supply-chain-attack 0.1.7 → 0.1.8

package/README.md

@@ -16,7 +16,7 @@ A cache/store hit means the package was fetched or stored on this machine. A glo
 npx supply-chain-attack
 ```
 
-The CLI prints a compact verdict and exits non-zero when it finds a risky package or suspicious IOC.
+The CLI prints a compact verdict, checks the latest 4 embedded supply-chain attacks against packages found on the machine, shows either the affected libraries present locally or “Nice” for each attack, and exits non-zero when it finds a risky package or suspicious IOC.
 
 Interactive terminals also get a small one-line menu:
 

package/lib/cli.js

@@ -120,16 +120,24 @@ function formatResult(result, options = {}) {
     lines.push(color.bold(COPY.noFindingTitle));
     lines.push(COPY.noFindingBody);
     lines.push('');
+    lines.push(...formatRecentAttackSummary(result, options));
+    lines.push('');
     lines.push(`${color.dim('scan')} ${result.locations.length} store(s), ${result.packages.length} package/version pair(s), snapshot ${result.snapshotDate}`);
     return `${lines.join('\n')}\n`;
   }
 
-  lines.push(color.red(color.bold(COPY.findingsTitle)));
-  for (const finding of result.findings.slice(0, 8)) {
-    const locations = finding.locations.length ? formatCompactList(finding.locations, 3) : 'unknown location';
-    lines.push(`- ${color.dim(finding.ecosystem)} ${color.yellow(color.bold(`${finding.name}@${finding.version}`))} ${color.dim('(')}${color.cyan(locations)}${color.dim(')')}`);
+  lines.push(...formatRecentAttackSummary(result, options));
+
+  const additionalFindings = findingsOutsideRecentAttacks(result.findings || []);
+  if (additionalFindings.length) {
+    lines.push('');
+    lines.push(color.red(color.bold('Additional matched packages')));
+    for (const finding of additionalFindings.slice(0, 8)) {
+      const locations = finding.locations.length ? formatCompactList(finding.locations, 3) : 'unknown location';
+      lines.push(`- ${color.dim(finding.ecosystem)} ${color.yellow(`${finding.name}@${finding.version}`)} ${color.dim('(')}${color.cyan(locations)}${color.dim(')')}`);
+    }
+    if (additionalFindings.length > 8) lines.push(`- ...and ${pluralize(additionalFindings.length - 8, 'more package hit')}. Run with --json for raw evidence.`);
   }
-  if (result.findings.length > 8) lines.push(`- ...and ${pluralize(result.findings.length - 8, 'more package hit')}. Run with --json for raw evidence.`);
 
   if (result.iocs.length) {
     lines.push('');
@@ -208,44 +216,86 @@ function formatVerdictHeader(result, options = {}) {
 
 function formatEducation(result, options = {}) {
   const color = createColor(options.color);
-  const lines = [color.bold(COPY.educationTitle)];
+  const lines = [color.bold('Learn: attacks explained')];
+  const recent = recentAdvisories(4);
+
+  recent.forEach((advisory, index) => {
+    const hits = (result.findings || []).filter((finding) => finding.advisory && finding.advisory.id === advisory.id);
+    const artifactCount = (advisory.packages || []).reduce((count, item) => count + (item.versions || []).length, 0);
+
+    if (index > 0) lines.push('');
+    lines.push(color.yellow(`${index + 1}. ${advisory.title}`));
+    lines.push(`Published: ${advisory.published}`);
+    lines.push(advisory.summary);
+    lines.push(`Affected package/version artifacts tracked: ${artifactCount}`);
+
+    if (!hits.length) {
+      const clean = !hasAnyFindings(result);
+      const message = clean ? 'Nice. You do not have affected packages from this attack.' : 'No affected packages from this attack.';
+      lines.push(clean ? color.green(message) : color.dim(message));
+    }
+  });
 
-  if (!hasAnyFindings(result)) {
-    lines.push(COPY.noMatchExplanation);
-    lines.push(COPY.noGuarantee);
-    lines.push('How to read this: a clean result lowers concern for the specific campaigns in this snapshot, but it does not audit every dependency, shell history entry, CI run, browser extension, or secret on the machine.');
-    lines.push('The good news: this scan is offline and privacy-safe. Your package list was not uploaded anywhere.');
-    return `${lines.join('\n')}\n`;
+  if (result.iocs && result.iocs.length) {
+    lines.push('');
+    lines.push(`${color.red('IOC')} ${color.bold('Suspicious local-file indicators')}`);
+    lines.push(COPY.iocWarning);
   }
 
-  lines.push('This is not a normal vulnerability finding. Supply-chain malware is dangerous because install scripts, package CLIs, and postinstall hooks can run before your app imports anything. The important question is: was the package merely cached, or did attacker-controlled code likely run in a place with secrets?');
+  return `${lines.join('\n')}\n`;
+}
 
-  const groups = groupFindingsByCampaign(result.findings);
-  for (const group of groups) {
-    const packages = formatCompactList(group.findings.map((finding) => `${finding.name}@${finding.version}`), 7);
-    const locations = formatCompactList(group.findings.flatMap((finding) => finding.locations || []), 5) || 'unknown location';
-    const receipts = formatCompactList(group.advisories.map((advisory) => advisory.source), 3);
-    const summaries = formatCompactList(group.advisories.map((advisory) => advisory.summary), 2);
+function formatRecentAttackSummary(result, options = {}) {
+  const color = createColor(options.color);
+  const recent = recentAdvisories(4);
+  const [latest, ...previous] = recent;
+  const lines = [];
 
-    lines.push('');
-    lines.push(color.bold(`${group.name} attack`));
-    if (summaries) lines.push(`What was reported: ${summaries}`);
-    lines.push('Attack chain:');
-    for (const step of attackExplanation(group)) lines.push(`- ${step}`);
-    lines.push(`Evidence on this machine: ${packages} showed up in ${locations}.`);
-    lines.push(`Risk read: ${riskSentence(group.findings)}`);
-    lines.push(`How to interpret the location: ${locationMeaning(group.findings)}`);
-    lines.push('Why this matters: developer machines and CI usually contain npm/GitHub/cloud/deploy/AI-provider credentials. Malware in a devtool can turn one bad install into stolen tokens, poisoned packages, or compromised deployments.');
-    if (receipts) lines.push(`Receipts: ${receipts}`);
+  if (latest) {
+    lines.push(color.bold('LATEST ATTACK'));
+    lines.push(`${color.yellow(latest.title)} ${color.dim(`(${latest.published})`)}`);
+    lines.push(...formatAttackHitLines(latest, result, color));
   }
 
-  if (result.iocs.length) {
+  if (previous.length) {
     lines.push('');
-    lines.push(`${color.red('IOC')} ${color.bold('Suspicious local-file indicators')}`);
-    lines.push(COPY.iocWarning);
+    lines.push(color.bold('Previous attacks'));
+    previous.forEach((advisory, index) => {
+      if (index > 0) lines.push('');
+      lines.push(`${index + 1}. ${color.yellow(advisory.title)} ${color.dim(`(${advisory.published})`)}`);
+      lines.push(...formatAttackHitLines(advisory, result, color));
+    });
   }
 
-  return `${lines.join('\n')}\n`;
+  return lines;
+}
+
+function formatAttackHitLines(advisory, result, color) {
+  const hits = (result.findings || []).filter((finding) => finding.advisory && finding.advisory.id === advisory.id);
+  if (!hits.length) {
+    const clean = !hasAnyFindings(result);
+    const message = clean ? 'Nice. You do not have affected packages from this attack.' : 'No affected packages from this attack.';
+    return [clean ? color.green(message) : color.dim(message)];
+  }
+
+  const lines = [color.red(`Affected: ${pluralize(hits.length, 'package')}`), color.bold('Libraries you had:')];
+  for (const finding of hits.slice(0, 6)) {
+    const locations = formatCompactList(finding.locations || [], 3) || 'unknown location';
+    lines.push(`- ${color.dim(finding.ecosystem)} ${color.yellow(`${finding.name}@${finding.version}`)} ${color.dim('(')}${color.cyan(locations)}${color.dim(')')}`);
+  }
+  if (hits.length > 6) lines.push(`- ...and ${pluralize(hits.length - 6, 'more package hit')}`);
+  return lines;
+}
+
+function findingsOutsideRecentAttacks(findings) {
+  const recentIds = new Set(recentAdvisories(4).map((advisory) => advisory.id));
+  return findings.filter((finding) => !finding.advisory || !recentIds.has(finding.advisory.id));
+}
+
+function recentAdvisories(limit) {
+  return [...advisories]
+    .sort((a, b) => String(b.published || '').localeCompare(String(a.published || '')))
+    .slice(0, limit);
 }
 
 function formatNextActions(result, options = {}) {
@@ -371,15 +421,26 @@ function severityColor(severity, color) {
 }
 
 function createColor(enabled = DEFAULT_COLOR) {
+  // Muted Material-inspired palette: minimal, lower saturation, still readable
+  // on dark terminals, while respecting NO_COLOR.
+  const palette = {
+    red: '210;96;112',
+    yellow: '198;128;92',
+    green: '150;176;128',
+    cyan: '112;164;178',
+    magenta: '158;132;176',
+    dim: '102;116;128',
+  };
   const wrap = (code, value) => enabled ? `\u001b[${code}m${value}\u001b[0m` : String(value);
+  const rgb = (name, value) => wrap(`38;2;${palette[name]}`, value);
   return {
     bold: (value) => wrap('1', value),
-    dim: (value) => wrap('2', value),
-    green: (value) => wrap('32', value),
-    red: (value) => wrap('31', value),
-    yellow: (value) => wrap('33', value),
-    cyan: (value) => wrap('36', value),
-    magenta: (value) => wrap('35', value),
+    dim: (value) => rgb('dim', value),
+    green: (value) => rgb('green', value),
+    red: (value) => rgb('red', value),
+    yellow: (value) => rgb('yellow', value),
+    cyan: (value) => rgb('cyan', value),
+    magenta: (value) => rgb('magenta', value),
   };
 }
 
@@ -597,5 +658,6 @@ module.exports = {
   parseArgs,
   formatResult,
   formatEducation,
+  formatRecentAttackSummary,
   formatNextActions,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "supply-chain-attack",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "Scan local package-manager state for known supply-chain attack indicators.",
   "license": "MIT",
   "repository": {