scan-compromised 1.0.1

package/README.md

@@ -0,0 +1,78 @@
+# scan-compromised
+
+🔍 A CLI tool to detect known compromised npm packages in your project.
+
+This scanner checks your `package.json`, `package-lock.json`, `yarn.lock`, and `pnpm-lock.yaml` files for any packages that were compromised in recent supply chain attacks — including the September 2025 Shai-Hulud incident.
+
+It flags:
+- ❌ Known malicious versions (fails the scan)
+- ⚠️ Safe versions of previously compromised packages (warns but does not fail)
+
+---
+
+## 🚀 Installation
+
+### Run directly with `npx` (no install)
+```bash
+npx scan-compromised
+```
+Or install globally
+```bash
+npm install -g scan-compromised
+scan-compromised
+```
+## 📦 Usage
+### Basic scan
+```bash
+scan-compromised
+```
+### JSON output (for CI integration)
+```bash
+scan-compromised --json
+```
+## 📁 Threat List
+The tool uses a local `threats.json` file located in the root of the CLI package. This file contains a list of known compromised packages and their malicious versions.
+
+Example `threats.json`
+```json
+{
+  "@ctrl/tinycolor": ["4.1.1", "4.1.2"],
+  "ngx-toastr": ["19.0.1", "19.0.2"]
+}
+```
+You can update this file manually as new threats are discovered. Trusted sources include:
+
+StepSecurity
+
+GitHub Security Advisories
+
+Snyk Vulnerability Database
+
+## 🧪 GitHub Actions Integration
+You can run this tool automatically on every push or pull request using GitHub Actions.
+
+`.github/workflows/scan.yml`
+```yaml
+name: Scan for Compromised Packages
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: '18'
+      - name: Install scanner
+        run: npm install scan-compromised
+      - name: Run scan
+        run: npx scan-compromised
+```
+## 🛡️ License
+MIT © Jonathan Blades

package/index.js

@@ -0,0 +1,224 @@
+#!/usr/bin/env node
+const fs = require("fs");
+const path = require("path");
+const https = require("https");
+
+function loadThreats() {
+  const threatPath = path.join(__dirname, "threats.json");
+  if (!fs.existsSync(threatPath)) {
+    console.error("❌ threats.json not found in CLI directory.");
+    process.exit(1);
+  }
+  try {
+    const raw = fs.readFileSync(threatPath, "utf8");
+    return JSON.parse(raw);
+  } catch (err) {
+    console.error("❌ Failed to parse threats.json:", err.message);
+    process.exit(1);
+  }
+}
+
+const compromised = loadThreats();
+
+const filesToCheck = [
+  "package.json",
+  "package-lock.json",
+  "yarn.lock",
+  "pnpm-lock.yaml"
+];
+
+function escRe(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+function getCompromisedMap() {
+  const map = new Map();
+  for (const [pkg, versions] of Object.entries(compromised)) {
+    map.set(pkg, new Set(versions));
+  }
+  return map;
+}
+
+function recordFinding(findings, type, file, pkg, version, where) {
+  findings.push({ type, file, pkg, version, where });
+}
+
+// -------- Scanners --------
+
+// package.json
+function scanPackageJson(content, bad) {
+  const findings = [];
+  try {
+    const json = JSON.parse(content);
+    const allDeps = {
+      ...(json.dependencies || {}),
+      ...(json.devDependencies || {}),
+      ...(json.peerDependencies || {}),
+      ...(json.optionalDependencies || {})
+    };
+    for (const [pkg, range] of Object.entries(allDeps)) {
+      if (!bad.has(pkg)) continue;
+      let type = "warn";
+      for (const v of bad.get(pkg)) {
+        if (range === v || range === `=${v}`) {
+          type = "bad";
+          break;
+        }
+      }
+      recordFinding(findings, type, "package.json", pkg, range, "declared dependency");
+    }
+  } catch {}
+  return findings;
+}
+
+// package-lock.json
+function scanPackageLock(content, bad) {
+  const findings = [];
+  try {
+    const lock = JSON.parse(content);
+    const stack = [];
+
+    function visitDeps(obj, pathArr = []) {
+      if (!obj) return;
+      const deps = obj.dependencies || {};
+      for (const [name, meta] of Object.entries(deps)) {
+        const version = meta.version;
+        if (bad.has(name)) {
+          const type = bad.get(name).has(version) ? "bad" : "warn";
+          recordFinding(findings, type, "package-lock.json", name, version, pathArr.concat(name).join(" > "));
+        }
+        visitDeps(meta, pathArr.concat(name));
+      }
+    }
+
+    if (lock.packages && typeof lock.packages === "object") {
+      for (const [pkgPath, meta] of Object.entries(lock.packages)) {
+        if (!meta || !meta.version) continue;
+        const name = meta.name || (pkgPath.includes("node_modules/") ? pkgPath.split("node_modules/").pop() : null);
+        if (!name) continue;
+        if (bad.has(name)) {
+          const type = bad.get(name).has(meta.version) ? "bad" : "warn";
+          recordFinding(findings, type, "package-lock.json", name, meta.version, pkgPath || "(root)");
+        }
+      }
+    } else {
+      visitDeps(lock, []);
+    }
+  } catch {}
+  return findings;
+}
+
+// yarn.lock v1
+function scanYarnLockV1(content, bad) {
+  const findings = [];
+  const entries = content.split(/\n{2,}/g);
+  for (const entry of entries) {
+    const headerMatch = entry.match(/^"([^"]+)"\s*:\s*$/m);
+    if (!headerMatch) continue;
+    const header = headerMatch[1];
+    const versionMatch = entry.match(/^\s*version\s+"([^"]+)"/m);
+    if (!versionMatch) continue;
+    const version = versionMatch[1];
+    const keys = header.split(/,\s*/g);
+    const packageNames = new Set();
+    for (const key of keys) {
+      if (key.startsWith("@")) {
+        const parts = key.split("@");
+        if (parts.length >= 2) packageNames.add("@" + parts[1]);
+      } else {
+        const at = key.lastIndexOf("@");
+        if (at > 0) packageNames.add(key.slice(0, at));
+      }
+    }
+    for (const name of packageNames) {
+      if (bad.has(name)) {
+        const type = bad.get(name).has(version) ? "bad" : "warn";
+        recordFinding(findings, type, "yarn.lock", name, version, header);
+      }
+    }
+  }
+  return findings;
+}
+
+// Yarn Berry (v2+)
+function scanYarnBerryLock(content, bad) {
+  const findings = [];
+  const blockRe = /^("?([^"\n]+)"?):\n((?: {2}.+\n)+)/gm;
+  let m;
+  while ((m = blockRe.exec(content))) {
+    const key = m[2];
+    const block = m[3];
+    const v = block.match(/^\s{2}version:\s+("?)([^"\n]+)\1/m);
+    if (!v) continue;
+    const version = v[2];
+    let name = key;
+    const protoAt = key.indexOf("@npm:");
+    if (protoAt !== -1) name = key.slice(0, protoAt);
+    else {
+      const at = key.lastIndexOf("@");
+      if (at > 0) name = key.slice(0, at);
+    }
+    if (bad.has(name)) {
+      const type = bad.get(name).has(version) ? "bad" : "warn";
+      recordFinding(findings, type, "yarn.lock", name, version, key);
+    }
+  }
+  return findings;
+}
+
+// pnpm-lock.yaml
+function scanPnpmLock(content, bad) {
+  const findings = [];
+  const re = /^\s*\/?(@?[^@\s/][^@:\s/]*\/?[^@:\s/]*)@([0-9][^:\s]+):/gm;
+  let m;
+  while ((m = re.exec(content))) {
+    const name = m[1];
+    const version = m[2];
+    if (bad.has(name)) {
+      const type = bad.get(name).has(version) ? "bad" : "warn";
+      recordFinding(findings, type, "pnpm-lock.yaml", name, version, `${name}@${version}`);
+    }
+  }
+  return findings;
+}
+
+// -------- Runner --------
+(function main() {
+  const bad = getCompromisedMap();
+  const allFindings = [];
+
+  for (const file of filesToCheck) {
+    const filePath = path.join(process.cwd(), file);
+    if (!fs.existsSync(filePath)) continue;
+    const content = fs.readFileSync(filePath, "utf8");
+
+    if (file === "package.json") {
+      allFindings.push(...scanPackageJson(content, bad));
+    } else if (file === "package-lock.json") {
+      allFindings.push(...scanPackageLock(content, bad));
+    } else if (file === "yarn.lock") {
+      const f1 = scanYarnLockV1(content, bad);
+      const f2 = f1.length ? [] : scanYarnBerryLock(content, bad);
+      allFindings.push(...f1, ...f2);
+    } else if (file === "pnpm-lock.yaml") {
+      allFindings.push(...scanPnpmLock(content, bad));
+    }
+  }
+
+  const badFindings = allFindings.filter(f => f.type === "bad");
+  const warnFindings = allFindings.filter(f => f.type === "warn");
+
+  warnFindings.forEach(f =>
+    console.log(`⚠️  WARNING: ${f.pkg}@${f.version} in ${f.file} (${f.where}) — package was targeted in past attack, but version is not flagged as malicious`)
+  );
+
+  badFindings.forEach(f =>
+    console.log(`❌ ALERT: ${f.pkg}@${f.version} in ${f.file} (${f.where}) — known malicious version`)
+  );
+
+  if (badFindings.length === 0) {
+    console.log("✅ No known malicious versions detected.");
+  } else {
+    process.exit(1);
+  }
+})();

package/package.json

@@ -0,0 +1,15 @@
+{
+  "name": "scan-compromised",
+  "version": "1.0.1",
+  "description": "A simple npm CLI tool (starter template)",
+  "main": "index.js",
+  "bin": {
+    "scan-compromised": "./index.js"
+  },
+  "files": ["index.js", "threats.json"],
+  "scripts": {
+    "start": "node index.js"
+  },
+  "author": "",
+  "license": "MIT"
+}

package/threats.json

@@ -0,0 +1,39 @@
+{
+  "@ctrl/deluge": ["7.2.1", "7.2.2"],
+  "@ctrl/golang-template": ["1.4.2", "1.4.3"],
+  "@ctrl/magnet-link": ["4.0.3", "4.0.4"],
+  "@ctrl/ngx-codemirror": ["7.0.1", "7.0.2"],
+  "@ctrl/ngx-csv": ["6.0.1", "6.0.2"],
+  "@ctrl/ngx-emoji-mart": ["9.2.1", "9.2.2"],
+  "@ctrl/ngx-rightclick": ["4.0.1", "4.0.2"],
+  "@ctrl/qbittorrent": ["9.7.1", "9.7.2"],
+  "@ctrl/react-adsense": ["2.0.1", "2.0.2"],
+  "@ctrl/shared-torrent": ["6.3.1", "6.3.2"],
+  "@ctrl/tinycolor": ["4.1.1", "4.1.2"],
+  "@ctrl/torrent-file": ["4.1.1", "4.1.2"],
+  "@ctrl/transmission": ["7.3.1"],
+  "@ctrl/ts-base32": ["4.0.1", "4.0.2"],
+  "angulartics2": ["14.1.1", "14.1.2"],
+  "json-rules-engine-simplified": ["0.2.1", "0.2.4"],
+  "koa2-swagger-ui": ["5.11.1", "5.11.2"],
+  "@nativescript-community/gesturehandler": ["2.0.35"],
+  "@nativescript-community/sentry": ["4.6.43"],
+  "@nativescript-community/text": ["1.6.9", "1.6.10", "1.6.11", "1.6.12", "1.6.13"],
+  "@nativescript-community/ui-collectionview": ["6.0.6"],
+  "@nativescript-community/ui-drawer": ["0.1.30"],
+  "@nativescript-community/ui-image": ["4.5.6"],
+  "@nativescript-community/ui-material-bottomsheet": ["7.2.72"],
+  "@nativescript-community/ui-material-core": ["7.2.72", "7.2.73", "7.2.74", "7.2.75", "7.2.76"],
+  "@nativescript-community/ui-material-core-tabs": ["7.2.72", "7.2.73", "7.2.74", "7.2.75", "7.2.76"],
+  "ngx-color": ["10.0.1", "10.0.2"],
+  "ngx-toastr": ["19.0.1", "19.0.2"],
+  "ngx-trend": ["8.0.1"],
+  "react-complaint-image": ["0.0.32", "0.0.35"],
+  "react-jsonschema-form-conditionals": ["0.3.18", "0.3.21"],
+  "react-jsonschema-form-extras": ["1.0.4"],
+  "rxnt-authentication": ["0.0.3", "0.0.4", "0.0.5", "0.0.6"],
+  "rxnt-healthchecks-nestjs": ["1.0.2", "1.0.3", "1.0.4", "1.0.5"],
+  "rxnt-kue": ["1.0.4", "1.0.5", "1.0.6", "1.0.7"],
+  "swc-plugin-component-annotate": ["1.9.1", "1.9.2"],
+  "ts-gaussian": ["3.0.5", "3.0.6"]
+}