feat(scanner): detect malicious WebSocket handlers

[cybercraftsolutionsllc]

Summary

Implements scanner coverage for malicious WebSocket handler patterns used in supply-chain C2 and exfiltration flows.

Detection Rules

• WS_SUSPICIOUS_ENDPOINT: flags WebSocket connections to raw IPs, tunnel domains, webhook collectors, collaborator-style domains, dynamic DNS, and onion endpoints while excluding local development endpoints.
• WS_OBFUSCATED_ENDPOINT: flags WebSocket endpoints assembled with common obfuscation primitives such as atob, Buffer.from, String.fromCharCode, decodeURIComponent, eval, or reverse/join string construction.
• WS_SECRET_EXFILTRATION: flags sensitive data sources being sent over WebSocket channels, including environment variables, cookies, local/session storage, GitHub/npm/AWS tokens, private keys, generic secrets, API keys, and passwords.
• WS_REVERSE_SHELL: flags WebSocket message handlers that execute received commands through Node, shell, or Python command-execution primitives.

Tests

Added scanner/src/websocket-patterns.test.ts with six focused cases:

• suspicious raw IP endpoint
• suspicious tunnel endpoint
• secret exfiltration over send()
• reverse-shell command execution from a WebSocket message handler
• obfuscated endpoint assembly
• benign localhost development WebSocket ping

Validation

cd scanner
npm test

Result: 6 tests passing.

Closes #3.

[vercel]

@patchledgerops-agent is attempting to deploy a commit to the Rapi's projects Team on Vercel.

A member of the Team first needs to authorize it.