@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/detectors/mini-shai-hulud/d5-ioc-check.js

@@ -11,7 +11,9 @@ const __dirname = dirname(__filename);
 const IOC_PATH = join(__dirname, 'iocs.json');
 
 function loadIOCData() {
-  if (iocsLoaded) return iocsData;
+  if (iocsLoaded) {
+    return iocsData;
+  }
   iocsLoaded = true;
   try {
     iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
@@ -34,7 +36,9 @@ export function reloadIOCData() {
 
 export async function checkIOC(pkgName, pkgVersion, sha512, publisherAccount, timeMap = {}) {
   const data = loadIOCData();
-  if (!data) return { triggered: false, matches: [] };
+  if (!data) {
+    return { triggered: false, matches: [] };
+  }
 
   const matches = [];
   const allIOCs = [];
@@ -44,7 +48,7 @@ export async function checkIOC(pkgName, pkgVersion, sha512, publisherAccount, ti
   for (const waveKey of Object.keys(data.waves || {})) {
     const wave = data.waves[waveKey];
     const waveNum = waveKey === 'wave1' ? 1 : waveKey === 'wave2' ? 2 : 3;
-    for (const ioc of (wave.iocs || [])) {
+    for (const ioc of wave.iocs || []) {
       allIOCs.push({ ...ioc, wave: waveNum });
     }
   }
@@ -53,7 +57,11 @@ export async function checkIOC(pkgName, pkgVersion, sha512, publisherAccount, ti
     switch (ioc.type) {
       case 'packageName': {
         if (ioc.value === pkgName) {
-          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(pkgVersion)) {
+          if (
+            !ioc.maliciousVersions ||
+            ioc.maliciousVersions.length === 0 ||
+            ioc.maliciousVersions.includes(pkgVersion)
+          ) {
             matches.push({ type: 'packageName', value: pkgName, wave: ioc.wave });
           }
         }

package/backend/detectors/mini-shai-hulud/d6-token-exfil.js

@@ -14,7 +14,9 @@ const SUSPICIOUS_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
 const MAX_SNIPPET_LENGTH = 200;
 
 function truncateSnippet(text) {
-  if (text.length <= MAX_SNIPPET_LENGTH) return text;
+  if (text.length <= MAX_SNIPPET_LENGTH) {
+    return text;
+  }
   return text.slice(0, MAX_SNIPPET_LENGTH - 3) + '...';
 }
 
@@ -24,7 +26,9 @@ export function checkTokenExfil(allFiles, pkgJson) {
 
   for (const hook of SUSPICIOUS_SCRIPTS) {
     const scriptContent = scripts[hook];
-    if (!scriptContent) continue;
+    if (!scriptContent) {
+      continue;
+    }
 
     for (const pattern of EXFIL_PATTERNS) {
       if (pattern.test(scriptContent)) {

package/backend/detectors/mini-shai-hulud/index.js

@@ -1,5 +1,8 @@
 import { checkBurstPublish } from './d1-burst-publish.js';
-import { checkSiblingCompromise, clearSiblingCache } from './d2-sibling-compromise.js';
+import {
+  checkSiblingCompromise,
+  clearSiblingCache as _clearSiblingCache,
+} from './d2-sibling-compromise.js';
 import { checkSlsaMismatch } from './d3-slsa-mismatch.js';
 import { checkMaintainerAnomaly } from './d4-maintainer-anomaly.js';
 import { checkIOC } from './d5-ioc-check.js';
@@ -31,15 +34,31 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
   const nxDownstreamResult = checkNxConsoleDownstream(pkgJson, allFiles || files);
 
   const triggeredChecks = [];
-  if (burstResult.triggered) triggeredChecks.push('D1_BURST');
-  if (siblingResult.triggered) triggeredChecks.push('D2_SIBLING');
-  if (slsaResult.triggered) triggeredChecks.push('D3_SLSA');
-  if (maintainerResult.triggered) triggeredChecks.push('D4_MAINTAINER');
-  if (iocResult.triggered) triggeredChecks.push('D5_IOC');
-  if (exfilResult.triggered) triggeredChecks.push('D6_EXFIL');
-  if (nxDownstreamResult.triggered) triggeredChecks.push('D7_NX_CONSOLE');
+  if (burstResult.triggered) {
+    triggeredChecks.push('D1_BURST');
+  }
+  if (siblingResult.triggered) {
+    triggeredChecks.push('D2_SIBLING');
+  }
+  if (slsaResult.triggered) {
+    triggeredChecks.push('D3_SLSA');
+  }
+  if (maintainerResult.triggered) {
+    triggeredChecks.push('D4_MAINTAINER');
+  }
+  if (iocResult.triggered) {
+    triggeredChecks.push('D5_IOC');
+  }
+  if (exfilResult.triggered) {
+    triggeredChecks.push('D6_EXFIL');
+  }
+  if (nxDownstreamResult.triggered) {
+    triggeredChecks.push('D7_NX_CONSOLE');
+  }
 
-  if (triggeredChecks.length === 0) return [];
+  if (triggeredChecks.length === 0) {
+    return [];
+  }
 
   let waveAttribution = 'unknown';
   if (pkgName.startsWith('@tanstack')) {
@@ -49,9 +68,10 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
   } else if (nxDownstreamResult.triggered) {
     waveAttribution = 'wave3-nx-console';
   } else if (iocResult.matches && iocResult.matches.length > 0) {
-    const waves = [...new Set(iocResult.matches.map(m => m.wave))];
+    const waves = [...new Set(iocResult.matches.map((m) => m.wave))];
     if (waves.length === 1) {
-      waveAttribution = waves[0] === 1 ? 'wave1-tanstack' : waves[0] === 2 ? 'wave2-antv' : 'wave3-nx-console';
+      waveAttribution =
+        waves[0] === 1 ? 'wave1-tanstack' : waves[0] === 2 ? 'wave2-antv' : 'wave3-nx-console';
     }
   }
 
@@ -62,10 +82,14 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     waveAttribution,
     triggeredChecks,
     burstWindow: burstResult.triggered
-      ? { start: burstResult.windowStart, end: burstResult.windowEnd, versionCount: burstResult.versionCount }
+      ? {
+          start: burstResult.windowStart,
+          end: burstResult.windowEnd,
+          versionCount: burstResult.versionCount,
+        }
       : null,
     siblingPackages: siblingResult.triggered
-      ? siblingResult.results.flatMap(r => r.siblingPackages)
+      ? siblingResult.results.flatMap((r) => r.siblingPackages)
       : null,
     attestationAnomalies: slsaResult.triggered ? slsaResult.anomalies : null,
     iocMatches: iocResult.triggered ? iocResult.matches : null,
@@ -75,25 +99,38 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
       : null,
   };
 
-  return [{
-    id: 'MINI_SHAI_HULUD',
-    severity: isCritical ? 'critical' : 'high',
-    title: 'Mini Shai-Hulud worm campaign',
-    description: `${triggeredChecks.length} signal(s): ${triggeredChecks.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages. If Wave 3 (Nx Console): remove nrwl.angular-console extension immediately, revoke all npm tokens used in CI/CD, and audit @nx/* dependency versions.',
-  }];
+  return [
+    {
+      id: 'MINI_SHAI_HULUD',
+      severity: isCritical ? 'critical' : 'high',
+      title: 'Mini Shai-Hulud worm campaign',
+      description: `${triggeredChecks.length} signal(s): ${triggeredChecks.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation:
+        'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages. If Wave 3 (Nx Console): remove nrwl.angular-console extension immediately, revoke all npm tokens used in CI/CD, and audit @nx/* dependency versions.',
+    },
+  ];
 }
 
 function checkNxConsoleDownstream(pkgJson, allFiles) {
-  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
-  const nxDeps = Object.keys(deps).filter(d => d.startsWith('@nx/') || d.startsWith('nrwl/'));
-  if (nxDeps.length === 0) return { triggered: false, nxDeps: [], vsCodeExtensions: [] };
+  const deps = {
+    ...pkgJson?.dependencies,
+    ...pkgJson?.devDependencies,
+    ...pkgJson?.peerDependencies,
+  };
+  const nxDeps = Object.keys(deps).filter((d) => d.startsWith('@nx/') || d.startsWith('nrwl/'));
+  if (nxDeps.length === 0) {
+    return { triggered: false, nxDeps: [], vsCodeExtensions: [] };
+  }
 
   let vsCodeExtensions = [];
   if (allFiles && Array.isArray(allFiles)) {
     for (const file of allFiles) {
-      if (file.path && (file.path.endsWith('.vscode/extensions.json') || file.path.endsWith('.vscode/extensions.json'))) {
+      if (
+        file.path &&
+        (file.path.endsWith('.vscode/extensions.json') ||
+          file.path.endsWith('.vscode/extensions.json'))
+      ) {
         try {
           const content = typeof file.content === 'string' ? file.content : '';
           const parsed = JSON.parse(content);
@@ -101,7 +138,7 @@ function checkNxConsoleDownstream(pkgJson, allFiles) {
             ...(parsed.recommendations || []),
             ...(parsed.unwantedRecommendations || []),
           ];
-          const matched = allExts.filter(e => e.includes('nrwl.angular-console'));
+          const matched = allExts.filter((e) => e.includes('nrwl.angular-console'));
           if (matched.length > 0) {
             vsCodeExtensions = matched;
           }

package/backend/detectors/msh-supplement/d2-persistence.js

@@ -16,30 +16,48 @@ export function scanPersistence(pkgJson, files = []) {
     }
   }
 
-  const code = files.map(f => f.content || '').join('\n');
-  const codeWithScripts = code + '\n' + allScripts.map(s => s.content).join('\n');
+  const code = files.map((f) => f.content || '').join('\n');
+  const codeWithScripts = code + '\n' + allScripts.map((s) => s.content).join('\n');
 
   const detectedApis = [];
   let hasCiGuard = false;
   let hasDaemon = false;
 
-  if (DAEMON_RE.test(codeWithScripts)) detectedApis.push('daemon');
-  if (SPAWN_DETACHED_RE.test(codeWithScripts)) detectedApis.push('spawn_detached');
-  if (SYSTEMD_RE.test(codeWithScripts)) detectedApis.push('systemd');
-  if (CRON_RE.test(codeWithScripts)) detectedApis.push('cron');
-  if (LAUNCHD_RE.test(codeWithScripts)) detectedApis.push('launchd');
-  if (TASK_SCHED_RE.test(codeWithScripts)) detectedApis.push('task_scheduler');
-  if (CI_GUARD_RE.test(codeWithScripts)) hasCiGuard = true;
+  if (DAEMON_RE.test(codeWithScripts)) {
+    detectedApis.push('daemon');
+  }
+  if (SPAWN_DETACHED_RE.test(codeWithScripts)) {
+    detectedApis.push('spawn_detached');
+  }
+  if (SYSTEMD_RE.test(codeWithScripts)) {
+    detectedApis.push('systemd');
+  }
+  if (CRON_RE.test(codeWithScripts)) {
+    detectedApis.push('cron');
+  }
+  if (LAUNCHD_RE.test(codeWithScripts)) {
+    detectedApis.push('launchd');
+  }
+  if (TASK_SCHED_RE.test(codeWithScripts)) {
+    detectedApis.push('task_scheduler');
+  }
+  if (CI_GUARD_RE.test(codeWithScripts)) {
+    hasCiGuard = true;
+  }
 
-  if (DAEMON_RE.test(codeWithScripts) || SPAWN_DETACHED_RE.test(codeWithScripts)) hasDaemon = true;
+  if (DAEMON_RE.test(codeWithScripts) || SPAWN_DETACHED_RE.test(codeWithScripts)) {
+    hasDaemon = true;
+  }
 
   if (hasDaemon || detectedApis.length > 0) {
     return {
       triggered: true,
       detectedApis,
       hasCiGuard,
-      hooks: allScripts.map(s => s.hook),
-      context: hasCiGuard ? 'Spawns background process when CI env var absent' : 'Suspicious persistence/detached process detected',
+      hooks: allScripts.map((s) => s.hook),
+      context: hasCiGuard
+        ? 'Spawns background process when CI env var absent'
+        : 'Suspicious persistence/detached process detected',
     };
   }
 

package/backend/detectors/msh-supplement/d3-geo-killswitch.js

@@ -9,25 +9,37 @@ const TARGET_LOCALES = /ru_RU|be_BY|uk_UA/;
 const SILENT_EXIT_RE = /process\.exit\s*\(\s*0\s*\)/;
 
 export function scanGeoKillswitch(files = []) {
-  const code = files.map(f => f.content || '').join('\n');
-  if (!code) return { triggered: false, targetedLocales: [], triggerBehavior: null };
+  const code = files.map((f) => f.content || '').join('\n');
+  if (!code) {
+    return { triggered: false, targetedLocales: [], triggerBehavior: null };
+  }
 
-  const hasLocaleCheck = LOCALE_CHECKS.some(re => re.test(code));
-  if (!hasLocaleCheck) return { triggered: false, targetedLocales: [], triggerBehavior: null };
+  const hasLocaleCheck = LOCALE_CHECKS.some((re) => re.test(code));
+  if (!hasLocaleCheck) {
+    return { triggered: false, targetedLocales: [], triggerBehavior: null };
+  }
 
   const hasTargetLocale = TARGET_LOCALES.test(code);
   const hasSilentExit = SILENT_EXIT_RE.test(code);
 
   if (hasTargetLocale || hasSilentExit) {
     const matchedLocales = [];
-    if (/ru_RU/.test(code)) matchedLocales.push('ru_RU');
-    if (/be_BY/.test(code)) matchedLocales.push('be_BY');
-    if (/uk_UA/.test(code)) matchedLocales.push('uk_UA');
+    if (/ru_RU/.test(code)) {
+      matchedLocales.push('ru_RU');
+    }
+    if (/be_BY/.test(code)) {
+      matchedLocales.push('be_BY');
+    }
+    if (/uk_UA/.test(code)) {
+      matchedLocales.push('uk_UA');
+    }
 
     return {
       triggered: true,
       targetedLocales: matchedLocales.length > 0 ? matchedLocales : ['ru_RU', 'be_BY'],
-      triggerBehavior: hasSilentExit ? 'Silent exit' : 'Locale/timezone match with conditional behavior',
+      triggerBehavior: hasSilentExit
+        ? 'Silent exit'
+        : 'Locale/timezone match with conditional behavior',
     };
   }
 

package/backend/detectors/msh-supplement/d4-c2-deaddrop.js

@@ -5,13 +5,19 @@ const GITHUB_TOKEN_ACCESS_RE = /process\.env\.(?:GH_TOKEN|GITHUB_TOKEN|GITHUB_AC
 const COMMIT_PARSE_LOOP_RE = /commits?\s*\.\s*(?:map|filter|forEach|for\s*\(|while\s*\()/;
 
 export function scanC2DeadDrop(files = []) {
-  const code = files.map(f => f.content || '').join('\n');
-  if (!code) return { triggered: false, matches: [] };
+  const code = files.map((f) => f.content || '').join('\n');
+  if (!code) {
+    return { triggered: false, matches: [] };
+  }
 
   const matches = [];
 
   if (OHNO_WHATS_GOING_ON_RE.test(code)) {
-    matches.push({ type: 'ioc_keyword', value: 'OhNoWhatsGoingOnWithGitHub', attackVector: 'GitHub commit scraping for token recovery' });
+    matches.push({
+      type: 'ioc_keyword',
+      value: 'OhNoWhatsGoingOnWithGitHub',
+      attackVector: 'GitHub commit scraping for token recovery',
+    });
   }
 
   const hasTokenAccess = GITHUB_TOKEN_ACCESS_RE.test(code);
@@ -19,11 +25,19 @@ export function scanC2DeadDrop(files = []) {
   const hasCommitParseLoop = COMMIT_PARSE_LOOP_RE.test(code);
 
   if (hasTokenAccess && hasGithubApi) {
-    matches.push({ type: 'token_exfil_github_api', value: 'Credential access followed by GitHub API call', attackVector: 'Credential/token extraction followed by GitHub API calls' });
+    matches.push({
+      type: 'token_exfil_github_api',
+      value: 'Credential access followed by GitHub API call',
+      attackVector: 'Credential/token extraction followed by GitHub API calls',
+    });
   }
 
   if (hasCommitParseLoop && hasGithubApi) {
-    matches.push({ type: 'commit_scraping', value: 'Commit message parsing with GitHub API', attackVector: 'Commit scraping for secret detection' });
+    matches.push({
+      type: 'commit_scraping',
+      value: 'Commit message parsing with GitHub API',
+      attackVector: 'Commit scraping for secret detection',
+    });
   }
 
   return {

package/backend/detectors/msh-supplement/index.js

@@ -15,48 +15,57 @@ const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
 
 function highestSeverity(severities) {
   for (const s of SEVERITY_ORDER) {
-    if (severities.includes(s)) return s;
+    if (severities.includes(s)) {
+      return s;
+    }
   }
   return 'none';
 }
 
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+export async function scan(pkgJson, files = [], _registryMeta = null, allFiles = null) {
   const fileList = allFiles || files || [];
   const pkgName = pkgJson?.name || 'unknown';
   const pkgVersion = pkgJson?.version || '0.0.0';
 
   const d1Results = scanCtfScramble(fileList);
   if (d1Results.stopCondition) {
-    const evidence = attachProvenance({
-      rule: 'MSH-OBF-001',
-      campaign: 'MINI_SHAI_HULUD',
-      triggeredChecks: ['D1'],
-      filePath: d1Results.filePath,
-      patternMatched: d1Results.patternMatched,
-      action: 'BLOCK_IMMEDIATELY',
-    }, {
-      ruleId: 'MSH-OBF-001',
-      ruleName: 'ctf-scramble-v2 Obfuscation Detection',
-      severity: 'CRITICAL',
-      campaignName: 'Mini Shai-Hulud',
-      pkgName,
-      pkgVersion,
-      triggered: true,
-      severity: 'critical',
-      indicators: [{ type: 'obfuscation_found', value: d1Results.patternMatched }],
-      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/d1-obfuscation.js',
-      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-    });
+    const evidence = attachProvenance(
+      {
+        rule: 'MSH-OBF-001',
+        campaign: 'MINI_SHAI_HULUD',
+        triggeredChecks: ['D1'],
+        filePath: d1Results.filePath,
+        patternMatched: d1Results.patternMatched,
+        action: 'BLOCK_IMMEDIATELY',
+      },
+      {
+        ruleId: 'MSH-OBF-001',
+        ruleName: 'ctf-scramble-v2 Obfuscation Detection',
+        campaignName: 'Mini Shai-Hulud',
+        pkgName,
+        pkgVersion,
+        triggered: true,
+        severity: 'critical',
+        indicators: [{ type: 'obfuscation_found', value: d1Results.patternMatched }],
+        ruleProvenanceUrl:
+          'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/d1-obfuscation.js',
+        campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+      }
+    );
 
-    return [{
-      id: 'MINI_SHAI_HULUD',
-      severity: 'critical',
-      title: 'Mini Shai-Hulud worm campaign — ctf-scramble-v2 malware obfuscation detected',
-      description: 'HALT: ctf-scramble-v2 obfuscation layer detected. Package is compromised. Block install immediately.',
-      evidence: JSON.stringify(evidence),
-      mitigation: 'BLOCK IMMEDIATELY. Do not install this package version. Revoke any npm tokens exposed to this package. Rotate all CI/CD secrets. Run full malware scan on any system that processed this package.',
-      stopCondition: true,
-    }];
+    return [
+      {
+        id: 'MINI_SHAI_HULUD',
+        severity: 'critical',
+        title: 'Mini Shai-Hulud worm campaign — ctf-scramble-v2 malware obfuscation detected',
+        description:
+          'HALT: ctf-scramble-v2 obfuscation layer detected. Package is compromised. Block install immediately.',
+        evidence: JSON.stringify(evidence),
+        mitigation:
+          'BLOCK IMMEDIATELY. Do not install this package version. Revoke any npm tokens exposed to this package. Rotate all CI/CD secrets. Run full malware scan on any system that processed this package.',
+        stopCondition: true,
+      },
+    ];
   }
 
   const results = {
@@ -69,39 +78,45 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     .filter(([_, r]) => r.triggered)
     .map(([id]) => id);
 
-  if (triggered.length === 0) return [];
+  if (triggered.length === 0) {
+    return [];
+  }
 
-  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const severity = highestSeverity(triggered.map((id) => RULE_SEVERITY[id]));
 
-  const evidence = attachProvenance({
-    campaign: 'MINI_SHAI_HULUD',
-    triggeredChecks: triggered,
-    details: Object.fromEntries(
-      Object.entries(results).filter(([_, r]) => r.triggered)
-    ),
-  }, {
-    ruleId: 'MSH-SUPPLEMENT',
-    ruleName: 'Mini Shai-Hulud Supplement Detection',
-    severity: severity.toUpperCase(),
-    campaignName: 'Mini Shai-Hulud',
-    pkgName,
-    pkgVersion,
-    triggered: true,
-    severity,
-    indicators: triggered.map(id => ({
-      type: `rule_${id}`,
-      value: RULE_SEVERITY[id],
-    })),
-    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/',
-    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-  });
+  const evidence = attachProvenance(
+    {
+      campaign: 'MINI_SHAI_HULUD',
+      triggeredChecks: triggered,
+      details: Object.fromEntries(Object.entries(results).filter(([_, r]) => r.triggered)),
+    },
+    {
+      ruleId: 'MSH-SUPPLEMENT',
+      ruleName: 'Mini Shai-Hulud Supplement Detection',
+      campaignName: 'Mini Shai-Hulud',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity,
+      indicators: triggered.map((id) => ({
+        type: `rule_${id}`,
+        value: RULE_SEVERITY[id],
+      })),
+      ruleProvenanceUrl:
+        'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    }
+  );
 
-  return [{
-    id: 'MINI_SHAI_HULUD',
-    severity,
-    title: 'Mini Shai-Hulud worm campaign — supplement indicators',
-    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'If daemonization detected: revoke npm tokens and rotate CI/CD secrets. If geographic killswitch detected: verify running in expected region; attacker may be avoiding certain locales. If C2 dead-drop detected: check for unauthorized GitHub API access and token exfiltration. Review recent version publish history for anomalous bursts.',
-  }];
+  return [
+    {
+      id: 'MINI_SHAI_HULUD',
+      severity,
+      title: 'Mini Shai-Hulud worm campaign — supplement indicators',
+      description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation:
+        'If daemonization detected: revoke npm tokens and rotate CI/CD secrets. If geographic killswitch detected: verify running in expected region; attacker may be avoiding certain locales. If C2 dead-drop detected: check for unauthorized GitHub API access and token exfiltration. Review recent version publish history for anomalous bursts.',
+    },
+  ];
 }

package/backend/detectors/node-ipc-compromise/d1-version-blocklist.js

@@ -6,9 +6,11 @@ const SAFE_PINS = {
   '12.0.1': '12.0.0',
 };
 
-export function scanVersionBlocklist(pkgJson, registryMeta) {
+export function scanVersionBlocklist(pkgJson, _registryMeta) {
   const pkgName = pkgJson?.name || '';
-  if (pkgName !== 'node-ipc') return { triggered: false };
+  if (pkgName !== 'node-ipc') {
+    return { triggered: false };
+  }
 
   const version = pkgJson?.version || '';
   if (BLOCKED_VERSIONS.has(version)) {

package/backend/detectors/node-ipc-compromise/d10-unauthorized-publisher.js

@@ -1,17 +1,21 @@
 export function scanUnauthorizedPublisher(pkgJson, registryMeta) {
   const pkgName = pkgJson?.name || '';
-  if (pkgName !== 'node-ipc') return { triggered: false };
+  if (pkgName !== 'node-ipc') {
+    return { triggered: false };
+  }
 
-  const publisherAccount = registryMeta?.versions?.[pkgJson?.version]?._npmUser?.name
-    || registryMeta?.versions?.[Object.keys(registryMeta.versions || {})[0]]?._npmUser?.name
-    || null;
+  const publisherAccount =
+    registryMeta?.versions?.[pkgJson?.version]?._npmUser?.name ||
+    registryMeta?.versions?.[Object.keys(registryMeta.versions || {})[0]]?._npmUser?.name ||
+    null;
 
   if (publisherAccount === 'atiertant') {
     return {
       triggered: true,
       publisher: publisherAccount,
       package: pkgName,
-      detail: 'Account atiertant has no prior release history on node-ipc — account recovery via expired email domain takeover',
+      detail:
+        'Account atiertant has no prior release history on node-ipc — account recovery via expired email domain takeover',
     };
   }
 

package/backend/detectors/node-ipc-compromise/d11-blast-radius.js

@@ -16,12 +16,16 @@ export function scanBlastRadius(allFiles) {
 
   for (const file of allFiles) {
     const path = file.path?.replace(/\\/g, '/') || '';
-    const isLockfile = LOCKFILE_PATTERNS.some(p => p.test(path));
-    if (!isLockfile) continue;
+    const isLockfile = LOCKFILE_PATTERNS.some((p) => p.test(path));
+    if (!isLockfile) {
+      continue;
+    }
 
     const content = file.content || '';
     const hasNodeIpc = /\bnode-ipc\b/i.test(content);
-    if (!hasNodeIpc) continue;
+    if (!hasNodeIpc) {
+      continue;
+    }
 
     for (const [badVersion, info] of Object.entries(COMPROMISED_VERSIONS)) {
       const versionInQuotes = `"${badVersion}"`;

package/backend/detectors/node-ipc-compromise/d2-tarball-hash.js

@@ -11,7 +11,9 @@ export function scanTarballHash(allFiles) {
 
   for (const file of allFiles) {
     const path = file.path || '';
-    if (!path.endsWith('.tgz') && !path.endsWith('.tar.gz')) continue;
+    if (!path.endsWith('.tgz') && !path.endsWith('.tar.gz')) {
+      continue;
+    }
 
     const content = file.content || '';
     const hash = createHash('sha256').update(content, 'utf8').digest('hex');
@@ -20,9 +22,12 @@ export function scanTarballHash(allFiles) {
       matches.push({
         file: path,
         sha256: hash,
-        version: hash === '449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e'
-          ? '9.1.6' : hash === 'c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea'
-          ? '9.2.3' : '12.0.1',
+        version:
+          hash === '449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e'
+            ? '9.1.6'
+            : hash === 'c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea'
+              ? '9.2.3'
+              : '12.0.1',
       });
     }
   }