@lateos/npm-scan 0.18.2 → 1.0.0

package/backend/detectors/mini-shai-hulud/d6-token-exfil.js

@@ -1,38 +1,38 @@
-const EXFIL_PATTERNS = [
-  /NPM_TOKEN|NODE_AUTH_TOKEN|GH_TOKEN|GITHUB_TOKEN|npm_token|node_auth_token/i,
-  /~\/(\.npmrc|\.gitconfig|\.aws\/credentials)/,
-  /\/run\/secrets\//,
-  /\$GITHUB_ENV/,
-  /process\.env\.(NPM_TOKEN|NODE_AUTH_TOKEN|GH_TOKEN|GITHUB_TOKEN)/,
-  /Buffer\.from\s*\([^)]*\)\s*\.\s*toString\s*\(\s*['"]base64['"]\s*\)/,
-  /\batob\s*\(/,
-  /\bbtoa\s*\(/,
-];
-
-const SUSPICIOUS_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
-
-const MAX_SNIPPET_LENGTH = 200;
-
-function truncateSnippet(text) {
-  if (text.length <= MAX_SNIPPET_LENGTH) return text;
-  return text.slice(0, MAX_SNIPPET_LENGTH - 3) + '...';
-}
-
-export function checkTokenExfil(allFiles, pkgJson) {
-  const scripts = pkgJson?.scripts || {};
-  const snippets = [];
-
-  for (const hook of SUSPICIOUS_SCRIPTS) {
-    const scriptContent = scripts[hook];
-    if (!scriptContent) continue;
-
-    for (const pattern of EXFIL_PATTERNS) {
-      if (pattern.test(scriptContent)) {
-        snippets.push(truncateSnippet(scriptContent));
-        break;
-      }
-    }
-  }
-
-  return { triggered: snippets.length > 0, snippets };
-}
+const EXFIL_PATTERNS = [
+  /NPM_TOKEN|NODE_AUTH_TOKEN|GH_TOKEN|GITHUB_TOKEN|npm_token|node_auth_token/i,
+  /~\/(\.npmrc|\.gitconfig|\.aws\/credentials)/,
+  /\/run\/secrets\//,
+  /\$GITHUB_ENV/,
+  /process\.env\.(NPM_TOKEN|NODE_AUTH_TOKEN|GH_TOKEN|GITHUB_TOKEN)/,
+  /Buffer\.from\s*\([^)]*\)\s*\.\s*toString\s*\(\s*['"]base64['"]\s*\)/,
+  /\batob\s*\(/,
+  /\bbtoa\s*\(/,
+];
+
+const SUSPICIOUS_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
+
+const MAX_SNIPPET_LENGTH = 200;
+
+function truncateSnippet(text) {
+  if (text.length <= MAX_SNIPPET_LENGTH) return text;
+  return text.slice(0, MAX_SNIPPET_LENGTH - 3) + '...';
+}
+
+export function checkTokenExfil(allFiles, pkgJson) {
+  const scripts = pkgJson?.scripts || {};
+  const snippets = [];
+
+  for (const hook of SUSPICIOUS_SCRIPTS) {
+    const scriptContent = scripts[hook];
+    if (!scriptContent) continue;
+
+    for (const pattern of EXFIL_PATTERNS) {
+      if (pattern.test(scriptContent)) {
+        snippets.push(truncateSnippet(scriptContent));
+        break;
+      }
+    }
+  }
+
+  return { triggered: snippets.length > 0, snippets };
+}

package/backend/detectors/mini-shai-hulud/index.js

@@ -1,118 +1,118 @@
-import { checkBurstPublish } from './d1-burst-publish.js';
-import { checkSiblingCompromise, clearSiblingCache } from './d2-sibling-compromise.js';
-import { checkSlsaMismatch } from './d3-slsa-mismatch.js';
-import { checkMaintainerAnomaly } from './d4-maintainer-anomaly.js';
-import { checkIOC } from './d5-ioc-check.js';
-import { checkTokenExfil } from './d6-token-exfil.js';
-
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
-  const config = {};
-
-  const burstResult = await checkBurstPublish(registryMeta, config);
-  const maintainerResult = await checkMaintainerAnomaly(registryMeta, config);
-
-  const pkgName = pkgJson?.name || '';
-  const pkgVersion = pkgJson?.version || '';
-  const sha512 = registryMeta?.versions?.[pkgVersion]?.dist?.integrity || null;
-  const publisherAccount = registryMeta?.versions?.[pkgVersion]?._npmUser?.name || null;
-  const timeMap = registryMeta?.time || {};
-
-  const iocResult = await checkIOC(pkgName, pkgVersion, sha512, publisherAccount, timeMap);
-  const exfilResult = checkTokenExfil(allFiles || files, pkgJson);
-
-  let siblingResult = { triggered: false };
-  let slsaResult = { triggered: false };
-
-  if (burstResult.triggered) {
-    siblingResult = await checkSiblingCompromise(pkgJson, config);
-    slsaResult = await checkSlsaMismatch(pkgName, pkgVersion, burstResult, timeMap, config);
-  }
-
-  const nxDownstreamResult = checkNxConsoleDownstream(pkgJson, allFiles || files);
-
-  const triggeredChecks = [];
-  if (burstResult.triggered) triggeredChecks.push('D1_BURST');
-  if (siblingResult.triggered) triggeredChecks.push('D2_SIBLING');
-  if (slsaResult.triggered) triggeredChecks.push('D3_SLSA');
-  if (maintainerResult.triggered) triggeredChecks.push('D4_MAINTAINER');
-  if (iocResult.triggered) triggeredChecks.push('D5_IOC');
-  if (exfilResult.triggered) triggeredChecks.push('D6_EXFIL');
-  if (nxDownstreamResult.triggered) triggeredChecks.push('D7_NX_CONSOLE');
-
-  if (triggeredChecks.length === 0) return [];
-
-  let waveAttribution = 'unknown';
-  if (pkgName.startsWith('@tanstack')) {
-    waveAttribution = 'wave1-tanstack';
-  } else if (pkgName.startsWith('@antv')) {
-    waveAttribution = 'wave2-antv';
-  } else if (nxDownstreamResult.triggered) {
-    waveAttribution = 'wave3-nx-console';
-  } else if (iocResult.matches && iocResult.matches.length > 0) {
-    const waves = [...new Set(iocResult.matches.map(m => m.wave))];
-    if (waves.length === 1) {
-      waveAttribution = waves[0] === 1 ? 'wave1-tanstack' : waves[0] === 2 ? 'wave2-antv' : 'wave3-nx-console';
-    }
-  }
-
-  const isCritical = slsaResult.triggered || iocResult.triggered || nxDownstreamResult.triggered;
-
-  const evidence = {
-    campaign: 'MINI_SHAI_HULUD',
-    waveAttribution,
-    triggeredChecks,
-    burstWindow: burstResult.triggered
-      ? { start: burstResult.windowStart, end: burstResult.windowEnd, versionCount: burstResult.versionCount }
-      : null,
-    siblingPackages: siblingResult.triggered
-      ? siblingResult.results.flatMap(r => r.siblingPackages)
-      : null,
-    attestationAnomalies: slsaResult.triggered ? slsaResult.anomalies : null,
-    iocMatches: iocResult.triggered ? iocResult.matches : null,
-    installScriptSnippets: exfilResult.triggered ? exfilResult.snippets : null,
-    nxConsoleDownstream: nxDownstreamResult.triggered
-      ? { nxDeps: nxDownstreamResult.nxDeps, vsCodeExtensions: nxDownstreamResult.vsCodeExtensions }
-      : null,
-  };
-
-  return [{
-    id: 'MINI_SHAI_HULUD',
-    severity: isCritical ? 'critical' : 'high',
-    title: 'Mini Shai-Hulud worm campaign',
-    description: `${triggeredChecks.length} signal(s): ${triggeredChecks.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages. If Wave 3 (Nx Console): remove nrwl.angular-console extension immediately, revoke all npm tokens used in CI/CD, and audit @nx/* dependency versions.',
-  }];
-}
-
-function checkNxConsoleDownstream(pkgJson, allFiles) {
-  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
-  const nxDeps = Object.keys(deps).filter(d => d.startsWith('@nx/') || d.startsWith('nrwl/'));
-  if (nxDeps.length === 0) return { triggered: false, nxDeps: [], vsCodeExtensions: [] };
-
-  let vsCodeExtensions = [];
-  if (allFiles && Array.isArray(allFiles)) {
-    for (const file of allFiles) {
-      if (file.path && (file.path.endsWith('.vscode/extensions.json') || file.path.endsWith('.vscode/extensions.json'))) {
-        try {
-          const content = typeof file.content === 'string' ? file.content : '';
-          const parsed = JSON.parse(content);
-          const allExts = [
-            ...(parsed.recommendations || []),
-            ...(parsed.unwantedRecommendations || []),
-          ];
-          const matched = allExts.filter(e => e.includes('nrwl.angular-console'));
-          if (matched.length > 0) {
-            vsCodeExtensions = matched;
-          }
-        } catch {
-          // non-JSON extensions.json, skip
-        }
-      }
-    }
-  }
-
-  return { triggered: true, nxDeps, vsCodeExtensions };
-}
-
-export { clearSiblingCache } from './d2-sibling-compromise.js';
+import { checkBurstPublish } from './d1-burst-publish.js';
+import { checkSiblingCompromise, clearSiblingCache } from './d2-sibling-compromise.js';
+import { checkSlsaMismatch } from './d3-slsa-mismatch.js';
+import { checkMaintainerAnomaly } from './d4-maintainer-anomaly.js';
+import { checkIOC } from './d5-ioc-check.js';
+import { checkTokenExfil } from './d6-token-exfil.js';
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const config = {};
+
+  const burstResult = await checkBurstPublish(registryMeta, config);
+  const maintainerResult = await checkMaintainerAnomaly(registryMeta, config);
+
+  const pkgName = pkgJson?.name || '';
+  const pkgVersion = pkgJson?.version || '';
+  const sha512 = registryMeta?.versions?.[pkgVersion]?.dist?.integrity || null;
+  const publisherAccount = registryMeta?.versions?.[pkgVersion]?._npmUser?.name || null;
+  const timeMap = registryMeta?.time || {};
+
+  const iocResult = await checkIOC(pkgName, pkgVersion, sha512, publisherAccount, timeMap);
+  const exfilResult = checkTokenExfil(allFiles || files, pkgJson);
+
+  let siblingResult = { triggered: false };
+  let slsaResult = { triggered: false };
+
+  if (burstResult.triggered) {
+    siblingResult = await checkSiblingCompromise(pkgJson, config);
+    slsaResult = await checkSlsaMismatch(pkgName, pkgVersion, burstResult, timeMap, config);
+  }
+
+  const nxDownstreamResult = checkNxConsoleDownstream(pkgJson, allFiles || files);
+
+  const triggeredChecks = [];
+  if (burstResult.triggered) triggeredChecks.push('D1_BURST');
+  if (siblingResult.triggered) triggeredChecks.push('D2_SIBLING');
+  if (slsaResult.triggered) triggeredChecks.push('D3_SLSA');
+  if (maintainerResult.triggered) triggeredChecks.push('D4_MAINTAINER');
+  if (iocResult.triggered) triggeredChecks.push('D5_IOC');
+  if (exfilResult.triggered) triggeredChecks.push('D6_EXFIL');
+  if (nxDownstreamResult.triggered) triggeredChecks.push('D7_NX_CONSOLE');
+
+  if (triggeredChecks.length === 0) return [];
+
+  let waveAttribution = 'unknown';
+  if (pkgName.startsWith('@tanstack')) {
+    waveAttribution = 'wave1-tanstack';
+  } else if (pkgName.startsWith('@antv')) {
+    waveAttribution = 'wave2-antv';
+  } else if (nxDownstreamResult.triggered) {
+    waveAttribution = 'wave3-nx-console';
+  } else if (iocResult.matches && iocResult.matches.length > 0) {
+    const waves = [...new Set(iocResult.matches.map(m => m.wave))];
+    if (waves.length === 1) {
+      waveAttribution = waves[0] === 1 ? 'wave1-tanstack' : waves[0] === 2 ? 'wave2-antv' : 'wave3-nx-console';
+    }
+  }
+
+  const isCritical = slsaResult.triggered || iocResult.triggered || nxDownstreamResult.triggered;
+
+  const evidence = {
+    campaign: 'MINI_SHAI_HULUD',
+    waveAttribution,
+    triggeredChecks,
+    burstWindow: burstResult.triggered
+      ? { start: burstResult.windowStart, end: burstResult.windowEnd, versionCount: burstResult.versionCount }
+      : null,
+    siblingPackages: siblingResult.triggered
+      ? siblingResult.results.flatMap(r => r.siblingPackages)
+      : null,
+    attestationAnomalies: slsaResult.triggered ? slsaResult.anomalies : null,
+    iocMatches: iocResult.triggered ? iocResult.matches : null,
+    installScriptSnippets: exfilResult.triggered ? exfilResult.snippets : null,
+    nxConsoleDownstream: nxDownstreamResult.triggered
+      ? { nxDeps: nxDownstreamResult.nxDeps, vsCodeExtensions: nxDownstreamResult.vsCodeExtensions }
+      : null,
+  };
+
+  return [{
+    id: 'MINI_SHAI_HULUD',
+    severity: isCritical ? 'critical' : 'high',
+    title: 'Mini Shai-Hulud worm campaign',
+    description: `${triggeredChecks.length} signal(s): ${triggeredChecks.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: 'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages. If Wave 3 (Nx Console): remove nrwl.angular-console extension immediately, revoke all npm tokens used in CI/CD, and audit @nx/* dependency versions.',
+  }];
+}
+
+function checkNxConsoleDownstream(pkgJson, allFiles) {
+  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
+  const nxDeps = Object.keys(deps).filter(d => d.startsWith('@nx/') || d.startsWith('nrwl/'));
+  if (nxDeps.length === 0) return { triggered: false, nxDeps: [], vsCodeExtensions: [] };
+
+  let vsCodeExtensions = [];
+  if (allFiles && Array.isArray(allFiles)) {
+    for (const file of allFiles) {
+      if (file.path && (file.path.endsWith('.vscode/extensions.json') || file.path.endsWith('.vscode/extensions.json'))) {
+        try {
+          const content = typeof file.content === 'string' ? file.content : '';
+          const parsed = JSON.parse(content);
+          const allExts = [
+            ...(parsed.recommendations || []),
+            ...(parsed.unwantedRecommendations || []),
+          ];
+          const matched = allExts.filter(e => e.includes('nrwl.angular-console'));
+          if (matched.length > 0) {
+            vsCodeExtensions = matched;
+          }
+        } catch {
+          // non-JSON extensions.json, skip
+        }
+      }
+    }
+  }
+
+  return { triggered: true, nxDeps, vsCodeExtensions };
+}
+
+export { clearSiblingCache } from './d2-sibling-compromise.js';

package/backend/detectors/mini-shai-hulud/iocs.json

@@ -1,79 +1,79 @@
-{
-  "lastUpdated": "2026-05-24T00:00:00.000Z",
-  "waves": {
-    "wave1": {
-      "id": "mini-shai-hulud-wave1",
-      "description": "TanStack CI/CD hijack (mid-May 2026) — 84 malicious versions across 42 packages in ~6 minutes via compromised GitHub Actions CI. Forged SLSA BL3 provenance attestations.",
-      "windowMinutes": 6,
-      "iocs": [
-        {
-          "type": "packageScope",
-          "value": "@tanstack",
-          "maliciousVersionRanges": [],
-          "notes": "Seed IOC — update from threat intel feed. Affected: @tanstack/router, @tanstack/react-router, @tanstack/query, @tanstack/form, @tanstack/store, @tanstack/virtual, @tanstack/ranger, @tanstack/table."
-        }
-      ]
-    },
-    "wave2": {
-      "id": "mini-shai-hulud-wave2",
-      "description": "AntV/atool maintainer account compromise (late May 2026) — 600+ malicious versions across 300+ packages in ~22 minutes. ~16M weekly download blast radius.",
-      "windowMinutes": 22,
-      "iocs": [
-        {
-          "type": "publisherAccount",
-          "value": "atool",
-          "compromiseWindowStart": "2026-05-20T00:00:00.000Z",
-          "compromiseWindowEnd": null,
-          "notes": "Seed IOC — compromised @antv/atool maintainer account. Update compromise window from threat intel."
-        },
-        {
-          "type": "packageScope",
-          "value": "@antv",
-          "maliciousVersionRanges": [],
-          "notes": "Blast radius: @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js. Seed IOC — update from threat intel."
-        }
-      ]
-    },
-    "wave3": {
-      "id": "nx-console-wave3",
-      "description": "Nx Console 18.95.0 VS Code extension compromise (May 18, 2026, CVE-2026-48027, TeamPCP) — contributor token stolen via TanStack wave1 (May 11), 7-day dwell, malicious extension published using npx to fetch 498KB obfuscated Bun payload from dangling orphan commit on nrwl/nx repo. ~3M installs exposed.",
-      "windowMinutes": 36,
-      "iocs": [
-        {
-          "type": "extensionId",
-          "value": "nrwl.angular-console",
-          "maliciousVersionRanges": ["18.95.0"],
-          "notes": "Nx Console v18.95.0 — malicious VS Code extension. CVE-2026-48027. Exposure window: 11 min on Marketplace, 36 min on Open VSX."
-        },
-        {
-          "type": "publisherAccount",
-          "value": "nrwl",
-          "compromiseWindowStart": "2026-05-11T00:00:00.000Z",
-          "compromiseWindowEnd": "2026-05-18T13:09:00.000Z",
-          "notes": "Nx contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publishing malicious extension on May 18."
-        },
-        {
-          "type": "packageScope",
-          "value": "@nx",
-          "maliciousVersionRanges": [],
-          "notes": "NX_CONSOLE_DOWNSTREAM: npm packages under @nx scope deployed by compromised Nx contributor. Check for versions published within 7 days of 2026-05-18."
-        },
-        {
-          "type": "packageScope",
-          "value": "nrwl",
-          "maliciousVersionRanges": [],
-          "notes": "NX_CONSOLE_DOWNSTREAM: nrwl-scoped npm packages — monitor for anomalous burst publishing."
-        }
-      ]
-    }
-  },
-  "iocs": [
-    {
-      "type": "sha512",
-      "value": "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
-      "package": "@antv/g2",
-      "wave": 2,
-      "notes": "Placeholder sha512 — replace with actual SHA-512 integrity hash from npm dist.integrity of a confirmed malicious version."
-    }
-  ]
-}
+{
+  "lastUpdated": "2026-05-24T00:00:00.000Z",
+  "waves": {
+    "wave1": {
+      "id": "mini-shai-hulud-wave1",
+      "description": "TanStack CI/CD hijack (mid-May 2026) — 84 malicious versions across 42 packages in ~6 minutes via compromised GitHub Actions CI. Forged SLSA BL3 provenance attestations.",
+      "windowMinutes": 6,
+      "iocs": [
+        {
+          "type": "packageScope",
+          "value": "@tanstack",
+          "maliciousVersionRanges": [],
+          "notes": "Seed IOC — update from threat intel feed. Affected: @tanstack/router, @tanstack/react-router, @tanstack/query, @tanstack/form, @tanstack/store, @tanstack/virtual, @tanstack/ranger, @tanstack/table."
+        }
+      ]
+    },
+    "wave2": {
+      "id": "mini-shai-hulud-wave2",
+      "description": "AntV/atool maintainer account compromise (late May 2026) — 600+ malicious versions across 300+ packages in ~22 minutes. ~16M weekly download blast radius.",
+      "windowMinutes": 22,
+      "iocs": [
+        {
+          "type": "publisherAccount",
+          "value": "atool",
+          "compromiseWindowStart": "2026-05-20T00:00:00.000Z",
+          "compromiseWindowEnd": null,
+          "notes": "Seed IOC — compromised @antv/atool maintainer account. Update compromise window from threat intel."
+        },
+        {
+          "type": "packageScope",
+          "value": "@antv",
+          "maliciousVersionRanges": [],
+          "notes": "Blast radius: @antv/g2, @antv/g6, @antv/x6, @antv/l7, echarts-for-react, timeago.js. Seed IOC — update from threat intel."
+        }
+      ]
+    },
+    "wave3": {
+      "id": "nx-console-wave3",
+      "description": "Nx Console 18.95.0 VS Code extension compromise (May 18, 2026, CVE-2026-48027, TeamPCP) — contributor token stolen via TanStack wave1 (May 11), 7-day dwell, malicious extension published using npx to fetch 498KB obfuscated Bun payload from dangling orphan commit on nrwl/nx repo. ~3M installs exposed.",
+      "windowMinutes": 36,
+      "iocs": [
+        {
+          "type": "extensionId",
+          "value": "nrwl.angular-console",
+          "maliciousVersionRanges": ["18.95.0"],
+          "notes": "Nx Console v18.95.0 — malicious VS Code extension. CVE-2026-48027. Exposure window: 11 min on Marketplace, 36 min on Open VSX."
+        },
+        {
+          "type": "publisherAccount",
+          "value": "nrwl",
+          "compromiseWindowStart": "2026-05-11T00:00:00.000Z",
+          "compromiseWindowEnd": "2026-05-18T13:09:00.000Z",
+          "notes": "Nx contributor token stolen via TanStack wave1 on May 11; 7-day dwell before publishing malicious extension on May 18."
+        },
+        {
+          "type": "packageScope",
+          "value": "@nx",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: npm packages under @nx scope deployed by compromised Nx contributor. Check for versions published within 7 days of 2026-05-18."
+        },
+        {
+          "type": "packageScope",
+          "value": "nrwl",
+          "maliciousVersionRanges": [],
+          "notes": "NX_CONSOLE_DOWNSTREAM: nrwl-scoped npm packages — monitor for anomalous burst publishing."
+        }
+      ]
+    }
+  },
+  "iocs": [
+    {
+      "type": "sha512",
+      "value": "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+      "package": "@antv/g2",
+      "wave": 2,
+      "notes": "Placeholder sha512 — replace with actual SHA-512 integrity hash from npm dist.integrity of a confirmed malicious version."
+    }
+  ]
+}

package/backend/detectors/tier1-binary-embed.js

@@ -45,6 +45,23 @@ function isKnownBinaryName(fileName) {
   return BINARY_FILENAMES.includes(base);
 }
 
+const CROSS_PLATFORM_RE = /-(?:linux|darwin|macos|win32|windows|win)-(?:x64|x86|arm64|ia32)\.?(?:exe)?$/i;
+
+function detectCrossPlatformSets(binaries) {
+  const sets = {};
+  for (const bin of binaries) {
+    const base = bin.file.replace(CROSS_PLATFORM_RE, '').split(/[/\\]/).pop();
+    if (!sets[base]) sets[base] = [];
+    sets[base].push(bin.file);
+  }
+  for (const [base, files] of Object.entries(sets)) {
+    if (files.length >= 2) {
+      return { base, files, count: files.length };
+    }
+  }
+  return null;
+}
+
 function isDeclared(pkgJson, fileName) {
   if (!pkgJson) return false;
   const baseName = fileName.split(/[/\\]/).pop();
@@ -113,6 +130,8 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
 
   if (binaries.length === 0) return [];
 
+  const crossPlatformSet = detectCrossPlatformSets(binaries);
+
   const jsCode = (jsFiles || []).map(f => f.content || '').join('\n');
   const invoked = CHILD_PROC_RE.test(jsCode) || FS_CHMOD_RE.test(jsCode);
 
@@ -134,25 +153,30 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     let baseScore;
     let subtype;
 
+    // Cross-platform platform set boost
+    const isCrossPlatform = crossPlatformSet && crossPlatformSet.files.some(f => f === bin.file || f.includes(bin.file) || bin.file.includes(f.replace(/\.exe$/, '')));
+
     if (bin.magic === 'elf_embedded') {
       baseScore = 95;
-      subtype = 'elf_embedded';
+      subtype = isCrossPlatform ? 'cross_platform_elf' : 'elf_embedded';
     } else if (bin.magic === 'pe_embedded') {
       baseScore = 95;
-      subtype = 'pe_embedded';
+      subtype = isCrossPlatform ? 'cross_platform_pe' : 'pe_embedded';
     } else if (bin.magic === 'macho_embedded') {
       baseScore = 95;
-      subtype = 'macho_embedded';
+      subtype = isCrossPlatform ? 'cross_platform_macho' : 'macho_embedded';
     } else if (bin.magic === 'wasm_embedded') {
       baseScore = 60;
-      subtype = 'wasm_embedded';
+      subtype = isCrossPlatform ? 'cross_platform_wasm' : 'wasm_embedded';
     } else {
       baseScore = 60;
-      subtype = 'magic_byte_unknown';
+      subtype = isCrossPlatform ? 'cross_platform_unknown' : 'magic_byte_unknown';
     }
 
     let score = baseScore;
 
+    if (isCrossPlatform) score += 25;
+
     if (bin.inBinDir) score += 15;
 
     if (!bin.declared) score += 50;
@@ -179,6 +203,11 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       `path: ${bin.file}`,
       `declared: ${bin.declared}`,
     ];
+    if (isCrossPlatform) {
+      evidence.push(`cross-platform binary set: ${crossPlatformSet.count} variants of "${crossPlatformSet.base}"`);
+      evidence.push(`platform_files: ${crossPlatformSet.files.join(', ')}`);
+    }
+
     if (invoked && invokedFiles.length > 0) {
       evidence.push(`invoked: child_process usage in ${invokedFiles.length} file(s)`);
       evidence.push(`invoked_file: ${invokedFiles[0]}`);