mitnick-cli 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mitnick Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,193 @@
+# mitnick
+
+Pre-install security analysis CLI for npm packages. Analyze packages **before** installation to detect vulnerabilities, malicious code, typosquatting, and supply chain attacks.
+
+Named after [Kevin Mitnick](https://en.wikipedia.org/wiki/Kevin_Mitnick), one of the most famous security experts in history.
+
+## Why?
+
+npm supply chain attacks are escalating. In 2025 alone, packages like `debug` and `chalk` (2.6B+ weekly downloads) were compromised. Existing tools like `npm audit` only work **after** installation — by then, malicious `postinstall` scripts have already executed.
+
+**mitnick** fetches and analyzes package tarballs from the npm registry without ever executing their code. Nothing runs on your machine except mitnick itself.
+
+## Install
+
+```bash
+npm install -g mitnick
+```
+
+Or use directly with npx:
+
+```bash
+npx mitnick check express
+```
+
+## Usage
+
+```bash
+# Check a single package
+mitnick check express
+
+# Check a specific version
+mitnick check express@4.19.2
+
+# Check multiple packages at once
+mitnick check express lodash chalk
+
+# JSON output for scripts and tooling
+mitnick check --json express
+
+# SARIF output for GitHub Security tab
+mitnick check --sarif express
+
+# CI mode — exit code 1 if any finding meets the severity threshold
+mitnick check --fail-on high express
+
+# Verbose output with extra details
+mitnick check --verbose express
+```
+
+## Output
+
+```
+  mitnick v1.0.0 — Security Analysis
+
+  Checking express@4.19.2...
+
+  ✓ Vulnerability Scanner     2 findings
+  ✓ Install Scripts           0 findings
+  ✓ Typosquatting             0 findings
+  ✓ Obfuscation               0 findings
+  ✓ Network Calls             1 finding
+  ✓ Sensitive Data            0 findings
+  ✓ License                   0 findings
+  ✓ Maintainer                1 finding
+  ✓ Dependency Confusion      0 findings
+  ✓ Dormant Package           0 findings
+  ✓ Prototype Pollution       0 findings
+
+  Score: 79/100 (C)
+
+  ┌──────────┬──────────┬──────────────────────────────────────┐
+  │ Severity │ Analyzer │ Finding                              │
+  ├──────────┼──────────┼──────────────────────────────────────┤
+  │ HIGH     │ Vuln     │ CVE-2024-XXXX in qs@6.5.2           │
+  │ MEDIUM   │ Vuln     │ CVE-2024-YYYY in path-to-regexp@0.1 │
+  │ MEDIUM   │ Network  │ Uses http module for outbound calls  │
+  │ LOW      │ Maint    │ Single maintainer (bus factor = 1)   │
+  └──────────┴──────────┴──────────────────────────────────────┘
+
+  Analyzed in 1.2s
+```
+
+## Security Analyzers
+
+mitnick runs 11 security analyzers on every package:
+
+| Analyzer | What it detects |
+|----------|----------------|
+| **Vulnerability Scanner** | Known CVEs via the [OSV](https://osv.dev) database and GitHub Advisory DB |
+| **Install Scripts** | `preinstall`/`postinstall` hooks with suspicious commands (curl, wget, eval, shell spawning) |
+| **Typosquatting** | Package names suspiciously similar to popular packages (Levenshtein distance, character substitution) |
+| **Obfuscation** | High-entropy strings, `eval()`, `new Function()`, Base64 blobs, hex-encoded code |
+| **Network Calls** | `fetch()`, `http.request()`, axios/got imports, hardcoded IP addresses |
+| **Sensitive Data** | `process.env` harvesting, access to `~/.ssh`, `~/.aws`, `~/.npmrc`, credential files |
+| **License** | Missing licenses, copyleft (GPL/AGPL), SPDX compliance |
+| **Maintainer** | Single-maintainer risk (bus factor), new/inactive accounts |
+| **Dependency Confusion** | Public packages mimicking internal/private naming patterns |
+| **Dormant Package** | Packages reactivated after long inactivity (common attack vector) |
+| **Prototype Pollution** | `__proto__` access, `Object.prototype` mutation, unsafe merge functions |
+
+## Scoring
+
+Each package gets a score from 0 to 100 based on findings:
+
+| Severity | Points deducted |
+|----------|----------------|
+| Critical | -25 |
+| High | -15 |
+| Medium | -8 |
+| Low | -3 |
+| Info | 0 |
+
+| Score | Grade |
+|-------|-------|
+| 90-100 | A |
+| 80-89 | B |
+| 70-79 | C |
+| 50-69 | D |
+| 0-49 | F |
+
+## CI/CD Integration
+
+### Exit codes
+
+Use `--fail-on` to fail your pipeline when findings meet a severity threshold:
+
+```bash
+# Fail if any critical or high severity finding exists
+mitnick check --fail-on high express
+```
+
+Exit code `1` means findings were found at or above the threshold. Exit code `0` means the package passed.
+
+### GitHub Actions
+
+```yaml
+- name: Security check dependencies
+  run: npx mitnick check --fail-on medium $(cat package.json | jq -r '.dependencies | keys[]')
+```
+
+### SARIF upload to GitHub Security tab
+
+```yaml
+- name: Run mitnick
+  run: npx mitnick check --sarif express > results.sarif
+
+- name: Upload SARIF
+  uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
+```
+
+## Requirements
+
+- Node.js >= 18.0.0
+
+## Development
+
+```bash
+# Clone and install
+git clone https://github.com/your-username/mitnick.git
+cd mitnick
+npm install
+
+# Build
+npm run build
+
+# Run tests (298 tests)
+npm test
+
+# Run tests with coverage
+npm run test:coverage
+
+# Type check
+npm run typecheck
+```
+
+## Architecture
+
+```
+src/
+├── cli/          CLI entry point, commands, formatters (terminal/JSON/SARIF)
+├── core/         Analysis engine, scoring system, shared types
+├── registry/     npm registry client, tarball download and extraction
+├── analyzers/    11 security analyzers (each implements Analyzer interface)
+└── utils/        AST parsing, HTTP client, filesystem helpers, logger
+```
+
+All analyzers implement a shared `Analyzer` interface and are executed in parallel. Adding a new analyzer requires zero changes to existing code (Open/Closed Principle).
+
+## License
+
+[MIT](LICENSE)

package/dist/analyzers/analyzer.interface.d.ts

@@ -0,0 +1,32 @@
+import type { AnalysisContext, AnalyzerResult } from '../core/types.js';
+/**
+ * Contract for all security analyzers.
+ *
+ * Each analyzer is a self-contained strategy that examines a specific
+ * security concern. Analyzers are registered with the engine and executed
+ * in parallel during analysis.
+ *
+ * To add a new analyzer:
+ * 1. Create a new directory under src/analyzers/
+ * 2. Implement this interface
+ * 3. Register it in analyzer.registry.ts
+ *
+ * No existing code needs to change (Open/Closed Principle).
+ */
+export interface Analyzer {
+    /** Unique identifier for this analyzer (e.g., "vulnerability-scanner") */
+    readonly name: string;
+    /** Human-readable description shown in reports */
+    readonly description: string;
+    /**
+     * Analyze a package and return findings.
+     *
+     * Implementations must:
+     * - Never throw — catch errors and return empty findings with a warning
+     * - Never execute code from the analyzed package
+     * - Be stateless — no side effects between calls
+     * - Return duration in milliseconds
+     */
+    analyze(context: AnalysisContext): Promise<AnalyzerResult>;
+}
+//# sourceMappingURL=analyzer.interface.d.ts.map

package/dist/analyzers/analyzer.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.interface.d.ts","sourceRoot":"","sources":["../../src/analyzers/analyzer.interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAExE;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,QAAQ;IACvB,0EAA0E;IAC1E,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,kDAAkD;IAClD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B;;;;;;;;OAQG;IACH,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;CAC5D"}

package/dist/analyzers/analyzer.interface.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=analyzer.interface.js.map

package/dist/analyzers/analyzer.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.interface.js","sourceRoot":"","sources":["../../src/analyzers/analyzer.interface.ts"],"names":[],"mappings":""}

package/dist/analyzers/analyzer.registry.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Analyzer registry — factory that creates all analyzer instances.
+ *
+ * Each analyzer is imported from its own directory and instantiated
+ * with a no-arg constructor. Adding a new analyzer requires only
+ * adding an import and appending to the array (Open/Closed Principle).
+ */
+import type { Analyzer } from './analyzer.interface.js';
+/**
+ * Create and return all registered analyzer instances.
+ *
+ * Returns a readonly array to prevent mutation of the registry
+ * after creation. The engine receives this array via DI.
+ */
+export declare function createAnalyzers(): readonly Analyzer[];
+//# sourceMappingURL=analyzer.registry.d.ts.map

package/dist/analyzers/analyzer.registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.registry.d.ts","sourceRoot":"","sources":["../../src/analyzers/analyzer.registry.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AAaxD;;;;;GAKG;AACH,wBAAgB,eAAe,IAAI,SAAS,QAAQ,EAAE,CAcrD"}

package/dist/analyzers/analyzer.registry.js

@@ -0,0 +1,40 @@
+/**
+ * Analyzer registry — factory that creates all analyzer instances.
+ *
+ * Each analyzer is imported from its own directory and instantiated
+ * with a no-arg constructor. Adding a new analyzer requires only
+ * adding an import and appending to the array (Open/Closed Principle).
+ */
+import { VulnerabilityAnalyzer } from './vulnerability/index.js';
+import { InstallScriptAnalyzer } from './install-scripts/index.js';
+import { TyposquattingAnalyzer } from './typosquatting/index.js';
+import { ObfuscationAnalyzer } from './obfuscation/index.js';
+import { NetworkCallsAnalyzer } from './network-calls/index.js';
+import { SensitiveDataAnalyzer } from './sensitive-data/index.js';
+import { LicenseAnalyzer } from './license/index.js';
+import { MaintainerAnalyzer } from './maintainer/index.js';
+import { DependencyConfusionAnalyzer } from './dependency-confusion/index.js';
+import { DormantPackageAnalyzer } from './dormant-package/index.js';
+import { PrototypePollutionAnalyzer } from './prototype-pollution/index.js';
+/**
+ * Create and return all registered analyzer instances.
+ *
+ * Returns a readonly array to prevent mutation of the registry
+ * after creation. The engine receives this array via DI.
+ */
+export function createAnalyzers() {
+    return [
+        new VulnerabilityAnalyzer(),
+        new InstallScriptAnalyzer(),
+        new TyposquattingAnalyzer(),
+        new ObfuscationAnalyzer(),
+        new NetworkCallsAnalyzer(),
+        new SensitiveDataAnalyzer(),
+        new LicenseAnalyzer(),
+        new MaintainerAnalyzer(),
+        new DependencyConfusionAnalyzer(),
+        new DormantPackageAnalyzer(),
+        new PrototypePollutionAnalyzer(),
+    ];
+}
+//# sourceMappingURL=analyzer.registry.js.map

package/dist/analyzers/analyzer.registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.registry.js","sourceRoot":"","sources":["../../src/analyzers/analyzer.registry.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AACjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,2BAA2B,EAAE,MAAM,iCAAiC,CAAC;AAC9E,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,gCAAgC,CAAC;AAE5E;;;;;GAKG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO;QACL,IAAI,qBAAqB,EAAE;QAC3B,IAAI,qBAAqB,EAAE;QAC3B,IAAI,qBAAqB,EAAE;QAC3B,IAAI,mBAAmB,EAAE;QACzB,IAAI,oBAAoB,EAAE;QAC1B,IAAI,qBAAqB,EAAE;QAC3B,IAAI,eAAe,EAAE;QACrB,IAAI,kBAAkB,EAAE;QACxB,IAAI,2BAA2B,EAAE;QACjC,IAAI,sBAAsB,EAAE;QAC5B,IAAI,0BAA0B,EAAE;KACxB,CAAC;AACb,CAAC"}

package/dist/analyzers/dependency-confusion/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Dependency Confusion Analyzer — detects packages that may be exploiting
+ * dependency confusion by mimicking internal/private package naming patterns.
+ */
+import type { Analyzer } from '../analyzer.interface.js';
+import type { AnalysisContext, AnalyzerResult } from '../../core/types.js';
+export declare class DependencyConfusionAnalyzer implements Analyzer {
+    readonly name = "dependency-confusion";
+    readonly description = "Detects packages that may exploit dependency confusion attacks";
+    analyze(context: AnalysisContext): Promise<AnalyzerResult>;
+    private isRecentlyPublished;
+    private hasOrgLookingSegments;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/dependency-confusion/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/dependency-confusion/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAW,MAAM,qBAAqB,CAAC;AAkCpF,qBAAa,2BAA4B,YAAW,QAAQ;IAC1D,QAAQ,CAAC,IAAI,0BAA0B;IACvC,QAAQ,CAAC,WAAW,oEAAoE;IAExF,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;IAiG1D,OAAO,CAAC,mBAAmB;IAe3B,OAAO,CAAC,qBAAqB;CAsB9B"}

package/dist/analyzers/dependency-confusion/index.js

@@ -0,0 +1,147 @@
+/**
+ * Dependency Confusion Analyzer — detects packages that may be exploiting
+ * dependency confusion by mimicking internal/private package naming patterns.
+ */
+import { logger } from '../../utils/logger.js';
+// ─── Constants ────────────────────────────────────────────
+/** Suffixes commonly used for internal packages. */
+const INTERNAL_SUFFIXES = [
+    '-internal',
+    '-private',
+    '-corp',
+    '-enterprise',
+    '-dev',
+    '-staging',
+    '-infra',
+    '-platform',
+    '-core-internal',
+    '-sdk-internal',
+];
+/** Prefixes commonly used for company/org internal packages. */
+const ORG_PREFIXES = [
+    'company-',
+    'corp-',
+    'internal-',
+    'private-',
+    'enterprise-',
+    'intranet-',
+];
+/** Maximum age in days for a "very recently published" package. */
+const RECENT_PUBLISH_DAYS = 30;
+// ─── Analyzer ─────────────────────────────────────────────
+export class DependencyConfusionAnalyzer {
+    name = 'dependency-confusion';
+    description = 'Detects packages that may exploit dependency confusion attacks';
+    analyze(context) {
+        const start = performance.now();
+        const findings = [];
+        try {
+            const packageName = context.packageName;
+            // Skip scoped packages — they're namespaced and less vulnerable to confusion
+            if (packageName.startsWith('@')) {
+                return Promise.resolve({
+                    analyzer: this.name,
+                    findings: [],
+                    duration: performance.now() - start,
+                });
+            }
+            const lowerName = packageName.toLowerCase();
+            // Check for internal-looking suffixes
+            const matchedSuffix = INTERNAL_SUFFIXES.find((suffix) => lowerName.endsWith(suffix));
+            if (matchedSuffix !== undefined) {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'high',
+                    title: `Package name suggests internal origin: "${matchedSuffix}" suffix`,
+                    description: `The package name "${packageName}" ends with "${matchedSuffix}", ` +
+                        'which is commonly used for internal/private packages. ' +
+                        'This public package may be attempting a dependency confusion attack.',
+                    recommendation: 'Verify this is the intended package and not a malicious squatter ' +
+                        'targeting your internal package name.',
+                });
+            }
+            // Check for org-like prefixes
+            const matchedPrefix = ORG_PREFIXES.find((prefix) => lowerName.startsWith(prefix));
+            if (matchedPrefix !== undefined) {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'high',
+                    title: `Package name suggests organizational origin: "${matchedPrefix}" prefix`,
+                    description: `The package name "${packageName}" starts with "${matchedPrefix}", ` +
+                        'which mimics organizational/internal naming conventions. ' +
+                        'A public package with this naming pattern may be a dependency confusion attempt.',
+                    recommendation: 'Confirm this package is from a trusted source, not mimicking an internal dependency.',
+                });
+            }
+            // Check for very recently published packages with organizational naming
+            const isRecentlyPublished = this.isRecentlyPublished(context);
+            const hasOrgNaming = matchedSuffix !== undefined || matchedPrefix !== undefined;
+            if (isRecentlyPublished && hasOrgNaming) {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'high',
+                    title: 'Recently published package with internal naming pattern',
+                    description: `The package "${packageName}" was recently published and uses naming conventions ` +
+                        'typical of internal packages. This strongly suggests a dependency confusion attack.',
+                    recommendation: 'Do NOT install this package without verifying it is not targeting your internal dependencies.',
+                });
+            }
+            // Check for recently published + few versions (suspicious new package)
+            if (isRecentlyPublished && context.registryMetadata.versions.length <= 2 && !hasOrgNaming) {
+                // Only flag if the name also looks somewhat organizational
+                if (this.hasOrgLookingSegments(lowerName)) {
+                    findings.push({
+                        analyzer: this.name,
+                        severity: 'medium',
+                        title: 'New package with organizational naming segments',
+                        description: `The package "${packageName}" was recently published with few versions ` +
+                            'and contains segments that look like organizational identifiers.',
+                        recommendation: 'Verify the package origin and ensure it is not a dependency confusion attempt.',
+                    });
+                }
+            }
+        }
+        catch (error) {
+            logger.warn(`[${this.name}] Unexpected error: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        return Promise.resolve({
+            analyzer: this.name,
+            findings,
+            duration: performance.now() - start,
+        });
+    }
+    isRecentlyPublished(context) {
+        const { publishedAt, timeMap, version } = context.registryMetadata;
+        // Try the specific version's publish time first
+        const versionTime = timeMap[version];
+        const timeStr = versionTime ?? publishedAt;
+        if (timeStr === undefined || timeStr === '')
+            return false;
+        const publishDate = new Date(timeStr);
+        const now = new Date();
+        const ageInDays = (now.getTime() - publishDate.getTime()) / (1000 * 60 * 60 * 24);
+        return ageInDays < RECENT_PUBLISH_DAYS;
+    }
+    hasOrgLookingSegments(name) {
+        const segments = name.split('-');
+        const orgIndicators = [
+            'team',
+            'org',
+            'dept',
+            'group',
+            'division',
+            'unit',
+            'service',
+            'svc',
+            'api',
+            'lib',
+            'util',
+            'utils',
+            'common',
+            'shared',
+            'infra',
+        ];
+        return segments.some((segment) => orgIndicators.includes(segment));
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/analyzers/dependency-confusion/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/dependency-confusion/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE/C,6DAA6D;AAE7D,oDAAoD;AACpD,MAAM,iBAAiB,GAAsB;IAC3C,WAAW;IACX,UAAU;IACV,OAAO;IACP,aAAa;IACb,MAAM;IACN,UAAU;IACV,QAAQ;IACR,WAAW;IACX,gBAAgB;IAChB,eAAe;CAChB,CAAC;AAEF,gEAAgE;AAChE,MAAM,YAAY,GAAsB;IACtC,UAAU;IACV,OAAO;IACP,WAAW;IACX,UAAU;IACV,aAAa;IACb,WAAW;CACZ,CAAC;AAEF,mEAAmE;AACnE,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,6DAA6D;AAE7D,MAAM,OAAO,2BAA2B;IAC7B,IAAI,GAAG,sBAAsB,CAAC;IAC9B,WAAW,GAAG,gEAAgE,CAAC;IAExF,OAAO,CAAC,OAAwB;QAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;YAExC,6EAA6E;YAC7E,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,OAAO,CAAC;oBACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,EAAE;oBACZ,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC,CAAC;YACL,CAAC;YAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;YAE5C,sCAAsC;YACtC,MAAM,aAAa,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YACrF,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,2CAA2C,aAAa,UAAU;oBACzE,WAAW,EACT,qBAAqB,WAAW,gBAAgB,aAAa,KAAK;wBAClE,wDAAwD;wBACxD,sEAAsE;oBACxE,cAAc,EACZ,mEAAmE;wBACnE,uCAAuC;iBAC1C,CAAC,CAAC;YACL,CAAC;YAED,8BAA8B;YAC9B,MAAM,aAAa,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;YAClF,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,iDAAiD,aAAa,UAAU;oBAC/E,WAAW,EACT,qBAAqB,WAAW,kBAAkB,aAAa,KAAK;wBACpE,2DAA2D;wBAC3D,kFAAkF;oBACpF,cAAc,EACZ,sFAAsF;iBACzF,CAAC,CAAC;YACL,CAAC;YAED,wEAAwE;YACxE,MAAM,mBAAmB,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC;YAC9D,MAAM,YAAY,GAAG,aAAa,KAAK,SAAS,IAAI,aAAa,KAAK,SAAS,CAAC;YAEhF,IAAI,mBAAmB,IAAI,YAAY,EAAE,CAAC;gBACxC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,yDAAyD;oBAChE,WAAW,EACT,gBAAgB,WAAW,uDAAuD;wBAClF,qFAAqF;oBACvF,cAAc,EACZ,+FAA+F;iBAClG,CAAC,CAAC;YACL,CAAC;YAED,uEAAuE;YACvE,IAAI,mBAAmB,IAAI,OAAO,CAAC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBAC1F,2DAA2D;gBAC3D,IAAI,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,EAAE,CAAC;oBAC1C,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,QAAQ,EAAE,QAAQ;wBAClB,KAAK,EAAE,iDAAiD;wBACxD,WAAW,EACT,gBAAgB,WAAW,6CAA6C;4BACxE,kEAAkE;wBACpE,cAAc,EACZ,gFAAgF;qBACnF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7F,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ;YACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC,CAAC;IACL,CAAC;IAEO,mBAAmB,CAAC,OAAwB;QAClD,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAEnE,gDAAgD;QAChD,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,WAAW,IAAI,WAAW,CAAC;QAC3C,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,EAAE;YAAE,OAAO,KAAK,CAAC;QAE1D,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;QAElF,OAAO,SAAS,GAAG,mBAAmB,CAAC;IACzC,CAAC;IAEO,qBAAqB,CAAC,IAAY;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,aAAa,GAAG;YACpB,MAAM;YACN,KAAK;YACL,MAAM;YACN,OAAO;YACP,UAAU;YACV,MAAM;YACN,SAAS;YACT,KAAK;YACL,KAAK;YACL,KAAK;YACL,MAAM;YACN,OAAO;YACP,QAAQ;YACR,QAAQ;YACR,OAAO;SACR,CAAC;QAEF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACrE,CAAC;CACF"}

package/dist/analyzers/dormant-package/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Dormant Package Analyzer — detects packages that were reactivated after
+ * a long period of inactivity, which may indicate a hijacked or compromised package.
+ */
+import type { Analyzer } from '../analyzer.interface.js';
+import type { AnalysisContext, AnalyzerResult } from '../../core/types.js';
+export declare class DormantPackageAnalyzer implements Analyzer {
+    readonly name = "dormant-package";
+    readonly description = "Detects packages reactivated after long periods of inactivity";
+    analyze(context: AnalysisContext): Promise<AnalyzerResult>;
+    private buildSortedVersionDates;
+    private checkHistoricalGaps;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/dormant-package/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/dormant-package/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAW,MAAM,qBAAqB,CAAC;AAoBpF,qBAAa,sBAAuB,YAAW,QAAQ;IACrD,QAAQ,CAAC,IAAI,qBAAqB;IAClC,QAAQ,CAAC,WAAW,mEAAmE;IAEvF,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;IAmG1D,OAAO,CAAC,uBAAuB;IAqB/B,OAAO,CAAC,mBAAmB;CA8B5B"}

package/dist/analyzers/dormant-package/index.js

@@ -0,0 +1,137 @@
+/**
+ * Dormant Package Analyzer — detects packages that were reactivated after
+ * a long period of inactivity, which may indicate a hijacked or compromised package.
+ */
+import { logger } from '../../utils/logger.js';
+// ─── Constants ────────────────────────────────────────────
+/** Minimum gap in days to consider a package dormant. */
+const DORMANCY_THRESHOLD_DAYS = 365;
+/** Milliseconds per day. */
+const MS_PER_DAY = 1000 * 60 * 60 * 24;
+// ─── Analyzer ─────────────────────────────────────────────
+export class DormantPackageAnalyzer {
+    name = 'dormant-package';
+    description = 'Detects packages reactivated after long periods of inactivity';
+    analyze(context) {
+        const start = performance.now();
+        const findings = [];
+        try {
+            const { versions, timeMap, maintainers } = context.registryMetadata;
+            if (versions.length < 2) {
+                // Need at least 2 versions to check for dormancy gaps
+                return Promise.resolve({
+                    analyzer: this.name,
+                    findings: [],
+                    duration: performance.now() - start,
+                });
+            }
+            // Build a sorted list of (version, date) pairs
+            const versionDates = this.buildSortedVersionDates(versions, timeMap);
+            if (versionDates.length < 2) {
+                return Promise.resolve({
+                    analyzer: this.name,
+                    findings: [],
+                    duration: performance.now() - start,
+                });
+            }
+            // Check the gap between the latest version and the one before it
+            const latest = versionDates[versionDates.length - 1];
+            const previous = versionDates[versionDates.length - 2];
+            if (!latest || !previous) {
+                return Promise.resolve({
+                    analyzer: this.name,
+                    findings: [],
+                    duration: performance.now() - start,
+                });
+            }
+            const gapDays = Math.floor((latest.date.getTime() - previous.date.getTime()) / MS_PER_DAY);
+            if (gapDays > DORMANCY_THRESHOLD_DAYS) {
+                const gapMonths = Math.floor(gapDays / 30);
+                const gapYears = (gapDays / 365).toFixed(1);
+                // Check if we're looking at the current version
+                const isCurrentVersion = latest.version === context.version ||
+                    latest.version === context.registryMetadata.distTags['latest'];
+                if (isCurrentVersion) {
+                    findings.push({
+                        analyzer: this.name,
+                        severity: 'medium',
+                        title: `Package reactivated after ${gapMonths} months of dormancy`,
+                        description: `The latest version (${latest.version}) was published on ` +
+                            `${latest.date.toISOString().split('T')[0] ?? 'unknown'} after a gap of ${gapDays} days ` +
+                            `(~${gapYears} years) since the previous version (${previous.version}, ` +
+                            `published ${previous.date.toISOString().split('T')[0] ?? 'unknown'}). ` +
+                            'Reactivation after long dormancy can indicate a hijacked package.',
+                        recommendation: 'Review the changelog and recent commits. Verify the maintainer identity ' +
+                            'and check for unexpected changes in package behavior.',
+                    });
+                    // Check if maintainer list looks different (heuristic: very few maintainers
+                    // combined with dormancy is extra suspicious)
+                    if (maintainers.length === 1) {
+                        findings.push({
+                            analyzer: this.name,
+                            severity: 'high',
+                            title: 'Dormant package reactivated by single maintainer',
+                            description: `The package was dormant for ${gapDays} days and is now maintained by a single person ` +
+                                `(${maintainers[0]?.name ?? 'unknown'}). This pattern is consistent with package takeover.`,
+                            recommendation: 'Verify the maintainer identity. Compare with previous version maintainers ' +
+                                'if possible. Consider alternatives if the package seems compromised.',
+                        });
+                    }
+                }
+                // Also check for large gaps anywhere in the version history
+                this.checkHistoricalGaps(versionDates, findings);
+            }
+        }
+        catch (error) {
+            logger.warn(`[${this.name}] Unexpected error: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        return Promise.resolve({
+            analyzer: this.name,
+            findings,
+            duration: performance.now() - start,
+        });
+    }
+    buildSortedVersionDates(versions, timeMap) {
+        const result = [];
+        for (const version of versions) {
+            const timeStr = timeMap[version];
+            if (timeStr === undefined || timeStr === '')
+                continue;
+            const date = new Date(timeStr);
+            if (isNaN(date.getTime()))
+                continue;
+            result.push({ version, date });
+        }
+        // Sort by date ascending
+        result.sort((a, b) => a.date.getTime() - b.date.getTime());
+        return result;
+    }
+    checkHistoricalGaps(versionDates, findings) {
+        // Find the largest historical gap (excluding the latest, already checked above)
+        let maxGap = 0;
+        let maxGapStart;
+        let maxGapEnd;
+        for (let i = 1; i < versionDates.length - 1; i++) {
+            const prev = versionDates[i - 1];
+            const curr = versionDates[i];
+            if (!prev || !curr)
+                continue;
+            const gap = (curr.date.getTime() - prev.date.getTime()) / MS_PER_DAY;
+            if (gap > maxGap) {
+                maxGap = gap;
+                maxGapStart = prev;
+                maxGapEnd = curr;
+            }
+        }
+        if (maxGap > DORMANCY_THRESHOLD_DAYS * 2 && maxGapStart && maxGapEnd) {
+            findings.push({
+                analyzer: this.name,
+                severity: 'info',
+                title: `Historical dormancy gap: ${Math.floor(maxGap)} days`,
+                description: `Between versions ${maxGapStart.version} and ${maxGapEnd.version}, ` +
+                    `there was a gap of ${Math.floor(maxGap)} days.`,
+            });
+        }
+    }
+}
+//# sourceMappingURL=index.js.map