@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/detectors/tier1-obfuscation-heuristics.js

@@ -0,0 +1,184 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+import { shannonEntropy, isMinified } from './lib/entropy-analyzer.js';
+import { detectPatterns } from './lib/ast-patterns.js';
+
+const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
+const ENTROPY_THRESHOLD = 5.3;
+const PAYLOAD_SIZE_THRESHOLD = 100000;
+
+function analyze(code, _label) {
+  if (!code || code.length < 20) {
+    return null;
+  }
+
+  const entropy = shannonEntropy(code);
+  const patterns = detectPatterns(code);
+  const minified = isMinified(code);
+  const payloadSize = code.length;
+
+  let score = 0;
+  const flags = [];
+
+  if (entropy > ENTROPY_THRESHOLD) {
+    score += 35;
+    flags.push(`Entropy ${entropy} exceeds threshold ${ENTROPY_THRESHOLD}`);
+  }
+
+  if (entropy > 5.8) {
+    score += 15;
+    flags.push(`High entropy ${entropy} — strong obfuscation indicator`);
+  }
+
+  const patternCount = patterns.length;
+  if (patternCount >= 3) {
+    score += 30;
+    flags.push(`${patternCount} obfuscation patterns detected`);
+  } else if (patternCount >= 1) {
+    score += 20;
+    flags.push(`${patternCount} obfuscation patterns detected`);
+  }
+
+  if (minified) {
+    score += 10;
+    flags.push('Minified code — reduced readability');
+  }
+
+  if (payloadSize > PAYLOAD_SIZE_THRESHOLD) {
+    score += 15;
+    flags.push(
+      `Payload size ${payloadSize} bytes exceeds ${PAYLOAD_SIZE_THRESHOLD} byte threshold`
+    );
+  }
+
+  if (patterns.includes('XOR_CIPHER') && patterns.length >= 2) {
+    score += 10;
+    flags.push('ctf-scramble-v2 style XOR cipher detected');
+  }
+
+  if (patterns.includes('EVAL_USAGE') && entropy > 5.0) {
+    score += 15;
+    flags.push('eval() with high-entropy code');
+  }
+
+  score = Math.max(0, Math.min(100, score));
+
+  if (score < 40) {
+    return null;
+  }
+
+  return {
+    flagged: true,
+    confidenceScore: score,
+    confidence: score >= 80 ? 'HIGH' : score >= 60 ? 'MEDIUM' : 'LOW',
+    entropy,
+    patterns,
+    patternCount,
+    payloadSize,
+    flags,
+  };
+}
+
+function severityLabel(sc) {
+  if (sc >= 90) {
+    return 'critical';
+  }
+  if (sc >= 70) {
+    return 'high';
+  }
+  if (sc >= 50) {
+    return 'medium';
+  }
+  return 'low';
+}
+
+function confidenceLabel(sc) {
+  if (sc >= 80) {
+    return 'HIGH';
+  }
+  if (sc >= 60) {
+    return 'MEDIUM';
+  }
+  return 'LOW';
+}
+
+export const name = 'tier1-obfuscation-heuristics';
+
+export async function scan(pkgJson, jsFiles, _registryMeta, _allFiles) {
+  const pkgName = pkgJson?.name;
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
+
+  const findings = [];
+  const scripts = pkgJson?.scripts || {};
+
+  for (const [hookName, scriptContent] of Object.entries(scripts)) {
+    if (!LIFECYCLE_SCRIPTS.includes(hookName)) {
+      continue;
+    }
+    const result = analyze(scriptContent, hookName);
+    if (!result) {
+      continue;
+    }
+
+    findings.push({
+      detector: 'tier1-obfuscation-heuristics',
+      id: 'TIER1-OBFUSCATION-HEURISTICS',
+      severity: severityLabel(result.confidenceScore),
+      confidence: confidenceLabel(result.confidenceScore),
+      confidenceScore: result.confidenceScore,
+      subtype: 'obfuscated_lifecycle_script',
+      message: `Obfuscation detected in ${hookName} script: ${result.flags[0] || 'obfuscation patterns found'}`,
+      evidence: [
+        `script: ${hookName}`,
+        `entropy: ${result.entropy}`,
+        `patterns: ${result.patterns.join(', ') || 'none'}`,
+        `pattern_count: ${result.patternCount}`,
+        `payload_size_bytes: ${result.payloadSize}`,
+        ...result.flags,
+      ],
+      crossFiles: [],
+      locations: [{ file: 'package.json', line: 3, column: 10 }],
+      reference: 'Mini Shai-Hulud obfuscation campaign',
+    });
+  }
+
+  for (const f of jsFiles || []) {
+    const content = f.content || '';
+    if (content.length < 100) {
+      continue;
+    }
+
+    const result = analyze(content, f.path || 'unknown.js');
+    if (!result) {
+      continue;
+    }
+
+    if (result.confidenceScore < 50) {
+      continue;
+    }
+
+    findings.push({
+      detector: 'tier1-obfuscation-heuristics',
+      id: 'TIER1-OBFUSCATION-HEURISTICS',
+      severity: severityLabel(result.confidenceScore),
+      confidence: confidenceLabel(result.confidenceScore),
+      confidenceScore: result.confidenceScore,
+      subtype: 'obfuscated_js_file',
+      message: `Obfuscation detected in ${f.path || 'file'}: ${result.flags[0] || 'obfuscation patterns found'}`,
+      evidence: [
+        `file: ${f.path || 'unknown.js'}`,
+        `entropy: ${result.entropy}`,
+        `patterns: ${result.patterns.join(', ') || 'none'}`,
+        `pattern_count: ${result.patternCount}`,
+        `payload_size_bytes: ${result.payloadSize}`,
+        ...result.flags,
+      ],
+      crossFiles: [],
+      locations: [{ file: f.path || 'unknown.js', line: 0, column: 0 }],
+      reference: 'Mini Shai-Hulud obfuscation campaign',
+    });
+  }
+
+  return findings;
+}

package/backend/detectors/tier1-self-propagation.js

@@ -0,0 +1,115 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const THRESHOLDS = {
+  flag_threshold: 75,
+  warn_threshold: 60,
+  burst_window_minutes: 60,
+  min_packages_burst: 3,
+  identical_payload_weight: 40,
+};
+
+function parseTimeStamps(registryMeta) {
+  const timeData = registryMeta?.time;
+  if (!timeData || typeof timeData !== 'object') return [];
+  return Object.entries(timeData)
+    .map(([ver, ts]) => ({
+      version: ver,
+      time: new Date(ts).getTime(),
+    }))
+    .filter((e) => !isNaN(e.time))
+    .sort((a, b) => a.time - b.time);
+}
+
+function findBursts(entries, windowMs) {
+  const bursts = [];
+  for (let i = 0; i < entries.length; i++) {
+    const windowEnd = entries[i].time + windowMs;
+    const group = [];
+    for (let j = i; j < entries.length && entries[j].time <= windowEnd; j++) {
+      group.push(entries[j]);
+    }
+    if (group.length >= 3) {
+      bursts.push({
+        startVersion: group[0].version,
+        endVersion: group[group.length - 1].version,
+        count: group.length,
+        windowMinutes: windowMs / 60000,
+        versions: group.map((e) => e.version),
+      });
+    }
+  }
+  return bursts;
+}
+
+function computeConfidence(bursts, findings) {
+  let base = 40;
+  if (bursts.length > 0) {
+    base += 20 + Math.min(bursts[0].count * 5, 25);
+  }
+  if (findings.length > 0) {
+    base += THRESHOLDS.identical_payload_weight;
+  }
+  return Math.min(100, Math.max(0, base));
+}
+
+function severityLabel(score) {
+  if (score >= 80) return 'high';
+  if (score >= 60) return 'medium';
+  return 'low';
+}
+
+function confidenceLabel(score) {
+  if (score >= 80) return 'HIGH';
+  if (score >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+
+export const name = 'tier1-self-propagation';
+
+export async function scan(pkgJson, _jsFiles, registryMeta, _allFiles) {
+  const pkgName = pkgJson?.name;
+  if (!pkgName) return [];
+  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const entries = parseTimeStamps(registryMeta);
+  if (entries.length < 3) return [];
+
+  const windowMs = (THRESHOLDS.burst_window_minutes || 60) * 60 * 1000;
+  const bursts = findBursts(entries, windowMs);
+  if (bursts.length === 0) return [];
+
+  const burst = bursts[0];
+  const confidenceScore = computeConfidence(bursts, []);
+  if (confidenceScore < THRESHOLDS.warn_threshold) return [];
+
+  const relatedPackages = [];
+  const maintainer =
+    registryMeta?.maintainer || registryMeta?.versions?.[pkgJson.version]?._npmUser?.name;
+  const namespaces = registryMeta?.namespacePackages || [];
+  if (namespaces.length > 0) {
+    for (const np of namespaces) {
+      if (np !== pkgName) relatedPackages.push(np);
+    }
+  }
+
+  return [
+    {
+      detector: 'tier1-self-propagation',
+      id: 'TIER1-SELF-PROPAGATION',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype: 'self_propagation_burst',
+      message: `Self-propagation burst detected: ${burst.count} versions in ${burst.windowMinutes} minutes`,
+      evidence: [
+        `burst: ${burst.count} versions in ${burst.windowMinutes}min`,
+        `window: ${burst.startVersion} -> ${burst.endVersion}`,
+        `related_packages: ${relatedPackages.length}`,
+        `maintainer: ${maintainer || 'unknown'}`,
+      ],
+      locations: [{ file: 'package.json', line: 1, column: 1 }],
+      crossFiles: relatedPackages.slice(0, 10),
+      reference: 'D10: @redhat-cloud-services Miasma self-propagation',
+    },
+  ];
+}

package/backend/detectors/tier1-slsa-attestation.js

@@ -0,0 +1,12 @@
+// D8: SLSA Attestation Mismatch Detector
+// TODO: Implement after npm SLSA attestation API stabilizes
+// Blockers:
+//   - npm registry SLSA attestation API not yet widely adopted (as of June 2026)
+//   - Requires npm auth token to fetch provenance
+//   - May have rate limits
+
+export const name = 'tier1-slsa-attestation';
+
+export async function scan(_pkgJson, _jsFiles, _registryMeta, _allFiles) {
+  return [];
+}

package/backend/detectors/tier1-transitive-deps.js

@@ -0,0 +1,182 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const THRESHOLDS = {
+  flag_threshold: 80,
+  warn_threshold: 50,
+  new_package_days: 7,
+  unknown_depth_weight: 45,
+  typosquat_depth_weight: 50,
+  different_maintainer_weight: 35,
+};
+
+const SUSPICIOUS_NAMES = /(?:plain-crypto|crypto-js|secure-crypto|crypto-lib|cryptography)/i;
+
+function levenshtein(a, b) {
+  if (Math.abs(a.length - b.length) > 2) return 3;
+  const m = a.length,
+    n = b.length;
+  if (m === 0) return n;
+  if (n === 0) return m;
+  let prev = new Int32Array(n + 1);
+  let curr = new Int32Array(n + 1);
+  for (let j = 0; j <= n; j++) prev[j] = j;
+  for (let i = 1; i <= m; i++) {
+    curr[0] = i;
+    let rowMin = curr[0];
+    for (let j = 1; j <= n; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost);
+      if (curr[j] < rowMin) rowMin = curr[j];
+    }
+    if (rowMin > 2) return 3;
+    const tmp = prev;
+    prev = curr;
+    curr = tmp;
+  }
+  return prev[n];
+}
+
+function isTyposquat(name, popularNames) {
+  for (const popular of popularNames) {
+    if (Math.abs(name.length - popular.length) > 2) continue;
+    const dist = levenshtein(name, popular);
+    if (dist <= 2 && name !== popular) return popular;
+  }
+  return null;
+}
+
+const POPULAR_PACKAGES = [
+  'crypto-js',
+  'crypto',
+  'bcrypt',
+  'jsonwebtoken',
+  'json5',
+  'lodash',
+  'axios',
+  'express',
+  'moment',
+  'chalk',
+  'react',
+  'vue',
+  'angular',
+  'next',
+  'nuxt',
+  'typescript',
+  'eslint',
+  'prettier',
+  'webpack',
+  'babel',
+  'mongoose',
+  'redis',
+  'mysql',
+  'postgres',
+  'passport',
+];
+
+function collectDependencies(pkgJson) {
+  const deps = {};
+  const allDeps = {
+    ...(pkgJson?.dependencies || {}),
+    ...(pkgJson?.devDependencies || {}),
+  };
+  for (const [name, version] of Object.entries(allDeps)) {
+    deps[name] = { version, depth: 0, isDirect: true };
+  }
+  return deps;
+}
+
+function computeConfidence(findings) {
+  if (findings.length === 0) return 0;
+  const maxScore = Math.max(...findings.map((f) => f.weight));
+  let base = maxScore;
+  if (findings.length > 1) base += 15;
+  return Math.min(100, Math.max(0, base));
+}
+
+function severityLabel(score) {
+  if (score >= 80) return 'high';
+  if (score >= 60) return 'medium';
+  return 'low';
+}
+
+function confidenceLabel(score) {
+  if (score >= 80) return 'HIGH';
+  if (score >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+
+export const name = 'tier1-transitive-deps';
+
+export async function scan(pkgJson, _jsFiles, _registryMeta, _allFiles) {
+  const pkgName = pkgJson?.name;
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const deps = collectDependencies(pkgJson);
+  const depNames = Object.keys(deps);
+  if (depNames.length === 0) return [];
+
+  const findings = [];
+
+  for (const [depName, depInfo] of Object.entries(deps)) {
+    let weight = 0;
+    const reasons = [];
+
+    if (SUSPICIOUS_NAMES.test(depName)) {
+      weight += 55;
+      reasons.push('suspicious_naming: matches known malicious pattern');
+    }
+
+    const typosquatTarget = isTyposquat(depName, POPULAR_PACKAGES);
+    if (typosquatTarget) {
+      weight += THRESHOLDS.typosquat_depth_weight;
+      reasons.push(`typosquat: "${depName}" similar to "${typosquatTarget}"`);
+    }
+
+    if (depInfo.isDirect) {
+      const depVersion = depInfo.version || '';
+      if (depVersion.includes('x') || depVersion === '*' || /^\d+\.\d+\.\d+$/.test(depVersion)) {
+        const parts = depVersion.split('.');
+        if (parts.length === 3) {
+          const major = parseInt(parts[0], 10);
+          if (major >= 99) {
+            weight += 55;
+            reasons.push(`version_anomaly: suspicious version ${depVersion}`);
+          }
+        }
+      }
+    }
+
+    if (weight > 0) {
+      findings.push({
+        package: depName,
+        depth: depInfo.depth,
+        isDirect: depInfo.isDirect,
+        weight,
+        reasons,
+      });
+    }
+  }
+
+  if (findings.length === 0) return [];
+
+  const confidenceScore = computeConfidence(findings);
+  if (confidenceScore < THRESHOLDS.warn_threshold) return [];
+
+  const topFindings = findings.sort((a, b) => b.weight - a.weight).slice(0, 5);
+
+  return [
+    {
+      detector: 'tier1-transitive-deps',
+      id: 'TIER1-TRANSITIVE-DEPS',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype: 'transitive_injection',
+      message: `${findings.length} suspicious transitive dependenc${findings.length > 1 ? 'ies' : 'y'} detected`,
+      evidence: topFindings.map((f) => `${f.package} (depth ${f.depth}): ${f.reasons.join('; ')}`),
+      locations: [{ file: 'package.json', line: 1, column: 1 }],
+      crossFiles: topFindings.map((f) => f.package),
+      reference: 'D12: Axios backdoor transitive injection',
+    },
+  ];
+}