@lateos/npm-scan 1.0.0 → 1.1.0

package/backend/detectors/tier1-binary-embed.js

@@ -8,36 +8,49 @@ const CHILD_PROC_RE = /\b(?:spawn|exec|execSync|spawnSync|fork)\s*\(/g;
 const FS_CHMOD_RE = /fs\.chmod\s*\(/g;
 
 function detectMagicBytes(content) {
-  if (!content || content.length < 4) return null;
+  if (!content || content.length < 4) {
+    return null;
+  }
 
   const c0 = content.charCodeAt(0);
   const c1 = content.charCodeAt(1);
   const c2 = content.charCodeAt(2);
   const c3 = content.charCodeAt(3);
 
-  if (c0 === 0x7f && content.slice(1, 4) === 'ELF') return 'elf_embedded';
-  if (c0 === 0x4d && c1 === 0x5a) return 'pe_embedded';
-  if (c0 === 0x00 && content.slice(1, 4) === 'asm') return 'wasm_embedded';
+  if (c0 === 0x7f && content.slice(1, 4) === 'ELF') {
+    return 'elf_embedded';
+  }
+  if (c0 === 0x4d && c1 === 0x5a) {
+    return 'pe_embedded';
+  }
+  if (c0 === 0x00 && content.slice(1, 4) === 'asm') {
+    return 'wasm_embedded';
+  }
 
-  const machO = (c0 === 0xfe && c1 === 0xed && c2 === 0xfa && (c3 === 0xce || c3 === 0xcf)) ||
+  const machO =
+    (c0 === 0xfe && c1 === 0xed && c2 === 0xfa && (c3 === 0xce || c3 === 0xcf)) ||
     (c0 === 0xce && c1 === 0xfa && c2 === 0xed && (c3 === 0xfe || c3 === 0xcf)) ||
     (c0 === 0xcf && c1 === 0xfa && c2 === 0xed && c3 === 0xfe);
-  if (machO) return 'macho_embedded';
+  if (machO) {
+    return 'macho_embedded';
+  }
 
   const universal = c0 === 0xca && c1 === 0xfe && c2 === 0xba && c3 === 0xbe;
-  if (universal) return 'macho_embedded';
+  if (universal) {
+    return 'macho_embedded';
+  }
 
   return null;
 }
 
 function isInBinaryDir(filePath) {
   const normalized = filePath.replace(/\\/g, '/');
-  return BINARY_DIRS.some(dir => normalized.includes(`/${dir}`) || normalized.startsWith(dir));
+  return BINARY_DIRS.some((dir) => normalized.includes(`/${dir}`) || normalized.startsWith(dir));
 }
 
 function hasBinaryExt(filePath) {
   const lower = filePath.toLowerCase();
-  return BINARY_EXTS.some(ext => lower.endsWith(ext));
+  return BINARY_EXTS.some((ext) => lower.endsWith(ext));
 }
 
 function isKnownBinaryName(fileName) {
@@ -45,13 +58,16 @@ function isKnownBinaryName(fileName) {
   return BINARY_FILENAMES.includes(base);
 }
 
-const CROSS_PLATFORM_RE = /-(?:linux|darwin|macos|win32|windows|win)-(?:x64|x86|arm64|ia32)\.?(?:exe)?$/i;
+const CROSS_PLATFORM_RE =
+  /-(?:linux|darwin|macos|win32|windows|win)-(?:x64|x86|arm64|ia32)\.?(?:exe)?$/i;
 
 function detectCrossPlatformSets(binaries) {
   const sets = {};
   for (const bin of binaries) {
     const base = bin.file.replace(CROSS_PLATFORM_RE, '').split(/[/\\]/).pop();
-    if (!sets[base]) sets[base] = [];
+    if (!sets[base]) {
+      sets[base] = [];
+    }
     sets[base].push(bin.file);
   }
   for (const [base, files] of Object.entries(sets)) {
@@ -63,22 +79,39 @@ function detectCrossPlatformSets(binaries) {
 }
 
 function isDeclared(pkgJson, fileName) {
-  if (!pkgJson) return false;
+  if (!pkgJson) {
+    return false;
+  }
   const baseName = fileName.split(/[/\\]/).pop();
 
   if (pkgJson.bin) {
-    if (typeof pkgJson.bin === 'string' && pkgJson.bin === baseName) return true;
-    if (typeof pkgJson.bin === 'object' && Object.values(pkgJson.bin).some(v => v === baseName || v.endsWith(`/${baseName}`))) return true;
+    if (typeof pkgJson.bin === 'string' && pkgJson.bin === baseName) {
+      return true;
+    }
+    if (
+      typeof pkgJson.bin === 'object' &&
+      Object.values(pkgJson.bin).some((v) => v === baseName || v.endsWith(`/${baseName}`))
+    ) {
+      return true;
+    }
   }
 
   if (pkgJson.optionalDependencies) {
-    for (const [name, val] of Object.entries(pkgJson.optionalDependencies)) {
-      if (name === baseName) return true;
+    for (const [name, _val] of Object.entries(pkgJson.optionalDependencies)) {
+      if (name === baseName) {
+        return true;
+      }
     }
   }
 
-  if (pkgJson.gypfile === true || pkgJson.scripts?.install?.includes('node-gyp') || pkgJson.scripts?.install?.includes('node-pre-gyp')) {
-    if (baseName.endsWith('.node')) return true;
+  if (
+    pkgJson.gypfile === true ||
+    pkgJson.scripts?.install?.includes('node-gyp') ||
+    pkgJson.scripts?.install?.includes('node-pre-gyp')
+  ) {
+    if (baseName.endsWith('.node')) {
+      return true;
+    }
   }
 
   return false;
@@ -88,15 +121,26 @@ export const name = 'tier1-binary-embed';
 
 export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   const pkgName = pkgJson?.name;
-  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
 
-  if (!allFiles || allFiles.length === 0) return [];
+  if (!allFiles || allFiles.length === 0) {
+    return [];
+  }
 
-  if (pkgName && (
-    pkgName === 'electron' || pkgName === 'puppeteer' || pkgName === 'sharp' ||
-    pkgName === 'esbuild' || pkgName === 'node-gyp' || pkgName === 'node-pre-gyp' ||
-    pkgName === '@mapbox/node-pre-gyp'
-  )) return [];
+  if (
+    pkgName &&
+    (pkgName === 'electron' ||
+      pkgName === 'puppeteer' ||
+      pkgName === 'sharp' ||
+      pkgName === 'esbuild' ||
+      pkgName === 'node-gyp' ||
+      pkgName === 'node-pre-gyp' ||
+      pkgName === '@mapbox/node-pre-gyp')
+  ) {
+    return [];
+  }
 
   const binaries = [];
 
@@ -128,11 +172,13 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     }
   }
 
-  if (binaries.length === 0) return [];
+  if (binaries.length === 0) {
+    return [];
+  }
 
   const crossPlatformSet = detectCrossPlatformSets(binaries);
 
-  const jsCode = (jsFiles || []).map(f => f.content || '').join('\n');
+  const jsCode = (jsFiles || []).map((f) => f.content || '').join('\n');
   const invoked = CHILD_PROC_RE.test(jsCode) || FS_CHMOD_RE.test(jsCode);
 
   const invokedFiles = [];
@@ -154,7 +200,11 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     let subtype;
 
     // Cross-platform platform set boost
-    const isCrossPlatform = crossPlatformSet && crossPlatformSet.files.some(f => f === bin.file || f.includes(bin.file) || bin.file.includes(f.replace(/\.exe$/, '')));
+    const isCrossPlatform =
+      crossPlatformSet &&
+      crossPlatformSet.files.some(
+        (f) => f === bin.file || f.includes(bin.file) || bin.file.includes(f.replace(/\.exe$/, ''))
+      );
 
     if (bin.magic === 'elf_embedded') {
       baseScore = 95;
@@ -175,26 +225,44 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
 
     let score = baseScore;
 
-    if (isCrossPlatform) score += 25;
+    if (isCrossPlatform) {
+      score += 25;
+    }
 
-    if (bin.inBinDir) score += 15;
+    if (bin.inBinDir) {
+      score += 15;
+    }
 
-    if (!bin.declared) score += 50;
+    if (!bin.declared) {
+      score += 50;
+    }
 
-    if (invoked && invokedFiles.length > 0) score += 25;
+    if (invoked && invokedFiles.length > 0) {
+      score += 25;
+    }
 
     const confidenceScore = Math.max(50, Math.min(100, score));
 
     function severityLabel(sc) {
-      if (sc >= 90) return 'critical';
-      if (sc >= 70) return 'high';
+      if (sc >= 90) {
+        return 'critical';
+      }
+      if (sc >= 70) {
+        return 'high';
+      }
       return 'medium';
     }
 
     function confidenceLabel(sc) {
-      if (sc >= 95) return 'CRITICAL';
-      if (sc >= 80) return 'HIGH';
-      if (sc >= 60) return 'MEDIUM';
+      if (sc >= 95) {
+        return 'CRITICAL';
+      }
+      if (sc >= 80) {
+        return 'HIGH';
+      }
+      if (sc >= 60) {
+        return 'MEDIUM';
+      }
       return 'LOW';
     }
 
@@ -204,7 +272,9 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       `declared: ${bin.declared}`,
     ];
     if (isCrossPlatform) {
-      evidence.push(`cross-platform binary set: ${crossPlatformSet.count} variants of "${crossPlatformSet.base}"`);
+      evidence.push(
+        `cross-platform binary set: ${crossPlatformSet.count} variants of "${crossPlatformSet.base}"`
+      );
       evidence.push(`platform_files: ${crossPlatformSet.files.join(', ')}`);
     }
 
@@ -213,9 +283,7 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
       evidence.push(`invoked_file: ${invokedFiles[0]}`);
     }
 
-    const locations = [
-      { file: bin.file, size: bin.size },
-    ];
+    const locations = [{ file: bin.file, size: bin.size }];
 
     if (invokedFiles.length > 0) {
       locations.push({ file: invokedFiles[0], line: 0 });

package/backend/detectors/tier1-cloud-imds.js

@@ -4,41 +4,48 @@ const GCP_PATTERNS = [
   'metadata.google.internal/computeMetadata',
 ];
 
-const AZURE_PATTERNS = [
-  '169.254.169.254/metadata/instance',
-  '169.254.169.254/metadata/identity',
-];
+const AZURE_PATTERNS = ['169.254.169.254/metadata/instance', '169.254.169.254/metadata/identity'];
 
 const AZURE_IP = '169.254.169.254';
 const METADATA_HEADER_RE = /Metadata\s*:\s*true/i;
 
 function severityLabel(score) {
-  if (score >= 80) return 'high';
+  if (score >= 80) {
+    return 'high';
+  }
   return 'medium';
 }
 
 function confidenceLabel(score) {
-  if (score >= 80) return 'HIGH';
-  if (score >= 60) return 'MEDIUM';
+  if (score >= 80) {
+    return 'HIGH';
+  }
+  if (score >= 60) {
+    return 'MEDIUM';
+  }
   return 'LOW';
 }
 
 function hasGcpPattern(text) {
-  return GCP_PATTERNS.some(p => text.includes(p));
+  return GCP_PATTERNS.some((p) => text.includes(p));
 }
 
 function hasAzurePath(text) {
-  return AZURE_PATTERNS.some(p => text.includes(p));
+  return AZURE_PATTERNS.some((p) => text.includes(p));
 }
 
 function hasAzureHeaderPattern(text) {
   const lines = text.split('\n');
   for (let i = 0; i < lines.length; i++) {
-    if (!lines[i].includes(AZURE_IP)) continue;
+    if (!lines[i].includes(AZURE_IP)) {
+      continue;
+    }
     const start = Math.max(0, i - 5);
     const end = Math.min(lines.length, i + 6);
     for (let j = start; j < end; j++) {
-      if (METADATA_HEADER_RE.test(lines[j])) return true;
+      if (METADATA_HEADER_RE.test(lines[j])) {
+        return true;
+      }
     }
   }
   return false;
@@ -72,20 +79,30 @@ function collectTexts(pkgJson, jsFiles) {
 
 export const name = 'tier1-cloud-imds';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, jsFiles, _registryMeta, _allFiles) {
   const texts = collectTexts(pkgJson, jsFiles);
-  if (texts.length === 0) return [];
+  if (texts.length === 0) {
+    return [];
+  }
 
   let hasGcp = false;
   let hasAzure = false;
 
   for (const text of texts) {
-    if (!hasGcp && hasGcpPattern(text)) hasGcp = true;
-    if (!hasAzure && hasAzurePattern(text)) hasAzure = true;
-    if (hasGcp && hasAzure) break;
+    if (!hasGcp && hasGcpPattern(text)) {
+      hasGcp = true;
+    }
+    if (!hasAzure && hasAzurePattern(text)) {
+      hasAzure = true;
+    }
+    if (hasGcp && hasAzure) {
+      break;
+    }
   }
 
-  if (!hasGcp && !hasAzure) return [];
+  if (!hasGcp && !hasAzure) {
+    return [];
+  }
 
   let confidenceScore;
   let subtype;
@@ -101,24 +118,27 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
     subtype = 'azure_imds';
   }
 
-  return [{
-    detector: 'tier1-cloud-imds',
-    id: 'TIER1-CLOUD-IMDS',
-    severity: severityLabel(confidenceScore),
-    confidence: confidenceLabel(confidenceScore),
-    confidenceScore,
-    subtype,
-    message: hasGcp && hasAzure
-      ? `Package references both GCP metadata and Azure IMDS endpoints — cloud credential harvesting`
-      : hasGcp
-        ? `Package references GCP metadata server endpoint — cloud credential harvesting`
-        : `Package references Azure IMDS endpoint — cloud credential harvesting`,
-    evidence: [
-      ...(hasGcp ? ['gcp: metadata.google.internal / computeMetadata/v1 pattern detected'] : []),
-      ...(hasAzure ? ['azure: 169.254.169.254/metadata pattern detected'] : []),
-    ],
-    crossFiles: [],
-    locations: [{ file: '', line: 0 }],
-    reference: 'Miasma Cloud IMDS',
-  }];
+  return [
+    {
+      detector: 'tier1-cloud-imds',
+      id: 'TIER1-CLOUD-IMDS',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype,
+      message:
+        hasGcp && hasAzure
+          ? `Package references both GCP metadata and Azure IMDS endpoints — cloud credential harvesting`
+          : hasGcp
+            ? `Package references GCP metadata server endpoint — cloud credential harvesting`
+            : `Package references Azure IMDS endpoint — cloud credential harvesting`,
+      evidence: [
+        ...(hasGcp ? ['gcp: metadata.google.internal / computeMetadata/v1 pattern detected'] : []),
+        ...(hasAzure ? ['azure: 169.254.169.254/metadata pattern detected'] : []),
+      ],
+      crossFiles: [],
+      locations: [{ file: '', line: 0 }],
+      reference: 'Miasma Cloud IMDS',
+    },
+  ];
 }

package/backend/detectors/tier1-encrypted-c2.js

@@ -0,0 +1,198 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const THRESHOLDS = {
+  flag_threshold: 70,
+  warn_threshold: 50,
+  known_c2_endpoints: [
+    'filev2.getsession.org',
+    'api.signal.org',
+    '*.briarproject.org',
+    'api.ricochet.im',
+  ],
+  onion_pattern_weight: 30,
+  encoded_url_weight: 35,
+  env_var_c2_weight: 40,
+};
+
+const KNOWN_C2_RE =
+  /(?:filev2\.getsession\.org|api\.signal\.org|(?:[\w-]+\.)?briarproject\.org|api\.ricochet\.im|signal-cli|signal-desktop|tor\s*(?:proxy|socks|connect|bridge))/gi;
+const ONION_RE = /(?:[a-z2-7]{16,56}\.onion|\.onion|tor\s*(?:proxy|socks|connect|bridge))/gi;
+const ENCODED_URL_RE =
+  /(?:atob|Buffer\.from|decodeURIComponent)\s*\((?:['"`][A-Za-z0-9+/=]{20,}['"`]|['"`](?:[0-9a-fA-F]{2,})['"`])/gi;
+const HEX_DOMAIN_RE = /(?:0x[0-9a-fA-F]{2,}){4,}/g;
+const SESSION_RE = /session|oxen|filev2|getsession/i;
+const SIGNAL_RE = /signal|signal-cli|signal-desktop/i;
+const BRIAR_RE = /briar|briarproject/i;
+
+function detectC2InContent(content) {
+  const findings = [];
+
+  let match;
+  KNOWN_C2_RE.lastIndex = 0;
+  while ((match = KNOWN_C2_RE.exec(content)) !== null) {
+    findings.push({
+      type: 'known_endpoint',
+      endpoint: match[0],
+      weight: 80,
+    });
+  }
+
+  ONION_RE.lastIndex = 0;
+  while ((match = ONION_RE.exec(content)) !== null) {
+    findings.push({
+      type: 'onion_service',
+      pattern: match[0],
+      weight: THRESHOLDS.onion_pattern_weight,
+    });
+  }
+
+  ENCODED_URL_RE.lastIndex = 0;
+  while ((match = ENCODED_URL_RE.exec(content)) !== null) {
+    findings.push({
+      type: 'encoded_url',
+      snippet: match[0].substring(0, 60),
+      weight: THRESHOLDS.encoded_url_weight,
+      encoding: match[0].includes('atob')
+        ? 'base64'
+        : match[0].includes('Buffer.from')
+          ? 'hex_or_other'
+          : 'other',
+    });
+  }
+
+  HEX_DOMAIN_RE.lastIndex = 0;
+  while ((match = HEX_DOMAIN_RE.exec(content)) !== null) {
+    findings.push({
+      type: 'hex_encoded_domain',
+      snippet: match[0].substring(0, 40),
+      weight: THRESHOLDS.encoded_url_weight,
+      encoding: 'hex',
+    });
+  }
+
+  return findings;
+}
+
+function computeConfidence(c2Findings, hasSession, hasSignal, hasBriar) {
+  let base = 0;
+
+  const totalWeight = c2Findings.reduce((s, f) => s + f.weight, 0);
+  base += Math.min(totalWeight, 80);
+
+  if (c2Findings.length === 0) {
+    base = 20;
+  }
+
+  if (hasSession) base += 20;
+  if (hasSignal) base += 20;
+  if (hasBriar) base += 15;
+
+  if (c2Findings.length > 0) {
+    base += 20;
+  }
+
+  if (c2Findings.length > 1) {
+    base += Math.min(c2Findings.length * 5, 15);
+  }
+
+  return Math.min(100, Math.max(0, base));
+}
+
+function severityLabel(score) {
+  if (score >= 80) return 'critical';
+  if (score >= 60) return 'high';
+  return 'medium';
+}
+
+function confidenceLabel(score) {
+  if (score >= 80) return 'CRITICAL';
+  if (score >= 60) return 'HIGH';
+  return 'MEDIUM';
+}
+
+export const name = 'tier1-encrypted-c2';
+
+export async function scan(pkgJson, jsFiles, _registryMeta, _allFiles) {
+  const pkgName = pkgJson?.name;
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const allContents = [];
+  if (pkgJson?.scripts && typeof pkgJson.scripts === 'object') {
+    for (const val of Object.values(pkgJson.scripts)) {
+      if (typeof val === 'string') {
+        allContents.push({ source: 'package.json scripts', content: val });
+      }
+    }
+  }
+
+  const files = jsFiles || [];
+  for (const f of files) {
+    if (f?.content) {
+      allContents.push({ source: f.path || f.name || 'unknown', content: f.content });
+    }
+  }
+
+  if (allContents.length === 0) return [];
+
+  const hasSession = SESSION_RE.test(JSON.stringify(allContents.map((c) => c.content)));
+  const hasSignal = SIGNAL_RE.test(JSON.stringify(allContents.map((c) => c.content)));
+  const hasBriar = BRIAR_RE.test(JSON.stringify(allContents.map((c) => c.content)));
+
+  const allFindings = [];
+  for (const { source, content } of allContents) {
+    const c2Findings = detectC2InContent(content);
+    if (c2Findings.length > 0) {
+      allFindings.push({ source, c2Findings });
+    }
+  }
+
+  const flatC2 = allFindings.flatMap((f) => f.c2Findings);
+  const totalSignals =
+    flatC2.length + (hasSession ? 1 : 0) + (hasSignal ? 1 : 0) + (hasBriar ? 1 : 0);
+  if (totalSignals === 0) return [];
+
+  const confidenceScore = computeConfidence(flatC2, hasSession, hasSignal, hasBriar);
+  if (confidenceScore < THRESHOLDS.warn_threshold) return [];
+
+  const endpointTypes = [...new Set(flatC2.map((f) => f.type))];
+  const primaryType = endpointTypes.includes('known_endpoint')
+    ? 'known_endpoint'
+    : endpointTypes.includes('onion_service')
+      ? 'onion_service'
+      : endpointTypes.includes('encoded_url')
+        ? 'encoded_url'
+        : endpointTypes.includes('hex_encoded_domain')
+          ? 'hex_encoded_domain'
+          : 'protocol_signal';
+
+  const evidence = flatC2.map((f) => {
+    if (f.type === 'known_endpoint') return `c2_endpoint: ${f.endpoint}`;
+    if (f.type === 'onion_service') return `onion_pattern: ${f.pattern}`;
+    return `encoded: ${f.snippet}`;
+  });
+
+  if (hasSession) evidence.push('protocol: Session/Oxen messenger');
+  if (hasSignal) evidence.push('protocol: Signal messenger');
+  if (hasBriar) evidence.push('protocol: Briar project');
+
+  const locations =
+    allFindings.length > 0
+      ? allFindings.map((f) => ({ file: f.source, line: 1, column: 1 })).slice(0, 5)
+      : [{ file: 'package.json', line: 1, column: 1 }];
+
+  return [
+    {
+      detector: 'tier1-encrypted-c2',
+      id: 'TIER1-ENCRYPTED-C2',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype: primaryType,
+      message: `${flatC2.length > 0 ? flatC2.length + ' encrypted C2 signal(s)' : 'Encrypted C2 protocol(s) detected'}${hasSession || hasSignal || hasBriar ? ' (' + [hasSession ? 'Session' : '', hasSignal ? 'Signal' : '', hasBriar ? 'Briar' : ''].filter(Boolean).join(', ') + ')' : ''}`,
+      evidence: evidence.slice(0, 8),
+      locations,
+      crossFiles: [],
+      reference: 'D11: TanStack Mini Shai-Hulud encrypted C2',
+    },
+  ];
+}