@lateos/npm-scan 0.18.2 → 0.18.3

package/backend/detectors/mini-shai-hulud/iocs.json

@@ -1,79 +1,79 @@
-{
-  "lastUpdated": "2026-05-24T00:00:00.000Z",
-  "waves": {
-    "wave1": {
-      "id": "mini-shai-hulud-wave1",
-      "description": "TanStack CI/CD hijack (mid-May 2026) — 84 malicious versions across 42 packages in ~6 minutes via compromised GitHub Actions CI. Forged SLSA BL3 provenance attestations.",
-      "windowMinutes": 6,
-      "iocs": [
-        {
-          "type": "packageScope",
-          "value": "@tanstack",
-          "maliciousVersionRanges": [],
-          "notes": "Seed IOC — update from threat intel feed. Affected: @tanstack/router, @tanstack/react-router, @tanstack/query, @tanstack/form, @tanstack/store, @tanstack/virtual, @tanstack/ranger, @tanstack/table."
-        }
-      ]
-    },
-    "wave2": {
-      "id": "mini-shai-hulud-wave2",
-      "description": "AntV/atool maintainer account compromise (late May 2026) — 600+ malicious versions across 300+ packages in ~22 minutes. ~16M weekly download blast radius.",
-      "windowMinutes": 22,
-      "iocs": [
-        {
-          "type": "publisherAccount",
-          "value": "atool",
-          "compromiseWindowStart": "2026-05-20T00:00:00.000Z",
-          "compromiseWindowEnd": null,
-          "notes": "Seed IOC — compromised @antv/atool maintainer account. Update compromise window from threat intel."
-        },
-        {
-          "type": "packageScope",
-          "value": "@antv",
-          "maliciousVersionRanges": [],
-          "notes": "Blast radius: @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js. Seed IOC — update from threat intel."
-        }
-      ]
-    },
-    "wave3": {
-      "id": "nx-console-wave3",
-      "description": "Nx Console 18.95.0 VS Code extension compromise (May 18, 2026, CVE-2026-48027, TeamPCP) — contributor token stolen via TanStack wave1 (May 11), 7-day dwell, malicious extension published using npx to fetch 498KB obfuscated Bun payload from dangling orphan commit on nrwl/nx repo. ~3M installs exposed.",
-      "windowMinutes": 36,
-      "iocs": [
-        {
-          "type": "extensionId",
-          "value": "nrwl.angular-console",
-          "maliciousVersionRanges": ["18.95.0"],
-          "notes": "Nx Console v18.95.0 — malicious VS Code extension. CVE-2026-48027. Exposure window: 11 min on Marketplace, 36 min on Open VSX."
-        },
-        {
-          "type": "publisherAccount",
-          "value": "nrwl",
-          "compromiseWindowStart": "2026-05-11T00:00:00.000Z",
-          "compromiseWindowEnd": "2026-05-18T13:09:00.000Z",
-          "notes": "Nx contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publishing malicious extension on May 18."
-        },
-        {
-          "type": "packageScope",
-          "value": "@nx",
-          "maliciousVersionRanges": [],
-          "notes": "NX_CONSOLE_DOWNSTREAM: npm packages under @nx scope deployed by compromised Nx contributor. Check for versions published within 7 days of 2026-05-18."
-        },
-        {
-          "type": "packageScope",
-          "value": "nrwl",
-          "maliciousVersionRanges": [],
-          "notes": "NX_CONSOLE_DOWNSTREAM: nrwl-scoped npm packages — monitor for anomalous burst publishing."
-        }
-      ]
-    }
-  },
-  "iocs": [
-    {
-      "type": "sha512",
-      "value": "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
-      "package": "@antv/g2",
-      "wave": 2,
-      "notes": "Placeholder sha512 — replace with actual SHA-512 integrity hash from npm dist.integrity of a confirmed malicious version."
-    }
-  ]
-}
+{
+  "lastUpdated": "2026-05-24T00:00:00.000Z",
+  "waves": {
+    "wave1": {
+      "id": "mini-shai-hulud-wave1",
+      "description": "TanStack CI/CD hijack (mid-May 2026) — 84 malicious versions across 42 packages in ~6 minutes via compromised GitHub Actions CI. Forged SLSA BL3 provenance attestations.",
+      "windowMinutes": 6,
+      "iocs": [
+        {
+          "type": "packageScope",
+          "value": "@tanstack",
+          "maliciousVersionRanges": [],
+          "notes": "Seed IOC — update from threat intel feed. Affected: @tanstack/router, @tanstack/react-router, @tanstack/query, @tanstack/form, @tanstack/store, @tanstack/virtual, @tanstack/ranger, @tanstack/table."
+        }
+      ]
+    },
+    "wave2": {
+      "id": "mini-shai-hulud-wave2",
+      "description": "AntV/atool maintainer account compromise (late May 2026) — 600+ malicious versions across 300+ packages in ~22 minutes. ~16M weekly download blast radius.",
+      "windowMinutes": 22,
+      "iocs": [
+        {
+          "type": "publisherAccount",
+          "value": "atool",
+          "compromiseWindowStart": "2026-05-20T00:00:00.000Z",
+          "compromiseWindowEnd": null,
+          "notes": "Seed IOC — compromised @antv/atool maintainer account. Update compromise window from threat intel."
+        },
+        {
+          "type": "packageScope",
+          "value": "@antv",
+          "maliciousVersionRanges": [],
+          "notes": "Blast radius: @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js. Seed IOC — update from threat intel."
+        }
+      ]
+    },
+    "wave3": {
+      "id": "nx-console-wave3",
+      "description": "Nx Console 18.95.0 VS Code extension compromise (May 18, 2026, CVE-2026-48027, TeamPCP) — contributor token stolen via TanStack wave1 (May 11), 7-day dwell, malicious extension published using npx to fetch 498KB obfuscated Bun payload from dangling orphan commit on nrwl/nx repo. ~3M installs exposed.",
+      "windowMinutes": 36,
+      "iocs": [
+        {
+          "type": "extensionId",
+          "value": "nrwl.angular-console",
+          "maliciousVersionRanges": ["18.95.0"],
+          "notes": "Nx Console v18.95.0 — malicious VS Code extension. CVE-2026-48027. Exposure window: 11 min on Marketplace, 36 min on Open VSX."
+        },
+        {
+          "type": "publisherAccount",
+          "value": "nrwl",
+          "compromiseWindowStart": "2026-05-11T00:00:00.000Z",
+          "compromiseWindowEnd": "2026-05-18T13:09:00.000Z",
+          "notes": "Nx contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publishing malicious extension on May 18."
+        },
+        {
+          "type": "packageScope",
+          "value": "@nx",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: npm packages under @nx scope deployed by compromised Nx contributor. Check for versions published within 7 days of 2026-05-18."
+        },
+        {
+          "type": "packageScope",
+          "value": "nrwl",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: nrwl-scoped npm packages — monitor for anomalous burst publishing."
+        }
+      ]
+    }
+  },
+  "iocs": [
+    {
+      "type": "sha512",
+      "value": "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+      "package": "@antv/g2",
+      "wave": 2,
+      "notes": "Placeholder sha512 — replace with actual SHA-512 integrity hash from npm dist.integrity of a confirmed malicious version."
+    }
+  ]
+}

package/backend/fetch.js

@@ -1,176 +1,176 @@
-import fs from 'fs';
-import os from 'os';
-import path from 'path';
-import { extract } from 'tar';
-import zlib from 'zlib';
-import { Readable } from 'stream';
-import { pipeline } from 'stream/promises';
-
-export async function fetchPackage(target, options = {}) {
-  const { cacheDir, cacheTTL = 604800, cacheMaxSize = 1000000000 } = options;
-  let name, version;
-  
-  if (target.startsWith('@')) {
-    const lastAt = target.lastIndexOf('@');
-    name = target.slice(0, lastAt);
-    version = target.slice(lastAt + 1);
-    if (!version) version = undefined;
-  } else {
-    const idx = target.indexOf('@');
-    name = idx > -1 ? target.slice(0, idx) : target;
-    version = idx > -1 ? target.slice(idx + 1) : undefined;
-  }
-  
-  const endpoint = version ? `/${encodeURIComponent(name)}/${version}` : `/${encodeURIComponent(name)}/latest`;
-
-  if (cacheDir) {
-    const cached = getFromCache(cacheDir, target, cacheTTL);
-    if (cached) {
-      const tmpDir = path.join(os.tmpdir(), 'npm-scan-cache-' + Date.now());
-      return { ...(await extractTarball(cached, tmpDir)), meta: null };
-    }
-  }
-
-  const metaRes = await fetch(`https://registry.npmjs.org${endpoint}`);
-  const meta = await metaRes.json();
-
-  if (!metaRes.ok || !meta.dist?.tarball) {
-    throw new Error(`Package '${target}' not found on npm (${metaRes.status})`);
-  }
-
-  const tarUrl = meta.dist.tarball;
-  const tarRes = await fetch(tarUrl);
-  const buffer = Buffer.from(await tarRes.arrayBuffer());
-  if (buffer.length > 500 * 1024 * 1024) throw new Error('Tarball too large');
-
-  // Save to cache if enabled
-  if (cacheDir) {
-    saveToCache(cacheDir, target, buffer, cacheTTL, cacheMaxSize);
-  }
-
-  const tmpDir = path.join(os.tmpdir(), 'npm-scan-' + Date.now());
-  return { ...(await extractTarball(buffer, tmpDir)), meta };
-}
-
-function getFromCache(cacheDir, target, ttl) {
-  const cachePath = path.join(cacheDir, `${target.replace('/', '-')}.tgz`);
-  const metaPath = path.join(cacheDir, `${target.replace('/', '-')}.meta.json`);
-  
-  try {
-    if (!fs.existsSync(cachePath) || !fs.existsSync(metaPath)) return null;
-    
-    const meta = JSON.parse(fs.readFileSync(metaPath, 'utf8'));
-    const age = (Date.now() - meta.timestamp) / 1000;
-    
-    if (age > ttl) {
-      fs.unlinkSync(cachePath);
-      fs.unlinkSync(metaPath);
-      return null;
-    }
-    
-    return fs.readFileSync(cachePath);
-  } catch {
-    return null;
-  }
-}
-
-function saveToCache(cacheDir, target, buffer, ttl, maxSize) {
-  try {
-    if (!fs.existsSync(cacheDir)) {
-      fs.mkdirSync(cacheDir, { recursive: true });
-    }
-    
-    // Prune if needed
-    pruneCache(cacheDir, maxSize);
-    
-    const safeName = target.replace('/', '-');
-    const cachePath = path.join(cacheDir, `${safeName}.tgz`);
-    const metaPath = path.join(cacheDir, `${safeName}.meta.json`);
-    
-    fs.writeFileSync(cachePath, buffer);
-    fs.writeFileSync(metaPath, JSON.stringify({ timestamp: Date.now(), size: buffer.length }));
-  } catch (e) {
-    // Cache write failure - continue without caching
-  }
-}
-
-function pruneCache(cacheDir, maxSize) {
-  try {
-    const files = fs.readdirSync(cacheDir).filter(f => f.endsWith('.meta.json'));
-    let totalSize = 0;
-    const fileInfos = [];
-    
-    for (const f of files) {
-      const meta = JSON.parse(fs.readFileSync(path.join(cacheDir, f), 'utf8'));
-      const tarFile = f.replace('.meta.json', '.tgz');
-      const size = meta.size || 0;
-      totalSize += size;
-      fileInfos.push({ tarFile, metaFile: f, timestamp: meta.timestamp, size });
-    }
-    
-    if (totalSize > maxSize) {
-      // Sort by oldest first and remove until under limit
-      fileInfos.sort((a, b) => a.timestamp - b.timestamp);
-      for (const info of fileInfos) {
-        if (totalSize <= maxSize * 0.8) break; // Leave 20% margin
-        try {
-          fs.unlinkSync(path.join(cacheDir, info.tarFile));
-          fs.unlinkSync(path.join(cacheDir, info.metaFile));
-          totalSize -= info.size;
-        } catch {}
-      }
-    }
-  } catch {
-    // Prune failure - ignore
-  }
-}
-
-export async function scanLocalTarball(filePath) {
-  const buffer = fs.readFileSync(filePath);
-  const tmpDir = path.join(os.tmpdir(), 'npm-scan-local-' + Date.now());
-  return await extractTarball(buffer, tmpDir);
-}
-
-async function extractTarball(buffer, tmpDir) {
-  fs.mkdirSync(tmpDir, { recursive: true });
-
-  const stream = Readable.from(buffer);
-  await pipeline(
-    stream,
-    zlib.createGunzip(),
-    extract({ cwd: tmpDir, strip: 1 })
-  );
-
-  const pkgPath = path.join(tmpDir, 'package.json');
-  const pkgJsonStr = fs.readFileSync(pkgPath, 'utf8');
-  const pkgJson = JSON.parse(pkgJsonStr);
-
-  const jsFiles = walkFiles(tmpDir, '.js').map(p => ({
-    path: p,
-    content: fs.readFileSync(p, 'utf8')
-  }));
-
-  const allFiles = walkFiles(tmpDir, '').map(p => ({
-    path: p,
-    content: fs.readFileSync(p, 'utf8')
-  }));
-
-  return { pkgJson, jsFiles, allFiles, tmpDir };
-}
-
-function walkFiles(dir, ext) {
-  const results = [];
-  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
-    const full = path.join(dir, entry.name);
-    if (entry.isDirectory() && entry.name !== 'node_modules') {
-      results.push(...walkFiles(full, ext));
-    } else if (entry.isFile() && full.endsWith(ext)) {
-      results.push(full);
-    }
-  }
-  return results;
-}
-
-export function cleanup(tmpDir) {
-  fs.rmSync(tmpDir, { recursive: true, force: true });
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { extract } from 'tar';
+import zlib from 'zlib';
+import { Readable } from 'stream';
+import { pipeline } from 'stream/promises';
+
+export async function fetchPackage(target, options = {}) {
+  const { cacheDir, cacheTTL = 604800, cacheMaxSize = 1000000000 } = options;
+  let name, version;
+  
+  if (target.startsWith('@')) {
+    const lastAt = target.lastIndexOf('@');
+    name = target.slice(0, lastAt);
+    version = target.slice(lastAt + 1);
+    if (!version) version = undefined;
+  } else {
+    const idx = target.indexOf('@');
+    name = idx > -1 ? target.slice(0, idx) : target;
+    version = idx > -1 ? target.slice(idx + 1) : undefined;
+  }
+  
+  const endpoint = version ? `/${encodeURIComponent(name)}/${version}` : `/${encodeURIComponent(name)}/latest`;
+
+  if (cacheDir) {
+    const cached = getFromCache(cacheDir, target, cacheTTL);
+    if (cached) {
+      const tmpDir = path.join(os.tmpdir(), 'npm-scan-cache-' + Date.now());
+      return { ...(await extractTarball(cached, tmpDir)), meta: null };
+    }
+  }
+
+  const metaRes = await fetch(`https://registry.npmjs.org${endpoint}`);
+  const meta = await metaRes.json();
+
+  if (!metaRes.ok || !meta.dist?.tarball) {
+    throw new Error(`Package '${target}' not found on npm (${metaRes.status})`);
+  }
+
+  const tarUrl = meta.dist.tarball;
+  const tarRes = await fetch(tarUrl);
+  const buffer = Buffer.from(await tarRes.arrayBuffer());
+  if (buffer.length > 500 * 1024 * 1024) throw new Error('Tarball too large');
+
+  // Save to cache if enabled
+  if (cacheDir) {
+    saveToCache(cacheDir, target, buffer, cacheTTL, cacheMaxSize);
+  }
+
+  const tmpDir = path.join(os.tmpdir(), 'npm-scan-' + Date.now());
+  return { ...(await extractTarball(buffer, tmpDir)), meta };
+}
+
+function getFromCache(cacheDir, target, ttl) {
+  const cachePath = path.join(cacheDir, `${target.replace('/', '-')}.tgz`);
+  const metaPath = path.join(cacheDir, `${target.replace('/', '-')}.meta.json`);
+  
+  try {
+    if (!fs.existsSync(cachePath) || !fs.existsSync(metaPath)) return null;
+    
+    const meta = JSON.parse(fs.readFileSync(metaPath, 'utf8'));
+    const age = (Date.now() - meta.timestamp) / 1000;
+    
+    if (age > ttl) {
+      fs.unlinkSync(cachePath);
+      fs.unlinkSync(metaPath);
+      return null;
+    }
+    
+    return fs.readFileSync(cachePath);
+  } catch {
+    return null;
+  }
+}
+
+function saveToCache(cacheDir, target, buffer, ttl, maxSize) {
+  try {
+    if (!fs.existsSync(cacheDir)) {
+      fs.mkdirSync(cacheDir, { recursive: true });
+    }
+    
+    // Prune if needed
+    pruneCache(cacheDir, maxSize);
+    
+    const safeName = target.replace('/', '-');
+    const cachePath = path.join(cacheDir, `${safeName}.tgz`);
+    const metaPath = path.join(cacheDir, `${safeName}.meta.json`);
+    
+    fs.writeFileSync(cachePath, buffer);
+    fs.writeFileSync(metaPath, JSON.stringify({ timestamp: Date.now(), size: buffer.length }));
+  } catch (e) {
+    // Cache write failure - continue without caching
+  }
+}
+
+function pruneCache(cacheDir, maxSize) {
+  try {
+    const files = fs.readdirSync(cacheDir).filter(f => f.endsWith('.meta.json'));
+    let totalSize = 0;
+    const fileInfos = [];
+    
+    for (const f of files) {
+      const meta = JSON.parse(fs.readFileSync(path.join(cacheDir, f), 'utf8'));
+      const tarFile = f.replace('.meta.json', '.tgz');
+      const size = meta.size || 0;
+      totalSize += size;
+      fileInfos.push({ tarFile, metaFile: f, timestamp: meta.timestamp, size });
+    }
+    
+    if (totalSize > maxSize) {
+      // Sort by oldest first and remove until under limit
+      fileInfos.sort((a, b) => a.timestamp - b.timestamp);
+      for (const info of fileInfos) {
+        if (totalSize <= maxSize * 0.8) break; // Leave 20% margin
+        try {
+          fs.unlinkSync(path.join(cacheDir, info.tarFile));
+          fs.unlinkSync(path.join(cacheDir, info.metaFile));
+          totalSize -= info.size;
+        } catch {}
+      }
+    }
+  } catch {
+    // Prune failure - ignore
+  }
+}
+
+export async function scanLocalTarball(filePath) {
+  const buffer = fs.readFileSync(filePath);
+  const tmpDir = path.join(os.tmpdir(), 'npm-scan-local-' + Date.now());
+  return await extractTarball(buffer, tmpDir);
+}
+
+async function extractTarball(buffer, tmpDir) {
+  fs.mkdirSync(tmpDir, { recursive: true });
+
+  const stream = Readable.from(buffer);
+  await pipeline(
+    stream,
+    zlib.createGunzip(),
+    extract({ cwd: tmpDir, strip: 1 })
+  );
+
+  const pkgPath = path.join(tmpDir, 'package.json');
+  const pkgJsonStr = fs.readFileSync(pkgPath, 'utf8');
+  const pkgJson = JSON.parse(pkgJsonStr);
+
+  const jsFiles = walkFiles(tmpDir, '.js').map(p => ({
+    path: p,
+    content: fs.readFileSync(p, 'utf8')
+  }));
+
+  const allFiles = walkFiles(tmpDir, '').map(p => ({
+    path: p,
+    content: fs.readFileSync(p, 'utf8')
+  }));
+
+  return { pkgJson, jsFiles, allFiles, tmpDir };
+}
+
+function walkFiles(dir, ext) {
+  const results = [];
+  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory() && entry.name !== 'node_modules') {
+      results.push(...walkFiles(full, ext));
+    } else if (entry.isFile() && full.endsWith(ext)) {
+      results.push(full);
+    }
+  }
+  return results;
+}
+
+export function cleanup(tmpDir) {
+  fs.rmSync(tmpDir, { recursive: true, force: true });
 }

package/backend/index.js

@@ -1,4 +1,4 @@
-export default {
-  version: '0.1.0',
-  description: 'npm-scan - Supply chain security for npm'
-};
+export default {
+  version: '0.1.0',
+  description: 'npm-scan - Supply chain security for npm'
+};