supply-chain-guard 4.1.0 → 4.2.0

package/dist/cli.js

@@ -20,7 +20,7 @@ const program = new commander_1.Command();
 program
     .name("supply-chain-guard")
     .description("Open-source supply-chain security scanner. Detects GlassWorm and similar malware campaigns in npm packages, PyPI packages, code repos, VS Code extensions, and project dependencies.")
-    .version("4.1.0");
+    .version("4.2.0");
 // ── scan command ────────────────────────────────────────────────────
 program
     .command("scan")

package/dist/correlation-engine.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Correlation engine (v4.2) — CORE FEATURE.
+ *
+ * Aggregates individual findings into incident-level clusters.
+ * Links related findings, boosts confidence, generates attack narratives,
+ * and reduces noise by grouping related indicators.
+ */
+import type { Finding, IncidentCluster } from "./types.js";
+export interface CorrelationResult {
+    /** Grouped incident clusters */
+    incidents: IncidentCluster[];
+    /** Risk score boost from correlations (0-30) */
+    riskBoost: number;
+    /** Human-readable insights */
+    insights: string[];
+}
+/**
+ * Correlate findings into incident clusters.
+ */
+export declare function correlateFindings(findings: Finding[]): CorrelationResult;
+//# sourceMappingURL=correlation-engine.d.ts.map

package/dist/correlation-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"correlation-engine.d.ts","sourceRoot":"","sources":["../src/correlation-engine.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAY,eAAe,EAAE,MAAM,YAAY,CAAC;AA2JrE,MAAM,WAAW,iBAAiB;IAChC,gCAAgC;IAChC,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAMD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,iBAAiB,CAoDxE"}

package/dist/correlation-engine.js

@@ -0,0 +1,178 @@
+"use strict";
+/**
+ * Correlation engine (v4.2) — CORE FEATURE.
+ *
+ * Aggregates individual findings into incident-level clusters.
+ * Links related findings, boosts confidence, generates attack narratives,
+ * and reduces noise by grouping related indicators.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.correlateFindings = correlateFindings;
+const CORRELATION_RULES = [
+    // --- Known campaigns ---
+    {
+        rules: ["GLASSWORM_MARKER", "EVAL_ATOB", "ENV_EXFILTRATION", "SOLANA_MAINNET"],
+        minMatch: 2,
+        incident: "GlassWorm Campaign",
+        severity: "critical",
+        confidenceBoost: 0.25,
+        narrative: "Multiple GlassWorm indicators detected. This matches the GlassWorm supply-chain malware campaign that uses Solana blockchain for C2 communication.",
+    },
+    {
+        rules: ["CAMPAIGN_CLAUDE_LURE", "RELEASE_EXE_ARTIFACT", "DEAD_DROP_STEAM", "VIDAR_BROWSER_THEFT"],
+        minMatch: 2,
+        incident: "Claude Code Leak Campaign (Vidar/GhostSocks)",
+        severity: "critical",
+        confidenceBoost: 0.30,
+        narrative: "Matches the April 2026 fake Claude Code campaign distributing Vidar stealer and GhostSocks proxy via GitHub releases with star-farmed repos.",
+    },
+    {
+        rules: ["SHAI_HULUD_WORM", "SHAI_HULUD_CRED_STEAL", "INSTALL_HOOK_NPMRC_READ"],
+        minMatch: 2,
+        incident: "Shai-Hulud npm Worm",
+        severity: "critical",
+        confidenceBoost: 0.25,
+        narrative: "Self-replicating npm worm that steals .npmrc tokens and publishes infected copies of packages.",
+    },
+    // --- Infostealer chains ---
+    {
+        rules: ["DEAD_DROP_STEAM", "DEAD_DROP_TELEGRAM", "VIDAR_BROWSER_THEFT", "VIDAR_WALLET_THEFT", "DROPPER_TEMP_EXEC"],
+        minMatch: 2,
+        incident: "Infostealer Infection (Vidar/Lumma/RedLine)",
+        severity: "critical",
+        confidenceBoost: 0.25,
+        narrative: "Multiple infostealer indicators: dead-drop resolvers for C2, browser credential theft, and crypto wallet targeting. Likely Vidar, Lumma, or RedLine stealer.",
+    },
+    {
+        rules: ["GHOSTSOCKS_SOCKS5", "PROXY_BACKCONNECT", "DROPPER_TEMP_EXEC"],
+        minMatch: 2,
+        incident: "Proxy Malware (GhostSocks)",
+        severity: "critical",
+        confidenceBoost: 0.20,
+        narrative: "SOCKS5 proxy infrastructure detected. Infected machines are enrolled as residential proxy nodes for criminal traffic routing.",
+    },
+    // --- Supply-chain attack chains ---
+    {
+        rules: ["PUBLISH_MAINTAINER_CHANGE", "INSTALL_HOOK_NETWORK", "IOC_KNOWN_C2_DOMAIN"],
+        minMatch: 2,
+        incident: "npm Account Takeover",
+        severity: "critical",
+        confidenceBoost: 0.30,
+        narrative: "Maintainer change combined with new install hooks contacting known C2 infrastructure. Strong indicator of npm account compromise.",
+    },
+    {
+        rules: ["PUBLISH_MAINTAINER_CHANGE", "PUBLISH_SCRIPT_ADDED", "INSTALL_HOOK_ENV_HARVEST"],
+        minMatch: 2,
+        incident: "npm Package Hijack (Credential Theft)",
+        severity: "critical",
+        confidenceBoost: 0.25,
+        narrative: "Package maintainer changed and install scripts added that harvest environment variables. Classic account-takeover-to-credential-theft chain.",
+    },
+    {
+        rules: ["TYPOSQUAT_LEVENSHTEIN", "INSTALL_HOOK_NETWORK", "ENV_EXFILTRATION"],
+        minMatch: 2,
+        incident: "Typosquatting Attack with Data Exfiltration",
+        severity: "critical",
+        confidenceBoost: 0.25,
+        narrative: "Typosquatted package name combined with install-time network access and environment exfiltration. Active data theft via name confusion.",
+    },
+    // --- Fake repo chains ---
+    {
+        rules: ["README_LURE_CRACK", "RELEASE_EXE_ARTIFACT", "REPO_RECENT_CREATION", "REPO_SINGLE_COMMIT"],
+        minMatch: 2,
+        incident: "Fake Repository Malware Distribution",
+        severity: "critical",
+        confidenceBoost: 0.25,
+        narrative: "Recently created repository with piracy/crack lures and executable releases. Classic fake-repo malware distribution pattern.",
+    },
+    {
+        rules: ["CAMPAIGN_AI_TOOL_LURE", "RELEASE_EXE_ARTIFACT", "RELEASE_7Z_ARCHIVE"],
+        minMatch: 2,
+        incident: "Fake AI Tool Campaign",
+        severity: "critical",
+        confidenceBoost: 0.25,
+        narrative: "Matches the 2026 campaign impersonating 25+ AI tool brands to distribute infostealers via GitHub releases.",
+    },
+    // --- CI/CD poisoning ---
+    {
+        rules: ["GHA_CURL_PIPE_EXEC", "GHA_SECRET_CURL", "GHA_UNPINNED_ACTION"],
+        minMatch: 2,
+        incident: "CI/CD Pipeline Poisoning",
+        severity: "critical",
+        confidenceBoost: 0.20,
+        narrative: "GitHub Actions workflow downloads and executes remote code while accessing secrets. CI/CD pipeline compromise risk.",
+    },
+    // --- Obfuscation + exfil = malware ---
+    {
+        rules: ["EVAL_ATOB", "HIGH_ENTROPY_STRING", "ENV_EXFILTRATION", "DEAD_DROP_TELEGRAM"],
+        minMatch: 3,
+        incident: "Obfuscated Malware with C2",
+        severity: "critical",
+        confidenceBoost: 0.20,
+        narrative: "Heavy code obfuscation combined with data exfiltration and dead-drop C2 resolution. Confirmed malicious payload.",
+    },
+    // --- Secrets exposure ---
+    {
+        rules: ["SECRETS_AWS_KEY", "SECRETS_GITHUB_TOKEN", "SECRETS_PRIVATE_KEY", "SECRETS_NPM_TOKEN", "SECRETS_SSH_KEY_READ"],
+        minMatch: 2,
+        incident: "Multi-Credential Exposure",
+        severity: "critical",
+        confidenceBoost: 0.15,
+        narrative: "Multiple credential types exposed in code. Either a secrets leak or targeted credential harvesting malware.",
+    },
+    // --- Lockfile + IOC = compromised dependency ---
+    {
+        rules: ["IOC_KNOWN_BAD_VERSION", "IOC_KNOWN_C2_DOMAIN"],
+        minMatch: 2,
+        incident: "Known Compromised Dependency",
+        severity: "critical",
+        confidenceBoost: 0.30,
+        narrative: "Known-bad package version detected alongside C2 infrastructure. This dependency has been confirmed compromised.",
+    },
+];
+// ---------------------------------------------------------------------------
+// Main correlation function
+// ---------------------------------------------------------------------------
+/**
+ * Correlate findings into incident clusters.
+ */
+function correlateFindings(findings) {
+    const ruleSet = new Set(findings.map((f) => f.rule));
+    const incidents = [];
+    let riskBoost = 0;
+    const insights = [];
+    let clusterId = 0;
+    for (const rule of CORRELATION_RULES) {
+        const minMatch = rule.minMatch ?? rule.rules.length;
+        const matchedRules = rule.rules.filter((r) => ruleSet.has(r));
+        if (matchedRules.length >= minMatch) {
+            const id = `incident-${++clusterId}`;
+            // Collect all findings matching this correlation
+            const clusterFindings = findings.filter((f) => matchedRules.includes(f.rule));
+            // Boost confidence on matched findings
+            for (const f of clusterFindings) {
+                f.correlationId = id;
+                f.confidence = Math.min(1.0, (f.confidence ?? 0.8) + rule.confidenceBoost);
+            }
+            // Calculate compound confidence
+            const avgConfidence = clusterFindings.reduce((sum, f) => sum + (f.confidence ?? 0.8), 0) / clusterFindings.length;
+            incidents.push({
+                id,
+                name: rule.incident,
+                severity: rule.severity,
+                confidence: Math.min(1.0, avgConfidence),
+                findings: clusterFindings,
+                narrative: rule.narrative,
+                indicators: matchedRules,
+            });
+            riskBoost += Math.round(rule.confidenceBoost * 30);
+            insights.push(`${rule.incident}: ${matchedRules.length}/${rule.rules.length} indicators matched (confidence ${(avgConfidence * 100).toFixed(0)}%)`);
+        }
+    }
+    // Cap risk boost at 30
+    riskBoost = Math.min(30, riskBoost);
+    // Sort by confidence descending
+    incidents.sort((a, b) => b.confidence - a.confidence);
+    return { incidents, riskBoost, insights };
+}
+//# sourceMappingURL=correlation-engine.js.map

package/dist/correlation-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"correlation-engine.js","sourceRoot":"","sources":["../src/correlation-engine.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA6KH,8CAoDC;AA1MD,MAAM,iBAAiB,GAAsB;IAC3C,0BAA0B;IAC1B;QACE,KAAK,EAAE,CAAC,kBAAkB,EAAE,WAAW,EAAE,kBAAkB,EAAE,gBAAgB,CAAC;QAC9E,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,oBAAoB;QAC9B,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,oJAAoJ;KAChK;IACD;QACE,KAAK,EAAE,CAAC,sBAAsB,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,qBAAqB,CAAC;QACjG,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,8CAA8C;QACxD,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,8IAA8I;KAC1J;IACD;QACE,KAAK,EAAE,CAAC,iBAAiB,EAAE,uBAAuB,EAAE,yBAAyB,CAAC;QAC9E,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,qBAAqB;QAC/B,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,gGAAgG;KAC5G;IAED,6BAA6B;IAC7B;QACE,KAAK,EAAE,CAAC,iBAAiB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,mBAAmB,CAAC;QAClH,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,6CAA6C;QACvD,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,8JAA8J;KAC1K;IACD;QACE,KAAK,EAAE,CAAC,mBAAmB,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;QACtE,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,4BAA4B;QACtC,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,+HAA+H;KAC3I;IAED,qCAAqC;IACrC;QACE,KAAK,EAAE,CAAC,2BAA2B,EAAE,sBAAsB,EAAE,qBAAqB,CAAC;QACnF,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,sBAAsB;QAChC,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,mIAAmI;KAC/I;IACD;QACE,KAAK,EAAE,CAAC,2BAA2B,EAAE,sBAAsB,EAAE,0BAA0B,CAAC;QACxF,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,uCAAuC;QACjD,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,8IAA8I;KAC1J;IACD;QACE,KAAK,EAAE,CAAC,uBAAuB,EAAE,sBAAsB,EAAE,kBAAkB,CAAC;QAC5E,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,6CAA6C;QACvD,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,yIAAyI;KACrJ;IAED,2BAA2B;IAC3B;QACE,KAAK,EAAE,CAAC,mBAAmB,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,oBAAoB,CAAC;QAClG,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,sCAAsC;QAChD,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,8HAA8H;KAC1I;IACD;QACE,KAAK,EAAE,CAAC,uBAAuB,EAAE,sBAAsB,EAAE,oBAAoB,CAAC;QAC9E,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,uBAAuB;QACjC,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,4GAA4G;KACxH;IAED,0BAA0B;IAC1B;QACE,KAAK,EAAE,CAAC,oBAAoB,EAAE,iBAAiB,EAAE,qBAAqB,CAAC;QACvE,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,0BAA0B;QACpC,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,qHAAqH;KACjI;IAED,wCAAwC;IACxC;QACE,KAAK,EAAE,CAAC,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,oBAAoB,CAAC;QACrF,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,4BAA4B;QACtC,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,kHAAkH;KAC9H;IAED,2BAA2B;IAC3B;QACE,KAAK,EAAE,CAAC,iBAAiB,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,sBAAsB,CAAC;QACtH,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,2BAA2B;QACrC,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,6GAA6G;KACzH;IAED,kDAAkD;IAClD;QACE,KAAK,EAAE,CAAC,uBAAuB,EAAE,qBAAqB,CAAC;QACvD,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,8BAA8B;QACxC,QAAQ,EAAE,UAAU;QACpB,eAAe,EAAE,IAAI;QACrB,SAAS,EAAE,iHAAiH;KAC7H;CACF,CAAC;AAeF,8EAA8E;AAC9E,4BAA4B;AAC5B,8EAA8E;AAE9E;;GAEG;AACH,SAAgB,iBAAiB,CAAC,QAAmB;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACrD,MAAM,SAAS,GAAsB,EAAE,CAAC;IACxC,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;QACpD,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAE9D,IAAI,YAAY,CAAC,MAAM,IAAI,QAAQ,EAAE,CAAC;YACpC,MAAM,EAAE,GAAG,YAAY,EAAE,SAAS,EAAE,CAAC;YAErC,iDAAiD;YACjD,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAE9E,uCAAuC;YACvC,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;gBAChC,CAAC,CAAC,aAAa,GAAG,EAAE,CAAC;gBACrB,CAAC,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC;YAC7E,CAAC;YAED,gCAAgC;YAChC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAC1C,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC,EAAE,CAAC,CAC3C,GAAG,eAAe,CAAC,MAAM,CAAC;YAE3B,SAAS,CAAC,IAAI,CAAC;gBACb,EAAE;gBACF,IAAI,EAAE,IAAI,CAAC,QAAQ;gBACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,aAAa,CAAC;gBACxC,QAAQ,EAAE,eAAe;gBACzB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,UAAU,EAAE,YAAY;aACzB,CAAC,CAAC;YAEH,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,GAAG,EAAE,CAAC,CAAC;YACnD,QAAQ,CAAC,IAAI,CACX,GAAG,IAAI,CAAC,QAAQ,KAAK,YAAY,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,mCAAmC,CAAC,aAAa,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CACrI,CAAC;QACJ,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;IAEpC,gCAAgC;IAChC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;IAEtD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AAC5C,CAAC"}

package/dist/dependency-risk-analyzer.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Dependency risk analyzer (v4.2).
+ *
+ * Levenshtein-based typosquat detection and namespace squatting.
+ * Checks package names against popular packages to detect mimicry.
+ */
+import type { Finding } from "./types.js";
+/**
+ * Calculate Levenshtein distance between two strings.
+ */
+export declare function levenshtein(a: string, b: string): number;
+/**
+ * Analyze dependencies for typosquatting and confusion risks.
+ */
+export declare function analyzeDependencyRisks(dependencies: Record<string, string>, relativePath: string): Finding[];
+//# sourceMappingURL=dependency-risk-analyzer.d.ts.map

package/dist/dependency-risk-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-risk-analyzer.d.ts","sourceRoot":"","sources":["../src/dependency-risk-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAiC1C;;GAEG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAsBxD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACpC,YAAY,EAAE,MAAM,GACnB,OAAO,EAAE,CAoEX"}

package/dist/dependency-risk-analyzer.js

@@ -0,0 +1,130 @@
+"use strict";
+/**
+ * Dependency risk analyzer (v4.2).
+ *
+ * Levenshtein-based typosquat detection and namespace squatting.
+ * Checks package names against popular packages to detect mimicry.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.levenshtein = levenshtein;
+exports.analyzeDependencyRisks = analyzeDependencyRisks;
+/** Top 80 most popular npm packages (targets for typosquatting) */
+const POPULAR_PACKAGES = [
+    "lodash", "chalk", "express", "react", "axios", "commander", "debug",
+    "glob", "minimist", "semver", "uuid", "mkdirp", "rimraf", "yargs",
+    "moment", "bluebird", "underscore", "async", "request", "inquirer",
+    "colors", "path", "dotenv", "body-parser", "webpack", "typescript",
+    "eslint", "prettier", "jest", "mocha", "chai", "sinon", "supertest",
+    "mongoose", "sequelize", "pg", "mysql2", "redis", "ioredis",
+    "socket.io", "cors", "helmet", "morgan", "cookie-parser", "jsonwebtoken",
+    "bcrypt", "passport", "nodemailer", "multer", "sharp", "puppeteer",
+    "cheerio", "node-fetch", "got", "superagent", "http-proxy-middleware",
+    "ws", "next", "gatsby", "vue", "angular", "svelte", "tailwindcss",
+    "postcss", "autoprefixer", "sass", "less", "babel", "esbuild",
+    "rollup", "vite", "turbo", "nx", "lerna", "husky", "lint-staged",
+    "cross-env", "concurrently", "nodemon", "pm2", "fastify", "koa",
+    "hapi", "restify",
+];
+/** Patterns that suggest internal/private package names */
+const INTERNAL_PATTERNS = [
+    /^@[^/]+\/internal-/,
+    /^@[^/]+\/private-/,
+    /^@[^/]+\/.+-service$/,
+    /^@[^/]+\/.+-api$/,
+    /^@[^/]+\/.+-lib$/,
+    /^@[^/]+\/.+-utils$/,
+    /^@[^/]+\/.+-common$/,
+    /^@[^/]+\/.+-core$/,
+    /^@[^/]+\/.+-shared$/,
+];
+/**
+ * Calculate Levenshtein distance between two strings.
+ */
+function levenshtein(a, b) {
+    const m = a.length;
+    const n = b.length;
+    const dp = Array.from({ length: m + 1 }, () => Array.from({ length: n + 1 }, () => 0));
+    for (let i = 0; i <= m; i++)
+        dp[i][0] = i;
+    for (let j = 0; j <= n; j++)
+        dp[0][j] = j;
+    for (let i = 1; i <= m; i++) {
+        for (let j = 1; j <= n; j++) {
+            const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+            dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
+        }
+    }
+    return dp[m][n];
+}
+/**
+ * Analyze dependencies for typosquatting and confusion risks.
+ */
+function analyzeDependencyRisks(dependencies, relativePath) {
+    const findings = [];
+    const depNames = Object.keys(dependencies);
+    for (const name of depNames) {
+        // Skip scoped packages for Levenshtein (handled separately)
+        if (name.startsWith("@")) {
+            // Check internal name patterns on public registry
+            for (const pattern of INTERNAL_PATTERNS) {
+                if (pattern.test(name)) {
+                    findings.push({
+                        rule: "DEP_INTERNAL_NAME_PUBLIC",
+                        description: `Dependency "${name}" looks like an internal package name. If this is on a public registry, it may be a dependency confusion attack.`,
+                        severity: "critical",
+                        file: relativePath,
+                        confidence: 0.7,
+                        category: "supply-chain",
+                        recommendation: `Verify "${name}" is your organization's real package. If not, this is dependency confusion.`,
+                    });
+                    break;
+                }
+            }
+            continue;
+        }
+        // Levenshtein check against popular packages
+        for (const popular of POPULAR_PACKAGES) {
+            if (name === popular)
+                continue; // Exact match = legitimate
+            if (Math.abs(name.length - popular.length) > 2)
+                continue; // Quick skip
+            const dist = levenshtein(name, popular);
+            if (dist > 0 && dist <= 2) {
+                findings.push({
+                    rule: "TYPOSQUAT_LEVENSHTEIN",
+                    description: `Dependency "${name}" is ${dist} edit(s) away from popular package "${popular}". Likely a typosquat.`,
+                    severity: "high",
+                    file: relativePath,
+                    confidence: dist === 1 ? 0.85 : 0.65,
+                    category: "supply-chain",
+                    recommendation: `Did you mean "${popular}"? Typosquatting replaces popular packages with malicious copies.`,
+                });
+                break; // One match per dep is enough
+            }
+        }
+        // Check if name is similar to another direct dependency
+        for (const otherName of depNames) {
+            if (name === otherName)
+                continue;
+            if (name.startsWith("@") || otherName.startsWith("@"))
+                continue;
+            if (Math.abs(name.length - otherName.length) > 2)
+                continue;
+            const dist = levenshtein(name, otherName);
+            if (dist > 0 && dist <= 1) {
+                findings.push({
+                    rule: "TYPOSQUAT_SIMILAR_TO_DEP",
+                    description: `Dependencies "${name}" and "${otherName}" differ by only ${dist} character(s). One may be a typosquat of the other.`,
+                    severity: "high",
+                    file: relativePath,
+                    confidence: 0.7,
+                    category: "supply-chain",
+                    recommendation: `Review both "${name}" and "${otherName}". Only one should be in your dependencies.`,
+                });
+                break;
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=dependency-risk-analyzer.js.map

package/dist/dependency-risk-analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-risk-analyzer.js","sourceRoot":"","sources":["../src/dependency-risk-analyzer.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAsCH,kCAsBC;AAKD,wDAuEC;AApID,mEAAmE;AACnE,MAAM,gBAAgB,GAAa;IACjC,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO;IACpE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO;IACjE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU;IAClE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY;IAClE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW;IACnE,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS;IAC3D,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,eAAe,EAAE,cAAc;IACxE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW;IAClE,SAAS,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,uBAAuB;IACrE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,aAAa;IACjE,SAAS,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS;IAC7D,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,aAAa;IAChE,WAAW,EAAE,cAAc,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK;IAC/D,MAAM,EAAE,SAAS;CAClB,CAAC;AAEF,2DAA2D;AAC3D,MAAM,iBAAiB,GAAG;IACxB,oBAAoB;IACpB,mBAAmB;IACnB,sBAAsB;IACtB,kBAAkB;IAClB,kBAAkB;IAClB,oBAAoB;IACpB,qBAAqB;IACrB,mBAAmB;IACnB,qBAAqB;CACtB,CAAC;AAEF;;GAEG;AACH,SAAgB,WAAW,CAAC,CAAS,EAAE,CAAS;IAC9C,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACnB,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACnB,MAAM,EAAE,GAAe,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,EAAE,CACxD,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CACvC,CAAC;IAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;QAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;QAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3C,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CACjB,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAChB,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,EAChB,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CACxB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB,CACpC,YAAoC,EACpC,YAAoB;IAEpB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAE3C,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,4DAA4D;QAC5D,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,kDAAkD;YAClD,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;gBACxC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,0BAA0B;wBAChC,WAAW,EAAE,eAAe,IAAI,kHAAkH;wBAClJ,QAAQ,EAAE,UAAU;wBACpB,IAAI,EAAE,YAAY;wBAClB,UAAU,EAAE,GAAG;wBACf,QAAQ,EAAE,cAAc;wBACxB,cAAc,EAAE,WAAW,IAAI,8EAA8E;qBAC9G,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;YACD,SAAS;QACX,CAAC;QAED,6CAA6C;QAC7C,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;YACvC,IAAI,IAAI,KAAK,OAAO;gBAAE,SAAS,CAAC,2BAA2B;YAC3D,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;gBAAE,SAAS,CAAC,aAAa;YAEvE,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACxC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;gBAC1B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,uBAAuB;oBAC7B,WAAW,EAAE,eAAe,IAAI,QAAQ,IAAI,uCAAuC,OAAO,wBAAwB;oBAClH,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,YAAY;oBAClB,UAAU,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;oBACpC,QAAQ,EAAE,cAAc;oBACxB,cAAc,EAAE,iBAAiB,OAAO,mEAAmE;iBAC5G,CAAC,CAAC;gBACH,MAAM,CAAC,8BAA8B;YACvC,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,KAAK,MAAM,SAAS,IAAI,QAAQ,EAAE,CAAC;YACjC,IAAI,IAAI,KAAK,SAAS;gBAAE,SAAS;YACjC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAChE,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC;gBAAE,SAAS;YAE3D,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;YAC1C,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;gBAC1B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,0BAA0B;oBAChC,WAAW,EAAE,iBAAiB,IAAI,UAAU,SAAS,oBAAoB,IAAI,qDAAqD;oBAClI,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,YAAY;oBAClB,UAAU,EAAE,GAAG;oBACf,QAAQ,EAAE,cAAc;oBACxB,cAAc,EAAE,gBAAgB,IAAI,UAAU,SAAS,6CAA6C;iBACrG,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/index.d.ts

@@ -21,5 +21,11 @@ export { scanCargoFiles } from "./cargo-scanner.js";
 export { scanGoFiles } from "./go-scanner.js";
 export { checkIOCBlocklist, checkBadVersion } from "./ioc-blocklist.js";
 export { analyzeGitHubTrust, parseGitHubUrl, scanReadmeLures } from "./github-trust-scanner.js";
+export { analyzeInstallHooks } from "./install-hook-scanner.js";
+export { analyzeDependencyRisks, levenshtein } from "./dependency-risk-analyzer.js";
+export { analyzePublishingAnomalies } from "./publishing-anomaly-detector.js";
+export { scanReleaseArtifacts } from "./release-scanner.js";
+export { correlateFindings } from "./correlation-engine.js";
+export { calculateTrustBreakdown } from "./trust-breakdown.js";
 export type { Finding, ScanReport, ScanOptions, ScanSummary, Severity, NpmPackageInfo, SolanaMonitorOptions, SolanaTransaction, PatternEntry, WatchlistEntry, WatchlistConfig, WatchlistAlert, } from "./types.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EACL,aAAa,EACb,WAAW,EACX,WAAW,EACX,aAAa,EACb,aAAa,EACb,cAAc,EACd,mBAAmB,EACnB,aAAa,EACb,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AACzE,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC1E,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAChG,YAAY,EACV,OAAO,EACP,UAAU,EACV,WAAW,EACX,WAAW,EACX,QAAQ,EACR,cAAc,EACd,oBAAoB,EACpB,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,GACf,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EACL,aAAa,EACb,WAAW,EACX,WAAW,EACX,aAAa,EACb,aAAa,EACb,cAAc,EACd,mBAAmB,EACnB,aAAa,EACb,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AACzE,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC1E,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAChG,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAC;AACpF,OAAO,EAAE,0BAA0B,EAAE,MAAM,kCAAkC,CAAC;AAC9E,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAC/D,YAAY,EACV,OAAO,EACP,UAAU,EACV,WAAW,EACX,WAAW,EACX,QAAQ,EACR,cAAc,EACd,oBAAoB,EACpB,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,eAAe,EACf,cAAc,GACf,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -6,7 +6,7 @@
  * Detects GlassWorm and similar malware campaigns.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.scanReadmeLures = exports.parseGitHubUrl = exports.analyzeGitHubTrust = exports.checkBadVersion = exports.checkIOCBlocklist = exports.scanGoFiles = exports.scanCargoFiles = exports.shannonEntropy = exports.analyzeEntropy = exports.scanGitSecurity = exports.scanConfigFile = exports.scanConfigFiles = exports.scanDockerFile = exports.scanDockerFiles = exports.scanGitHubActionsWorkflows = exports.checkLockfile = exports.formatReport = exports.monitorWatchlist = exports.listWatchlist = exports.removeFromWatchlist = exports.addToWatchlist = exports.saveWatchlist = exports.loadWatchlist = exports.formatAlert = exports.checkWallet = exports.monitorWallet = exports.scanDependencyConfusion = exports.scanVscodeExtension = exports.scanPypiPackage = exports.scanNpmPackage = exports.scan = void 0;
+exports.calculateTrustBreakdown = exports.correlateFindings = exports.scanReleaseArtifacts = exports.analyzePublishingAnomalies = exports.levenshtein = exports.analyzeDependencyRisks = exports.analyzeInstallHooks = exports.scanReadmeLures = exports.parseGitHubUrl = exports.analyzeGitHubTrust = exports.checkBadVersion = exports.checkIOCBlocklist = exports.scanGoFiles = exports.scanCargoFiles = exports.shannonEntropy = exports.analyzeEntropy = exports.scanGitSecurity = exports.scanConfigFile = exports.scanConfigFiles = exports.scanDockerFile = exports.scanDockerFiles = exports.scanGitHubActionsWorkflows = exports.checkLockfile = exports.formatReport = exports.monitorWatchlist = exports.listWatchlist = exports.removeFromWatchlist = exports.addToWatchlist = exports.saveWatchlist = exports.loadWatchlist = exports.formatAlert = exports.checkWallet = exports.monitorWallet = exports.scanDependencyConfusion = exports.scanVscodeExtension = exports.scanPypiPackage = exports.scanNpmPackage = exports.scan = void 0;
 var scanner_js_1 = require("./scanner.js");
 Object.defineProperty(exports, "scan", { enumerable: true, get: function () { return scanner_js_1.scan; } });
 var npm_scanner_js_1 = require("./npm-scanner.js");
@@ -55,4 +55,17 @@ var github_trust_scanner_js_1 = require("./github-trust-scanner.js");
 Object.defineProperty(exports, "analyzeGitHubTrust", { enumerable: true, get: function () { return github_trust_scanner_js_1.analyzeGitHubTrust; } });
 Object.defineProperty(exports, "parseGitHubUrl", { enumerable: true, get: function () { return github_trust_scanner_js_1.parseGitHubUrl; } });
 Object.defineProperty(exports, "scanReadmeLures", { enumerable: true, get: function () { return github_trust_scanner_js_1.scanReadmeLures; } });
+var install_hook_scanner_js_1 = require("./install-hook-scanner.js");
+Object.defineProperty(exports, "analyzeInstallHooks", { enumerable: true, get: function () { return install_hook_scanner_js_1.analyzeInstallHooks; } });
+var dependency_risk_analyzer_js_1 = require("./dependency-risk-analyzer.js");
+Object.defineProperty(exports, "analyzeDependencyRisks", { enumerable: true, get: function () { return dependency_risk_analyzer_js_1.analyzeDependencyRisks; } });
+Object.defineProperty(exports, "levenshtein", { enumerable: true, get: function () { return dependency_risk_analyzer_js_1.levenshtein; } });
+var publishing_anomaly_detector_js_1 = require("./publishing-anomaly-detector.js");
+Object.defineProperty(exports, "analyzePublishingAnomalies", { enumerable: true, get: function () { return publishing_anomaly_detector_js_1.analyzePublishingAnomalies; } });
+var release_scanner_js_1 = require("./release-scanner.js");
+Object.defineProperty(exports, "scanReleaseArtifacts", { enumerable: true, get: function () { return release_scanner_js_1.scanReleaseArtifacts; } });
+var correlation_engine_js_1 = require("./correlation-engine.js");
+Object.defineProperty(exports, "correlateFindings", { enumerable: true, get: function () { return correlation_engine_js_1.correlateFindings; } });
+var trust_breakdown_js_1 = require("./trust-breakdown.js");
+Object.defineProperty(exports, "calculateTrustBreakdown", { enumerable: true, get: function () { return trust_breakdown_js_1.calculateTrustBreakdown; } });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEH,2CAAoC;AAA3B,kGAAA,IAAI,OAAA;AACb,mDAAkD;AAAzC,gHAAA,cAAc,OAAA;AACvB,qDAAoD;AAA3C,kHAAA,eAAe,OAAA;AACxB,yDAA0D;AAAjD,wHAAA,mBAAmB,OAAA;AAC5B,qEAAoE;AAA3D,kIAAA,uBAAuB,OAAA;AAChC,yDAU6B;AAT3B,kHAAA,aAAa,OAAA;AACb,gHAAA,WAAW,OAAA;AACX,gHAAA,WAAW,OAAA;AACX,kHAAA,aAAa,OAAA;AACb,kHAAA,aAAa,OAAA;AACb,mHAAA,cAAc,OAAA;AACd,wHAAA,mBAAmB,OAAA;AACnB,kHAAA,aAAa,OAAA;AACb,qHAAA,gBAAgB,OAAA;AAElB,6CAA6C;AAApC,2GAAA,YAAY,OAAA;AACrB,6DAAsD;AAA7C,oHAAA,aAAa,OAAA;AACtB,yEAAyE;AAAhE,uIAAA,0BAA0B,OAAA;AACnC,iEAA0E;AAAjE,wHAAA,eAAe,OAAA;AAAE,uHAAA,cAAc,OAAA;AACxC,yDAAsE;AAA7D,oHAAA,eAAe,OAAA;AAAE,mHAAA,cAAc,OAAA;AACxC,mDAAmD;AAA1C,iHAAA,eAAe,OAAA;AACxB,2CAA8D;AAArD,4GAAA,cAAc,OAAA;AAAE,4GAAA,cAAc,OAAA;AACvC,uDAAoD;AAA3C,kHAAA,cAAc,OAAA;AACvB,iDAA8C;AAArC,4GAAA,WAAW,OAAA;AACpB,uDAAwE;AAA/D,qHAAA,iBAAiB,OAAA;AAAE,mHAAA,eAAe,OAAA;AAC3C,qEAAgG;AAAvF,6HAAA,kBAAkB,OAAA;AAAE,yHAAA,cAAc,OAAA;AAAE,0HAAA,eAAe,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEH,2CAAoC;AAA3B,kGAAA,IAAI,OAAA;AACb,mDAAkD;AAAzC,gHAAA,cAAc,OAAA;AACvB,qDAAoD;AAA3C,kHAAA,eAAe,OAAA;AACxB,yDAA0D;AAAjD,wHAAA,mBAAmB,OAAA;AAC5B,qEAAoE;AAA3D,kIAAA,uBAAuB,OAAA;AAChC,yDAU6B;AAT3B,kHAAA,aAAa,OAAA;AACb,gHAAA,WAAW,OAAA;AACX,gHAAA,WAAW,OAAA;AACX,kHAAA,aAAa,OAAA;AACb,kHAAA,aAAa,OAAA;AACb,mHAAA,cAAc,OAAA;AACd,wHAAA,mBAAmB,OAAA;AACnB,kHAAA,aAAa,OAAA;AACb,qHAAA,gBAAgB,OAAA;AAElB,6CAA6C;AAApC,2GAAA,YAAY,OAAA;AACrB,6DAAsD;AAA7C,oHAAA,aAAa,OAAA;AACtB,yEAAyE;AAAhE,uIAAA,0BAA0B,OAAA;AACnC,iEAA0E;AAAjE,wHAAA,eAAe,OAAA;AAAE,uHAAA,cAAc,OAAA;AACxC,yDAAsE;AAA7D,oHAAA,eAAe,OAAA;AAAE,mHAAA,cAAc,OAAA;AACxC,mDAAmD;AAA1C,iHAAA,eAAe,OAAA;AACxB,2CAA8D;AAArD,4GAAA,cAAc,OAAA;AAAE,4GAAA,cAAc,OAAA;AACvC,uDAAoD;AAA3C,kHAAA,cAAc,OAAA;AACvB,iDAA8C;AAArC,4GAAA,WAAW,OAAA;AACpB,uDAAwE;AAA/D,qHAAA,iBAAiB,OAAA;AAAE,mHAAA,eAAe,OAAA;AAC3C,qEAAgG;AAAvF,6HAAA,kBAAkB,OAAA;AAAE,yHAAA,cAAc,OAAA;AAAE,0HAAA,eAAe,OAAA;AAC5D,qEAAgE;AAAvD,8HAAA,mBAAmB,OAAA;AAC5B,6EAAoF;AAA3E,qIAAA,sBAAsB,OAAA;AAAE,0HAAA,WAAW,OAAA;AAC5C,mFAA8E;AAArE,4IAAA,0BAA0B,OAAA;AACnC,2DAA4D;AAAnD,0HAAA,oBAAoB,OAAA;AAC7B,iEAA4D;AAAnD,0HAAA,iBAAiB,OAAA;AAC1B,2DAA+D;AAAtD,6HAAA,uBAAuB,OAAA"}

package/dist/install-hook-scanner.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Install hook deep analysis scanner (v4.2).
+ *
+ * Goes beyond basic SUSPICIOUS_SCRIPTS patterns to detect sophisticated
+ * install-time attacks: secret harvesting, download-exec chains,
+ * obfuscated one-liners, and embedded binary blobs.
+ */
+import type { Finding } from "./types.js";
+interface InstallScripts {
+    preinstall?: string;
+    postinstall?: string;
+    install?: string;
+    preuninstall?: string;
+    postuninstall?: string;
+    prepare?: string;
+}
+/**
+ * Deep-analyze install hook scripts from package.json.
+ */
+export declare function analyzeInstallHooks(scripts: InstallScripts, relativePath: string): Finding[];
+/**
+ * Extract install scripts from parsed package.json content.
+ */
+export declare function extractInstallScripts(content: string): InstallScripts | null;
+export {};
+//# sourceMappingURL=install-hook-scanner.d.ts.map

package/dist/install-hook-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-hook-scanner.d.ts","sourceRoot":"","sources":["../src/install-hook-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE1C,UAAU,cAAc;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,cAAc,EACvB,YAAY,EAAE,MAAM,GACnB,OAAO,EAAE,CA8HX;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,GACd,cAAc,GAAG,IAAI,CAevB"}

package/dist/install-hook-scanner.js

@@ -0,0 +1,157 @@
+"use strict";
+/**
+ * Install hook deep analysis scanner (v4.2).
+ *
+ * Goes beyond basic SUSPICIOUS_SCRIPTS patterns to detect sophisticated
+ * install-time attacks: secret harvesting, download-exec chains,
+ * obfuscated one-liners, and embedded binary blobs.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeInstallHooks = analyzeInstallHooks;
+exports.extractInstallScripts = extractInstallScripts;
+/**
+ * Deep-analyze install hook scripts from package.json.
+ */
+function analyzeInstallHooks(scripts, relativePath) {
+    const findings = [];
+    const hookNames = [
+        "preinstall", "postinstall", "install", "preuninstall", "postuninstall", "prepare",
+    ];
+    for (const hook of hookNames) {
+        const script = scripts[hook];
+        if (!script)
+            continue;
+        // Network access in install scripts
+        if (/(?:fetch|https?\.(?:get|request|post)|axios|got|node-fetch|urllib|curl|wget)\b/i.test(script)) {
+            findings.push({
+                rule: "INSTALL_HOOK_NETWORK",
+                description: `${hook} script makes network requests. Install scripts should not access the network.`,
+                severity: "critical",
+                file: relativePath,
+                match: truncate(`${hook}: ${script}`),
+                confidence: 0.9,
+                category: "supply-chain",
+                recommendation: "Remove network calls from install scripts. Use explicit build steps instead.",
+            });
+        }
+        // Download + execute chain
+        if (/(?:curl|wget|fetch).*(?:chmod\s+\+x|exec|spawn|child_process|\.\/|bash|sh\s|node\s)/i.test(script) ||
+            /(?:exec|spawn).*(?:curl|wget|fetch)/i.test(script)) {
+            findings.push({
+                rule: "INSTALL_HOOK_DOWNLOAD_EXEC",
+                description: `${hook} script downloads and executes code. This is the #1 supply-chain attack vector.`,
+                severity: "critical",
+                file: relativePath,
+                match: truncate(`${hook}: ${script}`),
+                confidence: 0.95,
+                category: "malware",
+                recommendation: "Never download and execute code during npm install. This is almost certainly malicious.",
+            });
+        }
+        // Environment variable harvesting (secrets)
+        if (/process\.env\.(?:AWS|GITHUB|NPM|GH_|AZURE|GCP|DOCKER|CI|TRAVIS|CIRCLE|JENKINS|SECRET|TOKEN|KEY|PASSWORD|CREDENTIAL)/i.test(script)) {
+            findings.push({
+                rule: "INSTALL_HOOK_ENV_HARVEST",
+                description: `${hook} script accesses sensitive environment variables (secrets, tokens, keys).`,
+                severity: "critical",
+                file: relativePath,
+                match: truncate(`${hook}: ${script}`),
+                confidence: 0.85,
+                category: "supply-chain",
+                recommendation: "Install scripts should never read CI/CD secrets or API tokens.",
+            });
+        }
+        // .npmrc / credential file access
+        if (/\.npmrc|npm_config_|_authToken|\.ssh[/\\]|id_rsa|id_ed25519|\.gnupg|\.aws\/credentials/i.test(script)) {
+            findings.push({
+                rule: "INSTALL_HOOK_NPMRC_READ",
+                description: `${hook} script accesses credential files (.npmrc, SSH keys, AWS credentials).`,
+                severity: "critical",
+                file: relativePath,
+                match: truncate(`${hook}: ${script}`),
+                confidence: 0.9,
+                category: "malware",
+                recommendation: "Install scripts must not read credential files. This is credential theft.",
+            });
+        }
+        // .env file access
+        if (/\.env\b|dotenv|require\s*\(\s*['"]dotenv/i.test(script)) {
+            findings.push({
+                rule: "INSTALL_HOOK_DOTENV_READ",
+                description: `${hook} script reads .env files. Environment files contain secrets.`,
+                severity: "high",
+                file: relativePath,
+                match: truncate(`${hook}: ${script}`),
+                confidence: 0.7,
+                category: "supply-chain",
+                recommendation: "Install scripts should not load .env files.",
+            });
+        }
+        // Obfuscated script content
+        if (/(?:atob|btoa|Buffer\.from|decodeURIComponent|unescape|String\.fromCharCode)\s*\(/i.test(script)) {
+            findings.push({
+                rule: "INSTALL_HOOK_OBFUSCATED",
+                description: `${hook} script contains encoding/decoding operations. Obfuscated install scripts are a strong malware indicator.`,
+                severity: "high",
+                file: relativePath,
+                match: truncate(`${hook}: ${script}`),
+                confidence: 0.8,
+                category: "malware",
+                recommendation: "Decode the obfuscated content and inspect it before running npm install.",
+            });
+        }
+        // Long one-liner (> 500 chars)
+        if (script.length > 500 && !script.includes("\n")) {
+            findings.push({
+                rule: "INSTALL_HOOK_LONG_ONELINER",
+                description: `${hook} script is a ${script.length}-character one-liner. Long single-line scripts are often obfuscated malware.`,
+                severity: "medium",
+                file: relativePath,
+                match: truncate(`${hook}: ${script}`),
+                confidence: 0.6,
+                category: "supply-chain",
+                recommendation: "Review this script carefully. Legitimate build scripts are rarely this long on one line.",
+            });
+        }
+        // Embedded binary blob (base64 > 1KB)
+        const b64Match = script.match(/[A-Za-z0-9+/=]{1000,}/);
+        if (b64Match) {
+            findings.push({
+                rule: "INSTALL_HOOK_BINARY_BLOB",
+                description: `${hook} script contains an embedded binary blob (${b64Match[0].length} chars). Likely an encoded executable payload.`,
+                severity: "high",
+                file: relativePath,
+                match: truncate(`${hook}: ${b64Match[0].substring(0, 60)}...`),
+                confidence: 0.85,
+                category: "malware",
+                recommendation: "Decode this base64 blob and inspect it. Embedded payloads in install scripts are malware.",
+            });
+        }
+    }
+    return findings;
+}
+/**
+ * Extract install scripts from parsed package.json content.
+ */
+function extractInstallScripts(content) {
+    try {
+        const pkg = JSON.parse(content);
+        if (!pkg.scripts)
+            return null;
+        return {
+            preinstall: pkg.scripts.preinstall,
+            postinstall: pkg.scripts.postinstall,
+            install: pkg.scripts.install,
+            preuninstall: pkg.scripts.preuninstall,
+            postuninstall: pkg.scripts.postuninstall,
+            prepare: pkg.scripts.prepare,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+function truncate(s, max = 120) {
+    return s.length > max ? s.substring(0, max) + "..." : s;
+}
+//# sourceMappingURL=install-hook-scanner.js.map