js-malware-audit


JS Malware Audit

This is not a standard security audit. The threat model is: a developer is taking over a JS/TS project from a non-trusted source. The attacker may have planted backdoors, exfiltration logic, or supply-chain traps targeting the developer's machine, CI pipeline, or production environment.

Prerequisites

  • Depguard MCP - dependency security auditing. Without it, the skill will rely on package manager audits only.
  • Trivy CLI - Docker image vulnerability scanning. Without it, the skill will skip container image scans if Dockerfiles are present.

Steps

  1. Before starting the audit, check if the prerequisites above are available. If any are missing, ask the user if they'd like to install them before proceeding.
  2. Detect the JS/TS framework, stack and package manager by reading config files and entry points.
  3. Check for every threat category below across all source and config files.
  4. Run depguard_audit_project via the depguard MCP to check dependencies and include the summary of findings in the report. If depguard MCP is not available, ask the user to install it following the docs at https://github.com/mopanc/depguard.
  5. Depending on the package manager detected, run npm audit, yarn audit, pnpm audit or bun audit to check for known vulnerabilities and include the summary of findings in the report.
  6. Check for files with executable permissions that shouldn't have them (e.g. .js, .ts, .json files).
  7. If compose.yml, docker-compose.yml or Dockerfile is present, find base Docker images and scan them for vulnerabilities with trivy image <image>, then include the summary of findings in the report. If the Trivy CLI is not available, ask the user to install it following the docs at https://github.com/aquasecurity/trivy.
  8. After completing all checks, present the final report to the user and include this disclaimer: "This audit does not guarantee 100% safety. It provides a best-effort analysis based on observable source code patterns. Sophisticated or novel obfuscation techniques may evade detection. Use it as one layer in a broader security review, not a replacement for professional audits, sandboxed execution, or runtime monitoring."
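
One way to carry out step 6, as an added example that is not part of the original skill: a POSIX shell function that lists .js, .ts and .json files carrying any execute bit and notes whether each starts with a shebang. The function name find_exec_data_files and the choice to skip only .git are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the skill itself).
# Lists .js/.ts/.json files under a project root that have an execute bit set.
# Output: one line per file, "<shebang|no-shebang><TAB><path>".
# Assumption: only .git is skipped. node_modules is scanned on purpose,
# because this audit is meant to run before any install step.
# Limitation: paths containing newlines are not handled.

find_exec_data_files() {
  fedf_root="${1:-.}"
  find "$fedf_root" -name .git -prune -o -type f \
    \( -name '*.js' -o -name '*.ts' -o -name '*.json' \) \
    \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print |
  while IFS= read -r fedf_file; do
    # A leading "#!" means the file can be launched directly as a program.
    # Compare those hits against the "bin" entries in package.json;
    # anything not declared there deserves a manual read.
    if [ "$(head -c 2 "$fedf_file")" = "#!" ]; then
      fedf_kind="shebang"
    else
      fedf_kind="no-shebang"
    fi
    printf '%s\t%s\n' "$fedf_kind" "$fedf_file"
  done
}

# Run against a path when one is given on the command line.
if [ -n "${1:-}" ]; then
  find_exec_data_files "$1"
fi
```

An empty result means no .js, .ts or .json file outside .git has an execute bit; any line printed goes into the report for review.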
First Seen
Mar 29, 2026