Lines 16-56javascript
16// external URL that is NOT an exfil endpoint (owned by exfil-url) and NOT a raw IP (owned by exfil-ip)
17const PLAIN_EXTERNAL_URL = `https?://(?!(${EXFIL_HOSTS})|[0-9]{1,3}\\.|localhost\\b|127\\.|0\\.0\\.0\\.0|10\\.|192\\.168\\.|169\\.254\\.|172\\.(1[6-9]|2\\d|3[01])\\.)[^'"\`\\s)\\\\]+`;
19// ---- content rules (scanned over node_modules file text; `pattern` is ripgrep-safe ERE, `re` is the
20// JS validator used both to classify rg hits and by the no-rg fallback) ----
21export const CONTENT_RULES = [
26 // mining-pool protocol + specific miner names / pool hosts / xmrig flags. Deliberately NO generic
27 // words ("miner", "hash") — those false-positive on legit crypto/hashing libs.
28 pattern: "stratum\\+(tcp|ssl)://|xmrig|cryptonight|randomx|coinhive|coinimp|cryptoloot|jsecoin|webminepool|minexmr|supportxmr|nanopool\\.org|nicehash\\.com|minergate|--donate-level|--coin\\s+monero",
29 re: /stratum\+(tcp|ssl):\/\/|xmrig|cryptonight|randomx|coinhive|coinimp|cryptoloot|jsecoin|webminepool|minexmr|supportxmr|nanopool\.org|nicehash\.com|minergate|--donate-level|--coin\s+monero/i,
30 what: "crypto-miner signature (mining pool protocol / miner name / xmrig flag)",
36 // canonical reverse/bind shells — a shell wired to a socket. Essentially never legitimate inside a
37 // published package: /dev/tcp redirection, netcat -e, interactive-shell redirect, mkfifo pipe shell.
38 pattern: "/dev/tcp/[0-9]|\\bnc(at)?\\s+-e\\b|\\b(ba)?sh\\s+-i\\b\\s*(2)?>&|mkfifo\\b.{0,60}(ba)?sh\\b|0<&196|socket\\.socket\\(.{0,40}(SOCK_STREAM).{0,80}(/bin/sh|exec)",
39 re: /\/dev\/tcp\/[0-9]|\bnc(at)?\s+-e\b|\b(ba)?sh\s+-i\b\s*(2)?>&|mkfifo\b[\s\S]{0,60}?\b(ba)?sh\b|0<&196|socket\.socket\([\s\S]{0,120}?(connect|SOCK_STREAM)[\s\S]{0,180}?(
40 what: "reverse/bind-shell pattern (interactive shell wired to a socket)",
43 key: "sensitive-file-read",
44 severity: "medium", // strong signal, but backup/dotfile tools touch these too → escalates via co-occurrence
46 // rg pre-filter is the bare path; the JS re REQUIRES a read/copy/exfil verb on the same line — a
47 // credential PATH alone (docs, READMEs, comments) is not a read (that was the app-builder-lib /
48 // bun-types false positive). /etc/passwd + .netrc dropped (too common in prose).
49 pattern: "\\.ssh/(id_rsa|id_ed25519|id_dsa|authorized_keys)|\\.aws/credentials|\\.git-credentials|/etc/shadow|\\.docker/config\\.json|\\.kube/config",
50 re: /(readFileSync|readFile|createReadStream|openSync|\.read\(|copyFile|readlink|Get-Content|\bcat\s|\bscp\s|\bcurl\b[^\n]*-[TF])[\s\S]{0,80}?(\.ssh\/(id_(rsa|ed25519|dsa)|authorized_keys)|\.
51 what: "reads a credential/secret file (SSH key, cloud creds) in a filesystem-read context",
HighCloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
src/security/registry-sig.rules.jsView on unpkg · L36 54 key: "dynamic-require",