muaddib-scanner 1.0.0

package/iocs/hashes.yaml

@@ -0,0 +1,220 @@
+# MUAD'DIB IOCs - Hashes SHA256 malveillants
+# Contribuez via PR: https://github.com/DNSZLSK/muad-dib
+
+version: "1.0.0"
+updated: "2026-01-01"
+
+hashes:
+  # ============================================
+  # SHAI-HULUD v2 - bun_environment.js
+  # ============================================
+  - id: HASH-SHAI-V2-001
+    sha256: "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0"
+    file: "bun_environment.js"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Payload Shai-Hulud v2 - exfiltration credentials"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+
+  - id: HASH-SHAI-V2-002
+    sha256: "cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd"
+    file: "bun_environment.js"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Variante Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+
+  - id: HASH-SHAI-V2-003
+    sha256: "f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068"
+    file: "bun_environment.js"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Variante Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+
+  # ============================================
+  # SHAI-HULUD v2 - setup_bun.js
+  # ============================================
+  - id: HASH-SHAI-V2-004
+    sha256: "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a"
+    file: "setup_bun.js"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Loader Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+
+  - id: HASH-SHAI-V2-005
+    sha256: "f1df4896244500671eb4aa63ebb48ea11cee196fafaa0e9874e17b24ac053c02"
+    file: "setup_bun.js"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Variante Shai-Hulud v2"
+    references:
+      - https://blog.phylum.io/shai-hulud-npm-worm
+
+  - id: HASH-SHAI-V2-006
+    sha256: "9d59fd0bcc14b671079824c704575f201b74276238dc07a9c12a93a84195648a"
+    file: "setup_bun.js"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Variante Shai-Hulud v2"
+    references:
+      - https://blog.phylum.io/shai-hulud-npm-worm
+
+  - id: HASH-SHAI-V2-007
+    sha256: "e0250076c1d2ac38777ea8f542431daf61fcbaab0ca9c196614b28065ef5b918"
+    file: "setup_bun.js"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Variante Shai-Hulud v2"
+    references:
+      - https://blog.phylum.io/shai-hulud-npm-worm
+
+  # ============================================
+  # NODE-IPC PROTESTWARE
+  # ============================================
+  - id: HASH-PROTEST-001
+    sha256: "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db"
+    file: "peacenotwar.js"
+    source: protestware
+    severity: critical
+    confidence: high
+    description: "Payload node-ipc peacenotwar"
+    references:
+      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
+
+  - id: HASH-PROTEST-002
+    sha256: "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09"
+    file: "peacenotwar.js"
+    source: protestware
+    severity: critical
+    confidence: high
+    description: "Variante node-ipc peacenotwar"
+    references:
+      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
+
+markers:
+  # ============================================
+  # SHAI-HULUD MARKERS
+  # ============================================
+  - id: MARKER-SHAI-001
+    pattern: "Sha1-Hulud"
+    source: shai-hulud-v1
+    severity: critical
+    confidence: high
+    description: "Signature Shai-Hulud v1"
+
+  - id: MARKER-SHAI-002
+    pattern: "Shai-Hulud"
+    source: shai-hulud-v1
+    severity: critical
+    confidence: high
+    description: "Signature Shai-Hulud"
+
+  - id: MARKER-SHAI-003
+    pattern: "The Second Coming"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Signature Shai-Hulud v2"
+
+  - id: MARKER-SHAI-004
+    pattern: "Goldox-T3chs"
+    source: shai-hulud-v3
+    severity: critical
+    confidence: high
+    description: "Signature Shai-Hulud v3 Golden Path"
+
+  - id: MARKER-SHAI-005
+    pattern: "Only Happy Girl"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Signature Shai-Hulud v2 variante"
+
+  # ============================================
+  # PROTESTWARE MARKERS
+  # ============================================
+  - id: MARKER-PROTEST-001
+    pattern: "peacenotwar"
+    source: protestware
+    severity: critical
+    confidence: high
+    description: "Signature node-ipc protestware"
+
+  # ============================================
+  # GENERIC MALWARE MARKERS
+  # ============================================
+  - id: MARKER-GENERIC-001
+    pattern: "/dev/tcp"
+    source: generic
+    severity: critical
+    confidence: high
+    description: "Reverse shell bash"
+
+  - id: MARKER-GENERIC-002
+    pattern: "discord.com/api/webhooks"
+    source: generic
+    severity: high
+    confidence: medium
+    description: "Exfiltration via Discord webhook"
+
+files:
+  # ============================================
+  # FICHIERS SUSPECTS SHAI-HULUD
+  # ============================================
+  - id: FILE-SHAI-001
+    name: "setup_bun.js"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Loader Shai-Hulud"
+
+  - id: FILE-SHAI-002
+    name: "bun_environment.js"
+    source: shai-hulud-v2
+    severity: critical
+    confidence: high
+    description: "Payload Shai-Hulud"
+
+  - id: FILE-SHAI-003
+    name: "bundle.js"
+    source: shai-hulud-v2
+    severity: high
+    confidence: medium
+    description: "Payload obfusque potentiel"
+
+  # ============================================
+  # FICHIERS SUSPECTS GENERIQUES
+  # ============================================
+  - id: FILE-GENERIC-001
+    name: "stealer.js"
+    source: generic
+    severity: critical
+    confidence: high
+    description: "Token stealer potentiel"
+
+  - id: FILE-GENERIC-002
+    name: "token-grabber.js"
+    source: generic
+    severity: critical
+    confidence: high
+    description: "Token stealer potentiel"
+
+  - id: FILE-GENERIC-003
+    name: "inject.js"
+    source: generic
+    severity: high
+    confidence: medium
+    description: "Code injection potentiel"

package/iocs/packages.yaml

@@ -0,0 +1,265 @@
+# MUAD'DIB IOCs - Packages malveillants
+# Contribuez via PR: https://github.com/DNSZLSK/muad-dib
+
+version: "1.0.0"
+updated: "2026-01-01"
+
+packages:
+  # ============================================
+  # SHAI-HULUD v1 (Septembre 2025)
+  # ============================================
+  - id: SHAI-HULUD-V1-001
+    name: "@ctrl/tinycolor"
+    version: "4.1.1"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v1
+    introduced: "2025-09-01"
+    description: "Package compromis par Shai-Hulud v1 - vol de credentials npm/GitHub"
+    references:
+      - https://blog.phylum.io/shai-hulud-npm-worm
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V1-002
+    name: "ng2-file-upload"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v1
+    introduced: "2025-09-01"
+    description: "Package compromis par Shai-Hulud v1"
+    references:
+      - https://blog.phylum.io/shai-hulud-npm-worm
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V1-003
+    name: "ngx-bootstrap"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v1
+    introduced: "2025-09-01"
+    description: "Package compromis par Shai-Hulud v1"
+    references:
+      - https://blog.phylum.io/shai-hulud-npm-worm
+    mitre: T1195.002
+
+  # ============================================
+  # SHAI-HULUD v2 "The Second Coming" (Novembre 2025)
+  # ============================================
+  - id: SHAI-HULUD-V2-001
+    name: "@asyncapi/specs"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v2
+    introduced: "2025-11-01"
+    description: "Package compromis par Shai-Hulud v2 - inclut dead man's switch"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V2-002
+    name: "get-them-args"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v2
+    introduced: "2025-11-01"
+    description: "Package compromis par Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V2-003
+    name: "kill-port"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v2
+    introduced: "2025-11-01"
+    description: "Package compromis par Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V2-004
+    name: "posthog-node"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v2
+    introduced: "2025-11-01"
+    description: "Package compromis par Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V2-005
+    name: "posthog-js"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v2
+    introduced: "2025-11-01"
+    description: "Package compromis par Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  # ============================================
+  # SHAI-HULUD v3 "Golden Path" (Decembre 2025)
+  # ============================================
+  - id: SHAI-HULUD-V3-001
+    name: "@vietmoney/react-big-calendar"
+    version: "0.26.2"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v3
+    introduced: "2025-12-01"
+    description: "Package compromis par Shai-Hulud v3 Golden Path"
+    references:
+      - https://socket.dev/npm/package/@vietmoney/react-big-calendar
+    mitre: T1195.002
+
+  # ============================================
+  # ATTAQUES HISTORIQUES
+  # ============================================
+  - id: EVENT-STREAM-001
+    name: "flatmap-stream"
+    version: "0.1.1"
+    severity: critical
+    confidence: high
+    source: event-stream-2018
+    introduced: "2018-11-01"
+    description: "Payload malveillant de l'attaque event-stream - vol de Bitcoin wallets"
+    references:
+      - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
+    mitre: T1195.002
+
+  - id: EVENT-STREAM-002
+    name: "event-stream"
+    version: "3.3.6"
+    severity: critical
+    confidence: high
+    source: event-stream-2018
+    introduced: "2018-11-01"
+    description: "Version compromise de event-stream"
+    references:
+      - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
+    mitre: T1195.002
+
+  - id: ESLINT-SCOPE-001
+    name: "eslint-scope"
+    version: "3.7.2"
+    severity: critical
+    confidence: high
+    source: eslint-scope-2018
+    introduced: "2018-07-01"
+    description: "Version compromise de eslint-scope - vol de tokens npm"
+    references:
+      - https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
+    mitre: T1195.002
+
+  # ============================================
+  # PROTESTWARE
+  # ============================================
+  - id: PROTESTWARE-001
+    name: "node-ipc"
+    version: "10.1.1"
+    severity: critical
+    confidence: high
+    source: protestware
+    introduced: "2022-03-01"
+    description: "Protestware - supprime fichiers sur machines avec IP russe/bielorusse"
+    references:
+      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
+    mitre: T1485
+
+  - id: PROTESTWARE-002
+    name: "node-ipc"
+    version: "10.1.2"
+    severity: critical
+    confidence: high
+    source: protestware
+    introduced: "2022-03-01"
+    description: "Protestware - version modifiee"
+    references:
+      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
+    mitre: T1485
+
+  - id: PROTESTWARE-003
+    name: "colors"
+    version: "1.4.1"
+    severity: high
+    confidence: high
+    source: protestware
+    introduced: "2022-01-01"
+    description: "Protestware - boucle infinie intentionnelle"
+    references:
+      - https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
+    mitre: T1499
+
+  - id: PROTESTWARE-004
+    name: "faker"
+    version: "6.6.6"
+    severity: high
+    confidence: high
+    source: protestware
+    introduced: "2022-01-01"
+    description: "Protestware - sabotage intentionnel"
+    references:
+      - https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
+    mitre: T1499
+
+  # ============================================
+  # TYPOSQUATS
+  # ============================================
+  - id: TYPOSQUAT-001
+    name: "crossenv"
+    version: "*"
+    severity: high
+    confidence: high
+    source: typosquat
+    introduced: "2017-08-01"
+    description: "Typosquat de cross-env - vol de variables d'environnement"
+    references:
+      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
+    mitre: T1195.002
+
+  - id: TYPOSQUAT-002
+    name: "mongose"
+    version: "*"
+    severity: high
+    confidence: high
+    source: typosquat
+    introduced: "2017-08-01"
+    description: "Typosquat de mongoose"
+    references:
+      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
+    mitre: T1195.002
+
+  - id: TYPOSQUAT-003
+    name: "babelcli"
+    version: "*"
+    severity: high
+    confidence: high
+    source: typosquat
+    introduced: "2017-08-01"
+    description: "Typosquat de babel-cli"
+    references:
+      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
+    mitre: T1195.002
+
+  - id: TYPOSQUAT-004
+    name: "lodahs"
+    version: "*"
+    severity: high
+    confidence: high
+    source: typosquat
+    introduced: "2019-01-01"
+    description: "Typosquat de lodash"
+    references:
+      - https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/
+    mitre: T1195.002

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "muaddib-scanner",
+  "version": "1.0.0",
+  "description": "Supply-chain threat detection & response for npm",
+  "main": "src/index.js",
+  "bin": {
+    "muaddib": "./bin/muaddib.js"
+  },
+  "scripts": {
+    "test": "node tests/run-tests.js",
+    "scan": "node bin/muaddib.js scan .",
+    "update": "node bin/muaddib.js update"
+  },
+  "keywords": [
+    "security",
+    "npm",
+    "supply-chain",
+    "malware",
+    "scanner",
+    "shai-hulud",
+    "detection",
+    "ast",
+    "sarif"
+  ],
+  "author": "DNSZLSK",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/DNSZLSK/muad-dib.git"
+  },
+  "homepage": "https://github.com/DNSZLSK/muad-dib",
+  "bugs": {
+    "url": "https://github.com/DNSZLSK/muad-dib/issues"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "acorn": "^8.14.0",
+    "acorn-walk": "^8.3.4",
+    "js-yaml": "^4.1.0"
+  }
+}