muaddib-scanner 1.0.8 → 1.0.10

package/README.md

@@ -5,57 +5,63 @@
 <h1 align="center">MUAD'DIB</h1>
 
 <p align="center">
-  <strong>Supply-chain threat detection & response for npm</strong>
+  <strong>Supply-chain threat detection and response for npm</strong>
 </p>
 
 <p align="center">
   <img src="https://img.shields.io/npm/v/muaddib-scanner" alt="npm version">
-  <img src="https://img.shields.io/npm/dt/muaddib-scanner" alt="npm downloads">
   <img src="https://img.shields.io/badge/license-MIT-green" alt="License">
   <img src="https://img.shields.io/badge/node-%3E%3D18-brightgreen" alt="Node">
+  <img src="https://img.shields.io/badge/IOCs-180%2B-red" alt="IOCs">
 </p>
 
 <p align="center">
   <a href="#installation">Installation</a> |
-  <a href="#utilisation">Utilisation</a> |
+  <a href="#usage">Usage</a> |
   <a href="#features">Features</a> |
   <a href="#vs-code">VS Code</a> |
-  <a href="#discord">Discord</a>
+  <a href="#ci-cd">CI/CD</a>
+</p>
+
+<p align="center">
+  <a href="README.fr.md">Version francaise</a>
 </p>
 
 ---
 
-## Pourquoi MUAD'DIB ?
+## Why MUAD'DIB?
 
-Les attaques supply chain npm explosent. Shai-Hulud a compromis 25K+ repos en 2025. Les outils existants detectent, mais n'aident pas a repondre.
+npm supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB detecte ET guide la reponse.
+MUAD'DIB detects AND guides your response.
 
-| Feature | MUAD'DIB | Socket | Snyk |
-|---------|----------|--------|------|
-| Detection IOCs | Oui | Oui | Oui |
-| Analyse AST | Oui | Oui | Non |
-| Analyse Dataflow | Oui | Non | Non |
-| Detection Typosquatting | Oui | Oui | Non |
-| Playbooks reponse | Oui | Non | Non |
-| Score de risque | Oui | Oui | Oui |
-| SARIF / GitHub Security | Oui | Oui | Oui |
-| MITRE ATT&CK mapping | Oui | Non | Non |
-| Webhook Discord/Slack | Oui | Non | Non |
-| Extension VS Code | Oui | Oui | Oui |
-| Mode daemon | Oui | Non | Non |
-| 100% Open Source | Oui | Non | Non |
+| Feature | MUAD'DIB | Socket | Snyk | Opengrep |
+|---------|----------|--------|------|----------|
+| IOC Detection | Yes | Yes | Yes | No |
+| AST Analysis | Yes | Yes | No | Yes |
+| Dataflow Analysis | Yes | No | No | No |
+| Typosquatting Detection | Yes | Yes | No | No |
+| Response Playbooks | Yes | No | No | No |
+| Risk Score | Yes | Yes | Yes | No |
+| SARIF / GitHub Security | Yes | Yes | Yes | Yes |
+| MITRE ATT&CK Mapping | Yes | No | No | No |
+| Discord/Slack Webhooks | Yes | No | No | No |
+| VS Code Extension | Yes | Yes | Yes | No |
+| Daemon Mode | Yes | No | No | No |
+| 100% Open Source | Yes | No | No | Yes |
 
 ---
 
 ## Installation
 
-### npm (recommande)
+### npm (recommended)
+
 ```bash
 npm install -g muaddib-scanner
 ```
 
-### Depuis les sources
+### From source
+
 ```bash
 git clone https://github.com/DNSZLSK/muad-dib.git
 cd muad-dib
@@ -64,111 +70,130 @@ npm install
 
 ---
 
-## Utilisation
+## Usage
+
+### Basic scan
 
-### Scan basique
 ```bash
 muaddib scan .
-muaddib scan /chemin/vers/projet
+muaddib scan /path/to/project
 ```
 
-### Score de risque
+### Risk score
+
+Each scan displays a 0-100 risk score:
 
-Chaque scan affiche un score de risque 0-100 :
 ```
 [SCORE] 58/100 [███████████░░░░░░░░░] HIGH
 ```
 
-### Mode explain (details complets)
+### Explain mode (full details)
+
 ```bash
 muaddib scan . --explain
 ```
 
-Affiche pour chaque detection :
+Shows for each detection:
 - Rule ID
 - MITRE ATT&CK technique
 - References (articles, CVEs)
-- Playbook de reponse
+- Response playbook
 
 ### Export
+
 ```bash
 muaddib scan . --json > results.json     # JSON
-muaddib scan . --html rapport.html       # HTML
+muaddib scan . --html report.html        # HTML
 muaddib scan . --sarif results.sarif     # SARIF (GitHub Security)
 ```
 
-### Seuil de severite
+### Severity threshold
+
 ```bash
-muaddib scan . --fail-on critical  # Fail seulement sur CRITICAL
-muaddib scan . --fail-on high      # Fail sur HIGH et CRITICAL (defaut)
-muaddib scan . --fail-on medium    # Fail sur MEDIUM, HIGH, CRITICAL
+muaddib scan . --fail-on critical  # Fail only on CRITICAL
+muaddib scan . --fail-on high      # Fail on HIGH and CRITICAL (default)
+muaddib scan . --fail-on medium    # Fail on MEDIUM, HIGH, CRITICAL
 ```
 
-### Webhook Discord/Slack
+### Discord/Slack webhook
+
 ```bash
 muaddib scan . --webhook "https://discord.com/api/webhooks/..."
 ```
 
-Envoie une alerte avec le score et les menaces sur Discord ou Slack.
+Sends an alert with score and threats to Discord or Slack.
+
+### Real-time monitoring
 
-### Surveillance temps reel
 ```bash
 muaddib watch .
 ```
 
-### Mode daemon
+### Daemon mode
+
 ```bash
 muaddib daemon
 muaddib daemon --webhook "https://discord.com/api/webhooks/..."
 ```
 
-Surveille automatiquement tous les `npm install` et scanne les nouveaux packages.
+Automatically monitors all `npm install` commands and scans new packages.
+
+### Update IOCs
 
-### Mise a jour des IOCs
 ```bash
 muaddib update
 ```
 
+### Scrape new IOCs
+
+```bash
+muaddib scrape
+```
+
+Fetches latest malicious packages from GitHub Advisories, OSV, and other sources.
+
 ---
 
 ## Features
 
-### Detection typosquatting
+### Typosquatting detection
+
+MUAD'DIB detects packages with names similar to popular packages:
 
-MUAD'DIB detecte les packages dont le nom ressemble a un package populaire :
 ```
-[HIGH] Package "lodahs" ressemble a "lodash" (swapped_chars). Possible typosquatting.
+[HIGH] Package "lodahs" looks like "lodash" (swapped_chars). Possible typosquatting.
 ```
 
-### Analyse dataflow
+### Dataflow analysis
+
+Detects when code reads credentials AND sends them over the network:
 
-Detecte quand du code lit des credentials ET les envoie sur le reseau :
 ```
-[CRITICAL] Flux suspect: lecture credentials (readFileSync, GITHUB_TOKEN) + envoi reseau (fetch)
+[CRITICAL] Suspicious flow: credential read (readFileSync, GITHUB_TOKEN) + network send (fetch)
 ```
 
-### Attaques detectees
+### Detected attacks
 
-| Campagne | Packages | Status |
+| Campaign | Packages | Status |
 |----------|----------|--------|
-| Shai-Hulud v1 | @ctrl/tinycolor, ng2-file-upload | Detecte |
-| Shai-Hulud v2 | @asyncapi/specs, posthog-node, kill-port | Detecte |
-| Shai-Hulud v3 | @vietmoney/react-big-calendar | Detecte |
-| event-stream (2018) | flatmap-stream, event-stream | Detecte |
-| eslint-scope (2018) | eslint-scope | Detecte |
-| Protestware | node-ipc, colors, faker | Detecte |
-| Typosquats | crossenv, mongose, babelcli | Detecte |
+| Shai-Hulud v1 | @ctrl/tinycolor, ng2-file-upload | Detected |
+| Shai-Hulud v2 | @asyncapi/specs, posthog-node, kill-port | Detected |
+| Shai-Hulud v3 | @vietmoney/react-big-calendar | Detected |
+| event-stream (2018) | flatmap-stream, event-stream | Detected |
+| eslint-scope (2018) | eslint-scope | Detected |
+| Protestware | node-ipc, colors, faker | Detected |
+| Typosquats | crossenv, mongose, babelcli | Detected |
 
-### Techniques detectees
+### Detected techniques
 
 | Technique | MITRE | Detection |
 |-----------|-------|-----------|
-| Vol credentials (.npmrc, .ssh) | T1552.001 | AST |
-| Exfiltration env vars | T1552.001 | AST |
-| Execution code distant | T1105 | Pattern |
+| Credential theft (.npmrc, .ssh) | T1552.001 | AST |
+| Env var exfiltration | T1552.001 | AST |
+| Remote code execution | T1105 | Pattern |
 | Reverse shell | T1059.004 | Pattern |
 | Dead man's switch | T1485 | Pattern |
-| Code obfusque | T1027 | Heuristiques |
+| Obfuscated code | T1027 | Heuristics |
 | Typosquatting | T1195.002 | Levenshtein |
 | Supply chain compromise | T1195.002 | IOC matching |
 
@@ -176,32 +201,33 @@ Detecte quand du code lit des credentials ET les envoie sur le reseau :
 
 ## VS Code
 
-L'extension VS Code scanne automatiquement vos projets npm.
+The VS Code extension automatically scans your npm projects.
 
 ### Installation
 
-Le dossier `vscode-extension/` contient l'extension. Pour tester :
+Search "MUAD'DIB" in VS Code Extensions, or:
 
-1. Ouvrir le dossier `vscode-extension` dans VS Code
-2. Appuyer sur F5
-3. Dans la nouvelle fenetre, ouvrir un projet npm
+```bash
+code --install-extension dnszlsk.muaddib-vscode
+```
 
-### Commandes
+### Commands
 
-- `MUAD'DIB: Scan Project` - Scanner tout le projet
-- `MUAD'DIB: Scan Current File` - Scanner le fichier actuel
+- `MUAD'DIB: Scan Project` - Scan entire project
+- `MUAD'DIB: Scan Current File` - Scan current file
 
-### Configuration
+### Settings
 
-- `muaddib.autoScan` - Scanner automatiquement a l'ouverture (defaut: true)
-- `muaddib.webhookUrl` - URL webhook Discord/Slack
-- `muaddib.failLevel` - Niveau d'alerte (critical/high/medium/low)
+- `muaddib.autoScan` - Auto-scan on project open (default: true)
+- `muaddib.webhookUrl` - Discord/Slack webhook URL
+- `muaddib.failLevel` - Alert level (critical/high/medium/low)
 
 ---
 
-## Integration CI/CD
+## CI/CD
 
 ### GitHub Actions
+
 ```yaml
 name: Security Scan
 
@@ -225,20 +251,12 @@ jobs:
           sarif_file: results.sarif
 ```
 
-Les alertes apparaissent dans Security > Code scanning alerts.
-
----
-
-## Discord
-
-Rejoignez le serveur Discord pour :
-- Recevoir les alertes de scan
-- Partager des IOCs
-- Contribuer au projet
+Alerts appear in Security > Code scanning alerts.
 
 ---
 
 ## Architecture
+
 ```
 MUAD'DIB Scanner
 |
@@ -259,11 +277,12 @@ Output (CLI, JSON, HTML, SARIF, Webhook)
 
 ---
 
-## Contribuer
+## Contributing
 
-### Ajouter des IOCs
+### Add IOCs
+
+Edit YAML files in `iocs/`:
 
-Editez les fichiers YAML dans `iocs/` :
 ```yaml
 - id: NEW-MALWARE-001
   name: "malicious-package"
@@ -271,13 +290,14 @@ Editez les fichiers YAML dans `iocs/` :
   severity: critical
   confidence: high
   source: community
-  description: "Description de la menace"
+  description: "Threat description"
   references:
     - https://example.com/article
   mitre: T1195.002
 ```
 
-### Developper
+### Development
+
 ```bash
 git clone https://github.com/DNSZLSK/muad-dib.git
 cd muad-dib
@@ -285,16 +305,21 @@ npm install
 npm test
 ```
 
+## Community
+
+- Discord: https://discord.gg/y8zxSmue
+- Issues: https://github.com/DNSZLSK/muad-dib/issues
+
 ---
 
 ## Documentation
 
-- [Threat Model](docs/threat-model.md) - Ce que MUAD'DIB detecte et ne detecte pas
-- [IOCs YAML](iocs/) - Base de donnees des menaces
+- [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
+- [IOCs YAML](iocs/) - Threat database
 
 ---
 
-## Licence
+## License
 
 MIT
 

package/bin/muaddib.js

@@ -17,6 +17,7 @@ let sarifOutput = null;
 let explainMode = false;
 let failLevel = 'high';
 let webhookUrl = null;
+let paranoidMode = false;
 
 for (let i = 0; i < options.length; i++) {
   if (options[i] === '--json') {
@@ -35,6 +36,8 @@ for (let i = 0; i < options.length; i++) {
   } else if (options[i] === '--webhook') {
     webhookUrl = options[i + 1];
     i++;
+  } else if (options[i] === '--paranoid') {
+    paranoidMode = true;
   } else if (!options[i].startsWith('-')) {
     target = options[i];
   }
@@ -42,24 +45,25 @@ for (let i = 0; i < options.length; i++) {
 
 if (!command) {
   console.log(`
-  MUAD'DIB - Chasseur de vers npm
+  MUAD'DIB - npm Supply Chain Threat Hunter
   
   Usage:
-    muaddib scan [path] [options]   Analyse un projet
-    muaddib watch [path]            Surveille un projet en temps reel
-    muaddib update                  Met a jour les IOCs
-    muaddib help                    Affiche l'aide
+    muaddib scan [path] [options]    Scan a project
+    muaddib watch [path]             Watch a project in real-time
+    muaddib daemon [options]         Start background daemon
+    muaddib update                   Update IOCs
+    muaddib scrape                   Scrape new IOCs from advisories
+    muaddib help                     Show help
   
   Options:
-    --json              Sortie au format JSON
-    --html [file]       Genere un rapport HTML
-    --sarif [file]      Genere un rapport SARIF (GitHub Security)
-    --explain           Affiche les details de chaque detection
-    --fail-on [level]   Niveau de severite pour exit code (critical|high|medium|low)
-                        Defaut: high (fail sur HIGH et CRITICAL)
-    --webhook [url]     Envoie une alerte Discord/Slack
-    muaddib daemon [options]        Lance le daemon de surveillance
-    muaddib scrape                  Scrape les advisories pour nouveaux IOCs
+    --json              Output as JSON
+    --html [file]       Generate HTML report
+    --sarif [file]      Generate SARIF report (GitHub Security)
+    --explain           Show detailed explanations
+    --fail-on [level]   Severity level for exit code (critical|high|medium|low)
+                        Default: high (fail on HIGH and CRITICAL)
+    --webhook [url]     Send Discord/Slack alert
+    --paranoid          Enable ultra-strict rules (more false positives)
   `);
   process.exit(0);
 }
@@ -71,7 +75,8 @@ if (command === 'scan') {
     sarif: sarifOutput,
     explain: explainMode,
     failLevel: failLevel,
-    webhook: webhookUrl
+    webhook: webhookUrl,
+    paranoid: paranoidMode
   }).then(exitCode => {
     process.exit(exitCode);
   });
@@ -81,24 +86,26 @@ if (command === 'scan') {
   updateIOCs().then(() => {
     process.exit(0);
   }).catch(err => {
-    console.error('[ERREUR]', err.message);
+    console.error('[ERROR]', err.message);
     process.exit(1);
   });
-} else if (command === 'help') {
-  console.log('muaddib scan [path] [--json] [--html file] [--sarif file] [--explain] [--fail-on level] [--webhook url]');
-  console.log('muaddib watch [path] - Surveille un projet en temps reel');
-  console.log('muaddib update - Met a jour les IOCs');
-} else if (command === 'daemon') {
-  startDaemon({ webhook: webhookUrl });
 } else if (command === 'scrape') {
   runScraper().then(result => {
-    console.log(`[OK] ${result.added} nouveaux IOCs ajoutes (total: ${result.total})`);
+    console.log(`[OK] ${result.added} new IOCs added (total: ${result.total})`);
     process.exit(0);
   }).catch(err => {
-    console.error('[ERREUR]', err.message);
+    console.error('[ERROR]', err.message);
     process.exit(1);
   });
+} else if (command === 'daemon') {
+  startDaemon({ webhook: webhookUrl });
+} else if (command === 'help') {
+  console.log('muaddib scan [path] [--json] [--html file] [--sarif file] [--explain] [--fail-on level] [--webhook url] [--paranoid]');
+  console.log('muaddib watch [path] - Watch a project in real-time');
+  console.log('muaddib daemon [--webhook url] - Start background daemon');
+  console.log('muaddib update - Update IOCs');
+  console.log('muaddib scrape - Scrape new IOCs');
 } else {
-  console.log(`Commande inconnue: ${command}`);
+  console.log(`Unknown command: ${command}`);
   process.exit(1);
-} 
+}

package/data/iocs.json

@@ -2142,6 +2142,34 @@
       "description": "Potential typosquat of \"socket.io\"",
       "references": [],
       "mitre": "T1195.002"
+    },
+    {
+      "id": "GHSA-gvq6-hvvp-h34h",
+      "name": "@adonisjs/bodyparser",
+      "version": "< 10.1.2",
+      "severity": "critical",
+      "confidence": "high",
+      "source": "github-advisory",
+      "description": "AdonisJS Path Traversal in Multipart File Handling",
+      "references": [
+        "https://github.com/advisories/GHSA-gvq6-hvvp-h34h"
+      ],
+      "mitre": "T1195.002",
+      "cve": "CVE-2026-21440"
+    },
+    {
+      "id": "GHSA-fq56-hvg6-wvm5",
+      "name": "signalk-server",
+      "version": "< 2.19.0",
+      "severity": "critical",
+      "confidence": "high",
+      "source": "github-advisory",
+      "description": "Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling",
+      "references": [
+        "https://github.com/advisories/GHSA-fq56-hvg6-wvm5"
+      ],
+      "mitre": "T1195.002",
+      "cve": "CVE-2025-68620"
     }
   ],
   "hashes": [

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.0.8",
+  "version": "1.0.10",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {
-    "muaddib": "./bin/muaddib.js"
+    "muaddib": "bin/muaddib.js"
   },
   "scripts": {
     "test": "node tests/run-tests.js",
@@ -26,7 +26,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/DNSZLSK/muad-dib.git"
+    "url": "git+https://github.com/DNSZLSK/muad-dib.git"
   },
   "homepage": "https://github.com/DNSZLSK/muad-dib",
   "bugs": {