diff --git a/package-lock.json b/package-lock.json index ff9f4e4..de6d4ae 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1099,7 +1099,6 @@ "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz", "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==", "license": "MIT", - "peer": true, "dependencies": { "@octokit/auth-token": "^6.0.0", "@octokit/graphql": "^9.0.3", @@ -1277,7 +1276,6 @@ "integrity": "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==", "devOptional": true, "license": "MIT", - "peer": true, "dependencies": { "undici-types": "~7.16.0" } @@ -1362,7 +1360,6 @@ "integrity": "sha512-jCzKdm/QK0Kg4V4IK/oMlRZlY+QOcdjv89U2NgKHZk1CYTj82/RVSx1mV/0gqCVMJ/DA+Zf/S4NBWNF8GQ+eqQ==", "dev": true, "license": "MIT", - "peer": true, "dependencies": { "@typescript-eslint/scope-manager": "8.48.0", "@typescript-eslint/types": "8.48.0", @@ -1839,7 +1836,6 @@ "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==", "dev": true, "license": "MIT", - "peer": true, "bin": { "acorn": "bin/acorn" }, @@ -2218,7 +2214,6 @@ "integrity": "sha512-BhHmn2yNOFA9H9JmmIVKJmd288g9hrVRDkdoIgRCRuSySRUHH7r/DI6aAXW9T1WwUuY3DFgrcaqB+deURBLR5g==", "dev": true, "license": "MIT", - "peer": true, "dependencies": { "@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/regexpp": "^4.12.1", @@ -3093,7 +3088,6 @@ "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==", "dev": true, "license": "MIT", - "peer": true, "engines": { "node": ">=12" }, @@ -3408,7 +3402,6 @@ "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", "dev": true, "license": "Apache-2.0", - "peer": true, "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" 
diff --git a/src/malwareMatcher.ts b/src/malwareMatcher.ts index 15f7abd..cfae6ab 100644 --- a/src/malwareMatcher.ts +++ b/src/malwareMatcher.ts @@ -6,6 +6,15 @@ import path from "path"; import zlib from "zlib"; import * as semver from "semver"; +// Type alias to improve readability for complex package shape +type PkgLike = { + purl?: string; + externalRefs?: Array<{ referenceType?: string; referenceLocator?: string }>; + name?: string; + version?: string; + versionInfo?: string; +}; + const our_tool_name = "SBOM Toolkit"; const our_tool_url = "https://github.com/advanced-security/github-sbom-toolkit"; @@ -23,6 +32,12 @@ export interface MalwareMatch { reason: string; } +// Type alias for packages used in enumeratePackages +export type EnumeratedPackage = SbomPackage & { + externalRefs?: { referenceType?: string; referenceLocator?: string }[]; + versionInfo?: string; +}; + // Map GitHub ecosystem enums to purl types const ecosystemToPurlType: Record = { ACTIONS: "githubactions", @@ -112,11 +127,11 @@ export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: Repositor const index = new Map(); for (const adv of advisories) { // Ignore advisories that have been withdrawn - if ((adv as unknown as { withdrawnAt?: string | null }).withdrawnAt) continue; + if (adv.withdrawnAt) continue; // Ignore advisories older than cutoff (must be before cutoff in BOTH publishedAt & updatedAt to be excluded) if (cutoffDate) { - const pub = new Date((adv as unknown as { publishedAt?: string }).publishedAt || 0); - const upd = new Date((adv as unknown as { updatedAt?: string }).updatedAt || 0); + const pub = new Date(adv.publishedAt || 0); + const upd = new Date(adv.updatedAt || 0); if (pub < cutoffDate && upd < cutoffDate) continue; } for (const vuln of adv.vulnerabilities) { 
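Review bot: `EnumeratedPackage` re-declares the `{ referenceType?: string; referenceLocator?: string }` element shape that `PkgLike` in the hunk above already spells out, so the two declarations will drift independently. A single `type ExternalRef = { referenceType?: string; referenceLocator?: string };` used by both (`externalRefs?: ExternalRef[]`) would keep them aligned. The comment on the alias could also say why the intersection exists, e.g. `// SbomPackage plus the raw-SPDX fields (externalRefs, versionInfo) that enumeratePackages may surface from repo.sbom.packages`.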
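Review bot: In the cutoff check, `new Date(adv.publishedAt || 0)` turns a missing `publishedAt` into the Unix epoch, so an advisory that carries neither `publishedAt` nor `updatedAt` is treated as older than any cutoff and silently dropped — fail-open for a malware filter. Unless the advisory API guarantees both fields, a missing date should keep the advisory: `if (cutoffDate && adv.publishedAt && adv.updatedAt) {` with the two `new Date(...)` lines losing their `|| 0` fallbacks, plus a comment `// Missing/unparseable timestamps keep the advisory (fail closed)`. An unparseable string already yields an Invalid Date whose comparisons are false, so that path is retained as intended. The body of `matchMalware` starts before and continues after this hunk.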
@@ -131,12 +146,12 @@ export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: Repositor } // Helper to enumerate packages with fallback to raw SPDX packages inside repoSbom.sbom if flattened list empty - const enumeratePackages = (repo: RepositorySbom): Array => { + const enumeratePackages = (repo: RepositorySbom): EnumeratedPackage[] => { const explicit: SbomPackage[] = Array.isArray(repo.packages) ? repo.packages : []; - if (explicit.length > 0) return explicit as Array; + if (explicit.length > 0) return explicit as EnumeratedPackage[]; const rawMaybe: unknown = repo.sbom?.packages; if (Array.isArray(rawMaybe)) { - return rawMaybe as Array; + return rawMaybe as EnumeratedPackage[]; } return []; }; @@ -146,7 +161,7 @@ export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: Repositor if (!pkgs.length) continue; for (const pkg of pkgs) { - const pkgAny = pkg as unknown as { purl?: string; externalRefs?: Array<{ referenceType?: string; referenceLocator?: string }>; name?: string; version?: string; versionInfo?: string }; + const pkgAny = pkg as unknown as PkgLike; const candidatePurls = new Set(); if (pkgAny.purl) candidatePurls.add(pkgAny.purl); if (Array.isArray(pkgAny.externalRefs)) {
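Review bot: `rawMaybe as EnumeratedPackage[]` still asserts the shape of whatever `repo.sbom.packages` holds without checking a single element — the rename from `Array<...>` keeps the unvalidated cast on data that comes from an external SPDX document. A minimal filter before the return, `return (rawMaybe.filter((p) => typeof p === "object" && p !== null) as EnumeratedPackage[]);`, would at least stop nulls and primitives reaching `pkgAny.purl` / `pkgAny.externalRefs` in the matching loop; a stricter check that `purl`/`name` are strings presumably belongs here too, but depends on the `SbomPackage` contract not shown. A comment such as `// repo.sbom.packages is raw SPDX JSON; the cast is a shape assumption, not a validation` would make the trust boundary explicit. `enumeratePackages` is nested inside `matchMalware`, whose body extends beyond this hunk.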
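Review bot: `pkg as unknown as PkgLike` double-casts through `unknown`, which throws away the `EnumeratedPackage` type that `enumeratePackages` now returns. If `SbomPackage`'s `purl`/`name`/`version` are string-typed (not visible here), a plain annotation `const pkgAny: PkgLike = pkg;` compiles and lets the checker catch a field mismatch; if it does not compile, the cast is hiding exactly that mismatch and `PkgLike` should be derived from `SbomPackage` rather than restated. The subsequent `if (pkgAny.purl) candidatePurls.add(pkgAny.purl);` adds the value without confirming it is a string, which matters when the package came from the raw SPDX fallback. The enclosing loop and `matchMalware` continue outside the hunk.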