@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/detectors/node-ipc-compromise/d3-cjs-payload-injection.js

@@ -7,7 +7,7 @@ export function scanCjsPayloadInjection(allFiles) {
   let cjsContent = null;
   let mjsContent = null;
   let cjsPath = null;
-  let mjsPath = null;
+  let _mjsPath = null;
 
   for (const file of allFiles) {
     const path = file.path?.replace(/\\/g, '/') || '';
@@ -17,7 +17,7 @@ export function scanCjsPayloadInjection(allFiles) {
     }
     if (path.endsWith('node-ipc.mjs')) {
       mjsContent = file.content || '';
-      mjsPath = path;
+      _mjsPath = path;
     }
   }
 
@@ -52,19 +52,21 @@ export function scanCjsPayloadInjection(allFiles) {
         matches.push({
           file: cjsPath,
           finding: 'iife-suffix',
-          detail: 'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
+          detail:
+            'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
         });
       }
     }
   }
 
   if (cjsContent && IIFE_END_PATTERN.test(cjsContent.trim())) {
-    const alreadyReported = matches.some(m => m.finding === 'iife-suffix');
+    const alreadyReported = matches.some((m) => m.finding === 'iife-suffix');
     if (!alreadyReported) {
       matches.push({
         file: cjsPath,
         finding: 'iife-suffix',
-        detail: 'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
+        detail:
+          'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
       });
     }
   }

package/backend/detectors/node-ipc-compromise/d4-injected-payload-hash.js

@@ -2,14 +2,16 @@ import { createHash } from 'crypto';
 
 const INJECTED_PAYLOAD_HASH = '3427a90c8cb9af764445448648176e120ebc6af0a538158340cf6220de4d01b7';
 
-const IIFE_BOUNDARY = /}\)\(\);\s*$/;
+const _IIFE_BOUNDARY = /}\)\(\);\s*$/;
 
 export function scanInjectedPayloadHash(allFiles) {
   const matches = [];
 
   for (const file of allFiles) {
     const path = file.path?.replace(/\\/g, '/') || '';
-    if (!path.endsWith('node-ipc.cjs')) continue;
+    if (!path.endsWith('node-ipc.cjs')) {
+      continue;
+    }
 
     const content = file.content || '';
 

package/backend/detectors/node-ipc-compromise/d5-dns-c2-pattern.js

@@ -1,9 +1,4 @@
-const PUBLIC_RESOLVERS = new Set([
-  '1.1.1.1',
-  '8.8.8.8',
-  '8.8.4.4',
-  '9.9.9.9',
-]);
+const PUBLIC_RESOLVERS = new Set(['1.1.1.1', '8.8.8.8', '8.8.4.4', '9.9.9.9']);
 
 const IP_PATTERN = /setServers\(\s*\[?\s*['"`](\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})['"`]/;
 
@@ -21,19 +16,27 @@ export function scanDnsC2Pattern(allFiles, pkgJson) {
 
   for (const file of allFiles) {
     const path = file.path || '';
-    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) {
+      continue;
+    }
     sources.push({ file: path, content: file.content || '' });
   }
 
   for (const { file, content } of sources) {
     const hasDnsResolver = /\bdns\.promises\s*\.\s*Resolver\b/.test(content);
-    if (!hasDnsResolver) continue;
+    if (!hasDnsResolver) {
+      continue;
+    }
 
     const ipMatch = content.match(IP_PATTERN);
-    if (!ipMatch) continue;
+    if (!ipMatch) {
+      continue;
+    }
 
     const customIP = ipMatch[1];
-    if (PUBLIC_RESOLVERS.has(customIP)) continue;
+    if (PUBLIC_RESOLVERS.has(customIP)) {
+      continue;
+    }
 
     const hasResolveTxt = /\bresolveTxt\b/.test(content);
 

package/backend/detectors/node-ipc-compromise/d7-dns-txt-exfil.js

@@ -15,7 +15,9 @@ export function scanDnsTxtExfil(allFiles, pkgJson) {
 
   for (const file of allFiles) {
     const path = file.path || '';
-    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) {
+      continue;
+    }
     sources.push({ file: path, content: file.content || '' });
   }
 

package/backend/detectors/node-ipc-compromise/d8-runtime-trigger.js

@@ -10,7 +10,9 @@ export function scanRuntimeTrigger(allFiles, pkgJson) {
 
   for (const file of allFiles) {
     const path = file.path || '';
-    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) {
+      continue;
+    }
     sources.push({ file: path, content: file.content || '' });
   }
 
@@ -18,7 +20,8 @@ export function scanRuntimeTrigger(allFiles, pkgJson) {
     if (/\bsetImmediate\s*\(/.test(content)) {
       matches.push({
         file,
-        detail: 'setImmediate() call found — node-ipc malware fires at require() time, not via postinstall',
+        detail:
+          'setImmediate() call found — node-ipc malware fires at require() time, not via postinstall',
       });
     }
   }

package/backend/detectors/node-ipc-compromise/index.js

@@ -28,7 +28,9 @@ const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
 
 function highestSeverity(severities) {
   for (const s of SEVERITY_ORDER) {
-    if (severities.includes(s)) return s;
+    if (severities.includes(s)) {
+      return s;
+    }
   }
   return 'none';
 }
@@ -42,7 +44,9 @@ function buildRemediation(triggered) {
     lines.push('PRESERVE ~/nt-*/ artifacts for incident response');
   }
   if (triggered.includes('D5') || triggered.includes('D6') || triggered.includes('D7')) {
-    lines.push('Review DNS egress logs for sh.azurestaticprovider.net and 37.16.75.69 post May 14, 2026');
+    lines.push(
+      'Review DNS egress logs for sh.azurestaticprovider.net and 37.16.75.69 post May 14, 2026'
+    );
   }
   lines.push('Rotate all CI/CD secrets and OIDC tokens');
   lines.push('Audit maintainer email domain expiry for all critical dependencies');
@@ -70,24 +74,26 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     .filter(([_, r]) => r.triggered)
     .map(([id]) => id);
 
-  if (triggered.length === 0) return [];
+  if (triggered.length === 0) {
+    return [];
+  }
 
-  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const severity = highestSeverity(triggered.map((id) => RULE_SEVERITY[id]));
 
   const evidence = {
     campaign: 'NODE_IPC_COMPROMISE',
     triggeredRules: triggered,
-    details: Object.fromEntries(
-      Object.entries(results).filter(([_, r]) => r.triggered)
-    ),
+    details: Object.fromEntries(Object.entries(results).filter(([_, r]) => r.triggered)),
   };
 
-  return [{
-    id: 'NODE_IPC_COMPROMISE',
-    severity,
-    title: 'node-ipc supply chain compromise (May 14, 2026)',
-    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: buildRemediation(triggered),
-  }];
+  return [
+    {
+      id: 'NODE_IPC_COMPROMISE',
+      severity,
+      title: 'node-ipc supply chain compromise (May 14, 2026)',
+      description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation: buildRemediation(triggered),
+    },
+  ];
 }

package/backend/detectors/tier1-binary-embed.js

@@ -8,36 +8,49 @@ const CHILD_PROC_RE = /\b(?:spawn|exec|execSync|spawnSync|fork)\s*\(/g;
 const FS_CHMOD_RE = /fs\.chmod\s*\(/g;
 
 function detectMagicBytes(content) {
-  if (!content || content.length < 4) return null;
+  if (!content || content.length < 4) {
+    return null;
+  }
 
   const c0 = content.charCodeAt(0);
   const c1 = content.charCodeAt(1);
   const c2 = content.charCodeAt(2);
   const c3 = content.charCodeAt(3);
 
-  if (c0 === 0x7f && content.slice(1, 4) === 'ELF') return 'elf_embedded';
-  if (c0 === 0x4d && c1 === 0x5a) return 'pe_embedded';
-  if (c0 === 0x00 && content.slice(1, 4) === 'asm') return 'wasm_embedded';
+  if (c0 === 0x7f && content.slice(1, 4) === 'ELF') {
+    return 'elf_embedded';
+  }
+  if (c0 === 0x4d && c1 === 0x5a) {
+    return 'pe_embedded';
+  }
+  if (c0 === 0x00 && content.slice(1, 4) === 'asm') {
+    return 'wasm_embedded';
+  }
 
-  const machO = (c0 === 0xfe && c1 === 0xed && c2 === 0xfa && (c3 === 0xce || c3 === 0xcf)) ||
+  const machO =
+    (c0 === 0xfe && c1 === 0xed && c2 === 0xfa && (c3 === 0xce || c3 === 0xcf)) ||
     (c0 === 0xce && c1 === 0xfa && c2 === 0xed && (c3 === 0xfe || c3 === 0xcf)) ||
     (c0 === 0xcf && c1 === 0xfa && c2 === 0xed && c3 === 0xfe);
-  if (machO) return 'macho_embedded';
+  if (machO) {
+    return 'macho_embedded';
+  }
 
   const universal = c0 === 0xca && c1 === 0xfe && c2 === 0xba && c3 === 0xbe;
-  if (universal) return 'macho_embedded';
+  if (universal) {
+    return 'macho_embedded';
+  }
 
   return null;
 }
 
 function isInBinaryDir(filePath) {
   const normalized = filePath.replace(/\\/g, '/');
-  return BINARY_DIRS.some(dir => normalized.includes(`/${dir}`) || normalized.startsWith(dir));
+  return BINARY_DIRS.some((dir) => normalized.includes(`/${dir}`) || normalized.startsWith(dir));
 }
 
 function hasBinaryExt(filePath) {
   const lower = filePath.toLowerCase();
-  return BINARY_EXTS.some(ext => lower.endsWith(ext));
+  return BINARY_EXTS.some((ext) => lower.endsWith(ext));
 }
 
 function isKnownBinaryName(fileName) {
@@ -45,23 +58,60 @@ function isKnownBinaryName(fileName) {
   return BINARY_FILENAMES.includes(base);
 }
 
+const CROSS_PLATFORM_RE =
+  /-(?:linux|darwin|macos|win32|windows|win)-(?:x64|x86|arm64|ia32)\.?(?:exe)?$/i;
+
+function detectCrossPlatformSets(binaries) {
+  const sets = {};
+  for (const bin of binaries) {
+    const base = bin.file.replace(CROSS_PLATFORM_RE, '').split(/[/\\]/).pop();
+    if (!sets[base]) {
+      sets[base] = [];
+    }
+    sets[base].push(bin.file);
+  }
+  for (const [base, files] of Object.entries(sets)) {
+    if (files.length >= 2) {
+      return { base, files, count: files.length };
+    }
+  }
+  return null;
+}
+
 function isDeclared(pkgJson, fileName) {
-  if (!pkgJson) return false;
+  if (!pkgJson) {
+    return false;
+  }
   const baseName = fileName.split(/[/\\]/).pop();
 
   if (pkgJson.bin) {
-    if (typeof pkgJson.bin === 'string' && pkgJson.bin === baseName) return true;
-    if (typeof pkgJson.bin === 'object' && Object.values(pkgJson.bin).some(v => v === baseName || v.endsWith(`/${baseName}`))) return true;
+    if (typeof pkgJson.bin === 'string' && pkgJson.bin === baseName) {
+      return true;
+    }
+    if (
+      typeof pkgJson.bin === 'object' &&
+      Object.values(pkgJson.bin).some((v) => v === baseName || v.endsWith(`/${baseName}`))
+    ) {
+      return true;
+    }
   }
 
   if (pkgJson.optionalDependencies) {
-    for (const [name, val] of Object.entries(pkgJson.optionalDependencies)) {
-      if (name === baseName) return true;
+    for (const [name, _val] of Object.entries(pkgJson.optionalDependencies)) {
+      if (name === baseName) {
+        return true;
+      }
     }
   }
 
-  if (pkgJson.gypfile === true || pkgJson.scripts?.install?.includes('node-gyp') || pkgJson.scripts?.install?.includes('node-pre-gyp')) {
-    if (baseName.endsWith('.node')) return true;
+  if (
+    pkgJson.gypfile === true ||
+    pkgJson.scripts?.install?.includes('node-gyp') ||
+    pkgJson.scripts?.install?.includes('node-pre-gyp')
+  ) {
+    if (baseName.endsWith('.node')) {
+      return true;
+    }
   }
 
   return false;
@@ -71,15 +121,26 @@ export const name = 'tier1-binary-embed';
 
 export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   const pkgName = pkgJson?.name;
-  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
 
-  if (!allFiles || allFiles.length === 0) return [];
+  if (!allFiles || allFiles.length === 0) {
+    return [];
+  }
 
-  if (pkgName && (
-    pkgName === 'electron' || pkgName === 'puppeteer' || pkgName === 'sharp' ||
-    pkgName === 'esbuild' || pkgName === 'node-gyp' || pkgName === 'node-pre-gyp' ||
-    pkgName === '@mapbox/node-pre-gyp'
-  )) return [];
+  if (
+    pkgName &&
+    (pkgName === 'electron' ||
+      pkgName === 'puppeteer' ||
+      pkgName === 'sharp' ||
+      pkgName === 'esbuild' ||
+      pkgName === 'node-gyp' ||
+      pkgName === 'node-pre-gyp' ||
+      pkgName === '@mapbox/node-pre-gyp')
+  ) {
+    return [];
+  }
 
   const binaries = [];
 
@@ -111,9 +172,13 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     }
   }
 
-  if (binaries.length === 0) return [];
+  if (binaries.length === 0) {
+    return [];
+  }
 
-  const jsCode = (jsFiles || []).map(f => f.content || '').join('\n');
+  const crossPlatformSet = detectCrossPlatformSets(binaries);
+
+  const jsCode = (jsFiles || []).map((f) => f.content || '').join('\n');
   const invoked = CHILD_PROC_RE.test(jsCode) || FS_CHMOD_RE.test(jsCode);
 
   const invokedFiles = [];
@@ -134,43 +199,70 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     let baseScore;
     let subtype;
 
+    // Cross-platform platform set boost
+    const isCrossPlatform =
+      crossPlatformSet &&
+      crossPlatformSet.files.some(
+        (f) => f === bin.file || f.includes(bin.file) || bin.file.includes(f.replace(/\.exe$/, ''))
+      );
+
     if (bin.magic === 'elf_embedded') {
       baseScore = 95;
-      subtype = 'elf_embedded';
+      subtype = isCrossPlatform ? 'cross_platform_elf' : 'elf_embedded';
     } else if (bin.magic === 'pe_embedded') {
       baseScore = 95;
-      subtype = 'pe_embedded';
+      subtype = isCrossPlatform ? 'cross_platform_pe' : 'pe_embedded';
     } else if (bin.magic === 'macho_embedded') {
       baseScore = 95;
-      subtype = 'macho_embedded';
+      subtype = isCrossPlatform ? 'cross_platform_macho' : 'macho_embedded';
     } else if (bin.magic === 'wasm_embedded') {
       baseScore = 60;
-      subtype = 'wasm_embedded';
+      subtype = isCrossPlatform ? 'cross_platform_wasm' : 'wasm_embedded';
     } else {
       baseScore = 60;
-      subtype = 'magic_byte_unknown';
+      subtype = isCrossPlatform ? 'cross_platform_unknown' : 'magic_byte_unknown';
     }
 
     let score = baseScore;
 
-    if (bin.inBinDir) score += 15;
+    if (isCrossPlatform) {
+      score += 25;
+    }
+
+    if (bin.inBinDir) {
+      score += 15;
+    }
 
-    if (!bin.declared) score += 50;
+    if (!bin.declared) {
+      score += 50;
+    }
 
-    if (invoked && invokedFiles.length > 0) score += 25;
+    if (invoked && invokedFiles.length > 0) {
+      score += 25;
+    }
 
     const confidenceScore = Math.max(50, Math.min(100, score));
 
     function severityLabel(sc) {
-      if (sc >= 90) return 'critical';
-      if (sc >= 70) return 'high';
+      if (sc >= 90) {
+        return 'critical';
+      }
+      if (sc >= 70) {
+        return 'high';
+      }
       return 'medium';
     }
 
     function confidenceLabel(sc) {
-      if (sc >= 95) return 'CRITICAL';
-      if (sc >= 80) return 'HIGH';
-      if (sc >= 60) return 'MEDIUM';
+      if (sc >= 95) {
+        return 'CRITICAL';
+      }
+      if (sc >= 80) {
+        return 'HIGH';
+      }
+      if (sc >= 60) {
+        return 'MEDIUM';
+      }
       return 'LOW';
     }
 
@@ -179,14 +271,19 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       `path: ${bin.file}`,
       `declared: ${bin.declared}`,
     ];
+    if (isCrossPlatform) {
+      evidence.push(
+        `cross-platform binary set: ${crossPlatformSet.count} variants of "${crossPlatformSet.base}"`
+      );
+      evidence.push(`platform_files: ${crossPlatformSet.files.join(', ')}`);
+    }
+
     if (invoked && invokedFiles.length > 0) {
       evidence.push(`invoked: child_process usage in ${invokedFiles.length} file(s)`);
       evidence.push(`invoked_file: ${invokedFiles[0]}`);
     }
 
-    const locations = [
-      { file: bin.file, size: bin.size },
-    ];
+    const locations = [{ file: bin.file, size: bin.size }];
 
     if (invokedFiles.length > 0) {
       locations.push({ file: invokedFiles[0], line: 0 });

package/backend/detectors/tier1-cloud-imds.js

@@ -4,41 +4,48 @@ const GCP_PATTERNS = [
   'metadata.google.internal/computeMetadata',
 ];
 
-const AZURE_PATTERNS = [
-  '169.254.169.254/metadata/instance',
-  '169.254.169.254/metadata/identity',
-];
+const AZURE_PATTERNS = ['169.254.169.254/metadata/instance', '169.254.169.254/metadata/identity'];
 
 const AZURE_IP = '169.254.169.254';
 const METADATA_HEADER_RE = /Metadata\s*:\s*true/i;
 
 function severityLabel(score) {
-  if (score >= 80) return 'high';
+  if (score >= 80) {
+    return 'high';
+  }
   return 'medium';
 }
 
 function confidenceLabel(score) {
-  if (score >= 80) return 'HIGH';
-  if (score >= 60) return 'MEDIUM';
+  if (score >= 80) {
+    return 'HIGH';
+  }
+  if (score >= 60) {
+    return 'MEDIUM';
+  }
   return 'LOW';
 }
 
 function hasGcpPattern(text) {
-  return GCP_PATTERNS.some(p => text.includes(p));
+  return GCP_PATTERNS.some((p) => text.includes(p));
 }
 
 function hasAzurePath(text) {
-  return AZURE_PATTERNS.some(p => text.includes(p));
+  return AZURE_PATTERNS.some((p) => text.includes(p));
 }
 
 function hasAzureHeaderPattern(text) {
   const lines = text.split('\n');
   for (let i = 0; i < lines.length; i++) {
-    if (!lines[i].includes(AZURE_IP)) continue;
+    if (!lines[i].includes(AZURE_IP)) {
+      continue;
+    }
     const start = Math.max(0, i - 5);
     const end = Math.min(lines.length, i + 6);
     for (let j = start; j < end; j++) {
-      if (METADATA_HEADER_RE.test(lines[j])) return true;
+      if (METADATA_HEADER_RE.test(lines[j])) {
+        return true;
+      }
     }
   }
   return false;
@@ -72,20 +79,30 @@ function collectTexts(pkgJson, jsFiles) {
 
 export const name = 'tier1-cloud-imds';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, jsFiles, _registryMeta, _allFiles) {
   const texts = collectTexts(pkgJson, jsFiles);
-  if (texts.length === 0) return [];
+  if (texts.length === 0) {
+    return [];
+  }
 
   let hasGcp = false;
   let hasAzure = false;
 
   for (const text of texts) {
-    if (!hasGcp && hasGcpPattern(text)) hasGcp = true;
-    if (!hasAzure && hasAzurePattern(text)) hasAzure = true;
-    if (hasGcp && hasAzure) break;
+    if (!hasGcp && hasGcpPattern(text)) {
+      hasGcp = true;
+    }
+    if (!hasAzure && hasAzurePattern(text)) {
+      hasAzure = true;
+    }
+    if (hasGcp && hasAzure) {
+      break;
+    }
   }
 
-  if (!hasGcp && !hasAzure) return [];
+  if (!hasGcp && !hasAzure) {
+    return [];
+  }
 
   let confidenceScore;
   let subtype;
@@ -101,24 +118,27 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     subtype = 'azure_imds';
   }
 
-  return [{
-    detector: 'tier1-cloud-imds',
-    id: 'TIER1-CLOUD-IMDS',
-    severity: severityLabel(confidenceScore),
-    confidence: confidenceLabel(confidenceScore),
-    confidenceScore,
-    subtype,
-    message: hasGcp && hasAzure
-      ? `Package references both GCP metadata and Azure IMDS endpoints — cloud credential harvesting`
-      : hasGcp
-        ? `Package references GCP metadata server endpoint — cloud credential harvesting`
-        : `Package references Azure IMDS endpoint — cloud credential harvesting`,
-    evidence: [
-      ...(hasGcp ? ['gcp: metadata.google.internal / computeMetadata/v1 pattern detected'] : []),
-      ...(hasAzure ? ['azure: 169.254.169.254/metadata pattern detected'] : []),
-    ],
-    crossFiles: [],
-    locations: [{ file: '', line: 0 }],
-    reference: 'Miasma Cloud IMDS',
-  }];
+  return [
+    {
+      detector: 'tier1-cloud-imds',
+      id: 'TIER1-CLOUD-IMDS',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype,
+      message:
+        hasGcp && hasAzure
+          ? `Package references both GCP metadata and Azure IMDS endpoints — cloud credential harvesting`
+          : hasGcp
+            ? `Package references GCP metadata server endpoint — cloud credential harvesting`
+            : `Package references Azure IMDS endpoint — cloud credential harvesting`,
+      evidence: [
+        ...(hasGcp ? ['gcp: metadata.google.internal / computeMetadata/v1 pattern detected'] : []),
+        ...(hasAzure ? ['azure: 169.254.169.254/metadata pattern detected'] : []),
+      ],
+      crossFiles: [],
+      locations: [{ file: '', line: 0 }],
+      reference: 'Miasma Cloud IMDS',
+    },
+  ];
 }