@lateos/npm-scan 1.0.0 → 1.1.1

package/backend/vsix-scan/detectors/exfil-pattern.js

@@ -35,7 +35,9 @@ const ANTI_ANALYSIS_PATTERNS = [
 ];
 
 function truncateSnippet(str, maxLen = 200) {
-  if (!str || str.length <= maxLen) return str || '';
+  if (!str || str.length <= maxLen) {
+    return str || '';
+  }
   return str.slice(0, maxLen) + '...';
 }
 
@@ -46,14 +48,16 @@ export async function checkExfilPattern(extensionFiles = []) {
 
   for (const file of extensionFiles) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
 
     for (const cp of CREDENTIAL_FILE_PATTERNS) {
       const match = content.match(cp);
       if (match) {
         const snippet = truncateSnippet(match[0]);
-        if (!exfilPatterns.some(e => e.includes(snippet))) {
+        if (!exfilPatterns.some((e) => e.includes(snippet))) {
           exfilPatterns.push(`${path}: ${snippet}`);
           signals.push({ type: 'CREDENTIAL_FILE_TARGET', pattern: cp.source, file: path });
         }

package/backend/vsix-scan/detectors/known-ioc.js

@@ -11,7 +11,9 @@ const __dirname = dirname(__filename);
 const IOC_PATH = join(__dirname, '..', 'vsix-iocs.json');
 
 function loadIOCData() {
-  if (iocsLoaded) return iocsData;
+  if (iocsLoaded) {
+    return iocsData;
+  }
   iocsLoaded = true;
   try {
     iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
@@ -32,9 +34,17 @@ export function reloadIOCData() {
   return loadIOCData();
 }
 
-export async function checkKnownIOC(extensionId, version, publisherAccount, orphanCommits = [], versionHistory = []) {
+export async function checkKnownIOC(
+  extensionId,
+  version,
+  publisherAccount,
+  orphanCommits = [],
+  versionHistory = []
+) {
   const data = loadIOCData();
-  if (!data) return { triggered: false, matches: [] };
+  if (!data) {
+    return { triggered: false, matches: [] };
+  }
 
   const matches = [];
   const iocs = data.iocs || [];
@@ -43,7 +53,11 @@ export async function checkKnownIOC(extensionId, version, publisherAccount, orph
     switch (ioc.type) {
       case 'extensionId': {
         if (ioc.value === extensionId) {
-          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(version)) {
+          if (
+            !ioc.maliciousVersions ||
+            ioc.maliciousVersions.length === 0 ||
+            ioc.maliciousVersions.includes(version)
+          ) {
             matches.push({
               type: 'extensionId',
               value: extensionId,
@@ -60,9 +74,10 @@ export async function checkKnownIOC(extensionId, version, publisherAccount, orph
 
       case 'publisherAccount': {
         if (ioc.value === publisherAccount) {
-          const pubTime = versionHistory.length > 0
-            ? new Date(versionHistory[versionHistory.length - 1]?.publishedAt).getTime()
-            : null;
+          const pubTime =
+            versionHistory.length > 0
+              ? new Date(versionHistory[versionHistory.length - 1]?.publishedAt).getTime()
+              : null;
 
           const windowStart = new Date(ioc.compromiseWindowStart).getTime();
           const windowEnd = ioc.compromiseWindowEnd
@@ -84,7 +99,7 @@ export async function checkKnownIOC(extensionId, version, publisherAccount, orph
 
       case 'orphanCommitHash': {
         for (const commit of orphanCommits) {
-          if (ioc.value === commit || (ioc.value === 'PLACEHOLDER_UPDATE_FROM_THREAT_INTEL')) {
+          if (ioc.value === commit || ioc.value === 'PLACEHOLDER_UPDATE_FROM_THREAT_INTEL') {
             continue;
           }
           if (ioc.value && commit && ioc.value.toLowerCase() === commit.toLowerCase()) {

package/backend/vsix-scan/detectors/orphan-commit-fetch.js

@@ -1,10 +1,13 @@
-const GITHUB_COMMIT_SHA_PATTERN = /api\.github\.com\/repos\/[^/]+\/[^/]+\/git\/commits\/[a-f0-9]{40}/;
+const GITHUB_COMMIT_SHA_PATTERN =
+  /api\.github\.com\/repos\/[^/]+\/[^/]+\/git\/commits\/[a-f0-9]{40}/;
 const NPX_GIT_URL_PATTERN = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
 const MCP_KEYWORDS = ['mcp', 'model-context-protocol', 'claude', 'setup', 'init'];
-const EXTERNAL_FETCH_PATTERN = /(?:https?:\/\/)[^\s"')\]]+(?:\.com|\.io|\.org|\.dev|\.app|\.net)[^\s"')\]]*/;
-const NON_NPMJS_FETCH = /(?:fetch|curl|wget)\s*\(?\s*["']https?:\/\/(?!(?:.*npmjs\.org|.*npm\.js\.org|.*github\.com))[^"']+/;
+const _EXTERNAL_FETCH_PATTERN =
+  /(?:https?:\/\/)[^\s"')\]]+(?:\.com|\.io|\.org|\.dev|\.app|\.net)[^\s"')\]]*/;
+const NON_NPMJS_FETCH =
+  /(?:fetch|curl|wget)\s*\(?\s*["']https?:\/\/(?!(?:.*npmjs\.org|.*npm\.js\.org|.*github\.com))[^"']+/;
 const BUN_PATTERNS = [/bun\s+install/, /install\s+.*bun/, /\bbunx\b/, /\.bun\/bin\//];
-const NPX_GIT_SHORT = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
+const _NPX_GIT_SHORT = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
 
 export async function checkOrphanCommitFetch(extensionFiles = []) {
   const signals = [];
@@ -12,7 +15,9 @@ export async function checkOrphanCommitFetch(extensionFiles = []) {
 
   for (const file of extensionFiles) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
 
     if (GITHUB_COMMIT_SHA_PATTERN.test(content)) {
@@ -39,8 +44,7 @@ export async function checkOrphanCommitFetch(extensionFiles = []) {
       }
     }
 
-    const hasMCPKeywords = MCP_KEYWORDS.some(kw =>
-        new RegExp(`\\b${kw}\\b`, 'i').test(content));
+    const hasMCPKeywords = MCP_KEYWORDS.some((kw) => new RegExp(`\\b${kw}\\b`, 'i').test(content));
     const hasExternalFetch = NON_NPMJS_FETCH.test(content);
 
     if (hasMCPKeywords && hasExternalFetch) {

package/backend/vsix-scan/detectors/publisher-anomaly.js

@@ -1,24 +1,33 @@
-export async function checkPublisherAnomaly(extensionMetadata, publisherProfile, versionHistory, config = {}) {
+export async function checkPublisherAnomaly(
+  extensionMetadata,
+  publisherProfile,
+  versionHistory,
+  config = {}
+) {
   const signals = [];
 
-  const crossNamespaceThreshold = config.crossNamespaceThreshold ?? 3;
-  const crossNamespaceDays = config.crossNamespaceDays ?? 14;
+  const _crossNamespaceThreshold = config.crossNamespaceThreshold ?? 3;
+  const _crossNamespaceDays = config.crossNamespaceDays ?? 14;
   const newAccountAgeDays = config.newAccountAgeDays ?? 30;
   const highInstallThreshold = config.highInstallThreshold ?? 100000;
   const addPublishWindowMinutes = config.addPublishWindowMinutes ?? 15;
 
   const versions = versionHistory || [];
-  if (versions.length === 0) return { triggered: false, signals: [] };
+  if (versions.length === 0) {
+    return { triggered: false, signals: [] };
+  }
 
-  const publishers = [...new Set(versions.map(v => v.publishedBy).filter(Boolean))];
-  if (publishers.length === 0) return { triggered: false, signals: [] };
+  const publishers = [...new Set(versions.map((v) => v.publishedBy).filter(Boolean))];
+  if (publishers.length === 0) {
+    return { triggered: false, signals: [] };
+  }
 
   const sortedVersions = [...versions]
-    .filter(v => v.publishedAt)
+    .filter((v) => v.publishedAt)
     .sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
 
   const extPublisher = publishers[0];
-  const allSame = publishers.every(p => p === extPublisher);
+  const allSame = publishers.every((p) => p === extPublisher);
 
   if (!allSame) {
     for (const pub of publishers) {
@@ -32,13 +41,18 @@ export async function checkPublisherAnomaly(extensionMetadata, publisherProfile,
     }
   }
 
-  const extInstallCount = extensionMetadata?.statistics?.find(s => s.statisticName === 'install')?.value || 0;
+  const extInstallCount =
+    extensionMetadata?.statistics?.find((s) => s.statisticName === 'install')?.value || 0;
 
   const extAgeDays = publisherProfile?.dateCreated
     ? (Date.now() - new Date(publisherProfile.dateCreated).getTime()) / (1000 * 60 * 60 * 24)
     : null;
 
-  if (extAgeDays !== null && extAgeDays < newAccountAgeDays && extInstallCount >= highInstallThreshold) {
+  if (
+    extAgeDays !== null &&
+    extAgeDays < newAccountAgeDays &&
+    extInstallCount >= highInstallThreshold
+  ) {
     signals.push({
       type: 'NEW_ACCOUNT_HIGH_INSTALL',
       accountAgeDays: Math.round(extAgeDays),

package/backend/vsix-scan/index.js

@@ -4,18 +4,32 @@ import { checkActivationEventRisk } from './detectors/activation-event-risk.js';
 import { checkOrphanCommitFetch } from './detectors/orphan-commit-fetch.js';
 import { checkKnownIOC } from './detectors/known-ioc.js';
 import { checkExfilPattern } from './detectors/exfil-pattern.js';
-import { getExtensionMetadata, getVersionHistory, getPublisherProfile, getOpenVsxMetadata, getOpenVsxVersionHistory } from './marketplace-client.js';
-
-const SEVERITY_SCORE = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
+import {
+  getExtensionMetadata,
+  getVersionHistory,
+  getPublisherProfile,
+  getOpenVsxMetadata as _getOpenVsxMetadata,
+  getOpenVsxVersionHistory,
+} from './marketplace-client.js';
+
+const _SEVERITY_SCORE = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
 const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical'];
 
 export async function vsixScan(extensionId, options = {}) {
   const { publisherId, extensionName } = parseExtensionId(extensionId);
 
-  const marketplaceMeta = options.marketplaceMeta || (options.skipNetwork ? null : await getExtensionMetadata(publisherId, extensionName));
-  const marketplaceVersions = options.marketplaceVersions || (marketplaceMeta ? await getVersionHistory(publisherId, extensionName) : []);
-  const openVsxVersions = options.openVsxVersions || (options.skipNetwork ? [] : await getOpenVsxVersionHistory(publisherId, extensionName));
-  const publisherProfile = options.publisherProfile || (options.skipNetwork ? null : await getPublisherProfile(publisherId));
+  const marketplaceMeta =
+    options.marketplaceMeta ||
+    (options.skipNetwork ? null : await getExtensionMetadata(publisherId, extensionName));
+  const marketplaceVersions =
+    options.marketplaceVersions ||
+    (marketplaceMeta ? await getVersionHistory(publisherId, extensionName) : []);
+  const openVsxVersions =
+    options.openVsxVersions ||
+    (options.skipNetwork ? [] : await getOpenVsxVersionHistory(publisherId, extensionName));
+  const publisherProfile =
+    options.publisherProfile ||
+    (options.skipNetwork ? null : await getPublisherProfile(publisherId));
 
   const allVersions = mergeVersionHistories(marketplaceVersions, openVsxVersions);
   const manifest = options.manifest || extractManifest(marketplaceMeta, extensionId);
@@ -25,7 +39,7 @@ export async function vsixScan(extensionId, options = {}) {
   const activationResult = await checkActivationEventRisk(
     manifest,
     allVersions,
-    options.priorVersions || [],
+    options.priorVersions || []
   );
 
   const burstResult = await checkBurstPublish(allVersions, config);
@@ -34,50 +48,82 @@ export async function vsixScan(extensionId, options = {}) {
     manifest || {},
     publisherProfile || {},
     allVersions,
-    config,
+    config
   );
 
   const orphanResult = await checkOrphanCommitFetch(options.extensionFiles || []);
 
   const iocResult = await checkKnownIOC(
     extensionId,
-    options.version || (allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown'),
+    options.version ||
+      (allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown'),
     publisherId,
     orphanResult.signals
-      .filter(s => s.type === 'ORPHAN_COMMIT_GITHUB_API')
-      .map(s => s.indicator),
-    allVersions,
+      .filter((s) => s.type === 'ORPHAN_COMMIT_GITHUB_API')
+      .map((s) => s.indicator),
+    allVersions
   );
 
   const exfilResult = await checkExfilPattern(options.extensionFiles || []);
 
   const triggeredSignals = [];
-  if (burstResult.triggered) triggeredSignals.push('VSIX_BURST_PUBLISH');
-  if (publisherResult.triggered) triggeredSignals.push('VSIX_PUBLISHER_ANOMALY');
-  if (activationResult.triggered) triggeredSignals.push('VSIX_ACTIVATION_EVENT_RISK');
-  if (orphanResult.triggered) triggeredSignals.push('VSIX_ORPHAN_COMMIT_FETCH');
-  if (iocResult.triggered) triggeredSignals.push('VSIX_KNOWN_IOC');
-  if (exfilResult.triggered) triggeredSignals.push('VSIX_EXFIL_PATTERN');
+  if (burstResult.triggered) {
+    triggeredSignals.push('VSIX_BURST_PUBLISH');
+  }
+  if (publisherResult.triggered) {
+    triggeredSignals.push('VSIX_PUBLISHER_ANOMALY');
+  }
+  if (activationResult.triggered) {
+    triggeredSignals.push('VSIX_ACTIVATION_EVENT_RISK');
+  }
+  if (orphanResult.triggered) {
+    triggeredSignals.push('VSIX_ORPHAN_COMMIT_FETCH');
+  }
+  if (iocResult.triggered) {
+    triggeredSignals.push('VSIX_KNOWN_IOC');
+  }
+  if (exfilResult.triggered) {
+    triggeredSignals.push('VSIX_EXFIL_PATTERN');
+  }
 
-  if (triggeredSignals.length === 0) return [];
+  if (triggeredSignals.length === 0) {
+    return [];
+  }
 
   const registryLabels = [];
-  if (marketplaceVersions.length > 0) registryLabels.push('marketplace');
-  if (openVsxVersions.length > 0) registryLabels.push('open-vsx');
+  if (marketplaceVersions.length > 0) {
+    registryLabels.push('marketplace');
+  }
+  if (openVsxVersions.length > 0) {
+    registryLabels.push('open-vsx');
+  }
 
   const maxSeverity = triggeredSignals.reduce((max, s) => {
-    if (s === 'VSIX_KNOWN_IOC' || s === 'VSIX_ORPHAN_COMMIT_FETCH') return Math.max(max, 4);
-    if (s === 'VSIX_BURST_PUBLISH' || s === 'VSIX_PUBLISHER_ANOMALY' || s === 'VSIX_EXFIL_PATTERN') return Math.max(max, 3);
-    if (s === 'VSIX_ACTIVATION_EVENT_RISK') return Math.max(max, 3);
+    if (s === 'VSIX_KNOWN_IOC' || s === 'VSIX_ORPHAN_COMMIT_FETCH') {
+      return Math.max(max, 4);
+    }
+    if (
+      s === 'VSIX_BURST_PUBLISH' ||
+      s === 'VSIX_PUBLISHER_ANOMALY' ||
+      s === 'VSIX_EXFIL_PATTERN'
+    ) {
+      return Math.max(max, 3);
+    }
+    if (s === 'VSIX_ACTIVATION_EVENT_RISK') {
+      return Math.max(max, 3);
+    }
     return max;
   }, 0);
 
   const finalSeverity = SEVERITY_LABELS[maxSeverity] || 'high';
 
-  const latestVersion = allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown';
+  const latestVersion =
+    allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown';
   let exposureWindowMinutes = null;
   if (burstResult.hotPullDetected && allVersions.length >= 2) {
-    const sorted = [...allVersions].sort((a, b) => new Date(b.publishedAt) - new Date(a.publishedAt));
+    const sorted = [...allVersions].sort(
+      (a, b) => new Date(b.publishedAt) - new Date(a.publishedAt)
+    );
     const gap = (new Date(sorted[0].publishedAt) - new Date(sorted[1].publishedAt)) / (1000 * 60);
     exposureWindowMinutes = Math.round(gap);
   }
@@ -92,7 +138,9 @@ export async function vsixScan(extensionId, options = {}) {
     hotPullDetected: burstResult.hotPullDetected,
     publisherSignals: publisherResult.triggered ? publisherResult.signals : null,
     activationEvents: manifest?.activationEvents || null,
-    activationRisk: activationResult.triggered ? { riskLevel: activationResult.riskLevel, why: activationResult.why } : null,
+    activationRisk: activationResult.triggered
+      ? { riskLevel: activationResult.riskLevel, why: activationResult.why }
+      : null,
     orphanCommitIndicators: orphanResult.triggered ? orphanResult.indicators : null,
     iocMatches: iocResult.triggered ? iocResult.matches : null,
     exfilPatterns: exfilResult.triggered ? exfilResult.exfilPatterns : null,
@@ -101,14 +149,16 @@ export async function vsixScan(extensionId, options = {}) {
 
   const remediationGuidance = buildRemediation(triggeredSignals, extensionId);
 
-  return [{
-    id: 'VSIX_SCAN',
-    severity: finalSeverity,
-    title: `VS Code extension risk: ${extensionId}`,
-    description: `${triggeredSignals.length} signal(s): ${triggeredSignals.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: remediationGuidance,
-  }];
+  return [
+    {
+      id: 'VSIX_SCAN',
+      severity: finalSeverity,
+      title: `VS Code extension risk: ${extensionId}`,
+      description: `${triggeredSignals.length} signal(s): ${triggeredSignals.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation: remediationGuidance,
+    },
+  ];
 }
 
 function parseExtensionId(id) {
@@ -135,7 +185,7 @@ function mergeVersionHistories(marketplace, openVsx) {
       seen.add(v.version);
       merged.push({ ...v, registries: ['open-vsx'] });
     } else {
-      const existing = merged.find(m => m.version === v.version);
+      const existing = merged.find((m) => m.version === v.version);
       if (existing) {
         existing.registries.push('open-vsx');
       }
@@ -145,14 +195,20 @@ function mergeVersionHistories(marketplace, openVsx) {
   return merged.sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
 }
 
-function extractManifest(marketplaceMeta, extensionId) {
-  if (!marketplaceMeta?.results?.[0]?.extensions?.[0]) return {};
+function extractManifest(marketplaceMeta, _extensionId) {
+  if (!marketplaceMeta?.results?.[0]?.extensions?.[0]) {
+    return {};
+  }
   const ext = marketplaceMeta.results[0].extensions[0];
   const manifestStr = ext.galleryApiUrl || ext.manifest;
-  if (!manifestStr) return {};
+  if (!manifestStr) {
+    return {};
+  }
 
   try {
-    if (typeof manifestStr === 'object') return manifestStr;
+    if (typeof manifestStr === 'object') {
+      return manifestStr;
+    }
     return JSON.parse(manifestStr);
   } catch {
     return {};

package/backend/vsix-scan/marketplace-client.js

@@ -7,7 +7,7 @@ const RATE_LIMIT_MS = 6000;
 let _lastFetchTime = 0;
 
 function sleep(ms) {
-  return new Promise(r => setTimeout(r, ms));
+  return new Promise((r) => setTimeout(r, ms));
 }
 
 async function rateLimitedFetch(url) {
@@ -44,20 +44,22 @@ async function rateLimitedFetch(url) {
   }
 }
 
-function parseExtensionId(id) {
+function _parseExtensionId(id) {
   const parts = id.split('.');
-  if (parts.length < 2) throw new Error(`Invalid extension ID: ${id}`);
+  if (parts.length < 2) {
+    throw new Error(`Invalid extension ID: ${id}`);
+  }
   return { publisherId: parts[0], extensionName: parts.slice(1).join('.') };
 }
 
 export async function getExtensionMetadata(publisherId, extensionName) {
   const url = `${MARKETPLACE_API}/extensionquery`;
   const body = {
-    filters: [{
-      criteria: [
-        { filterType: 8, value: `${publisherId}.${extensionName}` },
-      ],
-    }],
+    filters: [
+      {
+        criteria: [{ filterType: 8, value: `${publisherId}.${extensionName}` }],
+      },
+    ],
     flags: 914,
   };
 
@@ -77,13 +79,23 @@ export async function getExtensionMetadata(publisherId, extensionName) {
   try {
     res = await fetch(url, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' },
+      headers: {
+        'Content-Type': 'application/json',
+        Accept: 'application/json;api-version=3.0-preview.1',
+      },
       body: JSON.stringify(body),
     });
     if (res.status === 429) {
       const retryAfter = parseInt(res.headers.get('Retry-After') || '10', 10);
       await sleep(retryAfter * 1000);
-      res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Accept': 'application/json;api-version=3.0-preview.1' }, body: JSON.stringify(body) });
+      res = await fetch(url, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Accept: 'application/json;api-version=3.0-preview.1',
+        },
+        body: JSON.stringify(body),
+      });
     }
     if (!res.ok) {
       console.debug(`Marketplace API warning: ${url} returned ${res.status}`);
@@ -100,12 +112,14 @@ export async function getExtensionMetadata(publisherId, extensionName) {
 
 export async function getVersionHistory(publisherId, extensionName) {
   const data = await getExtensionMetadata(publisherId, extensionName);
-  if (!data?.results?.[0]?.extensions?.[0]) return [];
+  if (!data?.results?.[0]?.extensions?.[0]) {
+    return [];
+  }
 
   const extension = data.results[0].extensions[0];
   const versions = extension.versions || [];
 
-  return versions.map(v => ({
+  return versions.map((v) => ({
     version: v.version,
     publishedAt: v.lastUpdated || v.publishedDate,
     publishedBy: extension.publisher?.publisherName || publisherId,
@@ -126,7 +140,9 @@ export async function getOpenVsxMetadata(namespace, name) {
 
 export async function getOpenVsxVersionHistory(namespace, name) {
   const data = await getOpenVsxMetadata(namespace, name);
-  if (!data) return [];
+  if (!data) {
+    return [];
+  }
   const versions = data.allVersions || {};
   const files = data.files || {};