muaddib-scanner 2.2.28 → 2.3.0

package/src/scanner/typosquat.js

@@ -1,512 +1,536 @@
-const fs = require('fs');
-const path = require('path');
-const { getPackageMetadata } = require('./npm-registry.js');
-
-// In-memory cache to avoid re-querying the same package in one scan
-const metadataCache = new Map();
-const MAX_METADATA_CACHE_SIZE = 500;
-const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
-
-// Top 100 packages npm les plus populaires (cibles de typosquatting)
-const POPULAR_PACKAGES = [
-  'lodash', 'express', 'react', 'axios', 'chalk', 'commander', 'moment',
-  'request', 'async', 'bluebird', 'underscore', 'uuid', 'debug', 'mkdirp',
-  'glob', 'minimist', 'webpack', 'babel-core', 'typescript', 'eslint',
-  'prettier', 'jest', 'mocha', 'chai', 'sinon', 'mongoose', 'sequelize',
-  'redis', 'mongodb', 'socket.io', 'express-session',
-  'body-parser', 'cookie-parser', 'cors', 'helmet', 'morgan', 'dotenv',
-  'jsonwebtoken', 'bcrypt', 'passport', 'nodemailer', 'aws-sdk', 'stripe',
-  'twilio', 'firebase', 'graphql', 'apollo-server', 'nuxt',
-  'gatsby', 'angular', 'svelte', 'electron', 'puppeteer', 'cheerio',
-  'sharp', 'jimp', 'canvas', 'pdf-lib', 'exceljs', 'csv-parser', 'xml2js',
-  'yaml', 'config', 'yargs', 'colors',
-  'winston', 'bunyan', 'pino', 'log4js', 'ramda', 'immutable',
-  'mobx', 'redux', 'zustand', 'formik', 'yup', 'ajv', 'validator',
-  'date-fns', 'dayjs', 'luxon', 'numeral', 'accounting', 'currency.js',
-  'lodash-es', 'core-js', 'regenerator-runtime', 'tslib', 'classnames',
-  'prop-types', 'cross-env', 'node-fetch', 'got'
-];
-
-// Packages legitimes courts ou qui ressemblent a des populaires
-const WHITELIST = new Set([
-  // Packages tres courts legitimes
-  'qs', 'pg', 'ms', 'ws', 'ip', 'on', 'is', 'it', 'to', 'or', 'fs', 'os',
-  'co', 'q', 'n', 'i', 'a', 'v', 'x', 'y', 'z',
-  'ejs', 'nyc', 'ini', 'joi', 'vue', 'npm', 'got', 'ora',
-  'vary', 'mime', 'send', 'etag', 'raw', 'tar', 'uid', 'cjs',
-  'rxjs', 'yarn', 'pnpm', 'next', 'targz',
-  
-  // Packages legitimes avec noms similaires
-  'acorn', 'acorn-walk', 'js-yaml', 'cross-env', 'node-fetch', 'node-gyp',
-  'core-js', 'lodash-es', 'date-fns', 'ts-node', 'ts-jest',
-  'css-loader', 'style-loader', 'file-loader', 'url-loader', 'babel-loader',
-  'vue-loader', 'react-dom', 'react-router', 'react-redux', 'vue-router',
-  'express-session', 'body-parser', 'cookie-parser',
-  
-  // Packages Express.js communs
-  'accepts', 'array-flatten', 'content-disposition', 'content-type',
-  'depd', 'destroy', 'encodeurl', 'escape-html', 'fresh', 'merge-descriptors',
-  'methods', 'on-finished', 'parseurl', 'path-to-regexp', 'proxy-addr',
-  'range-parser', 'safe-buffer', 'safer-buffer', 'setprototypeof',
-  'statuses', 'type-is', 'unpipe', 'utils-merge',
-  
-  // Packages CLI et outils legitimes
-  'jest-cli', 'prettier-2', 'prettier-1', 'eslint-cli',
-  'inquirer', 'enquirer', 'prompts',
-  'mysql2', 'pg-native', 'sqlite3', 'better-sqlite3',
-  'node-sass', 'sass', 'less',
-  'esbuild', 'rollup', 'parcel', 'vite',
-  'husky', 'lint-staged', 'commitlint',
-  'nodemon', 'pm2', 'forever', 'concurrently',
-  'lerna', 'turbo', 'nx',
-  'chalk', 'colors', 'picocolors', 'colorette',
-  'commander', 'yargs', 'meow', 'cac',
-  'execa', 'shelljs', 'cross-spawn',
-  'rimraf', 'del', 'trash-cli',
-  'globby', 'fast-glob', 'tiny-glob',
-  'chokidar', 'watchpack', 'nsfw',
-  'dotenv', 'dotenv-expand', 'env-cmd',
-
-  // Packages Vite et outils associes
-  'vitest', 'vitepress',
-  'eslint-config-prettier', 'eslint-plugin-prettier',
-  'eslint-scope', 'eslint-visitor-keys',
-  'esbuild-register',
-  'neo-async',
-
-  // Packages with names close to other popular packages (not typosquats)
-  'chai',       // resembles chalk (missing_char)
-  'pino',       // resembles sinon (missing_char)
-  'ioredis',    // resembles redis (extra prefix)
-  'bcryptjs',   // resembles bcrypt (suffix)
-  'recast',     // resembles react (extra_char)
-  'asyncdi',    // resembles async (suffix)
-  'redux',      // resembles redis (wrong_char)
-  'args',       // resembles yargs (missing_char)
-  'oxlint',     // resembles eslint (wrong_char)
-  'vasync'      // resembles async (extra prefix)
-]);
-
-
-// Pre-computed lowercase versions for performance
-const POPULAR_PACKAGES_LOWER = POPULAR_PACKAGES.map(p => p.toLowerCase());
-
-// Seuil minimum de longueur pour eviter faux positifs
-const MIN_PACKAGE_LENGTH = 4;
-
-const SEVERITY_ORDER = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];
-
-function maxSeverity(a, b) {
-  return SEVERITY_ORDER.indexOf(a) >= SEVERITY_ORDER.indexOf(b) ? a : b;
-}
-
-async function getCachedMetadata(packageName) {
-  if (metadataCache.has(packageName)) {
-    const entry = metadataCache.get(packageName);
-    // TTL check: evict stale entries
-    if (Date.now() - entry.ts < CACHE_TTL_MS) {
-      return entry.data;
-    }
-    metadataCache.delete(packageName);
-  }
-  const result = await getPackageMetadata(packageName);
-  // Bounded cache: evict oldest entry if at limit
-  if (metadataCache.size >= MAX_METADATA_CACHE_SIZE) {
-    const firstKey = metadataCache.keys().next().value;
-    metadataCache.delete(firstKey);
-  }
-  metadataCache.set(packageName, { data: result, ts: Date.now() });
-  return result;
-}
-
-function scoreMetadata(meta) {
-  let score = 0;
-  let severity = 'HIGH'; // base severity from Levenshtein match
-
-  if (!meta) {
-    // Package not found on npm = suspect
-    return { score: 20, severity: 'HIGH', factors: ['not_on_npm'] };
-  }
-
-  const factors = [];
-
-  // 1. Age
-  if (meta.age_days !== null && meta.age_days < 7) {
-    score += 30;
-    severity = maxSeverity(severity, 'CRITICAL');
-    factors.push('age<7d');
-  } else if (meta.age_days !== null && meta.age_days < 30) {
-    score += 15;
-    severity = maxSeverity(severity, 'HIGH');
-    factors.push('age<30d');
-  }
-
-  // 2. Downloads
-  if (meta.weekly_downloads < 100) {
-    score += 25;
-    severity = maxSeverity(severity, 'HIGH');
-    factors.push('downloads<100');
-  } else if (meta.weekly_downloads < 1000) {
-    score += 10;
-    severity = maxSeverity(severity, 'MEDIUM');
-    factors.push('downloads<1000');
-  }
-
-  // 3. Author package count
-  if (meta.author_package_count <= 1) {
-    score += 20;
-    severity = maxSeverity(severity, 'HIGH');
-    factors.push('single_pkg_author');
-  }
-
-  // 4. No README
-  if (!meta.has_readme) {
-    score += 10;
-    severity = maxSeverity(severity, 'MEDIUM');
-    factors.push('no_readme');
-  }
-
-  // 5. No repository
-  if (!meta.has_repository) {
-    score += 10;
-    severity = maxSeverity(severity, 'MEDIUM');
-    factors.push('no_repo');
-  }
-
-  return { score, severity, factors };
-}
-
-const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
-
-/**
- * Safely merge dependency objects, filtering out prototype pollution keys.
- */
-function safeMerge(...objs) {
-  const result = {};
-  for (const obj of objs) {
-    if (!obj || typeof obj !== 'object') continue;
-    for (const [key, value] of Object.entries(obj)) {
-      if (!PROTO_KEYS.has(key)) {
-        result[key] = value;
-      }
-    }
-  }
-  return result;
-}
-
-async function scanTyposquatting(targetPath) {
-  const threats = [];
-  metadataCache.clear();
-  const packageJsonPath = path.join(targetPath, 'package.json');
-
-  if (!fs.existsSync(packageJsonPath)) {
-    return threats;
-  }
-
-  let packageJson;
-  try {
-    packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
-  } catch {
-    return threats;
-  }
-  const dependencies = safeMerge(
-    packageJson.dependencies,
-    packageJson.devDependencies,
-    packageJson.peerDependencies,
-    packageJson.optionalDependencies
-  );
-
-  // Phase 1: Levenshtein matches (synchronous)
-  const candidates = [];
-  for (const depName of Object.keys(dependencies)) {
-    const match = findTyposquatMatch(depName);
-    if (match) {
-      candidates.push({ depName, match });
-    }
-  }
-
-  if (candidates.length === 0) return threats;
-
-  // Phase 2: API enrichment (batched to avoid socket exhaustion)
-  const BATCH_SIZE = 10;
-  const metadataResults = [];
-  for (let i = 0; i < candidates.length; i += BATCH_SIZE) {
-    const batch = candidates.slice(i, i + BATCH_SIZE);
-    const batchResults = await Promise.all(
-      batch.map(c => getCachedMetadata(c.depName))
-    );
-    metadataResults.push(...batchResults);
-  }
-
-  // Phase 3: Composite scoring
-  for (let i = 0; i < candidates.length; i++) {
-    const { depName, match } = candidates[i];
-    const meta = metadataResults[i];
-    const mf = scoreMetadata(meta);
-
-    const finalSeverity = maxSeverity('HIGH', mf.severity);
-
-    // Build detail message
-    let details;
-    if (!meta) {
-      details = 'Package not found on npm (suspect).';
-    } else {
-      details = 'Age: ' + meta.age_days + 'd'
-        + ', Downloads: ' + meta.weekly_downloads + '/week'
-        + ', Author packages: ' + meta.author_package_count
-        + ', No README: ' + String(!meta.has_readme)
-        + ', No repo: ' + String(!meta.has_repository);
-    }
-
-    const confidence = mf.score >= 40 ? 'CRITICAL'
-      : mf.score >= 20 ? 'HIGH'
-      : mf.score > 0 ? 'MEDIUM'
-      : 'LOW';
-
-    const message = 'Package "' + depName + '" resembles "' + match.original
-      + '" (' + match.type + '). ' + details + '. Confidence: ' + confidence;
-
-    threats.push({
-      type: 'typosquat_detected',
-      severity: finalSeverity,
-      message: message,
-      file: 'package.json',
-      details: {
-        suspicious: depName,
-        legitimate: match.original,
-        technique: match.type,
-        distance: match.distance,
-        composite_score: mf.score,
-        factors: mf.factors,
-        metadata: meta
-      }
-    });
-  }
-
-  return threats;
-}
-
-function findTyposquatMatch(name) {
-  const nameLower = name.toLowerCase();
-  
-  // Ignore les packages whitelistes
-  if (WHITELIST.has(nameLower)) return null;
-  
-  // Ignore les packages scoped (@org/package)
-  if (name.startsWith('@')) return null;
-
-  // Ignore les packages tres courts (trop de faux positifs)
-  if (name.length < MIN_PACKAGE_LENGTH) return null;
-
-  // Ignore les packages avec suffixes legitimes courants
-  if (isLegitimateVariant(nameLower)) return null;
-
-  for (let i = 0; i < POPULAR_PACKAGES.length; i++) {
-    const popularLower = POPULAR_PACKAGES_LOWER[i];
-    const popular = POPULAR_PACKAGES[i];
-
-    // Ignore si c'est exactement le meme
-    if (nameLower === popularLower) continue;
-
-    // Ignore si le package populaire est trop court
-    if (popular.length < MIN_PACKAGE_LENGTH) continue;
-
-    // Length pre-filter: Levenshtein distance >= |len(a) - len(b)|
-    if (Math.abs(nameLower.length - popularLower.length) > 2) continue;
-
-    const distance = levenshteinDistance(nameLower, popularLower);
-
-    // Distance de 1 = tres suspect (une seule lettre de difference)
-    if (distance === 1) {
-      return {
-        original: popular,
-        type: detectTyposquatType(name, popular),
-        distance: distance
-      };
-    }
-
-    // Distance de 2 seulement si le package est assez long (>= 5 chars)
-    if (distance === 2 && popular.length >= 5) {
-      return {
-        original: popular,
-        type: detectTyposquatType(name, popular),
-        distance: distance
-      };
-    }
-  }
-
-  return null;
-}
-
-function isLegitimateVariant(name) {
-  // Suffixes legitimes qui ne sont PAS du typosquatting
-  const legitimateSuffixes = [
-    '-cli', '-core', '-utils', '-plugin', '-loader', '-webpack',
-    '-react', '-vue', '-angular', '-node', '-browser',
-    '-esm', '-cjs', '-umd', '-vite',
-    '-types', '-typings',
-    '2', '3', '4', '5', // versions majeures (mysql2, etc)
-    '-v2', '-v3', '-next', '-latest', '-stable', '-lts'
-  ];
-  
-  for (const suffix of legitimateSuffixes) {
-    if (name.endsWith(suffix)) return true;
-  }
-  
-  // Prefixes legitimes
-  const legitimatePrefixes = [
-    '@types/', '@babel/', '@jest/', '@testing-library/',
-    'eslint-plugin-', 'eslint-config-',
-    'babel-plugin-', 'babel-preset-',
-    'webpack-plugin-', 'rollup-plugin-', 'vite-plugin-'
-  ];
-  
-  for (const prefix of legitimatePrefixes) {
-    if (name.startsWith(prefix)) return true;
-  }
-  
-  return false;
-}
-
-function detectTyposquatType(typo, original) {
-  if (typo.length === original.length - 1) return 'missing_char';
-  if (typo.length === original.length + 1) return 'extra_char';
-  if (typo.length === original.length) {
-    // Check for adjacent character swap
-    for (let i = 0; i < typo.length - 1; i++) {
-      if (typo[i] === original[i + 1] && typo[i + 1] === original[i]) {
-        // Verify remaining chars match
-        const before = typo.slice(0, i) === original.slice(0, i);
-        const after = typo.slice(i + 2) === original.slice(i + 2);
-        if (before && after) return 'swapped_chars';
-      }
-    }
-    return 'wrong_char';
-  }
-  return 'unknown';
-}
-
-function levenshteinDistance(a, b) {
-  // Two-row optimization: O(min(m,n)) space instead of O(m*n)
-  if (a.length < b.length) { const t = a; a = b; b = t; }
-  let prev = new Array(b.length + 1);
-  let curr = new Array(b.length + 1);
-
-  for (let j = 0; j <= b.length; j++) prev[j] = j;
-
-  for (let i = 1; i <= a.length; i++) {
-    curr[0] = i;
-    for (let j = 1; j <= b.length; j++) {
-      if (a.charAt(i - 1) === b.charAt(j - 1)) {
-        curr[j] = prev[j - 1];
-      } else {
-        curr[j] = Math.min(prev[j - 1] + 1, curr[j - 1] + 1, prev[j] + 1);
-      }
-    }
-    const tmp = prev; prev = curr; curr = tmp;
-  }
-
-  return prev[b.length];
-}
-
-function clearMetadataCache() {
-  metadataCache.clear();
-}
-
-// ============================================
-// PyPI TYPOSQUATTING
-// ============================================
-
-// Top 50 PyPI packages les plus populaires (cibles de typosquatting)
-const POPULAR_PYPI_PACKAGES = [
-  'requests', 'flask', 'django', 'numpy', 'pandas', 'scipy', 'matplotlib',
-  'pillow', 'boto3', 'setuptools', 'pip', 'wheel', 'urllib3', 'certifi',
-  'six', 'python-dateutil', 'pyyaml', 'cryptography', 'jinja2', 'markupsafe',
-  'click', 'sqlalchemy', 'beautifulsoup4', 'lxml', 'pytest', 'coverage',
-  'tox', 'black', 'mypy', 'pylint', 'fastapi', 'uvicorn', 'gunicorn',
-  'celery', 'redis', 'psycopg2', 'pymongo', 'httpx', 'aiohttp', 'tornado',
-  'scrapy', 'selenium', 'paramiko', 'fabric', 'ansible', 'tensorflow',
-  'torch', 'scikit-learn', 'keras', 'transformers'
-];
-
-// PEP 503 normalization: case-insensitive, hyphens/underscores/dots equivalent
-function normalizePyPI(name) {
-  return name.toLowerCase().replace(/[-_.]+/g, '-');
-}
-
-// Pre-computed normalized versions for O(n) comparison
-const POPULAR_PYPI_NORMALIZED = POPULAR_PYPI_PACKAGES.map(normalizePyPI);
-
-// Set for O(1) exact-match check (skip popular packages themselves)
-const POPULAR_PYPI_SET = new Set(POPULAR_PYPI_NORMALIZED);
-
-// Legitimate PyPI packages that look like typosquats but are not
-const PYPI_WHITELIST = new Set([
-  'boto',              // legitimate AWS SDK predecessor of boto3
-  'torchvision',       // legitimate PyTorch ecosystem
-  'torchaudio',        // legitimate PyTorch ecosystem
-  'tensorflow-gpu',    // legitimate TF variant
-  'scikit-image',      // legitimate scikit ecosystem
-  'scikit-optimize',   // legitimate scikit ecosystem
-  'paramiko2',         // fork of paramiko
-]);
-
-const MIN_PYPI_LENGTH = 4;
-
-/**
- * Find a PyPI typosquat match using PEP 503 normalization + Levenshtein.
- * No npm-registry-style API scoring — just distance-based detection.
- *
- * @param {string} name - PyPI package name from dependency file
- * @returns {{original: string, type: string, distance: number}|null}
- */
-function findPyPITyposquatMatch(name) {
-  const normalized = normalizePyPI(name);
-
-  // Skip if it IS a popular package (exact match after normalization)
-  if (POPULAR_PYPI_SET.has(normalized)) return null;
-
-  // Skip whitelisted
-  if (PYPI_WHITELIST.has(normalized)) return null;
-
-  // Skip very short names (too many false positives)
-  if (normalized.length < MIN_PYPI_LENGTH) return null;
-
-  for (let i = 0; i < POPULAR_PYPI_PACKAGES.length; i++) {
-    const popularNorm = POPULAR_PYPI_NORMALIZED[i];
-    const popular = POPULAR_PYPI_PACKAGES[i];
-
-    // Skip exact match (after normalization)
-    if (normalized === popularNorm) continue;
-
-    // Skip short popular packages
-    if (popularNorm.length < MIN_PYPI_LENGTH) continue;
-
-    // Length pre-filter: Levenshtein distance >= |len(a) - len(b)|
-    if (Math.abs(normalized.length - popularNorm.length) > 2) continue;
-
-    const distance = levenshteinDistance(normalized, popularNorm);
-
-    // Distance 1 = very suspect (one char difference)
-    if (distance === 1) {
-      return {
-        original: popular,
-        type: detectTyposquatType(normalized, popularNorm),
-        distance: distance
-      };
-    }
-
-    // Distance 2 only for longer packages (>= 5 chars)
-    if (distance === 2 && popularNorm.length >= 5) {
-      return {
-        original: popular,
-        type: detectTyposquatType(normalized, popularNorm),
-        distance: distance
-      };
-    }
-  }
-
-  return null;
-}
-
+const fs = require('fs');
+const path = require('path');
+const { getPackageMetadata } = require('./npm-registry.js');
+
+// In-memory cache to avoid re-querying the same package in one scan
+const metadataCache = new Map();
+const MAX_METADATA_CACHE_SIZE = 500;
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+
+// Top 100 packages npm les plus populaires (cibles de typosquatting)
+const POPULAR_PACKAGES = [
+  'lodash', 'express', 'react', 'axios', 'chalk', 'commander', 'moment',
+  'request', 'async', 'bluebird', 'underscore', 'uuid', 'debug', 'mkdirp',
+  'glob', 'minimist', 'webpack', 'babel-core', 'typescript', 'eslint',
+  'prettier', 'jest', 'mocha', 'chai', 'sinon', 'mongoose', 'sequelize',
+  'redis', 'mongodb', 'socket.io', 'express-session',
+  'body-parser', 'cookie-parser', 'cors', 'helmet', 'morgan', 'dotenv',
+  'jsonwebtoken', 'bcrypt', 'passport', 'nodemailer', 'aws-sdk', 'stripe',
+  'twilio', 'firebase', 'graphql', 'apollo-server', 'nuxt',
+  'gatsby', 'angular', 'svelte', 'electron', 'puppeteer', 'cheerio',
+  'sharp', 'jimp', 'canvas', 'pdf-lib', 'exceljs', 'csv-parser', 'xml2js',
+  'yaml', 'config', 'yargs', 'colors',
+  'winston', 'bunyan', 'pino', 'log4js', 'ramda', 'immutable',
+  'mobx', 'redux', 'zustand', 'formik', 'yup', 'ajv', 'validator',
+  'date-fns', 'dayjs', 'luxon', 'numeral', 'accounting', 'currency.js',
+  'lodash-es', 'core-js', 'regenerator-runtime', 'tslib', 'classnames',
+  'prop-types', 'cross-env', 'node-fetch', 'got'
+];
+
+// Packages legitimes courts ou qui ressemblent a des populaires
+const WHITELIST = new Set([
+  // Packages tres courts legitimes
+  'qs', 'pg', 'ms', 'ws', 'ip', 'on', 'is', 'it', 'to', 'or', 'fs', 'os',
+  'co', 'q', 'n', 'i', 'a', 'v', 'x', 'y', 'z',
+  'ejs', 'nyc', 'ini', 'joi', 'vue', 'npm', 'got', 'ora',
+  'vary', 'mime', 'send', 'etag', 'raw', 'tar', 'uid', 'cjs',
+  'rxjs', 'yarn', 'pnpm', 'next', 'targz',
+  
+  // Packages legitimes avec noms similaires
+  'acorn', 'acorn-walk', 'js-yaml', 'cross-env', 'node-fetch', 'node-gyp',
+  'core-js', 'lodash-es', 'date-fns', 'ts-node', 'ts-jest',
+  'css-loader', 'style-loader', 'file-loader', 'url-loader', 'babel-loader',
+  'vue-loader', 'react-dom', 'react-router', 'react-redux', 'vue-router',
+  'express-session', 'body-parser', 'cookie-parser',
+  
+  // Packages Express.js communs
+  'accepts', 'array-flatten', 'content-disposition', 'content-type',
+  'depd', 'destroy', 'encodeurl', 'escape-html', 'fresh', 'merge-descriptors',
+  'methods', 'on-finished', 'parseurl', 'path-to-regexp', 'proxy-addr',
+  'range-parser', 'safe-buffer', 'safer-buffer', 'setprototypeof',
+  'statuses', 'type-is', 'unpipe', 'utils-merge',
+  
+  // Packages CLI et outils legitimes
+  'jest-cli', 'prettier-2', 'prettier-1', 'eslint-cli',
+  'inquirer', 'enquirer', 'prompts',
+  'mysql2', 'pg-native', 'sqlite3', 'better-sqlite3',
+  'node-sass', 'sass', 'less',
+  'esbuild', 'rollup', 'parcel', 'vite',
+  'husky', 'lint-staged', 'commitlint',
+  'nodemon', 'pm2', 'forever', 'concurrently',
+  'lerna', 'turbo', 'nx',
+  'chalk', 'colors', 'picocolors', 'colorette',
+  'commander', 'yargs', 'meow', 'cac',
+  'execa', 'shelljs', 'cross-spawn',
+  'rimraf', 'del', 'trash-cli',
+  'globby', 'fast-glob', 'tiny-glob',
+  'chokidar', 'watchpack', 'nsfw',
+  'dotenv', 'dotenv-expand', 'env-cmd',
+
+  // Packages Vite et outils associes
+  'vitest', 'vitepress',
+  'eslint-config-prettier', 'eslint-plugin-prettier',
+  'eslint-scope', 'eslint-visitor-keys',
+  'esbuild-register',
+  'neo-async',
+
+  // Packages with names close to other popular packages (not typosquats)
+  'chai',       // resembles chalk (missing_char)
+  'pino',       // resembles sinon (missing_char)
+  'ioredis',    // resembles redis (extra prefix)
+  'bcryptjs',   // resembles bcrypt (suffix)
+  'recast',     // resembles react (extra_char)
+  'asyncdi',    // resembles async (suffix)
+  'redux',      // resembles redis (wrong_char)
+  'args',       // resembles yargs (missing_char)
+  'oxlint',     // resembles eslint (wrong_char)
+  'vasync',     // resembles async (extra prefix)
+
+  // FPR P1: Benign packages falsely flagged as typosquat in evaluation
+  'conf',       // resembles config
+  'defu',       // resembles debug
+  'ohash',      // resembles lodash
+  'cors',       // resembles colors
+  'meant',      // resembles react
+  'whelk',      // resembles chalk
+  'tslog',      // resembles tslib
+  'mkdist',     // resembles mkdirp
+  'jshint',     // resembles eslint
+  'dtslint',    // resembles eslint
+  'redis',      // resembles redux
+  'cypress',    // resembles express
+  'colord',     // resembles colors
+  'read',       // resembles react
+  'ulid',       // resembles uuid
+  'tslint',     // resembles eslint
+  'jison',      // resembles sinon
+  'reds',       // resembles redis
+  'docdash',    // resembles lodash
+  'yarpm',      // resembles yargs
+  'canvg',      // resembles canvas
+  'obug'        // internal sub-dependency
+]);
+
+
+// Pre-computed lowercase versions for performance
+const POPULAR_PACKAGES_LOWER = POPULAR_PACKAGES.map(p => p.toLowerCase());
+
+// Seuil minimum de longueur pour eviter faux positifs
+const MIN_PACKAGE_LENGTH = 4;
+
+const SEVERITY_ORDER = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];
+
+function maxSeverity(a, b) {
+  return SEVERITY_ORDER.indexOf(a) >= SEVERITY_ORDER.indexOf(b) ? a : b;
+}
+
+async function getCachedMetadata(packageName) {
+  if (metadataCache.has(packageName)) {
+    const entry = metadataCache.get(packageName);
+    // TTL check: evict stale entries
+    if (Date.now() - entry.ts < CACHE_TTL_MS) {
+      return entry.data;
+    }
+    metadataCache.delete(packageName);
+  }
+  const result = await getPackageMetadata(packageName);
+  // Bounded cache: evict oldest entry if at limit
+  if (metadataCache.size >= MAX_METADATA_CACHE_SIZE) {
+    const firstKey = metadataCache.keys().next().value;
+    metadataCache.delete(firstKey);
+  }
+  metadataCache.set(packageName, { data: result, ts: Date.now() });
+  return result;
+}
+
+function scoreMetadata(meta) {
+  let score = 0;
+  let severity = 'HIGH'; // base severity from Levenshtein match
+
+  if (!meta) {
+    // Package not found on npm = suspect
+    return { score: 20, severity: 'HIGH', factors: ['not_on_npm'] };
+  }
+
+  const factors = [];
+
+  // 1. Age
+  if (meta.age_days !== null && meta.age_days < 7) {
+    score += 30;
+    severity = maxSeverity(severity, 'CRITICAL');
+    factors.push('age<7d');
+  } else if (meta.age_days !== null && meta.age_days < 30) {
+    score += 15;
+    severity = maxSeverity(severity, 'HIGH');
+    factors.push('age<30d');
+  }
+
+  // 2. Downloads
+  if (meta.weekly_downloads < 100) {
+    score += 25;
+    severity = maxSeverity(severity, 'HIGH');
+    factors.push('downloads<100');
+  } else if (meta.weekly_downloads < 1000) {
+    score += 10;
+    severity = maxSeverity(severity, 'MEDIUM');
+    factors.push('downloads<1000');
+  }
+
+  // 3. Author package count
+  if (meta.author_package_count <= 1) {
+    score += 20;
+    severity = maxSeverity(severity, 'HIGH');
+    factors.push('single_pkg_author');
+  }
+
+  // 4. No README
+  if (!meta.has_readme) {
+    score += 10;
+    severity = maxSeverity(severity, 'MEDIUM');
+    factors.push('no_readme');
+  }
+
+  // 5. No repository
+  if (!meta.has_repository) {
+    score += 10;
+    severity = maxSeverity(severity, 'MEDIUM');
+    factors.push('no_repo');
+  }
+
+  return { score, severity, factors };
+}
+
+const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+
+/**
+ * Safely merge dependency objects, filtering out prototype pollution keys.
+ */
+function safeMerge(...objs) {
+  const result = {};
+  for (const obj of objs) {
+    if (!obj || typeof obj !== 'object') continue;
+    for (const [key, value] of Object.entries(obj)) {
+      if (!PROTO_KEYS.has(key)) {
+        result[key] = value;
+      }
+    }
+  }
+  return result;
+}
+
+async function scanTyposquatting(targetPath) {
+  const threats = [];
+  metadataCache.clear();
+  const packageJsonPath = path.join(targetPath, 'package.json');
+
+  if (!fs.existsSync(packageJsonPath)) {
+    return threats;
+  }
+
+  let packageJson;
+  try {
+    packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+  } catch {
+    return threats;
+  }
+  const dependencies = safeMerge(
+    packageJson.dependencies,
+    packageJson.devDependencies,
+    packageJson.peerDependencies,
+    packageJson.optionalDependencies
+  );
+
+  // Phase 1: Levenshtein matches (synchronous)
+  const candidates = [];
+  for (const depName of Object.keys(dependencies)) {
+    const match = findTyposquatMatch(depName);
+    if (match) {
+      candidates.push({ depName, match });
+    }
+  }
+
+  if (candidates.length === 0) return threats;
+
+  // Phase 2: API enrichment (batched to avoid socket exhaustion)
+  const BATCH_SIZE = 10;
+  const metadataResults = [];
+  for (let i = 0; i < candidates.length; i += BATCH_SIZE) {
+    const batch = candidates.slice(i, i + BATCH_SIZE);
+    const batchResults = await Promise.all(
+      batch.map(c => getCachedMetadata(c.depName))
+    );
+    metadataResults.push(...batchResults);
+  }
+
+  // Phase 3: Composite scoring
+  for (let i = 0; i < candidates.length; i++) {
+    const { depName, match } = candidates[i];
+    const meta = metadataResults[i];
+    const mf = scoreMetadata(meta);
+
+    const finalSeverity = maxSeverity('HIGH', mf.severity);
+
+    // Build detail message
+    let details;
+    if (!meta) {
+      details = 'Package not found on npm (suspect).';
+    } else {
+      details = 'Age: ' + meta.age_days + 'd'
+        + ', Downloads: ' + meta.weekly_downloads + '/week'
+        + ', Author packages: ' + meta.author_package_count
+        + ', No README: ' + String(!meta.has_readme)
+        + ', No repo: ' + String(!meta.has_repository);
+    }
+
+    const confidence = mf.score >= 40 ? 'CRITICAL'
+      : mf.score >= 20 ? 'HIGH'
+      : mf.score > 0 ? 'MEDIUM'
+      : 'LOW';
+
+    const message = 'Package "' + depName + '" resembles "' + match.original
+      + '" (' + match.type + '). ' + details + '. Confidence: ' + confidence;
+
+    threats.push({
+      type: 'typosquat_detected',
+      severity: finalSeverity,
+      message: message,
+      file: 'package.json',
+      details: {
+        suspicious: depName,
+        legitimate: match.original,
+        technique: match.type,
+        distance: match.distance,
+        composite_score: mf.score,
+        factors: mf.factors,
+        metadata: meta
+      }
+    });
+  }
+
+  return threats;
+}
+
+function findTyposquatMatch(name) {
+  const nameLower = name.toLowerCase();
+  
+  // Ignore les packages whitelistes
+  if (WHITELIST.has(nameLower)) return null;
+  
+  // Ignore les packages scoped (@org/package)
+  if (name.startsWith('@')) return null;
+
+  // Ignore les packages tres courts (trop de faux positifs)
+  if (name.length < MIN_PACKAGE_LENGTH) return null;
+
+  // Ignore les packages avec suffixes legitimes courants
+  if (isLegitimateVariant(nameLower)) return null;
+
+  for (let i = 0; i < POPULAR_PACKAGES.length; i++) {
+    const popularLower = POPULAR_PACKAGES_LOWER[i];
+    const popular = POPULAR_PACKAGES[i];
+
+    // Ignore si c'est exactement le meme
+    if (nameLower === popularLower) continue;
+
+    // Ignore si le package populaire est trop court
+    if (popular.length < MIN_PACKAGE_LENGTH) continue;
+
+    // Length pre-filter: Levenshtein distance >= |len(a) - len(b)|
+    if (Math.abs(nameLower.length - popularLower.length) > 2) continue;
+
+    const distance = levenshteinDistance(nameLower, popularLower);
+
+    // Distance de 1 = tres suspect (une seule lettre de difference)
+    if (distance === 1) {
+      return {
+        original: popular,
+        type: detectTyposquatType(name, popular),
+        distance: distance
+      };
+    }
+
+    // Distance de 2 seulement si le package est assez long (>= 5 chars)
+    if (distance === 2 && popular.length >= 5) {
+      return {
+        original: popular,
+        type: detectTyposquatType(name, popular),
+        distance: distance
+      };
+    }
+  }
+
+  return null;
+}
+
+function isLegitimateVariant(name) {
+  // Suffixes legitimes qui ne sont PAS du typosquatting
+  const legitimateSuffixes = [
+    '-cli', '-core', '-utils', '-plugin', '-loader', '-webpack',
+    '-react', '-vue', '-angular', '-node', '-browser',
+    '-esm', '-cjs', '-umd', '-vite',
+    '-types', '-typings',
+    '2', '3', '4', '5', // versions majeures (mysql2, etc)
+    '-v2', '-v3', '-next', '-latest', '-stable', '-lts'
+  ];
+  
+  for (const suffix of legitimateSuffixes) {
+    if (name.endsWith(suffix)) return true;
+  }
+  
+  // Prefixes legitimes
+  const legitimatePrefixes = [
+    '@types/', '@babel/', '@jest/', '@testing-library/',
+    'eslint-plugin-', 'eslint-config-',
+    'babel-plugin-', 'babel-preset-',
+    'webpack-plugin-', 'rollup-plugin-', 'vite-plugin-'
+  ];
+  
+  for (const prefix of legitimatePrefixes) {
+    if (name.startsWith(prefix)) return true;
+  }
+  
+  return false;
+}
+
+function detectTyposquatType(typo, original) {
+  if (typo.length === original.length - 1) return 'missing_char';
+  if (typo.length === original.length + 1) return 'extra_char';
+  if (typo.length === original.length) {
+    // Check for adjacent character swap
+    for (let i = 0; i < typo.length - 1; i++) {
+      if (typo[i] === original[i + 1] && typo[i + 1] === original[i]) {
+        // Verify remaining chars match
+        const before = typo.slice(0, i) === original.slice(0, i);
+        const after = typo.slice(i + 2) === original.slice(i + 2);
+        if (before && after) return 'swapped_chars';
+      }
+    }
+    return 'wrong_char';
+  }
+  return 'unknown';
+}
+
+function levenshteinDistance(a, b) {
+  // Two-row optimization: O(min(m,n)) space instead of O(m*n)
+  if (a.length < b.length) { const t = a; a = b; b = t; }
+  let prev = new Array(b.length + 1);
+  let curr = new Array(b.length + 1);
+
+  for (let j = 0; j <= b.length; j++) prev[j] = j;
+
+  for (let i = 1; i <= a.length; i++) {
+    curr[0] = i;
+    for (let j = 1; j <= b.length; j++) {
+      if (a.charAt(i - 1) === b.charAt(j - 1)) {
+        curr[j] = prev[j - 1];
+      } else {
+        curr[j] = Math.min(prev[j - 1] + 1, curr[j - 1] + 1, prev[j] + 1);
+      }
+    }
+    const tmp = prev; prev = curr; curr = tmp;
+  }
+
+  return prev[b.length];
+}
+
+function clearMetadataCache() {
+  metadataCache.clear();
+}
+
+// ============================================
+// PyPI TYPOSQUATTING
+// ============================================
+
+// Top 50 PyPI packages les plus populaires (cibles de typosquatting)
+const POPULAR_PYPI_PACKAGES = [
+  'requests', 'flask', 'django', 'numpy', 'pandas', 'scipy', 'matplotlib',
+  'pillow', 'boto3', 'setuptools', 'pip', 'wheel', 'urllib3', 'certifi',
+  'six', 'python-dateutil', 'pyyaml', 'cryptography', 'jinja2', 'markupsafe',
+  'click', 'sqlalchemy', 'beautifulsoup4', 'lxml', 'pytest', 'coverage',
+  'tox', 'black', 'mypy', 'pylint', 'fastapi', 'uvicorn', 'gunicorn',
+  'celery', 'redis', 'psycopg2', 'pymongo', 'httpx', 'aiohttp', 'tornado',
+  'scrapy', 'selenium', 'paramiko', 'fabric', 'ansible', 'tensorflow',
+  'torch', 'scikit-learn', 'keras', 'transformers'
+];
+
+// PEP 503 normalization: case-insensitive, hyphens/underscores/dots equivalent
+function normalizePyPI(name) {
+  return name.toLowerCase().replace(/[-_.]+/g, '-');
+}
+
+// Pre-computed normalized versions for O(n) comparison
+const POPULAR_PYPI_NORMALIZED = POPULAR_PYPI_PACKAGES.map(normalizePyPI);
+
+// Set for O(1) exact-match check (skip popular packages themselves)
+const POPULAR_PYPI_SET = new Set(POPULAR_PYPI_NORMALIZED);
+
+// Legitimate PyPI packages that look like typosquats but are not
+const PYPI_WHITELIST = new Set([
+  'boto',              // legitimate AWS SDK predecessor of boto3
+  'torchvision',       // legitimate PyTorch ecosystem
+  'torchaudio',        // legitimate PyTorch ecosystem
+  'tensorflow-gpu',    // legitimate TF variant
+  'scikit-image',      // legitimate scikit ecosystem
+  'scikit-optimize',   // legitimate scikit ecosystem
+  'paramiko2',         // fork of paramiko
+]);
+
+const MIN_PYPI_LENGTH = 4;
+
+/**
+ * Find a PyPI typosquat match using PEP 503 normalization + Levenshtein.
+ * No npm-registry-style API scoring — just distance-based detection.
+ *
+ * @param {string} name - PyPI package name from dependency file
+ * @returns {{original: string, type: string, distance: number}|null}
+ */
+function findPyPITyposquatMatch(name) {
+  const normalized = normalizePyPI(name);
+
+  // Skip if it IS a popular package (exact match after normalization)
+  if (POPULAR_PYPI_SET.has(normalized)) return null;
+
+  // Skip whitelisted
+  if (PYPI_WHITELIST.has(normalized)) return null;
+
+  // Skip very short names (too many false positives)
+  if (normalized.length < MIN_PYPI_LENGTH) return null;
+
+  for (let i = 0; i < POPULAR_PYPI_PACKAGES.length; i++) {
+    const popularNorm = POPULAR_PYPI_NORMALIZED[i];
+    const popular = POPULAR_PYPI_PACKAGES[i];
+
+    // Skip exact match (after normalization)
+    if (normalized === popularNorm) continue;
+
+    // Skip short popular packages
+    if (popularNorm.length < MIN_PYPI_LENGTH) continue;
+
+    // Length pre-filter: Levenshtein distance >= |len(a) - len(b)|
+    if (Math.abs(normalized.length - popularNorm.length) > 2) continue;
+
+    const distance = levenshteinDistance(normalized, popularNorm);
+
+    // Distance 1 = very suspect (one char difference)
+    if (distance === 1) {
+      return {
+        original: popular,
+        type: detectTyposquatType(normalized, popularNorm),
+        distance: distance
+      };
+    }
+
+    // Distance 2 only for longer packages (>= 5 chars)
+    if (distance === 2 && popularNorm.length >= 5) {
+      return {
+        original: popular,
+        type: detectTyposquatType(normalized, popularNorm),
+        distance: distance
+      };
+    }
+  }
+
+  return null;
+}
+
 module.exports = { scanTyposquatting, levenshteinDistance, clearMetadataCache, findPyPITyposquatMatch };