@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/detectors/atk-002-obfusc.js

@@ -1,12 +1,43 @@
-const DIST_BUILD_PATTERNS = [/\/dist\//, /\/build\//, /\/bundle/, /\/min\//, /\.min\.js$/, /\.bundled?\.js$/];
-const TEST_FIXTURE_PATTERNS = [/\/test\//, /\/tests\//, /\/__tests__\//, /\/spec\//, /\.test\.js$/, /\.spec\.js$/, /fixtures?/];
+const DIST_BUILD_PATTERNS = [
+  /\/dist\//,
+  /\/build\//,
+  /\/bundle/,
+  /\/min\//,
+  /\.min\.js$/,
+  /\.bundled?\.js$/,
+];
+const TEST_FIXTURE_PATTERNS = [
+  /\/test\//,
+  /\/tests\//,
+  /\/__tests__\//,
+  /\/spec\//,
+  /\.test\.js$/,
+  /\.spec\.js$/,
+  /fixtures?/,
+];
 const KNOWN_SAFE_DOMAINS = [
-  'registry.npmjs.org', 'cdn.jsdelivr.net', 'unpkg.com', 'cdn.skypack.dev',
-  'esm.sh', 'deno.land', 'raw.githubusercontent.com', 'github.com',
-  'npmjs.com', 'nodejs.org', 'v8.dev', 'typescriptlang.org'
+  'registry.npmjs.org',
+  'cdn.jsdelivr.net',
+  'unpkg.com',
+  'cdn.skypack.dev',
+  'esm.sh',
+  'deno.land',
+  'raw.githubusercontent.com',
+  'github.com',
+  'npmjs.com',
+  'nodejs.org',
+  'v8.dev',
+  'typescriptlang.org',
 ];
 
-const LIFECYCLE_SCRIPT_NAMES = ['install', 'postinstall', 'preinstall', 'prepare', 'prepack', 'postpack'];
+const LIFECYCLE_SCRIPT_NAMES = [
+  'install',
+  'postinstall',
+  'preinstall',
+  'prepare',
+  'prepack',
+  'postpack',
+];
 
 function extractUrlDomain(code) {
   const urlMatch = code.match(/https?:\/\/([^/'"\s]+)/);
@@ -14,22 +45,26 @@ function extractUrlDomain(code) {
 }
 
 function isDistOrBuild(filePath) {
-  return DIST_BUILD_PATTERNS.some(p => p.test(filePath));
+  return DIST_BUILD_PATTERNS.some((p) => p.test(filePath));
 }
 
 function isTestOrFixture(filePath) {
-  return TEST_FIXTURE_PATTERNS.some(p => p.test(filePath));
+  return TEST_FIXTURE_PATTERNS.some((p) => p.test(filePath));
 }
 
 function isKnownSafeDomain(domain) {
-  if (!domain) return false;
-  return KNOWN_SAFE_DOMAINS.some(safe => domain === safe || domain.endsWith('.' + safe));
+  if (!domain) {
+    return false;
+  }
+  return KNOWN_SAFE_DOMAINS.some((safe) => domain === safe || domain.endsWith('.' + safe));
 }
 
 function locateLine(code, pattern) {
   const lines = code.split('\n');
   for (let i = 0; i < lines.length; i++) {
-    if (pattern.test(lines[i])) return i + 1;
+    if (pattern.test(lines[i])) {
+      return i + 1;
+    }
   }
   return null;
 }
@@ -40,65 +75,96 @@ function decodePreview(code) {
     try {
       const decoded = atob(b64Match[1]);
       return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
-    } catch {}
+    } catch {
+      /* ignore decode errors */
+    }
   }
-  
+
   const hexMatch = code.match(/Buffer\.from\(['"]([0-9a-fA-F]+)['"],\s*['"]hex['"]\)/);
   if (hexMatch) {
     try {
       const decoded = Buffer.from(hexMatch[1], 'hex').toString();
       return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
-    } catch {}
+    } catch {
+      /* ignore decode errors */
+    }
   }
-  
+
   const btoaMatch = code.match(/btoa\(['"]([A-Za-z0-9+/=]{10,})['"]\)/);
   if (btoaMatch) {
     try {
       const decoded = atob(btoaMatch[1]);
       return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
-    } catch {}
+    } catch {
+      /* ignore decode errors */
+    }
   }
-  
+
   return null;
 }
 
 function detectEncodingType(code) {
-  if (/Buffer\.from\(['"][0-9a-fA-F]+['"],\s*['"]hex['"]\)/.test(code)) return 'hex';
-  if (/atob\(/.test(code)) return 'base64';
-  if (/btoa\(/.test(code)) return 'base64';
-  if (/Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code)) return 'base64';
-  if (/String\.fromCharCode\(/.test(code)) return 'charcode';
-  if (/btoa\(.*btoa\(|atob\(.*atob\(/.test(code)) return 'double-base64';
+  if (/Buffer\.from\(['"][0-9a-fA-F]+['"],\s*['"]hex['"]\)/.test(code)) {
+    return 'hex';
+  }
+  if (/atob\(/.test(code)) {
+    return 'base64';
+  }
+  if (/btoa\(/.test(code)) {
+    return 'base64';
+  }
+  if (/Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code)) {
+    return 'base64';
+  }
+  if (/String\.fromCharCode\(/.test(code)) {
+    return 'charcode';
+  }
+  if (/btoa\(.*btoa\(|atob\(.*atob\(/.test(code)) {
+    return 'double-base64';
+  }
   return 'unknown';
 }
 
 function isFileInLifecycleScript(filePath, pkgJson) {
-  if (!pkgJson?.scripts) return false;
-  
+  if (!pkgJson?.scripts) {
+    return false;
+  }
+
   const scripts = pkgJson.scripts;
   const fileName = filePath.split('/').pop();
-  const normalizedPath = filePath.replace(/^node_modules\//, '').replace(/^dist\//, '').replace(/^build\//, '');
-  
+  const normalizedPath = filePath
+    .replace(/^node_modules\//, '')
+    .replace(/^dist\//, '')
+    .replace(/^build\//, '');
+
   for (const scriptName of LIFECYCLE_SCRIPT_NAMES) {
     const scriptValue = scripts[scriptName];
-    if (!scriptValue) continue;
-    
-    if (scriptValue.includes(filePath)) return true;
-    if (scriptValue.includes(fileName)) return true;
-    if (scriptValue.includes(normalizedPath)) return true;
-    
+    if (!scriptValue) {
+      continue;
+    }
+
+    if (scriptValue.includes(filePath)) {
+      return true;
+    }
+    if (scriptValue.includes(fileName)) {
+      return true;
+    }
+    if (scriptValue.includes(normalizedPath)) {
+      return true;
+    }
+
     const scriptFileMatch = scriptValue.match(/[^\s'"]+\.js$/);
-    if (scriptFileMatch && filePath.endsWith(scriptFileMatch[0])) return true;
+    if (scriptFileMatch && filePath.endsWith(scriptFileMatch[0])) {
+      return true;
+    }
   }
-  
+
   return false;
 }
 
 function isLikelyLifecycleFileName(filePath) {
   const name = filePath.split('/').pop().replace(/\.js$/, '');
-  return LIFECYCLE_SCRIPT_NAMES.includes(name) || 
-         name === 'setup' || 
-         name === 'install-helper';
+  return LIFECYCLE_SCRIPT_NAMES.includes(name) || name === 'setup' || name === 'install-helper';
 }
 
 function createEvidence(code, filePath, pattern, pkgJson) {
@@ -106,8 +172,9 @@ function createEvidence(code, filePath, pattern, pkgJson) {
   const line = locateLine(code, pattern);
   const decodedPreview = decodePreview(code);
   const destinationHost = extractUrlDomain(code);
-  const lifecycleHook = isFileInLifecycleScript(filePath, pkgJson) || isLikelyLifecycleFileName(filePath);
-  
+  const lifecycleHook =
+    isFileInLifecycleScript(filePath, pkgJson) || isLikelyLifecycleFileName(filePath);
+
   return {
     file: filePath,
     line: line,
@@ -121,7 +188,7 @@ function createEvidence(code, filePath, pattern, pkgJson) {
 export async function scan(pkgJson, files = []) {
   const findings = [];
   const pkgName = pkgJson?.name || '';
-  const selfName = pkgName.replace(/^@/, '').replace(/\//, '-');
+  const _selfName = pkgName.replace(/^@/, '').replace(/\//, '-');
 
   for (const f of files) {
     const code = f.content;
@@ -137,15 +204,23 @@ export async function scan(pkgJson, files = []) {
     if (hasEval) {
       const hexDecode = /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"]/.test(code);
       const b64Decode = /atob\(|Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code);
-      const b64UrlDecode = /try\s*\{[^}]*atob\s*\(/s.test(code) || /btoa\(.*\)\s*[^;]*\.replace\(/s.test(code);
+      const b64UrlDecode =
+        /try\s*\{[^}]*atob\s*\(/s.test(code) || /btoa\(.*\)\s*[^;]*\.replace\(/s.test(code);
 
       if (hexDecode || b64Decode || b64UrlDecode) {
-        const evidence = createEvidence(code, filePath, /eval\(|new Function\(|\bFunction\('/, pkgJson);
+        const evidence = createEvidence(
+          code,
+          filePath,
+          /eval\(|new Function\(|\bFunction\('/,
+          pkgJson
+        );
         findings.push({
           id: 'ATK-002',
           severity: 'medium',
           title: 'Obfuscated payload',
-          description: hexDecode ? 'Eval with hex-decoded payload' : 'Eval with base64-decoded payload',
+          description: hexDecode
+            ? 'Eval with hex-decoded payload'
+            : 'Eval with base64-decoded payload',
           evidence: evidence,
           context: {
             file_path: filePath,
@@ -184,8 +259,12 @@ export async function scan(pkgJson, files = []) {
       }
     }
 
-    if (/atob\(|Buffer\.from/.test(code) && /url|fetch|curl|http\.request|https\.request/.test(code)) {
-      const isNetworkObfusc = /atob\(.*(https?:\/\/|\\x|http).*\)/s.test(code) ||
+    if (
+      /atob\(|Buffer\.from/.test(code) &&
+      /url|fetch|curl|http\.request|https\.request/.test(code)
+    ) {
+      const isNetworkObfusc =
+        /atob\(.*(https?:\/\/|\\x|http).*\)/s.test(code) ||
         /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"].*fetch\(|fetch\(.*atob\(/s.test(code);
       if (isNetworkObfusc) {
         const evidence = createEvidence(code, filePath, /atob\(|Buffer\.from/, pkgJson);
@@ -259,4 +338,4 @@ export async function scan(pkgJson, files = []) {
   }
 
   return findings;
-}
+}

package/backend/detectors/atk-003-creds.js

@@ -1,14 +1,18 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
-  if (/process\.env\.(NPM_TOKEN|GIT_TOKEN|AWS_SECRET|AWS_ACCESS|SSH_KEY)|\.npmrc|\.ssh\/id_rsa|readFile.*\.ssh/.test(code)) {
+  const code = files.map((f) => f.content).join('\n');
+  if (
+    /process\.env\.(NPM_TOKEN|GIT_TOKEN|AWS_SECRET|AWS_ACCESS|SSH_KEY)|\.npmrc|\.ssh\/id_rsa|readFile.*\.ssh/.test(
+      code
+    )
+  ) {
     findings.push({
       id: 'ATK-003',
       severity: 'high',
       title: 'Credential harvesting',
       description: 'Env vars or .npmrc/SSH key access',
-      evidence: 'credential pattern match'
+      evidence: 'credential pattern match',
     });
   }
   return findings;
-}
+}

package/backend/detectors/atk-004-persist.js

@@ -1,14 +1,14 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
+  const code = files.map((f) => f.content).join('\n');
   if (/mkdir.*(\.vscode|\.claude|\.cursor)/.test(code)) {
     findings.push({
       id: 'ATK-004',
       severity: 'high',
       title: 'Persistence via editor configs',
       description: 'Creates .vscode/.claude/.cursor dirs',
-      evidence: 'mkdir pattern match'
+      evidence: 'mkdir pattern match',
     });
   }
   return findings;
-}
+}

package/backend/detectors/atk-005-exfil.js

@@ -1,14 +1,18 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
-  if (/curl.*(-d|--data|--data-binary)|github\.com\/.*keys|pastebin|dns\.resolve.*\.com|exfil/.test(code.toLowerCase())) {
+  const code = files.map((f) => f.content).join('\n');
+  if (
+    /curl.*(-d|--data|--data-binary)|github\.com\/.*keys|pastebin|dns\.resolve.*\.com|exfil/.test(
+      code.toLowerCase()
+    )
+  ) {
     findings.push({
       id: 'ATK-005',
       severity: 'critical',
       title: 'Network exfiltration',
       description: 'Suspicious network calls: curl data exfil, pastebin, dns tunneling',
-      evidence: 'network exfil pattern'
+      evidence: 'network exfil pattern',
     });
   }
   return findings;
-}
+}

package/backend/detectors/atk-006-depconf.js

@@ -1,15 +1,15 @@
 export async function scan(pkgJson) {
   const findings = [];
   const deps = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
-  const squat = Object.keys(deps).filter(d => /squat|confus|typo/i.test(d.toLowerCase()));
+  const squat = Object.keys(deps).filter((d) => /squat|confus|typo/i.test(d.toLowerCase()));
   if (squat.length) {
     findings.push({
       id: 'ATK-006',
       severity: 'medium',
       title: 'Dependency confusion',
       description: 'Suspicious dependency names',
-      evidence: squat.join(', ')
+      evidence: squat.join(', '),
     });
   }
   return findings;
-}
+}

package/backend/detectors/atk-007-typosquat.js

@@ -1,12 +1,62 @@
-const TOP_PKGS = ['lodash', 'react', 'express', 'axios', 'chalk', 'vue', 'typescript', 'moment', 'uuid', 'commander', 'debug', 'semver', 'underscore', 'request', 'async', 'cheerio', 'bluebird', 'jest', 'mocha', 'dotenv', 'glob', 'minimist', 'body-parser', 'cors', 'helmet', 'jsonwebtoken', 'socket.io', 'redis', 'mongoose', 'sequelize', 'pg', 'passport', 'nodemailer', 'multer', 'bcrypt', 'winston', 'luxon', 'dayjs', 'rxjs', 'redux'];
+const TOP_PKGS = [
+  'lodash',
+  'react',
+  'express',
+  'axios',
+  'chalk',
+  'vue',
+  'typescript',
+  'moment',
+  'uuid',
+  'commander',
+  'debug',
+  'semver',
+  'underscore',
+  'request',
+  'async',
+  'cheerio',
+  'bluebird',
+  'jest',
+  'mocha',
+  'dotenv',
+  'glob',
+  'minimist',
+  'body-parser',
+  'cors',
+  'helmet',
+  'jsonwebtoken',
+  'socket.io',
+  'redis',
+  'mongoose',
+  'sequelize',
+  'pg',
+  'passport',
+  'nodemailer',
+  'multer',
+  'bcrypt',
+  'winston',
+  'luxon',
+  'dayjs',
+  'rxjs',
+  'redux',
+];
 
 function levenshtein(a, b) {
-  const m = a.length, n = b.length;
+  const m = a.length,
+    n = b.length;
   const d = Array.from({ length: m + 1 }, (_, i) => [i]);
-  for (let j = 0; j <= n; j++) d[0][j] = j;
-  for (let i = 1; i <= m; i++)
-    for (let j = 1; j <= n; j++)
-      d[i][j] = Math.min(d[i-1][j]+1, d[i][j-1]+1, d[i-1][j-1]+(a[i-1]===b[j-1]?0:1));
+  for (let j = 0; j <= n; j++) {
+    d[0][j] = j;
+  }
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      d[i][j] = Math.min(
+        d[i - 1][j] + 1,
+        d[i][j - 1] + 1,
+        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)
+      );
+    }
+  }
   return d[m][n];
 }
 
@@ -14,9 +64,13 @@ export async function scan(pkgJson) {
   const findings = [];
   const deps = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
   const names = Object.keys(deps);
-  if (names.length === 0) return findings;
+  if (names.length === 0) {
+    return findings;
+  }
   for (const d of names) {
-    if (d.length < 4) continue;
+    if (d.length < 4) {
+      continue;
+    }
     for (const top of TOP_PKGS) {
       const dist = levenshtein(d, top);
       if (dist > 0 && dist <= 2 && d !== top) {
@@ -25,11 +79,11 @@ export async function scan(pkgJson) {
           severity: 'low',
           title: 'Typosquatting suspect',
           description: `"${d}" is edit-distance ${dist} from "${top}"`,
-          evidence: d
+          evidence: d,
         });
         break;
       }
     }
   }
   return findings;
-}
+}

package/backend/detectors/atk-008-tarball-tamper.js

@@ -1,7 +1,7 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
   const repo = pkgJson.repository || {};
-  const repoUrl = typeof repo === 'string' ? repo : (repo.url || '');
+  const repoUrl = typeof repo === 'string' ? repo : repo.url || '';
   const pkgName = (pkgJson.name || '').toLowerCase();
 
   const knownRepos = {
@@ -29,7 +29,7 @@ export async function scan(pkgJson, files = []) {
   };
 
   if (repoUrl && repoUrl.includes('github.com')) {
-    const repoMatch = repoUrl.match(/github\.com[\/:]([\w.-]+\/[\w.-]+?)(?:\.git)?$/);
+    const repoMatch = repoUrl.match(/github\.com[/:]([\w.-]+\/[\w.-]+?)(?:\.git)?$/);
     if (repoMatch) {
       const ghRepo = repoMatch[1].toLowerCase();
       const ghName = ghRepo.split('/')[1];
@@ -45,7 +45,7 @@ export async function scan(pkgJson, files = []) {
             severity: 'high',
             title: 'Tarball tampering suspect',
             description: `Repository "${ghRepo}" does not match expected "${expectedRepo}" for package "${pkgName}"`,
-            evidence: `repo: ${ghRepo}, expected: ${expectedRepo}`
+            evidence: `repo: ${ghRepo}, expected: ${expectedRepo}`,
           });
         } else {
           const orgExpected = knownRepos[shortName];
@@ -57,7 +57,7 @@ export async function scan(pkgJson, files = []) {
                 severity: 'medium',
                 title: 'Tarball tampering suspect',
                 description: `Repository "${ghRepo}" is a different repo under a different org (legitimate: ${expectedRepo})`,
-                evidence: `org mismatch: ${ghOrg} vs ${expectedOrg}`
+                evidence: `org mismatch: ${ghOrg} vs ${expectedOrg}`,
               });
             }
           }
@@ -66,7 +66,7 @@ export async function scan(pkgJson, files = []) {
     }
   }
 
-  const code = files.map(f => f.content).join('\n');
+  const code = files.map((f) => f.content).join('\n');
   const embeddedIntros = code.match(/\/\/\s*Source:\s*(https?:\/\/[^\s]+)/gi);
   if (embeddedIntros && repoUrl) {
     for (const intro of embeddedIntros) {
@@ -78,7 +78,7 @@ export async function scan(pkgJson, files = []) {
             severity: 'medium',
             title: 'Tarball tampering suspect',
             description: 'Source URL in file does not match declared repository',
-            evidence: srcUrl
+            evidence: srcUrl,
           });
         }
       } catch {

package/backend/detectors/atk-009-dormant-trigger.js

@@ -1,10 +1,13 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
+  const code = files.map((f) => f.content).join('\n');
 
   const ciPatterns = [
     { pattern: /process\.env\.CI\b/, label: 'CI env check' },
-    { pattern: /process\.env\.(TRAVIS|CIRCLECI|GITHUB_ACTIONS|JENKINS|GITLAB_CI|CODEBUILD)/, label: 'CI platform check' },
+    {
+      pattern: /process\.env\.(TRAVIS|CIRCLECI|GITHUB_ACTIONS|JENKINS|GITLAB_CI|CODEBUILD)/,
+      label: 'CI platform check',
+    },
     { pattern: /\bisCI\b/, label: 'isCI utility check' },
   ];
 
@@ -15,7 +18,7 @@ export async function scan(pkgJson, files = []) {
         severity: 'high',
         title: 'Conditional trigger (CI/production env)',
         description: `Package checks for CI or production environment: ${label}`,
-        evidence: 'conditional trigger detected'
+        evidence: 'conditional trigger detected',
       });
       break;
     }
@@ -24,7 +27,8 @@ export async function scan(pkgJson, files = []) {
   const suspiciousCode = /\beval\(|atob\(|btoa\(|new Function\(|child_process\b|\.exec\(|spawn\(/;
   const suspiciousNetwork = /\.fetch\(|http\.request\(|https\.request\(|dns\.lookup\(/;
   const suspiciousEnv = /process\.env\.(?!NODE_ENV)[A-Z_]{4,}/;
-  const hasSuspicious = suspiciousCode.test(code) || suspiciousNetwork.test(code) || suspiciousEnv.test(code);
+  const hasSuspicious =
+    suspiciousCode.test(code) || suspiciousNetwork.test(code) || suspiciousEnv.test(code);
 
   const timePatterns = [
     {
@@ -52,7 +56,7 @@ export async function scan(pkgJson, files = []) {
         severity: hasSuspicious ? 'high' : 'medium',
         title: 'Conditional trigger (time-based)',
         description: `Package uses ${label}`,
-        evidence: `${label}${hasSuspicious ? ' — elevated (suspicious context: eval/network/exec detected)' : ''}`
+        evidence: `${label}${hasSuspicious ? ' — elevated (suspicious context: eval/network/exec detected)' : ''}`,
       });
       break;
     }

package/backend/detectors/atk-010-sandbox-evasion.js

@@ -1,13 +1,22 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
+  const code = files.map((f) => f.content).join('\n');
 
   const highPatterns = [
     { pattern: /\bdebugger\s*;?(\s*\/\/|\s*$|\)|\])/m, label: 'debugger statement' },
-    { pattern: /process\.argv.*['"]--inspect['"]|process\.argv.*\binspect\b(?!.*argv)/, label: 'inspect/debug flag detection' },
-    { pattern: /hostname.*(?:docker|sandbox|container|vmware|vbox)/i, label: 'anti-sandbox hostname check' },
+    {
+      pattern: /process\.argv.*['"]--inspect['"]|process\.argv.*\binspect\b(?!.*argv)/,
+      label: 'inspect/debug flag detection',
+    },
+    {
+      pattern: /hostname.*(?:docker|sandbox|container|vmware|vbox)/i,
+      label: 'anti-sandbox hostname check',
+    },
     { pattern: /detect.*(?:sandbox|debugger|analysis|virtual)/i, label: 'explicit evasion probe' },
-    { pattern: /e\.stack\b.*(?:sandbox|docker|container|vmware)/i, label: 'stack trace sandbox probe' },
+    {
+      pattern: /e\.stack\b.*(?:sandbox|docker|container|vmware)/i,
+      label: 'stack trace sandbox probe',
+    },
   ];
 
   for (const { pattern, label } of highPatterns) {
@@ -17,35 +26,41 @@ export async function scan(pkgJson, files = []) {
         severity: 'high',
         title: 'Sandbox evasion / anti-analysis',
         description: `Package performs anti-analysis behavior: ${label}`,
-        evidence: 'evasion pattern detected'
+        evidence: 'evasion pattern detected',
       });
       break;
     }
   }
 
   if (findings.length === 0) {
-    const multiApi = ['process.pid', 'process.ppid', 'os.hostname', 'os.cpus', 'process.arch'].filter(api => code.includes(api));
+    const multiApi = [
+      'process.pid',
+      'process.ppid',
+      'os.hostname',
+      'os.cpus',
+      'process.arch',
+    ].filter((api) => code.includes(api));
     if (multiApi.length >= 3) {
       findings.push({
         id: 'ATK-010',
         severity: 'medium',
         title: 'Sandbox evasion / anti-analysis',
         description: 'Multiple system fingerprinting APIs detected',
-        evidence: `${multiApi.length} fingerprinting APIs: ${multiApi.join(', ')}`
+        evidence: `${multiApi.length} fingerprinting APIs: ${multiApi.join(', ')}`,
       });
     }
   }
 
-  const multiStack = ['Error().stack', 'new Error().stack'].filter(s => code.includes(s));
+  const multiStack = ['Error().stack', 'new Error().stack'].filter((s) => code.includes(s));
   if (multiStack.length > 0 && /atob|eval|execSync|spawn|child_process/.test(code)) {
     findings.push({
       id: 'ATK-010',
       severity: 'medium',
       title: 'Sandbox evasion / anti-analysis',
       description: 'Stack trace capture combined with code execution',
-      evidence: 'stack trace + execution'
+      evidence: 'stack trace + execution',
     });
   }
 
   return findings;
-}
+}