scriptguard 1.0.0

package/dist/scanners/lifecycle.js

@@ -0,0 +1,202 @@
+"use strict";
+/** ScriptGuard — Lifecycle script parser — reads package.json files from node_modules */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzePackage = analyzePackage;
+exports.scanInstalledPackages = scanInstalledPackages;
+exports.scanSinglePackage = scanSinglePackage;
+exports.extractLifecycleScripts = extractLifecycleScripts;
+exports.calculateRiskScore = calculateRiskScore;
+exports.riskLevelFromScore = riskLevelFromScore;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const patterns_js_1 = require("./patterns.js");
+const LIFECYCLE_SCRIPTS = [
+    'preinstall',
+    'install',
+    'postinstall',
+    'preprepare',
+    'prepare',
+    'postprepare',
+    'prepack',
+    'postpack',
+    'preuninstall',
+    'uninstall',
+    'postuninstall',
+    'prerestart',
+    'restart',
+    'postrestart',
+    'preversion',
+    'version',
+    'postversion',
+    'prebuild',
+    'postbuild',
+    'prestart',
+    'poststart',
+    'pretest',
+    'posttest',
+];
+const RISK_WEIGHTS = {
+    low: 5,
+    medium: 25,
+    high: 60,
+    critical: 100,
+};
+function extractLifecycleScripts(scripts) {
+    const result = {};
+    for (const name of LIFECYCLE_SCRIPTS) {
+        if (scripts[name]) {
+            result[name] = scripts[name];
+        }
+    }
+    return result;
+}
+function analyzeScriptContent(packageName, version, scriptName, scriptContent) {
+    const findings = [];
+    for (const rule of patterns_js_1.PATTERN_RULES) {
+        const match = rule.pattern.exec(scriptContent);
+        if (match) {
+            findings.push({
+                package: packageName,
+                scriptName,
+                scriptContent,
+                pattern: rule.name,
+                description: rule.description,
+                riskLevel: rule.riskLevel,
+                match: match[0],
+            });
+        }
+    }
+    return findings;
+}
+function calculateRiskScore(findings) {
+    if (findings.length === 0)
+        return 0;
+    const maxScore = Math.max(...findings.map((f) => RISK_WEIGHTS[f.riskLevel]));
+    const avgScore = findings.reduce((sum, f) => sum + RISK_WEIGHTS[f.riskLevel], 0) / findings.length;
+    return Math.min(100, Math.round((maxScore * 0.6 + avgScore * 0.4)));
+}
+function riskLevelFromScore(score) {
+    if (score >= 75)
+        return 'critical';
+    if (score >= 50)
+        return 'high';
+    if (score >= 25)
+        return 'medium';
+    return 'low';
+}
+function analyzePackage(name, version, scripts) {
+    const lifecycleScripts = extractLifecycleScripts(scripts);
+    const allFindings = [];
+    for (const [scriptName, scriptContent] of Object.entries(lifecycleScripts)) {
+        const scriptFindings = analyzeScriptContent(name, version, scriptName, scriptContent);
+        allFindings.push(...scriptFindings);
+        // Flag any lifecycle script that exists without findings as "low" info
+        if (scriptFindings.length === 0 && ['postinstall', 'preinstall', 'install'].includes(scriptName)) {
+            allFindings.push({
+                package: name,
+                scriptName,
+                scriptContent,
+                pattern: 'lifecycle-script-present',
+                description: `Package runs code during ${scriptName} — review recommended`,
+                riskLevel: 'low',
+                match: scriptContent.substring(0, 60),
+            });
+        }
+    }
+    const riskScore = calculateRiskScore(allFindings);
+    return {
+        name,
+        version,
+        scripts: lifecycleScripts,
+        findings: allFindings,
+        riskScore,
+        riskLevel: riskLevelFromScore(riskScore),
+    };
+}
+function scanInstalledPackages(projectPath, includeDev = false) {
+    const nodeModulesPath = path.join(projectPath, 'node_modules');
+    if (!fs.existsSync(nodeModulesPath)) {
+        throw new Error(`No node_modules found at ${nodeModulesPath}`);
+    }
+    const analyses = [];
+    const visited = new Set();
+    function scanDir(dir) {
+        const entries = fs.readdirSync(dir, { withFileTypes: true });
+        for (const entry of entries) {
+            if (entry.name.startsWith('.'))
+                continue;
+            const fullPath = path.join(dir, entry.name);
+            if (entry.isDirectory()) {
+                // Handle scoped packages (@scope/pkg)
+                if (entry.name.startsWith('@')) {
+                    scanDir(fullPath);
+                    continue;
+                }
+                const pkgJsonPath = path.join(fullPath, 'package.json');
+                if (fs.existsSync(pkgJsonPath)) {
+                    try {
+                        const pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf-8'));
+                        const pkgKey = `${pkgJson.name}@${pkgJson.version}`;
+                        if (visited.has(pkgKey))
+                            continue;
+                        visited.add(pkgKey);
+                        if (pkgJson.scripts && Object.keys(pkgJson.scripts).length > 0) {
+                            analyses.push(analyzePackage(pkgJson.name || entry.name, pkgJson.version || 'unknown', pkgJson.scripts));
+                        }
+                    }
+                    catch {
+                        // Skip malformed package.json
+                    }
+                }
+                // Don't recurse into nested node_modules
+                if (!fullPath.includes('node_modules' + path.sep + entry.name + path.sep + 'node_modules')) {
+                    // Check for nested packages
+                    const nested = path.join(fullPath, 'node_modules');
+                    if (!fs.existsSync(nested)) {
+                        // Some packages have sub-packages in subdirectories
+                    }
+                }
+            }
+        }
+    }
+    scanDir(nodeModulesPath);
+    return analyses.sort((a, b) => b.riskScore - a.riskScore);
+}
+function scanSinglePackage(pkgJsonContent) {
+    const pkgJson = JSON.parse(pkgJsonContent);
+    return analyzePackage(pkgJson.name || 'unknown', pkgJson.version || 'unknown', pkgJson.scripts || {});
+}
+//# sourceMappingURL=lifecycle.js.map

package/dist/scanners/lifecycle.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lifecycle.js","sourceRoot":"","sources":["../../src/scanners/lifecycle.ts"],"names":[],"mappings":";AAAA,yFAAyF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0FzF,wCAoCC;AAED,sDAuDC;AAED,8CAOC;AAEQ,0DAAuB;AAAE,gDAAkB;AAAE,gDAAkB;AAhMxE,4CAA8B;AAC9B,gDAAkC;AAElC,+CAA8C;AAE9C,MAAM,iBAAiB,GAAG;IACxB,YAAY;IACZ,SAAS;IACT,aAAa;IACb,YAAY;IACZ,SAAS;IACT,aAAa;IACb,SAAS;IACT,UAAU;IACV,cAAc;IACd,WAAW;IACX,eAAe;IACf,YAAY;IACZ,SAAS;IACT,aAAa;IACb,YAAY;IACZ,SAAS;IACT,aAAa;IACb,UAAU;IACV,WAAW;IACX,UAAU;IACV,WAAW;IACX,SAAS;IACT,UAAU;CACX,CAAC;AAEF,MAAM,YAAY,GAA8B;IAC9C,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,EAAE;IACV,IAAI,EAAE,EAAE;IACR,QAAQ,EAAE,GAAG;CACd,CAAC;AAEF,SAAS,uBAAuB,CAAC,OAA+B;IAC9D,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAClB,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,oBAAoB,CAC3B,WAAmB,EACnB,OAAe,EACf,UAAkB,EAClB,aAAqB;IAErB,MAAM,QAAQ,GAAgC,EAAE,CAAC;IAEjD,KAAK,MAAM,IAAI,IAAI,2BAAa,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/C,IAAI,KAAK,EAAE,CAAC;YACV,QAAQ,CAAC,IAAI,CAAC;gBACZ,OAAO,EAAE,WAAW;gBACpB,UAAU;gBACV,aAAa;gBACb,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAqC;IAC/D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAC7E,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC;IACnG,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,GAAG,GAAG,GAAG,QAAQ,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IACjC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,cAAc,CAC5B,IAAY,EACZ,OAAe,EACf,OAA+B;IAE/B,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAgC,EAAE,CAAC;IAEpD,KAAK,MAAM,CAAC,UAAU,EAAE,aAAa,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC3E,MAAM,cAAc,GAAG,oBAAoB,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QACtF,WAAW,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC;QAEpC,uEAAuE;QACvE,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACjG,WAAW,CAAC,IAAI,CAAC;gBACf,OAAO,EAAE,IAAI;gBACb,UAAU;gBACV,aAAa;gBACb,OAAO,EAAE,0BAA0B;gBACnC,WAAW,EAAE,4BAA4B,UAAU,uBAAuB;gBAC1E,SAAS,EAAE,KAAK;gBAChB,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;aACtC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,SAAS,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC;IAElD,OAAO;QACL,IAAI;QACJ,OAAO;QACP,OAAO,EAAE,gBAAgB;QACzB,QAAQ,EAAE,WAAW;QACrB,SAAS;QACT,SAAS,EAAE,kBAAkB,CAAC,SAAS,CAAC;KACzC,CAAC;AACJ,CAAC;AAED,SAAgB,qBAAqB,CAAC,WAAmB,EAAE,UAAU,GAAG,KAAK;IAC3E,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IAC/D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,4BAA4B,eAAe,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAElC,SAAS,OAAO,CAAC,GAAW;QAC1B,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAE5C,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,sCAAsC;gBACtC,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/B,OAAO,CAAC,QAAQ,CAAC,CAAC;oBAClB,SAAS;gBACX,CAAC;gBAED,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;gBACxD,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC/B,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;wBAClE,MAAM,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;wBACpD,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC;4BAAE,SAAS;wBAClC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;wBAEpB,IAAI,OAAO,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;4BAC/D,QAAQ,CAAC,IAAI,CACX,cAAc,CAAC,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,IAAI,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,CAC1F,CAAC;wBACJ,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,8BAA8B;oBAChC,CAAC;gBACH,CAAC;gBAED,yCAAyC;gBACzC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,cAAc,CAAC,EAAE,CAAC;oBAC3F,4BAA4B;oBAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;oBACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;wBAC3B,oDAAoD;oBACtD,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,CAAC,eAAe,CAAC,CAAC;IACzB,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC;AAC5D,CAAC;AAED,SAAgB,iBAAiB,CAAC,cAAsB;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IAC3C,OAAO,cAAc,CACnB,OAAO,CAAC,IAAI,IAAI,SAAS,EACzB,OAAO,CAAC,OAAO,IAAI,SAAS,EAC5B,OAAO,CAAC,OAAO,IAAI,EAAE,CACtB,CAAC;AACJ,CAAC"}

package/dist/scanners/patterns.d.ts

@@ -0,0 +1,4 @@
+/** ScriptGuard — Pattern rules for detecting malicious lifecycle scripts */
+import type { PatternRule } from '../types/index.js';
+export declare const PATTERN_RULES: PatternRule[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/scanners/patterns.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAE5E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD,eAAO,MAAM,aAAa,EAAE,WAAW,EA2LtC,CAAC"}

package/dist/scanners/patterns.js

@@ -0,0 +1,188 @@
+"use strict";
+/** ScriptGuard — Pattern rules for detecting malicious lifecycle scripts */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PATTERN_RULES = void 0;
+exports.PATTERN_RULES = [
+    // === NETWORK — data exfiltration vectors ===
+    {
+        name: 'curl-pipe',
+        pattern: /curl\s+[^|]*\|\s*(?:sh|bash|sudo|zsh)/,
+        riskLevel: 'critical',
+        description: 'Downloads and executes remote code via curl pipe',
+        category: 'network',
+    },
+    {
+        name: 'wget-pipe',
+        pattern: /wget\s+.*\|\s*(?:sh|bash|sudo|zsh)/,
+        riskLevel: 'critical',
+        description: 'Downloads and executes remote code via wget pipe',
+        category: 'network',
+    },
+    {
+        name: 'curl-silent',
+        pattern: /curl\s+.*-[sS]\b/,
+        riskLevel: 'high',
+        description: 'Silent HTTP request — common in data exfiltration',
+        category: 'network',
+    },
+    {
+        name: 'curl-post',
+        pattern: /curl\s+.*-[dX]\s+(?:POST|PUT|PATCH)/,
+        riskLevel: 'high',
+        description: 'HTTP POST/PUT request — may send data externally',
+        category: 'network',
+    },
+    {
+        name: 'http-request',
+        pattern: /(?:https?:\/\/[^\s'"]+|fetch\s*\(|request\s*\(|http\.request|http\.get|axios|got\()/,
+        riskLevel: 'medium',
+        description: 'Outbound HTTP request detected',
+        category: 'network',
+    },
+    {
+        name: 'dns-lookup',
+        pattern: /(?:nslookup|dig|host\s+\S+\.\S+|dns\.resolve)/,
+        riskLevel: 'medium',
+        description: 'DNS lookup — can be used for DNS-based data exfiltration',
+        category: 'network',
+    },
+    // === EXECUTION — arbitrary code execution ===
+    {
+        name: 'eval-usage',
+        pattern: /(?:^|\s|;|&&|\|\|)(?:eval|Function)\s*[\($]/,
+        riskLevel: 'high',
+        description: 'eval() or Function() constructor — arbitrary code execution',
+        category: 'execution',
+    },
+    {
+        name: 'child-process',
+        pattern: /(?:exec|execSync|spawn|spawnSync|execFile|fork)\s*\(/,
+        riskLevel: 'medium',
+        description: 'Spawns child process — can execute arbitrary commands',
+        category: 'execution',
+    },
+    {
+        name: 'shell-exec',
+        pattern: /(?:sh\s+-c|bash\s+-c|zsh\s+-c|\/bin\/sh|\/bin\/bash|\/bin\/zsh)/,
+        riskLevel: 'high',
+        description: 'Direct shell execution',
+        category: 'execution',
+    },
+    {
+        name: 'node-eval',
+        pattern: /node\s+-e\s+/,
+        riskLevel: 'high',
+        description: 'Evaluates Node.js code from command line',
+        category: 'execution',
+    },
+    {
+        name: 'require-resolve',
+        pattern: /require\s*\(\s*[^'"]*\+/,
+        riskLevel: 'medium',
+        description: 'Dynamic require with string concatenation',
+        category: 'execution',
+    },
+    // === FILESYSTEM — sensitive file access ===
+    {
+        name: 'ssh-access',
+        pattern: /(?:~\/\.ssh|\/\.ssh|id_rsa|id_ed25519|id_ecdsa)/,
+        riskLevel: 'critical',
+        description: 'Accesses SSH keys — credential theft risk',
+        category: 'filesystem',
+    },
+    {
+        name: 'aws-creds',
+        pattern: /(?:~\/\.aws|\/\.aws|AWS_|aws_access_key|aws_secret_key)/,
+        riskLevel: 'critical',
+        description: 'Accesses AWS credentials — cloud account takeover risk',
+        category: 'filesystem',
+    },
+    {
+        name: 'env-file',
+        pattern: /\.env(?:\.local|\.production|\.staging)?/,
+        riskLevel: 'high',
+        description: 'Reads .env files — may expose secrets',
+        category: 'filesystem',
+    },
+    {
+        name: 'passwd-shadow',
+        pattern: /\/etc\/(?:passwd|shadow|sudoers|hosts)/,
+        riskLevel: 'critical',
+        description: 'Reads system credential files',
+        category: 'filesystem',
+    },
+    {
+        name: 'tmp-write',
+        pattern: /(?:\/tmp\/|os\.tmpdir|tempdir|writeFileSync|writeFile).*\.sh/,
+        riskLevel: 'medium',
+        description: 'Writes executable to temp directory',
+        category: 'filesystem',
+    },
+    {
+        name: 'chmod-exec',
+        pattern: /chmod\s+\+x/,
+        riskLevel: 'medium',
+        description: 'Makes a file executable',
+        category: 'filesystem',
+    },
+    // === EXFILTRATION — stealing data ===
+    {
+        name: 'env-exfil',
+        pattern: /(?:process\.env|export|printenv|env\s)/,
+        riskLevel: 'high',
+        description: 'Reads environment variables — may contain secrets',
+        category: 'exfiltration',
+    },
+    {
+        name: 'clipboard-access',
+        pattern: /(?:pbcopy|xclip|xsel|clipboard)/,
+        riskLevel: 'high',
+        description: 'Accesses system clipboard — can steal copied data',
+        category: 'exfiltration',
+    },
+    {
+        name: 'keychain-access',
+        pattern: /(?:security\s+find|keychain|osascript.*keychain)/,
+        riskLevel: 'critical',
+        description: 'Accesses macOS Keychain or credential store',
+        category: 'exfiltration',
+    },
+    // === OBFUSCATION — hiding malicious intent ===
+    {
+        name: 'base64-exec',
+        pattern: /(?:base64\s+-d|atob|Buffer\.from\s*\([^)]*,\s*['"]base64['"]\))\s*[;|&&\n].*(?:eval|exec|sh|bash)/,
+        riskLevel: 'critical',
+        description: 'Base64 decode + execute — classic obfuscation technique',
+        category: 'obfuscation',
+    },
+    {
+        name: 'hex-encode',
+        pattern: /\\x[0-9a-fA-F]{2}.*\\x[0-9a-fA-F]{2}.*\\x[0-9a-fA-F]{2}/,
+        riskLevel: 'high',
+        description: 'Hex-encoded strings — likely hiding payload',
+        category: 'obfuscation',
+    },
+    {
+        name: 'unicode-escape',
+        pattern: /\\u[0-9a-fA-F]{4}.*\\u[0-9a-fA-F]{4}.*\\u[0-9a-fA-F]{4}/,
+        riskLevel: 'medium',
+        description: 'Unicode-escaped strings — potential obfuscation',
+        category: 'obfuscation',
+    },
+    // === CRYPTO — mining or ransomware ===
+    {
+        name: 'crypto-miner',
+        pattern: /(?:xmrig|minerd|cpuminer|cryptonight|stratum\+tcp)/,
+        riskLevel: 'critical',
+        description: 'Cryptocurrency mining detected',
+        category: 'crypto',
+    },
+    {
+        name: 'reverse-shell',
+        pattern: /(?:nc\s+-|ncat|socat|\/dev\/tcp|bash\s+-i\s+>&)/,
+        riskLevel: 'critical',
+        description: 'Reverse shell pattern — full system takeover',
+        category: 'execution',
+    },
+];
+//# sourceMappingURL=patterns.js.map

package/dist/scanners/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../src/scanners/patterns.ts"],"names":[],"mappings":";AAAA,4EAA4E;;;AAI/D,QAAA,aAAa,GAAkB;IAC1C,8CAA8C;IAC9C;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uCAAuC;QAChD,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,kDAAkD;QAC/D,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,oCAAoC;QAC7C,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,kDAAkD;QAC/D,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,kBAAkB;QAC3B,SAAS,EAAE,MAAM;QACjB,WAAW,EAAE,mDAAmD;QAChE,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,qCAAqC;QAC9C,SAAS,EAAE,MAAM;QACjB,WAAW,EAAE,kDAAkD;QAC/D,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,qFAAqF;QAC9F,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,gCAAgC;QAC7C,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,+CAA+C;QACxD,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,0DAA0D;QACvE,QAAQ,EAAE,SAAS;KACpB;IAED,+CAA+C;IAC/C;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,6CAA6C;QACtD,SAAS,EAAE,MAAM;QACjB,WAAW,EAAE,6DAA6D;QAC1E,QAAQ,EAAE,WAAW;KACtB;IACD;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,sDAAsD;QAC/D,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,uDAAuD;QACpE,QAAQ,EAAE,WAAW;KACtB;IACD;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,iEAAiE;QAC1E,SAAS,EAAE,MAAM;QACjB,WAAW,EAAE,wBAAwB;QACrC,QAAQ,EAAE,WAAW;KACtB;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,cAAc;QACvB,SAAS,EAAE,MAAM;QACjB,WAAW,EAAE,0CAA0C;QACvD,QAAQ,EAAE,WAAW;KACtB;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,yBAAyB;QAClC,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,2CAA2C;QACxD,QAAQ,EAAE,WAAW;KACtB;IAED,6CAA6C;IAC7C;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,iDAAiD;QAC1D,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,2CAA2C;QACxD,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,wDAAwD;QACrE,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,0CAA0C;QACnD,SAAS,EAAE,MAAM;QACjB,WAAW,EAAE,uCAAuC;QACpD,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,wCAAwC;QACjD,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,+BAA+B;QAC5C,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,8DAA8D;QACvE,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,qCAAqC;QAClD,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,aAAa;QACtB,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,yBAAyB;QACtC,QAAQ,EAAE,YAAY;KACvB;IAED,uCAAuC;IACvC;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,wCAAwC;QACjD,SAAS,EAAE,MAAM;QACjB,WAAW,EAAE,mDAAmD;QAChE,QAAQ,EAAE,cAAc;KACzB;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,iCAAiC;QAC1C,SAAS,EAAE,MAAM;QACjB,WAAW,EAAE,mDAAmD;QAChE,QAAQ,EAAE,cAAc;KACzB;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,kDAAkD;QAC3D,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE,cAAc;KACzB;IAED,gDAAgD;IAChD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mGAAmG;QAC5G,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,yDAAyD;QACtE,QAAQ,EAAE,aAAa;KACxB;IACD;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,MAAM;QACjB,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE,aAAa;KACxB;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,iDAAiD;QAC9D,QAAQ,EAAE,aAAa;KACxB;IAED,wCAAwC;IACxC;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,gCAAgC;QAC7C,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,iDAAiD;QAC1D,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,8CAA8C;QAC3D,QAAQ,EAAE,WAAW;KACtB;CACF,CAAC"}

package/dist/types/index.d.ts

@@ -0,0 +1,123 @@
+/** ScriptGuard — Type definitions */
+export type RiskLevel = 'low' | 'medium' | 'high' | 'critical';
+export type AIMode = 'basic' | 'standard' | 'thorough';
+export interface AIOptions {
+    enabled: boolean;
+    mode: AIMode;
+    apiKey?: string;
+    maxTokens?: number;
+    timeout?: number;
+    mitigation?: boolean;
+}
+export interface AIInsight {
+    type: 'false-positive' | 'threat' | 'mitigation';
+    severity: RiskLevel;
+    description: string;
+    attackTechnique?: string;
+    remediation?: string;
+    confidence: number;
+}
+export interface AIAnalysis {
+    package: string;
+    version: string;
+    falsePositivesFiltered: number;
+    newThreatsDetected: number;
+    insights: AIInsight[];
+    confidence: number;
+    tokensUsed: number;
+}
+export interface AIBatchRequest {
+    packages: Array<{
+        name: string;
+        version: string;
+        scripts: Record<string, string>;
+        findings: Finding[];
+    }>;
+    mode: AIMode;
+}
+export interface AIBatchResponse {
+    analyses: AIAnalysis[];
+    totalTokensUsed: number;
+}
+export interface Finding {
+    /** The package that triggered this finding */
+    package: string;
+    /** Which lifecycle script (e.g., "postinstall", "preinstall") */
+    scriptName: string;
+    /** The full script content */
+    scriptContent: string;
+    /** What was detected */
+    pattern: string;
+    /** Human-readable description of the risk */
+    description: string;
+    /** How severe */
+    riskLevel: RiskLevel;
+    /** Line/position where found (if applicable) */
+    match: string;
+    /** AI analysis if available */
+    aiAnalysis?: AIAnalysis;
+}
+export interface PackageAnalysis {
+    /** Package name */
+    name: string;
+    /** Package version */
+    version: string;
+    /** All lifecycle scripts found */
+    scripts: Record<string, string>;
+    /** Findings for this package */
+    findings: Finding[];
+    /** Overall risk score 0-100 */
+    riskScore: number;
+    /** Overall risk level */
+    riskLevel: RiskLevel;
+}
+export interface ScanResult {
+    /** Total packages scanned */
+    totalPackages: number;
+    /** Packages with lifecycle scripts */
+    packagesWithScripts: number;
+    /** Individual package analyses */
+    analyses: PackageAnalysis[];
+    /** Total findings */
+    totalFindings: number;
+    /** Findings by risk level */
+    findingsByLevel: Record<RiskLevel, number>;
+    /** Overall risk score (average weighted) */
+    overallRiskScore: number;
+    /** Overall risk level */
+    overallRiskLevel: RiskLevel;
+    /** Duration of scan in ms */
+    scanDurationMs: number;
+    /** AI analysis if enabled */
+    aiAnalysis?: {
+        totalTokensUsed: number;
+        totalFalsePositivesFiltered: number;
+        totalNewThreatsDetected: number;
+        durationMs: number;
+    };
+}
+export interface PatternRule {
+    /** Unique name for this rule */
+    name: string;
+    /** Regex pattern to match */
+    pattern: RegExp;
+    /** Risk level if matched */
+    riskLevel: RiskLevel;
+    /** Human description */
+    description: string;
+    /** What this pattern indicates */
+    category: 'network' | 'execution' | 'filesystem' | 'exfiltration' | 'obfuscation' | 'crypto';
+}
+export interface ScanOptions {
+    /** Path to scan (defaults to cwd) */
+    path: string;
+    /** Include dev dependencies */
+    includeDev: boolean;
+    /** Minimum risk level to report */
+    minRiskLevel: RiskLevel;
+    /** Output format */
+    format: 'table' | 'json' | 'sarif';
+    /** Fail on findings at or above this level (for CI) */
+    failLevel?: RiskLevel;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,qCAAqC;AAErC,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAG/D,MAAM,MAAM,MAAM,GAAG,OAAO,GAAG,UAAU,GAAG,UAAU,CAAC;AAEvD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,gBAAgB,GAAG,QAAQ,GAAG,YAAY,CAAC;IACjD,QAAQ,EAAE,SAAS,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,QAAQ,EAAE,SAAS,EAAE,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,QAAQ,EAAE,OAAO,EAAE,CAAC;KACrB,CAAC,CAAC;IACH,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,UAAU,EAAE,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,OAAO;IACtB,8CAA8C;IAC9C,OAAO,EAAE,MAAM,CAAC;IAChB,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAC;IACnB,8BAA8B;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,wBAAwB;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB;IACjB,SAAS,EAAE,SAAS,CAAC;IACrB,gDAAgD;IAChD,KAAK,EAAE,MAAM,CAAC;IACd,+BAA+B;IAC/B,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB;AAED,MAAM,WAAW,eAAe;IAC9B,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,sBAAsB;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,gCAAgC;IAChC,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,+BAA+B;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,SAAS,EAAE,SAAS,CAAC;CACtB;AAED,MAAM,WAAW,UAAU;IACzB,6BAA6B;IAC7B,aAAa,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,mBAAmB,EAAE,MAAM,CAAC;IAC5B,kCAAkC;IAClC,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,6BAA6B;IAC7B,eAAe,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC3C,4CAA4C;IAC5C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yBAAyB;IACzB,gBAAgB,EAAE,SAAS,CAAC;IAC5B,6BAA6B;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,6BAA6B;IAC7B,UAAU,CAAC,EAAE;QACX,eAAe,EAAE,MAAM,CAAC;QACxB,2BAA2B,EAAE,MAAM,CAAC;QACpC,uBAAuB,EAAE,MAAM,CAAC;QAChC,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,WAAW;IAC1B,gCAAgC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,4BAA4B;IAC5B,SAAS,EAAE,SAAS,CAAC;IACrB,wBAAwB;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,QAAQ,EAAE,SAAS,GAAG,WAAW,GAAG,YAAY,GAAG,cAAc,GAAG,aAAa,GAAG,QAAQ,CAAC;CAC9F;AAED,MAAM,WAAW,WAAW;IAC1B,qCAAqC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,UAAU,EAAE,OAAO,CAAC;IACpB,mCAAmC;IACnC,YAAY,EAAE,SAAS,CAAC;IACxB,oBAAoB;IACpB,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;IACnC,uDAAuD;IACvD,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB"}

package/dist/types/index.js

@@ -0,0 +1,4 @@
+"use strict";
+/** ScriptGuard — Type definitions */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":";AAAA,qCAAqC"}

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "scriptguard",
+  "version": "1.0.0",
+  "description": "Security scanner for npm package lifecycle scripts — detect malicious postinstall, preinstall, and prepare scripts before they run",
+  "main": "dist/index.js",
+  "bin": {
+    "scriptguard": "dist/cli.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "tsc --noEmit",
+    "start": "node dist/cli.js"
+  },
+  "keywords": [
+    "npm",
+    "security",
+    "lifecycle",
+    "scripts",
+    "postinstall",
+    "preinstall",
+    "supply-chain",
+    "audit",
+    "scanner",
+    "malware"
+  ],
+  "author": "Peter Ferriere",
+  "license": "MIT",
+  "dependencies": {
+    "@google/generative-ai": "^0.21.0",
+    "chalk": "^5.3.0",
+    "commander": "^12.0.0",
+    "ora": "^8.0.0",
+    "p-throttle": "^6.0.0",
+    "zod": "^3.22.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.0",
+    "typescript": "^5.4.0",
+    "vitest": "^1.3.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}