secure-scan 1.2.2

package/dist/rules/malware/categories/cryptominers.js

@@ -0,0 +1,415 @@
+"use strict";
+/**
+ * @fileoverview Cryptominer Detection Rules
+ * @module rules/malware/categories/cryptominers
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cryptominerRules = exports.resourceAbuseRules = exports.miningSoftwareRules = exports.walletDetectionRules = exports.poolConnectionRules = exports.browserMinerRules = void 0;
+const types_1 = require("../types");
+// ============================================================================
+// BROWSER MINER DETECTION RULES
+// ============================================================================
+exports.browserMinerRules = [
+    {
+        id: 'MAL-MINE-001',
+        name: 'Browser Cryptominer - Known Services',
+        description: 'Detects references to known browser mining services like CoinHive.',
+        version: '2.0.0',
+        threatType: types_1.MalwareThreatType.CRYPTOMINER,
+        category: types_1.MalwareCategory.CRYPTOMINER,
+        languages: [types_1.SupportedLanguage.JAVASCRIPT, types_1.SupportedLanguage.TYPESCRIPT],
+        severity: types_1.MalwareSeverity.HIGH,
+        confidence: types_1.ConfidenceLevel.CONFIRMED,
+        baseScore: 88,
+        patterns: [
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'known-miner-services',
+                pattern: '(?:coinhive|cryptoloot|coin-hive|crypto-loot|minero|webminer|browser-mine|cryptonight)',
+                flags: 'gi',
+                weight: 1.0,
+                description: 'Known browser miner service references'
+            },
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'miner-constructor',
+                pattern: 'new\\s+(?:CoinHive|Coinimp)(?:\\.Anonymous)?\\s*\\([\'"][a-zA-Z0-9]{32,}',
+                flags: 'g',
+                weight: 1.0,
+                description: 'Mining service instantiation with key'
+            }
+        ],
+        maliciousExamples: [
+            {
+                code: `var miner = new CoinHive.Anonymous('site-key-123');`,
+                language: types_1.SupportedLanguage.JAVASCRIPT,
+                isMalicious: true,
+                description: 'CoinHive instantiation'
+            }
+        ],
+        impact: {
+            technical: 'Uses visitor CPU for cryptocurrency mining.',
+            business: 'User experience degradation.',
+            affectedAssets: ['Client devices'],
+            dataAtRisk: []
+        },
+        remediation: {
+            summary: 'Remove all cryptominer references.',
+            steps: ['Remove miner scripts', 'Scan for injection point']
+        },
+        mitreAttack: [
+            {
+                tacticId: types_1.MitreTactic.IMPACT,
+                tacticName: 'Impact',
+                techniqueId: 'T1496',
+                techniqueName: 'Resource Hijacking',
+                url: 'https://attack.mitre.org/techniques/T1496/'
+            }
+        ],
+        tags: ['cryptominer', 'browser', 'high'],
+        enabled: true
+    },
+    {
+        id: 'MAL-MINE-002',
+        name: 'WASM Cryptominer',
+        description: 'Detects WebAssembly-based miners.',
+        version: '2.0.0',
+        threatType: types_1.MalwareThreatType.CRYPTOMINER,
+        category: types_1.MalwareCategory.CRYPTOMINER,
+        languages: [types_1.SupportedLanguage.JAVASCRIPT, types_1.SupportedLanguage.TYPESCRIPT],
+        severity: types_1.MalwareSeverity.HIGH,
+        confidence: types_1.ConfidenceLevel.HIGH,
+        baseScore: 85,
+        patterns: [
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'wasm-mining-load',
+                pattern: 'WebAssembly\\.instantiate(?:Streaming)?.*(?:hash|mine|crypto)',
+                flags: 'gis',
+                weight: 0.9,
+                description: 'WASM instantiation with mining context'
+            },
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'wasm-randomx',
+                pattern: 'randomx|cryptonight.*wasm',
+                flags: 'gi',
+                weight: 0.95,
+                description: 'Known WASM mining algorithms'
+            }
+        ],
+        maliciousExamples: [
+            {
+                code: `WebAssembly.instantiate(wasmCode).then(m => m.exports.cryptonight_hash());`,
+                language: types_1.SupportedLanguage.JAVASCRIPT,
+                isMalicious: true,
+                description: 'WASM cryptominer'
+            }
+        ],
+        impact: {
+            technical: 'High-performance client-side mining.',
+            business: 'Device resource abuse.',
+            affectedAssets: ['Client CPU'],
+            dataAtRisk: []
+        },
+        remediation: {
+            summary: 'Remove WASM miner code.',
+            steps: ['Remove WASM module', 'Remove loader script']
+        },
+        mitreAttack: [
+            {
+                tacticId: types_1.MitreTactic.IMPACT,
+                tacticName: 'Impact',
+                techniqueId: 'T1496',
+                techniqueName: 'Resource Hijacking',
+                url: 'https://attack.mitre.org/techniques/T1496/'
+            }
+        ],
+        tags: ['cryptominer', 'wasm', 'high'],
+        enabled: true
+    }
+];
+// ============================================================================
+// POOL CONNECTION DETECTION RULES
+// ============================================================================
+exports.poolConnectionRules = [
+    {
+        id: 'MAL-MINE-010',
+        name: 'Mining Pool Connection - Stratum Protocol',
+        description: 'Detects Stratum mining pool protocol connections.',
+        version: '2.0.0',
+        threatType: types_1.MalwareThreatType.CRYPTOMINER,
+        category: types_1.MalwareCategory.CRYPTOMINER,
+        languages: [types_1.SupportedLanguage.JAVASCRIPT, types_1.SupportedLanguage.PYTHON],
+        severity: types_1.MalwareSeverity.HIGH,
+        confidence: types_1.ConfidenceLevel.HIGH,
+        baseScore: 85,
+        patterns: [
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'stratum-protocol',
+                pattern: 'stratum\\+(?:tcp|ssl):\\/\\/[^\\s"\']+',
+                flags: 'gi',
+                weight: 1.0,
+                description: 'Stratum mining pool URL'
+            },
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'pool-domains',
+                pattern: '(?:pool|mining|mine|hashrate)\\.[a-z0-9-]+\\.(?:com|net|org|io)(?::\\d+)?',
+                flags: 'gi',
+                weight: 0.85,
+                description: 'Common mining pool domain pattern'
+            },
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'mining-json-rpc',
+                pattern: '(?:mining\\.subscribe|mining\\.authorize|mining\\.submit)',
+                flags: 'gi',
+                weight: 1.0,
+                description: 'Stratum JSON-RPC methods'
+            }
+        ],
+        maliciousExamples: [
+            {
+                code: `connectPool('stratum+tcp://pool.monero.hashrate.io:3333');`,
+                language: types_1.SupportedLanguage.JAVASCRIPT,
+                isMalicious: true,
+                description: 'Mining pool connection'
+            }
+        ],
+        impact: {
+            technical: 'Connects to mining pool infrastructure.',
+            business: 'Unauthorized resource usage.',
+            affectedAssets: ['Network bandwidth', 'CPU'],
+            dataAtRisk: []
+        },
+        remediation: {
+            summary: 'Remove mining pool connections.',
+            steps: ['Remove connection code', 'Block pool domains']
+        },
+        mitreAttack: [
+            {
+                tacticId: types_1.MitreTactic.IMPACT,
+                tacticName: 'Impact',
+                techniqueId: 'T1496',
+                techniqueName: 'Resource Hijacking',
+                url: 'https://attack.mitre.org/techniques/T1496/'
+            }
+        ],
+        tags: ['cryptominer', 'pool', 'stratum', 'high'],
+        enabled: true
+    }
+];
+// ============================================================================
+// WALLET DETECTION RULES
+// ============================================================================
+exports.walletDetectionRules = [
+    {
+        id: 'MAL-MINE-020',
+        name: 'Hardcoded Cryptocurrency Wallet',
+        description: 'Detects hardcoded cryptocurrency wallet addresses.',
+        version: '2.0.0',
+        threatType: types_1.MalwareThreatType.CRYPTOMINER,
+        category: types_1.MalwareCategory.CRYPTOMINER,
+        languages: [types_1.SupportedLanguage.JAVASCRIPT, types_1.SupportedLanguage.PYTHON, types_1.SupportedLanguage.PHP],
+        severity: types_1.MalwareSeverity.MEDIUM,
+        confidence: types_1.ConfidenceLevel.HIGH,
+        baseScore: 75,
+        patterns: [
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'monero-wallet',
+                pattern: '(?:[48])[0-9AB][1-9A-HJ-NP-Za-km-z]{93}',
+                flags: 'g',
+                weight: 1.0,
+                description: 'Monero wallet address'
+            },
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'bitcoin-wallet',
+                pattern: '(?:bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}',
+                flags: 'g',
+                weight: 0.9,
+                description: 'Bitcoin wallet address'
+            },
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'ethereum-wallet',
+                pattern: '0x[a-fA-F0-9]{40}',
+                flags: 'g',
+                weight: 0.8,
+                description: 'Ethereum wallet address'
+            }
+        ],
+        maliciousExamples: [
+            {
+                code: `const wallet = '0x742d35Cc6634C0532925a3b844Bc9e7595f';`,
+                language: types_1.SupportedLanguage.JAVASCRIPT,
+                isMalicious: true,
+                description: 'Hardcoded ETH wallet'
+            }
+        ],
+        impact: {
+            technical: 'Funds mining proceeds to specific wallet.',
+            business: 'Resource theft.',
+            affectedAssets: ['Computing resources'],
+            dataAtRisk: []
+        },
+        remediation: {
+            summary: 'Remove wallet addresses.',
+            steps: ['Remove hardcoded wallet', 'Investigate mining code']
+        },
+        mitreAttack: [
+            {
+                tacticId: types_1.MitreTactic.IMPACT,
+                tacticName: 'Impact',
+                techniqueId: 'T1496',
+                techniqueName: 'Resource Hijacking',
+                url: 'https://attack.mitre.org/techniques/T1496/'
+            }
+        ],
+        tags: ['cryptominer', 'wallet', 'medium'],
+        enabled: true
+    }
+];
+// ============================================================================
+// MINING SOFTWARE DETECTION RULES
+// ============================================================================
+exports.miningSoftwareRules = [
+    {
+        id: 'MAL-MINE-030',
+        name: 'Mining Software References',
+        description: 'Detects references to known mining software.',
+        version: '2.0.0',
+        threatType: types_1.MalwareThreatType.CRYPTOMINER,
+        category: types_1.MalwareCategory.CRYPTOMINER,
+        languages: [types_1.SupportedLanguage.PYTHON, types_1.SupportedLanguage.SHELL],
+        severity: types_1.MalwareSeverity.HIGH,
+        confidence: types_1.ConfidenceLevel.CONFIRMED,
+        baseScore: 90,
+        patterns: [
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'known-miners',
+                pattern: '(?:xmrig|xmr-stak|cpuminer|cgminer|bfgminer|nicehash|minergate|claymore)',
+                flags: 'gi',
+                weight: 1.0,
+                description: 'Known mining software names'
+            },
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'miner-execution',
+                pattern: '(?:exec|system|subprocess\\.run).*(?:xmrig|cpuminer)',
+                flags: 'gi',
+                weight: 1.0,
+                description: 'Mining software execution'
+            }
+        ],
+        maliciousExamples: [
+            {
+                code: `subprocess.run(['./xmrig', '-o', 'pool.com:3333']);`,
+                language: types_1.SupportedLanguage.PYTHON,
+                isMalicious: true,
+                description: 'XMRig execution'
+            }
+        ],
+        impact: {
+            technical: 'Executes cryptocurrency mining software.',
+            business: 'Resource abuse.',
+            affectedAssets: ['CPU', 'GPU'],
+            dataAtRisk: []
+        },
+        remediation: {
+            summary: 'Remove mining software references.',
+            steps: ['Remove binaries', 'Remove execution code']
+        },
+        mitreAttack: [
+            {
+                tacticId: types_1.MitreTactic.EXECUTION,
+                tacticName: 'Execution',
+                techniqueId: 'T1204',
+                techniqueName: 'User Execution',
+                url: 'https://attack.mitre.org/techniques/T1204/'
+            }
+        ],
+        tags: ['cryptominer', 'software', 'high'],
+        enabled: true
+    }
+];
+// ============================================================================
+// RESOURCE ABUSE DETECTION RULES
+// ============================================================================
+exports.resourceAbuseRules = [
+    {
+        id: 'MAL-MINE-040',
+        name: 'Resource Abuse - Intensive CPU Loops',
+        description: 'Detects patterns that abuse CPU resources for mining.',
+        version: '2.0.0',
+        threatType: types_1.MalwareThreatType.CRYPTOMINER,
+        category: types_1.MalwareCategory.CRYPTOMINER,
+        languages: [types_1.SupportedLanguage.JAVASCRIPT],
+        severity: types_1.MalwareSeverity.MEDIUM,
+        confidence: types_1.ConfidenceLevel.MEDIUM,
+        baseScore: 70,
+        patterns: [
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'webworker-intensive',
+                pattern: 'new\\s+Worker.*(?:while\\s*\\(\\s*true\\s*\\)|for\\s*\\(\\s*;\\s*;\\s*\\))',
+                flags: 'gis',
+                weight: 0.85,
+                description: 'Web Worker with infinite loop'
+            },
+            {
+                type: types_1.PatternType.REGEX,
+                patternId: 'high-cpu-pattern',
+                pattern: '(?:navigator\\.hardwareConcurrency|performance\\.now).*(?:Worker|postMessage)',
+                flags: 'gis',
+                weight: 0.7,
+                description: 'Hardware concurrency check with workers'
+            }
+        ],
+        maliciousExamples: [
+            {
+                code: `for(let i=0; i<navigator.hardwareConcurrency; i++) new Worker(mineScript);`,
+                language: types_1.SupportedLanguage.JAVASCRIPT,
+                isMalicious: true,
+                description: 'Multi-worker mining'
+            }
+        ],
+        impact: {
+            technical: 'High CPU usage for mining.',
+            business: 'Resource drain.',
+            affectedAssets: ['CPU'],
+            dataAtRisk: []
+        },
+        remediation: {
+            summary: 'Remove intensive computation code.',
+            steps: ['Remove workers', 'Audit compute patterns']
+        },
+        mitreAttack: [
+            {
+                tacticId: types_1.MitreTactic.IMPACT,
+                tacticName: 'Impact',
+                techniqueId: 'T1496',
+                techniqueName: 'Resource Hijacking',
+                url: 'https://attack.mitre.org/techniques/T1496/'
+            }
+        ],
+        tags: ['cryptominer', 'resource-abuse', 'medium'],
+        enabled: true
+    }
+];
+// ============================================================================
+// EXPORTS
+// ============================================================================
+exports.cryptominerRules = [
+    ...exports.browserMinerRules,
+    ...exports.poolConnectionRules,
+    ...exports.walletDetectionRules,
+    ...exports.miningSoftwareRules,
+    ...exports.resourceAbuseRules
+];
+exports.default = exports.cryptominerRules;
+//# sourceMappingURL=cryptominers.js.map

package/dist/rules/malware/categories/cryptominers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cryptominers.js","sourceRoot":"","sources":["../../../../src/rules/malware/categories/cryptominers.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,oCASkB;AAElB,+EAA+E;AAC/E,gCAAgC;AAChC,+EAA+E;AAElE,QAAA,iBAAiB,GAAkB;IAC9C;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,sCAAsC;QAC5C,WAAW,EAAE,oEAAoE;QACjF,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,yBAAiB,CAAC,WAAW;QACzC,QAAQ,EAAE,uBAAe,CAAC,WAAW;QACrC,SAAS,EAAE,CAAC,yBAAiB,CAAC,UAAU,EAAE,yBAAiB,CAAC,UAAU,CAAC;QACvE,QAAQ,EAAE,uBAAe,CAAC,IAAI;QAC9B,UAAU,EAAE,uBAAe,CAAC,SAAS;QACrC,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,sBAAsB;gBACjC,OAAO,EAAE,wFAAwF;gBACjG,KAAK,EAAE,IAAI;gBACX,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,wCAAwC;aACtD;YACD;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,mBAAmB;gBAC9B,OAAO,EAAE,0EAA0E;gBACnF,KAAK,EAAE,GAAG;gBACV,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,uCAAuC;aACrD;SACF;QACD,iBAAiB,EAAE;YACjB;gBACE,IAAI,EAAE,qDAAqD;gBAC3D,QAAQ,EAAE,yBAAiB,CAAC,UAAU;gBACtC,WAAW,EAAE,IAAI;gBACjB,WAAW,EAAE,wBAAwB;aACtC;SACF;QACD,MAAM,EAAE;YACN,SAAS,EAAE,6CAA6C;YACxD,QAAQ,EAAE,8BAA8B;YACxC,cAAc,EAAE,CAAC,gBAAgB,CAAC;YAClC,UAAU,EAAE,EAAE;SACf;QACD,WAAW,EAAE;YACX,OAAO,EAAE,oCAAoC;YAC7C,KAAK,EAAE,CAAC,sBAAsB,EAAE,0BAA0B,CAAC;SAC5D;QACD,WAAW,EAAE;YACX;gBACE,QAAQ,EAAE,mBAAW,CAAC,MAAM;gBAC5B,UAAU,EAAE,QAAQ;gBACpB,WAAW,EAAE,OAAO;gBACpB,aAAa,EAAE,oBAAoB;gBACnC,GAAG,EAAE,4CAA4C;aAClD;SACF;QACD,IAAI,EAAE,CAAC,aAAa,EAAE,SAAS,EAAE,MAAM,CAAC;QACxC,OAAO,EAAE,IAAI;KACd;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,mCAAmC;QAChD,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,yBAAiB,CAAC,WAAW;QACzC,QAAQ,EAAE,uBAAe,CAAC,WAAW;QACrC,SAAS,EAAE,CAAC,yBAAiB,CAAC,UAAU,EAAE,yBAAiB,CAAC,UAAU,CAAC;QACvE,QAAQ,EAAE,uBAAe,CAAC,IAAI;QAC9B,UAAU,EAAE,uBAAe,CAAC,IAAI;QAChC,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,OAAO,EAAE,+DAA+D;gBACxE,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,wCAAwC;aACtD;YACD;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,cAAc;gBACzB,OAAO,EAAE,2BAA2B;gBACpC,KAAK,EAAE,IAAI;gBACX,MAAM,EAAE,IAAI;gBACZ,WAAW,EAAE,8BAA8B;aAC5C;SACF;QACD,iBAAiB,EAAE;YACjB;gBACE,IAAI,EAAE,4EAA4E;gBAClF,QAAQ,EAAE,yBAAiB,CAAC,UAAU;gBACtC,WAAW,EAAE,IAAI;gBACjB,WAAW,EAAE,kBAAkB;aAChC;SACF;QACD,MAAM,EAAE;YACN,SAAS,EAAE,sCAAsC;YACjD,QAAQ,EAAE,wBAAwB;YAClC,cAAc,EAAE,CAAC,YAAY,CAAC;YAC9B,UAAU,EAAE,EAAE;SACf;QACD,WAAW,EAAE;YACX,OAAO,EAAE,yBAAyB;YAClC,KAAK,EAAE,CAAC,oBAAoB,EAAE,sBAAsB,CAAC;SACtD;QACD,WAAW,EAAE;YACX;gBACE,QAAQ,EAAE,mBAAW,CAAC,MAAM;gBAC5B,UAAU,EAAE,QAAQ;gBACpB,WAAW,EAAE,OAAO;gBACpB,aAAa,EAAE,oBAAoB;gBACnC,GAAG,EAAE,4CAA4C;aAClD;SACF;QACD,IAAI,EAAE,CAAC,aAAa,EAAE,MAAM,EAAE,MAAM,CAAC;QACrC,OAAO,EAAE,IAAI;KACd;CACF,CAAC;AAEF,+EAA+E;AAC/E,kCAAkC;AAClC,+EAA+E;AAElE,QAAA,mBAAmB,GAAkB;IAChD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,2CAA2C;QACjD,WAAW,EAAE,mDAAmD;QAChE,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,yBAAiB,CAAC,WAAW;QACzC,QAAQ,EAAE,uBAAe,CAAC,WAAW;QACrC,SAAS,EAAE,CAAC,yBAAiB,CAAC,UAAU,EAAE,yBAAiB,CAAC,MAAM,CAAC;QACnE,QAAQ,EAAE,uBAAe,CAAC,IAAI;QAC9B,UAAU,EAAE,uBAAe,CAAC,IAAI;QAChC,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,OAAO,EAAE,wCAAwC;gBACjD,KAAK,EAAE,IAAI;gBACX,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,yBAAyB;aACvC;YACD;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,cAAc;gBACzB,OAAO,EAAE,2EAA2E;gBACpF,KAAK,EAAE,IAAI;gBACX,MAAM,EAAE,IAAI;gBACZ,WAAW,EAAE,mCAAmC;aACjD;YACD;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,iBAAiB;gBAC5B,OAAO,EAAE,2DAA2D;gBACpE,KAAK,EAAE,IAAI;gBACX,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,0BAA0B;aACxC;SACF;QACD,iBAAiB,EAAE;YACjB;gBACE,IAAI,EAAE,4DAA4D;gBAClE,QAAQ,EAAE,yBAAiB,CAAC,UAAU;gBACtC,WAAW,EAAE,IAAI;gBACjB,WAAW,EAAE,wBAAwB;aACtC;SACF;QACD,MAAM,EAAE;YACN,SAAS,EAAE,yCAAyC;YACpD,QAAQ,EAAE,8BAA8B;YACxC,cAAc,EAAE,CAAC,mBAAmB,EAAE,KAAK,CAAC;YAC5C,UAAU,EAAE,EAAE;SACf;QACD,WAAW,EAAE;YACX,OAAO,EAAE,iCAAiC;YAC1C,KAAK,EAAE,CAAC,wBAAwB,EAAE,oBAAoB,CAAC;SACxD;QACD,WAAW,EAAE;YACX;gBACE,QAAQ,EAAE,mBAAW,CAAC,MAAM;gBAC5B,UAAU,EAAE,QAAQ;gBACpB,WAAW,EAAE,OAAO;gBACpB,aAAa,EAAE,oBAAoB;gBACnC,GAAG,EAAE,4CAA4C;aAClD;SACF;QACD,IAAI,EAAE,CAAC,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,CAAC;QAChD,OAAO,EAAE,IAAI;KACd;CACF,CAAC;AAEF,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAElE,QAAA,oBAAoB,GAAkB;IACjD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,iCAAiC;QACvC,WAAW,EAAE,oDAAoD;QACjE,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,yBAAiB,CAAC,WAAW;QACzC,QAAQ,EAAE,uBAAe,CAAC,WAAW;QACrC,SAAS,EAAE,CAAC,yBAAiB,CAAC,UAAU,EAAE,yBAAiB,CAAC,MAAM,EAAE,yBAAiB,CAAC,GAAG,CAAC;QAC1F,QAAQ,EAAE,uBAAe,CAAC,MAAM;QAChC,UAAU,EAAE,uBAAe,CAAC,IAAI;QAChC,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,eAAe;gBAC1B,OAAO,EAAE,yCAAyC;gBAClD,KAAK,EAAE,GAAG;gBACV,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,uBAAuB;aACrC;YACD;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,gBAAgB;gBAC3B,OAAO,EAAE,sCAAsC;gBAC/C,KAAK,EAAE,GAAG;gBACV,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,wBAAwB;aACtC;YACD;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,iBAAiB;gBAC5B,OAAO,EAAE,mBAAmB;gBAC5B,KAAK,EAAE,GAAG;gBACV,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,yBAAyB;aACvC;SACF;QACD,iBAAiB,EAAE;YACjB;gBACE,IAAI,EAAE,yDAAyD;gBAC/D,QAAQ,EAAE,yBAAiB,CAAC,UAAU;gBACtC,WAAW,EAAE,IAAI;gBACjB,WAAW,EAAE,sBAAsB;aACpC;SACF;QACD,MAAM,EAAE;YACN,SAAS,EAAE,2CAA2C;YACtD,QAAQ,EAAE,iBAAiB;YAC3B,cAAc,EAAE,CAAC,qBAAqB,CAAC;YACvC,UAAU,EAAE,EAAE;SACf;QACD,WAAW,EAAE;YACX,OAAO,EAAE,0BAA0B;YACnC,KAAK,EAAE,CAAC,yBAAyB,EAAE,yBAAyB,CAAC;SAC9D;QACD,WAAW,EAAE;YACX;gBACE,QAAQ,EAAE,mBAAW,CAAC,MAAM;gBAC5B,UAAU,EAAE,QAAQ;gBACpB,WAAW,EAAE,OAAO;gBACpB,aAAa,EAAE,oBAAoB;gBACnC,GAAG,EAAE,4CAA4C;aAClD;SACF;QACD,IAAI,EAAE,CAAC,aAAa,EAAE,QAAQ,EAAE,QAAQ,CAAC;QACzC,OAAO,EAAE,IAAI;KACd;CACF,CAAC;AAEF,+EAA+E;AAC/E,kCAAkC;AAClC,+EAA+E;AAElE,QAAA,mBAAmB,GAAkB;IAChD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,4BAA4B;QAClC,WAAW,EAAE,8CAA8C;QAC3D,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,yBAAiB,CAAC,WAAW;QACzC,QAAQ,EAAE,uBAAe,CAAC,WAAW;QACrC,SAAS,EAAE,CAAC,yBAAiB,CAAC,MAAM,EAAE,yBAAiB,CAAC,KAAK,CAAC;QAC9D,QAAQ,EAAE,uBAAe,CAAC,IAAI;QAC9B,UAAU,EAAE,uBAAe,CAAC,SAAS;QACrC,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,cAAc;gBACzB,OAAO,EAAE,0EAA0E;gBACnF,KAAK,EAAE,IAAI;gBACX,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,6BAA6B;aAC3C;YACD;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,iBAAiB;gBAC5B,OAAO,EAAE,sDAAsD;gBAC/D,KAAK,EAAE,IAAI;gBACX,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,2BAA2B;aACzC;SACF;QACD,iBAAiB,EAAE;YACjB;gBACE,IAAI,EAAE,qDAAqD;gBAC3D,QAAQ,EAAE,yBAAiB,CAAC,MAAM;gBAClC,WAAW,EAAE,IAAI;gBACjB,WAAW,EAAE,iBAAiB;aAC/B;SACF;QACD,MAAM,EAAE;YACN,SAAS,EAAE,0CAA0C;YACrD,QAAQ,EAAE,iBAAiB;YAC3B,cAAc,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;YAC9B,UAAU,EAAE,EAAE;SACf;QACD,WAAW,EAAE;YACX,OAAO,EAAE,oCAAoC;YAC7C,KAAK,EAAE,CAAC,iBAAiB,EAAE,uBAAuB,CAAC;SACpD;QACD,WAAW,EAAE;YACX;gBACE,QAAQ,EAAE,mBAAW,CAAC,SAAS;gBAC/B,UAAU,EAAE,WAAW;gBACvB,WAAW,EAAE,OAAO;gBACpB,aAAa,EAAE,gBAAgB;gBAC/B,GAAG,EAAE,4CAA4C;aAClD;SACF;QACD,IAAI,EAAE,CAAC,aAAa,EAAE,UAAU,EAAE,MAAM,CAAC;QACzC,OAAO,EAAE,IAAI;KACd;CACF,CAAC;AAEF,+EAA+E;AAC/E,iCAAiC;AACjC,+EAA+E;AAElE,QAAA,kBAAkB,GAAkB;IAC/C;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,sCAAsC;QAC5C,WAAW,EAAE,uDAAuD;QACpE,OAAO,EAAE,OAAO;QAChB,UAAU,EAAE,yBAAiB,CAAC,WAAW;QACzC,QAAQ,EAAE,uBAAe,CAAC,WAAW;QACrC,SAAS,EAAE,CAAC,yBAAiB,CAAC,UAAU,CAAC;QACzC,QAAQ,EAAE,uBAAe,CAAC,MAAM;QAChC,UAAU,EAAE,uBAAe,CAAC,MAAM;QAClC,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE;YACR;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,qBAAqB;gBAChC,OAAO,EAAE,4EAA4E;gBACrF,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,IAAI;gBACZ,WAAW,EAAE,+BAA+B;aAC7C;YACD;gBACE,IAAI,EAAE,mBAAW,CAAC,KAAK;gBACvB,SAAS,EAAE,kBAAkB;gBAC7B,OAAO,EAAE,+EAA+E;gBACxF,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,GAAG;gBACX,WAAW,EAAE,yCAAyC;aACvD;SACF;QACD,iBAAiB,EAAE;YACjB;gBACE,IAAI,EAAE,4EAA4E;gBAClF,QAAQ,EAAE,yBAAiB,CAAC,UAAU;gBACtC,WAAW,EAAE,IAAI;gBACjB,WAAW,EAAE,qBAAqB;aACnC;SACF;QACD,MAAM,EAAE;YACN,SAAS,EAAE,4BAA4B;YACvC,QAAQ,EAAE,iBAAiB;YAC3B,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,UAAU,EAAE,EAAE;SACf;QACD,WAAW,EAAE;YACX,OAAO,EAAE,oCAAoC;YAC7C,KAAK,EAAE,CAAC,gBAAgB,EAAE,wBAAwB,CAAC;SACpD;QACD,WAAW,EAAE;YACX;gBACE,QAAQ,EAAE,mBAAW,CAAC,MAAM;gBAC5B,UAAU,EAAE,QAAQ;gBACpB,WAAW,EAAE,OAAO;gBACpB,aAAa,EAAE,oBAAoB;gBACnC,GAAG,EAAE,4CAA4C;aAClD;SACF;QACD,IAAI,EAAE,CAAC,aAAa,EAAE,gBAAgB,EAAE,QAAQ,CAAC;QACjD,OAAO,EAAE,IAAI;KACd;CACF,CAAC;AAEF,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAElE,QAAA,gBAAgB,GAAkB;IAC7C,GAAG,yBAAiB;IACpB,GAAG,2BAAmB;IACtB,GAAG,4BAAoB;IACvB,GAAG,2BAAmB;IACtB,GAAG,0BAAkB;CACtB,CAAC;AAEF,kBAAe,wBAAgB,CAAC"}

package/dist/rules/malware/categories/exfiltration.d.ts

@@ -0,0 +1,20 @@
+/**
+ * @fileoverview Data Exfiltration and Credential Theft Detection Rules
+ * @module rules/malware/categories/exfiltration
+ *
+ * Comprehensive rules for detecting data theft including:
+ * - Token stealers (JWT, OAuth, API keys)
+ * - Cookie stealers
+ * - Credential harvesters
+ * - localStorage/sessionStorage theft
+ * - Sensitive data exfiltration
+ */
+import { MalwareRule } from '../types';
+export declare const tokenStealerRules: MalwareRule[];
+export declare const cookieStealerRules: MalwareRule[];
+export declare const credentialHarvesterRules: MalwareRule[];
+export declare const storageTheftRules: MalwareRule[];
+export declare const sensitiveDataRules: MalwareRule[];
+export declare const exfiltrationRules: MalwareRule[];
+export default exfiltrationRules;
+//# sourceMappingURL=exfiltration.d.ts.map

package/dist/rules/malware/categories/exfiltration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exfiltration.d.ts","sourceRoot":"","sources":["../../../../src/rules/malware/categories/exfiltration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,WAAW,EAQZ,MAAM,UAAU,CAAC;AAMlB,eAAO,MAAM,iBAAiB,EAAE,WAAW,EA6J1C,CAAC;AAMF,eAAO,MAAM,kBAAkB,EAAE,WAAW,EAsG3C,CAAC;AAMF,eAAO,MAAM,wBAAwB,EAAE,WAAW,EA6IjD,CAAC;AAMF,eAAO,MAAM,iBAAiB,EAAE,WAAW,EAqI1C,CAAC;AAMF,eAAO,MAAM,kBAAkB,EAAE,WAAW,EA8E3C,CAAC;AAMF,eAAO,MAAM,iBAAiB,EAAE,WAAW,EAM1C,CAAC;AAEF,eAAe,iBAAiB,CAAC"}