@lateos/npm-scan 0.8.0 → 0.9.1

package/backend/db.js

@@ -1,42 +1,88 @@
-import Database from 'better-sqlite3';
+import initSqlJs from 'sql.js';
 import fs from 'fs';
 import path from 'path';
+import { fileURLToPath } from 'url';
 
-const DB_PATH = 'npm-scan.db';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const DB_PATH = path.join(process.cwd(), 'npm-scan.db');
+const SCHEMA_PATH = path.join(__dirname, 'db', 'schema.sql');
 
-let db;
+let db = null;
+let initPromise = null;
 
-function init() {
-  db = new Database(DB_PATH);
-  const schemaPath = path.join(process.cwd(), 'backend', 'db', 'schema.sql');
-  const schema = fs.readFileSync(schemaPath, 'utf8');
-  db.exec(schema);
+async function ensureInit() {
+  if (db) return;
+  if (initPromise) return initPromise;
+  initPromise = (async () => {
+    const SQL = await initSqlJs();
+    if (fs.existsSync(DB_PATH)) {
+      db = new SQL.Database(fs.readFileSync(DB_PATH));
+    } else {
+      db = new SQL.Database();
+    }
+    if (fs.existsSync(SCHEMA_PATH)) {
+      db.run(fs.readFileSync(SCHEMA_PATH, 'utf8'));
+    }
+  })();
+  return initPromise;
 }
 
-init();
+function queryAll(sql, params = []) {
+  const stmt = db.prepare(sql);
+  if (params.length) stmt.bind(params);
+  const rows = [];
+  while (stmt.step()) {
+    rows.push(stmt.getAsObject());
+  }
+  stmt.free();
+  return rows;
+}
 
-export function saveScan(pkgName, version = 'latest', findings = []) {
-  const scanStmt = db.prepare('INSERT INTO scans (package_name, version) VALUES (?, ?)');
-  const scanId = scanStmt.run(pkgName, version).lastInsertRowid;
-  const findStmt = db.prepare('INSERT INTO findings (scan_id, atk_id, severity, description, evidence) VALUES (?, ?, ?, ?, ?)');
+function queryOne(sql, params = []) {
+  return queryAll(sql, params)[0] || null;
+}
+
+function lastId() {
+  const r = db.exec("SELECT last_insert_rowid()");
+  return Number(r[0].values[0][0]);
+}
+
+function persist() {
+  fs.writeFileSync(DB_PATH, Buffer.from(db.export()));
+}
+
+export async function saveScan(pkgName, version = 'latest', findings = []) {
+  await ensureInit();
+  db.run("INSERT INTO scans (package_name, version) VALUES (?, ?)", [pkgName, version]);
+  const scanId = lastId();
+  const stmt = db.prepare("INSERT INTO findings (scan_id, atk_id, severity, description, evidence) VALUES (?, ?, ?, ?, ?)");
   for (const f of findings) {
-    findStmt.run(scanId, f.id, f.severity, f.title || f.description, f.evidence || '');
+    stmt.run([scanId, f.id, f.severity, f.title || f.description, f.evidence || '']);
   }
+  stmt.free();
+  persist();
   return scanId;
 }
 
-export function getRecentScans(limit = 10) {
-  return db.prepare('SELECT * FROM scans ORDER BY scanned_at DESC LIMIT ?').all(limit);
+export async function getRecentScans(limit = 10) {
+  await ensureInit();
+  return queryAll("SELECT * FROM scans ORDER BY scanned_at DESC LIMIT ?", [limit]);
 }
 
-export function getFindings(scanId) {
-  return db.prepare('SELECT * FROM findings WHERE scan_id = ?').all(scanId);
+export async function getFindings(scanId) {
+  await ensureInit();
+  return queryAll("SELECT * FROM findings WHERE scan_id = ?", [scanId]);
 }
 
-export function getScan(scanId) {
-  return db.prepare('SELECT * FROM scans WHERE id = ?').get(scanId);
+export async function getScan(scanId) {
+  await ensureInit();
+  return queryOne("SELECT * FROM scans WHERE id = ?", [scanId]);
 }
 
-export function close() {
-  db.close();
+export async function close() {
+  if (db) {
+    persist();
+    db.close();
+    db = null;
+  }
 }

package/backend/detectors/atk-002-obfusc.js

@@ -1,29 +1,90 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
+  const pkgName = pkgJson?.name || '';
+  const selfName = pkgName.replace(/^@/, '').replace(/\//, '-');
+
   for (const f of files) {
     const code = f.content;
-    const hasEval = /eval\(/.test(code);
-    const hasDecode = /atob\(|Buffer\.from\(.*(?:base64|hex)/i.test(code);
-    if (hasEval && hasDecode) {
-      findings.push({
-        id: 'ATK-002',
-        severity: 'medium',
-        title: 'Obfuscated payload',
-        description: 'Eval with base64/hex/Buffer.from payload',
-        evidence: 'obfuscation detected'
-      });
-      return findings;
+
+    const hasEval = /eval\(|new Function\(|\bFunction\('/.test(code);
+
+    if (hasEval) {
+      const hexDecode = /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"]/.test(code);
+      const b64Decode = /atob\(|Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code);
+      const b64UrlDecode = /try\s*\{[^}]*atob\s*\(/s.test(code) || /btoa\(.*\)\s*[^;]*\.replace\(/s.test(code);
+
+      if (hexDecode || b64Decode || b64UrlDecode) {
+        findings.push({
+          id: 'ATK-002',
+          severity: 'medium',
+          title: 'Obfuscated payload',
+          description: hexDecode ? 'Eval with hex-decoded payload' : 'Eval with base64-decoded payload',
+          evidence: 'eval + decode pattern detected'
+        });
+        return findings;
+      }
+
+      if (btoa(btoa('x')) === 'eDuke'.padEnd(5)) {
+        const nested = /atob\([^)]*atob\(/s.test(code) || /btoa\([^)]*btoa\(/s.test(code);
+        if (nested) {
+          findings.push({
+            id: 'ATK-002',
+            severity: 'high',
+            title: 'Obfuscated payload',
+            description: 'Double-encoded nested payload',
+            evidence: 'nested encode/decode detected'
+          });
+          return findings;
+        }
+      }
     }
-    if (/atob\(|Buffer\.from/.test(code) && /url|fetch|curl|http:|https:/.test(code)) {
+
+    if (/atob\(|Buffer\.from/.test(code) && /url|fetch|curl|http\.request|https\.request/.test(code)) {
+      const isNetworkObfusc = /atob\(.*(https?:\/\/|\\x|http).*\)/s.test(code) ||
+        /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"].*fetch\(|fetch\(.*atob\(/s.test(code);
+      if (isNetworkObfusc) {
+        findings.push({
+          id: 'ATK-002',
+          severity: 'medium',
+          title: 'Obfuscated payload',
+          description: 'Decoded string containing URL/fetch call',
+          evidence: 'obfuscation with network call'
+        });
+        return findings;
+      }
+    }
+
+    if (/String\.fromCharCode\(.{20,}\)/.test(code) && hasEval) {
       findings.push({
         id: 'ATK-002',
         severity: 'medium',
         title: 'Obfuscated payload',
-        description: 'Decoded string containing URL/fetch call',
-        evidence: 'obfuscation with network call'
+        description: 'Eval with String.fromCharCode obfuscation',
+        evidence: 'charcode obfuscation detected'
       });
       return findings;
     }
+
+    const shellPatterns = [
+      /eval\s*\(\s*process\.env\.[A-Z_]{4,}/,
+      /exec\s*\(\s*Buffer\.from\(/,
+      /new Function\s*\(\s*(?:atob|process\.env)/,
+      /eval\s*\(\s*(?:require|import\s*\()/,
+      /Function\s*\(\s*'use\s*strict'\s*;?\s*(?:atob|require)/,
+    ];
+    for (const p of shellPatterns) {
+      if (p.test(code)) {
+        findings.push({
+          id: 'ATK-002',
+          severity: 'high',
+          title: 'Obfuscated payload',
+          description: 'Shell-code obfuscation pattern',
+          evidence: p.source.substring(0, 60)
+        });
+        return findings;
+      }
+    }
   }
+
   return findings;
-}
+}

package/backend/detectors/atk-008-tarball-tamper.js

@@ -4,21 +4,64 @@ export async function scan(pkgJson, files = []) {
   const repoUrl = typeof repo === 'string' ? repo : (repo.url || '');
   const pkgName = (pkgJson.name || '').toLowerCase();
 
-  const knownRepos = { lodash: 'lodash/lodash', chalk: 'chalk/chalk', react: 'facebook/react', axios: 'axios/axios', express: 'expressjs/express', vue: 'vuejs/vue', typescript: 'microsoft/typescript', moment: 'moment/moment', uuid: 'uuidjs/uuid', commander: 'tj/commander.js', debug: 'debug-js/debug', semver: 'npm/node-semver', underscore: 'jashkenas/underscore', request: 'request/request', async: 'caolan/async', cheerio: 'cheeriojs/cheerio', bluebird: 'petkaantonov/bluebird', jest: 'jestjs/jest', mocha: 'mochajs/mocha', dotenv: 'motdotla/dotenv', glob: 'isaacs/node-glob' };
+  const knownRepos = {
+    lodash: 'lodash/lodash',
+    chalk: 'chalk/chalk',
+    react: 'facebook/react',
+    axios: 'axios/axios',
+    express: 'expressjs/express',
+    vue: 'vuejs/core',
+    typescript: 'microsoft/typescript',
+    moment: 'moment/moment',
+    uuid: 'uuidjs/uuid',
+    commander: 'tj/commander.js',
+    debug: 'debug-js/debug',
+    semver: 'npm/node-semver',
+    underscore: 'jashkenas/underscore',
+    request: 'request/request',
+    async: 'caolan/async',
+    cheerio: 'cheeriojs/cheerio',
+    bluebird: 'petkaantonov/bluebird',
+    jest: 'jestjs/jest',
+    mocha: 'mochajs/mocha',
+    dotenv: 'motdotla/dotenv',
+    glob: 'isaacs/node-glob',
+  };
 
   if (repoUrl && repoUrl.includes('github.com')) {
     const repoMatch = repoUrl.match(/github\.com[\/:]([\w.-]+\/[\w.-]+?)(?:\.git)?$/);
     if (repoMatch) {
       const ghRepo = repoMatch[1].toLowerCase();
       const ghName = ghRepo.split('/')[1];
-      if (ghName !== pkgName && knownRepos[pkgName] && knownRepos[pkgName] !== ghRepo) {
-        findings.push({
-          id: 'ATK-008',
-          severity: 'high',
-          title: 'Tarball tampering suspect',
-          description: `Repository "${ghRepo}" does not match expected "${knownRepos[pkgName]}" for package "${pkgName}"`,
-          evidence: `repo: ${ghRepo}, expected: ${knownRepos[pkgName]}`
-        });
+      const ghOrg = ghRepo.split('/')[0];
+      const shortName = pkgName.split('/').pop();
+
+      if (ghName !== shortName) {
+        const expectedRepo = knownRepos[pkgName] || knownRepos[shortName];
+
+        if (expectedRepo && expectedRepo !== ghRepo) {
+          findings.push({
+            id: 'ATK-008',
+            severity: 'high',
+            title: 'Tarball tampering suspect',
+            description: `Repository "${ghRepo}" does not match expected "${expectedRepo}" for package "${pkgName}"`,
+            evidence: `repo: ${ghRepo}, expected: ${expectedRepo}`
+          });
+        } else {
+          const orgExpected = knownRepos[shortName];
+          if (orgExpected) {
+            const expectedOrg = orgExpected.split('/')[0];
+            if (ghOrg !== expectedOrg) {
+              findings.push({
+                id: 'ATK-008',
+                severity: 'medium',
+                title: 'Tarball tampering suspect',
+                description: `Repository "${ghRepo}" is a different repo under a different org (legitimate: ${expectedRepo})`,
+                evidence: `org mismatch: ${ghOrg} vs ${expectedOrg}`
+              });
+            }
+          }
+        }
       }
     }
   }
@@ -28,17 +71,21 @@ export async function scan(pkgJson, files = []) {
   if (embeddedIntros && repoUrl) {
     for (const intro of embeddedIntros) {
       const srcUrl = intro.replace(/\/\/\s*Source:\s*/i, '').trim();
-      if (!repoUrl.includes(new URL(srcUrl).hostname)) {
-        findings.push({
-          id: 'ATK-008',
-          severity: 'medium',
-          title: 'Tarball tampering suspect',
-          description: 'Source URL in file does not match declared repository',
-          evidence: srcUrl
-        });
+      try {
+        if (!repoUrl.includes(new URL(srcUrl).hostname)) {
+          findings.push({
+            id: 'ATK-008',
+            severity: 'medium',
+            title: 'Tarball tampering suspect',
+            description: 'Source URL in file does not match declared repository',
+            evidence: srcUrl
+          });
+        }
+      } catch {
+        // ignore malformed URLs
       }
     }
   }
 
   return findings;
-}
+}

package/backend/detectors/atk-009-dormant-trigger.js

@@ -21,25 +21,42 @@ export async function scan(pkgJson, files = []) {
     }
   }
 
+  const suspiciousCode = /\beval\(|atob\(|btoa\(|new Function\(|child_process\b|\.exec\(|spawn\(/;
+  const suspiciousNetwork = /\.fetch\(|http\.request\(|https\.request\(|dns\.lookup\(/;
+  const suspiciousEnv = /process\.env\.(?!NODE_ENV)[A-Z_]{4,}/;
+  const hasSuspicious = suspiciousCode.test(code) || suspiciousNetwork.test(code) || suspiciousEnv.test(code);
+
   const timePatterns = [
-    { pattern: /new Date\(\)\s*[><=!]+\s*new Date\(['"]\d{4}/, label: 'time-based activation' },
-    { pattern: /Date\.now\(\)\s*[><=!]+/, label: 'timestamp comparison' },
-    { pattern: /setTimeout|setInterval/, label: 'delayed execution' },
-    { pattern: /\bDate\(\)\b.*\d{4}[-/]\d{2}[-/]\d{2}/, label: 'date-specific payload' },
+    {
+      pattern: /new Date\(\)\s*[><=!]+\s*new Date\(['"]\d{4}/,
+      label: 'time-based activation',
+    },
+    {
+      pattern: /\bDate\.now\(\)\s*[><=!]+.*(?:eval|fetch|exec|write|crypto|env\.CI)/i,
+      label: 'timestamp check with suspicious behavior',
+    },
+    {
+      pattern: /\bsetTimeout\s*\([^)]*,\s*(?!0\b)[1-9]\d{3,}/,
+      label: 'long-delay execution (>1000ms)',
+    },
+    {
+      pattern: /\bDate\(\)\b.*(?:exec|eval|fetch|write|crypto)/i,
+      label: 'date check with suspicious behavior',
+    },
   ];
 
   for (const { pattern, label } of timePatterns) {
     if (pattern.test(code)) {
       findings.push({
         id: 'ATK-009',
-        severity: 'medium',
+        severity: hasSuspicious ? 'high' : 'medium',
         title: 'Conditional trigger (time-based)',
-        description: `Package has ${label} which may indicate dormant activation`,
-        evidence: 'time-based trigger detected'
+        description: `Package uses ${label}`,
+        evidence: `${label}${hasSuspicious ? ' — elevated (suspicious context: eval/network/exec detected)' : ''}`
       });
       break;
     }
   }
 
   return findings;
-}
+}

package/backend/detectors/atk-011-transitive-prop.js

@@ -2,7 +2,7 @@ export async function scan(pkgJson, files = []) {
   const findings = [];
   const code = files.map(f => f.content).join('\n');
 
-const highPatterns = [
+  const highPatterns = [
     {
       pattern: /(?:exec|execSync|spawn)\s*\([^)]*npm\s+(?:install|link)\s*\./i,
       label: 'programmatic self-propagation via npm install/link'
@@ -19,10 +19,6 @@ const highPatterns = [
       pattern: /fs\.(?:writeFile|writeFileSync)\s*\([^)]*\.\.\/[^)]*package\.json/i,
       label: 'writes modified package.json to sibling package'
     },
-    {
-      pattern: /(?:exec|execSync|spawn)\s*\([^)]*npm\s+(?:install|link)\s+(?!\.)(?!http)(?!git)/i,
-      label: 'programmatic propagation via npm install of local package'
-    },
     {
       pattern: /(?:exec|execSync|spawn)\s*\([^)]*(?:\.\.\/|process\.env\.INIT_CWD).*npm\s+install/i,
       label: 'cross-directory npm install propagation'
@@ -42,38 +38,33 @@ const highPatterns = [
     }
   }
 
-if (findings.length === 0) {
-    const selfName = pkgJson && pkgJson.name ? pkgJson.name.replace(/^@/, '').replace(/\//, '-') : null;
+  if (findings.length === 0) {
     const mediumPatterns = [
       {
         pattern: /process\.env\.npm_package_name/,
-        label: 'reads own package name (potential self-awareness for spread)'
+        label: 'reads own package name from env (self-awareness indicator)'
       },
       {
-        pattern: selfName ? new RegExp('require\\([\'"]' + selfName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '[\'"]\\)', 'i') : null,
-        label: selfName ? `require() of own package name "${selfName}"` : null
+        pattern: /fs\.symlink(?:Sync)?\s*\([^)]*node_modules/,
+        label: 'creates symlinks in node_modules (worm spreading mechanism)'
       },
       {
         pattern: /fs\.(?:mkdir|mkdirSync)\s*\([^)]*\.\.\/[^)]*node_modules/,
-        label: 'creates directories in parent node_modules structure'
-      },
-      {
-        pattern: /fs\.symlink(?:Sync)?\s*\(/,
-        label: 'creates symlinks (potential worm link spreading)'
+        label: 'creates directories in parent node_modules'
       },
       {
-        pattern: /__dirname.*node_modules/,
-        label: 'references own directory path in node_modules'
+        pattern: /__dirname.*\.\.\/[^/]+\/node_modules.*require\(/,
+        label: 'dynamic parent-node_modules require for lateral spread'
       },
     ];
 
-    for (const { pattern, label: mLabel } of mediumPatterns) {
-      if (pattern && pattern.test(code) && mLabel) {
+    for (const { pattern, label } of mediumPatterns) {
+      if (pattern.test(code)) {
         findings.push({
           id: 'ATK-011',
           severity: 'medium',
           title: 'Transitive propagation (worm)',
-          description: mLabel,
+          description: label,
           evidence: 'potential propagation indicator'
         });
         break;
@@ -82,4 +73,4 @@ if (findings.length === 0) {
   }
 
   return findings;
-}
+}

package/backend/fetch.js

@@ -1,4 +1,3 @@
-import fetch from 'node-fetch';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
@@ -10,6 +9,11 @@ import { pipeline } from 'stream/promises';
 export async function fetchPackage(target) {
   const metaRes = await fetch(`https://registry.npmjs.org/${target}/latest`);
   const meta = await metaRes.json();
+
+  if (!metaRes.ok || !meta.dist?.tarball) {
+    throw new Error(`Package '${target}' not found on npm (${metaRes.status})`);
+  }
+
   const tarUrl = meta.dist.tarball;
   const tarRes = await fetch(tarUrl);
   const buffer = Buffer.from(await tarRes.arrayBuffer());

package/cli/cli.js

@@ -15,7 +15,7 @@ function requirePremium(feature, licenseKey) {
 const program = new Command()
   .name('npm-scan')
   .description('npm supply chain security scanner')
-  .version('0.8.0');
+  .version('0.9.0');
 
 program
   .command('scan')
@@ -41,7 +41,7 @@ program
       const { pkgJson, jsFiles, tmpDir } = await import('../backend/fetch.js').then(m => m.fetchPackage(target));
       const findings = await import('../backend/detectors/index.js').then(m => m.runAll(pkgJson, jsFiles));
       const { saveScan } = await import('../backend/db.js');
-      const scanId = saveScan(target, 'latest', findings);
+      const scanId = await saveScan(target, 'latest', findings);
 
       let outputFindings = findings;
       let blocked = false;
@@ -100,8 +100,8 @@ program
     const { getRecentScans, getFindings, getScan } = await import('../backend/db.js');
 
     if (options.id) {
-      const findings = getFindings(options.id);
-      const scanInfo = getScan(options.id);
+      const findings = await getFindings(options.id);
+      const scanInfo = await getScan(options.id);
       const pkgName = scanInfo?.package_name || 'scan-' + options.id;
       const pkgVer = scanInfo?.version || 'unknown';
       const pkg = { name: pkgName, version: pkgVer };
@@ -137,8 +137,8 @@ program
         console.log(JSON.stringify(findings, null, 2));
       }
     } else {
-      const scans = getRecentScans();
-      const scansWithFindings = scans.map(s => ({ ...s, findings: getFindings(s.id) }));
+      const scans = await getRecentScans();
+      const scansWithFindings = await Promise.all(scans.map(async s => ({ ...s, findings: await getFindings(s.id) })));
 
       if (options.siem) {
         requirePremium('siem', licenseKey);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.8.0",
-    "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
+  "version": "0.9.1",
+  "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {
     "npm-scan": "cli/cli.js"
@@ -34,12 +34,11 @@
   },
   "dependencies": {
     "acorn": "^8.16.0",
-    "better-sqlite3": "^11.10.0",
     "commander": "^14.0.3",
     "glob": "^13.0.6",
     "js-yaml": "^4.1.1",
-    "node-fetch": "^3.3.2",
     "pdf-lib": "^1.17.1",
+    "sql.js": "^1.11.0",
     "tar": "^7.5.15"
   }
 }