@lateos/npm-scan 1.0.0 → 1.1.0

package/backend/detectors/tier1-version-confusion.js

@@ -4,23 +4,37 @@ const SENTINEL_EXACT = ['99.99.99'];
 const SENTINEL_FAMILY = ['9.9.9', '9.9.10', '10.10.10', '11.11.11'];
 
 function severityLabel(score) {
-  if (score >= 80) return 'high';
-  if (score >= 60) return 'medium';
+  if (score >= 80) {
+    return 'high';
+  }
+  if (score >= 60) {
+    return 'medium';
+  }
   return 'low';
 }
 
 function confidenceLabel(score) {
-  if (score >= 80) return 'HIGH';
-  if (score >= 60) return 'MEDIUM';
+  if (score >= 80) {
+    return 'HIGH';
+  }
+  if (score >= 60) {
+    return 'MEDIUM';
+  }
   return 'LOW';
 }
 
 function parseVersion(version) {
-  if (!version || typeof version !== 'string') return null;
+  if (!version || typeof version !== 'string') {
+    return null;
+  }
   const parts = version.split('.');
-  if (parts.length !== 3) return null;
+  if (parts.length !== 3) {
+    return null;
+  }
   const [major, minor, patch] = parts.map(Number);
-  if (isNaN(major) || isNaN(minor) || isNaN(patch)) return null;
+  if (isNaN(major) || isNaN(minor) || isNaN(patch)) {
+    return null;
+  }
   return { major, minor, patch };
 }
 
@@ -30,77 +44,83 @@ function matchesHeuristic(parsed) {
 
 export const name = 'tier1-version-confusion';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, _jsFiles, _registryMeta, _allFiles) {
   const pkgName = pkgJson?.name;
   const version = pkgJson?.version;
 
-  if (!pkgName || !version) return [];
-  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  if (!pkgName || !version) {
+    return [];
+  }
+  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
 
   const parsed = parseVersion(version);
-  if (!parsed) return [];
+  if (!parsed) {
+    return [];
+  }
 
   const vStr = version;
 
   // Priority: SENTINEL_EXACT > SENTINEL_FAMILY > HEURISTIC
   if (SENTINEL_EXACT.includes(vStr)) {
     const score = 85;
-    return [{
-      detector: 'tier1-version-confusion',
-      id: 'TIER1-VERSION-CONFUSION',
-      severity: severityLabel(score),
-      confidence: confidenceLabel(score),
-      confidenceScore: score,
-      subtype: 'sentinel_exact',
-      message: `Package "${pkgName}" uses exact sentinel version ${vStr} — dependency confusion indicator`,
-      evidence: [
-        `version: ${vStr}`,
-        `sentinel: exact match`,
-      ],
-      crossFiles: [],
-      locations: [{ file: 'package.json', line: 3, column: 10 }],
-      reference: 'Sonatype-2026-003429',
-    }];
+    return [
+      {
+        detector: 'tier1-version-confusion',
+        id: 'TIER1-VERSION-CONFUSION',
+        severity: severityLabel(score),
+        confidence: confidenceLabel(score),
+        confidenceScore: score,
+        subtype: 'sentinel_exact',
+        message: `Package "${pkgName}" uses exact sentinel version ${vStr} — dependency confusion indicator`,
+        evidence: [`version: ${vStr}`, `sentinel: exact match`],
+        crossFiles: [],
+        locations: [{ file: 'package.json', line: 3, column: 10 }],
+        reference: 'Sonatype-2026-003429',
+      },
+    ];
   }
 
   if (SENTINEL_FAMILY.includes(vStr)) {
     const score = 65;
-    return [{
-      detector: 'tier1-version-confusion',
-      id: 'TIER1-VERSION-CONFUSION',
-      severity: severityLabel(score),
-      confidence: confidenceLabel(score),
-      confidenceScore: score,
-      subtype: 'sentinel_family',
-      message: `Package "${pkgName}" uses sentinel family version ${vStr} — dependency confusion indicator`,
-      evidence: [
-        `version: ${vStr}`,
-        `sentinel: family match`,
-      ],
-      crossFiles: [],
-      locations: [{ file: 'package.json', line: 3, column: 10 }],
-      reference: 'Sonatype-2026-003429',
-    }];
+    return [
+      {
+        detector: 'tier1-version-confusion',
+        id: 'TIER1-VERSION-CONFUSION',
+        severity: severityLabel(score),
+        confidence: confidenceLabel(score),
+        confidenceScore: score,
+        subtype: 'sentinel_family',
+        message: `Package "${pkgName}" uses sentinel family version ${vStr} — dependency confusion indicator`,
+        evidence: [`version: ${vStr}`, `sentinel: family match`],
+        crossFiles: [],
+        locations: [{ file: 'package.json', line: 3, column: 10 }],
+        reference: 'Sonatype-2026-003429',
+      },
+    ];
   }
 
   if (matchesHeuristic(parsed)) {
     const score = 62;
-    return [{
-      detector: 'tier1-version-confusion',
-      id: 'TIER1-VERSION-CONFUSION',
-      severity: severityLabel(score),
-      confidence: confidenceLabel(score),
-      confidenceScore: score,
-      subtype: 'high_version_heuristic',
-      message: `Package "${pkgName}" version ${vStr} matches high-version heuristic — possible dependency confusion`,
-      evidence: [
-        `version: ${vStr}`,
-        `major: ${parsed.major}, minor: ${parsed.minor}, patch: ${parsed.patch}`,
-      ],
-      crossFiles: [],
-      locations: [{ file: 'package.json', line: 3, column: 10 }],
-      reference: 'Microsoft Scope Confusion',
-    }];
+    return [
+      {
+        detector: 'tier1-version-confusion',
+        id: 'TIER1-VERSION-CONFUSION',
+        severity: severityLabel(score),
+        confidence: confidenceLabel(score),
+        confidenceScore: score,
+        subtype: 'high_version_heuristic',
+        message: `Package "${pkgName}" version ${vStr} matches high-version heuristic — possible dependency confusion`,
+        evidence: [
+          `version: ${vStr}`,
+          `major: ${parsed.major}, minor: ${parsed.minor}, patch: ${parsed.patch}`,
+        ],
+        crossFiles: [],
+        locations: [{ file: 'package.json', line: 3, column: 10 }],
+        reference: 'Microsoft Scope Confusion',
+      },
+    ];
   }
 
   return [];

package/backend/detectors/trapdoor/d1-campaign-marker.js

@@ -10,7 +10,9 @@ export function scanCampaignMarker(allFiles) {
     const ext = path.includes('.') ? '.' + path.split('.').pop() : '';
 
     const isTarget = TARGET_FILENAMES.has(basename) || TARGET_EXTENSIONS.includes(ext);
-    if (!isTarget) continue;
+    if (!isTarget) {
+      continue;
+    }
 
     if (content.includes('P-2024-001')) {
       matches.push({ file: path });

package/backend/detectors/trapdoor/d2-payload-fingerprint.js

@@ -12,7 +12,7 @@ export function scanPayloadFingerprint(allFiles) {
     }
 
     if (byteSize === 48485) {
-      const alreadyMatched = matches.some(m => m.file === path);
+      const alreadyMatched = matches.some((m) => m.file === path);
       if (!alreadyMatched) {
         matches.push({ file: path, matchType: 'byteSize', byteSize });
       }

package/backend/detectors/trapdoor/d3-publisher-blocklist.js

@@ -1,7 +1,8 @@
 export function scanPublisherBlocklist(pkgJson, registryMeta) {
-  const publisherAccount = registryMeta?.versions?.[pkgJson?.version]?._npmUser?.name
-    || registryMeta?.versions?.[Object.keys(registryMeta.versions || {})[0]]?._npmUser?.name
-    || null;
+  const publisherAccount =
+    registryMeta?.versions?.[pkgJson?.version]?._npmUser?.name ||
+    registryMeta?.versions?.[Object.keys(registryMeta.versions || {})[0]]?._npmUser?.name ||
+    null;
 
   if (publisherAccount === 'asdxzxc') {
     return { triggered: true, publisher: publisherAccount };

package/backend/detectors/trapdoor/d4-gists-exfil.js

@@ -3,8 +3,10 @@ const C2_PATTERNS = [/ddjidd564\.github\.io/i, /gist\.github\.com/i];
 
 function scanContent(content, filePath) {
   const matches = [];
-  const hasC2 = C2_PATTERNS.some(p => p.test(content));
-  if (!hasC2) return matches;
+  const hasC2 = C2_PATTERNS.some((p) => p.test(content));
+  if (!hasC2) {
+    return matches;
+  }
 
   const hasCredPath = CRED_PATH_PATTERNS.test(content);
   if (hasCredPath) {

package/backend/detectors/trapdoor/d5-ai-poisoning.js

@@ -1,6 +1,6 @@
 const ZERO_WIDTH_RANGES = [
-  [0x200B, 0x200D],
-  [0xFEFF, 0xFEFF],
+  [0x200b, 0x200d],
+  [0xfeff, 0xfeff],
 ];
 
 function isZeroWidthChar(code) {
@@ -14,7 +14,9 @@ export function scanAIPoisoning(allFiles) {
 
   for (const file of allFiles) {
     const path = file.path?.replace(/\\/g, '/') || '';
-    if (!TARGET_FILES.test(path)) continue;
+    if (!TARGET_FILES.test(path)) {
+      continue;
+    }
 
     const content = file.content || '';
     const found = [];

package/backend/detectors/trapdoor/d6-lure-name.js

@@ -12,16 +12,21 @@ const LURE_PATTERNS = [
 
 export function scanLureName(pkgJson, registryMeta) {
   const pkgName = pkgJson?.name || '';
-  const matchedPattern = LURE_PATTERNS.find(p => p.test(pkgName));
-  if (!matchedPattern) return { triggered: false };
+  const matchedPattern = LURE_PATTERNS.find((p) => p.test(pkgName));
+  if (!matchedPattern) {
+    return { triggered: false };
+  }
 
   const timeMap = registryMeta?.time || {};
-  const versions = Object.keys(timeMap).filter(v => v !== 'created' && v !== 'modified');
-  const firstVersion = versions.length > 0
-    ? versions.sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]))[0]
-    : null;
+  const versions = Object.keys(timeMap).filter((v) => v !== 'created' && v !== 'modified');
+  const firstVersion =
+    versions.length > 0
+      ? versions.sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]))[0]
+      : null;
 
-  if (!firstVersion) return { triggered: false };
+  if (!firstVersion) {
+    return { triggered: false };
+  }
 
   const firstPubDate = new Date(timeMap[firstVersion]);
   const now = new Date();

package/backend/detectors/trapdoor/d7-crypto-primitives.js

@@ -7,8 +7,8 @@ export function scanCryptoPrimitives(allFiles, pkgJson) {
     .map(([hook, content]) => ({ file: `script:${hook}`, content }));
 
   const jsFiles = allFiles
-    .filter(f => f.path?.endsWith('.js') || f.path?.endsWith('.mjs') || f.path?.endsWith('.cjs'))
-    .map(f => ({ file: f.path, content: f.content || '' }));
+    .filter((f) => f.path?.endsWith('.js') || f.path?.endsWith('.mjs') || f.path?.endsWith('.cjs'))
+    .map((f) => ({ file: f.path, content: f.content || '' }));
 
   for (const { file, content } of [...scriptEntries, ...jsFiles]) {
     const hasFernet = /Fernet/i.test(content);

package/backend/detectors/trapdoor/d8-xor-key.js

@@ -2,9 +2,14 @@ export function scanXorKey(allFiles) {
   const matches = [];
   for (const file of allFiles) {
     const path = file.path?.replace(/\\/g, '/') || '';
-    const isLockFile = /(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|pnpm-lock\.yml|Cargo\.lock|Cargo\.toml)/i.test(path);
+    const isLockFile =
+      /(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|pnpm-lock\.yml|Cargo\.lock|Cargo\.toml)/i.test(
+        path
+      );
     const isBundled = /\.node$|vendor|native/i.test(path);
-    if (!isLockFile && !isBundled) continue;
+    if (!isLockFile && !isBundled) {
+      continue;
+    }
 
     const content = file.content || '';
     if (content.includes('cargo-build-helper-2026')) {

package/backend/detectors/trapdoor/d9-cred-validation.js

@@ -1,7 +1,4 @@
-const CRED_VALIDATION_PATTERNS = [
-  /sts\.amazonaws\.com/i,
-  /api\.github\.com\/user/i,
-];
+const CRED_VALIDATION_PATTERNS = [/sts\.amazonaws\.com/i, /api\.github\.com\/user/i];
 
 export function scanCredValidation(allFiles, pkgJson) {
   const matches = [];
@@ -19,7 +16,9 @@ export function scanCredValidation(allFiles, pkgJson) {
 
   for (const file of allFiles) {
     const path = file.path || '';
-    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) {
+      continue;
+    }
     const content = file.content || '';
     for (const pattern of CRED_VALIDATION_PATTERNS) {
       if (pattern.test(content)) {

package/backend/detectors/trapdoor/index.js

@@ -24,7 +24,9 @@ const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
 
 function highestSeverity(severities) {
   for (const s of SEVERITY_ORDER) {
-    if (severities.includes(s)) return s;
+    if (severities.includes(s)) {
+      return s;
+    }
   }
   return 'none';
 }
@@ -48,16 +50,16 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     .filter(([_, r]) => r.triggered)
     .map(([id]) => id);
 
-  if (triggered.length === 0) return [];
+  if (triggered.length === 0) {
+    return [];
+  }
 
-  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const severity = highestSeverity(triggered.map((id) => RULE_SEVERITY[id]));
 
   const evidence = {
     campaign: 'TRAPDOOR',
     triggeredRules: triggered,
-    details: Object.fromEntries(
-      Object.entries(results).filter(([_, r]) => r.triggered)
-    ),
+    details: Object.fromEntries(Object.entries(results).filter(([_, r]) => r.triggered)),
     iocSummary: {
       publisher: 'asdxzxc',
       c2Domain: 'ddjidd564.github.io',
@@ -66,12 +68,15 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     },
   };
 
-  return [{
-    id: 'TRAPDOOR',
-    severity,
-    title: 'TrapDoor cross-ecosystem supply chain attack campaign',
-    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'Block install immediately. Revoke any npm tokens associated with this package. Rotate CI/CD secrets. Audit for postinstall scripts accessing credentials. Check for AI config poisoning (.cursorrules/CLAUDE.md). Verify all package versions from publisher asdxzxc. If confirmed compromise, follow incident response procedures per SECURITY.md.',
-  }];
+  return [
+    {
+      id: 'TRAPDOOR',
+      severity,
+      title: 'TrapDoor cross-ecosystem supply chain attack campaign',
+      description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation:
+        'Block install immediately. Revoke any npm tokens associated with this package. Rotate CI/CD secrets. Audit for postinstall scripts accessing credentials. Check for AI config poisoning (.cursorrules/CLAUDE.md). Verify all package versions from publisher asdxzxc. If confirmed compromise, follow incident response procedures per SECURITY.md.',
+    },
+  ];
 }

package/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js

@@ -1,19 +1,37 @@
 const BLOCKED_MAINTAINERS = ['vpmdhaj'];
 const VPMDHAJ_PREFIX_RE = /^vpmdhaj-/;
 const TYPOSQUAT_TARGETS = [
-  'opensearch-setup', 'env-config-manager',
-  'express', 'lodash', 'axios', 'react', 'vue', 'angular',
-  'babel', 'webpack', 'typescript', 'moment', 'dotenv',
+  'opensearch-setup',
+  'env-config-manager',
+  'express',
+  'lodash',
+  'axios',
+  'react',
+  'vue',
+  'angular',
+  'babel',
+  'webpack',
+  'typescript',
+  'moment',
+  'dotenv',
 ];
 
 function levenshteinDistance(a, b) {
-  const m = a.length, n = b.length;
+  const m = a.length,
+    n = b.length;
   const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
-  for (let i = 0; i <= m; i++) dp[i][0] = i;
-  for (let j = 0; j <= n; j++) dp[0][j] = j;
+  for (let i = 0; i <= m; i++) {
+    dp[i][0] = i;
+  }
+  for (let j = 0; j <= n; j++) {
+    dp[0][j] = j;
+  }
   for (let i = 1; i <= m; i++) {
     for (let j = 1; j <= n; j++) {
-      dp[i][j] = a[i - 1] === b[j - 1] ? dp[i - 1][j - 1] : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+      dp[i][j] =
+        a[i - 1] === b[j - 1]
+          ? dp[i - 1][j - 1]
+          : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
     }
   }
   return dp[m][n];
@@ -71,7 +89,13 @@ export function scanMaintainerAnomaly(pkgJson, registryMeta) {
     };
   }
 
-  return { triggered: false, stopCondition: false, maintainer: '', suspiciousAliases: [], reason: '' };
+  return {
+    triggered: false,
+    stopCondition: false,
+    maintainer: '',
+    suspiciousAliases: [],
+    reason: '',
+  };
 }
 
 export { BLOCKED_MAINTAINERS };

package/backend/detectors/typosquat-vpmdhaj/d2-preinstall-loader.js

@@ -1,8 +1,8 @@
 const SUSPICIOUS_HOOKS = ['preinstall'];
-const LOADER_SCRIPTS = ['setup.mjs', 'loader.js', 'stager.js', 'init.mjs'];
+const _LOADER_SCRIPTS = ['setup.mjs', 'loader.js', 'stager.js', 'init.mjs'];
 const BUN_RUN_RE = /\bbun\s+run\b/;
 const NODE_SETUP_RE = /\bnode\s+(setup\.mjs|init\.mjs|loader\.js|stager\.js)\b/;
-const PREINSTALL_STAGER_RE = /preinstall\s*[:=]/;
+const _PREINSTALL_STAGER_RE = /preinstall\s*[:=]/;
 
 export function scanPreinstallLoader(pkgJson) {
   const scripts = pkgJson?.scripts || {};
@@ -10,7 +10,9 @@ export function scanPreinstallLoader(pkgJson) {
 
   for (const hook of SUSPICIOUS_HOOKS) {
     const cmd = scripts[hook];
-    if (!cmd) continue;
+    if (!cmd) {
+      continue;
+    }
 
     const details = { hookType: hook, hookCommand: cmd };
 

package/backend/detectors/typosquat-vpmdhaj/d3-cred-exfil.js

@@ -4,49 +4,71 @@ const VAULT_CRED_RE = /VAULT_ADDR|VAULT_TOKEN/;
 const GITHUB_TOKEN_RE = /GITHUB_TOKEN|GH_TOKEN/;
 const AWS_ACCESS_KEY_RE = /AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN/;
 const BASE64_OBFUSCATION_RE = /Buffer\.from\([^)]+['"]base64['"]\)|btoa\(|atob\(/;
-const HTTP_POST_EXFIL_RE = /(?:fetch|axios|request|got|curl)\s*\([^)]*(?:https?:\/\/[^'"\s)\]]+)[^)]*(?:method\s*[:=]\s*['"]POST['"]|\.post\s*\()/;
-const DOMAIN_EXFIL_RE = /(?:fetch|axios|request|got|curl)\s*\(['"](?:https?:\/\/)?[^'"\s)\]]*\.[^'"\s)\]]{2,}[^)]*\)/;
+const HTTP_POST_EXFIL_RE =
+  /(?:fetch|axios|request|got|curl)\s*\([^)]*(?:https?:\/\/[^'"\s)\]]+)[^)]*(?:method\s*[:=]\s*['"]POST['"]|\.post\s*\()/;
+const DOMAIN_EXFIL_RE =
+  /(?:fetch|axios|request|got|curl)\s*\(['"](?:https?:\/\/)?[^'"\s)\]]*\.[^'"\s)\]]{2,}[^)]*\)/;
 
 const TARGET_ENV_VARS = {
-  AWS: ['AWS_CONTAINER_CREDENTIALS_FULL_URI', 'AWS_CONTAINER_AUTHORIZATION_TOKEN', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'],
+  AWS: [
+    'AWS_CONTAINER_CREDENTIALS_FULL_URI',
+    'AWS_CONTAINER_AUTHORIZATION_TOKEN',
+    'AWS_ACCESS_KEY_ID',
+    'AWS_SECRET_ACCESS_KEY',
+    'AWS_SESSION_TOKEN',
+  ],
   VAULT: ['VAULT_ADDR', 'VAULT_TOKEN'],
   GITHUB: ['GITHUB_TOKEN', 'GH_TOKEN'],
 };
 
-export function scanCredExfil(files = [], pkgJson) {
-  const code = files.map(f => f.content || '').join('\n');
-  if (!code) return { triggered: false, targets: [], exfilMethod: null, detectedEnvVars: [] };
+export function scanCredExfil(files = [], _pkgJson) {
+  const code = files.map((f) => f.content || '').join('\n');
+  if (!code) {
+    return { triggered: false, targets: [], exfilMethod: null, detectedEnvVars: [] };
+  }
 
   const targets = [];
   const detectedEnvVars = [];
 
-  if (AWS_IMDS_RE.test(code)) targets.push('AWS_IMDSv2');
+  if (AWS_IMDS_RE.test(code)) {
+    targets.push('AWS_IMDSv2');
+  }
   if (ECS_CRED_RE.test(code)) {
     targets.push('ECS_TASK_ROLE');
     for (const v of TARGET_ENV_VARS.AWS) {
-      if (code.includes(v)) detectedEnvVars.push(v);
+      if (code.includes(v)) {
+        detectedEnvVars.push(v);
+      }
     }
   }
   if (VAULT_CRED_RE.test(code)) {
     targets.push('VAULT_CREDENTIALS');
     for (const v of TARGET_ENV_VARS.VAULT) {
-      if (code.includes(v)) detectedEnvVars.push(v);
+      if (code.includes(v)) {
+        detectedEnvVars.push(v);
+      }
     }
   }
   if (GITHUB_TOKEN_RE.test(code)) {
     targets.push('GITHUB_TOKEN');
     for (const v of TARGET_ENV_VARS.GITHUB) {
-      if (code.includes(v)) detectedEnvVars.push(v);
+      if (code.includes(v)) {
+        detectedEnvVars.push(v);
+      }
     }
   }
   if (AWS_ACCESS_KEY_RE.test(code)) {
     targets.push('AWS_ACCESS_KEYS');
     for (const v of TARGET_ENV_VARS.AWS) {
-      if (code.includes(v) && !detectedEnvVars.includes(v)) detectedEnvVars.push(v);
+      if (code.includes(v) && !detectedEnvVars.includes(v)) {
+        detectedEnvVars.push(v);
+      }
     }
   }
 
-  if (targets.length === 0) return { triggered: false, targets: [], exfilMethod: null, detectedEnvVars: [] };
+  if (targets.length === 0) {
+    return { triggered: false, targets: [], exfilMethod: null, detectedEnvVars: [] };
+  }
 
   let exfilMethod = null;
   if (HTTP_POST_EXFIL_RE.test(code)) {