supply-chain-guard 1.0.0

package/LICENSE

@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 Elvatis - Emre Kohler
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,255 @@
+# 🛡️ supply-chain-guard
+
+Open-source supply-chain security scanner for npm, PyPI, and VS Code extensions. Detects [GlassWorm](https://www.reversinglabs.com/blog/glassworm-backdoor-campaign-npm-vscode) and similar malware campaigns.
+
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![Node.js](https://img.shields.io/badge/Node.js-%3E%3D20-green)](https://nodejs.org)
+
+## What It Does
+
+supply-chain-guard scans code repositories and npm packages for known indicators of compromise (IOCs) associated with supply-chain attacks. It catches threats that traditional security scanners miss because it specifically targets software supply-chain attack patterns.
+
+**Detected threats include:**
+
+- 🔴 **GlassWorm campaign markers** (the `lzcdrtfxyqiplpd` variable and associated IOCs)
+- 🔴 **Obfuscated code execution** (`eval(atob(...))`, `eval(Buffer.from(...))`, `new Function(atob(...))`)
+- 🟠 **Invisible Unicode characters** used to hide malicious code in plain sight
+- 🟠 **Suspicious install scripts** (`postinstall`/`preinstall` that download and execute remote code)
+- 🟠 **Data exfiltration patterns** (environment variables sent over the network)
+- 🟡 **Solana blockchain C2** (mainnet-beta, Helius RPC references used as command-and-control channels)
+- 🟡 **Git history manipulation** (committer dates far newer than author dates)
+- 🔵 **Typosquatting package names** (known malicious npm package patterns)
+
+## Installation
+
+```bash
+npm install -g supply-chain-guard
+```
+
+Or use directly with npx:
+
+```bash
+npx supply-chain-guard scan ./my-project
+```
+
+## Usage
+
+### Scan a Local Directory
+
+```bash
+supply-chain-guard scan ./my-project
+```
+
+### Scan a GitHub Repository
+
+```bash
+supply-chain-guard scan https://github.com/user/repo
+```
+
+### Scan an npm Package
+
+Downloads and analyzes the published tarball without installing it:
+
+```bash
+supply-chain-guard npm express
+supply-chain-guard npm suspicious-package-name
+```
+
+### Monitor a Solana C2 Wallet
+
+Watch a Solana wallet address for memo transactions (used by GlassWorm for C2 communication):
+
+```bash
+# Continuous monitoring
+supply-chain-guard monitor <wallet-address>
+
+# One-shot check
+supply-chain-guard monitor <wallet-address> --once
+
+# Custom polling interval
+supply-chain-guard monitor <wallet-address> --interval 60
+```
+
+### Output Formats
+
+```bash
+# Human-readable text (default)
+supply-chain-guard scan ./project
+
+# JSON (for CI/CD pipelines)
+supply-chain-guard scan ./project --format json
+
+# Markdown (for PR comments)
+supply-chain-guard scan ./project --format markdown
+```
+
+### Filtering
+
+```bash
+# Only show critical and high findings
+supply-chain-guard scan ./project --min-severity high
+
+# Exclude specific rules
+supply-chain-guard scan ./project --exclude SOLANA_MAINNET,HEX_ARRAY
+```
+
+## Example Output
+
+```
+  supply-chain-guard scan report
+  ──────────────────────────────────────────────────────
+  Target:    ./suspicious-package
+  Type:      directory
+  Time:      2026-03-19T02:30:00.000Z
+  Duration:  142ms
+
+  Risk Score: 68/100 (CRITICAL)
+
+  Summary
+  ──────────────────────────────────────────────────────
+  Files:     23/47 scanned
+  Findings:  2 critical, 1 high, 1 medium
+
+  Findings
+  ──────────────────────────────────────────────────────
+
+  🔴 [CRITICAL] GlassWorm campaign marker variable detected
+     Rule: GLASSWORM_MARKER
+     File: src/index.js:42
+     Match: lzcdrtfxyqiplpd
+     Fix: Quarantine this code immediately.
+
+  🔴 [CRITICAL] Base64-encoded eval detected (common malware obfuscation)
+     Rule: EVAL_ATOB
+     File: src/loader.js:15
+     Match: eval(atob("aHR0cHM6Ly..."))
+     Fix: Do not execute this code. Decode the base64 to inspect the payload.
+
+  🟠 [HIGH] Suspicious invisible Unicode characters detected
+     Rule: INVISIBLE_UNICODE
+     File: src/utils.js:3
+     Fix: Inspect this file in a hex editor.
+
+  🟡 [MEDIUM] Solana mainnet RPC reference detected
+     Rule: SOLANA_MAINNET
+     File: src/c2.js:8
+     Fix: If this project has no blockchain functionality, investigate.
+
+  Recommendations
+  ──────────────────────────────────────────────────────
+  • CRITICAL: GlassWorm malware marker detected. Quarantine immediately.
+  • CRITICAL: Encoded code execution detected. Do not run this code.
+  • Review files with invisible Unicode characters.
+  • Solana blockchain references may indicate C2 communication.
+```
+
+## GitHub Action
+
+Add supply-chain-guard to your CI/CD pipeline:
+
+```yaml
+name: Supply Chain Security
+on: [push, pull_request]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: homeofe/supply-chain-guard@v1
+        with:
+          fail-on: critical    # Fail CI on critical findings
+          comment-on-pr: true  # Post findings as PR comment
+```
+
+### Action Inputs
+
+| Input | Description | Default |
+|-------|-------------|---------|
+| `path` | Path to scan | `.` |
+| `format` | Output format (text/json/markdown) | `markdown` |
+| `min-severity` | Minimum severity to report | `low` |
+| `exclude-rules` | Comma-separated rule IDs to exclude | |
+| `fail-on` | Fail check at this severity or above | `critical` |
+| `comment-on-pr` | Post findings as PR comment | `true` |
+
+### Action Outputs
+
+| Output | Description |
+|--------|-------------|
+| `score` | Risk score (0-100) |
+| `risk-level` | clean/low/medium/high/critical |
+| `findings-count` | Total number of findings |
+| `report` | Full scan report |
+
+## Detection Rules
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `GLASSWORM_MARKER` | Critical | GlassWorm campaign marker variable |
+| `EVAL_ATOB` | Critical | Base64-encoded eval |
+| `EVAL_BUFFER` | Critical | Buffer-encoded eval |
+| `FUNCTION_ATOB` | Critical | Function constructor with base64 |
+| `EVAL_HEX` | Critical | Hex-encoded eval |
+| `SCRIPT_CURL_EXEC` | Critical | Install script with curl pipe to shell |
+| `SCRIPT_WGET_EXEC` | Critical | Install script with wget pipe to shell |
+| `INVISIBLE_UNICODE` | High | Invisible Unicode characters (obfuscation) |
+| `SUSPICIOUS_I_JS` | High | Suspicious i.js file |
+| `SUSPICIOUS_INIT_JSON` | High | GlassWorm persistence file |
+| `EXEC_ENCODED` | High | Encoded exec call |
+| `SCRIPT_NODE_INLINE` | High | Inline Node.js in install script |
+| `SCRIPT_ENCODED` | High | Encoding in install script |
+| `ENV_EXFILTRATION` | High | Environment variable exfiltration |
+| `DNS_EXFILTRATION` | High | DNS-based data exfiltration |
+| `MALICIOUS_PACKAGE_NAME` | High | Known malicious package name pattern |
+| `MALICIOUS_DEPENDENCY` | High | Dependency matches malicious pattern |
+| `SOLANA_MAINNET` | Medium | Solana mainnet RPC reference |
+| `HELIUS_RPC` | Medium | Helius RPC reference |
+| `HEX_ARRAY` | Medium | Large hex array (obfuscated payload) |
+| `CHARCODE_OBFUSCATION` | Medium | Character code string construction |
+| `SCRIPT_PREINSTALL_EXEC` | Medium | Exec in preinstall script |
+| `GIT_DATE_ANOMALY` | Medium | Git commit date manipulation |
+| `COMPLEX_INSTALL_SCRIPT` | Low | Complex install script |
+
+## Adding Custom Patterns
+
+Edit `src/patterns.ts` to add new detection rules. Each pattern needs:
+
+```typescript
+{
+  name: "my-custom-pattern",
+  pattern: "regex-pattern-here",
+  description: "What this detects",
+  severity: "high",
+  rule: "MY_CUSTOM_RULE",
+}
+```
+
+## How It Works
+
+1. **File Scanner**: Recursively scans directories, skipping `node_modules`, `.git`, and build artifacts. Checks file content against known malicious patterns using regex.
+
+2. **npm Scanner**: Downloads package tarballs from the npm registry without installing them. Analyzes package.json scripts, dependencies, and published file contents.
+
+3. **Solana Monitor**: Polls the Solana blockchain for transactions on known C2 wallet addresses. Decodes memo instructions that GlassWorm uses to encode payload URLs.
+
+4. **Scoring**: Each finding contributes to a risk score based on severity. The score determines the overall risk level (clean/low/medium/high/critical).
+
+## Background: The GlassWorm Campaign
+
+In early 2026, researchers discovered the GlassWorm campaign: a coordinated supply-chain attack targeting npm packages and VS Code extensions. The campaign used several novel techniques:
+
+- **Solana blockchain as C2**: Payload URLs encoded as transaction memos on the Solana blockchain, making the C2 channel uncensorable
+- **Invisible Unicode**: Zero-width characters used to hide malicious code in legitimate-looking files
+- **Git history manipulation**: Fake commit dates to make packages appear established
+- **Typosquatting**: Hundreds of packages with names similar to popular libraries
+
+supply-chain-guard was built to detect these specific attack patterns and make the detection rules available to everyone.
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. The most impactful contribution is adding new detection patterns for emerging threats.
+
+## License
+
+[Apache-2.0](LICENSE) - Copyright 2026 Elvatis - Emre Kohler

package/action.yml

@@ -0,0 +1,152 @@
+name: "Supply Chain Guard"
+description: "Scan your repository for supply-chain malware indicators. Detects GlassWorm and similar campaigns."
+author: "Elvatis <emre.kohler@elvatis.com>"
+
+branding:
+  icon: "shield"
+  color: "red"
+
+inputs:
+  path:
+    description: "Path to scan (defaults to repository root)"
+    required: false
+    default: "."
+  format:
+    description: "Output format: text, json, markdown"
+    required: false
+    default: "markdown"
+  min-severity:
+    description: "Minimum severity to report: critical, high, medium, low, info"
+    required: false
+    default: "low"
+  exclude-rules:
+    description: "Comma-separated list of rule IDs to exclude"
+    required: false
+    default: ""
+  fail-on:
+    description: "Fail the check if findings at this severity or above are found: critical, high, medium, low"
+    required: false
+    default: "critical"
+  comment-on-pr:
+    description: "Post findings as a PR comment (true/false)"
+    required: false
+    default: "true"
+
+outputs:
+  score:
+    description: "Risk score (0-100)"
+  risk-level:
+    description: "Risk level: clean, low, medium, high, critical"
+  findings-count:
+    description: "Total number of findings"
+  report:
+    description: "Full scan report in the requested format"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: "22"
+
+    - name: Install supply-chain-guard
+      shell: bash
+      run: npm install -g supply-chain-guard
+
+    - name: Run scan
+      id: scan
+      shell: bash
+      run: |
+        set +e
+
+        ARGS="scan ${{ inputs.path }} --format ${{ inputs.format }}"
+
+        if [ -n "${{ inputs.min-severity }}" ] && [ "${{ inputs.min-severity }}" != "" ]; then
+          ARGS="$ARGS --min-severity ${{ inputs.min-severity }}"
+        fi
+
+        if [ -n "${{ inputs.exclude-rules }}" ] && [ "${{ inputs.exclude-rules }}" != "" ]; then
+          ARGS="$ARGS --exclude ${{ inputs.exclude-rules }}"
+        fi
+
+        # Run scan and capture output
+        REPORT=$(supply-chain-guard $ARGS 2>&1)
+        EXIT_CODE=$?
+
+        # Also get JSON for parsing
+        JSON_REPORT=$(supply-chain-guard scan ${{ inputs.path }} --format json 2>/dev/null)
+
+        # Extract values from JSON
+        SCORE=$(echo "$JSON_REPORT" | jq -r '.score // 0')
+        RISK_LEVEL=$(echo "$JSON_REPORT" | jq -r '.riskLevel // "unknown"')
+        FINDINGS_COUNT=$(echo "$JSON_REPORT" | jq -r '.findings | length // 0')
+
+        echo "score=$SCORE" >> $GITHUB_OUTPUT
+        echo "risk-level=$RISK_LEVEL" >> $GITHUB_OUTPUT
+        echo "findings-count=$FINDINGS_COUNT" >> $GITHUB_OUTPUT
+
+        # Save report to file for multi-line output
+        echo "$REPORT" > /tmp/scg-report.txt
+        {
+          echo "report<<EOF"
+          cat /tmp/scg-report.txt
+          echo "EOF"
+        } >> $GITHUB_OUTPUT
+
+        # Print report to log
+        echo "$REPORT"
+
+        # Determine if we should fail
+        FAIL_SEVERITY="${{ inputs.fail-on }}"
+        case "$FAIL_SEVERITY" in
+          critical)
+            [ "$(echo "$JSON_REPORT" | jq '.summary.critical')" -gt 0 ] && exit 2
+            ;;
+          high)
+            [ "$(echo "$JSON_REPORT" | jq '.summary.critical + .summary.high')" -gt 0 ] && exit 1
+            ;;
+          medium)
+            [ "$(echo "$JSON_REPORT" | jq '.summary.critical + .summary.high + .summary.medium')" -gt 0 ] && exit 1
+            ;;
+          low)
+            [ "$(echo "$JSON_REPORT" | jq '.summary.critical + .summary.high + .summary.medium + .summary.low')" -gt 0 ] && exit 1
+            ;;
+        esac
+
+        exit 0
+
+    - name: Comment on PR
+      if: inputs.comment-on-pr == 'true' && github.event_name == 'pull_request' && steps.scan.outputs.findings-count != '0'
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const report = `${{ steps.scan.outputs.report }}`;
+          const { data: comments } = await github.rest.issues.listComments({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            issue_number: context.issue.number,
+          });
+
+          // Update existing comment or create new one
+          const botComment = comments.find(
+            (c) => c.body?.includes('supply-chain-guard Scan Report')
+          );
+
+          const body = report || '## 🛡️ supply-chain-guard Scan Report\n\n> ✅ No malicious indicators detected.';
+
+          if (botComment) {
+            await github.rest.issues.updateComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: botComment.id,
+              body,
+            });
+          } else {
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body,
+            });
+          }

package/dist/cli.d.ts

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+/**
+ * supply-chain-guard CLI
+ *
+ * Scan code repositories, npm packages, and VS Code extensions
+ * for supply-chain malware indicators.
+ */
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA;;;;;GAKG"}