@lateos/npm-scan 0.18.2 → 1.0.0

package/backend/vsix-scan/index.js

@@ -1,183 +1,183 @@
-import { checkBurstPublish } from './detectors/burst-publish.js';
-import { checkPublisherAnomaly } from './detectors/publisher-anomaly.js';
-import { checkActivationEventRisk } from './detectors/activation-event-risk.js';
-import { checkOrphanCommitFetch } from './detectors/orphan-commit-fetch.js';
-import { checkKnownIOC } from './detectors/known-ioc.js';
-import { checkExfilPattern } from './detectors/exfil-pattern.js';
-import { getExtensionMetadata, getVersionHistory, getPublisherProfile, getOpenVsxMetadata, getOpenVsxVersionHistory } from './marketplace-client.js';
-
-const SEVERITY_SCORE = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
-const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical'];
-
-export async function vsixScan(extensionId, options = {}) {
-  const { publisherId, extensionName } = parseExtensionId(extensionId);
-
-  const marketplaceMeta = options.marketplaceMeta || (options.skipNetwork ? null : await getExtensionMetadata(publisherId, extensionName));
-  const marketplaceVersions = options.marketplaceVersions || (marketplaceMeta ? await getVersionHistory(publisherId, extensionName) : []);
-  const openVsxVersions = options.openVsxVersions || (options.skipNetwork ? [] : await getOpenVsxVersionHistory(publisherId, extensionName));
-  const publisherProfile = options.publisherProfile || (options.skipNetwork ? null : await getPublisherProfile(publisherId));
-
-  const allVersions = mergeVersionHistories(marketplaceVersions, openVsxVersions);
-  const manifest = options.manifest || extractManifest(marketplaceMeta, extensionId);
-
-  const config = options.config || {};
-
-  const activationResult = await checkActivationEventRisk(
-    manifest,
-    allVersions,
-    options.priorVersions || [],
-  );
-
-  const burstResult = await checkBurstPublish(allVersions, config);
-
-  const publisherResult = await checkPublisherAnomaly(
-    manifest || {},
-    publisherProfile || {},
-    allVersions,
-    config,
-  );
-
-  const orphanResult = await checkOrphanCommitFetch(options.extensionFiles || []);
-
-  const iocResult = await checkKnownIOC(
-    extensionId,
-    options.version || (allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown'),
-    publisherId,
-    orphanResult.signals
-      .filter(s => s.type === 'ORPHAN_COMMIT_GITHUB_API')
-      .map(s => s.indicator),
-    allVersions,
-  );
-
-  const exfilResult = await checkExfilPattern(options.extensionFiles || []);
-
-  const triggeredSignals = [];
-  if (burstResult.triggered) triggeredSignals.push('VSIX_BURST_PUBLISH');
-  if (publisherResult.triggered) triggeredSignals.push('VSIX_PUBLISHER_ANOMALY');
-  if (activationResult.triggered) triggeredSignals.push('VSIX_ACTIVATION_EVENT_RISK');
-  if (orphanResult.triggered) triggeredSignals.push('VSIX_ORPHAN_COMMIT_FETCH');
-  if (iocResult.triggered) triggeredSignals.push('VSIX_KNOWN_IOC');
-  if (exfilResult.triggered) triggeredSignals.push('VSIX_EXFIL_PATTERN');
-
-  if (triggeredSignals.length === 0) return [];
-
-  const registryLabels = [];
-  if (marketplaceVersions.length > 0) registryLabels.push('marketplace');
-  if (openVsxVersions.length > 0) registryLabels.push('open-vsx');
-
-  const maxSeverity = triggeredSignals.reduce((max, s) => {
-    if (s === 'VSIX_KNOWN_IOC' || s === 'VSIX_ORPHAN_COMMIT_FETCH') return Math.max(max, 4);
-    if (s === 'VSIX_BURST_PUBLISH' || s === 'VSIX_PUBLISHER_ANOMALY' || s === 'VSIX_EXFIL_PATTERN') return Math.max(max, 3);
-    if (s === 'VSIX_ACTIVATION_EVENT_RISK') return Math.max(max, 3);
-    return max;
-  }, 0);
-
-  const finalSeverity = SEVERITY_LABELS[maxSeverity] || 'high';
-
-  const latestVersion = allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown';
-  let exposureWindowMinutes = null;
-  if (burstResult.hotPullDetected && allVersions.length >= 2) {
-    const sorted = [...allVersions].sort((a, b) => new Date(b.publishedAt) - new Date(a.publishedAt));
-    const gap = (new Date(sorted[0].publishedAt) - new Date(sorted[1].publishedAt)) / (1000 * 60);
-    exposureWindowMinutes = Math.round(gap);
-  }
-
-  const evidence = {
-    extensionId,
-    maliciousVersion: latestVersion,
-    registries: registryLabels,
-    exposureWindowMinutes,
-    triggeredSignals,
-    burstWindow: burstResult.burstWindow,
-    hotPullDetected: burstResult.hotPullDetected,
-    publisherSignals: publisherResult.triggered ? publisherResult.signals : null,
-    activationEvents: manifest?.activationEvents || null,
-    activationRisk: activationResult.triggered ? { riskLevel: activationResult.riskLevel, why: activationResult.why } : null,
-    orphanCommitIndicators: orphanResult.triggered ? orphanResult.indicators : null,
-    iocMatches: iocResult.triggered ? iocResult.matches : null,
-    exfilPatterns: exfilResult.triggered ? exfilResult.exfilPatterns : null,
-    antiAnalysisTechniques: exfilResult.triggered ? exfilResult.antiAnalysisTechniques : null,
-  };
-
-  const remediationGuidance = buildRemediation(triggeredSignals, extensionId);
-
-  return [{
-    id: 'VSIX_SCAN',
-    severity: finalSeverity,
-    title: `VS Code extension risk: ${extensionId}`,
-    description: `${triggeredSignals.length} signal(s): ${triggeredSignals.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: remediationGuidance,
-  }];
-}
-
-function parseExtensionId(id) {
-  const idx = id.indexOf('.');
-  if (idx === -1 || idx === 0 || idx === id.length - 1) {
-    throw new Error(`Invalid extension ID: ${id}. Expected format: publisher.extension-name`);
-  }
-  return { publisherId: id.slice(0, idx), extensionName: id.slice(idx + 1) };
-}
-
-function mergeVersionHistories(marketplace, openVsx) {
-  const seen = new Set();
-  const merged = [];
-
-  for (const v of marketplace) {
-    if (!seen.has(v.version)) {
-      seen.add(v.version);
-      merged.push({ ...v, registries: ['marketplace'] });
-    }
-  }
-
-  for (const v of openVsx) {
-    if (!seen.has(v.version)) {
-      seen.add(v.version);
-      merged.push({ ...v, registries: ['open-vsx'] });
-    } else {
-      const existing = merged.find(m => m.version === v.version);
-      if (existing) {
-        existing.registries.push('open-vsx');
-      }
-    }
-  }
-
-  return merged.sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
-}
-
-function extractManifest(marketplaceMeta, extensionId) {
-  if (!marketplaceMeta?.results?.[0]?.extensions?.[0]) return {};
-  const ext = marketplaceMeta.results[0].extensions[0];
-  const manifestStr = ext.galleryApiUrl || ext.manifest;
-  if (!manifestStr) return {};
-
-  try {
-    if (typeof manifestStr === 'object') return manifestStr;
-    return JSON.parse(manifestStr);
-  } catch {
-    return {};
-  }
-}
-
-function buildRemediation(triggeredSignals, extensionId) {
-  const parts = [];
-  if (triggeredSignals.includes('VSIX_KNOWN_IOC')) {
-    parts.push(`Extension ${extensionId} matches known campaign IOC. Remove immediately.`);
-  }
-  if (triggeredSignals.includes('VSIX_BURST_PUBLISH')) {
-    parts.push('Suspicious publish velocity detected. Verify publisher release history.');
-  }
-  if (triggeredSignals.includes('VSIX_PUBLISHER_ANOMALY')) {
-    parts.push('Publisher account anomaly detected. Verify publisher identity.');
-  }
-  if (triggeredSignals.includes('VSIX_ACTIVATION_EVENT_RISK')) {
-    parts.push('Risky activation events detected. Review extension activation scope.');
-  }
-  if (triggeredSignals.includes('VSIX_ORPHAN_COMMIT_FETCH')) {
-    parts.push('Dangling orphan commit fetch detected — technical signature of Nx Console attack.');
-  }
-  if (triggeredSignals.includes('VSIX_EXFIL_PATTERN')) {
-    parts.push('Credential exfiltration patterns detected. Revoke all tokens.');
-  }
-  return parts.join(' ');
-}
+import { checkBurstPublish } from './detectors/burst-publish.js';
+import { checkPublisherAnomaly } from './detectors/publisher-anomaly.js';
+import { checkActivationEventRisk } from './detectors/activation-event-risk.js';
+import { checkOrphanCommitFetch } from './detectors/orphan-commit-fetch.js';
+import { checkKnownIOC } from './detectors/known-ioc.js';
+import { checkExfilPattern } from './detectors/exfil-pattern.js';
+import { getExtensionMetadata, getVersionHistory, getPublisherProfile, getOpenVsxMetadata, getOpenVsxVersionHistory } from './marketplace-client.js';
+
+const SEVERITY_SCORE = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
+const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical'];
+
+export async function vsixScan(extensionId, options = {}) {
+  const { publisherId, extensionName } = parseExtensionId(extensionId);
+
+  const marketplaceMeta = options.marketplaceMeta || (options.skipNetwork ? null : await getExtensionMetadata(publisherId, extensionName));
+  const marketplaceVersions = options.marketplaceVersions || (marketplaceMeta ? await getVersionHistory(publisherId, extensionName) : []);
+  const openVsxVersions = options.openVsxVersions || (options.skipNetwork ? [] : await getOpenVsxVersionHistory(publisherId, extensionName));
+  const publisherProfile = options.publisherProfile || (options.skipNetwork ? null : await getPublisherProfile(publisherId));
+
+  const allVersions = mergeVersionHistories(marketplaceVersions, openVsxVersions);
+  const manifest = options.manifest || extractManifest(marketplaceMeta, extensionId);
+
+  const config = options.config || {};
+
+  const activationResult = await checkActivationEventRisk(
+    manifest,
+    allVersions,
+    options.priorVersions || [],
+  );
+
+  const burstResult = await checkBurstPublish(allVersions, config);
+
+  const publisherResult = await checkPublisherAnomaly(
+    manifest || {},
+    publisherProfile || {},
+    allVersions,
+    config,
+  );
+
+  const orphanResult = await checkOrphanCommitFetch(options.extensionFiles || []);
+
+  const iocResult = await checkKnownIOC(
+    extensionId,
+    options.version || (allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown'),
+    publisherId,
+    orphanResult.signals
+      .filter(s => s.type === 'ORPHAN_COMMIT_GITHUB_API')
+      .map(s => s.indicator),
+    allVersions,
+  );
+
+  const exfilResult = await checkExfilPattern(options.extensionFiles || []);
+
+  const triggeredSignals = [];
+  if (burstResult.triggered) triggeredSignals.push('VSIX_BURST_PUBLISH');
+  if (publisherResult.triggered) triggeredSignals.push('VSIX_PUBLISHER_ANOMALY');
+  if (activationResult.triggered) triggeredSignals.push('VSIX_ACTIVATION_EVENT_RISK');
+  if (orphanResult.triggered) triggeredSignals.push('VSIX_ORPHAN_COMMIT_FETCH');
+  if (iocResult.triggered) triggeredSignals.push('VSIX_KNOWN_IOC');
+  if (exfilResult.triggered) triggeredSignals.push('VSIX_EXFIL_PATTERN');
+
+  if (triggeredSignals.length === 0) return [];
+
+  const registryLabels = [];
+  if (marketplaceVersions.length > 0) registryLabels.push('marketplace');
+  if (openVsxVersions.length > 0) registryLabels.push('open-vsx');
+
+  const maxSeverity = triggeredSignals.reduce((max, s) => {
+    if (s === 'VSIX_KNOWN_IOC' || s === 'VSIX_ORPHAN_COMMIT_FETCH') return Math.max(max, 4);
+    if (s === 'VSIX_BURST_PUBLISH' || s === 'VSIX_PUBLISHER_ANOMALY' || s === 'VSIX_EXFIL_PATTERN') return Math.max(max, 3);
+    if (s === 'VSIX_ACTIVATION_EVENT_RISK') return Math.max(max, 3);
+    return max;
+  }, 0);
+
+  const finalSeverity = SEVERITY_LABELS[maxSeverity] || 'high';
+
+  const latestVersion = allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown';
+  let exposureWindowMinutes = null;
+  if (burstResult.hotPullDetected && allVersions.length >= 2) {
+    const sorted = [...allVersions].sort((a, b) => new Date(b.publishedAt) - new Date(a.publishedAt));
+    const gap = (new Date(sorted[0].publishedAt) - new Date(sorted[1].publishedAt)) / (1000 * 60);
+    exposureWindowMinutes = Math.round(gap);
+  }
+
+  const evidence = {
+    extensionId,
+    maliciousVersion: latestVersion,
+    registries: registryLabels,
+    exposureWindowMinutes,
+    triggeredSignals,
+    burstWindow: burstResult.burstWindow,
+    hotPullDetected: burstResult.hotPullDetected,
+    publisherSignals: publisherResult.triggered ? publisherResult.signals : null,
+    activationEvents: manifest?.activationEvents || null,
+    activationRisk: activationResult.triggered ? { riskLevel: activationResult.riskLevel, why: activationResult.why } : null,
+    orphanCommitIndicators: orphanResult.triggered ? orphanResult.indicators : null,
+    iocMatches: iocResult.triggered ? iocResult.matches : null,
+    exfilPatterns: exfilResult.triggered ? exfilResult.exfilPatterns : null,
+    antiAnalysisTechniques: exfilResult.triggered ? exfilResult.antiAnalysisTechniques : null,
+  };
+
+  const remediationGuidance = buildRemediation(triggeredSignals, extensionId);
+
+  return [{
+    id: 'VSIX_SCAN',
+    severity: finalSeverity,
+    title: `VS Code extension risk: ${extensionId}`,
+    description: `${triggeredSignals.length} signal(s): ${triggeredSignals.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: remediationGuidance,
+  }];
+}
+
+function parseExtensionId(id) {
+  const idx = id.indexOf('.');
+  if (idx === -1 || idx === 0 || idx === id.length - 1) {
+    throw new Error(`Invalid extension ID: ${id}. Expected format: publisher.extension-name`);
+  }
+  return { publisherId: id.slice(0, idx), extensionName: id.slice(idx + 1) };
+}
+
+function mergeVersionHistories(marketplace, openVsx) {
+  const seen = new Set();
+  const merged = [];
+
+  for (const v of marketplace) {
+    if (!seen.has(v.version)) {
+      seen.add(v.version);
+      merged.push({ ...v, registries: ['marketplace'] });
+    }
+  }
+
+  for (const v of openVsx) {
+    if (!seen.has(v.version)) {
+      seen.add(v.version);
+      merged.push({ ...v, registries: ['open-vsx'] });
+    } else {
+      const existing = merged.find(m => m.version === v.version);
+      if (existing) {
+        existing.registries.push('open-vsx');
+      }
+    }
+  }
+
+  return merged.sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
+}
+
+function extractManifest(marketplaceMeta, extensionId) {
+  if (!marketplaceMeta?.results?.[0]?.extensions?.[0]) return {};
+  const ext = marketplaceMeta.results[0].extensions[0];
+  const manifestStr = ext.galleryApiUrl || ext.manifest;
+  if (!manifestStr) return {};
+
+  try {
+    if (typeof manifestStr === 'object') return manifestStr;
+    return JSON.parse(manifestStr);
+  } catch {
+    return {};
+  }
+}
+
+function buildRemediation(triggeredSignals, extensionId) {
+  const parts = [];
+  if (triggeredSignals.includes('VSIX_KNOWN_IOC')) {
+    parts.push(`Extension ${extensionId} matches known campaign IOC. Remove immediately.`);
+  }
+  if (triggeredSignals.includes('VSIX_BURST_PUBLISH')) {
+    parts.push('Suspicious publish velocity detected. Verify publisher release history.');
+  }
+  if (triggeredSignals.includes('VSIX_PUBLISHER_ANOMALY')) {
+    parts.push('Publisher account anomaly detected. Verify publisher identity.');
+  }
+  if (triggeredSignals.includes('VSIX_ACTIVATION_EVENT_RISK')) {
+    parts.push('Risky activation events detected. Review extension activation scope.');
+  }
+  if (triggeredSignals.includes('VSIX_ORPHAN_COMMIT_FETCH')) {
+    parts.push('Dangling orphan commit fetch detected — technical signature of Nx Console attack.');
+  }
+  if (triggeredSignals.includes('VSIX_EXFIL_PATTERN')) {
+    parts.push('Credential exfiltration patterns detected. Revoke all tokens.');
+  }
+  return parts.join(' ');
+}

package/backend/vsix-scan/marketplace-client.js

@@ -1,145 +1,145 @@
-const MARKETPLACE_API = 'https://marketplace.visualstudio.com/_apis/public/gallery';
-const OPENVSX_API = 'https://open-vsx.org/api';
-
-const _cache = new Map();
-const CACHE_TTL = 5 * 60 * 1000;
-const RATE_LIMIT_MS = 6000;
-let _lastFetchTime = 0;
-
-function sleep(ms) {
-  return new Promise(r => setTimeout(r, ms));
-}
-
-async function rateLimitedFetch(url) {
-  const now = Date.now();
-  const elapsed = now - _lastFetchTime;
-  if (elapsed < RATE_LIMIT_MS) {
-    await sleep(RATE_LIMIT_MS - elapsed);
-  }
-  _lastFetchTime = Date.now();
-
-  const cached = _cache.get(url);
-  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
-    return cached.data;
-  }
-
-  let res;
-  try {
-    res = await fetch(url);
-    if (res.status === 429) {
-      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
-      await sleep(retryAfter * 1000);
-      res = await fetch(url);
-    }
-    if (!res.ok) {
-      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
-      return null;
-    }
-    const data = await res.json();
-    _cache.set(url, { data, fetchedAt: Date.now() });
-    return data;
-  } catch (err) {
-    console.debug(`Marketplace API error: ${err.message}`);
-    return null;
-  }
-}
-
-function parseExtensionId(id) {
-  const parts = id.split('.');
-  if (parts.length < 2) throw new Error(`Invalid extension ID: ${id}`);
-  return { publisherId: parts[0], extensionName: parts.slice(1).join('.') };
-}
-
-export async function getExtensionMetadata(publisherId, extensionName) {
-  const url = `${MARKETPLACE_API}/extensionquery`;
-  const body = {
-    filters: [{
-      criteria: [
-        { filterType: 8, value: `${publisherId}.${extensionName}` },
-      ],
-    }],
-    flags: 914,
-  };
-
-  const cached = _cache.get(url + JSON.stringify(body));
-  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
-    return cached.data;
-  }
-
-  const now = Date.now();
-  const elapsed = now - _lastFetchTime;
-  if (elapsed < RATE_LIMIT_MS) {
-    await sleep(RATE_LIMIT_MS - elapsed);
-  }
-  _lastFetchTime = Date.now();
-
-  let res;
-  try {
-    res = await fetch(url, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' },
-      body: JSON.stringify(body),
-    });
-    if (res.status === 429) {
-      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
-      await sleep(retryAfter * 1000);
-      res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' }, body: JSON.stringify(body) });
-    }
-    if (!res.ok) {
-      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
-      return null;
-    }
-    const data = await res.json();
-    _cache.set(url + JSON.stringify(body), { data, fetchedAt: Date.now() });
-    return data;
-  } catch (err) {
-    console.debug(`Marketplace API error: ${err.message}`);
-    return null;
-  }
-}
-
-export async function getVersionHistory(publisherId, extensionName) {
-  const data = await getExtensionMetadata(publisherId, extensionName);
-  if (!data?.results?.[0]?.extensions?.[0]) return [];
-
-  const extension = data.results[0].extensions[0];
-  const versions = extension.versions || [];
-
-  return versions.map(v => ({
-    version: v.version,
-    publishedAt: v.lastUpdated || v.publishedDate,
-    publishedBy: extension.publisher?.publisherName || publisherId,
-    assetSha256: v.assetUri ? null : null,
-    flags: v.flags ? [String(v.flags)] : [],
-  }));
-}
-
-export async function getPublisherProfile(publisherId) {
-  const url = `${MARKETPLACE_API}/publishers/${publisherId}`;
-  return rateLimitedFetch(url);
-}
-
-export async function getOpenVsxMetadata(namespace, name) {
-  const url = `${OPENVSX_API}/${namespace}/${name}`;
-  return rateLimitedFetch(url);
-}
-
-export async function getOpenVsxVersionHistory(namespace, name) {
-  const data = await getOpenVsxMetadata(namespace, name);
-  if (!data) return [];
-  const versions = data.allVersions || {};
-  const files = data.files || {};
-
-  return Object.entries(versions).map(([version, publishedAt]) => ({
-    version,
-    publishedAt: typeof publishedAt === 'string' ? publishedAt : data.timestamp,
-    publishedBy: data.namespace || namespace,
-    assetSha256: files?.[version]?.sha256 || null,
-    flags: [],
-  }));
-}
-
-export function clearMarketplaceCache() {
-  _cache.clear();
-  _lastFetchTime = 0;
-}
+const MARKETPLACE_API = 'https://marketplace.visualstudio.com/_apis/public/gallery';
+const OPENVSX_API = 'https://open-vsx.org/api';
+
+const _cache = new Map();
+const CACHE_TTL = 5 * 60 * 1000;
+const RATE_LIMIT_MS = 6000;
+let _lastFetchTime = 0;
+
+function sleep(ms) {
+  return new Promise(r => setTimeout(r, ms));
+}
+
+async function rateLimitedFetch(url) {
+  const now = Date.now();
+  const elapsed = now - _lastFetchTime;
+  if (elapsed < RATE_LIMIT_MS) {
+    await sleep(RATE_LIMIT_MS - elapsed);
+  }
+  _lastFetchTime = Date.now();
+
+  const cached = _cache.get(url);
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+    return cached.data;
+  }
+
+  let res;
+  try {
+    res = await fetch(url);
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
+      await sleep(retryAfter * 1000);
+      res = await fetch(url);
+    }
+    if (!res.ok) {
+      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
+      return null;
+    }
+    const data = await res.json();
+    _cache.set(url, { data, fetchedAt: Date.now() });
+    return data;
+  } catch (err) {
+    console.debug(`Marketplace API error: ${err.message}`);
+    return null;
+  }
+}
+
+function parseExtensionId(id) {
+  const parts = id.split('.');
+  if (parts.length < 2) throw new Error(`Invalid extension ID: ${id}`);
+  return { publisherId: parts[0], extensionName: parts.slice(1).join('.') };
+}
+
+export async function getExtensionMetadata(publisherId, extensionName) {
+  const url = `${MARKETPLACE_API}/extensionquery`;
+  const body = {
+    filters: [{
+      criteria: [
+        { filterType: 8, value: `${publisherId}.${extensionName}` },
+      ],
+    }],
+    flags: 914,
+  };
+
+  const cached = _cache.get(url + JSON.stringify(body));
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+    return cached.data;
+  }
+
+  const now = Date.now();
+  const elapsed = now - _lastFetchTime;
+  if (elapsed < RATE_LIMIT_MS) {
+    await sleep(RATE_LIMIT_MS - elapsed);
+  }
+  _lastFetchTime = Date.now();
+
+  let res;
+  try {
+    res = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' },
+      body: JSON.stringify(body),
+    });
+    if (res.status === 429) {
+      const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
+      await sleep(retryAfter * 1000);
+      res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' }, body: JSON.stringify(body) });
+    }
+    if (!res.ok) {
+      console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
+      return null;
+    }
+    const data = await res.json();
+    _cache.set(url + JSON.stringify(body), { data, fetchedAt: Date.now() });
+    return data;
+  } catch (err) {
+    console.debug(`Marketplace API error: ${err.message}`);
+    return null;
+  }
+}
+
+export async function getVersionHistory(publisherId, extensionName) {
+  const data = await getExtensionMetadata(publisherId, extensionName);
+  if (!data?.results?.[0]?.extensions?.[0]) return [];
+
+  const extension = data.results[0].extensions[0];
+  const versions = extension.versions || [];
+
+  return versions.map(v => ({
+    version: v.version,
+    publishedAt: v.lastUpdated || v.publishedDate,
+    publishedBy: extension.publisher?.publisherName || publisherId,
+    assetSha256: v.assetUri ? null : null,
+    flags: v.flags ? [String(v.flags)] : [],
+  }));
+}
+
+export async function getPublisherProfile(publisherId) {
+  const url = `${MARKETPLACE_API}/publishers/${publisherId}`;
+  return rateLimitedFetch(url);
+}
+
+export async function getOpenVsxMetadata(namespace, name) {
+  const url = `${OPENVSX_API}/${namespace}/${name}`;
+  return rateLimitedFetch(url);
+}
+
+export async function getOpenVsxVersionHistory(namespace, name) {
+  const data = await getOpenVsxMetadata(namespace, name);
+  if (!data) return [];
+  const versions = data.allVersions || {};
+  const files = data.files || {};
+
+  return Object.entries(versions).map(([version, publishedAt]) => ({
+    version,
+    publishedAt: typeof publishedAt === 'string' ? publishedAt : data.timestamp,
+    publishedBy: data.namespace || namespace,
+    assetSha256: files?.[version]?.sha256 || null,
+    flags: [],
+  }));
+}
+
+export function clearMarketplaceCache() {
+  _cache.clear();
+  _lastFetchTime = 0;
+}