muaddib-scanner 1.0.1 → 1.0.3

package/bin/muaddib.js

@@ -3,6 +3,7 @@
 const { run } = require('../src/index.js');
 const { updateIOCs } = require('../src/ioc/updater.js');
 const { watch } = require('../src/watch.js');
+const { startDaemon } = require('../src/daemon.js');
 
 const args = process.argv.slice(2);
 const command = args[0];
@@ -13,7 +14,8 @@ let jsonOutput = false;
 let htmlOutput = null;
 let sarifOutput = null;
 let explainMode = false;
-let failLevel = 'high'; // Par defaut, fail sur HIGH et CRITICAL
+let failLevel = 'high';
+let webhookUrl = null;
 
 for (let i = 0; i < options.length; i++) {
   if (options[i] === '--json') {
@@ -29,6 +31,9 @@ for (let i = 0; i < options.length; i++) {
   } else if (options[i] === '--fail-on') {
     failLevel = options[i + 1] || 'high';
     i++;
+  } else if (options[i] === '--webhook') {
+    webhookUrl = options[i + 1];
+    i++;
   } else if (!options[i].startsWith('-')) {
     target = options[i];
   }
@@ -51,6 +56,8 @@ if (!command) {
     --explain           Affiche les details de chaque detection
     --fail-on [level]   Niveau de severite pour exit code (critical|high|medium|low)
                         Defaut: high (fail sur HIGH et CRITICAL)
+    --webhook [url]     Envoie une alerte Discord/Slack
+    muaddib daemon [options]        Lance le daemon de surveillance
   `);
   process.exit(0);
 }
@@ -61,7 +68,8 @@ if (command === 'scan') {
     html: htmlOutput, 
     sarif: sarifOutput,
     explain: explainMode,
-    failLevel: failLevel
+    failLevel: failLevel,
+    webhook: webhookUrl
   }).then(exitCode => {
     process.exit(exitCode);
   });
@@ -75,10 +83,12 @@ if (command === 'scan') {
     process.exit(1);
   });
 } else if (command === 'help') {
-  console.log('muaddib scan [path] [--json] [--html file] [--sarif file] [--explain] [--fail-on level]');
+  console.log('muaddib scan [path] [--json] [--html file] [--sarif file] [--explain] [--fail-on level] [--webhook url]');
   console.log('muaddib watch [path] - Surveille un projet en temps reel');
   console.log('muaddib update - Met a jour les IOCs');
+} else if (command === 'daemon') {
+  startDaemon({ webhook: webhookUrl });
 } else {
   console.log(`Commande inconnue: ${command}`);
   process.exit(1);
-}
+} 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {
@@ -38,6 +38,7 @@
   "dependencies": {
     "acorn": "^8.14.0",
     "acorn-walk": "^8.3.4",
-    "js-yaml": "^4.1.0"
+    "js-yaml": "^4.1.0",
+    "lodash": "^4.17.21"
   }
 }

package/src/daemon.js

@@ -0,0 +1,142 @@
+const fs = require('fs');
+const path = require('path');
+const { spawn } = require('child_process');
+const { run } = require('./index.js');
+
+let webhookUrl = null;
+let watchedDirs = [];
+let isRunning = false;
+
+async function startDaemon(options = {}) {
+  webhookUrl = options.webhook || null;
+  isRunning = true;
+
+  console.log(`
+╔════════════════════════════════════════════╗
+║         MUAD'DIB Security Daemon           ║
+║      Surveillance npm install active       ║
+╚════════════════════════════════════════════╝
+  `);
+
+  console.log('[DAEMON] Demarrage...');
+  console.log(`[DAEMON] Webhook: ${webhookUrl ? 'Configure' : 'Non configure'}`);
+  console.log('[DAEMON] Ctrl+C pour arreter\n');
+
+  // Surveille le dossier courant
+  const cwd = process.cwd();
+  watchDirectory(cwd);
+
+  // Garde le processus actif
+  process.on('SIGINT', () => {
+    console.log('\n[DAEMON] Arret...');
+    isRunning = false;
+    process.exit(0);
+  });
+
+  // Boucle infinie
+  while (isRunning) {
+    await sleep(1000);
+  }
+}
+
+function watchDirectory(dir) {
+  const nodeModulesPath = path.join(dir, 'node_modules');
+  const packageLockPath = path.join(dir, 'package-lock.json');
+  const yarnLockPath = path.join(dir, 'yarn.lock');
+
+  console.log(`[DAEMON] Surveillance de ${dir}`);
+
+  // Surveille package-lock.json
+  if (fs.existsSync(packageLockPath)) {
+    watchFile(packageLockPath, dir);
+  }
+
+  // Surveille yarn.lock
+  if (fs.existsSync(yarnLockPath)) {
+    watchFile(yarnLockPath, dir);
+  }
+
+  // Surveille node_modules
+  if (fs.existsSync(nodeModulesPath)) {
+    watchNodeModules(nodeModulesPath, dir);
+  }
+
+  // Surveille la creation de node_modules
+  fs.watch(dir, (eventType, filename) => {
+    if (filename === 'node_modules' && eventType === 'rename') {
+      const nmPath = path.join(dir, 'node_modules');
+      if (fs.existsSync(nmPath)) {
+        console.log('[DAEMON] node_modules detecte, scan en cours...');
+        triggerScan(dir);
+      }
+    }
+    if (filename === 'package-lock.json' || filename === 'yarn.lock') {
+      console.log(`[DAEMON] ${filename} modifie, scan en cours...`);
+      triggerScan(dir);
+    }
+  });
+}
+
+function watchFile(filePath, projectDir) {
+  let lastMtime = fs.statSync(filePath).mtime.getTime();
+
+  fs.watch(filePath, (eventType) => {
+    if (eventType === 'change') {
+      const currentMtime = fs.statSync(filePath).mtime.getTime();
+      if (currentMtime !== lastMtime) {
+        lastMtime = currentMtime;
+        console.log(`[DAEMON] ${path.basename(filePath)} modifie`);
+        triggerScan(projectDir);
+      }
+    }
+  });
+}
+
+function watchNodeModules(nodeModulesPath, projectDir) {
+  fs.watch(nodeModulesPath, { recursive: true }, (eventType, filename) => {
+    if (filename && filename.includes('package.json')) {
+      console.log(`[DAEMON] Nouveau package detecte: ${filename}`);
+      triggerScan(projectDir);
+    }
+  });
+}
+
+let scanTimeout = null;
+let lastScanTime = 0;
+
+function triggerScan(dir) {
+  const now = Date.now();
+  
+  // Debounce: attend 3 secondes avant de scanner
+  if (scanTimeout) {
+    clearTimeout(scanTimeout);
+  }
+
+  // Evite les scans trop frequents (minimum 10 secondes entre chaque)
+  if (now - lastScanTime < 10000) {
+    scanTimeout = setTimeout(() => triggerScan(dir), 10000 - (now - lastScanTime));
+    return;
+  }
+
+  scanTimeout = setTimeout(async () => {
+    lastScanTime = Date.now();
+    console.log(`\n[DAEMON] ========== SCAN AUTOMATIQUE ==========`);
+    console.log(`[DAEMON] Cible: ${dir}`);
+    console.log(`[DAEMON] Heure: ${new Date().toLocaleTimeString()}\n`);
+
+    try {
+      await run(dir, { webhook: webhookUrl });
+    } catch (err) {
+      console.log(`[DAEMON] Erreur scan: ${err.message}`);
+    }
+
+    console.log(`\n[DAEMON] ======================================\n`);
+    console.log('[DAEMON] En attente de modifications...');
+  }, 3000);
+}
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+module.exports = { startDaemon };

package/src/index.js

@@ -9,6 +9,8 @@ const { getPlaybook } = require('./response/playbooks.js');
 const { getRule } = require('./rules/index.js');
 const { saveReport } = require('./report.js');
 const { saveSARIF } = require('./sarif.js');
+const { scanTyposquatting } = require('./scanner/typosquat.js');
+const { sendWebhook } = require('./webhook.js');
 
 async function run(targetPath, options = {}) {
   const threats = [];
@@ -34,6 +36,10 @@ async function run(targetPath, options = {}) {
   const dataflowThreats = await analyzeDataFlow(targetPath);
   threats.push(...dataflowThreats);
 
+  // Scan typosquatting
+  const typosquatThreats = await scanTyposquatting(targetPath);
+  threats.push(...typosquatThreats);
+
   // Enrichir chaque menace avec les regles
   const enrichedThreats = threats.map(t => {
     const rule = getRule(t.type);
@@ -48,15 +54,34 @@ async function run(targetPath, options = {}) {
     };
   });
 
+// Calculer le score de risque (0-100)
+  const criticalCount = threats.filter(t => t.severity === 'CRITICAL').length;
+  const highCount = threats.filter(t => t.severity === 'HIGH').length;
+  const mediumCount = threats.filter(t => t.severity === 'MEDIUM').length;
+  
+  let riskScore = 0;
+  riskScore += criticalCount * 25;  // CRITICAL = 25 points
+  riskScore += highCount * 10;       // HIGH = 10 points
+  riskScore += mediumCount * 3;      // MEDIUM = 3 points
+  riskScore = Math.min(100, riskScore); // Cap a 100
+
+  const riskLevel = riskScore >= 75 ? 'CRITICAL' 
+                  : riskScore >= 50 ? 'HIGH'
+                  : riskScore >= 25 ? 'MEDIUM'
+                  : riskScore > 0 ? 'LOW'
+                  : 'SAFE';
+
   const result = {
     target: targetPath,
     timestamp: new Date().toISOString(),
     threats: enrichedThreats,
     summary: {
       total: threats.length,
-      critical: threats.filter(t => t.severity === 'CRITICAL').length,
-      high: threats.filter(t => t.severity === 'HIGH').length,
-      medium: threats.filter(t => t.severity === 'MEDIUM').length
+      critical: criticalCount,
+      high: highCount,
+      medium: mediumCount,
+      riskScore: riskScore,
+      riskLevel: riskLevel
     }
   };
 
@@ -100,10 +125,14 @@ async function run(targetPath, options = {}) {
       });
     }
   }
-  // Sortie normale
+// Sortie normale
   else {
     console.log(`\n[MUADDIB] Scan de ${targetPath}\n`);
 
+    // Afficher le score de risque
+    const scoreBar = '█'.repeat(Math.floor(result.summary.riskScore / 5)) + '░'.repeat(20 - Math.floor(result.summary.riskScore / 5));
+    console.log(`[SCORE] ${result.summary.riskScore}/100 [${scoreBar}] ${result.summary.riskLevel}\n`);
+
     if (threats.length === 0) {
       console.log('[OK] Aucune menace detectee.\n');
     } else {
@@ -124,7 +153,17 @@ async function run(targetPath, options = {}) {
     }
   }
 
-// Calculer exit code selon le niveau de fail
+// Envoyer webhook si configure
+  if (options.webhook) {
+    try {
+      await sendWebhook(options.webhook, result);
+      console.log(`[OK] Alerte envoyee au webhook`);
+    } catch (err) {
+      console.log(`[WARN] Echec envoi webhook: ${err.message}`);
+    }
+  }
+
+  // Calculer exit code selon le niveau de fail
   const failLevel = options.failLevel || 'high';
   const severityLevels = {
     critical: ['CRITICAL'],

package/src/response/playbooks.js

@@ -106,6 +106,9 @@ const PLAYBOOKS = {
 
   suspicious_dataflow:
     'CRITIQUE: Code lit des credentials et les envoie sur le reseau. Exfiltration probable. Isoler la machine, regenerer tous les secrets.',
+
+  typosquat_detected:
+    'ATTENTION: Ce package a un nom tres similaire a un package populaire. Verifier que c\'est bien le bon package. Si erreur de frappe, corriger immediatement.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -179,7 +179,20 @@ const RULES = {
       'https://blog.phylum.io/shai-hulud-npm-worm'
     ],
     mitre: 'T1041'
-  }
+  },
+
+  typosquat_detected: {
+    id: 'MUADDIB-TYPO-001',
+    name: 'Typosquatting Detected',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Package avec un nom tres similaire a un package populaire. Possible typosquatting.',
+    references: [
+      'https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry',
+      'https://snyk.io/blog/typosquatting-attacks/'
+    ],
+    mitre: 'T1195.002'
+  },
 };
 
 function getRule(type) {

package/src/scanner/typosquat.js

@@ -0,0 +1,266 @@
+const fs = require('fs');
+const path = require('path');
+
+// Top 100 packages npm les plus populaires (cibles de typosquatting)
+const POPULAR_PACKAGES = [
+  'lodash', 'express', 'react', 'axios', 'chalk', 'commander', 'moment',
+  'request', 'async', 'bluebird', 'underscore', 'uuid', 'debug', 'mkdirp',
+  'glob', 'minimist', 'webpack', 'babel-core', 'typescript', 'eslint',
+  'prettier', 'jest', 'mocha', 'chai', 'sinon', 'mongoose', 'sequelize',
+  'mysql', 'pg', 'redis', 'mongodb', 'socket.io', 'express-session',
+  'body-parser', 'cookie-parser', 'cors', 'helmet', 'morgan', 'dotenv',
+  'jsonwebtoken', 'bcrypt', 'passport', 'nodemailer', 'aws-sdk', 'stripe',
+  'twilio', 'firebase', 'graphql', 'apollo-server', 'next', 'nuxt',
+  'gatsby', 'vue', 'angular', 'svelte', 'electron', 'puppeteer', 'cheerio',
+  'sharp', 'jimp', 'canvas', 'pdf-lib', 'exceljs', 'csv-parser', 'xml2js',
+  'yaml', 'ini', 'config', 'yargs', 'inquirer', 'ora', 'chalk', 'colors',
+  'winston', 'bunyan', 'pino', 'log4js', 'ramda', 'rxjs', 'immutable',
+  'mobx', 'redux', 'zustand', 'formik', 'yup', 'joi', 'ajv', 'validator',
+  'date-fns', 'dayjs', 'luxon', 'numeral', 'accounting', 'currency.js',
+  'lodash-es', 'core-js', 'regenerator-runtime', 'tslib', 'classnames',
+  'prop-types', 'cross-env', 'npm', 'yarn', 'pnpm', 'node-fetch', 'got'
+];
+
+// Packages legitimes qui ressemblent a des populaires mais sont OK
+const WHITELIST = [
+  'acorn',
+  'acorn-walk',
+  'js-yaml',
+  'cross-env',
+  'node-fetch',
+  'node-gyp',
+  'core-js',
+  'lodash-es',
+  'date-fns',
+  'ts-node',
+  'ts-jest',
+  'css-loader',
+  'style-loader',
+  'file-loader',
+  'url-loader',
+  'babel-loader',
+  'vue-loader',
+  'react-dom',
+  'react-router',
+  'react-redux',
+  'vue-router',
+  'express-session',
+  'body-parser',
+  'cookie-parser'
+];
+
+// Techniques de typosquatting connues
+const TYPOSQUAT_PATTERNS = [
+  { type: 'missing_char', fn: (name) => generateMissingChar(name) },
+  { type: 'extra_char', fn: (name) => generateExtraChar(name) },
+  { type: 'swapped_chars', fn: (name) => generateSwappedChars(name) },
+  { type: 'wrong_char', fn: (name) => generateWrongChar(name) },
+  { type: 'hyphen_tricks', fn: (name) => generateHyphenTricks(name) },
+  { type: 'suffix_tricks', fn: (name) => generateSuffixTricks(name) }
+];
+
+async function scanTyposquatting(targetPath) {
+  const threats = [];
+  const packageJsonPath = path.join(targetPath, 'package.json');
+
+  if (!fs.existsSync(packageJsonPath)) {
+    return threats;
+  }
+
+  const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+  const dependencies = {
+    ...packageJson.dependencies,
+    ...packageJson.devDependencies,
+    ...packageJson.peerDependencies,
+    ...packageJson.optionalDependencies
+  };
+
+  for (const depName of Object.keys(dependencies)) {
+    const match = findTyposquatMatch(depName);
+    if (match) {
+      threats.push({
+        type: 'typosquat_detected',
+        severity: 'HIGH',
+        message: `Package "${depName}" ressemble a "${match.original}" (${match.type}). Possible typosquatting.`,
+        file: 'package.json',
+        details: {
+          suspicious: depName,
+          legitimate: match.original,
+          technique: match.type,
+          distance: match.distance
+        }
+      });
+    }
+  }
+
+  return threats;
+}
+
+function findTyposquatMatch(name) {
+  // Ignore les packages whitelistes
+  if (WHITELIST.includes(name)) return null;
+  
+  // Ignore les packages scoped (@org/package)
+  if (name.startsWith('@')) return null;
+
+  for (const popular of POPULAR_PACKAGES) {
+    // Ignore si c'est exactement le meme
+    if (name === popular) continue;
+
+    const distance = levenshteinDistance(name, popular);
+    
+    // Distance de 1 ou 2 = tres suspect
+    if (distance === 1) {
+      return {
+        original: popular,
+        type: detectTyposquatType(name, popular),
+        distance: distance
+      };
+    }
+
+    // Distance de 2 avec nom court = suspect
+    if (distance === 2 && popular.length <= 6) {
+      return {
+        original: popular,
+        type: detectTyposquatType(name, popular),
+        distance: distance
+      };
+    }
+
+    // Verifie les tricks de suffixe
+    if (isSuffixTrick(name, popular)) {
+      return {
+        original: popular,
+        type: 'suffix_trick',
+        distance: distance
+      };
+    }
+  }
+
+  return null;
+}
+
+function detectTyposquatType(typo, original) {
+  if (typo.length === original.length - 1) return 'missing_char';
+  if (typo.length === original.length + 1) return 'extra_char';
+  if (typo.length === original.length) {
+    // Verifie si swap
+    let diffs = 0;
+    for (let i = 0; i < typo.length; i++) {
+      if (typo[i] !== original[i]) diffs++;
+    }
+    if (diffs === 2) return 'swapped_chars';
+    return 'wrong_char';
+  }
+  return 'unknown';
+}
+
+function isSuffixTrick(name, popular) {
+  const suffixes = ['-js', '.js', '-node', '-npm', '-cli', '-api', '-lib', '-pkg', '-dev', '-pro'];
+  for (const suffix of suffixes) {
+    if (name === popular + suffix) return true;
+    if (name === popular.replace('-', '') + suffix) return true;
+  }
+  // Verifie aussi les prefixes
+  const prefixes = ['node-', 'npm-', 'js-', 'get-', 'the-'];
+  for (const prefix of prefixes) {
+    if (name === prefix + popular) return true;
+  }
+  return false;
+}
+
+function levenshteinDistance(a, b) {
+  const matrix = [];
+
+  for (let i = 0; i <= b.length; i++) {
+    matrix[i] = [i];
+  }
+
+  for (let j = 0; j <= a.length; j++) {
+    matrix[0][j] = j;
+  }
+
+  for (let i = 1; i <= b.length; i++) {
+    for (let j = 1; j <= a.length; j++) {
+      if (b.charAt(i - 1) === a.charAt(j - 1)) {
+        matrix[i][j] = matrix[i - 1][j - 1];
+      } else {
+        matrix[i][j] = Math.min(
+          matrix[i - 1][j - 1] + 1, // substitution
+          matrix[i][j - 1] + 1,     // insertion
+          matrix[i - 1][j] + 1      // deletion
+        );
+      }
+    }
+  }
+
+  return matrix[b.length][a.length];
+}
+
+// Generateurs pour tests (pas utilises dans le scan, mais utiles pour enrichir les IOCs)
+function generateMissingChar(name) {
+  const results = [];
+  for (let i = 0; i < name.length; i++) {
+    results.push(name.slice(0, i) + name.slice(i + 1));
+  }
+  return results;
+}
+
+function generateExtraChar(name) {
+  const results = [];
+  const chars = 'abcdefghijklmnopqrstuvwxyz0123456789-';
+  for (let i = 0; i <= name.length; i++) {
+    for (const char of chars) {
+      results.push(name.slice(0, i) + char + name.slice(i));
+    }
+  }
+  return results;
+}
+
+function generateSwappedChars(name) {
+  const results = [];
+  for (let i = 0; i < name.length - 1; i++) {
+    const arr = name.split('');
+    [arr[i], arr[i + 1]] = [arr[i + 1], arr[i]];
+    results.push(arr.join(''));
+  }
+  return results;
+}
+
+function generateWrongChar(name) {
+  const results = [];
+  const keyboard = {
+    'a': 'sqwz', 'b': 'vghn', 'c': 'xdfv', 'd': 'serfcx', 'e': 'wsdfr',
+    'f': 'drtgvc', 'g': 'ftyhbv', 'h': 'gyujnb', 'i': 'ujklo', 'j': 'huikmn',
+    'k': 'jiolm', 'l': 'kop', 'm': 'njk', 'n': 'bhjm', 'o': 'iklp',
+    'p': 'ol', 'q': 'wa', 'r': 'edft', 's': 'awedxz', 't': 'rfgy',
+    'u': 'yhji', 'v': 'cfgb', 'w': 'qase', 'x': 'zsdc', 'y': 'tghu', 'z': 'asx'
+  };
+  for (let i = 0; i < name.length; i++) {
+    const char = name[i].toLowerCase();
+    if (keyboard[char]) {
+      for (const replacement of keyboard[char]) {
+        results.push(name.slice(0, i) + replacement + name.slice(i + 1));
+      }
+    }
+  }
+  return results;
+}
+
+function generateHyphenTricks(name) {
+  const results = [];
+  // Ajouter des hyphens
+  for (let i = 1; i < name.length; i++) {
+    results.push(name.slice(0, i) + '-' + name.slice(i));
+  }
+  // Retirer des hyphens
+  results.push(name.replace(/-/g, ''));
+  return results;
+}
+
+function generateSuffixTricks(name) {
+  const suffixes = ['-js', '.js', '-node', '-npm', '-cli'];
+  return suffixes.map(s => name + s);
+}
+
+module.exports = { scanTyposquatting, levenshteinDistance };

package/src/webhook.js

@@ -0,0 +1,176 @@
+const https = require('https');
+const http = require('http');
+
+async function sendWebhook(url, results) {
+  const isDiscord = url.includes('discord.com');
+  const isSlack = url.includes('hooks.slack.com');
+
+  let payload;
+
+  if (isDiscord) {
+    payload = formatDiscord(results);
+  } else if (isSlack) {
+    payload = formatSlack(results);
+  } else {
+    payload = formatGeneric(results);
+  }
+
+  return send(url, payload);
+}
+
+function formatDiscord(results) {
+  const { summary, threats, target } = results;
+  
+  const color = summary.riskLevel === 'CRITICAL' ? 0xe74c3c
+              : summary.riskLevel === 'HIGH' ? 0xe67e22
+              : summary.riskLevel === 'MEDIUM' ? 0xf1c40f
+              : summary.riskLevel === 'LOW' ? 0x3498db
+              : 0x2ecc71;
+
+  const criticalThreats = threats
+    .filter(t => t.severity === 'CRITICAL')
+    .slice(0, 5)
+    .map(t => `- ${t.message}`)
+    .join('\n');
+
+  return {
+    embeds: [{
+      title: 'MUAD\'DIB Security Scan',
+      description: `Scan de **${target}**`,
+      color: color,
+      fields: [
+        {
+          name: 'Score de risque',
+          value: `**${summary.riskScore}/100** (${summary.riskLevel})`,
+          inline: true
+        },
+        {
+          name: 'Menaces',
+          value: `${summary.critical} CRITICAL\n${summary.high} HIGH\n${summary.medium} MEDIUM`,
+          inline: true
+        },
+        {
+          name: 'Total',
+          value: `**${summary.total}** menace(s)`,
+          inline: true
+        }
+      ],
+      footer: {
+        text: 'MUAD\'DIB - Supply-chain threat detection'
+      },
+      timestamp: results.timestamp
+    }]
+  };
+}
+
+function formatSlack(results) {
+  const { summary, threats, target } = results;
+
+  const emoji = summary.riskLevel === 'CRITICAL' ? ':rotating_light:'
+              : summary.riskLevel === 'HIGH' ? ':warning:'
+              : summary.riskLevel === 'MEDIUM' ? ':large_yellow_circle:'
+              : summary.riskLevel === 'LOW' ? ':information_source:'
+              : ':white_check_mark:';
+
+  const criticalList = threats
+    .filter(t => t.severity === 'CRITICAL')
+    .slice(0, 5)
+    .map(t => `• ${t.message}`)
+    .join('\n');
+
+  return {
+    blocks: [
+      {
+        type: 'header',
+        text: {
+          type: 'plain_text',
+          text: `${emoji} MUAD'DIB Security Scan`
+        }
+      },
+      {
+        type: 'section',
+        fields: [
+          {
+            type: 'mrkdwn',
+            text: `*Cible:*\n${target}`
+          },
+          {
+            type: 'mrkdwn',
+            text: `*Score:*\n${summary.riskScore}/100 (${summary.riskLevel})`
+          }
+        ]
+      },
+      {
+        type: 'section',
+        fields: [
+          {
+            type: 'mrkdwn',
+            text: `*CRITICAL:* ${summary.critical}`
+          },
+          {
+            type: 'mrkdwn',
+            text: `*HIGH:* ${summary.high}`
+          },
+          {
+            type: 'mrkdwn',
+            text: `*MEDIUM:* ${summary.medium}`
+          },
+          {
+            type: 'mrkdwn',
+            text: `*Total:* ${summary.total}`
+          }
+        ]
+      }
+    ]
+  };
+}
+
+function formatGeneric(results) {
+  return {
+    tool: 'MUADDIB',
+    target: results.target,
+    timestamp: results.timestamp,
+    summary: results.summary,
+    threats: results.threats.map(t => ({
+      type: t.type,
+      severity: t.severity,
+      message: t.message,
+      file: t.file
+    }))
+  };
+}
+
+function send(url, payload) {
+  return new Promise((resolve, reject) => {
+    const urlObj = new URL(url);
+    const protocol = urlObj.protocol === 'https:' ? https : http;
+
+    const options = {
+      hostname: urlObj.hostname,
+      port: urlObj.port || (urlObj.protocol === 'https:' ? 443 : 80),
+      path: urlObj.pathname + urlObj.search,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      }
+    };
+
+    const req = protocol.request(options, (res) => {
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        if (res.statusCode >= 200 && res.statusCode < 300) {
+          resolve({ success: true, status: res.statusCode });
+        } else {
+          reject(new Error(`Webhook failed: HTTP ${res.statusCode}`));
+        }
+      });
+    });
+
+    req.on('error', reject);
+    req.write(JSON.stringify(payload));
+    req.end();
+  });
+}
+
+module.exports = { sendWebhook };

package/tests/run-tests.js

@@ -198,6 +198,32 @@ test('MARQUEURS: Detecte The Second Coming', () => {
   assertIncludes(output, 'Second Coming', 'Devrait detecter marqueur The Second Coming');
 });
 
+// ============================================
+// TESTS UNITAIRES - DETECTION TYPOSQUATTING
+// ============================================
+
+console.log('\n=== TESTS TYPOSQUATTING ===\n');
+
+test('TYPOSQUAT: Detecte lodahs (lodash)', () => {
+  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
+  assertIncludes(output, 'lodahs', 'Devrait detecter lodahs');
+});
+
+test('TYPOSQUAT: Detecte axois (axios)', () => {
+  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
+  assertIncludes(output, 'axois', 'Devrait detecter axois');
+});
+
+test('TYPOSQUAT: Detecte expres (express)', () => {
+  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
+  assertIncludes(output, 'expres', 'Devrait detecter expres');
+});
+
+test('TYPOSQUAT: Severity HIGH', () => {
+  const output = runScan(path.join(TESTS_DIR, 'typosquat'));
+  assertIncludes(output, 'HIGH', 'Devrait etre HIGH');
+});
+
 // ============================================
 // TESTS INTEGRATION - CLI
 // ============================================

package/tests/samples/typosquat/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "test-typosquat",
+  "version": "1.0.0",
+  "dependencies": {
+    "lodahs": "^1.0.0",
+    "axois": "^1.0.0",
+    "expres": "^1.0.0",
+    "recat": "^1.0.0",
+    "momnet": "^1.0.0"
+  }
+}