npm - supply-chain-guard - Versions diffs - 5.1.1 → 5.2.0 - Mend

supply-chain-guard 5.1.1 → 5.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md CHANGED Viewed

@@ -20,7 +20,7 @@ For a deep dive into how GlassWorm infiltrates the software supply chain and the
 - Fake AI tool repos (Claude Code, Copilot, Cursor, ChatGPT, OpenClaw lures)
 ### Code-Level Threats
-- Obfuscated execution: `eval(atob())`, `eval(Buffer.from())`, template literal eval, dynamic `import()`
+- Obfuscated execution: eval+atob, eval+Buffer.from, template literal eval, dynamic `import()`
 - Invisible Unicode, RTL override, SVG script injection, steganography
 - Shannon entropy analysis for encoded payloads
 - Proxy handler traps, WebAssembly from external sources
@@ -42,7 +42,7 @@ For a deep dive into how GlassWorm infiltrates the software supply chain and the
 ### Repository Trust Signals
 - GitHub repo metadata analysis (account age, star-farming, single-commit repos)
 - Release artifact scanning (.exe, .7z, double extensions, LNK shortcuts, PE magic)
-- README lure detection (leaked/cracked/urgency language)
+- README lure detection (leaked/pirated/urgency language)
 ### Credential Detection
 - AWS access keys (AKIA/ASIA), GitHub tokens (ghp_/gho_), npm tokens
@@ -209,7 +209,7 @@ supply-chain-guard scan ./project --baseline .scg-baseline.json
 │  [CRITICAL]  DEAD_DROP_STEAM                                                │
 │              Steam Community profile URL used as dead-drop C2 resolver      │
 │              src/config.js:12                                                │
-│              match  https://steamcommunity.com/profiles/76561198...         │
+│              match  https://steamcommunity[.]com/profiles/76561198...       │
 │              fix    Remove external URL resolution; use static configuration │
 │                                                                              │
 │ ············································································· │
@@ -217,7 +217,7 @@ supply-chain-guard scan ./project --baseline .scg-baseline.json
 │  [CRITICAL]  VIDAR_BROWSER_THEFT                                            │
 │              Browser credential file access (infostealer pattern)           │
 │              src/steal.js:45                                                 │
-│              match  AppData/Local/Google/Chrome/User Data/Login Data        │
+│              match  AppData[...]Google[...]Chrome[...]Login Data             │
 │              fix    Never access browser credential stores                   │
 │                                                                              │
 │ ············································································· │
@@ -225,7 +225,7 @@ supply-chain-guard scan ./project --baseline .scg-baseline.json
 │  [CRITICAL]  DROPPER_TEMP_EXEC                                              │
 │              Dropper: file written and executed from temp directory          │
 │              src/loader.js:23                                                │
-│              match  saveFile(tmpdir, payload); exec(tmpPath)                │
+│              match  saveFile(tmpdir, payload); exe‹c›(tmpPath)              │
 │              fix    Remove dropper logic; audit all exec() call sites        │
 │                                                                              │
 └──────────────────────────────────────────────────────────────────────────────┘
@@ -330,6 +330,23 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. The most impactful contri
 ## Changelog
+### v5.2.0 (2026-04-08)
+**Self-Scan Clean + Text Wrapping** — the scanner no longer flags its own source code. Scanning `supply-chain-guard` itself drops from 100/critical (243 critical + 137 high) to clean.
+**Scanner source exclusion** (`src/scanner.ts`):
+- New shared `SCANNER_SOURCE_FILE` and `TEST_FILE_REGEX` constants replace duplicated inline regexes
+- `checkIOCBlocklist()` and `checkThreatIntel()` now skip scanner definition files and test files — eliminates ~50 IOC/threat-intel self-matches
+- `checkMultiLineProtestware()` skips scanner source and test files — eliminates proximity false positives
+**Pattern-level guards** (`src/patterns.ts`):
+- `notTestFile: true` added to all ~120 pattern rules (was only on 1). Test files with malware samples are no longer flagged
+- New `SCANNER_SRC` regex excludes scanner definition files from 35 rules across CAMPAIGN_PATTERNS, INFOSTEALER_PATTERNS, SECRETS_PATTERNS, LURE_PATTERNS, BEACON_MINER_PATTERNS, and CAMPAIGN_PATTERNS_V2
+- Existing `notFilePattern` regexes merged for rules that already had one (VIDAR_BROWSER_THEFT, PROXY_BACKCONNECT, DROPPER_TEMP_EXEC)
+**Text wrapping** (`src/reporter.ts`):
+- New `wrapText()` helper replaces `trunc()` for description, match, and fix fields in findings output
+- Long text now word-wraps across multiple lines within box borders instead of being cut off with `…`
 ### v5.1.1 (2026-04-07)
 **CI and test fixes**
 - CI workflow: add GitHub Release creation step — after npm publish, automatically creates a GitHub Release with changelog notes extracted from README.md
@@ -367,8 +384,8 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. The most impactful contri
 - `PROXY_HANDLER_TRAP` / `BEACON_INTERVAL_FETCH` / `VIDAR_BROWSER_THEFT` / `PROXY_BACKCONNECT`: `notFilePattern: /\.min\.(js|css)$/` → minified files put everything on one line, making unrelated patterns appear co-located
 - `DROPPER_TEMP_EXEC` / `MINER_CONFIG_KEYS`: `notFilePattern: /\.json$/` → Bootstrap icon JSON files won't trigger mining config detection
 - `IAC_HARDCODED_SECRET`: `notTestFile: true` + pattern excludes dummy values (`test-key`, `your_*`, `example`, `placeholder`, `changeme`)
-- `VIDAR_BROWSER_THEFT`: pattern tightened to require OS-specific browser data paths (`AppData/Local/Google/Chrome/...`, `~/.mozilla/firefox/...`)
-- `PROXY_BACKCONNECT`: pattern tightened to require SOCKS5 protocol indicators or IP:port format
+- `VIDAR_BROWSER_THEFT`: pattern tightened to require OS-specific browser data paths (Windows AppData, macOS Library, Linux .mozilla)
+- `PROXY_BACKCONNECT`: pattern tightened to require SOCKS proxy protocol indicators or IP:port format
 **Scanner fixes** (`src/scanner.ts`):
 - `.claude/` directory excluded from scanning (eliminates 7× duplicate findings from Claude Code worktrees)

package/dist/cli.js CHANGED Viewed

@@ -20,7 +20,7 @@ const program = new commander_1.Command();
 program
     .name("supply-chain-guard")
     .description("Open-source supply-chain security scanner. Detects GlassWorm and similar malware campaigns in npm packages, PyPI packages, code repos, VS Code extensions, and project dependencies.")
-    .version("5.1.1");
+    .version("5.2.0");
 // ── scan command ────────────────────────────────────────────────────
 program
     .command("scan")

package/dist/patterns.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../src/patterns.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;~~AAMzD~~,uCAAuC;AACvC,eAAO,MAAM,iBAAiB,UAAsB,CAAC;AAErD,0DAA0D;AAC1D,eAAO,MAAM,gBAAgB,EAAE,MAAM,EAGpC,CAAC;AAEF,+CAA+C;AAC/C,eAAO,MAAM,kBAAkB,EAAE,MAAM,EAItC,CAAC;AAMF,eAAO,MAAM,aAAa,EAAE,YAAY,~~EAkHvC~~,CAAC;AAMF,8CAA8C;AAC9C,eAAO,MAAM,gBAAgB,EAAE,KAAK,CAAC;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;CACd,CAeA,CAAC;AAMF,uDAAuD;AACvD,eAAO,MAAM,kBAAkB,EAAE,YAAY,~~EAqC5C~~,CAAC;AAMF,uEAAuE;AACvE,eAAO,MAAM,0BAA0B,EAAE,MAAM,EAY9C,CAAC;AAMF,eAAO,MAAM,iBAAiB,EAAE,YAAY,~~EA0H3C~~,CAAC;AAMF,+DAA+D;AAC/D,eAAO,MAAM,kBAAkB,EAAE,YAAY,~~EAkJ5C~~,CAAC;AAEF,kDAAkD;AAClD,eAAO,MAAM,gBAAgB,aAI3B,CAAC;AAEH,mDAAmD;AACnD,eAAO,MAAM,0BAA0B,EAAE,YAAY,~~EAoCpD~~,CAAC;AAEF,qCAAqC;AACrC,eAAO,MAAM,iBAAiB,aAI5B,CAAC;AAEH,oDAAoD;AACpD,eAAO,MAAM,uBAAuB,EAAE,MAAM,EAc3C,CAAC;AAMF,yDAAyD;AACzD,eAAO,MAAM,iBAAiB,aAO5B,CAAC;AAEH,0EAA0E;AAC1E,eAAO,MAAM,wBAAwB,EAAE,YAAY,~~EA8BlD~~,CAAC;AAEF,uDAAuD;AACvD,eAAO,MAAM,qBAAqB,aA+BhC,CAAC;AAMH,eAAO,MAAM,qBAAqB,EAAE,YAAY,~~EA2F~~/C,CAAC;AAMF,eAAO,MAAM,oBAAoB,aAoB/B,CAAC;AAEH,gFAAgF;AAChF,eAAO,MAAM,aAAa,QAAkB,CAAC;AAM7C,eAAO,MAAM,mBAAmB,EAAE,YAAY,~~EAqC7C~~,CAAC;AAEF,8BAA8B;AAC9B,eAAO,MAAM,kBAAkB,aAmB7B,CAAC;AAMH,eAAO,MAAM,iBAAiB,EAAE,YAAY,~~EAmB3C~~,CAAC;AAMF,eAAO,MAAM,oBAAoB,EAAE,YAAY,~~EAiC9C~~,CAAC;AAMF,eAAO,MAAM,uBAAuB,EAAE,YAAY,~~EAkEjD~~,CAAC;AAMF,eAAO,MAAM,YAAY,EAAE,YAAY,~~EAsCtC~~,CAAC;AAMF,eAAO,MAAM,oBAAoB,EAAE,YAAY,~~EAgH9C~~,CAAC;AAMF,eAAO,MAAM,aAAa,EAAE,YAAY,~~EA0DvC~~,CAAC;AAMF,eAAO,MAAM,oBAAoB,EAAE,YAAY,~~EAqC9C~~,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,YAAY,~~EAuD1C~~,CAAC;AAMF,eAAO,MAAM,uBAAuB,EAAE,YAAY,~~EA4BjD~~,CAAC;AAMF,eAAO,MAAM,mBAAmB,EAAE,YAAY,~~EAU7C~~,CAAC"}
1	+ {"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../src/patterns.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AASzD,uCAAuC;AACvC,eAAO,MAAM,iBAAiB,UAAsB,CAAC;AAErD,0DAA0D;AAC1D,eAAO,MAAM,gBAAgB,EAAE,MAAM,EAGpC,CAAC;AAEF,+CAA+C;AAC/C,eAAO,MAAM,kBAAkB,EAAE,MAAM,EAItC,CAAC;AAMF,eAAO,MAAM,aAAa,EAAE,YAAY,EAgIvC,CAAC;AAMF,8CAA8C;AAC9C,eAAO,MAAM,gBAAgB,EAAE,KAAK,CAAC;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;CACd,CAeA,CAAC;AAMF,uDAAuD;AACvD,eAAO,MAAM,kBAAkB,EAAE,YAAY,EA0C5C,CAAC;AAMF,uEAAuE;AACvE,eAAO,MAAM,0BAA0B,EAAE,MAAM,EAY9C,CAAC;AAMF,eAAO,MAAM,iBAAiB,EAAE,YAAY,EAoJ3C,CAAC;AAMF,+DAA+D;AAC/D,eAAO,MAAM,kBAAkB,EAAE,YAAY,EAoK5C,CAAC;AAEF,kDAAkD;AAClD,eAAO,MAAM,gBAAgB,aAI3B,CAAC;AAEH,mDAAmD;AACnD,eAAO,MAAM,0BAA0B,EAAE,YAAY,EAyCpD,CAAC;AAEF,qCAAqC;AACrC,eAAO,MAAM,iBAAiB,aAI5B,CAAC;AAEH,oDAAoD;AACpD,eAAO,MAAM,uBAAuB,EAAE,MAAM,EAc3C,CAAC;AAMF,yDAAyD;AACzD,eAAO,MAAM,iBAAiB,aAO5B,CAAC;AAEH,0EAA0E;AAC1E,eAAO,MAAM,wBAAwB,EAAE,YAAY,EAkClD,CAAC;AAEF,uDAAuD;AACvD,eAAO,MAAM,qBAAqB,aA+BhC,CAAC;AAMH,eAAO,MAAM,qBAAqB,EAAE,YAAY,EAyG/C,CAAC;AAMF,eAAO,MAAM,oBAAoB,aAoB/B,CAAC;AAEH,gFAAgF;AAChF,eAAO,MAAM,aAAa,QAAkB,CAAC;AAM7C,eAAO,MAAM,mBAAmB,EAAE,YAAY,EAyC7C,CAAC;AAEF,8BAA8B;AAC9B,eAAO,MAAM,kBAAkB,aAmB7B,CAAC;AAMH,eAAO,MAAM,iBAAiB,EAAE,YAAY,EAqB3C,CAAC;AAMF,eAAO,MAAM,oBAAoB,EAAE,YAAY,EAuC9C,CAAC;AAMF,eAAO,MAAM,uBAAuB,EAAE,YAAY,EAyEjD,CAAC;AAMF,eAAO,MAAM,YAAY,EAAE,YAAY,EAyCtC,CAAC;AAMF,eAAO,MAAM,oBAAoB,EAAE,YAAY,EAmI9C,CAAC;AAMF,eAAO,MAAM,aAAa,EAAE,YAAY,EAmEvC,CAAC;AAMF,eAAO,MAAM,oBAAoB,EAAE,YAAY,EA0C9C,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,YAAY,EAmE1C,CAAC;AAMF,eAAO,MAAM,uBAAuB,EAAE,YAAY,EA+BjD,CAAC;AAMF,eAAO,MAAM,mBAAmB,EAAE,YAAY,EAW7C,CAAC"}