@trailofbits/vsix-audit 0.1.0

package/dist/scanner/checks/ioc.test.js

@@ -0,0 +1,298 @@
+import { describe, expect, it } from "vitest";
+import { checkDomains, checkHashes, checkIocs, checkIps, checkWallets, isLikelySolanaAddress, } from "./ioc.js";
+function makeContents(files) {
+    const manifest = {
+        name: "test",
+        publisher: "test",
+        version: "1.0.0",
+    };
+    const fileMap = new Map();
+    fileMap.set("package.json", Buffer.from(JSON.stringify(manifest)));
+    for (const [name, content] of Object.entries(files)) {
+        fileMap.set(name, Buffer.from(content));
+    }
+    return {
+        manifest,
+        files: fileMap,
+        basePath: "/test",
+    };
+}
+function makeZooData(overrides = {}) {
+    return {
+        blocklist: [],
+        hashes: new Set(),
+        domains: new Set(),
+        ips: new Set(),
+        maliciousNpmPackages: new Set(),
+        wallets: new Set(),
+        blockchainAllowlist: new Set(),
+        ...overrides,
+    };
+}
+function makeContentsWithPublisher(files, publisher, name) {
+    const manifest = {
+        name,
+        publisher,
+        version: "1.0.0",
+    };
+    const fileMap = new Map();
+    fileMap.set("package.json", Buffer.from(JSON.stringify(manifest)));
+    for (const [fname, content] of Object.entries(files)) {
+        fileMap.set(fname, Buffer.from(content));
+    }
+    return {
+        manifest,
+        files: fileMap,
+        basePath: "/test",
+    };
+}
+describe("checkHashes", () => {
+    it("detects known malware hash", () => {
+        const contents = makeContents({ "malware.js": "malicious code" });
+        // Get hash of the malware.js file content
+        const malwareHash = "69d58c3edfcb35a3b17e38b0ed3c86e8a5f5e5d0c7e9b8d7b4a3b2c1d0e9f8a7";
+        const knownHashes = new Set([malwareHash]);
+        // Compute the actual hash of "malicious code"
+        const crypto = require("node:crypto");
+        const actualHash = crypto.createHash("sha256").update("malicious code").digest("hex");
+        knownHashes.add(actualHash);
+        const findings = checkHashes(contents, knownHashes);
+        expect(findings.some((f) => f.id === "KNOWN_MALWARE_HASH")).toBe(true);
+        expect(findings[0]?.severity).toBe("critical");
+    });
+    it("does not flag unknown files", () => {
+        const contents = makeContents({ "clean.js": "clean code" });
+        const knownHashes = new Set([
+            "0000000000000000000000000000000000000000000000000000000000000000",
+        ]);
+        const findings = checkHashes(contents, knownHashes);
+        expect(findings).toHaveLength(0);
+    });
+});
+describe("checkDomains", () => {
+    it("detects known C2 domain in JS file", () => {
+        const contents = makeContents({
+            "extension.js": 'fetch("https://evil-c2.example.com/exfil")',
+        });
+        const knownDomains = new Set(["evil-c2.example.com"]);
+        const findings = checkDomains(contents, knownDomains);
+        expect(findings.some((f) => f.id === "KNOWN_C2_DOMAIN")).toBe(true);
+        expect(findings[0]?.severity).toBe("critical");
+        expect(findings[0]?.metadata?.["domain"]).toBe("evil-c2.example.com");
+    });
+    it("detects domain in JSON file", () => {
+        const contents = makeContents({
+            "config.json": '{"url": "https://malware.badsite.net/api"}',
+        });
+        const knownDomains = new Set(["malware.badsite.net"]);
+        const findings = checkDomains(contents, knownDomains);
+        expect(findings.some((f) => f.id === "KNOWN_C2_DOMAIN")).toBe(true);
+    });
+    it("skips non-scannable files", () => {
+        const contents = makeContents({
+            "image.png": "evil-c2.example.com",
+        });
+        const knownDomains = new Set(["evil-c2.example.com"]);
+        const findings = checkDomains(contents, knownDomains);
+        expect(findings).toHaveLength(0);
+    });
+    it("does not flag unknown domains", () => {
+        const contents = makeContents({
+            "extension.js": 'fetch("https://api.github.com/repos")',
+        });
+        const knownDomains = new Set(["evil-c2.example.com"]);
+        const findings = checkDomains(contents, knownDomains);
+        expect(findings).toHaveLength(0);
+    });
+});
+describe("checkIps", () => {
+    it("detects known C2 IP address", () => {
+        const contents = makeContents({
+            "extension.js": 'const server = "185.234.123.45:8080";',
+        });
+        const knownIps = new Set(["185.234.123.45"]);
+        const findings = checkIps(contents, knownIps);
+        expect(findings.some((f) => f.id === "KNOWN_C2_IP")).toBe(true);
+        expect(findings[0]?.severity).toBe("critical");
+        expect(findings[0]?.metadata?.["ip"]).toBe("185.234.123.45");
+    });
+    it("ignores private/localhost IPs", () => {
+        const contents = makeContents({
+            "extension.js": 'const local = "127.0.0.1"; const private = "192.168.1.1";',
+        });
+        const knownIps = new Set(["127.0.0.1", "192.168.1.1"]);
+        const findings = checkIps(contents, knownIps);
+        // These should be filtered out by isValidIp
+        expect(findings).toHaveLength(0);
+    });
+    it("does not flag unknown IPs", () => {
+        const contents = makeContents({
+            "extension.js": 'const api = "8.8.8.8";',
+        });
+        const knownIps = new Set(["185.234.123.45"]);
+        const findings = checkIps(contents, knownIps);
+        expect(findings).toHaveLength(0);
+    });
+});
+describe("checkWallets", () => {
+    it("detects Bitcoin wallet address", () => {
+        const contents = makeContents({
+            "extension.js": `const addr = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa";`,
+        });
+        const findings = checkWallets(contents, new Set());
+        expect(findings).toHaveLength(1);
+        expect(findings[0]?.id).toBe("CRYPTO_WALLET_DETECTED");
+        expect(findings[0]?.severity).toBe("high");
+        expect(findings[0]?.metadata?.["currency"]).toBe("BTC");
+    });
+    it("detects Ethereum wallet address", () => {
+        const contents = makeContents({
+            "extension.js": `const eth = "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE42";`,
+        });
+        const findings = checkWallets(contents, new Set());
+        expect(findings).toHaveLength(1);
+        expect(findings[0]?.id).toBe("CRYPTO_WALLET_DETECTED");
+        expect(findings[0]?.metadata?.["currency"]).toBe("ETH");
+    });
+    it("detects Solana wallet address", () => {
+        const contents = makeContents({
+            "extension.js": `const sol = "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC";`,
+        });
+        const findings = checkWallets(contents, new Set());
+        expect(findings).toHaveLength(1);
+        expect(findings[0]?.id).toBe("CRYPTO_WALLET_DETECTED");
+        expect(findings[0]?.metadata?.["currency"]).toBe("SOL");
+    });
+    it("escalates known malicious wallet to critical", () => {
+        const knownWallet = "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC";
+        const contents = makeContents({
+            "extension.js": `const payout = "${knownWallet}";`,
+        });
+        const knownWallets = new Set([knownWallet]);
+        const findings = checkWallets(contents, knownWallets);
+        expect(findings).toHaveLength(1);
+        expect(findings[0]?.id).toBe("KNOWN_MALWARE_WALLET");
+        expect(findings[0]?.severity).toBe("critical");
+        expect(findings[0]?.metadata?.["knownMalicious"]).toBe(true);
+    });
+    it("skips non-scannable files", () => {
+        const contents = makeContents({
+            "image.png": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
+        });
+        const findings = checkWallets(contents, new Set());
+        expect(findings).toHaveLength(0);
+    });
+});
+describe("checkIocs", () => {
+    it("combines all IOC checks", () => {
+        const contents = makeContents({
+            "extension.js": 'fetch("https://evil.example.com"); const ip = "185.234.123.45";',
+        });
+        const zooData = makeZooData({
+            domains: new Set(["evil.example.com"]),
+            ips: new Set(["185.234.123.45"]),
+        });
+        const findings = checkIocs(contents, zooData);
+        expect(findings.some((f) => f.id === "KNOWN_C2_DOMAIN")).toBe(true);
+        expect(findings.some((f) => f.id === "KNOWN_C2_IP")).toBe(true);
+    });
+    it("returns empty for clean extension", () => {
+        const contents = makeContents({
+            "extension.js": 'console.log("hello world");',
+        });
+        const zooData = makeZooData({
+            domains: new Set(["evil.example.com"]),
+            ips: new Set(["185.234.123.45"]),
+            hashes: new Set(["0000000000000000000000000000000000000000000000000000000000000000"]),
+        });
+        const findings = checkIocs(contents, zooData);
+        expect(findings).toHaveLength(0);
+    });
+});
+describe("isLikelySolanaAddress", () => {
+    it("returns true for real Solana addresses with digits distributed throughout", () => {
+        // Real SOL address with digits distributed
+        expect(isLikelySolanaAddress("FvGoyLXBSPu2pwx788zuWdCtWX7Hy9mwk")).toBe(true);
+        expect(isLikelySolanaAddress("BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC")).toBe(true);
+        // Address with digits early in string
+        expect(isLikelySolanaAddress("9WzDXwBbmkg8ZTbNMqUxvQRAyrZzDsGYdLVL9zYtAWWM")).toBe(true);
+    });
+    it("returns false for camelCase JS identifiers without digits", () => {
+        // Common VS Code API identifiers that triggered false positives
+        expect(isLikelySolanaAddress("registerDocumentSemanticTokensProvider")).toBe(false);
+        expect(isLikelySolanaAddress("createDiagnosticCollection")).toBe(false);
+        expect(isLikelySolanaAddress("onDidChangeConfiguration")).toBe(false);
+        expect(isLikelySolanaAddress("executeDocumentSymbolProvider")).toBe(false);
+    });
+    it("returns false for identifiers with only trailing digits", () => {
+        // JS identifiers with trailing numbers (e.g., Type2, Handler3)
+        expect(isLikelySolanaAddress("DidChangeConfigurationNotification2")).toBe(false);
+        expect(isLikelySolanaAddress("DocumentSymbolRequest1")).toBe(false);
+        expect(isLikelySolanaAddress("CompletionItemKind25")).toBe(false);
+    });
+    it("returns false for strings with only one digit", () => {
+        expect(isLikelySolanaAddress("registerDocument1SemanticTokensProvider")).toBe(false);
+        expect(isLikelySolanaAddress("abc1defghijklmnopqrstuvwxyzabcdefgh")).toBe(false);
+    });
+    it("returns false for lowercase hex strings (git hashes, checksums)", () => {
+        // Git commit hashes (40 hex chars)
+        expect(isLikelySolanaAddress("7751e69b615c6eca6f783a81e292a55725af6b85")).toBe(false);
+        expect(isLikelySolanaAddress("85d8f7c97ae473ccb9473f6c8d27e4ec957f4be1")).toBe(false);
+        // Shorter integrity checksums
+        expect(isLikelySolanaAddress("e69de29bb2d1d6434b8b29ae775ad8c2e48c5391")).toBe(false);
+        expect(isLikelySolanaAddress("82f85941b4acf562dfb6bb4d69f2d842")).toBe(false);
+    });
+    it("returns false for identifiers without uppercase letters", () => {
+        // Pure lowercase strings should be rejected
+        expect(isLikelySolanaAddress("fromcertificatewithsha256thumbprint")).toBe(false);
+        expect(isLikelySolanaAddress("pubbbf48e6d78dae54bceaa4acf463299bf")).toBe(false);
+    });
+});
+describe("checkWallets blockchain allowlist", () => {
+    it("skips wallet detection for allowlisted blockchain extensions", () => {
+        const contents = makeContentsWithPublisher({
+            "extension.js": `const ens = "0x00000000000C2E074eC69A0dFb2997BA6C7d2e1e";`,
+        }, "JuanBlanco", "solidity");
+        const allowlist = new Set(["JuanBlanco.solidity"]);
+        const findings = checkWallets(contents, new Set(), allowlist);
+        expect(findings).toHaveLength(0);
+    });
+    it("detects wallets in non-allowlisted extensions", () => {
+        const contents = makeContentsWithPublisher({
+            "extension.js": `const eth = "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE42";`,
+        }, "unknown", "suspicious");
+        const allowlist = new Set(["JuanBlanco.solidity"]);
+        const findings = checkWallets(contents, new Set(), allowlist);
+        expect(findings).toHaveLength(1);
+        expect(findings[0]?.id).toBe("CRYPTO_WALLET_DETECTED");
+    });
+    it("detects wallets when allowlist is undefined", () => {
+        const contents = makeContentsWithPublisher({
+            "extension.js": `const eth = "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE42";`,
+        }, "unknown", "extension");
+        const findings = checkWallets(contents, new Set(), undefined);
+        expect(findings).toHaveLength(1);
+    });
+});
+describe("checkWallets SOL validation", () => {
+    it("filters out JS identifiers that match SOL pattern", () => {
+        const contents = makeContents({
+            "extension.js": `
+        vscode.languages.registerDocumentSemanticTokensProvider();
+        const handler = DidChangeConfigurationNotification2;
+      `,
+        });
+        const findings = checkWallets(contents, new Set());
+        // Should not flag any of these as SOL wallets
+        expect(findings).toHaveLength(0);
+    });
+    it("detects real Solana addresses with digits distributed", () => {
+        const contents = makeContents({
+            "extension.js": `const wallet = "FvGoyLXBSPu2pwx788zuWdCtWX7Hy9mwk";`,
+        });
+        const findings = checkWallets(contents, new Set());
+        expect(findings).toHaveLength(1);
+        expect(findings[0]?.metadata?.["currency"]).toBe("SOL");
+    });
+});
+//# sourceMappingURL=ioc.test.js.map

package/dist/scanner/checks/ioc.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ioc.test.js","sourceRoot":"","sources":["../../../src/scanner/checks/ioc.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EACL,YAAY,EACZ,WAAW,EACX,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,qBAAqB,GACtB,MAAM,UAAU,CAAC;AAElB,SAAS,YAAY,CAAC,KAA6B;IACjD,MAAM,QAAQ,GAAiB;QAC7B,IAAI,EAAE,MAAM;QACZ,SAAS,EAAE,MAAM;QACjB,OAAO,EAAE,OAAO;KACjB,CAAC;IACF,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IACnE,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO;QACL,QAAQ;QACR,KAAK,EAAE,OAAO;QACd,QAAQ,EAAE,OAAO;KAClB,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,YAA8B,EAAE;IACnD,OAAO;QACL,SAAS,EAAE,EAAE;QACb,MAAM,EAAE,IAAI,GAAG,EAAE;QACjB,OAAO,EAAE,IAAI,GAAG,EAAE;QAClB,GAAG,EAAE,IAAI,GAAG,EAAE;QACd,oBAAoB,EAAE,IAAI,GAAG,EAAE;QAC/B,OAAO,EAAE,IAAI,GAAG,EAAE;QAClB,mBAAmB,EAAE,IAAI,GAAG,EAAE;QAC9B,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,SAAS,yBAAyB,CAChC,KAA6B,EAC7B,SAAiB,EACjB,IAAY;IAEZ,MAAM,QAAQ,GAAiB;QAC7B,IAAI;QACJ,SAAS;QACT,OAAO,EAAE,OAAO;KACjB,CAAC;IACF,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IACnE,KAAK,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO;QACL,QAAQ;QACR,KAAK,EAAE,OAAO;QACd,QAAQ,EAAE,OAAO;KAClB,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,YAAY,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAClE,0CAA0C;QAC1C,MAAM,WAAW,GAAG,kEAAkE,CAAC;QACvF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;QAE3C,8CAA8C;QAC9C,MAAM,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtF,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAE5B,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QACpD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;YAC1B,kEAAkE;SACnE,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QACpD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,4CAA4C;SAC7D,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAEtD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QACtD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,aAAa,EAAE,4CAA4C;SAC5D,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAEtD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QACtD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,WAAW,EAAE,qBAAqB;SACnC,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAEtD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QACtD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,uCAAuC;SACxD,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAEtD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QACtD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE;IACxB,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,uCAAuC;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,2DAA2D;SAC5E,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC,CAAC;QAEvD,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC9C,4CAA4C;QAC5C,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,wBAAwB;SACzC,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,oDAAoD;SACrE,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QAEnD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACvD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,2DAA2D;SAC5E,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QAEnD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACvD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,6DAA6D;SAC9E,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QAEnD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACvD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,WAAW,GAAG,8CAA8C,CAAC;QACnE,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,mBAAmB,WAAW,IAAI;SACnD,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;QAE5C,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAEtD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACrD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,WAAW,EAAE,oCAAoC;SAClD,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QAEnD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,iEAAiE;SAClF,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,WAAW,CAAC;YAC1B,OAAO,EAAE,IAAI,GAAG,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtC,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,gBAAgB,CAAC,CAAC;SACjC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,6BAA6B;SAC9C,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,WAAW,CAAC;YAC1B,OAAO,EAAE,IAAI,GAAG,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtC,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,gBAAgB,CAAC,CAAC;YAChC,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,kEAAkE,CAAC,CAAC;SACtF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,2CAA2C;QAC3C,MAAM,CAAC,qBAAqB,CAAC,mCAAmC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9E,MAAM,CAAC,qBAAqB,CAAC,8CAA8C,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzF,sCAAsC;QACtC,MAAM,CAAC,qBAAqB,CAAC,8CAA8C,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,gEAAgE;QAChE,MAAM,CAAC,qBAAqB,CAAC,wCAAwC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpF,MAAM,CAAC,qBAAqB,CAAC,4BAA4B,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxE,MAAM,CAAC,qBAAqB,CAAC,0BAA0B,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtE,MAAM,CAAC,qBAAqB,CAAC,+BAA+B,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,+DAA+D;QAC/D,MAAM,CAAC,qBAAqB,CAAC,qCAAqC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjF,MAAM,CAAC,qBAAqB,CAAC,wBAAwB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpE,MAAM,CAAC,qBAAqB,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,CAAC,qBAAqB,CAAC,yCAAyC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrF,MAAM,CAAC,qBAAqB,CAAC,qCAAqC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,mCAAmC;QACnC,MAAM,CAAC,qBAAqB,CAAC,0CAA0C,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtF,MAAM,CAAC,qBAAqB,CAAC,0CAA0C,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtF,8BAA8B;QAC9B,MAAM,CAAC,qBAAqB,CAAC,0CAA0C,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtF,MAAM,CAAC,qBAAqB,CAAC,kCAAkC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,4CAA4C;QAC5C,MAAM,CAAC,qBAAqB,CAAC,qCAAqC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjF,MAAM,CAAC,qBAAqB,CAAC,qCAAqC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,QAAQ,GAAG,yBAAyB,CACxC;YACE,cAAc,EAAE,2DAA2D;SAC5E,EACD,YAAY,EACZ,UAAU,CACX,CAAC;QACF,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAE9D,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,QAAQ,GAAG,yBAAyB,CACxC;YACE,cAAc,EAAE,2DAA2D;SAC5E,EACD,SAAS,EACT,YAAY,CACb,CAAC;QACF,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAE9D,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,QAAQ,GAAG,yBAAyB,CACxC;YACE,cAAc,EAAE,2DAA2D;SAC5E,EACD,SAAS,EACT,WAAW,CACZ,CAAC;QAEF,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;QAE9D,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE;;;OAGf;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QAEnD,8CAA8C;QAC9C,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,qDAAqD;SACtE,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QAEnD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanner/checks/manifest.d.ts

@@ -0,0 +1,6 @@
+import type { Finding, VsixManifest } from "../types.js";
+export declare function checkActivationEvents(manifest: VsixManifest): Finding[];
+export declare function checkThemeAbuse(manifest: VsixManifest): Finding[];
+export declare function checkSuspiciousPermissions(manifest: VsixManifest): Finding[];
+export declare function checkManifest(manifest: VsixManifest): Finding[];
+//# sourceMappingURL=manifest.d.ts.map

package/dist/scanner/checks/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/manifest.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEzD,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,EAAE,CAmDvE;AAED,wBAAgB,eAAe,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,EAAE,CAsCjE;AAED,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,EAAE,CAkC5E;AAED,wBAAgB,aAAa,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,EAAE,CAM/D"}

package/dist/scanner/checks/manifest.js

@@ -0,0 +1,123 @@
+export function checkActivationEvents(manifest) {
+    const findings = [];
+    if (manifest.activationEvents?.includes("*")) {
+        findings.push({
+            id: "ACTIVATION_WILDCARD",
+            title: "Extension activates on all events",
+            description: 'Extension uses "activationEvents": ["*"] which activates on every VS Code action. This is often used by malware to ensure immediate execution, but may be legitimate for extensions that need to respond to many different events.',
+            severity: "high",
+            category: "manifest",
+            location: {
+                file: "package.json",
+            },
+            metadata: {
+                legitimateUses: ["Extensions with many contribution points", "Global workspace tools"],
+                redFlags: [
+                    "Simple extension with wildcard activation",
+                    "Combined with suspicious patterns",
+                ],
+            },
+        });
+    }
+    if (manifest.activationEvents?.includes("onStartupFinished")) {
+        findings.push({
+            id: "ACTIVATION_STARTUP",
+            title: "Extension activates on startup",
+            description: 'Extension uses "onStartupFinished" activation event. Common in extensions that need to initialize early (git integration, status bar items, language servers). Review if early activation is necessary for the extension\'s purpose.',
+            severity: "medium",
+            category: "manifest",
+            location: {
+                file: "package.json",
+            },
+            metadata: {
+                legitimateUses: [
+                    "Git integration",
+                    "Status bar extensions",
+                    "Language servers",
+                    "Background services",
+                ],
+                redFlags: [
+                    "Combined with network activity on startup",
+                    "No obvious need for early activation",
+                ],
+            },
+        });
+    }
+    return findings;
+}
+export function checkThemeAbuse(manifest) {
+    const findings = [];
+    const hasMain = Boolean(manifest.main || manifest.browser);
+    const hasThemes = (manifest.contributes?.themes?.length ?? 0) > 0 ||
+        (manifest.contributes?.iconThemes?.length ?? 0) > 0;
+    if (hasThemes && hasMain) {
+        findings.push({
+            id: "THEME_WITH_CODE",
+            title: "Theme extension has code entry point",
+            description: "This extension contributes themes/icon themes but also has a code entry point (main/browser). Pure themes don't need executable code. However, some legitimate extensions combine themes with additional functionality (commands, settings sync).",
+            severity: "high",
+            category: "manifest",
+            location: {
+                file: "package.json",
+            },
+            metadata: {
+                main: manifest.main,
+                browser: manifest.browser,
+                themes: manifest.contributes?.themes?.length ?? 0,
+                iconThemes: manifest.contributes?.iconThemes?.length ?? 0,
+                legitimateUses: [
+                    "Theme packs with additional commands",
+                    "Theme switchers",
+                    "Theme previews",
+                ],
+                redFlags: [
+                    "Theme-only description but runs code",
+                    "Network activity from theme extension",
+                    "Known malware pattern",
+                ],
+            },
+        });
+    }
+    return findings;
+}
+export function checkSuspiciousPermissions(manifest) {
+    const findings = [];
+    const extensionDependencies = manifest["extensionDependencies"];
+    if (extensionDependencies) {
+        for (const dep of extensionDependencies) {
+            if (dep.includes("remote-ssh") || dep.includes("remote-wsl")) {
+                findings.push({
+                    id: "REMOTE_DEPENDENCY",
+                    title: "Extension depends on remote access extension",
+                    description: `Extension depends on "${dep}" which provides remote system access. This is expected for extensions that enhance remote development workflows.`,
+                    severity: "medium",
+                    category: "manifest",
+                    location: {
+                        file: "package.json",
+                    },
+                    metadata: {
+                        dependency: dep,
+                        legitimateUses: [
+                            "Remote development helpers",
+                            "SSH workflow tools",
+                            "Container development",
+                        ],
+                        redFlags: [
+                            "No clear remote development purpose",
+                            "Combined with credential access patterns",
+                        ],
+                    },
+                });
+            }
+        }
+    }
+    return findings;
+}
+export function checkManifest(manifest) {
+    return [
+        ...checkActivationEvents(manifest),
+        ...checkThemeAbuse(manifest),
+        ...checkSuspiciousPermissions(manifest),
+    ];
+}
+//# sourceMappingURL=manifest.js.map

package/dist/scanner/checks/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../../../src/scanner/checks/manifest.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,qBAAqB,CAAC,QAAsB;IAC1D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,IAAI,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,qBAAqB;YACzB,KAAK,EAAE,mCAAmC;YAC1C,WAAW,EACT,oOAAoO;YACtO,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE;gBACR,IAAI,EAAE,cAAc;aACrB;YACD,QAAQ,EAAE;gBACR,cAAc,EAAE,CAAC,0CAA0C,EAAE,wBAAwB,CAAC;gBACtF,QAAQ,EAAE;oBACR,2CAA2C;oBAC3C,mCAAmC;iBACpC;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAC7D,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,oBAAoB;YACxB,KAAK,EAAE,gCAAgC;YACvC,WAAW,EACT,sOAAsO;YACxO,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE;gBACR,IAAI,EAAE,cAAc;aACrB;YACD,QAAQ,EAAE;gBACR,cAAc,EAAE;oBACd,iBAAiB;oBACjB,uBAAuB;oBACvB,kBAAkB;oBAClB,qBAAqB;iBACtB;gBACD,QAAQ,EAAE;oBACR,2CAA2C;oBAC3C,sCAAsC;iBACvC;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,QAAsB;IACpD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC3D,MAAM,SAAS,GACb,CAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;QAC/C,CAAC,QAAQ,CAAC,WAAW,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAEtD,IAAI,SAAS,IAAI,OAAO,EAAE,CAAC;QACzB,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,iBAAiB;YACrB,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EACT,mPAAmP;YACrP,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE;gBACR,IAAI,EAAE,cAAc;aACrB;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,MAAM,EAAE,QAAQ,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;gBACjD,UAAU,EAAE,QAAQ,CAAC,WAAW,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;gBACzD,cAAc,EAAE;oBACd,sCAAsC;oBACtC,iBAAiB;oBACjB,gBAAgB;iBACjB;gBACD,QAAQ,EAAE;oBACR,sCAAsC;oBACtC,uCAAuC;oBACvC,uBAAuB;iBACxB;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,QAAsB;IAC/D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,MAAM,qBAAqB,GAAG,QAAQ,CAAC,uBAAuB,CAAyB,CAAC;IACxF,IAAI,qBAAqB,EAAE,CAAC;QAC1B,KAAK,MAAM,GAAG,IAAI,qBAAqB,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC7D,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,mBAAmB;oBACvB,KAAK,EAAE,8CAA8C;oBACrD,WAAW,EAAE,yBAAyB,GAAG,mHAAmH;oBAC5J,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,UAAU;oBACpB,QAAQ,EAAE;wBACR,IAAI,EAAE,cAAc;qBACrB;oBACD,QAAQ,EAAE;wBACR,UAAU,EAAE,GAAG;wBACf,cAAc,EAAE;4BACd,4BAA4B;4BAC5B,oBAAoB;4BACpB,uBAAuB;yBACxB;wBACD,QAAQ,EAAE;4BACR,qCAAqC;4BACrC,0CAA0C;yBAC3C;qBACF;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,QAAsB;IAClD,OAAO;QACL,GAAG,qBAAqB,CAAC,QAAQ,CAAC;QAClC,GAAG,eAAe,CAAC,QAAQ,CAAC;QAC5B,GAAG,0BAA0B,CAAC,QAAQ,CAAC;KACxC,CAAC;AACJ,CAAC"}

package/dist/scanner/checks/manifest.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=manifest.test.d.ts.map

package/dist/scanner/checks/manifest.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.test.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/manifest.test.ts"],"names":[],"mappings":""}

package/dist/scanner/checks/manifest.test.js

@@ -0,0 +1,108 @@
+import { describe, expect, it } from "vitest";
+import { checkActivationEvents, checkManifest, checkThemeAbuse } from "./manifest.js";
+describe("checkActivationEvents", () => {
+    it("flags wildcard activation event", () => {
+        const manifest = {
+            name: "test",
+            publisher: "test",
+            version: "1.0.0",
+            activationEvents: ["*"],
+        };
+        const findings = checkActivationEvents(manifest);
+        expect(findings.some((f) => f.id === "ACTIVATION_WILDCARD")).toBe(true);
+        expect(findings[0]?.severity).toBe("high");
+    });
+    it("flags onStartupFinished activation event", () => {
+        const manifest = {
+            name: "test",
+            publisher: "test",
+            version: "1.0.0",
+            activationEvents: ["onStartupFinished"],
+        };
+        const findings = checkActivationEvents(manifest);
+        expect(findings.some((f) => f.id === "ACTIVATION_STARTUP")).toBe(true);
+        expect(findings[0]?.severity).toBe("medium");
+    });
+    it("does not flag normal activation events", () => {
+        const manifest = {
+            name: "test",
+            publisher: "test",
+            version: "1.0.0",
+            activationEvents: ["onCommand:test.command", "onLanguage:typescript"],
+        };
+        const findings = checkActivationEvents(manifest);
+        expect(findings).toHaveLength(0);
+    });
+});
+describe("checkThemeAbuse", () => {
+    it("flags theme extension with code entry point", () => {
+        const manifest = {
+            name: "test-theme",
+            publisher: "test",
+            version: "1.0.0",
+            main: "./extension.js",
+            contributes: {
+                themes: [{ id: "dark-theme", label: "Dark Theme", path: "./themes/dark.json" }],
+            },
+        };
+        const findings = checkThemeAbuse(manifest);
+        expect(findings.some((f) => f.id === "THEME_WITH_CODE")).toBe(true);
+        expect(findings[0]?.severity).toBe("high");
+    });
+    it("flags icon theme extension with code entry point", () => {
+        const manifest = {
+            name: "test-icons",
+            publisher: "test",
+            version: "1.0.0",
+            main: "./extension.js",
+            contributes: {
+                iconThemes: [{ id: "material-icons", label: "Material Icons", path: "./icons.json" }],
+            },
+        };
+        const findings = checkThemeAbuse(manifest);
+        expect(findings.some((f) => f.id === "THEME_WITH_CODE")).toBe(true);
+    });
+    it("does not flag pure theme without code", () => {
+        const manifest = {
+            name: "test-theme",
+            publisher: "test",
+            version: "1.0.0",
+            contributes: {
+                themes: [{ id: "dark-theme", label: "Dark Theme", path: "./themes/dark.json" }],
+            },
+        };
+        const findings = checkThemeAbuse(manifest);
+        expect(findings).toHaveLength(0);
+    });
+    it("does not flag extension with code but no themes", () => {
+        const manifest = {
+            name: "test-extension",
+            publisher: "test",
+            version: "1.0.0",
+            main: "./extension.js",
+            contributes: {
+                commands: [{ command: "test.command", title: "Test Command" }],
+            },
+        };
+        const findings = checkThemeAbuse(manifest);
+        expect(findings).toHaveLength(0);
+    });
+});
+describe("checkManifest", () => {
+    it("combines all manifest checks", () => {
+        const manifest = {
+            name: "suspicious-theme",
+            publisher: "suspicious",
+            version: "1.0.0",
+            main: "./extension.js",
+            activationEvents: ["*"],
+            contributes: {
+                themes: [{ id: "theme", label: "Theme", path: "./theme.json" }],
+            },
+        };
+        const findings = checkManifest(manifest);
+        expect(findings.some((f) => f.id === "ACTIVATION_WILDCARD")).toBe(true);
+        expect(findings.some((f) => f.id === "THEME_WITH_CODE")).toBe(true);
+    });
+});
+//# sourceMappingURL=manifest.test.js.map

package/dist/scanner/checks/manifest.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.test.js","sourceRoot":"","sources":["../../../src/scanner/checks/manifest.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEtF,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;YAChB,gBAAgB,EAAE,CAAC,GAAG,CAAC;SACxB,CAAC;QAEF,MAAM,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;YAChB,gBAAgB,EAAE,CAAC,mBAAmB,CAAC;SACxC,CAAC;QAEF,MAAM,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,MAAM;YACZ,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;YAChB,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,uBAAuB,CAAC;SACtE,CAAC;QAEF,MAAM,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,YAAY;YAClB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE,gBAAgB;YACtB,WAAW,EAAE;gBACX,MAAM,EAAE,CAAC,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,oBAAoB,EAAE,CAAC;aAChF;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,YAAY;YAClB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE,gBAAgB;YACtB,WAAW,EAAE;gBACX,UAAU,EAAE,CAAC,EAAE,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;aACtF;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,YAAY;YAClB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;YAChB,WAAW,EAAE;gBACX,MAAM,EAAE,CAAC,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,oBAAoB,EAAE,CAAC;aAChF;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE,gBAAgB;YACtB,WAAW,EAAE;gBACX,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;aAC/D;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,kBAAkB;YACxB,SAAS,EAAE,YAAY;YACvB,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE,gBAAgB;YACtB,gBAAgB,EAAE,CAAC,GAAG,CAAC;YACvB,WAAW,EAAE;gBACX,MAAM,EAAE,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;aAChE;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanner/checks/obfuscation.d.ts

@@ -0,0 +1,3 @@
+import type { Finding, VsixContents } from "../types.js";
+export declare function checkObfuscation(contents: VsixContents): Finding[];
+//# sourceMappingURL=obfuscation.d.ts.map

package/dist/scanner/checks/obfuscation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"obfuscation.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/obfuscation.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAY,YAAY,EAAE,MAAM,aAAa,CAAC;AAwgBnE,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,EAAE,CAUlE"}