npm-scan-plus 1.0.0

package/src/lib/patterns.ts

@@ -0,0 +1,404 @@
+/**
+ * Detection patterns for malicious code, obfuscation, and suspicious behavior
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import type { FileThreat, ThreatType } from '../types';
+
+// Patterns that indicate obfuscated code
+const OBFUSCATION_PATTERNS = [
+  {
+    pattern: /eval\s*\(\s*(?:atob|fromCharCode|String\.fromCharCode)/gi,
+    type: 'obfuscation' as ThreatType,
+    severity: 'high' as const,
+    message: 'eval() with character code decoding - common obfuscation technique'
+  },
+  {
+    pattern: /eval\s*\(\s*["'`]([A-Za-z0-9+\/=]{100,})["'`]*/gi,
+    type: 'obfuscation' as ThreatType,
+    severity: 'high' as const,
+    message: 'eval() with base64-encoded string'
+  },
+  {
+    pattern: /new\s+Function\s*\(\s*(?:atob|fromCharCode)/gi,
+    type: 'obfuscation' as ThreatType,
+    severity: 'high' as const,
+    message: 'Dynamic Function with character code decoding'
+  },
+  {
+    pattern: /\\x([0-9a-fA-F]{2})/g,
+    type: 'obfuscation' as ThreatType,
+    severity: 'medium' as const,
+    message: 'Hex-encoded characters in code'
+  },
+  {
+    pattern: /\\u([0-9a-fA-F]{4})/g,
+    type: 'obfuscation' as ThreatType,
+    severity: 'medium' as const,
+    message: 'Unicode-escaped characters in code'
+  },
+  {
+    pattern: /(?:atob|btoa)\s*\([^)]*\)/g,
+    type: 'obfuscation' as ThreatType,
+    severity: 'medium' as const,
+    message: 'Base64 encoding/decoding functions detected'
+  },
+  {
+    pattern: /String\.fromCharCode\((?:\s*\d+\s*,?)+\)/g,
+    type: 'obfuscation' as ThreatType,
+    severity: 'medium' as const,
+    message: 'String.fromCharCode() to hide code'
+  },
+  {
+    pattern: /\$_\s*=\s*["'`]/g,
+    type: 'obfuscation' as ThreatType,
+    severity: 'low' as const,
+    message: 'Unusual variable naming pattern'
+  }
+];
+
+// Patterns that indicate malicious/malware behavior
+const SUSPICIOUS_PATTERNS = [
+  {
+    pattern: /(?:process\.env|process)\s*\.\s*(?:env|argv)\s*\[.*?(?:KEY|SECRET|TOKEN|PASS|Auth|Credential)/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'critical' as const,
+    message: 'Accessing environment variables with sensitive keywords'
+  },
+  {
+    pattern: /fetch\s*\(\s*["'](?:https?:)?\/\/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'high' as const,
+    message: 'Network request to IP address (bypasses DNS)'
+  },
+  {
+    pattern: /https?:\/\/(?:pastebin|hastebin|ipfs\.io|cloudflare|workers\.dev)\.\w+/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'high' as const,
+    message: 'Network request to external code hosting service'
+  },
+  {
+    pattern: /child_process\s*\.\s*(?:exec|spawn|sync)\s*\(\s*["'`]/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'high' as const,
+    message: 'Executing shell commands from package code'
+  },
+  {
+    pattern: /net\.connect\(|require\s*\(\s*["'](?:net|http|tls|crypto)["']\s*\)/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'medium' as const,
+    message: 'Network or crypto module required'
+  },
+  {
+    pattern: /require\s*\(\s*["'](?:child_process|exec|spawn)["']\s*\)/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'high' as const,
+    message: 'child_process module required - potential command execution'
+  },
+  {
+    pattern: /setTimeout\s*\(\s*["'`]/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'low' as const,
+    message: 'Delayed code execution'
+  },
+  {
+    pattern: /setInterval\s*\(\s*["'`]/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'low' as const,
+    message: 'Repeating scheduled code execution'
+  },
+  {
+    pattern: /\.exec\s*\(|child_process\.\s*exec/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'high' as const,
+    message: 'Shell command execution'
+  },
+  {
+    pattern: /fs\s*\.\s*(?:readFile|writeFile|appendFile|readFileSync|writeFileSync)\s*\(\s*(?:__dirname|process\.cwd\(\))/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'medium' as const,
+    message: 'File system access in package root'
+  },
+  {
+    pattern: /(?:readdirSync|readdir|readFileSync|readlinkSync)\s*\(\s*(?:\.|process\.cwd)/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'medium' as const,
+    message: 'Scanning directories outside package'
+  },
+  {
+    pattern: /eval\s*\(\s*process\.env/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'critical' as const,
+    message: 'Evaluating environment variables'
+  },
+  {
+    pattern: /require\s*\(\s*["'](?:https?|http)["']\s*\)/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'medium' as const,
+    message: 'HTTP/HTTPS module required'
+  },
+  {
+    pattern: /crypto\s*\.\s*createHash\s*\(\s*["'](?:sha|md5)["']\s*\)/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'low' as const,
+    message: 'Cryptographic hashing'
+  },
+  {
+    // Crypto mining patterns
+    pattern: /(?:stratum\+tcp|stratum\.bitcoin|cgminer|antminer|cryptonight)/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'critical' as const,
+    message: 'Crypto mining pool connection detected'
+  },
+  {
+    // Keylogging patterns
+    pattern: /(?:addEventListener\s*\(\s*["'](?:keydown|keypress|keyup)|onkey)/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'high' as const,
+    message: 'Keyboard event listener - potential keylogger'
+  },
+  {
+    pattern: /(?:key|code)\s*:\s*(?:\d{1,3}\s*,?\s*){3,}/gi,
+    type: 'suspicious_code' as ThreatType,
+    severity: 'high' as const,
+    message: 'Potential keyboard scanning code'
+  }
+];
+
+// Suspicious lifecycle scripts in package.json
+const SUSPICIOUS_SCRIPTS = [
+  {
+    script: 'postinstall',
+    severity: 'high' as const,
+    message: 'postinstall script executes automatically after install'
+  },
+  {
+    script: 'preinstall',
+    severity: 'medium' as const,
+    message: 'preinstall script runs before package installs'
+  },
+  {
+    script: 'postpublish',
+    severity: 'medium' as const,
+    message: 'postpublish script runs after package is published'
+  },
+  {
+    script: 'preuninstall',
+    severity: 'low' as const,
+    message: 'preuninstall script runs before uninstall'
+  },
+  {
+    script: 'postuninstall',
+    severity: 'medium' as const,
+    message: 'postuninstall script runs after uninstall'
+  },
+  {
+    script: 'preversion',
+    severity: 'low' as const,
+    message: 'preversion script runs before version bump'
+  },
+  {
+    script: 'postversion',
+    severity: 'low' as const,
+    message: 'postversion script runs after version bump'
+  },
+  {
+    script: 'prepack',
+    severity: 'low' as const,
+    message: 'prepack script runs before packing'
+  },
+  {
+    script: 'postpack',
+    severity: 'low' as const,
+    message: 'postpack script runs after packing'
+  },
+  {
+    script: 'prepare',
+    severity: 'low' as const,
+    message: 'prepare script runs on install and publish'
+  }
+];
+
+// Sensitive files that should not be in packages
+const SENSITIVE_FILES = [
+  /\.env$/,
+  /\.env\.[a-z]+$/,
+  /\.git\/config$/,
+  /\.aws\/credentials$/,
+  /\.ssh\/id_.*$/,
+  /credentials\.json$/,
+  /\.npmrc$/,
+  /\.htpasswd$/,
+  /secrets\.ya?ml$/,
+  /\.pem$/,
+  /\.key$/,
+  /\.p12$/,
+  /\.pfx$/,
+  /id_rsa/,
+  /id_dsa/,
+  /\.bash_history$/,
+  /\.zsh_history$/,
+  /\.history$/,
+  /_history$/,
+  /\.sql$/,
+  /\.db$/
+];
+
+// File extensions that might contain executable code
+const CODE_EXTENSIONS = [
+  '.js', '.mjs', '.cjs', '.ts', '.tsx', '.jsx',
+  '.py', '.rb', '.php', '.pl', '.sh', '.bash',
+  '.exe', '.dll', '.so', '.dylib', '.bin',
+  '.wasm', '.class', '.jar'
+];
+
+export interface PatternMatch {
+  pattern: RegExp;
+  type: ThreatType;
+  severity: 'low' | 'medium' | 'high' | 'critical';
+  message: string;
+}
+
+/**
+ * Scan a single file for suspicious patterns
+ */
+export function scanFile(filePath: string, content: string): FileThreat[] {
+  const threats: FileThreat[] = [];
+  const fileName = path.basename(filePath);
+  const ext = path.extname(filePath).toLowerCase();
+
+  // Skip node_modules packages themselves
+  if (filePath.includes('node_modules/')) {
+    return [];
+  }
+
+  // Check for obfuscation patterns
+  for (const { pattern, type, severity, message } of OBFUSCATION_PATTERNS) {
+    const matches = content.match(pattern);
+    if (matches) {
+      threats.push({
+        package: 'scanning',
+        file: fileName,
+        type,
+        severity,
+        message,
+        code: matches[0].substring(0, 100)
+      });
+    }
+  }
+
+  // Check for suspicious patterns (only in code files)
+  if (CODE_EXTENSIONS.includes(ext)) {
+    for (const { pattern, type, severity, message } of SUSPICIOUS_PATTERNS) {
+      const matches = content.match(pattern);
+      if (matches) {
+        threats.push({
+          package: 'scanning',
+          file: fileName,
+          type,
+          severity,
+          message,
+          code: matches[0].substring(0, 100)
+        });
+      }
+    }
+  }
+
+  // Check for sensitive files
+  for (const pattern of SENSITIVE_FILES) {
+    if (pattern.test(fileName)) {
+      threats.push({
+        package: 'scanning',
+        file: fileName,
+        type: 'suspicious_code',
+        severity: 'high',
+        message: `Sensitive file detected in package: ${fileName}`
+      });
+    }
+  }
+
+  return threats;
+}
+
+/**
+ * Check package.json scripts for suspicious behavior
+ */
+export function scanPackageJsonScripts(scripts: Record<string, string>): FileThreat[] {
+  const threats: FileThreat[] = [];
+
+  if (!scripts) return threats;
+
+  for (const [scriptName, scriptContent] of Object.entries(scripts)) {
+    const scriptDef = SUSPICIOUS_SCRIPTS.find(s => s.script === scriptName);
+
+    if (scriptDef) {
+      // Check if script content is suspicious
+      const isSuspicious = /curl|wget|npm|node|yarn|python|perl|bash|sh|\||&&|\$\(|;/.test(scriptContent) ||
+        scriptContent.length > 200;
+
+      threats.push({
+        package: 'scanning',
+        file: 'package.json',
+        type: isSuspicious ? 'suspicious_script' : 'supply_chain',
+        severity: isSuspicious ? scriptDef.severity : 'low',
+        message: `${scriptDef.message}: "${scriptName}"`,
+        code: scriptContent.substring(0, 100)
+      });
+    }
+  }
+
+  return threats;
+}
+
+/**
+ * Scan directory for all files
+ */
+export function scanDirectory(dirPath: string, extensions?: string[]): Map<string, string> {
+  const files = new Map<string, string>();
+  const codeExtensions = extensions || CODE_EXTENSIONS;
+
+  function walkDir(dir: string, basePath: string = '') {
+    try {
+      const entries = fs.readdirSync(dir, { withFileTypes: true });
+
+      for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+        const relativePath = path.join(basePath, entry.name);
+
+        if (entry.isDirectory()) {
+          // Skip certain directories
+          if (['node_modules', '.git', 'test', '__tests__', 'coverage'].includes(entry.name)) {
+            continue;
+          }
+          walkDir(fullPath, relativePath);
+        } else if (entry.isFile()) {
+          const ext = path.extname(entry.name).toLowerCase();
+          if (codeExtensions.includes(ext)) {
+            try {
+              const content = fs.readFileSync(fullPath, 'utf-8');
+              if (content.length < 1_000_000) { // Skip files > 1MB
+                files.set(relativePath, content);
+              }
+            } catch (e) {
+              // Skip binary or unreadable files
+            }
+          }
+        }
+      }
+    } catch (e) {
+      // Skip inaccessible directories
+    }
+  }
+
+  walkDir(dirPath);
+  return files;
+}
+
+export {
+  OBFUSCATION_PATTERNS,
+  SUSPICIOUS_PATTERNS,
+  SUSPICIOUS_SCRIPTS,
+  SENSITIVE_FILES,
+  CODE_EXTENSIONS
+};

package/src/lib/registry.ts

@@ -0,0 +1,146 @@
+/**
+ * npm registry API client
+ * Fetches package metadata and tarballs from npm registry using native fetch
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import * as tar from 'tar';
+import * as crypto from 'crypto';
+
+const DEFAULT_REGISTRY = 'https://registry.npmjs.org';
+
+export class RegistryClient {
+  private registry: string;
+  private cache: any = new Map();
+
+  constructor(options?: { registry?: string }) {
+    this.registry = options?.registry || DEFAULT_REGISTRY;
+  }
+
+  /**
+   * Fetch package metadata from npm registry
+   */
+  async getPackageMetadata(packageName: string, version?: string): Promise<any> {
+    const cacheKey = `${packageName}@${version || 'latest'}`;
+
+    if (this.cache.has(cacheKey)) {
+      return this.cache.get(cacheKey);
+    }
+
+    const url = `${this.registry}/${packageName}${version ? `/${version}` : ''}`;
+
+    try {
+      const response = await fetch(url);
+
+      if (!response.ok) {
+        if (response.status === 404) {
+          throw new Error(`Package not found: ${packageName}`);
+        }
+        throw new Error(`Failed to fetch ${packageName}: ${response.statusText}`);
+      }
+
+      const data = await response.json();
+      this.cache.set(cacheKey, data);
+      return data;
+    } catch (error: any) {
+      throw new Error(`Failed to fetch ${packageName}: ${error.message}`);
+    }
+  }
+
+  /**
+   * Download and extract package tarball to temp directory
+   */
+  async downloadPackage(packageName: string, version?: string): Promise<{
+    tempDir: string;
+    files: string[];
+    integrity: string;
+  }> {
+    const metadata = await this.getPackageMetadata(packageName, version);
+    const dist = metadata.dist || {};
+
+    if (!dist.tarball) {
+      throw new Error(`No tarball found for ${packageName}`);
+    }
+
+    const tempDir = path.join(os.tmpdir(), `npm-scan-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`);
+    fs.mkdirSync(tempDir, { recursive: true });
+
+    const tarballPath = path.join(tempDir, 'package.tgz');
+
+    // Download tarball
+    const response = await fetch(dist.tarball);
+    const arrayBuffer = await response.arrayBuffer();
+    const buffer = Buffer.from(arrayBuffer);
+    fs.writeFileSync(tarballPath, buffer);
+
+    // Calculate integrity hash (sha512)
+    const integrity = 'sha512-' + crypto.createHash('sha512').update(buffer).digest('base64');
+
+    // Extract tarball
+    const extractDir = path.join(tempDir, 'package');
+    fs.mkdirSync(extractDir, { recursive: true });
+
+    await tar.extract({
+      file: tarballPath,
+      cwd: extractDir
+    });
+
+    // Get list of extracted files
+    const files = this.getAllFiles(extractDir);
+
+    return { tempDir, files, integrity };
+  }
+
+  /**
+   * Recursively get all files in directory
+   */
+  private getAllFiles(dir: string, baseDir?: string): string[] {
+    const files: string[] = [];
+    const base = baseDir || dir;
+
+    try {
+      const entries = fs.readdirSync(dir, { withFileTypes: true });
+
+      for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+        const relativePath = path.relative(base, fullPath);
+
+        if (entry.isDirectory()) {
+          files.push(...this.getAllFiles(fullPath, base));
+        } else if (entry.isFile()) {
+          files.push(relativePath);
+        }
+      }
+    } catch (e) {
+      // Skip inaccessible
+    }
+
+    return files;
+  }
+
+  /**
+   * Clean up temp directory
+   */
+  cleanup(tempDir: string): void {
+    try {
+      fs.rmSync(tempDir, { recursive: true, force: true });
+    } catch (e) {
+      // Ignore cleanup errors
+    }
+  }
+
+  /**
+   * Get all available versions of a package
+   */
+  async getVersions(packageName: string): Promise<string[]> {
+    const response = await fetch(`${this.registry}/${packageName}`);
+    const data: any = await response.json();
+    return Object.keys(data.versions || {}).sort();
+  }
+}
+
+export function createRegistryClient(options?: any): RegistryClient {
+  return new RegistryClient({ registry: options?.registry });
+}