pkgradar 0.1.0 → 0.1.2

package/bin/pkgradar.js

@@ -2,13 +2,17 @@
 'use strict';
 const os = require('os');
 const { scan, SEV } = require('../lib/scan');
+const PKG = require('../package.json');
 
-const args = process.argv.slice(2);
-const has = (f) => args.includes(f);
-const val = (f, d) => { const i = args.indexOf(f); return i >= 0 && args[i + 1] ? args[i + 1] : d; };
+// ----------------------------------------------------------------------------
+// args
+// ----------------------------------------------------------------------------
+const argv = process.argv.slice(2);
+const has = (f) => argv.includes(f);
+const val = (f, d) => { const i = argv.indexOf(f); return i >= 0 && argv[i + 1] ? argv[i + 1] : d; };
 
 if (has('-h') || has('--help')) {
-  console.log(`pkgradar  -  content-based supply-chain scanner for npm / pnpm / yarn / bun
+  process.stdout.write(`pkgradar  -  content-based supply-chain scanner for npm / pnpm / yarn / bun
 
 It opens the package files you actually installed and looks for what malware
 does (install hooks, obfuscated payloads, known worm artifacts), instead of
@@ -20,6 +24,7 @@ USAGE
 OPTIONS
   --online            also cross-reference OSV.dev for known advisories (network)
   --json              machine-readable output
+  --full              expanded per-finding output instead of the summary table
   --min-sev LEVEL     report findings at or above LEVEL
                       critical | high | medium | low | info        [default: medium]
   --stores LIST       comma list to limit which stores are scanned
@@ -40,28 +45,80 @@ const SEV_FROM_NAME = { critical: SEV.CRITICAL, high: SEV.HIGH, medium: SEV.MEDI
 const minSevName = (val('--min-sev', 'medium') || 'medium').toLowerCase();
 const minSev = SEV_FROM_NAME[minSevName] ?? SEV.MEDIUM;
 
-const useColor = process.stdout.isTTY && !process.env.NO_COLOR;
-const e = (code) => useColor ? `\x1b[${code}m` : '';
-const wrap = (code) => (s) => useColor ? `\x1b[${code}m${s}\x1b[0m` : `${s}`;
+// ----------------------------------------------------------------------------
+// colour helpers
+// ----------------------------------------------------------------------------
+const COLOR = process.stdout.isTTY && !process.env.NO_COLOR;
+const paint = (code) => (s) => COLOR ? `\x1b[${code}m${s}\x1b[0m` : `${s}`;
 const C = {
-  bold: wrap('1'), dim: wrap('2'), red: wrap('31'), grn: wrap('32'), ylw: wrap('33'),
-  blu: wrap('34'), mag: wrap('35'), cyan: wrap('36'), gray: wrap('90'),
+  bold: paint('1'), dim: paint('2'), red: paint('31'), grn: paint('32'), ylw: paint('33'),
+  blu: paint('34'), mag: paint('35'), cyan: paint('36'), gray: paint('90'),
 };
-// severity badge: white text on a coloured background, padded
-const badge = (sev) => {
+// coloured "  CRITICAL  " cell: white-on-colour, fixed width
+function sevCell(sev, width) {
   const bg = { CRITICAL: '41', HIGH: '45', MEDIUM: '43', LOW: '100', INFO: '100' }[sev] || '100';
   const fg = sev === 'MEDIUM' ? '30' : '97';
-  const label = ` ${sev} `.padEnd(10);
-  return useColor ? `\x1b[${bg};${fg};1m${label}\x1b[0m` : `[${sev}]`.padEnd(10);
-};
+  const label = sev.padStart((width + sev.length) >> 1).padEnd(width);
+  return COLOR ? `\x1b[${bg};${fg};1m${label}\x1b[0m` : label;
+}
 const SEV_TEXT = { CRITICAL: C.red, HIGH: C.mag, MEDIUM: C.ylw, LOW: C.gray, INFO: C.gray };
 const homeShort = (p) => (p && p.startsWith(os.homedir())) ? '~' + p.slice(os.homedir().length) : p;
 
-function rule(ch = '─', n = 64) { return C.gray(ch.repeat(n)); }
+// ----------------------------------------------------------------------------
+// foreground spinner (writes to stderr so stdout stays pipe-clean)
+// ----------------------------------------------------------------------------
+function makeSpinner() {
+  const frames = ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏'];
+  const on = process.stderr.isTTY && !process.env.NO_COLOR;
+  let i = 0, msg = 'starting', timer = null;
+  const render = () => process.stderr.write(`\r\x1b[2K${C.cyan(frames[i = (i + 1) % frames.length])} ${C.gray(msg + ' …')}`);
+  return {
+    start() { if (!on) return; timer = setInterval(render, 80); render(); },
+    set(m) { msg = m; },
+    stop() { if (timer) clearInterval(timer); if (on) process.stderr.write('\r\x1b[2K'); },
+  };
+}
+
+// ----------------------------------------------------------------------------
+// table renderer
+// ----------------------------------------------------------------------------
+const clip = (s, n) => { s = String(s == null ? '' : s); return s.length <= n ? s : s.slice(0, Math.max(0, n - 1)) + '…'; };
+const padTo = (s, n) => s + ' '.repeat(Math.max(0, n - s.length));
+
+/**
+ * Render an array of row objects as a box-drawn table.
+ * @param {{key:string,label:string,width:number,color?:Function,raw?:boolean}[]} cols
+ * @param {object[]} rows
+ */
+function table(cols, rows) {
+  const B = COLOR ? C.gray : (s) => s;
+  const line = (l, m, r) => B(l + cols.map((c) => '─'.repeat(c.width + 2)).join(m) + r);
+  const out = [];
+  out.push('  ' + line('┌', '┬', '┐'));
+  out.push('  ' + B('│') + cols.map((c) => ' ' + C.bold(padTo(clip(c.label, c.width), c.width)) + ' ').join(B('│')) + B('│'));
+  out.push('  ' + line('├', '┼', '┤'));
+  for (const row of rows) {
+    const cells = cols.map((c) => {
+      const v = clip(row[c.key], c.width);
+      if (c.raw) return ' ' + row[c.key] + ' ';                       // pre-formatted (already padded/coloured)
+      const txt = padTo(v, c.width);
+      return ' ' + (c.color ? c.color(txt) : txt) + ' ';
+    });
+    out.push('  ' + B('│') + cells.join(B('│')) + B('│'));
+  }
+  out.push('  ' + line('└', '┴', '┘'));
+  return out.join('\n');
+}
 
+// ----------------------------------------------------------------------------
+// main
+// ----------------------------------------------------------------------------
 (async () => {
+  const spin = makeSpinner();
+  spin.start();
+  spin.set('discovering package stores');
   let res;
-  const started = Date.now();
+  const t0 = Date.now();
   try {
     res = await scan({
       cwd: val('--cwd', process.cwd()),
@@ -70,89 +127,107 @@ function rule(ch = '─', n = 64) { return C.gray(ch.repeat(n)); }
       maxDepth: parseInt(val('--max-depth', '12'), 10) || 12,
       stores: (val('--stores', '') || '').split(',').map((s) => s.trim()).filter(Boolean),
       noAllowlist: has('--no-allowlist'),
+      onPhase: (m) => spin.set(m),
     });
   } catch (err) {
-    console.error(C.red('pkgradar error: ') + (err && err.stack || err));
+    spin.stop();
+    process.stderr.write(C.red('pkgradar error: ') + (err && err.stack || err) + '\n');
     process.exit(2);
   }
-  const secs = ((Date.now() - started) / 1000).toFixed(1);
+  spin.stop();
+  const secs = ((Date.now() - t0) / 1000).toFixed(1);
 
   if (has('--json')) {
-    console.log(JSON.stringify({ ...res, durationSeconds: Number(secs) }, null, 2));
+    process.stdout.write(JSON.stringify({ ...res, durationSeconds: Number(secs) }, null, 2) + '\n');
     process.exit(res.findings.some((f) => f.sevNum >= minSev) ? 1 : 0);
   }
 
   const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0, INFO: 0 };
   for (const f of res.findings) counts[f.severity]++;
-  const localFindings = res.findings.filter((f) => f.code !== 'osv-advisory');
-  const osvFindings = res.findings.filter((f) => f.code === 'osv-advisory');
-  const hits = res.findings.length;
   const worst = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'].find((k) => counts[k]) || null;
+  const p = (...a) => process.stdout.write(a.join(' ') + '\n');
 
   // ---- header ----
-  console.log('');
-  console.log(`  ${C.bold('pkgradar')} ${C.gray('v' + require('../package.json').version)}   ${C.gray('content-based supply-chain scan')}`);
-  console.log(`  ${C.gray('project')} ${homeShort(res.cwd)}   ${C.gray(res.stores.length + ' stores, ' + secs + 's')}`);
-  console.log('');
+  p('');
+  p(`  ${C.bold('pkgradar')} ${C.gray('v' + PKG.version)}   ${C.gray('content-based supply-chain scan')}   ${C.gray(secs + 's')}`);
+  p(`  ${C.gray('project')} ${homeShort(res.cwd)}`);
+  p('');
 
   // ---- stores table ----
-  const nameW = Math.max(...res.stores.map((s) => s.kind.length), 6);
-  for (const s of res.stores) {
-    console.log(`  ${C.cyan(s.kind.padEnd(nameW))}  ${C.dim(String(s.packages).padStart(5) + ' pkgs')}  ${C.gray(homeShort(s.root))}`);
-  }
-  console.log(`  ${C.gray('total:')} ${C.bold(res.totalPackages)} ${C.gray('unique package@version,')} ${C.bold(res.totalScanned)} ${C.gray('locations inspected')}`);
-  if (res.osv && res.osv.error) console.log(`  ${C.ylw('OSV lookup failed:')} ${C.dim(res.osv.error)}`);
-  if (!res.osv && !has('--online')) console.log(`  ${C.gray('tip: add')} ${C.dim('--online')} ${C.gray('to also cross-check known advisories on OSV.dev')}`);
-  console.log('');
-
-  // ---- verdict line ----
-  if (!hits) {
-    console.log(`  ${C.grn('●')} ${C.bold('Verdict:')} ${C.grn('clean')} ${C.gray('- nothing tripped the heuristics at')} ${C.dim(minSevName)} ${C.gray('and above')}`);
-    console.log(`  ${C.gray('  (this inspects installed bytes; a clean run is not a proof of safety)')}`);
-    console.log('');
+  p(table(
+    [
+      { key: 'kind', label: 'STORE', width: 14, color: C.cyan },
+      { key: 'pkgs', label: 'PKGS', width: 6, color: C.dim },
+      { key: 'root', label: 'PATH', width: Math.max(28, (process.stdout.columns || 120) - 32) },
+    ],
+    res.stores.map((s) => ({ kind: s.kind, pkgs: String(s.packages), root: homeShort(s.root) })),
+  ));
+  p(`  ${C.gray('total:')} ${C.bold(res.totalPackages)} ${C.gray('unique package@version,')} ${C.bold(res.totalScanned)} ${C.gray('locations inspected')}`);
+  if (res.osv && res.osv.error) p(`  ${C.ylw('OSV lookup failed:')} ${C.dim(res.osv.error)}`);
+  else if (!has('--online')) p(`  ${C.gray('tip: add')} ${C.dim('--online')} ${C.gray('to cross-check known advisories on OSV.dev')}`);
+  p('');
+
+  // ---- verdict ----
+  if (!res.findings.length) {
+    p(`  ${C.grn('●')} ${C.bold('Verdict:')} ${C.grn('clean')}  ${C.gray('nothing tripped the heuristics at ' + minSevName + ' and above')}`);
+    p(`  ${C.gray('  (this inspects installed bytes; a clean run is not a proof of safety)')}`);
+    p('');
     process.exit(0);
   }
-  const summaryBits = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'].filter((k) => counts[k]).map((k) => SEV_TEXT[k](`${counts[k]} ${k.toLowerCase()}`));
-  const dot = worst === 'CRITICAL' || worst === 'HIGH' ? C.red('●') : worst === 'MEDIUM' ? C.ylw('●') : C.gray('●');
-  console.log(`  ${dot} ${C.bold('Verdict:')} ${C.bold(hits + (hits === 1 ? ' finding' : ' findings'))}  ${C.gray('(')}${summaryBits.join(C.gray(', '))}${C.gray(')')}`);
-  if (localFindings.length && osvFindings.length) {
-    console.log(`  ${C.gray('  ' + localFindings.length + ' from inspecting installed code, ' + osvFindings.length + ' known advisories (OSV.dev)')}`);
-  }
-  console.log('');
-
-  // ---- findings, grouped by severity, local first then OSV ----
-  const ORDER = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'];
-  const printGroup = (title, list) => {
-    if (!list.length) return;
-    console.log(`  ${rule()}`);
-    console.log(`  ${C.bold(title)}`);
-    console.log('');
-    list.sort((a, b) => b.sevNum - a.sevNum || a.package.localeCompare(b.package));
-    for (const f of list) {
-      console.log(`  ${badge(f.severity)} ${C.bold(f.package + '@' + f.version)}  ${C.gray(f.store)}  ${C.cyan(f.code)}`);
-      console.log(`     ${f.message}`);
-      if (f.evidence) console.log(`     ${C.gray('→ ' + f.evidence)}`);
-      if (f.note) console.log(`     ${C.gray('note: ' + f.note)}`);
-      if (f.dir) console.log(`     ${C.gray(homeShort(f.dir))}`);
-      console.log('');
+  const bits = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'].filter((k) => counts[k]).map((k) => SEV_TEXT[k](`${counts[k]} ${k.toLowerCase()}`));
+  const dot = (worst === 'CRITICAL' || worst === 'HIGH') ? C.red('●') : worst === 'MEDIUM' ? C.ylw('●') : C.gray('●');
+  p(`  ${dot} ${C.bold('Verdict:')} ${C.bold(res.findings.length + ' ' + (res.findings.length === 1 ? 'finding' : 'findings'))}  ${C.gray('(')}${bits.join(C.gray(', '))}${C.gray(')')}`);
+  p('');
+
+  // ---- findings ----
+  const sorted = res.findings.slice().sort((a, b) => b.sevNum - a.sevNum || a.code.localeCompare(b.code) || a.package.localeCompare(b.package));
+
+  if (has('--full')) {
+    for (const f of sorted) {
+      p(`  ${sevCell(f.severity, 10)} ${C.bold(f.package + '@' + f.version)}  ${C.gray(f.store)}  ${C.cyan(f.code)}`);
+      p(`     ${f.message}`);
+      if (f.evidence) p(`     ${C.gray('→ ' + f.evidence)}`);
+      if (f.note) p(`     ${C.gray('note: ' + f.note)}`);
+      if (f.dir) p(`     ${C.gray(homeShort(f.dir))}`);
+      p('');
     }
-  };
-  printGroup('From inspecting installed code', localFindings);
-  printGroup('Known advisories (OSV.dev)', osvFindings);
+  } else {
+    const term = process.stdout.columns || 120;
+    const W_PKG = 28, W_TYPE = 21, W_WHERE = 16;
+    const W_DETAIL = Math.max(24, term - (2 + 3 + 10 + W_PKG + W_TYPE + W_WHERE + 3 * 5 + 1));
+    const SHOW = 60;
+    const rows = sorted.slice(0, SHOW).map((f) => ({
+      sev: sevCell(f.severity, 10),
+      pkg: f.package + '@' + f.version,
+      type: f.code,
+      where: f.store,
+      detail: (f.evidence ? f.evidence + '  ' : '') + f.message,
+    }));
+    p(table(
+      [
+        { key: 'sev', label: 'SEVERITY', width: 10, raw: true },
+        { key: 'pkg', label: 'PACKAGE', width: W_PKG, color: C.bold },
+        { key: 'type', label: 'TYPE', width: W_TYPE, color: C.cyan },
+        { key: 'where', label: 'WHERE', width: W_WHERE, color: C.dim },
+        { key: 'detail', label: 'DETAIL', width: W_DETAIL, color: C.gray },
+      ],
+      rows,
+    ));
+    if (sorted.length > SHOW) p(`  ${C.gray('... and ' + (sorted.length - SHOW) + ' more (use --json for the full list)')}`);
+    p(`  ${C.gray('use')} ${C.dim('--full')} ${C.gray('for untruncated details and on-disk paths')}`);
+  }
+  p('');
 
-  // ---- next steps ----
-  console.log(`  ${rule()}`);
-  console.log(`  ${C.bold('What to do')}`);
+  // ---- what to do ----
+  p(`  ${C.bold('What to do')}`);
   if (counts.CRITICAL || counts.HIGH) {
-    console.log(`  ${C.red('•')} Treat ${C.bold('CRITICAL / HIGH "installed code" findings')} as suspect: do not run install`);
-    console.log(`    scripts, remove the package, clear the relevant cache, and rotate any npm /`);
-    console.log(`    GitHub / cloud tokens this machine has held.`);
+    p(`  ${C.red('•')} Treat ${C.bold('CRITICAL / HIGH "installed code" findings')} as suspect: don't run install`);
+    p(`    scripts, remove the package, clear the relevant cache, rotate npm / GitHub / cloud tokens.`);
   }
-  console.log(`  ${C.gray('•')} Check a flagged version against the registry: ${C.dim('npm view <pkg> versions')} ${C.gray('and look at')}`);
-  console.log(`    ${C.gray('publish dates and provenance.')}`);
-  if (osvFindings.length) console.log(`  ${C.gray('•')} OSV findings are the usual "known CVE in a dependency" set: ${C.dim('npm audit fix')} ${C.gray('/ bump.')}`);
-  if (!has('--online')) console.log(`  ${C.gray('•')} Re-run with ${C.dim('--online')} ${C.gray('to add OSV.dev advisory matching by exact version.')}`);
-  console.log('');
+  p(`  ${C.gray('•')} Check a flagged version against the registry: ${C.dim('npm view <pkg> versions')} ${C.gray('(publish dates, provenance).')}`);
+  if (sorted.some((f) => f.code === 'osv-advisory')) p(`  ${C.gray('•')} OSV rows are the usual "known CVE in a dependency" set: ${C.dim('npm audit fix')} ${C.gray('/ bump.')}`);
+  if (!has('--online')) p(`  ${C.gray('•')} Re-run with ${C.dim('--online')} ${C.gray('to add OSV.dev advisory matching by exact version.')}`);
+  p('');
 
   process.exit(res.findings.some((f) => f.sevNum >= minSev) ? 1 : 0);
 })();

package/lib/checks.js

@@ -95,14 +95,11 @@ function checkWormFiles(pkg) {
         out.push({ sev: SEV.CRITICAL, code: 'worm-ioc-file', msg: `known worm artifact file: ${e.name}`, evidence: path.relative(pkg.dir, full) });
       }
       if (/(^|[\\/])\.github[\\/]workflows([\\/]|$)/.test(d) && /\.ya?ml$/i.test(low)) {
-        // Many legit packages publish their whole repo (incl. .github). On its own this
-        // is barely a signal, so it is INFO. A *malicious* workflow file would also be
-        // caught by name (worm-ioc-file) or by content checks.
-        const wf = readSafe(full, 200_000);
-        const nasty = wf && /\b(curl|wget)\b[^|;&\n]*[|;&]+\s*(ba|z|d)?sh\b|secrets\.[A-Z_]+\b[\s\S]{0,80}(curl|nc |bash -c|http)/.test(wf.text);
-        out.push(nasty
-          ? { sev: SEV.CRITICAL, code: 'malicious-gh-workflow', msg: `bundled GitHub Actions workflow runs a piped shell download / exfiltrates secrets`, evidence: path.relative(pkg.dir, full) }
-          : { sev: SEV.INFO, code: 'embedded-gh-workflow', msg: `package ships a GitHub Actions workflow (${e.name})`, evidence: path.relative(pkg.dir, full) });
+        // Lots of legit packages publish their whole repo, .github included, and plenty
+        // of normal CI workflows pipe an installer into a shell. On its own this is not a
+        // signal, so it is INFO only. A genuinely malicious workflow file with a known
+        // name is already caught by worm-ioc-file.
+        out.push({ sev: SEV.INFO, code: 'embedded-gh-workflow', msg: `package ships a GitHub Actions workflow (${e.name})`, evidence: path.relative(pkg.dir, full) });
       }
     }
   }
@@ -158,21 +155,28 @@ function checkObfuscation(pkg) {
     const weak = [];      // weak reasons only matter in combination
     let critical = false;
 
-    // --- hard worm markers: any one => critical ---
-    for (const m of WORM_HARD_MARKERS) if (t.includes(m)) { strong.push(`worm IOC string: ${m}`); critical = true; }
-    // --- soft worm markers: need >=3 distinct in one file (so a tool's advisory text won't trip it) ---
-    const softHits = WORM_SOFT_MARKERS.filter((m) => t.includes(m));
-    if (softHits.length >= 3) { strong.push(`co-occurring worm terms: ${softHits.slice(0, 6).join(', ')}`); }
-    else if (softHits.length) weak.push(`worm term(s): ${softHits.join(', ')}`);
-
-    // --- javascript-obfuscator signature ---
+    // --- "executable payload" context: dynamic code execution over decoded data, or
+    //     heavy identifier mangling. Worm IOC strings are only damning when they sit
+    //     alongside one of these; on their own they also appear in scanners, advisories,
+    //     and writeups (this file included). ---
     const hexIds = (t.match(/_0x[a-f0-9]{4,6}\b/g) || []).length;
+    const evalOverDecoded = /(eval|new Function|Function\()\s*\(?\s*(atob|Buffer\.from\s*\([^)]*base64|unescape|decodeURIComponent)/.test(t);
+    const procFromDecoded = /\bchild_process\b[\s\S]{0,400}\b(atob|Buffer\.from\s*\([^)]*base64)/.test(t);
+    const execContext = evalOverDecoded || procFromDecoded || hexIds > 80;
+    if (evalOverDecoded) strong.push('constructs & executes decoded payload (eval/Function over atob/Buffer.from)');
+    if (procFromDecoded) strong.push('spawns a process from decoded data');
     if (hexIds > 80) strong.push(`${hexIds} _0x… mangled identifiers (javascript-obfuscator)`);
     else if (hexIds > 20) weak.push(`${hexIds} _0x… identifiers`);
 
-    // --- code building & executing decoded data dynamically ---
-    if (/(eval|new Function|Function\()\s*\(?\s*(atob|Buffer\.from\s*\([^)]*base64|unescape|decodeURIComponent)/.test(t)) strong.push('constructs & executes decoded payload (eval/Function over atob/Buffer.from)');
-    if (/\bchild_process\b[\s\S]{0,400}\b(atob|Buffer\.from\s*\([^)]*base64)/.test(t)) strong.push('spawns a process from decoded data');
+    // --- worm IOC strings ---
+    const hardHits = WORM_HARD_MARKERS.filter((m) => t.includes(m));
+    if (hardHits.length) {
+      if (execContext) { strong.push(`worm IOC string(s) in an executing payload: ${hardHits.join(', ')}`); critical = true; }
+      else weak.push(`contains known IOC string(s): ${hardHits.join(', ')} (also found in security tooling / advisories / writeups)`);
+    }
+    const softHits = WORM_SOFT_MARKERS.filter((m) => t.includes(m));
+    if (softHits.length >= 3 && execContext) strong.push(`co-occurring worm terms with an executable payload: ${softHits.slice(0, 6).join(', ')}`);
+    else if (softHits.length) weak.push(`worm term(s): ${softHits.slice(0, 6).join(', ')}`);
 
     // --- weak structural signals (modern bundlers do these constantly) ---
     const longest = t.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
@@ -217,7 +221,13 @@ function checkManifestAnomalies(pkg) {
   return out;
 }
 
+let SELF = null;
+try { SELF = require('../package.json').name; } catch { /* ignore */ }
+
 function runAll(pkg) {
+  // Don't scan our own package: this file necessarily contains the IOC strings it
+  // searches for, so scanning a cached copy of pkgradar would flag pkgradar.
+  if (SELF && pkg && pkg.manifest && pkg.manifest.name === SELF) return [];
   const findings = [];
   for (const fn of [checkLifecycleHooks, checkWormFiles, checkManifestAnomalies, checkObfuscation]) {
     try { findings.push(...fn(pkg)); } catch (e) { /* ignore per-check failure */ }

package/lib/scan.js

@@ -24,11 +24,17 @@ async function scan(opts = {}) {
   const findings = [];
   const allPkgList = [];
 
+  const tick = typeof opts.onPhase === 'function' ? opts.onPhase : () => {};
+  const yieldToLoop = () => new Promise((r) => setImmediate(r));
+
   for (const store of stores) {
     if (kindFilter && !kindFilter.has(store.kind)) continue;
+    tick(`scanning ${store.kind}`);
+    await yieldToLoop();
     let count = 0;
     for (const pkg of packagesInStore(store, { maxDepth: opts.maxDepth })) {
       count++;
+      if (count % 100 === 0) { tick(`scanning ${store.kind} (${count} packages)`); await yieldToLoop(); }
       const key = `${pkg.name}@${pkg.version}@${pkg.dir || store.root}`;
       if (seen.has(key)) continue;
       seen.set(key, pkg);
@@ -53,6 +59,7 @@ async function scan(opts = {}) {
   let osv = null;
   if (opts.online) {
     try {
+      tick('cross-checking OSV.dev advisories');
       const map = await queryOSV(allPkgList);
       osv = [];
       const SEV_RANK = { CRITICAL: SEV.CRITICAL, HIGH: SEV.HIGH, MEDIUM: SEV.MEDIUM, LOW: SEV.LOW };
@@ -76,9 +83,22 @@ async function scan(opts = {}) {
     }
   }
 
-  findings.sort((a, b) => b.sevNum - a.sevNum || a.package.localeCompare(b.package));
+  // Collapse identical findings that show up in several stores (e.g. the same package
+  // cached under multiple npx hashes) into one, noting how many places it was seen.
+  const byKey = new Map();
+  for (const f of findings) {
+    const k = `${f.package}@${f.version}|${f.code}|${f.evidence || ''}|${f.message}`;
+    const prev = byKey.get(k);
+    if (prev) { prev._copies = (prev._copies || 1) + 1; if (!prev._stores.includes(f.store)) prev._stores.push(f.store); }
+    else { f._copies = 1; f._stores = [f.store]; byKey.set(k, f); }
+  }
+  const deduped = [...byKey.values()].map((f) => {
+    if (f._copies > 1) { f.store = `${f._stores.join(', ')} (${f._copies}x)`; }
+    delete f._copies; delete f._stores; return f;
+  });
+  deduped.sort((a, b) => b.sevNum - a.sevNum || a.package.localeCompare(b.package));
   const totalPackages = [...new Set(allPkgList.map((p) => `${p.name}@${p.version}`))].length;
-  return { cwd, stores: storeStats, totalPackages, totalScanned: seen.size, findings, osv };
+  return { cwd, stores: storeStats, totalPackages, totalScanned: seen.size, findings: deduped, osv };
 }
 
 function splitNV(nv) { const i = nv.lastIndexOf('@'); return [nv.slice(0, i), nv.slice(i + 1)]; }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pkgradar",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Content-based supply-chain scanner for npm/pnpm/yarn/bun: inspects the bytes you actually installed (lifecycle hooks, obfuscated payloads, worm IOCs) instead of just matching package names against an advisory list.",
   "bin": {
     "pkgradar": "bin/pkgradar.js"