@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/detectors/trapdoor/d1-campaign-marker.js

@@ -10,7 +10,9 @@ export function scanCampaignMarker(allFiles) {
     const ext = path.includes('.') ? '.' + path.split('.').pop() : '';
 
     const isTarget = TARGET_FILENAMES.has(basename) || TARGET_EXTENSIONS.includes(ext);
-    if (!isTarget) continue;
+    if (!isTarget) {
+      continue;
+    }
 
     if (content.includes('P-2024-001')) {
       matches.push({ file: path });

package/backend/detectors/trapdoor/d2-payload-fingerprint.js

@@ -12,7 +12,7 @@ export function scanPayloadFingerprint(allFiles) {
     }
 
     if (byteSize === 48485) {
-      const alreadyMatched = matches.some(m => m.file === path);
+      const alreadyMatched = matches.some((m) => m.file === path);
       if (!alreadyMatched) {
         matches.push({ file: path, matchType: 'byteSize', byteSize });
       }

package/backend/detectors/trapdoor/d3-publisher-blocklist.js

@@ -1,7 +1,8 @@
 export function scanPublisherBlocklist(pkgJson, registryMeta) {
-  const publisherAccount = registryMeta?.versions?.[pkgJson?.version]?._npmUser?.name
-    || registryMeta?.versions?.[Object.keys(registryMeta.versions || {})[0]]?._npmUser?.name
-    || null;
+  const publisherAccount =
+    registryMeta?.versions?.[pkgJson?.version]?._npmUser?.name ||
+    registryMeta?.versions?.[Object.keys(registryMeta.versions || {})[0]]?._npmUser?.name ||
+    null;
 
   if (publisherAccount === 'asdxzxc') {
     return { triggered: true, publisher: publisherAccount };

package/backend/detectors/trapdoor/d4-gists-exfil.js

@@ -3,8 +3,10 @@ const C2_PATTERNS = [/ddjidd564\.github\.io/i, /gist\.github\.com/i];
 
 function scanContent(content, filePath) {
   const matches = [];
-  const hasC2 = C2_PATTERNS.some(p => p.test(content));
-  if (!hasC2) return matches;
+  const hasC2 = C2_PATTERNS.some((p) => p.test(content));
+  if (!hasC2) {
+    return matches;
+  }
 
   const hasCredPath = CRED_PATH_PATTERNS.test(content);
   if (hasCredPath) {

package/backend/detectors/trapdoor/d5-ai-poisoning.js

@@ -1,6 +1,6 @@
 const ZERO_WIDTH_RANGES = [
-  [0x200B, 0x200D],
-  [0xFEFF, 0xFEFF],
+  [0x200b, 0x200d],
+  [0xfeff, 0xfeff],
 ];
 
 function isZeroWidthChar(code) {
@@ -14,7 +14,9 @@ export function scanAIPoisoning(allFiles) {
 
   for (const file of allFiles) {
     const path = file.path?.replace(/\\/g, '/') || '';
-    if (!TARGET_FILES.test(path)) continue;
+    if (!TARGET_FILES.test(path)) {
+      continue;
+    }
 
     const content = file.content || '';
     const found = [];

package/backend/detectors/trapdoor/d6-lure-name.js

@@ -12,16 +12,21 @@ const LURE_PATTERNS = [
 
 export function scanLureName(pkgJson, registryMeta) {
   const pkgName = pkgJson?.name || '';
-  const matchedPattern = LURE_PATTERNS.find(p => p.test(pkgName));
-  if (!matchedPattern) return { triggered: false };
+  const matchedPattern = LURE_PATTERNS.find((p) => p.test(pkgName));
+  if (!matchedPattern) {
+    return { triggered: false };
+  }
 
   const timeMap = registryMeta?.time || {};
-  const versions = Object.keys(timeMap).filter(v => v !== 'created' && v !== 'modified');
-  const firstVersion = versions.length > 0
-    ? versions.sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]))[0]
-    : null;
+  const versions = Object.keys(timeMap).filter((v) => v !== 'created' && v !== 'modified');
+  const firstVersion =
+    versions.length > 0
+      ? versions.sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]))[0]
+      : null;
 
-  if (!firstVersion) return { triggered: false };
+  if (!firstVersion) {
+    return { triggered: false };
+  }
 
   const firstPubDate = new Date(timeMap[firstVersion]);
   const now = new Date();

package/backend/detectors/trapdoor/d7-crypto-primitives.js

@@ -7,8 +7,8 @@ export function scanCryptoPrimitives(allFiles, pkgJson) {
     .map(([hook, content]) => ({ file: `script:${hook}`, content }));
 
   const jsFiles = allFiles
-    .filter(f => f.path?.endsWith('.js') || f.path?.endsWith('.mjs') || f.path?.endsWith('.cjs'))
-    .map(f => ({ file: f.path, content: f.content || '' }));
+    .filter((f) => f.path?.endsWith('.js') || f.path?.endsWith('.mjs') || f.path?.endsWith('.cjs'))
+    .map((f) => ({ file: f.path, content: f.content || '' }));
 
   for (const { file, content } of [...scriptEntries, ...jsFiles]) {
     const hasFernet = /Fernet/i.test(content);

package/backend/detectors/trapdoor/d8-xor-key.js

@@ -2,9 +2,14 @@ export function scanXorKey(allFiles) {
   const matches = [];
   for (const file of allFiles) {
     const path = file.path?.replace(/\\/g, '/') || '';
-    const isLockFile = /(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|pnpm-lock\.yml|Cargo\.lock|Cargo\.toml)/i.test(path);
+    const isLockFile =
+      /(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|pnpm-lock\.yml|Cargo\.lock|Cargo\.toml)/i.test(
+        path
+      );
     const isBundled = /\.node$|vendor|native/i.test(path);
-    if (!isLockFile && !isBundled) continue;
+    if (!isLockFile && !isBundled) {
+      continue;
+    }
 
     const content = file.content || '';
     if (content.includes('cargo-build-helper-2026')) {

package/backend/detectors/trapdoor/d9-cred-validation.js

@@ -1,7 +1,4 @@
-const CRED_VALIDATION_PATTERNS = [
-  /sts\.amazonaws\.com/i,
-  /api\.github\.com\/user/i,
-];
+const CRED_VALIDATION_PATTERNS = [/sts\.amazonaws\.com/i, /api\.github\.com\/user/i];
 
 export function scanCredValidation(allFiles, pkgJson) {
   const matches = [];
@@ -19,7 +16,9 @@ export function scanCredValidation(allFiles, pkgJson) {
 
   for (const file of allFiles) {
     const path = file.path || '';
-    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) {
+      continue;
+    }
     const content = file.content || '';
     for (const pattern of CRED_VALIDATION_PATTERNS) {
       if (pattern.test(content)) {

package/backend/detectors/trapdoor/index.js

@@ -24,7 +24,9 @@ const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
 
 function highestSeverity(severities) {
   for (const s of SEVERITY_ORDER) {
-    if (severities.includes(s)) return s;
+    if (severities.includes(s)) {
+      return s;
+    }
   }
   return 'none';
 }
@@ -48,16 +50,16 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     .filter(([_, r]) => r.triggered)
     .map(([id]) => id);
 
-  if (triggered.length === 0) return [];
+  if (triggered.length === 0) {
+    return [];
+  }
 
-  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const severity = highestSeverity(triggered.map((id) => RULE_SEVERITY[id]));
 
   const evidence = {
     campaign: 'TRAPDOOR',
     triggeredRules: triggered,
-    details: Object.fromEntries(
-      Object.entries(results).filter(([_, r]) => r.triggered)
-    ),
+    details: Object.fromEntries(Object.entries(results).filter(([_, r]) => r.triggered)),
     iocSummary: {
       publisher: 'asdxzxc',
       c2Domain: 'ddjidd564.github.io',
@@ -66,12 +68,15 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     },
   };
 
-  return [{
-    id: 'TRAPDOOR',
-    severity,
-    title: 'TrapDoor cross-ecosystem supply chain attack campaign',
-    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'Block install immediately. Revoke any npm tokens associated with this package. Rotate CI/CD secrets. Audit for postinstall scripts accessing credentials. Check for AI config poisoning (.cursorrules/CLAUDE.md). Verify all package versions from publisher asdxzxc. If confirmed compromise, follow incident response procedures per SECURITY.md.',
-  }];
+  return [
+    {
+      id: 'TRAPDOOR',
+      severity,
+      title: 'TrapDoor cross-ecosystem supply chain attack campaign',
+      description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation:
+        'Block install immediately. Revoke any npm tokens associated with this package. Rotate CI/CD secrets. Audit for postinstall scripts accessing credentials. Check for AI config poisoning (.cursorrules/CLAUDE.md). Verify all package versions from publisher asdxzxc. If confirmed compromise, follow incident response procedures per SECURITY.md.',
+    },
+  ];
 }

package/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js

@@ -1,19 +1,37 @@
 const BLOCKED_MAINTAINERS = ['vpmdhaj'];
 const VPMDHAJ_PREFIX_RE = /^vpmdhaj-/;
 const TYPOSQUAT_TARGETS = [
-  'opensearch-setup', 'env-config-manager',
-  'express', 'lodash', 'axios', 'react', 'vue', 'angular',
-  'babel', 'webpack', 'typescript', 'moment', 'dotenv',
+  'opensearch-setup',
+  'env-config-manager',
+  'express',
+  'lodash',
+  'axios',
+  'react',
+  'vue',
+  'angular',
+  'babel',
+  'webpack',
+  'typescript',
+  'moment',
+  'dotenv',
 ];
 
 function levenshteinDistance(a, b) {
-  const m = a.length, n = b.length;
+  const m = a.length,
+    n = b.length;
   const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
-  for (let i = 0; i <= m; i++) dp[i][0] = i;
-  for (let j = 0; j <= n; j++) dp[0][j] = j;
+  for (let i = 0; i <= m; i++) {
+    dp[i][0] = i;
+  }
+  for (let j = 0; j <= n; j++) {
+    dp[0][j] = j;
+  }
   for (let i = 1; i <= m; i++) {
     for (let j = 1; j <= n; j++) {
-      dp[i][j] = a[i - 1] === b[j - 1] ? dp[i - 1][j - 1] : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+      dp[i][j] =
+        a[i - 1] === b[j - 1]
+          ? dp[i - 1][j - 1]
+          : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
     }
   }
   return dp[m][n];
@@ -71,7 +89,13 @@ export function scanMaintainerAnomaly(pkgJson, registryMeta) {
     };
   }
 
-  return { triggered: false, stopCondition: false, maintainer: '', suspiciousAliases: [], reason: '' };
+  return {
+    triggered: false,
+    stopCondition: false,
+    maintainer: '',
+    suspiciousAliases: [],
+    reason: '',
+  };
 }
 
 export { BLOCKED_MAINTAINERS };

package/backend/detectors/typosquat-vpmdhaj/d2-preinstall-loader.js

@@ -1,8 +1,8 @@
 const SUSPICIOUS_HOOKS = ['preinstall'];
-const LOADER_SCRIPTS = ['setup.mjs', 'loader.js', 'stager.js', 'init.mjs'];
+const _LOADER_SCRIPTS = ['setup.mjs', 'loader.js', 'stager.js', 'init.mjs'];
 const BUN_RUN_RE = /\bbun\s+run\b/;
 const NODE_SETUP_RE = /\bnode\s+(setup\.mjs|init\.mjs|loader\.js|stager\.js)\b/;
-const PREINSTALL_STAGER_RE = /preinstall\s*[:=]/;
+const _PREINSTALL_STAGER_RE = /preinstall\s*[:=]/;
 
 export function scanPreinstallLoader(pkgJson) {
   const scripts = pkgJson?.scripts || {};
@@ -10,7 +10,9 @@ export function scanPreinstallLoader(pkgJson) {
 
   for (const hook of SUSPICIOUS_HOOKS) {
     const cmd = scripts[hook];
-    if (!cmd) continue;
+    if (!cmd) {
+      continue;
+    }
 
     const details = { hookType: hook, hookCommand: cmd };
 

package/backend/detectors/typosquat-vpmdhaj/d3-cred-exfil.js

@@ -4,49 +4,71 @@ const VAULT_CRED_RE = /VAULT_ADDR|VAULT_TOKEN/;
 const GITHUB_TOKEN_RE = /GITHUB_TOKEN|GH_TOKEN/;
 const AWS_ACCESS_KEY_RE = /AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN/;
 const BASE64_OBFUSCATION_RE = /Buffer\.from\([^)]+['"]base64['"]\)|btoa\(|atob\(/;
-const HTTP_POST_EXFIL_RE = /(?:fetch|axios|request|got|curl)\s*\([^)]*(?:https?:\/\/[^'"\s)\]]+)[^)]*(?:method\s*[:=]\s*['"]POST['"]|\.post\s*\()/;
-const DOMAIN_EXFIL_RE = /(?:fetch|axios|request|got|curl)\s*\(['"](?:https?:\/\/)?[^'"\s)\]]*\.[^'"\s)\]]{2,}[^)]*\)/;
+const HTTP_POST_EXFIL_RE =
+  /(?:fetch|axios|request|got|curl)\s*\([^)]*(?:https?:\/\/[^'"\s)\]]+)[^)]*(?:method\s*[:=]\s*['"]POST['"]|\.post\s*\()/;
+const DOMAIN_EXFIL_RE =
+  /(?:fetch|axios|request|got|curl)\s*\(['"](?:https?:\/\/)?[^'"\s)\]]*\.[^'"\s)\]]{2,}[^)]*\)/;
 
 const TARGET_ENV_VARS = {
-  AWS: ['AWS_CONTAINER_CREDENTIALS_FULL_URI', 'AWS_CONTAINER_AUTHORIZATION_TOKEN', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'],
+  AWS: [
+    'AWS_CONTAINER_CREDENTIALS_FULL_URI',
+    'AWS_CONTAINER_AUTHORIZATION_TOKEN',
+    'AWS_ACCESS_KEY_ID',
+    'AWS_SECRET_ACCESS_KEY',
+    'AWS_SESSION_TOKEN',
+  ],
   VAULT: ['VAULT_ADDR', 'VAULT_TOKEN'],
   GITHUB: ['GITHUB_TOKEN', 'GH_TOKEN'],
 };
 
-export function scanCredExfil(files = [], pkgJson) {
-  const code = files.map(f => f.content || '').join('\n');
-  if (!code) return { triggered: false, targets: [], exfilMethod: null, detectedEnvVars: [] };
+export function scanCredExfil(files = [], _pkgJson) {
+  const code = files.map((f) => f.content || '').join('\n');
+  if (!code) {
+    return { triggered: false, targets: [], exfilMethod: null, detectedEnvVars: [] };
+  }
 
   const targets = [];
   const detectedEnvVars = [];
 
-  if (AWS_IMDS_RE.test(code)) targets.push('AWS_IMDSv2');
+  if (AWS_IMDS_RE.test(code)) {
+    targets.push('AWS_IMDSv2');
+  }
   if (ECS_CRED_RE.test(code)) {
     targets.push('ECS_TASK_ROLE');
     for (const v of TARGET_ENV_VARS.AWS) {
-      if (code.includes(v)) detectedEnvVars.push(v);
+      if (code.includes(v)) {
+        detectedEnvVars.push(v);
+      }
     }
   }
   if (VAULT_CRED_RE.test(code)) {
     targets.push('VAULT_CREDENTIALS');
     for (const v of TARGET_ENV_VARS.VAULT) {
-      if (code.includes(v)) detectedEnvVars.push(v);
+      if (code.includes(v)) {
+        detectedEnvVars.push(v);
+      }
     }
   }
   if (GITHUB_TOKEN_RE.test(code)) {
     targets.push('GITHUB_TOKEN');
     for (const v of TARGET_ENV_VARS.GITHUB) {
-      if (code.includes(v)) detectedEnvVars.push(v);
+      if (code.includes(v)) {
+        detectedEnvVars.push(v);
+      }
     }
   }
   if (AWS_ACCESS_KEY_RE.test(code)) {
     targets.push('AWS_ACCESS_KEYS');
     for (const v of TARGET_ENV_VARS.AWS) {
-      if (code.includes(v) && !detectedEnvVars.includes(v)) detectedEnvVars.push(v);
+      if (code.includes(v) && !detectedEnvVars.includes(v)) {
+        detectedEnvVars.push(v);
+      }
     }
   }
 
-  if (targets.length === 0) return { triggered: false, targets: [], exfilMethod: null, detectedEnvVars: [] };
+  if (targets.length === 0) {
+    return { triggered: false, targets: [], exfilMethod: null, detectedEnvVars: [] };
+  }
 
   let exfilMethod = null;
   if (HTTP_POST_EXFIL_RE.test(code)) {

package/backend/detectors/typosquat-vpmdhaj/index.js

@@ -7,7 +7,11 @@ const RULE_SEVERITY = { D1: 'critical', D2: 'critical', D3: 'critical' };
 const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
 
 function highestSeverity(severities) {
-  for (const s of SEVERITY_ORDER) if (severities.includes(s)) return s;
+  for (const s of SEVERITY_ORDER) {
+    if (severities.includes(s)) {
+      return s;
+    }
+  }
   return 'none';
 }
 
@@ -18,36 +22,45 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
 
   const d1Result = scanMaintainerAnomaly(pkgJson, registryMeta);
   if (d1Result.stopCondition) {
-    const evidence = attachProvenance({
-      rule: 'TSQ-MAINT-001',
-      campaign: 'TYPOSQUAT_VPMDHAJ',
-      triggeredChecks: ['D1'],
-      maintainer: d1Result.maintainer,
-      suspiciousAliases: d1Result.suspiciousAliases,
-      action: 'BLOCK',
-    }, {
-      ruleId: 'TSQ-MAINT-001',
-      ruleName: 'Maintainer & Package Alias Anomalies',
-      severity: 'CRITICAL',
-      campaignName: 'Mass Typosquatting (vpmdhaj)',
-      pkgName,
-      pkgVersion,
-      triggered: true,
-      severity: 'critical',
-      indicators: [{ type: 'blocked_maintainer', value: d1Result.maintainer }, ...d1Result.suspiciousAliases.map(a => ({ type: 'suspicious_alias', value: a }))],
-      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js',
-      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-    });
+    const evidence = attachProvenance(
+      {
+        rule: 'TSQ-MAINT-001',
+        campaign: 'TYPOSQUAT_VPMDHAJ',
+        triggeredChecks: ['D1'],
+        maintainer: d1Result.maintainer,
+        suspiciousAliases: d1Result.suspiciousAliases,
+        action: 'BLOCK',
+      },
+      {
+        ruleId: 'TSQ-MAINT-001',
+        ruleName: 'Maintainer & Package Alias Anomalies',
+        campaignName: 'Mass Typosquatting (vpmdhaj)',
+        pkgName,
+        pkgVersion,
+        triggered: true,
+        severity: 'critical',
+        indicators: [
+          { type: 'blocked_maintainer', value: d1Result.maintainer },
+          ...d1Result.suspiciousAliases.map((a) => ({ type: 'suspicious_alias', value: a })),
+        ],
+        ruleProvenanceUrl:
+          'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js',
+        campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+      }
+    );
 
-    return [{
-      id: 'TYPOSQUAT_VPMDHAJ',
-      severity: 'critical',
-      title: 'Mass Typosquatting campaign (vpmdhaj) — blocked maintainer',
-      description: d1Result.reason,
-      evidence: JSON.stringify(evidence),
-      mitigation: 'BLOCK IMMEDIATELY. Do not install packages from maintainer vpmdhaj. Audit all packages from your lockfile for this maintainer. Check for typosquatting of popular packages.',
-      stopCondition: true,
-    }];
+    return [
+      {
+        id: 'TYPOSQUAT_VPMDHAJ',
+        severity: 'critical',
+        title: 'Mass Typosquatting campaign (vpmdhaj) — blocked maintainer',
+        description: d1Result.reason,
+        evidence: JSON.stringify(evidence),
+        mitigation:
+          'BLOCK IMMEDIATELY. Do not install packages from maintainer vpmdhaj. Audit all packages from your lockfile for this maintainer. Check for typosquatting of popular packages.',
+        stopCondition: true,
+      },
+    ];
   }
 
   const d2Result = scanPreinstallLoader(pkgJson);
@@ -63,36 +76,42 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     .filter(([_, r]) => r.triggered)
     .map(([id]) => id);
 
-  if (triggered.length === 0) return [];
+  if (triggered.length === 0) {
+    return [];
+  }
 
-  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const severity = highestSeverity(triggered.map((id) => RULE_SEVERITY[id]));
 
-  const evidence = attachProvenance({
-    campaign: 'TYPOSQUAT_VPMDHAJ',
-    triggeredChecks: triggered,
-    details: Object.fromEntries(
-      Object.entries(results).filter(([_, r]) => r.triggered)
-    ),
-  }, {
-    ruleId: 'TYPOSQUAT_VPMDHAJ',
-    ruleName: 'Mass Typosquatting Campaign Detection',
-    severity: severity.toUpperCase(),
-    campaignName: 'Mass Typosquatting (vpmdhaj)',
-    pkgName,
-    pkgVersion,
-    triggered: true,
-    severity,
-    indicators: triggered.map(id => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
-    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/',
-    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-  });
+  const evidence = attachProvenance(
+    {
+      campaign: 'TYPOSQUAT_VPMDHAJ',
+      triggeredChecks: triggered,
+      details: Object.fromEntries(Object.entries(results).filter(([_, r]) => r.triggered)),
+    },
+    {
+      ruleId: 'TYPOSQUAT_VPMDHAJ',
+      ruleName: 'Mass Typosquatting Campaign Detection',
+      campaignName: 'Mass Typosquatting (vpmdhaj)',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity,
+      indicators: triggered.map((id) => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
+      ruleProvenanceUrl:
+        'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    }
+  );
 
-  return [{
-    id: 'TYPOSQUAT_VPMDHAJ',
-    severity,
-    title: 'Mass Typosquatting campaign (vpmdhaj)',
-    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'Block install immediately. Revoke any npm tokens. Rotate CI/CD secrets. Audit all packages from maintainer vpmdhaj. If credential exfiltration detected: rotate AWS IAM keys, Vault tokens, and GitHub tokens immediately. Verify CloudTrail/audit logs for unauthorized access.',
-  }];
+  return [
+    {
+      id: 'TYPOSQUAT_VPMDHAJ',
+      severity,
+      title: 'Mass Typosquatting campaign (vpmdhaj)',
+      description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation:
+        'Block install immediately. Revoke any npm tokens. Rotate CI/CD secrets. Audit all packages from maintainer vpmdhaj. If credential exfiltration detected: rotate AWS IAM keys, Vault tokens, and GitHub tokens immediately. Verify CloudTrail/audit logs for unauthorized access.',
+    },
+  ];
 }