npm - @lateos/npm-scan - Versions diffs - 0.18.2 → 1.0.0 - Mend

@lateos/npm-scan 0.18.2 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/CHANGELOG.md +265 -233
package/LICENSING.md +19 -19
package/README.de.md +708 -708
package/README.fr.md +707 -707
package/README.ja.md +704 -704
package/README.md +861 -826
package/README.zh.md +708 -708
package/VALIDATION.md +92 -0
package/backend/cra.js +68 -68
package/backend/db/pg-schema.sql +155 -0
package/backend/db/schema.sql +32 -32
package/backend/db.js +88 -88
package/backend/detectors/atk-001-lifecycle.js +17 -17
package/backend/detectors/atk-002-obfusc.js +261 -261
package/backend/detectors/atk-003-creds.js +13 -13
package/backend/detectors/atk-004-persist.js +13 -13
package/backend/detectors/atk-005-exfil.js +13 -13
package/backend/detectors/atk-006-depconf.js +14 -14
package/backend/detectors/atk-007-typosquat.js +34 -34
package/backend/detectors/atk-008-tarball-tamper.js +91 -91
package/backend/detectors/atk-009-dormant-trigger.js +62 -62
package/backend/detectors/atk-010-sandbox-evasion.js +50 -50
package/backend/detectors/atk-011-transitive-prop.js +76 -76
package/backend/detectors/config/thresholds.js +66 -0
package/backend/detectors/config/whitelist.json +74 -0
package/backend/detectors/cve-2026-48710-badhost/codePattern.js +99 -99
package/backend/detectors/cve-2026-48710-badhost/findings.js +105 -105
package/backend/detectors/cve-2026-48710-badhost/index.js +15 -15
package/backend/detectors/cve-2026-48710-badhost/manifest.js +305 -305
package/backend/detectors/cve-2026-48710-badhost/transitive.js +189 -189
package/backend/detectors/hf-impersonation/index.js +396 -396
package/backend/detectors/hf-impersonation/jaro-winkler.js +44 -44
package/backend/detectors/hf-impersonation/known-orgs.js +5 -5
package/backend/detectors/hf-impersonation/simhash.js +46 -46
package/backend/detectors/index.js +87 -81
package/backend/detectors/lib/ast-patterns.js +21 -0
package/backend/detectors/lib/entropy-analyzer.js +24 -0
package/backend/detectors/megalodon/d1-workflow-scan.js +147 -147
package/backend/detectors/megalodon/d2-credential-harvest.js +61 -61
package/backend/detectors/megalodon/d3-publish-velocity.js +67 -67
package/backend/detectors/megalodon/d4-publisher-drift.js +124 -124
package/backend/detectors/megalodon/d5-bot-commit-identity.js +3 -3
package/backend/detectors/megalodon/d6-date-anachronism.js +3 -3
package/backend/detectors/megalodon/index.js +80 -80
package/backend/detectors/megalodon/types.js +9 -9
package/backend/detectors/mini-shai-hulud/d1-burst-publish.js +42 -42
package/backend/detectors/mini-shai-hulud/d2-sibling-compromise.js +116 -116
package/backend/detectors/mini-shai-hulud/d3-slsa-mismatch.js +72 -72
package/backend/detectors/mini-shai-hulud/d4-maintainer-anomaly.js +45 -45
package/backend/detectors/mini-shai-hulud/d5-ioc-check.js +95 -95
package/backend/detectors/mini-shai-hulud/d6-token-exfil.js +38 -38
package/backend/detectors/mini-shai-hulud/index.js +118 -118
package/backend/detectors/mini-shai-hulud/iocs.json +79 -79
package/backend/detectors/tier1-binary-embed.js +34 -5
package/backend/detectors/tier1-obfuscation-heuristics.js +156 -0
package/backend/detectors/tier1-slsa-attestation.js +12 -0
package/backend/detectors/tier1-version-anomaly.js +187 -0
package/backend/detectors.test.js +88 -0
package/backend/fetch.js +175 -175
package/backend/index.js +4 -4
package/backend/license.js +89 -89
package/backend/lockfile.js +379 -379
package/backend/pdf.js +245 -245
package/backend/policy.js +193 -193
package/backend/report.js +254 -254
package/backend/sbom.js +66 -66
package/backend/scripts/analyze-false-positives.js +146 -0
package/backend/scripts/analyze-validation.js +151 -0
package/backend/scripts/detect-false-positives.js +93 -0
package/backend/scripts/fetch-top-packages.js +129 -0
package/backend/scripts/validate-detectors.js +142 -0
package/backend/siem/cef.js +32 -32
package/backend/siem/ecs.js +40 -40
package/backend/siem/index.js +18 -18
package/backend/siem/qradar.js +56 -56
package/backend/siem/sentinel.js +27 -27
package/backend/tests-d5-enhanced.test.js +46 -0
package/backend/tests-d6-version-anomaly.test.js +58 -0
package/backend/tests-d6.test.js +116 -0
package/backend/tests-d6c.test.js +106 -0
package/backend/tests-d7-obfuscation.test.js +91 -0
package/backend/tests.test.js +898 -0
package/backend/vsix-scan/detectors/activation-event-risk.js +116 -116
package/backend/vsix-scan/detectors/burst-publish.js +52 -52
package/backend/vsix-scan/detectors/exfil-pattern.js +88 -88
package/backend/vsix-scan/detectors/known-ioc.js +105 -105
package/backend/vsix-scan/detectors/orphan-commit-fetch.js +69 -69
package/backend/vsix-scan/detectors/publisher-anomaly.js +70 -70
package/backend/vsix-scan/index.js +183 -183
package/backend/vsix-scan/marketplace-client.js +145 -145
package/backend/vsix-scan/vsix-iocs.json +31 -31
package/cli/cli.js +458 -458
package/package.json +74 -57
package/.dockerignore +0 -20
package/.husky/pre-commit +0 -1
package/SECURITY.md +0 -73
package/deploy/helm/npm-scan/Chart.yaml +0 -22
package/deploy/helm/npm-scan/templates/_helpers.tpl +0 -9
package/deploy/helm/npm-scan/templates/api.yaml +0 -94
package/deploy/helm/npm-scan/templates/ingress.yaml +0 -28
package/deploy/helm/npm-scan/templates/postgresql.yaml +0 -67
package/deploy/helm/npm-scan/templates/secrets.yaml +0 -19
package/deploy/helm/npm-scan/templates/worker.yaml +0 -32
package/deploy/helm/npm-scan/values.byoc.yaml +0 -75
package/deploy/helm/npm-scan/values.yaml +0 -103
package/scripts/download-corpus.js +0 -30
package/scripts/gen-mal-corpus.js +0 -35
package/scripts/generate-campaign-fixtures.js +0 -170
package/src/config/top-5000.json +0 -87
package/test/fixtures/lockfiles/npm-lock.json +0 -69
package/test/fixtures/lockfiles/pnpm-lock.yaml +0 -118
package/test/fixtures/lockfiles/yarn.lock +0 -104
package/test/fixtures/mock-data.js +0 -69

package/backend/detectors/megalodon/d4-publisher-drift.js CHANGED Viewed

@@ -1,124 +1,124 @@
-import { MegalodonSignal } from './types.js';
-export async function scan(registryMeta, velocityResult) {
-  const evidence = [];
-  const versions = registryMeta?.versions || {};
-  const timeMap = registryMeta?.time || {};
-  const filteredTimes = {};
-  for (const [v, t] of Object.entries(timeMap)) {
-    if (v === 'created' || v === 'modified') continue;
-    if (t) filteredTimes[v] = t;
-  }
-  const sortedVersions = Object.entries(filteredTimes)
-    .filter(([, t]) => t && !Number.isNaN(new Date(t).getTime()))
-    .sort((a, b) => new Date(a[1]).getTime() - new Date(b[1]).getTime())
-    .map(([v]) => v);
-  if (sortedVersions.length === 0) return [];
-  if (velocityResult?.triggered) {
-    const windowStartISO = velocityResult.windowStartISO;
-    const allInWindow = velocityResult._allVersions || [];
-    const priorPublishers = new Set();
-    for (const v of sortedVersions) {
-      if (new Date(filteredTimes[v]).getTime() >= new Date(windowStartISO).getTime()) break;
-      const user = versions[v]?._npmUser?.name;
-      if (user) priorPublishers.add(user);
-    }
-    if (priorPublishers.size === 0 && allInWindow.length > 0) {
-      const firstUser = versions[allInWindow[0]]?._npmUser?.name;
-      if (firstUser) priorPublishers.add(firstUser);
-    }
-    const suspiciousPublishers = [];
-    const affectedVersions = [];
-    for (const v of allInWindow) {
-      const user = versions[v]?._npmUser?.name;
-      if (user && !priorPublishers.has(user)) {
-        if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
-        if (!affectedVersions.includes(v)) affectedVersions.push(v);
-      }
-    }
-    if (suspiciousPublishers.length > 0) {
-      const detail = `Drift detected: known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in versions [${affectedVersions.join(', ')}]`;
-      const firstSuspiciousVer = allInWindow.find(v => affectedVersions.includes(v));
-      let ageNote = '';
-      if (firstSuspiciousVer && suspiciousPublishers[0]) {
-        ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[firstSuspiciousVer]);
-      }
-      evidence.push({
-        signal: MegalodonSignal.PUBLISHER_DRIFT,
-        file: 'registry.npmjs.org',
-        excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
-        detail: detail + (ageNote ? ' | ' + ageNote : ''),
-        _severityHint: 'HIGH',
-      });
-    }
-  } else {
-    if (sortedVersions.length < 4) return [];
-    const last3 = sortedVersions.slice(-3);
-    const prior = sortedVersions.slice(0, -3);
-    const priorPublishers = new Set();
-    for (const v of prior) {
-      const user = versions[v]?._npmUser?.name;
-      if (user) priorPublishers.add(user);
-    }
-    const suspiciousPublishers = [];
-    const affectedVersions = [];
-    for (const v of last3) {
-      const user = versions[v]?._npmUser?.name;
-      if (user && !priorPublishers.has(user)) {
-        if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
-        if (!affectedVersions.includes(v)) affectedVersions.push(v);
-      }
-    }
-    if (suspiciousPublishers.length > 0) {
-      const detail = `Drift (fallback): known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in last 3 versions [${affectedVersions.join(', ')}]`;
-      let ageNote = '';
-      if (suspiciousPublishers[0] && affectedVersions[0]) {
-        ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[affectedVersions[0]]);
-      }
-      evidence.push({
-        signal: MegalodonSignal.PUBLISHER_DRIFT,
-        file: 'registry.npmjs.org',
-        excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
-        detail: detail + (ageNote ? ' | ' + ageNote : ''),
-        _severityHint: 'MEDIUM',
-      });
-    }
-  }
-  return evidence;
-}
-async function checkAccountAge(npmUser, firstSuspiciousTime) {
-  try {
-    const url = `https://registry.npmjs.org/-/user/org.couchdb.user/${encodeURIComponent(npmUser)}`;
-    const res = await fetch(url);
-    if (!res.ok) return '';
-    const data = await res.json();
-    const created = data?.date;
-    if (!created) return '';
-    const createdDate = new Date(created).getTime();
-    const firstPub = new Date(firstSuspiciousTime).getTime();
-    const daysDiff = (firstPub - createdDate) / (1000 * 60 * 60 * 24);
-    if (!Number.isNaN(daysDiff) && daysDiff >= 0 && daysDiff <= 30) {
-      return `Publisher account created ${Math.round(daysDiff)} days before first suspicious publish`;
-    }
-  } catch {
-  }
-  return '';
-}
+import { MegalodonSignal } from './types.js';
+export async function scan(registryMeta, velocityResult) {
+  const evidence = [];
+  const versions = registryMeta?.versions || {};
+  const timeMap = registryMeta?.time || {};
+  const filteredTimes = {};
+  for (const [v, t] of Object.entries(timeMap)) {
+    if (v === 'created' || v === 'modified') continue;
+    if (t) filteredTimes[v] = t;
+  }
+  const sortedVersions = Object.entries(filteredTimes)
+    .filter(([, t]) => t && !Number.isNaN(new Date(t).getTime()))
+    .sort((a, b) => new Date(a[1]).getTime() - new Date(b[1]).getTime())
+    .map(([v]) => v);
+  if (sortedVersions.length === 0) return [];
+  if (velocityResult?.triggered) {
+    const windowStartISO = velocityResult.windowStartISO;
+    const allInWindow = velocityResult._allVersions || [];
+    const priorPublishers = new Set();
+    for (const v of sortedVersions) {
+      if (new Date(filteredTimes[v]).getTime() >= new Date(windowStartISO).getTime()) break;
+      const user = versions[v]?._npmUser?.name;
+      if (user) priorPublishers.add(user);
+    }
+    if (priorPublishers.size === 0 && allInWindow.length > 0) {
+      const firstUser = versions[allInWindow[0]]?._npmUser?.name;
+      if (firstUser) priorPublishers.add(firstUser);
+    }
+    const suspiciousPublishers = [];
+    const affectedVersions = [];
+    for (const v of allInWindow) {
+      const user = versions[v]?._npmUser?.name;
+      if (user && !priorPublishers.has(user)) {
+        if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
+        if (!affectedVersions.includes(v)) affectedVersions.push(v);
+      }
+    }
+    if (suspiciousPublishers.length > 0) {
+      const detail = `Drift detected: known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in versions [${affectedVersions.join(', ')}]`;
+      const firstSuspiciousVer = allInWindow.find(v => affectedVersions.includes(v));
+      let ageNote = '';
+      if (firstSuspiciousVer && suspiciousPublishers[0]) {
+        ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[firstSuspiciousVer]);
+      }
+      evidence.push({
+        signal: MegalodonSignal.PUBLISHER_DRIFT,
+        file: 'registry.npmjs.org',
+        excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
+        detail: detail + (ageNote ? ' | ' + ageNote : ''),
+        _severityHint: 'HIGH',
+      });
+    }
+  } else {
+    if (sortedVersions.length < 4) return [];
+    const last3 = sortedVersions.slice(-3);
+    const prior = sortedVersions.slice(0, -3);
+    const priorPublishers = new Set();
+    for (const v of prior) {
+      const user = versions[v]?._npmUser?.name;
+      if (user) priorPublishers.add(user);
+    }
+    const suspiciousPublishers = [];
+    const affectedVersions = [];
+    for (const v of last3) {
+      const user = versions[v]?._npmUser?.name;
+      if (user && !priorPublishers.has(user)) {
+        if (!suspiciousPublishers.includes(user)) suspiciousPublishers.push(user);
+        if (!affectedVersions.includes(v)) affectedVersions.push(v);
+      }
+    }
+    if (suspiciousPublishers.length > 0) {
+      const detail = `Drift (fallback): known publishers [${[...priorPublishers].join(', ')}], new publisher(s) [${suspiciousPublishers.join(', ')}] in last 3 versions [${affectedVersions.join(', ')}]`;
+      let ageNote = '';
+      if (suspiciousPublishers[0] && affectedVersions[0]) {
+        ageNote = await checkAccountAge(suspiciousPublishers[0], filteredTimes[affectedVersions[0]]);
+      }
+      evidence.push({
+        signal: MegalodonSignal.PUBLISHER_DRIFT,
+        file: 'registry.npmjs.org',
+        excerpt: `publisher drift: ${suspiciousPublishers.join(', ')}`,
+        detail: detail + (ageNote ? ' | ' + ageNote : ''),
+        _severityHint: 'MEDIUM',
+      });
+    }
+  }
+  return evidence;
+}
+async function checkAccountAge(npmUser, firstSuspiciousTime) {
+  try {
+    const url = `https://registry.npmjs.org/-/user/org.couchdb.user/${encodeURIComponent(npmUser)}`;
+    const res = await fetch(url);
+    if (!res.ok) return '';
+    const data = await res.json();
+    const created = data?.date;
+    if (!created) return '';
+    const createdDate = new Date(created).getTime();
+    const firstPub = new Date(firstSuspiciousTime).getTime();
+    const daysDiff = (firstPub - createdDate) / (1000 * 60 * 60 * 24);
+    if (!Number.isNaN(daysDiff) && daysDiff >= 0 && daysDiff <= 30) {
+      return `Publisher account created ${Math.round(daysDiff)} days before first suspicious publish`;
+    }
+  } catch {
+  }
+  return '';
+}

package/backend/detectors/megalodon/d5-bot-commit-identity.js CHANGED Viewed

@@ -1,3 +1,3 @@
-export async function scan(registryMeta) {
-  return [];
-}
+export async function scan(registryMeta) {
+  return [];
+}

package/backend/detectors/megalodon/d6-date-anachronism.js CHANGED Viewed

@@ -1,3 +1,3 @@
-export async function scan(pkgJson, registryMeta) {
-  return [];
-}
+export async function scan(pkgJson, registryMeta) {
+  return [];
+}

package/backend/detectors/megalodon/index.js CHANGED Viewed

@@ -1,80 +1,80 @@
-import { MegalodonSignal } from './types.js';
-import { scan as scanD1 } from './d1-workflow-scan.js';
-import { scan as scanD2 } from './d2-credential-harvest.js';
-import { scan as scanD3 } from './d3-publish-velocity.js';
-import { scan as scanD4 } from './d4-publisher-drift.js';
-import { scan as scanD5 } from './d5-bot-commit-identity.js';
-import { scan as scanD6 } from './d6-date-anachronism.js';
-const SIGNAL_SEVERITY = {
-  [MegalodonSignal.WORKFLOW_C2_EXFIL]: 5,
-  [MegalodonSignal.WORKFLOW_DECODE_CHAIN]: 4,
-  [MegalodonSignal.PUBLISH_VELOCITY]: 4,
-  [MegalodonSignal.PUBLISHER_DRIFT]: 4,
-  [MegalodonSignal.CREDENTIAL_HARVEST]: 3,
-  [MegalodonSignal.BOT_COMMIT_IDENTITY]: 2,
-  [MegalodonSignal.DATE_ANACHRONISM]: 2,
-};
-const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical', 'critical'];
-function resolveSeverity(signals, d4Evidence) {
-  let maxScore = 0;
-  for (const s of signals) {
-    maxScore = Math.max(maxScore, SIGNAL_SEVERITY[s] || 0);
-  }
-  const d4Hint = d4Evidence.find(e => e._severityHint);
-  if (d4Hint) {
-    const hintScore = d4Hint._severityHint === 'HIGH' ? 4 : d4Hint._severityHint === 'MEDIUM' ? 3 : 0;
-    maxScore = Math.max(maxScore, hintScore);
-  }
-  return SEVERITY_LABELS[maxScore] || 'none';
-}
-export async function scanAll(pkgJson, allFiles = [], registryMeta = {}) {
-  const allEvidence = [];
-  const d1Ev = await scanD1(allFiles);
-  allEvidence.push(...d1Ev);
-  const d2Ev = await scanD2(allFiles);
-  allEvidence.push(...d2Ev);
-  const d3Ev = await scanD3(registryMeta);
-  allEvidence.push(...d3Ev);
-  const velocityResult = d3Ev.length > 0 ? {
-    triggered: true,
-    windowStartISO: d3Ev[0]._windowStartISO || null,
-    versionsInWindow: d3Ev[0].excerpt || '',
-    _allVersions: d3Ev[0]._allVersions || [],
-  } : { triggered: false, versionsInWindow: [], windowStartISO: null };
-  const d4Ev = await scanD4(registryMeta, velocityResult);
-  allEvidence.push(...d4Ev);
-  allEvidence.push(...await scanD5(registryMeta));
-  allEvidence.push(...await scanD6(pkgJson, registryMeta));
-  const signals = [...new Set(allEvidence.map(e => e.signal).filter(Boolean))];
-  if (signals.length === 0) return [];
-  const severity = resolveSeverity(signals, d4Ev);
-  const cleaned = allEvidence.map(({ _windowStartISO, _allVersions, _severityHint, ...rest }) => rest);
-  return [{
-    id: 'MEGALODON',
-    severity,
-    title: 'Megalodon CI/CD attack campaign',
-    description: `${signals.length} signal(s): ${signals.join(', ')}`,
-    evidence: JSON.stringify({
-      campaign: 'MEGALODON',
-      signals,
-      evidence: cleaned,
-    }),
-  }];
-}
+import { MegalodonSignal } from './types.js';
+import { scan as scanD1 } from './d1-workflow-scan.js';
+import { scan as scanD2 } from './d2-credential-harvest.js';
+import { scan as scanD3 } from './d3-publish-velocity.js';
+import { scan as scanD4 } from './d4-publisher-drift.js';
+import { scan as scanD5 } from './d5-bot-commit-identity.js';
+import { scan as scanD6 } from './d6-date-anachronism.js';
+const SIGNAL_SEVERITY = {
+  [MegalodonSignal.WORKFLOW_C2_EXFIL]: 5,
+  [MegalodonSignal.WORKFLOW_DECODE_CHAIN]: 4,
+  [MegalodonSignal.PUBLISH_VELOCITY]: 4,
+  [MegalodonSignal.PUBLISHER_DRIFT]: 4,
+  [MegalodonSignal.CREDENTIAL_HARVEST]: 3,
+  [MegalodonSignal.BOT_COMMIT_IDENTITY]: 2,
+  [MegalodonSignal.DATE_ANACHRONISM]: 2,
+};
+const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical', 'critical'];
+function resolveSeverity(signals, d4Evidence) {
+  let maxScore = 0;
+  for (const s of signals) {
+    maxScore = Math.max(maxScore, SIGNAL_SEVERITY[s] || 0);
+  }
+  const d4Hint = d4Evidence.find(e => e._severityHint);
+  if (d4Hint) {
+    const hintScore = d4Hint._severityHint === 'HIGH' ? 4 : d4Hint._severityHint === 'MEDIUM' ? 3 : 0;
+    maxScore = Math.max(maxScore, hintScore);
+  }
+  return SEVERITY_LABELS[maxScore] || 'none';
+}
+export async function scanAll(pkgJson, allFiles = [], registryMeta = {}) {
+  const allEvidence = [];
+  const d1Ev = await scanD1(allFiles);
+  allEvidence.push(...d1Ev);
+  const d2Ev = await scanD2(allFiles);
+  allEvidence.push(...d2Ev);
+  const d3Ev = await scanD3(registryMeta);
+  allEvidence.push(...d3Ev);
+  const velocityResult = d3Ev.length > 0 ? {
+    triggered: true,
+    windowStartISO: d3Ev[0]._windowStartISO || null,
+    versionsInWindow: d3Ev[0].excerpt || '',
+    _allVersions: d3Ev[0]._allVersions || [],
+  } : { triggered: false, versionsInWindow: [], windowStartISO: null };
+  const d4Ev = await scanD4(registryMeta, velocityResult);
+  allEvidence.push(...d4Ev);
+  allEvidence.push(...await scanD5(registryMeta));
+  allEvidence.push(...await scanD6(pkgJson, registryMeta));
+  const signals = [...new Set(allEvidence.map(e => e.signal).filter(Boolean))];
+  if (signals.length === 0) return [];
+  const severity = resolveSeverity(signals, d4Ev);
+  const cleaned = allEvidence.map(({ _windowStartISO, _allVersions, _severityHint, ...rest }) => rest);
+  return [{
+    id: 'MEGALODON',
+    severity,
+    title: 'Megalodon CI/CD attack campaign',
+    description: `${signals.length} signal(s): ${signals.join(', ')}`,
+    evidence: JSON.stringify({
+      campaign: 'MEGALODON',
+      signals,
+      evidence: cleaned,
+    }),
+  }];
+}

package/backend/detectors/megalodon/types.js CHANGED Viewed

@@ -1,9 +1,9 @@
-export const MegalodonSignal = Object.freeze({
-  WORKFLOW_C2_EXFIL: 'D1_WORKFLOW_C2_EXFIL',
-  WORKFLOW_DECODE_CHAIN: 'D1_WORKFLOW_DECODE_CHAIN',
-  CREDENTIAL_HARVEST: 'D2_CREDENTIAL_HARVEST',
-  PUBLISH_VELOCITY: 'D3_PUBLISH_VELOCITY',
-  PUBLISHER_DRIFT: 'D4_PUBLISHER_DRIFT',
-  BOT_COMMIT_IDENTITY: 'D5_BOT_COMMIT_IDENTITY',
-  DATE_ANACHRONISM: 'D6_DATE_ANACHRONISM',
-});
+export const MegalodonSignal = Object.freeze({
+  WORKFLOW_C2_EXFIL: 'D1_WORKFLOW_C2_EXFIL',
+  WORKFLOW_DECODE_CHAIN: 'D1_WORKFLOW_DECODE_CHAIN',
+  CREDENTIAL_HARVEST: 'D2_CREDENTIAL_HARVEST',
+  PUBLISH_VELOCITY: 'D3_PUBLISH_VELOCITY',
+  PUBLISHER_DRIFT: 'D4_PUBLISHER_DRIFT',
+  BOT_COMMIT_IDENTITY: 'D5_BOT_COMMIT_IDENTITY',
+  DATE_ANACHRONISM: 'D6_DATE_ANACHRONISM',
+});

package/backend/detectors/mini-shai-hulud/d1-burst-publish.js CHANGED Viewed

@@ -1,42 +1,42 @@
-export async function checkBurstPublish(registryMeta, config = {}) {
-  const windowMinutes = config.burstWindowMinutes ?? 30;
-  const threshold = config.burstVersionThreshold ?? 3;
-  const times = registryMeta?.time || {};
-  const entries = Object.entries(times)
-    .filter(([v]) => v !== 'created' && v !== 'modified')
-    .filter(([, t]) => t)
-    .map(([v, t]) => [v, new Date(t).getTime()])
-    .filter(([, ts]) => !Number.isNaN(ts))
-    .sort((a, b) => a[1] - b[1]);
-  if (entries.length === 0) return { triggered: false };
-  const windowMs = windowMinutes * 60 * 1000;
-  for (let i = 0; i < entries.length; i++) {
-    const windowStart = entries[i][1];
-    const windowEnd = windowStart + windowMs;
-    const inWindow = [];
-    for (let j = i; j < entries.length; j++) {
-      if (entries[j][1] <= windowEnd) {
-        inWindow.push(entries[j][0]);
-      } else {
-        break;
-      }
-    }
-    if (inWindow.length >= threshold) {
-      return {
-        triggered: true,
-        windowStart: new Date(windowStart).toISOString(),
-        windowEnd: new Date(windowEnd).toISOString(),
-        versionCount: inWindow.length,
-        versions: inWindow,
-      };
-    }
-  }
-  return { triggered: false };
-}
+export async function checkBurstPublish(registryMeta, config = {}) {
+  const windowMinutes = config.burstWindowMinutes ?? 30;
+  const threshold = config.burstVersionThreshold ?? 3;
+  const times = registryMeta?.time || {};
+  const entries = Object.entries(times)
+    .filter(([v]) => v !== 'created' && v !== 'modified')
+    .filter(([, t]) => t)
+    .map(([v, t]) => [v, new Date(t).getTime()])
+    .filter(([, ts]) => !Number.isNaN(ts))
+    .sort((a, b) => a[1] - b[1]);
+  if (entries.length === 0) return { triggered: false };
+  const windowMs = windowMinutes * 60 * 1000;
+  for (let i = 0; i < entries.length; i++) {
+    const windowStart = entries[i][1];
+    const windowEnd = windowStart + windowMs;
+    const inWindow = [];
+    for (let j = i; j < entries.length; j++) {
+      if (entries[j][1] <= windowEnd) {
+        inWindow.push(entries[j][0]);
+      } else {
+        break;
+      }
+    }
+    if (inWindow.length >= threshold) {
+      return {
+        triggered: true,
+        windowStart: new Date(windowStart).toISOString(),
+        windowEnd: new Date(windowEnd).toISOString(),
+        versionCount: inWindow.length,
+        versions: inWindow,
+      };
+    }
+  }
+  return { triggered: false };
+}