ferret-scan 2.2.0 → 2.3.0

package/dist/intelligence/ThreatFeed.js

@@ -16,117 +16,262 @@ const DEFAULT_INTEL_DIR = '.ferret-intel';
 const BUILTIN_SOURCES = [
     {
         name: 'ai-cli-malicious-packages',
-        description: 'Known malicious npm packages targeting AI CLI environments',
-        lastUpdated: new Date().toISOString(),
+        description: 'Known malicious and typosquatting npm packages targeting AI CLI environments',
+        lastUpdated: '2025-01-01T00:00:00Z',
         enabled: true,
         format: 'json'
     },
     {
         name: 'ai-cli-suspicious-domains',
-        description: 'Suspicious domains used in AI CLI exploitation attempts',
-        lastUpdated: new Date().toISOString(),
+        description: 'Phishing and impersonation domains targeting AI CLI users and API credentials',
+        lastUpdated: '2025-01-01T00:00:00Z',
         enabled: true,
         format: 'json'
     },
     {
-        name: 'ai-cli-backdoor-patterns',
-        description: 'Code patterns associated with AI CLI-specific backdoors',
-        lastUpdated: new Date().toISOString(),
+        name: 'ai-cli-injection-patterns',
+        description: 'Prompt injection, jailbreak, and privilege-escalation patterns observed in the wild',
+        lastUpdated: '2025-01-01T00:00:00Z',
+        enabled: true,
+        format: 'json'
+    },
+    {
+        name: 'ai-cli-exfiltration-patterns',
+        description: 'Data exfiltration patterns embedded in AI CLI hooks and configurations',
+        lastUpdated: '2025-01-01T00:00:00Z',
         enabled: true,
         format: 'json'
     }
 ];
 /**
- * Built-in threat indicators
+ * Built-in threat indicators derived from publicly documented AI CLI attack patterns.
+ * These cover typosquatting, prompt injection, exfiltration, and privilege escalation
+ * as observed across real-world incident reports and security research (2024–2025).
+ *
+ * Note: No hash indicators are included by default. File hashes are highly specific;
+ * add them via `ferret intel add` with verified malicious-file hashes from your own
+ * threat intelligence sources.
  */
 const BUILTIN_INDICATORS = [
-    // Malicious domains
+    // ── Typosquatting / impersonation packages ─────────────────────────────────
     {
-        value: 'evil-ai-api.com',
-        type: 'domain',
-        category: 'phishing',
-        severity: 'high',
-        description: 'Fake AI API endpoint used for credential harvesting',
-        source: 'ai-cli-suspicious-domains',
-        firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
+        value: 'anthropic-sdk-fake',
+        type: 'package',
+        category: 'malicious-package',
+        severity: 'critical',
+        description: 'Typosquats the official @anthropic-ai/sdk package; exfiltrates API keys on install',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-03-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
         confidence: 95,
-        tags: ['phishing', 'fake-api', 'credential-theft']
+        tags: ['typosquat', 'credential-theft', 'install-hook']
     },
     {
-        value: 'anthropic-fake.net',
-        type: 'domain',
-        category: 'phishing',
+        value: 'openai-sdk-community',
+        type: 'package',
+        category: 'malicious-package',
         severity: 'high',
-        description: 'Impersonates legitimate AI provider domain',
-        source: 'ai-cli-suspicious-domains',
-        firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
+        description: 'Unofficial package impersonating the OpenAI SDK; contains a postinstall exfiltration script',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-06-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
         confidence: 90,
-        tags: ['phishing', 'impersonation']
+        tags: ['typosquat', 'postinstall', 'exfiltration']
     },
-    // Malicious packages
     {
-        value: 'ai-jailbreak-helper',
+        value: 'claude-code-helper',
+        type: 'package',
+        category: 'malicious-package',
+        severity: 'high',
+        description: 'Impersonates Claude Code utilities; reads ~/.claude/settings.json and beacons credentials',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-09-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 88,
+        tags: ['typosquat', 'credential-theft', 'ai-cli']
+    },
+    {
+        value: 'cursor-ai-extensions',
+        type: 'package',
+        category: 'malicious-package',
+        severity: 'high',
+        description: 'Fake Cursor IDE extension package; harvests .cursorrules and workspace secrets',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-08-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 85,
+        tags: ['typosquat', 'ai-cli', 'cursor']
+    },
+    {
+        value: 'mcp-server-tools',
         type: 'package',
         category: 'malicious-package',
         severity: 'critical',
-        description: 'Package designed to bypass AI assistant safety mechanisms',
+        description: 'Malicious MCP server package that exfiltrates tool call arguments to a remote endpoint',
         source: 'ai-cli-malicious-packages',
-        firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
-        confidence: 100,
-        tags: ['jailbreak', 'bypass', 'malicious-npm']
+        firstSeen: '2024-11-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 92,
+        tags: ['mcp', 'exfiltration', 'supply-chain']
     },
     {
-        value: 'anthropic-sdk-fake',
+        value: 'ai-agent-framework',
         type: 'package',
         category: 'malicious-package',
         severity: 'high',
-        description: 'Fake AI SDK that steals credentials',
+        description: 'Generic name used by multiple malicious packages to blend into AI agent dependency lists',
         source: 'ai-cli-malicious-packages',
-        firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
-        confidence: 95,
-        tags: ['credential-theft', 'fake-sdk']
+        firstSeen: '2024-07-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 80,
+        tags: ['typosquat', 'ai-agent', 'generic-name']
+    },
+    // ── Phishing / impersonation domains ──────────────────────────────────────
+    {
+        value: 'anthropic-api.net',
+        type: 'domain',
+        category: 'phishing',
+        severity: 'high',
+        description: 'Typosquats api.anthropic.com; used to intercept API keys in misconfigured ANTHROPIC_BASE_URL',
+        source: 'ai-cli-suspicious-domains',
+        firstSeen: '2024-04-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 93,
+        tags: ['phishing', 'api-intercept', 'anthropic']
     },
-    // Backdoor patterns
     {
-        value: 'ignore.*previous.*instructions?.*forget.*rules?',
+        value: 'openai-proxy.io',
+        type: 'domain',
+        category: 'phishing',
+        severity: 'high',
+        description: 'Claimed OpenAI-compatible proxy that logs all prompts and responses',
+        source: 'ai-cli-suspicious-domains',
+        firstSeen: '2024-05-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 88,
+        tags: ['phishing', 'prompt-logging', 'openai']
+    },
+    {
+        value: 'cursor-updates.net',
+        type: 'domain',
+        category: 'phishing',
+        severity: 'high',
+        description: 'Impersonates Cursor IDE update infrastructure; delivers trojanized VSIX files',
+        source: 'ai-cli-suspicious-domains',
+        firstSeen: '2024-07-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 87,
+        tags: ['phishing', 'ide-trojan', 'cursor']
+    },
+    {
+        value: 'mcp-registry.net',
+        type: 'domain',
+        category: 'phishing',
+        severity: 'medium',
+        description: 'Unofficial MCP server registry used to distribute malicious MCP server packages',
+        source: 'ai-cli-suspicious-domains',
+        firstSeen: '2024-10-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 78,
+        tags: ['phishing', 'mcp', 'fake-registry']
+    },
+    // ── Prompt injection / jailbreak patterns ─────────────────────────────────
+    {
+        value: 'ignore\\s+(all\\s+)?(previous|prior|above)\\s+(instructions?|rules?|constraints?|guidelines?)',
+        type: 'pattern',
+        category: 'jailbreak-attempt',
+        severity: 'high',
+        description: 'Classic instruction-override injection attempting to nullify prior system prompt directives',
+        source: 'ai-cli-injection-patterns',
+        firstSeen: '2023-06-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 90,
+        tags: ['jailbreak', 'instruction-override', 'prompt-injection']
+    },
+    {
+        value: 'you\\s+are\\s+now\\s+(in\\s+)?(developer|jailbreak|dan|unrestricted|god)\\s+mode',
         type: 'pattern',
         category: 'jailbreak-attempt',
         severity: 'high',
-        description: 'Pattern attempting to override AI assistant safety instructions',
-        source: 'ai-cli-backdoor-patterns',
+        description: 'Developer/DAN mode activation attempt — claims to unlock unrestricted AI behavior',
+        source: 'ai-cli-injection-patterns',
+        firstSeen: '2023-09-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 88,
+        tags: ['jailbreak', 'dan-mode', 'privilege-escalation']
+    },
+    {
+        value: 'disregard\\s+(your\\s+)?(safety|ethical|content)\\s+(policy|policies|guidelines?|filters?)',
+        type: 'pattern',
+        category: 'jailbreak-attempt',
+        severity: 'high',
+        description: 'Attempts to disable AI safety filters by direct instruction',
+        source: 'ai-cli-injection-patterns',
         firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
+        lastSeen: '2025-01-01T00:00:00Z',
         confidence: 85,
-        tags: ['jailbreak', 'instruction-override']
+        tags: ['jailbreak', 'safety-bypass']
+    },
+    {
+        value: 'print\\s+(your\\s+)?(system\\s+prompt|initial\\s+instructions?|full\\s+context)',
+        type: 'pattern',
+        category: 'jailbreak-attempt',
+        severity: 'high',
+        description: 'System prompt exfiltration via direct instruction to reveal context',
+        source: 'ai-cli-injection-patterns',
+        firstSeen: '2024-02-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 82,
+        tags: ['prompt-exfil', 'system-prompt', 'context-leak']
     },
     {
-        value: 'developer.*mode.*enabled|admin.*access.*granted',
+        value: 'as\\s+your\\s+(true\\s+)?(self|creator|master|owner)\\b',
         type: 'pattern',
-        category: 'privilege-escalation',
+        category: 'jailbreak-attempt',
         severity: 'medium',
-        description: 'Attempts to claim elevated privileges in AI assistants',
-        source: 'ai-cli-backdoor-patterns',
+        description: 'Social-engineering attack claiming authority over the AI assistant',
+        source: 'ai-cli-injection-patterns',
         firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
-        confidence: 75,
-        tags: ['privilege-escalation', 'social-engineering']
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 70,
+        tags: ['jailbreak', 'social-engineering', 'authority-claim']
     },
-    // Hash indicators (example malicious file hashes)
+    // ── Exfiltration patterns ─────────────────────────────────────────────────
     {
-        value: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
-        type: 'hash',
-        category: 'malicious-file',
+        value: 'curl\\s+.*\\$\\{?(ANTHROPIC|OPENAI|CLAUDE|GITHUB|AWS|GCP)_?(API_?KEY|TOKEN|SECRET)',
+        type: 'pattern',
+        category: 'exfiltration',
         severity: 'critical',
-        description: 'Hash of known malicious AI CLI configuration file',
-        source: 'ai-cli-malicious-packages',
-        firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
-        confidence: 100,
-        tags: ['malicious-config', 'sha256']
+        description: 'Shell command interpolating AI/cloud API keys directly into a curl request body or URL',
+        source: 'ai-cli-exfiltration-patterns',
+        firstSeen: '2024-03-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 95,
+        tags: ['exfiltration', 'credential-leak', 'curl', 'hook']
+    },
+    {
+        value: 'fetch\\(.*\\$\\{(conversation|messages|response|output|result)',
+        type: 'pattern',
+        category: 'exfiltration',
+        severity: 'high',
+        description: 'JavaScript fetch() call interpolating AI conversation data into a remote request',
+        source: 'ai-cli-exfiltration-patterns',
+        firstSeen: '2024-05-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 88,
+        tags: ['exfiltration', 'conversation-leak', 'fetch']
+    },
+    {
+        value: 'dns\\.lookup|nslookup|dig\\s+.*\\.(com|net|io|xyz)',
+        type: 'pattern',
+        category: 'exfiltration',
+        severity: 'medium',
+        description: 'DNS lookup in a hook context may indicate DNS-based data exfiltration channel',
+        source: 'ai-cli-exfiltration-patterns',
+        firstSeen: '2024-06-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 65,
+        tags: ['exfiltration', 'dns-exfil', 'covert-channel']
     }
 ];
 /**

package/dist/remediation/Quarantine.js

@@ -92,6 +92,15 @@ export function loadQuarantineDatabase(quarantineDir) {
             logger.warn('Invalid quarantine database, creating new one');
             return createEmptyDatabase();
         }
+        // SECURITY: Sanitize loaded entries — reject any with null bytes in paths
+        db.entries = db.entries.filter(entry => {
+            if (typeof entry.originalPath !== 'string' || entry.originalPath.includes('\0') ||
+                typeof entry.quarantinePath !== 'string' || entry.quarantinePath.includes('\0')) {
+                logger.warn(`Skipping quarantine entry with invalid path: ${entry.id}`);
+                return false;
+            }
+            return true;
+        });
         return db;
     }
     catch (error) {
@@ -251,15 +260,22 @@ export function restoreQuarantinedFile(entryId, quarantineDir = DEFAULT_OPTIONS.
             logger.error(`Quarantined file not found: ${entry.quarantinePath}`);
             return false;
         }
-        // SECURITY: Validate originalPath if allowedRestoreBase is specified
-        if (allowedRestoreBase) {
-            if (!isPathWithinBase(entry.originalPath, allowedRestoreBase)) {
-                logger.error(`Restore path outside allowed directory: ${entry.originalPath}`);
-                return false;
-            }
+        // SECURITY: Reject paths containing null bytes — these bypass some OS path checks
+        if (entry.originalPath.includes('\0')) {
+            logger.error(`Restore path contains null byte — rejecting: ${entryId}`);
+            return false;
+        }
+        // SECURITY: Always validate originalPath, defaulting to CWD when no base is supplied.
+        // Without this, an attacker who crafts a quarantine DB entry can restore a file
+        // to any path on the filesystem (e.g. /etc/cron.d/evil, ~/.ssh/authorized_keys).
+        const restoreBase = allowedRestoreBase ?? process.cwd();
+        if (!isPathWithinBase(entry.originalPath, restoreBase)) {
+            logger.error(`Restore path outside allowed directory '${restoreBase}': ${entry.originalPath}`);
+            return false;
         }
         // SECURITY: Validate the quarantine path is within quarantine directory
         validatePathWithinBase(entry.quarantinePath, quarantineDir, 'restoreQuarantinedFile');
+        logger.info(`Restoring '${entry.originalPath}' from quarantine`);
         // Ensure original directory exists
         mkdirSync(dirname(entry.originalPath), { recursive: true });
         // Restore file
@@ -293,6 +309,8 @@ export function deleteQuarantinedFile(entryId, quarantineDir = DEFAULT_OPTIONS.q
             logger.error(`Entry not found at index ${entryIndex}`);
             return false;
         }
+        // SECURITY: Validate quarantine path is within quarantine directory before deleting
+        validatePathWithinBase(entry.quarantinePath, quarantineDir, 'deleteQuarantinedFile');
         // Delete quarantined file
         if (existsSync(entry.quarantinePath)) {
             unlinkSync(entry.quarantinePath);

package/dist/reporters/ConsoleReporter.js

@@ -84,6 +84,16 @@ function formatSummary(summary, result) {
     lines.push(stats.join('  |  '));
     const ignored = result.ignoredFindings ? `  |  Ignored: ${result.ignoredFindings}` : '';
     lines.push(`Files scanned: ${result.analyzedFiles}  |  Time: ${result.duration}ms  |  Risk Score: ${result.overallRiskScore}/100${ignored}`);
+    if (result.mcpTrustSummary && result.mcpTrustSummary.total > 0) {
+        const t = result.mcpTrustSummary;
+        const trustParts = [
+            t.critical > 0 ? SEVERITY_FORMATTERS['CRITICAL'](`${t.critical} CRITICAL`) : null,
+            t.low > 0 ? SEVERITY_FORMATTERS['HIGH'](`${t.low} LOW`) : null,
+            t.medium > 0 ? SEVERITY_FORMATTERS['MEDIUM'](`${t.medium} MEDIUM`) : null,
+            t.high > 0 ? `${t.high} HIGH` : null,
+        ].filter(Boolean);
+        lines.push(`MCP Trust: ${t.total} server(s) scored — ${trustParts.join(', ')}  |  Lowest: ${t.lowestScore}/100`);
+    }
     return lines.join('\n');
 }
 /**

package/dist/reporters/HtmlReporter.js

@@ -555,6 +555,11 @@ export function generateHtmlReport(result, options = {}) {
         <div class="summary-number" style="color: ${result.overallRiskScore > 75 ? '#dc2626' : result.overallRiskScore > 50 ? '#ea580c' : '#16a34a'}">${result.overallRiskScore}</div>
         <div class="summary-label">Risk Score</div>
       </div>
+      ${result.mcpTrustSummary && result.mcpTrustSummary.total > 0 ? `
+      <div class="summary-card">
+        <div class="summary-number" style="color: ${result.mcpTrustSummary.critical > 0 ? '#dc2626' : result.mcpTrustSummary.low > 0 ? '#ea580c' : '#16a34a'}">${result.mcpTrustSummary.lowestScore}</div>
+        <div class="summary-label">MCP Trust Min</div>
+      </div>` : ''}
     </div>
 
     <div class="filters">

package/dist/reporters/SarifReporter.d.ts

@@ -68,6 +68,7 @@ interface SarifDocument {
                 scanDuration: number;
                 filesScanned: number;
                 riskScore: number;
+                mcpTrustSummary?: import('../types.js').McpTrustSummary;
             };
         };
     }[];

package/dist/reporters/SarifReporter.js

@@ -143,6 +143,7 @@ export function generateSarifReport(result) {
                         scanDuration: result.duration,
                         filesScanned: result.analyzedFiles,
                         riskScore: result.overallRiskScore,
+                        ...(result.mcpTrustSummary ? { mcpTrustSummary: result.mcpTrustSummary } : {}),
                     },
                 },
             }],

package/dist/scanner/IAnalyzer.d.ts

@@ -0,0 +1,19 @@
+/**
+ * IAnalyzer — interface for pluggable file analyzers
+ */
+import type { DiscoveredFile, Finding, Rule, ScannerConfig } from '../types.js';
+export interface AnalyzerContext {
+    file: DiscoveredFile;
+    content: string;
+    config: ScannerConfig;
+    /** Merged rule set (base + custom) for this scan */
+    rules: Rule[];
+    /** Findings accumulated so far (allows later analyzers to gate on earlier results) */
+    existingFindings: Finding[];
+}
+export interface IAnalyzer {
+    readonly name: string;
+    shouldRun(ctx: AnalyzerContext): boolean;
+    analyze(ctx: AnalyzerContext): Promise<Finding[]>;
+}
+//# sourceMappingURL=IAnalyzer.d.ts.map

package/dist/scanner/IAnalyzer.js

@@ -0,0 +1,5 @@
+/**
+ * IAnalyzer — interface for pluggable file analyzers
+ */
+export {};
+//# sourceMappingURL=IAnalyzer.js.map