@lateos/npm-scan 0.18.2 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/CHANGELOG.md +265 -233
  2. package/LICENSING.md +19 -19
  3. package/README.de.md +708 -708
  4. package/README.fr.md +707 -707
  5. package/README.ja.md +704 -704
  6. package/README.md +861 -826
  7. package/README.zh.md +708 -708
  8. package/VALIDATION.md +92 -0
  9. package/backend/cra.js +68 -68
  10. package/backend/db/pg-schema.sql +155 -0
  11. package/backend/db/schema.sql +32 -32
  12. package/backend/db.js +88 -88
  13. package/backend/detectors/atk-001-lifecycle.js +17 -17
  14. package/backend/detectors/atk-002-obfusc.js +261 -261
  15. package/backend/detectors/atk-003-creds.js +13 -13
  16. package/backend/detectors/atk-004-persist.js +13 -13
  17. package/backend/detectors/atk-005-exfil.js +13 -13
  18. package/backend/detectors/atk-006-depconf.js +14 -14
  19. package/backend/detectors/atk-007-typosquat.js +34 -34
  20. package/backend/detectors/atk-008-tarball-tamper.js +91 -91
  21. package/backend/detectors/atk-009-dormant-trigger.js +62 -62
  22. package/backend/detectors/atk-010-sandbox-evasion.js +50 -50
  23. package/backend/detectors/atk-011-transitive-prop.js +76 -76
  24. package/backend/detectors/config/thresholds.js +66 -0
  25. package/backend/detectors/config/whitelist.json +74 -0
  26. package/backend/detectors/cve-2026-48710-badhost/codePattern.js +99 -99
  27. package/backend/detectors/cve-2026-48710-badhost/findings.js +105 -105
  28. package/backend/detectors/cve-2026-48710-badhost/index.js +15 -15
  29. package/backend/detectors/cve-2026-48710-badhost/manifest.js +305 -305
  30. package/backend/detectors/cve-2026-48710-badhost/transitive.js +189 -189
  31. package/backend/detectors/hf-impersonation/index.js +396 -396
  32. package/backend/detectors/hf-impersonation/jaro-winkler.js +44 -44
  33. package/backend/detectors/hf-impersonation/known-orgs.js +5 -5
  34. package/backend/detectors/hf-impersonation/simhash.js +46 -46
  35. package/backend/detectors/index.js +87 -81
  36. package/backend/detectors/lib/ast-patterns.js +21 -0
  37. package/backend/detectors/lib/entropy-analyzer.js +24 -0
  38. package/backend/detectors/megalodon/d1-workflow-scan.js +147 -147
  39. package/backend/detectors/megalodon/d2-credential-harvest.js +61 -61
  40. package/backend/detectors/megalodon/d3-publish-velocity.js +67 -67
  41. package/backend/detectors/megalodon/d4-publisher-drift.js +124 -124
  42. package/backend/detectors/megalodon/d5-bot-commit-identity.js +3 -3
  43. package/backend/detectors/megalodon/d6-date-anachronism.js +3 -3
  44. package/backend/detectors/megalodon/index.js +80 -80
  45. package/backend/detectors/megalodon/types.js +9 -9
  46. package/backend/detectors/mini-shai-hulud/d1-burst-publish.js +42 -42
  47. package/backend/detectors/mini-shai-hulud/d2-sibling-compromise.js +116 -116
  48. package/backend/detectors/mini-shai-hulud/d3-slsa-mismatch.js +72 -72
  49. package/backend/detectors/mini-shai-hulud/d4-maintainer-anomaly.js +45 -45
  50. package/backend/detectors/mini-shai-hulud/d5-ioc-check.js +95 -95
  51. package/backend/detectors/mini-shai-hulud/d6-token-exfil.js +38 -38
  52. package/backend/detectors/mini-shai-hulud/index.js +118 -118
  53. package/backend/detectors/mini-shai-hulud/iocs.json +79 -79
  54. package/backend/detectors/tier1-binary-embed.js +34 -5
  55. package/backend/detectors/tier1-obfuscation-heuristics.js +156 -0
  56. package/backend/detectors/tier1-slsa-attestation.js +12 -0
  57. package/backend/detectors/tier1-version-anomaly.js +187 -0
  58. package/backend/detectors.test.js +88 -0
  59. package/backend/fetch.js +175 -175
  60. package/backend/index.js +4 -4
  61. package/backend/license.js +89 -89
  62. package/backend/lockfile.js +379 -379
  63. package/backend/pdf.js +245 -245
  64. package/backend/policy.js +193 -193
  65. package/backend/report.js +254 -254
  66. package/backend/sbom.js +66 -66
  67. package/backend/scripts/analyze-false-positives.js +146 -0
  68. package/backend/scripts/analyze-validation.js +151 -0
  69. package/backend/scripts/detect-false-positives.js +93 -0
  70. package/backend/scripts/fetch-top-packages.js +129 -0
  71. package/backend/scripts/validate-detectors.js +142 -0
  72. package/backend/siem/cef.js +32 -32
  73. package/backend/siem/ecs.js +40 -40
  74. package/backend/siem/index.js +18 -18
  75. package/backend/siem/qradar.js +56 -56
  76. package/backend/siem/sentinel.js +27 -27
  77. package/backend/tests-d5-enhanced.test.js +46 -0
  78. package/backend/tests-d6-version-anomaly.test.js +58 -0
  79. package/backend/tests-d6.test.js +116 -0
  80. package/backend/tests-d6c.test.js +106 -0
  81. package/backend/tests-d7-obfuscation.test.js +91 -0
  82. package/backend/tests.test.js +898 -0
  83. package/backend/vsix-scan/detectors/activation-event-risk.js +116 -116
  84. package/backend/vsix-scan/detectors/burst-publish.js +52 -52
  85. package/backend/vsix-scan/detectors/exfil-pattern.js +88 -88
  86. package/backend/vsix-scan/detectors/known-ioc.js +105 -105
  87. package/backend/vsix-scan/detectors/orphan-commit-fetch.js +69 -69
  88. package/backend/vsix-scan/detectors/publisher-anomaly.js +70 -70
  89. package/backend/vsix-scan/index.js +183 -183
  90. package/backend/vsix-scan/marketplace-client.js +145 -145
  91. package/backend/vsix-scan/vsix-iocs.json +31 -31
  92. package/cli/cli.js +458 -458
  93. package/package.json +74 -57
  94. package/.dockerignore +0 -20
  95. package/.husky/pre-commit +0 -1
  96. package/SECURITY.md +0 -73
  97. package/deploy/helm/npm-scan/Chart.yaml +0 -22
  98. package/deploy/helm/npm-scan/templates/_helpers.tpl +0 -9
  99. package/deploy/helm/npm-scan/templates/api.yaml +0 -94
  100. package/deploy/helm/npm-scan/templates/ingress.yaml +0 -28
  101. package/deploy/helm/npm-scan/templates/postgresql.yaml +0 -67
  102. package/deploy/helm/npm-scan/templates/secrets.yaml +0 -19
  103. package/deploy/helm/npm-scan/templates/worker.yaml +0 -32
  104. package/deploy/helm/npm-scan/values.byoc.yaml +0 -75
  105. package/deploy/helm/npm-scan/values.yaml +0 -103
  106. package/scripts/download-corpus.js +0 -30
  107. package/scripts/gen-mal-corpus.js +0 -35
  108. package/scripts/generate-campaign-fixtures.js +0 -170
  109. package/src/config/top-5000.json +0 -87
  110. package/test/fixtures/lockfiles/npm-lock.json +0 -69
  111. package/test/fixtures/lockfiles/pnpm-lock.yaml +0 -118
  112. package/test/fixtures/lockfiles/yarn.lock +0 -104
  113. package/test/fixtures/mock-data.js +0 -69
package/backend/tests-d6c.test.js ADDED
@@ -0,0 +1,106 @@
1
+ import { test, describe } from 'node:test';
2
+ import assert from 'assert/strict';
3
+ import * as detectors from './detectors/index.js';
4
+
5
+ // ─── D6a — tier1-version-confusion ──────────────────────────────────
6
+
7
+ describe('D6a — tier1-version-confusion', () => {
8
+ test('D6a: exact sentinel 99.99.99 → HIGH, confidenceScore >= 80', async () => {
9
+ const pkg = { name: 'internal-utils', version: '99.99.99' };
10
+ const findings = await detectors.runAll(pkg);
11
+ const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
12
+ assert(match, 'Expected TIER1-VERSION-CONFUSION finding');
13
+ assert.equal(match.confidence, 'HIGH');
14
+ assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
15
+ });
16
+
17
+ test('D6a: exact sentinel 9.9.9 → MEDIUM, confidenceScore >= 60', async () => {
18
+ const pkg = { name: 'corp-auth', version: '9.9.9' };
19
+ const findings = await detectors.runAll(pkg);
20
+ const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
21
+ assert(match, 'Expected TIER1-VERSION-CONFUSION finding');
22
+ assert.equal(match.confidence, 'MEDIUM');
23
+ assert(match.confidenceScore >= 60, `confidenceScore ${match.confidenceScore} < 60`);
24
+ });
25
+
26
+ test('D6a: high-version heuristic 99.5.8 → MEDIUM, confidenceScore >= 60', async () => {
27
+ const pkg = { name: 'internal-payments', version: '99.5.8' };
28
+ const findings = await detectors.runAll(pkg);
29
+ const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
30
+ assert(match, 'Expected TIER1-VERSION-CONFUSION finding');
31
+ assert.equal(match.confidence, 'MEDIUM');
32
+ assert(match.confidenceScore >= 60, `confidenceScore ${match.confidenceScore} < 60`);
33
+ });
34
+
35
+ test('D6a: heuristic does not fire on legitimate high patch, e.g. 1.99.0', async () => {
36
+ const pkg = { name: 'some-lib', version: '1.99.0' };
37
+ const findings = await detectors.runAll(pkg);
38
+ const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
39
+ assert(!match);
40
+ });
41
+
42
+ test('D6a: no finding on legitimate semver 4.17.21', async () => {
43
+ const pkg = { name: 'lodash', version: '4.17.21' };
44
+ const findings = await detectors.runAll(pkg);
45
+ const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
46
+ assert(!match);
47
+ });
48
+
49
+ test('D6a: no finding on KNOWN_REPUTABLE_PACKAGES regardless of version', async () => {
50
+ const pkg = { name: 'react', version: '99.99.99' };
51
+ const findings = await detectors.runAll(pkg);
52
+ const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
53
+ assert(!match);
54
+ });
55
+ });
56
+
57
+ // ─── D6c — tier1-cloud-imds ─────────────────────────────────────────
58
+
59
+ describe('D6c — tier1-cloud-imds', () => {
60
+ test('D6c: detects GCP metadata endpoint in JS file', async () => {
61
+ const jsFiles = [{ path: 'index.js', content: 'fetch("http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token")' }];
62
+ const findings = await detectors.runAll({ name: 'test-pkg' }, jsFiles);
63
+ const match = findings.find(f => f.id === 'TIER1-CLOUD-IMDS');
64
+ assert(match, 'Expected TIER1-CLOUD-IMDS finding');
65
+ assert.equal(match.confidence, 'HIGH');
66
+ assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
67
+ });
68
+
69
+ test('D6c: detects Azure IMDS endpoint in JS file', async () => {
70
+ const jsFiles = [{ path: 'app.js', content: 'axios.get("http://169.254.169.254/metadata/instance", { headers: { Metadata: "true" } })' }];
71
+ const findings = await detectors.runAll({ name: 'test-pkg' }, jsFiles);
72
+ const match = findings.find(f => f.id === 'TIER1-CLOUD-IMDS');
73
+ assert(match, 'Expected TIER1-CLOUD-IMDS finding');
74
+ assert.equal(match.confidence, 'HIGH');
75
+ assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
76
+ });
77
+
78
+ test('D6c: detects GCP/Azure pattern in postinstall script', async () => {
79
+ const pkg = {
80
+ name: 'malicious-pkg',
81
+ version: '1.0.0',
82
+ scripts: {
83
+ postinstall: 'node -e "require(\\"http\\").get(\\"http://metadata.google.internal/computeMetadata/v1/\\")"',
84
+ },
85
+ };
86
+ const findings = await detectors.runAll(pkg);
87
+ const match = findings.find(f => f.id === 'TIER1-CLOUD-IMDS');
88
+ assert(match, 'Expected TIER1-CLOUD-IMDS finding');
89
+ assert.equal(match.confidence, 'HIGH');
90
+ assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
91
+ });
92
+
93
+ test('D6c: no finding on clean JS with no IMDS patterns', async () => {
94
+ const jsFiles = [{ path: 'clean.js', content: 'const x = 1 + 1;' }];
95
+ const findings = await detectors.runAll({ name: 'test-pkg' }, jsFiles);
96
+ const match = findings.find(f => f.id === 'TIER1-CLOUD-IMDS');
97
+ assert(!match);
98
+ });
99
+
100
+ test('D6c: no finding when 169.254.169.254 appears without /metadata path', async () => {
101
+ const jsFiles = [{ path: 'docs.js', content: '// link-local range starts at 169.254.0.0' }];
102
+ const findings = await detectors.runAll({ name: 'test-pkg' }, jsFiles);
103
+ const match = findings.find(f => f.id === 'TIER1-CLOUD-IMDS');
104
+ assert(!match);
105
+ });
106
+ });
package/backend/tests-d7-obfuscation.test.js ADDED
@@ -0,0 +1,91 @@
1
+ import { test, describe } from 'node:test';
2
+ import assert from 'assert/strict';
3
+ import * as detectors from './detectors/index.js';
4
+
5
+ describe('D7: Obfuscation Heuristics', () => {
6
+ test('D7: flags heavily obfuscated postinstall script', async () => {
7
+ const obfuscated =
8
+ `var _0x=["eval","fromCharCode","charCodeAt"];for(var i=0;i<999;i++){var x=String.fromCharCode(i);if(i>500){eval(atob("Y29uc3QgeCA9ICdtYWxpY2lvdXMnO2V2YWwoeCk7Y29uc3QgeSA9ICdiYWNrZG9vcic7ZXZhbCh5KTs="))}}var _0xe="\\x65\\x76\\x61\\x6c\\x28\\x61\\x74\\x6f\\x62\\x28\\x22\\x59\\x6d\\x39\\x75\\x62\\x47\\x38\\x67"`;
9
+ const pkg = {
10
+ name: 'malicious-pkg',
11
+ version: '1.0.0',
12
+ scripts: { postinstall: obfuscated },
13
+ };
14
+ const findings = await detectors.runAll(pkg);
15
+ const match = findings.find(f => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
16
+ assert(match, 'Expected TIER1-OBFUSCATION-HEURISTICS finding');
17
+ assert(match.confidenceScore >= 75, `confidenceScore ${match.confidenceScore} < 75`);
18
+ });
19
+
20
+ test('D7: detects XOR cipher pattern in preinstall script', async () => {
21
+ const xorCode =
22
+ `var _0xk=[0x66,0x6c,0x61,0x67];var _0xd="LzdHJKdUp4VWt5S292RXBsb3Zlck5pZ2h0U2VjcmV0S2V5Rm9yRW50cm9weUJvb3N0";let r='';for(let i=0;i<str.length;i++){r+=String.fromCharCode(str.charCodeAt(i)^_0xk[i%4]);if(i>50){eval(atob("RGV0ZWN0ZWQ="))}}`;
23
+ const pkg = {
24
+ name: 'suspicious-pkg',
25
+ version: '1.0.0',
26
+ scripts: { preinstall: xorCode },
27
+ };
28
+ const findings = await detectors.runAll(pkg);
29
+ const match = findings.find(f => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
30
+ assert(match, 'Expected TIER1-OBFUSCATION-HEURISTICS finding');
31
+ assert(match.confidenceScore >= 70, `confidenceScore ${match.confidenceScore} < 70`);
32
+ });
33
+
34
+ test('D7: does NOT flag normal string reversal (palindrome check)', async () => {
35
+ const normalCode = `
36
+ function isPalindrome(s) {
37
+ return s === s.split('').reverse().join('');
38
+ }
39
+ `;
40
+ const pkg = {
41
+ name: 'normal-pkg',
42
+ version: '1.0.0',
43
+ scripts: { postinstall: normalCode },
44
+ };
45
+ const findings = await detectors.runAll(pkg);
46
+ const match = findings.find(f => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
47
+ assert(!match, 'Should not flag normal palindrome function');
48
+ });
49
+
50
+ test('D7: flags high entropy in postinstall script', async () => {
51
+ const highEntropyCode =
52
+ `var x="T3NobmFJc0VudHJvcHlCb29zdGVkV2l0aEJhc2U2NFBheWxvYWRUaGF0U2hvdWxkQmVQbGVudHlPZkNoYXJhY3RlcnNGb3JIaWdoRW50cm9weVNjb3JlQW5kSXRTaG91bGRCZU9mVmVyeUhpZ2hRdWFsaXR5VG9NYWtlVGhlVGVzdFBhc3NBbmRJdFNob3VsZEJlT2ZNaXhlZENhc2VXaXRoTnVtYmVyc0FuZFNwZWNpYWxDaGFyYWN0ZXJzRm9yTWF4RW50cm9weQ==";`;
53
+ const pkg = {
54
+ name: 'high-entropy-pkg',
55
+ version: '1.0.0',
56
+ scripts: { postinstall: highEntropyCode },
57
+ };
58
+ const findings = await detectors.runAll(pkg);
59
+ const match = findings.find(f => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
60
+ assert(match, 'Expected TIER1-OBFUSCATION-HEURISTICS finding');
61
+ assert(match.confidenceScore >= 55, `confidenceScore ${match.confidenceScore} < 55`);
62
+ });
63
+
64
+ test('D7: no finding on clean build script', async () => {
65
+ const cleanCode = `
66
+ const path = require('path');
67
+ const fs = require('fs');
68
+ fs.mkdirSync(path.join(__dirname, 'dist'));
69
+ console.log('build complete');
70
+ `;
71
+ const pkg = {
72
+ name: 'clean-pkg',
73
+ version: '1.0.0',
74
+ scripts: { postinstall: cleanCode },
75
+ };
76
+ const findings = await detectors.runAll(pkg);
77
+ const match = findings.find(f => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
78
+ assert(!match, 'Should not flag clean build script');
79
+ });
80
+
81
+ test('D7: no finding on KNOWN_REPUTABLE_PACKAGES', async () => {
82
+ const pkg = {
83
+ name: 'lodash',
84
+ version: '4.17.21',
85
+ scripts: { postinstall: 'eval(atob("dmFyIHg9J21hbGljaW91cyc7"))' },
86
+ };
87
+ const findings = await detectors.runAll(pkg);
88
+ const match = findings.find(f => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
89
+ assert(!match);
90
+ });
91
+ });