supply-chain-guard 5.2.19 → 5.2.21

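--- a/package/dist/patterns.js
+++ b/package/dist/patterns.js
@@ -8,7 +8,18 @@
  Object.defineProperty(exports, "__esModule", { value: true });
  exports.PROVENANCE_PATTERNS = exports.OBFUSCATION_V3_PATTERNS = exports.SECRETS_PATTERNS = exports.C2_EXTENDED_PATTERNS = exports.PROMPT_INJECTION_PATTERNS = exports.LURE_PATTERNS = exports.INFOSTEALER_PATTERNS = exports.IAC_PATTERNS = exports.OBFUSCATION_PATTERNS_V2 = exports.CAMPAIGN_PATTERNS_V2 = exports.MONOREPO_PATTERNS = exports.BUILD_CONFIG_FILES = exports.BUILD_TOOL_PATTERNS = exports.MAX_FILE_SIZE = exports.SCANNABLE_EXTENSIONS = exports.BEACON_MINER_PATTERNS = exports.KNOWN_NATIVE_PACKAGES = exports.BINARY_DOWNLOAD_PATTERNS = exports.BINARY_EXTENSIONS = exports.PYPI_TYPOSQUAT_PATTERNS = exports.PYTHON_EXTENSIONS = exports.PYPI_INSTALL_HOOK_PATTERNS = exports.PYPI_SETUP_FILES = exports.PYPI_FILE_PATTERNS = exports.CAMPAIGN_PATTERNS = exports.MALICIOUS_PACKAGE_PATTERNS = exports.SUSPICIOUS_SCRIPTS = exports.SUSPICIOUS_FILES = exports.FILE_PATTERNS = exports.C2_DOMAIN_PATTERNS = exports.KNOWN_C2_WALLETS = exports.GLASSWORM_MARKERS = void 0;
  /** Matches the scanner's own source files — used to prevent self-scan false positives. */
- const SCANNER_SRC = /(?:patterns|scanner|playbooks|correlation-engine|ioc-blocklist|threat-intel|remediation-engine|secret-simulator|workflow-modeler|config-scanner|install-hook-scanner|github-trust-scanner|dependency-confusion|attack-graph|reporter|active-validation)\.(ts|js)$/;
+ const SCANNER_SRC = /(?:patterns|scanner|playbooks|correlation-engine|ioc-blocklist|threat-intel|remediation-engine|secret-simulator|workflow-modeler|config-scanner|install-hook-scanner|github-trust-scanner|dependency-confusion|attack-graph|reporter|active-validation|solana-monitor|solana-watchlist|slsa-verifier|sbom-generator)\.(ts|js)$/;
+ // v5.2.21: documentation files (.md/.markdown/.txt/.rst) legitimately discuss
+ // malware markers as part of threat-intel write-ups, changelog entries, blog
+ // posts, and academic research. Patterns that match source-code-embedded
+ // markers (campaign signatures, IOC strings, infostealer paths, C2 references)
+ // must skip these to avoid flagging discussion as malware.
+ //
+ // Used together with SCANNER_SRC via SCANNER_SRC_OR_DOCS. Patterns whose
+ // design is to fire on documentation (LURE_PATTERNS, PROMPT_INJECTION_PATTERNS)
+ // keep plain SCANNER_SRC and stay on their onlyFilePattern scope.
+ const BENIGN_DOC_FILES = /\.(md|markdown|txt|rst)$/i;
+ const SCANNER_SRC_OR_DOCS = new RegExp(`(?:${SCANNER_SRC.source})|(?:${BENIGN_DOC_FILES.source})`, "i");
  // ---------------------------------------------------------------------------
  // GlassWorm-specific IOCs
  // ---------------------------------------------------------------------------
@@ -36,7 +47,7 @@ exports.FILE_PATTERNS = [
  description: "GlassWorm campaign marker variable detected",
  severity: "critical",
  rule: "GLASSWORM_MARKER",
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  notTestFile: true,
  },
  // Invisible Unicode characters (zero-width spaces, joiners, etc.)
@@ -96,6 +107,7 @@ exports.FILE_PATTERNS = [
  description: "Solana mainnet RPC reference detected (potential C2 channel)",
  severity: "medium",
  rule: "SOLANA_MAINNET",
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  notTestFile: true,
  },
  {
@@ -249,7 +261,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "XZ_GET_CPUID",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "xz-lzma-crc64",
@@ -258,7 +270,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "high",
  rule: "XZ_LZMA_CRC64",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "xz-build-inject",
@@ -267,7 +279,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "high",
  rule: "XZ_BUILD_INJECT",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "xz-obfuscated-test",
@@ -276,7 +288,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "high",
  rule: "XZ_OBFUSCATED_TEST",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- Codecov Bash Uploader ---
  {
@@ -286,7 +298,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "high",
  rule: "CODECOV_CURL_BASH",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "codecov-exfil",
@@ -295,7 +307,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "high",
  rule: "CODECOV_EXFIL",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- SolarWinds SUNBURST ---
  {
@@ -305,7 +317,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "SUNBURST_DGA",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "sunburst-orion-class",
@@ -314,7 +326,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "SUNBURST_ORION_CLASS",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "sunburst-delayed-exec",
@@ -323,7 +335,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "high",
  rule: "SUNBURST_DELAYED_EXEC",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- ua-parser-js hijack ---
  {
@@ -333,7 +345,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "UAPARSER_MINER",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "uaparser-preinstall-download",
@@ -342,7 +354,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "UAPARSER_PREINSTALL_DL",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- Checkmarx KICS / Bitwarden CLI supply-chain breach (April 2026) ---
  {
@@ -352,7 +364,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "CHECKMARX_SHAI_HULUD_V3",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "checkmarx-mcp-addon",
@@ -361,7 +373,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "CHECKMARX_MCP_ADDON",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "bitwarden-cli-loader",
@@ -370,7 +382,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "BITWARDEN_CLI_LOADER",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- LofyGang / LofyStealer (April 2026) ---
  {
@@ -380,7 +392,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "LOFYSTEALER_MARKER",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "lofygang-minecraft-lure",
@@ -389,7 +401,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "high",
  rule: "LOFYGANG_MINECRAFT_LURE",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- DPRK AI-inserted npm malware (April 2026) ---
  {
@@ -399,7 +411,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "DPRK_VALIDATE_SDK",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- ZiChatBot PyPI campaign (May 2026) ---
  {
@@ -409,7 +421,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "ZICHATBOT_PACKAGE",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- Mini Shai-Hulud / TeamPCP supply chain worm (April 2026) ---
  {
@@ -419,7 +431,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "MINI_SHAI_HULUD_MARKER",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "mini-shai-hulud-bun-loader",
@@ -428,7 +440,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "high",
  rule: "MINI_SHAI_HULUD_LOADER",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "mini-shai-hulud-preinstall-bun",
@@ -437,7 +449,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "MINI_SHAI_HULUD_PREINSTALL",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- Mini Shai-Hulud @antv / Nx Console / actions-cool wave (May 2026) ---
  // Triple-wave TeamPCP attack: @antv ecosystem (637 versions), Nx Console
@@ -452,7 +464,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "ANTV_WAVE_KITTY_PERSISTENCE",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "antv-wave-firedalazer-deaddrop",
@@ -461,7 +473,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "ANTV_WAVE_FIREDALAZER",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "antv-wave-otel-c2-masquerade",
@@ -470,7 +482,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "ANTV_WAVE_OTEL_C2",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- DPRK OtterCookie Node.js stealer (May 22, 2026) ---
  // SANS ISC diary 33006. Sample uploaded to VT as "extracted-decoded.js"; obfuscator.io-style;
@@ -483,7 +495,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "OTTERCOOKIE_HMAC_KEY",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "ottercookie-notify-endpoint",
@@ -492,7 +504,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "OTTERCOOKIE_C2_ENDPOINT",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- Megalodon GitHub Actions workflow injection (May 22, 2026) ---
  // 5,718 malicious commits to 5,561 GitHub repositories in 6 hours via throwaway accounts
@@ -506,7 +518,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "MEGALODON_C2_ENDPOINT",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // --- coa/rc npm hijack ---
  {
@@ -516,7 +528,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "COA_RC_SDD_DLL",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "coa-rc-postinstall-encoded",
@@ -525,7 +537,7 @@ exports.CAMPAIGN_PATTERNS = [
  severity: "critical",
  rule: "COA_RC_POSTINSTALL",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  ];
  // ---------------------------------------------------------------------------
@@ -850,7 +862,7 @@ exports.BEACON_MINER_PATTERNS = [
  description: "Periodic network request detected (setInterval + fetch). This is a common beacon pattern for C2 communication.",
  severity: "medium",
  rule: "BEACON_INTERVAL_FETCH",
- notFilePattern: /\.min\.(js|css)$/,
+ notFilePattern: /\.min\.(js|css)$|\.(md|markdown|txt|rst)$/i,
  notTestFile: true,
  },
  {
@@ -869,7 +881,7 @@ exports.BEACON_MINER_PATTERNS = [
  severity: "critical",
  rule: "MINER_STRATUM_PROTOCOL",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "mining-pool-domain",
@@ -878,7 +890,7 @@ exports.BEACON_MINER_PATTERNS = [
  severity: "critical",
  rule: "MINER_POOL_DOMAIN",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "mining-config-keys",
@@ -886,7 +898,7 @@ exports.BEACON_MINER_PATTERNS = [
  description: "Mining configuration keys detected. This may be a cryptocurrency miner configuration.",
  severity: "high",
  rule: "MINER_CONFIG_KEYS",
- notFilePattern: /\.json$/,
+ notFilePattern: /\.json$|\.(md|markdown|txt|rst)$/i,
  notTestFile: true,
  },
  {
@@ -896,7 +908,7 @@ exports.BEACON_MINER_PATTERNS = [
  severity: "critical",
  rule: "MINER_LIBRARY_REF",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // Suspicious WebSocket connections
  {
@@ -914,7 +926,7 @@ exports.BEACON_MINER_PATTERNS = [
  description: "Locale/timezone check followed by destructive code. This is a protestware pattern that targets users by geography.",
  severity: "critical",
  rule: "PROTESTWARE_LOCALE_DESTRUCT",
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  notTestFile: true,
  },
  {
@@ -923,7 +935,7 @@ exports.BEACON_MINER_PATTERNS = [
  description: "GeoIP lookup combined with destructive operations detected. This is a protestware/geo-targeted attack pattern.",
  severity: "critical",
  rule: "PROTESTWARE_GEOIP_DESTRUCT",
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  notTestFile: true,
  },
  ];
@@ -1045,7 +1057,7 @@ exports.CAMPAIGN_PATTERNS_V2 = [
  rule: "SHAI_HULUD_WORM",
  onlyExtensions: [".js", ".mjs", ".cjs", ".ts", ".tsx", ".jsx", ".py", ".sh", ".bash"],
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "shai-hulud-npmrc-steal",
@@ -1055,7 +1067,7 @@ exports.CAMPAIGN_PATTERNS_V2 = [
  rule: "SHAI_HULUD_CRED_STEAL",
  onlyExtensions: [".js", ".mjs", ".cjs", ".ts", ".tsx", ".jsx", ".py", ".sh", ".bash"],
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // Expanded protestware
  {
@@ -1065,7 +1077,7 @@ exports.CAMPAIGN_PATTERNS_V2 = [
  severity: "critical",
  rule: "PROTESTWARE_IP_GEO_V2",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  ];
  // ---------------------------------------------------------------------------
@@ -1086,7 +1098,7 @@ exports.OBFUSCATION_PATTERNS_V2 = [
  description: "Proxy handler trap detected. Proxy objects can intercept and modify all object operations.",
  severity: "high",
  rule: "PROXY_HANDLER_TRAP",
- notFilePattern: /\.min\.(js|css)$|(?:\/static\/js\/|\/vendor\/|\/public\/js\/|\/assets\/js\/).*\.js$/,
+ notFilePattern: /\.min\.(js|css)$|(?:\/static\/js\/|\/vendor\/|\/public\/js\/|\/assets\/js\/).*\.js$|\.(md|markdown|txt|rst)$/i,
  notTestFile: true,
  },
  {
@@ -1180,7 +1192,7 @@ exports.INFOSTEALER_PATTERNS = [
  severity: "critical",
  rule: "DEAD_DROP_STEAM",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "dead-drop-telegram",
@@ -1189,7 +1201,7 @@ exports.INFOSTEALER_PATTERNS = [
  severity: "critical",
  rule: "DEAD_DROP_TELEGRAM",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "dead-drop-pastebin",
@@ -1198,7 +1210,7 @@ exports.INFOSTEALER_PATTERNS = [
  severity: "high",
  rule: "DEAD_DROP_PASTEBIN",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "dead-drop-dns-txt",
@@ -1207,7 +1219,7 @@ exports.INFOSTEALER_PATTERNS = [
  severity: "medium",
  rule: "DEAD_DROP_DNS_TXT",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // Browser credential theft patterns
  {
@@ -1216,7 +1228,7 @@ exports.INFOSTEALER_PATTERNS = [
  description: "Browser credential/cookie file access pattern. Infostealers (Vidar, Lumma, RedLine) steal browser data from these paths.",
  severity: "high",
  rule: "VIDAR_BROWSER_THEFT",
- notFilePattern: /\.min\.(js|css)$|(?:patterns|scanner|playbooks|correlation-engine|ioc-blocklist|threat-intel|remediation-engine|secret-simulator|workflow-modeler|config-scanner|install-hook-scanner|github-trust-scanner|dependency-confusion|attack-graph|reporter|active-validation)\.(ts|js)$/,
+ notFilePattern: /\.min\.(js|css)$|(?:patterns|scanner|playbooks|correlation-engine|ioc-blocklist|threat-intel|remediation-engine|secret-simulator|workflow-modeler|config-scanner|install-hook-scanner|github-trust-scanner|dependency-confusion|attack-graph|reporter|active-validation|solana-monitor|solana-watchlist|slsa-verifier|sbom-generator)\.(ts|js)$|\.(md|markdown|txt|rst)$/i,
  notTestFile: true,
  },
  // Crypto wallet theft patterns
@@ -1227,7 +1239,7 @@ exports.INFOSTEALER_PATTERNS = [
  severity: "high",
  rule: "VIDAR_WALLET_THEFT",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  // SOCKS5 proxy / backconnect patterns
  {
@@ -1237,7 +1249,7 @@ exports.INFOSTEALER_PATTERNS = [
  severity: "critical",
  rule: "GHOSTSOCKS_SOCKS5",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "proxy-backconnect",
@@ -1245,7 +1257,7 @@ exports.INFOSTEALER_PATTERNS = [
  description: "Reverse proxy/backconnect pattern. Infected machines are registered as proxy nodes for criminal infrastructure.",
  severity: "high",
  rule: "PROXY_BACKCONNECT",
- notFilePattern: /\.min\.(js|css)$|(?:patterns|scanner|playbooks|correlation-engine|ioc-blocklist|threat-intel|remediation-engine|secret-simulator|workflow-modeler|config-scanner|install-hook-scanner|github-trust-scanner|dependency-confusion|attack-graph|reporter|active-validation)\.(ts|js)$/,
+ notFilePattern: /\.min\.(js|css)$|(?:patterns|scanner|playbooks|correlation-engine|ioc-blocklist|threat-intel|remediation-engine|secret-simulator|workflow-modeler|config-scanner|install-hook-scanner|github-trust-scanner|dependency-confusion|attack-graph|reporter|active-validation|solana-monitor|solana-watchlist|slsa-verifier|sbom-generator)\.(ts|js)$|\.(md|markdown|txt|rst)$/i,
  notTestFile: true,
  },
  // Dropper / loader patterns
@@ -1255,7 +1267,7 @@ exports.INFOSTEALER_PATTERNS = [
  description: "Dropper pattern: writing and executing files in temporary directories.",
  severity: "critical",
  rule: "DROPPER_TEMP_EXEC",
- notFilePattern: /\.json$|(?:patterns|scanner|playbooks|correlation-engine|ioc-blocklist|threat-intel|remediation-engine|secret-simulator|workflow-modeler|config-scanner|install-hook-scanner|github-trust-scanner|dependency-confusion|attack-graph|reporter|active-validation)\.(ts|js)$/,
+ notFilePattern: /\.json$|(?:patterns|scanner|playbooks|correlation-engine|ioc-blocklist|threat-intel|remediation-engine|secret-simulator|workflow-modeler|config-scanner|install-hook-scanner|github-trust-scanner|dependency-confusion|attack-graph|reporter|active-validation|solana-monitor|solana-watchlist|slsa-verifier|sbom-generator)\.(ts|js)$|\.(md|markdown|txt|rst)$/i,
  notTestFile: true,
  },
  {
@@ -1265,7 +1277,7 @@ exports.INFOSTEALER_PATTERNS = [
  severity: "high",
  rule: "DROPPER_ANTIVM",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "dropper-sleep-evasion",
@@ -1274,7 +1286,7 @@ exports.INFOSTEALER_PATTERNS = [
  severity: "high",
  rule: "DROPPER_SLEEP_EVASION",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  ];
  // ---------------------------------------------------------------------------
@@ -1315,6 +1327,7 @@ exports.LURE_PATTERNS = [
  severity: "critical",
  rule: "CAMPAIGN_CLAUDE_LURE",
  notTestFile: true,
+ // Stay on .md - lure patterns target malicious READMEs by design.
  notFilePattern: SCANNER_SRC,
  },
  {
@@ -1360,6 +1373,7 @@ exports.PROMPT_INJECTION_PATTERNS = [
  severity: "high",
  rule: "PROMPT_INJECTION_SYSTEM_REMINDER",
  onlyFilePattern: DOC_FILE_PATTERN,
+ // Prompt-injection patterns target docs - stay on .md, only exclude scanner source.
  notFilePattern: SCANNER_SRC,
  notTestFile: true,
  },
@@ -1371,6 +1385,7 @@ exports.PROMPT_INJECTION_PATTERNS = [
  severity: "high",
  rule: "PROMPT_INJECTION_CHATML",
  onlyFilePattern: DOC_FILE_PATTERN,
+ // Prompt-injection patterns target docs - stay on .md, only exclude scanner source.
  notFilePattern: SCANNER_SRC,
  notTestFile: true,
  },
@@ -1383,6 +1398,7 @@ exports.PROMPT_INJECTION_PATTERNS = [
  severity: "high",
  rule: "PROMPT_INJECTION_INST_TAG",
  onlyFilePattern: DOC_FILE_PATTERN,
+ // Prompt-injection patterns target docs - stay on .md, only exclude scanner source.
  notFilePattern: SCANNER_SRC,
  notTestFile: true,
  },
@@ -1394,6 +1410,7 @@ exports.PROMPT_INJECTION_PATTERNS = [
  severity: "high",
  rule: "PROMPT_INJECTION_ROLE_TOKEN",
  onlyFilePattern: DOC_FILE_PATTERN,
+ // Prompt-injection patterns target docs - stay on .md, only exclude scanner source.
  notFilePattern: SCANNER_SRC,
  notTestFile: true,
  },
@@ -1407,6 +1424,7 @@ exports.PROMPT_INJECTION_PATTERNS = [
  severity: "high",
  rule: "PROMPT_INJECTION_OVERRIDE_PROSE",
  onlyFilePattern: DOC_FILE_PATTERN,
+ // Prompt-injection patterns target docs - stay on .md, only exclude scanner source.
  notFilePattern: SCANNER_SRC,
  notTestFile: true,
  },
@@ -1421,7 +1439,7 @@ exports.C2_EXTENDED_PATTERNS = [
  description: "DNS-over-HTTPS (DoH) resolver in code. Malware uses DoH to resolve C2 domains while bypassing network monitoring.",
  severity: "medium",
  rule: "C2_DOH_RESOLVER",
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  notTestFile: true,
  },
  {
@@ -1430,6 +1448,7 @@ exports.C2_EXTENDED_PATTERNS = [
  description: "GitHub Gist used as dead-drop resolver. Gists store C2 configuration that changes without updating malware code.",
  severity: "high",
  rule: "DEAD_DROP_GIST",
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  notTestFile: true,
  },
  {
@@ -1438,6 +1457,7 @@ exports.C2_EXTENDED_PATTERNS = [
  description: "Dynamic config fetch followed by code execution. Runtime C2 command pattern.",
  severity: "high",
  rule: "C2_DYNAMIC_CONFIG",
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  notTestFile: true,
  },
  {
@@ -1446,6 +1466,7 @@ exports.C2_EXTENDED_PATTERNS = [
  description: "WebSocket connection with dynamically constructed URL. Hides C2 server address.",
  severity: "high",
  rule: "C2_WEBSOCKET_DYNAMIC",
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  notTestFile: true,
  },
  ];
@@ -1457,7 +1478,7 @@ exports.SECRETS_PATTERNS = [
  severity: "critical",
  rule: "SECRETS_AWS_KEY",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "secrets-github-token",
@@ -1466,7 +1487,7 @@ exports.SECRETS_PATTERNS = [
  severity: "critical",
  rule: "SECRETS_GITHUB_TOKEN",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "secrets-private-key",
@@ -1475,7 +1496,7 @@ exports.SECRETS_PATTERNS = [
  severity: "critical",
  rule: "SECRETS_PRIVATE_KEY",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "secrets-ssh-key-read",
@@ -1484,7 +1505,7 @@ exports.SECRETS_PATTERNS = [
  severity: "critical",
  rule: "SECRETS_SSH_KEY_READ",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "secrets-npm-token",
@@ -1493,7 +1514,7 @@ exports.SECRETS_PATTERNS = [
  severity: "critical",
  rule: "SECRETS_NPM_TOKEN",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  {
  name: "secrets-generic-api-key",
@@ -1502,7 +1523,7 @@ exports.SECRETS_PATTERNS = [
  severity: "high",
  rule: "SECRETS_GENERIC_API_KEY",
  notTestFile: true,
- notFilePattern: SCANNER_SRC,
+ notFilePattern: SCANNER_SRC_OR_DOCS,
  },
  ];
  // ---------------------------------------------------------------------------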
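Review bot: Switching the six SECRETS_PATTERNS entries (SECRETS_AWS_KEY through SECRETS_GENERIC_API_KEY, the last six hunks) to SCANNER_SRC_OR_DOCS means a private key block, AWS key or GitHub/npm token pasted into a README.md, NOTES.txt or .rst file is no longer reported, even though those are common places for real credential leaks and these rules match structured token formats rather than the campaign markers that the v5.2.21 comment says documentation legitimately discusses. I would keep `notFilePattern: SCANNER_SRC,` on those entries, or at least on SECRETS_PRIVATE_KEY and the fixed-prefix token rules, with a one-line comment such as `// Docs are in scope: leaked credentials in READMEs are real findings.` A smaller point: building SCANNER_SRC_OR_DOCS with the `"i"` flag (and the inline `/i` copies on VIDAR_BROWSER_THEFT, PROXY_BACKCONNECT and DROPPER_TEMP_EXEC) also makes the scanner-source half case-insensitive, which SCANNER_SRC alone is not; if that is intended, a short comment on that line would save the next reader the question. Those three inline copies also restate the scanner filename list that this commit had to update in four places, so composing them from `SCANNER_SRC.source` the way SCANNER_SRC_OR_DOCS does would keep the lists from drifting.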