@lateos/npm-scan 0.18.2 → 1.0.0

package/backend/detectors/megalodon/d1-workflow-scan.js

@@ -1,147 +1,147 @@
-import { MegalodonSignal } from './types.js';
-import yaml from 'js-yaml';
-
-const C2_EXFIL_RE = /curl\s+.*?https?:\/\/(?!github\.com|githubusercontent\.com|raw\.githubusercontent\.com)[^\s'"]+/i;
-const SECRETS_REF_RE = /\$\{\{?\s*secrets\.\w+/;
-const B64_DECODE_CHAIN_RE = /base64\s+-d\s*[|>]\s*(ba)?sh/;
-
-function isWorkflowFile(f) {
-  const p = f.path.replace(/\\/g, '/');
-  return /\.github\/workflows\/.+\.(yml|yaml)$/i.test(p);
-}
-
-function countExecutableLines(text) {
-  return text.split('\n').filter(l => l.trim() && !l.trim().startsWith('#')).length;
-}
-
-function extractRunBlocks(parsed) {
-  const runs = [];
-  if (!parsed || typeof parsed !== 'object') return runs;
-
-  const walk = (obj) => {
-    if (!obj || typeof obj !== 'object') return;
-    if (Array.isArray(obj)) { obj.forEach(walk); return; }
-    for (const [k, v] of Object.entries(obj)) {
-      if (k === 'run' && typeof v === 'string') {
-        runs.push(v);
-      }
-      if (k === 'env' && typeof v === 'object' && v !== null) {
-        runs.push({ _env: v });
-      }
-      walk(v);
-    }
-  };
-  walk(parsed);
-  return runs;
-}
-
-function extractRunBlocksRaw(text) {
-  const runs = [];
-  const runMatch = text.match(/run:\s*[|>]\s*\n(\s{2,}.*(?:\n\s{2,}.*)*)/g);
-  if (runMatch) runs.push(...runMatch.map(m => m.replace(/^run:\s*[|>]\s*\n/, '')));
-
-  const inlineRe = /run:\s*['"](.+?)['"]\s*$/gm;
-  let m;
-  while ((m = inlineRe.exec(text)) !== null) runs.push(m[1]);
-
-  const envRe = /env:\s*\n((?:\s{2,}\w+:\s*.+\n?)*)/g;
-  let em;
-  while ((em = envRe.exec(text)) !== null) runs.push({ _env: em[1] });
-  return runs;
-}
-
-function runInStepHasBoth(step, signal) {
-  const runVal = step.run;
-  const envVals = step.env ? Object.values(step.env).filter(v => typeof v === 'string').join(' ') : '';
-  const combined = typeof runVal === 'string' ? `${runVal} ${envVals}` : '';
-
-  if (signal === 'exfil') {
-    return C2_EXFIL_RE.test(combined) && SECRETS_REF_RE.test(combined);
-  }
-  if (signal === 'decode') {
-    return B64_DECODE_CHAIN_RE.test(combined);
-  }
-  return false;
-}
-
-export async function scan(allFiles) {
-  const evidence = [];
-  const workflowFiles = allFiles.filter(isWorkflowFile);
-
-  for (const f of workflowFiles) {
-    if (f.content.length > 512 * 1024) continue;
-
-    let parsed = null;
-    let parseError = null;
-    try {
-      parsed = yaml.load(f.content);
-    } catch (e) {
-      parseError = e;
-    }
-
-    const rawRunBlocks = parsed ? extractRunBlocks(parsed) : extractRunBlocksRaw(f.content);
-    const runStrings = rawRunBlocks.filter(r => typeof r === 'string');
-    const envBlocks = rawRunBlocks.filter(r => typeof r === 'object' && r._env);
-
-    let exfilTriggered = false;
-    let decodeTriggered = false;
-
-    for (const runStr of runStrings) {
-      if (!exfilTriggered && C2_EXFIL_RE.test(runStr) && SECRETS_REF_RE.test(runStr)) {
-        exfilTriggered = true;
-        evidence.push({
-          signal: MegalodonSignal.WORKFLOW_C2_EXFIL,
-          file: f.path,
-          excerpt: runStr.slice(0, 120),
-          detail: 'C2 outbound call co-occurs with credentials reference in run block',
-        });
-      }
-
-      if (!decodeTriggered && B64_DECODE_CHAIN_RE.test(runStr)) {
-        decodeTriggered = true;
-        evidence.push({
-          signal: MegalodonSignal.WORKFLOW_DECODE_CHAIN,
-          file: f.path,
-          excerpt: runStr.slice(0, 120),
-          detail: 'Base64 decode pipe to shell — obfuscated payload execution',
-        });
-      }
-    }
-
-    if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
-      const steps = parsed.jobs ? Object.values(parsed.jobs).flatMap(j => j.steps || []) : [];
-      for (const step of steps) {
-        if (!exfilTriggered && runInStepHasBoth(step, 'exfil')) {
-          exfilTriggered = true;
-          const runVal = step.run || '';
-          evidence.push({
-            signal: MegalodonSignal.WORKFLOW_C2_EXFIL,
-            file: f.path,
-            excerpt: runVal.slice(0, 120),
-            detail: 'C2 outbound call co-occurs with secrets reference in same step',
-          });
-        }
-        if (!decodeTriggered && runInStepHasBoth(step, 'decode')) {
-          decodeTriggered = true;
-          const runVal = step.run || '';
-          evidence.push({
-            signal: MegalodonSignal.WORKFLOW_DECODE_CHAIN,
-            file: f.path,
-            excerpt: runVal.slice(0, 120),
-            detail: 'Base64 decode pipe to shell — obfuscated payload execution',
-          });
-        }
-      }
-    }
-
-    const lineCount = countExecutableLines(f.content);
-    if ((exfilTriggered || decodeTriggered) && lineCount >= 100 && lineCount <= 120) {
-      const found = evidence.find(e => e.signal === MegalodonSignal.WORKFLOW_C2_EXFIL || e.signal === MegalodonSignal.WORKFLOW_DECODE_CHAIN);
-      if (found) {
-        found.detail += ` | Matches ${lineCount}-line Megalodon payload footprint`;
-      }
-    }
-  }
-
-  return evidence;
-}
+import { MegalodonSignal } from './types.js';
+import yaml from 'js-yaml';
+
+const C2_EXFIL_RE = /curl\s+.*?https?:\/\/(?!github\.com|githubusercontent\.com|raw\.githubusercontent\.com)[^\s'"]+/i;
+const SECRETS_REF_RE = /\$\{\{?\s*secrets\.\w+/;
+const B64_DECODE_CHAIN_RE = /base64\s+-d\s*[|>]\s*(ba)?sh/;
+
+function isWorkflowFile(f) {
+  const p = f.path.replace(/\\/g, '/');
+  return /\.github\/workflows\/.+\.(yml|yaml)$/i.test(p);
+}
+
+function countExecutableLines(text) {
+  return text.split('\n').filter(l => l.trim() && !l.trim().startsWith('#')).length;
+}
+
+function extractRunBlocks(parsed) {
+  const runs = [];
+  if (!parsed || typeof parsed !== 'object') return runs;
+
+  const walk = (obj) => {
+    if (!obj || typeof obj !== 'object') return;
+    if (Array.isArray(obj)) { obj.forEach(walk); return; }
+    for (const [k, v] of Object.entries(obj)) {
+      if (k === 'run' && typeof v === 'string') {
+        runs.push(v);
+      }
+      if (k === 'env' && typeof v === 'object' && v !== null) {
+        runs.push({ _env: v });
+      }
+      walk(v);
+    }
+  };
+  walk(parsed);
+  return runs;
+}
+
+function extractRunBlocksRaw(text) {
+  const runs = [];
+  const runMatch = text.match(/run:\s*[|>]\s*\n(\s{2,}.*(?:\n\s{2,}.*)*)/g);
+  if (runMatch) runs.push(...runMatch.map(m => m.replace(/^run:\s*[|>]\s*\n/, '')));
+
+  const inlineRe = /run:\s*['"](.+?)['"]\s*$/gm;
+  let m;
+  while ((m = inlineRe.exec(text)) !== null) runs.push(m[1]);
+
+  const envRe = /env:\s*\n((?:\s{2,}\w+:\s*.+\n?)*)/g;
+  let em;
+  while ((em = envRe.exec(text)) !== null) runs.push({ _env: em[1] });
+  return runs;
+}
+
+function runInStepHasBoth(step, signal) {
+  const runVal = step.run;
+  const envVals = step.env ? Object.values(step.env).filter(v => typeof v === 'string').join(' ') : '';
+  const combined = typeof runVal === 'string' ? `${runVal} ${envVals}` : '';
+
+  if (signal === 'exfil') {
+    return C2_EXFIL_RE.test(combined) && SECRETS_REF_RE.test(combined);
+  }
+  if (signal === 'decode') {
+    return B64_DECODE_CHAIN_RE.test(combined);
+  }
+  return false;
+}
+
+export async function scan(allFiles) {
+  const evidence = [];
+  const workflowFiles = allFiles.filter(isWorkflowFile);
+
+  for (const f of workflowFiles) {
+    if (f.content.length > 512 * 1024) continue;
+
+    let parsed = null;
+    let parseError = null;
+    try {
+      parsed = yaml.load(f.content);
+    } catch (e) {
+      parseError = e;
+    }
+
+    const rawRunBlocks = parsed ? extractRunBlocks(parsed) : extractRunBlocksRaw(f.content);
+    const runStrings = rawRunBlocks.filter(r => typeof r === 'string');
+    const envBlocks = rawRunBlocks.filter(r => typeof r === 'object' && r._env);
+
+    let exfilTriggered = false;
+    let decodeTriggered = false;
+
+    for (const runStr of runStrings) {
+      if (!exfilTriggered && C2_EXFIL_RE.test(runStr) && SECRETS_REF_RE.test(runStr)) {
+        exfilTriggered = true;
+        evidence.push({
+          signal: MegalodonSignal.WORKFLOW_C2_EXFIL,
+          file: f.path,
+          excerpt: runStr.slice(0, 120),
+          detail: 'C2 outbound call co-occurs with credentials reference in run block',
+        });
+      }
+
+      if (!decodeTriggered && B64_DECODE_CHAIN_RE.test(runStr)) {
+        decodeTriggered = true;
+        evidence.push({
+          signal: MegalodonSignal.WORKFLOW_DECODE_CHAIN,
+          file: f.path,
+          excerpt: runStr.slice(0, 120),
+          detail: 'Base64 decode pipe to shell — obfuscated payload execution',
+        });
+      }
+    }
+
+    if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+      const steps = parsed.jobs ? Object.values(parsed.jobs).flatMap(j => j.steps || []) : [];
+      for (const step of steps) {
+        if (!exfilTriggered && runInStepHasBoth(step, 'exfil')) {
+          exfilTriggered = true;
+          const runVal = step.run || '';
+          evidence.push({
+            signal: MegalodonSignal.WORKFLOW_C2_EXFIL,
+            file: f.path,
+            excerpt: runVal.slice(0, 120),
+            detail: 'C2 outbound call co-occurs with secrets reference in same step',
+          });
+        }
+        if (!decodeTriggered && runInStepHasBoth(step, 'decode')) {
+          decodeTriggered = true;
+          const runVal = step.run || '';
+          evidence.push({
+            signal: MegalodonSignal.WORKFLOW_DECODE_CHAIN,
+            file: f.path,
+            excerpt: runVal.slice(0, 120),
+            detail: 'Base64 decode pipe to shell — obfuscated payload execution',
+          });
+        }
+      }
+    }
+
+    const lineCount = countExecutableLines(f.content);
+    if ((exfilTriggered || decodeTriggered) && lineCount >= 100 && lineCount <= 120) {
+      const found = evidence.find(e => e.signal === MegalodonSignal.WORKFLOW_C2_EXFIL || e.signal === MegalodonSignal.WORKFLOW_DECODE_CHAIN);
+      if (found) {
+        found.detail += ` | Matches ${lineCount}-line Megalodon payload footprint`;
+      }
+    }
+  }
+
+  return evidence;
+}

package/backend/detectors/megalodon/d2-credential-harvest.js

@@ -1,61 +1,61 @@
-import { MegalodonSignal } from './types.js';
-
-const CRED_PATTERNS = [
-  { pattern: /\bAWS_(SECRET_ACCESS_KEY|ACCESS_KEY_ID|SESSION_TOKEN)\b/, label: 'AWS credential' },
-  { pattern: /\bGOOGLE_APPLICATION_CREDENTIALS\b/, label: 'GCP credential' },
-  { pattern: /\bAZURE_(CLIENT_SECRET|TENANT_ID|CLIENT_ID|SUBSCRIPTION_ID)\b/, label: 'Azure credential' },
-  { pattern: /\bGH_(TOKEN|PAT)\b/, label: 'GitHub PAT' },
-  { pattern: /\bGITHUB_TOKEN\b/, label: 'GitHub token' },
-  { pattern: /\bNPM_TOKEN\b/, label: 'npm token' },
-  { pattern: /\bDISCORD_TOKEN\b/, label: 'Discord token' },
-  { pattern: /\bSLACK_TOKEN\b/, label: 'Slack token' },
-  { pattern: /\bSTRIPE_(SECRET|PUBLISHABLE)_KEY\b/, label: 'Stripe key' },
-  { pattern: /\bTWILIO_(ACCOUNT_SID|AUTH_TOKEN)\b/, label: 'Twilio credential' },
-  { pattern: /\bDB_(USERNAME|PASSWORD|URL)\b/, label: 'Database credential' },
-  { pattern: /\bMONGO_(URI|URL|CONNECTION)\b/, label: 'MongoDB connection' },
-];
-
-const OUTBOUND_NET_RE = /curl\s+|wget\s+|fetch\s*\(|https?\.request\s*\(|http\.request\s*\(|got\s*\(|axios\s*\.|request\s*\(|node-fetch|\.post\s*\(|\.get\s*\(/i;
-
-const TARGET_EXTENSIONS = ['.sh', '.bash', '.yml', '.yaml', '.js'];
-
-function isTargetFile(f) {
-  const ext = f.path.slice(f.path.lastIndexOf('.')).toLowerCase();
-  return TARGET_EXTENSIONS.includes(ext);
-}
-
-export async function scan(allFiles) {
-  const evidence = [];
-  const targetFiles = allFiles.filter(isTargetFile);
-
-  for (const f of targetFiles) {
-    const content = f.content;
-    let score = 0;
-    const matched = [];
-
-    for (const cp of CRED_PATTERNS) {
-      const re = new RegExp(cp.pattern.source, 'gi');
-      let m;
-      while ((m = re.exec(content)) !== null) {
-        if (!matched.some(ex => ex.label === cp.label)) {
-          matched.push({ label: cp.label, match: m[0] });
-        }
-        score += 3;
-      }
-    }
-
-    if (score > 0) {
-      const hasNetwork = OUTBOUND_NET_RE.test(content);
-      if (hasNetwork) {
-        evidence.push({
-          signal: MegalodonSignal.CREDENTIAL_HARVEST,
-          file: f.path,
-          excerpt: matched.map(m => m.label).join(', ').slice(0, 120),
-          detail: `Credential env vars (${matched.map(m => m.label).join(', ')}) co-occur with outbound network call (score: ${score})`,
-        });
-      }
-    }
-  }
-
-  return evidence;
-}
+import { MegalodonSignal } from './types.js';
+
+const CRED_PATTERNS = [
+  { pattern: /\bAWS_(SECRET_ACCESS_KEY|ACCESS_KEY_ID|SESSION_TOKEN)\b/, label: 'AWS credential' },
+  { pattern: /\bGOOGLE_APPLICATION_CREDENTIALS\b/, label: 'GCP credential' },
+  { pattern: /\bAZURE_(CLIENT_SECRET|TENANT_ID|CLIENT_ID|SUBSCRIPTION_ID)\b/, label: 'Azure credential' },
+  { pattern: /\bGH_(TOKEN|PAT)\b/, label: 'GitHub PAT' },
+  { pattern: /\bGITHUB_TOKEN\b/, label: 'GitHub token' },
+  { pattern: /\bNPM_TOKEN\b/, label: 'npm token' },
+  { pattern: /\bDISCORD_TOKEN\b/, label: 'Discord token' },
+  { pattern: /\bSLACK_TOKEN\b/, label: 'Slack token' },
+  { pattern: /\bSTRIPE_(SECRET|PUBLISHABLE)_KEY\b/, label: 'Stripe key' },
+  { pattern: /\bTWILIO_(ACCOUNT_SID|AUTH_TOKEN)\b/, label: 'Twilio credential' },
+  { pattern: /\bDB_(USERNAME|PASSWORD|URL)\b/, label: 'Database credential' },
+  { pattern: /\bMONGO_(URI|URL|CONNECTION)\b/, label: 'MongoDB connection' },
+];
+
+const OUTBOUND_NET_RE = /curl\s+|wget\s+|fetch\s*\(|https?\.request\s*\(|http\.request\s*\(|got\s*\(|axios\s*\.|request\s*\(|node-fetch|\.post\s*\(|\.get\s*\(/i;
+
+const TARGET_EXTENSIONS = ['.sh', '.bash', '.yml', '.yaml', '.js'];
+
+function isTargetFile(f) {
+  const ext = f.path.slice(f.path.lastIndexOf('.')).toLowerCase();
+  return TARGET_EXTENSIONS.includes(ext);
+}
+
+export async function scan(allFiles) {
+  const evidence = [];
+  const targetFiles = allFiles.filter(isTargetFile);
+
+  for (const f of targetFiles) {
+    const content = f.content;
+    let score = 0;
+    const matched = [];
+
+    for (const cp of CRED_PATTERNS) {
+      const re = new RegExp(cp.pattern.source, 'gi');
+      let m;
+      while ((m = re.exec(content)) !== null) {
+        if (!matched.some(ex => ex.label === cp.label)) {
+          matched.push({ label: cp.label, match: m[0] });
+        }
+        score += 3;
+      }
+    }
+
+    if (score > 0) {
+      const hasNetwork = OUTBOUND_NET_RE.test(content);
+      if (hasNetwork) {
+        evidence.push({
+          signal: MegalodonSignal.CREDENTIAL_HARVEST,
+          file: f.path,
+          excerpt: matched.map(m => m.label).join(', ').slice(0, 120),
+          detail: `Credential env vars (${matched.map(m => m.label).join(', ')}) co-occur with outbound network call (score: ${score})`,
+        });
+      }
+    }
+  }
+
+  return evidence;
+}

package/backend/detectors/megalodon/d3-publish-velocity.js

@@ -1,67 +1,67 @@
-import { MegalodonSignal } from './types.js';
-
-export function detectVelocitySpike(times, windowHours = 6, threshold = 3) {
-  const filtered = {};
-  for (const [v, t] of Object.entries(times)) {
-    if (v === 'created' || v === 'modified') continue;
-    filtered[v] = t;
-  }
-
-  const entries = Object.entries(filtered)
-    .filter(([, t]) => t)
-    .map(([v, t]) => [v, new Date(t).getTime()])
-    .filter(([, ts]) => !Number.isNaN(ts))
-    .sort((a, b) => a[1] - b[1]);
-
-  if (entries.length === 0) {
-    return { triggered: false, versionsInWindow: [], windowStartISO: null };
-  }
-
-  const windowMs = windowHours * 3_600_000;
-
-  for (let i = 0; i < entries.length; i++) {
-    const windowStart = entries[i][1];
-    const windowEnd = windowStart + windowMs;
-    const inWindow = [];
-
-    for (let j = i; j < entries.length; j++) {
-      if (entries[j][1] <= windowEnd) {
-        inWindow.push(entries[j][0]);
-      } else {
-        break;
-      }
-    }
-
-    if (inWindow.length >= threshold) {
-      let display = inWindow.slice(0, 10);
-      let suffix = '';
-      if (inWindow.length > 10) {
-        suffix = ` +${inWindow.length - 10} more`;
-      }
-      return {
-        triggered: true,
-        versionsInWindow: display.join(', ') + suffix,
-        windowStartISO: new Date(windowStart).toISOString(),
-        _allVersions: inWindow,
-      };
-    }
-  }
-
-  return { triggered: false, versionsInWindow: [], windowStartISO: null };
-}
-
-export async function scan(registryMeta) {
-  const times = registryMeta?.time || {};
-  const result = detectVelocitySpike(times);
-
-  if (!result.triggered) return [];
-
-  return [{
-    signal: MegalodonSignal.PUBLISH_VELOCITY,
-    file: 'registry.npmjs.org',
-    excerpt: result.versionsInWindow,
-    detail: `Version publish velocity spike: ${result.versionsInWindow} versions in window starting ${result.windowStartISO}`,
-    _windowStartISO: result.windowStartISO,
-    _allVersions: result._allVersions,
-  }];
-}
+import { MegalodonSignal } from './types.js';
+
+export function detectVelocitySpike(times, windowHours = 6, threshold = 3) {
+  const filtered = {};
+  for (const [v, t] of Object.entries(times)) {
+    if (v === 'created' || v === 'modified') continue;
+    filtered[v] = t;
+  }
+
+  const entries = Object.entries(filtered)
+    .filter(([, t]) => t)
+    .map(([v, t]) => [v, new Date(t).getTime()])
+    .filter(([, ts]) => !Number.isNaN(ts))
+    .sort((a, b) => a[1] - b[1]);
+
+  if (entries.length === 0) {
+    return { triggered: false, versionsInWindow: [], windowStartISO: null };
+  }
+
+  const windowMs = windowHours * 3_600_000;
+
+  for (let i = 0; i < entries.length; i++) {
+    const windowStart = entries[i][1];
+    const windowEnd = windowStart + windowMs;
+    const inWindow = [];
+
+    for (let j = i; j < entries.length; j++) {
+      if (entries[j][1] <= windowEnd) {
+        inWindow.push(entries[j][0]);
+      } else {
+        break;
+      }
+    }
+
+    if (inWindow.length >= threshold) {
+      let display = inWindow.slice(0, 10);
+      let suffix = '';
+      if (inWindow.length > 10) {
+        suffix = ` +${inWindow.length - 10} more`;
+      }
+      return {
+        triggered: true,
+        versionsInWindow: display.join(', ') + suffix,
+        windowStartISO: new Date(windowStart).toISOString(),
+        _allVersions: inWindow,
+      };
+    }
+  }
+
+  return { triggered: false, versionsInWindow: [], windowStartISO: null };
+}
+
+export async function scan(registryMeta) {
+  const times = registryMeta?.time || {};
+  const result = detectVelocitySpike(times);
+
+  if (!result.triggered) return [];
+
+  return [{
+    signal: MegalodonSignal.PUBLISH_VELOCITY,
+    file: 'registry.npmjs.org',
+    excerpt: result.versionsInWindow,
+    detail: `Version publish velocity spike: ${result.versionsInWindow} versions in window starting ${result.windowStartISO}`,
+    _windowStartISO: result.windowStartISO,
+    _allVersions: result._allVersions,
+  }];
+}