@lateos/npm-scan 1.0.0 → 1.1.0

package/backend/detectors/megalodon/index.js

@@ -24,9 +24,10 @@ function resolveSeverity(signals, d4Evidence) {
     maxScore = Math.max(maxScore, SIGNAL_SEVERITY[s] || 0);
   }
 
-  const d4Hint = d4Evidence.find(e => e._severityHint);
+  const d4Hint = d4Evidence.find((e) => e._severityHint);
   if (d4Hint) {
-    const hintScore = d4Hint._severityHint === 'HIGH' ? 4 : d4Hint._severityHint === 'MEDIUM' ? 3 : 0;
+    const hintScore =
+      d4Hint._severityHint === 'HIGH' ? 4 : d4Hint._severityHint === 'MEDIUM' ? 3 : 0;
     maxScore = Math.max(maxScore, hintScore);
   }
 
@@ -45,36 +46,45 @@ export async function scanAll(pkgJson, allFiles = [], registryMeta = {}) {
   const d3Ev = await scanD3(registryMeta);
   allEvidence.push(...d3Ev);
 
-  const velocityResult = d3Ev.length > 0 ? {
-    triggered: true,
-    windowStartISO: d3Ev[0]._windowStartISO || null,
-    versionsInWindow: d3Ev[0].excerpt || '',
-    _allVersions: d3Ev[0]._allVersions || [],
-  } : { triggered: false, versionsInWindow: [], windowStartISO: null };
+  const velocityResult =
+    d3Ev.length > 0
+      ? {
+          triggered: true,
+          windowStartISO: d3Ev[0]._windowStartISO || null,
+          versionsInWindow: d3Ev[0].excerpt || '',
+          _allVersions: d3Ev[0]._allVersions || [],
+        }
+      : { triggered: false, versionsInWindow: [], windowStartISO: null };
 
   const d4Ev = await scanD4(registryMeta, velocityResult);
   allEvidence.push(...d4Ev);
 
-  allEvidence.push(...await scanD5(registryMeta));
-  allEvidence.push(...await scanD6(pkgJson, registryMeta));
+  allEvidence.push(...(await scanD5(registryMeta)));
+  allEvidence.push(...(await scanD6(pkgJson, registryMeta)));
 
-  const signals = [...new Set(allEvidence.map(e => e.signal).filter(Boolean))];
+  const signals = [...new Set(allEvidence.map((e) => e.signal).filter(Boolean))];
 
-  if (signals.length === 0) return [];
+  if (signals.length === 0) {
+    return [];
+  }
 
   const severity = resolveSeverity(signals, d4Ev);
 
-  const cleaned = allEvidence.map(({ _windowStartISO, _allVersions, _severityHint, ...rest }) => rest);
-
-  return [{
-    id: 'MEGALODON',
-    severity,
-    title: 'Megalodon CI/CD attack campaign',
-    description: `${signals.length} signal(s): ${signals.join(', ')}`,
-    evidence: JSON.stringify({
-      campaign: 'MEGALODON',
-      signals,
-      evidence: cleaned,
-    }),
-  }];
+  const cleaned = allEvidence.map(
+    ({ _windowStartISO, _allVersions, _severityHint, ...rest }) => rest
+  );
+
+  return [
+    {
+      id: 'MEGALODON',
+      severity,
+      title: 'Megalodon CI/CD attack campaign',
+      description: `${signals.length} signal(s): ${signals.join(', ')}`,
+      evidence: JSON.stringify({
+        campaign: 'MEGALODON',
+        signals,
+        evidence: cleaned,
+      }),
+    },
+  ];
 }

package/backend/detectors/mini-shai-hulud/d1-burst-publish.js

@@ -10,7 +10,9 @@ export async function checkBurstPublish(registryMeta, config = {}) {
     .filter(([, ts]) => !Number.isNaN(ts))
     .sort((a, b) => a[1] - b[1]);
 
-  if (entries.length === 0) return { triggered: false };
+  if (entries.length === 0) {
+    return { triggered: false };
+  }
 
   const windowMs = windowMinutes * 60 * 1000;
 

package/backend/detectors/mini-shai-hulud/d2-sibling-compromise.js

@@ -12,7 +12,9 @@ function checkBurstOnTimeMap(timeMap, windowMinutes, threshold) {
     .filter(([, ts]) => !Number.isNaN(ts))
     .sort((a, b) => a[1] - b[1]);
 
-  if (entries.length === 0) return null;
+  if (entries.length === 0) {
+    return null;
+  }
 
   const windowMs = windowMinutes * 60 * 1000;
 
@@ -55,17 +57,23 @@ export async function checkSiblingCompromise(pkgJson, config = {}) {
   for (const name of Object.keys(deps)) {
     if (name.startsWith('@')) {
       const scope = name.split('/')[0];
-      if (!scopedDeps[scope]) scopedDeps[scope] = [];
+      if (!scopedDeps[scope]) {
+        scopedDeps[scope] = [];
+      }
       scopedDeps[scope].push(name);
     }
   }
 
-  if (Object.keys(scopedDeps).length === 0) return { triggered: false };
+  if (Object.keys(scopedDeps).length === 0) {
+    return { triggered: false };
+  }
 
   const results = [];
 
   for (const [scope, packages] of Object.entries(scopedDeps)) {
-    if (packages.length < 2) continue;
+    if (packages.length < 2) {
+      continue;
+    }
 
     const burstSiblings = [];
 
@@ -75,7 +83,9 @@ export async function checkSiblingCompromise(pkgJson, config = {}) {
         try {
           const url = `https://registry.npmjs.org/${encodeURIComponent(pkg)}`;
           const res = await fetch(url);
-          if (!res.ok) continue;
+          if (!res.ok) {
+            continue;
+          }
           const data = await res.json();
           timeData = data.time || {};
           siblingCache.set(pkg, timeData);
@@ -91,19 +101,19 @@ export async function checkSiblingCompromise(pkgJson, config = {}) {
     }
 
     if (burstSiblings.length >= 2) {
-      const windows = burstSiblings.map(s => ({
+      const windows = burstSiblings.map((s) => ({
         start: new Date(s.windowStart).getTime(),
         end: new Date(s.windowEnd).getTime(),
       }));
 
-      const overlapStart = Math.max(...windows.map(w => w.start));
-      const overlapEnd = Math.min(...windows.map(w => w.end));
+      const overlapStart = Math.max(...windows.map((w) => w.start));
+      const overlapEnd = Math.min(...windows.map((w) => w.end));
 
       if (overlapStart < overlapEnd) {
         results.push({
           triggered: true,
           scope,
-          siblingPackages: burstSiblings.map(s => s.name),
+          siblingPackages: burstSiblings.map((s) => s.name),
           windowStart: new Date(overlapStart).toISOString(),
           windowEnd: new Date(overlapEnd).toISOString(),
         });
@@ -111,6 +121,8 @@ export async function checkSiblingCompromise(pkgJson, config = {}) {
     }
   }
 
-  if (results.length === 0) return { triggered: false };
+  if (results.length === 0) {
+    return { triggered: false };
+  }
   return { triggered: true, results };
 }

package/backend/detectors/mini-shai-hulud/d3-slsa-mismatch.js

@@ -1,24 +1,40 @@
-export async function checkSlsaMismatch(packageName, version, burstWindow, timeMap = {}, config = {}) {
-  if (!burstWindow?.triggered) return { triggered: false };
+export async function checkSlsaMismatch(
+  packageName,
+  version,
+  burstWindow,
+  timeMap = {},
+  _config = {}
+) {
+  if (!burstWindow?.triggered) {
+    return { triggered: false };
+  }
 
   const anomalies = [];
   const publishTime = timeMap?.[version];
-  if (!publishTime) return { triggered: false };
+  if (!publishTime) {
+    return { triggered: false };
+  }
 
   try {
     const url = `https://registry.npmjs.org/-/npm/v1/attestations/${encodeURIComponent(packageName)}/${encodeURIComponent(version)}`;
     const res = await fetch(url);
-    if (!res.ok) return { triggered: false };
+    if (!res.ok) {
+      return { triggered: false };
+    }
 
     const data = await res.json();
     const attestations = data?.attestations || [];
-    if (attestations.length === 0) return { triggered: false };
+    if (attestations.length === 0) {
+      return { triggered: false };
+    }
 
     const publishMs = new Date(publishTime).getTime();
-    if (Number.isNaN(publishMs)) return { triggered: false };
+    if (Number.isNaN(publishMs)) {
+      return { triggered: false };
+    }
 
     // Check if this is the first-ever attested version for this package
-    const allVersions = Object.keys(timeMap).filter(v => v !== 'created' && v !== 'modified');
+    const allVersions = Object.keys(timeMap).filter((v) => v !== 'created' && v !== 'modified');
     const currentIdx = allVersions.indexOf(version);
     let prevHadAttestation = false;
 
@@ -49,7 +65,7 @@ export async function checkSlsaMismatch(packageName, version, burstWindow, timeM
       const ts = att?.timestamp;
       if (ts) {
         const attMs = new Date(ts).getTime();
-        if (!Number.isNaN(attMs) && attMs >= publishMs && (attMs - publishMs) < 60000) {
+        if (!Number.isNaN(attMs) && attMs >= publishMs && attMs - publishMs < 60000) {
           const gapMs = attMs - publishMs;
           anomalies.push(`Sub-60s attestation gap for ${version}: ${gapMs}ms`);
         }
@@ -57,8 +73,12 @@ export async function checkSlsaMismatch(packageName, version, burstWindow, timeM
 
       const builderId = att?.predicate?.runDetails?.builder?.id;
       if (builderId) {
-        const knownPrefixes = ['https://github.com/', 'https://gitlab.com/', 'https://circleci.com/'];
-        const isKnown = knownPrefixes.some(p => builderId.startsWith(p));
+        const knownPrefixes = [
+          'https://github.com/',
+          'https://gitlab.com/',
+          'https://circleci.com/',
+        ];
+        const isKnown = knownPrefixes.some((p) => builderId.startsWith(p));
         if (!isKnown) {
           anomalies.push(`Unrecognized builder ID for ${version}: ${builderId}`);
         }

package/backend/detectors/mini-shai-hulud/d4-maintainer-anomaly.js

@@ -1,4 +1,4 @@
-export async function checkMaintainerAnomaly(registryMeta, config = {}) {
+export async function checkMaintainerAnomaly(registryMeta, _config = {}) {
   const versions = registryMeta?.versions || {};
   const timeMap = registryMeta?.time || {};
 
@@ -10,10 +10,12 @@ export async function checkMaintainerAnomaly(registryMeta, config = {}) {
       time: new Date(t).getTime(),
       user: versions[v]?._npmUser?.name,
     }))
-    .filter(e => !Number.isNaN(e.time) && e.user)
+    .filter((e) => !Number.isNaN(e.time) && e.user)
     .sort((a, b) => a.time - b.time);
 
-  if (sorted.length < 2) return { triggered: false };
+  if (sorted.length < 2) {
+    return { triggered: false };
+  }
 
   for (let i = 1; i < sorted.length; i++) {
     const prev = sorted[i - 1];
@@ -22,19 +24,21 @@ export async function checkMaintainerAnomaly(registryMeta, config = {}) {
     if (curr.user !== prev.user) {
       const gapMinutes = (curr.time - prev.time) / (1000 * 60);
       if (gapMinutes <= 10) {
-        const newUserVersions = sorted.filter(e => e.user === curr.user);
+        const newUserVersions = sorted.filter((e) => e.user === curr.user);
         if (newUserVersions.length >= 2) {
           return {
             triggered: true,
-            signals: [{
-              type: 'PUBLISHER_DRIFT_RAPID',
-              previousPublisher: prev.user,
-              newPublisher: curr.user,
-              gapMinutes,
-              newUserVersionCount: newUserVersions.length,
-              driftVersion: curr.version,
-              driftWindowStart: new Date(curr.time).toISOString(),
-            }],
+            signals: [
+              {
+                type: 'PUBLISHER_DRIFT_RAPID',
+                previousPublisher: prev.user,
+                newPublisher: curr.user,
+                gapMinutes,
+                newUserVersionCount: newUserVersions.length,
+                driftVersion: curr.version,
+                driftWindowStart: new Date(curr.time).toISOString(),
+              },
+            ],
           };
         }
       }

package/backend/detectors/mini-shai-hulud/d5-ioc-check.js

@@ -11,7 +11,9 @@ const __dirname = dirname(__filename);
 const IOC_PATH = join(__dirname, 'iocs.json');
 
 function loadIOCData() {
-  if (iocsLoaded) return iocsData;
+  if (iocsLoaded) {
+    return iocsData;
+  }
   iocsLoaded = true;
   try {
     iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
@@ -34,7 +36,9 @@ export function reloadIOCData() {
 
 export async function checkIOC(pkgName, pkgVersion, sha512, publisherAccount, timeMap = {}) {
   const data = loadIOCData();
-  if (!data) return { triggered: false, matches: [] };
+  if (!data) {
+    return { triggered: false, matches: [] };
+  }
 
   const matches = [];
   const allIOCs = [];
@@ -44,7 +48,7 @@ export async function checkIOC(pkgName, pkgVersion, sha512, publisherAccount, ti
   for (const waveKey of Object.keys(data.waves || {})) {
     const wave = data.waves[waveKey];
     const waveNum = waveKey === 'wave1' ? 1 : waveKey === 'wave2' ? 2 : 3;
-    for (const ioc of (wave.iocs || [])) {
+    for (const ioc of wave.iocs || []) {
       allIOCs.push({ ...ioc, wave: waveNum });
     }
   }
@@ -53,7 +57,11 @@ export async function checkIOC(pkgName, pkgVersion, sha512, publisherAccount, ti
     switch (ioc.type) {
       case 'packageName': {
         if (ioc.value === pkgName) {
-          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(pkgVersion)) {
+          if (
+            !ioc.maliciousVersions ||
+            ioc.maliciousVersions.length === 0 ||
+            ioc.maliciousVersions.includes(pkgVersion)
+          ) {
             matches.push({ type: 'packageName', value: pkgName, wave: ioc.wave });
           }
         }

package/backend/detectors/mini-shai-hulud/d6-token-exfil.js

@@ -14,7 +14,9 @@ const SUSPICIOUS_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
 const MAX_SNIPPET_LENGTH = 200;
 
 function truncateSnippet(text) {
-  if (text.length <= MAX_SNIPPET_LENGTH) return text;
+  if (text.length <= MAX_SNIPPET_LENGTH) {
+    return text;
+  }
   return text.slice(0, MAX_SNIPPET_LENGTH - 3) + '...';
 }
 
@@ -24,7 +26,9 @@ export function checkTokenExfil(allFiles, pkgJson) {
 
   for (const hook of SUSPICIOUS_SCRIPTS) {
     const scriptContent = scripts[hook];
-    if (!scriptContent) continue;
+    if (!scriptContent) {
+      continue;
+    }
 
     for (const pattern of EXFIL_PATTERNS) {
       if (pattern.test(scriptContent)) {

package/backend/detectors/mini-shai-hulud/index.js

@@ -1,5 +1,8 @@
 import { checkBurstPublish } from './d1-burst-publish.js';
-import { checkSiblingCompromise, clearSiblingCache } from './d2-sibling-compromise.js';
+import {
+  checkSiblingCompromise,
+  clearSiblingCache as _clearSiblingCache,
+} from './d2-sibling-compromise.js';
 import { checkSlsaMismatch } from './d3-slsa-mismatch.js';
 import { checkMaintainerAnomaly } from './d4-maintainer-anomaly.js';
 import { checkIOC } from './d5-ioc-check.js';
@@ -31,15 +34,31 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
   const nxDownstreamResult = checkNxConsoleDownstream(pkgJson, allFiles || files);
 
   const triggeredChecks = [];
-  if (burstResult.triggered) triggeredChecks.push('D1_BURST');
-  if (siblingResult.triggered) triggeredChecks.push('D2_SIBLING');
-  if (slsaResult.triggered) triggeredChecks.push('D3_SLSA');
-  if (maintainerResult.triggered) triggeredChecks.push('D4_MAINTAINER');
-  if (iocResult.triggered) triggeredChecks.push('D5_IOC');
-  if (exfilResult.triggered) triggeredChecks.push('D6_EXFIL');
-  if (nxDownstreamResult.triggered) triggeredChecks.push('D7_NX_CONSOLE');
+  if (burstResult.triggered) {
+    triggeredChecks.push('D1_BURST');
+  }
+  if (siblingResult.triggered) {
+    triggeredChecks.push('D2_SIBLING');
+  }
+  if (slsaResult.triggered) {
+    triggeredChecks.push('D3_SLSA');
+  }
+  if (maintainerResult.triggered) {
+    triggeredChecks.push('D4_MAINTAINER');
+  }
+  if (iocResult.triggered) {
+    triggeredChecks.push('D5_IOC');
+  }
+  if (exfilResult.triggered) {
+    triggeredChecks.push('D6_EXFIL');
+  }
+  if (nxDownstreamResult.triggered) {
+    triggeredChecks.push('D7_NX_CONSOLE');
+  }
 
-  if (triggeredChecks.length === 0) return [];
+  if (triggeredChecks.length === 0) {
+    return [];
+  }
 
   let waveAttribution = 'unknown';
   if (pkgName.startsWith('@tanstack')) {
@@ -49,9 +68,10 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
   } else if (nxDownstreamResult.triggered) {
     waveAttribution = 'wave3-nx-console';
   } else if (iocResult.matches && iocResult.matches.length > 0) {
-    const waves = [...new Set(iocResult.matches.map(m => m.wave))];
+    const waves = [...new Set(iocResult.matches.map((m) => m.wave))];
     if (waves.length === 1) {
-      waveAttribution = waves[0] === 1 ? 'wave1-tanstack' : waves[0] === 2 ? 'wave2-antv' : 'wave3-nx-console';
+      waveAttribution =
+        waves[0] === 1 ? 'wave1-tanstack' : waves[0] === 2 ? 'wave2-antv' : 'wave3-nx-console';
     }
   }
 
@@ -62,10 +82,14 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     waveAttribution,
     triggeredChecks,
     burstWindow: burstResult.triggered
-      ? { start: burstResult.windowStart, end: burstResult.windowEnd, versionCount: burstResult.versionCount }
+      ? {
+          start: burstResult.windowStart,
+          end: burstResult.windowEnd,
+          versionCount: burstResult.versionCount,
+        }
       : null,
     siblingPackages: siblingResult.triggered
-      ? siblingResult.results.flatMap(r => r.siblingPackages)
+      ? siblingResult.results.flatMap((r) => r.siblingPackages)
       : null,
     attestationAnomalies: slsaResult.triggered ? slsaResult.anomalies : null,
     iocMatches: iocResult.triggered ? iocResult.matches : null,
@@ -75,25 +99,38 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
       : null,
   };
 
-  return [{
-    id: 'MINI_SHAI_HULUD',
-    severity: isCritical ? 'critical' : 'high',
-    title: 'Mini Shai-Hulud worm campaign',
-    description: `${triggeredChecks.length} signal(s): ${triggeredChecks.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages. If Wave 3 (Nx Console): remove nrwl.angular-console extension immediately, revoke all npm tokens used in CI/CD, and audit @nx/* dependency versions.',
-  }];
+  return [
+    {
+      id: 'MINI_SHAI_HULUD',
+      severity: isCritical ? 'critical' : 'high',
+      title: 'Mini Shai-Hulud worm campaign',
+      description: `${triggeredChecks.length} signal(s): ${triggeredChecks.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation:
+        'Revoke all npm tokens immediately. Rotate CI/CD secrets. Audit maintainer access on all scoped packages. Review recent version publish history for anomalous bursts. Check for postinstall scripts accessing credentials or environment variables. If Wave 1 (TanStack scope): inspect GitHub Actions workflow logs for unauthorized build steps. If Wave 2 (atool/AntV scope): rotate all npm tokens associated with @antv/* packages. If Wave 3 (Nx Console): remove nrwl.angular-console extension immediately, revoke all npm tokens used in CI/CD, and audit @nx/* dependency versions.',
+    },
+  ];
 }
 
 function checkNxConsoleDownstream(pkgJson, allFiles) {
-  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
-  const nxDeps = Object.keys(deps).filter(d => d.startsWith('@nx/') || d.startsWith('nrwl/'));
-  if (nxDeps.length === 0) return { triggered: false, nxDeps: [], vsCodeExtensions: [] };
+  const deps = {
+    ...pkgJson?.dependencies,
+    ...pkgJson?.devDependencies,
+    ...pkgJson?.peerDependencies,
+  };
+  const nxDeps = Object.keys(deps).filter((d) => d.startsWith('@nx/') || d.startsWith('nrwl/'));
+  if (nxDeps.length === 0) {
+    return { triggered: false, nxDeps: [], vsCodeExtensions: [] };
+  }
 
   let vsCodeExtensions = [];
   if (allFiles && Array.isArray(allFiles)) {
     for (const file of allFiles) {
-      if (file.path && (file.path.endsWith('.vscode/extensions.json') || file.path.endsWith('.vscode/extensions.json'))) {
+      if (
+        file.path &&
+        (file.path.endsWith('.vscode/extensions.json') ||
+          file.path.endsWith('.vscode/extensions.json'))
+      ) {
         try {
           const content = typeof file.content === 'string' ? file.content : '';
           const parsed = JSON.parse(content);
@@ -101,7 +138,7 @@ function checkNxConsoleDownstream(pkgJson, allFiles) {
             ...(parsed.recommendations || []),
             ...(parsed.unwantedRecommendations || []),
           ];
-          const matched = allExts.filter(e => e.includes('nrwl.angular-console'));
+          const matched = allExts.filter((e) => e.includes('nrwl.angular-console'));
           if (matched.length > 0) {
             vsCodeExtensions = matched;
           }

package/backend/detectors/msh-supplement/d2-persistence.js

@@ -16,30 +16,48 @@ export function scanPersistence(pkgJson, files = []) {
     }
   }
 
-  const code = files.map(f => f.content || '').join('\n');
-  const codeWithScripts = code + '\n' + allScripts.map(s => s.content).join('\n');
+  const code = files.map((f) => f.content || '').join('\n');
+  const codeWithScripts = code + '\n' + allScripts.map((s) => s.content).join('\n');
 
   const detectedApis = [];
   let hasCiGuard = false;
   let hasDaemon = false;
 
-  if (DAEMON_RE.test(codeWithScripts)) detectedApis.push('daemon');
-  if (SPAWN_DETACHED_RE.test(codeWithScripts)) detectedApis.push('spawn_detached');
-  if (SYSTEMD_RE.test(codeWithScripts)) detectedApis.push('systemd');
-  if (CRON_RE.test(codeWithScripts)) detectedApis.push('cron');
-  if (LAUNCHD_RE.test(codeWithScripts)) detectedApis.push('launchd');
-  if (TASK_SCHED_RE.test(codeWithScripts)) detectedApis.push('task_scheduler');
-  if (CI_GUARD_RE.test(codeWithScripts)) hasCiGuard = true;
+  if (DAEMON_RE.test(codeWithScripts)) {
+    detectedApis.push('daemon');
+  }
+  if (SPAWN_DETACHED_RE.test(codeWithScripts)) {
+    detectedApis.push('spawn_detached');
+  }
+  if (SYSTEMD_RE.test(codeWithScripts)) {
+    detectedApis.push('systemd');
+  }
+  if (CRON_RE.test(codeWithScripts)) {
+    detectedApis.push('cron');
+  }
+  if (LAUNCHD_RE.test(codeWithScripts)) {
+    detectedApis.push('launchd');
+  }
+  if (TASK_SCHED_RE.test(codeWithScripts)) {
+    detectedApis.push('task_scheduler');
+  }
+  if (CI_GUARD_RE.test(codeWithScripts)) {
+    hasCiGuard = true;
+  }
 
-  if (DAEMON_RE.test(codeWithScripts) || SPAWN_DETACHED_RE.test(codeWithScripts)) hasDaemon = true;
+  if (DAEMON_RE.test(codeWithScripts) || SPAWN_DETACHED_RE.test(codeWithScripts)) {
+    hasDaemon = true;
+  }
 
   if (hasDaemon || detectedApis.length > 0) {
     return {
       triggered: true,
       detectedApis,
       hasCiGuard,
-      hooks: allScripts.map(s => s.hook),
-      context: hasCiGuard ? 'Spawns background process when CI env var absent' : 'Suspicious persistence/detached process detected',
+      hooks: allScripts.map((s) => s.hook),
+      context: hasCiGuard
+        ? 'Spawns background process when CI env var absent'
+        : 'Suspicious persistence/detached process detected',
     };
   }
 

package/backend/detectors/msh-supplement/d3-geo-killswitch.js

@@ -9,25 +9,37 @@ const TARGET_LOCALES = /ru_RU|be_BY|uk_UA/;
 const SILENT_EXIT_RE = /process\.exit\s*\(\s*0\s*\)/;
 
 export function scanGeoKillswitch(files = []) {
-  const code = files.map(f => f.content || '').join('\n');
-  if (!code) return { triggered: false, targetedLocales: [], triggerBehavior: null };
+  const code = files.map((f) => f.content || '').join('\n');
+  if (!code) {
+    return { triggered: false, targetedLocales: [], triggerBehavior: null };
+  }
 
-  const hasLocaleCheck = LOCALE_CHECKS.some(re => re.test(code));
-  if (!hasLocaleCheck) return { triggered: false, targetedLocales: [], triggerBehavior: null };
+  const hasLocaleCheck = LOCALE_CHECKS.some((re) => re.test(code));
+  if (!hasLocaleCheck) {
+    return { triggered: false, targetedLocales: [], triggerBehavior: null };
+  }
 
   const hasTargetLocale = TARGET_LOCALES.test(code);
   const hasSilentExit = SILENT_EXIT_RE.test(code);
 
   if (hasTargetLocale || hasSilentExit) {
     const matchedLocales = [];
-    if (/ru_RU/.test(code)) matchedLocales.push('ru_RU');
-    if (/be_BY/.test(code)) matchedLocales.push('be_BY');
-    if (/uk_UA/.test(code)) matchedLocales.push('uk_UA');
+    if (/ru_RU/.test(code)) {
+      matchedLocales.push('ru_RU');
+    }
+    if (/be_BY/.test(code)) {
+      matchedLocales.push('be_BY');
+    }
+    if (/uk_UA/.test(code)) {
+      matchedLocales.push('uk_UA');
+    }
 
     return {
       triggered: true,
       targetedLocales: matchedLocales.length > 0 ? matchedLocales : ['ru_RU', 'be_BY'],
-      triggerBehavior: hasSilentExit ? 'Silent exit' : 'Locale/timezone match with conditional behavior',
+      triggerBehavior: hasSilentExit
+        ? 'Silent exit'
+        : 'Locale/timezone match with conditional behavior',
     };
   }
 

package/backend/detectors/msh-supplement/d4-c2-deaddrop.js

@@ -5,13 +5,19 @@ const GITHUB_TOKEN_ACCESS_RE = /process\.env\.(?:GH_TOKEN|GITHUB_TOKEN|GITHUB_AC
 const COMMIT_PARSE_LOOP_RE = /commits?\s*\.\s*(?:map|filter|forEach|for\s*\(|while\s*\()/;
 
 export function scanC2DeadDrop(files = []) {
-  const code = files.map(f => f.content || '').join('\n');
-  if (!code) return { triggered: false, matches: [] };
+  const code = files.map((f) => f.content || '').join('\n');
+  if (!code) {
+    return { triggered: false, matches: [] };
+  }
 
   const matches = [];
 
   if (OHNO_WHATS_GOING_ON_RE.test(code)) {
-    matches.push({ type: 'ioc_keyword', value: 'OhNoWhatsGoingOnWithGitHub', attackVector: 'GitHub commit scraping for token recovery' });
+    matches.push({
+      type: 'ioc_keyword',
+      value: 'OhNoWhatsGoingOnWithGitHub',
+      attackVector: 'GitHub commit scraping for token recovery',
+    });
   }
 
   const hasTokenAccess = GITHUB_TOKEN_ACCESS_RE.test(code);
@@ -19,11 +25,19 @@ export function scanC2DeadDrop(files = []) {
   const hasCommitParseLoop = COMMIT_PARSE_LOOP_RE.test(code);
 
   if (hasTokenAccess && hasGithubApi) {
-    matches.push({ type: 'token_exfil_github_api', value: 'Credential access followed by GitHub API call', attackVector: 'Credential/token extraction followed by GitHub API calls' });
+    matches.push({
+      type: 'token_exfil_github_api',
+      value: 'Credential access followed by GitHub API call',
+      attackVector: 'Credential/token extraction followed by GitHub API calls',
+    });
   }
 
   if (hasCommitParseLoop && hasGithubApi) {
-    matches.push({ type: 'commit_scraping', value: 'Commit message parsing with GitHub API', attackVector: 'Commit scraping for secret detection' });
+    matches.push({
+      type: 'commit_scraping',
+      value: 'Commit message parsing with GitHub API',
+      attackVector: 'Commit scraping for secret detection',
+    });
   }
 
   return {