ship-safe 6.4.0 → 7.0.0

package/README.md

@@ -74,8 +74,6 @@ npx ship-safe hooks status
 npx ship-safe hooks remove
 ```
 
-![ship-safe terminal demo](.github/assets/ship%20safe%20terminal.jpg)
-
 ---
 
 ## The `audit` Command

package/cli/agents/agent-config-scanner.js

@@ -37,11 +37,24 @@ const AGENT_RULES_FILES = [
   '.github/copilot-instructions.md',
   '.aider.conf.yml',
   '.continue/config.json',
+  // Gemini CLI
+  '.gemini/settings.json',
+  '.gemini/rules.md',
+  // Cody (Sourcegraph)
+  '.cody/config.json',
+  '.cody/context.json',
+  // Augment Code
+  '.augment/config.json',
 ];
 
 const AGENT_RULES_GLOBS = [
   '.cursor/rules/*.mdc',
   '.claude/commands/*.md',
+  // Gemini CLI commands
+  '.gemini/commands/*.md',
+  // Cody custom commands
+  '.cody/commands/*.md',
+  '.cody/rules/*.md',
 ];
 
 const OPENCLAW_FILES = [
@@ -84,6 +97,8 @@ const MEMORY_GLOBS = [
   '.claude/memory/**',
   '.cursor/memory/**',
   '.continue/memory/**',
+  '.gemini/memory/**',
+  '.cody/memory/**',
 ];
 
 // =============================================================================

package/cli/agents/deep-analyzer.js

@@ -25,8 +25,15 @@ import { createProvider, autoDetectProvider } from '../providers/llm-provider.js
 // CONSTANTS
 // =============================================================================
 
-/** Max file content to send per finding (tokens are expensive) */
-const MAX_FILE_CHARS = 4000;
+/** Max file content per finding for standard providers (tokens cost money) */
+const MAX_FILE_CHARS_DEFAULT = 4000;
+
+/**
+ * Max file content per finding for large-context providers (Gemma 4 128K–256K).
+ * Sending the full file enables cross-function taint tracing that a 40-line
+ * window cannot catch.
+ */
+const MAX_FILE_CHARS_LARGE_CTX = 80000;
 
 /** Max findings to analyze per run (cost control) */
 const MAX_FINDINGS = 30;
@@ -84,6 +91,14 @@ export class DeepAnalyzer {
     this.verbose = options.verbose || false;
     this.spentCents = 0;
     this.analyzedCount = 0;
+
+    // If the provider advertises a large context window (Gemma 4, etc.),
+    // increase file context and batch size to take full advantage.
+    const ctxWindow = this.provider?.contextWindow ?? 0;
+    this.largeContext = ctxWindow >= 65536;
+    this.maxFileChars = this.largeContext ? MAX_FILE_CHARS_LARGE_CTX : MAX_FILE_CHARS_DEFAULT;
+    // Larger batches for local large-context models (no per-token cost)
+    this.batchSize = this.largeContext ? 15 : 5;
   }
 
   /**
@@ -91,11 +106,11 @@ export class DeepAnalyzer {
    * Returns null if no provider is available.
    */
   static create(rootPath, options = {}) {
-    // --local flag: use Ollama
+    // --local flag: use Gemma 4 via Ollama (structured output, large context)
     if (options.local) {
-      const provider = createProvider('ollama', null, {
-        model: options.model || 'llama3.2',
-        baseUrl: options.ollamaUrl || 'http://localhost:11434/api/chat',
+      const provider = createProvider('gemma4', null, {
+        model:   options.model,
+        baseUrl: options.ollamaUrl,
       });
       return new DeepAnalyzer({ provider, ...options });
     }
@@ -141,11 +156,10 @@ export class DeepAnalyzer {
       toAnalyze.length = Math.max(1, affordable);
     }
 
-    // Batch findings (5 per request to balance cost vs. context)
-    const batchSize = 5;
+    // Batch findings — larger batches for large-context providers (Gemma 4 etc.)
     const results = new Map();
 
-    for (let i = 0; i < toAnalyze.length; i += batchSize) {
+    for (let i = 0; i < toAnalyze.length; i += this.batchSize) {
       // Budget check before each batch
       if (this.spentCents >= this.budgetCents) {
         if (this.verbose) {
@@ -154,7 +168,7 @@ export class DeepAnalyzer {
         break;
       }
 
-      const batch = toAnalyze.slice(i, i + batchSize);
+      const batch = toAnalyze.slice(i, i + this.batchSize);
       const prompt = this._buildPrompt(batch, context);
 
       try {
@@ -261,16 +275,22 @@ ${JSON.stringify(items, null, 2)}`;
       const lines = content.split('\n');
       const lineNum = finding.line || 1;
 
-      // Get a window of ~40 lines around the finding
-      const start = Math.max(0, lineNum - 21);
-      const end = Math.min(lines.length, lineNum + 20);
-      let context = lines.slice(start, end)
-        .map((l, i) => `${start + i + 1}: ${l}`)
-        .join('\n');
+      let context;
+      if (this.largeContext) {
+        // Large-context providers (Gemma 4): send the entire file so the model
+        // can trace taint flows across functions, not just the immediate window.
+        context = lines.map((l, i) => `${i + 1}: ${l}`).join('\n');
+      } else {
+        // Standard providers: 40-line window around the finding
+        const start = Math.max(0, lineNum - 21);
+        const end = Math.min(lines.length, lineNum + 20);
+        context = lines.slice(start, end)
+          .map((l, i) => `${start + i + 1}: ${l}`)
+          .join('\n');
+      }
 
-      // Truncate if too long
-      if (context.length > MAX_FILE_CHARS) {
-        context = context.slice(0, MAX_FILE_CHARS) + '\n... (truncated)';
+      if (context.length > this.maxFileChars) {
+        context = context.slice(0, this.maxFileChars) + '\n... (truncated)';
       }
 
       return context;

package/cli/agents/index.js

@@ -26,6 +26,7 @@ export { PIIComplianceAgent } from './pii-compliance-agent.js';
 export { VibeCodingAgent } from './vibe-coding-agent.js';
 export { ExceptionHandlerAgent } from './exception-handler-agent.js';
 export { AgentConfigScanner } from './agent-config-scanner.js';
+export { MemoryPoisoningAgent } from './memory-poisoning-agent.js';
 export { LegalRiskAgent, LEGALLY_RISKY_PACKAGES } from './legal-risk-agent.js';
 export { ABOMGenerator } from './abom-generator.js';
 export { VerifierAgent } from './verifier-agent.js';
@@ -36,7 +37,7 @@ export { PolicyEngine } from './policy-engine.js';
 export { HTMLReporter } from './html-reporter.js';
 
 /**
- * Create a fully configured orchestrator with all 16 scanning agents.
+ * Create a fully configured orchestrator with all 19 scanning agents.
  * (VerifierAgent and DeepAnalyzer run as post-processors, not in the agent pool.)
  */
 import { Orchestrator as OrchestratorClass } from './orchestrator.js';
@@ -58,6 +59,7 @@ import { PIIComplianceAgent as PIIComplianceAgentClass } from './pii-compliance-
 import { VibeCodingAgent as VibeCodingAgentClass } from './vibe-coding-agent.js';
 import { ExceptionHandlerAgent as ExceptionHandlerAgentClass } from './exception-handler-agent.js';
 import { AgentConfigScanner as AgentConfigScannerClass } from './agent-config-scanner.js';
+import { MemoryPoisoningAgent as MemoryPoisoningAgentClass } from './memory-poisoning-agent.js';
 
 export function buildOrchestrator() {
   const orchestrator = new OrchestratorClass();
@@ -80,6 +82,7 @@ export function buildOrchestrator() {
     new VibeCodingAgentClass(),
     new ExceptionHandlerAgentClass(),
     new AgentConfigScannerClass(),
+    new MemoryPoisoningAgentClass(),
   ]);
   return orchestrator;
 }

package/cli/agents/memory-poisoning-agent.js

@@ -0,0 +1,304 @@
+/**
+ * Memory Poisoning Detection Agent
+ * ==================================
+ *
+ * Detects instruction injection in AI agent memory and context files.
+ *
+ * Memory poisoning occurs when an adversary implants false or malicious
+ * instructions into an agent's persistent storage — the agent "learns"
+ * the instruction and recalls it in future sessions.
+ *
+ * Targets:
+ *   - Claude Code memory files (.claude/memory/*.md, CLAUDE.md)
+ *   - Cursor rules (.cursorrules, .cursor/rules/*.mdc)
+ *   - Continue config (.continue/config.json, .continue/rules/*.md)
+ *   - Windsurf rules (.windsurfrules)
+ *   - Cody config (.cody/)
+ *   - Gemini CLI (.gemini/)
+ *   - Project docs that agents ingest (README, CONTRIBUTING, docs/)
+ *
+ * Attack vectors detected:
+ *   1. Direct instruction injection — "ignore previous instructions"
+ *   2. Hidden directives in markdown — invisible chars, HTML comments
+ *   3. Exfiltration instructions — "send", "upload", "POST to"
+ *   4. Tool abuse instructions — "run bash", "write to", "delete"
+ *   5. Persona hijacking — "you are now", "your new role"
+ *   6. Memory persistence — instructions designed to survive context resets
+ *
+ * Maps to: OWASP Agentic ASI01 (Agent Goal Hijacking),
+ *          ASI05 (Memory/Context Poisoning)
+ */
+
+import path from 'path';
+import fg from 'fast-glob';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+// =============================================================================
+// MEMORY / CONTEXT FILES TO SCAN
+// =============================================================================
+
+const MEMORY_GLOBS = [
+  // Claude Code
+  '.claude/memory/*.md',
+  '.claude/commands/*.md',
+  'CLAUDE.md',
+  // Cursor
+  '.cursorrules',
+  '.cursor/rules/*.mdc',
+  '.cursor/rules/*.md',
+  // Windsurf
+  '.windsurfrules',
+  // Continue
+  '.continue/config.json',
+  '.continue/rules/*.md',
+  // Cody
+  '.cody/*.md',
+  '.cody/config.json',
+  // Gemini CLI
+  '.gemini/*.md',
+  '.gemini/settings.json',
+  // Copilot
+  '.github/copilot-instructions.md',
+  // Aider
+  '.aider.conf.yml',
+];
+
+// Project docs that agents commonly ingest as context
+const DOC_GLOBS = [
+  'README.md',
+  'CONTRIBUTING.md',
+  'docs/**/*.md',
+  'AGENTS.md',
+  '.github/PULL_REQUEST_TEMPLATE.md',
+  '.github/ISSUE_TEMPLATE/*.md',
+];
+
+// =============================================================================
+// DETECTION PATTERNS
+// =============================================================================
+
+const INJECTION_PATTERNS = [
+  {
+    regex: /(?:ignore|disregard|forget|override)\s+(?:all\s+)?(?:previous|prior|above|earlier|system)\s+(?:instructions?|rules?|prompts?|constraints?|guidelines?)/gi,
+    rule: 'MEMORY_POISON_OVERRIDE',
+    title: 'Instruction Override in Agent Memory',
+    severity: 'critical',
+    description: 'File contains instructions to override previous agent rules. This is a classic prompt injection pattern that persists in agent memory.',
+    owasp: 'ASI01',
+    cwe: 'CWE-74',
+    fix: 'Remove the override instruction. If intentional, use the agent\'s official configuration mechanism instead.',
+  },
+  {
+    regex: /(?:you\s+are\s+now|your\s+new\s+(?:role|persona|identity)|from\s+now\s+on\s+you\s+(?:are|will|must|should))\s+/gi,
+    rule: 'MEMORY_POISON_PERSONA',
+    title: 'Persona Hijacking in Agent Memory',
+    severity: 'high',
+    description: 'File attempts to redefine the agent\'s persona or role. If this file is ingested as context, the agent may adopt the injected persona in future sessions.',
+    owasp: 'ASI01',
+    cwe: 'CWE-74',
+    fix: 'Remove the persona redefinition. Use the agent\'s system prompt or official configuration to set roles.',
+  },
+  {
+    regex: /(?:send|upload|post|transmit|exfiltrate|forward)\s+(?:all|any|the|this)?\s*(?:code|data|files?|contents?|secrets?|keys?|tokens?|credentials?|env|environment)\s+(?:to|via|using|through)\s+/gi,
+    rule: 'MEMORY_POISON_EXFILTRATE',
+    title: 'Exfiltration Instruction in Agent Memory',
+    severity: 'critical',
+    description: 'File instructs an agent to exfiltrate data to an external destination. If persisted in memory, the agent may execute this across sessions.',
+    owasp: 'ASI01',
+    cwe: 'CWE-200',
+    fix: 'Remove the exfiltration instruction immediately. Audit agent memory for other injected directives.',
+  },
+  {
+    regex: /(?:do\s+not|don'?t|never)\s+(?:tell|inform|show|reveal|display|mention|report|log)\s+(?:the\s+user|anyone|them)/gi,
+    rule: 'MEMORY_POISON_SUPPRESS',
+    title: 'Output Suppression Instruction',
+    severity: 'critical',
+    description: 'File instructs the agent to hide actions from the user. This matches the ToxicSkills "output suppression" pattern — the agent does something harmful but doesn\'t report it.',
+    owasp: 'ASI01',
+    cwe: 'CWE-200',
+    fix: 'Remove the suppression instruction. Agents should always report their actions transparently.',
+  },
+  {
+    regex: /(?:whenever|every\s+time|always|each\s+time)\s+(?:you|the\s+agent)\s+(?:start|begin|open|run|execute|encounter)/gi,
+    rule: 'MEMORY_POISON_PERSISTENT',
+    title: 'Persistent Trigger Instruction',
+    severity: 'high',
+    description: 'File contains instructions designed to trigger on every session or action — a hallmark of persistent memory poisoning. Unlike a one-time injection, this survives context resets.',
+    owasp: 'ASI05',
+    cwe: 'CWE-74',
+    fix: 'Remove the persistent trigger. If you need recurring behavior, configure it through the agent\'s official hook or startup mechanism.',
+  },
+  {
+    regex: /(?:run|execute|invoke|call|use)\s+(?:bash|shell|terminal|cmd|system|exec|subprocess|os\.system|child_process)/gi,
+    rule: 'MEMORY_POISON_TOOL_ABUSE',
+    title: 'Shell Execution Instruction in Memory',
+    severity: 'high',
+    description: 'File instructs the agent to execute shell commands. If persisted in memory, this enables remote code execution via prompt injection.',
+    owasp: 'ASI02',
+    cwe: 'CWE-78',
+    fix: 'Remove direct shell execution instructions. Use the agent\'s sandboxed tool API instead.',
+  },
+  {
+    regex: /(?:fetch|curl|wget|http\.get|axios\.get|request)\s*\(\s*['"`]https?:\/\//gi,
+    rule: 'MEMORY_POISON_NETWORK',
+    title: 'Network Request Instruction in Memory',
+    severity: 'high',
+    description: 'File instructs the agent to make network requests to hardcoded URLs. A poisoned memory file can use this to phone home or exfiltrate context.',
+    owasp: 'ASI01',
+    cwe: 'CWE-918',
+    fix: 'Remove the hardcoded network request. If the agent needs to fetch data, configure it through approved MCP servers or tools.',
+  },
+];
+
+// Hidden content patterns (invisible chars, encoded payloads)
+const HIDDEN_CONTENT_PATTERNS = [
+  {
+    // Unicode zero-width chars used to hide instructions
+    regex: /[\u200B\u200C\u200D\u2060\uFEFF]{3,}/g,
+    rule: 'MEMORY_HIDDEN_UNICODE',
+    title: 'Hidden Unicode Content in Agent File',
+    severity: 'critical',
+    description: 'File contains clusters of zero-width Unicode characters. These are invisible to humans but may encode hidden instructions that the agent processes.',
+    owasp: 'ASI01',
+    cwe: 'CWE-116',
+    fix: 'Strip all zero-width characters from this file. Use a hex editor to inspect for hidden content.',
+  },
+  {
+    // HTML comments in markdown that could contain injected instructions
+    regex: /<!--[\s\S]*?(?:ignore|override|system|role|always|execute|send\s+to|curl|bash)[\s\S]*?-->/gi,
+    rule: 'MEMORY_HIDDEN_COMMENT',
+    title: 'Suspicious HTML Comment in Agent File',
+    severity: 'high',
+    description: 'An HTML comment contains what appears to be an injected instruction. Some agents process HTML comments as context, making this a viable injection vector.',
+    owasp: 'ASI05',
+    cwe: 'CWE-74',
+    fix: 'Remove the suspicious HTML comment or move the content to a visible location.',
+  },
+  {
+    // Base64 encoded content in markdown/config files
+    regex: /(?:^|[\s"':=])([A-Za-z0-9+/]{60,}={0,2})(?:[\s"',]|$)/gm,
+    rule: 'MEMORY_HIDDEN_BASE64',
+    title: 'Base64-Encoded Content in Agent File',
+    severity: 'medium',
+    description: 'File contains a long base64-encoded string. This could hide instructions or payloads that the agent decodes and executes.',
+    owasp: 'ASI05',
+    cwe: 'CWE-116',
+    confidence: 'medium',
+    fix: 'Decode the base64 content and verify it is benign. Remove if it contains instructions or executable content.',
+  },
+];
+
+// =============================================================================
+// AGENT
+// =============================================================================
+
+export class MemoryPoisoningAgent extends BaseAgent {
+  constructor() {
+    super(
+      'MemoryPoisoningAgent',
+      'Detects instruction injection in AI agent memory and context files',
+      'agentic'
+    );
+  }
+
+  shouldRun() {
+    return true; // Always run — memory poisoning applies to any project
+  }
+
+  async analyze(context) {
+    const { rootPath } = context;
+    const findings = [];
+
+    // Discover all memory/context files
+    const memoryFiles = await fg(MEMORY_GLOBS, {
+      cwd: rootPath,
+      absolute: true,
+      dot: true,
+    });
+
+    const docFiles = await fg(DOC_GLOBS, {
+      cwd: rootPath,
+      absolute: true,
+      dot: true,
+    });
+
+    // Scan memory files with higher severity (direct agent context)
+    for (const file of memoryFiles) {
+      findings.push(...this._scanFile(file, true));
+    }
+
+    // Scan doc files with slightly lower confidence (indirect context)
+    for (const file of docFiles) {
+      findings.push(...this._scanFile(file, false));
+    }
+
+    return findings;
+  }
+
+  _scanFile(filePath, isDirectMemory) {
+    const content = this.readFile(filePath);
+    if (!content) return [];
+
+    const findings = [];
+    const lines = content.split('\n');
+
+    // Check injection patterns
+    for (const pattern of INJECTION_PATTERNS) {
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (this.isSuppressed(line)) continue;
+
+        pattern.regex.lastIndex = 0;
+        const match = pattern.regex.exec(line);
+        if (match) {
+          findings.push(createFinding({
+            file: filePath,
+            line: i + 1,
+            severity: pattern.severity,
+            category: 'agentic',
+            rule: pattern.rule,
+            title: pattern.title,
+            description: pattern.description + (isDirectMemory
+              ? ' This file is directly loaded into agent context.'
+              : ' This file may be ingested by agents as project context.'),
+            matched: match[0],
+            confidence: isDirectMemory ? 'high' : 'medium',
+            cwe: pattern.cwe,
+            owasp: pattern.owasp,
+            fix: pattern.fix,
+          }));
+        }
+      }
+    }
+
+    // Check hidden content patterns (full content, not per-line)
+    for (const pattern of HIDDEN_CONTENT_PATTERNS) {
+      pattern.regex.lastIndex = 0;
+      const match = pattern.regex.exec(content);
+      if (match) {
+        // Find approximate line number
+        const beforeMatch = content.slice(0, match.index);
+        const lineNum = (beforeMatch.match(/\n/g) || []).length + 1;
+
+        findings.push(createFinding({
+          file: filePath,
+          line: lineNum,
+          severity: pattern.severity,
+          category: 'agentic',
+          rule: pattern.rule,
+          title: pattern.title,
+          description: pattern.description,
+          matched: match[0].slice(0, 100),
+          confidence: pattern.confidence || (isDirectMemory ? 'high' : 'medium'),
+          cwe: pattern.cwe,
+          owasp: pattern.owasp,
+          fix: pattern.fix,
+        }));
+      }
+    }
+
+    return findings;
+  }
+}
+
+export default MemoryPoisoningAgent;

package/cli/agents/scoring-engine.js

@@ -11,7 +11,7 @@
 
 import fs from 'fs';
 import path from 'path';
-import { getComplianceSummary } from '../utils/compliance-map.js';
+import { getComplianceSummary, getAgenticSummary, enrichAgenticRisk } from '../utils/compliance-map.js';
 
 // =============================================================================
 // SCORING CONFIGURATION
@@ -49,6 +49,7 @@ const FALLBACK_CATEGORY_MAP = {
   'vibe': 'injection',        // Vibe coding findings → Code Vulnerabilities
   'exception': 'injection',   // OWASP A10:2025 — Mishandling of Exceptional Conditions
   'agent-config': 'llm',      // Agent config security → AI/LLM category
+  'memory-poisoning': 'llm',  // Memory poisoning → AI/LLM category
   'recon': null,               // skip recon findings
 };
 
@@ -87,6 +88,11 @@ export class ScoringEngine {
       };
     }
 
+    // ── Enrich findings with OWASP Agentic AI Top 10 metadata ──────────────
+    for (const finding of findings) {
+      enrichAgenticRisk(finding);
+    }
+
     // ── Classify findings into categories ─────────────────────────────────────
     for (const finding of findings) {
       const cat = this.resolveCategory(finding.category);
@@ -146,6 +152,14 @@ export class ScoringEngine {
       compliance = null;
     }
 
+    // ── OWASP Agentic AI Top 10 summary ──────────────────────────────────
+    let agenticSummary;
+    try {
+      agenticSummary = getAgenticSummary(findings);
+    } catch {
+      agenticSummary = null;
+    }
+
     return {
       score,
       grade,
@@ -153,6 +167,7 @@ export class ScoringEngine {
       totalFindings: findings.length,
       totalDepVulns: depVulns.length,
       compliance,
+      agenticSummary,
     };
   }
 

package/cli/agents/supply-chain-agent.js

@@ -582,7 +582,8 @@ export class SupplyChainAudit extends BaseAgent {
       }));
     }
 
-    // ── 9. Blockchain C2 indicators (CanisterWorm / ICP) ──────────────────────
+    // ── 9. Trojanized package behavioral signatures ───────────────────────────
+    //    Patterns from Axios 1.8.2, LiteLLM 1.82.7, TeamPCP campaign (Mar 2026)
     if (fs.existsSync(path.join(rootPath, 'node_modules'))) {
       try {
         const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
@@ -590,7 +591,132 @@ export class SupplyChainAudit extends BaseAgent {
           ...(pkg.dependencies || {}),
           ...(pkg.devDependencies || {}),
         };
-        for (const depName of Object.keys(allDeps)) {
+
+        for (const depName of Object.keys(allDeps).slice(0, 80)) {
+          const depDir = path.join(rootPath, 'node_modules', depName);
+          const depPkgPath = path.join(depDir, 'package.json');
+          if (!fs.existsSync(depPkgPath)) continue;
+
+          try {
+            const depPkg = JSON.parse(fs.readFileSync(depPkgPath, 'utf-8'));
+
+            // 9a. Hidden dependencies added by attacker
+            //     Axios 1.8.2 injected a hidden malicious dep that wasn't in the legitimate version.
+            //     Check for deps that only exist in certain version ranges.
+            const depDeps = depPkg.dependencies || {};
+            for (const [subDep, subVer] of Object.entries(depDeps)) {
+              // Packages with very high download counts that suddenly gain unknown subdependencies
+              if (/^[a-z]+-[a-z0-9]+-[a-z0-9]+$/.test(subDep) && typeof subVer === 'string' && subVer.startsWith('git+')) {
+                findings.push(createFinding({
+                  file: depPkgPath,
+                  line: 0,
+                  severity: 'critical',
+                  category: 'supply-chain',
+                  rule: 'TROJAN_HIDDEN_DEP',
+                  title: `Suspicious Hidden Dependency in ${depName}: ${subDep}`,
+                  description: `"${depName}" depends on "${subDep}" via a git URL. This matches the Axios/TeamPCP trojanization pattern where attackers inject a malicious dependency into a popular package.`,
+                  matched: `${subDep}: ${subVer}`,
+                  fix: `Compare this version's dependencies against the official release. If "${subDep}" was not in the previous version, this package may be trojanized.`,
+                }));
+              }
+            }
+
+            // 9b. Install scripts that read and exfiltrate env vars
+            //     LiteLLM 1.82.7 harvested AWS/GCP/Azure tokens + SSH keys
+            const scripts = depPkg.scripts || {};
+            for (const hook of ['preinstall', 'install', 'postinstall']) {
+              const cmd = scripts[hook];
+              if (!cmd) continue;
+
+              // Environment variable harvesting
+              if (/process\.env|os\.environ|ENV\[|getenv/i.test(cmd) &&
+                  /https?:|fetch|request|axios|curl|wget|net\./i.test(cmd)) {
+                findings.push(createFinding({
+                  file: depPkgPath,
+                  line: 0,
+                  severity: 'critical',
+                  category: 'supply-chain',
+                  rule: 'TROJAN_ENV_EXFIL',
+                  title: `Credential Harvesting in ${hook}: ${depName}`,
+                  description: `"${depName}" reads environment variables and makes network requests during ${hook}. This is the exact pattern used in the LiteLLM/TeamPCP attack to steal cloud credentials.`,
+                  matched: cmd.slice(0, 200),
+                  fix: 'Remove this package immediately. Rotate any credentials (AWS, GCP, Azure tokens, SSH keys) that may have been exfiltrated.',
+                }));
+              }
+
+              // SSH key / credential file access in install scripts
+              if (/\.ssh|\.aws|\.azure|\.gcp|\.kube|\.docker|credentials|\.npmrc|\.pypirc/i.test(cmd)) {
+                findings.push(createFinding({
+                  file: depPkgPath,
+                  line: 0,
+                  severity: 'critical',
+                  category: 'supply-chain',
+                  rule: 'TROJAN_CREDENTIAL_ACCESS',
+                  title: `Credential File Access in ${hook}: ${depName}`,
+                  description: `"${depName}" accesses credential files (.ssh, .aws, .kube, etc.) during ${hook}. This matches the TeamPCP credential theft pattern.`,
+                  matched: cmd.slice(0, 200),
+                  fix: 'Remove this package immediately and rotate all credentials in the accessed directories.',
+                }));
+              }
+            }
+
+            // 9c. Scan actual JS entry files for runtime exfiltration patterns
+            const main = depPkg.main || 'index.js';
+            const entryPath = path.join(depDir, main);
+            if (fs.existsSync(entryPath)) {
+              try {
+                const entryContent = fs.readFileSync(entryPath, 'utf-8');
+                if (entryContent.length < 500_000) {
+                  // DNS-based exfiltration (encode data in subdomain)
+                  if (/dns\.resolve|dns\.lookup/i.test(entryContent) &&
+                      /process\.env|os\.hostname/i.test(entryContent)) {
+                    findings.push(createFinding({
+                      file: entryPath,
+                      line: 1,
+                      severity: 'high',
+                      category: 'supply-chain',
+                      rule: 'TROJAN_DNS_EXFIL',
+                      title: `DNS Exfiltration Pattern: ${depName}`,
+                      description: `"${depName}" combines DNS lookups with system/env data reads — a known technique for exfiltrating data via DNS subdomains to bypass firewalls.`,
+                      matched: 'dns.resolve + process.env',
+                      confidence: 'medium',
+                      fix: 'Inspect the DNS usage. Legitimate packages rarely combine DNS with environment variable reading.',
+                    }));
+                  }
+
+                  // WebSocket-based C2
+                  if (/new\s+WebSocket/i.test(entryContent) &&
+                      /process\.env|child_process|exec/i.test(entryContent)) {
+                    findings.push(createFinding({
+                      file: entryPath,
+                      line: 1,
+                      severity: 'critical',
+                      category: 'supply-chain',
+                      rule: 'TROJAN_WEBSOCKET_C2',
+                      title: `WebSocket C2 Pattern: ${depName}`,
+                      description: `"${depName}" opens WebSocket connections combined with system command execution — consistent with a Remote Access Trojan.`,
+                      matched: 'WebSocket + child_process',
+                      fix: 'Remove this package immediately. Scan for persistence mechanisms (cron jobs, startup scripts).',
+                    }));
+                  }
+                }
+              } catch { /* skip */ }
+            }
+
+          } catch { /* skip */ }
+        }
+      } catch { /* skip */ }
+    }
+
+    // ── 10. Blockchain C2 indicators (CanisterWorm / ICP) ────────────────────
+    if (fs.existsSync(path.join(rootPath, 'node_modules'))) {
+      try {
+        const pkg2 = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+        const allDeps2 = {
+          ...(pkg2.dependencies || {}),
+          ...(pkg2.devDependencies || {}),
+        };
+        for (const depName of Object.keys(allDeps2)) {
           const depPkgPath = path.join(rootPath, 'node_modules', depName, 'package.json');
           if (!fs.existsSync(depPkgPath)) continue;
           try {