fix: tighten supply-chain ioc markers

scripts/ci/scan-supply-chain-iocs.js

@@ -247,6 +247,18 @@ const CRITICAL_TEXT_INDICATORS = [
     'b56b31abc2870c2e',
     'd2e98d6be27fc96',
   ].join(''),
+  [
+    '7c12d8619f2db233',
+    'e3d965a930709335',
+    '5f149d5babc45891',
+    '2757a5e88fec0f54',
+  ].join(''),
+  [
+    '0c0e8730695e997b',
+    '3a53d77483f28573',
+    '392319ec023f8fd6',
+    'd7282121cf7cf192',
+  ].join(''),
   'svksjrhjkcejg',
   'filev2.getsession.org',
   'seed1.getsession.org',
@@ -254,12 +266,15 @@ const CRITICAL_TEXT_INDICATORS = [
   'seed3.getsession.org',
   'signalservice',
   'git-tanstack.com',
+  '169.254.169.254',
+  '169.254.170.2',
+  '127.0.0.1:8200',
   'litter.catbox.moe/h8nc9u.js',
   'litter.catbox.moe/7rrc6l.mjs',
   '83.142.209.194',
   'api.masscan.cloud',
   'claude@users.noreply.github.com',
-  'dependabout/',
+  'dependabot/github_actions/format/',
   'OhNoWhatsGoingOnWithGitHub',
   'voicproducoes',
   'A Mini Shai-Hulud has Appeared',

tests/ci/scan-supply-chain-iocs.test.js

@@ -309,7 +309,7 @@ function run() {
         '      - run: echo svksjrhjkcejg',
         '      - run: echo OhNoWhatsGoingOnWithGitHub',
         '      - run: echo claude@users.noreply.github.com',
-        '      - run: echo dependabout/router/setup-formatter',
+        '      - run: echo dependabot/github_actions/format/router',
         '      - run: echo signalservice snode',
       ].join('\n'),
     }, rootDir => {
@@ -321,11 +321,37 @@ function run() {
       assert.ok(indicators.includes('svksjrhjkcejg'));
       assert.ok(indicators.includes('OhNoWhatsGoingOnWithGitHub'));
       assert.ok(indicators.includes('claude@users.noreply.github.com'));
-      assert.ok(indicators.includes('dependabout/'));
+      assert.ok(indicators.includes('dependabot/github_actions/format/'));
       assert.ok(indicators.includes('signalservice'));
     });
   })) passed++; else failed++;
 
+  if (test('rejects current StepSecurity branch and credential-harvest markers', () => {
+    withFixture({
+      'package.json': JSON.stringify({
+        scripts: {
+          prepare: [
+            'echo 7c12d8619f2db233e3d965a9307093355f149d5babc458912757a5e88fec0f54',
+            'echo 0c0e8730695e997b3a53d77483f28573392319ec023f8fd6d7282121cf7cf192',
+            'curl http://169.254.169.254/latest/meta-data/iam/security-credentials/',
+            'curl http://169.254.170.2/v2/credentials/',
+            'curl http://127.0.0.1:8200/v1/auth/token/lookup-self',
+            'git push origin dependabot/github_actions/format/main',
+          ].join(' && '),
+        },
+      }, null, 2),
+    }, rootDir => {
+      const result = scanSupplyChainIocs({ rootDir });
+      const indicators = result.findings.map(finding => finding.indicator);
+      assert.ok(indicators.includes('7c12d8619f2db233e3d965a9307093355f149d5babc458912757a5e88fec0f54'));
+      assert.ok(indicators.includes('0c0e8730695e997b3a53d77483f28573392319ec023f8fd6d7282121cf7cf192'));
+      assert.ok(indicators.includes('169.254.169.254'));
+      assert.ok(indicators.includes('169.254.170.2'));
+      assert.ok(indicators.includes('127.0.0.1:8200'));
+      assert.ok(indicators.includes('dependabot/github_actions/format/'));
+    });
+  })) passed++; else failed++;
+
   if (test('rejects user-level Python persistence payloads when home scan is enabled', () => {
     withFixture({
       'home/.local/bin/pgmonitor.py': 'print("persistence")',