@lateos/npm-scan 1.0.0 → 1.1.1

package/backend/detectors/msh-supplement/index.js

@@ -15,48 +15,57 @@ const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
 
 function highestSeverity(severities) {
   for (const s of SEVERITY_ORDER) {
-    if (severities.includes(s)) return s;
+    if (severities.includes(s)) {
+      return s;
+    }
   }
   return 'none';
 }
 
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+export async function scan(pkgJson, files = [], _registryMeta = null, allFiles = null) {
   const fileList = allFiles || files || [];
   const pkgName = pkgJson?.name || 'unknown';
   const pkgVersion = pkgJson?.version || '0.0.0';
 
   const d1Results = scanCtfScramble(fileList);
   if (d1Results.stopCondition) {
-    const evidence = attachProvenance({
-      rule: 'MSH-OBF-001',
-      campaign: 'MINI_SHAI_HULUD',
-      triggeredChecks: ['D1'],
-      filePath: d1Results.filePath,
-      patternMatched: d1Results.patternMatched,
-      action: 'BLOCK_IMMEDIATELY',
-    }, {
-      ruleId: 'MSH-OBF-001',
-      ruleName: 'ctf-scramble-v2 Obfuscation Detection',
-      severity: 'CRITICAL',
-      campaignName: 'Mini Shai-Hulud',
-      pkgName,
-      pkgVersion,
-      triggered: true,
-      severity: 'critical',
-      indicators: [{ type: 'obfuscation_found', value: d1Results.patternMatched }],
-      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/d1-obfuscation.js',
-      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-    });
+    const evidence = attachProvenance(
+      {
+        rule: 'MSH-OBF-001',
+        campaign: 'MINI_SHAI_HULUD',
+        triggeredChecks: ['D1'],
+        filePath: d1Results.filePath,
+        patternMatched: d1Results.patternMatched,
+        action: 'BLOCK_IMMEDIATELY',
+      },
+      {
+        ruleId: 'MSH-OBF-001',
+        ruleName: 'ctf-scramble-v2 Obfuscation Detection',
+        campaignName: 'Mini Shai-Hulud',
+        pkgName,
+        pkgVersion,
+        triggered: true,
+        severity: 'critical',
+        indicators: [{ type: 'obfuscation_found', value: d1Results.patternMatched }],
+        ruleProvenanceUrl:
+          'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/d1-obfuscation.js',
+        campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+      }
+    );
 
-    return [{
-      id: 'MINI_SHAI_HULUD',
-      severity: 'critical',
-      title: 'Mini Shai-Hulud worm campaign — ctf-scramble-v2 malware obfuscation detected',
-      description: 'HALT: ctf-scramble-v2 obfuscation layer detected. Package is compromised. Block install immediately.',
-      evidence: JSON.stringify(evidence),
-      mitigation: 'BLOCK IMMEDIATELY. Do not install this package version. Revoke any npm tokens exposed to this package. Rotate all CI/CD secrets. Run full malware scan on any system that processed this package.',
-      stopCondition: true,
-    }];
+    return [
+      {
+        id: 'MINI_SHAI_HULUD',
+        severity: 'critical',
+        title: 'Mini Shai-Hulud worm campaign — ctf-scramble-v2 malware obfuscation detected',
+        description:
+          'HALT: ctf-scramble-v2 obfuscation layer detected. Package is compromised. Block install immediately.',
+        evidence: JSON.stringify(evidence),
+        mitigation:
+          'BLOCK IMMEDIATELY. Do not install this package version. Revoke any npm tokens exposed to this package. Rotate all CI/CD secrets. Run full malware scan on any system that processed this package.',
+        stopCondition: true,
+      },
+    ];
   }
 
   const results = {
@@ -69,39 +78,45 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     .filter(([_, r]) => r.triggered)
     .map(([id]) => id);
 
-  if (triggered.length === 0) return [];
+  if (triggered.length === 0) {
+    return [];
+  }
 
-  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const severity = highestSeverity(triggered.map((id) => RULE_SEVERITY[id]));
 
-  const evidence = attachProvenance({
-    campaign: 'MINI_SHAI_HULUD',
-    triggeredChecks: triggered,
-    details: Object.fromEntries(
-      Object.entries(results).filter(([_, r]) => r.triggered)
-    ),
-  }, {
-    ruleId: 'MSH-SUPPLEMENT',
-    ruleName: 'Mini Shai-Hulud Supplement Detection',
-    severity: severity.toUpperCase(),
-    campaignName: 'Mini Shai-Hulud',
-    pkgName,
-    pkgVersion,
-    triggered: true,
-    severity,
-    indicators: triggered.map(id => ({
-      type: `rule_${id}`,
-      value: RULE_SEVERITY[id],
-    })),
-    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/',
-    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-  });
+  const evidence = attachProvenance(
+    {
+      campaign: 'MINI_SHAI_HULUD',
+      triggeredChecks: triggered,
+      details: Object.fromEntries(Object.entries(results).filter(([_, r]) => r.triggered)),
+    },
+    {
+      ruleId: 'MSH-SUPPLEMENT',
+      ruleName: 'Mini Shai-Hulud Supplement Detection',
+      campaignName: 'Mini Shai-Hulud',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity,
+      indicators: triggered.map((id) => ({
+        type: `rule_${id}`,
+        value: RULE_SEVERITY[id],
+      })),
+      ruleProvenanceUrl:
+        'https://github.com/lateos/npm-scan/blob/main/backend/detectors/msh-supplement/',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    }
+  );
 
-  return [{
-    id: 'MINI_SHAI_HULUD',
-    severity,
-    title: 'Mini Shai-Hulud worm campaign — supplement indicators',
-    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'If daemonization detected: revoke npm tokens and rotate CI/CD secrets. If geographic killswitch detected: verify running in expected region; attacker may be avoiding certain locales. If C2 dead-drop detected: check for unauthorized GitHub API access and token exfiltration. Review recent version publish history for anomalous bursts.',
-  }];
+  return [
+    {
+      id: 'MINI_SHAI_HULUD',
+      severity,
+      title: 'Mini Shai-Hulud worm campaign — supplement indicators',
+      description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation:
+        'If daemonization detected: revoke npm tokens and rotate CI/CD secrets. If geographic killswitch detected: verify running in expected region; attacker may be avoiding certain locales. If C2 dead-drop detected: check for unauthorized GitHub API access and token exfiltration. Review recent version publish history for anomalous bursts.',
+    },
+  ];
 }

package/backend/detectors/node-ipc-compromise/d1-version-blocklist.js

@@ -6,9 +6,11 @@ const SAFE_PINS = {
   '12.0.1': '12.0.0',
 };
 
-export function scanVersionBlocklist(pkgJson, registryMeta) {
+export function scanVersionBlocklist(pkgJson, _registryMeta) {
   const pkgName = pkgJson?.name || '';
-  if (pkgName !== 'node-ipc') return { triggered: false };
+  if (pkgName !== 'node-ipc') {
+    return { triggered: false };
+  }
 
   const version = pkgJson?.version || '';
   if (BLOCKED_VERSIONS.has(version)) {

package/backend/detectors/node-ipc-compromise/d10-unauthorized-publisher.js

@@ -1,17 +1,21 @@
 export function scanUnauthorizedPublisher(pkgJson, registryMeta) {
   const pkgName = pkgJson?.name || '';
-  if (pkgName !== 'node-ipc') return { triggered: false };
+  if (pkgName !== 'node-ipc') {
+    return { triggered: false };
+  }
 
-  const publisherAccount = registryMeta?.versions?.[pkgJson?.version]?._npmUser?.name
-    || registryMeta?.versions?.[Object.keys(registryMeta.versions || {})[0]]?._npmUser?.name
-    || null;
+  const publisherAccount =
+    registryMeta?.versions?.[pkgJson?.version]?._npmUser?.name ||
+    registryMeta?.versions?.[Object.keys(registryMeta.versions || {})[0]]?._npmUser?.name ||
+    null;
 
   if (publisherAccount === 'atiertant') {
     return {
       triggered: true,
       publisher: publisherAccount,
       package: pkgName,
-      detail: 'Account atiertant has no prior release history on node-ipc — account recovery via expired email domain takeover',
+      detail:
+        'Account atiertant has no prior release history on node-ipc — account recovery via expired email domain takeover',
     };
   }
 

package/backend/detectors/node-ipc-compromise/d11-blast-radius.js

@@ -16,12 +16,16 @@ export function scanBlastRadius(allFiles) {
 
   for (const file of allFiles) {
     const path = file.path?.replace(/\\/g, '/') || '';
-    const isLockfile = LOCKFILE_PATTERNS.some(p => p.test(path));
-    if (!isLockfile) continue;
+    const isLockfile = LOCKFILE_PATTERNS.some((p) => p.test(path));
+    if (!isLockfile) {
+      continue;
+    }
 
     const content = file.content || '';
     const hasNodeIpc = /\bnode-ipc\b/i.test(content);
-    if (!hasNodeIpc) continue;
+    if (!hasNodeIpc) {
+      continue;
+    }
 
     for (const [badVersion, info] of Object.entries(COMPROMISED_VERSIONS)) {
       const versionInQuotes = `"${badVersion}"`;

package/backend/detectors/node-ipc-compromise/d2-tarball-hash.js

@@ -11,7 +11,9 @@ export function scanTarballHash(allFiles) {
 
   for (const file of allFiles) {
     const path = file.path || '';
-    if (!path.endsWith('.tgz') && !path.endsWith('.tar.gz')) continue;
+    if (!path.endsWith('.tgz') && !path.endsWith('.tar.gz')) {
+      continue;
+    }
 
     const content = file.content || '';
     const hash = createHash('sha256').update(content, 'utf8').digest('hex');
@@ -20,9 +22,12 @@ export function scanTarballHash(allFiles) {
       matches.push({
         file: path,
         sha256: hash,
-        version: hash === '449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e'
-          ? '9.1.6' : hash === 'c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea'
-          ? '9.2.3' : '12.0.1',
+        version:
+          hash === '449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e'
+            ? '9.1.6'
+            : hash === 'c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea'
+              ? '9.2.3'
+              : '12.0.1',
       });
     }
   }

package/backend/detectors/node-ipc-compromise/d3-cjs-payload-injection.js

@@ -7,7 +7,7 @@ export function scanCjsPayloadInjection(allFiles) {
   let cjsContent = null;
   let mjsContent = null;
   let cjsPath = null;
-  let mjsPath = null;
+  let _mjsPath = null;
 
   for (const file of allFiles) {
     const path = file.path?.replace(/\\/g, '/') || '';
@@ -17,7 +17,7 @@ export function scanCjsPayloadInjection(allFiles) {
     }
     if (path.endsWith('node-ipc.mjs')) {
       mjsContent = file.content || '';
-      mjsPath = path;
+      _mjsPath = path;
     }
   }
 
@@ -52,19 +52,21 @@ export function scanCjsPayloadInjection(allFiles) {
         matches.push({
           file: cjsPath,
           finding: 'iife-suffix',
-          detail: 'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
+          detail:
+            'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
         });
       }
     }
   }
 
   if (cjsContent && IIFE_END_PATTERN.test(cjsContent.trim())) {
-    const alreadyReported = matches.some(m => m.finding === 'iife-suffix');
+    const alreadyReported = matches.some((m) => m.finding === 'iife-suffix');
     if (!alreadyReported) {
       matches.push({
         file: cjsPath,
         finding: 'iife-suffix',
-        detail: 'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
+        detail:
+          'node-ipc.cjs ends with IIFE pattern — potential obfuscated payload appended after module closure',
       });
     }
   }

package/backend/detectors/node-ipc-compromise/d4-injected-payload-hash.js

@@ -2,14 +2,16 @@ import { createHash } from 'crypto';
 
 const INJECTED_PAYLOAD_HASH = '3427a90c8cb9af764445448648176e120ebc6af0a538158340cf6220de4d01b7';
 
-const IIFE_BOUNDARY = /}\)\(\);\s*$/;
+const _IIFE_BOUNDARY = /}\)\(\);\s*$/;
 
 export function scanInjectedPayloadHash(allFiles) {
   const matches = [];
 
   for (const file of allFiles) {
     const path = file.path?.replace(/\\/g, '/') || '';
-    if (!path.endsWith('node-ipc.cjs')) continue;
+    if (!path.endsWith('node-ipc.cjs')) {
+      continue;
+    }
 
     const content = file.content || '';
 

package/backend/detectors/node-ipc-compromise/d5-dns-c2-pattern.js

@@ -1,9 +1,4 @@
-const PUBLIC_RESOLVERS = new Set([
-  '1.1.1.1',
-  '8.8.8.8',
-  '8.8.4.4',
-  '9.9.9.9',
-]);
+const PUBLIC_RESOLVERS = new Set(['1.1.1.1', '8.8.8.8', '8.8.4.4', '9.9.9.9']);
 
 const IP_PATTERN = /setServers\(\s*\[?\s*['"`](\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})['"`]/;
 
@@ -21,19 +16,27 @@ export function scanDnsC2Pattern(allFiles, pkgJson) {
 
   for (const file of allFiles) {
     const path = file.path || '';
-    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) {
+      continue;
+    }
     sources.push({ file: path, content: file.content || '' });
   }
 
   for (const { file, content } of sources) {
     const hasDnsResolver = /\bdns\.promises\s*\.\s*Resolver\b/.test(content);
-    if (!hasDnsResolver) continue;
+    if (!hasDnsResolver) {
+      continue;
+    }
 
     const ipMatch = content.match(IP_PATTERN);
-    if (!ipMatch) continue;
+    if (!ipMatch) {
+      continue;
+    }
 
     const customIP = ipMatch[1];
-    if (PUBLIC_RESOLVERS.has(customIP)) continue;
+    if (PUBLIC_RESOLVERS.has(customIP)) {
+      continue;
+    }
 
     const hasResolveTxt = /\bresolveTxt\b/.test(content);
 

package/backend/detectors/node-ipc-compromise/d7-dns-txt-exfil.js

@@ -15,7 +15,9 @@ export function scanDnsTxtExfil(allFiles, pkgJson) {
 
   for (const file of allFiles) {
     const path = file.path || '';
-    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) {
+      continue;
+    }
     sources.push({ file: path, content: file.content || '' });
   }
 

package/backend/detectors/node-ipc-compromise/d8-runtime-trigger.js

@@ -10,7 +10,9 @@ export function scanRuntimeTrigger(allFiles, pkgJson) {
 
   for (const file of allFiles) {
     const path = file.path || '';
-    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) continue;
+    if (!path.endsWith('.js') && !path.endsWith('.mjs') && !path.endsWith('.cjs')) {
+      continue;
+    }
     sources.push({ file: path, content: file.content || '' });
   }
 
@@ -18,7 +20,8 @@ export function scanRuntimeTrigger(allFiles, pkgJson) {
     if (/\bsetImmediate\s*\(/.test(content)) {
       matches.push({
         file,
-        detail: 'setImmediate() call found — node-ipc malware fires at require() time, not via postinstall',
+        detail:
+          'setImmediate() call found — node-ipc malware fires at require() time, not via postinstall',
       });
     }
   }

package/backend/detectors/node-ipc-compromise/index.js

@@ -28,7 +28,9 @@ const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
 
 function highestSeverity(severities) {
   for (const s of SEVERITY_ORDER) {
-    if (severities.includes(s)) return s;
+    if (severities.includes(s)) {
+      return s;
+    }
   }
   return 'none';
 }
@@ -42,7 +44,9 @@ function buildRemediation(triggered) {
     lines.push('PRESERVE ~/nt-*/ artifacts for incident response');
   }
   if (triggered.includes('D5') || triggered.includes('D6') || triggered.includes('D7')) {
-    lines.push('Review DNS egress logs for sh.azurestaticprovider.net and 37.16.75.69 post May 14, 2026');
+    lines.push(
+      'Review DNS egress logs for sh.azurestaticprovider.net and 37.16.75.69 post May 14, 2026'
+    );
   }
   lines.push('Rotate all CI/CD secrets and OIDC tokens');
   lines.push('Audit maintainer email domain expiry for all critical dependencies');
@@ -70,24 +74,26 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     .filter(([_, r]) => r.triggered)
     .map(([id]) => id);
 
-  if (triggered.length === 0) return [];
+  if (triggered.length === 0) {
+    return [];
+  }
 
-  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const severity = highestSeverity(triggered.map((id) => RULE_SEVERITY[id]));
 
   const evidence = {
     campaign: 'NODE_IPC_COMPROMISE',
     triggeredRules: triggered,
-    details: Object.fromEntries(
-      Object.entries(results).filter(([_, r]) => r.triggered)
-    ),
+    details: Object.fromEntries(Object.entries(results).filter(([_, r]) => r.triggered)),
   };
 
-  return [{
-    id: 'NODE_IPC_COMPROMISE',
-    severity,
-    title: 'node-ipc supply chain compromise (May 14, 2026)',
-    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: buildRemediation(triggered),
-  }];
+  return [
+    {
+      id: 'NODE_IPC_COMPROMISE',
+      severity,
+      title: 'node-ipc supply chain compromise (May 14, 2026)',
+      description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation: buildRemediation(triggered),
+    },
+  ];
 }