muaddib-scanner 1.0.8 → 1.0.10

package/.muaddib-cache/iocs.json

@@ -0,0 +1,355 @@
+{
+  "packages": [
+    {
+      "name": "@ctrl/tinycolor",
+      "version": "4.1.1",
+      "source": "shai-hulud-v1"
+    },
+    {
+      "name": "ng2-file-upload",
+      "version": "*",
+      "source": "shai-hulud-v1"
+    },
+    {
+      "name": "ngx-bootstrap",
+      "version": "*",
+      "source": "shai-hulud-v1"
+    },
+    {
+      "name": "@asyncapi/specs",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "@asyncapi/openapi-schema-parser",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "get-them-args",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "kill-port",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "shell-exec",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "posthog-node",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "posthog-js",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "@postman/tunnel-agent",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "@zapier/secret-scrubber",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "@vietmoney/react-big-calendar",
+      "version": "0.26.2",
+      "source": "shai-hulud-v3"
+    },
+    {
+      "name": "flatmap-stream",
+      "version": "0.1.1",
+      "source": "event-stream-2018"
+    },
+    {
+      "name": "event-stream",
+      "version": "3.3.6",
+      "source": "event-stream-2018"
+    },
+    {
+      "name": "eslint-scope",
+      "version": "3.7.2",
+      "source": "eslint-scope-2018"
+    },
+    {
+      "name": "eslint-config-prettier",
+      "version": "8.10.1",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "eslint-config-prettier",
+      "version": "9.1.1",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "eslint-plugin-prettier",
+      "version": "4.2.2",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "synckit",
+      "version": "0.11.9",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "@pkgr/core",
+      "version": "0.2.8",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "napi-postinstall",
+      "version": "0.3.1",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "got-fetch",
+      "version": "5.1.11",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "is",
+      "version": "3.3.1",
+      "source": "is-package-2025"
+    },
+    {
+      "name": "is",
+      "version": "5.0.0",
+      "source": "is-package-2025"
+    },
+    {
+      "name": "crossenv",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "cross-env.js",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "mongose",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "mssql.js",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "mssql-node",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "babelcli",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "http-proxy.js",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "proxy.js",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "shadowsock",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "smb",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "nodesass",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "node-sass.js",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "node-ipc",
+      "version": "10.1.1",
+      "source": "protestware"
+    },
+    {
+      "name": "node-ipc",
+      "version": "10.1.2",
+      "source": "protestware"
+    },
+    {
+      "name": "node-ipc",
+      "version": "10.1.3",
+      "source": "protestware"
+    },
+    {
+      "name": "colors",
+      "version": "1.4.1",
+      "source": "protestware"
+    },
+    {
+      "name": "colors",
+      "version": "1.4.2",
+      "source": "protestware"
+    },
+    {
+      "name": "faker",
+      "version": "6.6.6",
+      "source": "protestware"
+    },
+    {
+      "name": "ua-parser-js",
+      "version": "0.7.29",
+      "source": "community",
+      "description": "Compromis octobre 2021 - crypto miner"
+    },
+    {
+      "name": "coa",
+      "version": "2.0.3",
+      "source": "community",
+      "description": "Compromis novembre 2021"
+    },
+    {
+      "name": "coa",
+      "version": "2.0.4",
+      "source": "community",
+      "description": "Compromis novembre 2021"
+    },
+    {
+      "name": "rc",
+      "version": "1.2.9",
+      "source": "community",
+      "description": "Compromis novembre 2021"
+    },
+    {
+      "name": "rc",
+      "version": "1.3.9",
+      "source": "community",
+      "description": "Compromis novembre 2021"
+    },
+    {
+      "name": "left-pad",
+      "version": "*",
+      "source": "community",
+      "description": "Incident 2016 - supply chain"
+    },
+    {
+      "name": "lodash-merge",
+      "version": "*",
+      "source": "typosquat",
+      "description": "Typosquat de lodash.merge"
+    },
+    {
+      "name": "loadash",
+      "version": "*",
+      "source": "typosquat",
+      "description": "Typosquat de lodash"
+    },
+    {
+      "name": "electorn",
+      "version": "*",
+      "source": "typosquat",
+      "description": "Typosquat de electron"
+    },
+    {
+      "name": "discord.js-selfbot-v11",
+      "version": "*",
+      "source": "community",
+      "description": "Token stealer Discord"
+    },
+    {
+      "name": "discord-selfbot-tools",
+      "version": "*",
+      "source": "community",
+      "description": "Token stealer Discord"
+    },
+    {
+      "name": "discordsystem",
+      "version": "*",
+      "source": "community",
+      "description": "Token stealer Discord"
+    },
+    {
+      "name": "discord-lofy",
+      "version": "*",
+      "source": "community",
+      "description": "Token stealer Discord"
+    },
+    {
+      "name": "prerequests",
+      "version": "*",
+      "source": "typosquat",
+      "description": "Typosquat de prerequests"
+    },
+    {
+      "name": "requstes",
+      "version": "*",
+      "source": "typosquat",
+      "description": "Typosquat de requests"
+    }
+  ],
+  "files": [
+    "setup_bun.js",
+    "bun_environment.js",
+    "bundle.js",
+    "node-gyp.dll",
+    "preinstall.js",
+    "postinstall.js",
+    "install.js",
+    "discord-webhook.js",
+    "token-grabber.js",
+    "stealer.js",
+    "inject.js"
+  ],
+  "hashes": [
+    "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0",
+    "cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd",
+    "f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068",
+    "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a",
+    "f1df4896244500671eb4aa63ebb48ea11cee196fafaa0e9874e17b24ac053c02",
+    "9d59fd0bcc14b671079824c704575f201b74276238dc07a9c12a93a84195648a",
+    "e0250076c1d2ac38777ea8f542431daf61fcbaab0ca9c196614b28065ef5b918",
+    "6c9628f72d2bb789fe8f097a611d61c8c53f2f21e47c6a5d8d3e0e0b8e5e8c8f",
+    "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
+    "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db",
+    "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",
+    "b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777",
+    "dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c",
+    "8f3c4e2a1b5d6c7e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e",
+    "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b"
+  ],
+  "markers": [
+    "Sha1-Hulud",
+    "Shai-Hulud",
+    "The Second Coming",
+    "Goldox-T3chs",
+    "Only Happy Girl",
+    "peacenotwar",
+    "protestware",
+    "/dev/tcp",
+    "reverse shell",
+    "discord.com/api/webhooks",
+    "token grabber",
+    "crypto miner",
+    "xmrig"
+  ],
+  "updated": "2026-01-02T09:21:30.216Z"
+}

package/README.fr.md

@@ -0,0 +1,310 @@
+<p align="center">
+  <img src="MUADDIBLOGO.png" alt="MUAD'DIB Logo" width="200">
+</p>
+
+<h1 align="center">MUAD'DIB</h1>
+
+<p align="center">
+  <strong>Supply-chain threat detection & response for npm</strong>
+</p>
+
+<p align="center">
+  <img src="https://img.shields.io/npm/v/muaddib-scanner" alt="npm version">
+  <img src="https://img.shields.io/badge/license-MIT-green" alt="License">
+  <img src="https://img.shields.io/badge/node-%3E%3D18-brightgreen" alt="Node">
+  <img src="https://img.shields.io/badge/IOCs-180%2B-red" alt="IOCs">
+</p>
+
+<p align="center">
+  <a href="#installation">Installation</a> |
+  <a href="#utilisation">Utilisation</a> |
+  <a href="#features">Features</a> |
+  <a href="#vs-code">VS Code</a> |
+  <a href="#discord">Discord</a>
+</p>
+
+---
+
+## Pourquoi MUAD'DIB ?
+
+Les attaques supply chain npm explosent. Shai-Hulud a compromis 25K+ repos en 2025. Les outils existants detectent, mais n'aident pas a repondre.
+
+MUAD'DIB detecte ET guide la reponse.
+
+| Feature | MUAD'DIB | Socket | Snyk |
+|---------|----------|--------|------|
+| Detection IOCs | Oui | Oui | Oui |
+| Analyse AST | Oui | Oui | Non |
+| Analyse Dataflow | Oui | Non | Non |
+| Detection Typosquatting | Oui | Oui | Non |
+| Playbooks reponse | Oui | Non | Non |
+| Score de risque | Oui | Oui | Oui |
+| SARIF / GitHub Security | Oui | Oui | Oui |
+| MITRE ATT&CK mapping | Oui | Non | Non |
+| Webhook Discord/Slack | Oui | Non | Non |
+| Extension VS Code | Oui | Oui | Oui |
+| Mode daemon | Oui | Non | Non |
+| 100% Open Source | Oui | Non | Non |
+
+---
+
+## Installation
+
+### npm (recommande)
+```bash
+npm install -g muaddib-scanner
+```
+
+### Depuis les sources
+```bash
+git clone https://github.com/DNSZLSK/muad-dib.git
+cd muad-dib
+npm install
+```
+
+---
+
+## Utilisation
+
+### Scan basique
+```bash
+muaddib scan .
+muaddib scan /chemin/vers/projet
+```
+
+### Score de risque
+
+Chaque scan affiche un score de risque 0-100 :
+```
+[SCORE] 58/100 [███████████░░░░░░░░░] HIGH
+```
+
+### Mode explain (details complets)
+```bash
+muaddib scan . --explain
+```
+
+Affiche pour chaque detection :
+- Rule ID
+- MITRE ATT&CK technique
+- References (articles, CVEs)
+- Playbook de reponse
+
+### Export
+```bash
+muaddib scan . --json > results.json     # JSON
+muaddib scan . --html rapport.html       # HTML
+muaddib scan . --sarif results.sarif     # SARIF (GitHub Security)
+```
+
+### Seuil de severite
+```bash
+muaddib scan . --fail-on critical  # Fail seulement sur CRITICAL
+muaddib scan . --fail-on high      # Fail sur HIGH et CRITICAL (defaut)
+muaddib scan . --fail-on medium    # Fail sur MEDIUM, HIGH, CRITICAL
+```
+
+### Webhook Discord/Slack
+```bash
+muaddib scan . --webhook "https://discord.com/api/webhooks/..."
+```
+
+Envoie une alerte avec le score et les menaces sur Discord ou Slack.
+
+### Surveillance temps reel
+```bash
+muaddib watch .
+```
+
+### Mode daemon
+```bash
+muaddib daemon
+muaddib daemon --webhook "https://discord.com/api/webhooks/..."
+```
+
+Surveille automatiquement tous les `npm install` et scanne les nouveaux packages.
+
+### Mise a jour des IOCs
+```bash
+muaddib update
+```
+
+---
+
+## Features
+
+### Detection typosquatting
+
+MUAD'DIB detecte les packages dont le nom ressemble a un package populaire :
+```
+[HIGH] Package "lodahs" ressemble a "lodash" (swapped_chars). Possible typosquatting.
+```
+
+### Analyse dataflow
+
+Detecte quand du code lit des credentials ET les envoie sur le reseau :
+```
+[CRITICAL] Flux suspect: lecture credentials (readFileSync, GITHUB_TOKEN) + envoi reseau (fetch)
+```
+
+### Attaques detectees
+
+| Campagne | Packages | Status |
+|----------|----------|--------|
+| Shai-Hulud v1 | @ctrl/tinycolor, ng2-file-upload | Detecte |
+| Shai-Hulud v2 | @asyncapi/specs, posthog-node, kill-port | Detecte |
+| Shai-Hulud v3 | @vietmoney/react-big-calendar | Detecte |
+| event-stream (2018) | flatmap-stream, event-stream | Detecte |
+| eslint-scope (2018) | eslint-scope | Detecte |
+| Protestware | node-ipc, colors, faker | Detecte |
+| Typosquats | crossenv, mongose, babelcli | Detecte |
+
+### Techniques detectees
+
+| Technique | MITRE | Detection |
+|-----------|-------|-----------|
+| Vol credentials (.npmrc, .ssh) | T1552.001 | AST |
+| Exfiltration env vars | T1552.001 | AST |
+| Execution code distant | T1105 | Pattern |
+| Reverse shell | T1059.004 | Pattern |
+| Dead man's switch | T1485 | Pattern |
+| Code obfusque | T1027 | Heuristiques |
+| Typosquatting | T1195.002 | Levenshtein |
+| Supply chain compromise | T1195.002 | IOC matching |
+
+---
+
+## VS Code
+
+L'extension VS Code scanne automatiquement vos projets npm.
+
+### Installation
+
+Le dossier `vscode-extension/` contient l'extension. Pour tester :
+
+1. Ouvrir le dossier `vscode-extension` dans VS Code
+2. Appuyer sur F5
+3. Dans la nouvelle fenetre, ouvrir un projet npm
+
+### Commandes
+
+- `MUAD'DIB: Scan Project` - Scanner tout le projet
+- `MUAD'DIB: Scan Current File` - Scanner le fichier actuel
+
+### Configuration
+
+- `muaddib.autoScan` - Scanner automatiquement a l'ouverture (defaut: true)
+- `muaddib.webhookUrl` - URL webhook Discord/Slack
+- `muaddib.failLevel` - Niveau d'alerte (critical/high/medium/low)
+
+---
+
+## Integration CI/CD
+
+### GitHub Actions
+```yaml
+name: Security Scan
+
+on: [push, pull_request]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - run: npm install -g muaddib-scanner
+      - run: muaddib scan . --sarif results.sarif
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+```
+
+Les alertes apparaissent dans Security > Code scanning alerts.
+
+---
+
+## Discord
+
+Rejoignez le serveur Discord pour :
+- Recevoir les alertes de scan
+- Partager des IOCs
+- Contribuer au projet
+
+---
+
+## Architecture
+```
+MUAD'DIB Scanner
+|
++-- IOC Match (YAML DB)
++-- AST Parse (acorn)
++-- Pattern Matching (shell, scripts)
++-- Typosquat Detection (Levenshtein)
+|
+v
+Dataflow Analysis (credential read -> network send)
+|
+v
+Threat Enrichment (rules, MITRE ATT&CK, playbooks)
+|
+v
+Output (CLI, JSON, HTML, SARIF, Webhook)
+```
+
+---
+
+## Contribuer
+
+### Ajouter des IOCs
+
+Editez les fichiers YAML dans `iocs/` :
+```yaml
+- id: NEW-MALWARE-001
+  name: "malicious-package"
+  version: "*"
+  severity: critical
+  confidence: high
+  source: community
+  description: "Description de la menace"
+  references:
+    - https://example.com/article
+  mitre: T1195.002
+```
+
+### Developper
+```bash
+git clone https://github.com/DNSZLSK/muad-dib.git
+cd muad-dib
+npm install
+npm test
+```
+
+## Communaute
+
+- Discord: https://discord.gg/y8zxSmue
+- Issues: https://github.com/DNSZLSK/muad-dib/issues
+
+---
+
+## Documentation
+
+- [Threat Model](docs/threat-model.md) - Ce que MUAD'DIB detecte et ne detecte pas
+- [IOCs YAML](iocs/) - Base de donnees des menaces
+
+---
+
+## Licence
+
+MIT
+
+---
+
+<p align="center">
+  <strong>The spice must flow. The worms must die.</strong>
+</p>