fix: tighten supply-chain ioc markers

2026-05-18 06:43:05 +08:00 · 2026-05-17 06:48:01 -04:00
parent 98592ab6b8
commit fb6d4a7104
2 changed files with 44 additions and 3 deletions
--- a/scripts/ci/scan-supply-chain-iocs.js
+++ b/scripts/ci/scan-supply-chain-iocs.js
@@ -247,6 +247,18 @@ const CRITICAL_TEXT_INDICATORS = [
    'b56b31abc2870c2e',
    'd2e98d6be27fc96',
  ].join(''),
+  [
+    '7c12d8619f2db233',
+    'e3d965a930709335',
+    '5f149d5babc45891',
+    '2757a5e88fec0f54',
+  ].join(''),
+  [
+    '0c0e8730695e997b',
+    '3a53d77483f28573',
+    '392319ec023f8fd6',
+    'd7282121cf7cf192',
+  ].join(''),
  'svksjrhjkcejg',
  'filev2.getsession.org',
  'seed1.getsession.org',
@@ -254,12 +266,15 @@ const CRITICAL_TEXT_INDICATORS = [
  'seed3.getsession.org',
  'signalservice',
  'git-tanstack.com',
+  '169.254.169.254',
+  '169.254.170.2',
+  '127.0.0.1:8200',
  'litter.catbox.moe/h8nc9u.js',
  'litter.catbox.moe/7rrc6l.mjs',
  '83.142.209.194',
  'api.masscan.cloud',
  'claude@users.noreply.github.com',
-  'dependabout/',
+  'dependabot/github_actions/format/',
  'OhNoWhatsGoingOnWithGitHub',
  'voicproducoes',
  'A Mini Shai-Hulud has Appeared',
--- a/tests/ci/scan-supply-chain-iocs.test.js
+++ b/tests/ci/scan-supply-chain-iocs.test.js
@@ -309,7 +309,7 @@ function run() {
        '      - run: echo svksjrhjkcejg',
        '      - run: echo OhNoWhatsGoingOnWithGitHub',
        '      - run: echo claude@users.noreply.github.com',
-        '      - run: echo dependabout/router/setup-formatter',
+        '      - run: echo dependabot/github_actions/format/router',
        '      - run: echo signalservice snode',
      ].join('\n'),
    }, rootDir => {
@@ -321,11 +321,37 @@ function run() {
      assert.ok(indicators.includes('svksjrhjkcejg'));
      assert.ok(indicators.includes('OhNoWhatsGoingOnWithGitHub'));
      assert.ok(indicators.includes('claude@users.noreply.github.com'));
-      assert.ok(indicators.includes('dependabout/'));
+      assert.ok(indicators.includes('dependabot/github_actions/format/'));
      assert.ok(indicators.includes('signalservice'));
    });
  })) passed++; else failed++;

+  if (test('rejects current StepSecurity branch and credential-harvest markers', () => {
+    withFixture({
+      'package.json': JSON.stringify({
+        scripts: {
+          prepare: [
+            'echo 7c12d8619f2db233e3d965a9307093355f149d5babc458912757a5e88fec0f54',
+            'echo 0c0e8730695e997b3a53d77483f28573392319ec023f8fd6d7282121cf7cf192',
+            'curl http://169.254.169.254/latest/meta-data/iam/security-credentials/',
+            'curl http://169.254.170.2/v2/credentials/',
+            'curl http://127.0.0.1:8200/v1/auth/token/lookup-self',
+            'git push origin dependabot/github_actions/format/main',
+          ].join(' && '),
+        },
+      }, null, 2),
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      const indicators = result.findings.map(finding => finding.indicator);
+      assert.ok(indicators.includes('7c12d8619f2db233e3d965a9307093355f149d5babc458912757a5e88fec0f54'));
+      assert.ok(indicators.includes('0c0e8730695e997b3a53d77483f28573392319ec023f8fd6d7282121cf7cf192'));
+      assert.ok(indicators.includes('169.254.169.254'));
+      assert.ok(indicators.includes('169.254.170.2'));
+      assert.ok(indicators.includes('127.0.0.1:8200'));
+      assert.ok(indicators.includes('dependabot/github_actions/format/'));
+    });
+  })) passed++; else failed++;
+
  if (test('rejects user-level Python persistence payloads when home scan is enabled', () => {
    withFixture({
      'home/.local/bin/pgmonitor.py': 'print("persistence")',