flagrix 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,796 @@
1
+ {
2
+ "version": "2025.01.26.001",
3
+ "lastUpdated": "2026-07-04T18:31:51.928Z",
4
+ "maliciousPackages": [
5
+ {
6
+ "name": "beavertail",
7
+ "severity": "critical",
8
+ "source": "lazarus",
9
+ "description": "North Korean Lazarus Group malware loader — targets developers via fake job interviews"
10
+ },
11
+ {
12
+ "name": "invisible-ferret",
13
+ "severity": "critical",
14
+ "source": "lazarus",
15
+ "description": "Python-based data exfiltration malware from Lazarus Group — steals browser data, files, SSH keys"
16
+ },
17
+ {
18
+ "name": "call-bind-apply-helpers",
19
+ "severity": "critical",
20
+ "source": "lazarus",
21
+ "description": "Typosquat with BeaverTail malware payload — mimics legitimate npm utility"
22
+ },
23
+ {
24
+ "name": "cors-parser",
25
+ "severity": "critical",
26
+ "source": "lazarus",
27
+ "description": "Fake CORS parsing package with backdoor — distributed via fake LinkedIn job offers"
28
+ },
29
+ {
30
+ "name": "helmet-async",
31
+ "severity": "critical",
32
+ "source": "lazarus",
33
+ "description": "Typosquat of the legitimate 'helmet' security middleware — contains BeaverTail loader"
34
+ },
35
+ {
36
+ "name": "crossenv",
37
+ "severity": "high",
38
+ "source": "npm-audit",
39
+ "description": "Typosquat of 'cross-env' — published in 2017 npm typosquat attack, steals env vars"
40
+ },
41
+ {
42
+ "name": "lodahs",
43
+ "severity": "high",
44
+ "source": "npm-audit",
45
+ "description": "Typosquat of 'lodash'"
46
+ },
47
+ {
48
+ "name": "lodashs",
49
+ "severity": "high",
50
+ "source": "npm-audit",
51
+ "description": "Typosquat of 'lodash'"
52
+ },
53
+ {
54
+ "name": "electorn",
55
+ "severity": "high",
56
+ "source": "npm-audit",
57
+ "description": "Typosquat of 'electron' — commonly installed by developers"
58
+ },
59
+ {
60
+ "name": "event-stream",
61
+ "severity": "high",
62
+ "source": "npm-audit",
63
+ "version": "3.3.6",
64
+ "description": "Compromised version of the popular event-stream package (v3.3.6) — contained cryptocurrency wallet stealing payload targeting Copay Bitcoin wallet\n"
65
+ },
66
+ {
67
+ "name": "flatmap-stream",
68
+ "severity": "critical",
69
+ "source": "npm-audit",
70
+ "description": "Malicious dependency injected via compromised event-stream — contained the actual payload"
71
+ },
72
+ {
73
+ "name": "bcrypts-js",
74
+ "severity": "high",
75
+ "source": "npm-audit",
76
+ "description": "Typosquat of 'bcrypt-js'"
77
+ },
78
+ {
79
+ "name": "mongose",
80
+ "severity": "high",
81
+ "source": "npm-audit",
82
+ "description": "Typosquat of 'mongoose'"
83
+ },
84
+ {
85
+ "name": "expres",
86
+ "severity": "high",
87
+ "source": "npm-audit",
88
+ "description": "Typosquat of 'express'"
89
+ },
90
+ {
91
+ "name": "colourama",
92
+ "severity": "high",
93
+ "source": "pypi-audit",
94
+ "description": "Typosquat of 'colorama' — steals clipboard content and cryptocurrency addresses"
95
+ },
96
+ {
97
+ "name": "python-dateutils",
98
+ "severity": "high",
99
+ "source": "pypi-audit",
100
+ "description": "Typosquat of 'python-dateutil'"
101
+ },
102
+ {
103
+ "name": "requesrs",
104
+ "severity": "high",
105
+ "source": "pypi-audit",
106
+ "description": "Typosquat of 'requests'"
107
+ },
108
+ {
109
+ "name": "setup-tools",
110
+ "severity": "high",
111
+ "source": "pypi-audit",
112
+ "description": "Typosquat of 'setuptools' — commonly targets CI/CD environments"
113
+ },
114
+ {
115
+ "name": "loguru-logger",
116
+ "severity": "high",
117
+ "source": "pypi-audit",
118
+ "description": "Typosquat of 'loguru' — popular Python logging library"
119
+ }
120
+ ],
121
+ "yaraRules": [
122
+ {
123
+ "id": "BEAVERTAIL_LOADER_V1",
124
+ "name": "BeaverTail Loader Pattern",
125
+ "pattern": "require\\(['\"]child_process['\"]\\)\\.exec.*\\bhttp[s]?://",
126
+ "description": "Matches BeaverTail malware loader pattern used by Lazarus Group in fake job interview repos",
127
+ "tags": [
128
+ "lazarus",
129
+ "beavertail",
130
+ "loader",
131
+ "apt"
132
+ ],
133
+ "severity": "critical"
134
+ },
135
+ {
136
+ "id": "BEAVERTAIL_EXFIL",
137
+ "name": "BeaverTail Data Exfiltration",
138
+ "pattern": "process\\.env.*JSON\\.stringify.*fetch|axios\\.post",
139
+ "description": "Environment variable exfiltration pattern — process.env dumped via fetch/axios POST",
140
+ "tags": [
141
+ "lazarus",
142
+ "beavertail",
143
+ "exfiltration",
144
+ "apt"
145
+ ],
146
+ "severity": "critical"
147
+ },
148
+ {
149
+ "id": "INVISIBLEFERRET_KEYLOG",
150
+ "name": "InvisibleFerret Keylogger",
151
+ "pattern": "keyboard\\.on_press|pynput\\.keyboard|keylogger",
152
+ "description": "Keylogger pattern using pynput — used by Lazarus Group's InvisibleFerret Python malware",
153
+ "tags": [
154
+ "lazarus",
155
+ "invisibleferret",
156
+ "keylogger",
157
+ "apt"
158
+ ],
159
+ "severity": "critical"
160
+ },
161
+ {
162
+ "id": "REVERSE_SHELL",
163
+ "name": "Reverse Shell Pattern",
164
+ "pattern": "\\bnet\\.Socket\\(\\)|socket\\.socket.*SOCK_STREAM.*connect",
165
+ "description": "Socket-based reverse shell connection — creates a TCP connection back to attacker",
166
+ "tags": [
167
+ "shell",
168
+ "backdoor",
169
+ "remote-access"
170
+ ],
171
+ "severity": "critical"
172
+ },
173
+ {
174
+ "id": "CRYPTO_MINER",
175
+ "name": "Cryptocurrency Miner",
176
+ "pattern": "stratum\\+tcp://|xmrig|cryptonight|monero",
177
+ "description": "Cryptocurrency mining code — uses CPU resources for attacker profit",
178
+ "tags": [
179
+ "miner",
180
+ "crypto",
181
+ "resource-abuse"
182
+ ],
183
+ "severity": "high"
184
+ },
185
+ {
186
+ "id": "CREDENTIAL_THEFT",
187
+ "name": "Browser Credential Theft",
188
+ "pattern": "chrome.*Login Data|firefox.*logins\\.json|keychain",
189
+ "description": "Reads browser password databases (Chrome Login Data, Firefox logins.json, macOS Keychain)",
190
+ "tags": [
191
+ "credentials",
192
+ "theft",
193
+ "stealer"
194
+ ],
195
+ "severity": "critical"
196
+ },
197
+ {
198
+ "id": "ENV_EXFIL_WEBHOOK",
199
+ "name": "Environment Variables to Webhook Exfiltration",
200
+ "pattern": "process\\.env.*discord\\.com/api/webhooks|os\\.environ.*webhook.*post|process\\.env.*ntfy\\.sh",
201
+ "description": "Sends environment variables (secrets, API keys) to Discord/ntfy webhook",
202
+ "tags": [
203
+ "exfiltration",
204
+ "webhook",
205
+ "secrets"
206
+ ],
207
+ "severity": "high"
208
+ },
209
+ {
210
+ "id": "DISCORD_WEBHOOK_EXFIL",
211
+ "name": "Discord Webhook Data Exfiltration",
212
+ "pattern": "discord\\.com/api/webhooks.*process\\.env|discord\\.com/api/webhooks.*os\\.environ",
213
+ "description": "Sends sensitive data (env vars, credentials) to Discord webhook endpoint",
214
+ "tags": [
215
+ "exfiltration",
216
+ "discord",
217
+ "webhook"
218
+ ],
219
+ "severity": "high"
220
+ },
221
+ {
222
+ "id": "OBFUSCATED_EVAL",
223
+ "name": "Obfuscated Eval Execution",
224
+ "pattern": "eval\\(atob\\(|eval\\(Buffer\\.from\\(.*base64",
225
+ "description": "Base64-encoded eval execution — decodes and executes hidden payload",
226
+ "tags": [
227
+ "obfuscation",
228
+ "eval",
229
+ "payload"
230
+ ],
231
+ "severity": "high"
232
+ },
233
+ {
234
+ "id": "OBFUSCATED_CODE_EVAL_DYNAMIC",
235
+ "name": "Dynamic Code Execution",
236
+ "pattern": "eval\\s*\\([^)]{0,200}\\)|new\\s+Function\\s*\\([^)]{0,200}\\)|setTimeout\\s*\\(\\s*[\"'`][^\"'`]{0,200}[\"'`]|setInterval\\s*\\(\\s*[\"'`][^\"'`]{0,200}[\"'`]",
237
+ "description": "eval(), new Function(), or setTimeout/setInterval with string argument — executes arbitrary dynamic code",
238
+ "tags": [
239
+ "obfuscation",
240
+ "eval",
241
+ "dynamic-code"
242
+ ],
243
+ "severity": "high"
244
+ },
245
+ {
246
+ "id": "HARDCODED_AWS_KEY",
247
+ "name": "Hardcoded AWS Access Key",
248
+ "pattern": "AKIA[0-9A-Z]{16}",
249
+ "description": "AWS Access Key ID pattern (AKIA...) committed to source code",
250
+ "tags": [
251
+ "secrets",
252
+ "aws",
253
+ "credentials"
254
+ ],
255
+ "severity": "critical"
256
+ },
257
+ {
258
+ "id": "HARDCODED_GITHUB_TOKEN",
259
+ "name": "Hardcoded GitHub Token",
260
+ "pattern": "ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}",
261
+ "description": "GitHub Personal Access Token (ghp_) or OAuth token (gho_) in source code",
262
+ "tags": [
263
+ "secrets",
264
+ "github",
265
+ "credentials"
266
+ ],
267
+ "severity": "critical"
268
+ },
269
+ {
270
+ "id": "HARDCODED_STRIPE_KEY",
271
+ "name": "Hardcoded Stripe Live Key",
272
+ "pattern": "sk_live_[a-zA-Z0-9]{24,}",
273
+ "description": "Stripe live secret key pattern in source code",
274
+ "tags": [
275
+ "secrets",
276
+ "stripe",
277
+ "credentials"
278
+ ],
279
+ "severity": "critical"
280
+ },
281
+ {
282
+ "id": "HARDCODED_API_KEY",
283
+ "name": "Hardcoded API Key",
284
+ "pattern": "(?:api[_-]?key|apikey|secret[_-]?key|auth[_-]?token|private[_-]?key)\\s*[:=]\\s*['\"]([^'\"]{20,})['\"]",
285
+ "description": "Generic API key / secret key pattern assigned to a variable",
286
+ "tags": [
287
+ "secrets",
288
+ "credentials",
289
+ "api-key"
290
+ ],
291
+ "severity": "critical"
292
+ },
293
+ {
294
+ "id": "HARDCODED_DB_CONNECTION",
295
+ "name": "Hardcoded Database Connection String",
296
+ "pattern": "(?:mongodb|mongo)[+:\\/\\/]{0,6}[^@\\s]+:[^@\\s]+@|postgres:\\/\\/[^@\\s]+:[^@\\s]+@",
297
+ "description": "MongoDB or PostgreSQL connection string with credentials embedded",
298
+ "tags": [
299
+ "secrets",
300
+ "database",
301
+ "credentials"
302
+ ],
303
+ "severity": "high"
304
+ },
305
+ {
306
+ "id": "NETWORK_DISCORD_WEBHOOK",
307
+ "name": "Discord Webhook URL",
308
+ "pattern": "https?:\\/\\/discord(?:app)?\\.com\\/api\\/webhooks\\/\\d+\\/[a-zA-Z0-9_-]+",
309
+ "description": "Hardcoded Discord webhook URL — frequently used for data exfiltration",
310
+ "tags": [
311
+ "network",
312
+ "discord",
313
+ "exfiltration"
314
+ ],
315
+ "severity": "critical"
316
+ },
317
+ {
318
+ "id": "NETWORK_TELEGRAM_TOKEN",
319
+ "name": "Telegram Bot Token",
320
+ "pattern": "\\d{8,10}:[a-zA-Z0-9_-]{35}",
321
+ "description": "Hardcoded Telegram bot token — used for covert command & control",
322
+ "tags": [
323
+ "network",
324
+ "telegram",
325
+ "c2"
326
+ ],
327
+ "severity": "high"
328
+ },
329
+ {
330
+ "id": "NETWORK_PASTEBIN",
331
+ "name": "Pastebin URL",
332
+ "pattern": "(?:pastebin\\.com|hastebin\\.com|paste\\.ee)\\/[a-zA-Z0-9]+",
333
+ "description": "Pastebin/hastebin URL — often used to host second-stage payloads",
334
+ "tags": [
335
+ "network",
336
+ "pastebin",
337
+ "payload-hosting"
338
+ ],
339
+ "severity": "medium"
340
+ },
341
+ {
342
+ "id": "NETWORK_URL_SHORTENER",
343
+ "name": "URL Shortener in Code",
344
+ "pattern": "(?:bit\\.ly|tinyurl\\.com|t\\.co)\\/[a-zA-Z0-9]+",
345
+ "description": "Shortened URLs (bit.ly, tinyurl) in source code — obfuscates actual destination",
346
+ "tags": [
347
+ "network",
348
+ "url-shortener",
349
+ "obfuscation"
350
+ ],
351
+ "severity": "medium"
352
+ },
353
+ {
354
+ "id": "NETWORK_SUSPICIOUS_TLD",
355
+ "name": "Suspicious Domain TLD",
356
+ "pattern": "https?:\\/\\/[a-zA-Z0-9-]+\\.(?:tk|ml|ga|cf|gq|onion|xyz)(?:\\/|$)",
357
+ "description": "URLs using free/anonymous TLDs (.tk, .ml, .ga, .cf, .gq, .onion, .xyz) — associated with malware hosting",
358
+ "tags": [
359
+ "network",
360
+ "suspicious-domain",
361
+ "malware-hosting"
362
+ ],
363
+ "severity": "high"
364
+ },
365
+ {
366
+ "id": "NETWORK_NGROK_TUNNEL",
367
+ "name": "Ngrok Tunnel URL",
368
+ "pattern": "https?:\\/\\/[a-zA-Z0-9-]+\\.ngrok\\.io",
369
+ "description": "Ngrok tunnel URL in code — used to expose local servers, often for C2",
370
+ "tags": [
371
+ "network",
372
+ "ngrok",
373
+ "c2"
374
+ ],
375
+ "severity": "medium"
376
+ },
377
+ {
378
+ "id": "EXFIL_CLIPBOARD",
379
+ "name": "Clipboard Access",
380
+ "pattern": "navigator\\.clipboard\\.read(?:Text)?\\s*\\(",
381
+ "description": "Reads clipboard content — can steal copied passwords, 2FA codes, crypto addresses",
382
+ "tags": [
383
+ "exfiltration",
384
+ "clipboard",
385
+ "data-theft"
386
+ ],
387
+ "severity": "high"
388
+ },
389
+ {
390
+ "id": "EXFIL_COOKIE",
391
+ "name": "Cookie Access",
392
+ "pattern": "document\\.cookie",
393
+ "description": "Reads browser cookies via document.cookie — can steal session tokens",
394
+ "tags": [
395
+ "exfiltration",
396
+ "cookies",
397
+ "session-theft"
398
+ ],
399
+ "severity": "high"
400
+ },
401
+ {
402
+ "id": "EXFIL_KEYLOGGER",
403
+ "name": "Keylogger Pattern",
404
+ "pattern": "(?:addEventListener|on)\\s*\\(\\s*['\"](?:keydown|keypress|keyup)['\"]",
405
+ "description": "Keyboard event listener (keydown/keypress) — captures user keystrokes",
406
+ "tags": [
407
+ "exfiltration",
408
+ "keylogger",
409
+ "credential-theft"
410
+ ],
411
+ "severity": "critical"
412
+ },
413
+ {
414
+ "id": "BACKDOOR_RCE_ENDPOINT",
415
+ "name": "Remote Code Execution Endpoint",
416
+ "pattern": "eval\\s*\\(\\s*(?:request|req)(?:\\.|\\..body|\\..query)|exec\\s*\\(\\s*(?:request|req)(?:\\.|\\..body|\\..query)",
417
+ "description": "eval() or exec() fed from HTTP request body/query — allows attacker to run arbitrary code",
418
+ "tags": [
419
+ "backdoor",
420
+ "rce",
421
+ "critical"
422
+ ],
423
+ "severity": "critical"
424
+ },
425
+ {
426
+ "id": "BACKDOOR_DYNAMIC_REQUIRE",
427
+ "name": "Dynamic Require from Request",
428
+ "pattern": "require\\s*\\(\\s*(?:request|req)(?:\\.|\\..body|\\..query)",
429
+ "description": "require() fed from HTTP request — allows attacker to load arbitrary modules",
430
+ "tags": [
431
+ "backdoor",
432
+ "rce",
433
+ "dynamic-require"
434
+ ],
435
+ "severity": "critical"
436
+ },
437
+ {
438
+ "id": "BACKDOOR_HARDCODED_AUTH",
439
+ "name": "Hardcoded Auth Bypass",
440
+ "pattern": "(?:password|auth)\\s*(?:===?|==)\\s*['\"][^'\"]{0,20}['\"]\\s*\\)",
441
+ "description": "Hardcoded password check — always-true backdoor condition in auth logic",
442
+ "tags": [
443
+ "backdoor",
444
+ "auth-bypass",
445
+ "hardcoded"
446
+ ],
447
+ "severity": "critical"
448
+ },
449
+ {
450
+ "id": "FILE_ACCESS_CREDENTIALS",
451
+ "name": "SSH/AWS Credentials File Access",
452
+ "pattern": "(?:fs\\.read|readFileSync|readFile)\\s*\\([^)]*(?:\\.ssh|\\.aws|\\.gnupg|\\.docker|id_rsa|credentials)",
453
+ "description": "Reads ~/.ssh/, ~/.aws/, id_rsa, or credentials files — credential theft",
454
+ "tags": [
455
+ "file-access",
456
+ "credentials",
457
+ "ssh",
458
+ "aws"
459
+ ],
460
+ "severity": "critical"
461
+ },
462
+ {
463
+ "id": "FILE_ACCESS_SYSTEM",
464
+ "name": "System File Access",
465
+ "pattern": "(?:fs\\.read|readFileSync|readFile)\\s*\\([^)]*(?:etc\\/passwd|etc\\/shadow|\\.bash_history|\\.zsh_history)",
466
+ "description": "Reads /etc/passwd, /etc/shadow, or shell history files",
467
+ "tags": [
468
+ "file-access",
469
+ "system-files",
470
+ "privilege-escalation"
471
+ ],
472
+ "severity": "critical"
473
+ },
474
+ {
475
+ "id": "FILE_ACCESS_BROWSER_DATA",
476
+ "name": "Browser Password Database Access",
477
+ "pattern": "(?:fs\\.read|readFileSync|readFile)\\s*\\([^)]*(?:Chrome|Firefox|Safari|Edge)[\\w\\s\\/\\\\]*(?:Cookies|Login|History)",
478
+ "description": "Reads Chrome/Firefox/Safari password databases",
479
+ "tags": [
480
+ "file-access",
481
+ "browser-data",
482
+ "credential-theft"
483
+ ],
484
+ "severity": "critical"
485
+ },
486
+ {
487
+ "id": "SOCIAL_ENGINEERING_SECURITY_BYPASS",
488
+ "name": "Security Bypass Instructions in README",
489
+ "pattern": "(?:disable|turn off|bypass)[\\s\\w]*(?:antivirus|firewall|security|protection)",
490
+ "description": "README instructs users to disable antivirus, firewall, or security tools",
491
+ "tags": [
492
+ "social-engineering",
493
+ "security-bypass"
494
+ ],
495
+ "severity": "high"
496
+ },
497
+ {
498
+ "id": "OBF_BASE64_HEAVY",
499
+ "name": "Heavy Base64 Encoding",
500
+ "pattern": "[A-Za-z0-9+/]{50,}={0,2}",
501
+ "description": "6+ base64 strings of 50+ chars in a single file. Base64 is a legitimate encoding, but excessive use in source code is a red flag — it's the most common way to hide malicious payloads, C2 URLs, and commands from static analysis.\n",
502
+ "tags": [
503
+ "base64",
504
+ "obfuscation"
505
+ ],
506
+ "severity": "medium"
507
+ },
508
+ {
509
+ "id": "OBF_HEX_STRINGS",
510
+ "name": "Extensive Hex-Encoded Strings",
511
+ "pattern": "\\\\x[0-9a-fA-F]{2}",
512
+ "description": "20+ hex escape sequences (\\xNN) in a single file. Hex encoding hides the actual string content from developers, often used to conceal URLs, commands, or shellcode.\n",
513
+ "tags": [
514
+ "hex-encoding",
515
+ "obfuscation"
516
+ ],
517
+ "severity": "medium"
518
+ },
519
+ {
520
+ "id": "OBF_EVAL",
521
+ "name": "eval() Usage",
522
+ "pattern": "eval\\s*\\([^)]{0,200}\\)",
523
+ "description": "eval() executes arbitrary dynamic code. While there are legitimate uses, eval() is the #1 technique for executing hidden malicious payloads.\n",
524
+ "tags": [
525
+ "eval",
526
+ "dynamic-code",
527
+ "obfuscation"
528
+ ],
529
+ "severity": "high"
530
+ },
531
+ {
532
+ "id": "OBF_NEW_FUNCTION",
533
+ "name": "new Function() Constructor",
534
+ "pattern": "new\\s+Function\\s*\\([^)]{0,200}\\)",
535
+ "description": "new Function() creates and executes dynamic code similar to eval(). Used to hide malicious logic that bypasses some static analysis tools.\n",
536
+ "tags": [
537
+ "function-constructor",
538
+ "dynamic-code",
539
+ "obfuscation"
540
+ ],
541
+ "severity": "high"
542
+ },
543
+ {
544
+ "id": "OBF_SETTIMEOUT_STRING",
545
+ "name": "setTimeout/setInterval with String Argument",
546
+ "pattern": "(?:setTimeout|setInterval)\\s*\\(\\s*[\"'`][^\"'`]{0,200}[\"'`]",
547
+ "description": "Passing a string to setTimeout/setInterval executes it as code (like eval). A common obfuscation technique: setTimeout(\"maliciousCode()\", 0)\n",
548
+ "tags": [
549
+ "eval",
550
+ "dynamic-code",
551
+ "obfuscation"
552
+ ],
553
+ "severity": "high"
554
+ },
555
+ {
556
+ "id": "OBF_FROMCHARCODE",
557
+ "name": "String.fromCharCode Obfuscation",
558
+ "pattern": "(?:String\\.fromCharCode|fromCharCode)\\s*\\([\\d\\s,]+\\)",
559
+ "description": "Constructs strings from char codes (e.g., String.fromCharCode(101,118,97,108) = \"eval\"). Classic technique to hide malicious keywords from simple string scanning.\n",
560
+ "tags": [
561
+ "fromcharcode",
562
+ "obfuscation",
563
+ "eval-bypass"
564
+ ],
565
+ "severity": "medium"
566
+ },
567
+ {
568
+ "id": "OBF_CHARCODE_ARRAY",
569
+ "name": "Large Character Code Array",
570
+ "pattern": "\\[(?:\\s*\\d{2,3}\\s*,\\s*){20,}\\d{2,3}\\s*\\]",
571
+ "description": "Array of 20+ numbers that look like char codes. Used as an alternative to fromCharCode to build malicious strings character by character.\n",
572
+ "tags": [
573
+ "charcode-array",
574
+ "obfuscation"
575
+ ],
576
+ "severity": "medium"
577
+ }
578
+ ],
579
+ "knownBadHashes": [],
580
+ "userProfileRules": {
581
+ "riskFactors": [
582
+ {
583
+ "id": "VERY_NEW_ACCOUNT",
584
+ "name": "Very New Account",
585
+ "description": "Account created {accountAgeDays} days ago (very new)",
586
+ "weight": 0.3,
587
+ "condition": {
588
+ "field": "accountAgeDays",
589
+ "operator": "lt",
590
+ "value": 30
591
+ }
592
+ },
593
+ {
594
+ "id": "NEW_ACCOUNT",
595
+ "name": "New Account",
596
+ "description": "Account created {accountAgeDays} days ago (new)",
597
+ "weight": 0.2,
598
+ "condition": {
599
+ "field": "accountAgeDays",
600
+ "operator": "lt",
601
+ "value": 90
602
+ },
603
+ "exclusiveWith": "VERY_NEW_ACCOUNT"
604
+ },
605
+ {
606
+ "id": "NO_REPOS",
607
+ "name": "No Public Repositories",
608
+ "description": "No public repositories",
609
+ "weight": 0.25,
610
+ "condition": {
611
+ "field": "ownedReposCount",
612
+ "operator": "eq",
613
+ "value": 0
614
+ }
615
+ },
616
+ {
617
+ "id": "SINGLE_REPO_CONTRIBUTOR",
618
+ "name": "Single Repository Only",
619
+ "description": "Only 1 repository (potential throwaway account)",
620
+ "weight": 0.15,
621
+ "condition": {
622
+ "field": "ownedReposCount",
623
+ "operator": "eq",
624
+ "value": 1
625
+ },
626
+ "exclusiveWith": "NO_REPOS"
627
+ },
628
+ {
629
+ "id": "NO_FOLLOWERS",
630
+ "name": "Zero Followers",
631
+ "description": "Zero followers",
632
+ "weight": 0.2,
633
+ "condition": {
634
+ "field": "followers",
635
+ "operator": "eq",
636
+ "value": 0
637
+ }
638
+ },
639
+ {
640
+ "id": "HIGH_FOLLOWING_RATIO",
641
+ "name": "High Following-to-Follower Ratio",
642
+ "description": "Following {following} but only {followers} followers (bot pattern)",
643
+ "weight": 0.2,
644
+ "condition": {
645
+ "all": [
646
+ {
647
+ "field": "followerFollowingRatio",
648
+ "operator": "gt",
649
+ "value": 10
650
+ },
651
+ {
652
+ "field": "following",
653
+ "operator": "gt",
654
+ "value": 10
655
+ }
656
+ ]
657
+ }
658
+ },
659
+ {
660
+ "id": "NO_PROFILE_PHOTO",
661
+ "name": "Default Avatar",
662
+ "description": "Using default avatar",
663
+ "weight": 0.15,
664
+ "condition": {
665
+ "field": "hasProfilePhoto",
666
+ "operator": "eq",
667
+ "value": false
668
+ }
669
+ },
670
+ {
671
+ "id": "INCOMPLETE_PROFILE",
672
+ "name": "Incomplete Profile",
673
+ "description": "Missing bio, name, or location",
674
+ "weight": 0.1,
675
+ "condition": {
676
+ "field": "isProfileComplete",
677
+ "operator": "eq",
678
+ "value": false
679
+ }
680
+ },
681
+ {
682
+ "id": "NO_RECENT_ACTIVITY",
683
+ "name": "No Recent Activity",
684
+ "description": "No activity in last 90 days",
685
+ "weight": 0.15,
686
+ "condition": {
687
+ "field": "recentEventCount",
688
+ "operator": "eq",
689
+ "value": 0
690
+ }
691
+ }
692
+ ],
693
+ "trustSignals": [
694
+ {
695
+ "id": "VERY_ESTABLISHED",
696
+ "name": "Very Established Account",
697
+ "description": "Account is {accountAgeDays} days old (very established)",
698
+ "weight": -0.25,
699
+ "condition": {
700
+ "field": "accountAgeDays",
701
+ "operator": "gte",
702
+ "value": 1095
703
+ }
704
+ },
705
+ {
706
+ "id": "ESTABLISHED_ACCOUNT",
707
+ "name": "Established Account",
708
+ "description": "Account is {accountAgeDays} days old (established)",
709
+ "weight": -0.15,
710
+ "condition": {
711
+ "field": "accountAgeDays",
712
+ "operator": "gte",
713
+ "value": 365
714
+ },
715
+ "exclusiveWith": "VERY_ESTABLISHED"
716
+ },
717
+ {
718
+ "id": "POPULAR_DEVELOPER",
719
+ "name": "Popular Developer",
720
+ "description": "{followers} followers (popular developer)",
721
+ "weight": -0.25,
722
+ "condition": {
723
+ "field": "followers",
724
+ "operator": "gte",
725
+ "value": 200
726
+ }
727
+ },
728
+ {
729
+ "id": "STRONG_FOLLOWER_BASE",
730
+ "name": "Strong Follower Base",
731
+ "description": "{followers} followers",
732
+ "weight": -0.15,
733
+ "condition": {
734
+ "field": "followers",
735
+ "operator": "gte",
736
+ "value": 50
737
+ },
738
+ "exclusiveWith": "POPULAR_DEVELOPER"
739
+ },
740
+ {
741
+ "id": "PROLIFIC_DEVELOPER",
742
+ "name": "Prolific Developer",
743
+ "description": "{ownedReposCount} repositories (prolific developer)",
744
+ "weight": -0.3,
745
+ "condition": {
746
+ "field": "ownedReposCount",
747
+ "operator": "gte",
748
+ "value": 50
749
+ }
750
+ },
751
+ {
752
+ "id": "ACTIVE_CONTRIBUTOR",
753
+ "name": "Active Contributor",
754
+ "description": "{ownedReposCount} repositories",
755
+ "weight": -0.2,
756
+ "condition": {
757
+ "field": "ownedReposCount",
758
+ "operator": "gte",
759
+ "value": 10
760
+ },
761
+ "exclusiveWith": "PROLIFIC_DEVELOPER"
762
+ },
763
+ {
764
+ "id": "HAS_POPULAR_REPOS",
765
+ "name": "Has Popular Repositories",
766
+ "description": "{totalStars} total stars across repositories",
767
+ "weight": -0.2,
768
+ "condition": {
769
+ "field": "totalStars",
770
+ "operator": "gte",
771
+ "value": 50
772
+ }
773
+ },
774
+ {
775
+ "id": "CONSISTENT_ACTIVITY",
776
+ "name": "Consistent Recent Activity",
777
+ "description": "{veryRecentEventCount} events in last 30 days",
778
+ "weight": -0.15,
779
+ "condition": {
780
+ "field": "veryRecentEventCount",
781
+ "operator": "gt",
782
+ "value": 0
783
+ }
784
+ }
785
+ ],
786
+ "riskLevels": {
787
+ "mediumMinScore": 0.4,
788
+ "highMinScore": 0.7,
789
+ "recommendations": {
790
+ "low": "Profile appears legitimate. Standard caution advised for any collaboration requests.",
791
+ "medium": "Moderate risk. Review profile carefully. Check repository quality and recent activity before accepting collaboration.",
792
+ "high": "High risk profile. Exercise extreme caution. Verify identity through other channels before trusting any collaboration requests."
793
+ }
794
+ }
795
+ }
796
+ }