np-audit 1.5.1 → 2.0.0

package/README.md

@@ -8,7 +8,7 @@
 
 # np-audit — npm package auditor
 
-Statically detect obfuscated code in npm `preinstall`/`postinstall` scripts **before** they run. Drop-in replacement for `npm install` and `npm ci`.
+Static security analysis for npm packages — detects obfuscated lifecycle scripts, known vulnerabilities, and malicious patterns **before** they run. Drop-in replacement for `npm install` and `npm ci`.
 
 **Zero dependencies.** Pure Node.js built-ins only.
 
@@ -246,6 +246,52 @@ npa alias --uninstall
 | `skipPackages`    | `[]`                         | Specific package names to skip          |
 | `silent`          | `false`                      | Suppress output when no issues found    |
 | `scanSelf`        | `true`                       | Also scan the current project's own `package.json` lifecycle scripts |
+| `maxTarballSize`  | `50MB`                       | Max unpacked tarball size (zip bomb protection) |
+| `checkVulnerabilities` | `true`                  | Check packages against known vulnerability databases |
+| `deepResolve`     | `false`                      | Recursively resolve full transitive dependency tree |
+
+---
+
+### Vulnerability Scanning (CVE)
+
+np-audit checks every scanned package against known vulnerability databases. This runs alongside the obfuscation detection and flags packages with known CVEs.
+
+**Default: OSV.dev (no setup required)**
+
+Works out of the box — queries the free [OSV.dev](https://osv.dev/) API for known vulnerabilities and malicious package advisories.
+
+**Optional: Snyk API (richer data)**
+
+For more detailed vulnerability information, configure a Snyk API token:
+
+```bash
+# Option 1: Environment variable
+export SNYK_API_TOKEN=your-token-here
+
+# Option 2: Snyk CLI config (if you have Snyk CLI installed)
+snyk auth
+```
+
+np-audit checks for the token in this order:
+1. `SNYK_API_TOKEN` environment variable
+2. `SNYK_TOKEN` environment variable
+3. `~/.config/configstore/snyk.json` (created by `snyk auth`)
+
+**Scoring:**
+| Severity | Score | Verdict |
+| -------- | ----- | ------- |
+| Malicious package | 80 | DANGER |
+| 10+ vulnerabilities | 6 | WARN |
+| 5-9 vulnerabilities | 5 | WARN |
+| 1-4 vulnerabilities | 4 | WARN |
+
+Non-malicious CVEs produce warnings but never block installation. Only confirmed malicious packages trigger DANGER.
+
+**Disable vulnerability checks:**
+
+```bash
+npa config set checkVulnerabilities false
+```
 
 ---
 
@@ -273,16 +319,28 @@ npa alias --uninstall
 
 ---
 
-## Development
+## Marshallers
 
-```bash
-git clone https://github.com/KoblerS/np-audit.git
-cd np-audit
-npm test          # run all unit + E2E tests
-npm link          # install npa globally from source
-```
+Detection is split into modular marshallers — each one detects a single attack signal:
+
+| Marshaller | What it detects | Score |
+| ---------- | --------------- | ----- |
+| `eval/dynamic-exec` | `eval()`, `new Function()`, indirect eval, `vm.*`, `setTimeout` with string | 8 |
+| `obfuscator.io` | `_0x` variable naming patterns (obfuscator.io output) | 9–80 |
+| `high-entropy-string` | Long strings or concatenation chains with high Shannon entropy | 6 |
+| `hex-escape-density` | Dense `\xNN` and `\uXXXX` escape sequences | 5–50 |
+| `fromCharCode` | `String.fromCharCode` with many args, large decimal char-code arrays | 7 |
+| `encoded-decode` | Base64/hex decode (`atob`, `Buffer.from`) optionally combined with `eval` | 3–8 |
+| `child-process` | `require('child_process')`, `exec`, `spawn`, `fork`, worker_threads | 5 |
+| `hex-array` | Large numbers of `0x` hex literal values | 7–60 |
+| `process-env` | `process.env` access (credential exfiltration signal) | 3 |
+| `network-call` | `require('https')`, `fetch()`, `dns`, `net`, `tls` | 4 |
+| `filesystem-manipulation` | `fs.writeFile`, `chmod`, `symlink` (backdoor persistence) | 3–4 |
+| `known-vulnerability` | Known CVEs via Snyk API or OSV.dev | 4–6 (WARN), 80 (malicious) |
+
+Scores scale with severity — higher counts of obfuscation indicators produce higher scores. The final verdict is based on the highest individual score across all marshallers.
 
-No build step, no transpilation — plain Node.js ≥ 18.
+See [CONTRIBUTING.md](CONTRIBUTING.md) for the marshaller architecture and how to write custom ones.
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "np-audit",
-  "version": "1.5.1",
+  "version": "2.0.0",
   "description": "Static obfuscation detector for npm lifecycle scripts — supply chain attack prevention",
   "bin": {
     "npa": "bin/npa.js",

package/src/cli.js

@@ -17,7 +17,7 @@ function buildMainHelp() {
 
   return `
   npa — npm package auditor ${VERSION}
-  Statically detects obfuscated code in npm install scripts.
+  Static security analysis for npm packages.
 
   Usage:
 ${lines.join('\n')}
@@ -100,14 +100,29 @@ async function main() {
   }
 
   if (flags.help || !command) {
+    output.printLogo(VERSION);
     process.stdout.write(buildMainHelp() + '\n');
     return;
   }
 
   const cmd = commands.get(command);
   if (!cmd) {
-    output.error(`Unknown command: "${command}". Run npa --help for usage.`);
-    process.exit(1);
+    // Forward unknown commands to npm (allows `alias npm='npa'`)
+    const { spawnSync } = require('child_process');
+    const npmCmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+    const result = spawnSync(npmCmd, process.argv.slice(2), {
+      stdio: 'inherit',
+      cwd,
+    });
+    process.exit(result.status || 0);
+    return;
+  }
+
+  // Deprecation notice for old shell hook
+  if (process.env.NPA_RUNNING && !flags.json && !config.silent) {
+    output.warn('Deprecated: The old npa shell hook is no longer needed.');
+    output.log(output.dim('  Run: npa alias --install   to upgrade to the simpler alias.'));
+    output.log('');
   }
 
   // Fire update check only for scan/install/ci commands (non-blocking)

package/src/commands/alias.js

@@ -6,10 +6,10 @@ const os = require('os');
 const output = require('../utils/output');
 
 const BASH_HOOK = `# npa npm hook
-npm() { [[ -n "$NPA_RUNNING" ]] && { command npm "$@"; return; }; case "$1" in scan) npa scan "\${@:2}"; return;; install|i|add) command -v npa >/dev/null && { local pkgs=(); for a in "\${@:2}"; do [[ "$a" != -* ]] && pkgs+=("$a"); done; if [[ \${#pkgs[@]} -gt 0 ]]; then npa scan "\${pkgs[@]}" || { echo "[npa] Blocked. Use 'npa install --review'"; return 1; }; else npa scan || { echo "[npa] Blocked. Use 'npa install --review'"; return 1; }; fi; };; ci) command -v npa >/dev/null && { npa scan || { echo "[npa] Blocked. Use 'npa ci --review'"; return 1; }; };; esac; command npm "$@"; }`;
+alias npm='npa'`;
 
 const POWERSHELL_HOOK = `# npa npm hook
-function npm { if($env:NPA_RUNNING){& npm.cmd @args;return}; if($args[0] -eq 'scan'){& npa scan @($args|Select-Object -Skip 1);return}; if($args[0] -in @('install','i','add')){$pkgs=@($args|Where-Object{$_ -notmatch '^-'}|Select-Object -Skip 1); if($pkgs.Count -gt 0){& npa scan @pkgs; if($LASTEXITCODE -ne 0){Write-Host "[npa] Blocked.";return 1}}else{& npa scan; if($LASTEXITCODE -ne 0){Write-Host "[npa] Blocked.";return 1}}}; if($args[0] -eq 'ci'){& npa scan; if($LASTEXITCODE -ne 0){Write-Host "[npa] Blocked.";return 1}}; & npm.cmd @args }`;
+Set-Alias -Name npm -Value npa`;
 
 module.exports = {
   name: 'alias',
@@ -18,20 +18,21 @@ module.exports = {
 
   help() {
     return `
-  npa alias — Shell hook to auto-scan before npm install/ci
+  npa alias — Shell alias to use npa as an npm drop-in replacement
 
   Usage:
-    npa alias                Print the shell hook
-    npa alias --install      Add hook to shell profile (~/.zshrc or ~/.bashrc)
-    npa alias --uninstall    Remove hook from shell profile
+    npa alias                Print the shell alias
+    npa alias --install      Add alias to shell profile (~/.zshrc or ~/.bashrc)
+    npa alias --uninstall    Remove alias from shell profile
 
-  The hook intercepts npm install/ci/add commands and runs npa scan first.
-  If issues are found, the install is blocked until resolved.
+  With the alias active, all npm commands pass through npa.
+  Install/ci/add commands are scanned before execution.
+  All other commands (run, test, publish, etc.) forward directly to npm.
 
   Examples:
-    npa alias                     Print hook for manual installation
+    npa alias                     Print alias for manual installation
     npa alias --install           Auto-install to detected shell
-    eval "$(npa alias)"           Load hook in current session only
+    eval "$(npa alias)"           Load alias in current session only
 `;
   },
 
@@ -86,7 +87,9 @@ function doUninstall(profilePath) {
     return;
   }
 
-  const cleaned = content.replace(/\n*# npa npm hook\nnpm\(\)[^\n]+\n*/g, '\n');
+  // Remove all known hook formats (old function, new alias)
+  const cleaned = content
+    .replace(/\n*# npa npm hook\n(?:npm\(\) \{[\s\S]*?\n\}|npm\(\)[^\n]+|alias npm='npa'|Set-Alias[^\n]*)\n*/g, '\n');
   fs.writeFileSync(profilePath, cleaned);
   output.success(`Removed npa hook from ${profilePath}`);
   output.log(output.dim('  Run: source ' + profilePath + ' (or restart your terminal)'));
@@ -100,6 +103,22 @@ function doInstall(hook, profilePath) {
   }
 
   const content = fs.existsSync(profilePath) ? fs.readFileSync(profilePath, 'utf8') : '';
+
+  // Migrate from old format (function or multi-line) to new alias
+  const hasOldHook = content.includes('# npa npm hook') && !content.includes("alias npm='npa'");
+  if (hasOldHook) {
+    output.warn('Deprecated: The old npm() shell function hook is no longer needed.');
+    output.log(output.dim('  npa now forwards unknown commands to npm directly.'));
+    output.log(output.dim('  Replacing with: alias npm=\'npa\''));
+    output.log('');
+    const migrated = content
+      .replace(/\n*# npa npm hook\n(?:npm\(\) \{[\s\S]*?\n\}|npm\(\)[^\n]+)\n*/g, '\n\n' + hook + '\n');
+    fs.writeFileSync(profilePath, migrated);
+    output.success(`Migrated npa hook to new format in ${profilePath}`);
+    output.log(output.dim('  Run: source ' + profilePath + ' (or restart your terminal)'));
+    return;
+  }
+
   if (content.includes('# npa npm hook')) {
     output.warn('npa hook already installed in ' + profilePath);
     return;

package/src/commands/ci.js

@@ -30,7 +30,10 @@ module.exports = {
   },
 
   async run({ flags, config, cwd }) {
+    const spinner = !flags.json && !config.silent ? output.createSpinner('Auditing packages...') : null;
+    if (spinner) spinner.start();
     const results = await scan({ cwd, config, noDev: flags.noDev, verbose: flags.verbose });
+    if (spinner) spinner.stop();
     const hasIssues = results.some(r => r.verdict !== 'OK');
     const silent = config.silent && !hasIssues;
 
@@ -45,7 +48,7 @@ module.exports = {
     const blocked = results.filter(r => r.verdict === 'BLOCK');
 
     if (blocked.length > 0 && !flags.review) {
-      output.error(`${blocked.length} package(s) blocked due to obfuscated install scripts.`);
+      output.error(`${blocked.length} package(s) blocked — suspicious or malicious packages detected.`);
       process.exit(1);
     }
 
@@ -62,7 +65,7 @@ module.exports = {
 function printResults(results, silent = false) {
   if (silent) return;
   if (results.length === 0) {
-    output.success('No packages with install scripts found.');
+    output.success('No issues found.');
     return;
   }
   for (const r of results) {

package/src/commands/install.js

@@ -33,6 +33,8 @@ module.exports = {
   async run({ args, flags, config, cwd }) {
     const packages = args.filter(a => !a.startsWith('-'));
 
+    const spinner = !flags.json && !config.silent ? output.createSpinner('Auditing packages...') : null;
+    if (spinner) spinner.start();
     const results = await scan({
       cwd,
       config,
@@ -40,6 +42,7 @@ module.exports = {
       verbose:       flags.verbose,
       packages:      packages.length > 0 ? packages : null,
     });
+    if (spinner) spinner.stop();
 
     const hasIssues = results.some(r => r.verdict !== 'OK');
     const silent = config.silent && !hasIssues;
@@ -55,7 +58,7 @@ module.exports = {
     const blocked = results.filter(r => r.verdict === 'BLOCK');
 
     if (blocked.length > 0 && !flags.review) {
-      output.error(`${blocked.length} package(s) blocked due to obfuscated install scripts.`);
+      output.error(`${blocked.length} package(s) blocked — suspicious or malicious packages detected.`);
       output.log(output.dim('  Run with --review to interactively decide which scripts to allow.'));
       process.exit(1);
     }
@@ -81,7 +84,7 @@ module.exports = {
 function printResults(results, silent = false) {
   if (silent) return;
   if (results.length === 0) {
-    output.success('No packages with install scripts found.');
+    output.success('No issues found.');
     return;
   }
   for (const r of results) {

package/src/commands/scan.js

@@ -10,7 +10,7 @@ module.exports = {
 
   help() {
     return `
-  npa scan — Scan dependencies for obfuscated install scripts
+  npa scan — Scan dependencies for security issues
 
   Usage:
     npa scan [package] [options]
@@ -31,7 +31,10 @@ module.exports = {
 
   async run({ args, flags, config, cwd }) {
     const packages = args.filter(a => !a.startsWith('-'));
+    const spinner = !flags.json && !config.silent ? output.createSpinner('Auditing packages...') : null;
+    if (spinner) spinner.start();
     const results = await scan({ cwd, config, noDev: flags.noDev, verbose: flags.verbose, packages: packages.length > 0 ? packages : null });
+    if (spinner) spinner.stop();
     const hasIssues = results.some(r => r.verdict !== 'OK');
     const silent = config.silent && !hasIssues;
 
@@ -54,7 +57,7 @@ module.exports = {
 function printResults(results, silent = false) {
   if (silent) return;
   if (results.length === 0) {
-    output.success('No packages with install scripts found.');
+    output.success('No issues found.');
     return;
   }
   for (const r of results) {

package/src/core/detector.js

@@ -1,5 +1,7 @@
 'use strict';
 
+const { shannonEntropy } = require('../utils/entropy');
+
 // ─── Constants ───────────────────────────────────────────────────────────────
 
 const MAX_CODE_SIZE = 500000; // 500KB - chunk larger files
@@ -338,19 +340,7 @@ function checkFilesystemManipulation(code) {
   };
 }
 
-// ─── Entropy helper ──────────────────────────────────────────────────────────
-
-function shannonEntropy(str) {
-  if (!str || str.length === 0) return 0;
-  const freq = {};
-  for (const ch of str) freq[ch] = (freq[ch] || 0) + 1;
-  let entropy = 0;
-  for (const count of Object.values(freq)) {
-    const p = count / str.length;
-    entropy -= p * Math.log2(p);
-  }
-  return entropy;
-}
+// ─── Entropy helper (re-exported from utils/entropy.js) ─────────────────────
 
 // ─── Main detection function ─────────────────────────────────────────────────
 

package/src/core/scanner.js

@@ -8,6 +8,7 @@ const { parseTarGz, extractFile, getPackageJson }        = require('../utils/tar
 const { detectObfuscation }            = require('./detector');
 const { walkRequires, MAX_FILES_PER_PACKAGE, MAX_TOTAL_BYTES } = require('./requireWalker');
 const { parseCommand }                 = require('../utils/command');
+const { getPackageMarshallers }        = require('../marshallers');
 const output                           = require('../utils/output');
 
 // Lifecycle scripts that npm executes during install. The original tool only
@@ -73,10 +74,7 @@ async function scan(opts) {
     }
   }
 
-  // Track packages without install scripts (for skipped count)
-  let skippedCount = 0;
-
-  // Apply skip filters
+  // Apply user skip filters (scopes, packages, dev)
   packages = packages.filter(pkg => {
     if (noDev && pkg.dev) return false;
     if (pkg.inBundle || pkg.link) return false;
@@ -86,15 +84,15 @@ async function scan(opts) {
         if (pkg.name.startsWith(scope + '/') || pkg.name === scope) return false;
       }
     }
-    // For explicit packages, always include them but track if they have no scripts
-    if (explicitPackageNames.has(pkg.name)) {
-      if (!pkg.hasInstallScript) {
-        skippedCount++;
-        return false;
-      }
-      return true;
-    }
-    // v2/v3 lockfiles reliably report hasInstallScript — skip definitive negatives
+    return true;
+  });
+
+  // All non-skipped packages are eligible for package-level marshallers (CVE)
+  const allPackages = packages;
+
+  // Filter to only packages with lifecycle scripts for code analysis
+  packages = packages.filter(pkg => {
+    if (explicitPackageNames.has(pkg.name)) return true;
     if (lockfileVersion >= 2 && pkg.hasInstallScript === false) return false;
     return true;
   });
@@ -106,23 +104,48 @@ async function scan(opts) {
     return scanPackage(pkg, cwd, config, verbose);
   });
 
+  // Run package-level marshallers (CVE checks) on ALL packages, not just those with scripts
+  if (config.checkVulnerabilities) {
+    const packageMarshallers = getPackageMarshallers();
+    const cveResults = await mapWithConcurrency(allPackages, config.parallelFetches, async (pkg) => {
+      for (const marshaller of packageMarshallers) {
+        const finding = await marshaller.checkPackage(pkg, config);
+        if (finding) return { pkg, finding };
+      }
+      return null;
+    });
+
+    for (const cveResult of cveResults) {
+      if (!cveResult) continue;
+      const { pkg, finding } = cveResult;
+      const existing = results.find(r => r && r.pkg && r.pkg.name === pkg.name);
+      if (existing) {
+        existing.findings.push(finding);
+        if (finding.score > existing.score) {
+          existing.score = finding.score;
+          existing.verdict = verdictFromScore(finding.score, config);
+        }
+      } else {
+        results.push({
+          pkg,
+          scripts: [],
+          score: finding.score,
+          findings: [finding],
+          verdict: verdictFromScore(finding.score, config),
+        });
+      }
+    }
+  }
+
   const scanned = results.filter(Boolean);
-  // Add packages that returned null from scanPackage (no scripts found during scan)
-  skippedCount += results.filter(r => r === null).length;
-
-  // Optionally scan the *current project's own* lifecycle scripts. This is
-  // off by default to avoid surprising users — `npa` is a drop-in replacement
-  // for `npm install` and most projects' own postinstall scripts are
-  // intentionally local. Set `scanSelf: true` in .npmauditor.json (or pass
-  // --scan-self) to opt in. Useful for CI on third-party PRs.
+
+  // Optionally scan the *current project's own* lifecycle scripts.
   if (config.scanSelf) {
     const selfResult = scanCwdProject(cwd, config);
     if (selfResult) scanned.unshift(selfResult);
-    else skippedCount++;
   }
 
-  // Attach metadata to results array
-  scanned.skippedCount = skippedCount;
+  scanned.totalPackages = allPackages.length;
   return scanned;
 }
 
@@ -647,24 +670,55 @@ async function resolveSinglePackage(packageSpec, config) {
   const packages = [];
   const seen = new Set();
 
-  function collectDeps(deps) {
-    for (const [depName, range] of Object.entries(deps || {})) {
-      if (seen.has(depName)) continue;
-      seen.add(depName);
-      // Extract the first clean semver from the range (e.g. "4.22.1 || ^5" → "4.22.1", "^5.1.0" → "5.1.0")
+  async function collectDeps(deps, recurse) {
+    const queue = Object.entries(deps || {}).filter(([depName]) => !seen.has(depName));
+    // Mark all as seen first to avoid duplicate fetches
+    for (const [depName] of queue) seen.add(depName);
+
+    const resolutions = await mapWithConcurrency(queue, config.parallelFetches, async ([depName, range]) => {
       const exactVersion = extractSemver(range);
-      if (!exactVersion) continue; // skip unresolvable ranges — lockfile scan will cover them
-      packages.push({
-        name:             depName,
-        version:          exactVersion,
-        resolved:         buildTarballUrl(depName, exactVersion, config.registry),
-        integrity:        '',
-        hasInstallScript: false,
-        dev:              false,
-        optional:         false,
-        inBundle:         false,
-        link:             false,
-      });
+      if (!exactVersion) return null;
+
+      let depScripts = false;
+      let depDeps = null;
+      let depTarball = buildTarballUrl(depName, exactVersion, config.registry);
+      let depIntegrity = '';
+
+      try {
+        const encodedDep = depName.startsWith('@') ? `@${encodeURIComponent(depName.slice(1))}` : encodeURIComponent(depName);
+        const depMeta = await fetchJSON(`${config.registry}/${encodedDep}`, { timeout: config.timeout });
+        const depData = depMeta.versions && depMeta.versions[exactVersion];
+        if (depData) {
+          depScripts = !!(depData.scripts &&
+            (depData.scripts.preinstall || depData.scripts.postinstall || depData.scripts.install));
+          depTarball = depData.dist && depData.dist.tarball || depTarball;
+          depIntegrity = depData.dist && depData.dist.integrity || '';
+          depDeps = depData.dependencies;
+        }
+      } catch {
+        // Failed to fetch dep metadata — add with what we have
+      }
+
+      return {
+        pkg: {
+          name:             depName,
+          version:          exactVersion,
+          resolved:         depTarball,
+          integrity:        depIntegrity,
+          hasInstallScript: depScripts,
+          dev:              false,
+          optional:         false,
+          inBundle:         false,
+          link:             false,
+        },
+        depDeps,
+      };
+    });
+
+    for (const r of resolutions) {
+      if (!r) continue;
+      packages.push(r.pkg);
+      if (recurse && r.depDeps) await collectDeps(r.depDeps, true);
     }
   }
 
@@ -682,7 +736,8 @@ async function resolveSinglePackage(packageSpec, config) {
     link: false,
   });
 
-  collectDeps(versionData.dependencies);
+  seen.add(name);
+  await collectDeps(versionData.dependencies, !!config.deepResolve);
 
   return packages;
 }

package/src/marshallers/base.js

@@ -0,0 +1,18 @@
+'use strict';
+
+class Marshaller {
+  constructor(name, title) {
+    this.name = name;
+    this.title = title;
+  }
+
+  check(code) {
+    return null;
+  }
+
+  async checkPackage(pkg, config) {
+    return null;
+  }
+}
+
+module.exports = { Marshaller };

package/src/marshallers/base64Exec.js

@@ -0,0 +1,23 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class Base64ExecMarshaller extends Marshaller {
+  constructor() {
+    super('encoded-decode', 'Encoded decode + execution detection');
+  }
+
+  check(code) {
+    const hasBase64 = /atob\s*\(|Buffer\.from\s*\([^)]*,\s*['"]base64['"]\)/.test(code);
+    const hasHexDecode = /Buffer\.from\s*\([^)]*,\s*['"]hex['"]\)/.test(code);
+    const hasExec   = /\beval\s*\(|new\s+Function\s*\(|\.exec\s*\(|\(\s*0\s*,\s*eval\s*\)\s*\(/.test(code);
+    if (!hasBase64 && !hasHexDecode) return null;
+    const kind = hasBase64 ? 'Base64' : 'Hex';
+    if (!hasExec) {
+      return { name: 'encoded-decode', score: 3, detail: `${kind} decode found — verify usage` };
+    }
+    return { name: 'encoded-decode+exec', score: 8, detail: `${kind} decode with code execution found` };
+  }
+}
+
+module.exports = new Base64ExecMarshaller();

package/src/marshallers/childProcess.js

@@ -0,0 +1,32 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class ChildProcessMarshaller extends Marshaller {
+  constructor() {
+    super('child-process', 'Shell / process execution detection');
+  }
+
+  check(code) {
+    const patterns = [
+      /require\s*\(\s*['"]child_process['"]\s*\)/,
+      /require\s*\(\s*['"]node:child_process['"]\s*\)/,
+      /require\s*\(\s*['"`][^'"`]*['"`](?:\s*\+\s*['"`][^'"`]*['"`])+\s*\)/,
+      /require\s*\(\s*[a-zA-Z_$][\w$]*\s*\[/,
+      /\bexec\s*\(/,
+      /\bspawn\s*\(/,
+      /\bexecSync\s*\(/,
+      /\bspawnSync\s*\(/,
+      /\bexecFile\s*\(/,
+      /\bexecFileSync\s*\(/,
+      /\bfork\s*\(/,
+      /require\s*\(\s*['"]worker_threads['"]\s*\)/,
+      /new\s+Worker\s*\(/,
+    ];
+    const matched = patterns.filter(p => p.test(code));
+    if (matched.length === 0) return null;
+    return { name: this.name, score: 5, detail: `Shell/process execution found (${matched.length} pattern(s))` };
+  }
+}
+
+module.exports = new ChildProcessMarshaller();

package/src/marshallers/cve.js

@@ -0,0 +1,116 @@
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const os   = require('os');
+const { Marshaller } = require('./base');
+
+const SNYK_CONFIG_FILE = '.config/configstore/snyk.json';
+
+class CveMarshaller extends Marshaller {
+  constructor() {
+    super('known-vulnerability', 'Known vulnerability check (Snyk / OSV.dev)');
+  }
+
+  async checkPackage(pkg, config) {
+    if (!pkg.name || !pkg.version) return null;
+
+    try {
+      const token = this.getSnykToken();
+      const timeout = Math.min(config.timeout || 10000, 10000);
+      const result = token
+        ? await this.querySnyk(pkg.name, pkg.version, token, timeout)
+        : await this.queryOsv(pkg.name, pkg.version, timeout);
+
+      if (result.issuesCount === 0) return null;
+
+      if (result.isMalicious) {
+        return {
+          name: this.name,
+          score: 80,
+          detail: `Malicious package detected — ${result.issuesCount} advisory(ies) found`,
+        };
+      }
+
+      // Non-malicious CVEs are informational (WARN, never BLOCK)
+      let score = 4;
+      if (result.issuesCount >= 10) score = 6;
+      else if (result.issuesCount >= 5) score = 5;
+
+      const source = token ? 'Snyk' : 'OSV.dev';
+      return {
+        name: this.name,
+        score,
+        detail: `${result.issuesCount} known vulnerability(ies) via ${source}`,
+      };
+    } catch {
+      return null;
+    }
+  }
+
+  getSnykToken() {
+    const token = process.env.SNYK_API_TOKEN || process.env.SNYK_TOKEN;
+    if (token) return token;
+
+    try {
+      const configPath = path.join(os.homedir(), SNYK_CONFIG_FILE);
+      const cfg = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+      if (cfg && cfg.api) return cfg.api;
+    } catch {
+      // No Snyk config
+    }
+
+    return null;
+  }
+
+  async querySnyk(packageName, packageVersion, token, timeout) {
+    const { fetchJSON } = require('../utils/fetcher');
+    const apiUrl = process.env.SNYK_API_URL || process.env.SNYK_API || 'https://snyk.io/api/v1/vuln/npm';
+    const url = `${apiUrl}/${encodeURIComponent(packageName + '@' + packageVersion)}`;
+
+    const data = await fetchJSON(url, {
+      timeout,
+      headers: { Authorization: `token ${token}` },
+    });
+
+    if (data && data.vulnerabilities) {
+      const isMalicious = data.vulnerabilities.some(v => v.title === 'Malicious Package');
+      return { issuesCount: data.vulnerabilities.length, isMalicious };
+    }
+    return { issuesCount: 0, isMalicious: false };
+  }
+
+  async queryOsv(packageName, packageVersion, timeout) {
+    const { fetchJSON } = require('../utils/fetcher');
+    const url = 'https://api.osv.dev/v1/query';
+
+    const body = JSON.stringify({
+      version: packageVersion,
+      package: { name: packageName, ecosystem: 'npm' },
+    });
+
+    const data = await fetchJSON(url, {
+      timeout,
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+    });
+
+    if (data && data.vulns && data.vulns.length > 0) {
+      const isMalicious = data.vulns.some(vuln => {
+        const ds = vuln.database_specific;
+        if (ds && ds['malicious-packages-origins'] && Array.isArray(ds['malicious-packages-origins'])) {
+          return true;
+        }
+        if (typeof vuln.summary === 'string' && vuln.summary.toLowerCase().startsWith('malicious')) {
+          return true;
+        }
+        return false;
+      });
+      return { issuesCount: data.vulns.length, isMalicious };
+    }
+    return { issuesCount: 0, isMalicious: false };
+  }
+}
+
+module.exports = new CveMarshaller();

package/src/marshallers/eval.js

@@ -0,0 +1,30 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class EvalMarshaller extends Marshaller {
+  constructor() {
+    super('eval/dynamic-exec', 'Eval / dynamic code execution');
+  }
+
+  check(code) {
+    const patterns = [
+      /\beval\s*\(/,
+      /new\s+Function\s*\(/,
+      /vm\.runInThisContext\s*\(/,
+      /vm\.runInNewContext\s*\(/,
+      /vm\.Script\s*\(/,
+      /\(\s*0\s*,\s*eval\s*\)\s*\(/,
+      /(?:global|globalThis|window|self|this)\s*\[\s*['"`](?:eval|Function)['"`]\s*\]\s*\(/,
+      /(?:global|globalThis|window|self|this)\s*\[\s*['"`][^'"`]*['"`](?:\s*\+\s*['"`][^'"`]*['"`]){1,}\s*\]\s*\(/,
+      /\.constructor\s*\.\s*constructor\s*\(/,
+      /\b(?:setTimeout|setInterval)\s*\(\s*['"`]/,
+      /require\s*\(\s*['"]vm['"]\s*\)/,
+    ];
+    const matched = patterns.filter(p => p.test(code));
+    if (matched.length === 0) return null;
+    return { name: this.name, score: 8, detail: `eval-like call found (${matched.length} pattern(s))` };
+  }
+}
+
+module.exports = new EvalMarshaller();

package/src/marshallers/filesystemManipulation.js

@@ -0,0 +1,47 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class FilesystemManipulationMarshaller extends Marshaller {
+  constructor() {
+    super('filesystem-manipulation', 'Filesystem manipulation detection');
+  }
+
+  check(code) {
+    const writePatterns = [
+      /fs\.write(?:File)?(?:Sync)?\s*\(/,
+      /fs\.append(?:File)?(?:Sync)?\s*\(/,
+      /fs\.create(?:WriteStream)?\s*\(/,
+      /\.pipe\s*\(/,
+    ];
+    const permissionPatterns = [
+      /fs\.chmod(?:Sync)?\s*\(/,
+      /fs\.chown(?:Sync)?\s*\(/,
+      /fs\.access(?:Sync)?\s*\(/,
+    ];
+    const linkPatterns = [
+      /fs\.symlink(?:Sync)?\s*\(/,
+      /fs\.link(?:Sync)?\s*\(/,
+    ];
+
+    const writeMatches = writePatterns.filter(p => p.test(code)).length;
+    const permMatches = permissionPatterns.filter(p => p.test(code)).length;
+    const linkMatches = linkPatterns.filter(p => p.test(code)).length;
+
+    if (writeMatches === 0 && permMatches === 0 && linkMatches === 0) return null;
+
+    const details = [];
+    if (writeMatches > 0) details.push(`${writeMatches} write operation(s)`);
+    if (permMatches > 0) details.push(`${permMatches} permission change(s)`);
+    if (linkMatches > 0) details.push(`${linkMatches} symlink operation(s)`);
+
+    let score = 3;
+    if ((writeMatches > 0 ? 1 : 0) + (permMatches > 0 ? 1 : 0) + (linkMatches > 0 ? 1 : 0) >= 2) {
+      score = 4;
+    }
+
+    return { name: this.name, score, detail: details.join(', ') };
+  }
+}
+
+module.exports = new FilesystemManipulationMarshaller();

package/src/marshallers/fromCharCode.js

@@ -0,0 +1,40 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class FromCharCodeMarshaller extends Marshaller {
+  constructor() {
+    super('fromCharCode', 'String.fromCharCode obfuscation detection');
+  }
+
+  check(code) {
+    let maxArgs = 0;
+    const direct = /(?:String|[\w$]+)\.fromCharCode\s*\(([^)]+)\)/g;
+    let match;
+    while ((match = direct.exec(code)) !== null) {
+      const args = match[1].split(',').filter(a => /^\s*\d+\s*$/.test(a));
+      if (args.length > maxArgs) maxArgs = args.length;
+    }
+
+    const arrRe = /\[\s*((?:\d{1,3}\s*,\s*){7,}\d{1,3})\s*\]/g;
+    let arrMatch;
+    let maxArr = 0;
+    while ((arrMatch = arrRe.exec(code)) !== null) {
+      const nums = arrMatch[1].split(',')
+        .map(s => parseInt(s.trim(), 10))
+        .filter(n => !Number.isNaN(n));
+      const printable = nums.filter(n => n >= 32 && n <= 126).length;
+      if (printable / nums.length >= 0.9 && nums.length > maxArr) maxArr = nums.length;
+    }
+
+    if (maxArgs >= 5) {
+      return { name: this.name, score: 7, detail: `fromCharCode with ${maxArgs} numeric args` };
+    }
+    if (maxArr >= 16) {
+      return { name: this.name, score: 7, detail: `decimal char-code array of length ${maxArr}` };
+    }
+    return null;
+  }
+}
+
+module.exports = new FromCharCodeMarshaller();

package/src/marshallers/hexArray.js

@@ -0,0 +1,21 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class HexArrayMarshaller extends Marshaller {
+  constructor() {
+    super('hex-array', 'Hex literal array detection');
+  }
+
+  check(code) {
+    const hexLiterals = (code.match(/\b0x[0-9a-fA-F]+\b/g) || []).length;
+    if (hexLiterals < 20) return null;
+    let score = 7;
+    if (hexLiterals > 2000) score = 60;
+    else if (hexLiterals > 500) score = 40;
+    else if (hexLiterals > 100) score = 20;
+    return { name: this.name, score, detail: `${hexLiterals} hex literal values found` };
+  }
+}
+
+module.exports = new HexArrayMarshaller();

package/src/marshallers/hexEscapes.js

@@ -0,0 +1,27 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class HexEscapesMarshaller extends Marshaller {
+  constructor() {
+    super('hex-escape-density', 'Dense hex/unicode escape detection');
+  }
+
+  check(code) {
+    const hexMatches     = (code.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
+    const unicodeMatches = (code.match(/\\u[0-9a-fA-F]{4}/g) || []).length
+                         + (code.match(/\\u\{[0-9a-fA-F]+\}/g) || []).length;
+    const total = hexMatches + unicodeMatches;
+    if (total < 10) return null;
+    let score = 5;
+    if (total > 1000) score = 50;
+    else if (total > 200) score = 30;
+    else if (total > 50) score = 15;
+    const detail = unicodeMatches > 0
+      ? `${hexMatches} \\xNN + ${unicodeMatches} \\uXXXX escapes found`
+      : `${hexMatches} \\xNN hex escapes found`;
+    return { name: this.name, score, detail };
+  }
+}
+
+module.exports = new HexEscapesMarshaller();

package/src/marshallers/highEntropy.js

@@ -0,0 +1,70 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+const { shannonEntropy } = require('../utils/entropy');
+
+class HighEntropyMarshaller extends Marshaller {
+  constructor() {
+    super('high-entropy-string', 'High-entropy string detection');
+  }
+
+  check(code) {
+    let maxEntropy = 0;
+    let worst = '';
+    const minLen = 50;
+
+    for (const quote of ['"', "'", '`']) {
+      let pos = 0;
+      while (pos < code.length) {
+        const start = code.indexOf(quote, pos);
+        if (start === -1) break;
+
+        let end = start + 1;
+        while (end < code.length) {
+          if (code[end] === '\\') { end += 2; continue; }
+          if (code[end] === quote) break;
+          end++;
+        }
+
+        if (end < code.length && end - start - 1 >= minLen) {
+          const s = code.slice(start + 1, end);
+          const e = shannonEntropy(s);
+          if (e > maxEntropy) { maxEntropy = e; worst = s.slice(0, 40); }
+        }
+        pos = end + 1;
+      }
+    }
+
+    if (maxEntropy >= 4.5) {
+      return {
+        name: this.name,
+        score: 6,
+        detail: `Entropy ${maxEntropy.toFixed(2)} in string "${worst}…"`,
+      };
+    }
+
+    const concatChainRe = /(?:['"`][^'"`\n]{0,40}['"`]\s*\+\s*){5,}['"`][^'"`\n]{0,40}['"`]/g;
+    let m;
+    let bestChain = '';
+    while ((m = concatChainRe.exec(code)) !== null) {
+      const literals = m[0].match(/['"`]([^'"`\n]{0,40})['"`]/g) || [];
+      const joined = literals.map(l => l.slice(1, -1)).join('');
+      if (joined.length >= 40) {
+        const e = shannonEntropy(joined);
+        if (e > maxEntropy) { maxEntropy = e; bestChain = joined.slice(0, 40); }
+      }
+    }
+
+    if (maxEntropy >= 4.5) {
+      return {
+        name: this.name,
+        score: 6,
+        detail: `Entropy ${maxEntropy.toFixed(2)} in concatenated literals "${bestChain}…"`,
+      };
+    }
+
+    return null;
+  }
+}
+
+module.exports = new HighEntropyMarshaller();

package/src/marshallers/index.js

@@ -0,0 +1,25 @@
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+
+const MARSHALLERS_DIR = __dirname;
+const EXCLUDE = new Set(['index.js', 'base.js', 'cve.js']);
+
+let _staticMarshallers = null;
+
+function getStaticMarshallers() {
+  if (_staticMarshallers) return _staticMarshallers;
+
+  _staticMarshallers = fs.readdirSync(MARSHALLERS_DIR)
+    .filter(f => f.endsWith('.js') && !EXCLUDE.has(f))
+    .map(f => require(path.join(MARSHALLERS_DIR, f)));
+
+  return _staticMarshallers;
+}
+
+function getPackageMarshallers() {
+  return [require('./cve')];
+}
+
+module.exports = { getStaticMarshallers, getPackageMarshallers };

package/src/marshallers/networkCalls.js

@@ -0,0 +1,30 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class NetworkCallsMarshaller extends Marshaller {
+  constructor() {
+    super('network-call', 'Suspicious network call detection');
+  }
+
+  check(code) {
+    const patterns = [
+      /require\s*\(\s*['"]https?['"]\s*\)/,
+      /require\s*\(\s*['"]net['"]\s*\)/,
+      /require\s*\(\s*['"]dns['"]\s*\)/,
+      /require\s*\(\s*['"]tls['"]\s*\)/,
+      /require\s*\(\s*['"]dgram['"]\s*\)/,
+      /require\s*\(\s*['"]http2['"]\s*\)/,
+      /\bfetch\s*\(/,
+      /XMLHttpRequest/,
+      /\.request\s*\(/,
+      /require\s*\(\s*['"]node:(?:https?|net|dns|tls|dgram|http2)['"]\s*\)/,
+      /import\s*\(\s*['"](?:node:)?(?:https?|net|dns|tls|dgram|http2)['"]\s*\)/,
+    ];
+    const matched = patterns.filter(p => p.test(code));
+    if (matched.length === 0) return null;
+    return { name: this.name, score: 4, detail: `Network call found (${matched.length} pattern(s))` };
+  }
+}
+
+module.exports = new NetworkCallsMarshaller();

package/src/marshallers/obfuscatorIo.js

@@ -0,0 +1,22 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class ObfuscatorIoMarshaller extends Marshaller {
+  constructor() {
+    super('obfuscator.io', 'Obfuscator.io signature detection');
+  }
+
+  check(code) {
+    const matches = code.match(/_0x[0-9a-fA-F]+/g) || [];
+    if (matches.length < 3) return null;
+    let score = 9;
+    if (matches.length > 1000) score = 80;
+    else if (matches.length > 200) score = 50;
+    else if (matches.length > 50) score = 30;
+    else if (matches.length > 10) score = 15;
+    return { name: this.name, score, detail: `${matches.length} _0x identifiers found` };
+  }
+}
+
+module.exports = new ObfuscatorIoMarshaller();

package/src/marshallers/processEnv.js

@@ -0,0 +1,17 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class ProcessEnvMarshaller extends Marshaller {
+  constructor() {
+    super('process-env', 'Process environment access detection');
+  }
+
+  check(code) {
+    const matches = (code.match(/process\.env\b/g) || []).length;
+    if (matches === 0) return null;
+    return { name: this.name, score: 3, detail: `${matches} process.env access(es)` };
+  }
+}
+
+module.exports = new ProcessEnvMarshaller();

package/src/utils/config.js

@@ -17,6 +17,8 @@ const DEFAULT_CONFIG = Object.freeze({
   silent:          false,
   scanSelf:        true,
   maxTarballSize:  '50MB', // Max unpacked tarball size (e.g. '5MB', '1GB', or bytes as number)
+  checkVulnerabilities: true,
+  deepResolve: false,
 });
 
 const VALID_KEYS = new Set(Object.keys(DEFAULT_CONFIG));

package/src/utils/entropy.js

@@ -0,0 +1,15 @@
+'use strict';
+
+function shannonEntropy(str) {
+  if (!str || str.length === 0) return 0;
+  const freq = {};
+  for (const ch of str) freq[ch] = (freq[ch] || 0) + 1;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / str.length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+module.exports = { shannonEntropy };

package/src/utils/fetcher.js

@@ -9,10 +9,10 @@ const MAX_REDIRECTS = 5;
 const DEFAULT_TIMEOUT = 30000;
 
 /**
- * Perform an HTTP/HTTPS GET and collect the response body as a Buffer.
+ * Perform an HTTP/HTTPS request and collect the response body as a Buffer.
  * Follows redirects up to MAX_REDIRECTS.
  * @param {string} rawUrl
- * @param {object} opts  { timeout?, headers? }
+ * @param {object} opts  { timeout?, headers?, method?, body? }
  * @returns {Promise<Buffer>}
  */
 function fetch(rawUrl, opts = {}) {
@@ -28,7 +28,7 @@ function fetch(rawUrl, opts = {}) {
         hostname: parsed.hostname,
         port:     parsed.port || (isHttps ? 443 : 80),
         path:     parsed.pathname + parsed.search,
-        method:   'GET',
+        method:   opts.method || 'GET',
         headers:  Object.assign({
           'User-Agent': 'npa/1.0.0 (npm-auditor)',
           'Accept':     '*/*',
@@ -61,6 +61,7 @@ function fetch(rawUrl, opts = {}) {
       });
 
       req.on('error', reject);
+      if (opts.body) req.write(opts.body);
       req.end();
     }
 
@@ -87,7 +88,7 @@ function fetchTarball(tarballUrl, opts = {}) {
 async function fetchJSON(jsonUrl, opts = {}) {
   const buf = await fetch(jsonUrl, {
     ...opts,
-    headers: { 'Accept': 'application/json' },
+    headers: { 'Accept': 'application/json', ...opts.headers },
   });
   return JSON.parse(buf.toString('utf8'));
 }

package/src/utils/output.js

@@ -29,10 +29,12 @@ function cyan(text) { return c(CYAN, text); }
 function white(text) { return c(WHITE, text); }
 
 function error(msg) {
+  if (process.stderr.isTTY) process.stderr.write('\r\x1b[2K');
   process.stderr.write(red(`✖ ${msg}`) + '\n');
 }
 
 function warn(msg) {
+  if (process.stderr.isTTY) process.stderr.write('\r\x1b[2K');
   process.stderr.write(yellow(`⚠ ${msg}`) + '\n');
 }
 
@@ -67,12 +69,17 @@ const ASCII_LOGO = `
 
 function printScanHeader(silent = false) {
   if (silent) return;
-  log(blue(ASCII_LOGO));
-  log(dim('  npm package auditor — static obfuscation detection'));
+  log('');
   log(dim('─'.repeat(60)));
   log('');
 }
 
+function printLogo(version) {
+  log(blue(ASCII_LOGO));
+  log(dim(`  npm package auditor v${version}`));
+  log('');
+}
+
 function printPackageResult(pkg, result) {
   const badge = verdictBadge(result.verdict);
   const name = bold(`${pkg.name}@${pkg.version}`);
@@ -86,22 +93,45 @@ function printPackageResult(pkg, result) {
 function printSummary(results) {
   const blocked = results.filter(r => r.verdict === 'BLOCK').length;
   const warned  = results.filter(r => r.verdict === 'WARN').length;
-  const ok      = results.filter(r => r.verdict === 'OK').length;
-  const skipped = results.skippedCount || 0;
+  const total   = results.totalPackages || results.length;
+  const ok      = total - blocked - warned;
 
   log('');
   log(dim('─'.repeat(60)));
-  let summary = `  ${green(String(ok))} clean   ${yellow(String(warned))} warnings   ${red(String(blocked))} blocked`;
-  if (skipped > 0) {
-    summary += `   ${dim(String(skipped) + ' skipped (no install scripts)')}`;
-  }
-  log(summary);
+  log(`  ${green(String(ok))} clean   ${yellow(String(warned))} warnings   ${red(String(blocked))} blocked`);
   log('');
 }
 
+const SPINNER_FRAMES = ['▉', '▊', '▋', '▌', '▍', '▎', '▏', '▎', '▍', '▌', '▋', '▊', '▉'];
+
+function createSpinner(message) {
+  if (NO_COLOR || !process.stderr.isTTY) {
+    return { start() {}, stop() {} };
+  }
+  let i = 0;
+  let timer = null;
+  const clear = () => process.stderr.write('\r\x1b[2K');
+  return {
+    start() {
+      process.stderr.write(`\x1b[?25l`);
+      process.stderr.write(`  ${cyan(SPINNER_FRAMES[0])} ${white(message)}`);
+      timer = setInterval(() => {
+        i = (i + 1) % SPINNER_FRAMES.length;
+        process.stderr.write(`\r\x1b[2K  ${cyan(SPINNER_FRAMES[i])} ${white(message)}`);
+      }, 60);
+    },
+    stop() {
+      if (timer) clearInterval(timer);
+      clear();
+      process.stderr.write(`\x1b[?25h`);
+    },
+  };
+}
+
 module.exports = {
   bold, dim, red, green, yellow, blue, cyan, white,
   error, warn, info, success, log,
   verdictBadge, printScanHeader, printPackageResult, printSummary,
+  printLogo, createSpinner,
   RESET, BOLD, DIM, RED, GREEN, YELLOW, BLUE, CYAN,
 };