@7nsane/zift 3.0.0 → 4.0.0

package/README.md

@@ -1,19 +1,20 @@
-# 🛡️ Zift (v3.0.0)
+# 🛡️ Zift (v4.0.0)
 
 [![npm version](https://img.shields.io/npm/v/@7nsane/zift.svg?style=flat-square)](https://www.npmjs.com/package/@7nsane/zift)
 [![License](https://img.shields.io/npm/l/@7nsane/zift.svg?style=flat-square)](https://www.npmjs.com/package/@7nsane/zift)
 [![Build Status](https://img.shields.io/badge/CI-passing-brightgreen?style=flat-square)](https://github.com/7nsane/zift)
 
-**The Intelligent Ecosystem Security Engine for JavaScript.**
+**The Deeply Hardened Ecosystem Security Engine for JavaScript.**
 
-Zift v3.0 is a massive leap forward, moving beyond static analysis into **Cross-File Intelligence** and **Runtime Protection**. It is designed to identify and stop advanced supply-chain attacks (credential exfiltration, reverse-shell droppers) before they hit your production environment.
+Zift v4.0 is the "Deep Hardening" release, featuring **Immutable Runtime Guards** and **Opaque Payload Detection**, specifically designed to resist active attacker bypasses.
 
-## 🚀 Major Features (v3.0.0)
+## 🚀 Key Advancements (v4.0.0)
 
-- **🌍 Cross-File Taint Tracking**: Tracks sensitive data (e.g., `process.env.TOKEN`) across `import/export` and `require` boundaries.
-- **🧠 VM-Based De-obfuscation**: Safe, sandboxed evaluation of string manipulation logic (e.g., character arrays, reverse/join) to reveal hidden malicious signals.
-- **🛡️ Zift Shield (Runtime Guard)**: A real-time audit layer for network and shell activity. Run `zift protect` to monitor your app's dependencies in real-world conditions.
-- **🔒 Lockfile Security**: Automatic auditing of `package-lock.json` and `yarn.lock` for registry confusion.
+- **🛡️ Immutable Zift Shield**: Runtime sinks (`http`, `child_process`) are now immutable. Attackers cannot delete or re-assign them to bypass protection.
+- **🧩 Opaque Payload Detection**: Automatically flags compiled native binaries (`.node`) as high-risk.
+- **🧵 Universal Protection**: Zift Shield now automatically propagates into `worker_threads`.
+- **🕵️ Evasion Tracking**: Detects non-deterministic sink construction (e.g., using `Date.now()` or `Math.random()` to hide strings).
+- **🌍 Cross-File Intelligence**: Full multi-pass taint tracking for ESM and CommonJS.
 
 ## 📦 Quick Start
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@7nsane/zift",
-  "version": "3.0.0",
+  "version": "4.0.0",
   "description": "A high-performance, deterministic security scanner for npm packages.",
   "main": "src/scanner.js",
   "bin": {

package/src/collector.js

@@ -27,7 +27,9 @@ class ASTCollector {
             REMOTE_FETCH_SIGNAL: [],
             PIPE_TO_SHELL_SIGNAL: [],
             EXPORTS: [],
-            IMPORTS: []
+            IMPORTS: [],
+            OPAQUE_STRING_SKIP: [],
+            NON_DETERMINISTIC_SINK: []
         };
         const flows = [];
         const sourceCode = code;
@@ -46,7 +48,20 @@ class ASTCollector {
 
         walk.ancestor(ast, {
             Literal: (node) => {
-                if (typeof node.value === 'string' && node.value.length > 20 && node.value.length < this.maxStringLengthForEntropy) {
+                if (typeof node.value === 'string' && node.value.length > 20) {
+                    if (node.value.length > this.maxStringLengthForEntropy) {
+                        // High Entropy Skip Warning
+                        const sample = node.value.substring(0, 100);
+                        const sampleEntropy = calculateEntropy(sample);
+                        if (sampleEntropy > this.entropyThreshold) {
+                            facts.OPAQUE_STRING_SKIP.push({
+                                file: filePath,
+                                line: node.loc.start.line,
+                                reason: `Large string skipped (>2KB) but sample has high entropy (${sampleEntropy.toFixed(2)})`
+                            });
+                        }
+                        return;
+                    }
                     const entropy = calculateEntropy(node.value);
                     if (entropy > this.entropyThreshold) {
                         facts.OBFUSCATION.push({
@@ -226,6 +241,18 @@ class ASTCollector {
                             });
                         }
                     }
+
+                    // v4.0 Hardening: Non-deterministic constructor
+                    if (['Math.random', 'Date.now', 'Date()'].some(t => argCode.includes(t))) {
+                        if (evaluated === 'eval' || evaluated === 'Function' || this.isShellSink(calleeCode)) {
+                            facts.NON_DETERMINISTIC_SINK.push({
+                                file: filePath,
+                                line: node.loc.start.line,
+                                callee: calleeCode,
+                                reason: `Sink uses non-deterministic argument (${argCode})`
+                            });
+                        }
+                    }
                 });
             },
             MemberExpression: (node) => {

package/src/rules/definitions.js

@@ -110,13 +110,40 @@ const RULES = [
         priority: 2,
         baseScore: 60,
         description: 'Detection of attempts to modify package.json scripts or npm configuration.'
+    },
+    {
+        id: 'ZFT-013',
+        alias: 'OPAQUE_BINARY_PAYLOAD',
+        name: 'Opaque Binary Payload',
+        requires: ['NATIVE_BINARY_DETECTED'],
+        priority: 2,
+        baseScore: 40,
+        description: 'Detection of compiled native binaries (.node) which are opaque to static analysis.'
+    },
+    {
+        id: 'ZFT-014',
+        alias: 'EVASIVE_SINK_CONSTRUCTION',
+        name: 'Evasive Sink Construction',
+        requires: ['NON_DETERMINISTIC_SINK'],
+        priority: 3,
+        baseScore: 50,
+        description: 'Detection of dangerous sinks using non-deterministic construction (Date.now, Math.random) to evade analysis.'
+    },
+    {
+        id: 'ZFT-015',
+        alias: 'HIGH_ENTROPY_OPAQUE_STRING',
+        name: 'High Entropy Opaque String',
+        requires: ['OPAQUE_STRING_SKIP'],
+        priority: 1,
+        baseScore: 25,
+        description: 'Detection of very large high-entropy strings that exceed scanning limits.'
     }
 ];
 
 const CATEGORIES = {
     SOURCES: ['ENV_READ', 'FILE_READ_SENSITIVE', 'MASS_ENV_ACCESS'],
     SINKS: ['NETWORK_SINK', 'DNS_SINK', 'RAW_SOCKET_SINK', 'DYNAMIC_EXECUTION', 'SHELL_EXECUTION', 'DYNAMIC_REQUIRE'],
-    SIGNALS: ['OBFUSCATION', 'ENCODER_USE', 'REMOTE_FETCH_SIGNAL', 'PIPE_TO_SHELL_SIGNAL'],
+    SIGNALS: ['OBFUSCATION', 'ENCODER_USE', 'REMOTE_FETCH_SIGNAL', 'PIPE_TO_SHELL_SIGNAL', 'NATIVE_BINARY_DETECTED', 'OPAQUE_STRING_SKIP', 'NON_DETERMINISTIC_SINK'],
     PERSISTENCE: ['FILE_WRITE_STARTUP'],
     CONTEXT: ['LIFECYCLE_CONTEXT']
 };

package/src/scanner.js

@@ -43,7 +43,9 @@ class PackageScanner {
                 PIPE_TO_SHELL_SIGNAL: [],
                 LIFECYCLE_CONTEXT: [],
                 EXPORTS: [],
-                IMPORTS: []
+                IMPORTS: [],
+                NATIVE_BINARY_DETECTED: [],
+                OPAQUE_STRING_SKIP: []
             },
             flows: []
         };
@@ -55,6 +57,13 @@ class PackageScanner {
         for (let i = 0; i < files.length; i += concurrency) {
             const chunk = files.slice(i, i + concurrency);
             await Promise.all(chunk.map(async (file) => {
+                if (file.endsWith('.node')) {
+                    allFacts.facts.NATIVE_BINARY_DETECTED.push({
+                        file,
+                        reason: 'Compiled native binary detected (Opaque Payload)'
+                    });
+                    return;
+                }
                 const stats = fs.statSync(file);
                 if (stats.size > 512 * 1024) return;
 
@@ -166,7 +175,7 @@ class PackageScanner {
                 const stat = fs.statSync(fullPath);
                 if (stat && stat.isDirectory()) {
                     results.push(...getJsFiles(fullPath));
-                } else if (file.endsWith('.js')) {
+                } else if (file.endsWith('.js') || file.endsWith('.node')) {
                     results.push(fullPath);
                 }
             }

package/src/shield.js

@@ -14,31 +14,38 @@ function setupShield() {
         console.warn(`[ZIFT-SHIELD] 🌐 Outbound Connection: ${address}:${port}`);
     });
 
-    // 2. Wrap Child Process (for shell command execution)
+    // 2. Wrap Child Process (for shell command execution) - IMMUTABLE
     const cp = require('node:child_process');
     ['exec', 'spawn', 'execSync', 'spawnSync'].forEach(method => {
         const original = cp[method];
-        cp[method] = function (...args) {
+        if (!original) return;
+
+        const wrapper = function (...args) {
             const command = args[0];
-            const cmdStr = typeof command === 'string' ? command : (args[1] ? args[1].join(' ') : 'unknown');
+            const cmdStr = typeof command === 'string' ? command : (Array.isArray(args[1]) ? args[1].join(' ') : String(command));
             console.warn(`[ZIFT-SHIELD] 🐚 Shell Execution: ${cmdStr}`);
 
-            // Heuristic Check: Is it a potential dropper?
-            if (cmdStr.includes('curl') || cmdStr.includes('wget') || cmdStr.includes('| sh')) {
+            if (cmdStr.includes('curl') || cmdStr.includes('wget') || cmdStr.includes('| sh') || cmdStr.includes('| bash')) {
                 console.error(`[ZIFT-SHIELD] ⚠️  CRITICAL: Potential Remote Dropper detected in shell execution!`);
             }
 
             return original.apply(this, args);
         };
+
+        try {
+            Object.defineProperty(cp, method, { value: wrapper, writable: false, configurable: false });
+        } catch (e) {
+            cp[method] = wrapper; // Fallback
+        }
     });
 
-    // 3. Monitor HTTP/HTTPS
+    // 3. Monitor HTTP/HTTPS - IMMUTABLE
     const http = require('node:http');
     const https = require('node:https');
     [http, https].forEach(mod => {
         ['request', 'get'].forEach(method => {
             const original = mod[method];
-            mod[method] = function (...args) {
+            const wrapper = function (...args) {
                 let url = args[0];
                 if (typeof url === 'object' && url.href) url = url.href;
                 else if (typeof url === 'string') url = url;
@@ -47,8 +54,42 @@ function setupShield() {
                 console.warn(`[ZIFT-SHIELD] 📡 HTTP Request: ${url}`);
                 return original.apply(this, args);
             };
+
+            try {
+                Object.defineProperty(mod, method, { value: wrapper, writable: false, configurable: false });
+            } catch (e) {
+                mod[method] = wrapper;
+            }
         });
     });
+
+    // 4. Propagate to Worker Threads
+    try {
+        const { Worker } = require('node:worker_threads');
+        const originalWorker = Worker;
+        const shieldPath = __filename;
+
+        const WorkerWrapper = class extends originalWorker {
+            constructor(filename, options = {}) {
+                options.workerData = options.workerData || {};
+                options.execArgv = options.execArgv || [];
+                if (!options.execArgv.includes('-r')) {
+                    options.execArgv.push('-r', shieldPath);
+                }
+                super(filename, options);
+            }
+        };
+
+        Object.defineProperty(require('node:worker_threads'), 'Worker', { value: WorkerWrapper, writable: false, configurable: false });
+    } catch (e) { }
+
+    // 5. Undici (Modern Fetch) support
+    try {
+        const undiciChannel = diagnostics.channel('undici:request:create');
+        undiciChannel.subscribe(({ request }) => {
+            console.warn(`[ZIFT-SHIELD] 🚀 Undici/Fetch Request: ${request.origin}${request.path}`);
+        });
+    } catch (e) { }
 }
 
 // Auto-activate if required via node -r