secmanifest 1.0.0

package/src/core/reporter.ts

@@ -0,0 +1,170 @@
+import chalk from "chalk";
+import Table from "cli-table3";
+import { t } from "../i18n/index.js";
+import type { AuditReport, Finding, Severity } from "../utils/types.js";
+
+const SEVERITY_COLORS: Record<Severity, (text: string) => string> = {
+  critical: (t: string) => chalk.red.bold(t),
+  high: (t: string) => chalk.hex("#FF6600").bold(t),
+  medium: (t: string) => chalk.yellow(t),
+  low: (t: string) => chalk.cyan(t),
+  info: (t: string) => chalk.gray(t),
+};
+
+const SEVERITY_ICONS: Record<Severity, string> = {
+  critical: "[!!!]",
+  high: "[!!]",
+  medium: "[!]",
+  low: "*",
+  info: "[i]",
+};
+
+const CATEGORY_LABELS: Record<string, string> = {
+  vulnerability: "Vuln",
+  malware: "Malware",
+  backdoor: "Backdoor",
+  drift: "Drift",
+  secrets: "Secrets",
+  license: "License",
+  metadata: "Metadata",
+  obfuscation: "Obfuscation",
+  "node-version": "Node.js",
+};
+
+function getScoreColor(score: number): (text: string) => string {
+  if (score >= 80) return (t: string) => chalk.red.bold(t);
+  if (score >= 60) return (t: string) => chalk.hex("#FF6600").bold(t);
+  if (score >= 40) return (t: string) => chalk.yellow(t);
+  if (score >= 20) return (t: string) => chalk.cyan(t);
+  return (t: string) => chalk.green.bold(t);
+}
+
+function renderBanner(): void {
+  console.log();
+  console.log(chalk.bold.cyan("  ╔══════════════════════════════════════╗"));
+  console.log(chalk.bold.cyan("  ║") + chalk.bold.white(`       ${t("report.banner")}     `) + chalk.bold.cyan("║"));
+  console.log(chalk.bold.cyan("  ╚══════════════════════════════════════╝"));
+  console.log();
+}
+
+function renderSummary(report: AuditReport): void {
+  const totalCritical = report.findings.filter((f) => f.severity === "critical").length;
+  const totalHigh = report.findings.filter((f) => f.severity === "high").length;
+  const totalMedium = report.findings.filter((f) => f.severity === "medium").length;
+  const totalLow = report.findings.filter((f) => f.severity === "low").length;
+
+  console.log(chalk.bold(`  ${t("report.summary")}`));
+  console.log(chalk.gray("  ─────────────────────────────────────"));
+  console.log(`  ${t("report.project")}      ${chalk.bold(report.projectName)}`);
+  console.log(`  ${t("report.directory")}    ${report.projectPath}`);
+  console.log(`  ${t("report.package_manager")}        ${report.packageManager.name ?? "None"} ${report.packageManager.version ? `v${report.packageManager.version}` : ""}`);
+  console.log(`  ${t("report.packages")}      ${chalk.bold(String(report.totalPackages))}`);
+  console.log(`  ${t("report.findings")}     ${chalk.bold(String(report.findings.length))}`);
+  console.log(`  ${t("report.duration")}        ${(report.duration / 1000).toFixed(2)}s`);
+  console.log();
+
+  if (report.findings.length === 0) {
+    console.log(chalk.green.bold(`  ✓ ${t("report.no_issues")}`));
+    console.log();
+    return;
+  }
+
+  console.log(chalk.bold(`  ${t("report.severity_breakdown")}`));
+  if (totalCritical > 0) console.log(`    ${SEVERITY_COLORS.critical(`${SEVERITY_ICONS.critical} ${t("report.severity_critical")}:  ${totalCritical}`)}`);
+  if (totalHigh > 0) console.log(`    ${SEVERITY_COLORS.high(`${SEVERITY_ICONS.high} ${t("report.severity_high")}:      ${totalHigh}`)}`);
+  if (totalMedium > 0) console.log(`    ${SEVERITY_COLORS.medium(`${SEVERITY_ICONS.medium} ${t("report.severity_medium")}:    ${totalMedium}`)}`);
+  if (totalLow > 0) console.log(`    ${SEVERITY_COLORS.low(`${SEVERITY_ICONS.low} ${t("report.severity_low")}:     ${totalLow}`)}`);
+  console.log();
+}
+
+function renderScore(score: number): void {
+  const colorFn = getScoreColor(score);
+  const barLength = 30;
+  const filledLength = Math.round((score / 100) * barLength);
+  const bar = "█".repeat(filledLength) + "░".repeat(barLength - filledLength);
+
+  console.log(chalk.bold(`  ${t("report.score")}`));
+  console.log(`    [${colorFn(bar)}] ${colorFn(String(score))}/100`);
+  console.log();
+
+  if (score >= 80) console.log(chalk.red.bold(`  ⚠ ${t("report.risk_high")}`));
+  else if (score >= 60) console.log(chalk.hex("#FF6600").bold(`  ⚠ ${t("report.risk_significant")}`));
+  else if (score >= 40) console.log(chalk.yellow(`  ℹ ${t("report.risk_moderate")}`));
+  else if (score >= 20) console.log(chalk.cyan(`  ℹ ${t("report.risk_low")}`));
+  else console.log(chalk.green.bold(`  ✓ ${t("report.risk_good")}`));
+  console.log();
+}
+
+function renderFindingsTable(findings: Finding[]): void {
+  if (findings.length === 0) return;
+
+  console.log(chalk.bold(`  ${t("report.detailed_findings")}`));
+  console.log();
+
+  const sorted = [...findings].sort((a, b) => {
+    const order: Record<Severity, number> = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+    return order[a.severity] - order[b.severity];
+  });
+
+  const table = new Table({
+    head: [chalk.bold("Severity"), chalk.bold("Category"), chalk.bold("Title"), chalk.bold("Package")],
+    colWidths: [14, 14, 45, 30],
+    style: { head: [], border: [] },
+    wordWrap: true,
+  });
+
+  for (const finding of sorted) {
+    const colorFn = SEVERITY_COLORS[finding.severity];
+    table.push([
+      colorFn(`${SEVERITY_ICONS[finding.severity]} ${finding.severity}`),
+      CATEGORY_LABELS[finding.category] ?? finding.category,
+      finding.title,
+      finding.package ?? "-",
+    ]);
+  }
+
+  console.log(table.toString());
+  console.log();
+}
+
+function renderDetails(findings: Finding[]): void {
+  const detailed = findings.filter((f) => f.severity === "critical" || f.severity === "high");
+  if (detailed.length === 0) return;
+
+  console.log(chalk.bold(`  ${t("report.critical_high_details")}`));
+  console.log(chalk.gray("  ─────────────────────────────────────"));
+
+  for (const finding of detailed) {
+    const colorFn = SEVERITY_COLORS[finding.severity];
+    console.log();
+    console.log(colorFn(`  [${finding.severity.toUpperCase()}]`) + ` ${chalk.bold(finding.title)}`);
+    console.log(`    ${finding.description}`);
+    if (finding.package) console.log(`    Package: ${chalk.cyan(finding.package)}${finding.version ? `@${finding.version}` : ""}`);
+    if (finding.cve) console.log(`    CVE:     ${chalk.yellow(finding.cve)}`);
+    if (finding.recommendation) console.log(`    Action:  ${chalk.green(finding.recommendation)}`);
+  }
+  console.log();
+}
+
+export function renderReport(report: AuditReport): void {
+  renderBanner();
+  renderSummary(report);
+  renderScore(report.score);
+  renderFindingsTable(report.findings);
+  renderDetails(report.findings);
+}
+
+export function calculateScore(findings: Finding[]): number {
+  if (findings.length === 0) return 0;
+  let score = 0;
+  for (const finding of findings) {
+    switch (finding.severity) {
+      case "critical": score += 25; break;
+      case "high": score += 15; break;
+      case "medium": score += 8; break;
+      case "low": score += 3; break;
+      case "info": score += 1; break;
+    }
+  }
+  return Math.min(100, score);
+}

package/src/i18n/index.ts

@@ -0,0 +1,256 @@
+export type Locale = "en" | "es";
+
+const translations: Record<Locale, Record<string, string>> = {
+  en: {
+    // CLI
+    "cli.name": "secmanifest",
+    "cli.description": "Deep security auditing tool for JavaScript/TypeScript projects",
+
+    // Audit
+    "audit.detecting_pm": "Detecting package manager...",
+    "audit.veto_npm": "[VETO] npm is blocked for security reasons.",
+    "audit.veto_npm_reason": "npm has a history of vulnerabilities in dependency script execution.",
+    "audit.veto_npm_required": "pnpm, bun, or yarn are required.",
+    "audit.no_pm_warning": "[WARNING] No secure package manager detected.",
+    "audit.no_pm_reason": "It is recommended to install pnpm, bun, or yarn for better security.",
+    "audit.continue_anyway": "Do you want to continue anyway?",
+    "audit.cancelled": "Operation cancelled by user.",
+    "audit.pm_detected": "Package manager detected:",
+    "audit.analyzing": "Analyzing project...",
+    "audit.project": "Project:",
+    "audit.packages_found": "Packages found:",
+    "audit.scanners_running": "Running security scanners...",
+    "audit.errors_during_scan": "Errors during scan:",
+
+    // Scanners
+    "scanner.malware": "Malware & typosquatting",
+    "scanner.backdoors": "Backdoors in manifests",
+    "scanner.drift": "Lockfile drift",
+    "scanner.secrets": "Secrets & credentials",
+    "scanner.licenses": "Restricted licenses",
+    "scanner.metadata": "Suspicious metadata",
+    "scanner.obfuscation": "Obfuscated code",
+    "scanner.node_version": "Node.js EOL",
+    "scanner.socket_dev": "Socket.dev (supply chain)",
+    "scanner.transitive": "Transitive dependencies",
+    "scanner.binaries": "Suspicious binaries",
+    "scanner.duplicates": "Duplicate dependencies",
+    "scanner.bundle_size": "Bundle size",
+    "scanner.integrity": "Package integrity",
+    "scanner.sonatype": "Sonatype OSS Index (vulnerabilities)",
+    "scanner.outdated": "Outdated packages",
+
+    // Reporter
+    "report.banner": "SECMANIFEST - Security Audit",
+    "report.summary": "Project Summary",
+    "report.project": "Project:",
+    "report.directory": "Directory:",
+    "report.package_manager": "Package Manager:",
+    "report.packages": "Packages:",
+    "report.findings": "Findings:",
+    "report.duration": "Duration:",
+    "report.severity_breakdown": "Severity Breakdown:",
+    "report.severity_critical": "Critical",
+    "report.severity_high": "High",
+    "report.severity_medium": "Medium",
+    "report.severity_low": "Low",
+    "report.score": "Risk Score:",
+    "report.no_issues": "No security issues found.",
+    "report.risk_high": "HIGH RISK PROJECT - Immediate action recommended",
+    "report.risk_significant": "SIGNIFICANT RISKS - Review findings",
+    "report.risk_moderate": "MODERATE RISKS - Review recommended",
+    "report.risk_low": "LOW RISKS - Preventive maintenance",
+    "report.risk_good": "GOOD STATUS - No critical issues",
+    "report.detailed_findings": "Detailed Findings:",
+    "report.critical_high_details": "Critical/High Finding Details:",
+
+    // Fix
+    "fix.searching_safe": "Searching safe version for",
+    "fix.unsafe_version": "Unsafe version:",
+    "fix.safe_version": "Safe version:",
+    "fix.uninstalling": "Uninstalling",
+    "fix.installing": "Installing",
+    "fix.installed_successfully": "installed successfully",
+    "fix.install_error": "Error installing",
+    "fix.restoring": "Restoring original version...",
+    "fix.results": "Auto-Fix Results:",
+    "fix.packages_fixed": "package(s) fixed:",
+    "fix.packages_failed": "package(s) failed:",
+    "fix.no_packages": "No packages need fixing.",
+    "fix.packages_to_fix": "Packages to fix:",
+    "fix.analyzing_packages": "Analyzing packages for auto-fix...",
+    "fix.dry_run": "[DRY RUN] No changes made. Run without --dry-run to apply.",
+    "fix.run_audit": "Run \"secmanifest audit\" to verify.",
+
+    // Watch
+    "watch.title": "SecManifest Watch Mode",
+    "watch.directory": "Directory:",
+    "watch.interval": "Interval:",
+    "watch.stopping": "Watch mode stopped.",
+    "watch.next_scan": "Next scan in",
+    "watch.press_ctrlc": "Press Ctrl+C to stop",
+
+    // Config
+    "config.saved": "Configuration saved.",
+    "config.cache_cleared": "Cache cleared.",
+
+    // HTML Report
+    "html.title": "SecManifest Security Audit",
+    "html.packages": "Packages",
+    "html.critical": "Critical",
+    "html.high": "High",
+    "html.medium": "Medium",
+    "html.low": "Low",
+    "html.risk_score": "Risk Score",
+    "html.findings": "Findings",
+    "html.no_findings": "No security issues found.",
+    "html.generated_by": "Generated by SecManifest",
+
+    // Errors
+    "error.dir_not_found": "Directory not found:",
+    "error.no_package_json": "No package.json found in:",
+    "error.analyze_failed": "Error analyzing project:",
+    "error.fatal": "Fatal error:",
+  },
+
+  es: {
+    // CLI
+    "cli.name": "secmanifest",
+    "cli.description": "Herramienta de auditoria de seguridad profunda para proyectos JavaScript/TypeScript",
+
+    // Audit
+    "audit.detecting_pm": "Detectando gestor de paquetes...",
+    "audit.veto_npm": "[VETO] npm esta bloqueado por razones de seguridad.",
+    "audit.veto_npm_reason": "npm tiene historial de vulnerabilidades en la ejecucion de scripts de dependencias.",
+    "audit.veto_npm_required": "Se requiere pnpm, bun o yarn.",
+    "audit.no_pm_warning": "[AVISO] No se detecto ningún gestor de paquetes seguro.",
+    "audit.no_pm_reason": "Se recomienda instalar pnpm, bun o yarn para mejor seguridad.",
+    "audit.continue_anyway": "Desea continuar de todos modos?",
+    "audit.cancelled": "Operacion cancelada por el usuario.",
+    "audit.pm_detected": "Gestor detectado:",
+    "audit.analyzing": "Analizando proyecto...",
+    "audit.project": "Proyecto:",
+    "audit.packages_found": "Paquetes encontrados:",
+    "audit.scanners_running": "Ejecutando escaners de seguridad...",
+    "audit.errors_during_scan": "Errores durante el escaneo:",
+
+    // Scanners
+    "scanner.malware": "Malware y typosquatting",
+    "scanner.backdoors": "Backdoors en manifiestos",
+    "scanner.drift": "Drift en lockfile",
+    "scanner.secrets": "Secrets y credenciales",
+    "scanner.licenses": "Licencias restrictivas",
+    "scanner.metadata": "Metadatos sospechosos",
+    "scanner.obfuscation": "Codigo ofuscado",
+    "scanner.node_version": "Node.js EOL",
+    "scanner.socket_dev": "Socket.dev (supply chain)",
+    "scanner.transitive": "Dependencias transitivas",
+    "scanner.binaries": "Binarios sospechosos",
+    "scanner.duplicates": "Dependencias duplicadas",
+    "scanner.bundle_size": "Bundle size",
+    "scanner.integrity": "Integridad de paquetes",
+    "scanner.sonatype": "Sonatype OSS Index (vulnerabilidades)",
+    "scanner.outdated": "Paquetes desactualizados",
+
+    // Reporter
+    "report.banner": "SECMANIFEST - Auditoria de Seguridad",
+    "report.summary": "Resumen del Proyecto",
+    "report.project": "Proyecto:",
+    "report.directory": "Directorio:",
+    "report.package_manager": "Gestor de Paquetes:",
+    "report.packages": "Paquetes:",
+    "report.findings": "Hallazgos:",
+    "report.duration": "Tiempo:",
+    "report.severity_breakdown": "Desglose por Severidad:",
+    "report.severity_critical": "Critico",
+    "report.severity_high": "Alto",
+    "report.severity_medium": "Medio",
+    "report.severity_low": "Bajo",
+    "report.score": "Score de Riesgo:",
+    "report.no_issues": "No se encontraron problemas de seguridad.",
+    "report.risk_high": "PROYECTO DE ALTO RIESGO - Se recomienda accion inmediata",
+    "report.risk_significant": "PROYECTO CON RIESGOS SIGNIFICATIVOS - Revisar hallazgos",
+    "report.risk_moderate": "PROYECTO CON RIESGOS MODERADOS - Revision recomendada",
+    "report.risk_low": "PROYECTO CON RIESGOS BAJOS - Mantenimiento preventivo",
+    "report.risk_good": "PROYECTO EN BUEN ESTADO - Sin problemas criticos",
+    "report.detailed_findings": "Hallazgos Detallados:",
+    "report.critical_high_details": "Detalles de Hallazgos Criticos/Altos:",
+
+    // Fix
+    "fix.searching_safe": "Buscando version segura para",
+    "fix.unsafe_version": "Version insegura:",
+    "fix.safe_version": "Version segura:",
+    "fix.uninstalling": "Desinstalando",
+    "fix.installing": "Instalando",
+    "fix.installed_successfully": "instalado exitosamente",
+    "fix.install_error": "Error al instalar",
+    "fix.restoring": "Intentando restaurar version original...",
+    "fix.results": "Resultados del Auto-Fix:",
+    "fix.packages_fixed": "paquete(s) arreglado(s):",
+    "fix.packages_failed": "paquete(s) fallaron:",
+    "fix.no_packages": "No se encontraron paquetes que necesiten arreglo.",
+    "fix.packages_to_fix": "Paquetes a arreglar:",
+    "fix.analyzing_packages": "Analizando paquetes para auto-fix...",
+    "fix.dry_run": "[DRY RUN] No se realizo ningun cambio. Usa sin --dry-run para aplicar.",
+    "fix.run_audit": "Ejecuta \"secmanifest audit\" para verificar.",
+
+    // Watch
+    "watch.title": "Modo Watch de SecManifest",
+    "watch.directory": "Directorio:",
+    "watch.interval": "Intervalo:",
+    "watch.stopping": "Watch mode detenido.",
+    "watch.next_scan": "Proximo scan en",
+    "watch.press_ctrlc": "Presiona Ctrl+C para detener",
+
+    // Config
+    "config.saved": "Configuracion guardada.",
+    "config.cache_cleared": "Cache limpiado.",
+
+    // HTML Report
+    "html.title": "Auditoria de Seguridad SecManifest",
+    "html.packages": "Paquetes",
+    "html.critical": "Criticos",
+    "html.high": "Altos",
+    "html.medium": "Medios",
+    "html.low": "Bajos",
+    "html.risk_score": "Score de Riesgo",
+    "html.findings": "Hallazgos",
+    "html.no_findings": "No se encontraron problemas de seguridad.",
+    "html.generated_by": "Generado por SecManifest",
+
+    // Errors
+    "error.dir_not_found": "Directorio no encontrado:",
+    "error.no_package_json": "No se encontro package.json en:",
+    "error.analyze_failed": "Error al analizar proyecto:",
+    "error.fatal": "Error fatal:",
+  },
+};
+
+let currentLocale: Locale = "en";
+
+function detectSystemLocale(): Locale {
+  const env = process.env.LC_ALL ?? process.env.LC_MESSAGES ?? process.env.LANG ?? process.env.LANGUAGE ?? "";
+  const lang = env.toLowerCase().split(".")[0]?.split("-")[0] ?? "";
+  if (lang === "es" || lang.startsWith("es")) return "es";
+  return "en";
+}
+
+export function setLocale(locale: Locale): void {
+  currentLocale = locale;
+}
+
+export function getLocale(): Locale {
+  return currentLocale;
+}
+
+export function t(key: string): string {
+  return translations[currentLocale]?.[key] ?? translations.en[key] ?? key;
+}
+
+export function initI18n(preferredLocale?: string): void {
+  if (preferredLocale === "es" || preferredLocale === "en") {
+    currentLocale = preferredLocale;
+  } else {
+    currentLocale = detectSystemLocale();
+  }
+}

package/src/scanners/backdoors.ts

@@ -0,0 +1,192 @@
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+const DANGEROUS_SCRIPTS = [
+  "preinstall",
+  "postinstall",
+  "install",
+  "prepare",
+  "prepublish",
+  "preuninstall",
+  "postuninstall",
+];
+
+const SUSPICIOUS_SCRIPT_PATTERNS = [
+  /curl\s+.*\|\s*(?:bash|sh|node)/i,
+  /wget\s+.*\|\s*(?:bash|sh|node)/i,
+  /eval\s*\(/i,
+  /exec\s*\(/i,
+  /require\s*\(\s*['"]child_process['"]\s*\)/i,
+  /spawn\s*\(/i,
+  /execSync\s*\(/i,
+  /process\.exit\s*\(/i,
+  /fs\.writeFile/i,
+  /fs\.unlink/i,
+  /rimraf\s/i,
+  /rm\s+-rf?\s/i,
+  /chmod\s+777/i,
+  /\/etc\/passwd/i,
+  /\/etc\/shadow/i,
+  /base64\s+(?:--decode|[-d])/i,
+  /atob\s*\(/i,
+  /fromCharCode/i,
+  /\\x[0-9a-f]{2}/i,
+];
+
+const GIT_DEP_PATTERN = /^git(?:hub|lab)?[:/]/;
+const GIT_URL_PATTERN = /^https?:\/\/.*\.git$/;
+
+const OPEN_VERSION_RANGES = ["*", ">=0.0.0", ">=0"];
+const LATEST_VERSION = "latest";
+
+export function scanBackdoors(projectInfo: ProjectInfo): ScanResult {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  analyzeSuspiciousScripts(projectInfo, findings);
+
+  analyzeGitDependencies(projectInfo, findings);
+
+  analyzeVersionRanges(projectInfo, findings);
+
+  analyzeLifecycleHooks(projectInfo, findings);
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}
+
+function analyzeSuspiciousScripts(
+  projectInfo: ProjectInfo,
+  findings: Finding[],
+): void {
+  for (const [scriptName, scriptValue] of Object.entries(
+    projectInfo.scripts,
+  )) {
+    for (const pattern of SUSPICIOUS_SCRIPT_PATTERNS) {
+      if (pattern.test(scriptValue)) {
+        findings.push({
+          id: `backdoor-script-${scriptName}-${pattern.source.slice(0, 20)}`,
+          severity:
+            DANGEROUS_SCRIPTS.includes(scriptName) ? "critical" : "high",
+          category: "backdoor",
+          title: `Script sospechoso en "${scriptName}"`,
+          description: `El script "${scriptName}" contiene patron potencialmente malicioso: ${scriptValue.slice(0, 100)}`,
+          recommendation: `Revisar manualmente el script "${scriptName}" en package.json`,
+        });
+        break;
+      }
+    }
+  }
+}
+
+function analyzeGitDependencies(
+  projectInfo: ProjectInfo,
+  findings: Finding[],
+): void {
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  for (const [name, version] of Object.entries(allDeps)) {
+    if (GIT_DEP_PATTERN.test(version) || GIT_URL_PATTERN.test(version)) {
+      findings.push({
+        id: `backdoor-git-dep-${name}`,
+        severity: "high",
+        category: "backdoor",
+        title: `Dependencia Git no verificada: ${name}`,
+        description: `${name} apunta a un repositorio Git externo (${version}). Las dependencias Git pueden cambiar sin previo aviso.`,
+        package: name,
+        version,
+        recommendation: `Fijar a una version especifica (tag o commit hash) o usar un paquete del registry.`,
+      });
+    }
+  }
+}
+
+function analyzeVersionRanges(
+  projectInfo: ProjectInfo,
+  findings: Finding[],
+): void {
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  for (const [name, version] of Object.entries(allDeps)) {
+    if (version === LATEST_VERSION) {
+      findings.push({
+        id: `backdoor-latest-version-${name}`,
+        severity: "high",
+        category: "backdoor",
+        title: `Dependencia con "latest": ${name}`,
+        description: `${name} usa "latest" como version. Esto es un vector de ataque de cadena de suministro - un paquete malicioso podria ser publicado como "latest" y ser instalado automaticamente.`,
+        package: name,
+        version,
+        recommendation: `Fijar a una version especifica (ej: ^1.2.3). Puedes usar "secmanifest fix" para arreglarlo automaticamente.`,
+      });
+      continue;
+    }
+
+    if (OPEN_VERSION_RANGES.includes(version)) {
+      findings.push({
+        id: `backdoor-open-version-${name}`,
+        severity: "medium",
+        category: "backdoor",
+        title: `Rango de version abierto: ${name}`,
+        description: `${name} usa el rango "${version}" que permite cualquier version, incluyendo potencialmente versiones comprometidas.`,
+        package: name,
+        version,
+        recommendation: `Fijar a un rango especifico (ej: ^1.2.3) o version exacta (1.2.3).`,
+      });
+    }
+  }
+}
+
+function analyzeLifecycleHooks(
+  projectInfo: ProjectInfo,
+  findings: Finding[],
+): void {
+  const dangerousHooks = DANGEROUS_SCRIPTS.filter(
+    (hook) => hook in projectInfo.scripts,
+  );
+
+  for (const hook of dangerousHooks) {
+    const scriptValue = projectInfo.scripts[hook];
+    if (!scriptValue) continue;
+
+    if (
+      scriptValue.includes("&&") ||
+      scriptValue.includes(";") ||
+      scriptValue.includes("|")
+    ) {
+      findings.push({
+        id: `backdoor-complex-hook-${hook}`,
+        severity: "high",
+        category: "backdoor",
+        title: `Hook de ciclo de vida complejo: ${hook}`,
+        description: `El hook "${hook}" contiene multiples comandos encadenados: ${scriptValue.slice(0, 100)}. Esto puede usarse para ejecutar codigo malicioso.`,
+        recommendation: `Auditar y simplificar el hook "${hook}". Ejecutar solo comandos necesarios.`,
+      });
+    }
+
+    if (
+      scriptValue.includes("node ") ||
+      scriptValue.includes("npx ") ||
+      scriptValue.includes("bun ")
+    ) {
+      findings.push({
+        id: `backdoor-exec-hook-${hook}`,
+        severity: "medium",
+        category: "backdoor",
+        title: `Hook ejecuta scripts: ${hook}`,
+        description: `El hook "${hook}" ejecuta un script o binario: ${scriptValue.slice(0, 100)}`,
+        package: hook,
+        recommendation: `Verificar que el script ejecutado es seguro y necesario.`,
+      });
+    }
+  }
+}