np-audit 1.4.0 → 1.5.1

package/README.md

@@ -2,6 +2,7 @@
 
 [![npm version](https://img.shields.io/npm/v/np-audit.svg)](https://www.npmjs.com/package/np-audit)
 [![npm downloads](https://img.shields.io/npm/dm/np-audit.svg)](https://www.npmjs.com/package/np-audit)
+[![npm package size](https://img.shields.io/npm/unpacked-size/np-audit)](https://www.npmjs.com/package/np-audit)
 [![GitHub license](https://img.shields.io/github/license/KoblerS/np-audit.svg)](https://github.com/KoblerS/np-audit/blob/main/LICENSE)
 [![CI](https://github.com/KoblerS/np-audit/actions/workflows/ci.yml/badge.svg)](https://github.com/KoblerS/np-audit/actions/workflows/ci.yml)
 
@@ -39,22 +40,44 @@ Real-world examples include:
 - **[ua-parser-js (2021)](https://github.com/advisories/GHSA-pjwm-rvh2-c87w)** — cryptocurrency miner + info-stealer injected via hijacked maintainer account
 - **[node-ipc (2022)](https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/)** — wiper malware targeting systems by geo-IP
 - **[colors / faker (2022)](https://snyk.io/blog/open-source-npm-packages-colors-faker/)** — deliberate sabotage by the maintainer via postinstall
-- **XZ Utils (2024)** — multi-year social engineering + backdoor via build scripts (C ecosystem, but same pattern)
+- **[SAP CAP / cds-dbs (2025)](https://community.sap.com/t5/technology-blog-posts-by-sap/cap-developers-call-to-action-to-mitigate-and-apply-solution-provided-in/ba-p/14387683)** — compromised npm package targeting SAP developers
 
 **`npa` never executes the scripts.** It downloads and statically analyzes them, detecting:
 
-| Signal | Example |
-|---|---|
-| `eval()` / `new Function()` | `eval(atob("aGVsbG8="))` |
-| Obfuscator.io patterns | `var _0x3f2a = [...]` |
-| High-entropy strings | Encrypted/compressed payloads |
-| Hex escape density | `\x68\x65\x6c\x6c\x6f` |
+| Signal                         | Example                                    |
+| ------------------------------ | ------------------------------------------ |
+| `eval()` / `new Function()`    | `eval(atob("aGVsbG8="))`                   |
+| Indirect eval                  | `(0, eval)(x)`, `globalThis['ev'+'al'](x)` |
+| Function constructor prototype | `({}).constructor.constructor("…")()`      |
+| `setTimeout` with string arg   | `setTimeout('alert(1)', 100)`              |
+| Obfuscator.io patterns         | `var _0x3f2a = [...]`                      |
+| High-entropy strings           | Encrypted/compressed payloads              |
+| Split-literal high entropy     | `'aB' + 'cD' + 'eF' + …` (concat chain)    |
+| Hex / Unicode escape density   | `\x68\x65\x6c\x6c\x6f`, `\u0068\u0065…`    |
 | `String.fromCharCode()` chains | `String.fromCharCode(104,101,108,108,111)` |
-| Base64 decode + exec | `Buffer.from(x,'base64')` + `eval` |
-| Shell spawning | `require('child_process').exec(...)` |
-| Large hex literal arrays | `[0x1a, 0x2b, 0x3c, ...]` × 20+ |
-| `process.env` access | Token/credential harvesting |
-| Outbound network calls | Data exfiltration |
+| Decimal char-code arrays       | `[101,118,97,108,...]` (printable ASCII)   |
+| Base64 / hex decode + exec     | `Buffer.from(x,'base64'\|'hex')` + `eval`  |
+| Shell spawning                 | `require('child_process').exec(...)`       |
+| `worker_threads`               | `new Worker(...)`, eval-class surface      |
+| Concealed `require`            | `require('child' + '_process')`            |
+| Dynamic `require` / `import`   | `require(variable)`, `import(expr)`        |
+| Large hex literal arrays       | `[0x1a, 0x2b, 0x3c, ...]` × 20+            |
+| `process.env` access           | Token/credential harvesting                |
+| Outbound network calls         | `https`/`http`/`net`/`dns`/`tls`/`dgram`/`http2`, `node:` prefix, dynamic `import()` |
+| Missing referenced script      | Command references file not in tarball     |
+| Oversized require graph        | Postinstall reaches >50 files or >5 MB     |
+
+### Coverage beyond the entry script
+
+`npa` doesn't just inspect the single file named in the lifecycle command. It:
+
+- Splits chained commands (`&&`, `||`, `;`, `|`) and analyses each segment, so `node setup.js && node payload.js` no longer hides the second invocation.
+- Handles `node -e "…"`, `sh -c "…"`, `python -c "…"` by analysing the inline code rather than just the wrapper command.
+- Reads shell scripts (`sh ./install.sh`), Python scripts, and shebang-invoked files — not only `node` targets.
+- Follows internal `require('./…')` and `import './…'` chains across the package (with cycle detection and per-package caps), so payloads hidden in helper files like `lib/helper.js` are caught.
+- Records dynamic `require(variable)` / `import(expr)` calls as findings, since they can't be resolved statically.
+- Scans the project's **own** `package.json` lifecycle scripts by default, catching PRs and supply-chain attacks that target the repository itself. Opt out with `scanSelf: false` in `.npmauditor.json`.
+- Inspects **all** lifecycle scripts npm may run, not only `preinstall`/`install`/`postinstall`: also `prepare`, `preprepare`, `postprepare`, and `prepublish`.
 
 ---
 
@@ -84,29 +107,29 @@ npa --version
 
 ### Commands
 
-| Command | Alias | Description |
-|---|---|---|
-| `npa install [package]` | `npa i` | Audit then run `npm install` |
-| `npa ci` | — | Audit then run `npm ci` |
-| `npa scan` | `npa s` | Scan only, no install |
-| `npa config get` | `npa c get` | Show current configuration |
-| `npa config set <key> <value>` | `npa c set` | Update a config value |
-| `npa alias` | — | Print shell hook for auto-scanning |
-| `npa alias --install` | — | Install hook to shell profile |
-| `npa alias --uninstall` | — | Remove hook from shell profile |
+| Command                        | Alias       | Description                        |
+| ------------------------------ | ----------- | ---------------------------------- |
+| `npa install [package]`        | `npa i`     | Audit then run `npm install`       |
+| `npa ci`                       | —           | Audit then run `npm ci`            |
+| `npa scan`                     | `npa s`     | Scan only, no install              |
+| `npa config get`               | `npa c get` | Show current configuration         |
+| `npa config set <key> <value>` | `npa c set` | Update a config value              |
+| `npa alias`                    | —           | Print shell hook for auto-scanning |
+| `npa alias --install`          | —           | Install hook to shell profile      |
+| `npa alias --uninstall`        | —           | Remove hook from shell profile     |
 
 Use `npa <command> -h` for detailed help on any command.
 
 ### Flags
 
-| Flag | Alias | Works with | Description |
-|---|---|---|---|
-| `--aware` | `-a` | `install`, `ci` | Interactive mode — choose which scripts to allow |
-| `--json` | — | `install`, `ci`, `scan` | Machine-readable JSON output |
-| `--no-dev` | — | `install`, `ci`, `scan` | Skip devDependencies |
-| `--verbose` | — | all | Show fetch progress and extra detail |
-| `--version` | — | — | Print version and exit |
-| `--help` | `-h` | — | Print help and exit |
+| Flag        | Alias | Works with              | Description                                      |
+| ----------- | ----- | ----------------------- | ------------------------------------------------ |
+| `--review`  | `-r`  | `install`, `ci`         | Interactive mode — choose which scripts to allow |
+| `--json`    | —     | `install`, `ci`, `scan` | Machine-readable JSON output                     |
+| `--no-dev`  | —     | `install`, `ci`, `scan` | Skip devDependencies                             |
+| `--verbose` | —     | all                     | Show fetch progress and extra detail             |
+| `--version` | —     | —                       | Print version and exit                           |
+| `--help`    | `-h`  | —                       | Print help and exit                              |
 
 ### Drop-in replacement for `npm install`
 
@@ -133,23 +156,23 @@ npa s --no-dev       # skip devDependencies
 npa s --verbose      # show fetch progress
 ```
 
-### Interactive `--aware` mode
+### Interactive `--review` mode
 
 Review each install script yourself and decide which to allow:
 
 ```bash
-npa i --aware        # or: npa i -a
-npa ci --aware
+npa i --review        # or: npa i -r
+npa ci --review
 ```
 
 ```
-  npa --aware mode
+  npa --review mode
   Use ↑/↓ to navigate, SPACE to toggle, ENTER to confirm, q to quit
 
   Found 3 package(s) with install scripts:
 
      [✓ allow] esbuild@0.24.2       postinstall: post-install.js     OK
-   ▶ [✗ deny ] evil-sdk@1.0.0       postinstall: install.js          BLOCK (score: 9)
+   ▶ [✗ deny ] evil-sdk@1.0.0       postinstall: install.js          DANGER (score: 9)
      [✓ allow] @scope/pkg@2.1.0     postinstall: install.js          WARN (score: 5)
 
   2 allowed  1 denied
@@ -200,8 +223,8 @@ If issues are found, the install is blocked:
 ```bash
 $ npm install evil-pkg
 [npa] Scanning dependencies before npm install...
-✗ evil-pkg@1.0.0 BLOCK (score: 9)
-[npa] Scan found issues. Run 'npa install --aware' for interactive mode.
+✗ evil-pkg@1.0.0 DANGER (score: 9)
+[npa] Scan found issues. Run 'npa install --review' for interactive mode.
 ```
 
 To remove the hook:
@@ -212,24 +235,26 @@ npa alias --uninstall
 
 #### All config keys
 
-| Key | Default | Description |
-|---|---|---|
-| `blockScore` | `7` | Score threshold for hard block (exit 1) |
-| `warnScore` | `4` | Score threshold for warning (exit 0) |
-| `registry` | `https://registry.npmjs.org` | npm registry URL |
-| `timeout` | `30000` | HTTP request timeout (ms) |
-| `parallelFetches` | `5` | Concurrent tarball downloads |
-| `skipScopes` | `[]` | `@scope` prefixes to skip entirely |
-| `skipPackages` | `[]` | Specific package names to skip |
+| Key               | Default                      | Description                             |
+| ----------------- | ---------------------------- | --------------------------------------- |
+| `blockScore`      | `7`                          | Score threshold for hard block (exit 1) |
+| `warnScore`       | `4`                          | Score threshold for warning (exit 0)    |
+| `registry`        | `https://registry.npmjs.org` | npm registry URL                        |
+| `timeout`         | `30000`                      | HTTP request timeout (ms)               |
+| `parallelFetches` | `5`                          | Concurrent tarball downloads            |
+| `skipScopes`      | `[]`                         | `@scope` prefixes to skip entirely      |
+| `skipPackages`    | `[]`                         | Specific package names to skip          |
+| `silent`          | `false`                      | Suppress output when no issues found    |
+| `scanSelf`        | `true`                       | Also scan the current project's own `package.json` lifecycle scripts |
 
 ---
 
 ## Exit codes
 
-| Code | Meaning |
-|---|---|
-| `0` | All packages clean or only warnings |
-| `1` | One or more packages blocked |
+| Code | Meaning                             |
+| ---- | ----------------------------------- |
+| `0`  | All packages clean or only warnings |
+| `1`  | One or more packages blocked        |
 
 ---
 
@@ -238,10 +263,13 @@ npa alias --uninstall
 1. **Parse** `package-lock.json` (supports v1, v2, v3 formats)
 2. **Filter** packages: skip dev deps (`--no-dev`), skipped scopes/packages, packages without install scripts
 3. **Fetch or read** — for packages in `node_modules`: read from disk. For packages not yet installed: download the tarball from the npm registry and parse it in memory (pure Node.js tar.gz reader, no `tar` package)
-4. **Analyze** each `preinstall`/`install`/`postinstall` script file statically — never execute
-5. **Score** findings (0–10 per signal), classify as BLOCK / WARN / OK based on config thresholds
-6. **Report** results to terminal or `--json`
-7. **Proceed** — run npm normally, or in `--aware` mode let you selectively allow scripts
+4. **Parse the lifecycle command** — split on `&&` / `||` / `;` / `|`, classify each segment by interpreter (`node`, `sh`, `python`, `bun`, …), and treat `node -e` / `sh -c` arguments as inline code
+5. **Walk the require/import graph** from each entry script — following internal `./` / `../` paths, with cycle detection and per-package caps (50 files / 5 MB)
+6. **Analyze** every reached file statically across all lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`, `preprepare`, `postprepare`, `prepublish`) — never execute
+7. **Also scan the current project's own** `package.json` lifecycle scripts (unless `scanSelf: false`)
+8. **Score** findings (0–10 per signal), classify as DANGER / WARN / OK based on config thresholds
+9. **Report** results to terminal or `--json` — each finding is tagged with the file it came from
+10. **Proceed** — run npm normally, or in `--review` mode let you selectively allow scripts
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "np-audit",
-  "version": "1.4.0",
+  "version": "1.5.1",
   "description": "Static obfuscation detector for npm lifecycle scripts — supply chain attack prevention",
   "bin": {
     "npa": "bin/npa.js",

package/src/cli.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const { loadConfig, DEFAULT_CONFIG } = require('./utils/config');
+const { checkForUpdate } = require('./utils/updateChecker');
 const commands = require('./commands');
 const output = require('./utils/output');
 
@@ -37,6 +38,7 @@ ${lines.join('\n')}
     parallelFetches  Concurrent downloads (default: ${DEFAULT_CONFIG.parallelFetches})
     skipScopes       Array of @scopes to skip
     skipPackages     Array of package names to skip
+    maxTarballSize   Max unpacked tarball size (default: ${DEFAULT_CONFIG.maxTarballSize})
 `;
 }
 
@@ -108,7 +110,20 @@ async function main() {
     process.exit(1);
   }
 
+  // Fire update check only for scan/install/ci commands (non-blocking)
+  const UPDATE_COMMANDS = ['scan', 's', 'install', 'i', 'ci'];
+  const updatePromise = (UPDATE_COMMANDS.includes(command) && !flags.json && !config.silent)
+    ? checkForUpdate(config, VERSION)
+    : Promise.resolve(null);
+
   await cmd.run({ args, rawArgs, flags, config, cwd });
+
+  // Print update notice after command output
+  const latestVersion = await updatePromise;
+  if (latestVersion) {
+    output.log('');
+    output.log(output.dim(`  Update available: ${VERSION} → ${latestVersion} — run "npm i -g np-audit" to update`));
+  }
 }
 
 main().catch(err => {

package/src/core/detector.js

@@ -3,11 +3,12 @@
 // ─── Constants ───────────────────────────────────────────────────────────────
 
 const MAX_CODE_SIZE = 500000; // 500KB - chunk larger files
+const CHUNK_STRIDE  = 250000; // 50% overlap between adjacent chunks
 
 // ─── Individual detection checks ─────────────────────────────────────────────
 
 /**
- * Detect eval / dynamic code execution.
+ * Detect eval / dynamic code execution, including common indirect-eval tricks.
  * @param {string} code
  * @returns {Finding|null}
  */
@@ -18,6 +19,18 @@ function checkEval(code) {
     /vm\.runInThisContext\s*\(/,
     /vm\.runInNewContext\s*\(/,
     /vm\.Script\s*\(/,
+    // Indirect eval — (0, eval)(...) is the canonical sloppy-mode trick
+    /\(\s*0\s*,\s*eval\s*\)\s*\(/,
+    // Bracket access on a global object: global['eval'], globalThis["eval"], window['eval'],
+    // and the same with the string built from concatenation: globalThis['ev'+'al']
+    /(?:global|globalThis|window|self|this)\s*\[\s*['"`](?:eval|Function)['"`]\s*\]\s*\(/,
+    /(?:global|globalThis|window|self|this)\s*\[\s*['"`][^'"`]*['"`](?:\s*\+\s*['"`][^'"`]*['"`]){1,}\s*\]\s*\(/,
+    // Function constructor accessed via prototype: ({}).constructor.constructor("...")()
+    /\.constructor\s*\.\s*constructor\s*\(/,
+    // setTimeout/setInterval with a string argument is a legacy eval vector
+    /\b(?:setTimeout|setInterval)\s*\(\s*['"`]/,
+    // require('vm') hint when combined with run* — covered above by vm.*, but catch the import too
+    /require\s*\(\s*['"]vm['"]\s*\)/,
   ];
   const matched = patterns.filter(p => p.test(code));
   if (matched.length === 0) return null;
@@ -45,6 +58,7 @@ function checkObfuscatorIo(code) {
 /**
  * Detect high-entropy strings (likely encoded/encrypted payloads).
  * Uses indexOf-based extraction to avoid regex stack overflow on large files.
+ * Also detects concatenation chains used to defeat per-literal entropy checks.
  * @param {string} code
  * @returns {Finding|null}
  */
@@ -77,80 +91,150 @@ function checkHighEntropy(code) {
     }
   }
 
-  if (maxEntropy < 4.5) return null;
-  return {
-    name: 'high-entropy-string',
-    score: 6,
-    detail: `Entropy ${maxEntropy.toFixed(2)} in string "${worst}…"`,
-  };
+  if (maxEntropy >= 4.5) {
+    return {
+      name: 'high-entropy-string',
+      score: 6,
+      detail: `Entropy ${maxEntropy.toFixed(2)} in string "${worst}…"`,
+    };
+  }
+
+  // Concatenation chain: many small string literals joined with `+`.
+  // Captures payloads split into <50-char chunks to dodge the per-literal entropy check.
+  // We measure the entropy of the *aggregated* literals.
+  const concatChainRe = /(?:['"`][^'"`\n]{0,40}['"`]\s*\+\s*){5,}['"`][^'"`\n]{0,40}['"`]/g;
+  let m;
+  let bestChain = '';
+  while ((m = concatChainRe.exec(code)) !== null) {
+    const literals = m[0].match(/['"`]([^'"`\n]{0,40})['"`]/g) || [];
+    const joined = literals.map(l => l.slice(1, -1)).join('');
+    if (joined.length >= 40) {
+      const e = shannonEntropy(joined);
+      if (e > maxEntropy) { maxEntropy = e; bestChain = joined.slice(0, 40); }
+    }
+  }
+
+  if (maxEntropy >= 4.5) {
+    return {
+      name: 'high-entropy-string',
+      score: 6,
+      detail: `Entropy ${maxEntropy.toFixed(2)} in concatenated literals "${bestChain}…"`,
+    };
+  }
+
+  return null;
 }
 
 /**
- * Detect dense hex escape sequences (\x41).
- * Score scales with volume.
+ * Detect dense \xNN and \uXXXX escape sequences.
+ * Score scales with volume; \u and \x are summed.
  * @param {string} code
  * @returns {Finding|null}
  */
 function checkHexEscapes(code) {
-  const hexMatches = (code.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
-  if (hexMatches < 10) return null;
+  const hexMatches     = (code.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
+  const unicodeMatches = (code.match(/\\u[0-9a-fA-F]{4}/g) || []).length
+                       + (code.match(/\\u\{[0-9a-fA-F]+\}/g) || []).length;
+  const total = hexMatches + unicodeMatches;
+  if (total < 10) return null;
   // Scale: 10-50 = 5, 51-200 = 15, 201-1000 = 30, 1000+ = 50
   let score = 5;
-  if (hexMatches > 1000) score = 50;
-  else if (hexMatches > 200) score = 30;
-  else if (hexMatches > 50) score = 15;
-  return { name: 'hex-escape-density', score, detail: `${hexMatches} \\xNN hex escapes found` };
+  if (total > 1000) score = 50;
+  else if (total > 200) score = 30;
+  else if (total > 50) score = 15;
+  const detail = unicodeMatches > 0
+    ? `${hexMatches} \\xNN + ${unicodeMatches} \\uXXXX escapes found`
+    : `${hexMatches} \\xNN hex escapes found`;
+  return { name: 'hex-escape-density', score, detail };
 }
 
 /**
- * Detect String.fromCharCode with many numeric arguments.
+ * Detect String.fromCharCode (and its aliases) with many numeric arguments,
+ * and large arrays of character codes that are typically reassembled into strings.
  * @param {string} code
  * @returns {Finding|null}
  */
 function checkFromCharCode(code) {
-  const re = /String\.fromCharCode\s*\(([^)]+)\)/g;
-  let match;
+  // Direct (or property-access) call: String.fromCharCode(...) or anyObj.fromCharCode(...)
   let maxArgs = 0;
-  while ((match = re.exec(code)) !== null) {
+  const direct = /(?:String|[\w$]+)\.fromCharCode\s*\(([^)]+)\)/g;
+  let match;
+  while ((match = direct.exec(code)) !== null) {
     const args = match[1].split(',').filter(a => /^\s*\d+\s*$/.test(a));
     if (args.length > maxArgs) maxArgs = args.length;
   }
-  if (maxArgs < 5) return null;
-  return { name: 'fromCharCode', score: 7, detail: `String.fromCharCode with ${maxArgs} numeric args` };
+
+  // Decimal char-code arrays of length >= 8 that look like ASCII text
+  // e.g. [101,118,97,108] -> "eval"
+  const arrRe = /\[\s*((?:\d{1,3}\s*,\s*){7,}\d{1,3})\s*\]/g;
+  let arrMatch;
+  let maxArr = 0;
+  while ((arrMatch = arrRe.exec(code)) !== null) {
+    const nums = arrMatch[1].split(',')
+      .map(s => parseInt(s.trim(), 10))
+      .filter(n => !Number.isNaN(n));
+    // ASCII printable range — typical for char-code payloads
+    const printable = nums.filter(n => n >= 32 && n <= 126).length;
+    if (printable / nums.length >= 0.9 && nums.length > maxArr) maxArr = nums.length;
+  }
+
+  if (maxArgs >= 5) {
+    return { name: 'fromCharCode', score: 7, detail: `fromCharCode with ${maxArgs} numeric args` };
+  }
+  if (maxArr >= 16) {
+    // Treat large printable-ascii decimal arrays as equivalent to fromCharCode obfuscation
+    return { name: 'fromCharCode', score: 7, detail: `decimal char-code array of length ${maxArr}` };
+  }
+  return null;
 }
 
 /**
- * Detect base64 decode combined with eval-like execution.
+ * Detect base64 / hex decoding combined with eval-like execution.
  * @param {string} code
  * @returns {Finding|null}
  */
 function checkBase64Exec(code) {
   const hasBase64 = /atob\s*\(|Buffer\.from\s*\([^)]*,\s*['"]base64['"]\)/.test(code);
-  const hasExec   = /eval\s*\(|new\s+Function\s*\(|\.exec\s*\(/.test(code);
-  if (!hasBase64) return null;
-  if (hasBase64 && !hasExec) {
-    return { name: 'base64-decode', score: 3, detail: 'Base64 decode found — verify usage' };
+  const hasHexDecode = /Buffer\.from\s*\([^)]*,\s*['"]hex['"]\)/.test(code);
+  const hasExec   = /\beval\s*\(|new\s+Function\s*\(|\.exec\s*\(|\(\s*0\s*,\s*eval\s*\)\s*\(/.test(code);
+  if (!hasBase64 && !hasHexDecode) return null;
+  if (!hasExec) {
+    const kind = hasBase64 ? 'Base64' : 'Hex';
+    return { name: 'encoded-decode', score: 3, detail: `${kind} decode found — verify usage` };
   }
-  return { name: 'base64-decode+exec', score: 8, detail: 'Base64 decode with code execution found' };
+  const kind = hasBase64 ? 'Base64' : 'Hex';
+  return { name: 'encoded-decode+exec', score: 8, detail: `${kind} decode with code execution found` };
 }
 
 /**
- * Detect child_process / shell execution patterns.
+ * Detect child_process / shell execution patterns, including string-concatenated
+ * `require('child' + '_process')` and access via require.call etc.
  * @param {string} code
  * @returns {Finding|null}
  */
 function checkChildProcess(code) {
   const patterns = [
     /require\s*\(\s*['"]child_process['"]\s*\)/,
+    // node:-prefixed import
+    /require\s*\(\s*['"]node:child_process['"]\s*\)/,
+    // String-concatenation bypass: require('child'+'_process'), require(\`child${''}_process\`)
+    /require\s*\(\s*['"`][^'"`]*['"`](?:\s*\+\s*['"`][^'"`]*['"`])+\s*\)/,
+    // Dynamic require with computed key — flag for review
+    /require\s*\(\s*[a-zA-Z_$][\w$]*\s*\[/,
     /\bexec\s*\(/,
     /\bspawn\s*\(/,
     /\bexecSync\s*\(/,
     /\bspawnSync\s*\(/,
     /\bexecFile\s*\(/,
+    /\bexecFileSync\s*\(/,
+    /\bfork\s*\(/,
+    // Worker threads can host eval-equivalent execution
+    /require\s*\(\s*['"]worker_threads['"]\s*\)/,
+    /new\s+Worker\s*\(/,
   ];
   const matched = patterns.filter(p => p.test(code));
   if (matched.length === 0) return null;
-  return { name: 'child-process', score: 5, detail: `Shell execution found (${matched.length} pattern(s))` };
+  return { name: 'child-process', score: 5, detail: `Shell/process execution found (${matched.length} pattern(s))` };
 }
 
 /**
@@ -192,15 +276,68 @@ function checkNetworkCalls(code) {
     /require\s*\(\s*['"]https?['"]\s*\)/,
     /require\s*\(\s*['"]net['"]\s*\)/,
     /require\s*\(\s*['"]dns['"]\s*\)/,
-    /fetch\s*\(/,
+    /require\s*\(\s*['"]tls['"]\s*\)/,
+    /require\s*\(\s*['"]dgram['"]\s*\)/,
+    /require\s*\(\s*['"]http2['"]\s*\)/,
+    /\bfetch\s*\(/,
     /XMLHttpRequest/,
     /\.request\s*\(/,
+    // node:-prefixed imports (Node 16+)
+    /require\s*\(\s*['"]node:(?:https?|net|dns|tls|dgram|http2)['"]\s*\)/,
+    // Dynamic import of these modules
+    /import\s*\(\s*['"](?:node:)?(?:https?|net|dns|tls|dgram|http2)['"]\s*\)/,
   ];
   const matched = patterns.filter(p => p.test(code));
   if (matched.length === 0) return null;
   return { name: 'network-call', score: 4, detail: `Network call found (${matched.length} pattern(s))` };
 }
 
+/**
+ * Detect filesystem manipulation (potential backdoor installation).
+ * @param {string} code
+ * @returns {Finding|null}
+ */
+function checkFilesystemManipulation(code) {
+  const writePatterns = [
+    /fs\.write(?:File)?(?:Sync)?\s*\(/,
+    /fs\.append(?:File)?(?:Sync)?\s*\(/,
+    /fs\.create(?:WriteStream)?\s*\(/,
+    /\.pipe\s*\(/,
+  ];
+  const permissionPatterns = [
+    /fs\.chmod(?:Sync)?\s*\(/,
+    /fs\.chown(?:Sync)?\s*\(/,
+    /fs\.access(?:Sync)?\s*\(/,
+  ];
+  const linkPatterns = [
+    /fs\.symlink(?:Sync)?\s*\(/,
+    /fs\.link(?:Sync)?\s*\(/,
+  ];
+
+  const writeMatches = writePatterns.filter(p => p.test(code)).length;
+  const permMatches = permissionPatterns.filter(p => p.test(code)).length;
+  const linkMatches = linkPatterns.filter(p => p.test(code)).length;
+
+  if (writeMatches === 0 && permMatches === 0 && linkMatches === 0) return null;
+
+  const details = [];
+  if (writeMatches > 0) details.push(`${writeMatches} write operation(s)`);
+  if (permMatches > 0) details.push(`${permMatches} permission change(s)`);
+  if (linkMatches > 0) details.push(`${linkMatches} symlink operation(s)`);
+
+  // Score 3-4 based on variety of operations
+  let score = 3;
+  if ((writeMatches > 0 ? 1 : 0) + (permMatches > 0 ? 1 : 0) + (linkMatches > 0 ? 1 : 0) >= 2) {
+    score = 4;
+  }
+
+  return {
+    name: 'filesystem-manipulation',
+    score,
+    detail: details.join(', ')
+  };
+}
+
 // ─── Entropy helper ──────────────────────────────────────────────────────────
 
 function shannonEntropy(str) {
@@ -228,11 +365,13 @@ const CHECKS = [
   checkHexArray,
   checkProcessEnv,
   checkNetworkCalls,
+  checkFilesystemManipulation,
 ];
 
 /**
  * Run all checks against a code string.
- * For large files, analyzes multiple chunks and aggregates results.
+ * For large files, uses a sliding window (50% overlap) so payloads cannot
+ * hide in the gaps between fixed start/middle/end chunks.
  * @param {string} code
  * @param {object} config  { blockScore, warnScore }
  * @returns {{ score: number, findings: Finding[], verdict: 'BLOCK'|'WARN'|'OK' }}
@@ -242,14 +381,18 @@ function detectObfuscation(code, config = { blockScore: 50, warnScore: 20 }) {
     return { score: 0, findings: [], verdict: 'OK' };
   }
 
-  // For large files, analyze chunks and take worst results
+  // For large files, slide a window across the entire content. With a 500KB
+  // window and 250KB stride, every byte appears in at least one window — so a
+  // payload at any offset is guaranteed to be analyzed in a single contiguous
+  // chunk.
   const chunks = [];
   if (code.length > MAX_CODE_SIZE) {
-    // Analyze start, middle, and end chunks
-    chunks.push(code.slice(0, MAX_CODE_SIZE));
-    const mid = Math.floor(code.length / 2) - Math.floor(MAX_CODE_SIZE / 2);
-    chunks.push(code.slice(mid, mid + MAX_CODE_SIZE));
-    chunks.push(code.slice(-MAX_CODE_SIZE));
+    let start = 0;
+    while (start < code.length) {
+      chunks.push(code.slice(start, start + MAX_CODE_SIZE));
+      if (start + MAX_CODE_SIZE >= code.length) break;
+      start += CHUNK_STRIDE;
+    }
   } else {
     chunks.push(code);
   }
@@ -297,4 +440,5 @@ module.exports = {
   checkHexArray,
   checkProcessEnv,
   checkNetworkCalls,
+  checkFilesystemManipulation,
 };