@lateos/npm-scan 1.0.0 → 1.1.1

package/backend/detectors/atk-007-typosquat.js

@@ -1,12 +1,62 @@
-const TOP_PKGS = ['lodash', 'react', 'express', 'axios', 'chalk', 'vue', 'typescript', 'moment', 'uuid', 'commander', 'debug', 'semver', 'underscore', 'request', 'async', 'cheerio', 'bluebird', 'jest', 'mocha', 'dotenv', 'glob', 'minimist', 'body-parser', 'cors', 'helmet', 'jsonwebtoken', 'socket.io', 'redis', 'mongoose', 'sequelize', 'pg', 'passport', 'nodemailer', 'multer', 'bcrypt', 'winston', 'luxon', 'dayjs', 'rxjs', 'redux'];
+const TOP_PKGS = [
+  'lodash',
+  'react',
+  'express',
+  'axios',
+  'chalk',
+  'vue',
+  'typescript',
+  'moment',
+  'uuid',
+  'commander',
+  'debug',
+  'semver',
+  'underscore',
+  'request',
+  'async',
+  'cheerio',
+  'bluebird',
+  'jest',
+  'mocha',
+  'dotenv',
+  'glob',
+  'minimist',
+  'body-parser',
+  'cors',
+  'helmet',
+  'jsonwebtoken',
+  'socket.io',
+  'redis',
+  'mongoose',
+  'sequelize',
+  'pg',
+  'passport',
+  'nodemailer',
+  'multer',
+  'bcrypt',
+  'winston',
+  'luxon',
+  'dayjs',
+  'rxjs',
+  'redux',
+];
 
 function levenshtein(a, b) {
-  const m = a.length, n = b.length;
+  const m = a.length,
+    n = b.length;
   const d = Array.from({ length: m + 1 }, (_, i) => [i]);
-  for (let j = 0; j <= n; j++) d[0][j] = j;
-  for (let i = 1; i <= m; i++)
-    for (let j = 1; j <= n; j++)
-      d[i][j] = Math.min(d[i-1][j]+1, d[i][j-1]+1, d[i-1][j-1]+(a[i-1]===b[j-1]?0:1));
+  for (let j = 0; j <= n; j++) {
+    d[0][j] = j;
+  }
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      d[i][j] = Math.min(
+        d[i - 1][j] + 1,
+        d[i][j - 1] + 1,
+        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)
+      );
+    }
+  }
   return d[m][n];
 }
 
@@ -14,9 +64,13 @@ export async function scan(pkgJson) {
   const findings = [];
   const deps = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
   const names = Object.keys(deps);
-  if (names.length === 0) return findings;
+  if (names.length === 0) {
+    return findings;
+  }
   for (const d of names) {
-    if (d.length < 4) continue;
+    if (d.length < 4) {
+      continue;
+    }
     for (const top of TOP_PKGS) {
       const dist = levenshtein(d, top);
       if (dist > 0 && dist <= 2 && d !== top) {
@@ -25,11 +79,11 @@ export async function scan(pkgJson) {
           severity: 'low',
           title: 'Typosquatting suspect',
           description: `"${d}" is edit-distance ${dist} from "${top}"`,
-          evidence: d
+          evidence: d,
         });
         break;
       }
     }
   }
   return findings;
-}
+}

package/backend/detectors/atk-008-tarball-tamper.js

@@ -1,7 +1,7 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
   const repo = pkgJson.repository || {};
-  const repoUrl = typeof repo === 'string' ? repo : (repo.url || '');
+  const repoUrl = typeof repo === 'string' ? repo : repo.url || '';
   const pkgName = (pkgJson.name || '').toLowerCase();
 
   const knownRepos = {
@@ -29,7 +29,7 @@ export async function scan(pkgJson, files = []) {
   };
 
   if (repoUrl && repoUrl.includes('github.com')) {
-    const repoMatch = repoUrl.match(/github\.com[\/:]([\w.-]+\/[\w.-]+?)(?:\.git)?$/);
+    const repoMatch = repoUrl.match(/github\.com[/:]([\w.-]+\/[\w.-]+?)(?:\.git)?$/);
     if (repoMatch) {
       const ghRepo = repoMatch[1].toLowerCase();
       const ghName = ghRepo.split('/')[1];
@@ -45,7 +45,7 @@ export async function scan(pkgJson, files = []) {
             severity: 'high',
             title: 'Tarball tampering suspect',
             description: `Repository "${ghRepo}" does not match expected "${expectedRepo}" for package "${pkgName}"`,
-            evidence: `repo: ${ghRepo}, expected: ${expectedRepo}`
+            evidence: `repo: ${ghRepo}, expected: ${expectedRepo}`,
           });
         } else {
           const orgExpected = knownRepos[shortName];
@@ -57,7 +57,7 @@ export async function scan(pkgJson, files = []) {
                 severity: 'medium',
                 title: 'Tarball tampering suspect',
                 description: `Repository "${ghRepo}" is a different repo under a different org (legitimate: ${expectedRepo})`,
-                evidence: `org mismatch: ${ghOrg} vs ${expectedOrg}`
+                evidence: `org mismatch: ${ghOrg} vs ${expectedOrg}`,
               });
             }
           }
@@ -66,7 +66,7 @@ export async function scan(pkgJson, files = []) {
     }
   }
 
-  const code = files.map(f => f.content).join('\n');
+  const code = files.map((f) => f.content).join('\n');
   const embeddedIntros = code.match(/\/\/\s*Source:\s*(https?:\/\/[^\s]+)/gi);
   if (embeddedIntros && repoUrl) {
     for (const intro of embeddedIntros) {
@@ -78,7 +78,7 @@ export async function scan(pkgJson, files = []) {
             severity: 'medium',
             title: 'Tarball tampering suspect',
             description: 'Source URL in file does not match declared repository',
-            evidence: srcUrl
+            evidence: srcUrl,
           });
         }
       } catch {

package/backend/detectors/atk-009-dormant-trigger.js

@@ -1,10 +1,13 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
+  const code = files.map((f) => f.content).join('\n');
 
   const ciPatterns = [
     { pattern: /process\.env\.CI\b/, label: 'CI env check' },
-    { pattern: /process\.env\.(TRAVIS|CIRCLECI|GITHUB_ACTIONS|JENKINS|GITLAB_CI|CODEBUILD)/, label: 'CI platform check' },
+    {
+      pattern: /process\.env\.(TRAVIS|CIRCLECI|GITHUB_ACTIONS|JENKINS|GITLAB_CI|CODEBUILD)/,
+      label: 'CI platform check',
+    },
     { pattern: /\bisCI\b/, label: 'isCI utility check' },
   ];
 
@@ -15,7 +18,7 @@ export async function scan(pkgJson, files = []) {
         severity: 'high',
         title: 'Conditional trigger (CI/production env)',
         description: `Package checks for CI or production environment: ${label}`,
-        evidence: 'conditional trigger detected'
+        evidence: 'conditional trigger detected',
       });
       break;
     }
@@ -24,7 +27,8 @@ export async function scan(pkgJson, files = []) {
   const suspiciousCode = /\beval\(|atob\(|btoa\(|new Function\(|child_process\b|\.exec\(|spawn\(/;
   const suspiciousNetwork = /\.fetch\(|http\.request\(|https\.request\(|dns\.lookup\(/;
   const suspiciousEnv = /process\.env\.(?!NODE_ENV)[A-Z_]{4,}/;
-  const hasSuspicious = suspiciousCode.test(code) || suspiciousNetwork.test(code) || suspiciousEnv.test(code);
+  const hasSuspicious =
+    suspiciousCode.test(code) || suspiciousNetwork.test(code) || suspiciousEnv.test(code);
 
   const timePatterns = [
     {
@@ -52,7 +56,7 @@ export async function scan(pkgJson, files = []) {
         severity: hasSuspicious ? 'high' : 'medium',
         title: 'Conditional trigger (time-based)',
         description: `Package uses ${label}`,
-        evidence: `${label}${hasSuspicious ? ' — elevated (suspicious context: eval/network/exec detected)' : ''}`
+        evidence: `${label}${hasSuspicious ? ' — elevated (suspicious context: eval/network/exec detected)' : ''}`,
       });
       break;
     }

package/backend/detectors/atk-010-sandbox-evasion.js

@@ -1,13 +1,22 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
+  const code = files.map((f) => f.content).join('\n');
 
   const highPatterns = [
     { pattern: /\bdebugger\s*;?(\s*\/\/|\s*$|\)|\])/m, label: 'debugger statement' },
-    { pattern: /process\.argv.*['"]--inspect['"]|process\.argv.*\binspect\b(?!.*argv)/, label: 'inspect/debug flag detection' },
-    { pattern: /hostname.*(?:docker|sandbox|container|vmware|vbox)/i, label: 'anti-sandbox hostname check' },
+    {
+      pattern: /process\.argv.*['"]--inspect['"]|process\.argv.*\binspect\b(?!.*argv)/,
+      label: 'inspect/debug flag detection',
+    },
+    {
+      pattern: /hostname.*(?:docker|sandbox|container|vmware|vbox)/i,
+      label: 'anti-sandbox hostname check',
+    },
     { pattern: /detect.*(?:sandbox|debugger|analysis|virtual)/i, label: 'explicit evasion probe' },
-    { pattern: /e\.stack\b.*(?:sandbox|docker|container|vmware)/i, label: 'stack trace sandbox probe' },
+    {
+      pattern: /e\.stack\b.*(?:sandbox|docker|container|vmware)/i,
+      label: 'stack trace sandbox probe',
+    },
   ];
 
   for (const { pattern, label } of highPatterns) {
@@ -17,35 +26,41 @@ export async function scan(pkgJson, files = []) {
         severity: 'high',
         title: 'Sandbox evasion / anti-analysis',
         description: `Package performs anti-analysis behavior: ${label}`,
-        evidence: 'evasion pattern detected'
+        evidence: 'evasion pattern detected',
       });
       break;
     }
   }
 
   if (findings.length === 0) {
-    const multiApi = ['process.pid', 'process.ppid', 'os.hostname', 'os.cpus', 'process.arch'].filter(api => code.includes(api));
+    const multiApi = [
+      'process.pid',
+      'process.ppid',
+      'os.hostname',
+      'os.cpus',
+      'process.arch',
+    ].filter((api) => code.includes(api));
     if (multiApi.length >= 3) {
       findings.push({
         id: 'ATK-010',
         severity: 'medium',
         title: 'Sandbox evasion / anti-analysis',
         description: 'Multiple system fingerprinting APIs detected',
-        evidence: `${multiApi.length} fingerprinting APIs: ${multiApi.join(', ')}`
+        evidence: `${multiApi.length} fingerprinting APIs: ${multiApi.join(', ')}`,
       });
     }
   }
 
-  const multiStack = ['Error().stack', 'new Error().stack'].filter(s => code.includes(s));
+  const multiStack = ['Error().stack', 'new Error().stack'].filter((s) => code.includes(s));
   if (multiStack.length > 0 && /atob|eval|execSync|spawn|child_process/.test(code)) {
     findings.push({
       id: 'ATK-010',
       severity: 'medium',
       title: 'Sandbox evasion / anti-analysis',
       description: 'Stack trace capture combined with code execution',
-      evidence: 'stack trace + execution'
+      evidence: 'stack trace + execution',
     });
   }
 
   return findings;
-}
+}

package/backend/detectors/atk-011-transitive-prop.js

@@ -1,27 +1,28 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
+  const code = files.map((f) => f.content).join('\n');
 
   const highPatterns = [
     {
       pattern: /(?:exec|execSync|spawn)\s*\([^)]*npm\s+(?:install|link)\s*\./i,
-      label: 'programmatic self-propagation via npm install/link'
+      label: 'programmatic self-propagation via npm install/link',
     },
     {
-      pattern: /fs\.(?:writeFile|writeFileSync|copyFile|copyFileSync)\s*\([^)]*(?:node_modules\/(?!\.)[^/]+).*(?:index\.js|main\.js|package\.json)/i,
-      label: 'direct file write to peer node_modules'
+      pattern:
+        /fs\.(?:writeFile|writeFileSync|copyFile|copyFileSync)\s*\([^)]*(?:node_modules\/(?!\.)[^/]+).*(?:index\.js|main\.js|package\.json)/i,
+      label: 'direct file write to peer node_modules',
     },
     {
       pattern: /fs\.(?:writeFile|writeFileSync)\s*\([^)]*package\.json[^)]*["']scripts["']/i,
-      label: 'package.json script injection in another package'
+      label: 'package.json script injection in another package',
     },
     {
       pattern: /fs\.(?:writeFile|writeFileSync)\s*\([^)]*\.\.\/[^)]*package\.json/i,
-      label: 'writes modified package.json to sibling package'
+      label: 'writes modified package.json to sibling package',
     },
     {
       pattern: /(?:exec|execSync|spawn)\s*\([^)]*(?:\.\.\/|process\.env\.INIT_CWD).*npm\s+install/i,
-      label: 'cross-directory npm install propagation'
+      label: 'cross-directory npm install propagation',
     },
   ];
 
@@ -32,7 +33,7 @@ export async function scan(pkgJson, files = []) {
         severity: 'high',
         title: 'Transitive propagation (worm)',
         description: `Package attempts lateral worm-style spread: ${label}`,
-        evidence: 'transitive propagation pattern detected'
+        evidence: 'transitive propagation pattern detected',
       });
       break;
     }
@@ -42,19 +43,19 @@ export async function scan(pkgJson, files = []) {
     const mediumPatterns = [
       {
         pattern: /process\.env\.npm_package_name/,
-        label: 'reads own package name from env (self-awareness indicator)'
+        label: 'reads own package name from env (self-awareness indicator)',
       },
       {
         pattern: /fs\.symlink(?:Sync)?\s*\([^)]*node_modules/,
-        label: 'creates symlinks in node_modules (worm spreading mechanism)'
+        label: 'creates symlinks in node_modules (worm spreading mechanism)',
       },
       {
         pattern: /fs\.(?:mkdir|mkdirSync)\s*\([^)]*\.\.\/[^)]*node_modules/,
-        label: 'creates directories in parent node_modules'
+        label: 'creates directories in parent node_modules',
       },
       {
         pattern: /__dirname.*\.\.\/[^/]+\/node_modules.*require\(/,
-        label: 'dynamic parent-node_modules require for lateral spread'
+        label: 'dynamic parent-node_modules require for lateral spread',
       },
     ];
 
@@ -65,7 +66,7 @@ export async function scan(pkgJson, files = []) {
           severity: 'medium',
           title: 'Transitive propagation (worm)',
           description: label,
-          evidence: 'potential propagation indicator'
+          evidence: 'potential propagation indicator',
         });
         break;
       }

package/backend/detectors/axios-poisoning/d1-version-fingerprint.js

@@ -1,13 +1,13 @@
-const BLOCKED_VERSIONS = new Map([
-  ['axios', ['1.14.1', '0.30.4']],
-]);
+const BLOCKED_VERSIONS = new Map([['axios', ['1.14.1', '0.30.4']]]);
 
 export function scanVersionBlocklist(pkgJson) {
   const pkgName = pkgJson?.name || '';
   const pkgVersion = pkgJson?.version || '';
 
   const blocked = BLOCKED_VERSIONS.get(pkgName);
-  if (!blocked) return { triggered: false, stopCondition: false, matchedVersion: null };
+  if (!blocked) {
+    return { triggered: false, stopCondition: false, matchedVersion: null };
+  }
 
   if (blocked.includes(pkgVersion)) {
     return {

package/backend/detectors/axios-poisoning/d2-decoy-dep.js

@@ -1,7 +1,11 @@
 const KNOWN_DECOYS = ['plain-crypto-js'];
 
 export function scanDecoyDependency(pkgJson) {
-  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
+  const deps = {
+    ...pkgJson?.dependencies,
+    ...pkgJson?.devDependencies,
+    ...pkgJson?.peerDependencies,
+  };
   const findings = [];
 
   for (const depName of KNOWN_DECOYS) {

package/backend/detectors/axios-poisoning/d3-postinstall-rat.js

@@ -7,7 +7,8 @@ const CRON_PERSIST_RE = /crontab\s+-[ei]|@reboot\s+|@daily\s+|@hourly\s+/;
 const DLL_LOAD_RE = /LoadLibrary|dlopen|LoadLibraryEx|lib\.(?:LoadLibrary|dlopen)/;
 const PROCESS_INJECT_RE = /CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|NtCreateThreadEx/;
 const NET_CALLBACK_RE = /(?:https?:\/\/|wss?:\/\/|ws:\/\/)(?:[^\s'"]*\.[^\s'"]{2,})/;
-const BINARY_DROP_RE = /(?:fs\.writeFileSync|writeFile|writeFileSync)\s*\([^)]*(?:\.exe|\.dll|\.bin|\.bat|\.ps1)/;
+const BINARY_DROP_RE =
+  /(?:fs\.writeFileSync|writeFile|writeFileSync)\s*\([^)]*(?:\.exe|\.dll|\.bin|\.bat|\.ps1)/;
 
 const SUSPICIOUS_HOOK_PATTERNS = [
   /curl|wget|fetch|https?:\/\//,
@@ -22,7 +23,7 @@ const SUSPICIOUS_HOOK_PATTERNS = [
 
 export function scanPostinstallRAT(pkgJson, files = []) {
   const scripts = pkgJson?.scripts || {};
-  const code = files.map(f => f.content || '').join('\n');
+  const code = files.map((f) => f.content || '').join('\n');
 
   const activeHooks = [];
   for (const hook of SUSPICIOUS_HOOKS) {
@@ -32,39 +33,76 @@ export function scanPostinstallRAT(pkgJson, files = []) {
   }
 
   if (activeHooks.length === 0) {
-    return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+    return {
+      triggered: false,
+      platforms: [],
+      c2Indicators: [],
+      payloadType: null,
+      hooks: [],
+      hasBinaryDrop: false,
+    };
   }
 
-  const combined = code + '\n' + activeHooks.map(h => h.command).join('\n');
+  const combined = code + '\n' + activeHooks.map((h) => h.command).join('\n');
 
-  const hasSuspiciousCode = SUSPICIOUS_HOOK_PATTERNS.some(p => p.test(combined));
+  const hasSuspiciousCode = SUSPICIOUS_HOOK_PATTERNS.some((p) => p.test(combined));
 
   if (activeHooks.length > 0 && !hasSuspiciousCode) {
-    return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+    return {
+      triggered: false,
+      platforms: [],
+      c2Indicators: [],
+      payloadType: null,
+      hooks: [],
+      hasBinaryDrop: false,
+    };
   }
 
   const platforms = [];
   let c2Indicators = [];
   let hasBinaryDrop = false;
 
-  if (POWERSHELL_RE.test(combined)) platforms.push('windows');
-  if (LAUNCHD_RE.test(combined)) platforms.push('macos');
-  if (SYSTEMD_SERVICE_RE.test(combined) || CRON_PERSIST_RE.test(combined)) platforms.push('linux');
-  if (TEMP_DIR_RE.test(combined) && (POWERSHELL_RE.test(combined) || BINARY_DROP_RE.test(combined))) {
-    if (!platforms.includes('windows')) platforms.push('windows');
-    if (!platforms.includes('linux')) platforms.push('linux');
-    if (!platforms.includes('macos')) platforms.push('macos');
+  if (POWERSHELL_RE.test(combined)) {
+    platforms.push('windows');
+  }
+  if (LAUNCHD_RE.test(combined)) {
+    platforms.push('macos');
+  }
+  if (SYSTEMD_SERVICE_RE.test(combined) || CRON_PERSIST_RE.test(combined)) {
+    platforms.push('linux');
+  }
+  if (
+    TEMP_DIR_RE.test(combined) &&
+    (POWERSHELL_RE.test(combined) || BINARY_DROP_RE.test(combined))
+  ) {
+    if (!platforms.includes('windows')) {
+      platforms.push('windows');
+    }
+    if (!platforms.includes('linux')) {
+      platforms.push('linux');
+    }
+    if (!platforms.includes('macos')) {
+      platforms.push('macos');
+    }
   }
 
-  if (DLL_LOAD_RE.test(combined)) platforms.push('windows');
-  if (PROCESS_INJECT_RE.test(combined)) platforms.push('windows');
+  if (DLL_LOAD_RE.test(combined)) {
+    platforms.push('windows');
+  }
+  if (PROCESS_INJECT_RE.test(combined)) {
+    platforms.push('windows');
+  }
 
   if (NET_CALLBACK_RE.test(combined)) {
     const urls = combined.match(NET_CALLBACK_RE);
-    c2Indicators = urls ? [...new Set(urls.map(u => u.replace(/['")]/g, '')))] : ['Network callback to external server'];
+    c2Indicators = urls
+      ? [...new Set(urls.map((u) => u.replace(/['")]/g, '')))]
+      : ['Network callback to external server'];
   }
 
-  if (BINARY_DROP_RE.test(combined)) hasBinaryDrop = true;
+  if (BINARY_DROP_RE.test(combined)) {
+    hasBinaryDrop = true;
+  }
 
   let payloadType = null;
   if (platforms.length >= 2 && c2Indicators.length > 0 && hasBinaryDrop) {
@@ -81,10 +119,17 @@ export function scanPostinstallRAT(pkgJson, files = []) {
       payloadType,
       platforms: [...new Set(platforms)],
       c2Indicators,
-      hooks: activeHooks.map(h => h.hook),
+      hooks: activeHooks.map((h) => h.hook),
       hasBinaryDrop,
     };
   }
 
-  return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+  return {
+    triggered: false,
+    platforms: [],
+    c2Indicators: [],
+    payloadType: null,
+    hooks: [],
+    hasBinaryDrop: false,
+  };
 }