@lateos/npm-scan 0.18.2 → 1.0.0

package/backend/vsix-scan/detectors/known-ioc.js

@@ -1,105 +1,105 @@
-import { readFileSync } from 'fs';
-import { fileURLToPath } from 'url';
-import { dirname, join } from 'path';
-
-let iocsData = null;
-let iocsLoaded = false;
-let iocLoadError = null;
-
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-const IOC_PATH = join(__dirname, '..', 'vsix-iocs.json');
-
-function loadIOCData() {
-  if (iocsLoaded) return iocsData;
-  iocsLoaded = true;
-  try {
-    iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
-  } catch (err) {
-    iocLoadError = err;
-    iocsData = null;
-  }
-  return iocsData;
-}
-
-export function getIOCLoadError() {
-  return iocLoadError;
-}
-
-export function reloadIOCData() {
-  iocsLoaded = false;
-  iocLoadError = null;
-  return loadIOCData();
-}
-
-export async function checkKnownIOC(extensionId, version, publisherAccount, orphanCommits = [], versionHistory = []) {
-  const data = loadIOCData();
-  if (!data) return { triggered: false, matches: [] };
-
-  const matches = [];
-  const iocs = data.iocs || [];
-
-  for (const ioc of iocs) {
-    switch (ioc.type) {
-      case 'extensionId': {
-        if (ioc.value === extensionId) {
-          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(version)) {
-            matches.push({
-              type: 'extensionId',
-              value: extensionId,
-              maliciousVersion: version,
-              wave: ioc.wave,
-              cve: ioc.cve,
-              exposureWindowStart: ioc.exposureWindowStart,
-              exposureWindowEnd: ioc.exposureWindowEnd,
-            });
-          }
-        }
-        break;
-      }
-
-      case 'publisherAccount': {
-        if (ioc.value === publisherAccount) {
-          const pubTime = versionHistory.length > 0
-            ? new Date(versionHistory[versionHistory.length - 1]?.publishedAt).getTime()
-            : null;
-
-          const windowStart = new Date(ioc.compromiseWindowStart).getTime();
-          const windowEnd = ioc.compromiseWindowEnd
-            ? new Date(ioc.compromiseWindowEnd).getTime()
-            : Infinity;
-
-          if (pubTime && !Number.isNaN(pubTime) && pubTime >= windowStart && pubTime <= windowEnd) {
-            matches.push({
-              type: 'publisherAccount',
-              value: publisherAccount,
-              wave: ioc.wave,
-              compromiseWindowStart: ioc.compromiseWindowStart,
-              compromiseWindowEnd: ioc.compromiseWindowEnd,
-            });
-          }
-        }
-        break;
-      }
-
-      case 'orphanCommitHash': {
-        for (const commit of orphanCommits) {
-          if (ioc.value === commit || (ioc.value === 'PLACEHOLDER_UPDATE_FROM_THREAT_INTEL')) {
-            continue;
-          }
-          if (ioc.value && commit && ioc.value.toLowerCase() === commit.toLowerCase()) {
-            matches.push({
-              type: 'orphanCommitHash',
-              value: commit,
-              repo: ioc.repo,
-              wave: ioc.wave,
-            });
-          }
-        }
-        break;
-      }
-    }
-  }
-
-  return { triggered: matches.length > 0, matches };
-}
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+let iocsData = null;
+let iocsLoaded = false;
+let iocLoadError = null;
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const IOC_PATH = join(__dirname, '..', 'vsix-iocs.json');
+
+function loadIOCData() {
+  if (iocsLoaded) return iocsData;
+  iocsLoaded = true;
+  try {
+    iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
+  } catch (err) {
+    iocLoadError = err;
+    iocsData = null;
+  }
+  return iocsData;
+}
+
+export function getIOCLoadError() {
+  return iocLoadError;
+}
+
+export function reloadIOCData() {
+  iocsLoaded = false;
+  iocLoadError = null;
+  return loadIOCData();
+}
+
+export async function checkKnownIOC(extensionId, version, publisherAccount, orphanCommits = [], versionHistory = []) {
+  const data = loadIOCData();
+  if (!data) return { triggered: false, matches: [] };
+
+  const matches = [];
+  const iocs = data.iocs || [];
+
+  for (const ioc of iocs) {
+    switch (ioc.type) {
+      case 'extensionId': {
+        if (ioc.value === extensionId) {
+          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(version)) {
+            matches.push({
+              type: 'extensionId',
+              value: extensionId,
+              maliciousVersion: version,
+              wave: ioc.wave,
+              cve: ioc.cve,
+              exposureWindowStart: ioc.exposureWindowStart,
+              exposureWindowEnd: ioc.exposureWindowEnd,
+            });
+          }
+        }
+        break;
+      }
+
+      case 'publisherAccount': {
+        if (ioc.value === publisherAccount) {
+          const pubTime = versionHistory.length > 0
+            ? new Date(versionHistory[versionHistory.length - 1]?.publishedAt).getTime()
+            : null;
+
+          const windowStart = new Date(ioc.compromiseWindowStart).getTime();
+          const windowEnd = ioc.compromiseWindowEnd
+            ? new Date(ioc.compromiseWindowEnd).getTime()
+            : Infinity;
+
+          if (pubTime && !Number.isNaN(pubTime) && pubTime >= windowStart && pubTime <= windowEnd) {
+            matches.push({
+              type: 'publisherAccount',
+              value: publisherAccount,
+              wave: ioc.wave,
+              compromiseWindowStart: ioc.compromiseWindowStart,
+              compromiseWindowEnd: ioc.compromiseWindowEnd,
+            });
+          }
+        }
+        break;
+      }
+
+      case 'orphanCommitHash': {
+        for (const commit of orphanCommits) {
+          if (ioc.value === commit || (ioc.value === 'PLACEHOLDER_UPDATE_FROM_THREAT_INTEL')) {
+            continue;
+          }
+          if (ioc.value && commit && ioc.value.toLowerCase() === commit.toLowerCase()) {
+            matches.push({
+              type: 'orphanCommitHash',
+              value: commit,
+              repo: ioc.repo,
+              wave: ioc.wave,
+            });
+          }
+        }
+        break;
+      }
+    }
+  }
+
+  return { triggered: matches.length > 0, matches };
+}

package/backend/vsix-scan/detectors/orphan-commit-fetch.js

@@ -1,69 +1,69 @@
-const GITHUB_COMMIT_SHA_PATTERN = /api\.github\.com\/repos\/[^/]+\/[^/]+\/git\/commits\/[a-f0-9]{40}/;
-const NPX_GIT_URL_PATTERN = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
-const MCP_KEYWORDS = ['mcp', 'model-context-protocol', 'claude', 'setup', 'init'];
-const EXTERNAL_FETCH_PATTERN = /(?:https?:\/\/)[^\s"')\]]+(?:\.com|\.io|\.org|\.dev|\.app|\.net)[^\s"')\]]*/;
-const NON_NPMJS_FETCH = /(?:fetch|curl|wget)\s*\(?\s*["']https?:\/\/(?!(?:.*npmjs\.org|.*npm\.js\.org|.*github\.com))[^"']+/;
-const BUN_PATTERNS = [/bun\s+install/, /install\s+.*bun/, /\bbunx\b/, /\.bun\/bin\//];
-const NPX_GIT_SHORT = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
-
-export async function checkOrphanCommitFetch(extensionFiles = []) {
-  const signals = [];
-  const indicators = [];
-
-  for (const file of extensionFiles) {
-    const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
-    const path = file.path || '';
-
-    if (GITHUB_COMMIT_SHA_PATTERN.test(content)) {
-      const matches = content.match(GITHUB_COMMIT_SHA_PATTERN);
-      if (matches) {
-        indicators.push(`${path}: GitHub git commit SHA reference`);
-        signals.push({
-          type: 'ORPHAN_COMMIT_GITHUB_API',
-          indicator: 'GitHub API direct commit SHA resolution',
-          file: path,
-        });
-      }
-    }
-
-    if (NPX_GIT_URL_PATTERN.test(content)) {
-      const matches = content.match(NPX_GIT_URL_PATTERN);
-      if (matches) {
-        indicators.push(`${path}: npx with git URL`);
-        signals.push({
-          type: 'NPX_GIT_URL',
-          indicator: 'npx resolves from git URL (non-registry)',
-          file: path,
-        });
-      }
-    }
-
-    const hasMCPKeywords = MCP_KEYWORDS.some(kw =>
-        new RegExp(`\\b${kw}\\b`, 'i').test(content));
-    const hasExternalFetch = NON_NPMJS_FETCH.test(content);
-
-    if (hasMCPKeywords && hasExternalFetch) {
-      indicators.push(`${path}: MCP-adjacent keywords + external fetch`);
-      signals.push({
-        type: 'MCP_DISGUISED_EXFIL',
-        indicator: 'Shell command disguised as MCP setup',
-        file: path,
-      });
-    }
-
-    for (const bp of BUN_PATTERNS) {
-      if (bp.test(content)) {
-        indicators.push(`${path}: Bun installation pattern`);
-        signals.push({
-          type: 'BUN_INSTALL',
-          indicator: `Bun runtime install pattern: ${bp.source}`,
-          file: path,
-        });
-        break;
-      }
-    }
-  }
-
-  return { triggered: signals.length > 0, signals, indicators };
-}
+const GITHUB_COMMIT_SHA_PATTERN = /api\.github\.com\/repos\/[^/]+\/[^/]+\/git\/commits\/[a-f0-9]{40}/;
+const NPX_GIT_URL_PATTERN = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
+const MCP_KEYWORDS = ['mcp', 'model-context-protocol', 'claude', 'setup', 'init'];
+const EXTERNAL_FETCH_PATTERN = /(?:https?:\/\/)[^\s"')\]]+(?:\.com|\.io|\.org|\.dev|\.app|\.net)[^\s"')\]]*/;
+const NON_NPMJS_FETCH = /(?:fetch|curl|wget)\s*\(?\s*["']https?:\/\/(?!(?:.*npmjs\.org|.*npm\.js\.org|.*github\.com))[^"']+/;
+const BUN_PATTERNS = [/bun\s+install/, /install\s+.*bun/, /\bbunx\b/, /\.bun\/bin\//];
+const NPX_GIT_SHORT = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
+
+export async function checkOrphanCommitFetch(extensionFiles = []) {
+  const signals = [];
+  const indicators = [];
+
+  for (const file of extensionFiles) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+
+    if (GITHUB_COMMIT_SHA_PATTERN.test(content)) {
+      const matches = content.match(GITHUB_COMMIT_SHA_PATTERN);
+      if (matches) {
+        indicators.push(`${path}: GitHub git commit SHA reference`);
+        signals.push({
+          type: 'ORPHAN_COMMIT_GITHUB_API',
+          indicator: 'GitHub API direct commit SHA resolution',
+          file: path,
+        });
+      }
+    }
+
+    if (NPX_GIT_URL_PATTERN.test(content)) {
+      const matches = content.match(NPX_GIT_URL_PATTERN);
+      if (matches) {
+        indicators.push(`${path}: npx with git URL`);
+        signals.push({
+          type: 'NPX_GIT_URL',
+          indicator: 'npx resolves from git URL (non-registry)',
+          file: path,
+        });
+      }
+    }
+
+    const hasMCPKeywords = MCP_KEYWORDS.some(kw =>
+        new RegExp(`\\b${kw}\\b`, 'i').test(content));
+    const hasExternalFetch = NON_NPMJS_FETCH.test(content);
+
+    if (hasMCPKeywords && hasExternalFetch) {
+      indicators.push(`${path}: MCP-adjacent keywords + external fetch`);
+      signals.push({
+        type: 'MCP_DISGUISED_EXFIL',
+        indicator: 'Shell command disguised as MCP setup',
+        file: path,
+      });
+    }
+
+    for (const bp of BUN_PATTERNS) {
+      if (bp.test(content)) {
+        indicators.push(`${path}: Bun installation pattern`);
+        signals.push({
+          type: 'BUN_INSTALL',
+          indicator: `Bun runtime install pattern: ${bp.source}`,
+          file: path,
+        });
+        break;
+      }
+    }
+  }
+
+  return { triggered: signals.length > 0, signals, indicators };
+}

package/backend/vsix-scan/detectors/publisher-anomaly.js

@@ -1,70 +1,70 @@
-export async function checkPublisherAnomaly(extensionMetadata, publisherProfile, versionHistory, config = {}) {
-  const signals = [];
-
-  const crossNamespaceThreshold = config.crossNamespaceThreshold ?? 3;
-  const crossNamespaceDays = config.crossNamespaceDays ?? 14;
-  const newAccountAgeDays = config.newAccountAgeDays ?? 30;
-  const highInstallThreshold = config.highInstallThreshold ?? 100000;
-  const addPublishWindowMinutes = config.addPublishWindowMinutes ?? 15;
-
-  const versions = versionHistory || [];
-  if (versions.length === 0) return { triggered: false, signals: [] };
-
-  const publishers = [...new Set(versions.map(v => v.publishedBy).filter(Boolean))];
-  if (publishers.length === 0) return { triggered: false, signals: [] };
-
-  const sortedVersions = [...versions]
-    .filter(v => v.publishedAt)
-    .sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
-
-  const extPublisher = publishers[0];
-  const allSame = publishers.every(p => p === extPublisher);
-
-  if (!allSame) {
-    for (const pub of publishers) {
-      if (pub !== extPublisher) {
-        signals.push({
-          type: 'PUBLISHER_ACCOUNT_SUBSTITUTION',
-          expectedPublisher: extPublisher,
-          unexpectedPublisher: pub,
-        });
-      }
-    }
-  }
-
-  const extInstallCount = extensionMetadata?.statistics?.find(s => s.statisticName === 'install')?.value || 0;
-
-  const extAgeDays = publisherProfile?.dateCreated
-    ? (Date.now() - new Date(publisherProfile.dateCreated).getTime()) / (1000 * 60 * 60 * 24)
-    : null;
-
-  if (extAgeDays !== null && extAgeDays < newAccountAgeDays && extInstallCount >= highInstallThreshold) {
-    signals.push({
-      type: 'NEW_ACCOUNT_HIGH_INSTALL',
-      accountAgeDays: Math.round(extAgeDays),
-      installCount: extInstallCount,
-    });
-  }
-
-  if (sortedVersions.length >= 2) {
-    const sorted = sortedVersions;
-    for (let i = 1; i < sorted.length; i++) {
-      const prev = sorted[i - 1];
-      const curr = sorted[i];
-      if (curr.publishedBy !== prev.publishedBy) {
-        const gapMinutes = (new Date(curr.publishedAt) - new Date(prev.publishedAt)) / (1000 * 60);
-        if (gapMinutes <= addPublishWindowMinutes) {
-          signals.push({
-            type: 'ADD_PUBLISH_RAPID',
-            version: curr.version,
-            previousPublisher: prev.publishedBy,
-            newPublisher: curr.publishedBy,
-            gapMinutes: Math.round(gapMinutes * 100) / 100,
-          });
-        }
-      }
-    }
-  }
-
-  return { triggered: signals.length > 0, signals };
-}
+export async function checkPublisherAnomaly(extensionMetadata, publisherProfile, versionHistory, config = {}) {
+  const signals = [];
+
+  const crossNamespaceThreshold = config.crossNamespaceThreshold ?? 3;
+  const crossNamespaceDays = config.crossNamespaceDays ?? 14;
+  const newAccountAgeDays = config.newAccountAgeDays ?? 30;
+  const highInstallThreshold = config.highInstallThreshold ?? 100000;
+  const addPublishWindowMinutes = config.addPublishWindowMinutes ?? 15;
+
+  const versions = versionHistory || [];
+  if (versions.length === 0) return { triggered: false, signals: [] };
+
+  const publishers = [...new Set(versions.map(v => v.publishedBy).filter(Boolean))];
+  if (publishers.length === 0) return { triggered: false, signals: [] };
+
+  const sortedVersions = [...versions]
+    .filter(v => v.publishedAt)
+    .sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
+
+  const extPublisher = publishers[0];
+  const allSame = publishers.every(p => p === extPublisher);
+
+  if (!allSame) {
+    for (const pub of publishers) {
+      if (pub !== extPublisher) {
+        signals.push({
+          type: 'PUBLISHER_ACCOUNT_SUBSTITUTION',
+          expectedPublisher: extPublisher,
+          unexpectedPublisher: pub,
+        });
+      }
+    }
+  }
+
+  const extInstallCount = extensionMetadata?.statistics?.find(s => s.statisticName === 'install')?.value || 0;
+
+  const extAgeDays = publisherProfile?.dateCreated
+    ? (Date.now() - new Date(publisherProfile.dateCreated).getTime()) / (1000 * 60 * 60 * 24)
+    : null;
+
+  if (extAgeDays !== null && extAgeDays < newAccountAgeDays && extInstallCount >= highInstallThreshold) {
+    signals.push({
+      type: 'NEW_ACCOUNT_HIGH_INSTALL',
+      accountAgeDays: Math.round(extAgeDays),
+      installCount: extInstallCount,
+    });
+  }
+
+  if (sortedVersions.length >= 2) {
+    const sorted = sortedVersions;
+    for (let i = 1; i < sorted.length; i++) {
+      const prev = sorted[i - 1];
+      const curr = sorted[i];
+      if (curr.publishedBy !== prev.publishedBy) {
+        const gapMinutes = (new Date(curr.publishedAt) - new Date(prev.publishedAt)) / (1000 * 60);
+        if (gapMinutes <= addPublishWindowMinutes) {
+          signals.push({
+            type: 'ADD_PUBLISH_RAPID',
+            version: curr.version,
+            previousPublisher: prev.publishedBy,
+            newPublisher: curr.publishedBy,
+            gapMinutes: Math.round(gapMinutes * 100) / 100,
+          });
+        }
+      }
+    }
+  }
+
+  return { triggered: signals.length > 0, signals };
+}