guardvibe 3.1.24 → 3.1.25

package/CHANGELOG.md

@@ -5,6 +5,23 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.1.25] - 2026-05-16
+
+### Added — 2 new rules (422 → 424)
+- **VG1069** node-ipc malicious versions detection (CVE-2022-23812 / peacenotwar). Flags `node-ipc` pins on 9.2.2, 10.1.1–10.1.3, and the entire 11.x line — these versions ship maintainer-authored sabotage payloads (file overwrite on RU/BY-geolocated hosts and propaganda-file drops to `~/Desktop`). Fix advises pinning via `overrides`/`resolutions` to 12.0.0+ and treating any install host as compromised
+- **VG1070** CI npm install/ci without supply-chain hardening flag. Fires on `.github/workflows/*.yml` (or any YAML CI file) that calls `npm ci`, `npm install`, or `npm i` without `--expect-provenance` (npm 10.2+) or `--ignore-scripts`. Mitigates lifecycle-script execution from typosquatted or compromised packages — the same path the 2026 @tanstack Mini Shai-Hulud wave used to reach CI secrets
+
+### Changed
+- Dogfood: GuardVibe's own `.github/workflows/ci.yml` and `publish.yml` now run `npm ci --ignore-scripts` (was plain `npm ci`)
+- CLI `rulesApplied` default 422 → 424 (src/index.ts + src/tools/full-audit.ts)
+- package.json description refreshed: 422 → 424 rules, 60 → 61 CVE rules, mentions VG1070 supply-chain hardening
+
+### Skipped from the 2026-05-16 briefing (already covered)
+- P1 Next.js 15.5.18 / 16.2.6 upgrade → VG1047 (May 2026 cluster) already detects 12.2.0–15.5.17 and 16.0.0–16.2.5
+- P1 @tanstack/* compromised versions → VG1056 already detects the May 2026 Mini Shai-Hulud wave
+- P2 MCP Tool Poisoning kural seti → VG1068 already implements the OWASP MCP Top 10 tool-description prompt-injection markers
+- P3 EU AI Act August 2026 → handled by existing compliance_report module via `EUAIACT:Art14` / `EUAIACT:Art15` mappings; no new rule
+
 ## [3.1.24] - 2026-05-14
 
 ### Changed — docs / metadata refresh

package/build/data/rules/cicd.js

@@ -83,4 +83,16 @@ export const cicdRules = [
         fixCode: '# Use pull_request for untrusted code\non:\n  pull_request:\n    branches: [main]\nsteps:\n  - uses: actions/checkout@v4\n  - run: npm test  # safe: runs YOUR code, not PR code',
         compliance: ["SOC2:CC7.1"],
     },
+    {
+        id: "VG1070",
+        name: "CI npm install/ci Without Supply-Chain Hardening Flag (--expect-provenance / --ignore-scripts)",
+        severity: "medium",
+        owasp: "A08:2025 Software & Data Integrity Failures",
+        description: "A CI workflow runs `npm install` or `npm ci` without `--expect-provenance` (npm 10.2+, requires every installed package to ship an SLSA provenance attestation signed against the npm registry) or `--ignore-scripts` (skips lifecycle scripts that typosquats and compromised maintainers use as the execution beachhead). One of the two should be on every CI install step. The 2026 @tanstack mass-malware wave, the 2022 node-ipc protestware, and the long tail of post-install crypto-miners all execute through lifecycle scripts the first time the package lands on a build runner — once that command runs, the runner's secrets are reachable. `--expect-provenance` raises the bar further by refusing unsigned packages entirely; pair it with `--ignore-scripts` for packages whose maintainers have not yet published provenance.",
+        pattern: /(?:^|\n)\s*(?:-\s+)?(?:run|cmd|shell):\s*[|>-]?\s*["'`]?[^"'`\n]*\bnpm\s+(?:ci|install|i)\b(?![^\n"'`]*--(?:expect-provenance|ignore-scripts))[^\n"'`]*/gi,
+        languages: ["yaml"],
+        fix: "Add `--expect-provenance` (recommended for new pipelines) or `--ignore-scripts` (broadest compatibility) to every `npm install` / `npm ci` invocation in CI. `--expect-provenance` will fail the install if any package lacks a signed SLSA attestation — combine with `--ignore-scripts` while upstream packages catch up to provenance. For deployments that must run `postinstall` (e.g. native binary build), narrow the allowlist instead of disabling the flag globally.",
+        fixCode: "# BAD — no supply-chain gate\n- run: npm ci\n\n# GOOD — strict\n- run: npm ci --expect-provenance --ignore-scripts\n\n# GOOD — minimal\n- run: npm ci --ignore-scripts",
+        compliance: ["SOC2:CC7.1", "SOC2:CC8.1", "PCI-DSS:Req6.2"],
+    },
 ];

package/build/data/rules/cve-versions.js

@@ -721,4 +721,16 @@ export const cveVersionRules = [
         fixCode: '// package.json\n"@trpc/server": "^11.8.0"  // or "^10.45.3" for v10\n\n// Defence-in-depth — strict schema + frozen prototype\nimport { z } from "zod";\nconst input = z.object({ id: z.string() }).strict();  // rejects __proto__\nObject.freeze(Object.prototype);  // run once at bootstrap',
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
+    {
+        id: "VG1069",
+        name: "node-ipc Malicious Versions — Embedded Sabotage Payload (CVE-2022-23812 / peacenotwar)",
+        severity: "critical",
+        owasp: "A08:2025 Software & Data Integrity Failures",
+        description: "node-ipc versions 9.2.2 (hidden functionality, GHSA-8gr3-2gjw-jj7g), 10.1.1–10.1.3 (embedded malicious code overwriting files on hosts geo-located to RU/BY, CVE-2022-23812, GHSA-97m3-w2cp-4xx6), and the entire 11.x line (peacenotwar dependency that writes propaganda files to the user's Desktop, GHSA-3mpp-xfvh-qh37) ship attacker-authored protestware as the maintainer's intentional payload. The package is still pulled in transitively today by older Salesforce CLI builds and a handful of legacy tooling. Any install that resolves to one of these versions is treated as a confirmed compromise — rotate any secrets reachable from the install host and re-image build agents.",
+        pattern: /["']node-ipc["']\s*:\s*["'](?:\^|~|>=?)?\s*(?:9\.2\.2|10\.1\.[1-3]|11\.\d+\.\d+)["']/g,
+        languages: ["json"],
+        fix: "Pin node-ipc to 12.0.0+ via `overrides` / `resolutions` / `pnpm.overrides` to break transitive resolution onto the compromised 9.2.2 / 10.1.1–10.1.3 / 11.x band. Audit the install host: rotate any developer / CI secrets the install machine could read, re-image build agents, and check `~/Desktop/WITH-LOVE-FROM-AMERICA.txt` and similar paths for the protestware drop. If the dependency is no longer needed, remove it entirely.",
+        fixCode: '// package.json\n"overrides": { "node-ipc": "^12.0.0" }\n\n// pnpm-only\n// "pnpm": { "overrides": { "node-ipc": "^12.0.0" } }\n\n// yarn classic / berry\n// "resolutions": { "node-ipc": "^12.0.0" }',
+        compliance: ["SOC2:CC7.1", "SOC2:CC8.1", "PCI-DSS:Req6.2"],
+    },
 ];

package/build/index.js

@@ -889,7 +889,7 @@ server.tool("deep_scan", "LLM-powered deep security analysis for vulnerabilities
     return { content: [{ type: "text", text: output }] };
 });
 // Tool 33: Full audit — single source of truth
-server.tool("full_audit", "Single command that runs ALL checks: code scan (422 rules), secret detection, dependency CVEs, config audit, taint analysis, and auth coverage. Returns PASS/FAIL/WARN verdict with deterministic hash. IMPORTANT: If verdict is FAIL or WARN, you MUST call remediation_plan next to get a section-by-section fix checklist — do NOT skip any section. After fixing, call verify_remediation to confirm ALL sections are addressed. Example: full_audit({path: '.'})", {
+server.tool("full_audit", "Single command that runs ALL checks: code scan (424 rules), secret detection, dependency CVEs, config audit, taint analysis, and auth coverage. Returns PASS/FAIL/WARN verdict with deterministic hash. IMPORTANT: If verdict is FAIL or WARN, you MUST call remediation_plan next to get a section-by-section fix checklist — do NOT skip any section. After fixing, call verify_remediation to confirm ALL sections are addressed. Example: full_audit({path: '.'})", {
     path: z.string().default(".").describe("Project root directory"),
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
     skipDeps: z.boolean().default(false).describe("Skip dependency vulnerability check"),

package/build/tools/full-audit.js

@@ -392,7 +392,7 @@ export async function runFullAudit(path, options) {
     const totalHigh = sections.reduce((s, sec) => s + sec.high, 0);
     const totalMedium = sections.reduce((s, sec) => s + sec.medium, 0);
     const totalFindings = sections.reduce((s, sec) => s + sec.findings, 0);
-    const rulesApplied = rules.length > 0 ? rules.length : 422;
+    const rulesApplied = rules.length > 0 ? rules.length : 424;
     // Adjust score to reflect ALL sections, not just code
     // Each critical finding deducts 5 points, high deducts 3, medium deducts 1
     // Score from code scan is the baseline, other sections reduce it further

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "guardvibe",
-  "version": "3.1.24",
+  "version": "3.1.25",
   "mcpName": "io.github.goklab/guardvibe",
-  "description": "Security MCP for vibe coding. 422 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 60 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068) and model-controlled sandbox-disable flag detection (VG1063).",
+  "description": "Security MCP for vibe coding. 424 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 61 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",