scriptguard 1.0.0

package/dist/ai/analyzers/insight-generator.js

@@ -0,0 +1,384 @@
+"use strict";
+/** ScriptGuard — Insight generator for actionable security guidance */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateInsights = generateInsights;
+/**
+ * Generate actionable security insights for findings
+ */
+function generateInsights(analysis, includeMitigation = true) {
+    const insights = [];
+    // Group findings by severity
+    const findingsBySeverity = groupBySeverity(analysis.findings);
+    // Generate insights for each severity level
+    for (const [severity, findings] of Object.entries(findingsBySeverity)) {
+        if (findings.length === 0)
+            continue;
+        const severityInsights = generateInsightsForSeverity(findings, severity, analysis, includeMitigation);
+        insights.push(...severityInsights);
+    }
+    return insights;
+}
+/**
+ * Generate insights for a specific severity level
+ */
+function generateInsightsForSeverity(findings, severity, analysis, includeMitigation) {
+    const insights = [];
+    switch (severity) {
+        case 'critical':
+            insights.push(generateCriticalInsight(findings, analysis, includeMitigation));
+            break;
+        case 'high':
+            insights.push(...generateHighInsights(findings, analysis, includeMitigation));
+            break;
+        case 'medium':
+            insights.push(...generateMediumInsights(findings, analysis, includeMitigation));
+            break;
+        case 'low':
+            insights.push(generateLowInsight(findings, analysis));
+            break;
+    }
+    return insights;
+}
+/**
+ * Generate insights for critical findings
+ */
+function generateCriticalInsight(findings, analysis, includeMitigation) {
+    const threatTypes = findings.map(f => f.pattern);
+    const uniqueThreats = [...new Set(threatTypes)];
+    const descriptions = [];
+    const techniques = [];
+    for (const threat of uniqueThreats) {
+        switch (threat) {
+            case 'curl-pipe':
+            case 'wget-pipe':
+                descriptions.push('Remote code execution via download pipe');
+                techniques.push('Remote payload execution');
+                break;
+            case 'ssh-access':
+                descriptions.push('SSH private key access detected');
+                techniques.push('Credential theft');
+                break;
+            case 'aws-creds':
+                descriptions.push('AWS credentials being accessed');
+                techniques.push('Cloud credential theft');
+                break;
+            case 'passwd-shadow':
+                descriptions.push('System credential file access');
+                techniques.push('Privilege escalation / credential harvesting');
+                break;
+            case 'keychain-access':
+                descriptions.push('macOS Keychain access detected');
+                techniques.push('Credential theft');
+                break;
+            case 'base64-exec':
+                descriptions.push('Base64-encoded payload execution');
+                techniques.push('Obfuscated code execution');
+                break;
+            case 'crypto-miner':
+                descriptions.push('Cryptocurrency mining software detected');
+                techniques.push('Resource hijacking');
+                break;
+            case 'reverse-shell':
+                descriptions.push('Reverse shell backdoor detected');
+                techniques.push('Remote access trojan (RAT)');
+                break;
+            default:
+                descriptions.push(`Critical threat: ${threat}`);
+                techniques.push('Unknown critical threat');
+        }
+    }
+    return {
+        type: 'threat',
+        severity: 'critical',
+        description: `Package ${analysis.name}@${analysis.version} contains ${findings.length} critical security issue${findings.length > 1 ? 's' : ''}: ${descriptions.join(', ')}. This package should NOT be installed.`,
+        attackTechnique: techniques.join(', '),
+        remediation: includeMitigation ? generateCriticalMitigation(findings, analysis) : undefined,
+        confidence: 0.95,
+    };
+}
+/**
+ * Generate insights for high findings
+ */
+function generateHighInsights(findings, analysis, includeMitigation) {
+    const insights = [];
+    // Group by pattern to avoid duplicate insights
+    const findingsByPattern = new Map();
+    for (const finding of findings) {
+        const existing = findingsByPattern.get(finding.pattern) || [];
+        existing.push(finding);
+        findingsByPattern.set(finding.pattern, existing);
+    }
+    for (const [pattern, patternFindings] of findingsByPattern) {
+        const insight = generateHighInsightForPattern(pattern, patternFindings, analysis, includeMitigation);
+        insights.push(insight);
+    }
+    return insights;
+}
+function generateHighInsightForPattern(pattern, findings, analysis, includeMitigation) {
+    const scriptsAffected = [...new Set(findings.map(f => f.scriptName))];
+    switch (pattern) {
+        case 'curl-silent':
+        case 'curl-post':
+            return {
+                type: 'threat',
+                severity: 'high',
+                description: `Silent or outbound HTTP requests in ${scriptsAffected.join(', ')} scripts. This may indicate data exfiltration or command & control communication.`,
+                attackTechnique: 'Data exfiltration / C2 communication',
+                remediation: includeMitigation
+                    ? 'Review the destination URLs. If unknown, block network access for this package and consider removing it.'
+                    : undefined,
+                confidence: 0.8,
+            };
+        case 'eval-usage':
+            return {
+                type: 'threat',
+                severity: 'high',
+                description: `Dynamic code execution (eval/Function) detected in ${scriptsAffected.join(', ')} scripts. This allows arbitrary code execution and is extremely dangerous.`,
+                attackTechnique: 'Arbitrary code execution',
+                remediation: includeMitigation
+                    ? 'Avoid this package. Dynamic code execution in lifecycle scripts is unacceptable for production dependencies.'
+                    : undefined,
+                confidence: 0.9,
+            };
+        case 'shell-exec':
+            return {
+                type: 'threat',
+                severity: 'high',
+                description: `Direct shell execution detected in ${scriptsAffected.join(', ')} scripts. This can execute arbitrary system commands.`,
+                attackTechnique: 'Arbitrary command execution',
+                remediation: includeMitigation
+                    ? 'Review what commands are being executed. If unclear or suspicious, remove this package.'
+                    : undefined,
+                confidence: 0.85,
+            };
+        case 'node-eval':
+            return {
+                type: 'threat',
+                severity: 'high',
+                description: `Node.js evaluating code from command line in ${scriptsAffected.join(', ')} scripts. This executes arbitrary JavaScript code.`,
+                attackTechnique: 'Arbitrary code execution',
+                remediation: includeMitigation
+                    ? 'Determine what code is being evaluated. If not absolutely necessary, remove this package.'
+                    : undefined,
+                confidence: 0.85,
+            };
+        case 'env-file':
+            return {
+                type: 'threat',
+                severity: 'high',
+                description: `Reading .env files in ${scriptsAffected.join(', ')} scripts. May expose API keys, database credentials, or other secrets.`,
+                attackTechnique: 'Secret exfiltration',
+                remediation: includeMitigation
+                    ? 'Check if this package legitimately needs .env access. If not, remove it. Consider using environment variables directly instead.'
+                    : undefined,
+                confidence: 0.75,
+            };
+        case 'env-exfil':
+            return {
+                type: 'threat',
+                severity: 'high',
+                description: `Accessing environment variables in ${scriptsAffected.join(', ')} scripts. Could exfiltrate sensitive data like API keys or tokens.`,
+                attackTechnique: 'Credential theft',
+                remediation: includeMitigation
+                    ? 'Review which environment variables are accessed. If suspicious, remove the package and rotate any exposed credentials.'
+                    : undefined,
+                confidence: 0.7,
+            };
+        case 'clipboard-access':
+            return {
+                type: 'threat',
+                severity: 'high',
+                description: `Accessing system clipboard in ${scriptsAffected.join(', ')} scripts. Can steal sensitive data recently copied by the user.`,
+                attackTechnique: 'Data theft',
+                remediation: includeMitigation
+                    ? 'Avoid packages that access the clipboard. This is highly suspicious behavior for an npm package.'
+                    : undefined,
+                confidence: 0.85,
+            };
+        case 'hex-encode':
+            return {
+                type: 'threat',
+                severity: 'high',
+                description: `Hex-encoded strings detected in ${scriptsAffected.join(', ')} scripts. This is likely obfuscation to hide malicious code.`,
+                attackTechnique: 'Obfuscation',
+                remediation: includeMitigation
+                    ? 'Decode the hex strings to reveal the actual code. If the purpose is unclear, treat this package as compromised.'
+                    : undefined,
+                confidence: 0.8,
+            };
+        default:
+            return {
+                type: 'threat',
+                severity: 'high',
+                description: `High-risk pattern "${pattern}" detected in ${scriptsAffected.join(', ')} scripts.`,
+                attackTechnique: 'Unknown high-severity threat',
+                remediation: includeMitigation
+                    ? 'Review the script content manually. If the purpose is unclear, remove this package.'
+                    : undefined,
+                confidence: 0.7,
+            };
+    }
+}
+/**
+ * Generate insights for medium findings
+ */
+function generateMediumInsights(findings, analysis, includeMitigation) {
+    const insights = [];
+    // Group by pattern
+    const findingsByPattern = new Map();
+    for (const finding of findings) {
+        const existing = findingsByPattern.get(finding.pattern) || [];
+        existing.push(finding);
+        findingsByPattern.set(finding.pattern, existing);
+    }
+    for (const [pattern, patternFindings] of findingsByPattern) {
+        const insight = generateMediumInsightForPattern(pattern, patternFindings, analysis, includeMitigation);
+        insights.push(insight);
+    }
+    return insights;
+}
+function generateMediumInsightForPattern(pattern, findings, analysis, includeMitigation) {
+    const scriptsAffected = [...new Set(findings.map(f => f.scriptName))];
+    switch (pattern) {
+        case 'http-request':
+            return {
+                type: 'threat',
+                severity: 'medium',
+                description: `Outbound HTTP requests in ${scriptsAffected.join(', ')} scripts. Verify destination URLs are legitimate.`,
+                attackTechnique: 'Network activity',
+                remediation: includeMitigation
+                    ? 'Check the destination URLs. If unknown or suspicious, remove the package.'
+                    : undefined,
+                confidence: 0.6,
+            };
+        case 'dns-lookup':
+            return {
+                type: 'threat',
+                severity: 'medium',
+                description: `DNS lookups in ${scriptsAffected.join(', ')} scripts. May be used for DNS tunneling data exfiltration.`,
+                attackTechnique: 'DNS tunneling',
+                remediation: includeMitigation
+                    ? 'Verify why DNS lookups are needed. If unclear, review the package source code.'
+                    : undefined,
+                confidence: 0.65,
+            };
+        case 'child-process':
+            return {
+                type: 'threat',
+                severity: 'medium',
+                description: `Spawning child processes in ${scriptsAffected.join(', ')} scripts. This is common for build tools but can execute arbitrary commands.`,
+                attackTechnique: 'Command execution',
+                remediation: includeMitigation
+                    ? 'If this is a build tool package, it may be legitimate. Otherwise, review what commands are executed.'
+                    : undefined,
+                confidence: 0.5,
+            };
+        case 'require-resolve':
+            return {
+                type: 'threat',
+                severity: 'medium',
+                description: `Dynamic require() calls in ${scriptsAffected.join(', ')} scripts. This can load arbitrary code at runtime.`,
+                attackTechnique: 'Dynamic code loading',
+                remediation: includeMitigation
+                    ? 'Determine what modules are being loaded dynamically. If unclear, treat as suspicious.'
+                    : undefined,
+                confidence: 0.6,
+            };
+        case 'tmp-write':
+            return {
+                type: 'threat',
+                severity: 'medium',
+                description: `Writing to temp directory in ${scriptsAffected.join(', ')} scripts. May be used for staging malicious files.`,
+                attackTechnique: 'File system activity',
+                remediation: includeMitigation
+                    ? 'Check what files are being written and why. If unclear, review the package source.'
+                    : undefined,
+                confidence: 0.5,
+            };
+        case 'chmod-exec':
+            return {
+                type: 'threat',
+                severity: 'medium',
+                description: `Making files executable in ${scriptsAffected.join(', ')} scripts. Verify what files are affected.`,
+                attackTechnique: 'Permission modification',
+                remediation: includeMitigation
+                    ? 'Review what files are being made executable. If not necessary for the package, this is suspicious.'
+                    : undefined,
+                confidence: 0.55,
+            };
+        case 'unicode-escape':
+            return {
+                type: 'threat',
+                severity: 'medium',
+                description: `Unicode-escaped strings in ${scriptsAffected.join(', ')} scripts. May be obfuscating malicious code.`,
+                attackTechnique: 'Obfuscation',
+                remediation: includeMitigation
+                    ? 'Unescape the strings to check what they contain. If suspicious, remove the package.'
+                    : undefined,
+                confidence: 0.6,
+            };
+        default:
+            return {
+                type: 'threat',
+                severity: 'medium',
+                description: `Medium-risk pattern "${pattern}" detected in ${scriptsAffected.join(', ')} scripts.`,
+                attackTechnique: 'Unknown medium-severity threat',
+                remediation: includeMitigation
+                    ? 'Review the script content to understand if this is legitimate for the package functionality.'
+                    : undefined,
+                confidence: 0.5,
+            };
+    }
+}
+/**
+ * Generate insights for low findings
+ */
+function generateLowInsight(findings, analysis) {
+    const scriptsAffected = [...new Set(findings.map(f => f.scriptName))];
+    return {
+        type: 'threat',
+        severity: 'low',
+        description: `Package ${analysis.name}@${analysis.version} has ${findings.length} low-risk finding${findings.length > 1 ? 's' : ''} in ${scriptsAffected.join(', ')} scripts. These are often lifecycle scripts with no detected malicious patterns - review as needed.`,
+        confidence: 0.4,
+    };
+}
+/**
+ * Generate mitigation guidance for critical findings
+ */
+function generateCriticalMitigation(findings, analysis) {
+    const steps = [];
+    steps.push('IMMEDIATE ACTIONS:');
+    steps.push(`1. Uninstall this package: npm uninstall ${analysis.name}`);
+    steps.push('2. Review all packages installed around the same time');
+    steps.push('3. Check for unauthorized access or data exfiltration');
+    steps.push('4. Scan your system for compromise');
+    steps.push('5. Rotate any credentials that may have been exposed');
+    steps.push('\nINVESTIGATION:');
+    steps.push('- Check package installation date and source');
+    steps.push('- Review the full script content in node_modules');
+    steps.push('- Check network logs for suspicious connections');
+    steps.push('- Audit system logs for unusual activity');
+    steps.push('\nPREVENTION:');
+    steps.push('- Always audit packages before installation');
+    steps.push('- Use `npm audit` and `scriptguard scan` regularly');
+    steps.push('- Pin dependency versions to prevent surprise updates');
+    steps.push('- Consider using a private npm registry');
+    steps.push('- Enable 2FA on your npm account');
+    return steps.join('\n');
+}
+/**
+ * Group findings by severity
+ */
+function groupBySeverity(findings) {
+    const grouped = {
+        low: [],
+        medium: [],
+        high: [],
+        critical: [],
+    };
+    for (const finding of findings) {
+        grouped[finding.riskLevel].push(finding);
+    }
+    return grouped;
+}
+//# sourceMappingURL=insight-generator.js.map

package/dist/ai/analyzers/insight-generator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"insight-generator.js","sourceRoot":"","sources":["../../../src/ai/analyzers/insight-generator.ts"],"names":[],"mappings":";AAAA,uEAAuE;;AAOvE,4CAwBC;AA3BD;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,QAAyB,EACzB,oBAA6B,IAAI;IAEjC,MAAM,QAAQ,GAAgB,EAAE,CAAC;IAEjC,6BAA6B;IAC7B,MAAM,kBAAkB,GAAG,eAAe,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAE9D,4CAA4C;IAC5C,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACtE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEpC,MAAM,gBAAgB,GAAG,2BAA2B,CAClD,QAAQ,EACR,QAAqB,EACrB,QAAQ,EACR,iBAAiB,CAClB,CAAC;QAEF,QAAQ,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC;IACrC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,2BAA2B,CAClC,QAAmB,EACnB,QAAmB,EACnB,QAAyB,EACzB,iBAA0B;IAE1B,MAAM,QAAQ,GAAgB,EAAE,CAAC;IAEjC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU;YACb,QAAQ,CAAC,IAAI,CAAC,uBAAuB,CAAC,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,CAAC,CAAC,CAAC;YAC9E,MAAM;QAER,KAAK,MAAM;YACT,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,CAAC,CAAC,CAAC;YAC9E,MAAM;QAER,KAAK,QAAQ;YACX,QAAQ,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,CAAC,CAAC,CAAC;YAChF,MAAM;QAER,KAAK,KAAK;YACR,QAAQ,CAAC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;YACtD,MAAM;IACV,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAC9B,QAAmB,EACnB,QAAyB,EACzB,iBAA0B;IAE1B,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,aAAa,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;IAEhD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,MAAM,IAAI,aAAa,EAAE,CAAC;QACnC,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,WAAW,CAAC;YACjB,KAAK,WAAW;gBACd,YAAY,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;gBAC7D,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;gBAC5C,MAAM;YAER,KAAK,YAAY;gBACf,YAAY,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;gBACrD,UAAU,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;gBACpC,MAAM;YAER,KAAK,WAAW;gBACd,YAAY,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;gBACpD,UAAU,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;gBAC1C,MAAM;YAER,KAAK,eAAe;gBAClB,YAAY,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;gBACnD,UAAU,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;gBAChE,MAAM;YAER,KAAK,iBAAiB;gBACpB,YAAY,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;gBACpD,UAAU,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;gBACpC,MAAM;YAER,KAAK,aAAa;gBAChB,YAAY,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;gBACtD,UAAU,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;gBAC7C,MAAM;YAER,KAAK,cAAc;gBACjB,YAAY,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;gBAC7D,UAAU,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;gBACtC,MAAM;YAER,KAAK,eAAe;gBAClB,YAAY,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;gBACrD,UAAU,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBAC9C,MAAM;YAER;gBACE,YAAY,CAAC,IAAI,CAAC,oBAAoB,MAAM,EAAE,CAAC,CAAC;gBAChD,UAAU,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,WAAW,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,aAAa,QAAQ,CAAC,MAAM,2BAA2B,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,yCAAyC;QACnN,eAAe,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;QACtC,WAAW,EAAE,iBAAiB,CAAC,CAAC,CAAC,0BAA0B,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;QAC3F,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,QAAmB,EACnB,QAAyB,EACzB,iBAA0B;IAE1B,MAAM,QAAQ,GAAgB,EAAE,CAAC;IAEjC,+CAA+C;IAC/C,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAqB,CAAC;IACvD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAC9D,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvB,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,iBAAiB,EAAE,CAAC;QAC3D,MAAM,OAAO,GAAG,6BAA6B,CAAC,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,iBAAiB,CAAC,CAAC;QACrG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACzB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,6BAA6B,CACpC,OAAe,EACf,QAAmB,EACnB,QAAyB,EACzB,iBAA0B;IAE1B,MAAM,eAAe,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEtE,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,aAAa,CAAC;QACnB,KAAK,WAAW;YACd,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,uCAAuC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,mFAAmF;gBACjK,eAAe,EAAE,sCAAsC;gBACvD,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,0GAA0G;oBAC5G,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;QAEJ,KAAK,YAAY;YACf,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,sDAAsD,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,4EAA4E;gBACzK,eAAe,EAAE,0BAA0B;gBAC3C,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,8GAA8G;oBAChH,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;QAEJ,KAAK,YAAY;YACf,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,sCAAsC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,uDAAuD;gBACpI,eAAe,EAAE,6BAA6B;gBAC9C,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,yFAAyF;oBAC3F,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,IAAI;aACjB,CAAC;QAEJ,KAAK,WAAW;YACd,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,gDAAgD,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,oDAAoD;gBAC3I,eAAe,EAAE,0BAA0B;gBAC3C,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,2FAA2F;oBAC7F,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,IAAI;aACjB,CAAC;QAEJ,KAAK,UAAU;YACb,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,yBAAyB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,wEAAwE;gBACxI,eAAe,EAAE,qBAAqB;gBACtC,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,iIAAiI;oBACnI,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,IAAI;aACjB,CAAC;QAEJ,KAAK,WAAW;YACd,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,sCAAsC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,oEAAoE;gBACjJ,eAAe,EAAE,kBAAkB;gBACnC,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,wHAAwH;oBAC1H,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;QAEJ,KAAK,kBAAkB;YACrB,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,iCAAiC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,iEAAiE;gBACzI,eAAe,EAAE,YAAY;gBAC7B,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,kGAAkG;oBACpG,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,IAAI;aACjB,CAAC;QAEJ,KAAK,YAAY;YACf,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,mCAAmC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,8DAA8D;gBACxI,eAAe,EAAE,aAAa;gBAC9B,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,iHAAiH;oBACnH,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;QAEJ;YACE,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,sBAAsB,OAAO,iBAAiB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW;gBAChG,eAAe,EAAE,8BAA8B;gBAC/C,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,qFAAqF;oBACvF,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;IACN,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,QAAmB,EACnB,QAAyB,EACzB,iBAA0B;IAE1B,MAAM,QAAQ,GAAgB,EAAE,CAAC;IAEjC,mBAAmB;IACnB,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAqB,CAAC;IACvD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAC9D,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvB,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,iBAAiB,EAAE,CAAC;QAC3D,MAAM,OAAO,GAAG,+BAA+B,CAAC,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,iBAAiB,CAAC,CAAC;QACvG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACzB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,+BAA+B,CACtC,OAAe,EACf,QAAmB,EACnB,QAAyB,EACzB,iBAA0B;IAE1B,MAAM,eAAe,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEtE,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,cAAc;YACjB,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,6BAA6B,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,mDAAmD;gBACvH,eAAe,EAAE,kBAAkB;gBACnC,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,2EAA2E;oBAC7E,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;QAEJ,KAAK,YAAY;YACf,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,kBAAkB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,4DAA4D;gBACrH,eAAe,EAAE,eAAe;gBAChC,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,gFAAgF;oBAClF,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,IAAI;aACjB,CAAC;QAEJ,KAAK,eAAe;YAClB,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,+BAA+B,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,8EAA8E;gBACpJ,eAAe,EAAE,mBAAmB;gBACpC,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,sGAAsG;oBACxG,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;QAEJ,KAAK,iBAAiB;YACpB,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,8BAA8B,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,oDAAoD;gBACzH,eAAe,EAAE,sBAAsB;gBACvC,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,uFAAuF;oBACzF,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;QAEJ,KAAK,WAAW;YACd,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,gCAAgC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,oDAAoD;gBAC3H,eAAe,EAAE,sBAAsB;gBACvC,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,oFAAoF;oBACtF,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;QAEJ,KAAK,YAAY;YACf,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,8BAA8B,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,2CAA2C;gBAChH,eAAe,EAAE,yBAAyB;gBAC1C,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,oGAAoG;oBACtG,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,IAAI;aACjB,CAAC;QAEJ,KAAK,gBAAgB;YACnB,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,8BAA8B,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,8CAA8C;gBACnH,eAAe,EAAE,aAAa;gBAC9B,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,qFAAqF;oBACvF,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;QAEJ;YACE,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,wBAAwB,OAAO,iBAAiB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW;gBAClG,eAAe,EAAE,gCAAgC;gBACjD,WAAW,EAAE,iBAAiB;oBAC5B,CAAC,CAAC,8FAA8F;oBAChG,CAAC,CAAC,SAAS;gBACb,UAAU,EAAE,GAAG;aAChB,CAAC;IACN,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CACzB,QAAmB,EACnB,QAAyB;IAEzB,MAAM,eAAe,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAEtE,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,WAAW,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,QAAQ,QAAQ,CAAC,MAAM,oBAAoB,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,OAAO,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,qGAAqG;QACxQ,UAAU,EAAE,GAAG;KAChB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,0BAA0B,CAAC,QAAmB,EAAE,QAAyB;IAChF,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,KAAK,CAAC,IAAI,CAAC,4CAA4C,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IACxE,KAAK,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IACpE,KAAK,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IACpE,KAAK,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;IACjD,KAAK,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;IAEnE,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/B,KAAK,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;IAC3D,KAAK,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;IAEvD,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IAC1D,KAAK,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;IACjE,KAAK,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IACpE,KAAK,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAE/C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,QAAmB;IAC1C,MAAM,OAAO,GAAiC;QAC5C,GAAG,EAAE,EAAE;QACP,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,EAAE;QACR,QAAQ,EAAE,EAAE;KACb,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/ai/analyzers/threat-detector.d.ts

@@ -0,0 +1,7 @@
+/** ScriptGuard — Advanced threat detector analyzer */
+import type { PackageAnalysis, AIInsight } from '../../types/index.js';
+/**
+ * Detect advanced threats that may have been missed by regex patterns
+ */
+export declare function detectAdvancedThreats(analysis: PackageAnalysis, aiInsights: AIInsight[]): AIInsight[];
+//# sourceMappingURL=threat-detector.d.ts.map

package/dist/ai/analyzers/threat-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"threat-detector.d.ts","sourceRoot":"","sources":["../../../src/ai/analyzers/threat-detector.ts"],"names":[],"mappings":"AAAA,sDAAsD;AAEtD,OAAO,KAAK,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEvE;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,eAAe,EACzB,UAAU,EAAE,SAAS,EAAE,GACtB,SAAS,EAAE,CAqBb"}

package/dist/ai/analyzers/threat-detector.js

@@ -0,0 +1,249 @@
+"use strict";
+/** ScriptGuard — Advanced threat detector analyzer */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAdvancedThreats = detectAdvancedThreats;
+/**
+ * Detect advanced threats that may have been missed by regex patterns
+ */
+function detectAdvancedThreats(analysis, aiInsights) {
+    const threats = [];
+    // Add AI-identified threats
+    for (const insight of aiInsights) {
+        if (insight.type === 'threat') {
+            threats.push(insight);
+        }
+    }
+    // Run additional detection heuristics
+    const obfuscationThreats = detectObfuscation(analysis);
+    threats.push(...obfuscationThreats);
+    const correlationThreats = detectMultiStageAttacks(analysis);
+    threats.push(...correlationThreats);
+    const novelThreats = detectNovelPatterns(analysis);
+    threats.push(...novelThreats);
+    return threats;
+}
+/**
+ * Detect obfuscation techniques
+ */
+function detectObfuscation(analysis) {
+    const threats = [];
+    const { scripts, name } = analysis;
+    for (const [scriptName, content] of Object.entries(scripts)) {
+        // Check for various obfuscation techniques
+        // 1. Excessive encoding (base64, hex, unicode)
+        const encodingCount = [
+            (content.match(/\\x[0-9a-fA-F]{2}/g) || []).length,
+            (content.match(/\\u[0-9a-fA-F]{4}/g) || []).length,
+            (content.match(/atob\s*\(/g) || []).length,
+            (content.match(/btoa\s*\(/g) || []).length,
+            (content.match(/Buffer\.from\s*\(/g) || []).length,
+            (content.match(/toString\s*\(\s*['"](base64|hex|binary)['"]\s*\)/g) || []).length,
+        ].reduce((sum, count) => sum + count, 0);
+        if (encodingCount > 3) {
+            threats.push({
+                type: 'threat',
+                severity: 'high',
+                description: `Script "${scriptName}" uses extensive encoding (${encodingCount} instances). This is a strong indicator of obfuscated malicious code attempting to hide its true purpose.`,
+                attackTechnique: 'Obfuscation via encoding',
+                remediation: 'Review the decoded content to understand what the script actually does. Avoid packages with heavily obfuscated lifecycle scripts.',
+                confidence: Math.min(0.95, 0.5 + encodingCount * 0.1),
+            });
+        }
+        // 2. String concatenation to hide keywords
+        const concatenationPatterns = [
+            /['"][\w\s]{1,5}['"]\s*\+\s*['"][\w\s]{1,5}['"]\s*\+\s*['"][\w\s]{1,5}['"]/g,
+            /['"][\w\s]{1,5}['"]\s*\+\s*\w+\s*\+\s*['"][\w\s]{1,5}['"]/g,
+        ];
+        let concatenationCount = 0;
+        for (const pattern of concatenationPatterns) {
+            const matches = content.match(pattern);
+            if (matches)
+                concatenationCount += matches.length;
+        }
+        if (concatenationCount > 2) {
+            threats.push({
+                type: 'threat',
+                severity: 'medium',
+                description: `Script "${scriptName}" uses extensive string concatenation (${concatenationCount} instances). This may be used to hide malicious keywords from detection.`,
+                attackTechnique: 'Keyword obfuscation',
+                remediation: 'Deobfuscate the string concatenations to reveal the actual code. Be suspicious of packages trying to hide what their scripts do.',
+                confidence: Math.min(0.85, 0.4 + concatenationCount * 0.15),
+            });
+        }
+        // 3. Eval-like patterns (beyond basic regex)
+        const advancedEvalPatterns = [
+            /Function\s*\(\s*['"]+[\w\s]*['"]+\s*\)/g, // Function("code")()
+            /new\s+Function\s*\(/g,
+            /setInterval\s*\(\s*['"]/g, // setInterval("code")
+            /setTimeout\s*\(\s*['"]/g, // setTimeout("code")
+            /require\s*\(\s*[^'"]*\+/g, // dynamic require
+        ];
+        for (const pattern of advancedEvalPatterns) {
+            if (pattern.test(content)) {
+                threats.push({
+                    type: 'threat',
+                    severity: 'high',
+                    description: `Script "${scriptName}" uses dynamic code execution patterns. This allows arbitrary code execution and is commonly used in malware.`,
+                    attackTechnique: 'Dynamic code execution',
+                    remediation: 'Avoid packages with dynamic code execution in lifecycle scripts. This is extremely dangerous even if the code looks innocent.',
+                    confidence: 0.8,
+                });
+                break; // Only add once per script
+            }
+        }
+        // 4. Polyglot code (code that can execute in multiple contexts)
+        const polyglotIndicators = [
+            /\/\/\s*@<script>/i, // JavaScript inside HTML
+            /\/\*\s*@if\s*\(/, // Conditional compilation
+            /<\?[pP][hH][pP]/, // PHP tags
+            /<%/g, // ASP tags
+        ];
+        for (const indicator of polyglotIndicators) {
+            if (indicator.test(content)) {
+                threats.push({
+                    type: 'threat',
+                    severity: 'critical',
+                    description: `Script "${scriptName}" contains polyglot code patterns. This can execute in multiple contexts and is a hallmark of sophisticated malware.`,
+                    attackTechnique: 'Polyglot code injection',
+                    remediation: 'Immediately remove this package. Polyglot code in lifecycle scripts is almost always malicious.',
+                    confidence: 0.9,
+                });
+                break;
+            }
+        }
+    }
+    return threats;
+}
+/**
+ * Detect multi-stage attacks across multiple scripts
+ */
+function detectMultiStageAttacks(analysis) {
+    const threats = [];
+    const { scripts, name } = analysis;
+    const scriptNames = Object.keys(scripts);
+    if (scriptNames.length < 2) {
+        return threats;
+    }
+    // Check for attack chains across scripts
+    // 1. preinstall → postinstall chain (setup then execute)
+    if (scripts.preinstall && scripts.postinstall) {
+        const preinstallDownloads = /\b(curl|wget|fetch|request|http\.get|axios)\b/i.test(scripts.preinstall);
+        const postinstallExecutes = /\b(eval|exec|spawn|bash|sh|node\s+-e)\b/i.test(scripts.postinstall);
+        if (preinstallDownloads && postinstallExecutes) {
+            threats.push({
+                type: 'threat',
+                severity: 'critical',
+                description: `Multi-stage attack detected: preinstall downloads content, postinstall executes it. This is a classic supply chain attack pattern.`,
+                attackTechnique: 'Multi-stage payload delivery',
+                remediation: 'Immediately remove this package and review all packages installed around the same time. Scan your system for compromise.',
+                confidence: 0.95,
+            });
+        }
+    }
+    // 2. Multiple scripts accessing sensitive data
+    let sensitiveAccessCount = 0;
+    const sensitivePatterns = [
+        /~\/\.ssh/, /\.aws/, /process\.env/, /\.env/, /credential/, /secret/, /key/i
+    ];
+    for (const [scriptName, content] of Object.entries(scripts)) {
+        for (const pattern of sensitivePatterns) {
+            if (pattern.test(content)) {
+                sensitiveAccessCount++;
+                break;
+            }
+        }
+    }
+    if (sensitiveAccessCount >= 2) {
+        threats.push({
+            type: 'threat',
+            severity: 'high',
+            description: `${sensitiveAccessCount} lifecycle scripts access sensitive data. This coordinated access pattern suggests data exfiltration preparation.`,
+            attackTechnique: 'Credential harvesting',
+            remediation: 'Review all scripts to understand what data they\'re accessing. Consider this package compromised unless you can verify legitimacy.',
+            confidence: 0.75,
+        });
+    }
+    // 3. Scripts that create other scripts (persistence mechanism)
+    let scriptCreationCount = 0;
+    for (const [scriptName, content] of Object.entries(scripts)) {
+        const createsScripts = /\b(writeFile|writeFileSync|appendFile|createWriteStream|\.js|\.sh|\.bash)\b/i.test(content);
+        if (createsScripts) {
+            scriptCreationCount++;
+        }
+    }
+    if (scriptCreationCount >= 2) {
+        threats.push({
+            type: 'threat',
+            severity: 'high',
+            description: `${scriptCreationCount} lifecycle scripts create files. This may be a persistence mechanism to maintain access after installation.`,
+            attackTechnique: 'Persistence via file creation',
+            remediation: 'Search for any unusual files created by this package. Check for newly created scripts in node_modules, /tmp, or home directory.',
+            confidence: 0.7,
+        });
+    }
+    return threats;
+}
+/**
+ * Detect novel attack patterns not covered by regex rules
+ */
+function detectNovelPatterns(analysis) {
+    const threats = [];
+    const { scripts, name, findings } = analysis;
+    // 1. Packages with no regex findings but suspicious behavior
+    if (findings.length === 0 && Object.keys(scripts).length > 0) {
+        const hasComplexScript = Object.values(scripts).some(content => content.length > 300 || content.includes('&&') || content.includes('||'));
+        if (hasComplexScript) {
+            threats.push({
+                type: 'threat',
+                severity: 'low',
+                description: `Package has complex lifecycle scripts but didn't match known malicious patterns. This doesn't mean it's safe - novel attacks may not match existing rules.`,
+                attackTechnique: 'Unknown / novel attack',
+                remediation: 'Manually review all lifecycle scripts. Consider whether the functionality is necessary and if you trust the package maintainer.',
+                confidence: 0.4,
+            });
+        }
+    }
+    // 2. Suspicious package naming patterns
+    const suspiciousNaming = [
+        /update/i, /patch/i, /fix/i, /critical/i, /security/i,
+        /urgent/i, /important/i, /official/i, /verified/i
+    ];
+    for (const pattern of suspiciousNaming) {
+        if (pattern.test(name) && !isWellKnownPackage(name)) {
+            threats.push({
+                type: 'threat',
+                severity: 'medium',
+                description: `Package name "${name}" includes urgency/authority keywords. Attackers often use such names to trick users into installing malicious packages.`,
+                attackTechnique: 'Typosquatting / impersonation',
+                remediation: 'Verify this is the official package. Check spelling, publisher, and download count. Look for the official package instead.',
+                confidence: 0.6,
+            });
+            break;
+        }
+    }
+    // 3. Recently created packages with invasive scripts
+    // (We can't check creation date without npm registry API, but we can flag for review)
+    if (Object.keys(scripts).length > 2) {
+        threats.push({
+            type: 'threat',
+            severity: 'low',
+            description: `Package has ${Object.keys(scripts).length} lifecycle scripts. Most legitimate packages only need 1-2. Multiple scripts may indicate unnecessary complexity or malicious intent.`,
+            attackTechnique: 'Excessive script footprint',
+            remediation: 'Review each script to understand its purpose. Be suspicious of packages with more lifecycle scripts than necessary.',
+            confidence: 0.5,
+        });
+    }
+    return threats;
+}
+/**
+ * Check if package is well-known/legitimate
+ */
+function isWellKnownPackage(packageName) {
+    const knownPackages = [
+        'eslint', 'prettier', 'typescript', 'babel', 'webpack',
+        'vite', 'rollup', 'esbuild', 'jest', 'vitest',
+        'lodash', 'axios', 'react', 'vue', 'angular'
+    ];
+    return knownPackages.some(known => packageName.startsWith(known));
+}
+//# sourceMappingURL=threat-detector.js.map