@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/detectors/hf-impersonation/index.js

@@ -2,7 +2,7 @@ import { KNOWN_HF_ORGS } from './known-orgs.js';
 import { jaroWinkler } from './jaro-winkler.js';
 import { simhash, similarity as simhashSimilarity } from './simhash.js';
 
-const HF_URL_PATTERN = /(?:huggingface\.co|hf\.co)\/([^\/\s"'>]+)\/([^\/\s"'>]+)/g;
+const HF_URL_PATTERN = /(?:huggingface\.co|hf\.co)\/([^/\s"'>]+)\/([^/\s"'>]+)/g;
 const FROM_PRETRAINED_PATTERN = /from_pretrained\(\s*["']([^"']+\/[^"']+)["']/g;
 const HUB_DOWNLOAD_SINGLE = /hub\.download\(\s*["']([^"']+\/[^"']+)["']/g;
 const HUB_DOWNLOAD_DOUBLE = /hub\.download\(\s*["']([^"']+)["']\s*,\s*["']([^"']+)["']/g;
@@ -11,9 +11,15 @@ const LIFECYCLE_SCRIPTS = new Set(['postinstall', 'prepare', 'install']);
 const API_BASE = 'https://huggingface.co';
 
 const SEVERITY_SCORE = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
-const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical'];
-
-const HF_ARTIFACT_LIBS = new Set(['transformers', 'diffusers', 'sentence-transformers', 'gguf', 'safetensors']);
+const _SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical'];
+
+const HF_ARTIFACT_LIBS = new Set([
+  'transformers',
+  'diffusers',
+  'sentence-transformers',
+  'gguf',
+  'safetensors',
+]);
 const SUSPICIOUS_EXTENSIONS = /\.(exe|msi|bat|ps1|dll)$/i;
 
 const _cache = new Map();
@@ -24,12 +30,12 @@ function severityIndex(sev) {
   return SEVERITY_SCORE[sev] || 0;
 }
 
-function maxSeverity(a, b) {
+function _maxSeverity(a, b) {
   return severityIndex(a) >= severityIndex(b) ? a : b;
 }
 
 function sleep(ms) {
-  return new Promise(r => setTimeout(r, ms));
+  return new Promise((r) => setTimeout(r, ms));
 }
 
 async function fetchWithCache(url) {
@@ -81,12 +87,16 @@ async function fetchReadme(url) {
       const retryAfter = parseInt(res.headers.get('Retry-After') || '5', 10);
       await sleep(retryAfter * 1000);
       const retryRes = await fetch(url);
-      if (!retryRes.ok) return null;
+      if (!retryRes.ok) {
+        return null;
+      }
       const text = await retryRes.text();
       _cache.set(url, { data: text, fetchedAt: Date.now() });
       return text;
     }
-    if (!res.ok) return null;
+    if (!res.ok) {
+      return null;
+    }
     const text = await res.text();
     _cache.set(url, { data: text, fetchedAt: Date.now() });
     return text;
@@ -115,7 +125,9 @@ function extractHFTuples(pkgJson, allFiles) {
   const scripts = pkgJson?.scripts || {};
   let m;
   for (const [hook, script] of Object.entries(scripts)) {
-    if (typeof script !== 'string') continue;
+    if (typeof script !== 'string') {
+      continue;
+    }
 
     HF_URL_PATTERN.lastIndex = 0;
     while ((m = HF_URL_PATTERN.exec(script)) !== null) {
@@ -152,7 +164,9 @@ function extractHFTuples(pkgJson, allFiles) {
 
   if (allFiles) {
     for (const file of allFiles) {
-      if (!file.path?.match(/\.(js|ts|jsx|tsx|mjs|cjs)$/i)) continue;
+      if (!file.path?.match(/\.(js|ts|jsx|tsx|mjs|cjs)$/i)) {
+        continue;
+      }
       const content = typeof file.content === 'string' ? file.content : '';
 
       HF_URL_PATTERN.lastIndex = 0;
@@ -180,7 +194,15 @@ function extractHFTuples(pkgJson, allFiles) {
   return { tuples, postinstallFetchFlag };
 }
 
-function buildHFOrgSpoofFinding(referencedRepo, org, canonicalOrg, similarityScore, postinstallFetchFlag, tags, hfMeta) {
+function buildHFOrgSpoofFinding(
+  referencedRepo,
+  org,
+  canonicalOrg,
+  similarityScore,
+  postinstallFetchFlag,
+  tags,
+  hfMeta
+) {
   const finding = {
     id: 'HF_ORG_SPOOF',
     severity: 'high',
@@ -207,16 +229,22 @@ function buildHFOrgSpoofFinding(referencedRepo, org, canonicalOrg, similaritySco
 async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
   const newFindings = [];
 
-  for (const [referencedRepo, { org, canonicalOrg, similarityScore, finding }] of orgsToCheck) {
+  for (const [
+    referencedRepo,
+    { org, canonicalOrg, similarityScore: _similarityScore, finding: _finding },
+  ] of orgsToCheck) {
     const tags = [];
     let hfMeta = null;
 
     const modelUrl = `${API_BASE}/api/models/${referencedRepo}`;
-    const canonicalUrl = canonicalOrg.org !== org ? `${API_BASE}/api/models/${canonicalOrg.org}/${referencedRepo.split('/')[1]}` : null;
+    const canonicalUrl =
+      canonicalOrg.org !== org
+        ? `${API_BASE}/api/models/${canonicalOrg.org}/${referencedRepo.split('/')[1]}`
+        : null;
     const userUrl = `${API_BASE}/api/users/${org}`;
 
     const spoofedModel = await fetchWithCache(modelUrl);
-    const canonicalModel = canonicalUrl ? await fetchWithCache(canonicalUrl) : null;
+    const _canonicalModel = canonicalUrl ? await fetchWithCache(canonicalUrl) : null;
     const userData = await fetchWithCache(userUrl);
 
     // Org age check for NEW_ORG tag
@@ -235,7 +263,9 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
     // README clone check
     if (canonicalOrg.org !== org) {
       const readmeSpoof = await fetchReadme(`${API_BASE}/${referencedRepo}/resolve/main/README.md`);
-      const readmeCanonical = await fetchReadme(`${API_BASE}/${canonicalOrg.org}/${referencedRepo.split('/')[1]}/resolve/main/README.md`);
+      const readmeCanonical = await fetchReadme(
+        `${API_BASE}/${canonicalOrg.org}/${referencedRepo.split('/')[1]}/resolve/main/README.md`
+      );
 
       if (readmeSpoof && readmeCanonical) {
         const fp1 = simhash(readmeSpoof);
@@ -260,7 +290,9 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
             tags: [],
             ipiClass: 'SUPPLY_CHAIN',
           };
-          if (hfMeta) readmeFinding.hfMeta = hfMeta;
+          if (hfMeta) {
+            readmeFinding.hfMeta = hfMeta;
+          }
           newFindings.push(readmeFinding);
         }
       }
@@ -288,7 +320,9 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
               tags: [],
               ipiClass: 'SUPPLY_CHAIN',
             };
-            if (hfMeta) artifactFinding.hfMeta = hfMeta;
+            if (hfMeta) {
+              artifactFinding.hfMeta = hfMeta;
+            }
             newFindings.push(artifactFinding);
             break;
           }
@@ -297,12 +331,16 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
     }
 
     // Apply NEW_ORG and POSTINSTALL_FETCH tags to all findings for this repo
-    const repoSpoofFindings = spoofFindings.filter(f => f.referencedRepo === referencedRepo);
+    const repoSpoofFindings = spoofFindings.filter((f) => f.referencedRepo === referencedRepo);
     for (const sf of repoSpoofFindings) {
       if (tags.length > 0) {
-        if (!sf.tags) sf.tags = [];
+        if (!sf.tags) {
+          sf.tags = [];
+        }
         for (const t of tags) {
-          if (!sf.tags.includes(t)) sf.tags.push(t);
+          if (!sf.tags.includes(t)) {
+            sf.tags.push(t);
+          }
         }
       }
       if (hfMeta) {
@@ -312,9 +350,13 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
     for (const nf of newFindings) {
       if (nf.referencedRepo === referencedRepo) {
         if (tags.length > 0) {
-          if (!nf.tags) nf.tags = [];
+          if (!nf.tags) {
+            nf.tags = [];
+          }
           for (const t of tags) {
-            if (!nf.tags.includes(t)) nf.tags.push(t);
+            if (!nf.tags.includes(t)) {
+              nf.tags.push(t);
+            }
           }
         }
       }
@@ -326,14 +368,18 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
     const allStage2Findings = [...spoofFindings, ...newFindings];
     const escalatedRepos = new Set();
     for (const f of allStage2Findings) {
-      if (f.referencedRepo) escalatedRepos.add(f.referencedRepo);
+      if (f.referencedRepo) {
+        escalatedRepos.add(f.referencedRepo);
+      }
     }
     for (const f of allStage2Findings) {
       if (escalatedRepos.has(f.referencedRepo)) {
         if (severityIndex(f.severity) < severityIndex('critical')) {
           f.severity = 'critical';
         }
-        if (!f.tags) f.tags = [];
+        if (!f.tags) {
+          f.tags = [];
+        }
         if (!f.tags.includes('POSTINSTALL_ESCALATED')) {
           f.tags.push('POSTINSTALL_ESCALATED');
         }
@@ -344,10 +390,12 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
   return newFindings;
 }
 
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+export async function scan(pkgJson, files = [], _registryMeta = null, allFiles = null) {
   const { tuples, postinstallFetchFlag } = extractHFTuples(pkgJson, allFiles || files);
 
-  if (tuples.size === 0) return [];
+  if (tuples.size === 0) {
+    return [];
+  }
 
   // Stage 1: org spoof detection (local only)
   const spoofFindings = [];
@@ -355,19 +403,34 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
 
   for (const tuple of tuples) {
     const parts = tuple.split('/');
-    if (parts.length < 2) continue;
+    if (parts.length < 2) {
+      continue;
+    }
     const org = parts[0];
 
     const canonicalOrg = findClosestOrg(org);
-    if (!canonicalOrg.org) continue;
-    if (org.toLowerCase() === canonicalOrg.org.toLowerCase()) continue;
+    if (!canonicalOrg.org) {
+      continue;
+    }
+    if (org.toLowerCase() === canonicalOrg.org.toLowerCase()) {
+      continue;
+    }
 
-    const finding = buildHFOrgSpoofFinding(tuple, org, canonicalOrg, canonicalOrg.score, postinstallFetchFlag, []);
+    const finding = buildHFOrgSpoofFinding(
+      tuple,
+      org,
+      canonicalOrg,
+      canonicalOrg.score,
+      postinstallFetchFlag,
+      []
+    );
     spoofFindings.push(finding);
     orgsToCheck.push([tuple, { org, canonicalOrg, similarityScore: canonicalOrg.score, finding }]);
   }
 
-  if (spoofFindings.length === 0) return [];
+  if (spoofFindings.length === 0) {
+    return [];
+  }
 
   // Stage 2: network checks
   const stage2Findings = await runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag);

package/backend/detectors/hf-impersonation/jaro-winkler.js

@@ -1,7 +1,12 @@
 export function jaroWinkler(s1, s2) {
-  if (s1 === s2) return 1;
-  const len1 = s1.length, len2 = s2.length;
-  if (len1 === 0 || len2 === 0) return 0;
+  if (s1 === s2) {
+    return 1;
+  }
+  const len1 = s1.length,
+    len2 = s2.length;
+  if (len1 === 0 || len2 === 0) {
+    return 0;
+  }
 
   const matchDist = Math.floor(Math.max(len1, len2) / 2) - 1;
   const matches1 = new Array(len1).fill(false);
@@ -12,8 +17,12 @@ export function jaroWinkler(s1, s2) {
     const start = Math.max(0, i - matchDist);
     const end = Math.min(len2, i + matchDist + 1);
     for (let j = start; j < end; j++) {
-      if (matches2[j]) continue;
-      if (s1[i] !== s2[j]) continue;
+      if (matches2[j]) {
+        continue;
+      }
+      if (s1[i] !== s2[j]) {
+        continue;
+      }
       matches1[i] = true;
       matches2[j] = true;
       matches++;
@@ -21,13 +30,22 @@ export function jaroWinkler(s1, s2) {
     }
   }
 
-  if (matches === 0) return 0;
+  if (matches === 0) {
+    return 0;
+  }
 
-  let transpositions = 0, k = 0;
+  let transpositions = 0,
+    k = 0;
   for (let i = 0; i < len1; i++) {
-    if (!matches1[i]) continue;
-    while (!matches2[k]) k++;
-    if (s1[i] !== s2[k]) transpositions++;
+    if (!matches1[i]) {
+      continue;
+    }
+    while (!matches2[k]) {
+      k++;
+    }
+    if (s1[i] !== s2[k]) {
+      transpositions++;
+    }
     k++;
   }
 
@@ -36,8 +54,11 @@ export function jaroWinkler(s1, s2) {
   let prefix = 0;
   const maxPrefix = Math.min(4, len1, len2);
   for (let i = 0; i < maxPrefix; i++) {
-    if (s1[i] === s2[i]) prefix++;
-    else break;
+    if (s1[i] === s2[i]) {
+      prefix++;
+    } else {
+      break;
+    }
   }
 
   return jaro + prefix * 0.1 * (1 - jaro);

package/backend/detectors/hf-impersonation/known-orgs.js

@@ -1,5 +1,17 @@
 export const KNOWN_HF_ORGS = [
-  'openai', 'meta-llama', 'mistralai', 'google', 'microsoft',
-  'stabilityai', 'EleutherAI', 'huggingface', 'tiiuae', 'cohere',
-  'anthropic', 'deepseek-ai', 'Qwen', 'NousResearch', 'teknium',
+  'openai',
+  'meta-llama',
+  'mistralai',
+  'google',
+  'microsoft',
+  'stabilityai',
+  'EleutherAI',
+  'huggingface',
+  'tiiuae',
+  'cohere',
+  'anthropic',
+  'deepseek-ai',
+  'Qwen',
+  'NousResearch',
+  'teknium',
 ];

package/backend/detectors/hf-impersonation/simhash.js

@@ -1,7 +1,7 @@
 function hashToken(str) {
   let hash = 5381;
   for (let i = 0; i < str.length; i++) {
-    hash = ((hash << 5) + hash) + str.charCodeAt(i);
+    hash = (hash << 5) + hash + str.charCodeAt(i);
     hash = hash & hash;
   }
   return hash >>> 0;
@@ -25,7 +25,7 @@ export function simhash(text) {
   let fingerprint = 0n;
   for (let i = 0; i < 64; i++) {
     if (v[i] > 0) {
-      fingerprint |= (1n << BigInt(i));
+      fingerprint |= 1n << BigInt(i);
     }
   }
   return fingerprint;

package/backend/detectors/index.js

@@ -26,9 +26,18 @@ import { scan as tier1MetadataSpoofScan } from './tier1-metadata-spoof.js';
 import { scan as tier1VersionConfusionScan } from './tier1-version-confusion.js';
 import { scan as tier1CloudImdsScan } from './tier1-cloud-imds.js';
 import { scan as tier1MultistagePostinstallScan } from './tier1-multistage-postinstall.js';
+import { scan as tier1VersionAnomalyScan } from './tier1-version-anomaly.js';
+import { scan as tier1ObfuscationHeuristicsScan } from './tier1-obfuscation-heuristics.js';
+import { scan as tier1SlsaAttestationScan } from './tier1-slsa-attestation.js';
+import { scan as tier1SelfPropagationScan } from './tier1-self-propagation.js';
+import { scan as tier1EncryptedC2Scan } from './tier1-encrypted-c2.js';
+import { scan as tier1TransitiveDepsScan } from './tier1-transitive-deps.js';
+import { scan as tier1MaintainerCompromiseScan } from './tier1-maintainer-compromise.js';
 
 function timeout(ms) {
-  return new Promise((_, reject) => setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms));
+  return new Promise((_, reject) =>
+    setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms)
+  );
 }
 
 async function runTier1(name, scanFn, pkgJson, files, registryMeta, allFiles) {
@@ -40,7 +49,9 @@ async function runTier1(name, scanFn, pkgJson, files, registryMeta, allFiles) {
     const fileCount = allFiles && allFiles.length > 0 ? allFiles.length : files.length;
     if (fileCount >= 10 && result.length > 0) {
       const hitRate = result.length / fileCount;
-      if (hitRate > 0.8) return [];
+      if (hitRate > 0.8) {
+        return [];
+      }
     }
     return result;
   } catch {
@@ -50,33 +61,175 @@ async function runTier1(name, scanFn, pkgJson, files, registryMeta, allFiles) {
 
 export async function runAll(pkgJson, files = [], registryMeta = null, allFiles = null) {
   const findings = [];
-  findings.push(...await atk001.scan(pkgJson, files));
-  findings.push(...await atk002.scan(pkgJson, files));
-  findings.push(...await atk003.scan(pkgJson, files));
-  findings.push(...await atk004.scan(pkgJson, files));
-  findings.push(...await atk005.scan(pkgJson, files));
-  findings.push(...await atk006.scan(pkgJson, files));
-  findings.push(...await atk007.scan(pkgJson, files));
-  findings.push(...await atk008.scan(pkgJson, files));
-  findings.push(...await atk009.scan(pkgJson, files));
-  findings.push(...await atk010.scan(pkgJson, files));
-  findings.push(...await atk011.scan(pkgJson, files));
-  findings.push(...await megalodonScan(pkgJson, allFiles || files, registryMeta));
-  findings.push(...await hfScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await miniShaiHuludScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await badhostScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await trapdoorScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await nodeIpcScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await mshSupplementScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await typosquatScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await axiosPoisoningScan(pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-typosquat', tier1TyposquatScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-infostealer', tier1InfostealerScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-lifecycle-hook', tier1LifecycleHookScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-binary-embed', tier1BinaryEmbedScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-metadata-spoof', tier1MetadataSpoofScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-version-confusion', tier1VersionConfusionScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-cloud-imds', tier1CloudImdsScan, pkgJson, files, registryMeta, allFiles || files));
-  findings.push(...await runTier1('tier1-multistage-postinstall', tier1MultistagePostinstallScan, pkgJson, files, registryMeta, allFiles || files));
+  findings.push(...(await atk001.scan(pkgJson, files)));
+  findings.push(...(await atk002.scan(pkgJson, files)));
+  findings.push(...(await atk003.scan(pkgJson, files)));
+  findings.push(...(await atk004.scan(pkgJson, files)));
+  findings.push(...(await atk005.scan(pkgJson, files)));
+  findings.push(...(await atk006.scan(pkgJson, files)));
+  findings.push(...(await atk007.scan(pkgJson, files)));
+  findings.push(...(await atk008.scan(pkgJson, files)));
+  findings.push(...(await atk009.scan(pkgJson, files)));
+  findings.push(...(await atk010.scan(pkgJson, files)));
+  findings.push(...(await atk011.scan(pkgJson, files)));
+  findings.push(...(await megalodonScan(pkgJson, allFiles || files, registryMeta)));
+  findings.push(...(await hfScan(pkgJson, files, registryMeta, allFiles || files)));
+  findings.push(...(await miniShaiHuludScan(pkgJson, files, registryMeta, allFiles || files)));
+  findings.push(...(await badhostScan(pkgJson, files, registryMeta, allFiles || files)));
+  findings.push(...(await trapdoorScan(pkgJson, files, registryMeta, allFiles || files)));
+  findings.push(...(await nodeIpcScan(pkgJson, files, registryMeta, allFiles || files)));
+  findings.push(...(await mshSupplementScan(pkgJson, files, registryMeta, allFiles || files)));
+  findings.push(...(await typosquatScan(pkgJson, files, registryMeta, allFiles || files)));
+  findings.push(...(await axiosPoisoningScan(pkgJson, files, registryMeta, allFiles || files)));
+  findings.push(
+    ...(await runTier1(
+      'tier1-typosquat',
+      tier1TyposquatScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-infostealer',
+      tier1InfostealerScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-lifecycle-hook',
+      tier1LifecycleHookScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-binary-embed',
+      tier1BinaryEmbedScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-metadata-spoof',
+      tier1MetadataSpoofScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-version-confusion',
+      tier1VersionConfusionScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-cloud-imds',
+      tier1CloudImdsScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-multistage-postinstall',
+      tier1MultistagePostinstallScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-version-anomaly',
+      tier1VersionAnomalyScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-obfuscation-heuristics',
+      tier1ObfuscationHeuristicsScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-slsa-attestation',
+      tier1SlsaAttestationScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-self-propagation',
+      tier1SelfPropagationScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-encrypted-c2',
+      tier1EncryptedC2Scan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-transitive-deps',
+      tier1TransitiveDepsScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
+  findings.push(
+    ...(await runTier1(
+      'tier1-maintainer-compromise',
+      tier1MaintainerCompromiseScan,
+      pkgJson,
+      files,
+      registryMeta,
+      allFiles || files
+    ))
+  );
   return findings.sort((a, b) => b.severity.localeCompare(a.severity));
-}
+}

package/backend/detectors/lib/ast-patterns.js

@@ -0,0 +1,24 @@
+const PATTERNS = [
+  { id: 'EVAL_USAGE', re: /\beval\s*\(/ },
+  { id: 'FUNCTION_CONSTRUCTOR', re: /Function\s*\(/ },
+  {
+    id: 'STRING_REVERSAL_CHAIN',
+    re: /\.split\s*\(\s*['"]\s*['"]\s*\)\s*\.reverse\s*\(\s*\)\s*\.join\s*\(/,
+  },
+  { id: 'XOR_CIPHER', re: /charCodeAt\s*\([^)]*\)\s*\^\s*\w+/ },
+  { id: 'BITWISE_LOOP', re: /for\s*\([^;]+;[^;]+\)\s*\{[^}]{20,}\^[^}]*\}/ },
+  { id: 'DYNAMIC_REQUIRE', re: /require\s*\(\s*(?:Buffer\.from|atob|decodeURIComponent)/ },
+  { id: 'BASE64_LITERAL', re: /['"][A-Za-z0-9+/]{60,}={0,2}['"]/ },
+  { id: 'OBFUSCATED_STRING', re: /(?:\\x[0-9a-fA-F]{2}){8,}/ },
+  { id: 'UNICODE_ESCAPE', re: /(?:\\u[0-9a-fA-F]{4}){8,}/ },
+];
+
+export function detectPatterns(code) {
+  const detected = [];
+  for (const { id, re } of PATTERNS) {
+    if (re.test(code)) {
+      detected.push(id);
+    }
+  }
+  return detected;
+}

package/backend/detectors/lib/entropy-analyzer.js

@@ -0,0 +1,32 @@
+export function shannonEntropy(str) {
+  const len = str.length;
+  if (len === 0) {
+    return 0;
+  }
+  const freq = {};
+  for (const ch of str) {
+    freq[ch] = (freq[ch] || 0) + 1;
+  }
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return Math.round(entropy * 100) / 100;
+}
+
+export function isMinified(code) {
+  if (code.length < 100) {
+    return false;
+  }
+  const lines = code.split('\n');
+  if (lines.length <= 3 && code.length > 1000) {
+    return true;
+  }
+  const tokens = code.match(/\b[a-zA-Z_$][\w$]*\b/g) || [];
+  if (tokens.length < 10) {
+    return false;
+  }
+  const avgLen = tokens.reduce((s, t) => s + t.length, 0) / tokens.length;
+  return avgLen < 3;
+}