@lateos/npm-scan 0.3.3 → 0.4.0

package/backend/cra.js

@@ -0,0 +1,69 @@
+export function generateCRA(scans) {
+  const atkMap = {};
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const key = f.atk_id || f.id;
+      if (!atkMap[key]) atkMap[key] = [];
+      atkMap[key].push({ ...f, package_name: s.package_name, version: s.version });
+    }
+  }
+
+  const CRA_ARTICLES = [
+    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-001', desc: 'Lifecycle hooks used for insecure defaults' },
+    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-010', desc: 'Anti-analysis in default state' },
+    { article: 'Art. 10(1)', title: 'Vulnerability disclosure', atkId: 'ATK-008', desc: 'Tarball integrity prevents disclosure accuracy' },
+    { article: 'Art. 10(2)', title: 'Known vulnerability reporting', atkId: 'ATK-006', desc: 'Dependency confusion undermines visibility' },
+    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-008', desc: 'Integrity of SBOM entries must be verified' },
+    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-006', desc: 'SBOM must reflect actual dependency graph' },
+    { article: 'Annex I(1.1)', title: 'No known exploitable vulnerabilities', atkId: 'ATK-009', desc: 'Conditional triggers may activate known vulns' },
+    { article: 'Annex I(1.3)', title: 'Least privilege', atkId: 'ATK-003', desc: 'Credential harvesting violates least privilege' },
+    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-002', desc: 'Obfuscation increases attack surface' },
+    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-004', desc: 'Persistence mechanisms expand attack surface' },
+    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-005', desc: 'Network exfiltration expands attack surface' },
+    { article: 'Annex I(2.1)', title: 'Protection against unauthorized access', atkId: 'ATK-003', desc: 'Credential harvesting enables unauthorized access' },
+    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-008', desc: 'Tarball tampering violates data integrity' },
+    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-011', desc: 'Propagation attacks compromise data integrity' },
+    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-009', desc: 'Conditional triggers evade incident detection' },
+    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-010', desc: 'Sandbox evasion defeats incident detection' },
+    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-011', desc: 'Propagation requires SC monitoring' },
+    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-007', desc: 'Typosquatting undermines SC trust' },
+  ];
+
+  let rows = '';
+  for (const { article, title, atkId, desc } of CRA_ARTICLES) {
+    const findings = atkMap[atkId] || [];
+    const status = findings.length > 0 ? 'fail' : 'pass';
+    const colorClass = status === 'pass' ? 'pass' : 'fail';
+    const label = findings.length > 0 ? `${findings.length} finding(s)` : 'No findings';
+    rows += `<tr><td>${article}</td><td>${title}</td><td>${desc}</td><td class="nist-${colorClass}">${label}</td><td>${atkId}</td></tr>`;
+  }
+
+  return `<h2>EU CRA Compliance Summary</h2>
+<table>
+<thead><tr><th>CRA Article</th><th>Requirement</th><th>Relevance</th><th>Status</th><th>ATK</th></tr></thead>
+<tbody>${rows}</tbody>
+</table>`;
+}
+
+export function generateCRAHTML(scans) {
+  const body = generateCRA(scans);
+  return `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="UTF-8"><title>EU CRA Compliance Report</title>
+<style>
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 960px; margin: 0 auto; padding: 20px; background: #0d1117; color: #c9d1d9; }
+h1, h2 { color: #58a6ff; }
+table { width: 100%; border-collapse: collapse; margin: 12px 0; }
+th, td { padding: 8px 12px; text-align: left; border-bottom: 1px solid #30363d; }
+th { background: #161b22; }
+.nist-pass { background: #1b3a1b; color: #7ee787; }
+.nist-fail { background: #3a1b1b; color: #ff7b72; }
+.meta { color: #8b949e; font-size: 13px; margin-top: 30px; }
+</style></head>
+<body>
+<h1>npm-scan EU CRA Compliance Report</h1>
+<p>Generated ${new Date().toISOString()} | npm-scan v${process.env.npm_package_version || '0.4.0'}</p>
+${body}
+<p class="meta">EU Cyber Resilience Act (Regulation 2023/2841) mapped to ATK findings.</p>
+</body></html>`;
+}

package/backend/detectors/atk-011-transitive-prop.js

@@ -0,0 +1,85 @@
+export async function scan(pkgJson, files = []) {
+  const findings = [];
+  const code = files.map(f => f.content).join('\n');
+
+const highPatterns = [
+    {
+      pattern: /(?:exec|execSync|spawn)\s*\([^)]*npm\s+(?:install|link)\s*\./i,
+      label: 'programmatic self-propagation via npm install/link'
+    },
+    {
+      pattern: /fs\.(?:writeFile|writeFileSync|copyFile|copyFileSync)\s*\([^)]*(?:node_modules\/(?!\.)[^/]+).*(?:index\.js|main\.js|package\.json)/i,
+      label: 'direct file write to peer node_modules'
+    },
+    {
+      pattern: /fs\.(?:writeFile|writeFileSync)\s*\([^)]*package\.json[^)]*["']scripts["']/i,
+      label: 'package.json script injection in another package'
+    },
+    {
+      pattern: /fs\.(?:writeFile|writeFileSync)\s*\([^)]*\.\.\/[^)]*package\.json/i,
+      label: 'writes modified package.json to sibling package'
+    },
+    {
+      pattern: /(?:exec|execSync|spawn)\s*\([^)]*npm\s+(?:install|link)\s+(?!\.)(?!http)(?!git)/i,
+      label: 'programmatic propagation via npm install of local package'
+    },
+    {
+      pattern: /(?:exec|execSync|spawn)\s*\([^)]*(?:\.\.\/|process\.env\.INIT_CWD).*npm\s+install/i,
+      label: 'cross-directory npm install propagation'
+    },
+  ];
+
+  for (const { pattern, label } of highPatterns) {
+    if (pattern.test(code)) {
+      findings.push({
+        id: 'ATK-011',
+        severity: 'high',
+        title: 'Transitive propagation (worm)',
+        description: `Package attempts lateral worm-style spread: ${label}`,
+        evidence: 'transitive propagation pattern detected'
+      });
+      break;
+    }
+  }
+
+if (findings.length === 0) {
+    const selfName = pkgJson && pkgJson.name ? pkgJson.name.replace(/^@/, '').replace(/\//, '-') : null;
+    const mediumPatterns = [
+      {
+        pattern: /process\.env\.npm_package_name/,
+        label: 'reads own package name (potential self-awareness for spread)'
+      },
+      {
+        pattern: selfName ? new RegExp('require\\([\'"]' + selfName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '[\'"]\\)', 'i') : null,
+        label: selfName ? `require() of own package name "${selfName}"` : null
+      },
+      {
+        pattern: /fs\.(?:mkdir|mkdirSync)\s*\([^)]*\.\.\/[^)]*node_modules/,
+        label: 'creates directories in parent node_modules structure'
+      },
+      {
+        pattern: /fs\.symlink(?:Sync)?\s*\(/,
+        label: 'creates symlinks (potential worm link spreading)'
+      },
+      {
+        pattern: /__dirname.*node_modules/,
+        label: 'references own directory path in node_modules'
+      },
+    ];
+
+    for (const { pattern, label: mLabel } of mediumPatterns) {
+      if (pattern && pattern.test(code) && mLabel) {
+        findings.push({
+          id: 'ATK-011',
+          severity: 'medium',
+          title: 'Transitive propagation (worm)',
+          description: mLabel,
+          evidence: 'potential propagation indicator'
+        });
+        break;
+      }
+    }
+  }
+
+  return findings;
+}

package/backend/detectors/index.js

@@ -8,6 +8,7 @@ import * as atk007 from './atk-007-typosquat.js';
 import * as atk008 from './atk-008-tarball-tamper.js';
 import * as atk009 from './atk-009-dormant-trigger.js';
 import * as atk010 from './atk-010-sandbox-evasion.js';
+import * as atk011 from './atk-011-transitive-prop.js';
 
 export async function runAll(pkgJson, files = []) {
   const findings = [];
@@ -21,5 +22,6 @@ export async function runAll(pkgJson, files = []) {
   findings.push(...await atk008.scan(pkgJson, files));
   findings.push(...await atk009.scan(pkgJson, files));
   findings.push(...await atk010.scan(pkgJson, files));
+  findings.push(...await atk011.scan(pkgJson, files));
   return findings.sort((a, b) => b.severity.localeCompare(a.severity));
 }

package/backend/detectors.test.js

@@ -67,6 +67,12 @@ test('ATK-010 detects sandbox evasion', async () => {
   assert(findings.some(f => f.id === 'ATK-010'), 'Expected ATK-010');
 });
 
+test('ATK-011 detects transitive propagation', async () => {
+  const files = [{ path: 'i.js', content: 'exec("npm install ./malicious-pkg")' }];
+  const findings = await detectors.runAll({}, files);
+  assert(findings.some(f => f.id === 'ATK-011'), 'Expected ATK-011');
+});
+
 test('no false positives on clean package', async () => {
   const pkg = { name: 'test-pkg', version: '1.0.0', scripts: { test: 'node test.js' }, dependencies: { 'express': '4.0.0' } };
   const files = [{ path: 'index.js', content: 'module.exports = function() { return 42 }' }];
@@ -75,8 +81,8 @@ test('no false positives on clean package', async () => {
   assert.equal(highCrit.length, 0, `Expected no high/crit findings on clean pkg: ${JSON.stringify(highCrit)}`);
 });
 
-test('all 10 ATK IDs present', async () => {
-  const expected = ['ATK-001', 'ATK-002', 'ATK-003', 'ATK-004', 'ATK-005', 'ATK-006', 'ATK-007', 'ATK-008', 'ATK-009', 'ATK-010'];
+test('all 11 ATK IDs present', async () => {
+  const expected = ['ATK-001', 'ATK-002', 'ATK-003', 'ATK-004', 'ATK-005', 'ATK-006', 'ATK-007', 'ATK-008', 'ATK-009', 'ATK-010', 'ATK-011'];
   const exports = Object.keys(detectors);
   assert.equal(exports.includes('runAll'), true);
 });

package/backend/report.js

@@ -93,6 +93,7 @@ const NIST_SR_MAP = {
   'ATK-008': { control: 'SR-8.1', title: 'Integrity verification' },
   'ATK-009': { control: 'SR-9.2', title: 'Conditional behavior analysis' },
   'ATK-010': { control: 'SR-10.3', title: 'Anti-evasion detection' },
+  'ATK-011': { control: 'SR-11.4', title: 'Supply chain propagation monitoring' },
 };
 
 function generateNistTable(scans) {

package/backend/sbom.js

@@ -15,7 +15,7 @@ function generateCycloneDX(pkgJson, findings) {
         version: pkgJson.version || 'unknown',
         purl: `pkg:npm/${pkgJson.name || 'unknown'}@${pkgJson.version || 'unknown'}`
       },
-      tools: [{ name: 'npm-scan', version: '0.3.2' }]
+      tools: [{ name: 'npm-scan', version: process.env.npm_package_version || '0.3.2' }]
     },
     vulnerabilities: findings.map(f => {
       const atkId = f.atk_id || f.id;

package/backend/siem/cef.js

@@ -0,0 +1,33 @@
+export function generateCEF(scans) {
+  const entries = [];
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const atkId = f.atk_id || f.id;
+      const desc = (f.description || f.title || '').replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
+      const sevMap = { critical: 10, high: 8, medium: 5, low: 2 };
+      const sev = sevMap[f.severity] || 5;
+      const pkgName = (s.package_name || 'unknown').replace(/\|/g, '\\|');
+      const pkgVer = (s.version || '').replace(/\|/g, '\\|');
+      entries.push([
+        'CEF:0',
+        'npm-scan',
+        'npm-scan',
+        process.env.npm_package_version || '0.4.0',
+        atkId,
+        desc,
+        String(sev),
+        `suser=${pkgName} ${pkgVer}`,
+        `msg=${desc}`,
+        `cs1=${atkId}`,
+        `cs1Label=atkId`,
+        `cs2=${f.severity}`,
+        `cs2Label=severity`,
+        `cs3=${pkgName}`,
+        `cs3Label=package`,
+        `cs4=${pkgVer}`,
+        `cs4Label=version`,
+      ].join('|'));
+    }
+  }
+  return entries.join('\n');
+}

package/backend/siem/index.js

@@ -0,0 +1,10 @@
+import { generateCEF } from './cef.js';
+
+export function generateSIEM(scans, format = 'cef') {
+  switch (format) {
+    case 'cef':
+      return generateCEF(scans);
+    default:
+      throw new Error(`Unknown SIEM format: ${format}`);
+  }
+}

package/cli/cli.js

@@ -5,7 +5,7 @@ import { Command } from 'commander';
 const program = new Command()
   .name('npm-scan')
   .description('npm supply chain security scanner')
-  .version('0.2.5');
+  .version('0.4.0');
 
 program
   .command('scan')
@@ -47,8 +47,11 @@ program
   .description('Generate report')
   .option('-i, --id <id>', 'Scan ID')
   .option('--sbom [format]', 'SBOM format (json/xml/spdx)')
-  .option('--html', 'HTML report')
+.option('--html', 'HTML report')
   .option('--nist', 'NIST 800-161 compliance report')
+  .option('--cra', 'EU CRA compliance report')
+  .option('--siem <format>', 'SIEM format (cef)')
+  .option('-l, --license-key <key>', 'Premium license')
   .action(async (options) => {
     const { getRecentScans, getFindings, getScan } = await import('../backend/db.js');
     if (options.id) {
@@ -57,30 +60,38 @@ program
       const pkgName = scanInfo?.package_name || 'scan-' + options.id;
       const pkgVer = scanInfo?.version || 'unknown';
       const pkg = { name: pkgName, version: pkgVer };
+      const scan = findings.length ? { package_name: pkgName, version: pkgVer, findings } : null;
       if (options.sbom) {
         const { generateSBOM } = await import('../backend/sbom.js');
         const sbom = generateSBOM(pkg, findings, options.sbom === true ? 'json' : options.sbom);
         console.log(sbom);
+      } else if (options.siem) {
+        const { generateSIEM } = await import('../backend/siem/index.js');
+        console.log(generateSIEM(scan ? [scan] : [], options.siem));
+      } else if (options.cra) {
+        const { generateCRA } = await import('../backend/cra.js');
+        console.log(generateCRA(scan ? [scan] : []));
       } else if (options.html || options.nist) {
         const { generateHTML } = await import('../backend/report.js');
-        const scan = findings.length ? { package_name: pkgName, version: pkgVer, findings } : null;
         const html = generateHTML(scan ? [scan] : []);
         console.log(html);
       } else {
         console.log(JSON.stringify(findings, null, 2));
       }
     } else {
-      if (options.html || options.nist) {
-        const scans = getRecentScans();
-        const scansWithFindings = scans.map(s => ({
-          ...s,
-          findings: getFindings(s.id)
-        }));
+      const scans = getRecentScans();
+      const scansWithFindings = scans.map(s => ({ ...s, findings: getFindings(s.id) }));
+if (options.siem) {
+        const { generateSIEM } = await import('../backend/siem/index.js');
+        console.log(generateSIEM(scansWithFindings, options.siem));
+      } else if (options.cra) {
+        const { generateCRA } = await import('../backend/cra.js');
+        console.log(generateCRA(scansWithFindings));
+      } else if (options.html || options.nist) {
         const { generateHTML } = await import('../backend/report.js');
         const html = generateHTML(scansWithFindings);
         console.log(html);
       } else {
-        const scans = getRecentScans();
         console.log('Recent scans:', JSON.stringify(scans, null, 2));
       }
     }

package/docs/attack-taxonomy.md

@@ -16,7 +16,7 @@ Versioned anchor for detectors, PRs, reports. Each entry: attack class, detectio
 | ATK-008 | Tarball tampering (tarball ≠ repo)         | Static (diff)   | Mirror repos             | SR-8.1           | Phase 2 |
 | ATK-009 | Conditional triggers (CI/time)             | Static+Dynamic  | Env probes               | SR-9.2           | Phase 2 |
 | ATK-010 | Sandbox evasion                            | Static+Dynamic  | Anti-analysis            | SR-10.3          | Phase 2 |
-| ATK-011 | Transitive propagation (worm)              | Dynamic         | Peer deps                | SR-11.4          | Phase 3 |
+| ATK-011 | Transitive propagation (worm)              | Static+Dynamic  | Peer deps                | SR-11.4          | Phase 3 |
 
 ## Detailed Entries
 
@@ -41,6 +41,13 @@ Versioned anchor for detectors, PRs, reports. Each entry: attack class, detectio
 - **NIST mapping:** SR-10.3 (Anti-Evasion Detection)
 - **Example:** `if (os.hostname().includes('docker')) { process.exit(0) }`
 
+### ATK-011 — Transitive Propagation (Worm)
+- **Description:** The package acts as a self-propagating worm by spreading itself through the dependency tree. Instead of (or in addition to) executing a standalone payload, it modifies peer/sibling packages' code or `package.json` to inject its own lifecycle hooks or entry points. This propagates the attack when the infected sibling is required by other packages upstream. Also covers "worm-drop" patterns where the package installs itself into other packages' `node_modules` via programmatic `npm install`/`npm link`.
+- **Detection surface:** Static+Dynamic. Static analysis checks for `child_process.exec`/`execSync` with `npm install`/`npm link` of local packages, `fs.writeFile` targeting sibling `node_modules` directories, `package.json` script injection in other packages, `fs.symlink` for binary propagation, and self-name references used to locate and copy own code into peer packages. Dynamic sandbox monitors filesystem writes outside the package's own directory tree.
+- **Evasion surface:** Peer dep confusion (installing a popular peer package with the same name as a benign transitive dep), delayed propagation (worm activates only after N runs or N days), piggybacking on legitimate `postinstall` chains, writing to `node_modules/.cache` or `node_modules/.bin` where detection is less likely.
+- **NIST mapping:** SR-11.4 (Supply Chain Propagation Monitoring)
+- **Example:** A package reads `process.env.npm_package_name`, locates its own directory in `node_modules`, then writes a malicious `postinstall` script to the `package.json` of a sibling package, ensuring the worm runs when any project dependency is installed.
+
 ## Governance
 
 New ATK requires PR with: PoC sample, detection rule, FP analysis, NIST map. Published at `docs/attack-taxonomy.md`. Referenced in all scan reports.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.3.3",
+  "version": "0.4.0",
   "description": "Powerful npm supply chain security scanner - detects malicious packages (Shai-Hulud style), behavioral analysis, SBOM, and compliance reporting.",
   "main": "backend/index.js",
   "bin": {

package/scripts/gen-mal-corpus.js

@@ -15,6 +15,9 @@ const MALS = [
   { name: 'mal-evasion-1', pkg: {}, js: 'if (os.hostname().includes("docker") || os.hostname().includes("sandbox")) { process.exit(0) }' },
   { name: 'mal-evasion-2', pkg: {}, js: 'if (process.argv.join(" ").includes("inspect")) { debugger; /* stop analysis */ }' },
   { name: 'mal-evasion-3', pkg: {}, js: 'try { throw new Error(); } catch(e) { if (e.stack.includes("sandbox")) { process.exit(0) } }' },
+  { name: 'mal-prop-1', pkg: { name: '@evil/worm' }, js: 'execSync("npm install ./worm-pkg"); execSync("npm link")' },
+  { name: 'mal-prop-2', pkg: {}, js: 'fs.writeFileSync("../lodash/node_modules/worm/index.js", "module.exports = { compromised: true }")' },
+  { name: 'mal-prop-3', pkg: { name: 'worm-pkg' }, js: `const pj = require('../express/package.json'); pj.scripts.install = 'node worm.js'; fs.writeFileSync('../express/package.json', JSON.stringify(pj))` },
 ];
 
 for (const mal of MALS) {