@lateos/npm-scan 1.0.0 → 1.1.0

package/backend/detectors/tier1-infostealer.js

@@ -12,25 +12,29 @@ const NPMJS_DOMAIN_RE = /npmjs\.(?:com|org)/i;
 const AWS_KEY_RE = /AKIA[0-9A-Z]{16}/g;
 const NPM_TOKEN_RE = /npm_[a-zA-Z0-9]{36}/g;
 const GH_TOKEN_RE = /ghp_[a-zA-Z0-9]{30,40}/g;
-const GH_OLD_TOKEN_RE = /gho_[a-zA-Z0-9]{36}/g;
-const GITLAB_TOKEN_RE = /glpat-[a-zA-Z0-9_-]{20,}/g;
+const _GH_OLD_TOKEN_RE = /gho_[a-zA-Z0-9]{36}/g;
+const _GITLAB_TOKEN_RE = /glpat-[a-zA-Z0-9_-]{20,}/g;
 
 const ENV_DUMP_RE = /process\.env\.(?:AWS_[A-Z_]+|NPM_TOKEN|NPM_AUTH_TOKEN|GIT_TOKEN|SSH_KEY)/g;
 
 const EVAL_RE = /\beval\s*\(/g;
 const FUNCTION_CTOR_RE = /\bFunction\s*\(/g;
-const B64_STRING_RE = /['"`]([A-Za-z0-9+/]{40,}={0,2})['"`]/g;
+const _B64_STRING_RE = /['"`]([A-Za-z0-9+/]{40,}={0,2})['"`]/g;
 
 // Named malware signatures — zero-FP string literals for confirmed campaigns
 const NAMED_SIGNATURES = [
-  'Miasma: The Spreading Blight',   // Miasma campaign, June 2026, @redhat-cloud-services compromise
+  'Miasma: The Spreading Blight', // Miasma campaign, June 2026, @redhat-cloud-services compromise
 ];
 
 function shannonEntropy(s) {
   const len = s.length;
-  if (len === 0) return 0;
+  if (len === 0) {
+    return 0;
+  }
   const freq = {};
-  for (const ch of s) freq[ch] = (freq[ch] || 0) + 1;
+  for (const ch of s) {
+    freq[ch] = (freq[ch] || 0) + 1;
+  }
   let entropy = 0;
   for (const count of Object.values(freq)) {
     const p = count / len;
@@ -43,7 +47,9 @@ function isMinified(content) {
   const identifiers = content.match(/\b[a-zA-Z_$][\w$]*\b/g);
   if (identifiers && identifiers.length > 0) {
     const avgLen = identifiers.reduce((s, id) => s + id.length, 0) / identifiers.length;
-    if (avgLen < 3) return true;
+    if (avgLen < 3) {
+      return true;
+    }
   }
   return shannonEntropy(content) > 5.5;
 }
@@ -94,9 +100,12 @@ function patternMatcher(f, content) {
     isObfuscated: false,
   };
 
-  if (!content) return result;
+  if (!content) {
+    return result;
+  }
 
-  result.isObfuscated = isMinified(content) || EVAL_RE.test(content) || FUNCTION_CTOR_RE.test(content);
+  result.isObfuscated =
+    isMinified(content) || EVAL_RE.test(content) || FUNCTION_CTOR_RE.test(content);
 
   FS_READ_RE.lastIndex = 0;
   HTTP_FETCH_RE.lastIndex = 0;
@@ -109,13 +118,17 @@ function patternMatcher(f, content) {
   const hasCurlWget = CURL_WGET_RE.test(content);
 
   const domains = extractDomains(content);
-  const externalDomains = domains.filter(d => !NPMJS_DOMAIN_RE.test(d));
-  const gitHubDomains = domains.filter(d => GITHUB_DOMAIN_RE.test(d) && !NPMJS_DOMAIN_RE.test(d));
+  const externalDomains = domains.filter((d) => !NPMJS_DOMAIN_RE.test(d));
+  const gitHubDomains = domains.filter((d) => GITHUB_DOMAIN_RE.test(d) && !NPMJS_DOMAIN_RE.test(d));
 
   if (hasFsRead && hasHttpFetch) {
-    const isGithubOnly = gitHubDomains.length > 0 && externalDomains.length === gitHubDomains.length;
+    const isGithubOnly =
+      gitHubDomains.length > 0 && externalDomains.length === gitHubDomains.length;
     result.hasPattern = true;
-    result.patterns.push({ subtype: isGithubOnly ? 'nw_exfil_to_github' : 'fs_exfil', baseScore: 80 });
+    result.patterns.push({
+      subtype: isGithubOnly ? 'nw_exfil_to_github' : 'fs_exfil',
+      baseScore: 80,
+    });
     result.domainsFound.push(...domains);
     FS_READ_RE.lastIndex = 0;
     const fsMatch = FS_READ_RE.exec(content);
@@ -123,15 +136,21 @@ function patternMatcher(f, content) {
       const lc = getLineColumn(content, fsMatch.index);
       result.locations.push({ file, line: lc.line, column: lc.column });
     }
-    result.evidence.push(isGithubOnly
-      ? 'pattern: fs.readFile + network to GitHub'
-      : 'pattern: fs.readFile + external fetch');
+    result.evidence.push(
+      isGithubOnly
+        ? 'pattern: fs.readFile + network to GitHub'
+        : 'pattern: fs.readFile + external fetch'
+    );
   }
 
   if (hasFsRead && (hasChildProc || hasCurlWget)) {
-    const isGithubOnly = gitHubDomains.length > 0 && externalDomains.length === gitHubDomains.length;
+    const isGithubOnly =
+      gitHubDomains.length > 0 && externalDomains.length === gitHubDomains.length;
     result.hasPattern = true;
-    result.patterns.push({ subtype: isGithubOnly ? 'nw_exfil_to_github' : 'fs_exfil', baseScore: 80 });
+    result.patterns.push({
+      subtype: isGithubOnly ? 'nw_exfil_to_github' : 'fs_exfil',
+      baseScore: 80,
+    });
     result.domainsFound.push(...domains);
     FS_READ_RE.lastIndex = 0;
     const fsMatch = FS_READ_RE.exec(content);
@@ -139,9 +158,11 @@ function patternMatcher(f, content) {
       const lc = getLineColumn(content, fsMatch.index);
       result.locations.push({ file, line: lc.line, column: lc.column });
     }
-    result.evidence.push(isGithubOnly
-      ? 'pattern: fs.readFile + child_process to GitHub'
-      : 'pattern: fs.readFile + child_process network');
+    result.evidence.push(
+      isGithubOnly
+        ? 'pattern: fs.readFile + child_process to GitHub'
+        : 'pattern: fs.readFile + child_process network'
+    );
   }
 
   const creds = extractCredentials(content);
@@ -152,7 +173,7 @@ function patternMatcher(f, content) {
     result.patterns.push({ subtype: primaryType, baseScore: 85 });
     const lc = getLineColumn(content, creds[0].index);
     result.locations.push({ file, line: lc.line, column: lc.column });
-    const typeNames = [...new Set(creds.map(c => c.type))];
+    const typeNames = [...new Set(creds.map((c) => c.type))];
     result.evidence.push(`hardcoded_credentials: ${creds.length} (${typeNames.join(', ')})`);
   }
 
@@ -171,9 +192,11 @@ function patternMatcher(f, content) {
 
 export const name = 'tier1-infostealer';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, jsFiles, _registryMeta, _allFiles) {
   const pkgName = pkgJson?.name;
-  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
 
   const files = jsFiles || [];
 
@@ -181,39 +204,49 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   const sigTexts = [];
   if (pkgJson?.scripts && typeof pkgJson.scripts === 'object') {
     for (const value of Object.values(pkgJson.scripts)) {
-      if (typeof value === 'string') sigTexts.push(value);
+      if (typeof value === 'string') {
+        sigTexts.push(value);
+      }
     }
   }
   for (const f of files) {
-    if (f?.content) sigTexts.push(f.content);
+    if (f?.content) {
+      sigTexts.push(f.content);
+    }
   }
   for (const sig of NAMED_SIGNATURES) {
     for (const text of sigTexts) {
       if (text.includes(sig)) {
-        return [{
-          detector: 'tier1-infostealer',
-          id: 'TIER1-INFOSTEALER',
-          severity: 'critical',
-          confidence: 'CRITICAL',
-          confidenceScore: 98,
-          subtype: 'named_signature_miasma',
-          message: `Named malware signature detected: "${sig}"`,
-          evidence: [sig],
-          locations: [{ file: '', line: 0 }],
-          crossFiles: [],
-          reference: 'Campaign 2 & 3',
-        }];
+        return [
+          {
+            detector: 'tier1-infostealer',
+            id: 'TIER1-INFOSTEALER',
+            severity: 'critical',
+            confidence: 'CRITICAL',
+            confidenceScore: 98,
+            subtype: 'named_signature_miasma',
+            message: `Named malware signature detected: "${sig}"`,
+            evidence: [sig],
+            locations: [{ file: '', line: 0 }],
+            crossFiles: [],
+            reference: 'Campaign 2 & 3',
+          },
+        ];
       }
     }
   }
 
-  if (files.length === 0) return [];
+  if (files.length === 0) {
+    return [];
+  }
 
   let parseFailCount = 0;
 
   for (const f of files) {
     const content = f.content || '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     try {
       acorn.parse(content, { ecmaVersion: 'latest' });
     } catch {
@@ -221,12 +254,16 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     }
   }
 
-  if (files.length >= 20 && parseFailCount / files.length >= 0.1) return [];
+  if (files.length >= 20 && parseFailCount / files.length >= 0.1) {
+    return [];
+  }
 
-  const perFile = files.map(f => patternMatcher(f, f.content || ''));
-  const filesWithPatterns = perFile.filter(p => p.hasPattern);
+  const perFile = files.map((f) => patternMatcher(f, f.content || ''));
+  const filesWithPatterns = perFile.filter((p) => p.hasPattern);
 
-  if (filesWithPatterns.length === 0) return [];
+  if (filesWithPatterns.length === 0) {
+    return [];
+  }
 
   let highestBase = 0;
   let mainSubtype = '';
@@ -234,13 +271,17 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   const allEvidence = [];
   const allLocations = [];
   const involvedFiles = [];
-  const hasCreds = false;
+  const _hasCreds = false;
 
   for (const f of filesWithPatterns) {
-    if (!involvedFiles.includes(f.file)) involvedFiles.push(f.file);
+    if (!involvedFiles.includes(f.file)) {
+      involvedFiles.push(f.file);
+    }
     allLocations.push(...f.locations);
     allEvidence.push(...f.evidence);
-    if (f.isObfuscated) isObfuscated = true;
+    if (f.isObfuscated) {
+      isObfuscated = true;
+    }
     for (const p of f.patterns) {
       if (p.baseScore > highestBase) {
         highestBase = p.baseScore;
@@ -251,12 +292,16 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
 
   let baseScore = highestBase;
 
-  const anyCredPattern = filesWithPatterns.some(f => f.patterns.some(p => p.subtype.startsWith('cred_')));
+  const anyCredPattern = filesWithPatterns.some((f) =>
+    f.patterns.some((p) => p.subtype.startsWith('cred_'))
+  );
   if (anyCredPattern) {
     baseScore = Math.min(100, Math.round(baseScore * 2.5));
   }
 
-  if (isObfuscated) baseScore += 15;
+  if (isObfuscated) {
+    baseScore += 15;
+  }
 
   if (involvedFiles.length > 1) {
     baseScore = Math.min(100, Math.round(baseScore * 1.3));
@@ -265,8 +310,12 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   const confidenceScore = Math.max(50, Math.min(100, baseScore));
 
   function confidenceLabel(score) {
-    if (score >= 95) return 'CRITICAL';
-    if (score >= 80) return 'HIGH';
+    if (score >= 95) {
+      return 'CRITICAL';
+    }
+    if (score >= 80) {
+      return 'HIGH';
+    }
     return 'MEDIUM';
   }
 
@@ -276,14 +325,16 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   const locationMap = new Map();
   for (const loc of allLocations) {
     const key = `${loc.file}:${loc.line}:${loc.column}`;
-    if (!locationMap.has(key)) locationMap.set(key, loc);
+    if (!locationMap.has(key)) {
+      locationMap.set(key, loc);
+    }
   }
 
   const isCritical = anyCredPattern;
   const severity = isCritical ? 'critical' : confidenceScore >= 80 ? 'high' : 'medium';
 
-  const domainSummary = filesWithPatterns
-    .flatMap(f => f.domainsFound)
+  const _domainSummary = filesWithPatterns
+    .flatMap((f) => f.domainsFound)
     .filter(Boolean)
     .slice(0, 3);
 
@@ -300,17 +351,19 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     message = 'Filesystem exfiltration to external domain detected';
   }
 
-  return [{
-    detector: 'tier1-infostealer',
-    id: 'TIER1-INFOSTEALER',
-    severity,
-    confidence: confidenceLabel(confidenceScore),
-    confidenceScore,
-    subtype: mainSubtype || 'fs_exfil',
-    message,
-    evidence,
-    locations: [...locationMap.values()],
-    crossFiles: [...new Set(involvedFiles)],
-    reference: 'Campaign 2 & 3',
-  }];
+  return [
+    {
+      detector: 'tier1-infostealer',
+      id: 'TIER1-INFOSTEALER',
+      severity,
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype: mainSubtype || 'fs_exfil',
+      message,
+      evidence,
+      locations: [...locationMap.values()],
+      crossFiles: [...new Set(involvedFiles)],
+      reference: 'Campaign 2 & 3',
+    },
+  ];
 }

package/backend/detectors/tier1-lifecycle-hook.js

@@ -1,6 +1,13 @@
 import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
 
-const HOOK_NAMES = ['postinstall', 'preinstall', 'install', 'prepare', 'preuninstall', 'postuninstall'];
+const HOOK_NAMES = [
+  'postinstall',
+  'preinstall',
+  'install',
+  'prepare',
+  'preuninstall',
+  'postuninstall',
+];
 
 const CURL_WGET_RE = /\b(?:curl|wget|powershell|bash|sh)\b/i;
 const CHILD_PROC_RE = /\b(?:exec|execSync|spawn|spawnSync|fork)\s*\(/g;
@@ -17,9 +24,13 @@ const REQUIRE_RE = /\brequire\s*\(/g;
 
 function shannonEntropy(s) {
   const len = s.length;
-  if (len === 0) return 0;
+  if (len === 0) {
+    return 0;
+  }
   const freq = {};
-  for (const ch of s) freq[ch] = (freq[ch] || 0) + 1;
+  for (const ch of s) {
+    freq[ch] = (freq[ch] || 0) + 1;
+  }
   let entropy = 0;
   for (const count of Object.values(freq)) {
     const p = count / len;
@@ -29,20 +40,32 @@ function shannonEntropy(s) {
 }
 
 function isObfuscated(content) {
-  if (!content) return false;
+  if (!content) {
+    return false;
+  }
   const noWhitespace = !/\s/.test(content.trim());
   const identifiers = content.match(/\b[a-zA-Z_$][\w$]*\b/g);
   let avgIdLen = 0;
   if (identifiers && identifiers.length > 0) {
     avgIdLen = identifiers.reduce((s, id) => s + id.length, 0) / identifiers.length;
   }
-  if (noWhitespace && identifiers && identifiers.length > 0 && avgIdLen < 3) return true;
-  if (noWhitespace && /^[a-zA-Z_$][\w$]*\([^)]*\)$/.test(content.trim())) return true;
+  if (noWhitespace && identifiers && identifiers.length > 0 && avgIdLen < 3) {
+    return true;
+  }
+  if (noWhitespace && /^[a-zA-Z_$][\w$]*\([^)]*\)$/.test(content.trim())) {
+    return true;
+  }
   HEX_STRING_RE.lastIndex = 0;
-  if (HEX_STRING_RE.test(content)) return true;
+  if (HEX_STRING_RE.test(content)) {
+    return true;
+  }
   B64_RE.lastIndex = 0;
-  if (B64_RE.test(content)) return true;
-  if (shannonEntropy(content) > 5.5) return true;
+  if (B64_RE.test(content)) {
+    return true;
+  }
+  if (shannonEntropy(content) > 5.5) {
+    return true;
+  }
   return false;
 }
 
@@ -58,9 +81,11 @@ function extractUrls(content) {
 
 export const name = 'tier1-lifecycle-hook';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, _jsFiles, _registryMeta, _allFiles) {
   const pkgName = pkgJson?.name;
-  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
 
   const scripts = pkgJson?.scripts || {};
   const hooks = {};
@@ -71,18 +96,23 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     }
   }
 
-  if (Object.keys(hooks).length === 0) return [];
+  if (Object.keys(hooks).length === 0) {
+    return [];
+  }
 
   const findings = [];
 
   for (const [hookName, scriptContent] of Object.entries(hooks)) {
     const content = typeof scriptContent === 'string' ? scriptContent : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
 
     const truncated = content.length > 10240 ? content.slice(0, 10240) : content;
 
     const obfuscated = isObfuscated(truncated);
-    const hasEval = EVAL_RE.test(truncated) || FUNCTION_CTOR_RE.test(truncated) || ZERO_EVAL_RE.test(truncated);
+    const hasEval =
+      EVAL_RE.test(truncated) || FUNCTION_CTOR_RE.test(truncated) || ZERO_EVAL_RE.test(truncated);
     const hasNetwork = CURL_WGET_RE.test(truncated) || CHILD_PROC_RE.test(truncated);
     const hasUrls = URL_RE.test(truncated) || IP_RE.test(truncated);
     const urls = extractUrls(truncated);
@@ -111,7 +141,9 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       }
       const domainInfo = hasInternal ? 'internal domain' : 'external URL';
       evidence.push(`patterns: hardcoded ${domainInfo} in hook`);
-      if (urls.length > 0) evidence.push(`target: ${urls[0]}`);
+      if (urls.length > 0) {
+        evidence.push(`target: ${urls[0]}`);
+      }
     }
 
     if (envExfil) {
@@ -143,13 +175,19 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       baseScore = Math.min(100, Math.round(baseScore * 2.5));
     }
 
-    if (baseScore === 0) continue;
+    if (baseScore === 0) {
+      continue;
+    }
 
     const confidenceScore = Math.max(50, Math.min(100, baseScore));
 
     function confidenceLabel(score) {
-      if (score >= 95) return 'CRITICAL';
-      if (score >= 80) return 'HIGH';
+      if (score >= 95) {
+        return 'CRITICAL';
+      }
+      if (score >= 80) {
+        return 'HIGH';
+      }
       return 'MEDIUM';
     }
 
@@ -162,11 +200,13 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       subtype,
       message: `Suspicious lifecycle hook "${hookName}"`,
       evidence,
-      locations: [{
-        file: 'package.json',
-        field: `scripts.${hookName}`,
-        value: content.length > 200 ? `${content.slice(0, 200)}...` : content,
-      }],
+      locations: [
+        {
+          file: 'package.json',
+          field: `scripts.${hookName}`,
+          value: content.length > 200 ? `${content.slice(0, 200)}...` : content,
+        },
+      ],
       crossFiles: [],
       reference: 'Campaign 1',
     });

package/backend/detectors/tier1-maintainer-compromise.js

@@ -0,0 +1,157 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const THRESHOLDS = {
+  flag_threshold: 75,
+  warn_threshold: 60,
+  velocity_burst_multiplier: 5,
+  burst_window_hours: 24,
+  min_velocity_baseline: 0.5,
+  duplicate_version_weight: 40,
+  unusual_timing_weight: 25,
+  cross_package_burst_weight: 50,
+};
+
+function parseVersionHistory(registryMeta) {
+  const timeData = registryMeta?.time;
+  if (!timeData || typeof timeData !== 'object') return [];
+
+  return Object.entries(timeData)
+    .map(([ver, ts]) => ({
+      version: ver,
+      time: new Date(ts).getTime(),
+      date: new Date(ts),
+    }))
+    .filter((e) => !isNaN(e.time))
+    .sort((a, b) => a.time - b.time);
+}
+
+function getHour(date) {
+  return date.getUTCHours();
+}
+
+function calculateVelocity(history) {
+  if (history.length < 2) return { perWeek: 0, perDay: 0 };
+  const firstTime = history[0].time;
+  const lastTime = history[history.length - 1].time;
+  const spanMs = lastTime - firstTime;
+  const spanDays = spanMs / (1000 * 60 * 60 * 24);
+  if (spanDays < 1) return { perWeek: history.length, perDay: history.length };
+  const perDay = history.length / Math.max(spanDays, 1);
+  const perWeek = perDay * 7;
+  return { perWeek, perDay };
+}
+
+function detectBursts(history) {
+  const bursts = [];
+  const windowMs = (THRESHOLDS.burst_window_hours || 24) * 60 * 60 * 1000;
+
+  for (let i = 0; i < history.length; i++) {
+    const windowEnd = history[i].time + windowMs;
+    const group = [];
+    for (let j = i; j < history.length && history[j].time <= windowEnd; j++) {
+      group.push(history[j]);
+    }
+    if (group.length >= 3) {
+      const groupHour = group.map((e) => getHour(e.date));
+      const timings = groupHour.filter((h) => h >= 0 && h <= 5);
+      bursts.push({
+        count: group.length,
+        windowHours: windowMs / (1000 * 60 * 60),
+        versions: group.map((e) => e.version),
+        unusualTimings: [...new Set(timings)]
+          .sort()
+          .map((h) => `${String(h).padStart(2, '0')}:00 UTC`),
+        startTime: group[0].date.toISOString(),
+        endTime: group[group.length - 1].date.toISOString(),
+      });
+    }
+  }
+  return bursts;
+}
+
+function computeConfidence(bursts, velocity, unusualTimingsCount) {
+  if (bursts.length === 0) return 0;
+  let base = 40;
+
+  const burst = bursts[0];
+  const burstMultiplier =
+    velocity.perWeek > 0
+      ? burst.count / Math.max(velocity.perWeek, THRESHOLDS.min_velocity_baseline)
+      : burst.count;
+
+  if (burstMultiplier >= THRESHOLDS.velocity_burst_multiplier) {
+    base += Math.min(burstMultiplier * 3, 30);
+  }
+
+  if (unusualTimingsCount > 0) {
+    base += Math.min(unusualTimingsCount * THRESHOLDS.unusual_timing_weight, 20);
+  }
+
+  if (burst.count >= 10) {
+    base += 15;
+  }
+
+  return Math.min(100, Math.max(0, base));
+}
+
+function severityLabel(score) {
+  if (score >= 80) return 'critical';
+  if (score >= 60) return 'high';
+  return 'medium';
+}
+
+function confidenceLabel(score) {
+  if (score >= 80) return 'CRITICAL';
+  if (score >= 60) return 'HIGH';
+  return 'MEDIUM';
+}
+
+export const name = 'tier1-maintainer-compromise';
+
+export async function scan(pkgJson, _jsFiles, registryMeta, _allFiles) {
+  const pkgName = pkgJson?.name;
+  if (!pkgName) return [];
+  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const history = parseVersionHistory(registryMeta);
+  if (history.length < 3) return [];
+
+  const velocity = calculateVelocity(history);
+  const bursts = detectBursts(history);
+  if (bursts.length === 0) return [];
+
+  const burst = bursts[0];
+  const unusualTimings = burst.unusualTimings;
+  const burstMultiplier =
+    velocity.perWeek > 0
+      ? burst.count / Math.max(velocity.perWeek, THRESHOLDS.min_velocity_baseline)
+      : burst.count;
+
+  const crossPackageBurst = registryMeta?.crossPackageBurst || false;
+
+  const confidenceScore = computeConfidence(bursts, velocity, unusualTimings.length);
+  if (confidenceScore < THRESHOLDS.warn_threshold) return [];
+
+  return [
+    {
+      detector: 'tier1-maintainer-compromise',
+      id: 'TIER1-MAINTAINER-COMPROMISE',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype: 'maintainer_compromise_burst',
+      message: `Maintainer compromise detected: ${burst.count} versions in ${burst.windowHours}h window (${burstMultiplier.toFixed(1)}x normal velocity)`,
+      evidence: [
+        `normal_velocity: ${velocity.perWeek.toFixed(1)}/week (${velocity.perDay.toFixed(1)}/day)`,
+        `burst_count: ${burst.count} in ${burst.windowHours}h`,
+        `burst_multiplier: ${burstMultiplier.toFixed(1)}x`,
+        `unusual_timings: ${unusualTimings.length > 0 ? unusualTimings.join(', ') : 'none'}`,
+        `cross_package: ${crossPackageBurst}`,
+        `versions: ${burst.versions.slice(0, 5).join(', ')}${burst.versions.length > 5 ? `... (+${burst.versions.length - 5} more)` : ''}`,
+      ],
+      locations: [{ file: 'package.json', line: 1, column: 1 }],
+      crossFiles: [],
+      reference: 'D13: @redhat-cloud-services maintainer compromise',
+    },
+  ];
+}