muaddib-scanner 1.0.19 → 1.0.20

@@ -12037,6 +12037,9 @@
12037
12037
  "node-gyp.dll",
12038
12038
  "bun_installer.js",
12039
12039
  "environment_source.js",
12040
+ "cl0vd.json",
12041
+ "pigS3cr3ts.json",
12042
+ "actionsSecrets.json",
12040
12043
  "3nvir0nm3nt.json",
12041
12044
  "c9nt3nts.json",
12042
12045
  "c0nt3nts.json",
@@ -12046,5 +12049,5 @@
12046
12049
  "discord-webhook.js",
12047
12050
  "inject.js"
12048
12051
  ],
12049
- "updated": "2026-01-08T15:51:22.567Z"
12052
+ "updated": "2026-01-08T19:41:50.038Z"
12050
12053
  }
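--- a/package/iocs/builtin.yaml
+++ b/package/iocs/builtin.yaml
@@ -101,6 +101,9 @@ files:
  # Shai-Hulud v3 (nouveaux noms)
  - bun_installer.js
  - environment_source.js
+ - cl0vd.json
+ - pigS3cr3ts.json
+ - actionsSecrets.json
  # Artefacts exfiltration v3
  - 3nvir0nm3nt.json
  - c9nt3nts.json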
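Review bot: `actionsSecrets.json` on new line 106 is a plain-English filename, unlike the leetspeak artefacts around it, so as a bare file-name IOC it is likely to also match unrelated projects that keep GitHub Actions configuration under that name; the attribution presumably comes from the same v3 reporting as the two entries above it, which I cannot verify from the diff. A short comment such as `# actionsSecrets.json: generic name, expect false positives — corroborate with other v3 artefacts` next to the entry, and the same note beside the matching entry added to the JSON list in the first hunk of this diff, would help whoever triages a hit.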
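--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "muaddib-scanner",
- "version": "1.0.19",
+ "version": "1.0.20",
  "description": "Supply-chain threat detection & response for npm",
  "main": "src/index.js",
  "bin": {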
@@ -1,5 +1,6 @@
1
1
  const fs = require('fs');
2
2
  const path = require('path');
3
+ const { loadCachedIOCs } = require('../ioc/updater.js');
3
4
 
4
5
  const SUSPICIOUS_SCRIPTS = [
5
6
  'preinstall',
@@ -23,13 +24,14 @@ async function scanPackageJson(targetPath) {
23
24
  const threats = [];
24
25
  const pkgPath = path.join(targetPath, 'package.json');
25
26
 
26
- if (!fs.existsSync(pkgPath)) {
27
+ if (!fs.existsSync(pkgPath)) {
27
28
  return threats;
28
29
  }
29
30
 
30
31
  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
31
32
  const scripts = pkg.scripts || {};
32
33
 
34
+ // Scan lifecycle scripts
33
35
  for (const scriptName of SUSPICIOUS_SCRIPTS) {
34
36
  if (scripts[scriptName]) {
35
37
  const scriptContent = scripts[scriptName];
@@ -54,6 +56,34 @@ if (!fs.existsSync(pkgPath)) {
54
56
  }
55
57
  }
56
58
 
59
+ // Scan declared dependencies against IOCs
60
+ const iocs = loadCachedIOCs();
61
+ const allDeps = {
62
+ ...pkg.dependencies,
63
+ ...pkg.devDependencies,
64
+ ...pkg.optionalDependencies,
65
+ ...pkg.peerDependencies
66
+ };
67
+
68
+ for (const [depName, depVersion] of Object.entries(allDeps)) {
69
+ const malicious = iocs.packages.find(p => {
70
+ if (p.name !== depName) return false;
71
+ if (p.version === '*' || p.version === depVersion) return true;
72
+ // Check if declared version matches malicious version
73
+ if (depVersion.includes(p.version)) return true;
74
+ return false;
75
+ });
76
+
77
+ if (malicious) {
78
+ threats.push({
79
+ type: 'known_malicious_package',
80
+ severity: 'CRITICAL',
81
+ message: `Dependance malveillante declaree: ${depName}@${depVersion} (source: ${malicious.source || 'IOC'})`,
82
+ file: 'package.json'
83
+ });
84
+ }
85
+ }
86
+
57
87
  return threats;
58
88
  }
59
89
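Review bot: `iocs.packages.find(...)` on new line 69 dereferences whatever `loadCachedIOCs()` returned without a guard; if the cache is missing or malformed and the helper returns null or an object without `packages` (not visible here — worth confirming in `../ioc/updater.js`), the whole `scanPackageJson` call throws instead of reporting zero threats, so `const knownPackages = Array.isArray(iocs?.packages) ? iocs.packages : [];` and iterating that is safer. The fallback `depVersion.includes(p.version)` on new line 73 is a substring test against a version specifier, so (constructed example) an IOC version `1.1` also hits a declared `^1.10.2`, while a declared range `^1.0.0` never literally contains a malicious `1.0.3` that it would resolve to; a comment stating that this heuristic only catches pinned or literally quoted versions, and that resolved versions require checking the lockfile, would stop readers from treating a clean result as coverage. `depVersion` is also assumed to be a string, and a non-string value in a hand-edited manifest throws on `.includes`, so `const declared = String(depVersion ?? '');` before matching is cheap. The enclosing `scanPackageJson` starts outside this hunk.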