@lateos/npm-scan 1.0.0 → 1.1.0

package/backend/detectors/tier1-metadata-spoof.js

@@ -1,68 +1,100 @@
 import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
 
 const INTERNAL_SUFFIX_RE = /\.(?:internal|local|corp|intra|priv|lan)(?:[.:/]|$)/i;
-const CORPORATE_RE = /(?:github-ent|jira-ent|github\.enterprise|internal-gitlab|gitlab\.internal|jenkins\.internal|confluence\.internal)/i;
-const PRIVATE_IP_RE = /^(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})/;
+const CORPORATE_RE =
+  /(?:github-ent|jira-ent|github\.enterprise|internal-gitlab|gitlab\.internal|jenkins\.internal|confluence\.internal)/i;
+const PRIVATE_IP_RE =
+  /^(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})/;
 
 function extractDomain(url) {
   try {
     const u = new URL(url);
     return u.hostname;
   } catch {
-    const m = url.match(/^(?:https?:\/\/)?([^\/\s:]+)/);
+    const m = url.match(/^(?:https?:\/\/)?([^/\s:]+)/);
     return m ? m[1] : null;
   }
 }
 
 function isInternalUrl(url) {
-  if (!url) return false;
+  if (!url) {
+    return false;
+  }
   const domain = extractDomain(url);
-  if (!domain) return false;
-  if (INTERNAL_SUFFIX_RE.test(domain)) return true;
-  if (CORPORATE_RE.test(domain)) return true;
-  if (PRIVATE_IP_RE.test(domain)) return true;
+  if (!domain) {
+    return false;
+  }
+  if (INTERNAL_SUFFIX_RE.test(domain)) {
+    return true;
+  }
+  if (CORPORATE_RE.test(domain)) {
+    return true;
+  }
+  if (PRIVATE_IP_RE.test(domain)) {
+    return true;
+  }
   return false;
 }
 
 function parseSemver(version) {
-  if (!version) return null;
+  if (!version) {
+    return null;
+  }
   const parts = version.replace(/^[~^]/, '').split('.');
   const m = parseInt(parts[0], 10);
   const n = parseInt(parts[1], 10);
   const p = parseInt(parts[2], 10);
-  if (isNaN(m) || isNaN(n) || isNaN(p)) return null;
+  if (isNaN(m) || isNaN(n) || isNaN(p)) {
+    return null;
+  }
   return { major: m, minor: n, patch: p };
 }
 
 function detectSemverInflation(currentVer, registryMeta) {
-  if (!currentVer || !registryMeta) return null;
+  if (!currentVer || !registryMeta) {
+    return null;
+  }
 
   const age = registryMeta.age;
-  if (age !== undefined && age < 7) return null;
+  if (age !== undefined && age < 7) {
+    return null;
+  }
 
   const previousVer = registryMeta.previousVersion || null;
-  if (!previousVer) return null;
+  if (!previousVer) {
+    return null;
+  }
 
   const cur = parseSemver(currentVer);
   const prev = parseSemver(previousVer);
-  if (!cur || !prev) return null;
+  if (!cur || !prev) {
+    return null;
+  }
 
   const majorJump = cur.major - prev.major;
   const minorJump = cur.minor - prev.minor;
   const patchJump = cur.patch - prev.patch;
 
-  if (majorJump > 10) return { type: 'major', from: previousVer, to: currentVer, jump: majorJump };
-  if (minorJump > 20) return { type: 'minor', from: previousVer, to: currentVer, jump: minorJump };
-  if (patchJump > 50) return { type: 'patch', from: previousVer, to: currentVer, jump: patchJump };
+  if (majorJump > 10) {
+    return { type: 'major', from: previousVer, to: currentVer, jump: majorJump };
+  }
+  if (minorJump > 20) {
+    return { type: 'minor', from: previousVer, to: currentVer, jump: minorJump };
+  }
+  if (patchJump > 50) {
+    return { type: 'patch', from: previousVer, to: currentVer, jump: patchJump };
+  }
 
   return null;
 }
 
 export const name = 'tier1-metadata-spoof';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, jsFiles, registryMeta, _allFiles) {
   const pkgName = pkgJson?.name;
-  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
 
   const fieldUrls = [];
 
@@ -87,7 +119,9 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   if (pkgJson.funding) {
     const arr = Array.isArray(pkgJson.funding) ? pkgJson.funding : [pkgJson.funding];
     for (let i = 0; i < arr.length; i++) {
-      if (arr[i] && arr[i].url) addField(`funding[${i}].url`, arr[i].url);
+      if (arr[i] && arr[i].url) {
+        addField(`funding[${i}].url`, arr[i].url);
+      }
     }
   }
 
@@ -95,13 +129,15 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     addField('author.url', pkgJson.author.url);
   }
 
-  const internalFields = fieldUrls.filter(f => isInternalUrl(f.value));
+  const internalFields = fieldUrls.filter((f) => isInternalUrl(f.value));
   const hasInternalUrls = internalFields.length > 0;
 
   const currentVersion = pkgJson?.version;
   const semverInflation = detectSemverInflation(currentVersion, registryMeta);
 
-  if (!hasInternalUrls && !semverInflation) return [];
+  if (!hasInternalUrls && !semverInflation) {
+    return [];
+  }
 
   let baseScore = 0;
   let subtype = '';
@@ -117,10 +153,14 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       const domain = extractDomain(f.value);
       evidence.push(`url: ${f.field} = ${f.value}`);
 
-      let pattern = '';
-      if (PRIVATE_IP_RE.test(domain)) pattern = 'private IP';
-      else if (CORPORATE_RE.test(domain)) pattern = 'corporate domain';
-      else pattern = 'internal domain';
+      let pattern;
+      if (PRIVATE_IP_RE.test(domain)) {
+        pattern = 'private IP';
+      } else if (CORPORATE_RE.test(domain)) {
+        pattern = 'corporate domain';
+      } else {
+        pattern = 'internal domain';
+      }
       evidence.push(`pattern: ${domain} (${pattern})`);
 
       locations.push({ field: f.field, value: f.value });
@@ -140,7 +180,9 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     if (hasInternalUrls) {
       baseScore = Math.round(baseScore * 1.3);
       evidence.push(semverMsg);
-      evidence.push(`${semverInflation.type} version jump (${semverInflation.jump}) without changelog`);
+      evidence.push(
+        `${semverInflation.type} version jump (${semverInflation.jump}) without changelog`
+      );
       locations.push({ field: 'version', old: semverInflation.from, new: semverInflation.to });
       primaryMessage += ' + unjustified semver jump';
     } else {
@@ -155,26 +197,34 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   const confidenceScore = Math.max(50, Math.min(90, baseScore));
 
   function severityLabel(sc) {
-    if (sc >= 70) return 'high';
+    if (sc >= 70) {
+      return 'high';
+    }
     return 'medium';
   }
 
   function confidenceLabel(sc) {
-    if (sc >= 80) return 'HIGH';
-    if (sc >= 60) return 'MEDIUM';
+    if (sc >= 80) {
+      return 'HIGH';
+    }
+    if (sc >= 60) {
+      return 'MEDIUM';
+    }
     return 'LOW';
   }
 
-  return [{
-    detector: 'tier1-metadata-spoof',
-    id: 'TIER1-METADATA-SPOOF',
-    severity: severityLabel(confidenceScore),
-    confidence: confidenceLabel(confidenceScore),
-    confidenceScore,
-    subtype,
-    message: primaryMessage,
-    evidence,
-    locations,
-    reference: 'Campaign 1',
-  }];
+  return [
+    {
+      detector: 'tier1-metadata-spoof',
+      id: 'TIER1-METADATA-SPOOF',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype,
+      message: primaryMessage,
+      evidence,
+      locations,
+      reference: 'Campaign 1',
+    },
+  ];
 }

package/backend/detectors/tier1-multistage-postinstall.js

@@ -1,34 +1,51 @@
 const SCAN_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
 
-const REMOTE_FETCH_RE = /\b(?:fetch|axios\.get|axios\.post|http\.get|https\.get)\(|\b(?:curl|wget)\s/;
+const REMOTE_FETCH_RE =
+  /\b(?:fetch|axios\.get|axios\.post|http\.get|https\.get)\(|\b(?:curl|wget)\s/;
 const BINARY_EXEC_RE = /\b(?:execFile|execFileSync|execSync|exec|spawnSync|spawn)\s*\(/;
 const DETACHED_RE = /detached\s*:\s*true/;
 
 function severityLabel(score) {
-  if (score >= 95) return 'critical';
-  if (score >= 80) return 'high';
-  if (score >= 60) return 'medium';
+  if (score >= 95) {
+    return 'critical';
+  }
+  if (score >= 80) {
+    return 'high';
+  }
+  if (score >= 60) {
+    return 'medium';
+  }
   return 'low';
 }
 
 function confidenceLabel(score) {
-  if (score >= 95) return 'CRITICAL';
-  if (score >= 80) return 'HIGH';
-  if (score >= 60) return 'MEDIUM';
+  if (score >= 95) {
+    return 'CRITICAL';
+  }
+  if (score >= 80) {
+    return 'HIGH';
+  }
+  if (score >= 60) {
+    return 'MEDIUM';
+  }
   return 'LOW';
 }
 
 export const name = 'tier1-multistage-postinstall';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, _jsFiles, _registryMeta, _allFiles) {
   const scripts = pkgJson?.scripts;
-  if (!scripts || typeof scripts !== 'object') return [];
+  if (!scripts || typeof scripts !== 'object') {
+    return [];
+  }
 
   const findings = [];
 
   for (const hookName of SCAN_HOOKS) {
     const content = scripts[hookName];
-    if (!content || typeof content !== 'string') continue;
+    if (!content || typeof content !== 'string') {
+      continue;
+    }
 
     const hasRemoteFetch = REMOTE_FETCH_RE.test(content);
     const hasBinaryExec = BINARY_EXEC_RE.test(content);
@@ -37,7 +54,9 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     const signalA = hasRemoteFetch && hasBinaryExec;
     const signalB = hasDetached;
 
-    if (!signalA && !signalB) continue;
+    if (!signalA && !signalB) {
+      continue;
+    }
 
     let confidenceScore;
     let subtype;
@@ -54,9 +73,15 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     }
 
     const evidence = [`hook: ${hookName}`];
-    if (hasRemoteFetch) evidence.push('pattern: remote fetch call');
-    if (hasBinaryExec) evidence.push('pattern: binary execution call');
-    if (hasDetached) evidence.push('pattern: detached background process');
+    if (hasRemoteFetch) {
+      evidence.push('pattern: remote fetch call');
+    }
+    if (hasBinaryExec) {
+      evidence.push('pattern: binary execution call');
+    }
+    if (hasDetached) {
+      evidence.push('pattern: detached background process');
+    }
 
     findings.push({
       detector: 'tier1-multistage-postinstall',
@@ -67,11 +92,13 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       subtype,
       message: `Multi-stage install hook detected in "${hookName}" — ${subtype}`,
       evidence,
-      locations: [{
-        file: 'package.json',
-        field: `scripts.${hookName}`,
-        value: content.length > 200 ? `${content.slice(0, 200)}...` : content,
-      }],
+      locations: [
+        {
+          file: 'package.json',
+          field: `scripts.${hookName}`,
+          value: content.length > 200 ? `${content.slice(0, 200)}...` : content,
+        },
+      ],
       crossFiles: [],
       reference: 'Sonatype-2026-003429',
     });

package/backend/detectors/tier1-obfuscation-heuristics.js

@@ -6,8 +6,10 @@ const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
 const ENTROPY_THRESHOLD = 5.3;
 const PAYLOAD_SIZE_THRESHOLD = 100000;
 
-function analyze(code, label) {
-  if (!code || code.length < 20) return null;
+function analyze(code, _label) {
+  if (!code || code.length < 20) {
+    return null;
+  }
 
   const entropy = shannonEntropy(code);
   const patterns = detectPatterns(code);
@@ -15,7 +17,7 @@ function analyze(code, label) {
   const payloadSize = code.length;
 
   let score = 0;
-  let flags = [];
+  const flags = [];
 
   if (entropy > ENTROPY_THRESHOLD) {
     score += 35;
@@ -43,7 +45,9 @@ function analyze(code, label) {
 
   if (payloadSize > PAYLOAD_SIZE_THRESHOLD) {
     score += 15;
-    flags.push(`Payload size ${payloadSize} bytes exceeds ${PAYLOAD_SIZE_THRESHOLD} byte threshold`);
+    flags.push(
+      `Payload size ${payloadSize} bytes exceeds ${PAYLOAD_SIZE_THRESHOLD} byte threshold`
+    );
   }
 
   if (patterns.includes('XOR_CIPHER') && patterns.length >= 2) {
@@ -58,7 +62,9 @@ function analyze(code, label) {
 
   score = Math.max(0, Math.min(100, score));
 
-  if (score < 40) return null;
+  if (score < 40) {
+    return null;
+  }
 
   return {
     flagged: true,
@@ -73,31 +79,47 @@ function analyze(code, label) {
 }
 
 function severityLabel(sc) {
-  if (sc >= 90) return 'critical';
-  if (sc >= 70) return 'high';
-  if (sc >= 50) return 'medium';
+  if (sc >= 90) {
+    return 'critical';
+  }
+  if (sc >= 70) {
+    return 'high';
+  }
+  if (sc >= 50) {
+    return 'medium';
+  }
   return 'low';
 }
 
 function confidenceLabel(sc) {
-  if (sc >= 80) return 'HIGH';
-  if (sc >= 60) return 'MEDIUM';
+  if (sc >= 80) {
+    return 'HIGH';
+  }
+  if (sc >= 60) {
+    return 'MEDIUM';
+  }
   return 'LOW';
 }
 
 export const name = 'tier1-obfuscation-heuristics';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, jsFiles, _registryMeta, _allFiles) {
   const pkgName = pkgJson?.name;
-  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
 
   const findings = [];
   const scripts = pkgJson?.scripts || {};
 
   for (const [hookName, scriptContent] of Object.entries(scripts)) {
-    if (!LIFECYCLE_SCRIPTS.includes(hookName)) continue;
+    if (!LIFECYCLE_SCRIPTS.includes(hookName)) {
+      continue;
+    }
     const result = analyze(scriptContent, hookName);
-    if (!result) continue;
+    if (!result) {
+      continue;
+    }
 
     findings.push({
       detector: 'tier1-obfuscation-heuristics',
@@ -123,12 +145,18 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
 
   for (const f of jsFiles || []) {
     const content = f.content || '';
-    if (content.length < 100) continue;
+    if (content.length < 100) {
+      continue;
+    }
 
     const result = analyze(content, f.path || 'unknown.js');
-    if (!result) continue;
+    if (!result) {
+      continue;
+    }
 
-    if (result.confidenceScore < 50) continue;
+    if (result.confidenceScore < 50) {
+      continue;
+    }
 
     findings.push({
       detector: 'tier1-obfuscation-heuristics',

package/backend/detectors/tier1-self-propagation.js

@@ -0,0 +1,115 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const THRESHOLDS = {
+  flag_threshold: 75,
+  warn_threshold: 60,
+  burst_window_minutes: 60,
+  min_packages_burst: 3,
+  identical_payload_weight: 40,
+};
+
+function parseTimeStamps(registryMeta) {
+  const timeData = registryMeta?.time;
+  if (!timeData || typeof timeData !== 'object') return [];
+  return Object.entries(timeData)
+    .map(([ver, ts]) => ({
+      version: ver,
+      time: new Date(ts).getTime(),
+    }))
+    .filter((e) => !isNaN(e.time))
+    .sort((a, b) => a.time - b.time);
+}
+
+function findBursts(entries, windowMs) {
+  const bursts = [];
+  for (let i = 0; i < entries.length; i++) {
+    const windowEnd = entries[i].time + windowMs;
+    const group = [];
+    for (let j = i; j < entries.length && entries[j].time <= windowEnd; j++) {
+      group.push(entries[j]);
+    }
+    if (group.length >= 3) {
+      bursts.push({
+        startVersion: group[0].version,
+        endVersion: group[group.length - 1].version,
+        count: group.length,
+        windowMinutes: windowMs / 60000,
+        versions: group.map((e) => e.version),
+      });
+    }
+  }
+  return bursts;
+}
+
+function computeConfidence(bursts, findings) {
+  let base = 40;
+  if (bursts.length > 0) {
+    base += 20 + Math.min(bursts[0].count * 5, 25);
+  }
+  if (findings.length > 0) {
+    base += THRESHOLDS.identical_payload_weight;
+  }
+  return Math.min(100, Math.max(0, base));
+}
+
+function severityLabel(score) {
+  if (score >= 80) return 'high';
+  if (score >= 60) return 'medium';
+  return 'low';
+}
+
+function confidenceLabel(score) {
+  if (score >= 80) return 'HIGH';
+  if (score >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+
+export const name = 'tier1-self-propagation';
+
+export async function scan(pkgJson, _jsFiles, registryMeta, _allFiles) {
+  const pkgName = pkgJson?.name;
+  if (!pkgName) return [];
+  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const entries = parseTimeStamps(registryMeta);
+  if (entries.length < 3) return [];
+
+  const windowMs = (THRESHOLDS.burst_window_minutes || 60) * 60 * 1000;
+  const bursts = findBursts(entries, windowMs);
+  if (bursts.length === 0) return [];
+
+  const burst = bursts[0];
+  const confidenceScore = computeConfidence(bursts, []);
+  if (confidenceScore < THRESHOLDS.warn_threshold) return [];
+
+  const relatedPackages = [];
+  const maintainer =
+    registryMeta?.maintainer || registryMeta?.versions?.[pkgJson.version]?._npmUser?.name;
+  const namespaces = registryMeta?.namespacePackages || [];
+  if (namespaces.length > 0) {
+    for (const np of namespaces) {
+      if (np !== pkgName) relatedPackages.push(np);
+    }
+  }
+
+  return [
+    {
+      detector: 'tier1-self-propagation',
+      id: 'TIER1-SELF-PROPAGATION',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype: 'self_propagation_burst',
+      message: `Self-propagation burst detected: ${burst.count} versions in ${burst.windowMinutes} minutes`,
+      evidence: [
+        `burst: ${burst.count} versions in ${burst.windowMinutes}min`,
+        `window: ${burst.startVersion} -> ${burst.endVersion}`,
+        `related_packages: ${relatedPackages.length}`,
+        `maintainer: ${maintainer || 'unknown'}`,
+      ],
+      locations: [{ file: 'package.json', line: 1, column: 1 }],
+      crossFiles: relatedPackages.slice(0, 10),
+      reference: 'D10: @redhat-cloud-services Miasma self-propagation',
+    },
+  ];
+}

package/backend/detectors/tier1-slsa-attestation.js

@@ -7,6 +7,6 @@
 
 export const name = 'tier1-slsa-attestation';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(_pkgJson, _jsFiles, _registryMeta, _allFiles) {
   return [];
 }