muaddib-scanner 1.0.0 → 1.0.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {
@@ -40,4 +40,4 @@
     "acorn-walk": "^8.3.4",
     "js-yaml": "^4.1.0"
   }
-}
+}

package/src/index.js

@@ -9,6 +9,7 @@ const { getPlaybook } = require('./response/playbooks.js');
 const { getRule } = require('./rules/index.js');
 const { saveReport } = require('./report.js');
 const { saveSARIF } = require('./sarif.js');
+const { scanTyposquatting } = require('./scanner/typosquat.js');
 
 async function run(targetPath, options = {}) {
   const threats = [];
@@ -34,6 +35,10 @@ async function run(targetPath, options = {}) {
   const dataflowThreats = await analyzeDataFlow(targetPath);
   threats.push(...dataflowThreats);
 
+  // Scan typosquatting
+  const typosquatThreats = await scanTyposquatting(targetPath);
+  threats.push(...typosquatThreats);
+
   // Enrichir chaque menace avec les regles
   const enrichedThreats = threats.map(t => {
     const rule = getRule(t.type);

package/src/response/playbooks.js

@@ -106,6 +106,9 @@ const PLAYBOOKS = {
 
   suspicious_dataflow:
     'CRITIQUE: Code lit des credentials et les envoie sur le reseau. Exfiltration probable. Isoler la machine, regenerer tous les secrets.',
+
+  typosquat_detected:
+    'ATTENTION: Ce package a un nom tres similaire a un package populaire. Verifier que c\'est bien le bon package. Si erreur de frappe, corriger immediatement.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -179,7 +179,20 @@ const RULES = {
       'https://blog.phylum.io/shai-hulud-npm-worm'
     ],
     mitre: 'T1041'
-  }
+  },
+
+  typosquat_detected: {
+    id: 'MUADDIB-TYPO-001',
+    name: 'Typosquatting Detected',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Package avec un nom tres similaire a un package populaire. Possible typosquatting.',
+    references: [
+      'https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry',
+      'https://snyk.io/blog/typosquatting-attacks/'
+    ],
+    mitre: 'T1195.002'
+  },
 };
 
 function getRule(type) {

package/src/scanner/ast.js

@@ -11,7 +11,7 @@ const EXCLUDED_FILES = [
   'src/response/playbooks.js'
 ];
 
-const EXCLUDED_DIRS = ['test', 'node_modules', '.git', 'src'];
+const EXCLUDED_DIRS = ['test', 'tests', 'node_modules', '.git', 'src'];
 
 const DANGEROUS_CALLS = [
   'eval',

package/src/scanner/dataflow.js

@@ -3,7 +3,7 @@ const path = require('path');
 const acorn = require('acorn');
 const walk = require('acorn-walk');
 
-const EXCLUDED_DIRS = ['test', 'node_modules', '.git', 'src'];
+const EXCLUDED_DIRS = ['test', 'tests', 'node_modules', '.git', 'src'];
 
 async function analyzeDataFlow(targetPath) {
   const threats = [];

package/src/scanner/obfuscation.js

@@ -66,12 +66,7 @@ function detectObfuscation(targetPath) {
   return threats;
 }
 
-const EXCLUDED_DIRS = [
-  'test',
-  'node_modules',
-  '.git',
-  'src'
-];
+const EXCLUDED_DIRS = ['test', 'tests', 'node_modules', '.git', 'src'];
 
 function findJsFiles(dir) {
   const results = [];

package/src/scanner/shell.js

@@ -45,7 +45,7 @@ function findFiles(dir, extension) {
   const items = fs.readdirSync(dir);
   
   for (const item of items) {
-    if (item === 'node_modules' || item === '.git') continue;
+    if (item === 'node_modules' || item === '.git' || item === 'test' || item === 'tests' || item === 'src') continue;
     
     const fullPath = path.join(dir, item);
     const stat = fs.statSync(fullPath);

package/src/scanner/typosquat.js

@@ -0,0 +1,235 @@
+const fs = require('fs');
+const path = require('path');
+
+// Top 100 packages npm les plus populaires (cibles de typosquatting)
+const POPULAR_PACKAGES = [
+  'lodash', 'express', 'react', 'axios', 'chalk', 'commander', 'moment',
+  'request', 'async', 'bluebird', 'underscore', 'uuid', 'debug', 'mkdirp',
+  'glob', 'minimist', 'webpack', 'babel-core', 'typescript', 'eslint',
+  'prettier', 'jest', 'mocha', 'chai', 'sinon', 'mongoose', 'sequelize',
+  'mysql', 'pg', 'redis', 'mongodb', 'socket.io', 'express-session',
+  'body-parser', 'cookie-parser', 'cors', 'helmet', 'morgan', 'dotenv',
+  'jsonwebtoken', 'bcrypt', 'passport', 'nodemailer', 'aws-sdk', 'stripe',
+  'twilio', 'firebase', 'graphql', 'apollo-server', 'next', 'nuxt',
+  'gatsby', 'vue', 'angular', 'svelte', 'electron', 'puppeteer', 'cheerio',
+  'sharp', 'jimp', 'canvas', 'pdf-lib', 'exceljs', 'csv-parser', 'xml2js',
+  'yaml', 'ini', 'config', 'yargs', 'inquirer', 'ora', 'chalk', 'colors',
+  'winston', 'bunyan', 'pino', 'log4js', 'ramda', 'rxjs', 'immutable',
+  'mobx', 'redux', 'zustand', 'formik', 'yup', 'joi', 'ajv', 'validator',
+  'date-fns', 'dayjs', 'luxon', 'numeral', 'accounting', 'currency.js',
+  'lodash-es', 'core-js', 'regenerator-runtime', 'tslib', 'classnames',
+  'prop-types', 'cross-env', 'npm', 'yarn', 'pnpm', 'node-fetch', 'got'
+];
+
+// Techniques de typosquatting connues
+const TYPOSQUAT_PATTERNS = [
+  { type: 'missing_char', fn: (name) => generateMissingChar(name) },
+  { type: 'extra_char', fn: (name) => generateExtraChar(name) },
+  { type: 'swapped_chars', fn: (name) => generateSwappedChars(name) },
+  { type: 'wrong_char', fn: (name) => generateWrongChar(name) },
+  { type: 'hyphen_tricks', fn: (name) => generateHyphenTricks(name) },
+  { type: 'suffix_tricks', fn: (name) => generateSuffixTricks(name) }
+];
+
+async function scanTyposquatting(targetPath) {
+  const threats = [];
+  const packageJsonPath = path.join(targetPath, 'package.json');
+
+  if (!fs.existsSync(packageJsonPath)) {
+    return threats;
+  }
+
+  const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+  const dependencies = {
+    ...packageJson.dependencies,
+    ...packageJson.devDependencies,
+    ...packageJson.peerDependencies,
+    ...packageJson.optionalDependencies
+  };
+
+  for (const depName of Object.keys(dependencies)) {
+    const match = findTyposquatMatch(depName);
+    if (match) {
+      threats.push({
+        type: 'typosquat_detected',
+        severity: 'HIGH',
+        message: `Package "${depName}" ressemble a "${match.original}" (${match.type}). Possible typosquatting.`,
+        file: 'package.json',
+        details: {
+          suspicious: depName,
+          legitimate: match.original,
+          technique: match.type,
+          distance: match.distance
+        }
+      });
+    }
+  }
+
+  return threats;
+}
+
+function findTyposquatMatch(name) {
+  // Ignore les packages scoped (@org/package)
+  if (name.startsWith('@')) return null;
+
+  for (const popular of POPULAR_PACKAGES) {
+    // Ignore si c'est exactement le meme
+    if (name === popular) continue;
+
+    const distance = levenshteinDistance(name, popular);
+    
+    // Distance de 1 ou 2 = tres suspect
+    if (distance === 1) {
+      return {
+        original: popular,
+        type: detectTyposquatType(name, popular),
+        distance: distance
+      };
+    }
+
+    // Distance de 2 avec nom court = suspect
+    if (distance === 2 && popular.length <= 6) {
+      return {
+        original: popular,
+        type: detectTyposquatType(name, popular),
+        distance: distance
+      };
+    }
+
+    // Verifie les tricks de suffixe
+    if (isSuffixTrick(name, popular)) {
+      return {
+        original: popular,
+        type: 'suffix_trick',
+        distance: distance
+      };
+    }
+  }
+
+  return null;
+}
+
+function detectTyposquatType(typo, original) {
+  if (typo.length === original.length - 1) return 'missing_char';
+  if (typo.length === original.length + 1) return 'extra_char';
+  if (typo.length === original.length) {
+    // Verifie si swap
+    let diffs = 0;
+    for (let i = 0; i < typo.length; i++) {
+      if (typo[i] !== original[i]) diffs++;
+    }
+    if (diffs === 2) return 'swapped_chars';
+    return 'wrong_char';
+  }
+  return 'unknown';
+}
+
+function isSuffixTrick(name, popular) {
+  const suffixes = ['-js', '.js', '-node', '-npm', '-cli', '-api', '-lib', '-pkg', '-dev', '-pro'];
+  for (const suffix of suffixes) {
+    if (name === popular + suffix) return true;
+    if (name === popular.replace('-', '') + suffix) return true;
+  }
+  // Verifie aussi les prefixes
+  const prefixes = ['node-', 'npm-', 'js-', 'get-', 'the-'];
+  for (const prefix of prefixes) {
+    if (name === prefix + popular) return true;
+  }
+  return false;
+}
+
+function levenshteinDistance(a, b) {
+  const matrix = [];
+
+  for (let i = 0; i <= b.length; i++) {
+    matrix[i] = [i];
+  }
+
+  for (let j = 0; j <= a.length; j++) {
+    matrix[0][j] = j;
+  }
+
+  for (let i = 1; i <= b.length; i++) {
+    for (let j = 1; j <= a.length; j++) {
+      if (b.charAt(i - 1) === a.charAt(j - 1)) {
+        matrix[i][j] = matrix[i - 1][j - 1];
+      } else {
+        matrix[i][j] = Math.min(
+          matrix[i - 1][j - 1] + 1, // substitution
+          matrix[i][j - 1] + 1,     // insertion
+          matrix[i - 1][j] + 1      // deletion
+        );
+      }
+    }
+  }
+
+  return matrix[b.length][a.length];
+}
+
+// Generateurs pour tests (pas utilises dans le scan, mais utiles pour enrichir les IOCs)
+function generateMissingChar(name) {
+  const results = [];
+  for (let i = 0; i < name.length; i++) {
+    results.push(name.slice(0, i) + name.slice(i + 1));
+  }
+  return results;
+}
+
+function generateExtraChar(name) {
+  const results = [];
+  const chars = 'abcdefghijklmnopqrstuvwxyz0123456789-';
+  for (let i = 0; i <= name.length; i++) {
+    for (const char of chars) {
+      results.push(name.slice(0, i) + char + name.slice(i));
+    }
+  }
+  return results;
+}
+
+function generateSwappedChars(name) {
+  const results = [];
+  for (let i = 0; i < name.length - 1; i++) {
+    const arr = name.split('');
+    [arr[i], arr[i + 1]] = [arr[i + 1], arr[i]];
+    results.push(arr.join(''));
+  }
+  return results;
+}
+
+function generateWrongChar(name) {
+  const results = [];
+  const keyboard = {
+    'a': 'sqwz', 'b': 'vghn', 'c': 'xdfv', 'd': 'serfcx', 'e': 'wsdfr',
+    'f': 'drtgvc', 'g': 'ftyhbv', 'h': 'gyujnb', 'i': 'ujklo', 'j': 'huikmn',
+    'k': 'jiolm', 'l': 'kop', 'm': 'njk', 'n': 'bhjm', 'o': 'iklp',
+    'p': 'ol', 'q': 'wa', 'r': 'edft', 's': 'awedxz', 't': 'rfgy',
+    'u': 'yhji', 'v': 'cfgb', 'w': 'qase', 'x': 'zsdc', 'y': 'tghu', 'z': 'asx'
+  };
+  for (let i = 0; i < name.length; i++) {
+    const char = name[i].toLowerCase();
+    if (keyboard[char]) {
+      for (const replacement of keyboard[char]) {
+        results.push(name.slice(0, i) + replacement + name.slice(i + 1));
+      }
+    }
+  }
+  return results;
+}
+
+function generateHyphenTricks(name) {
+  const results = [];
+  // Ajouter des hyphens
+  for (let i = 1; i < name.length; i++) {
+    results.push(name.slice(0, i) + '-' + name.slice(i));
+  }
+  // Retirer des hyphens
+  results.push(name.replace(/-/g, ''));
+  return results;
+}
+
+function generateSuffixTricks(name) {
+  const suffixes = ['-js', '.js', '-node', '-npm', '-cli'];
+  return suffixes.map(s => name + s);
+}
+
+module.exports = { scanTyposquatting, levenshteinDistance };

package/tests/run-tests.js

@@ -198,6 +198,32 @@ test('MARQUEURS: Detecte The Second Coming', () => {
   assertIncludes(output, 'Second Coming', 'Devrait detecter marqueur The Second Coming');
 });
 
+// ============================================
+// TESTS UNITAIRES - DETECTION TYPOSQUATTING
+// ============================================
+
+console.log('\n=== TESTS TYPOSQUATTING ===\n');
+
+test('TYPOSQUAT: Detecte lodahs (lodash)', () => {
+  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
+  assertIncludes(output, 'lodahs', 'Devrait detecter lodahs');
+});
+
+test('TYPOSQUAT: Detecte axois (axios)', () => {
+  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
+  assertIncludes(output, 'axois', 'Devrait detecter axois');
+});
+
+test('TYPOSQUAT: Detecte expres (express)', () => {
+  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
+  assertIncludes(output, 'expres', 'Devrait detecter expres');
+});
+
+test('TYPOSQUAT: Severity HIGH', () => {
+  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
+  assertIncludes(output, 'HIGH', 'Devrait etre HIGH');
+});
+
 // ============================================
 // TESTS INTEGRATION - CLI
 // ============================================

package/tests/samples/typosquat/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "test-typosquat",
+  "version": "1.0.0",
+  "dependencies": {
+    "lodahs": "^1.0.0",
+    "axois": "^1.0.0",
+    "expres": "^1.0.0",
+    "recat": "^1.0.0",
+    "momnet": "^1.0.0"
+  }
+}