\/test\//, /\/tests\//, /\/__tests__\//, /\/spec\//, /\.test\.js$/, /\.spec\.js$/, /fixtures?/];
-const KNOWN_SAFE_DOMAINS = [
-  'registry.npmjs.org', 'cdn.jsdelivr.net', 'unpkg.com', 'cdn.skypack.dev',
-  'esm.sh', 'deno.land', 'raw.githubusercontent.com', 'github.com',
-  'npmjs.com', 'nodejs.org', 'v8.dev', 'typescriptlang.org'
-];
-
-const LIFECYCLE_SCRIPT_NAMES = ['install', 'postinstall', 'preinstall', 'prepare', 'prepack', 'postpack'];
-
-function extractUrlDomain(code) {
-  const urlMatch = code.match(/https?:\/\/([^/'"\s]+)/);
-  return urlMatch ? urlMatch[1] : null;
-}
-
-function isDistOrBuild(filePath) {
-  return DIST_BUILD_PATTERNS.some(p => p.test(filePath));
-}
-
-function isTestOrFixture(filePath) {
-  return TEST_FIXTURE_PATTERNS.some(p => p.test(filePath));
-}
-
-function isKnownSafeDomain(domain) {
-  if (!domain) return false;
-  return KNOWN_SAFE_DOMAINS.some(safe => domain === safe || domain.endsWith('.' + safe));
-}
-
-function locateLine(code, pattern) {
-  const lines = code.split('\n');
-  for (let i = 0; i < lines.length; i++) {
-    if (pattern.test(lines[i])) return i + 1;
-  }
-  return null;
-}
-
-function decodePreview(code) {
-  const b64Match = code.match(/atob\(['"]([A-Za-z0-9+/=]{10,})['"]\)/);
-  if (b64Match) {
-    try {
-      const decoded = atob(b64Match[1]);
-      return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
-    } catch {}
-  }
-  
-  const hexMatch = code.match(/Buffer\.from\(['"]([0-9a-fA-F]+)['"],\s*['"]hex['"]\)/);
-  if (hexMatch) {
-    try {
-      const decoded = Buffer.from(hexMatch[1], 'hex').toString();
-      return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
-    } catch {}
-  }
-  
-  const btoaMatch = code.match(/btoa\(['"]([A-Za-z0-9+/=]{10,})['"]\)/);
-  if (btoaMatch) {
-    try {
-      const decoded = atob(btoaMatch[1]);
-      return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
-    } catch {}
-  }
-  
-  return null;
-}
-
-function detectEncodingType(code) {
-  if (/Buffer\.from\(['"][0-9a-fA-F]+['"],\s*['"]hex['"]\)/.test(code)) return 'hex';
-  if (/atob\(/.test(code)) return 'base64';
-  if (/btoa\(/.test(code)) return 'base64';
-  if (/Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code)) return 'base64';
-  if (/String\.fromCharCode\(/.test(code)) return 'charcode';
-  if (/btoa\(.*btoa\(|atob\(.*atob\(/.test(code)) return 'double-base64';
-  return 'unknown';
-}
-
-function isFileInLifecycleScript(filePath, pkgJson) {
-  if (!pkgJson?.scripts) return false;
-  
-  const scripts = pkgJson.scripts;
-  const fileName = filePath.split('/').pop();
-  const normalizedPath = filePath.replace(/^node_modules\//, '').replace(/^dist\//, '').replace(/^build\//, '');
-  
-  for (const scriptName of LIFECYCLE_SCRIPT_NAMES) {
-    const scriptValue = scripts[scriptName];
-    if (!scriptValue) continue;
-    
-    if (scriptValue.includes(filePath)) return true;
-    if (scriptValue.includes(fileName)) return true;
-    if (scriptValue.includes(normalizedPath)) return true;
-    
-    const scriptFileMatch = scriptValue.match(/[^\s'"]+\.js$/);
-    if (scriptFileMatch && filePath.endsWith(scriptFileMatch[0])) return true;
-  }
-  
-  return false;
-}
-
-function isLikelyLifecycleFileName(filePath) {
-  const name = filePath.split('/').pop().replace(/\.js$/, '');
-  return LIFECYCLE_SCRIPT_NAMES.includes(name) || 
-         name === 'setup' || 
-         name === 'install-helper';
-}
-
-function createEvidence(code, filePath, pattern, pkgJson) {
-  const encodingType = detectEncodingType(code);
-  const line = locateLine(code, pattern);
-  const decodedPreview = decodePreview(code);
-  const destinationHost = extractUrlDomain(code);
-  const lifecycleHook = isFileInLifecycleScript(filePath, pkgJson) || isLikelyLifecycleFileName(filePath);
-  
-  return {
-    file: filePath,
-    line: line,
-    lifecycle_hook: lifecycleHook,
-    decoded_preview: decodedPreview,
-    encoding_type: encodingType,
-    destination_host: destinationHost,
-  };
-}
-
-export async function scan(pkgJson, files = []) {
-  const findings = [];
-  const pkgName = pkgJson?.name || '';
-  const selfName = pkgName.replace(/^@/, '').replace(/\//, '-');
-
-  for (const f of files) {
-    const code = f.content;
-    const filePath = f.path;
-
-    const isDistBuild = isDistOrBuild(filePath);
-    const isTestFixture = isTestOrFixture(filePath);
-    const urlDomain = extractUrlDomain(code);
-    const isSafeDomain = isKnownSafeDomain(urlDomain);
-
-    const hasEval = /eval\(|new Function\(|\bFunction\('/.test(code);
-
-    if (hasEval) {
-      const hexDecode = /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"]/.test(code);
-      const b64Decode = /atob\(|Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code);
-      const b64UrlDecode = /try\s*\{[^}]*atob\s*\(/s.test(code) || /btoa\(.*\)\s*[^;]*\.replace\(/s.test(code);
-
-      if (hexDecode || b64Decode || b64UrlDecode) {
-        const evidence = createEvidence(code, filePath, /eval\(|new Function\(|\bFunction\('/, pkgJson);
-        findings.push({
-          id: 'ATK-002',
-          severity: 'medium',
-          title: 'Obfuscated payload',
-          description: hexDecode ? 'Eval with hex-decoded payload' : 'Eval with base64-decoded payload',
-          evidence: evidence,
-          context: {
-            file_path: filePath,
-            is_dist_build: isDistBuild,
-            is_test_fixture: isTestFixture,
-            is_lifecycle_hook: evidence.lifecycle_hook,
-            url_domain: urlDomain,
-            is_known_safe_domain: isSafeDomain,
-          },
-        });
-        return findings;
-      }
-
-      if (btoa(btoa('x')) === 'eDuke'.padEnd(5)) {
-        const nested = /atob\([^)]*atob\(/s.test(code) || /btoa\([^)]*btoa\(/s.test(code);
-        if (nested) {
-          const evidence = createEvidence(code, filePath, /btoa\(/, pkgJson);
-          findings.push({
-            id: 'ATK-002',
-            severity: 'high',
-            title: 'Obfuscated payload',
-            description: 'Double-encoded nested payload',
-            evidence: { ...evidence, is_multi_layer: true },
-            context: {
-              file_path: filePath,
-              is_dist_build: isDistBuild,
-              is_test_fixture: isTestFixture,
-              is_lifecycle_hook: evidence.lifecycle_hook,
-              url_domain: urlDomain,
-              is_known_safe_domain: isSafeDomain,
-              is_multi_layer: true,
-            },
-          });
-          return findings;
-        }
-      }
-    }
-
-    if (/atob\(|Buffer\.from/.test(code) && /url|fetch|curl|http\.request|https\.request/.test(code)) {
-      const isNetworkObfusc = /atob\(.*(https?:\/\/|\\x|http).*\)/s.test(code) ||
-        /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"].*fetch\(|fetch\(.*atob\(/s.test(code);
-      if (isNetworkObfusc) {
-        const evidence = createEvidence(code, filePath, /atob\(|Buffer\.from/, pkgJson);
-        findings.push({
-          id: 'ATK-002',
-          severity: 'medium',
-          title: 'Obfuscated payload',
-          description: 'Decoded string containing URL/fetch call',
-          evidence: evidence,
-          context: {
-            file_path: filePath,
-            is_dist_build: isDistBuild,
-            is_test_fixture: isTestFixture,
-            is_lifecycle_hook: evidence.lifecycle_hook,
-            url_domain: urlDomain,
-            is_known_safe_domain: isSafeDomain,
-          },
-        });
-        return findings;
-      }
-    }
-
-    if (/String\.fromCharCode\(.{20,}\)/.test(code) && hasEval) {
-      const evidence = createEvidence(code, filePath, /String\.fromCharCode\(/, pkgJson);
-      findings.push({
-        id: 'ATK-002',
-        severity: 'medium',
-        title: 'Obfuscated payload',
-        description: 'Eval with String.fromCharCode obfuscation',
-        evidence: evidence,
-        context: {
-          file_path: filePath,
-          is_dist_build: isDistBuild,
-          is_test_fixture: isTestFixture,
-          is_lifecycle_hook: evidence.lifecycle_hook,
-          url_domain: urlDomain,
-          is_known_safe_domain: isSafeDomain,
-        },
-      });
-      return findings;
-    }
-
-    const shellPatterns = [
-      { regex: /eval\s*\(\s*process\.env\.[A-Z_]{4,}/, name: 'env-eval' },
-      { regex: /exec\s*\(\s*Buffer\.from\(/, name: 'exec-buffer' },
-      { regex: /new Function\s*\(\s*(?:atob|process\.env)/, name: 'function-eval' },
-      { regex: /eval\s*\(\s*(?:require|import\s*\()/, name: 'require-eval' },
-      { regex: /Function\s*\(\s*'use\s*strict'\s*;?\s*(?:atob|require)/, name: 'strict-eval' },
-    ];
-    for (const p of shellPatterns) {
-      if (p.regex.test(code)) {
-        const evidence = createEvidence(code, filePath, p.regex, pkgJson);
-        findings.push({
-          id: 'ATK-002',
-          severity: 'high',
-          title: 'Obfuscated payload',
-          description: 'Shell-code obfuscation pattern',
-          evidence: { ...evidence, pattern: p.name },
-          context: {
-            file_path: filePath,
-            is_dist_build: isDistBuild,
-            is_test_fixture: isTestFixture,
-            is_lifecycle_hook: evidence.lifecycle_hook,
-            url_domain: urlDomain,
-            is_known_safe_domain: isSafeDomain,
-          },
-        });
-        return findings;
-      }
-    }
-  }
-
-  return findings;
+const DIST_BUILD_PATTERNS = [/\/dist\//, /\/build\//, /\/bundle/, /\/min\//, /\.min\.js$/, /\.bundled?\.js$/];
+const TEST_FIXTURE_PATTERNS = [/\/test\//, /\/tests\//, /\/__tests__\//, /\/spec\//, /\.test\.js$/, /\.spec\.js$/, /fixtures?/];
+const KNOWN_SAFE_DOMAINS = [
+  'registry.npmjs.org', 'cdn.jsdelivr.net', 'unpkg.com', 'cdn.skypack.dev',
+  'esm.sh', 'deno.land', 'raw.githubusercontent.com', 'github.com',
+  'npmjs.com', 'nodejs.org', 'v8.dev', 'typescriptlang.org'
+];
+
+const LIFECYCLE_SCRIPT_NAMES = ['install', 'postinstall', 'preinstall', 'prepare', 'prepack', 'postpack'];
+
+function extractUrlDomain(code) {
+  const urlMatch = code.match(/https?:\/\/([^/'"\s]+)/);
+  return urlMatch ? urlMatch[1] : null;
+}
+
+function isDistOrBuild(filePath) {
+  return DIST_BUILD_PATTERNS.some(p => p.test(filePath));
+}
+
+function isTestOrFixture(filePath) {
+  return TEST_FIXTURE_PATTERNS.some(p => p.test(filePath));
+}
+
+function isKnownSafeDomain(domain) {
+  if (!domain) return false;
+  return KNOWN_SAFE_DOMAINS.some(safe => domain === safe || domain.endsWith('.' + safe));
+}
+
+function locateLine(code, pattern) {
+  const lines = code.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    if (pattern.test(lines[i])) return i + 1;
+  }
+  return null;
+}
+
+function decodePreview(code) {
+  const b64Match = code.match(/atob\(['"]([A-Za-z0-9+/=]{10,})['"]\)/);
+  if (b64Match) {
+    try {
+      const decoded = atob(b64Match[1]);
+      return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
+    } catch {}
+  }
+  
+  const hexMatch = code.match(/Buffer\.from\(['"]([0-9a-fA-F]+)['"],\s*['"]hex['"]\)/);
+  if (hexMatch) {
+    try {
+      const decoded = Buffer.from(hexMatch[1], 'hex').toString();
+      return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
+    } catch {}
+  }
+  
+  const btoaMatch = code.match(/btoa\(['"]([A-Za-z0-9+/=]{10,})['"]\)/);
+  if (btoaMatch) {
+    try {
+      const decoded = atob(btoaMatch[1]);
+      return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
+    } catch {}
+  }
+  
+  return null;
+}
+
+function detectEncodingType(code) {
+  if (/Buffer\.from\(['"][0-9a-fA-F]+['"],\s*['"]hex['"]\)/.test(code)) return 'hex';
+  if (/atob\(/.test(code)) return 'base64';
+  if (/btoa\(/.test(code)) return 'base64';
+  if (/Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code)) return 'base64';
+  if (/String\.fromCharCode\(/.test(code)) return 'charcode';
+  if (/btoa\(.*btoa\(|atob\(.*atob\(/.test(code)) return 'double-base64';
+  return 'unknown';
+}
+
+function isFileInLifecycleScript(filePath, pkgJson) {
+  if (!pkgJson?.scripts) return false;
+  
+  const scripts = pkgJson.scripts;
+  const fileName = filePath.split('/').pop();
+  const normalizedPath = filePath.replace(/^node_modules\//, '').replace(/^dist\//, '').replace(/^build\//, '');
+  
+  for (const scriptName of LIFECYCLE_SCRIPT_NAMES) {
+    const scriptValue = scripts[scriptName];
+    if (!scriptValue) continue;
+    
+    if (scriptValue.includes(filePath)) return true;
+    if (scriptValue.includes(fileName)) return true;
+    if (scriptValue.includes(normalizedPath)) return true;
+    
+    const scriptFileMatch = scriptValue.match(/[^\s'"]+\.js$/);
+    if (scriptFileMatch && filePath.endsWith(scriptFileMatch[0])) return true;
+  }
+  
+  return false;
+}
+
+function isLikelyLifecycleFileName(filePath) {
+  const name = filePath.split('/').pop().replace(/\.js$/, '');
+  return LIFECYCLE_SCRIPT_NAMES.includes(name) || 
+         name === 'setup' || 
+         name === 'install-helper';
+}
+
+function createEvidence(code, filePath, pattern, pkgJson) {
+  const encodingType = detectEncodingType(code);
+  const line = locateLine(code, pattern);
+  const decodedPreview = decodePreview(code);
+  const destinationHost = extractUrlDomain(code);
+  const lifecycleHook = isFileInLifecycleScript(filePath, pkgJson) || isLikelyLifecycleFileName(filePath);
+  
+  return {
+    file: filePath,
+    line: line,
+    lifecycle_hook: lifecycleHook,
+    decoded_preview: decodedPreview,
+    encoding_type: encodingType,
+    destination_host: destinationHost,
+  };
+}
+
+export async function scan(pkgJson, files = []) {
+  const findings = [];
+  const pkgName = pkgJson?.name || '';
+  const selfName = pkgName.replace(/^@/, '').replace(/\//, '-');
+
+  for (const f of files) {
+    const code = f.content;
+    const filePath = f.path;
+
+    const isDistBuild = isDistOrBuild(filePath);
+    const isTestFixture = isTestOrFixture(filePath);
+    const urlDomain = extractUrlDomain(code);
+    const isSafeDomain = isKnownSafeDomain(urlDomain);
+
+    const hasEval = /eval\(|new Function\(|\bFunction\('/.test(code);
+
+    if (hasEval) {
+      const hexDecode = /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"]/.test(code);
+      const b64Decode = /atob\(|Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code);
+      const b64UrlDecode = /try\s*\{[^}]*atob\s*\(/s.test(code) || /btoa\(.*\)\s*[^;]*\.replace\(/s.test(code);
+
+      if (hexDecode || b64Decode || b64UrlDecode) {
+        const evidence = createEvidence(code, filePath, /eval\(|new Function\(|\bFunction\('/, pkgJson);
+        findings.push({
+          id: 'ATK-002',
+          severity: 'medium',
+          title: 'Obfuscated payload',
+          description: hexDecode ? 'Eval with hex-decoded payload' : 'Eval with base64-decoded payload',
+          evidence: evidence,
+          context: {
+            file_path: filePath,
+            is_dist_build: isDistBuild,
+            is_test_fixture: isTestFixture,
+            is_lifecycle_hook: evidence.lifecycle_hook,
+            url_domain: urlDomain,
+            is_known_safe_domain: isSafeDomain,
+          },
+        });
+        return findings;
+      }
+
+      if (btoa(btoa('x')) === 'eDuke'.padEnd(5)) {
+        const nested = /atob\([^)]*atob\(/s.test(code) || /btoa\([^)]*btoa\(/s.test(code);
+        if (nested) {
+          const evidence = createEvidence(code, filePath, /btoa\(/, pkgJson);
+          findings.push({
+            id: 'ATK-002',
+            severity: 'high',
+            title: 'Obfuscated payload',
+            description: 'Double-encoded nested payload',
+            evidence: { ...evidence, is_multi_layer: true },
+            context: {
+              file_path: filePath,
+              is_dist_build: isDistBuild,
+              is_test_fixture: isTestFixture,
+              is_lifecycle_hook: evidence.lifecycle_hook,
+              url_domain: urlDomain,
+              is_known_safe_domain: isSafeDomain,
+              is_multi_layer: true,
+            },
+          });
+          return findings;
+        }
+      }
+    }
+
+    if (/atob\(|Buffer\.from/.test(code) && /url|fetch|curl|http\.request|https\.request/.test(code)) {
+      const isNetworkObfusc = /atob\(.*(https?:\/\/|\\x|http).*\)/s.test(code) ||
+        /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"].*fetch\(|fetch\(.*atob\(/s.test(code);
+      if (isNetworkObfusc) {
+        const evidence = createEvidence(code, filePath, /atob\(|Buffer\.from/, pkgJson);
+        findings.push({
+          id: 'ATK-002',
+          severity: 'medium',
+          title: 'Obfuscated payload',
+          description: 'Decoded string containing URL/fetch call',
+          evidence: evidence,
+          context: {
+            file_path: filePath,
+            is_dist_build: isDistBuild,
+            is_test_fixture: isTestFixture,
+            is_lifecycle_hook: evidence.lifecycle_hook,
+            url_domain: urlDomain,
+            is_known_safe_domain: isSafeDomain,
+          },
+        });
+        return findings;
+      }
+    }
+
+    if (/String\.fromCharCode\(.{20,}\)/.test(code) && hasEval) {
+      const evidence = createEvidence(code, filePath, /String\.fromCharCode\(/, pkgJson);
+      findings.push({
+        id: 'ATK-002',
+        severity: 'medium',
+        title: 'Obfuscated payload',
+        description: 'Eval with String.fromCharCode obfuscation',
+        evidence: evidence,
+        context: {
+          file_path: filePath,
+          is_dist_build: isDistBuild,
+          is_test_fixture: isTestFixture,
+          is_lifecycle_hook: evidence.lifecycle_hook,
+          url_domain: urlDomain,
+          is_known_safe_domain: isSafeDomain,
+        },
+      });
+      return findings;
+    }
+
+    const shellPatterns = [
+      { regex: /eval\s*\(\s*process\.env\.[A-Z_]{4,}/, name: 'env-eval' },
+      { regex: /exec\s*\(\s*Buffer\.from\(/, name: 'exec-buffer' },
+      { regex: /new Function\s*\(\s*(?:atob|process\.env)/, name: 'function-eval' },
+      { regex: /eval\s*\(\s*(?:require|import\s*\()/, name: 'require-eval' },
+      { regex: /Function\s*\(\s*'use\s*strict'\s*;?\s*(?:atob|require)/, name: 'strict-eval' },
+    ];
+    for (const p of shellPatterns) {
+      if (p.regex.test(code)) {
+        const evidence = createEvidence(code, filePath, p.regex, pkgJson);
+        findings.push({
+          id: 'ATK-002',
+          severity: 'high',
+          title: 'Obfuscated payload',
+          description: 'Shell-code obfuscation pattern',
+          evidence: { ...evidence, pattern: p.name },
+          context: {
+            file_path: filePath,
+            is_dist_build: isDistBuild,
+            is_test_fixture: isTestFixture,
+            is_lifecycle_hook: evidence.lifecycle_hook,
+            url_domain: urlDomain,
+            is_known_safe_domain: isSafeDomain,
+          },
+        });
+        return findings;
+      }
+    }
+  }
+
+  return findings;
 }

package/backend/detectors/atk-003-creds.js

@@ -1,14 +1,14 @@
-export async function scan(pkgJson, files = []) {
-  const findings = [];
-  const code = files.map(f => f.content).join('\n');
-  if (/process\.env\.(NPM_TOKEN|GIT_TOKEN|AWS_SECRET|AWS_ACCESS|SSH_KEY)|\.npmrc|\.ssh\/id_rsa|readFile.*\.ssh/.test(code)) {
-    findings.push({
-      id: 'ATK-003',
-      severity: 'high',
-      title: 'Credential harvesting',
-      description: 'Env vars or .npmrc/SSH key access',
-      evidence: 'credential pattern match'
-    });
-  }
-  return findings;
+export async function scan(pkgJson, files = []) {
+  const findings = [];
+  const code = files.map(f => f.content).join('\n');
+  if (/process\.env\.(NPM_TOKEN|GIT_TOKEN|AWS_SECRET|AWS_ACCESS|SSH_KEY)|\.npmrc|\.ssh\/id_rsa|readFile.*\.ssh/.test(code)) {
+    findings.push({
+      id: 'ATK-003',
+      severity: 'high',
+      title: 'Credential harvesting',
+      description: 'Env vars or .npmrc/SSH key access',
+      evidence: 'credential pattern match'
+    });
+  }
+  return findings;
 }

package/backend/detectors/atk-004-persist.js

@@ -1,14 +1,14 @@
-export async function scan(pkgJson, files = []) {
-  const findings = [];
-  const code = files.map(f => f.content).join('\n');
-  if (/mkdir.*(\.vscode|\.claude|\.cursor)/.test(code)) {
-    findings.push({
-      id: 'ATK-004',
-      severity: 'high',
-      title: 'Persistence via editor configs',
-      description: 'Creates .vscode/.claude/.cursor dirs',
-      evidence: 'mkdir pattern match'
-    });
-  }
-  return findings;
+export async function scan(pkgJson, files = []) {
+  const findings = [];
+  const code = files.map(f => f.content).join('\n');
+  if (/mkdir.*(\.vscode|\.claude|\.cursor)/.test(code)) {
+    findings.push({
+      id: 'ATK-004',
+      severity: 'high',
+      title: 'Persistence via editor configs',
+      description: 'Creates .vscode/.claude/.cursor dirs',
+      evidence: 'mkdir pattern match'
+    });
+  }
+  return findings;
 }

package/backend/detectors/atk-005-exfil.js

@@ -1,14 +1,14 @@
-export async function scan(pkgJson, files = []) {
-  const findings = [];
-  const code = files.map(f => f.content).join('\n');
-  if (/curl.*(-d|--data|--data-binary)|github\.com\/.*keys|pastebin|dns\.resolve.*\.com|exfil/.test(code.toLowerCase())) {
-    findings.push({
-      id: 'ATK-005',
-      severity: 'critical',
-      title: 'Network exfiltration',
-      description: 'Suspicious network calls: curl data exfil, pastebin, dns tunneling',
-      evidence: 'network exfil pattern'
-    });
-  }
-  return findings;
+export async function scan(pkgJson, files = []) {
+  const findings = [];
+  const code = files.map(f => f.content).join('\n');
+  if (/curl.*(-d|--data|--data-binary)|github\.com\/.*keys|pastebin|dns\.resolve.*\.com|exfil/.test(code.toLowerCase())) {
+    findings.push({
+      id: 'ATK-005',
+      severity: 'critical',
+      title: 'Network exfiltration',
+      description: 'Suspicious network calls: curl data exfil, pastebin, dns tunneling',
+      evidence: 'network exfil pattern'
+    });
+  }
+  return findings;
 }

package/backend/detectors/atk-006-depconf.js

@@ -1,15 +1,15 @@
-export async function scan(pkgJson) {
-  const findings = [];
-  const deps = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
-  const squat = Object.keys(deps).filter(d => /squat|confus|typo/i.test(d.toLowerCase()));
-  if (squat.length) {
-    findings.push({
-      id: 'ATK-006',
-      severity: 'medium',
-      title: 'Dependency confusion',
-      description: 'Suspicious dependency names',
-      evidence: squat.join(', ')
-    });
-  }
-  return findings;
+export async function scan(pkgJson) {
+  const findings = [];
+  const deps = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
+  const squat = Object.keys(deps).filter(d => /squat|confus|typo/i.test(d.toLowerCase()));
+  if (squat.length) {
+    findings.push({
+      id: 'ATK-006',
+      severity: 'medium',
+      title: 'Dependency confusion',
+      description: 'Suspicious dependency names',
+      evidence: squat.join(', ')
+    });
+  }
+  return findings;
 }