npm - @lateos/npm-scan - Versions diffs - 0.18.1 → 0.18.3 - Mend

@lateos/npm-scan 0.18.1 → 0.18.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +34 -0
package/backend/detectors/index.js +6 -0
package/backend/detectors/tier1-cloud-imds.js +124 -0
package/backend/detectors/tier1-infostealer.js +36 -0
package/backend/detectors/tier1-multistage-postinstall.js +81 -0
package/backend/detectors/tier1-version-confusion.js +107 -0
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -6,6 +6,40 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 ## [Unreleased]
+### Added
+## v0.18.2 — June 2, 2026
+### New Detectors
+- **D6a** `tier1-version-confusion.js` — Detects dependency confusion via sentinel
+  versions (99.99.99 family → HIGH) and high-version heuristic (major≥9 → MEDIUM).
+  Covers Sonatype-2026-003429 and Microsoft scope confusion campaigns.
+- **D6b** `tier1-multistage-postinstall.js` — Detects two-stage remote download +
+  binary execution and detached background persistence in lifecycle scripts.
+  Covers Gen-2 stager patterns from the OpenSearch/ES typosquatting wave.
+- **D6c** `tier1-cloud-imds.js` — Detects GCP metadata server and Azure IMDS endpoint
+  targeting in scripts and JS files. Covers the Miasma @redhat-cloud-services campaign.
+### Detector Enhancements
+- **D2** `tier1-infostealer.js` — Added NAMED_SIGNATURES array with early-return
+  CRITICAL detection for confirmed malware campaign strings. First entry: Miasma
+  campaign identifier (June 2026).
+### Bug Fixes
+- **D6b** `tier1-multistage-postinstall.js`
+  - Removed /g flag from REMOTE_FETCH_RE, BINARY_EXEC_RE, DETACHED_RE —
+    eliminated fragile lastIndex state between hook iterations
+  - Added critical severity tier to severityLabel — Signal A+B findings
+    now consistently report severity: critical / confidence: CRITICAL
+  - Fixed hardcoded "postinstall" in finding message — now reflects
+    whichever hook fired and the subtype string
+### Infrastructure
+- Added Detector Registry section to AGENTS.md with calibration notes.
+### Test Suite
+- 656 passing, 0 failing, 19 skipping.
 ### Added
 - `scan --file <path>` flag to analyze local `.tgz` tarballs without fetching from npm registry
 - `scan --fail-on <level>` flag to exit with code 1 when findings >= severity (CI/CD integration)

package/backend/detectors/index.js CHANGED Viewed

@@ -23,6 +23,9 @@ import { scan as tier1InfostealerScan } from './tier1-infostealer.js';
 import { scan as tier1LifecycleHookScan } from './tier1-lifecycle-hook.js';
 import { scan as tier1BinaryEmbedScan } from './tier1-binary-embed.js';
 import { scan as tier1MetadataSpoofScan } from './tier1-metadata-spoof.js';
+import { scan as tier1VersionConfusionScan } from './tier1-version-confusion.js';
+import { scan as tier1CloudImdsScan } from './tier1-cloud-imds.js';
+import { scan as tier1MultistagePostinstallScan } from './tier1-multistage-postinstall.js';
 function timeout(ms) {
   return new Promise((_, reject) => setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms));
@@ -72,5 +75,8 @@ export async function runAll(pkgJson, files = [], registryMeta = null, allFiles
   findings.push(...await runTier1('tier1-lifecycle-hook', tier1LifecycleHookScan, pkgJson, files, registryMeta, allFiles || files));
   findings.push(...await runTier1('tier1-binary-embed', tier1BinaryEmbedScan, pkgJson, files, registryMeta, allFiles || files));
   findings.push(...await runTier1('tier1-metadata-spoof', tier1MetadataSpoofScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-version-confusion', tier1VersionConfusionScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-cloud-imds', tier1CloudImdsScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...await runTier1('tier1-multistage-postinstall', tier1MultistagePostinstallScan, pkgJson, files, registryMeta, allFiles || files));
   return findings.sort((a, b) => b.severity.localeCompare(a.severity));
 }

package/backend/detectors/tier1-cloud-imds.js ADDED Viewed

@@ -0,0 +1,124 @@
+const GCP_PATTERNS = [
+  'metadata.google.internal',
+  'computeMetadata/v1',
+  'metadata.google.internal/computeMetadata',
+];
+const AZURE_PATTERNS = [
+  '169.254.169.254/metadata/instance',
+  '169.254.169.254/metadata/identity',
+];
+const AZURE_IP = '169.254.169.254';
+const METADATA_HEADER_RE = /Metadata\s*:\s*true/i;
+function severityLabel(score) {
+  if (score >= 80) return 'high';
+  return 'medium';
+}
+function confidenceLabel(score) {
+  if (score >= 80) return 'HIGH';
+  if (score >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+function hasGcpPattern(text) {
+  return GCP_PATTERNS.some(p => text.includes(p));
+}
+function hasAzurePath(text) {
+  return AZURE_PATTERNS.some(p => text.includes(p));
+}
+function hasAzureHeaderPattern(text) {
+  const lines = text.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    if (!lines[i].includes(AZURE_IP)) continue;
+    const start = Math.max(0, i - 5);
+    const end = Math.min(lines.length, i + 6);
+    for (let j = start; j < end; j++) {
+      if (METADATA_HEADER_RE.test(lines[j])) return true;
+    }
+  }
+  return false;
+}
+function hasAzurePattern(text) {
+  return hasAzurePath(text) || hasAzureHeaderPattern(text);
+}
+function collectTexts(pkgJson, jsFiles) {
+  const texts = [];
+  if (pkgJson?.scripts && typeof pkgJson.scripts === 'object') {
+    for (const value of Object.values(pkgJson.scripts)) {
+      if (typeof value === 'string') {
+        texts.push(value);
+      }
+    }
+  }
+  if (jsFiles && Array.isArray(jsFiles)) {
+    for (const file of jsFiles) {
+      if (file?.content && typeof file.content === 'string') {
+        texts.push(file.content);
+      }
+    }
+  }
+  return texts;
+}
+export const name = 'tier1-cloud-imds';
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const texts = collectTexts(pkgJson, jsFiles);
+  if (texts.length === 0) return [];
+  let hasGcp = false;
+  let hasAzure = false;
+  for (const text of texts) {
+    if (!hasGcp && hasGcpPattern(text)) hasGcp = true;
+    if (!hasAzure && hasAzurePattern(text)) hasAzure = true;
+    if (hasGcp && hasAzure) break;
+  }
+  if (!hasGcp && !hasAzure) return [];
+  let confidenceScore;
+  let subtype;
+  if (hasGcp && hasAzure) {
+    confidenceScore = 92;
+    subtype = 'multi_cloud_imds';
+  } else if (hasGcp) {
+    confidenceScore = 82;
+    subtype = 'gcp_metadata';
+  } else {
+    confidenceScore = 82;
+    subtype = 'azure_imds';
+  }
+  return [{
+    detector: 'tier1-cloud-imds',
+    id: 'TIER1-CLOUD-IMDS',
+    severity: severityLabel(confidenceScore),
+    confidence: confidenceLabel(confidenceScore),
+    confidenceScore,
+    subtype,
+    message: hasGcp && hasAzure
+      ? `Package references both GCP metadata and Azure IMDS endpoints — cloud credential harvesting`
+      : hasGcp
+        ? `Package references GCP metadata server endpoint — cloud credential harvesting`
+        : `Package references Azure IMDS endpoint — cloud credential harvesting`,
+    evidence: [
+      ...(hasGcp ? ['gcp: metadata.google.internal / computeMetadata/v1 pattern detected'] : []),
+      ...(hasAzure ? ['azure: 169.254.169.254/metadata pattern detected'] : []),
+    ],
+    crossFiles: [],
+    locations: [{ file: '', line: 0 }],
+    reference: 'Miasma Cloud IMDS',
+  }];
+}

package/backend/detectors/tier1-infostealer.js CHANGED Viewed

@@ -21,6 +21,11 @@ const EVAL_RE = /\beval\s*\(/g;
 const FUNCTION_CTOR_RE = /\bFunction\s*\(/g;
 const B64_STRING_RE = /['"`]([A-Za-z0-9+/]{40,}={0,2})['"`]/g;
+// Named malware signatures — zero-FP string literals for confirmed campaigns
+const NAMED_SIGNATURES = [
+  'Miasma: The Spreading Blight',   // Miasma campaign, June 2026, @redhat-cloud-services compromise
+];
 function shannonEntropy(s) {
   const len = s.length;
   if (len === 0) return 0;
@@ -171,6 +176,37 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
   const files = jsFiles || [];
+  // Named malware signature check — zero-FP string literals, early return
+  const sigTexts = [];
+  if (pkgJson?.scripts && typeof pkgJson.scripts === 'object') {
+    for (const value of Object.values(pkgJson.scripts)) {
+      if (typeof value === 'string') sigTexts.push(value);
+    }
+  }
+  for (const f of files) {
+    if (f?.content) sigTexts.push(f.content);
+  }
+  for (const sig of NAMED_SIGNATURES) {
+    for (const text of sigTexts) {
+      if (text.includes(sig)) {
+        return [{
+          detector: 'tier1-infostealer',
+          id: 'TIER1-INFOSTEALER',
+          severity: 'critical',
+          confidence: 'CRITICAL',
+          confidenceScore: 98,
+          subtype: 'named_signature_miasma',
+          message: `Named malware signature detected: "${sig}"`,
+          evidence: [sig],
+          locations: [{ file: '', line: 0 }],
+          crossFiles: [],
+          reference: 'Campaign 2 & 3',
+        }];
+      }
+    }
+  }
   if (files.length === 0) return [];
   let parseFailCount = 0;

package/backend/detectors/tier1-multistage-postinstall.js ADDED Viewed

@@ -0,0 +1,81 @@
+const SCAN_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
+const REMOTE_FETCH_RE = /\b(?:fetch|axios\.get|axios\.post|http\.get|https\.get)\(|\b(?:curl|wget)\s/;
+const BINARY_EXEC_RE = /\b(?:execFile|execFileSync|execSync|exec|spawnSync|spawn)\s*\(/;
+const DETACHED_RE = /detached\s*:\s*true/;
+function severityLabel(score) {
+  if (score >= 95) return 'critical';
+  if (score >= 80) return 'high';
+  if (score >= 60) return 'medium';
+  return 'low';
+}
+function confidenceLabel(score) {
+  if (score >= 95) return 'CRITICAL';
+  if (score >= 80) return 'HIGH';
+  if (score >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+export const name = 'tier1-multistage-postinstall';
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const scripts = pkgJson?.scripts;
+  if (!scripts || typeof scripts !== 'object') return [];
+  const findings = [];
+  for (const hookName of SCAN_HOOKS) {
+    const content = scripts[hookName];
+    if (!content || typeof content !== 'string') continue;
+    const hasRemoteFetch = REMOTE_FETCH_RE.test(content);
+    const hasBinaryExec = BINARY_EXEC_RE.test(content);
+    const hasDetached = DETACHED_RE.test(content);
+    const signalA = hasRemoteFetch && hasBinaryExec;
+    const signalB = hasDetached;
+    if (!signalA && !signalB) continue;
+    let confidenceScore;
+    let subtype;
+    if (signalA && signalB) {
+      confidenceScore = 95;
+      subtype = 'two_stage_plus_detached';
+    } else if (signalA) {
+      confidenceScore = 82;
+      subtype = 'two_stage_download_exec';
+    } else {
+      confidenceScore = 78;
+      subtype = 'detached_background_process';
+    }
+    const evidence = [`hook: ${hookName}`];
+    if (hasRemoteFetch) evidence.push('pattern: remote fetch call');
+    if (hasBinaryExec) evidence.push('pattern: binary execution call');
+    if (hasDetached) evidence.push('pattern: detached background process');
+    findings.push({
+      detector: 'tier1-multistage-postinstall',
+      id: 'TIER1-MULTISTAGE-POSTINSTALL',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype,
+      message: `Multi-stage install hook detected in "${hookName}" — ${subtype}`,
+      evidence,
+      locations: [{
+        file: 'package.json',
+        field: `scripts.${hookName}`,
+        value: content.length > 200 ? `${content.slice(0, 200)}...` : content,
+      }],
+      crossFiles: [],
+      reference: 'Sonatype-2026-003429',
+    });
+  }
+  return findings;
+}

package/backend/detectors/tier1-version-confusion.js ADDED Viewed

@@ -0,0 +1,107 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+const SENTINEL_EXACT = ['99.99.99'];
+const SENTINEL_FAMILY = ['9.9.9', '9.9.10', '10.10.10', '11.11.11'];
+function severityLabel(score) {
+  if (score >= 80) return 'high';
+  if (score >= 60) return 'medium';
+  return 'low';
+}
+function confidenceLabel(score) {
+  if (score >= 80) return 'HIGH';
+  if (score >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+function parseVersion(version) {
+  if (!version || typeof version !== 'string') return null;
+  const parts = version.split('.');
+  if (parts.length !== 3) return null;
+  const [major, minor, patch] = parts.map(Number);
+  if (isNaN(major) || isNaN(minor) || isNaN(patch)) return null;
+  return { major, minor, patch };
+}
+function matchesHeuristic(parsed) {
+  return parsed.major >= 9 && parsed.minor >= 5 && parsed.patch >= 5 && parsed.major !== 1;
+}
+export const name = 'tier1-version-confusion';
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const pkgName = pkgJson?.name;
+  const version = pkgJson?.version;
+  if (!pkgName || !version) return [];
+  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  const parsed = parseVersion(version);
+  if (!parsed) return [];
+  const vStr = version;
+  // Priority: SENTINEL_EXACT > SENTINEL_FAMILY > HEURISTIC
+  if (SENTINEL_EXACT.includes(vStr)) {
+    const score = 85;
+    return [{
+      detector: 'tier1-version-confusion',
+      id: 'TIER1-VERSION-CONFUSION',
+      severity: severityLabel(score),
+      confidence: confidenceLabel(score),
+      confidenceScore: score,
+      subtype: 'sentinel_exact',
+      message: `Package "${pkgName}" uses exact sentinel version ${vStr} — dependency confusion indicator`,
+      evidence: [
+        `version: ${vStr}`,
+        `sentinel: exact match`,
+      ],
+      crossFiles: [],
+      locations: [{ file: 'package.json', line: 3, column: 10 }],
+      reference: 'Sonatype-2026-003429',
+    }];
+  }
+  if (SENTINEL_FAMILY.includes(vStr)) {
+    const score = 65;
+    return [{
+      detector: 'tier1-version-confusion',
+      id: 'TIER1-VERSION-CONFUSION',
+      severity: severityLabel(score),
+      confidence: confidenceLabel(score),
+      confidenceScore: score,
+      subtype: 'sentinel_family',
+      message: `Package "${pkgName}" uses sentinel family version ${vStr} — dependency confusion indicator`,
+      evidence: [
+        `version: ${vStr}`,
+        `sentinel: family match`,
+      ],
+      crossFiles: [],
+      locations: [{ file: 'package.json', line: 3, column: 10 }],
+      reference: 'Sonatype-2026-003429',
+    }];
+  }
+  if (matchesHeuristic(parsed)) {
+    const score = 62;
+    return [{
+      detector: 'tier1-version-confusion',
+      id: 'TIER1-VERSION-CONFUSION',
+      severity: severityLabel(score),
+      confidence: confidenceLabel(score),
+      confidenceScore: score,
+      subtype: 'high_version_heuristic',
+      message: `Package "${pkgName}" version ${vStr} matches high-version heuristic — possible dependency confusion`,
+      evidence: [
+        `version: ${vStr}`,
+        `major: ${parsed.major}, minor: ${parsed.minor}, patch: ${parsed.patch}`,
+      ],
+      crossFiles: [],
+      locations: [{ file: 'package.json', line: 3, column: 10 }],
+      reference: 'Microsoft Scope Confusion',
+    }];
+  }
+  return [];
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.18.1",
+  "version": "0.18.3",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {