pinata-security-cli 0.5.3 → 0.6.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pinata-security-cli",
-  "version": "0.5.3",
+  "version": "0.6.1",
   "description": "AI-powered test coverage analysis and generation tool. Find security blind spots before attackers do.",
   "type": "module",
   "main": "dist/index.js",
@@ -75,17 +75,24 @@
   },
   "devDependencies": {
     "@eslint/js": "^9.39.2",
+    "@stryker-mutator/core": "^9.5.1",
+    "@stryker-mutator/typescript-checker": "^9.5.1",
+    "@stryker-mutator/vitest-runner": "^9.5.1",
+    "@types/express": "^5.0.6",
     "@types/js-yaml": "^4.0.9",
     "@types/minimatch": "^5.1.2",
     "@types/node": "^20.14.10",
+    "@types/supertest": "^7.2.0",
     "@typescript-eslint/eslint-plugin": "^7.16.0",
     "@typescript-eslint/parser": "^7.16.0",
     "@vitest/coverage-v8": "^4.0.18",
     "eslint": "^8.57.1",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-import": "^2.29.1",
+    "express": "^5.2.1",
     "fast-check": "^4.5.3",
     "prettier": "^3.3.3",
+    "supertest": "^7.2.2",
     "tsup": "^8.1.0",
     "tsx": "^4.21.0",
     "typescript": "^5.5.3",

package/src/categories/definitions/concurrency/idempotency-missing.yml

@@ -35,8 +35,8 @@ detectionPatterns:
     type: regex
     language: python
     pattern: "\\+=\\s*1|counter\\s*\\+|increment\\("
-    confidence: low
-    description: Detects counter increments (verify idempotency)
+    confidence: medium
+    description: Detects counter increments (may need idempotency guards in retry contexts)
 
   - id: python-payment-no-idem
     type: regex
@@ -69,9 +69,9 @@ detectionPatterns:
   - id: ts-counter-update
     type: regex
     language: typescript
-    pattern: "\\+\\+|\\+=\\s*1|\\$inc"
-    confidence: low
-    description: Detects counter updates (verify idempotency)
+    pattern: "\\$inc|\\$push(?!.*idempotency|.*idempotent)"
+    confidence: medium
+    description: Detects MongoDB counter/array updates without idempotency
 
   - id: ts-webhook-no-dedup
     type: regex

package/src/categories/definitions/concurrency/race-condition.yml

@@ -65,9 +65,9 @@ detectionPatterns:
   - id: ts-check-then-act
     type: regex
     language: typescript
-    pattern: "if\\s*\\(.*exists.*\\).*\\{.*create|if\\s*\\(!.*\\).*\\{"
+    pattern: "if\\s*\\(.*exists.*\\).*\\{.*(create|write|mkdir|insert)|if\\s*\\(!.*exists.*\\).*\\{.*(create|write|mkdir|insert)"
     confidence: medium
-    description: Detects check-then-act pattern
+    description: Detects check-then-act TOCTOU pattern (check existence then create)
 
   - id: ts-promise-race-unsafe
     type: regex

package/src/categories/definitions/data/data-race.yml

@@ -28,19 +28,12 @@ detectionPatterns:
     confidence: medium
     description: Detects mutable global state
 
-  - id: python-read-modify-write
+  - id: python-thread-no-lock
     type: regex
     language: python
-    pattern: "\\w+\\s*\\+=|\\w+\\s*-=|\\w+\\s*=\\s*\\w+\\s*\\+\\s*1"
-    confidence: low
-    description: Detects increment/decrement (may need locking)
-
-  - id: python-no-lock
-    type: regex
-    language: python
-    pattern: "threading\\.Thread|multiprocessing\\.Process"
-    confidence: low
-    description: Detects threading (verify locking)
+    pattern: "threading\\.Thread.*(?!Lock\\(|RLock\\(|Semaphore\\()"
+    confidence: medium
+    description: Detects thread creation without visible locking in same scope
     negativePattern: "Lock\\(|RLock\\(|Semaphore\\("
 
   - id: python-check-then-act
@@ -50,12 +43,12 @@ detectionPatterns:
     confidence: medium
     description: Detects check-then-act pattern (TOCTOU)
 
-  - id: ts-shared-variable
+  - id: ts-var-declaration
     type: regex
     language: typescript
-    pattern: "let\\s+\\w+\\s*=|var\\s+\\w+\\s*="
-    confidence: low
-    description: Detects mutable shared state (verify thread safety)
+    pattern: "\\bvar\\s+\\w+\\s*="
+    confidence: medium
+    description: Detects var declarations (function-scoped, potential unintended sharing)
 
   - id: ts-async-race
     type: regex
@@ -67,9 +60,13 @@ detectionPatterns:
   - id: ts-non-atomic-update
     type: regex
     language: typescript
-    pattern: "\\w+\\s*=\\s*\\w+\\s*\\+\\s*1|\\w+\\+\\+"
-    confidence: low
-    description: Detects non-atomic increment
+    pattern: "await.*\\w+\\s*=\\s*\\w+\\s*\\+\\s*1|await.*\\w+\\+\\+|\\w+\\+\\+.*await"
+    confidence: medium
+    description: Detects non-atomic increment in async context (potential race condition)
+    sources:
+      - "\\basync\\b"
+      - "\\bawait\\b"
+      - "\\bPromise\\b"
 
   - id: ts-database-upsert
     type: regex

package/src/categories/definitions/data/encoding-mismatch.yml

@@ -56,7 +56,7 @@ detectionPatterns:
     type: regex
     language: typescript
     pattern: "new TextDecoder\\(\\)|TextDecoder\\(\\)"
-    confidence: low
+    confidence: medium
     description: Detects TextDecoder without explicit encoding
 
   - id: ts-buffer-tostring-default
@@ -76,9 +76,9 @@ detectionPatterns:
   - id: ts-length-emoji
     type: regex
     language: typescript
-    pattern: "\\.length(?!\\s*[=!<>])"
-    confidence: low
-    description: Detects string length (verify emoji handling)
+    pattern: "\\.length\\s*[<>]=?\\s*\\d+.*\\.charAt|\\.length.*\\.charCodeAt|\\.split\\(.*\\)\\.length"
+    confidence: medium
+    description: Detects string length used with char operations (may be wrong for emoji)
     negativePattern: "\\[\\.\\.\\.\\w+\\]\\.length|Array\\.from\\("
 
 testTemplates:

package/src/categories/definitions/data/null-handling.yml

@@ -41,12 +41,12 @@ detectionPatterns:
     confidence: high
     description: Detects arithmetic with potential None values
 
-  - id: python-json-null
+  - id: python-json-no-default
     type: regex
     language: python
-    pattern: "json\\.loads|json\\.load"
-    confidence: low
-    description: Detects JSON parsing (verify null handling)
+    pattern: "json\\.loads?\\(.*\\)\\[|json\\.loads?\\(.*\\)\\."
+    confidence: medium
+    description: Detects JSON parse result accessed without null check
     negativePattern: "or\\s+\\{\\}|or\\s+\\[\\]|\\.get\\("
 
   - id: ts-null-vs-undefined
@@ -56,27 +56,12 @@ detectionPatterns:
     confidence: medium
     description: Detects checking only null or undefined, not both
 
-  - id: ts-optional-chain-missing
-    type: regex
-    language: typescript
-    pattern: "\\w+\\.\\w+\\.\\w+(?!\\.?)"
-    confidence: low
-    description: Detects deep property access without optional chaining
-    negativePattern: "\\?\\."
-
-  - id: ts-nullable-db-field
+  - id: ts-json-parse-no-try
     type: regex
     language: typescript
-    pattern: "String\\s*\\|\\s*null|number\\s*\\|\\s*null"
-    confidence: low
-    description: Detects nullable types (verify null handling)
-
-  - id: ts-json-parse-null
-    type: regex
-    language: typescript
-    pattern: "JSON\\.parse\\s*\\("
-    confidence: low
-    description: Detects JSON parsing (verify null handling)
+    pattern: "JSON\\.parse\\s*\\((?!.*try|.*catch)"
+    confidence: medium
+    description: Detects JSON.parse without visible error handling
 
 testTemplates:
   - id: pytest-null-handling

package/src/categories/definitions/input/boundary-testing.yml

@@ -21,54 +21,26 @@ references:
   - https://en.wikipedia.org/wiki/Boundary_testing
 
 detectionPatterns:
-  - id: python-range-access
+  - id: python-unchecked-index-user-input
     type: regex
     language: python
-    pattern: "\\[\\w+\\]|\\[\\w+\\s*-\\s*1\\]|\\[\\w+\\s*\\+\\s*1\\]"
-    confidence: low
-    description: Detects array index access (verify boundary checks)
-
-  - id: python-comparison-boundary
-    type: regex
-    language: python
-    pattern: "if\\s+\\w+\\s*[<>]=?\\s*\\d+|if\\s+\\d+\\s*[<>]=?\\s*\\w+"
-    confidence: low
-    description: Detects numeric comparisons (verify off-by-one)
-
-  - id: python-slice-operation
-    type: regex
-    language: python
-    pattern: "\\[:\\d+\\]|\\[\\d+:\\]|\\[-\\d+:\\]"
-    confidence: low
-    description: Detects slice operations (verify bounds)
-
-  - id: python-loop-range
-    type: regex
-    language: python
-    pattern: "for\\s+\\w+\\s+in\\s+range\\("
-    confidence: low
-    description: Detects range loops (verify inclusive/exclusive)
-
-  - id: ts-array-access
-    type: regex
-    language: typescript
-    pattern: "\\[\\w+\\]|\\[\\.length\\s*-\\s*1\\]"
-    confidence: low
-    description: Detects array index access
+    pattern: "\\w+\\[\\s*(request\\.|params\\.|args\\.|input)"
+    confidence: medium
+    description: Detects array indexing with user-controlled input without bounds check
 
-  - id: ts-comparison-boundary
+  - id: ts-unchecked-index-user-input
     type: regex
     language: typescript
-    pattern: "if\\s*\\(.*[<>]=?\\s*\\d+|\\w+\\s*[<>]=?\\s*\\w+\\.length"
-    confidence: low
-    description: Detects numeric/length comparisons
+    pattern: "\\w+\\[\\s*(req\\.|params\\.|query\\.|body\\.|input)"
+    confidence: medium
+    description: Detects array indexing with user-controlled input without bounds check
 
-  - id: ts-substring
+  - id: python-no-length-check-slice
     type: regex
-    language: typescript
-    pattern: "\\.substring\\s*\\(|\\.slice\\s*\\(|\\.substr\\s*\\("
+    language: python
+    pattern: "\\w+\\[.*:\\s*\\]\\s*(?!.*(?:len|if|assert))"
     confidence: low
-    description: Detects string slicing operations
+    description: Detects array slicing without prior length validation that may cause unexpected empty results
 
 testTemplates:
   - id: pytest-boundary-testing

package/src/categories/definitions/input/injection-fuzzing.yml

@@ -59,6 +59,12 @@ detectionPatterns:
     pattern: "eval\\(|new Function\\(|setTimeout\\(.*\\+"
     confidence: high
     description: Detects dynamic code evaluation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+      - "\\breadline"
 
   - id: ts-innerhtml-input
     type: regex
@@ -66,6 +72,19 @@ detectionPatterns:
     pattern: "\\.innerHTML\\s*=|\\.outerHTML\\s*="
     confidence: high
     description: Detects innerHTML assignment
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\blocation\\.(hash|search|href)"
+      - "\\bwindow\\.location"
+      - "\\bURLSearchParams"
+    sanitizers:
+      - "DOMPurify\\.sanitize\\("
+      - "escapeHtml\\("
+      - "sanitizeHtml\\("
+      - "encodeURIComponent\\("
+      - "textContent\\s*="
 
   - id: ts-template-injection
     type: regex

package/src/categories/definitions/input/null-undefined.yml

@@ -20,54 +20,26 @@ references:
   - https://cwe.mitre.org/data/definitions/457.html
 
 detectionPatterns:
-  - id: python-no-none-check
+  - id: ts-non-null-assertion
     type: regex
-    language: python
-    pattern: "\\w+\\.\\w+(?!.*if.*is\\s+not\\s+None)"
-    confidence: low
-    description: Detects attribute access without None check
+    language: typescript
+    pattern: "\\w+!\\.|\\w+!\\["
+    confidence: high
+    description: Detects non-null assertion operator (unsafe type narrowing bypass)
 
-  - id: python-dict-access-no-get
+  - id: python-none-attribute-access
     type: regex
     language: python
-    pattern: "\\w+\\[[\"']\\w+[\"']\\](?!.*\\.get\\()"
+    pattern: "(?:return|=)\\s+\\w+\\.\\w+.*(?!.*(?:if|is not None|is None))"
     confidence: medium
-    description: Detects dict access that may raise KeyError
+    description: Detects attribute access on a variable that may be None without a prior null check
 
-  - id: python-optional-no-default
+  - id: python-no-default-dict-access
     type: regex
     language: python
-    pattern: "Optional\\[.*\\](?!.*=\\s*None)"
-    confidence: medium
-    description: Detects Optional type without default value
-
-  - id: ts-no-null-check
-    type: regex
-    language: typescript
-    pattern: "\\w+\\.\\w+(?!.*\\?\\.|.*&&|.*\\|\\|)"
-    confidence: low
-    description: Detects property access without null check
-
-  - id: ts-undefined-equality
-    type: regex
-    language: typescript
-    pattern: "===\\s*undefined(?!.*null)|!==\\s*undefined(?!.*null)"
-    confidence: medium
-    description: Detects undefined check without null check
-
-  - id: ts-non-null-assertion
-    type: regex
-    language: typescript
-    pattern: "\\w+!\\.|\\w+!\\["
-    confidence: high
-    description: Detects non-null assertion operator
-
-  - id: ts-optional-chaining-missing
-    type: regex
-    language: typescript
-    pattern: "\\w+\\.\\w+\\.\\w+(?!\\?\\.)"
+    pattern: "\\w+\\[\\s*['\"]\\w+['\"]\\s*\\](?!.*\\.get)"
     confidence: low
-    description: Detects deep access without optional chaining
+    description: Detects direct dictionary bracket access without using .get() which raises KeyError on missing keys
 
 testTemplates:
   - id: pytest-null-undefined

package/src/categories/definitions/network/connection-failure.yml

@@ -70,9 +70,15 @@ detectionPatterns:
   - id: ts-no-econnrefused
     type: regex
     language: typescript
-    pattern: "catch\\s*\\([^)]*\\)\\s*\\{(?!.*ECONNREFUSED|.*code)"
-    confidence: low
-    description: Detects catch block not checking error codes
+    pattern: "(fetch|axios|got|request|http\\.get|https\\.get).*catch\\s*\\([^)]*\\)\\s*\\{(?!.*ECONNREFUSED|.*code|.*retry)"
+    confidence: medium
+    description: Detects network request catch block not checking error codes
+    sources:
+      - "\\bfetch\\("
+      - "\\baxios\\b"
+      - "\\bgot\\("
+      - "\\bhttp\\.get\\("
+      - "\\bhttps\\.get\\("
 
   - id: ts-socket-no-error-event
     type: regex

package/src/categories/definitions/resource/memory-leak.yml

@@ -25,19 +25,12 @@ references:
   - https://developer.chrome.com/docs/devtools/memory-problems/
 
 detectionPatterns:
-  - id: python-cache-no-limit
+  - id: python-global-list-append
     type: regex
     language: python
-    pattern: "\\{\\}|dict\\(\\)(?!.*maxsize|.*lru_cache|.*TTLCache)"
-    confidence: low
-    description: Detects unbounded dict cache (verify eviction)
-
-  - id: python-list-append-loop
-    type: regex
-    language: python
-    pattern: "while.*\\.append\\(|for.*\\.append\\("
-    confidence: low
-    description: Detects list growing in loop (verify bounds)
+    pattern: "^\\w+\\s*=\\s*\\[\\].*\\.append\\("
+    confidence: medium
+    description: Detects module-level list accumulation without bounds
 
   - id: python-global-accumulator
     type: regex
@@ -60,12 +53,12 @@ detectionPatterns:
     confidence: medium
     description: Detects potential circular references
 
-  - id: ts-cache-no-limit
+  - id: ts-module-level-map
     type: regex
     language: typescript
-    pattern: "new\\s+Map\\(\\)|new\\s+Set\\(\\)|\\{\\}\\s*as\\s+Record"
-    confidence: low
-    description: Detects unbounded cache structures
+    pattern: "^(?:export\\s+)?const\\s+\\w+\\s*=\\s*new\\s+Map\\(\\)"
+    confidence: medium
+    description: Detects module-level Map without eviction (potential memory leak in long-running servers)
 
   - id: ts-event-listener-no-remove
     type: regex
@@ -84,9 +77,14 @@ detectionPatterns:
   - id: ts-array-push-unbounded
     type: regex
     language: typescript
-    pattern: "\\.push\\(.*\\)(?!.*slice|.*splice|.*shift|.*length\\s*=)"
+    pattern: "\\bmodule\\b.*\\.push\\(|\\bglobal\\b.*\\.push\\(|\\bthis\\.\\w+\\.push\\("
     confidence: low
-    description: Detects array growth without bounds
+    description: Detects unbounded growth on module/global/instance arrays (potential leak in long-running processes)
+    sources:
+      - "\\bsetInterval\\("
+      - "\\b\\.on\\("
+      - "\\bEventEmitter\\b"
+      - "\\bserver\\b"
 
 testTemplates:
   - id: pytest-memory-leak

package/src/categories/definitions/security/auth-failures.yml

@@ -118,6 +118,14 @@ detectionPatterns:
     description: |
       [REVIEW REQUIRED] User ID taken from request parameter.
       Verify ownership check exists before accessing resources.
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "req\\.user\\.id\\s*===|req\\.user\\.id\\s*=="
+      - "ownershipCheck\\(|verifyOwnership\\("
+      - "isOwner\\("
+      - "req\\.user\\.id\\s*!==.*throw|req\\.user\\.id\\s*!=.*throw"
 
   - id: idor-direct-lookup
     type: regex

package/src/categories/definitions/security/command-injection.yml

@@ -77,6 +77,16 @@ detectionPatterns:
     pattern: "child_process\\.exec\\s*\\(|exec\\s*\\(`.*\\$\\{"
     confidence: high
     description: Detects child_process.exec with potential user input
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "\\bexecFile\\("
+      - "\\bspawnSync\\(.*\\["
+      - "\\bshellEscape\\("
+      - "\\bescapeShellArg\\("
 
   - id: ts-child-process-spawn-shell
     type: regex
@@ -84,6 +94,13 @@ detectionPatterns:
     pattern: "spawn\\s*\\(.*shell:\\s*true"
     confidence: high
     description: Detects spawn with shell option enabled
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "\\bshellEscape\\("
+      - "\\bescapeShellArg\\("
 
   - id: ts-execsync
     type: regex

package/src/categories/definitions/security/csrf.yml

@@ -64,6 +64,16 @@ detectionPatterns:
     confidence: low
     description: Detects Express state-changing routes without csrf middleware
     negativePattern: "csurf|csrf\\(|csrfProtection"
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "csurf\\("
+      - "csrfProtection"
+      - "csrf\\("
+      - "SameSite=Strict|sameSite:\\s*[\"']strict[\"']"
+      - "SameSite=Lax|sameSite:\\s*[\"']lax[\"']"
+      - "lusca\\.csrf"
 
   - id: ts-fetch-no-credentials
     type: regex
@@ -72,6 +82,15 @@ detectionPatterns:
     confidence: low
     description: Detects fetch with state-changing methods (needs CSRF token)
     negativePattern: "X-CSRF|csrf|_token"
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "X-CSRF-Token"
+      - "csrf[Tt]oken"
+      - "_csrf"
+      - "SameSite=Strict|sameSite:\\s*[\"']strict[\"']"
+      - "SameSite=Lax|sameSite:\\s*[\"']lax[\"']"
 
   - id: ts-axios-no-csrf
     type: regex

package/src/categories/definitions/security/data-exposure.yml

@@ -51,6 +51,13 @@ detectionPatterns:
       [REVIEW REQUIRED] API returns full user/account object.
       Verify sensitive fields (password, SSN, etc.) are excluded.
     negativePattern: "\\.omit\\(|\\.pick\\(|\\.select\\(|exclude|sanitize"
+    sanitizers:
+      - "\\.select\\("
+      - "\\.omit\\("
+      - "\\bpick\\("
+      - "\\bomit\\("
+      - "\\.exclude\\("
+      - "\\bsanitize(User|Response)\\("
 
   - id: returning-full-object-py
     type: regex
@@ -79,6 +86,11 @@ detectionPatterns:
     description: |
       [REVIEW REQUIRED] SELECT * query on user table.
       Select only required fields to prevent data leakage.
+    sanitizers:
+      - "\\.select\\("
+      - "SELECT\\s+(id|name|email|username)"
+      - "\\.omit\\("
+      - "\\bpick\\("
 
   # ORM without field selection
   - id: prisma-findmany-no-select
@@ -89,6 +101,11 @@ detectionPatterns:
     description: |
       [REVIEW REQUIRED] Prisma query without select clause.
       Returns all fields by default.
+    sanitizers:
+      - "select:"
+      - "\\.omit\\("
+      - "\\bpick\\("
+      - "exclude:"
 
   - id: sequelize-findall-no-attributes
     type: regex
@@ -134,6 +151,13 @@ detectionPatterns:
     description: |
       [REVIEW REQUIRED] Spreading user object in response.
       May include sensitive fields unintentionally.
+    sanitizers:
+      - "\\.select\\("
+      - "\\.omit\\("
+      - "\\bpick\\("
+      - "\\bomit\\("
+      - "\\bexclude\\("
+      - "const\\s*\\{\\s*password.*\\}\\s*=.*user"
 
 testTemplates:
   - id: pytest-data-exposure-review

package/src/categories/definitions/security/dependency-risks.yml

@@ -88,16 +88,16 @@ detectionPatterns:
   - id: lodash-typosquat
     type: regex
     language: typescript
-    pattern: "(l0dash|lodahs|1odash|lodassh|lodsh)(?![a-z])"
+    pattern: "(import|require).*[\"'](l0dash|lodahs|1odash|lodassh|lodsh)[\"']"
     confidence: high
-    description: Potential lodash typosquat detected
+    description: Potential lodash typosquat in import/require statement
 
   - id: express-typosquat
     type: regex
     language: typescript
-    pattern: "(expres(?!s)|expresss|3xpress)(?![a-z])"
+    pattern: "(import|require).*[\"'](expres|expresss|3xpress)[\"']"
     confidence: high
-    description: Potential express typosquat detected
+    description: Potential express typosquat in import/require statement
 
   - id: requests-typosquat
     type: regex
@@ -130,7 +130,7 @@ detectionPatterns:
   - id: shai-hulud-packages
     type: regex
     language: typescript
-    pattern: "[\"'`](ngx-bootstrap|ng2-file-upload|@ctrl/tinycolor|valor-software/ngx-bootstrap)[\"'`]"
+    pattern: "(import|require|from).*[\"'`](ngx-bootstrap|ng2-file-upload|@ctrl/tinycolor)[\"'`]"
     confidence: high
     description: |
       CRITICAL: Package affected by Shai-Hulud supply chain attack (Sep 2025).
@@ -139,7 +139,7 @@ detectionPatterns:
   - id: compromised-packages-wave2
     type: regex
     language: typescript
-    pattern: "[\"'`](@acitons/artifact|huggingface-cli|react-dom-utils-helper)[\"'`]"
+    pattern: "(import|require|from).*[\"'`](@acitons/artifact|huggingface-cli|react-dom-utils-helper)[\"'`]"
     confidence: high
     description: |
       CRITICAL: Known malicious/typosquatted package.