supply-chain-guard 1.0.0

package/dist/scanner.js

@@ -0,0 +1,423 @@
+"use strict";
+/**
+ * Core file scanner
+ *
+ * Scans local directories and GitHub repos for supply-chain malware indicators.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scan = scan;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const node_child_process_1 = require("node:child_process");
+const types_js_1 = require("./types.js");
+const patterns_js_1 = require("./patterns.js");
+const TOOL_VERSION = "1.0.0";
+/**
+ * Scan a local directory or GitHub repo for malware indicators.
+ */
+async function scan(options) {
+    const startTime = Date.now();
+    const target = options.target;
+    let scanDir = target;
+    let scanType = "directory";
+    let tempDir = null;
+    // If target is a GitHub URL, clone it
+    if (target.startsWith("https://github.com/")) {
+        scanType = "github";
+        tempDir = fs.mkdtempSync(path.join("/tmp", "scg-"));
+        try {
+            (0, node_child_process_1.execSync)(`git clone --depth 1 "${target}" "${tempDir}/repo"`, {
+                stdio: "pipe",
+            });
+        }
+        catch {
+            throw new Error(`Failed to clone repository: ${target}`);
+        }
+        scanDir = path.join(tempDir, "repo");
+    }
+    // Validate directory exists
+    if (!fs.existsSync(scanDir)) {
+        throw new Error(`Target directory does not exist: ${scanDir}`);
+    }
+    const stat = fs.statSync(scanDir);
+    if (!stat.isDirectory()) {
+        throw new Error(`Target is not a directory: ${scanDir}`);
+    }
+    // Collect files
+    const allFiles = collectFiles(scanDir, options.maxDepth ?? 20);
+    const findings = [];
+    // Scan each file
+    let filesScanned = 0;
+    for (const filePath of allFiles) {
+        const ext = path.extname(filePath).toLowerCase();
+        const basename = path.basename(filePath);
+        const relativePath = path.relative(scanDir, filePath);
+        // Check suspicious file names
+        checkSuspiciousFileName(basename, relativePath, findings);
+        // Only scan content of known file types
+        if (!patterns_js_1.SCANNABLE_EXTENSIONS.has(ext))
+            continue;
+        // Skip large files
+        const fileStat = fs.statSync(filePath);
+        if (fileStat.size > patterns_js_1.MAX_FILE_SIZE)
+            continue;
+        filesScanned++;
+        try {
+            const content = fs.readFileSync(filePath, "utf-8");
+            // Check file content patterns
+            checkFilePatterns(content, relativePath, findings);
+            // Check package.json specifically
+            if (basename === "package.json") {
+                checkPackageJson(content, relativePath, findings);
+            }
+        }
+        catch {
+            // Skip files that can't be read (binary, permissions, etc.)
+        }
+    }
+    // Check git commit dates if it's a git repo
+    if (fs.existsSync(path.join(scanDir, ".git"))) {
+        checkGitDateAnomalies(scanDir, findings);
+    }
+    // Filter by severity and excluded rules
+    const filteredFindings = filterFindings(findings, options);
+    // Calculate summary and score
+    const summary = calculateSummary(allFiles.length, filesScanned, filteredFindings);
+    const score = calculateScore(filteredFindings);
+    const riskLevel = getRiskLevel(score);
+    const recommendations = generateRecommendations(filteredFindings);
+    // Cleanup temp directory
+    if (tempDir) {
+        fs.rmSync(tempDir, { recursive: true, force: true });
+    }
+    return {
+        tool: `supply-chain-guard v${TOOL_VERSION}`,
+        timestamp: new Date().toISOString(),
+        target,
+        scanType,
+        durationMs: Date.now() - startTime,
+        findings: filteredFindings,
+        summary,
+        score,
+        riskLevel,
+        recommendations,
+    };
+}
+/**
+ * Recursively collect all files in a directory.
+ */
+function collectFiles(dir, maxDepth, depth = 0) {
+    if (depth > maxDepth)
+        return [];
+    const files = [];
+    let entries;
+    try {
+        entries = fs.readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return files;
+    }
+    for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+        // Skip common non-relevant directories
+        if (entry.isDirectory()) {
+            if (entry.name === "node_modules" ||
+                entry.name === ".git" ||
+                entry.name === "dist" ||
+                entry.name === "build" ||
+                entry.name === ".next" ||
+                entry.name === "__pycache__" ||
+                entry.name === ".venv" ||
+                entry.name === "venv") {
+                continue;
+            }
+            files.push(...collectFiles(fullPath, maxDepth, depth + 1));
+        }
+        else if (entry.isFile()) {
+            files.push(fullPath);
+        }
+    }
+    return files;
+}
+/**
+ * Check if a filename matches known suspicious patterns.
+ */
+function checkSuspiciousFileName(basename, relativePath, findings) {
+    for (const suspicious of patterns_js_1.SUSPICIOUS_FILES) {
+        const regex = new RegExp(suspicious.pattern);
+        if (regex.test(basename)) {
+            findings.push({
+                rule: suspicious.rule,
+                description: suspicious.description,
+                severity: suspicious.severity,
+                file: relativePath,
+                recommendation: `Inspect ${relativePath} manually. This filename is commonly associated with malware campaigns.`,
+            });
+        }
+    }
+}
+/**
+ * Scan file content against known malicious patterns.
+ */
+function checkFilePatterns(content, relativePath, findings) {
+    const lines = content.split("\n");
+    for (const pattern of patterns_js_1.FILE_PATTERNS) {
+        const regex = new RegExp(pattern.pattern, "g");
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const match = regex.exec(line);
+            if (match) {
+                findings.push({
+                    rule: pattern.rule,
+                    description: pattern.description,
+                    severity: pattern.severity,
+                    file: relativePath,
+                    line: i + 1,
+                    match: truncateMatch(match[0]),
+                    recommendation: getRecommendation(pattern.rule),
+                });
+                // Reset regex lastIndex for next line
+                regex.lastIndex = 0;
+            }
+        }
+    }
+}
+/**
+ * Check package.json for suspicious install scripts.
+ */
+function checkPackageJson(content, relativePath, findings) {
+    let pkg;
+    try {
+        pkg = JSON.parse(content);
+    }
+    catch {
+        return;
+    }
+    const scripts = pkg.scripts;
+    if (!scripts)
+        return;
+    const dangerousHooks = ["preinstall", "postinstall", "preuninstall", "postuninstall"];
+    for (const hook of dangerousHooks) {
+        const script = scripts[hook];
+        if (!script)
+            continue;
+        // Check against suspicious script patterns
+        for (const pattern of patterns_js_1.SUSPICIOUS_SCRIPTS) {
+            const regex = new RegExp(pattern.pattern, "i");
+            if (regex.test(script)) {
+                findings.push({
+                    rule: pattern.rule,
+                    description: `${hook}: ${pattern.description}`,
+                    severity: pattern.severity,
+                    file: relativePath,
+                    match: truncateMatch(`${hook}: ${script}`),
+                    recommendation: `Review the ${hook} script in ${relativePath}. Suspicious install scripts are a primary vector for supply-chain attacks.`,
+                });
+            }
+        }
+        // Flag any non-trivial postinstall/preinstall
+        if ((hook === "postinstall" || hook === "preinstall") &&
+            script.length > 50 &&
+            !findings.some((f) => f.file === relativePath &&
+                f.rule.startsWith("SCRIPT_"))) {
+            findings.push({
+                rule: "COMPLEX_INSTALL_SCRIPT",
+                description: `Complex ${hook} script detected (${script.length} chars). Long install scripts warrant manual review.`,
+                severity: "low",
+                file: relativePath,
+                match: truncateMatch(`${hook}: ${script}`),
+                recommendation: `Review the ${hook} script to ensure it only performs expected build/setup operations.`,
+            });
+        }
+    }
+}
+/**
+ * Check for git commit date anomalies (committer date much newer than author date).
+ */
+function checkGitDateAnomalies(dir, findings) {
+    try {
+        const log = (0, node_child_process_1.execSync)(`git -C "${dir}" log --format="%H|%aI|%cI" -20 2>/dev/null`, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
+        const lines = log.trim().split("\n").filter(Boolean);
+        for (const line of lines) {
+            const [hash, authorDate, committerDate] = line.split("|");
+            if (!hash || !authorDate || !committerDate)
+                continue;
+            const authorTime = new Date(authorDate).getTime();
+            const committerTime = new Date(committerDate).getTime();
+            const diffHours = (committerTime - authorTime) / (1000 * 60 * 60);
+            // Flag if committer date is more than 30 days newer than author date
+            if (diffHours > 30 * 24) {
+                findings.push({
+                    rule: "GIT_DATE_ANOMALY",
+                    description: `Git commit date anomaly: committer date is ${Math.round(diffHours / 24)} days newer than author date. This can indicate repository history manipulation.`,
+                    severity: "medium",
+                    match: `commit ${hash?.substring(0, 8)}: authored ${authorDate}, committed ${committerDate}`,
+                    recommendation: "Investigate the commit history. Large gaps between author and committer dates may indicate a hijacked or manipulated repository.",
+                });
+            }
+        }
+    }
+    catch {
+        // Not a git repo or git not available
+    }
+}
+/**
+ * Filter findings based on scan options.
+ */
+function filterFindings(findings, options) {
+    const severityOrder = {
+        critical: 4,
+        high: 3,
+        medium: 2,
+        low: 1,
+        info: 0,
+    };
+    let filtered = findings;
+    if (options.minSeverity) {
+        const minLevel = severityOrder[options.minSeverity] ?? 0;
+        filtered = filtered.filter((f) => (severityOrder[f.severity] ?? 0) >= minLevel);
+    }
+    if (options.excludeRules?.length) {
+        const excluded = new Set(options.excludeRules);
+        filtered = filtered.filter((f) => !excluded.has(f.rule));
+    }
+    return filtered;
+}
+/**
+ * Calculate summary statistics.
+ */
+function calculateSummary(totalFiles, filesScanned, findings) {
+    return {
+        totalFiles,
+        filesScanned,
+        critical: findings.filter((f) => f.severity === "critical").length,
+        high: findings.filter((f) => f.severity === "high").length,
+        medium: findings.filter((f) => f.severity === "medium").length,
+        low: findings.filter((f) => f.severity === "low").length,
+        info: findings.filter((f) => f.severity === "info").length,
+    };
+}
+/**
+ * Calculate overall risk score (0-100).
+ */
+function calculateScore(findings) {
+    let score = 0;
+    for (const finding of findings) {
+        score += types_js_1.SEVERITY_SCORES[finding.severity];
+    }
+    return Math.min(100, score);
+}
+/**
+ * Derive risk level from score.
+ */
+function getRiskLevel(score) {
+    if (score === 0)
+        return "clean";
+    if (score <= 10)
+        return "low";
+    if (score <= 30)
+        return "medium";
+    if (score <= 60)
+        return "high";
+    return "critical";
+}
+/**
+ * Generate human-readable recommendations.
+ */
+function generateRecommendations(findings) {
+    const recommendations = [];
+    const rules = new Set(findings.map((f) => f.rule));
+    if (rules.has("GLASSWORM_MARKER")) {
+        recommendations.push("CRITICAL: GlassWorm malware marker detected. Quarantine this code immediately and audit all downstream dependencies.");
+    }
+    if (rules.has("EVAL_ATOB") || rules.has("EVAL_BUFFER") || rules.has("FUNCTION_ATOB")) {
+        recommendations.push("CRITICAL: Encoded code execution detected. This is a strong indicator of malicious obfuscation. Do not run this code.");
+    }
+    if (rules.has("INVISIBLE_UNICODE")) {
+        recommendations.push("Review files with invisible Unicode characters. These can hide malicious code in otherwise normal-looking files.");
+    }
+    if (rules.has("SOLANA_MAINNET") || rules.has("HELIUS_RPC")) {
+        recommendations.push("Solana blockchain references detected. If this project has no legitimate blockchain functionality, this may indicate C2 communication via the Solana blockchain.");
+    }
+    if (rules.has("SCRIPT_CURL_EXEC") ||
+        rules.has("SCRIPT_WGET_EXEC") ||
+        rules.has("SCRIPT_NODE_INLINE")) {
+        recommendations.push("Dangerous install scripts detected. These scripts download and execute remote code, which is a common supply-chain attack vector.");
+    }
+    if (rules.has("GIT_DATE_ANOMALY")) {
+        recommendations.push("Git commit date anomalies detected. Verify the repository history has not been manipulated.");
+    }
+    if (rules.has("ENV_EXFILTRATION") || rules.has("DNS_EXFILTRATION")) {
+        recommendations.push("Potential data exfiltration patterns detected. Environment variables may be sent to external servers.");
+    }
+    if (recommendations.length === 0 && findings.length > 0) {
+        recommendations.push("Review the listed findings and assess whether they represent legitimate functionality or potential threats.");
+    }
+    if (findings.length === 0) {
+        recommendations.push("No malicious indicators detected. The scanned code appears clean.");
+    }
+    return recommendations;
+}
+/**
+ * Get a recommendation string for a specific rule.
+ */
+function getRecommendation(rule) {
+    const map = {
+        GLASSWORM_MARKER: "Quarantine this code immediately. This is a known GlassWorm campaign indicator.",
+        INVISIBLE_UNICODE: "Inspect this file in a hex editor. Invisible characters may hide malicious code.",
+        EVAL_ATOB: "Do not execute this code. Decode the base64 content to inspect what would be evaluated.",
+        EVAL_BUFFER: "Do not execute this code. Inspect the Buffer contents to see the hidden payload.",
+        FUNCTION_ATOB: "Do not execute this code. The Function constructor with encoded content is a strong malware indicator.",
+        EVAL_HEX: "Do not execute this code. Decode the hex string to inspect the hidden payload.",
+        EXEC_ENCODED: "Review what this exec call is decoding and running.",
+        SOLANA_MAINNET: "If this project has no blockchain functionality, this reference may indicate C2 communication.",
+        HELIUS_RPC: "Helius RPC references in non-blockchain projects are suspicious. Investigate.",
+        HEX_ARRAY: "Large hex arrays may contain obfuscated payloads. Decode and inspect.",
+        CHARCODE_OBFUSCATION: "String construction from character codes is a common obfuscation technique.",
+        ENV_EXFILTRATION: "This pattern combines environment variable access with network requests, which is a data exfiltration indicator.",
+        DNS_EXFILTRATION: "DNS-based exfiltration encodes data in DNS queries. This is a covert data theft technique.",
+    };
+    return map[rule] ?? "Review this finding manually and assess the risk.";
+}
+/**
+ * Truncate a match string for display.
+ */
+function truncateMatch(match, maxLen = 120) {
+    if (match.length <= maxLen)
+        return match;
+    return match.substring(0, maxLen) + "...";
+}
+//# sourceMappingURL=scanner.js.map

package/dist/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoBH,oBAoGC;AAtHD,4CAA8B;AAC9B,gDAAkC;AAClC,2DAA8C;AAE9C,yCAA6C;AAC7C,+CAMuB;AAEvB,MAAM,YAAY,GAAG,OAAO,CAAC;AAE7B;;GAEG;AACI,KAAK,UAAU,IAAI,CAAC,OAAoB;IAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC9B,IAAI,OAAO,GAAG,MAAM,CAAC;IACrB,IAAI,QAAQ,GAA2B,WAAW,CAAC;IACnD,IAAI,OAAO,GAAkB,IAAI,CAAC;IAElC,sCAAsC;IACtC,IAAI,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAC7C,QAAQ,GAAG,QAAQ,CAAC;QACpB,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QACpD,IAAI,CAAC;YACH,IAAA,6BAAQ,EAAC,wBAAwB,MAAM,MAAM,OAAO,QAAQ,EAAE;gBAC5D,KAAK,EAAE,MAAM;aACd,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,+BAA+B,MAAM,EAAE,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,4BAA4B;IAC5B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,oCAAoC,OAAO,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,8BAA8B,OAAO,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,gBAAgB;IAChB,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;IAC/D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,iBAAiB;IACjB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,KAAK,MAAM,QAAQ,IAAI,QAAQ,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAEtD,8BAA8B;QAC9B,uBAAuB,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;QAE1D,wCAAwC;QACxC,IAAI,CAAC,kCAAoB,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAE7C,mBAAmB;QACnB,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACvC,IAAI,QAAQ,CAAC,IAAI,GAAG,2BAAa;YAAE,SAAS;QAE5C,YAAY,EAAE,CAAC;QAEf,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEnD,8BAA8B;YAC9B,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;YAEnD,kCAAkC;YAClC,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;gBAChC,gBAAgB,CAAC,OAAO,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,4DAA4D;QAC9D,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;QAC9C,qBAAqB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAED,wCAAwC;IACxC,MAAM,gBAAgB,GAAG,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAE3D,8BAA8B;IAC9B,MAAM,OAAO,GAAG,gBAAgB,CAAC,QAAQ,CAAC,MAAM,EAAE,YAAY,EAAE,gBAAgB,CAAC,CAAC;IAClF,MAAM,KAAK,GAAG,cAAc,CAAC,gBAAgB,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,eAAe,GAAG,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;IAElE,yBAAyB;IACzB,IAAI,OAAO,EAAE,CAAC;QACZ,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,OAAO;QACL,IAAI,EAAE,uBAAuB,YAAY,EAAE;QAC3C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,MAAM;QACN,QAAQ;QACR,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;QAClC,QAAQ,EAAE,gBAAgB;QAC1B,OAAO;QACP,KAAK;QACL,SAAS;QACT,eAAe;KAChB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,GAAW,EAAE,QAAgB,EAAE,KAAK,GAAG,CAAC;IAC5D,IAAI,KAAK,GAAG,QAAQ;QAAE,OAAO,EAAE,CAAC;IAEhC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,OAAoB,CAAC;IAEzB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAE5C,uCAAuC;QACvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,IACE,KAAK,CAAC,IAAI,KAAK,cAAc;gBAC7B,KAAK,CAAC,IAAI,KAAK,MAAM;gBACrB,KAAK,CAAC,IAAI,KAAK,MAAM;gBACrB,KAAK,CAAC,IAAI,KAAK,OAAO;gBACtB,KAAK,CAAC,IAAI,KAAK,OAAO;gBACtB,KAAK,CAAC,IAAI,KAAK,aAAa;gBAC5B,KAAK,CAAC,IAAI,KAAK,OAAO;gBACtB,KAAK,CAAC,IAAI,KAAK,MAAM,EACrB,CAAC;gBACD,SAAS;YACX,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;QAC7D,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1B,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAC9B,QAAgB,EAChB,YAAoB,EACpB,QAAmB;IAEnB,KAAK,MAAM,UAAU,IAAI,8BAAgB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC7C,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,UAAU,CAAC,IAAI;gBACrB,WAAW,EAAE,UAAU,CAAC,WAAW;gBACnC,QAAQ,EAAE,UAAU,CAAC,QAAQ;gBAC7B,IAAI,EAAE,YAAY;gBAClB,cAAc,EAAE,WAAW,YAAY,yEAAyE;aACjH,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,OAAe,EACf,YAAoB,EACpB,QAAmB;IAEnB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,OAAO,IAAI,2BAAa,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAE/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/B,IAAI,KAAK,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,IAAI,EAAE,YAAY;oBAClB,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,KAAK,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;oBAC9B,cAAc,EAAE,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC;iBAChD,CAAC,CAAC;gBACH,sCAAsC;gBACtC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,OAAe,EACf,YAAoB,EACpB,QAAmB;IAEnB,IAAI,GAA4B,CAAC;IACjC,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,OAA6C,CAAC;IAClE,IAAI,CAAC,OAAO;QAAE,OAAO;IAErB,MAAM,cAAc,GAAG,CAAC,YAAY,EAAE,aAAa,EAAE,cAAc,EAAE,eAAe,CAAC,CAAC;IAEtF,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7B,IAAI,CAAC,MAAM;YAAE,SAAS;QAEtB,2CAA2C;QAC3C,KAAK,MAAM,OAAO,IAAI,gCAAkB,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAC/C,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,WAAW,EAAE,GAAG,IAAI,KAAK,OAAO,CAAC,WAAW,EAAE;oBAC9C,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,IAAI,EAAE,YAAY;oBAClB,KAAK,EAAE,aAAa,CAAC,GAAG,IAAI,KAAK,MAAM,EAAE,CAAC;oBAC1C,cAAc,EAAE,cAAc,IAAI,cAAc,YAAY,6EAA6E;iBAC1I,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,IACE,CAAC,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,YAAY,CAAC;YACjD,MAAM,CAAC,MAAM,GAAG,EAAE;YAClB,CAAC,QAAQ,CAAC,IAAI,CACZ,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,IAAI,KAAK,YAAY;gBACvB,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAC/B,EACD,CAAC;YACD,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,wBAAwB;gBAC9B,WAAW,EAAE,WAAW,IAAI,qBAAqB,MAAM,CAAC,MAAM,sDAAsD;gBACpH,QAAQ,EAAE,KAAK;gBACf,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,aAAa,CAAC,GAAG,IAAI,KAAK,MAAM,EAAE,CAAC;gBAC1C,cAAc,EAAE,cAAc,IAAI,qEAAqE;aACxG,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,GAAW,EAAE,QAAmB;IAC7D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,6BAAQ,EAClB,WAAW,GAAG,6CAA6C,EAC3D,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CACvD,CAAC;QAEF,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAErD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,aAAa,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC1D,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,IAAI,CAAC,aAAa;gBAAE,SAAS;YAErD,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC;YAClD,MAAM,aAAa,GAAG,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE,CAAC;YACxD,MAAM,SAAS,GAAG,CAAC,aAAa,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;YAElE,qEAAqE;YACrE,IAAI,SAAS,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC;gBACxB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,kBAAkB;oBACxB,WAAW,EAAE,8CAA8C,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,EAAE,CAAC,kFAAkF;oBACvK,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,UAAU,IAAI,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,cAAc,UAAU,eAAe,aAAa,EAAE;oBAC5F,cAAc,EACZ,kIAAkI;iBACrI,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,sCAAsC;IACxC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,QAAmB,EAAE,OAAoB;IAC/D,MAAM,aAAa,GAA2B;QAC5C,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;QACN,IAAI,EAAE,CAAC;KACR,CAAC;IAEF,IAAI,QAAQ,GAAG,QAAQ,CAAC;IAExB,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QACzD,QAAQ,GAAG,QAAQ,CAAC,MAAM,CACxB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,QAAQ,CACpD,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC/C,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,UAAkB,EAClB,YAAoB,EACpB,QAAmB;IAEnB,OAAO;QACL,UAAU;QACV,YAAY;QACZ,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;QAClE,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;QAC1D,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;QAC9D,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;QACxD,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;KAC3D,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,QAAmB;IACzC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,KAAK,IAAI,0BAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,OAAO,CAAC;IAChC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,KAAK,CAAC;IAC9B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,QAAmB;IAClD,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAEnD,IAAI,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAClC,eAAe,CAAC,IAAI,CAClB,sHAAsH,CACvH,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC;QACrF,eAAe,CAAC,IAAI,CAClB,uHAAuH,CACxH,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,GAAG,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACnC,eAAe,CAAC,IAAI,CAClB,kHAAkH,CACnH,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;QAC3D,eAAe,CAAC,IAAI,CAClB,kKAAkK,CACnK,CAAC;IACJ,CAAC;IACD,IACE,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAC7B,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAC7B,KAAK,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAC/B,CAAC;QACD,eAAe,CAAC,IAAI,CAClB,mIAAmI,CACpI,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAClC,eAAe,CAAC,IAAI,CAClB,6FAA6F,CAC9F,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACnE,eAAe,CAAC,IAAI,CAClB,uGAAuG,CACxG,CAAC;IACJ,CAAC;IAED,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,eAAe,CAAC,IAAI,CAClB,6GAA6G,CAC9G,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,eAAe,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAY;IACrC,MAAM,GAAG,GAA2B;QAClC,gBAAgB,EACd,iFAAiF;QACnF,iBAAiB,EACf,kFAAkF;QACpF,SAAS,EACP,yFAAyF;QAC3F,WAAW,EACT,kFAAkF;QACpF,aAAa,EACX,wGAAwG;QAC1G,QAAQ,EACN,gFAAgF;QAClF,YAAY,EACV,qDAAqD;QACvD,cAAc,EACZ,gGAAgG;QAClG,UAAU,EACR,+EAA+E;QACjF,SAAS,EACP,uEAAuE;QACzE,oBAAoB,EAClB,6EAA6E;QAC/E,gBAAgB,EACd,kHAAkH;QACpH,gBAAgB,EACd,4FAA4F;KAC/F,CAAC;IAEF,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,mDAAmD,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,KAAa,EAAE,MAAM,GAAG,GAAG;IAChD,IAAI,KAAK,CAAC,MAAM,IAAI,MAAM;QAAE,OAAO,KAAK,CAAC;IACzC,OAAO,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC;AAC5C,CAAC"}

package/dist/solana-monitor.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Solana C2 wallet monitor
+ *
+ * Monitors Solana wallet addresses for transactions containing memo instructions.
+ * GlassWorm and similar campaigns encode C2 URLs as Solana transaction memos,
+ * making the blockchain an uncensorable command-and-control channel.
+ */
+import type { SolanaMonitorOptions } from "./types.js";
+interface TransactionDetail {
+    signature: string;
+    blockTime: number | null;
+    memos: string[];
+}
+/**
+ * Monitor a Solana wallet for C2 memo transactions.
+ * Runs continuously until stopped.
+ */
+export declare function monitorWallet(options: SolanaMonitorOptions, onAlert: (alert: C2Alert) => void): Promise<void>;
+/**
+ * One-shot check: get recent transactions and check for memos.
+ */
+export declare function checkWallet(address: string, limit?: number): Promise<TransactionDetail[]>;
+/**
+ * Alert structure for detected C2 communications.
+ */
+export interface C2Alert {
+    timestamp: string;
+    wallet: string;
+    signature: string;
+    memo: string;
+    decodedUrls: string[];
+    blockTime: number | null;
+}
+/**
+ * Format a C2 alert for display.
+ */
+export declare function formatAlert(alert: C2Alert): string;
+export {};
+//# sourceMappingURL=solana-monitor.d.ts.map

package/dist/solana-monitor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"solana-monitor.d.ts","sourceRoot":"","sources":["../src/solana-monitor.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,oBAAoB,EAAqB,MAAM,YAAY,CAAC;AAK1E,UAAU,iBAAiB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,GAChC,OAAO,CAAC,IAAI,CAAC,CA6Df;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,KAAK,SAAK,GACT,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAY9B;AA8ID;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAwBlD"}