supply-scan 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Asyraf Hussin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,148 @@
+# supply-scan
+
+Universal npm supply chain attack scanner. Detects compromised packages from **12 known attacks** spanning 2018-2026. Zero runtime dependencies.
+
+```bash
+npx supply-scan
+```
+
+## What It Detects
+
+| Attack | Date | Severity | Type |
+|--------|------|----------|------|
+| **Axios** (plain-crypto-js) | 2026-03 | Critical | RAT (North Korea) |
+| **GlassWorm** (invisible Unicode) | 2026-03 | Critical | Stealer via Solana C2 |
+| **Shai-Hulud 2.0** (npm worm) | 2025-11 | Critical | Self-replicating worm |
+| **Chalk/Debug** (18 packages) | 2025-09 | Critical | Crypto wallet stealer |
+| **@solana/web3.js** | 2024-12 | Critical | Private key stealer |
+| **Lottie Player** | 2024-10 | High | Wallet drainer |
+| **node-ipc** (peacenotwar) | 2022-03 | Critical | Geotargeted file wiper |
+| **colors/faker** | 2022-01 | Medium | Sabotage / infinite loop |
+| **coa/rc** (Danabot) | 2021-11 | Critical | Password stealer |
+| **ua-parser-js** | 2021-10 | Critical | Cryptominer + stealer |
+| **event-stream** (flatmap-stream) | 2018-11 | High | Bitcoin wallet stealer |
+| **eslint-scope** | 2018-07 | High | npm token stealer |
+
+## 5 Check Categories
+
+1. **Compromised Packages** — Scans `node_modules` and lockfiles for known bad versions
+2. **Malware Files** — Checks for RAT payloads, droppers, and artifacts on disk
+3. **Network Connections** — Detects active connections to C2 servers
+4. **Suspicious Processes** — Identifies running malware and persistence mechanisms
+5. **NPM Cache** — Scans npm cache for malicious packages
+
+## Usage
+
+### Interactive Mode (default)
+
+```bash
+npx supply-scan
+```
+
+Prompts you to select which attacks to scan for and which directories to scan.
+
+### Scan All Attacks
+
+```bash
+npx supply-scan --all
+```
+
+### Scan Specific Attacks
+
+```bash
+npx supply-scan --rule axios-2026
+npx supply-scan --rule axios-2026 --rule chalk-debug-2025
+```
+
+### Scan Specific Directory
+
+```bash
+npx supply-scan --path ~/projects/my-app
+```
+
+### CI Mode
+
+```bash
+npx supply-scan --ci
+```
+
+Non-interactive, outputs "OK" on clean scan. Exit codes:
+- `0` — All clear
+- `1` — Compromise detected
+- `2` — Warnings found
+
+### List Available Rules
+
+```bash
+npx supply-scan --list
+```
+
+## Adding New Rules
+
+Each attack is defined as a JSON file in the `rules/` directory. To add a new attack, create a new `.json` file:
+
+```json
+{
+  "id": "my-attack-2026",
+  "name": "My Attack Name",
+  "date": "2026-01-01",
+  "severity": "critical",
+  "description": "Description of the attack",
+  "references": ["https://example.com/advisory"],
+  "packages": {
+    "compromised": {
+      "package-name": ["1.0.0", "1.0.1"]
+    },
+    "malicious": {
+      "evil-package": ["0.1.0"]
+    }
+  },
+  "ioc": {
+    "files": {
+      "darwin": ["/path/to/malware"],
+      "linux": ["/tmp/malware"],
+      "win32": ["%TEMP%\\malware.exe"]
+    },
+    "domains": ["evil-c2.com"],
+    "ips": ["1.2.3.4"],
+    "ports": [8080],
+    "processes": ["malware-process"],
+    "strings": ["suspicious-string"]
+  }
+}
+```
+
+No code changes needed — the scanner automatically picks up new rule files.
+
+## Architecture
+
+```
+supply-scan/
+├── bin/supply-scan.js       # CLI entry point
+├── src/                     # TypeScript source
+│   ├── index.ts             # Main orchestrator + CLI
+│   ├── scanner.ts           # Scan engine
+│   ├── ui.ts                # Terminal UI (zero deps)
+│   ├── utils.ts             # Utilities
+│   ├── types.ts             # TypeScript interfaces
+│   └── checks/
+│       ├── packages.ts      # Package/lockfile scanner
+│       ├── files.ts         # Malware file detector
+│       ├── network.ts       # C2 connection checker
+│       ├── processes.ts     # Process scanner
+│       └── cache.ts         # npm cache scanner
+├── rules/                   # Attack definitions (JSON)
+└── dist/                    # Compiled JavaScript
+```
+
+**Zero runtime dependencies.** This is a security scanner — we don't depend on packages that could themselves be compromised.
+
+## Contributing
+
+1. Fork the repository
+2. Add a new rule JSON file in `rules/`
+3. Submit a pull request with a reference link to the attack advisory
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+declare function run(argv: string[]): Promise<void>;
+
+export { run };