mitnick-cli 1.0.0

package/dist/analyzers/network-calls/index.js

@@ -0,0 +1,212 @@
+/**
+ * Network Call Analyzer — detects outbound HTTP requests, WebSocket
+ * connections, hardcoded IPs, and imports of networking libraries.
+ */
+import { parseSource, walkAST, getNodeLine, isCallTo, optionalLine } from '../../utils/ast.js';
+import { FileBasedAnalyzer } from '../file-based-analyzer.js';
+// ─── Constants ────────────────────────────────────────────
+const NETWORKING_MODULES = new Set([
+    'axios',
+    'got',
+    'node-fetch',
+    'request',
+    'superagent',
+    'urllib',
+    'undici',
+    'ky',
+    'bent',
+    'phin',
+]);
+const HARDCODED_IP_REGEX = /\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b/g;
+/** IPs that are generally safe / not suspicious. */
+const SAFE_IPS = new Set(['127.0.0.1', '0.0.0.0', '255.255.255.255']);
+// ─── Analyzer ─────────────────────────────────────────────
+export class NetworkCallsAnalyzer extends FileBasedAnalyzer {
+    name = 'network-calls';
+    description = 'Detects outbound network requests, hardcoded IPs, and networking library imports';
+    analyzeFile(source, relPath) {
+        const findings = [];
+        findings.push(...this.detectNetworkAPIs(source, relPath));
+        findings.push(...this.detectNetworkImports(source, relPath));
+        findings.push(...this.detectHardcodedIPs(source, relPath));
+        return findings;
+    }
+    detectNetworkAPIs(source, relPath) {
+        const findings = [];
+        const parsed = parseSource(source, relPath);
+        if (!parsed.ok)
+            return findings;
+        const seenAPIs = new Set();
+        walkAST(parsed.ast, (node) => {
+            // fetch()
+            if (isCallTo(node, 'fetch') && !seenAPIs.has('fetch')) {
+                seenAPIs.add('fetch');
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'medium',
+                    title: 'fetch() call detected',
+                    description: 'The package makes outbound HTTP requests using the fetch API.',
+                    file: relPath,
+                    ...optionalLine(getNodeLine(node)),
+                    recommendation: 'Verify the fetch targets are expected and not exfiltrating data.',
+                });
+            }
+            // http.request(), http.get(), https.request(), https.get()
+            if (node.type === 'CallExpression') {
+                const callee = node['callee'];
+                if (typeof callee === 'object' && callee !== null) {
+                    const calleeNode = callee;
+                    if (calleeNode['type'] === 'MemberExpression') {
+                        const obj = calleeNode['object'];
+                        const prop = calleeNode['property'];
+                        if (obj?.['type'] === 'Identifier' &&
+                            (obj['name'] === 'http' || obj['name'] === 'https') &&
+                            prop?.['type'] === 'Identifier' &&
+                            (prop['name'] === 'request' || prop['name'] === 'get')) {
+                            const apiName = `${obj['name']}.${prop['name']}`;
+                            if (!seenAPIs.has(apiName)) {
+                                seenAPIs.add(apiName);
+                                findings.push({
+                                    analyzer: this.name,
+                                    severity: 'medium',
+                                    title: `${apiName}() call detected`,
+                                    description: `The package uses Node.js ${apiName}() for outbound HTTP requests.`,
+                                    file: relPath,
+                                    ...optionalLine(getNodeLine(node)),
+                                    recommendation: 'Verify that the HTTP targets are expected endpoints.',
+                                });
+                            }
+                        }
+                    }
+                }
+            }
+            // XMLHttpRequest
+            if (node.type === 'NewExpression' &&
+                typeof node['callee'] === 'object' &&
+                node['callee'] !== null &&
+                node['callee']['type'] === 'Identifier' &&
+                node['callee']['name'] === 'XMLHttpRequest' &&
+                !seenAPIs.has('XMLHttpRequest')) {
+                seenAPIs.add('XMLHttpRequest');
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'medium',
+                    title: 'XMLHttpRequest usage detected',
+                    description: 'The package creates XMLHttpRequest instances for HTTP communication.',
+                    file: relPath,
+                    ...optionalLine(getNodeLine(node)),
+                    recommendation: 'Review the network communication targets.',
+                });
+            }
+            // new WebSocket(...)
+            if (node.type === 'NewExpression' &&
+                typeof node['callee'] === 'object' &&
+                node['callee'] !== null &&
+                node['callee']['type'] === 'Identifier' &&
+                node['callee']['name'] === 'WebSocket' &&
+                !seenAPIs.has('WebSocket')) {
+                seenAPIs.add('WebSocket');
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'medium',
+                    title: 'WebSocket connection detected',
+                    description: 'The package creates WebSocket connections for real-time communication.',
+                    file: relPath,
+                    ...optionalLine(getNodeLine(node)),
+                    recommendation: 'Verify the WebSocket server URL and intended use.',
+                });
+            }
+        });
+        return findings;
+    }
+    detectNetworkImports(source, relPath) {
+        const findings = [];
+        const parsed = parseSource(source, relPath);
+        if (!parsed.ok)
+            return findings;
+        const seenImports = new Set();
+        walkAST(parsed.ast, (node) => {
+            // import declarations: import axios from 'axios'
+            if (node.type === 'ImportDeclaration') {
+                const moduleSource = node['source'];
+                if (typeof moduleSource === 'object' && moduleSource !== null) {
+                    const value = moduleSource['value'];
+                    if (typeof value === 'string' &&
+                        NETWORKING_MODULES.has(value) &&
+                        !seenImports.has(value)) {
+                        seenImports.add(value);
+                        findings.push({
+                            analyzer: this.name,
+                            severity: 'medium',
+                            title: `Networking library imported: ${value}`,
+                            description: `The package imports "${value}", an HTTP networking library.`,
+                            file: relPath,
+                            ...optionalLine(getNodeLine(node)),
+                            recommendation: 'Review how this library is used in the package.',
+                        });
+                    }
+                }
+            }
+            // require() calls: const axios = require('axios')
+            if (isCallTo(node, 'require')) {
+                const args = node['arguments'];
+                if (Array.isArray(args) && args.length > 0) {
+                    const firstArg = args[0];
+                    if (firstArg?.['type'] === 'Literal' && typeof firstArg['value'] === 'string') {
+                        const moduleName = firstArg['value'];
+                        if (NETWORKING_MODULES.has(moduleName) && !seenImports.has(moduleName)) {
+                            seenImports.add(moduleName);
+                            findings.push({
+                                analyzer: this.name,
+                                severity: 'medium',
+                                title: `Networking library required: ${moduleName}`,
+                                description: `The package requires "${moduleName}", an HTTP networking library.`,
+                                file: relPath,
+                                ...optionalLine(getNodeLine(node)),
+                                recommendation: 'Review how this library is used in the package.',
+                            });
+                        }
+                    }
+                }
+            }
+        });
+        return findings;
+    }
+    detectHardcodedIPs(source, relPath) {
+        const findings = [];
+        const seenIPs = new Set();
+        const lines = source.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (line === undefined)
+                continue;
+            let match;
+            HARDCODED_IP_REGEX.lastIndex = 0;
+            while ((match = HARDCODED_IP_REGEX.exec(line)) !== null) {
+                const ip = match[1];
+                if (ip === undefined || SAFE_IPS.has(ip) || seenIPs.has(ip))
+                    continue;
+                const octets = ip.split('.');
+                const isValidIP = octets.every((o) => {
+                    const n = parseInt(o, 10);
+                    return n >= 0 && n <= 255;
+                });
+                if (!isValidIP)
+                    continue;
+                seenIPs.add(ip);
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'high',
+                    title: `Hardcoded IP address: ${ip}`,
+                    description: `A hardcoded IP address (${ip}) was found. ` +
+                        'Hardcoded IPs in packages may indicate data exfiltration or C2 communication.',
+                    file: relPath,
+                    line: i + 1,
+                    recommendation: 'Investigate what this IP address is used for.',
+                });
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/analyzers/network-calls/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/network-calls/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC/F,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE9D,6DAA6D;AAE7D,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,OAAO;IACP,KAAK;IACL,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,QAAQ;IACR,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,MAAM;CACP,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,2CAA2C,CAAC;AAEvE,oDAAoD;AACpD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,SAAS,EAAE,iBAAiB,CAAC,CAAC,CAAC;AAEtE,6DAA6D;AAE7D,MAAM,OAAO,oBAAqB,SAAQ,iBAAiB;IAChD,IAAI,GAAG,eAAe,CAAC;IACvB,WAAW,GAClB,kFAAkF,CAAC;IAE3E,WAAW,CAAC,MAAc,EAAE,OAAe;QACnD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAC7D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAE3D,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,iBAAiB,CAAC,MAAc,EAAE,OAAe;QACvD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,CAAC,EAAE;YAAE,OAAO,QAAQ,CAAC;QAEhC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QAEnC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,EAAE;YAC3B,UAAU;YACV,IAAI,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtD,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACtB,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,uBAAuB;oBAC9B,WAAW,EAAE,+DAA+D;oBAC5E,IAAI,EAAE,OAAO;oBACb,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;oBAClC,cAAc,EAAE,kEAAkE;iBACnF,CAAC,CAAC;YACL,CAAC;YAED,2DAA2D;YAC3D,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;gBACnC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC9B,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;oBAClD,MAAM,UAAU,GAAG,MAAiC,CAAC;oBACrD,IAAI,UAAU,CAAC,MAAM,CAAC,KAAK,kBAAkB,EAAE,CAAC;wBAC9C,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,CAAwC,CAAC;wBACxE,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,CAAwC,CAAC;wBAC3E,IACE,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,YAAY;4BAC9B,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,OAAO,CAAC;4BACnD,IAAI,EAAE,CAAC,MAAM,CAAC,KAAK,YAAY;4BAC/B,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,KAAK,CAAC,EACtD,CAAC;4BACD,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,MAAM,CAAW,IAAI,IAAI,CAAC,MAAM,CAAW,EAAE,CAAC;4BACrE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gCAC3B,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gCACtB,QAAQ,CAAC,IAAI,CAAC;oCACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oCACnB,QAAQ,EAAE,QAAQ;oCAClB,KAAK,EAAE,GAAG,OAAO,kBAAkB;oCACnC,WAAW,EAAE,4BAA4B,OAAO,gCAAgC;oCAChF,IAAI,EAAE,OAAO;oCACb,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;oCAClC,cAAc,EAAE,sDAAsD;iCACvE,CAAC,CAAC;4BACL,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,iBAAiB;YACjB,IACE,IAAI,CAAC,IAAI,KAAK,eAAe;gBAC7B,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,QAAQ;gBAClC,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI;gBACtB,IAAI,CAAC,QAAQ,CAA6B,CAAC,MAAM,CAAC,KAAK,YAAY;gBACnE,IAAI,CAAC,QAAQ,CAA6B,CAAC,MAAM,CAAC,KAAK,gBAAgB;gBACxE,CAAC,QAAQ,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAC/B,CAAC;gBACD,QAAQ,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;gBAC/B,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,+BAA+B;oBACtC,WAAW,EAAE,sEAAsE;oBACnF,IAAI,EAAE,OAAO;oBACb,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;oBAClC,cAAc,EAAE,2CAA2C;iBAC5D,CAAC,CAAC;YACL,CAAC;YAED,qBAAqB;YACrB,IACE,IAAI,CAAC,IAAI,KAAK,eAAe;gBAC7B,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,QAAQ;gBAClC,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI;gBACtB,IAAI,CAAC,QAAQ,CAA6B,CAAC,MAAM,CAAC,KAAK,YAAY;gBACnE,IAAI,CAAC,QAAQ,CAA6B,CAAC,MAAM,CAAC,KAAK,WAAW;gBACnE,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,EAC1B,CAAC;gBACD,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBAC1B,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,+BAA+B;oBACtC,WAAW,EAAE,wEAAwE;oBACrF,IAAI,EAAE,OAAO;oBACb,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;oBAClC,cAAc,EAAE,mDAAmD;iBACpE,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,oBAAoB,CAAC,MAAc,EAAE,OAAe;QAC1D,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,CAAC,EAAE;YAAE,OAAO,QAAQ,CAAC;QAEhC,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;QAEtC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,EAAE;YAC3B,iDAAiD;YACjD,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACtC,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACpC,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;oBAC9D,MAAM,KAAK,GAAI,YAAwC,CAAC,OAAO,CAAC,CAAC;oBACjE,IACE,OAAO,KAAK,KAAK,QAAQ;wBACzB,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC;wBAC7B,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EACvB,CAAC;wBACD,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;wBACvB,QAAQ,CAAC,IAAI,CAAC;4BACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,QAAQ,EAAE,QAAQ;4BAClB,KAAK,EAAE,gCAAgC,KAAK,EAAE;4BAC9C,WAAW,EAAE,wBAAwB,KAAK,gCAAgC;4BAC1E,IAAI,EAAE,OAAO;4BACb,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;4BAClC,cAAc,EAAE,iDAAiD;yBAClE,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,kDAAkD;YAClD,IAAI,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;gBAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;gBAC/B,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAwC,CAAC;oBAChE,IAAI,QAAQ,EAAE,CAAC,MAAM,CAAC,KAAK,SAAS,IAAI,OAAO,QAAQ,CAAC,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;wBAC9E,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;wBACrC,IAAI,kBAAkB,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;4BACvE,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;4BAC5B,QAAQ,CAAC,IAAI,CAAC;gCACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;gCACnB,QAAQ,EAAE,QAAQ;gCAClB,KAAK,EAAE,gCAAgC,UAAU,EAAE;gCACnD,WAAW,EAAE,yBAAyB,UAAU,gCAAgC;gCAChF,IAAI,EAAE,OAAO;gCACb,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;gCAClC,cAAc,EAAE,iDAAiD;6BAClE,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,kBAAkB,CAAC,MAAc,EAAE,OAAe;QACxD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;QAElC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,IAAI,KAAK,SAAS;gBAAE,SAAS;YACjC,IAAI,KAA6B,CAAC;YAClC,kBAAkB,CAAC,SAAS,GAAG,CAAC,CAAC;YACjC,OAAO,CAAC,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACxD,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACpB,IAAI,EAAE,KAAK,SAAS,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBAAE,SAAS;gBAEtE,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC7B,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;oBACnC,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC1B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC;gBAC5B,CAAC,CAAC,CAAC;gBACH,IAAI,CAAC,SAAS;oBAAE,SAAS;gBAEzB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,yBAAyB,EAAE,EAAE;oBACpC,WAAW,EACT,2BAA2B,EAAE,eAAe;wBAC5C,+EAA+E;oBACjF,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,cAAc,EAAE,+CAA+C;iBAChE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/obfuscation/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Obfuscation Analyzer — detects obfuscated code via entropy analysis,
+ * eval/Function patterns, base64 blobs, and hex-encoded strings.
+ */
+import type { AnalysisContext, AnalyzerResult, Finding } from '../../core/types.js';
+import { FileBasedAnalyzer } from '../file-based-analyzer.js';
+export declare class ObfuscationAnalyzer extends FileBasedAnalyzer {
+    readonly name = "obfuscation";
+    readonly description = "Detects obfuscated code using entropy analysis and pattern matching";
+    analyze(context: AnalysisContext): Promise<AnalyzerResult>;
+    protected analyzeFile(source: string, relPath: string): Finding[];
+    private detectDynamicExecution;
+    private detectBufferBase64;
+    private detectHighEntropyStrings;
+    private detectHexEncoded;
+    private detectBase64Blobs;
+    private escalateEvalPlusObfuscation;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/obfuscation/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/obfuscation/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AASpF,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAkC9D,qBAAa,mBAAoB,SAAQ,iBAAiB;IACxD,QAAQ,CAAC,IAAI,iBAAiB;IAC9B,QAAQ,CAAC,WAAW,yEAAyE;IAEvF,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;IAYhE,SAAS,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,EAAE;IAYjE,OAAO,CAAC,sBAAsB;IA0C9B,OAAO,CAAC,kBAAkB;IA6C1B,OAAO,CAAC,wBAAwB;IAyChC,OAAO,CAAC,gBAAgB;IAkBxB,OAAO,CAAC,iBAAiB;IAuBzB,OAAO,CAAC,2BAA2B;CA6BpC"}

package/dist/analyzers/obfuscation/index.js

@@ -0,0 +1,218 @@
+/**
+ * Obfuscation Analyzer — detects obfuscated code via entropy analysis,
+ * eval/Function patterns, base64 blobs, and hex-encoded strings.
+ */
+import { parseSource, walkAST, extractStringLiterals, getNodeLine, isCallTo, optionalLine, } from '../../utils/ast.js';
+import { FileBasedAnalyzer } from '../file-based-analyzer.js';
+// ─── Constants ────────────────────────────────────────────
+const ENTROPY_THRESHOLD = 4.5;
+const MIN_STRING_LENGTH_FOR_ENTROPY = 20;
+const BASE64_MIN_LENGTH = 256;
+const BASE64_PATTERN = /^[A-Za-z0-9+/=]{256,}$/;
+const HEX_ENCODED_PATTERN = /(\\x[0-9a-fA-F]{2}){8,}/;
+// ─── Helpers ──────────────────────────────────────────────
+function shannonEntropy(str) {
+    if (str.length === 0)
+        return 0;
+    const freq = new Map();
+    for (const char of str) {
+        freq.set(char, (freq.get(char) ?? 0) + 1);
+    }
+    let entropy = 0;
+    const len = str.length;
+    for (const count of freq.values()) {
+        const p = count / len;
+        if (p > 0) {
+            entropy -= p * Math.log2(p);
+        }
+    }
+    return entropy;
+}
+// ─── Analyzer ─────────────────────────────────────────────
+export class ObfuscationAnalyzer extends FileBasedAnalyzer {
+    name = 'obfuscation';
+    description = 'Detects obfuscated code using entropy analysis and pattern matching';
+    async analyze(context) {
+        const result = await super.analyze(context);
+        // Escalate if both eval and obfuscation signals are present in the same package
+        const escalation = this.escalateEvalPlusObfuscation(result.findings);
+        return {
+            ...result,
+            findings: [...result.findings, ...escalation],
+        };
+    }
+    analyzeFile(source, relPath) {
+        const findings = [];
+        findings.push(...this.detectDynamicExecution(source, relPath));
+        findings.push(...this.detectBufferBase64(source, relPath));
+        findings.push(...this.detectHighEntropyStrings(source, relPath));
+        findings.push(...this.detectHexEncoded(source, relPath));
+        findings.push(...this.detectBase64Blobs(source, relPath));
+        return findings;
+    }
+    detectDynamicExecution(source, relPath) {
+        const findings = [];
+        const parsed = parseSource(source, relPath);
+        if (!parsed.ok)
+            return findings;
+        walkAST(parsed.ast, (node) => {
+            if (isCallTo(node, 'eval')) {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'high',
+                    title: 'eval() detected',
+                    description: 'Use of eval() can execute arbitrary code and is a common obfuscation technique.',
+                    file: relPath,
+                    ...optionalLine(getNodeLine(node)),
+                    recommendation: 'Review the eval() usage and consider replacing with safer alternatives.',
+                });
+            }
+            if (node.type === 'NewExpression' &&
+                typeof node['callee'] === 'object' &&
+                node['callee'] !== null &&
+                node['callee']['type'] === 'Identifier' &&
+                node['callee']['name'] === 'Function') {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'high',
+                    title: 'new Function() detected',
+                    description: 'new Function() dynamically creates code from strings, commonly used for obfuscation.',
+                    file: relPath,
+                    ...optionalLine(getNodeLine(node)),
+                    recommendation: 'Review the dynamic function creation and ensure it is not malicious.',
+                });
+            }
+        });
+        return findings;
+    }
+    detectBufferBase64(source, relPath) {
+        const findings = [];
+        const parsed = parseSource(source, relPath);
+        if (!parsed.ok)
+            return findings;
+        walkAST(parsed.ast, (node) => {
+            if (node.type !== 'CallExpression')
+                return;
+            const callee = node['callee'];
+            if (typeof callee !== 'object' || callee === null)
+                return;
+            const calleeNode = callee;
+            if (calleeNode['type'] !== 'MemberExpression')
+                return;
+            const obj = calleeNode['object'];
+            const prop = calleeNode['property'];
+            if (obj?.['type'] === 'Identifier' &&
+                obj['name'] === 'Buffer' &&
+                prop?.['type'] === 'Identifier' &&
+                prop['name'] === 'from') {
+                const args = node['arguments'];
+                if (Array.isArray(args) && args.length >= 2) {
+                    const encodingArg = args[1];
+                    if (encodingArg?.['type'] === 'Literal' && encodingArg['value'] === 'base64') {
+                        findings.push({
+                            analyzer: this.name,
+                            severity: 'high',
+                            title: 'Buffer.from() with base64 encoding',
+                            description: 'Buffer.from(..., "base64") is commonly used to hide malicious payloads.',
+                            file: relPath,
+                            ...optionalLine(getNodeLine(node)),
+                            recommendation: 'Decode and inspect the base64 content for malicious code.',
+                        });
+                    }
+                }
+            }
+        });
+        return findings;
+    }
+    detectHighEntropyStrings(source, relPath) {
+        const findings = [];
+        const strings = extractStringLiterals(source, relPath);
+        let flagCount = 0;
+        for (const str of strings) {
+            if (str.length < MIN_STRING_LENGTH_FOR_ENTROPY)
+                continue;
+            const entropy = shannonEntropy(str);
+            if (entropy > ENTROPY_THRESHOLD) {
+                flagCount++;
+                if (flagCount <= 5) {
+                    findings.push({
+                        analyzer: this.name,
+                        severity: 'high',
+                        title: 'High-entropy string detected',
+                        description: `String literal with Shannon entropy ${entropy.toFixed(2)} ` +
+                            `(threshold: ${ENTROPY_THRESHOLD}). Length: ${str.length} chars. ` +
+                            `Preview: "${str.slice(0, 60)}..."`,
+                        file: relPath,
+                        recommendation: 'High-entropy strings may indicate encoded/encrypted malicious payloads.',
+                    });
+                }
+            }
+        }
+        if (flagCount > 5) {
+            findings.push({
+                analyzer: this.name,
+                severity: 'high',
+                title: `${flagCount - 5} additional high-entropy strings omitted`,
+                description: `File contains ${flagCount} total high-entropy strings.`,
+                file: relPath,
+                recommendation: 'Manual review recommended for files with many high-entropy strings.',
+            });
+        }
+        return findings;
+    }
+    detectHexEncoded(source, relPath) {
+        const findings = [];
+        if (HEX_ENCODED_PATTERN.test(source)) {
+            findings.push({
+                analyzer: this.name,
+                severity: 'high',
+                title: 'Hex-encoded string sequences detected',
+                description: 'Long sequences of hex-encoded characters (\\xNN) were found, which may hide malicious content.',
+                file: relPath,
+                recommendation: 'Decode and inspect the hex content.',
+            });
+        }
+        return findings;
+    }
+    detectBase64Blobs(source, relPath) {
+        const findings = [];
+        const strings = extractStringLiterals(source, relPath);
+        for (const str of strings) {
+            if (str.length >= BASE64_MIN_LENGTH && BASE64_PATTERN.test(str)) {
+                findings.push({
+                    analyzer: this.name,
+                    severity: 'high',
+                    title: 'Large Base64 blob detected',
+                    description: `A Base64-encoded string of ${str.length} characters was found. ` +
+                        `Large base64 blobs may contain hidden executable code.`,
+                    file: relPath,
+                    recommendation: 'Decode the base64 content and inspect it for malicious payloads.',
+                });
+                break;
+            }
+        }
+        return findings;
+    }
+    escalateEvalPlusObfuscation(findings) {
+        const hasEval = findings.some((f) => f.title.includes('eval()') || f.title.includes('new Function()'));
+        const hasObfuscation = findings.some((f) => f.title.includes('entropy') ||
+            f.title.includes('Base64') ||
+            f.title.includes('base64') ||
+            f.title.includes('Hex-encoded'));
+        if (hasEval && hasObfuscation) {
+            return [
+                {
+                    analyzer: this.name,
+                    severity: 'critical',
+                    title: 'Eval combined with obfuscation signals',
+                    description: 'This package contains both dynamic code execution (eval/new Function) and ' +
+                        'obfuscation indicators (high-entropy strings, base64, or hex encoding). ' +
+                        'This combination is a strong indicator of malicious intent.',
+                    recommendation: 'Do NOT install this package without thorough manual review.',
+                },
+            ];
+        }
+        return [];
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/analyzers/obfuscation/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/obfuscation/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EACL,WAAW,EACX,OAAO,EACP,qBAAqB,EACrB,WAAW,EACX,QAAQ,EACR,YAAY,GACb,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE9D,6DAA6D;AAE7D,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,6BAA6B,GAAG,EAAE,CAAC;AACzC,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,cAAc,GAAG,wBAAwB,CAAC;AAChD,MAAM,mBAAmB,GAAG,yBAAyB,CAAC;AAEtD,6DAA6D;AAE7D,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAE/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACV,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,6DAA6D;AAE7D,MAAM,OAAO,mBAAoB,SAAQ,iBAAiB;IAC/C,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,qEAAqE,CAAC;IAE7F,KAAK,CAAC,OAAO,CAAC,OAAwB;QACpC,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAE5C,gFAAgF;QAChF,MAAM,UAAU,GAAG,IAAI,CAAC,2BAA2B,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAErE,OAAO;YACL,GAAG,MAAM;YACT,QAAQ,EAAE,CAAC,GAAG,MAAM,CAAC,QAAQ,EAAE,GAAG,UAAU,CAAC;SAC9C,CAAC;IACJ,CAAC;IAES,WAAW,CAAC,MAAc,EAAE,OAAe;QACnD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAC/D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,wBAAwB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QACjE,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QACzD,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAE1D,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,sBAAsB,CAAC,MAAc,EAAE,OAAe;QAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,CAAC,EAAE;YAAE,OAAO,QAAQ,CAAC;QAEhC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,EAAE;YAC3B,IAAI,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,iBAAiB;oBACxB,WAAW,EACT,iFAAiF;oBACnF,IAAI,EAAE,OAAO;oBACb,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;oBAClC,cAAc,EAAE,yEAAyE;iBAC1F,CAAC,CAAC;YACL,CAAC;YAED,IACE,IAAI,CAAC,IAAI,KAAK,eAAe;gBAC7B,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,QAAQ;gBAClC,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI;gBACtB,IAAI,CAAC,QAAQ,CAA6B,CAAC,MAAM,CAAC,KAAK,YAAY;gBACnE,IAAI,CAAC,QAAQ,CAA6B,CAAC,MAAM,CAAC,KAAK,UAAU,EAClE,CAAC;gBACD,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,yBAAyB;oBAChC,WAAW,EACT,sFAAsF;oBACxF,IAAI,EAAE,OAAO;oBACb,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;oBAClC,cAAc,EAAE,sEAAsE;iBACvF,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,kBAAkB,CAAC,MAAc,EAAE,OAAe;QACxD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,CAAC,EAAE;YAAE,OAAO,QAAQ,CAAC;QAEhC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,EAAE;YAC3B,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB;gBAAE,OAAO;YAE3C,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9B,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI;gBAAE,OAAO;YAE1D,MAAM,UAAU,GAAG,MAAiC,CAAC;YACrD,IAAI,UAAU,CAAC,MAAM,CAAC,KAAK,kBAAkB;gBAAE,OAAO;YAEtD,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,CAAwC,CAAC;YACxE,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,CAAwC,CAAC;YAE3E,IACE,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,YAAY;gBAC9B,GAAG,CAAC,MAAM,CAAC,KAAK,QAAQ;gBACxB,IAAI,EAAE,CAAC,MAAM,CAAC,KAAK,YAAY;gBAC/B,IAAI,CAAC,MAAM,CAAC,KAAK,MAAM,EACvB,CAAC;gBACD,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;gBAC/B,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;oBAC5C,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAwC,CAAC;oBACnE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,SAAS,IAAI,WAAW,CAAC,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;wBAC7E,QAAQ,CAAC,IAAI,CAAC;4BACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,QAAQ,EAAE,MAAM;4BAChB,KAAK,EAAE,oCAAoC;4BAC3C,WAAW,EACT,yEAAyE;4BAC3E,IAAI,EAAE,OAAO;4BACb,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;4BAClC,cAAc,EAAE,2DAA2D;yBAC5E,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,wBAAwB,CAAC,MAAc,EAAE,OAAe;QAC9D,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,qBAAqB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAEvD,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,IAAI,GAAG,CAAC,MAAM,GAAG,6BAA6B;gBAAE,SAAS;YACzD,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;YACpC,IAAI,OAAO,GAAG,iBAAiB,EAAE,CAAC;gBAChC,SAAS,EAAE,CAAC;gBACZ,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;oBACnB,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,QAAQ,EAAE,MAAM;wBAChB,KAAK,EAAE,8BAA8B;wBACrC,WAAW,EACT,uCAAuC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG;4BAC5D,eAAe,iBAAiB,cAAc,GAAG,CAAC,MAAM,UAAU;4BAClE,aAAa,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM;wBACrC,IAAI,EAAE,OAAO;wBACb,cAAc,EACZ,yEAAyE;qBAC5E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,GAAG,SAAS,GAAG,CAAC,0CAA0C;gBACjE,WAAW,EAAE,iBAAiB,SAAS,8BAA8B;gBACrE,IAAI,EAAE,OAAO;gBACb,cAAc,EAAE,qEAAqE;aACtF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,gBAAgB,CAAC,MAAc,EAAE,OAAe;QACtD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACrC,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,uCAAuC;gBAC9C,WAAW,EACT,gGAAgG;gBAClG,IAAI,EAAE,OAAO;gBACb,cAAc,EAAE,qCAAqC;aACtD,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,iBAAiB,CAAC,MAAc,EAAE,OAAe;QACvD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,qBAAqB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAEvD,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,IAAI,GAAG,CAAC,MAAM,IAAI,iBAAiB,IAAI,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChE,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,4BAA4B;oBACnC,WAAW,EACT,8BAA8B,GAAG,CAAC,MAAM,yBAAyB;wBACjE,wDAAwD;oBAC1D,IAAI,EAAE,OAAO;oBACb,cAAc,EAAE,kEAAkE;iBACnF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,2BAA2B,CAAC,QAA4B;QAC9D,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAC3B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CACxE,CAAC;QACF,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAClC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC3B,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1B,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1B,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,CAClC,CAAC;QAEF,IAAI,OAAO,IAAI,cAAc,EAAE,CAAC;YAC9B,OAAO;gBACL;oBACE,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,wCAAwC;oBAC/C,WAAW,EACT,4EAA4E;wBAC5E,0EAA0E;wBAC1E,6DAA6D;oBAC/D,cAAc,EAAE,6DAA6D;iBAC9E;aACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;CACF"}

package/dist/analyzers/prototype-pollution/index.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Prototype Pollution Analyzer — detects __proto__ access, Object.prototype
+ * mutation, constructor.prototype patterns, and recursive merge/extend
+ * functions without hasOwnProperty guards.
+ */
+import type { Finding } from '../../core/types.js';
+import { FileBasedAnalyzer } from '../file-based-analyzer.js';
+export declare class PrototypePollutionAnalyzer extends FileBasedAnalyzer {
+    readonly name = "prototype-pollution";
+    readonly description = "Detects prototype pollution vectors including __proto__ access and unsafe merge patterns";
+    protected analyzeFile(source: string, relPath: string): Finding[];
+    private detectProtoAccess;
+    private detectPrototypeMutation;
+    private detectConstructorPrototype;
+    private detectUnsafeMerge;
+    private bodyHasOwnPropertyGuard;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/prototype-pollution/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/prototype-pollution/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AA0B9D,qBAAa,0BAA2B,SAAQ,iBAAiB;IAC/D,QAAQ,CAAC,IAAI,yBAAyB;IACtC,QAAQ,CAAC,WAAW,8FACyE;IAE7F,SAAS,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,EAAE;IAWjE,OAAO,CAAC,iBAAiB;IA8DzB,OAAO,CAAC,uBAAuB;IA0C/B,OAAO,CAAC,0BAA0B;IAgClC,OAAO,CAAC,iBAAiB;IAwEzB,OAAO,CAAC,uBAAuB;CA8ChC"}