@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/detectors/tier1-lifecycle-hook.js

@@ -1,6 +1,13 @@
 import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
 
-const HOOK_NAMES = ['postinstall', 'preinstall', 'install', 'prepare', 'preuninstall', 'postuninstall'];
+const HOOK_NAMES = [
+  'postinstall',
+  'preinstall',
+  'install',
+  'prepare',
+  'preuninstall',
+  'postuninstall',
+];
 
 const CURL_WGET_RE = /\b(?:curl|wget|powershell|bash|sh)\b/i;
 const CHILD_PROC_RE = /\b(?:exec|execSync|spawn|spawnSync|fork)\s*\(/g;
@@ -17,9 +24,13 @@ const REQUIRE_RE = /\brequire\s*\(/g;
 
 function shannonEntropy(s) {
   const len = s.length;
-  if (len === 0) return 0;
+  if (len === 0) {
+    return 0;
+  }
   const freq = {};
-  for (const ch of s) freq[ch] = (freq[ch] || 0) + 1;
+  for (const ch of s) {
+    freq[ch] = (freq[ch] || 0) + 1;
+  }
   let entropy = 0;
   for (const count of Object.values(freq)) {
     const p = count / len;
@@ -29,20 +40,32 @@ function shannonEntropy(s) {
 }
 
 function isObfuscated(content) {
-  if (!content) return false;
+  if (!content) {
+    return false;
+  }
   const noWhitespace = !/\s/.test(content.trim());
   const identifiers = content.match(/\b[a-zA-Z_$][\w$]*\b/g);
   let avgIdLen = 0;
   if (identifiers && identifiers.length > 0) {
     avgIdLen = identifiers.reduce((s, id) => s + id.length, 0) / identifiers.length;
   }
-  if (noWhitespace && identifiers && identifiers.length > 0 && avgIdLen < 3) return true;
-  if (noWhitespace && /^[a-zA-Z_$][\w$]*\([^)]*\)$/.test(content.trim())) return true;
+  if (noWhitespace && identifiers && identifiers.length > 0 && avgIdLen < 3) {
+    return true;
+  }
+  if (noWhitespace && /^[a-zA-Z_$][\w$]*\([^)]*\)$/.test(content.trim())) {
+    return true;
+  }
   HEX_STRING_RE.lastIndex = 0;
-  if (HEX_STRING_RE.test(content)) return true;
+  if (HEX_STRING_RE.test(content)) {
+    return true;
+  }
   B64_RE.lastIndex = 0;
-  if (B64_RE.test(content)) return true;
-  if (shannonEntropy(content) > 5.5) return true;
+  if (B64_RE.test(content)) {
+    return true;
+  }
+  if (shannonEntropy(content) > 5.5) {
+    return true;
+  }
   return false;
 }
 
@@ -58,9 +81,11 @@ function extractUrls(content) {
 
 export const name = 'tier1-lifecycle-hook';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, _jsFiles, _registryMeta, _allFiles) {
   const pkgName = pkgJson?.name;
-  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
 
   const scripts = pkgJson?.scripts || {};
   const hooks = {};
@@ -71,18 +96,23 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     }
   }
 
-  if (Object.keys(hooks).length === 0) return [];
+  if (Object.keys(hooks).length === 0) {
+    return [];
+  }
 
   const findings = [];
 
   for (const [hookName, scriptContent] of Object.entries(hooks)) {
     const content = typeof scriptContent === 'string' ? scriptContent : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
 
     const truncated = content.length > 10240 ? content.slice(0, 10240) : content;
 
     const obfuscated = isObfuscated(truncated);
-    const hasEval = EVAL_RE.test(truncated) || FUNCTION_CTOR_RE.test(truncated) || ZERO_EVAL_RE.test(truncated);
+    const hasEval =
+      EVAL_RE.test(truncated) || FUNCTION_CTOR_RE.test(truncated) || ZERO_EVAL_RE.test(truncated);
     const hasNetwork = CURL_WGET_RE.test(truncated) || CHILD_PROC_RE.test(truncated);
     const hasUrls = URL_RE.test(truncated) || IP_RE.test(truncated);
     const urls = extractUrls(truncated);
@@ -111,7 +141,9 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       }
       const domainInfo = hasInternal ? 'internal domain' : 'external URL';
       evidence.push(`patterns: hardcoded ${domainInfo} in hook`);
-      if (urls.length > 0) evidence.push(`target: ${urls[0]}`);
+      if (urls.length > 0) {
+        evidence.push(`target: ${urls[0]}`);
+      }
     }
 
     if (envExfil) {
@@ -143,13 +175,19 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       baseScore = Math.min(100, Math.round(baseScore * 2.5));
     }
 
-    if (baseScore === 0) continue;
+    if (baseScore === 0) {
+      continue;
+    }
 
     const confidenceScore = Math.max(50, Math.min(100, baseScore));
 
     function confidenceLabel(score) {
-      if (score >= 95) return 'CRITICAL';
-      if (score >= 80) return 'HIGH';
+      if (score >= 95) {
+        return 'CRITICAL';
+      }
+      if (score >= 80) {
+        return 'HIGH';
+      }
       return 'MEDIUM';
     }
 
@@ -162,11 +200,13 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       subtype,
       message: `Suspicious lifecycle hook "${hookName}"`,
       evidence,
-      locations: [{
-        file: 'package.json',
-        field: `scripts.${hookName}`,
-        value: content.length > 200 ? `${content.slice(0, 200)}...` : content,
-      }],
+      locations: [
+        {
+          file: 'package.json',
+          field: `scripts.${hookName}`,
+          value: content.length > 200 ? `${content.slice(0, 200)}...` : content,
+        },
+      ],
       crossFiles: [],
       reference: 'Campaign 1',
     });

package/backend/detectors/tier1-maintainer-compromise.js

@@ -0,0 +1,157 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const THRESHOLDS = {
+  flag_threshold: 75,
+  warn_threshold: 60,
+  velocity_burst_multiplier: 5,
+  burst_window_hours: 24,
+  min_velocity_baseline: 0.5,
+  duplicate_version_weight: 40,
+  unusual_timing_weight: 25,
+  cross_package_burst_weight: 50,
+};
+
+function parseVersionHistory(registryMeta) {
+  const timeData = registryMeta?.time;
+  if (!timeData || typeof timeData !== 'object') return [];
+
+  return Object.entries(timeData)
+    .map(([ver, ts]) => ({
+      version: ver,
+      time: new Date(ts).getTime(),
+      date: new Date(ts),
+    }))
+    .filter((e) => !isNaN(e.time))
+    .sort((a, b) => a.time - b.time);
+}
+
+function getHour(date) {
+  return date.getUTCHours();
+}
+
+function calculateVelocity(history) {
+  if (history.length < 2) return { perWeek: 0, perDay: 0 };
+  const firstTime = history[0].time;
+  const lastTime = history[history.length - 1].time;
+  const spanMs = lastTime - firstTime;
+  const spanDays = spanMs / (1000 * 60 * 60 * 24);
+  if (spanDays < 1) return { perWeek: history.length, perDay: history.length };
+  const perDay = history.length / Math.max(spanDays, 1);
+  const perWeek = perDay * 7;
+  return { perWeek, perDay };
+}
+
+function detectBursts(history) {
+  const bursts = [];
+  const windowMs = (THRESHOLDS.burst_window_hours || 24) * 60 * 60 * 1000;
+
+  for (let i = 0; i < history.length; i++) {
+    const windowEnd = history[i].time + windowMs;
+    const group = [];
+    for (let j = i; j < history.length && history[j].time <= windowEnd; j++) {
+      group.push(history[j]);
+    }
+    if (group.length >= 3) {
+      const groupHour = group.map((e) => getHour(e.date));
+      const timings = groupHour.filter((h) => h >= 0 && h <= 5);
+      bursts.push({
+        count: group.length,
+        windowHours: windowMs / (1000 * 60 * 60),
+        versions: group.map((e) => e.version),
+        unusualTimings: [...new Set(timings)]
+          .sort()
+          .map((h) => `${String(h).padStart(2, '0')}:00 UTC`),
+        startTime: group[0].date.toISOString(),
+        endTime: group[group.length - 1].date.toISOString(),
+      });
+    }
+  }
+  return bursts;
+}
+
+function computeConfidence(bursts, velocity, unusualTimingsCount) {
+  if (bursts.length === 0) return 0;
+  let base = 40;
+
+  const burst = bursts[0];
+  const burstMultiplier =
+    velocity.perWeek > 0
+      ? burst.count / Math.max(velocity.perWeek, THRESHOLDS.min_velocity_baseline)
+      : burst.count;
+
+  if (burstMultiplier >= THRESHOLDS.velocity_burst_multiplier) {
+    base += Math.min(burstMultiplier * 3, 30);
+  }
+
+  if (unusualTimingsCount > 0) {
+    base += Math.min(unusualTimingsCount * THRESHOLDS.unusual_timing_weight, 20);
+  }
+
+  if (burst.count >= 10) {
+    base += 15;
+  }
+
+  return Math.min(100, Math.max(0, base));
+}
+
+function severityLabel(score) {
+  if (score >= 80) return 'critical';
+  if (score >= 60) return 'high';
+  return 'medium';
+}
+
+function confidenceLabel(score) {
+  if (score >= 80) return 'CRITICAL';
+  if (score >= 60) return 'HIGH';
+  return 'MEDIUM';
+}
+
+export const name = 'tier1-maintainer-compromise';
+
+export async function scan(pkgJson, _jsFiles, registryMeta, _allFiles) {
+  const pkgName = pkgJson?.name;
+  if (!pkgName) return [];
+  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const history = parseVersionHistory(registryMeta);
+  if (history.length < 3) return [];
+
+  const velocity = calculateVelocity(history);
+  const bursts = detectBursts(history);
+  if (bursts.length === 0) return [];
+
+  const burst = bursts[0];
+  const unusualTimings = burst.unusualTimings;
+  const burstMultiplier =
+    velocity.perWeek > 0
+      ? burst.count / Math.max(velocity.perWeek, THRESHOLDS.min_velocity_baseline)
+      : burst.count;
+
+  const crossPackageBurst = registryMeta?.crossPackageBurst || false;
+
+  const confidenceScore = computeConfidence(bursts, velocity, unusualTimings.length);
+  if (confidenceScore < THRESHOLDS.warn_threshold) return [];
+
+  return [
+    {
+      detector: 'tier1-maintainer-compromise',
+      id: 'TIER1-MAINTAINER-COMPROMISE',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype: 'maintainer_compromise_burst',
+      message: `Maintainer compromise detected: ${burst.count} versions in ${burst.windowHours}h window (${burstMultiplier.toFixed(1)}x normal velocity)`,
+      evidence: [
+        `normal_velocity: ${velocity.perWeek.toFixed(1)}/week (${velocity.perDay.toFixed(1)}/day)`,
+        `burst_count: ${burst.count} in ${burst.windowHours}h`,
+        `burst_multiplier: ${burstMultiplier.toFixed(1)}x`,
+        `unusual_timings: ${unusualTimings.length > 0 ? unusualTimings.join(', ') : 'none'}`,
+        `cross_package: ${crossPackageBurst}`,
+        `versions: ${burst.versions.slice(0, 5).join(', ')}${burst.versions.length > 5 ? `... (+${burst.versions.length - 5} more)` : ''}`,
+      ],
+      locations: [{ file: 'package.json', line: 1, column: 1 }],
+      crossFiles: [],
+      reference: 'D13: @redhat-cloud-services maintainer compromise',
+    },
+  ];
+}

package/backend/detectors/tier1-metadata-spoof.js

@@ -1,68 +1,100 @@
 import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
 
 const INTERNAL_SUFFIX_RE = /\.(?:internal|local|corp|intra|priv|lan)(?:[.:/]|$)/i;
-const CORPORATE_RE = /(?:github-ent|jira-ent|github\.enterprise|internal-gitlab|gitlab\.internal|jenkins\.internal|confluence\.internal)/i;
-const PRIVATE_IP_RE = /^(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})/;
+const CORPORATE_RE =
+  /(?:github-ent|jira-ent|github\.enterprise|internal-gitlab|gitlab\.internal|jenkins\.internal|confluence\.internal)/i;
+const PRIVATE_IP_RE =
+  /^(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})/;
 
 function extractDomain(url) {
   try {
     const u = new URL(url);
     return u.hostname;
   } catch {
-    const m = url.match(/^(?:https?:\/\/)?([^\/\s:]+)/);
+    const m = url.match(/^(?:https?:\/\/)?([^/\s:]+)/);
     return m ? m[1] : null;
   }
 }
 
 function isInternalUrl(url) {
-  if (!url) return false;
+  if (!url) {
+    return false;
+  }
   const domain = extractDomain(url);
-  if (!domain) return false;
-  if (INTERNAL_SUFFIX_RE.test(domain)) return true;
-  if (CORPORATE_RE.test(domain)) return true;
-  if (PRIVATE_IP_RE.test(domain)) return true;
+  if (!domain) {
+    return false;
+  }
+  if (INTERNAL_SUFFIX_RE.test(domain)) {
+    return true;
+  }
+  if (CORPORATE_RE.test(domain)) {
+    return true;
+  }
+  if (PRIVATE_IP_RE.test(domain)) {
+    return true;
+  }
   return false;
 }
 
 function parseSemver(version) {
-  if (!version) return null;
+  if (!version) {
+    return null;
+  }
   const parts = version.replace(/^[~^]/, '').split('.');
   const m = parseInt(parts[0], 10);
   const n = parseInt(parts[1], 10);
   const p = parseInt(parts[2], 10);
-  if (isNaN(m) || isNaN(n) || isNaN(p)) return null;
+  if (isNaN(m) || isNaN(n) || isNaN(p)) {
+    return null;
+  }
   return { major: m, minor: n, patch: p };
 }
 
 function detectSemverInflation(currentVer, registryMeta) {
-  if (!currentVer || !registryMeta) return null;
+  if (!currentVer || !registryMeta) {
+    return null;
+  }
 
   const age = registryMeta.age;
-  if (age !== undefined && age < 7) return null;
+  if (age !== undefined && age < 7) {
+    return null;
+  }
 
   const previousVer = registryMeta.previousVersion || null;
-  if (!previousVer) return null;
+  if (!previousVer) {
+    return null;
+  }
 
   const cur = parseSemver(currentVer);
   const prev = parseSemver(previousVer);
-  if (!cur || !prev) return null;
+  if (!cur || !prev) {
+    return null;
+  }
 
   const majorJump = cur.major - prev.major;
   const minorJump = cur.minor - prev.minor;
   const patchJump = cur.patch - prev.patch;
 
-  if (majorJump > 10) return { type: 'major', from: previousVer, to: currentVer, jump: majorJump };
-  if (minorJump > 20) return { type: 'minor', from: previousVer, to: currentVer, jump: minorJump };
-  if (patchJump > 50) return { type: 'patch', from: previousVer, to: currentVer, jump: patchJump };
+  if (majorJump > 10) {
+    return { type: 'major', from: previousVer, to: currentVer, jump: majorJump };
+  }
+  if (minorJump > 20) {
+    return { type: 'minor', from: previousVer, to: currentVer, jump: minorJump };
+  }
+  if (patchJump > 50) {
+    return { type: 'patch', from: previousVer, to: currentVer, jump: patchJump };
+  }
 
   return null;
 }
 
 export const name = 'tier1-metadata-spoof';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, jsFiles, registryMeta, _allFiles) {
   const pkgName = pkgJson?.name;
-  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
 
   const fieldUrls = [];
 
@@ -87,7 +119,9 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   if (pkgJson.funding) {
     const arr = Array.isArray(pkgJson.funding) ? pkgJson.funding : [pkgJson.funding];
     for (let i = 0; i < arr.length; i++) {
-      if (arr[i] && arr[i].url) addField(`funding[${i}].url`, arr[i].url);
+      if (arr[i] && arr[i].url) {
+        addField(`funding[${i}].url`, arr[i].url);
+      }
     }
   }
 
@@ -95,13 +129,15 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     addField('author.url', pkgJson.author.url);
   }
 
-  const internalFields = fieldUrls.filter(f => isInternalUrl(f.value));
+  const internalFields = fieldUrls.filter((f) => isInternalUrl(f.value));
   const hasInternalUrls = internalFields.length > 0;
 
   const currentVersion = pkgJson?.version;
   const semverInflation = detectSemverInflation(currentVersion, registryMeta);
 
-  if (!hasInternalUrls && !semverInflation) return [];
+  if (!hasInternalUrls && !semverInflation) {
+    return [];
+  }
 
   let baseScore = 0;
   let subtype = '';
@@ -117,10 +153,14 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       const domain = extractDomain(f.value);
       evidence.push(`url: ${f.field} = ${f.value}`);
 
-      let pattern = '';
-      if (PRIVATE_IP_RE.test(domain)) pattern = 'private IP';
-      else if (CORPORATE_RE.test(domain)) pattern = 'corporate domain';
-      else pattern = 'internal domain';
+      let pattern;
+      if (PRIVATE_IP_RE.test(domain)) {
+        pattern = 'private IP';
+      } else if (CORPORATE_RE.test(domain)) {
+        pattern = 'corporate domain';
+      } else {
+        pattern = 'internal domain';
+      }
       evidence.push(`pattern: ${domain} (${pattern})`);
 
       locations.push({ field: f.field, value: f.value });
@@ -140,7 +180,9 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     if (hasInternalUrls) {
       baseScore = Math.round(baseScore * 1.3);
       evidence.push(semverMsg);
-      evidence.push(`${semverInflation.type} version jump (${semverInflation.jump}) without changelog`);
+      evidence.push(
+        `${semverInflation.type} version jump (${semverInflation.jump}) without changelog`
+      );
       locations.push({ field: 'version', old: semverInflation.from, new: semverInflation.to });
       primaryMessage += ' + unjustified semver jump';
     } else {
@@ -155,26 +197,34 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   const confidenceScore = Math.max(50, Math.min(90, baseScore));
 
   function severityLabel(sc) {
-    if (sc >= 70) return 'high';
+    if (sc >= 70) {
+      return 'high';
+    }
     return 'medium';
   }
 
   function confidenceLabel(sc) {
-    if (sc >= 80) return 'HIGH';
-    if (sc >= 60) return 'MEDIUM';
+    if (sc >= 80) {
+      return 'HIGH';
+    }
+    if (sc >= 60) {
+      return 'MEDIUM';
+    }
     return 'LOW';
   }
 
-  return [{
-    detector: 'tier1-metadata-spoof',
-    id: 'TIER1-METADATA-SPOOF',
-    severity: severityLabel(confidenceScore),
-    confidence: confidenceLabel(confidenceScore),
-    confidenceScore,
-    subtype,
-    message: primaryMessage,
-    evidence,
-    locations,
-    reference: 'Campaign 1',
-  }];
+  return [
+    {
+      detector: 'tier1-metadata-spoof',
+      id: 'TIER1-METADATA-SPOOF',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype,
+      message: primaryMessage,
+      evidence,
+      locations,
+      reference: 'Campaign 1',
+    },
+  ];
 }

package/backend/detectors/tier1-multistage-postinstall.js

@@ -1,34 +1,51 @@
 const SCAN_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
 
-const REMOTE_FETCH_RE = /\b(?:fetch|axios\.get|axios\.post|http\.get|https\.get)\(|\b(?:curl|wget)\s/;
+const REMOTE_FETCH_RE =
+  /\b(?:fetch|axios\.get|axios\.post|http\.get|https\.get)\(|\b(?:curl|wget)\s/;
 const BINARY_EXEC_RE = /\b(?:execFile|execFileSync|execSync|exec|spawnSync|spawn)\s*\(/;
 const DETACHED_RE = /detached\s*:\s*true/;
 
 function severityLabel(score) {
-  if (score >= 95) return 'critical';
-  if (score >= 80) return 'high';
-  if (score >= 60) return 'medium';
+  if (score >= 95) {
+    return 'critical';
+  }
+  if (score >= 80) {
+    return 'high';
+  }
+  if (score >= 60) {
+    return 'medium';
+  }
   return 'low';
 }
 
 function confidenceLabel(score) {
-  if (score >= 95) return 'CRITICAL';
-  if (score >= 80) return 'HIGH';
-  if (score >= 60) return 'MEDIUM';
+  if (score >= 95) {
+    return 'CRITICAL';
+  }
+  if (score >= 80) {
+    return 'HIGH';
+  }
+  if (score >= 60) {
+    return 'MEDIUM';
+  }
   return 'LOW';
 }
 
 export const name = 'tier1-multistage-postinstall';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, _jsFiles, _registryMeta, _allFiles) {
   const scripts = pkgJson?.scripts;
-  if (!scripts || typeof scripts !== 'object') return [];
+  if (!scripts || typeof scripts !== 'object') {
+    return [];
+  }
 
   const findings = [];
 
   for (const hookName of SCAN_HOOKS) {
     const content = scripts[hookName];
-    if (!content || typeof content !== 'string') continue;
+    if (!content || typeof content !== 'string') {
+      continue;
+    }
 
     const hasRemoteFetch = REMOTE_FETCH_RE.test(content);
     const hasBinaryExec = BINARY_EXEC_RE.test(content);
@@ -37,7 +54,9 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     const signalA = hasRemoteFetch && hasBinaryExec;
     const signalB = hasDetached;
 
-    if (!signalA && !signalB) continue;
+    if (!signalA && !signalB) {
+      continue;
+    }
 
     let confidenceScore;
     let subtype;
@@ -54,9 +73,15 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     }
 
     const evidence = [`hook: ${hookName}`];
-    if (hasRemoteFetch) evidence.push('pattern: remote fetch call');
-    if (hasBinaryExec) evidence.push('pattern: binary execution call');
-    if (hasDetached) evidence.push('pattern: detached background process');
+    if (hasRemoteFetch) {
+      evidence.push('pattern: remote fetch call');
+    }
+    if (hasBinaryExec) {
+      evidence.push('pattern: binary execution call');
+    }
+    if (hasDetached) {
+      evidence.push('pattern: detached background process');
+    }
 
     findings.push({
       detector: 'tier1-multistage-postinstall',
@@ -67,11 +92,13 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       subtype,
       message: `Multi-stage install hook detected in "${hookName}" — ${subtype}`,
       evidence,
-      locations: [{
-        file: 'package.json',
-        field: `scripts.${hookName}`,
-        value: content.length > 200 ? `${content.slice(0, 200)}...` : content,
-      }],
+      locations: [
+        {
+          file: 'package.json',
+          field: `scripts.${hookName}`,
+          value: content.length > 200 ? `${content.slice(0, 200)}...` : content,
+        },
+      ],
       crossFiles: [],
       reference: 'Sonatype-2026-003429',
     });