npm - skill-checker - Versions diffs - 0.1.12 → 0.1.13 - Mend

skill-checker 0.1.12 → 0.1.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli.js CHANGED Viewed

@@ -1606,8 +1606,8 @@ import { homedir } from "os";
 // src/ioc/indicators.ts
 var DEFAULT_IOC = {
-  version: "2026.03.06",
-  updated: "2026-03-06",
+  version: "2026.03.16",
+  updated: "2026-03-16",
   c2_ips: [
     "91.92.242.30",
     "91.92.242.39",
@@ -1620,32 +1620,61 @@ var DEFAULT_IOC = {
     // as it causes false positives on any empty file.
     "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2": "clawhavoc-exfiltrator"
   },
-  malicious_domains: [
-    "webhook.site",
-    "requestbin.com",
-    "pipedream.com",
-    "pipedream.net",
-    "hookbin.com",
-    "beeceptor.com",
-    "ngrok.io",
-    "ngrok-free.app",
-    "serveo.net",
-    "localtunnel.me",
-    "bore.pub",
-    "interact.sh",
-    "oast.fun",
-    "oastify.com",
-    "dnslog.cn",
-    "ceye.io",
-    "burpcollaborator.net",
-    "pastebin.com",
-    "paste.ee",
-    "hastebin.com",
-    "ghostbin.com",
-    "evil.com",
-    "malware.com",
-    "exploit.in"
-  ],
+  malicious_domains: {
+    exfiltration: [
+      "webhook.site",
+      "requestbin.com",
+      "requestcatcher.com",
+      "pipedream.com",
+      "pipedream.net",
+      "hookbin.com",
+      "beeceptor.com",
+      "postb.in",
+      "webhook.lol",
+      "requestinspector.com",
+      "mockbin.org"
+    ],
+    tunnel: [
+      "ngrok.io",
+      "ngrok-free.app",
+      "serveo.net",
+      "localtunnel.me",
+      "bore.pub",
+      "localhost.run",
+      "loca.lt",
+      "telebit.cloud",
+      "playit.gg",
+      "portmap.io",
+      "pagekite.me"
+    ],
+    oast: [
+      "interact.sh",
+      "oast.fun",
+      "oastify.com",
+      "dnslog.cn",
+      "ceye.io",
+      "burpcollaborator.net",
+      "canarytokens.com",
+      "requestrepo.com"
+    ],
+    paste: [
+      "pastebin.com",
+      "paste.ee",
+      "hastebin.com",
+      "ghostbin.com",
+      "dpaste.org",
+      "rentry.co",
+      "0bin.net",
+      "privatebin.net",
+      "paste.mozilla.org"
+    ],
+    c2: [
+      "evil.com",
+      "malware.com",
+      "exploit.in",
+      "darkweb.onion"
+    ]
+  },
   typosquat: {
     known_patterns: [
       "clawhub1",
@@ -1702,10 +1731,21 @@ function mergeIOC(base, ext) {
     Object.assign(base.malicious_hashes, ext.malicious_hashes);
   }
   if (ext.malicious_domains) {
-    base.malicious_domains = dedupe([
-      ...base.malicious_domains,
-      ...ext.malicious_domains
-    ]);
+    const categories = [
+      "exfiltration",
+      "tunnel",
+      "oast",
+      "paste",
+      "c2"
+    ];
+    for (const cat of categories) {
+      if (ext.malicious_domains[cat]) {
+        base.malicious_domains[cat] = dedupe([
+          ...base.malicious_domains[cat],
+          ...ext.malicious_domains[cat]
+        ]);
+      }
+    }
   }
   if (ext.typosquat) {
     if (ext.typosquat.known_patterns) {
@@ -1730,6 +1770,22 @@ function mergeIOC(base, ext) {
   if (ext.version) base.version = ext.version;
   if (ext.updated) base.updated = ext.updated;
 }
+function getAllDomains(ioc) {
+  const { exfiltration, tunnel, oast, paste, c2 } = ioc.malicious_domains;
+  return [...exfiltration, ...tunnel, ...oast, ...paste, ...c2];
+}
+function getDomainCategory(ioc, domain) {
+  const d = domain.toLowerCase();
+  const categories = ["exfiltration", "tunnel", "oast", "paste", "c2"];
+  for (const cat of categories) {
+    if (ioc.malicious_domains[cat].some(
+      (entry) => d === entry || d.endsWith("." + entry)
+    )) {
+      return cat;
+    }
+  }
+  return void 0;
+}
 function dedupe(arr) {
   return [...new Set(arr)];
 }
@@ -1738,6 +1794,24 @@ function dedupe(arr) {
 var FALLBACK_SUSPICIOUS_DOMAINS = [
   "darkweb.onion"
 ];
+function isSensitiveDomainCombo(line) {
+  if (/curl\b[^\n]*(?:-d|--data|--data-binary|--data-raw|--data-urlencode)\s+@/i.test(line)) {
+    return true;
+  }
+  if (/curl\b[^\n]*(?:-F|--form)\s+[^\s=]+=@/i.test(line)) {
+    return true;
+  }
+  if (/wget\b[^\n]*--post-file/i.test(line)) {
+    return true;
+  }
+  if (/\|\s*(?:sh|bash|zsh|python|node)\b/i.test(line)) {
+    return true;
+  }
+  if (/(?:\.env|\.ssh|id_rsa|\.aws|credentials|\.netrc|\.git-credentials)/i.test(line)) {
+    return true;
+  }
+  return false;
+}
 var MCP_SERVER_PATTERN = /\bmcp[-_]?server\b/i;
 var NPX_Y_PATTERN = /\bnpx\s+-y\s+/;
 var NPM_INSTALL_PATTERN = /\bnpm\s+install\b/;
@@ -1762,7 +1836,10 @@ var supplyChainChecks = {
     const results = [];
     const allText = getAllText(skill);
     const ioc = loadIOC();
-    const suspiciousDomains = ioc.malicious_domains.length > 0 ? ioc.malicious_domains : FALLBACK_SUSPICIOUS_DOMAINS;
+    const suspiciousDomains = getAllDomains(ioc);
+    if (suspiciousDomains.length === 0) {
+      suspiciousDomains.push(...FALLBACK_SUSPICIOUS_DOMAINS);
+    }
     for (let i = 0; i < allText.length; i++) {
       const { line, lineNum, source } = allText[i];
       if (MCP_SERVER_PATTERN.test(line)) {
@@ -1925,15 +2002,46 @@ var supplyChainChecks = {
         const hostname = extractHostname(url);
         for (const domain of suspiciousDomains) {
           if (hostnameMatchesDomain(hostname, domain)) {
+            const category = getDomainCategory(ioc, domain);
+            const categoryLabel = category ? ` (${category})` : "";
+            let severity = "HIGH";
+            let reducedFrom;
+            let msgSuffix = "";
+            if (isSensitiveDomainCombo(line)) {
+              severity = "CRITICAL";
+              msgSuffix = " [escalated: combined with sensitive operation]";
+            } else {
+              const srcLines = getLinesForSource(skill, source);
+              const localIdx = getLocalIndex(source, lineNum, skill.bodyStartLine);
+              const inCodeBlock = localIdx >= 0 && isInCodeBlock(srcLines, localIdx);
+              if (inCodeBlock) {
+                severity = "MEDIUM";
+                reducedFrom = "HIGH";
+                msgSuffix = " [reduced: in code block]";
+              } else {
+                const allLines = getAllLines(skill);
+                const globalIdx = findGlobalLineIndex(allLines, source, lineNum);
+                const isDoc = source === "SKILL.md" && globalIdx >= 0 && isInDocumentationContext(
+                  allLines.map((l) => l.line),
+                  globalIdx
+                );
+                if (isDoc) {
+                  severity = "LOW";
+                  reducedFrom = "HIGH";
+                  msgSuffix = " [reduced: in documentation context]";
+                }
+              }
+            }
             results.push({
               id: "SUPPLY-007",
               category: "SUPPLY",
-              severity: "CRITICAL",
-              title: "Suspicious domain detected",
-              message: `${source}:${lineNum}: References suspicious domain "${domain}".`,
+              severity,
+              title: `Suspicious domain${categoryLabel} detected`,
+              message: `${source}:${lineNum}: References suspicious domain "${domain}".${msgSuffix}`,
               line: lineNum,
               snippet: url,
-              source
+              source,
+              reducedFrom
             });
             break;
           }