@trailofbits/vsix-audit 0.1.0 → 0.1.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trailofbits/vsix-audit",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Security scanner for VS Code extensions",
   "keywords": [
     "audit",

package/dist/scanner/checks/behavioral.d.ts

@@ -1,3 +0,0 @@
-import type { Finding, VsixContents } from "../types.js";
-export declare function checkBehavioral(contents: VsixContents): Finding[];
-//# sourceMappingURL=behavioral.d.ts.map

package/dist/scanner/checks/behavioral.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"behavioral.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/behavioral.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAY,YAAY,EAAE,MAAM,aAAa,CAAC;AA6XnE,wBAAgB,eAAe,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,EAAE,CAkDjE"}

package/dist/scanner/checks/behavioral.js

@@ -1,367 +0,0 @@
-import { isScannable, SCANNABLE_EXTENSIONS_PATTERN } from "../constants.js";
-import { findLineNumberByIndex } from "../utils.js";
-const SIGNATURES = [
-    {
-        id: "BEHAVIOR_CREDENTIAL_EXFIL",
-        title: "Credential exfiltration pattern",
-        description: "Code reads sensitive files, encodes the content, and sends it to an external server. This is the classic credential theft attack chain.",
-        severity: "critical",
-        stages: [
-            {
-                action: "file_read",
-                patterns: [
-                    /readFile(?:Sync)?\s*\(/gi,
-                    /fs\.promises\.readFile/gi,
-                    /createReadStream\s*\(/gi,
-                ],
-                description: "File read operation",
-            },
-            {
-                action: "encode",
-                patterns: [
-                    /Buffer\.from\s*\([^)]+\)\.toString\s*\(\s*['"]base64/gi,
-                    /btoa\s*\(/gi,
-                    /\.toString\s*\(\s*['"](?:base64|hex)['"]\s*\)/gi,
-                    /JSON\.stringify\s*\(/gi,
-                ],
-                description: "Data encoding for transmission",
-            },
-            {
-                action: "network",
-                patterns: [
-                    /fetch\s*\(/gi,
-                    /axios\./gi,
-                    /https?\.request/gi,
-                    /\.post\s*\(/gi,
-                    /\.send\s*\(/gi,
-                ],
-                description: "Network transmission",
-            },
-        ],
-        redFlags: [
-            "Reads from home directory or .ssh",
-            "Encodes before sending",
-            "Sends to external domain",
-        ],
-    },
-    {
-        id: "BEHAVIOR_REVERSE_SHELL",
-        title: "Reverse shell pattern",
-        description: "Code establishes network connection and pipes input to command execution. This creates a remote shell for attackers.",
-        severity: "critical",
-        stages: [
-            {
-                action: "network",
-                patterns: [
-                    /net\.Socket/gi,
-                    /net\.connect/gi,
-                    /net\.createConnection/gi,
-                    /new\s+WebSocket/gi,
-                ],
-                description: "Network connection",
-            },
-            {
-                action: "exec",
-                patterns: [/child_process/gi, /\.spawn\s*\(/gi, /\.exec\s*\(/gi, /process\.stdin/gi],
-                description: "Command execution",
-            },
-        ],
-        maxSpan: 1500,
-        redFlags: ["Socket piped to shell", "Remote command execution"],
-    },
-    {
-        id: "BEHAVIOR_SUPPLY_CHAIN_ATTACK",
-        title: "Install script attack pattern",
-        description: "Package lifecycle script accesses environment, executes commands, and phones home. This is a supply chain attack pattern.",
-        severity: "high", // Downgraded - common in legitimate build tools
-        stages: [
-            {
-                action: "env_access",
-                patterns: [
-                    /os\.homedir\s*\(\)/gi,
-                    /os\.userInfo\s*\(\)/gi,
-                    /process\.env\.(?:HOME|USERPROFILE|APPDATA)/gi,
-                ],
-                description: "Home directory access",
-            },
-            {
-                action: "exec",
-                patterns: [/child_process\.exec\s*\(/gi, /execSync\s*\(/gi, /spawnSync\s*\(/gi],
-                description: "Command execution",
-            },
-            {
-                action: "network",
-                patterns: [/fetch\s*\(/gi, /axios\s*\./gi, /curl\s+/gi, /wget\s+/gi],
-                description: "Network activity",
-            },
-        ],
-        minStages: 3, // Require all 3 stages to reduce false positives
-        maxSpan: 1000, // Tighter proximity requirement
-        legitimateUses: ["Build scripts", "Development tools"],
-        redFlags: ["Runs in postinstall", "Collects system info", "Sends to unknown domain"],
-    },
-    {
-        id: "BEHAVIOR_DROPPER",
-        title: "Malware dropper pattern",
-        description: "Code downloads content from remote URL, writes it to file, and executes it. This is a dropper/downloader pattern.",
-        severity: "critical",
-        stages: [
-            {
-                action: "download",
-                patterns: [
-                    /fetch\s*\([^)]*https?:\/\//gi,
-                    /axios\.get\s*\([^)]*https?:\/\//gi,
-                    /https?\.get\s*\(/gi,
-                    /request\s*\([^)]*https?:\/\//gi,
-                ],
-                description: "Remote content download",
-            },
-            {
-                action: "file_read",
-                patterns: [
-                    /writeFile(?:Sync)?\s*\(/gi,
-                    /createWriteStream\s*\(/gi,
-                    /fs\.promises\.writeFile/gi,
-                ],
-                description: "File write",
-            },
-            {
-                action: "exec",
-                patterns: [/child_process/gi, /\.exec\s*\(/gi, /\.spawn\s*\(/gi, /execSync/gi],
-                description: "Execution",
-            },
-        ],
-        maxSpan: 2000,
-        redFlags: [
-            "Downloads executable",
-            "Writes to temp or hidden location",
-            "Executes downloaded content",
-        ],
-    },
-    {
-        id: "BEHAVIOR_KEYLOGGER",
-        title: "Keystroke capture pattern",
-        description: "Code captures keyboard/input events and stores or transmits the data. This indicates keylogging behavior.",
-        severity: "high",
-        stages: [
-            {
-                action: "clipboard",
-                patterns: [
-                    // onDidChangeTextDocument is legitimate for language servers - don't flag it
-                    // Instead, look for actual keystroke monitoring
-                    /keyboard.*event/gi,
-                    /keydown|keyup|keypress/gi,
-                    /clipboard\.readText/gi,
-                    /getSelection\s*\(\s*\)\.toString/gi,
-                ],
-                description: "Keystroke/clipboard capture",
-            },
-            {
-                action: "persistence",
-                patterns: [
-                    /globalState\.update/gi,
-                    /writeFileSync?\s*\([^)]*keystroke/gi,
-                    /localStorage\.setItem/gi,
-                ],
-                description: "Data storage",
-            },
-            {
-                action: "network",
-                patterns: [/discord\.com\/api\/webhooks/gi, /discordapp\.com\/api\/webhooks/gi],
-                description: "Data exfiltration to Discord",
-            },
-        ],
-        minStages: 2,
-        legitimateUses: ["Keyboard shortcut extensions"],
-        redFlags: ["Captures all keystrokes", "Sends to Discord webhook", "No user consent mechanism"],
-    },
-    {
-        id: "BEHAVIOR_CRYPTO_STEALER",
-        title: "Cryptocurrency stealer pattern",
-        description: "Code scans for wallet files, extracts keys/seeds, and exfiltrates them.",
-        severity: "critical",
-        stages: [
-            {
-                action: "file_read",
-                patterns: [
-                    /\.ethereum/gi,
-                    /\.bitcoin/gi,
-                    /wallet\.dat/gi,
-                    /keystore/gi,
-                    /seed.*phrase/gi,
-                    /mnemonic/gi,
-                ],
-                description: "Wallet file access",
-            },
-            {
-                action: "encode",
-                patterns: [
-                    /btoa\s*\(/gi, // More specific - require function call
-                    /Buffer\.from\s*\([^)]*\)\.toString\s*\(\s*['"]base64/gi,
-                    /toString\s*\(\s*['"](?:base64|hex)['"]\s*\)/gi,
-                ],
-                description: "Data encoding for exfil",
-            },
-            {
-                action: "network",
-                patterns: [/discord.*webhook/gi, /\.post\s*\([^)]*wallet/gi],
-                description: "Exfiltration",
-            },
-        ],
-        // Require all 3 stages - wallet access is the key indicator
-        minStages: 3,
-        maxSpan: 1500,
-        redFlags: [
-            "Scans for multiple wallet types",
-            "Extracts private keys",
-            "Sends to Discord/external",
-        ],
-    },
-    {
-        id: "BEHAVIOR_PERSISTENCE",
-        title: "Persistence mechanism pattern",
-        description: "Code modifies startup files, schedules tasks, or installs itself for persistence.",
-        severity: "high",
-        stages: [
-            {
-                action: "file_read",
-                patterns: [
-                    /\.bashrc/gi,
-                    /\.zshrc/gi,
-                    /\.profile/gi,
-                    /crontab/gi,
-                    /startup/gi,
-                    /autostart/gi,
-                ],
-                description: "Startup file access",
-            },
-            {
-                action: "persistence",
-                patterns: [/writeFile/gi, /appendFile/gi, /fs\.promises\.writeFile/gi],
-                description: "File modification",
-            },
-        ],
-        legitimateUses: ["Shell configuration tools", "Development environment setup"],
-        redFlags: ["Writes to startup files", "Adds hidden entries", "No user interaction"],
-    },
-    {
-        id: "BEHAVIOR_SELF_PROPAGATION",
-        title: "Self-propagation pattern",
-        description: "Code accesses package publishing credentials and attempts to publish itself. This is worm-like behavior.",
-        severity: "critical",
-        stages: [
-            {
-                action: "file_read",
-                patterns: [/\.npmrc/gi, /NPM_TOKEN/gi, /OPENVSX_TOKEN/gi, /npm\s+config/gi],
-                description: "Publishing credential access",
-            },
-            {
-                action: "exec",
-                patterns: [/npm\s+publish/gi, /vsce\s+publish/gi, /ovsx\s+publish/gi, /yarn\s+publish/gi],
-                description: "Package publishing",
-            },
-        ],
-        redFlags: ["Accesses publish tokens", "Runs publish commands", "GlassWorm-style worm"],
-    },
-];
-/**
- * Find all matches for patterns in content
- */
-function findPatternMatches(content, patterns) {
-    const matches = [];
-    for (const pattern of patterns) {
-        const regex = new RegExp(pattern.source, pattern.flags);
-        let match;
-        while ((match = regex.exec(content)) !== null) {
-            matches.push({
-                index: match.index,
-                matched: match[0].slice(0, 60),
-            });
-        }
-    }
-    return matches;
-}
-/**
- * Check if a signature matches in the content
- */
-function checkSignature(content, signature) {
-    const stageMatches = [];
-    const minStages = signature.minStages ?? signature.stages.length;
-    const maxSpan = signature.maxSpan ?? 3000;
-    // Find matches for each stage
-    for (const stage of signature.stages) {
-        const matches = findPatternMatches(content, stage.patterns);
-        if (matches.length > 0) {
-            const firstMatch = matches[0];
-            if (firstMatch) {
-                stageMatches.push({
-                    stage,
-                    index: firstMatch.index,
-                    matched: firstMatch.matched,
-                });
-            }
-        }
-    }
-    // Check if enough stages matched
-    if (stageMatches.length < minStages) {
-        return null;
-    }
-    // Check if stages are within maxSpan
-    if (stageMatches.length > 1) {
-        const indices = stageMatches.map((m) => m.index);
-        const span = Math.max(...indices) - Math.min(...indices);
-        if (span > maxSpan) {
-            return null;
-        }
-    }
-    return stageMatches;
-}
-export function checkBehavioral(contents) {
-    const findings = [];
-    const seenFindings = new Set();
-    for (const [filename, buffer] of contents.files) {
-        if (!isScannable(filename, SCANNABLE_EXTENSIONS_PATTERN))
-            continue;
-        const content = buffer.toString("utf8");
-        for (const signature of SIGNATURES) {
-            const stageMatches = checkSignature(content, signature);
-            if (!stageMatches)
-                continue;
-            // Deduplicate
-            const key = `${signature.id}:${filename}`;
-            if (seenFindings.has(key))
-                continue;
-            seenFindings.add(key);
-            const firstMatch = stageMatches[0];
-            if (!firstMatch)
-                continue;
-            findings.push({
-                id: signature.id,
-                title: signature.title,
-                description: signature.description,
-                severity: signature.severity,
-                category: "behavioral",
-                location: {
-                    file: filename,
-                    line: findLineNumberByIndex(content, firstMatch.index),
-                },
-                metadata: {
-                    stagesMatched: stageMatches.length,
-                    totalStages: signature.stages.length,
-                    stages: stageMatches.map((m) => ({
-                        action: m.stage.action,
-                        description: m.stage.description,
-                        matched: m.matched,
-                        line: findLineNumberByIndex(content, m.index),
-                    })),
-                    ...(signature.legitimateUses && {
-                        legitimateUses: signature.legitimateUses,
-                    }),
-                    ...(signature.redFlags && { redFlags: signature.redFlags }),
-                },
-            });
-        }
-    }
-    return findings;
-}
-//# sourceMappingURL=behavioral.js.map

package/dist/scanner/checks/behavioral.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"behavioral.js","sourceRoot":"","sources":["../../../src/scanner/checks/behavioral.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAE5E,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AA4CpD,MAAM,UAAU,GAA0B;IACxC;QACE,EAAE,EAAE,2BAA2B;QAC/B,KAAK,EAAE,iCAAiC;QACxC,WAAW,EACT,yIAAyI;QAC3I,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE;YACN;gBACE,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE;oBACR,0BAA0B;oBAC1B,0BAA0B;oBAC1B,yBAAyB;iBAC1B;gBACD,WAAW,EAAE,qBAAqB;aACnC;YACD;gBACE,MAAM,EAAE,QAAQ;gBAChB,QAAQ,EAAE;oBACR,wDAAwD;oBACxD,aAAa;oBACb,iDAAiD;oBACjD,wBAAwB;iBACzB;gBACD,WAAW,EAAE,gCAAgC;aAC9C;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE;oBACR,cAAc;oBACd,WAAW;oBACX,mBAAmB;oBACnB,eAAe;oBACf,eAAe;iBAChB;gBACD,WAAW,EAAE,sBAAsB;aACpC;SACF;QACD,QAAQ,EAAE;YACR,mCAAmC;YACnC,wBAAwB;YACxB,0BAA0B;SAC3B;KACF;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EACT,sHAAsH;QACxH,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE;YACN;gBACE,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE;oBACR,eAAe;oBACf,gBAAgB;oBAChB,yBAAyB;oBACzB,mBAAmB;iBACpB;gBACD,WAAW,EAAE,oBAAoB;aAClC;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,CAAC,iBAAiB,EAAE,gBAAgB,EAAE,eAAe,EAAE,kBAAkB,CAAC;gBACpF,WAAW,EAAE,mBAAmB;aACjC;SACF;QACD,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,CAAC,uBAAuB,EAAE,0BAA0B,CAAC;KAChE;IACD;QACE,EAAE,EAAE,8BAA8B;QAClC,KAAK,EAAE,+BAA+B;QACtC,WAAW,EACT,2HAA2H;QAC7H,QAAQ,EAAE,MAAM,EAAE,gDAAgD;QAClE,MAAM,EAAE;YACN;gBACE,MAAM,EAAE,YAAY;gBACpB,QAAQ,EAAE;oBACR,sBAAsB;oBACtB,uBAAuB;oBACvB,8CAA8C;iBAC/C;gBACD,WAAW,EAAE,uBAAuB;aACrC;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,CAAC,4BAA4B,EAAE,iBAAiB,EAAE,kBAAkB,CAAC;gBAC/E,WAAW,EAAE,mBAAmB;aACjC;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE,CAAC,cAAc,EAAE,cAAc,EAAE,WAAW,EAAE,WAAW,CAAC;gBACpE,WAAW,EAAE,kBAAkB;aAChC;SACF;QACD,SAAS,EAAE,CAAC,EAAE,iDAAiD;QAC/D,OAAO,EAAE,IAAI,EAAE,gCAAgC;QAC/C,cAAc,EAAE,CAAC,eAAe,EAAE,mBAAmB,CAAC;QACtD,QAAQ,EAAE,CAAC,qBAAqB,EAAE,sBAAsB,EAAE,yBAAyB,CAAC;KACrF;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,yBAAyB;QAChC,WAAW,EACT,mHAAmH;QACrH,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE;YACN;gBACE,MAAM,EAAE,UAAU;gBAClB,QAAQ,EAAE;oBACR,8BAA8B;oBAC9B,mCAAmC;oBACnC,oBAAoB;oBACpB,gCAAgC;iBACjC;gBACD,WAAW,EAAE,yBAAyB;aACvC;YACD;gBACE,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE;oBACR,2BAA2B;oBAC3B,0BAA0B;oBAC1B,2BAA2B;iBAC5B;gBACD,WAAW,EAAE,YAAY;aAC1B;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,CAAC,iBAAiB,EAAE,eAAe,EAAE,gBAAgB,EAAE,YAAY,CAAC;gBAC9E,WAAW,EAAE,WAAW;aACzB;SACF;QACD,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE;YACR,sBAAsB;YACtB,mCAAmC;YACnC,6BAA6B;SAC9B;KACF;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EACT,2GAA2G;QAC7G,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE;YACN;gBACE,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE;oBACR,6EAA6E;oBAC7E,gDAAgD;oBAChD,mBAAmB;oBACnB,0BAA0B;oBAC1B,uBAAuB;oBACvB,oCAAoC;iBACrC;gBACD,WAAW,EAAE,6BAA6B;aAC3C;YACD;gBACE,MAAM,EAAE,aAAa;gBACrB,QAAQ,EAAE;oBACR,uBAAuB;oBACvB,qCAAqC;oBACrC,yBAAyB;iBAC1B;gBACD,WAAW,EAAE,cAAc;aAC5B;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE,CAAC,+BAA+B,EAAE,kCAAkC,CAAC;gBAC/E,WAAW,EAAE,8BAA8B;aAC5C;SACF;QACD,SAAS,EAAE,CAAC;QACZ,cAAc,EAAE,CAAC,8BAA8B,CAAC;QAChD,QAAQ,EAAE,CAAC,yBAAyB,EAAE,0BAA0B,EAAE,2BAA2B,CAAC;KAC/F;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,yEAAyE;QACtF,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE;YACN;gBACE,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE;oBACR,cAAc;oBACd,aAAa;oBACb,eAAe;oBACf,YAAY;oBACZ,gBAAgB;oBAChB,YAAY;iBACb;gBACD,WAAW,EAAE,oBAAoB;aAClC;YACD;gBACE,MAAM,EAAE,QAAQ;gBAChB,QAAQ,EAAE;oBACR,aAAa,EAAE,wCAAwC;oBACvD,wDAAwD;oBACxD,+CAA+C;iBAChD;gBACD,WAAW,EAAE,yBAAyB;aACvC;YACD;gBACE,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE,CAAC,oBAAoB,EAAE,0BAA0B,CAAC;gBAC5D,WAAW,EAAE,cAAc;aAC5B;SACF;QACD,4DAA4D;QAC5D,SAAS,EAAE,CAAC;QACZ,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE;YACR,iCAAiC;YACjC,uBAAuB;YACvB,2BAA2B;SAC5B;KACF;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,+BAA+B;QACtC,WAAW,EACT,mFAAmF;QACrF,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE;YACN;gBACE,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE;oBACR,YAAY;oBACZ,WAAW;oBACX,aAAa;oBACb,WAAW;oBACX,WAAW;oBACX,aAAa;iBACd;gBACD,WAAW,EAAE,qBAAqB;aACnC;YACD;gBACE,MAAM,EAAE,aAAa;gBACrB,QAAQ,EAAE,CAAC,aAAa,EAAE,cAAc,EAAE,2BAA2B,CAAC;gBACtE,WAAW,EAAE,mBAAmB;aACjC;SACF;QACD,cAAc,EAAE,CAAC,2BAA2B,EAAE,+BAA+B,CAAC;QAC9E,QAAQ,EAAE,CAAC,yBAAyB,EAAE,qBAAqB,EAAE,qBAAqB,CAAC;KACpF;IACD;QACE,EAAE,EAAE,2BAA2B;QAC/B,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,0GAA0G;QAC5G,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE;YACN;gBACE,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE,CAAC,WAAW,EAAE,aAAa,EAAE,iBAAiB,EAAE,gBAAgB,CAAC;gBAC3E,WAAW,EAAE,8BAA8B;aAC5C;YACD;gBACE,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,kBAAkB,CAAC;gBACzF,WAAW,EAAE,oBAAoB;aAClC;SACF;QACD,QAAQ,EAAE,CAAC,yBAAyB,EAAE,uBAAuB,EAAE,sBAAsB,CAAC;KACvF;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,kBAAkB,CACzB,OAAe,EACf,QAAkB;IAElB,MAAM,OAAO,GAAyC,EAAE,CAAC;IAEzD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAA6B,CAAC;QAElC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,OAAe,EAAE,SAA8B;IACrE,MAAM,YAAY,GAAiB,EAAE,CAAC;IACtC,MAAM,SAAS,GAAG,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC;IACjE,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,IAAI,IAAI,CAAC;IAE1C,8BAA8B;IAC9B,KAAK,MAAM,KAAK,IAAI,SAAS,CAAC,MAAM,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC5D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAC9B,IAAI,UAAU,EAAE,CAAC;gBACf,YAAY,CAAC,IAAI,CAAC;oBAChB,KAAK;oBACL,KAAK,EAAE,UAAU,CAAC,KAAK;oBACvB,OAAO,EAAE,UAAU,CAAC,OAAO;iBAC5B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,IAAI,YAAY,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,qCAAqC;IACrC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;QACzD,IAAI,IAAI,GAAG,OAAO,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,QAAsB;IACpD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IAEvC,KAAK,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QAChD,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,4BAA4B,CAAC;YAAE,SAAS;QAEnE,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAExC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,MAAM,YAAY,GAAG,cAAc,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YACxD,IAAI,CAAC,YAAY;gBAAE,SAAS;YAE5B,cAAc;YACd,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC,EAAE,IAAI,QAAQ,EAAE,CAAC;YAC1C,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YACpC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,MAAM,UAAU,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS,CAAC,EAAE;gBAChB,KAAK,EAAE,SAAS,CAAC,KAAK;gBACtB,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,QAAQ,EAAE,SAAS,CAAC,QAAQ;gBAC5B,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC;iBACvD;gBACD,QAAQ,EAAE;oBACR,aAAa,EAAE,YAAY,CAAC,MAAM;oBAClC,WAAW,EAAE,SAAS,CAAC,MAAM,CAAC,MAAM;oBACpC,MAAM,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wBAC/B,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM;wBACtB,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,WAAW;wBAChC,OAAO,EAAE,CAAC,CAAC,OAAO;wBAClB,IAAI,EAAE,qBAAqB,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC;qBAC9C,CAAC,CAAC;oBACH,GAAG,CAAC,SAAS,CAAC,cAAc,IAAI;wBAC9B,cAAc,EAAE,SAAS,CAAC,cAAc;qBACzC,CAAC;oBACF,GAAG,CAAC,SAAS,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC;iBAC5D;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanner/checks/blocklist.d.ts

@@ -1,3 +0,0 @@
-import type { BlocklistEntry, Finding, VsixManifest } from "../types.js";
-export declare function checkBlocklist(manifest: VsixManifest, blocklist: BlocklistEntry[]): Finding[];
-//# sourceMappingURL=blocklist.d.ts.map

package/dist/scanner/checks/blocklist.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"blocklist.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/blocklist.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAUzE,wBAAgB,cAAc,CAAC,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,cAAc,EAAE,GAAG,OAAO,EAAE,CAyB7F"}

package/dist/scanner/checks/blocklist.js

@@ -1,32 +0,0 @@
-function matchesWildcard(extensionId, pattern) {
-    if (pattern.endsWith(".*")) {
-        const prefix = pattern.slice(0, -2);
-        return extensionId.startsWith(prefix + ".");
-    }
-    return extensionId === pattern;
-}
-export function checkBlocklist(manifest, blocklist) {
-    const findings = [];
-    const extensionId = `${manifest.publisher}.${manifest.name}`;
-    for (const entry of blocklist) {
-        if (matchesWildcard(extensionId, entry.id)) {
-            findings.push({
-                id: "BLOCKLIST_MATCH",
-                title: "Extension on malware blocklist",
-                description: `Extension "${extensionId}" matches blocklisted pattern "${entry.id}": ${entry.reason}`,
-                severity: "critical",
-                category: "blocklist",
-                location: {
-                    file: "package.json",
-                },
-                metadata: {
-                    campaign: entry.campaign,
-                    reference: entry.reference,
-                    blocklistEntry: entry.id,
-                },
-            });
-        }
-    }
-    return findings;
-}
-//# sourceMappingURL=blocklist.js.map

package/dist/scanner/checks/blocklist.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"blocklist.js","sourceRoot":"","sources":["../../../src/scanner/checks/blocklist.ts"],"names":[],"mappings":"AAEA,SAAS,eAAe,CAAC,WAAmB,EAAE,OAAe;IAC3D,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACpC,OAAO,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,WAAW,KAAK,OAAO,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,QAAsB,EAAE,SAA2B;IAChF,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAG,GAAG,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;IAE7D,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,eAAe,CAAC,WAAW,EAAE,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,iBAAiB;gBACrB,KAAK,EAAE,gCAAgC;gBACvC,WAAW,EAAE,cAAc,WAAW,kCAAkC,KAAK,CAAC,EAAE,MAAM,KAAK,CAAC,MAAM,EAAE;gBACpG,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,WAAW;gBACrB,QAAQ,EAAE;oBACR,IAAI,EAAE,cAAc;iBACrB;gBACD,QAAQ,EAAE;oBACR,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,SAAS,EAAE,KAAK,CAAC,SAAS;oBAC1B,cAAc,EAAE,KAAK,CAAC,EAAE;iBACzB;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanner/checks/blocklist.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=blocklist.test.d.ts.map

package/dist/scanner/checks/blocklist.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"blocklist.test.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/blocklist.test.ts"],"names":[],"mappings":""}

package/dist/scanner/checks/blocklist.test.js

@@ -1,74 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { checkBlocklist } from "./blocklist.js";
-describe("checkBlocklist", () => {
-    const blocklist = [
-        {
-            id: "malicious.extension",
-            name: "Malicious Extension",
-            reason: "Known malware",
-            campaign: "Test",
-        },
-        {
-            id: "badpublisher.*",
-            name: "Bad Publisher (all)",
-            reason: "All extensions from this publisher are malicious",
-            campaign: "Test",
-        },
-        {
-            id: "498-00.*",
-            name: "498-00 publisher (all)",
-            reason: "TigerJack republished extensions",
-            campaign: "TigerJack",
-        },
-    ];
-    it("matches exact extension ID", () => {
-        const manifest = {
-            name: "extension",
-            publisher: "malicious",
-            version: "1.0.0",
-        };
-        const findings = checkBlocklist(manifest, blocklist);
-        expect(findings).toHaveLength(1);
-        expect(findings[0]?.id).toBe("BLOCKLIST_MATCH");
-        expect(findings[0]?.severity).toBe("critical");
-    });
-    it("matches wildcard publisher pattern", () => {
-        const manifest = {
-            name: "some-extension",
-            publisher: "badpublisher",
-            version: "1.0.0",
-        };
-        const findings = checkBlocklist(manifest, blocklist);
-        expect(findings).toHaveLength(1);
-        expect(findings[0]?.metadata?.["blocklistEntry"]).toBe("badpublisher.*");
-    });
-    it("matches publisher with special characters in pattern", () => {
-        const manifest = {
-            name: "pythonformat",
-            publisher: "498-00",
-            version: "1.0.0",
-        };
-        const findings = checkBlocklist(manifest, blocklist);
-        expect(findings).toHaveLength(1);
-        expect(findings[0]?.metadata?.["blocklistEntry"]).toBe("498-00.*");
-    });
-    it("does not match clean extension", () => {
-        const manifest = {
-            name: "clean-extension",
-            publisher: "trusted-publisher",
-            version: "1.0.0",
-        };
-        const findings = checkBlocklist(manifest, blocklist);
-        expect(findings).toHaveLength(0);
-    });
-    it("does not match partial ID without wildcard", () => {
-        const manifest = {
-            name: "extension-extra",
-            publisher: "malicious",
-            version: "1.0.0",
-        };
-        const findings = checkBlocklist(manifest, blocklist);
-        expect(findings).toHaveLength(0);
-    });
-});
-//# sourceMappingURL=blocklist.test.js.map

package/dist/scanner/checks/blocklist.test.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"blocklist.test.js","sourceRoot":"","sources":["../../../src/scanner/checks/blocklist.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,MAAM,SAAS,GAAqB;QAClC;YACE,EAAE,EAAE,qBAAqB;YACzB,IAAI,EAAE,qBAAqB;YAC3B,MAAM,EAAE,eAAe;YACvB,QAAQ,EAAE,MAAM;SACjB;QACD;YACE,EAAE,EAAE,gBAAgB;YACpB,IAAI,EAAE,qBAAqB;YAC3B,MAAM,EAAE,kDAAkD;YAC1D,QAAQ,EAAE,MAAM;SACjB;QACD;YACE,EAAE,EAAE,UAAU;YACd,IAAI,EAAE,wBAAwB;YAC9B,MAAM,EAAE,kCAAkC;YAC1C,QAAQ,EAAE,WAAW;SACtB;KACF,CAAC;IAEF,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,WAAW;YACjB,SAAS,EAAE,WAAW;YACtB,OAAO,EAAE,OAAO;SACjB,CAAC;QAEF,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACrD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAChD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,cAAc;YACzB,OAAO,EAAE,OAAO;SACjB,CAAC;QAEF,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACrD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,cAAc;YACpB,SAAS,EAAE,QAAQ;YACnB,OAAO,EAAE,OAAO;SACjB,CAAC;QAEF,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACrD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,iBAAiB;YACvB,SAAS,EAAE,mBAAmB;YAC9B,OAAO,EAAE,OAAO;SACjB,CAAC;QAEF,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACrD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,iBAAiB;YACvB,SAAS,EAAE,WAAW;YACtB,OAAO,EAAE,OAAO;SACjB,CAAC;QAEF,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACrD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanner/checks/chains.d.ts

@@ -1,35 +0,0 @@
-import type { Finding, Severity, VsixContents } from "../types.js";
-/**
- * Unified chain detection for multi-stage attack patterns.
- *
- * This module consolidates DataFlow (2-stage source→sink) and Behavioral (N-stage)
- * detection into a single framework. Both share the same mechanics:
- * - Find pattern matches across stages
- * - Check proximity/span constraints
- * - Deduplicate findings
- */
-export interface ChainStage {
-    id: string;
-    name: string;
-    patterns: RegExp[];
-}
-export interface ChainRule {
-    id: string;
-    title: string;
-    description: string;
-    severity: Severity;
-    stages: ChainStage[];
-    constraints: {
-        /** Minimum stages that must match (default: all) */
-        minStages?: number;
-        /** Maximum distance between first and last stage match (default: 3000 chars) */
-        maxSpan?: number;
-    };
-    legitimateUses?: string[];
-    redFlags?: string[];
-}
-declare const STAGES: Record<string, ChainStage>;
-declare const CHAIN_RULES: ChainRule[];
-export declare function checkChains(contents: VsixContents): Finding[];
-export { CHAIN_RULES, STAGES };
-//# sourceMappingURL=chains.d.ts.map

package/dist/scanner/checks/chains.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"chains.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/chains.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGnE;;;;;;;;GAQG;AAEH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,QAAQ,CAAC;IACnB,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,WAAW,EAAE;QACX,oDAAoD;QACpD,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,gFAAgF;QAChF,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAaD,QAAA,MAAM,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAgOtC,CAAC;AAMF,QAAA,MAAM,WAAW,EAAE,SAAS,EA6K3B,CAAC;AAyEF,wBAAgB,WAAW,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,EAAE,CAmD7D;AAGD,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC"}