@obfuscan/core 0.1.0

package/dist/detectors/library-load-non-literal.js

@@ -0,0 +1,72 @@
+/**
+ * obf.library-load-non-literal.<lang> — Layer B.
+ *
+ * Fires when a dynamic-library-load function (`require`, `importlib.import_module`,
+ * `Assembly.Load`, `libloading::Library::new`, …) is called with a non-literal
+ * argument.
+ */
+import { lineAtOffset, MAX_FINDINGS_PER_DETECTOR, MAX_SOURCE_BYTES, namedCallAlternation, } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+const cache = new WeakMap();
+function compile(config) {
+    if (cache.has(config))
+        return cache.get(config) ?? null;
+    const list = config.library_load ?? [];
+    if (list.length === 0) {
+        cache.set(config, null);
+        return null;
+    }
+    const re = new RegExp(`(?:^|[^A-Za-z0-9_$])((?:${namedCallAlternation(list)}))\\s*\\(([\\s\\S]{0,12})`, "g");
+    cache.set(config, re);
+    return re;
+}
+function looksLikeLiteral(peek) {
+    const t = peek.replace(/^\s+/, "");
+    if (t.length === 0)
+        return false;
+    const c = t[0];
+    return c === '"' || c === "'" || c === "`" && !t.includes("${");
+}
+export const libraryLoadNonLiteral = {
+    id: "obf.library-load-non-literal",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obflibrary-load-non-literal",
+    applies(ctx) {
+        return (ctx.config !== null &&
+            (ctx.config.library_load?.length ?? 0) > 0 &&
+            ctx.source.length > 0 &&
+            ctx.source.length < MAX_SOURCE_BYTES);
+    },
+    run(ctx) {
+        if (!ctx.config)
+            return [];
+        const cfg = ctx.config;
+        const re = compile(cfg);
+        if (!re)
+            return [];
+        const findings = [];
+        const local = new RegExp(re.source, re.flags);
+        let m;
+        while ((m = local.exec(ctx.source)) !== null) {
+            if (findings.length >= MAX_FINDINGS_PER_DETECTOR)
+                break;
+            const name = m[1] ?? "";
+            const peek = m[2] ?? "";
+            if (looksLikeLiteral(peek))
+                continue;
+            const offset = m.index + (m[0].length - peek.length);
+            findings.push({
+                ruleId: `obf.library-load-non-literal.${cfg.id}`,
+                severity: "warn",
+                score: 7,
+                file: ctx.path,
+                line: lineAtOffset(ctx.source, offset),
+                snippet: truncateSnippet(`${name}(${peek}`),
+                reason: `Dynamic library load \`${name}\` called with a non-literal argument. ` +
+                    `Module name flowing from a variable is suspicious.`,
+                evidence: { language: cfg.id, loader: name },
+            });
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=library-load-non-literal.js.map

package/dist/detectors/library-load-non-literal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"library-load-non-literal.js","sourceRoot":"","sources":["../../src/detectors/library-load-non-literal.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EACL,YAAY,EACZ,yBAAyB,EACzB,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,MAAM,KAAK,GAAG,IAAI,OAAO,EAAiC,CAAC;AAE3D,SAAS,OAAO,CAAC,MAAsB;IACrC,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC;IACvC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,MAAM,CACnB,2BAA2B,oBAAoB,CAAC,IAAI,CAAC,2BAA2B,EAChF,GAAG,CACJ,CAAC;IACF,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACtB,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACjC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IAChB,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAa;IAC7C,EAAE,EAAE,8BAA8B;IAClC,OAAO,EAAE,iGAAiG;IAE1G,OAAO,CAAC,GAAgB;QACtB,OAAO,CACL,GAAG,CAAC,MAAM,KAAK,IAAI;YACnB,CAAC,GAAG,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;YAC1C,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CACrC,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QACxB,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,CAAC;QAEnB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC7C,IAAI,QAAQ,CAAC,MAAM,IAAI,yBAAyB;gBAAE,MAAM;YACxD,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACxB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACxB,IAAI,gBAAgB,CAAC,IAAI,CAAC;gBAAE,SAAS;YAErC,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YACrD,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,gCAAgC,GAAG,CAAC,EAAE,EAAE;gBAChD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,CAAC;gBACR,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI,EAAE,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;gBACtC,OAAO,EAAE,eAAe,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;gBAC3C,MAAM,EACJ,0BAA0B,IAAI,yCAAyC;oBACvE,oDAAoD;gBACtD,QAAQ,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;aAC7C,CAAC,CAAC;QACL,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/long-line.d.ts

@@ -0,0 +1,12 @@
+/**
+ * obf.long-line — Layer A.
+ *
+ * Flags pathologically long source lines, which are the universal signal
+ * of minified or hand-rolled-obfuscated code being slipped into a regular
+ * source tree. We don't fire on bona-fide minified bundles — those usually
+ * live under `dist/`, `vendor/`, or `node_modules/` and are excluded by
+ * convention or allowlist.
+ */
+import type { Detector } from "../types.js";
+export declare const longLine: Detector;
+//# sourceMappingURL=long-line.d.ts.map

package/dist/detectors/long-line.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"long-line.d.ts","sourceRoot":"","sources":["../../src/detectors/long-line.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwB,MAAM,aAAa,CAAC;AAOlE,eAAO,MAAM,QAAQ,EAAE,QA0CtB,CAAC"}

package/dist/detectors/long-line.js

@@ -0,0 +1,53 @@
+/**
+ * obf.long-line — Layer A.
+ *
+ * Flags pathologically long source lines, which are the universal signal
+ * of minified or hand-rolled-obfuscated code being slipped into a regular
+ * source tree. We don't fire on bona-fide minified bundles — those usually
+ * live under `dist/`, `vendor/`, or `node_modules/` and are excluded by
+ * convention or allowlist.
+ */
+import { MAX_SOURCE_BYTES } from "../internal/patterns.js";
+import { truncateSnippet } from "../internal/text.js";
+const LONG_LINE_THRESHOLD = 2000;
+const VERY_LONG_LINE_THRESHOLD = 10_000;
+export const longLine = {
+    id: "obf.long-line",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obflong-line",
+    applies(ctx) {
+        return ctx.source.length > LONG_LINE_THRESHOLD && ctx.source.length < MAX_SOURCE_BYTES;
+    },
+    run(ctx) {
+        const findings = [];
+        const src = ctx.source;
+        let lineStart = 0;
+        let lineNo = 1;
+        const len = src.length;
+        for (let i = 0; i <= len; i++) {
+            if (i === len || src.charCodeAt(i) === 10) {
+                const lineLen = i - lineStart;
+                if (lineLen >= LONG_LINE_THRESHOLD) {
+                    const snippet = src.slice(lineStart, lineStart + 200);
+                    const score = lineLen >= VERY_LONG_LINE_THRESHOLD ? 8 : 5;
+                    const severity = lineLen >= VERY_LONG_LINE_THRESHOLD ? "warn" : "info";
+                    findings.push({
+                        ruleId: longLine.id,
+                        severity,
+                        score,
+                        file: ctx.path,
+                        line: lineNo,
+                        snippet: truncateSnippet(snippet),
+                        reason: `Line ${lineNo} is ${lineLen} characters long. This is the ` +
+                            `signature of minified or hand-obfuscated code. If the file is ` +
+                            `intentionally a bundle, suppress with a path allowlist entry.`,
+                        evidence: { lineLength: lineLen },
+                    });
+                }
+                lineStart = i + 1;
+                lineNo++;
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=long-line.js.map

package/dist/detectors/long-line.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"long-line.js","sourceRoot":"","sources":["../../src/detectors/long-line.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,MAAM,mBAAmB,GAAG,IAAI,CAAC;AACjC,MAAM,wBAAwB,GAAG,MAAM,CAAC;AAExC,MAAM,CAAC,MAAM,QAAQ,GAAa;IAChC,EAAE,EAAE,eAAe;IACnB,OAAO,EAAE,kFAAkF;IAE3F,OAAO,CAAC,GAAgB;QACtB,OAAO,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,mBAAmB,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,gBAAgB,CAAC;IACzF,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QACvB,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;QAEvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9B,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;gBAC1C,MAAM,OAAO,GAAG,CAAC,GAAG,SAAS,CAAC;gBAC9B,IAAI,OAAO,IAAI,mBAAmB,EAAE,CAAC;oBACnC,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,SAAS,EAAE,SAAS,GAAG,GAAG,CAAC,CAAC;oBACtD,MAAM,KAAK,GAAG,OAAO,IAAI,wBAAwB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;oBAC1D,MAAM,QAAQ,GAAG,OAAO,IAAI,wBAAwB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;oBACvE,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,QAAQ,CAAC,EAAE;wBACnB,QAAQ;wBACR,KAAK;wBACL,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI,EAAE,MAAM;wBACZ,OAAO,EAAE,eAAe,CAAC,OAAO,CAAC;wBACjC,MAAM,EACJ,QAAQ,MAAM,OAAO,OAAO,gCAAgC;4BAC5D,gEAAgE;4BAChE,+DAA+D;wBACjE,QAAQ,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE;qBAClC,CAAC,CAAC;gBACL,CAAC;gBACD,SAAS,GAAG,CAAC,GAAG,CAAC,CAAC;gBAClB,MAAM,EAAE,CAAC;YACX,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/detectors/manifest-install-script.d.ts

@@ -0,0 +1,54 @@
+/**
+ * obf.manifest-install-script — install/lifecycle hooks across package manifests.
+ *
+ * One detector covers every ecosystem whose manifest can run arbitrary code
+ * during `install` (or the equivalent dependency-fetch phase). The shape is
+ * consistent across ecosystems: a structured manifest declares a script /
+ * command / file that the package manager will execute on the consumer's
+ * machine when they pull the dependency. That's the supply-chain attack
+ * surface; the ecosystem just changes the file format.
+ *
+ * Coverage:
+ *
+ *   ┌──────────────┬───────────────────────────────┬─────────────────────────┐
+ *   │ ecosystem    │ manifest                      │ hooks flagged           │
+ *   ├──────────────┼───────────────────────────────┼─────────────────────────┤
+ *   │ npm/yarn/pnpm│ package.json                  │ scripts.preinstall,     │
+ *   │              │                               │ scripts.install,        │
+ *   │              │                               │ scripts.postinstall,    │
+ *   │              │                               │ scripts.prepare         │
+ *   │ composer (PHP│ composer.json                 │ scripts.pre-install-cmd,│
+ *   │              │                               │ scripts.post-install-cmd│
+ *   │              │                               │ scripts.pre-update-cmd, │
+ *   │              │                               │ scripts.post-update-cmd,│
+ *   │              │                               │ scripts.post-autoload-  │
+ *   │              │                               │   dump                  │
+ *   │ rubygems     │ *.gemspec                     │ extensions = [...]      │
+ *   │              │                               │   (extconf.rb / Rakefile│
+ *   │              │                               │    runs at gem install) │
+ *   │ luarocks     │ *.rockspec                    │ build.type = "command", │
+ *   │              │                               │ build.build_command,    │
+ *   │              │                               │ build.install_command   │
+ *   │ nuget        │ *.nuspec                      │ <files src=".../*.ps1"> │
+ *   │              │                               │   for install.ps1 /     │
+ *   │              │                               │   init.ps1              │
+ *   └──────────────┴───────────────────────────────┴─────────────────────────┘
+ *
+ * Severity:
+ *   - `warn` (score 6) for any install hook that runs a command on the user's
+ *     machine. The mere presence of an install hook is not malicious — many
+ *     legitimate packages ship them — but it is the right line to surface in
+ *     a code review.
+ *   - `block` (score 9) when the script body contains exfil-shaped commands:
+ *     `curl|bash`, `wget ... | sh`, etc. — the shape behind the
+ *     axios-2026 / chalk+debug-2025 incidents.
+ *
+ * Evidence:
+ *   - `manifest`: which ecosystem (`npm`, `composer`, `gemspec`, `rockspec`, `nuspec`)
+ *   - `hook`: which lifecycle hook fired
+ *   - `command`: the hook body (truncated in `snippet`)
+ *   - `curlPipeShell`: boolean — whether the command matched the curl|sh shape
+ */
+import type { Detector } from "../types.js";
+export declare const manifestInstallScript: Detector;
+//# sourceMappingURL=manifest-install-script.d.ts.map

package/dist/detectors/manifest-install-script.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest-install-script.d.ts","sourceRoot":"","sources":["../../src/detectors/manifest-install-script.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwB,MAAM,aAAa,CAAC;AAiPlE,eAAO,MAAM,qBAAqB,EAAE,QAwCnC,CAAC"}

package/dist/detectors/manifest-install-script.js

@@ -0,0 +1,272 @@
+/**
+ * obf.manifest-install-script — install/lifecycle hooks across package manifests.
+ *
+ * One detector covers every ecosystem whose manifest can run arbitrary code
+ * during `install` (or the equivalent dependency-fetch phase). The shape is
+ * consistent across ecosystems: a structured manifest declares a script /
+ * command / file that the package manager will execute on the consumer's
+ * machine when they pull the dependency. That's the supply-chain attack
+ * surface; the ecosystem just changes the file format.
+ *
+ * Coverage:
+ *
+ *   ┌──────────────┬───────────────────────────────┬─────────────────────────┐
+ *   │ ecosystem    │ manifest                      │ hooks flagged           │
+ *   ├──────────────┼───────────────────────────────┼─────────────────────────┤
+ *   │ npm/yarn/pnpm│ package.json                  │ scripts.preinstall,     │
+ *   │              │                               │ scripts.install,        │
+ *   │              │                               │ scripts.postinstall,    │
+ *   │              │                               │ scripts.prepare         │
+ *   │ composer (PHP│ composer.json                 │ scripts.pre-install-cmd,│
+ *   │              │                               │ scripts.post-install-cmd│
+ *   │              │                               │ scripts.pre-update-cmd, │
+ *   │              │                               │ scripts.post-update-cmd,│
+ *   │              │                               │ scripts.post-autoload-  │
+ *   │              │                               │   dump                  │
+ *   │ rubygems     │ *.gemspec                     │ extensions = [...]      │
+ *   │              │                               │   (extconf.rb / Rakefile│
+ *   │              │                               │    runs at gem install) │
+ *   │ luarocks     │ *.rockspec                    │ build.type = "command", │
+ *   │              │                               │ build.build_command,    │
+ *   │              │                               │ build.install_command   │
+ *   │ nuget        │ *.nuspec                      │ <files src=".../*.ps1"> │
+ *   │              │                               │   for install.ps1 /     │
+ *   │              │                               │   init.ps1              │
+ *   └──────────────┴───────────────────────────────┴─────────────────────────┘
+ *
+ * Severity:
+ *   - `warn` (score 6) for any install hook that runs a command on the user's
+ *     machine. The mere presence of an install hook is not malicious — many
+ *     legitimate packages ship them — but it is the right line to surface in
+ *     a code review.
+ *   - `block` (score 9) when the script body contains exfil-shaped commands:
+ *     `curl|bash`, `wget ... | sh`, etc. — the shape behind the
+ *     axios-2026 / chalk+debug-2025 incidents.
+ *
+ * Evidence:
+ *   - `manifest`: which ecosystem (`npm`, `composer`, `gemspec`, `rockspec`, `nuspec`)
+ *   - `hook`: which lifecycle hook fired
+ *   - `command`: the hook body (truncated in `snippet`)
+ *   - `curlPipeShell`: boolean — whether the command matched the curl|sh shape
+ */
+import { truncateSnippet } from "../internal/text.js";
+function classify(p) {
+    const norm = p.replace(/\\/g, "/");
+    const base = norm.slice(norm.lastIndexOf("/") + 1);
+    if (base === "package.json")
+        return "npm";
+    if (base === "composer.json")
+        return "composer";
+    if (base.endsWith(".gemspec"))
+        return "gemspec";
+    if (base.endsWith(".rockspec"))
+        return "rockspec";
+    if (base.endsWith(".nuspec"))
+        return "nuspec";
+    return null;
+}
+// ─── Severity escalation ────────────────────────────────────────────────────
+const CURL_PIPE_SHELL_RE = /(?:curl|wget|fetch|Invoke-WebRequest|iwr)\b[^\n]{0,300}\|\s*(?:bash|sh|zsh|python|node|perl|powershell|pwsh|iex|Invoke-Expression)/i;
+// PowerShell `iex (New-Object Net.WebClient).DownloadString(...)` — the
+// canonical Windows install-time payload shape, no pipe involved.
+const PS_IEX_DOWNLOAD_RE = /\b(?:iex|Invoke-Expression)\b[^\n]{0,300}\b(?:DownloadString|DownloadFile|Invoke-WebRequest|wget|curl)\b/i;
+function isCurlPipeShape(s) {
+    return CURL_PIPE_SHELL_RE.test(s) || PS_IEX_DOWNLOAD_RE.test(s);
+}
+// ─── npm / package.json ─────────────────────────────────────────────────────
+//
+// `prepare` is included because npm runs it on `npm install` from a git URL
+// and on `npm pack` — which is how malicious tarballs are constructed.
+const NPM_INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
+function scanNpm(ctx, pkg) {
+    if (!pkg.scripts || typeof pkg.scripts !== "object")
+        return [];
+    const findings = [];
+    for (const hook of NPM_INSTALL_HOOKS) {
+        const cmd = pkg.scripts[hook];
+        if (typeof cmd !== "string" || cmd.length === 0)
+            continue;
+        findings.push(buildFinding(ctx, "npm", hook, cmd, lineOfJsonKey(ctx.source, hook)));
+    }
+    return findings;
+}
+// ─── composer / composer.json ───────────────────────────────────────────────
+const COMPOSER_INSTALL_HOOKS = [
+    "pre-install-cmd",
+    "post-install-cmd",
+    "pre-update-cmd",
+    "post-update-cmd",
+    "post-autoload-dump",
+];
+function scanComposer(ctx, pkg) {
+    if (!pkg.scripts || typeof pkg.scripts !== "object")
+        return [];
+    const findings = [];
+    for (const hook of COMPOSER_INSTALL_HOOKS) {
+        const raw = pkg.scripts[hook];
+        if (raw == null)
+            continue;
+        const cmds = Array.isArray(raw) ? raw : [raw];
+        for (const cmd of cmds) {
+            if (typeof cmd !== "string" || cmd.length === 0)
+                continue;
+            findings.push(buildFinding(ctx, "composer", hook, cmd, lineOfJsonKey(ctx.source, hook)));
+        }
+    }
+    return findings;
+}
+// ─── rubygems / *.gemspec ───────────────────────────────────────────────────
+//
+// Gemspecs are Ruby, not JSON. We don't need a Ruby parser — `extensions` is
+// almost always assigned via a literal array of relative paths. Anything
+// non-trivial is itself worth surfacing.
+const GEMSPEC_EXTENSIONS_RE = /\b\w+\.extensions\s*(?:=|<<)\s*(\[[^\]]*\]|%w[\[\(][^\]\)]*[\]\)]|['"][^'"]+['"])/;
+function scanGemspec(ctx) {
+    const m = GEMSPEC_EXTENSIONS_RE.exec(ctx.source);
+    if (!m)
+        return [];
+    const value = m[1] ?? "";
+    return [buildFinding(ctx, "gemspec", "extensions", value, lineAt(ctx.source, m.index))];
+}
+// ─── luarocks / *.rockspec ──────────────────────────────────────────────────
+//
+// Rockspec is Lua data; the install-time hook is the `build` table. We grep
+// for the high-risk shapes: build.type == "command" or any *_command field.
+const ROCKSPEC_BUILD_TYPE_RE = /build\s*=\s*\{[^}]*?type\s*=\s*['"]command['"]/s;
+const ROCKSPEC_COMMAND_FIELD_RE = /(\bbuild_command\b|\binstall_command\b|\bcommand\b)\s*=\s*['"]([^'"\n]{1,400})['"]/;
+function scanRockspec(ctx) {
+    const findings = [];
+    const declaresCommand = ROCKSPEC_BUILD_TYPE_RE.test(ctx.source);
+    const cmd = ROCKSPEC_COMMAND_FIELD_RE.exec(ctx.source);
+    if (declaresCommand) {
+        const where = ctx.source.search(ROCKSPEC_BUILD_TYPE_RE);
+        findings.push(buildFinding(ctx, "rockspec", "build.type", "command", where >= 0 ? lineAt(ctx.source, where) : 1));
+    }
+    if (cmd) {
+        const field = cmd[1] ?? "command";
+        const value = cmd[2] ?? "";
+        findings.push(buildFinding(ctx, "rockspec", field, value, lineAt(ctx.source, cmd.index)));
+    }
+    return findings;
+}
+// ─── nuget / *.nuspec ───────────────────────────────────────────────────────
+//
+// .nuspec is XML. NuGet historically auto-ran `tools/install.ps1`,
+// `tools/init.ps1`, `tools/uninstall.ps1` at package install. Those files are
+// auto-discovered by path; the .nuspec is the place we can see *that they
+// exist* without the rest of the package tree, because they're declared in
+// `<files>` entries. We also surface direct PowerShell content inlined into
+// the manifest.
+// Matches the inner `<file src="tools/install.ps1" .../>` entry as well as a
+// degenerate `<files src="...install.ps1" .../>` shorthand. NuGet historically
+// auto-ran any tools/{install,init,uninstall}.ps1 inside the package.
+const NUSPEC_FILES_PS1_RE = /<files?\b[^>]*\bsrc\s*=\s*['"]([^'"]*\b(?:install|init|uninstall)\.ps1)['"]/gi;
+function scanNuspec(ctx) {
+    const findings = [];
+    let m;
+    NUSPEC_FILES_PS1_RE.lastIndex = 0;
+    while ((m = NUSPEC_FILES_PS1_RE.exec(ctx.source)) !== null) {
+        const ref = m[1] ?? "";
+        findings.push(buildFinding(ctx, "nuspec", "files.install-ps1", ref, lineAt(ctx.source, m.index)));
+    }
+    return findings;
+}
+// ─── Finding builder ────────────────────────────────────────────────────────
+function buildFinding(ctx, manifest, hook, command, line) {
+    const escalated = isCurlPipeShape(command);
+    return {
+        ruleId: "obf.manifest-install-script",
+        severity: escalated ? "block" : "warn",
+        score: escalated ? 9 : 6,
+        file: ctx.path,
+        line,
+        snippet: truncateSnippet(`${manifest}:${hook} ${command}`),
+        reason: escalated
+            ? reasonEscalated(manifest, hook)
+            : reasonBase(manifest, hook),
+        evidence: { manifest, hook, command, curlPipeShell: escalated },
+    };
+}
+function reasonBase(manifest, hook) {
+    switch (manifest) {
+        case "npm":
+            return (`npm \`${hook}\` lifecycle script runs automatically on \`npm install\`. ` +
+                `Review for network calls, decoders, or shell-exec patterns.`);
+        case "composer":
+            return (`Composer \`${hook}\` script runs during \`composer install\`/\`update\`. ` +
+                `Review for network calls, decoders, or shell-exec patterns.`);
+        case "gemspec":
+            return (`Gemspec declares native extensions; \`gem install\` will execute the ` +
+                `referenced \`extconf.rb\` / \`Rakefile\` on the user's machine.`);
+        case "rockspec":
+            return (`Rockspec declares a \`${hook}\` build hook; \`luarocks install\` will ` +
+                `run this command on the user's machine.`);
+        case "nuspec":
+            return (`.nuspec ships an auto-run PowerShell file (\`${hook}\`); legacy NuGet ` +
+                `clients execute these on package install.`);
+    }
+}
+function reasonEscalated(manifest, hook) {
+    return (`${manifest} \`${hook}\` hook pipes a network download into a shell. This ` +
+        `is the exfil/payload-delivery shape behind the axios-2026 / ` +
+        `chalk+debug-2025 supply-chain incidents.`);
+}
+// ─── Source helpers ─────────────────────────────────────────────────────────
+function lineOfJsonKey(source, key) {
+    const re = new RegExp(`"${key.replace(/[.*+?^${}()|[\]\\-]/g, "\\$&")}"\\s*:`, "g");
+    const m = re.exec(source);
+    if (!m)
+        return 1;
+    return lineAt(source, m.index);
+}
+function lineAt(source, offset) {
+    let line = 1;
+    const stop = Math.min(offset, source.length);
+    for (let i = 0; i < stop; i++) {
+        if (source.charCodeAt(i) === 10)
+            line++;
+    }
+    return line;
+}
+// ─── Public detector ────────────────────────────────────────────────────────
+export const manifestInstallScript = {
+    id: "obf.manifest-install-script",
+    docsUrl: "https://github.com/bytebardorg/obfuscan/blob/main/docs/detectors.md#obfmanifest-install-script",
+    applies(ctx) {
+        return classify(ctx.path) !== null;
+    },
+    run(ctx) {
+        const kind = classify(ctx.path);
+        if (kind === null)
+            return [];
+        switch (kind) {
+            case "npm": {
+                let pkg;
+                try {
+                    pkg = JSON.parse(ctx.source);
+                }
+                catch {
+                    return [];
+                }
+                return scanNpm(ctx, pkg);
+            }
+            case "composer": {
+                let pkg;
+                try {
+                    pkg = JSON.parse(ctx.source);
+                }
+                catch {
+                    return [];
+                }
+                return scanComposer(ctx, pkg);
+            }
+            case "gemspec":
+                return scanGemspec(ctx);
+            case "rockspec":
+                return scanRockspec(ctx);
+            case "nuspec":
+                return scanNuspec(ctx);
+        }
+    },
+};
+//# sourceMappingURL=manifest-install-script.js.map

package/dist/detectors/manifest-install-script.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest-install-script.js","sourceRoot":"","sources":["../../src/detectors/manifest-install-script.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAMtD,SAAS,QAAQ,CAAC,CAAS;IACzB,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACnD,IAAI,IAAI,KAAK,cAAc;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,IAAI,KAAK,eAAe;QAAE,OAAO,UAAU,CAAC;IAChD,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,SAAS,CAAC;IAChD,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,UAAU,CAAC;IAClD,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC9C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+EAA+E;AAE/E,MAAM,kBAAkB,GACtB,qIAAqI,CAAC;AAExI,wEAAwE;AACxE,kEAAkE;AAClE,MAAM,kBAAkB,GACtB,2GAA2G,CAAC;AAE9G,SAAS,eAAe,CAAC,CAAS;IAChC,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC;AAED,+EAA+E;AAC/E,EAAE;AACF,4EAA4E;AAC5E,uEAAuE;AAEvE,MAAM,iBAAiB,GAAG,CAAC,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,SAAS,CAAU,CAAC;AAMvF,SAAS,OAAO,CAAC,GAAgB,EAAE,GAAgB;IACjD,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAC;IAC/D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC9B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAC1D,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,aAAa,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;IACtF,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAE/E,MAAM,sBAAsB,GAAG;IAC7B,iBAAiB;IACjB,kBAAkB;IAClB,gBAAgB;IAChB,iBAAiB;IACjB,oBAAoB;CACZ,CAAC;AAMX,SAAS,YAAY,CAAC,GAAgB,EAAE,GAAqB;IAC3D,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAC;IAC/D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,sBAAsB,EAAE,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC9B,IAAI,GAAG,IAAI,IAAI;YAAE,SAAS;QAC1B,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC9C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAC1D,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,EAAE,aAAa,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,EAAE;AACF,6EAA6E;AAC7E,yEAAyE;AACzE,yCAAyC;AAEzC,MAAM,qBAAqB,GACzB,mFAAmF,CAAC;AAEtF,SAAS,WAAW,CAAC,GAAgB;IACnC,MAAM,CAAC,GAAG,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACjD,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAClB,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACzB,OAAO,CAAC,YAAY,CAAC,GAAG,EAAE,SAAS,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAC1F,CAAC;AAED,+EAA+E;AAC/E,EAAE;AACF,4EAA4E;AAC5E,4EAA4E;AAE5E,MAAM,sBAAsB,GAAG,iDAAiD,CAAC;AACjF,MAAM,yBAAyB,GAC7B,oFAAoF,CAAC;AAEvF,SAAS,YAAY,CAAC,GAAgB;IACpC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,eAAe,GAAG,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChE,MAAM,GAAG,GAAG,yBAAyB,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEvD,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;QACxD,QAAQ,CAAC,IAAI,CACX,YAAY,CACV,GAAG,EACH,UAAU,EACV,YAAY,EACZ,SAAS,EACT,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAC3C,CACF,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,EAAE,CAAC;QACR,MAAM,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;QAClC,MAAM,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3B,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,EAAE;AACF,mEAAmE;AACnE,8EAA8E;AAC9E,0EAA0E;AAC1E,2EAA2E;AAC3E,4EAA4E;AAC5E,gBAAgB;AAEhB,6EAA6E;AAC7E,+EAA+E;AAC/E,sEAAsE;AACtE,MAAM,mBAAmB,GACvB,+EAA+E,CAAC;AAElF,SAAS,UAAU,CAAC,GAAgB;IAClC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,CAAyB,CAAC;IAC9B,mBAAmB,CAAC,SAAS,GAAG,CAAC,CAAC;IAClC,OAAO,CAAC,CAAC,GAAG,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvB,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACpG,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAE/E,SAAS,YAAY,CACnB,GAAgB,EAChB,QAAsB,EACtB,IAAY,EACZ,OAAe,EACf,IAAY;IAEZ,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC3C,OAAO;QACL,MAAM,EAAE,6BAA6B;QACrC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;QACtC,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxB,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,IAAI;QACJ,OAAO,EAAE,eAAe,CAAC,GAAG,QAAQ,IAAI,IAAI,IAAI,OAAO,EAAE,CAAC;QAC1D,MAAM,EAAE,SAAS;YACf,CAAC,CAAC,eAAe,CAAC,QAAQ,EAAE,IAAI,CAAC;YACjC,CAAC,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC9B,QAAQ,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE;KAChE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,QAAsB,EAAE,IAAY;IACtD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,KAAK;YACR,OAAO,CACL,SAAS,IAAI,6DAA6D;gBAC1E,6DAA6D,CAC9D,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,cAAc,IAAI,yDAAyD;gBAC3E,6DAA6D,CAC9D,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO,CACL,uEAAuE;gBACvE,iEAAiE,CAClE,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,yBAAyB,IAAI,2CAA2C;gBACxE,yCAAyC,CAC1C,CAAC;QACJ,KAAK,QAAQ;YACX,OAAO,CACL,gDAAgD,IAAI,oBAAoB;gBACxE,2CAA2C,CAC5C,CAAC;IACN,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,QAAsB,EAAE,IAAY;IAC3D,OAAO,CACL,GAAG,QAAQ,MAAM,IAAI,sDAAsD;QAC3E,8DAA8D;QAC9D,0CAA0C,CAC3C,CAAC;AACJ,CAAC;AAED,+EAA+E;AAE/E,SAAS,aAAa,CAAC,MAAc,EAAE,GAAW;IAChD,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,sBAAsB,EAAE,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACpF,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1B,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC;IACjB,OAAO,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,MAAM,CAAC,MAAc,EAAE,MAAc;IAC5C,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9B,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE;YAAE,IAAI,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+EAA+E;AAE/E,MAAM,CAAC,MAAM,qBAAqB,GAAa;IAC7C,EAAE,EAAE,6BAA6B;IACjC,OAAO,EACL,gGAAgG;IAElG,OAAO,CAAC,GAAgB;QACtB,OAAO,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC;IACrC,CAAC;IAED,GAAG,CAAC,GAAgB;QAClB,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAChC,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,EAAE,CAAC;QAE7B,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,KAAK,CAAC,CAAC,CAAC;gBACX,IAAI,GAAgB,CAAC;gBACrB,IAAI,CAAC;oBACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAgB,CAAC;gBAC9C,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,EAAE,CAAC;gBACZ,CAAC;gBACD,OAAO,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAC3B,CAAC;YACD,KAAK,UAAU,CAAC,CAAC,CAAC;gBAChB,IAAI,GAAqB,CAAC;gBAC1B,IAAI,CAAC;oBACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAqB,CAAC;gBACnD,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,EAAE,CAAC;gBACZ,CAAC;gBACD,OAAO,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAChC,CAAC;YACD,KAAK,SAAS;gBACZ,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC;YAC1B,KAAK,UAAU;gBACb,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;YAC3B,KAAK,QAAQ;gBACX,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/detectors/network-then-exec.d.ts

@@ -0,0 +1,17 @@
+/**
+ * obf.network-then-exec.<lang> — Layer B.
+ *
+ * Fires when network IO output flows into a dynamic-exec sink. The shape:
+ *
+ *   eval(await (await fetch(url)).text())
+ *   exec(requests.get(url).text)
+ *   IEX (New-Object Net.WebClient).DownloadString($u)
+ *   eval "$(curl -s $URL)"
+ *
+ * Unlike decode-then-exec, the source of the executed string is *external*
+ * — strictly worse, because the attacker doesn't even need to be in the
+ * source tree. Always blocks.
+ */
+import type { Detector } from "../types.js";
+export declare const networkThenExec: Detector;
+//# sourceMappingURL=network-then-exec.d.ts.map

package/dist/detectors/network-then-exec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-then-exec.d.ts","sourceRoot":"","sources":["../../src/detectors/network-then-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAwC,MAAM,aAAa,CAAC;AAyFlF,eAAO,MAAM,eAAe,EAAE,QAiD7B,CAAC"}