npm - @surfinguard/core-engine - Versions diffs - 0.1.0 - Mend

@surfinguard/core-engine 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (64) hide show

package/README.md +65 -0
package/dist/analyzers/base.d.ts +38 -0
package/dist/analyzers/base.d.ts.map +1 -0
package/dist/analyzers/base.js +2 -0
package/dist/analyzers/base.js.map +1 -0
package/dist/analyzers/command.d.ts +44 -0
package/dist/analyzers/command.d.ts.map +1 -0
package/dist/analyzers/command.js +544 -0
package/dist/analyzers/command.js.map +1 -0
package/dist/analyzers/file-read.d.ts +31 -0
package/dist/analyzers/file-read.d.ts.map +1 -0
package/dist/analyzers/file-read.js +159 -0
package/dist/analyzers/file-read.js.map +1 -0
package/dist/analyzers/file-write.d.ts +32 -0
package/dist/analyzers/file-write.d.ts.map +1 -0
package/dist/analyzers/file-write.js +177 -0
package/dist/analyzers/file-write.js.map +1 -0
package/dist/analyzers/index.d.ts +7 -0
package/dist/analyzers/index.d.ts.map +1 -0
package/dist/analyzers/index.js +6 -0
package/dist/analyzers/index.js.map +1 -0
package/dist/analyzers/text.d.ts +30 -0
package/dist/analyzers/text.d.ts.map +1 -0
package/dist/analyzers/text.js +139 -0
package/dist/analyzers/text.js.map +1 -0
package/dist/analyzers/url.d.ts +33 -0
package/dist/analyzers/url.d.ts.map +1 -0
package/dist/analyzers/url.js +325 -0
package/dist/analyzers/url.js.map +1 -0
package/dist/classifier.d.ts +7 -0
package/dist/classifier.d.ts.map +1 -0
package/dist/classifier.js +12 -0
package/dist/classifier.js.map +1 -0
package/dist/context.d.ts +10 -0
package/dist/context.d.ts.map +1 -0
package/dist/context.js +9 -0
package/dist/context.js.map +1 -0
package/dist/engine.d.ts +49 -0
package/dist/engine.d.ts.map +1 -0
package/dist/engine.js +122 -0
package/dist/engine.js.map +1 -0
package/dist/index.d.ts +12 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +10 -0
package/dist/index.js.map +1 -0
package/dist/patterns.d.ts +8 -0
package/dist/patterns.d.ts.map +1 -0
package/dist/patterns.js +66 -0
package/dist/patterns.js.map +1 -0
package/dist/scorer.d.ts +23 -0
package/dist/scorer.d.ts.map +1 -0
package/dist/scorer.js +52 -0
package/dist/scorer.js.map +1 -0
package/dist/verdict.d.ts +7 -0
package/dist/verdict.d.ts.map +1 -0
package/dist/verdict.js +41 -0
package/dist/verdict.js.map +1 -0
package/package.json +44 -0
package/patterns/brands.json +205 -0
package/patterns/commands.json +44 -0
package/patterns/file-read.json +85 -0
package/patterns/file-write.json +100 -0
package/patterns/text.json +190 -0
package/patterns/urls.json +412 -0

package/patterns/urls.json ADDED Viewed

@@ -0,0 +1,412 @@
+{
+  "version": "2026.02.21",
+  "threats": [
+    {
+      "id": "U01",
+      "name": "Data URI",
+      "primitive": "MANIPULATION",
+      "severity": 10,
+      "description": "Data URI can hide malicious content (XSS, phishing pages)"
+    },
+    {
+      "id": "U02",
+      "name": "JavaScript URI",
+      "primitive": "MANIPULATION",
+      "severity": 10,
+      "description": "JavaScript URI enables code execution"
+    },
+    {
+      "id": "U03",
+      "name": "Malformed URL",
+      "primitive": "MANIPULATION",
+      "severity": 10,
+      "description": "Malformed or invalid URL structure"
+    },
+    {
+      "id": "U04",
+      "name": "IP Address Domain",
+      "primitive": "MANIPULATION",
+      "severity": 7,
+      "description": "Uses IP address instead of domain name to hide identity"
+    },
+    {
+      "id": "U05",
+      "name": "At-Symbol Obfuscation",
+      "primitive": "MANIPULATION",
+      "severity": 6,
+      "description": "URL uses @ to disguise real destination"
+    },
+    {
+      "id": "U06",
+      "name": "Punycode / IDN Homograph",
+      "primitive": "MANIPULATION",
+      "severity": 5,
+      "description": "Internationalized domain may hide lookalike characters"
+    },
+    {
+      "id": "U07",
+      "name": "Brand Impersonation",
+      "primitive": "MANIPULATION",
+      "severity": 7,
+      "description": "Domain impersonates a known brand via typosquatting or homograph"
+    },
+    {
+      "id": "U08",
+      "name": "URL Shortener",
+      "primitive": "MANIPULATION",
+      "severity": 3,
+      "description": "Link shortener hides actual destination"
+    },
+    {
+      "id": "U09",
+      "name": "Free Hosting Platform",
+      "primitive": "MANIPULATION",
+      "severity": 4,
+      "description": "Site hosted on free platform commonly used for scams"
+    },
+    {
+      "id": "U10",
+      "name": "Risky TLD",
+      "primitive": "MANIPULATION",
+      "severity": 3,
+      "description": "Uses high-risk TLD commonly associated with scams"
+    },
+    {
+      "id": "U11",
+      "name": "Redirect Chain",
+      "primitive": "MANIPULATION",
+      "severity": 4,
+      "description": "Nested redirects used to obfuscate final destination"
+    },
+    {
+      "id": "U12",
+      "name": "Suspicious File Extension",
+      "primitive": "DESTRUCTION",
+      "severity": 3,
+      "description": "URL references potentially dangerous executable file type"
+    },
+    {
+      "id": "U13",
+      "name": "Internal/RFC1918 IP",
+      "primitive": "ESCALATION",
+      "severity": 7,
+      "description": "Targets internal network address (SSRF / network probing)"
+    },
+    {
+      "id": "U14",
+      "name": "Cloud Metadata Endpoint",
+      "primitive": "ESCALATION",
+      "severity": 9,
+      "description": "Targets cloud instance metadata endpoint (credential theft)"
+    }
+  ],
+  "trackerDomains": [
+    "googleadservices.com",
+    "googlesyndication.com",
+    "doubleclick.net",
+    "google-analytics.com",
+    "googletagmanager.com",
+    "googletagservices.com",
+    "googleads.g.doubleclick.net",
+    "adservice.google.com",
+    "adtrafficquality.google",
+    "safeframe.googlesyndication.com",
+    "pagead2.googlesyndication.com",
+    "tpc.googlesyndication.com",
+    "googleservices.com",
+    "clickserve.dartsearch.net",
+    "taboola.com",
+    "outbrain.com",
+    "criteo.com",
+    "media.net",
+    "revcontent.com",
+    "mgid.com",
+    "content-recommendation.net",
+    "facebook.net",
+    "fbcdn.net",
+    "connect.facebook.net",
+    "amazon-adsystem.com",
+    "assoc-amazon.com",
+    "ads-twitter.com",
+    "analytics.twitter.com",
+    "bat.bing.com",
+    "clarity.ms",
+    "dxmdp.com",
+    "permutive.com",
+    "aniview.com",
+    "scorecardresearch.com",
+    "quantserve.com",
+    "chartbeat.com",
+    "hotjar.com",
+    "mouseflow.com",
+    "segment.com",
+    "mixpanel.com",
+    "amplitude.com",
+    "newrelic.com",
+    "nr-data.net",
+    "adobedtm.com",
+    "omtrdc.net",
+    "demdex.net",
+    "rubiconproject.com",
+    "pubmatic.com",
+    "openx.net",
+    "adsrvr.org",
+    "adnxs.com",
+    "casalemedia.com",
+    "moatads.com",
+    "serving-sys.com",
+    "sizmek.com",
+    "teads.tv",
+    "smartadserver.com",
+    "yieldmo.com",
+    "indexexchange.com",
+    "33across.com",
+    "cloudfront.net",
+    "akamaized.net",
+    "fastly.net",
+    "cdn.ampproject.org",
+    "ad.doubleclick.net",
+    "l.facebook.com",
+    "lm.facebook.com",
+    "an.facebook.com",
+    "bingads.microsoft.com",
+    "aax-us-iad.amazon.com",
+    "analytics.tiktok.com",
+    "ads.tiktok.com",
+    "advertising.com"
+  ],
+  "adClickParams": [
+    "gclid",
+    "gbraid",
+    "wbraid",
+    "gclsrc",
+    "dclid",
+    "gad_source",
+    "gad_campaignid",
+    "msclkid",
+    "fbclid",
+    "ttclid",
+    "twclid",
+    "li_fat_id",
+    "irclickid"
+  ],
+  "shorteners": [
+    "bit.ly",
+    "tinyurl.com",
+    "t.co",
+    "goo.gl",
+    "is.gd",
+    "cutt.ly",
+    "rebrand.ly",
+    "rb.gy",
+    "ow.ly",
+    "buff.ly",
+    "tiny.cc",
+    "short.io",
+    "bl.ink",
+    "soo.gd",
+    "s.id",
+    "rotf.lol",
+    "fb.me",
+    "youtu.be",
+    "redd.it",
+    "amzn.to",
+    "amzn.eu",
+    "aka.ms",
+    "apple.co",
+    "spoti.fi",
+    "lin.ee",
+    "shorturl.at",
+    "v.gd",
+    "clck.ru",
+    "qps.ru",
+    "u.to"
+  ],
+  "freeHostingPlatforms": [
+    "netlify.app",
+    "vercel.app",
+    "pages.dev",
+    "github.io",
+    "gitlab.io",
+    "surge.sh",
+    "render.com",
+    "fly.dev",
+    "railway.app",
+    "webflow.io",
+    "carrd.co",
+    "wixsite.com",
+    "weebly.com",
+    "squarespace.com",
+    "sites.google.com",
+    "my.canva.site",
+    "herokuapp.com",
+    "azurewebsites.net",
+    "web.app",
+    "firebaseapp.com",
+    "amplifyapp.com",
+    "cloudfront.net",
+    "s3.amazonaws.com",
+    "typeform.com",
+    "jotform.com",
+    "tally.so",
+    "fillout.com",
+    "glitch.me",
+    "replit.dev",
+    "stackblitz.io",
+    "codesandbox.io"
+  ],
+  "riskyTlds": [
+    "zip",
+    "mov",
+    "pdf",
+    "doc",
+    "xls",
+    "click",
+    "top",
+    "xyz",
+    "cam",
+    "work",
+    "icu",
+    "cfd",
+    "rest",
+    "buzz",
+    "surf",
+    "monster",
+    "quest",
+    "bond",
+    "sbs",
+    "cyou",
+    "fun",
+    "website",
+    "space",
+    "online",
+    "site",
+    "store",
+    "tech",
+    "tk",
+    "ml",
+    "ga",
+    "cf",
+    "gq",
+    "ws",
+    "cc",
+    "pw",
+    "to"
+  ],
+  "redirectParamKeys": [
+    "url",
+    "u",
+    "q",
+    "target",
+    "dest",
+    "destination",
+    "next",
+    "redirect",
+    "redir",
+    "redirect_url",
+    "redirect_uri",
+    "return",
+    "returnto",
+    "return_url",
+    "continue",
+    "r",
+    "to",
+    "go",
+    "link",
+    "callback",
+    "cb",
+    "forward",
+    "fwd",
+    "out",
+    "outurl",
+    "exit",
+    "ref",
+    "jump",
+    "click",
+    "goto"
+  ],
+  "highRiskKeywords": [
+    "login",
+    "signin",
+    "sign-in",
+    "logon",
+    "signon",
+    "verify",
+    "verification",
+    "authenticate",
+    "password",
+    "passwd",
+    "pwd",
+    "reset",
+    "recover",
+    "credential",
+    "credentials",
+    "account",
+    "suspend",
+    "suspended",
+    "locked",
+    "unlock",
+    "confirm",
+    "update",
+    "upgrade",
+    "expire",
+    "expired",
+    "wallet",
+    "seed",
+    "phrase",
+    "private-key",
+    "privatekey",
+    "bank",
+    "payment",
+    "billing",
+    "invoice",
+    "mfa",
+    "2fa",
+    "otp",
+    "secure",
+    "security",
+    "support",
+    "helpdesk",
+    "help-desk",
+    "urgent",
+    "immediate",
+    "action-required",
+    "limited"
+  ],
+  "suspiciousExtensions": [
+    ".exe",
+    ".scr",
+    ".bat",
+    ".cmd",
+    ".msi",
+    ".js",
+    ".vbs",
+    ".ps1"
+  ],
+  "internalIpRanges": [
+    "10.",
+    "172.16.",
+    "172.17.",
+    "172.18.",
+    "172.19.",
+    "172.20.",
+    "172.21.",
+    "172.22.",
+    "172.23.",
+    "172.24.",
+    "172.25.",
+    "172.26.",
+    "172.27.",
+    "172.28.",
+    "172.29.",
+    "172.30.",
+    "172.31.",
+    "192.168.",
+    "127."
+  ],
+  "cloudMetadataEndpoints": [
+    "169.254.169.254",
+    "metadata.google.internal",
+    "100.100.100.200"
+  ]
+}