@lateos/npm-scan 0.18.2 → 1.0.0

package/backend/vsix-scan/detectors/activation-event-risk.js

@@ -1,116 +1,116 @@
-const ACTIVATION_RISK_MATRIX = {
-  '*': { base: 'critical', label: 'Wildcard (all files)' },
-  'onStartupFinished': { base: 'high', label: 'Startup finished' },
-  'workspaceContains:**/*': { base: 'high', label: 'Workspace contains wildcard' },
-  'workspaceContains': { base: 'high', label: 'Workspace contains' },
-  'onCommand:*': { base: 'low', label: 'Any command' },
-};
-
-const DEFAULT_BASE_RISK = 'medium';
-
-const ESCALATION_KEYWORDS = [
-  'npx', 'bun', 'curl', 'wget', 'fetch(',
-  'exec(', 'spawn(', 'execSync', 'spawnSync',
-  'child_process', 'shell: true', 'detached: true',
-];
-
-const BUNDLED_BUN_PATTERN = /bun|runtime/;
-
-const SIZE_DELTA_THRESHOLD = 400 * 1024;
-
-const SHELL_CMDS = ['npx', 'bun', 'curl', 'wget', 'exec', 'spawn', 'execSync'];
-
-export async function checkActivationEventRisk(extensionManifest, versionHistory = [], priorVersions = []) {
-  const signals = [];
-
-  const activationEvents = extensionManifest?.activationEvents || [];
-  if (activationEvents.length === 0 && extensionManifest?.main) {
-    return { triggered: false, signals: [], riskLevel: null, why: [] };
-  }
-
-  let maxBaseRisk = 0;
-  const riskLabels = ['none', 'low', 'medium', 'high', 'critical'];
-  const riskValues = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
-
-  let worstEvent = null;
-  const why = [];
-
-  for (const event of activationEvents) {
-    const risk = ACTIVATION_RISK_MATRIX[event];
-    if (risk) {
-      const baseIdx = riskValues[risk.base] || riskValues[DEFAULT_BASE_RISK];
-      if (baseIdx > maxBaseRisk) {
-        maxBaseRisk = baseIdx;
-        worstEvent = event;
-      }
-    } else if (event.includes('*') && event !== 'onCommand:*') {
-      const baseIdx = riskValues['high'];
-      if (baseIdx > maxBaseRisk) {
-        maxBaseRisk = baseIdx;
-        worstEvent = event;
-      }
-    }
-  }
-
-  const contributes = extensionManifest?.contributes || {};
-  const commands = contributes?.commands || [];
-  const cmdTitles = commands.map(c => (c.title || '').toLowerCase()).join(' ');
-
-  const bundledDeps = extensionManifest?.bundledDependencies || [];
-  const bundledStr = Array.isArray(bundledDeps) ? bundledDeps.join(' ') : '';
-
-  const hasShellKeyword = SHELL_CMDS.some(cmd => cmdTitles.includes(cmd));
-  const hasBunBundled = BUNDLED_BUN_PATTERN.test(bundledStr);
-
-  const activationEventsStr = activationEvents.join(' ');
-  const hasShellInActivationContext = ESCALATION_KEYWORDS.some(kw => activationEventsStr.toLowerCase().includes(kw.toLowerCase()));
-
-  let escalateToCritical = false;
-
-  if (hasShellKeyword || hasBunBundled || hasShellInActivationContext) {
-    escalateToCritical = true;
-    why.push('HIGH activation event + shell/execution keywords');
-  }
-
-  if (versionHistory.length >= 2) {
-    const sizes = versionHistory
-      .filter(v => v.assetSize)
-      .map(v => v.assetSize)
-      .sort((a, b) => b - a);
-
-    if (sizes.length >= 2 && (sizes[0] - sizes[sizes.length - 1]) > SIZE_DELTA_THRESHOLD) {
-      escalateToCritical = true;
-      why.push(`HIGH activation event + version size delta > ${SIZE_DELTA_THRESHOLD} bytes`);
-    }
-  }
-
-  const priorActivationEvents = priorVersions
-    .filter(v => v.activationEvents)
-    .flatMap(v => v.activationEvents);
-
-  if (priorActivationEvents.length > 0) {
-    const newEvents = activationEvents.filter(e => !priorActivationEvents.includes(e));
-    if (newEvents.length > 0) {
-      why.push(`First-time activation event(s) added: ${newEvents.join(', ')}`);
-      if (!escalateToCritical && maxBaseRisk >= riskValues['high']) {
-        escalateToCritical = true;
-      }
-    }
-  }
-
-  let riskLevel = maxBaseRisk > 0 ? riskLabels[maxBaseRisk] : null;
-  if (escalateToCritical && riskValues[riskLevel] <= riskValues['high']) {
-    riskLevel = 'critical';
-  }
-
-  if (!riskLevel) return { triggered: false, signals: [], riskLevel: null, why: [] };
-
-  signals.push({
-    type: 'ACTIVATION_EVENT_RISK',
-    activationEvents,
-    riskLevel,
-    why,
-  });
-
-  return { triggered: true, signals, riskLevel, why };
-}
+const ACTIVATION_RISK_MATRIX = {
+  '*': { base: 'critical', label: 'Wildcard (all files)' },
+  'onStartupFinished': { base: 'high', label: 'Startup finished' },
+  'workspaceContains:**/*': { base: 'high', label: 'Workspace contains wildcard' },
+  'workspaceContains': { base: 'high', label: 'Workspace contains' },
+  'onCommand:*': { base: 'low', label: 'Any command' },
+};
+
+const DEFAULT_BASE_RISK = 'medium';
+
+const ESCALATION_KEYWORDS = [
+  'npx', 'bun', 'curl', 'wget', 'fetch(',
+  'exec(', 'spawn(', 'execSync', 'spawnSync',
+  'child_process', 'shell: true', 'detached: true',
+];
+
+const BUNDLED_BUN_PATTERN = /bun|runtime/;
+
+const SIZE_DELTA_THRESHOLD = 400 * 1024;
+
+const SHELL_CMDS = ['npx', 'bun', 'curl', 'wget', 'exec', 'spawn', 'execSync'];
+
+export async function checkActivationEventRisk(extensionManifest, versionHistory = [], priorVersions = []) {
+  const signals = [];
+
+  const activationEvents = extensionManifest?.activationEvents || [];
+  if (activationEvents.length === 0 && extensionManifest?.main) {
+    return { triggered: false, signals: [], riskLevel: null, why: [] };
+  }
+
+  let maxBaseRisk = 0;
+  const riskLabels = ['none', 'low', 'medium', 'high', 'critical'];
+  const riskValues = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
+
+  let worstEvent = null;
+  const why = [];
+
+  for (const event of activationEvents) {
+    const risk = ACTIVATION_RISK_MATRIX[event];
+    if (risk) {
+      const baseIdx = riskValues[risk.base] || riskValues[DEFAULT_BASE_RISK];
+      if (baseIdx > maxBaseRisk) {
+        maxBaseRisk = baseIdx;
+        worstEvent = event;
+      }
+    } else if (event.includes('*') && event !== 'onCommand:*') {
+      const baseIdx = riskValues['high'];
+      if (baseIdx > maxBaseRisk) {
+        maxBaseRisk = baseIdx;
+        worstEvent = event;
+      }
+    }
+  }
+
+  const contributes = extensionManifest?.contributes || {};
+  const commands = contributes?.commands || [];
+  const cmdTitles = commands.map(c => (c.title || '').toLowerCase()).join(' ');
+
+  const bundledDeps = extensionManifest?.bundledDependencies || [];
+  const bundledStr = Array.isArray(bundledDeps) ? bundledDeps.join(' ') : '';
+
+  const hasShellKeyword = SHELL_CMDS.some(cmd => cmdTitles.includes(cmd));
+  const hasBunBundled = BUNDLED_BUN_PATTERN.test(bundledStr);
+
+  const activationEventsStr = activationEvents.join(' ');
+  const hasShellInActivationContext = ESCALATION_KEYWORDS.some(kw => activationEventsStr.toLowerCase().includes(kw.toLowerCase()));
+
+  let escalateToCritical = false;
+
+  if (hasShellKeyword || hasBunBundled || hasShellInActivationContext) {
+    escalateToCritical = true;
+    why.push('HIGH activation event + shell/execution keywords');
+  }
+
+  if (versionHistory.length >= 2) {
+    const sizes = versionHistory
+      .filter(v => v.assetSize)
+      .map(v => v.assetSize)
+      .sort((a, b) => b - a);
+
+    if (sizes.length >= 2 && (sizes[0] - sizes[sizes.length - 1]) > SIZE_DELTA_THRESHOLD) {
+      escalateToCritical = true;
+      why.push(`HIGH activation event + version size delta > ${SIZE_DELTA_THRESHOLD} bytes`);
+    }
+  }
+
+  const priorActivationEvents = priorVersions
+    .filter(v => v.activationEvents)
+    .flatMap(v => v.activationEvents);
+
+  if (priorActivationEvents.length > 0) {
+    const newEvents = activationEvents.filter(e => !priorActivationEvents.includes(e));
+    if (newEvents.length > 0) {
+      why.push(`First-time activation event(s) added: ${newEvents.join(', ')}`);
+      if (!escalateToCritical && maxBaseRisk >= riskValues['high']) {
+        escalateToCritical = true;
+      }
+    }
+  }
+
+  let riskLevel = maxBaseRisk > 0 ? riskLabels[maxBaseRisk] : null;
+  if (escalateToCritical && riskValues[riskLevel] <= riskValues['high']) {
+    riskLevel = 'critical';
+  }
+
+  if (!riskLevel) return { triggered: false, signals: [], riskLevel: null, why: [] };
+
+  signals.push({
+    type: 'ACTIVATION_EVENT_RISK',
+    activationEvents,
+    riskLevel,
+    why,
+  });
+
+  return { triggered: true, signals, riskLevel, why };
+}

package/backend/vsix-scan/detectors/burst-publish.js

@@ -1,52 +1,52 @@
-export async function checkBurstPublish(versionHistory, config = {}) {
-  const windowMinutes = config.burstWindowMinutes ?? 30;
-  const threshold = config.burstVersionThreshold ?? 2;
-  const hotPullMinutes = config.hotPullMinutes ?? 20;
-
-  const entries = versionHistory
-    .filter(v => v.publishedAt)
-    .map(v => ({ version: v.version, time: new Date(v.publishedAt).getTime() }))
-    .filter(e => !Number.isNaN(e.time))
-    .sort((a, b) => a.time - b.time);
-
-  if (entries.length < threshold) return { triggered: false };
-
-  const windowMs = windowMinutes * 60 * 1000;
-  let burstFound = false;
-  let burstWindowStart = null;
-  let burstWindowEnd = null;
-  let burstVersionCount = 0;
-  let burstVersions = [];
-
-  for (let i = 0; i < entries.length; i++) {
-    const start = entries[i].time;
-    const end = start + windowMs;
-    const inWindow = entries.filter(e => e.time >= start && e.time <= end);
-
-    if (inWindow.length >= threshold) {
-      burstFound = true;
-      burstWindowStart = new Date(start).toISOString();
-      burstWindowEnd = new Date(end).toISOString();
-      burstVersionCount = inWindow.length;
-      burstVersions = inWindow.map(e => e.version);
-      break;
-    }
-  }
-
-  let hotPullDetected = false;
-  for (let i = 1; i < entries.length; i++) {
-    const gapMinutes = (entries[i].time - entries[i - 1].time) / (1000 * 60);
-    if (gapMinutes > 0 && gapMinutes < hotPullMinutes) {
-      hotPullDetected = true;
-      break;
-    }
-  }
-
-  return {
-    triggered: burstFound || hotPullDetected,
-    burstWindow: burstFound
-      ? { start: burstWindowStart, end: burstWindowEnd, versionCount: burstVersionCount, versions: burstVersions }
-      : null,
-    hotPullDetected,
-  };
-}
+export async function checkBurstPublish(versionHistory, config = {}) {
+  const windowMinutes = config.burstWindowMinutes ?? 30;
+  const threshold = config.burstVersionThreshold ?? 2;
+  const hotPullMinutes = config.hotPullMinutes ?? 20;
+
+  const entries = versionHistory
+    .filter(v => v.publishedAt)
+    .map(v => ({ version: v.version, time: new Date(v.publishedAt).getTime() }))
+    .filter(e => !Number.isNaN(e.time))
+    .sort((a, b) => a.time - b.time);
+
+  if (entries.length < threshold) return { triggered: false };
+
+  const windowMs = windowMinutes * 60 * 1000;
+  let burstFound = false;
+  let burstWindowStart = null;
+  let burstWindowEnd = null;
+  let burstVersionCount = 0;
+  let burstVersions = [];
+
+  for (let i = 0; i < entries.length; i++) {
+    const start = entries[i].time;
+    const end = start + windowMs;
+    const inWindow = entries.filter(e => e.time >= start && e.time <= end);
+
+    if (inWindow.length >= threshold) {
+      burstFound = true;
+      burstWindowStart = new Date(start).toISOString();
+      burstWindowEnd = new Date(end).toISOString();
+      burstVersionCount = inWindow.length;
+      burstVersions = inWindow.map(e => e.version);
+      break;
+    }
+  }
+
+  let hotPullDetected = false;
+  for (let i = 1; i < entries.length; i++) {
+    const gapMinutes = (entries[i].time - entries[i - 1].time) / (1000 * 60);
+    if (gapMinutes > 0 && gapMinutes < hotPullMinutes) {
+      hotPullDetected = true;
+      break;
+    }
+  }
+
+  return {
+    triggered: burstFound || hotPullDetected,
+    burstWindow: burstFound
+      ? { start: burstWindowStart, end: burstWindowEnd, versionCount: burstVersionCount, versions: burstVersions }
+      : null,
+    hotPullDetected,
+  };
+}

package/backend/vsix-scan/detectors/exfil-pattern.js

@@ -1,88 +1,88 @@
-const CREDENTIAL_FILE_PATTERNS = [
-  /~\/\.npmrc/,
-  /~\/\.gitconfig/,
-  /~\/\.aws\/credentials/,
-  /~\/\.ssh\/id_\w+/,
-  /~\/\.vault-token/,
-  /~\/\.claude\/settings\.json/,
-  /~\/Library\/Application\s+Support\/1Password\//,
-  /\/etc\/vault\/token/,
-  /\/proc\/\*\/mem/,
-  /\$GITHUB_ENV/,
-  /\$GITHUB_TOKEN/,
-  /\$NPM_TOKEN/,
-  /\$NODE_AUTH_TOKEN/,
-  /GH_TOKEN/,
-];
-
-const EXFIL_CHANNEL_PATTERNS = [
-  /(?:[a-z0-9_-]{40,})\.[a-z0-9_-]+\.(?:com|io|org|net|app|dev|xyz)(?:\/[^\s"')\]]{0,50})?/i,
-  /\/gists\b.*authorization/i,
-  /\/repos\/[^/]+\/[^/]+\/git\/refs/i,
-  /AES-256-GCM/,
-  /RSA\/(?:PKCS|OAEP)/,
-];
-
-const ANTI_ANALYSIS_PATTERNS = [
-  { pattern: /os\.cpus\(\)\.length\s*<\s*4/, label: 'CPU core count check (< 4)' },
-  { pattern: /Intl\.DateTimeFormat.*(?:timeZone|locale)/, label: 'Timezone/locale check' },
-  { pattern: /Intl\.DateTimeFormat.*\b(?:ru|rus|kz|by|cn|cns)\b/i, label: 'CIS/locale filtering' },
-  { pattern: /\bspawn\(\s*[^,]+,\s*\{[^}]*detached:\s*true\s*\}/, label: 'Detached process spawn' },
-  { pattern: /\bBUN_INSTALL\b/, label: 'BUN_INSTALL env reference' },
-  { pattern: /~\/\.bun\/bin\/bun/, label: 'Bun binary path' },
-  { pattern: /\bBun\.file\(/, label: 'Bun.file() API' },
-  { pattern: /\bBun\.serve\(/, label: 'Bun.serve() API' },
-];
-
-function truncateSnippet(str, maxLen = 200) {
-  if (!str || str.length <= maxLen) return str || '';
-  return str.slice(0, maxLen) + '...';
-}
-
-export async function checkExfilPattern(extensionFiles = []) {
-  const signals = [];
-  const exfilPatterns = [];
-  const antiAnalysisTechniques = [];
-
-  for (const file of extensionFiles) {
-    const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
-    const path = file.path || '';
-
-    for (const cp of CREDENTIAL_FILE_PATTERNS) {
-      const match = content.match(cp);
-      if (match) {
-        const snippet = truncateSnippet(match[0]);
-        if (!exfilPatterns.some(e => e.includes(snippet))) {
-          exfilPatterns.push(`${path}: ${snippet}`);
-          signals.push({ type: 'CREDENTIAL_FILE_TARGET', pattern: cp.source, file: path });
-        }
-      }
-    }
-
-    for (const ep of EXFIL_CHANNEL_PATTERNS) {
-      const match = content.match(ep);
-      if (match) {
-        const snippet = truncateSnippet(match[0]);
-        exfilPatterns.push(`${path}: ${snippet}`);
-        signals.push({ type: 'EXFIL_CHANNEL', pattern: ep.source, file: path });
-      }
-    }
-
-    for (const ap of ANTI_ANALYSIS_PATTERNS) {
-      if (ap.pattern.test(content)) {
-        if (!antiAnalysisTechniques.includes(ap.label)) {
-          antiAnalysisTechniques.push(ap.label);
-          signals.push({ type: 'ANTI_ANALYSIS', technique: ap.label, file: path });
-        }
-      }
-    }
-  }
-
-  return {
-    triggered: signals.length > 0,
-    signals,
-    exfilPatterns,
-    antiAnalysisTechniques,
-  };
-}
+const CREDENTIAL_FILE_PATTERNS = [
+  /~\/\.npmrc/,
+  /~\/\.gitconfig/,
+  /~\/\.aws\/credentials/,
+  /~\/\.ssh\/id_\w+/,
+  /~\/\.vault-token/,
+  /~\/\.claude\/settings\.json/,
+  /~\/Library\/Application\s+Support\/1Password\//,
+  /\/etc\/vault\/token/,
+  /\/proc\/\*\/mem/,
+  /\$GITHUB_ENV/,
+  /\$GITHUB_TOKEN/,
+  /\$NPM_TOKEN/,
+  /\$NODE_AUTH_TOKEN/,
+  /GH_TOKEN/,
+];
+
+const EXFIL_CHANNEL_PATTERNS = [
+  /(?:[a-z0-9_-]{40,})\.[a-z0-9_-]+\.(?:com|io|org|net|app|dev|xyz)(?:\/[^\s"')\]]{0,50})?/i,
+  /\/gists\b.*authorization/i,
+  /\/repos\/[^/]+\/[^/]+\/git\/refs/i,
+  /AES-256-GCM/,
+  /RSA\/(?:PKCS|OAEP)/,
+];
+
+const ANTI_ANALYSIS_PATTERNS = [
+  { pattern: /os\.cpus\(\)\.length\s*<\s*4/, label: 'CPU core count check (< 4)' },
+  { pattern: /Intl\.DateTimeFormat.*(?:timeZone|locale)/, label: 'Timezone/locale check' },
+  { pattern: /Intl\.DateTimeFormat.*\b(?:ru|rus|kz|by|cn|cns)\b/i, label: 'CIS/locale filtering' },
+  { pattern: /\bspawn\(\s*[^,]+,\s*\{[^}]*detached:\s*true\s*\}/, label: 'Detached process spawn' },
+  { pattern: /\bBUN_INSTALL\b/, label: 'BUN_INSTALL env reference' },
+  { pattern: /~\/\.bun\/bin\/bun/, label: 'Bun binary path' },
+  { pattern: /\bBun\.file\(/, label: 'Bun.file() API' },
+  { pattern: /\bBun\.serve\(/, label: 'Bun.serve() API' },
+];
+
+function truncateSnippet(str, maxLen = 200) {
+  if (!str || str.length <= maxLen) return str || '';
+  return str.slice(0, maxLen) + '...';
+}
+
+export async function checkExfilPattern(extensionFiles = []) {
+  const signals = [];
+  const exfilPatterns = [];
+  const antiAnalysisTechniques = [];
+
+  for (const file of extensionFiles) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+
+    for (const cp of CREDENTIAL_FILE_PATTERNS) {
+      const match = content.match(cp);
+      if (match) {
+        const snippet = truncateSnippet(match[0]);
+        if (!exfilPatterns.some(e => e.includes(snippet))) {
+          exfilPatterns.push(`${path}: ${snippet}`);
+          signals.push({ type: 'CREDENTIAL_FILE_TARGET', pattern: cp.source, file: path });
+        }
+      }
+    }
+
+    for (const ep of EXFIL_CHANNEL_PATTERNS) {
+      const match = content.match(ep);
+      if (match) {
+        const snippet = truncateSnippet(match[0]);
+        exfilPatterns.push(`${path}: ${snippet}`);
+        signals.push({ type: 'EXFIL_CHANNEL', pattern: ep.source, file: path });
+      }
+    }
+
+    for (const ap of ANTI_ANALYSIS_PATTERNS) {
+      if (ap.pattern.test(content)) {
+        if (!antiAnalysisTechniques.includes(ap.label)) {
+          antiAnalysisTechniques.push(ap.label);
+          signals.push({ type: 'ANTI_ANALYSIS', technique: ap.label, file: path });
+        }
+      }
+    }
+  }
+
+  return {
+    triggered: signals.length > 0,
+    signals,
+    exfilPatterns,
+    antiAnalysisTechniques,
+  };
+}