@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/detectors/atk-011-transitive-prop.js

@@ -1,27 +1,28 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
+  const code = files.map((f) => f.content).join('\n');
 
   const highPatterns = [
     {
       pattern: /(?:exec|execSync|spawn)\s*\([^)]*npm\s+(?:install|link)\s*\./i,
-      label: 'programmatic self-propagation via npm install/link'
+      label: 'programmatic self-propagation via npm install/link',
     },
     {
-      pattern: /fs\.(?:writeFile|writeFileSync|copyFile|copyFileSync)\s*\([^)]*(?:node_modules\/(?!\.)[^/]+).*(?:index\.js|main\.js|package\.json)/i,
-      label: 'direct file write to peer node_modules'
+      pattern:
+        /fs\.(?:writeFile|writeFileSync|copyFile|copyFileSync)\s*\([^)]*(?:node_modules\/(?!\.)[^/]+).*(?:index\.js|main\.js|package\.json)/i,
+      label: 'direct file write to peer node_modules',
     },
     {
       pattern: /fs\.(?:writeFile|writeFileSync)\s*\([^)]*package\.json[^)]*["']scripts["']/i,
-      label: 'package.json script injection in another package'
+      label: 'package.json script injection in another package',
     },
     {
       pattern: /fs\.(?:writeFile|writeFileSync)\s*\([^)]*\.\.\/[^)]*package\.json/i,
-      label: 'writes modified package.json to sibling package'
+      label: 'writes modified package.json to sibling package',
     },
     {
       pattern: /(?:exec|execSync|spawn)\s*\([^)]*(?:\.\.\/|process\.env\.INIT_CWD).*npm\s+install/i,
-      label: 'cross-directory npm install propagation'
+      label: 'cross-directory npm install propagation',
     },
   ];
 
@@ -32,7 +33,7 @@ export async function scan(pkgJson, files = []) {
         severity: 'high',
         title: 'Transitive propagation (worm)',
         description: `Package attempts lateral worm-style spread: ${label}`,
-        evidence: 'transitive propagation pattern detected'
+        evidence: 'transitive propagation pattern detected',
       });
       break;
     }
@@ -42,19 +43,19 @@ export async function scan(pkgJson, files = []) {
     const mediumPatterns = [
       {
         pattern: /process\.env\.npm_package_name/,
-        label: 'reads own package name from env (self-awareness indicator)'
+        label: 'reads own package name from env (self-awareness indicator)',
       },
       {
         pattern: /fs\.symlink(?:Sync)?\s*\([^)]*node_modules/,
-        label: 'creates symlinks in node_modules (worm spreading mechanism)'
+        label: 'creates symlinks in node_modules (worm spreading mechanism)',
       },
       {
         pattern: /fs\.(?:mkdir|mkdirSync)\s*\([^)]*\.\.\/[^)]*node_modules/,
-        label: 'creates directories in parent node_modules'
+        label: 'creates directories in parent node_modules',
       },
       {
         pattern: /__dirname.*\.\.\/[^/]+\/node_modules.*require\(/,
-        label: 'dynamic parent-node_modules require for lateral spread'
+        label: 'dynamic parent-node_modules require for lateral spread',
       },
     ];
 
@@ -65,7 +66,7 @@ export async function scan(pkgJson, files = []) {
           severity: 'medium',
           title: 'Transitive propagation (worm)',
           description: label,
-          evidence: 'potential propagation indicator'
+          evidence: 'potential propagation indicator',
         });
         break;
       }

package/backend/detectors/axios-poisoning/d1-version-fingerprint.js

@@ -1,13 +1,13 @@
-const BLOCKED_VERSIONS = new Map([
-  ['axios', ['1.14.1', '0.30.4']],
-]);
+const BLOCKED_VERSIONS = new Map([['axios', ['1.14.1', '0.30.4']]]);
 
 export function scanVersionBlocklist(pkgJson) {
   const pkgName = pkgJson?.name || '';
   const pkgVersion = pkgJson?.version || '';
 
   const blocked = BLOCKED_VERSIONS.get(pkgName);
-  if (!blocked) return { triggered: false, stopCondition: false, matchedVersion: null };
+  if (!blocked) {
+    return { triggered: false, stopCondition: false, matchedVersion: null };
+  }
 
   if (blocked.includes(pkgVersion)) {
     return {

package/backend/detectors/axios-poisoning/d2-decoy-dep.js

@@ -1,7 +1,11 @@
 const KNOWN_DECOYS = ['plain-crypto-js'];
 
 export function scanDecoyDependency(pkgJson) {
-  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
+  const deps = {
+    ...pkgJson?.dependencies,
+    ...pkgJson?.devDependencies,
+    ...pkgJson?.peerDependencies,
+  };
   const findings = [];
 
   for (const depName of KNOWN_DECOYS) {

package/backend/detectors/axios-poisoning/d3-postinstall-rat.js

@@ -7,7 +7,8 @@ const CRON_PERSIST_RE = /crontab\s+-[ei]|@reboot\s+|@daily\s+|@hourly\s+/;
 const DLL_LOAD_RE = /LoadLibrary|dlopen|LoadLibraryEx|lib\.(?:LoadLibrary|dlopen)/;
 const PROCESS_INJECT_RE = /CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|NtCreateThreadEx/;
 const NET_CALLBACK_RE = /(?:https?:\/\/|wss?:\/\/|ws:\/\/)(?:[^\s'"]*\.[^\s'"]{2,})/;
-const BINARY_DROP_RE = /(?:fs\.writeFileSync|writeFile|writeFileSync)\s*\([^)]*(?:\.exe|\.dll|\.bin|\.bat|\.ps1)/;
+const BINARY_DROP_RE =
+  /(?:fs\.writeFileSync|writeFile|writeFileSync)\s*\([^)]*(?:\.exe|\.dll|\.bin|\.bat|\.ps1)/;
 
 const SUSPICIOUS_HOOK_PATTERNS = [
   /curl|wget|fetch|https?:\/\//,
@@ -22,7 +23,7 @@ const SUSPICIOUS_HOOK_PATTERNS = [
 
 export function scanPostinstallRAT(pkgJson, files = []) {
   const scripts = pkgJson?.scripts || {};
-  const code = files.map(f => f.content || '').join('\n');
+  const code = files.map((f) => f.content || '').join('\n');
 
   const activeHooks = [];
   for (const hook of SUSPICIOUS_HOOKS) {
@@ -32,39 +33,76 @@ export function scanPostinstallRAT(pkgJson, files = []) {
   }
 
   if (activeHooks.length === 0) {
-    return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+    return {
+      triggered: false,
+      platforms: [],
+      c2Indicators: [],
+      payloadType: null,
+      hooks: [],
+      hasBinaryDrop: false,
+    };
   }
 
-  const combined = code + '\n' + activeHooks.map(h => h.command).join('\n');
+  const combined = code + '\n' + activeHooks.map((h) => h.command).join('\n');
 
-  const hasSuspiciousCode = SUSPICIOUS_HOOK_PATTERNS.some(p => p.test(combined));
+  const hasSuspiciousCode = SUSPICIOUS_HOOK_PATTERNS.some((p) => p.test(combined));
 
   if (activeHooks.length > 0 && !hasSuspiciousCode) {
-    return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+    return {
+      triggered: false,
+      platforms: [],
+      c2Indicators: [],
+      payloadType: null,
+      hooks: [],
+      hasBinaryDrop: false,
+    };
   }
 
   const platforms = [];
   let c2Indicators = [];
   let hasBinaryDrop = false;
 
-  if (POWERSHELL_RE.test(combined)) platforms.push('windows');
-  if (LAUNCHD_RE.test(combined)) platforms.push('macos');
-  if (SYSTEMD_SERVICE_RE.test(combined) || CRON_PERSIST_RE.test(combined)) platforms.push('linux');
-  if (TEMP_DIR_RE.test(combined) && (POWERSHELL_RE.test(combined) || BINARY_DROP_RE.test(combined))) {
-    if (!platforms.includes('windows')) platforms.push('windows');
-    if (!platforms.includes('linux')) platforms.push('linux');
-    if (!platforms.includes('macos')) platforms.push('macos');
+  if (POWERSHELL_RE.test(combined)) {
+    platforms.push('windows');
+  }
+  if (LAUNCHD_RE.test(combined)) {
+    platforms.push('macos');
+  }
+  if (SYSTEMD_SERVICE_RE.test(combined) || CRON_PERSIST_RE.test(combined)) {
+    platforms.push('linux');
+  }
+  if (
+    TEMP_DIR_RE.test(combined) &&
+    (POWERSHELL_RE.test(combined) || BINARY_DROP_RE.test(combined))
+  ) {
+    if (!platforms.includes('windows')) {
+      platforms.push('windows');
+    }
+    if (!platforms.includes('linux')) {
+      platforms.push('linux');
+    }
+    if (!platforms.includes('macos')) {
+      platforms.push('macos');
+    }
   }
 
-  if (DLL_LOAD_RE.test(combined)) platforms.push('windows');
-  if (PROCESS_INJECT_RE.test(combined)) platforms.push('windows');
+  if (DLL_LOAD_RE.test(combined)) {
+    platforms.push('windows');
+  }
+  if (PROCESS_INJECT_RE.test(combined)) {
+    platforms.push('windows');
+  }
 
   if (NET_CALLBACK_RE.test(combined)) {
     const urls = combined.match(NET_CALLBACK_RE);
-    c2Indicators = urls ? [...new Set(urls.map(u => u.replace(/['")]/g, '')))] : ['Network callback to external server'];
+    c2Indicators = urls
+      ? [...new Set(urls.map((u) => u.replace(/['")]/g, '')))]
+      : ['Network callback to external server'];
   }
 
-  if (BINARY_DROP_RE.test(combined)) hasBinaryDrop = true;
+  if (BINARY_DROP_RE.test(combined)) {
+    hasBinaryDrop = true;
+  }
 
   let payloadType = null;
   if (platforms.length >= 2 && c2Indicators.length > 0 && hasBinaryDrop) {
@@ -81,10 +119,17 @@ export function scanPostinstallRAT(pkgJson, files = []) {
       payloadType,
       platforms: [...new Set(platforms)],
       c2Indicators,
-      hooks: activeHooks.map(h => h.hook),
+      hooks: activeHooks.map((h) => h.hook),
       hasBinaryDrop,
     };
   }
 
-  return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+  return {
+    triggered: false,
+    platforms: [],
+    c2Indicators: [],
+    payloadType: null,
+    hooks: [],
+    hasBinaryDrop: false,
+  };
 }

package/backend/detectors/axios-poisoning/index.js

@@ -7,47 +7,58 @@ const RULE_SEVERITY = { D1: 'critical', D2: 'critical', D3: 'critical' };
 const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
 
 function highestSeverity(severities) {
-  for (const s of SEVERITY_ORDER) if (severities.includes(s)) return s;
+  for (const s of SEVERITY_ORDER) {
+    if (severities.includes(s)) {
+      return s;
+    }
+  }
   return 'none';
 }
 
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+export async function scan(pkgJson, files = [], _registryMeta = null, allFiles = null) {
   const pkgName = pkgJson?.name || 'unknown';
   const pkgVersion = pkgJson?.version || '0.0.0';
   const fileList = allFiles || files || [];
 
   const d1Result = scanVersionBlocklist(pkgJson);
   if (d1Result.stopCondition) {
-    const evidence = attachProvenance({
-      rule: 'AXS-VER-001',
-      campaign: 'AXIOS_POISONING',
-      triggeredChecks: ['D1'],
-      matchedVersion: d1Result.matchedVersion,
-      action: 'BLOCK_IMMEDIATELY',
-      remediation: `Upgrade to axios@1.14.2 or later, or use pinned safe version`,
-    }, {
-      ruleId: 'AXS-VER-001',
-      ruleName: 'Compromised Axios Version Fingerprinting',
-      severity: 'CRITICAL',
-      campaignName: 'Axios Registry Poisoning',
-      pkgName,
-      pkgVersion,
-      triggered: true,
-      severity: 'critical',
-      indicators: [{ type: 'known_malicious_version', value: `${pkgName}@${pkgVersion}` }],
-      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/d1-version-fingerprint.js',
-      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-    });
+    const evidence = attachProvenance(
+      {
+        rule: 'AXS-VER-001',
+        campaign: 'AXIOS_POISONING',
+        triggeredChecks: ['D1'],
+        matchedVersion: d1Result.matchedVersion,
+        action: 'BLOCK_IMMEDIATELY',
+        remediation: `Upgrade to axios@1.14.2 or later, or use pinned safe version`,
+      },
+      {
+        ruleId: 'AXS-VER-001',
+        ruleName: 'Compromised Axios Version Fingerprinting',
+        campaignName: 'Axios Registry Poisoning',
+        pkgName,
+        pkgVersion,
+        triggered: true,
+        severity: 'critical',
+        indicators: [{ type: 'known_malicious_version', value: `${pkgName}@${pkgVersion}` }],
+        ruleProvenanceUrl:
+          'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/d1-version-fingerprint.js',
+        campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+      }
+    );
 
-    return [{
-      id: 'AXIOS_POISONING',
-      severity: 'critical',
-      title: 'Axios Registry Poisoning campaign',
-      description: `HALT: ${pkgName}@${pkgVersion} is a known compromised version in the Axios registry poisoning campaign. Block install immediately.`,
-      evidence: JSON.stringify(evidence),
-      mitigation: d1Result.reason ? `BLOCK IMMEDIATELY. ${d1Result.reason}. Upgrade to axios@1.14.2 or later, or use pinned safe version.` : 'BLOCK IMMEDIATELY. Upgrade to a safe version.',
-      stopCondition: true,
-    }];
+    return [
+      {
+        id: 'AXIOS_POISONING',
+        severity: 'critical',
+        title: 'Axios Registry Poisoning campaign',
+        description: `HALT: ${pkgName}@${pkgVersion} is a known compromised version in the Axios registry poisoning campaign. Block install immediately.`,
+        evidence: JSON.stringify(evidence),
+        mitigation: d1Result.reason
+          ? `BLOCK IMMEDIATELY. ${d1Result.reason}. Upgrade to axios@1.14.2 or later, or use pinned safe version.`
+          : 'BLOCK IMMEDIATELY. Upgrade to a safe version.',
+        stopCondition: true,
+      },
+    ];
   }
 
   const d2Result = scanDecoyDependency(pkgJson);
@@ -59,36 +70,42 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     .filter(([_, r]) => r.triggered)
     .map(([id]) => id);
 
-  if (triggered.length === 0) return [];
+  if (triggered.length === 0) {
+    return [];
+  }
 
-  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const severity = highestSeverity(triggered.map((id) => RULE_SEVERITY[id]));
 
-  const evidence = attachProvenance({
-    campaign: 'AXIOS_POISONING',
-    triggeredChecks: triggered,
-    details: Object.fromEntries(
-      Object.entries(results).filter(([_, r]) => r.triggered)
-    ),
-  }, {
-    ruleId: 'AXIOS_POISONING',
-    ruleName: 'Axios Registry Poisoning Detection',
-    severity: severity.toUpperCase(),
-    campaignName: 'Axios Registry Poisoning',
-    pkgName,
-    pkgVersion,
-    triggered: true,
-    severity,
-    indicators: triggered.map(id => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
-    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/',
-    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-  });
+  const evidence = attachProvenance(
+    {
+      campaign: 'AXIOS_POISONING',
+      triggeredChecks: triggered,
+      details: Object.fromEntries(Object.entries(results).filter(([_, r]) => r.triggered)),
+    },
+    {
+      ruleId: 'AXIOS_POISONING',
+      ruleName: 'Axios Registry Poisoning Detection',
+      campaignName: 'Axios Registry Poisoning',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity,
+      indicators: triggered.map((id) => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
+      ruleProvenanceUrl:
+        'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    }
+  );
 
-  return [{
-    id: 'AXIOS_POISONING',
-    severity,
-    title: 'Axios Registry Poisoning campaign',
-    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'If decoy dependency detected: verify all axios dependencies are legitimate. If RAT payload detected: run full malware scan on the system, rotate all credentials, check for unauthorized network connections. Upgrade to axios@1.14.2+ or pin to a known safe version.',
-  }];
+  return [
+    {
+      id: 'AXIOS_POISONING',
+      severity,
+      title: 'Axios Registry Poisoning campaign',
+      description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation:
+        'If decoy dependency detected: verify all axios dependencies are legitimate. If RAT payload detected: run full malware scan on the system, rotate all credentials, check for unauthorized network connections. Upgrade to axios@1.14.2+ or pin to a known safe version.',
+    },
+  ];
 }

package/backend/detectors/config/thresholds.js

@@ -0,0 +1,111 @@
+/**
+ * Detector confidence thresholds (calibrated post-validation)
+ *
+ * Format: { detector: { flag_threshold, warn_threshold } }
+ * Thresholds calibrated against:
+ *   - 3 real May 2026 attack campaigns (validation)
+ *   - Top 1,000 npm packages (false positive calibration)
+ */
+
+export default {
+  'TIER1-VERSION-ANOMALY': {
+    flag_threshold: 72,
+    warn_threshold: 60,
+    notes:
+      'Sentinel patterns (99.99.99/11.11.11/10.10.10) always flag at 92 regardless of threshold',
+  },
+  'TIER1-OBFUSCATION-HEURISTICS': {
+    flag_threshold: 75,
+    warn_threshold: 60,
+    notes: 'Increased from 70 post-FP analysis; bundlers (webpack, terser) exempt via whitelist',
+  },
+  'TIER1-BINARY-EMBED': {
+    flag_threshold: 80,
+    warn_threshold: 65,
+    notes:
+      'High threshold justified; platform-specific binary sets are rare in legitimate packages',
+  },
+  'TIER1-LIFECYCLE-HOOK': {
+    flag_threshold: 65,
+    warn_threshold: 50,
+    notes: 'Moderate threshold; lifecycle hooks common but uncommon in top 1K packages',
+  },
+  'TIER1-INFOSTEALER': {
+    flag_threshold: 72,
+    warn_threshold: 55,
+    notes: 'Pattern-based; calibrated for C2 signatures, credential exfil patterns',
+  },
+  'TIER1-TYPOSQUAT': {
+    flag_threshold: 85,
+    warn_threshold: 70,
+    notes:
+      'Calibrated to 85 post-FP analysis on top 1,000 packages; 46 edit-distance=1 FPs eliminated at this threshold',
+  },
+  'TIER1-METADATA-SPOOF': {
+    flag_threshold: 70,
+    warn_threshold: 55,
+    notes: 'Namespace/repo URL spoofing; moderate threshold for legitimate clones',
+  },
+  'TIER1-VERSION-CONFUSION': {
+    flag_threshold: 75,
+    warn_threshold: 60,
+    notes: 'High-version heuristics (major >= 9); tuned to avoid FP on pre-release tags',
+  },
+  'TIER1-CLOUD-IMDS': {
+    flag_threshold: 80,
+    warn_threshold: 65,
+    notes: 'IMDS endpoint targeting is rarely legitimate; high threshold',
+  },
+  'TIER1-MULTISTAGE-POSTINSTALL': {
+    flag_threshold: 75,
+    warn_threshold: 60,
+    notes: 'Two-stage download+exec patterns; moderate threshold',
+  },
+  'TIER1-SLSA-ATTESTATION': {
+    flag_threshold: 85,
+    warn_threshold: 70,
+    notes: 'Placeholder; threshold TBD when API stabilizes',
+  },
+  'TIER1-SELF-PROPAGATION': {
+    flag_threshold: 75,
+    warn_threshold: 60,
+    burst_window_minutes: 60,
+    min_packages_burst: 3,
+    identical_payload_weight: 40,
+    notes: 'D10: Detects burst republish patterns (Miasma campaign)',
+  },
+  'TIER1-ENCRYPTED-C2': {
+    flag_threshold: 70,
+    warn_threshold: 50,
+    known_c2_endpoints: [
+      'filev2.getsession.org',
+      'api.signal.org',
+      '*.briarproject.org',
+      'api.ricochet.im',
+    ],
+    onion_pattern_weight: 30,
+    encoded_url_weight: 35,
+    env_var_c2_weight: 40,
+    notes: 'D11: Detects Session/Oxen, Signal, Briar, Tor C2 channels',
+  },
+  'TIER1-TRANSITIVE-DEPS': {
+    flag_threshold: 80,
+    warn_threshold: 50,
+    new_package_days: 7,
+    unknown_depth_weight: 45,
+    typosquat_depth_weight: 50,
+    different_maintainer_weight: 35,
+    notes: 'D12: Deep dependency tree analysis for injection attacks',
+  },
+  'TIER1-MAINTAINER-COMPROMISE': {
+    flag_threshold: 75,
+    warn_threshold: 60,
+    velocity_burst_multiplier: 5,
+    burst_window_hours: 24,
+    min_velocity_baseline: 0.5,
+    duplicate_version_weight: 40,
+    unusual_timing_weight: 25,
+    cross_package_burst_weight: 50,
+    notes: 'D13: Version velocity anomaly and maintainer compromise detection',
+  },
+};

package/backend/detectors/config/whitelist.json

@@ -0,0 +1,74 @@
+{
+  "packages": [
+    {
+      "name": "webpack",
+      "reason": "Bundler; naturally high entropy in bundled code",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "terser",
+      "reason": "Minifier library; intentional obfuscation",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "uglify-js",
+      "reason": "Minifier library; intentional obfuscation",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "browserify",
+      "reason": "Bundler; bundled JS has high entropy",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "rollup",
+      "reason": "Bundler; bundled JS has high entropy",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "esbuild",
+      "reason": "Bundler/compiler; bundled JS has high entropy",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "@babel/core",
+      "reason": "Transpiler; generated code has high pattern frequency",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "typescript",
+      "reason": "Compiler; generated JS has high entropy",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "lodash",
+      "reason": "Utility library; high pattern frequency from common JS idioms",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "underscore",
+      "reason": "Utility library; high pattern frequency",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "moment",
+      "reason": "Date library; legitimate build artifacts with binary-like data",
+      "detectors": ["TIER1-BINARY-EMBED"]
+    },
+    {
+      "name": "crypto-js",
+      "reason": "Cryptography library; legitimate use of hex/unicode escapes and bitwise ops",
+      "detectors": ["TIER1-OBFUSCATION-HEURISTICS"]
+    },
+    {
+      "name": "preact",
+      "reason": "React alternative; shares naming similarity with react, triggering TYPOSQUAT_VPMDHAJ",
+      "detectors": ["TYPOSQUAT_VPMDHAJ"]
+    },
+    {
+      "name": "@commitlint/read",
+      "reason": "Legitimate commitlint scoped sub-package; edit-distance FP",
+      "detectors": ["TIER1-TYPOSQUAT"]
+    }
+  ]
+}

package/backend/detectors/cve-2026-48710-badhost/codePattern.js

@@ -11,11 +11,12 @@ const AUTH_CONTEXT_PATHS = [
 ];
 
 const URL_PATH_PATTERN = /request\.url\.path|req\.url\.path|self\.request\.url\.path/g;
-const SCOPE_PATH_PATTERN = /request\.scope\s*\[\s*["']path["']\s*\]|request\.scope\.get\s*\(\s*["']path["']\s*\)/g;
+const SCOPE_PATH_PATTERN =
+  /request\.scope\s*\[\s*["']path["']\s*\]|request\.scope\.get\s*\(\s*["']path["']\s*\)/g;
 
 function hasAuthContext(filePath) {
   const lower = filePath.toLowerCase();
-  return AUTH_CONTEXT_PATHS.some(ctx => lower.includes(ctx));
+  return AUTH_CONTEXT_PATHS.some((ctx) => lower.includes(ctx));
 }
 
 function findFunctionBoundaries(lines) {
@@ -34,7 +35,13 @@ function findFunctionBoundaries(lines) {
       currentFn = defMatch[1];
       fnBodyStart = i;
       indent = line.length - line.trimStart().length;
-    } else if (currentFn && line.trim() && line.length - line.trimStart().length <= indent && !line.trim().startsWith('#') && !line.trim().startsWith('@')) {
+    } else if (
+      currentFn &&
+      line.trim() &&
+      line.length - line.trimStart().length <= indent &&
+      !line.trim().startsWith('#') &&
+      !line.trim().startsWith('@')
+    ) {
       functions.push({ name: currentFn, startLine: fnBodyStart, endLine: i - 1 });
       currentFn = null;
     }
@@ -48,7 +55,9 @@ function findFunctionBoundaries(lines) {
 
 function hasScopePathInFunction(lines, fnStart, fnEnd) {
   for (let i = fnStart; i <= fnEnd && i < lines.length; i++) {
-    if (SCOPE_PATH_PATTERN.test(lines[i])) return true;
+    if (SCOPE_PATH_PATTERN.test(lines[i])) {
+      return true;
+    }
   }
   return false;
 }
@@ -56,11 +65,15 @@ function hasScopePathInFunction(lines, fnStart, fnEnd) {
 export function scanCodePatterns(allFiles) {
   const findings = [];
 
-  for (const file of (allFiles || [])) {
+  for (const file of allFiles || []) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
-    if (!path.endsWith('.py')) continue;
+    if (!path.endsWith('.py')) {
+      continue;
+    }
 
     const lines = content.split('\n');
     const isAuthContext = hasAuthContext(path);
@@ -82,14 +95,18 @@ export function scanCodePatterns(allFiles) {
       let m;
       while ((m = URL_PATH_PATTERN.exec(content)) !== null) {
         const lineNumber = content.slice(0, m.index).split('\n').length;
-        if (suppressedLines.has(lineNumber)) continue;
+        if (suppressedLines.has(lineNumber)) {
+          continue;
+        }
         findings.push(codePatternAuthFinding(path, lineNumber));
       }
     } else {
       let m;
       while ((m = URL_PATH_PATTERN.exec(content)) !== null) {
         const lineNumber = content.slice(0, m.index).split('\n').length;
-        if (suppressedLines.has(lineNumber)) continue;
+        if (suppressedLines.has(lineNumber)) {
+          continue;
+        }
         findings.push(codePatternInfoFinding(path, lineNumber));
       }
     }