@q32/signal-scanner 0.1.0 → 0.1.1

package/dist/render.js

@@ -0,0 +1,248 @@
+// Render-and-scan: build a REAL DOM (linkedom), run the page's inline AND
+// external scripts against it with our behavioral surfaces instrumented, then
+// hand back the rendered HTML (to re-scan with the static rules) plus a
+// BehaviorReport (exfil endpoints, runtime redirects, eval'd code, surfaced
+// URLs). This closes the gap where a credential form is injected by an external
+// JS bundle — invisible to inline-only analysis.
+//
+// linkedom replaces only the DOM; the instrumentation (fetch/XHR/sendBeacon/
+// location/eval/Function/atob/cookie) is layered ON the linkedom window so both
+// `fetch(...)` and `window.fetch(...)`/`window.location.href=` are recorded.
+//
+// linkedom + new Function run in any JS isolate (Node + workerd). For UNTRUSTED
+// pages the caller supplies a `run` that executes in a real sandbox (node:vm with
+// a timeout in the CLI; a globalOutbound:null Dynamic Worker in the Worker). The
+// default in-process runner is for trusted/synthetic use (tests).
+import { parseHTML } from "linkedom";
+import { extractInlineScripts, extractScriptSources } from "./dynamic.js";
+const MAX_EXTERNAL_SCRIPTS = 8;
+const MAX_SCRIPT_BYTES = 512 * 1024;
+function emptyReport() {
+    return { redirects: [], network: [], writes: [], evals: [], decoded: [], cookies: [], errors: [] };
+}
+// Host orchestrator: pre-fetch external scripts (IO stays on the host — the
+// isolate has no network), then run the pure renderDom core inside the caller's
+// isolate (or in-process by default).
+export async function renderAndScan(html, options = {}) {
+    let externalScripts = [];
+    if (options.fetchScript) {
+        const sources = extractScriptSources(html).slice(0, options.maxExternalScripts ?? MAX_EXTERNAL_SCRIPTS);
+        externalScripts = (await Promise.all(sources.map(async (src) => {
+            let absolute;
+            try {
+                absolute = new URL(src, options.url ?? "https://invalid.example/").toString();
+            }
+            catch {
+                return "";
+            }
+            if (!/^https?:/i.test(absolute))
+                return "";
+            try {
+                const body = await options.fetchScript(absolute);
+                return (body ?? "").slice(0, MAX_SCRIPT_BYTES);
+            }
+            catch {
+                return "";
+            }
+        }))).filter(Boolean);
+    }
+    const invoke = options.invoke ?? renderDom;
+    return await invoke({ html, url: options.url, externalScripts });
+}
+// The pure, self-contained core: build a real DOM, run inline + provided external
+// scripts against it with instrumented surfaces, return rendered HTML + behaviors.
+// No IO, no host-global mutation — safe to run in-process or bundled into an
+// isolate (isolated-vm / CF Dynamic Worker).
+export function renderDom(input) {
+    const report = emptyReport();
+    let parsed;
+    try {
+        parsed = parseHTML(input.html);
+    }
+    catch {
+        report.errors.push("linkedom parse failed");
+        return { html: input.html, report };
+    }
+    const globals = instrument(parsed.window, parsed.document, input.url, report);
+    const scripts = [...extractInlineScripts(input.html), ...(input.externalScripts ?? [])];
+    for (const body of scripts) {
+        try {
+            // eslint-disable-next-line no-new-func
+            new Function(...Object.keys(globals), body)(...Object.values(globals));
+        }
+        catch (error) {
+            report.errors.push(error instanceof Error ? error.message : "script error");
+        }
+    }
+    let rendered = input.html;
+    try {
+        rendered = parsed.document.toString();
+    }
+    catch {
+        /* keep raw html */
+    }
+    return { html: rendered, report };
+}
+// Install instrumented behavioral surfaces on the linkedom window AND return the
+// matching bare globals (so `fetch(...)` and `window.fetch(...)` both record).
+function instrument(window, document, url, report) {
+    const resolve = (value) => {
+        const raw = String(value ?? "");
+        try {
+            return url ? new URL(raw, url).toString() : raw;
+        }
+        catch {
+            return raw;
+        }
+    };
+    const pushNet = (kind, target) => report.network.push({ kind, url: resolve(target) });
+    const fetchStub = (input) => {
+        pushNet("fetch", typeof input === "object" && input ? input.url ?? input : input);
+        return Promise.resolve({ ok: true, status: 200, text: () => Promise.resolve(""), json: () => Promise.resolve({}), headers: { get: () => null } });
+    };
+    const XHRStub = function () {
+        this.open = (_method, target) => { this._url = target; };
+        this.send = () => { if (this._url)
+            pushNet("xhr", this._url); };
+        this.setRequestHeader = () => { };
+        this.addEventListener = () => { };
+    };
+    const beacon = (target) => { pushNet("beacon", target); return true; };
+    const recordEval = (code) => { report.evals.push(String(code)); return undefined; };
+    const FunctionStub = function (...args) { report.evals.push(String(args[args.length - 1] ?? "")); return function () { }; };
+    const safeAtob = (value) => {
+        let out;
+        try {
+            out = atob(String(value));
+        }
+        catch {
+            out = String(value);
+        }
+        report.decoded.push(out);
+        return out;
+    };
+    const safeBtoa = (value) => { try {
+        return btoa(String(value));
+    }
+    catch {
+        return String(value);
+    } };
+    // Expose the URL's real components — page JS routinely builds its redirect
+    // target from window.location.search / pathname / origin (a cloaking bouncer
+    // does `dest + location.search`). Missing them yields "undefined" in the URL
+    // and we'd follow the wrong destination.
+    let parsedLocation = null;
+    try {
+        parsedLocation = url ? new URL(url) : null;
+    }
+    catch {
+        parsedLocation = null;
+    }
+    const location = new Proxy({
+        href: url ?? "",
+        origin: parsedLocation?.origin ?? "",
+        protocol: parsedLocation?.protocol ?? "",
+        host: parsedLocation?.host ?? "",
+        hostname: parsedLocation?.hostname ?? "",
+        port: parsedLocation?.port ?? "",
+        pathname: parsedLocation?.pathname ?? "/",
+        search: parsedLocation?.search ?? "",
+        hash: parsedLocation?.hash ?? "",
+        assign: (u) => report.redirects.push(resolve(u)),
+        replace: (u) => report.redirects.push(resolve(u)),
+        reload: () => { },
+        toString: () => url ?? ""
+    }, { set: (target, prop, value) => { if (prop === "href")
+            report.redirects.push(resolve(value)); target[prop] = value; return true; } });
+    // Override the surfaces the page reaches via the window object.
+    try {
+        Object.defineProperty(window, "location", { value: location, configurable: true, writable: true });
+    }
+    catch { /* non-configurable */ }
+    try {
+        window.fetch = fetchStub;
+    }
+    catch { }
+    try {
+        window.XMLHttpRequest = XHRStub;
+    }
+    catch { }
+    try {
+        if (window.navigator)
+            window.navigator.sendBeacon = beacon;
+    }
+    catch { }
+    try {
+        Object.defineProperty(document, "cookie", { configurable: true, get: () => "", set: (v) => { report.cookies.push(String(v)); } });
+    }
+    catch { }
+    // document.write/writeln: linkedom doesn't implement them, yet phishing kits
+    // routinely inject their credential form this way. Materialize the markup into
+    // the real DOM so the rendered output (re-scanned by the static rules) contains
+    // the injected form/script — not just a string buried in a <script>.
+    const writeMarkup = (markup) => {
+        const target = document.body ?? document.documentElement;
+        try {
+            target?.insertAdjacentHTML("beforeend", String(markup ?? ""));
+        }
+        catch { }
+    };
+    try {
+        document.write = writeMarkup;
+    }
+    catch { }
+    try {
+        document.writeln = (markup) => writeMarkup(String(markup ?? "") + "\n");
+    }
+    catch { }
+    const noop = () => { };
+    const timerRun = (fn) => { try {
+        if (typeof fn === "function")
+            fn();
+    }
+    catch { } return 0; };
+    return {
+        window,
+        document,
+        self: window,
+        globalThis: window,
+        top: window,
+        parent: window,
+        location,
+        fetch: fetchStub,
+        XMLHttpRequest: XHRStub,
+        navigator: window.navigator ?? { userAgent: "Mozilla/5.0", language: "en-US", platform: "Win32", sendBeacon: beacon },
+        screen: { width: 1920, height: 1080 },
+        history: { pushState: noop, replaceState: noop },
+        atob: safeAtob,
+        btoa: safeBtoa,
+        eval: recordEval,
+        Function: FunctionStub,
+        setTimeout: timerRun,
+        setInterval: () => 0,
+        clearTimeout: noop,
+        clearInterval: noop,
+        requestAnimationFrame: timerRun,
+        queueMicrotask: (fn) => { try {
+            fn();
+        }
+        catch { } },
+        console: { log: noop, warn: noop, error: noop, info: noop, debug: noop },
+        MutationObserver: function () { this.observe = noop; this.disconnect = noop; },
+        IntersectionObserver: function () { this.observe = noop; this.disconnect = noop; }
+    };
+}
+function defaultRun(scripts, globals) {
+    const names = Object.keys(globals);
+    const values = names.map((name) => globals[name]);
+    for (const body of scripts) {
+        try {
+            // eslint-disable-next-line no-new-func
+            new Function(...names, body)(...values);
+        }
+        catch {
+            /* malformed/strict-mode-conflicting script — skip, best effort */
+        }
+    }
+}
+//# sourceMappingURL=render.js.map

package/dist/render.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"render.js","sourceRoot":"","sources":["../src/render.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,8EAA8E;AAC9E,wEAAwE;AACxE,4EAA4E;AAC5E,gFAAgF;AAChF,iDAAiD;AACjD,EAAE;AACF,6EAA6E;AAC7E,gFAAgF;AAChF,6EAA6E;AAC7E,EAAE;AACF,gFAAgF;AAChF,kFAAkF;AAClF,iFAAiF;AACjF,kEAAkE;AAElE,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,oBAAoB,EAAE,oBAAoB,EAA4C,MAAM,cAAc,CAAC;AAEpH,MAAM,oBAAoB,GAAG,CAAC,CAAC;AAC/B,MAAM,gBAAgB,GAAG,GAAG,GAAG,IAAI,CAAC;AA4BpC,SAAS,WAAW;IAClB,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;AACrG,CAAC;AAED,4EAA4E;AAC5E,gFAAgF;AAChF,sCAAsC;AACtC,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAY,EAAE,UAAyB,EAAE;IAC3E,IAAI,eAAe,GAAa,EAAE,CAAC;IACnC,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,kBAAkB,IAAI,oBAAoB,CAAC,CAAC;QACxG,eAAe,GAAG,CAChB,MAAM,OAAO,CAAC,GAAG,CACf,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACxB,IAAI,QAAgB,CAAC;YACrB,IAAI,CAAC;gBACH,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,0BAA0B,CAAC,CAAC,QAAQ,EAAE,CAAC;YAChF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,OAAO,EAAE,CAAC;YAC3C,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,WAAY,CAAC,QAAQ,CAAC,CAAC;gBAClD,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,gBAAgB,CAAC,CAAC;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CACH,CACF,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpB,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;IAC3C,OAAO,MAAM,MAAM,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,eAAe,EAAE,CAAC,CAAC;AACnE,CAAC;AAED,kFAAkF;AAClF,mFAAmF;AACnF,6EAA6E;AAC7E,6CAA6C;AAC7C,MAAM,UAAU,SAAS,CAAC,KAAkB;IAC1C,MAAM,MAAM,GAAG,WAAW,EAAE,CAAC;IAC7B,IAAI,MAAsC,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC5C,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC;IACtC,CAAC;IACD,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,OAAO,GAAG,CAAC,GAAG,oBAAoB,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,CAAC;IACxF,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,uCAAuC;YACvC,IAAI,QAAQ,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QACzE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IACD,IAAI,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC;IAC1B,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,mBAAmB;IACrB,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AACpC,CAAC;AAED,iFAAiF;AACjF,+EAA+E;AAC/E,SAAS,UAAU,CAAC,MAAW,EAAE,QAAa,EAAE,GAAuB,EAAE,MAAsB;IAC7F,MAAM,OAAO,GAAG,CAAC,KAAc,EAAU,EAAE;QACzC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;QAChC,IAAI,CAAC;YACH,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,GAAG,CAAC;QACb,CAAC;IACH,CAAC,CAAC;IACF,MAAM,OAAO,GAAG,CAAC,IAA4B,EAAE,MAAe,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAEvH,MAAM,SAAS,GAAG,CAAC,KAAc,EAAE,EAAE;QACnC,OAAO,CAAC,OAAO,EAAE,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAE,KAAa,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAC3F,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACpJ,CAAC,CAAC;IACF,MAAM,OAAO,GAAG;QACd,IAAI,CAAC,IAAI,GAAG,CAAC,OAAe,EAAE,MAAc,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACzE,IAAI,CAAC,IAAI,GAAG,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI;YAAE,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAChE,IAAI,CAAC,gBAAgB,GAAG,GAAG,EAAE,GAAE,CAAC,CAAC;QACjC,IAAI,CAAC,gBAAgB,GAAG,GAAG,EAAE,GAAE,CAAC,CAAC;IACnC,CAAC,CAAC;IACF,MAAM,MAAM,GAAG,CAAC,MAAe,EAAE,EAAE,GAAG,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;IAChF,MAAM,UAAU,GAAG,CAAC,IAAa,EAAE,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;IAC7F,MAAM,YAAY,GAAG,UAAU,GAAG,IAAe,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,cAAa,CAAC,CAAC,CAAC,CAAC,CAAC;IACtI,MAAM,QAAQ,GAAG,CAAC,KAAc,EAAE,EAAE;QAClC,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YAAC,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAAC,CAAC;QACjE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO,GAAG,CAAC;IACb,CAAC,CAAC;IACF,MAAM,QAAQ,GAAG,CAAC,KAAc,EAAE,EAAE,GAAG,IAAI,CAAC;QAAC,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;IAAC,CAAC,CAAC,CAAC,CAAC;IAC7G,2EAA2E;IAC3E,6EAA6E;IAC7E,6EAA6E;IAC7E,yCAAyC;IACzC,IAAI,cAAc,GAAe,IAAI,CAAC;IACtC,IAAI,CAAC;QAAC,cAAc,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,cAAc,GAAG,IAAI,CAAC;IAAC,CAAC;IACpF,MAAM,QAAQ,GAAG,IAAI,KAAK,CACxB;QACE,IAAI,EAAE,GAAG,IAAI,EAAE;QACf,MAAM,EAAE,cAAc,EAAE,MAAM,IAAI,EAAE;QACpC,QAAQ,EAAE,cAAc,EAAE,QAAQ,IAAI,EAAE;QACxC,IAAI,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE;QAChC,QAAQ,EAAE,cAAc,EAAE,QAAQ,IAAI,EAAE;QACxC,IAAI,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE;QAChC,QAAQ,EAAE,cAAc,EAAE,QAAQ,IAAI,GAAG;QACzC,MAAM,EAAE,cAAc,EAAE,MAAM,IAAI,EAAE;QACpC,IAAI,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE;QAChC,MAAM,EAAE,CAAC,CAAU,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACzD,OAAO,EAAE,CAAC,CAAU,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAC1D,MAAM,EAAE,GAAG,EAAE,GAAE,CAAC;QAChB,QAAQ,EAAE,GAAG,EAAE,CAAC,GAAG,IAAI,EAAE;KAC1B,EACD,EAAE,GAAG,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,GAAG,IAAI,IAAI,KAAK,MAAM;YAAE,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAE,MAAc,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,CAC9I,CAAC;IAEF,gEAAgE;IAChE,IAAI,CAAC;QAAC,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC;IAC5I,IAAI,CAAC;QAAC,MAAM,CAAC,KAAK,GAAG,SAAS,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAC1C,IAAI,CAAC;QAAC,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACjD,IAAI,CAAC;QAAC,IAAI,MAAM,CAAC,SAAS;YAAE,MAAM,CAAC,SAAS,CAAC,UAAU,GAAG,MAAM,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAC5E,IAAI,CAAC;QAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,QAAQ,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAU,EAAE,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAC5J,6EAA6E;IAC7E,+EAA+E;IAC/E,gFAAgF;IAChF,qEAAqE;IACrE,MAAM,WAAW,GAAG,CAAC,MAAe,EAAE,EAAE;QACtC,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,eAAe,CAAC;QACzD,IAAI,CAAC;YAAC,MAAM,EAAE,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACjF,CAAC,CAAC;IACF,IAAI,CAAC;QAAC,QAAQ,CAAC,KAAK,GAAG,WAAW,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAC9C,IAAI,CAAC;QAAC,QAAQ,CAAC,OAAO,GAAG,CAAC,MAAe,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAElG,MAAM,IAAI,GAAG,GAAG,EAAE,GAAE,CAAC,CAAC;IACtB,MAAM,QAAQ,GAAG,CAAC,EAAW,EAAE,EAAE,GAAG,IAAI,CAAC;QAAC,IAAI,OAAO,EAAE,KAAK,UAAU;YAAG,EAAiB,EAAE,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACrH,OAAO;QACL,MAAM;QACN,QAAQ;QACR,IAAI,EAAE,MAAM;QACZ,UAAU,EAAE,MAAM;QAClB,GAAG,EAAE,MAAM;QACX,MAAM,EAAE,MAAM;QACd,QAAQ;QACR,KAAK,EAAE,SAAS;QAChB,cAAc,EAAE,OAAO;QACvB,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,EAAE,SAAS,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE;QACrH,MAAM,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;QACrC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE;QAChD,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,YAAY;QACtB,UAAU,EAAE,QAAQ;QACpB,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QACpB,YAAY,EAAE,IAAI;QAClB,aAAa,EAAE,IAAI;QACnB,qBAAqB,EAAE,QAAQ;QAC/B,cAAc,EAAE,CAAC,EAAW,EAAE,EAAE,GAAG,IAAI,CAAC;YAAE,EAAiB,EAAE,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC,CAAC,CAAC;QAC3E,OAAO,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;QACxE,gBAAgB,EAAE,cAAuB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC;QACvF,oBAAoB,EAAE,cAAuB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC;KAC5F,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,OAAiB,EAAE,OAAgC;IACrE,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAClD,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,uCAAuC;YACvC,IAAI,QAAQ,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;QACpE,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/rules/packs/binary.d.ts

@@ -0,0 +1,4 @@
+import type { PatternRule, RuleDefinition } from "../types.js";
+export declare const binaryRules: Record<"elf_executable_magic" | "content_type_magic_mismatch" | "elf_writable_executable_stack", RuleDefinition>;
+export declare const binaryStringRules: PatternRule[];
+//# sourceMappingURL=binary.d.ts.map

package/dist/rules/packs/binary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"binary.d.ts","sourceRoot":"","sources":["../../../src/rules/packs/binary.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE/D,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,sBAAsB,GAAG,6BAA6B,GAAG,+BAA+B,EAAE,cAAc,CA+BxI,CAAC;AAEF,eAAO,MAAM,iBAAiB,EAAE,WAAW,EAmE1C,CAAC"}

package/dist/rules/packs/binary.js

@@ -0,0 +1,101 @@
+export const binaryRules = {
+    elf_executable_magic: {
+        id: "elf_executable_magic",
+        pack: "binary-static",
+        severity: "high",
+        confidence: "high",
+        title: "ELF executable",
+        description: "Content begins with ELF executable magic bytes.",
+        locationType: "binary",
+        score: { base: 55, tags: ["binary"] }
+    },
+    content_type_magic_mismatch: {
+        id: "content_type_magic_mismatch",
+        pack: "binary-static",
+        severity: "high",
+        confidence: "high",
+        title: "Content type does not match magic bytes",
+        description: "Declared content type conflicts with executable magic bytes.",
+        locationType: "binary",
+        score: { base: 45, tags: ["binary", "obfuscation"] }
+    },
+    elf_writable_executable_stack: {
+        id: "elf_writable_executable_stack",
+        pack: "binary-static",
+        severity: "high",
+        confidence: "medium",
+        title: "ELF requests writable executable stack",
+        description: "ELF program headers include a GNU_STACK segment with write and execute permissions.",
+        locationType: "binary",
+        score: { base: 32, tags: ["binary"] }
+    }
+};
+export const binaryStringRules = [
+    {
+        id: "iot_botnet_family_strings",
+        pack: "binary-static",
+        severity: "high",
+        confidence: "high",
+        title: "IoT botnet family strings",
+        description: "Binary strings reference IoT botnet family names or architecture payload naming.",
+        locationType: "binary",
+        pattern: /\b(?:Mozi|mirai|gafgyt|boatnet|Mozi\.[a-z0-9])\b/i,
+        score: { base: 70, tags: ["binary"] }
+    },
+    {
+        id: "iot_device_exploit_strings",
+        pack: "binary-static",
+        severity: "high",
+        confidence: "medium",
+        title: "IoT device exploit strings",
+        description: "Binary strings reference common router, camera, TR-064, HNAP, GPON, or Realtek exploitation paths.",
+        locationType: "binary",
+        pattern: /\b(?:gpon8080|gpon80|realtek|netgear8080|netgear80|huawei|tr064|hnap|camcrossweb|camjaws|dlink|vacron|setup\.cgi|SOAPAction:|AddPortMapping|SetNTPServers)\b/i,
+        score: { base: 42, tags: ["binary"] }
+    },
+    {
+        id: "iot_payload_dropper_commands",
+        pack: "binary-static",
+        severity: "high",
+        confidence: "high",
+        title: "IoT payload dropper commands",
+        description: "Binary strings contain wget/curl, chmod, temporary directory, and shell execution payload chains.",
+        locationType: "binary",
+        pattern: /(?:wget|curl|busybox wget)[\s\S]{0,160}(?:chmod|\/tmp|\/var\/tmp|\/dev\/shm)[\s\S]{0,160}(?:\/bin\/sh|sh\s|\.\/|Mozi\.)/i,
+        score: { base: 64, tags: ["binary", "source"] }
+    },
+    {
+        id: "router_management_hijack_commands",
+        pack: "binary-static",
+        severity: "high",
+        confidence: "high",
+        title: "Router management hijack commands",
+        description: "Binary strings contain TR-069 or router management-server hijack commands.",
+        locationType: "binary",
+        pattern: /(?:cfgtool|sendcmd)[\s\S]{0,240}(?:ManagementServer|MgtServer|Tr069Enable|ConnectionRequestPassword|acsMozi|127\.0\.0\.1)/i,
+        score: { base: 58, tags: ["binary"] }
+    },
+    {
+        id: "firewall_lockout_commands",
+        pack: "binary-static",
+        severity: "medium",
+        confidence: "high",
+        title: "Firewall lockout commands",
+        description: "Binary strings contain iptables rules that block management, TR-069, telnet, or SSH ports.",
+        locationType: "binary",
+        pattern: /iptables[\s\S]{0,120}(?:DROP|--dport|--sport|--destination-port|--source-port)[\s\S]{0,80}\b(?:22|23|2323|35000|50023|7547|58000)\b/i,
+        score: { base: 34, tags: ["binary"] }
+    },
+    {
+        id: "dht_cnc_protocol_strings",
+        pack: "binary-static",
+        severity: "medium",
+        confidence: "high",
+        title: "DHT/CNC protocol strings",
+        description: "Binary strings contain DHT peer protocol and command-and-control markers.",
+        locationType: "binary",
+        pattern: /(?:\[cnc\]|\[atk\]|\[ud\]|\[dip\]|1:q9:find_node|1:q9:get_peers|1:q13:announce_peer|info_hash20|nodes6)/i,
+        score: { base: 34, tags: ["binary"] }
+    }
+];
+//# sourceMappingURL=binary.js.map

package/dist/rules/packs/binary.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"binary.js","sourceRoot":"","sources":["../../../src/rules/packs/binary.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,WAAW,GAAqH;IAC3I,oBAAoB,EAAE;QACpB,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,gBAAgB;QACvB,WAAW,EAAE,iDAAiD;QAC9D,YAAY,EAAE,QAAQ;QACtB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD,2BAA2B,EAAE;QAC3B,EAAE,EAAE,6BAA6B;QACjC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,yCAAyC;QAChD,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,QAAQ;QACtB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,EAAE,aAAa,CAAC,EAAE;KACrD;IACD,6BAA6B,EAAE;QAC7B,EAAE,EAAE,+BAA+B;QACnC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,wCAAwC;QAC/C,WAAW,EAAE,qFAAqF;QAClG,YAAY,EAAE,QAAQ;QACtB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAkB;IAC9C;QACE,EAAE,EAAE,2BAA2B;QAC/B,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,kFAAkF;QAC/F,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,mDAAmD;QAC5D,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,4BAA4B;QAChC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,oGAAoG;QACjH,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,+JAA+J;QACxK,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,8BAA8B;QAClC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,mGAAmG;QAChH,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,0HAA0H;QACnI,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE;KAChD;IACD;QACE,EAAE,EAAE,mCAAmC;QACvC,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,mCAAmC;QAC1C,WAAW,EAAE,4EAA4E;QACzF,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,4HAA4H;QACrI,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,2BAA2B;QAC/B,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,4FAA4F;QACzG,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,sIAAsI;QAC/I,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EAAE,2EAA2E;QACxF,YAAY,EAAE,QAAQ;QACtB,OAAO,EAAE,0GAA0G;QACnH,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;KACtC;CACF,CAAC"}

package/dist/rules/packs/css.d.ts

@@ -0,0 +1,3 @@
+import type { RuleDefinition } from "../types.js";
+export declare const cssRules: Record<"hidden_link_cluster" | "unicode_bidi_trick" | "css_imports_suspicious_domain" | "invisible_form_overlay", RuleDefinition>;
+//# sourceMappingURL=css.d.ts.map

package/dist/rules/packs/css.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"css.d.ts","sourceRoot":"","sources":["../../../src/rules/packs/css.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,eAAO,MAAM,QAAQ,EAAE,MAAM,CAAC,qBAAqB,GAAG,oBAAoB,GAAG,+BAA+B,GAAG,wBAAwB,EAAE,cAAc,CAyCtJ,CAAC"}

package/dist/rules/packs/css.js

@@ -0,0 +1,43 @@
+export const cssRules = {
+    hidden_link_cluster: {
+        id: "hidden_link_cluster",
+        pack: "seo-spam",
+        severity: "low",
+        confidence: "medium",
+        title: "Hidden CSS content",
+        description: "CSS contains hidden or offscreen content patterns.",
+        locationType: "css",
+        score: { base: 4, tags: ["seo"] }
+    },
+    unicode_bidi_trick: {
+        id: "unicode_bidi_trick",
+        pack: "obfuscation",
+        severity: "medium",
+        confidence: "high",
+        title: "Unicode bidi CSS trick",
+        description: "CSS uses bidi override, which can hide or reorder visible text.",
+        locationType: "css",
+        score: { base: 20, tags: ["obfuscation"] }
+    },
+    css_imports_suspicious_domain: {
+        id: "css_imports_suspicious_domain",
+        pack: "script-risk",
+        severity: "medium",
+        confidence: "medium",
+        title: "CSS imports off-site resource",
+        description: "CSS imports or loads an off-site URL.",
+        locationType: "url",
+        score: { base: 12, tags: ["script", "url"] }
+    },
+    invisible_form_overlay: {
+        id: "invisible_form_overlay",
+        pack: "phishing",
+        severity: "medium",
+        confidence: "medium",
+        title: "Invisible form overlay style",
+        description: "CSS contains fixed/absolute overlay and invisibility patterns that can hide or intercept form input.",
+        locationType: "css",
+        score: { base: 24, tags: ["credential", "phishing"] }
+    }
+};
+//# sourceMappingURL=css.js.map

package/dist/rules/packs/css.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"css.js","sourceRoot":"","sources":["../../../src/rules/packs/css.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,QAAQ,GAAsI;IACzJ,mBAAmB,EAAE;QACnB,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,oDAAoD;QACjE,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE;KAClC;IACD,kBAAkB,EAAE;QAClB,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,iEAAiE;QAC9E,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,aAAa,CAAC,EAAE;KAC3C;IACD,6BAA6B,EAAE;QAC7B,EAAE,EAAE,+BAA+B;QACnC,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,+BAA+B;QACtC,WAAW,EAAE,uCAAuC;QACpD,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE;KAC7C;IACD,sBAAsB,EAAE;QACtB,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,sGAAsG;QACnH,YAAY,EAAE,KAAK;QACnB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC,EAAE;KACtD;CACF,CAAC"}

package/dist/rules/packs/decoders.d.ts

@@ -0,0 +1,3 @@
+import type { RuleDefinition } from "../types.js";
+export declare const decodedArtifactRules: Record<"large_base64_blob" | "javascript_hex_escapes" | "javascript_unicode_escapes" | "fromcharcode_decoded_string", RuleDefinition>;
+//# sourceMappingURL=decoders.d.ts.map

package/dist/rules/packs/decoders.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decoders.d.ts","sourceRoot":"","sources":["../../../src/rules/packs/decoders.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,eAAO,MAAM,oBAAoB,EAAE,MAAM,CAAC,mBAAmB,GAAG,wBAAwB,GAAG,4BAA4B,GAAG,6BAA6B,EAAE,cAAc,CA4CtK,CAAC"}

package/dist/rules/packs/decoders.js

@@ -0,0 +1,46 @@
+export const decodedArtifactRules = {
+    large_base64_blob: {
+        id: "large_base64_blob",
+        pack: "obfuscation",
+        severity: "medium",
+        confidence: "medium",
+        title: "Decoded base64 artifact",
+        description: "Scanner decoded a base64 artifact and rescanned it.",
+        locationType: "decoded_artifact",
+        score: { base: 14, tags: ["decoded", "obfuscation"] }
+    },
+    javascript_hex_escapes: {
+        id: "javascript_hex_escapes",
+        pack: "obfuscation",
+        severity: "medium",
+        confidence: "medium",
+        title: "Decoded JavaScript hex escapes",
+        description: "Scanner decoded JavaScript hex escapes and rescanned the artifact.",
+        locationType: "decoded_artifact",
+        score: { base: 18, tags: ["decoded", "obfuscation"] }
+    },
+    javascript_unicode_escapes: {
+        id: "javascript_unicode_escapes",
+        pack: "obfuscation",
+        severity: "low",
+        confidence: "medium",
+        title: "Decoded JavaScript unicode escapes",
+        description: "Scanner decoded JavaScript unicode escapes and rescanned the artifact.",
+        locationType: "decoded_artifact",
+        // Unicode escapes are ubiquitous in legitimate minified/i18n JS. The mere
+        // presence is weak — the conviction comes from rescanning the DECODED
+        // artifact (whose own findings fire separately), not from this marker.
+        score: { base: 8, tags: ["decoded", "obfuscation"] }
+    },
+    fromcharcode_decoded_string: {
+        id: "fromcharcode_decoded_string",
+        pack: "obfuscation",
+        severity: "medium",
+        confidence: "medium",
+        title: "Decoded String.fromCharCode artifact",
+        description: "Scanner decoded a literal String.fromCharCode artifact and rescanned it.",
+        locationType: "decoded_artifact",
+        score: { base: 22, tags: ["decoded", "obfuscation"] }
+    }
+};
+//# sourceMappingURL=decoders.js.map

package/dist/rules/packs/decoders.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decoders.js","sourceRoot":"","sources":["../../../src/rules/packs/decoders.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,oBAAoB,GAA0I;IACzK,iBAAiB,EAAE;QACjB,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,yBAAyB;QAChC,WAAW,EAAE,qDAAqD;QAClE,YAAY,EAAE,kBAAkB;QAChC,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,aAAa,CAAC,EAAE;KACtD;IACD,sBAAsB,EAAE;QACtB,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,oEAAoE;QACjF,YAAY,EAAE,kBAAkB;QAChC,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,aAAa,CAAC,EAAE;KACtD;IACD,0BAA0B,EAAE;QAC1B,EAAE,EAAE,4BAA4B;QAChC,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,wEAAwE;QACrF,YAAY,EAAE,kBAAkB;QAChC,0EAA0E;QAC1E,sEAAsE;QACtE,uEAAuE;QACvE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,aAAa,CAAC,EAAE;KACrD;IACD,2BAA2B,EAAE;QAC3B,EAAE,EAAE,6BAA6B;QACjC,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,sCAAsC;QAC7C,WAAW,EAAE,0EAA0E;QACvF,YAAY,EAAE,kBAAkB;QAChC,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,aAAa,CAAC,EAAE;KACtD;CACF,CAAC"}

package/dist/rules/packs/html.d.ts

@@ -0,0 +1,4 @@
+import type { RuleDefinition } from "../types.js";
+export declare const htmlRules: Record<"external_script_from_unrelated_domain" | "mixed_content_script" | "hidden_iframe_off_origin" | "meta_refresh_external" | "password_form_without_https" | "credential_form_posts_off_origin" | "card_fields_plus_external_script" | "excessive_external_scripts_on_login_page" | "login_page_with_punycode_links" | "credential_ui_rendered_as_image" | "crypto_wallet_login_language" | "crypto_trading_landing_language" | "seo_trademark_stuffing" | "credential_form_on_suspicious_host" | "brand_impersonation_content", RuleDefinition>;
+export declare const htmlTechnologyRules: Record<"legacy_jquery_reference" | "legacy_angularjs_reference" | "legacy_bootstrap_reference" | "legacy_lodash_reference" | "wordpress_surface_reference" | "drupal_surface_reference" | "phpmyadmin_surface_reference", RuleDefinition>;
+//# sourceMappingURL=html.d.ts.map

package/dist/rules/packs/html.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"html.d.ts","sourceRoot":"","sources":["../../../src/rules/packs/html.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,eAAO,MAAM,SAAS,EAAE,MAAM,CAC1B,uCAAuC,GACvC,sBAAsB,GACtB,0BAA0B,GAC1B,uBAAuB,GACvB,6BAA6B,GAC7B,kCAAkC,GAClC,kCAAkC,GAClC,0CAA0C,GAC1C,gCAAgC,GAChC,iCAAiC,GACjC,8BAA8B,GAC9B,iCAAiC,GACjC,wBAAwB,GACxB,oCAAoC,GACpC,6BAA6B,EAC/B,cAAc,CA0Jf,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,MAAM,CACpC,yBAAyB,GACzB,4BAA4B,GAC5B,4BAA4B,GAC5B,yBAAyB,GACzB,6BAA6B,GAC7B,0BAA0B,GAC1B,8BAA8B,EAChC,cAAc,CAwEf,CAAC"}