UNPKG

worm-sign

Version:

A prescient scanner to detect and banish Shai Hulud malware from your dependencies.

github.com/BranLang/worm-sign

BranLang/worm-sign

74 lines (73 loc) 2.36 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.EntropyCalculator = void 0; exports.calculateEntropy = calculateEntropy; exports.calculateEntropyStream = calculateEntropyStream; exports.isHighEntropy = isHighEntropy; /** * Shannon Entropy Analysis * * This module calculates the Shannon entropy of strings to detect * high-entropy content, which is often indicative of packed or * obfuscated malware payloads (e.g. bun_environment.js). */ class EntropyCalculator { frequencies = {}; totalBytes = 0; update(chunk) { const len = chunk.length; this.totalBytes += len; for (let i = 0; i < len; i++) { const byte = typeof chunk === 'string' ? chunk.charCodeAt(i) : chunk[i]; this.frequencies[byte] = (this.frequencies[byte] || 0) + 1; } } digest() { if (this.totalBytes === 0) return 0; let entropy = 0; for (const count of Object.values(this.frequencies)) { const p = count / this.totalBytes; entropy -= p * Math.log2(p); } return entropy; } } exports.EntropyCalculator = EntropyCalculator; /** * Calculates the Shannon entropy of a string. * Formula: H(X) = - sum(P(xi) * log2(P(xi))) * * @param str The input string * @returns The entropy value (typically between 0 and 8) */ function calculateEntropy(input) { const calculator = new EntropyCalculator(); calculator.update(input); return calculator.digest(); } /** * Calculates entropy from a readable stream. */ function calculateEntropyStream(stream) { return new Promise((resolve, reject) => { const calculator = new EntropyCalculator(); stream.on('data', (chunk) => calculator.update(chunk)); stream.on('error', reject); stream.on('end', () => resolve(calculator.digest())); }); } /** * Checks if a string has suspiciously high entropy. * * @param str The string to check * @param threshold The threshold (default 5.2 based on research) * @returns True if entropy exceeds threshold */ function isHighEntropy(str, threshold = 5.2) { // Short strings can have artificially high or low entropy and are less likely to be packed payloads if (str.length < 50) { return false; } return calculateEntropy(str) > threshold; }