supply-scan 1.0.0

package/dist/index.js

@@ -0,0 +1,1017 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { fileURLToPath } from "url";
+import { dirname, join as join4 } from "path";
+
+// src/utils.ts
+import { readFileSync, readdirSync, existsSync, statSync } from "fs";
+import { join, resolve } from "path";
+import { platform, homedir } from "os";
+import { execSync } from "child_process";
+import { createInterface } from "readline";
+function getOS() {
+  return platform();
+}
+function readJSON(path) {
+  try {
+    const content = readFileSync(path, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+function getPkgVersion(pkgJsonPath) {
+  const pkg = readJSON(pkgJsonPath);
+  return pkg?.version ?? null;
+}
+function isVersionCompromised(version, badVersions) {
+  if (!version) return false;
+  return badVersions.includes(version);
+}
+function expandPath(p) {
+  let result2 = p;
+  if (result2.startsWith("~")) {
+    result2 = join(homedir(), result2.slice(1));
+  }
+  if (result2.includes("%PROGRAMDATA%")) {
+    result2 = result2.replace("%PROGRAMDATA%", process.env.PROGRAMDATA || "C:\\ProgramData");
+  }
+  if (result2.includes("%TEMP%")) {
+    result2 = result2.replace("%TEMP%", process.env.TEMP || "/tmp");
+  }
+  if (result2.includes("%USERPROFILE%")) {
+    result2 = result2.replace("%USERPROFILE%", homedir());
+  }
+  return result2;
+}
+function findProjects(baseDirs, maxDepth = 8) {
+  const projects = /* @__PURE__ */ new Set();
+  function walk(dir, depth) {
+    if (depth > maxDepth) return;
+    try {
+      const entries = readdirSync(dir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isDirectory()) {
+          if (entry.name === "package.json" && depth > 0) {
+            projects.add(dir);
+          }
+          continue;
+        }
+        const skip = [
+          "node_modules",
+          ".git",
+          "bower_components",
+          ".cache",
+          ".Trash",
+          "Library",
+          ".npm"
+        ];
+        if (skip.includes(entry.name)) continue;
+        walk(join(dir, entry.name), depth + 1);
+      }
+    } catch {
+    }
+  }
+  for (const base of baseDirs) {
+    if (!existsSync(base)) continue;
+    if (existsSync(join(base, "package.json"))) {
+      projects.add(base);
+    }
+    walk(base, 0);
+  }
+  return Array.from(projects);
+}
+function getCommonProjectDirs() {
+  const home = homedir();
+  const candidates = [
+    "Desktop",
+    "Documents",
+    "Projects",
+    "projects",
+    "Developer",
+    "dev",
+    "code",
+    "Code",
+    "Sites",
+    "sites",
+    "www",
+    "Work",
+    "work",
+    "workspace",
+    "Workspace",
+    "repos",
+    "Repos",
+    "src",
+    "github",
+    "GitHub"
+  ];
+  return candidates.map((d) => join(home, d)).filter((d) => existsSync(d));
+}
+function loadRules(rulesDir) {
+  const rules = [];
+  try {
+    const files = readdirSync(rulesDir).filter((f) => f.endsWith(".json"));
+    for (const file of files) {
+      const rule = readJSON(join(rulesDir, file));
+      if (rule && rule.id && rule.packages) {
+        rules.push(rule);
+      }
+    }
+  } catch {
+  }
+  rules.sort((a, b) => b.date.localeCompare(a.date));
+  return rules;
+}
+function parseArgs(argv) {
+  const opts = {
+    rules: [],
+    all: false,
+    list: false,
+    path: null,
+    ci: false,
+    help: false,
+    version: false
+  };
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    switch (arg) {
+      case "--all":
+      case "-a":
+        opts.all = true;
+        break;
+      case "--list":
+      case "-l":
+        opts.list = true;
+        break;
+      case "--ci":
+        opts.ci = true;
+        opts.all = true;
+        break;
+      case "--help":
+      case "-h":
+        opts.help = true;
+        break;
+      case "--version":
+      case "-v":
+        opts.version = true;
+        break;
+      case "--rule":
+      case "-r":
+        if (i + 1 < argv.length) {
+          opts.rules.push(argv[++i]);
+        }
+        break;
+      case "--path":
+      case "-p":
+        if (i + 1 < argv.length) {
+          opts.path = resolve(argv[++i]);
+        }
+        break;
+    }
+  }
+  return opts;
+}
+function runCommand(cmd) {
+  try {
+    return execSync(cmd, { encoding: "utf-8", timeout: 1e4, stdio: ["pipe", "pipe", "pipe"] }).trim();
+  } catch {
+    return "";
+  }
+}
+function prompt(question) {
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  return new Promise((resolve2) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve2(answer.trim());
+    });
+  });
+}
+function fileExists(path) {
+  try {
+    return statSync(path).isFile();
+  } catch {
+    return false;
+  }
+}
+function dirExists(path) {
+  try {
+    return statSync(path).isDirectory();
+  } catch {
+    return false;
+  }
+}
+
+// src/ui.ts
+var ESC = "\x1B";
+var c = {
+  red: `${ESC}[1;31m`,
+  green: `${ESC}[1;32m`,
+  yellow: `${ESC}[1;33m`,
+  cyan: `${ESC}[1;36m`,
+  white: `${ESC}[1;37m`,
+  dim: `${ESC}[2m`,
+  bold: `${ESC}[1m`,
+  reset: `${ESC}[0m`,
+  bgRed: `${ESC}[41m`,
+  bgGreen: `${ESC}[42m`,
+  bgYellow: `${ESC}[43m`,
+  bgBlue: `${ESC}[44m`
+};
+var sym = {
+  pass: "\u2705",
+  fail: "\u{1F6A8}",
+  warn: "\u26A0\uFE0F ",
+  info: "\u{1F4A1}",
+  scan: "\u{1F50D}",
+  shield: "\u{1F6E1}\uFE0F ",
+  skull: "\u{1F480}",
+  clean: "\u2728",
+  gear: "\u2699\uFE0F ",
+  pkg: "\u{1F4E6}",
+  lock: "\u{1F512}",
+  globe: "\u{1F310}",
+  folder: "\u{1F4C1}"
+};
+function banner(ruleCount) {
+  const w = process.stdout.write.bind(process.stdout);
+  w("\n");
+  w(`${c.cyan}   ___ _   _ ___ ___ _   _   _    ___  ___   _   _  _ ${c.reset}
+`);
+  w(`${c.cyan}  / __| | | | _ \\ _ \\ | | | | |  / __|/ __| /_\\ | \\| |${c.reset}
+`);
+  w(`${c.cyan}  \\__ \\ |_| |  _/  _/ |_| |_| |_| (__| (__ / _ \\| .\` |${c.reset}
+`);
+  w(`${c.cyan}  |___/\\___/|_| |_|  \\__, |_____|\\___|\\___|_/ \\_\\_|\\_|${c.reset}
+`);
+  w(`${c.cyan}                      |___/        ${c.dim}v1.0.0${c.reset}
+`);
+  w("\n");
+  w(`  ${c.white}Universal npm Supply Chain Attack Scanner${c.reset}
+`);
+  w(`  ${c.dim}Detects ${ruleCount} known attacks | Zero dependencies${c.reset}
+`);
+  w("\n");
+  divider();
+}
+function divider() {
+  console.log(`${c.dim}${"\u2500".repeat(60)}${c.reset}`);
+}
+function sectionHeader(num, total, title, icon) {
+  console.log("");
+  console.log(`${c.bgBlue}${c.white}${c.bold}  ${icon}  CHECK ${num}/${total}  \u2502  ${title}  ${c.reset}`);
+  divider();
+}
+function result(type, msg) {
+  const icons = {
+    pass: sym.pass,
+    fail: sym.fail,
+    warn: sym.warn,
+    info: sym.info
+  };
+  const colors = {
+    pass: c.green,
+    fail: `${c.red}${c.bold}`,
+    warn: c.yellow,
+    info: c.dim
+  };
+  console.log(`   ${icons[type]} ${colors[type]}${msg}${c.reset}`);
+}
+function resultDetail(msg) {
+  console.log(`      ${c.red}\u2192 ${msg}${c.reset}`);
+}
+var SPIN_FRAMES = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
+var spinnerTimer = null;
+var spinnerFrame = 0;
+function spinnerStart(msg) {
+  spinnerFrame = 0;
+  spinnerTimer = setInterval(() => {
+    const frame = SPIN_FRAMES[spinnerFrame % SPIN_FRAMES.length];
+    process.stdout.write(`\r   ${c.cyan}${frame}${c.reset} ${c.dim}${msg}${c.reset}`);
+    spinnerFrame++;
+  }, 80);
+}
+function spinnerStop() {
+  if (spinnerTimer) {
+    clearInterval(spinnerTimer);
+    spinnerTimer = null;
+    process.stdout.write("\r\x1B[K");
+  }
+}
+var severityColors = {
+  critical: c.red,
+  high: c.yellow,
+  medium: c.cyan,
+  low: c.dim
+};
+function printRuleList(rules) {
+  console.log("");
+  console.log(`  ${c.white}Available attack rules (${rules.length}):${c.reset}`);
+  console.log("");
+  for (const rule of rules) {
+    const sc = severityColors[rule.severity] || c.dim;
+    const pkgCount = Object.keys(rule.packages.compromised).length + Object.keys(rule.packages.malicious).length;
+    console.log(
+      `   ${c.dim}\u2022${c.reset} ${c.white}${rule.id.padEnd(25)}${c.reset} ${sc}${rule.severity.padEnd(10)}${c.reset} ${c.dim}${rule.date}${c.reset}  ${c.dim}(${pkgCount} pkgs)${c.reset}`
+    );
+    console.log(`     ${c.dim}${rule.description}${c.reset}`);
+  }
+  console.log("");
+}
+function printSummary(summary) {
+  console.log("");
+  console.log(`${c.cyan}${"\u2550".repeat(60)}${c.reset}`);
+  console.log(`  ${sym.shield} ${c.white}${c.bold}SCAN COMPLETE${c.reset}`);
+  console.log(`${c.cyan}${"\u2550".repeat(60)}${c.reset}`);
+  console.log("");
+  console.log(`   ${c.dim}Projects scanned:${c.reset}  ${c.white}${summary.projectsScanned}${c.reset}`);
+  console.log(`   ${c.dim}Rules checked:${c.reset}     ${c.white}${summary.rulesChecked}${c.reset}`);
+  console.log(`   ${c.dim}Total checks:${c.reset}      ${c.white}${summary.totalChecks}${c.reset}`);
+  console.log(`   ${c.green}Passed:${c.reset}            ${c.green}${summary.passed}${c.reset}`);
+  console.log(`   ${c.yellow}Warnings:${c.reset}          ${c.yellow}${summary.warnings}${c.reset}`);
+  console.log(`   ${c.red}Failed:${c.reset}            ${c.red}${summary.failed}${c.reset}`);
+  console.log("");
+  divider();
+  if (summary.failed > 0) {
+    console.log("");
+    console.log(`   ${c.bgRed}${c.white}${c.bold}  \u26D4  COMPROMISE DETECTED  \u26D4  ${c.reset}`);
+    console.log("");
+    console.log(`   ${c.red}${c.bold}Immediate Actions Required:${c.reset}`);
+    console.log("");
+    console.log(`   ${c.red}1.${c.reset} Disconnect from the network`);
+    console.log(`   ${c.red}2.${c.reset} Rotate ALL credentials, tokens, API keys, SSH keys`);
+    console.log(`   ${c.red}3.${c.reset} Remove compromised packages: ${c.white}npm install <pkg>@latest${c.reset}`);
+    console.log(`   ${c.red}4.${c.reset} Clean npm cache: ${c.white}npm cache clean --force${c.reset}`);
+    console.log(`   ${c.red}5.${c.reset} Review system for backdoors and persistence mechanisms`);
+    console.log(`   ${c.red}6.${c.reset} Consider full system wipe if RAT/worm was executed`);
+    console.log("");
+    if (summary.compromisedProjects.length > 0) {
+      console.log(`   ${c.red}${c.bold}Compromised Projects:${c.reset}`);
+      for (const proj of summary.compromisedProjects) {
+        console.log(`      ${c.red}${sym.skull} ${proj}${c.reset}`);
+      }
+      console.log("");
+    }
+    const failedByRule = /* @__PURE__ */ new Map();
+    for (const r of summary.results.filter((r2) => r2.type === "fail")) {
+      const arr = failedByRule.get(r.rule) || [];
+      arr.push(r);
+      failedByRule.set(r.rule, arr);
+    }
+    for (const [rule, results] of failedByRule) {
+      console.log(`   ${c.red}${c.bold}${rule}:${c.reset}`);
+      for (const r of results) {
+        console.log(`      ${c.red}\u2192 ${r.message}${c.reset}`);
+        if (r.details) console.log(`        ${c.dim}${r.details}${c.reset}`);
+      }
+      console.log("");
+    }
+  } else if (summary.warnings > 0) {
+    console.log("");
+    console.log(`   ${c.bgYellow}${c.white}${c.bold}  \u26A0  WARNINGS FOUND \u2014 REVIEW RECOMMENDED  \u26A0  ${c.reset}`);
+    console.log("");
+    console.log(`   ${c.yellow}Some items need manual review. Check the warnings above.${c.reset}`);
+    console.log("");
+  } else {
+    console.log("");
+    console.log(`   ${c.bgGreen}${c.white}${c.bold}  ${sym.clean} ALL CLEAR \u2014 NO COMPROMISE DETECTED ${sym.clean}  ${c.reset}`);
+    console.log("");
+    console.log(`   ${c.green}Your system appears clean from all known supply chain attacks.${c.reset}`);
+    console.log("");
+    console.log(`   ${c.dim}Prevention tips:${c.reset}`);
+    console.log(`   ${c.cyan}\u203A${c.reset} Use lockfiles and verify package integrity`);
+    console.log(`   ${c.cyan}\u203A${c.reset} Pin dependencies to exact versions`);
+    console.log(`   ${c.cyan}\u203A${c.reset} Enable npm audit in your CI/CD pipeline`);
+    console.log(`   ${c.cyan}\u203A${c.reset} Monitor for SLSA provenance on critical packages`);
+    console.log("");
+  }
+  divider();
+  console.log("");
+  console.log(`   ${c.dim}Scan completed at ${(/* @__PURE__ */ new Date()).toISOString()}${c.reset}`);
+  console.log(`   ${c.dim}https://github.com/AsyrafHussin/supply-scan${c.reset}`);
+  console.log("");
+}
+
+// src/checks/packages.ts
+import { join as join2 } from "path";
+import { readFileSync as readFileSync2 } from "fs";
+function checkPackages(rules, projectDirs) {
+  const results = [];
+  for (const dir of projectDirs) {
+    const lockfileCache = readLockfiles(dir);
+    for (const rule of rules) {
+      for (const [pkg, badVersions] of Object.entries(rule.packages.compromised)) {
+        const version = getPkgVersion(join2(dir, "node_modules", pkg, "package.json"));
+        if (version && isVersionCompromised(version, badVersions)) {
+          results.push({
+            type: "fail",
+            rule: rule.id,
+            check: "packages",
+            message: `${pkg}@${version} is COMPROMISED`,
+            details: `${rule.name} \u2014 ${dir}`
+          });
+        }
+      }
+      for (const [pkg] of Object.entries(rule.packages.malicious)) {
+        const pkgDir = join2(dir, "node_modules", pkg);
+        if (dirExists(pkgDir)) {
+          const version = getPkgVersion(join2(pkgDir, "package.json"));
+          results.push({
+            type: "fail",
+            rule: rule.id,
+            check: "packages",
+            message: `Malicious package ${pkg}${version ? `@${version}` : ""} found`,
+            details: `${rule.name} \u2014 ${dir}`
+          });
+        }
+      }
+      checkLockfilesForRule(lockfileCache, dir, rule, results);
+    }
+  }
+  return results;
+}
+function readLockfiles(dir) {
+  const cache = /* @__PURE__ */ new Map();
+  const lockfiles = [
+    "package-lock.json",
+    "yarn.lock",
+    "pnpm-lock.yaml",
+    "bun.lock",
+    // bun text-based lockfile (bun v1.2+)
+    "bun.lockb"
+    // bun binary lockfile (older bun)
+  ];
+  for (const name of lockfiles) {
+    try {
+      const encoding = name === "bun.lockb" ? "latin1" : "utf-8";
+      cache.set(name, readFileSync2(join2(dir, name), encoding));
+    } catch {
+    }
+  }
+  return cache;
+}
+function checkLockfilesForRule(lockfileCache, dir, rule, results) {
+  for (const [lockfile, content] of lockfileCache) {
+    for (const pkg of Object.keys(rule.packages.malicious)) {
+      if (content.includes(pkg)) {
+        results.push({
+          type: "fail",
+          rule: rule.id,
+          check: "lockfile",
+          message: `${lockfile} references malicious package "${pkg}"`,
+          details: `${rule.name} \u2014 ${dir}`
+        });
+      }
+    }
+    for (const [pkg, versions] of Object.entries(rule.packages.compromised)) {
+      for (const ver of versions) {
+        const tied = [
+          `"${pkg}": "${ver}"`,
+          // package-lock.json / bun.lock
+          `${pkg}@${ver}`,
+          // yarn.lock / pnpm-lock.yaml
+          `"${pkg}","${ver}"`
+          // bun.lockb binary format
+        ];
+        if (tied.some((p) => content.includes(p))) {
+          results.push({
+            type: "warn",
+            rule: rule.id,
+            check: "lockfile",
+            message: `${lockfile} may reference ${pkg}@${ver}`,
+            details: `${rule.name} \u2014 ${dir}`
+          });
+        }
+      }
+    }
+  }
+}
+
+// src/checks/files.ts
+function checkFiles(rules) {
+  const results = [];
+  const os = getOS();
+  for (const rule of rules) {
+    const filePaths = rule.ioc.files?.[os];
+    if (!filePaths || filePaths.length === 0) continue;
+    for (const rawPath of filePaths) {
+      const path = expandPath(rawPath);
+      if (fileExists(path)) {
+        results.push({
+          type: "fail",
+          rule: rule.id,
+          check: "files",
+          message: `Malware artifact found: ${path}`,
+          details: rule.name
+        });
+      }
+    }
+  }
+  return results;
+}
+
+// src/checks/network.ts
+import { readFileSync as readFileSync3 } from "fs";
+function checkNetwork(rules) {
+  const results = [];
+  const os = getOS();
+  const allIPs = /* @__PURE__ */ new Set();
+  const allDomains = /* @__PURE__ */ new Set();
+  const ruleByIOC = /* @__PURE__ */ new Map();
+  for (const rule of rules) {
+    for (const ip of rule.ioc.ips ?? []) {
+      allIPs.add(ip);
+      ruleByIOC.set(ip, rule.id);
+    }
+    for (const domain of rule.ioc.domains ?? []) {
+      allDomains.add(domain);
+      ruleByIOC.set(domain, rule.id);
+    }
+  }
+  if (allIPs.size === 0 && allDomains.size === 0) return results;
+  const connections = getActiveConnections(os);
+  for (const ip of allIPs) {
+    if (connections.includes(ip)) {
+      results.push({
+        type: "fail",
+        rule: ruleByIOC.get(ip) || "unknown",
+        check: "network",
+        message: `Active connection to C2 IP: ${ip}`,
+        details: "Disconnect from network immediately!"
+      });
+    }
+  }
+  for (const domain of allDomains) {
+    if (connections.includes(domain)) {
+      results.push({
+        type: "fail",
+        rule: ruleByIOC.get(domain) || "unknown",
+        check: "network",
+        message: `Active connection to C2 domain: ${domain}`,
+        details: "Disconnect from network immediately!"
+      });
+    }
+  }
+  checkHostsFile(allIPs, allDomains, ruleByIOC, results);
+  return results;
+}
+function getActiveConnections(os) {
+  if (os === "darwin" || os === "linux") {
+    return runCommand("lsof -i -n -P 2>/dev/null || netstat -an 2>/dev/null");
+  } else if (os === "win32") {
+    return runCommand("netstat -an");
+  }
+  return "";
+}
+function checkHostsFile(ips, domains, ruleByIOC, results) {
+  try {
+    const hosts = readFileSync3("/etc/hosts", "utf-8");
+    for (const ip of ips) {
+      if (hosts.includes(ip)) {
+        results.push({
+          type: "warn",
+          rule: ruleByIOC.get(ip) || "unknown",
+          check: "network",
+          message: `C2 IP ${ip} found in /etc/hosts`
+        });
+      }
+    }
+    for (const domain of domains) {
+      if (hosts.includes(domain)) {
+        results.push({
+          type: "warn",
+          rule: ruleByIOC.get(domain) || "unknown",
+          check: "network",
+          message: `C2 domain ${domain} found in /etc/hosts`
+        });
+      }
+    }
+  } catch {
+  }
+}
+
+// src/checks/processes.ts
+function checkProcesses(rules) {
+  const results = [];
+  const os = getOS();
+  const processPatterns = /* @__PURE__ */ new Map();
+  for (const rule of rules) {
+    for (const proc of rule.ioc.processes ?? []) {
+      processPatterns.set(proc, rule.id);
+    }
+  }
+  if (processPatterns.size === 0) return results;
+  const processList = getProcessList(os);
+  if (!processList) return results;
+  for (const [pattern, ruleId] of processPatterns) {
+    if (processList.includes(pattern)) {
+      results.push({
+        type: "fail",
+        rule: ruleId,
+        check: "processes",
+        message: `Suspicious process running: ${pattern}`,
+        details: "This may indicate an active compromise"
+      });
+    }
+  }
+  if (os === "darwin") {
+    checkMacOSPersistence(rules, results);
+  }
+  return results;
+}
+function getProcessList(os) {
+  if (os === "darwin" || os === "linux") {
+    return runCommand("ps aux 2>/dev/null");
+  } else if (os === "win32") {
+    return runCommand("tasklist /v 2>nul");
+  }
+  return "";
+}
+function checkMacOSPersistence(rules, results) {
+  const launchDirs = [
+    `${process.env.HOME}/Library/LaunchAgents`,
+    "/Library/LaunchAgents",
+    "/Library/LaunchDaemons"
+  ];
+  const searchStrings = /* @__PURE__ */ new Map();
+  for (const rule of rules) {
+    for (const s of rule.ioc.strings ?? []) {
+      searchStrings.set(s, rule.id);
+    }
+    for (const domain of rule.ioc.domains ?? []) {
+      searchStrings.set(domain, rule.id);
+    }
+    for (const ip of rule.ioc.ips ?? []) {
+      searchStrings.set(ip, rule.id);
+    }
+  }
+  const existingDirs = launchDirs.filter(dirExists);
+  if (existingDirs.length === 0 || searchStrings.size === 0) return;
+  const pattern = Array.from(searchStrings.keys()).join("|");
+  const hits = runCommand(
+    `grep -rlE "${pattern}" ${existingDirs.map((d) => `"${d}"`).join(" ")} 2>/dev/null`
+  );
+  if (hits) {
+    for (const file of hits.split("\n").filter(Boolean)) {
+      const content = runCommand(`cat "${file}" 2>/dev/null`);
+      let matchedRule = "unknown";
+      for (const [s, ruleId] of searchStrings) {
+        if (content.includes(s)) {
+          matchedRule = ruleId;
+          break;
+        }
+      }
+      results.push({
+        type: "fail",
+        rule: matchedRule,
+        check: "processes",
+        message: `Suspicious LaunchAgent/Daemon: ${file}`,
+        details: "May indicate malware persistence"
+      });
+    }
+  }
+}
+
+// src/checks/cache.ts
+import { join as join3 } from "path";
+import { homedir as homedir2 } from "os";
+function detectCaches() {
+  const home = homedir2();
+  const caches = [];
+  const npmCache = runCommand("npm config get cache") || join3(home, ".npm");
+  if (dirExists(npmCache)) {
+    caches.push({ name: "npm", dir: npmCache, cleanCmd: "npm cache clean --force" });
+  }
+  const pnpmStore = runCommand("pnpm store path 2>/dev/null");
+  if (pnpmStore && dirExists(pnpmStore)) {
+    caches.push({ name: "pnpm", dir: pnpmStore, cleanCmd: "pnpm store prune" });
+  }
+  const yarnCache = runCommand("yarn cache dir 2>/dev/null");
+  if (yarnCache && dirExists(yarnCache)) {
+    caches.push({ name: "yarn", dir: yarnCache, cleanCmd: "yarn cache clean" });
+  }
+  const yarnBerryCache = join3(process.cwd(), ".yarn", "cache");
+  if (dirExists(yarnBerryCache)) {
+    caches.push({ name: "yarn-berry", dir: yarnBerryCache, cleanCmd: "yarn cache clean --all" });
+  }
+  const bunCache = join3(home, ".bun", "install", "cache");
+  if (dirExists(bunCache)) {
+    caches.push({ name: "bun", dir: bunCache, cleanCmd: "bun pm cache rm" });
+  }
+  return caches;
+}
+function checkCache(rules) {
+  const results = [];
+  const caches = detectCaches();
+  if (caches.length === 0) return results;
+  const maliciousPkgs = /* @__PURE__ */ new Map();
+  const compromisedTarballs = /* @__PURE__ */ new Map();
+  for (const rule of rules) {
+    for (const pkg of Object.keys(rule.packages.malicious)) {
+      maliciousPkgs.set(pkg, rule.id);
+    }
+    for (const [pkg, versions] of Object.entries(rule.packages.compromised)) {
+      for (const ver of versions) {
+        compromisedTarballs.set(`${pkg}-${ver}.tgz`, rule.id);
+      }
+    }
+  }
+  if (maliciousPkgs.size === 0 && compromisedTarballs.size === 0) return results;
+  for (const cache of caches) {
+    scanCacheDir(cache, maliciousPkgs, compromisedTarballs, results);
+  }
+  return results;
+}
+function scanCacheDir(cache, maliciousPkgs, compromisedTarballs, results) {
+  if (maliciousPkgs.size > 0) {
+    const nameArgs = Array.from(maliciousPkgs.keys()).map((n) => `-name "${n}"`).join(" -o ");
+    const found = runCommand(
+      `find "${cache.dir}" -maxdepth 4 -type d \\( ${nameArgs} \\) 2>/dev/null`
+    );
+    if (found) {
+      for (const line of found.split("\n").filter(Boolean)) {
+        const name = line.split("/").pop() || "";
+        const ruleId = maliciousPkgs.get(name);
+        if (ruleId) {
+          results.push({
+            type: "fail",
+            rule: ruleId,
+            check: "cache",
+            message: `Malicious package "${name}" found in ${cache.name} cache`,
+            details: `Run: ${cache.cleanCmd}`
+          });
+        }
+      }
+    }
+  }
+  if (compromisedTarballs.size > 0) {
+    const nameArgs = Array.from(compromisedTarballs.keys()).map((n) => `-name "${n}"`).join(" -o ");
+    const found = runCommand(
+      `find "${cache.dir}" -maxdepth 4 -type f \\( ${nameArgs} \\) 2>/dev/null`
+    );
+    if (found) {
+      for (const line of found.split("\n").filter(Boolean)) {
+        const name = line.split("/").pop() || "";
+        const ruleId = compromisedTarballs.get(name);
+        if (ruleId) {
+          results.push({
+            type: "warn",
+            rule: ruleId,
+            check: "cache",
+            message: `Compromised tarball ${name} in ${cache.name} cache`,
+            details: `Run: ${cache.cleanCmd}`
+          });
+        }
+      }
+    }
+  }
+}
+
+// src/scanner.ts
+async function scan(options) {
+  const { rules, projectDirs, ci } = options;
+  const allResults = [];
+  const checks = [
+    {
+      title: "COMPROMISED PACKAGES",
+      icon: "\u{1F4E6}",
+      passMessage: `All ${projectDirs.length} projects clean \u2014 no compromised packages`,
+      run: () => checkPackages(rules, projectDirs)
+    },
+    {
+      title: "MALWARE FILES",
+      icon: "\u{1F480}",
+      passMessage: "No malware artifacts found on disk",
+      run: () => checkFiles(rules)
+    },
+    {
+      title: "NETWORK CONNECTIONS",
+      icon: "\u{1F310}",
+      passMessage: "No active C2 connections detected",
+      run: () => checkNetwork(rules)
+    },
+    {
+      title: "SUSPICIOUS PROCESSES",
+      icon: "\u2699\uFE0F ",
+      passMessage: "No suspicious processes detected",
+      run: () => checkProcesses(rules)
+    },
+    {
+      title: "PACKAGE MANAGER CACHES",
+      icon: "\u{1F4C1}",
+      passMessage: "All package manager caches are clean",
+      run: () => checkCache(rules)
+    }
+  ];
+  const totalChecks = checks.length;
+  for (let i = 0; i < checks.length; i++) {
+    const check = checks[i];
+    if (!ci) sectionHeader(i + 1, totalChecks, check.title, check.icon);
+    if (!ci) spinnerStart(`Running ${check.title.toLowerCase()} check...`);
+    const results = check.run();
+    allResults.push(...results);
+    if (!ci) spinnerStop();
+    if (!ci) displayResults(results, check.passMessage);
+  }
+  return buildSummary(allResults, projectDirs.length, rules.length, totalChecks);
+}
+function displayResults(results, passMessage) {
+  if (results.filter((r) => r.type === "fail" || r.type === "warn").length === 0) {
+    result("pass", passMessage);
+  }
+  for (const r of results) {
+    result(r.type, r.message);
+    if (r.details) resultDetail(r.details);
+  }
+}
+function buildSummary(results, projectsScanned, rulesChecked, totalChecks) {
+  const compromisedProjects = /* @__PURE__ */ new Set();
+  for (const r of results) {
+    if (r.type === "fail" && r.details) {
+      const match = r.details.match(/— (.+)$/);
+      if (match) compromisedProjects.add(match[1]);
+    }
+  }
+  const failCount = results.filter((r) => r.type === "fail").length;
+  const warnCount = results.filter((r) => r.type === "warn").length;
+  return {
+    projectsScanned,
+    rulesChecked,
+    totalChecks: results.length || totalChecks,
+    passed: results.length === 0 ? totalChecks : results.length - failCount - warnCount,
+    failed: failCount,
+    warnings: warnCount,
+    results,
+    compromisedProjects: Array.from(compromisedProjects)
+  };
+}
+
+// src/index.ts
+var __filename = fileURLToPath(import.meta.url);
+var __dirname = dirname(__filename);
+var RULES_DIR = join4(__dirname, "..", "rules");
+var VERSION = "1.0.0";
+var HELP_TEXT = `
+${c.white}supply-scan${c.reset} \u2014 Universal npm supply chain attack scanner
+
+${c.yellow}USAGE${c.reset}
+  npx supply-scan                     Interactive mode (default)
+  npx supply-scan --all               Scan all attacks, skip prompts
+  npx supply-scan --rule axios-2026   Scan specific attack(s)
+  npx supply-scan --list              List all available rules
+  npx supply-scan --ci                CI mode (non-interactive)
+
+${c.yellow}OPTIONS${c.reset}
+  -a, --all              Scan all attacks (skip rule selection)
+  -r, --rule <id>        Scan specific rule (repeatable)
+  -p, --path <dir>       Scan specific directory
+  -l, --list             List all available rules
+  --ci                   CI mode (non-interactive, exit codes only)
+  -h, --help             Show this help
+  -v, --version          Show version
+
+${c.yellow}EXIT CODES${c.reset}
+  0  All clear
+  1  Compromise detected
+  2  Warnings found
+
+${c.yellow}EXAMPLES${c.reset}
+  npx supply-scan --path ~/projects/my-app
+  npx supply-scan --rule axios-2026 --rule node-ipc-2022
+  npx supply-scan --ci --all
+`;
+async function run(argv) {
+  const opts = parseArgs(argv);
+  if (opts.version) {
+    console.log(VERSION);
+    process.exit(0);
+  }
+  if (opts.help) {
+    console.log(HELP_TEXT);
+    process.exit(0);
+  }
+  const allRules = loadRules(RULES_DIR);
+  if (allRules.length === 0) {
+    console.error(`${c.red}No rules found in ${RULES_DIR}${c.reset}`);
+    process.exit(1);
+  }
+  if (opts.list) {
+    banner(allRules.length);
+    printRuleList(allRules);
+    process.exit(0);
+  }
+  let selectedRules;
+  if (opts.rules.length > 0) {
+    selectedRules = allRules.filter((r) => opts.rules.includes(r.id));
+    if (selectedRules.length === 0) {
+      console.error(`${c.red}No matching rules found. Use --list to see available rules.${c.reset}`);
+      process.exit(1);
+    }
+  } else if (opts.all || opts.ci) {
+    selectedRules = allRules;
+  } else {
+    banner(allRules.length);
+    selectedRules = await interactiveRuleSelection(allRules);
+  }
+  if (!opts.ci && (opts.all || opts.rules.length > 0)) {
+    banner(selectedRules.length);
+  }
+  let projectDirs;
+  if (opts.path) {
+    if (!opts.ci) spinnerStart("Searching for npm projects...");
+    projectDirs = findProjects([opts.path]);
+    if (!opts.ci) spinnerStop();
+  } else if (opts.ci || opts.all) {
+    if (!opts.ci) spinnerStart("Searching for npm projects...");
+    projectDirs = findProjects([process.cwd()]);
+    if (!opts.ci) spinnerStop();
+  } else {
+    projectDirs = await interactivePathSelection();
+  }
+  if (!opts.ci) {
+    console.log(`
+   ${c.dim}Scanning ${projectDirs.length} projects with ${selectedRules.length} rules...${c.reset}`);
+  }
+  const summary = await scan({
+    rules: selectedRules,
+    projectDirs,
+    ci: opts.ci
+  });
+  if (!opts.ci) {
+    printSummary(summary);
+  }
+  if (summary.failed > 0) {
+    process.exit(1);
+  } else if (summary.warnings > 0) {
+    process.exit(2);
+  } else {
+    if (opts.ci) {
+      console.log("OK");
+    }
+    process.exit(0);
+  }
+}
+async function interactiveRuleSelection(rules) {
+  console.log("");
+  console.log(`   ${c.white}Select attacks to scan:${c.reset}`);
+  console.log("");
+  console.log(`   ${c.cyan}0${c.reset}) ${c.green}All attacks (${rules.length} rules)${c.reset}`);
+  for (let i = 0; i < rules.length; i++) {
+    const r = rules[i];
+    const sc = severityColors[r.severity] || c.dim;
+    console.log(`   ${c.cyan}${i + 1}${c.reset}) ${r.name} ${sc}(${r.severity})${c.reset}`);
+  }
+  console.log("");
+  const answer = await prompt(`   ${c.yellow}Enter numbers separated by commas (default=0): ${c.reset}`);
+  if (!answer || answer === "0") {
+    return rules;
+  }
+  const indices = answer.split(",").map((s) => parseInt(s.trim(), 10) - 1);
+  const selected = indices.filter((i) => i >= 0 && i < rules.length).map((i) => rules[i]);
+  return selected.length > 0 ? selected : rules;
+}
+async function interactivePathSelection() {
+  console.log("");
+  console.log(`   ${c.white}Where should I scan?${c.reset}`);
+  console.log("");
+  console.log(`   ${c.cyan}1${c.reset}) Current directory`);
+  console.log(`   ${c.cyan}2${c.reset}) Common project directories`);
+  console.log(`   ${c.cyan}3${c.reset}) Enter a custom path`);
+  console.log("");
+  const choice = await prompt(`   ${c.yellow}Choose (1/2/3, default=1): ${c.reset}`);
+  let baseDirs;
+  switch (choice) {
+    case "2":
+      baseDirs = getCommonProjectDirs();
+      if (baseDirs.length === 0) {
+        console.log(`   ${c.dim}No common directories found, scanning current directory...${c.reset}`);
+        baseDirs = [process.cwd()];
+      }
+      break;
+    case "3": {
+      const customPath = await prompt(`   ${c.cyan}Enter path: ${c.reset}`);
+      baseDirs = [customPath.replace(/^~/, process.env.HOME || "")];
+      break;
+    }
+    default:
+      baseDirs = [process.cwd()];
+  }
+  console.log("");
+  spinnerStart("Searching for npm projects...");
+  const projects = findProjects(baseDirs);
+  spinnerStop();
+  console.log(`   ${c.dim}Found ${projects.length} npm projects${c.reset}`);
+  return projects;
+}
+var isCLI = process.argv[1]?.includes("supply-scan") || process.argv[1]?.includes("dist/index");
+if (isCLI) {
+  run(process.argv.slice(2));
+}
+export {
+  run
+};
+//# sourceMappingURL=index.js.map