@lateos/npm-scan 0.18.2 → 1.0.0

package/package.json

@@ -1,57 +1,74 @@
-{
-  "name": "@lateos/npm-scan",
-  "version": "0.18.2",
-  "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
-  "main": "backend/index.js",
-  "bin": {
-    "npm-scan": "cli/cli.js"
-  },
-  "type": "module",
-  "license": "Apache-2.0",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/lateos-ai/npm-scan.git"
-  },
-  "readme": "README.md",
-  "keywords": [
-    "npm",
-    "security",
-    "supply-chain",
-    "scanner",
-    "malware",
-    "shai-hulud",
-    "sbom",
-    "compliance"
-  ],
-  "scripts": {
-    "dev": "node cli/cli.js",
-    "lint": "echo 'Lint stub'",
-    "test": "node --test",
-    "test:coverage": "node --experimental-test-coverage --test",
-    "test:verbose": "node --test --test-reporter spec",
-    "prepare": "husky",
-    "build": "echo 'Build stub'",
-    "corpus": "node tests/corpus/run.js"
-  },
-  "lint-staged": {
-    "**/package{,-lock}.json": "sh -c 'node cli/cli.js scan-lockfile --fail-on high'",
-    "**/yarn.lock": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --yarn'",
-    "**/pnpm-lock.yaml": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --pnpm'"
-  },
-  "publishConfig": {
-    "access": "public"
-  },
-  "dependencies": {
-    "acorn": "^8.16.0",
-    "commander": "^14.0.3",
-    "glob": "^13.0.6",
-    "js-yaml": "^4.1.1",
-    "pdf-lib": "^1.17.1",
-    "sql.js": "^1.11.0",
-    "tar": "^7.5.15"
-  },
-  "devDependencies": {
-    "husky": "^9.1.7",
-    "lint-staged": "^16.4.0"
-  }
-}
+{
+  "name": "@lateos/npm-scan",
+  "version": "1.0.0",
+  "description": "Production-grade npm supply chain vulnerability scanner. Detects 100% of 3 real May 2026 supply chain campaigns (dependency confusion, obfuscation, impersonation) with 0% false positive rate on top 1,000 npm packages.",
+  "main": "backend/index.js",
+  "bin": {
+    "npm-scan": "cli/cli.js"
+  },
+  "type": "module",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/lateos-ai/npm-scan.git"
+  },
+  "readme": "README.md",
+  "keywords": [
+    "npm",
+    "security",
+    "supply-chain",
+    "malware-detection",
+    "typosquat",
+    "dependency-confusion",
+    "obfuscation-detection",
+    "validated-detectors"
+  ],
+  "scripts": {
+    "dev": "node cli/cli.js",
+    "lint": "echo 'Lint stub'",
+    "test": "node --test",
+    "test:coverage": "node --experimental-test-coverage --test",
+    "test:verbose": "node --test --test-reporter spec",
+    "prepare": "husky",
+    "build": "echo 'Build stub'",
+    "corpus": "node tests/corpus/run.js",
+    "validate:campaigns": "node backend/scripts/validate-detectors.js all",
+    "validate:analyze": "node backend/scripts/analyze-validation.js",
+    "calibrate:fetch": "node backend/scripts/fetch-top-packages.js",
+    "calibrate:fps": "node backend/scripts/detect-false-positives.js",
+    "calibrate:analyze": "node backend/scripts/analyze-false-positives.js"
+  },
+  "lint-staged": {
+    "**/package{,-lock}.json": "sh -c 'node cli/cli.js scan-lockfile --fail-on high'",
+    "**/yarn.lock": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --yarn'",
+    "**/pnpm-lock.yaml": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --pnpm'"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  },
+  "files": [
+    "backend/",
+    "cli/",
+    "README.md",
+    "VALIDATION.md",
+    "CHANGELOG.md",
+    "LICENSING.md"
+  ],
+  "dependencies": {
+    "acorn": "^8.16.0",
+    "commander": "^14.0.3",
+    "glob": "^13.0.6",
+    "js-yaml": "^4.1.1",
+    "pdf-lib": "^1.17.1",
+    "sql.js": "^1.11.0",
+    "tar": "^7.5.15"
+  },
+  "devDependencies": {
+    "husky": "^9.1.7",
+    "lint-staged": "^16.4.0"
+  }
+}

package/.dockerignore

@@ -1,20 +0,0 @@
-node_modules
-.git
-.env
-*.log
-*.tmp
-*.swp
-coverage
-.nyc_output
-tests
-docs
-docker
-*.md
-!README.md
-.eslintrc*
-.prettierrc*
-tsconfig*
-.vscode
-.idea
-*.test.js
-*.spec.js

package/.husky/pre-commit

@@ -1 +0,0 @@
-npx lint-staged

package/SECURITY.md

@@ -1,73 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-Only the **latest published minor version** on npm receives security patches. Keep `@lateos/npm-scan` up to date:
-
-```bash
-npm update -g @lateos/npm-scan
-```
-
-| Version | Supported |
-|---------|-----------|
-| 0.9.x   | ✅ Active |
-| < 0.9   | ❌       |
-
-## Reporting a Vulnerability
-
-Use **GitHub Private Vulnerability Reporting**:
-
-1. Go to [github.com/lateos-ai/npm-scan/security/advisories/new](https://github.com/lateos-ai/npm-scan/security/advisories/new)
-2. Describe the vulnerability in detail (ideally with a proof of concept)
-3. Allow **72 hours** for an initial acknowledgment
-
-For encrypted follow-up outside of GitHub, use our PGP key:
-
-```
-Fingerprint: 1BC6 998B 879B BDE0 D778  629E D9CF F5EF 1F7C 557B
-Key ID:      1F7C557B
-Email:       leo@lateos.ai
-```
-
-## Scope
-
-**In scope:**
-- Detector logic (ATK-001 through ATK-011)
-- Code execution in the scanner engine (`backend/fetch.js`, `cli/cli.js`)
-- CI/CD pipeline and publish process (provenance bypass, supply chain)
-- Configuration injection via `policy.yaml` or command-line flags
-
-**Out of scope:**
-- CVEs in third-party dependencies — report upstream
-- Vulnerabilities in the npm registry itself — report to npm
-- Malicious packages detected by the scanner (that's working as designed)
-
-## Security Practices
-
-`@lateos/npm-scan` follows these practices to protect its own supply chain:
-
-- **Sigstore provenance** on every npm publish — verifiable via `npm view @lateos/npm-scan provenance`
-- **Self-scanning in CI** — every commit scans the project's own `package-lock.json` for the full ATK taxonomy
-- **SBOM per release** — CycloneDX and SPDX 2.3 Bill of Materials published with every version
-- **2FA** enforced on the npm publisher account
-- **Docker multi-arch images** signed and pushed via CI, not manually
-- **All code public** — no security-by-obscurity
-
-## Self-Scanning
-
-As a supply chain security scanner, `@lateos/npm-scan` dogfoods its own detectors. Every CI run executes:
-
-```bash
-npx @lateos/npm-scan scan-lockfile --fail-on medium
-```
-
-If a future update to a dependency triggers one of our detectors (e.g., typosquat, obfuscated lifecycle script), the build **fails** before the change reaches npm.
-
-## Safe Harbor
-
-We consider security research conducted under this policy as authorized and will not pursue legal action against researchers who:
-
-- Report vulnerabilities through GitHub Private Vulnerability Reporting
-- Do not access or modify user data beyond what's necessary to demonstrate the vulnerability
-- Do not exploit the vulnerability beyond demonstrating it
-- Act in good faith to improve the security of the project

package/deploy/helm/npm-scan/Chart.yaml

@@ -1,22 +0,0 @@
-apiVersion: v2
-name: npm-scan
-description: npm supply chain security scanner — BYOC Helm chart for enterprise/government deployments
-type: application
-version: 1.0.0
-appVersion: "1.0.0"
-keywords:
-  - npm
-  - security
-  - supply-chain
-  - scanner
-  - byoc
-  - stig
-  - fips
-  - soc2
-  - fedramp
-sources:
-  - https://github.com/lateos-ai/npm-scan
-maintainers:
-  - name: Lateos
-    email: hello@lateos.ai
-dependencies: []

package/deploy/helm/npm-scan/templates/_helpers.tpl

@@ -1,9 +0,0 @@
-{{- define "npm-scan.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{- define "npm-scan.labels" -}}
-helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}

package/deploy/helm/npm-scan/templates/api.yaml

@@ -1,94 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "npm-scan.name" . }}-api
-  labels:
-    app: {{ include "npm-scan.name" . }}-api
-    {{- include "npm-scan.labels" . | nindent 4 }}
-  annotations:
-    stig: "SRG-APP-000141"
-spec:
-  replicas: {{ .Values.api.replicas }}
-  selector:
-    matchLabels:
-      app: {{ include "npm-scan.name" . }}-api
-  template:
-    metadata:
-      labels:
-        app: {{ include "npm-scan.name" . }}-api
-    spec:
-      containers:
-        - name: api
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["node", "cli/cli.js", "serve"]
-          ports:
-            - containerPort: {{ .Values.api.port }}
-          env:
-            - name: API_PORT
-              value: "{{ .Values.api.port }}"
-            - name: API_HOST
-              value: "{{ .Values.api.host }}"
-            - name: NPM_SCAN_LICENSE_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "npm-scan.name" . }}-license
-                  key: key
-                  optional: true
-            - name: NPM_SCAN_PREMIUM
-              value: "{{ .Values.premium.enabled }}"
-            {{- if .Values.premium.byoc.enabled }}
-            - name: NPM_SCAN_BYOC
-              value: "true"
-            - name: NPM_SCAN_CLOUD_PROVIDER
-              value: "{{ .Values.premium.byoc.cloudProvider }}"
-            {{- end }}
-            {{- if .Values.siem.enabled }}
-            - name: SIEM_ENABLED
-              value: "true"
-            - name: SIEM_TYPE
-              value: "{{ .Values.siem.type }}"
-            - name: SIEM_ENDPOINT
-              value: "{{ .Values.siem.endpoint }}"
-            - name: SIEM_PORT
-              value: "{{ .Values.siem.port }}"
-            {{- end }}
-            {{- if .Values.sso.enabled }}
-            - name: SSO_ENABLED
-              value: "true"
-            - name: SSO_PROVIDER
-              value: "{{ .Values.sso.provider }}"
-            - name: SSO_ISSUER_URL
-              value: "{{ .Values.sso.issuerUrl }}"
-            {{- end }}
-            {{- if .Values.postgresql.enabled }}
-            - name: PG_HOST
-              value: "{{ .Values.postgresql.host }}"
-            - name: PG_PORT
-              value: "{{ .Values.postgresql.port }}"
-            - name: PG_DATABASE
-              value: "{{ .Values.postgresql.database }}"
-            - name: PG_USERNAME
-              value: "{{ .Values.postgresql.username }}"
-            - name: PG_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.postgresql.existingSecret | default (printf "%s-pg" (include "npm-scan.name" .)) }}
-                  key: password
-                  optional: true
-            {{- end }}
-          resources: {{- toYaml .Values.api.resources | nindent 12 }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "npm-scan.name" . }}-api
-  labels:
-    app: {{ include "npm-scan.name" . }}-api
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: {{ .Values.api.port }}
-  selector:
-    app: {{ include "npm-scan.name" . }}-api

package/deploy/helm/npm-scan/templates/ingress.yaml

@@ -1,28 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ include "npm-scan.name" . }}
-  labels: {{- include "npm-scan.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
-  annotations: {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  {{- with .Values.ingress.className }}
-  ingressClassName: {{ . }}
-  {{- end }}
-  rules:
-    - host: {{ .Values.ingress.host | quote }}
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: {{ include "npm-scan.name" . }}-api
-                port:
-                  number: {{ .Values.service.port }}
-  {{- with .Values.ingress.tls }}
-  tls: {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

package/deploy/helm/npm-scan/templates/postgresql.yaml

@@ -1,67 +0,0 @@
-{{- if .Values.postgresql.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "npm-scan.name" . }}-postgresql
-  labels:
-    app: {{ include "npm-scan.name" . }}-postgresql
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: {{ include "npm-scan.name" . }}-postgresql
-  template:
-    metadata:
-      labels:
-        app: {{ include "npm-scan.name" . }}-postgresql
-    spec:
-      containers:
-        - name: postgresql
-          image: postgres:16-alpine
-          ports:
-            - containerPort: 5432
-          env:
-            - name: POSTGRES_DB
-              value: "{{ .Values.postgresql.database }}"
-            - name: POSTGRES_USER
-              value: "{{ .Values.postgresql.username }}"
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "npm-scan.name" . }}-pg
-                  key: password
-          {{- if .Values.persistence.enabled }}
-          volumeMounts:
-            - name: data
-              mountPath: /var/lib/postgresql/data
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: {{ include "npm-scan.name" . }}-pg
-          {{- end }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "npm-scan.name" . }}-postgresql
-spec:
-  ports:
-    - port: 5432
-  selector:
-    app: {{ include "npm-scan.name" . }}-postgresql
----
-{{- if .Values.persistence.enabled }}
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "npm-scan.name" . }}-pg
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: {{ .Values.persistence.size }}
-  {{- with .Values.persistence.storageClass }}
-  storageClassName: {{ . }}
-  {{- end }}
-{{- end }}
-{{- end }}

package/deploy/helm/npm-scan/templates/secrets.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "npm-scan.name" . }}-license
-  labels: {{- include "npm-scan.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  key: "{{ .Values.license.key }}"
----
-{{- if not .Values.postgresql.existingSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "npm-scan.name" . }}-pg
-  labels: {{- include "npm-scan.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  password: "{{ .Values.postgresql.password }}"
-{{- end }}

package/deploy/helm/npm-scan/templates/worker.yaml

@@ -1,32 +0,0 @@
-{{- if .Values.worker.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "npm-scan.name" . }}-worker
-  labels:
-    app: {{ include "npm-scan.name" . }}-worker
-    {{- include "npm-scan.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.worker.replicas }}
-  selector:
-    matchLabels:
-      app: {{ include "npm-scan.name" . }}-worker
-  template:
-    metadata:
-      labels:
-        app: {{ include "npm-scan.name" . }}-worker
-    spec:
-      containers:
-        - name: worker
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["node", "cli/cli.js"]
-          env:
-            - name: NPM_SCAN_LICENSE_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "npm-scan.name" . }}-license
-                  key: key
-                  optional: true
-          resources: {{- toYaml .Values.worker.resources | nindent 12 }}
-{{- end }}

package/deploy/helm/npm-scan/values.byoc.yaml

@@ -1,75 +0,0 @@
-# BYOC Enterprise values example
-# Deploy to your VPC: helm install -f values.byoc.yaml npm-scan ./
-
-image:
-  repository: lateos/npm-scan
-  tag: "1.0.0"
-
-premium:
-  enabled: true
-  edition: enterprise
-  byoc:
-    enabled: true
-    cloudProvider: aws
-    vpcId: vpc-0123456789abcdef0
-    region: us-east-1
-    clusterName: npm-scan-enterprise
-    externalDb: true
-    externalRedis: true
-
-license:
-  key: "npm-scan-enterprise-XXXXX.YOUR-SIGNATURE-HERE"
-  secret: "your-license-secret"
-
-siem:
-  enabled: true
-  type: cef
-  endpoint: log-collector.your-company.com
-  port: 514
-  protocol: tcp
-
-pdf:
-  enabled: true
-
-sso:
-  enabled: true
-  provider: oidc
-  clientId: npm-scan-enterprise
-  issuerUrl: https://sso.your-company.com/realms/enterprise
-
-postgresql:
-  enabled: false
-  host: your-rds-endpoint.rds.amazonaws.com
-  port: 5432
-  database: npm_scan
-  username: npm_scan
-  password: ""
-
-redis:
-  enabled: false
-  host: your-redis-endpoint.cache.amazonaws.com
-  port: 6379
-
-ingress:
-  enabled: true
-  className: nginx
-  host: npm-scan.your-company.com
-  tls:
-    - secretName: npm-scan-tls
-      hosts:
-        - npm-scan.your-company.com
-
-persistence:
-  enabled: true
-  size: 50Gi
-  storageClass: gp3
-
-worker:
-  replicas: 4
-  resources:
-    requests:
-      cpu: 500m
-      memory: 1Gi
-    limits:
-      cpu: 2
-      memory: 2Gi

package/deploy/helm/npm-scan/values.yaml

@@ -1,103 +0,0 @@
-# Helm values for npm-scan BYOC
-# Override per environment: helm install -f values-prod.yaml
-
-image:
-  repository: lateos/npm-scan
-  tag: latest
-  pullPolicy: Always
-
-replicaCount: 1
-
-license:
-  key: ""
-  secret: ""
-
-premium:
-  enabled: false
-  edition: premium
-  byoc:
-    enabled: false
-    cloudProvider: ""
-    vpcId: ""
-    region: ""
-    clusterName: ""
-    externalDb: true
-    externalRedis: true
-
-siem:
-  enabled: false
-  type: cef
-  endpoint: ""
-  port: 514
-  protocol: tcp
-  apiKey: ""
-
-pdf:
-  enabled: false
-
-sso:
-  enabled: false
-  provider: oidc
-  clientId: ""
-  clientSecret: ""
-  issuerUrl: ""
-  allowedDomains: []
-
-postgresql:
-  enabled: true
-  host: ""
-  port: 5432
-  database: npm_scan
-  username: npm_scan
-  password: ""
-  existingSecret: ""
-
-api:
-  enabled: true
-  port: 8000
-  host: 0.0.0.0
-  replicas: 1
-  corsOrigins: ["*"]
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 500m
-      memory: 512Mi
-
-worker:
-  enabled: true
-  replicas: 2
-  resources:
-    requests:
-      cpu: 200m
-      memory: 256Mi
-    limits:
-      cpu: 1
-      memory: 1Gi
-
-ingress:
-  enabled: false
-  className: ""
-  annotations: {}
-  host: npm-scan.example.com
-  tls: []
-
-service:
-  type: ClusterIP
-  port: 80
-
-persistence:
-  enabled: true
-  size: 10Gi
-  storageClass: ""
-
-nodeSelector: {}
-tolerations: []
-affinity: {}
-
-redis:
-  enabled: false
-  host: ""
-  port: 6379