supply-chain-guard 5.2.2 → 5.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +28 -0
  2. package/dist/cli.js +1 -1
  3. package/dist/reporter.js +4 -4
  4. package/package.json +1 -1
package/README.md CHANGED
@@ -330,6 +330,34 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. The most impactful contri
330
330
 
331
331
  ## Changelog
332
332
 
333
+ ### v5.2.3 (2026-04-26)
334
+ **Documentation catch-up** — bumps version strings in `src/cli.ts`, `src/reporter.ts` (text header, SARIF, SBOM, HTML footer) that were stuck at `5.2.0` / `5.1.0` since the v5.2.1 and v5.2.2 releases. No behavior change.
335
+
336
+ ### v5.2.2 (2026-04-26)
337
+ **Solana monitor: rate-limit-aware RPC client** — closes [#21](https://github.com/homeofe/supply-chain-guard/issues/21).
338
+
339
+ The public Solana RPC (`api.mainnet-beta.solana.com`) returns HTTP 429 and JSON-RPC error `-32005` when its per-IP quota is exceeded. Previously the monitor surfaced these as fatal poll errors and skipped the interval. Now `solanaRpc()` retries with exponential backoff and recovers automatically.
340
+
341
+ - **Detection**: HTTP 429, JSON-RPC code `-32005`, or message heuristics (`rate.?limit`, `too many requests`, `429`, `-32005`)
342
+ - **Backoff**: exponential 1s -> 32s with +/- 25% jitter, capped at 5 retries
343
+ - **Retry-After**: header (seconds or HTTP-date) is honored when present and overrides backoff
344
+ - **Test seam**: `__setSleepForTesting()` lets tests run instantly without real timers
345
+ - 6 new tests in `src/__tests__/solana-monitor.test.ts` cover 429 retry, `-32005` retry, Retry-After honoring, max-retry exhaustion, non-rate-limit pass-through, and message-based detection
346
+
347
+ ### v5.2.1 (2026-04-26)
348
+ **Threat intel: Checkmarx KICS / Bitwarden CLI supply-chain breach (April 2026)**
349
+
350
+ A single threat actor (claiming "TeamPCP") compromised both the Checkmarx KICS Docker images / VSCode-OpenVSX extensions and the `@bitwarden/cli` npm package on April 22, 2026, using a shared `audit.checkmarx.cx/v1/telemetry` exfiltration endpoint. Targets GitHub tokens, AWS/Azure/GCP credentials, npm tokens, SSH keys, and Claude configs. Marked as a successor to the Shai-Hulud npm worm.
351
+
352
+ - **C2 domains**: `audit.checkmarx.cx`, `checkmarx.cx` (`src/ioc-blocklist.ts`)
353
+ - **C2 IPs**: `94.154.172.43`, `91.195.240.123`
354
+ - **Compromised package**: `@bitwarden/cli@2026.4.0`
355
+ - **New campaign rules** in `src/patterns.ts`:
356
+ - `CHECKMARX_SHAI_HULUD_V3` — matches the `Shai-Hulud: The Third Coming` exfil marker string
357
+ - `CHECKMARX_MCP_ADDON` — matches the `mcpAddon.js` loader filename
358
+ - `BITWARDEN_CLI_LOADER` — matches `bw_setup.js` / `bw1.js` loader/payload pair
359
+ - 4 new tests in `src/__tests__/campaigns.test.ts`
360
+
333
361
  ### v5.2.0 (2026-04-08)
334
362
  **Self-Scan Clean + Text Wrapping** — the scanner no longer flags its own source code. Scanning `supply-chain-guard` itself drops from 100/critical (243 critical + 137 high) to clean.
335
363
 
package/dist/cli.js CHANGED
@@ -20,7 +20,7 @@ const program = new commander_1.Command();
20
20
  program
21
21
  .name("supply-chain-guard")
22
22
  .description("Open-source supply-chain security scanner. Detects GlassWorm and similar malware campaigns in npm packages, PyPI packages, code repos, VS Code extensions, and project dependencies.")
23
- .version("5.2.0");
23
+ .version("5.2.3");
24
24
  // ── scan command ────────────────────────────────────────────────────
25
25
  program
26
26
  .command("scan")
package/dist/reporter.js CHANGED
@@ -55,7 +55,7 @@ function formatJson(report) {
55
55
  function formatText(report) {
56
56
  const lines = [];
57
57
  // ── layout constants ───────────────────────────────────────────────────────
58
- const VERSION = "5.2.0";
58
+ const VERSION = "5.2.3";
59
59
  const W = 76; // visible chars between "│ " and " │" (total line = 80)
60
60
  // ── ANSI helpers ───────────────────────────────────────────────────────────
61
61
  const stripAnsi = (s) => s.replace(/\x1b\[[0-9;]*m/g, "");
@@ -462,7 +462,7 @@ function formatSarif(report) {
462
462
  tool: {
463
463
  driver: {
464
464
  name: "supply-chain-guard",
465
- version: "5.2.0",
465
+ version: "5.2.3",
466
466
  informationUri: "https://github.com/homeofe/supply-chain-guard",
467
467
  rules,
468
468
  },
@@ -524,7 +524,7 @@ function formatSbom(report) {
524
524
  timestamp: report.timestamp,
525
525
  tools: {
526
526
  components: [
527
- { type: "application", name: "supply-chain-guard", version: "5.1.0" },
527
+ { type: "application", name: "supply-chain-guard", version: "5.2.3" },
528
528
  ],
529
529
  },
530
530
  component: {
@@ -676,7 +676,7 @@ footer{text-align:center;padding:24px;color:#94a3b8;font-size:13px}
676
676
  ` : ""}
677
677
 
678
678
  <footer>
679
- Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.0
679
+ Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.3
680
680
  </footer>
681
681
  </div>
682
682
  <script>
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "supply-chain-guard",
3
- "version": "5.2.2",
3
+ "version": "5.2.3",
4
4
  "description": "Open-source supply-chain security scanner for npm, PyPI, Cargo, Go, Docker, VS Code extensions, GitHub Actions, IaC and Solana C2. Detects GlassWorm, Shai-Hulud, PPE attacks, dependency confusion and 120+ malware indicators. Generates CycloneDX 1.6 SBOMs and verifies SLSA provenance.",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",