muaddib-scanner 1.0.8 → 1.0.10

package/rapport.html

@@ -0,0 +1,159 @@
+<!DOCTYPE html>
+<html lang="fr">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>MUAD'DIB - Rapport de scan</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: #1a1a2e;
+      color: #eee;
+      margin: 0;
+      padding: 20px;
+    }
+    .container {
+      max-width: 1200px;
+      margin: 0 auto;
+    }
+    h1 {
+      color: #e94560;
+      border-bottom: 2px solid #e94560;
+      padding-bottom: 10px;
+    }
+    .summary {
+      display: flex;
+      gap: 20px;
+      margin: 20px 0;
+    }
+    .summary-card {
+      background: #16213e;
+      padding: 20px;
+      border-radius: 8px;
+      flex: 1;
+    }
+    .summary-card h3 {
+      margin: 0 0 10px 0;
+      color: #888;
+      font-size: 14px;
+    }
+    .summary-card .value {
+      font-size: 32px;
+      font-weight: bold;
+    }
+    .critical .value { color: #e94560; }
+    .high .value { color: #ff6b35; }
+    .medium .value { color: #f9c74f; }
+    .total .value { color: #4ecdc4; }
+    table {
+      width: 100%;
+      border-collapse: collapse;
+      margin-top: 20px;
+    }
+    th, td {
+      padding: 12px;
+      text-align: left;
+      border-bottom: 1px solid #333;
+    }
+    th {
+      background: #16213e;
+      color: #e94560;
+    }
+    tr.critical { background: rgba(233, 69, 96, 0.2); }
+    tr.high { background: rgba(255, 107, 53, 0.2); }
+    tr.medium { background: rgba(249, 199, 79, 0.1); }
+    .meta {
+      color: #666;
+      font-size: 12px;
+      margin-top: 40px;
+    }
+    .ok {
+      background: #16213e;
+      padding: 40px;
+      border-radius: 8px;
+      text-align: center;
+      color: #4ecdc4;
+      font-size: 24px;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>MUAD'DIB - Rapport de scan</h1>
+    
+    <div class="summary">
+      <div class="summary-card total">
+        <h3>TOTAL</h3>
+        <div class="value">4</div>
+      </div>
+      <div class="summary-card critical">
+        <h3>CRITICAL</h3>
+        <div class="value">0</div>
+      </div>
+      <div class="summary-card high">
+        <h3>HIGH</h3>
+        <div class="value">3</div>
+      </div>
+      <div class="summary-card medium">
+        <h3>MEDIUM</h3>
+        <div class="value">1</div>
+      </div>
+    </div>
+
+    
+    <table>
+      <thead>
+        <tr>
+          <th>Severite</th>
+          <th>Type</th>
+          <th>Message</th>
+          <th>Fichier</th>
+          <th>Recommandation</th>
+        </tr>
+      </thead>
+      <tbody>
+        
+    <tr class="high">
+      <td>HIGH</td>
+      <td>sensitive_string</td>
+      <td>Reference a ".npmrc" detectee.</td>
+      <td>malicious.js</td>
+      <td>Reference a un chemin ou identifiant sensible. Verifier le contexte d'utilisation.</td>
+    </tr>
+  
+    <tr class="high">
+      <td>HIGH</td>
+      <td>env_access</td>
+      <td>Acces a variable sensible process.env.GITHUB_TOKEN.</td>
+      <td>malicious.js</td>
+      <td>Acces a une variable d'environnement sensible. Verifier si les donnees sont exfiltrees.</td>
+    </tr>
+  
+    <tr class="high">
+      <td>HIGH</td>
+      <td>sensitive_string</td>
+      <td>Reference a "api.github.com" detectee.</td>
+      <td>malicious.js</td>
+      <td>Reference a un chemin ou identifiant sensible. Verifier le contexte d'utilisation.</td>
+    </tr>
+  
+    <tr class="medium">
+      <td>MEDIUM</td>
+      <td>dangerous_call_exec</td>
+      <td>Appel dangereux "exec" detecte.</td>
+      <td>malicious.js</td>
+      <td>Execution de commande systeme. Verifier les arguments passes.</td>
+    </tr>
+  
+      </tbody>
+    </table>
+    
+
+    <div class="meta">
+      <p>Cible: test/samples</p>
+      <p>Date: 2026-01-01T20:11:35.775Z</p>
+      <p>Genere par MUAD'DIB</p>
+    </div>
+  </div>
+</body>
+</html>

package/src/index.js

@@ -6,11 +6,64 @@ const { scanDependencies } = require('./scanner/dependencies.js');
 const { scanHashes } = require('./scanner/hash.js');
 const { analyzeDataFlow } = require('./scanner/dataflow.js');
 const { getPlaybook } = require('./response/playbooks.js');
-const { getRule } = require('./rules/index.js');
+const { getRule, PARANOID_RULES } = require('./rules/index.js');
 const { saveReport } = require('./report.js');
 const { saveSARIF } = require('./sarif.js');
 const { scanTyposquatting } = require('./scanner/typosquat.js');
 const { sendWebhook } = require('./webhook.js');
+const fs = require('fs');
+const path = require('path');
+
+// Scan paranoid mode
+function scanParanoid(targetPath) {
+  const threats = [];
+  
+  function scanFile(filePath) {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      
+      for (const [ruleKey, rule] of Object.entries(PARANOID_RULES)) {
+        for (const pattern of rule.patterns) {
+          if (content.includes(pattern)) {
+            threats.push({
+              type: rule.id,
+              severity: rule.severity.toUpperCase(),
+              message: `${rule.message}: "${pattern}"`,
+              file: path.relative(targetPath, filePath),
+              mitre: rule.mitre
+            });
+          }
+        }
+      }
+    } catch (e) {
+      // Ignore read errors
+    }
+  }
+  
+  function walkDir(dir) {
+    const excluded = ['node_modules', '.git', 'test', 'tests', 'src', 'vscode-extension'];
+    try {
+      const files = fs.readdirSync(dir);
+      for (const file of files) {
+        const fullPath = path.join(dir, file);
+        const stat = fs.statSync(fullPath);
+        
+        if (stat.isDirectory()) {
+          if (!excluded.includes(file)) {
+            walkDir(fullPath);
+          }
+        } else if (file.endsWith('.js') || file.endsWith('.json') || file.endsWith('.sh')) {
+          scanFile(fullPath);
+        }
+      }
+    } catch (e) {
+      // Ignore walk errors
+    }
+  }
+  
+  walkDir(targetPath);
+  return threats;
+}
 
 async function run(targetPath, options = {}) {
   const threats = [];
@@ -36,34 +89,40 @@ async function run(targetPath, options = {}) {
   const dataflowThreats = await analyzeDataFlow(targetPath);
   threats.push(...dataflowThreats);
 
-  // Scan typosquatting
   const typosquatThreats = await scanTyposquatting(targetPath);
   threats.push(...typosquatThreats);
 
+  // Paranoid mode
+  if (options.paranoid) {
+    console.log('[PARANOID] Mode ultra-strict active\n');
+    const paranoidThreats = scanParanoid(targetPath);
+    threats.push(...paranoidThreats);
+  }
+
   // Enrichir chaque menace avec les regles
   const enrichedThreats = threats.map(t => {
     const rule = getRule(t.type);
     return {
       ...t,
-      rule_id: rule.id,
-      rule_name: rule.name,
-      confidence: rule.confidence,
-      references: rule.references,
-      mitre: rule.mitre,
+      rule_id: rule.id || t.type,
+      rule_name: rule.name || t.type,
+      confidence: rule.confidence || 'medium',
+      references: rule.references || [],
+      mitre: t.mitre || rule.mitre,
       playbook: getPlaybook(t.type)
     };
   });
 
-// Calculer le score de risque (0-100)
+  // Calculer le score de risque (0-100)
   const criticalCount = threats.filter(t => t.severity === 'CRITICAL').length;
   const highCount = threats.filter(t => t.severity === 'HIGH').length;
   const mediumCount = threats.filter(t => t.severity === 'MEDIUM').length;
   
   let riskScore = 0;
-  riskScore += criticalCount * 25;  // CRITICAL = 25 points
-  riskScore += highCount * 10;       // HIGH = 10 points
-  riskScore += mediumCount * 3;      // MEDIUM = 3 points
-  riskScore = Math.min(100, riskScore); // Cap a 100
+  riskScore += criticalCount * 25;
+  riskScore += highCount * 10;
+  riskScore += mediumCount * 3;
+  riskScore = Math.min(100, riskScore);
 
   const riskLevel = riskScore >= 75 ? 'CRITICAL' 
                   : riskScore >= 50 ? 'HIGH'
@@ -125,11 +184,10 @@ async function run(targetPath, options = {}) {
       });
     }
   }
-// Sortie normale
+  // Sortie normale
   else {
     console.log(`\n[MUADDIB] Scan de ${targetPath}\n`);
 
-    // Afficher le score de risque
     const scoreBar = '█'.repeat(Math.floor(result.summary.riskScore / 5)) + '░'.repeat(20 - Math.floor(result.summary.riskScore / 5));
     console.log(`[SCORE] ${result.summary.riskScore}/100 [${scoreBar}] ${result.summary.riskLevel}\n`);
 
@@ -153,7 +211,7 @@ async function run(targetPath, options = {}) {
     }
   }
 
-// Envoyer webhook si configure
+  // Envoyer webhook si configure
   if (options.webhook) {
     try {
       await sendWebhook(options.webhook, result);

package/src/ioc/scraper.js

@@ -52,7 +52,6 @@ async function scrapeGitHubAdvisories() {
   const packages = [];
   
   try {
-    // Plusieurs pages
     for (let page = 1; page <= 5; page++) {
       const url = `https://api.github.com/advisories?ecosystem=npm&per_page=100&page=${page}`;
       const { status, data } = await fetchJSON(url);
@@ -97,7 +96,6 @@ async function scrapeOSV() {
   const packages = [];
   
   try {
-    // Query malware specifique
     const queries = [
       { package: { ecosystem: 'npm' }, query: 'malware' },
       { package: { ecosystem: 'npm' }, query: 'malicious' },
@@ -140,54 +138,24 @@ async function scrapeOSV() {
 }
 
 // ============================================
-// SOURCE 3: Snyk Vulnerability DB (publique)
-// ============================================
-async function scrapeSnyk() {
-  console.log('[SCRAPER] Snyk Vulnerability DB...');
-  const packages = [];
-  
-  // Packages malveillants connus de Snyk (liste statique car API payante)
-  const knownMalicious = [
-    'event-stream', 'flatmap-stream', 'eslint-scope', 'eslint-config-eslint',
-    'getcookies', 'mailparser', 'nodemailer', 'nodemailer-js', 'node-ipc',
-    'peacenotwar', 'colors', 'faker', 'ua-parser-js', 'rc', 'coa',
-    'pac-resolver', 'set-value', 'ansi-html', 'ini', 'y18n', 'node-notifier',
-    'trim', 'trim-newlines', 'glob-parent', 'is-svg', 'css-what', 'normalize-url',
-    'hosted-git-info', 'ssri', 'tar', 'path-parse', 'json-schema',
-    'underscore', 'handlebars', 'lodash', 'marked', 'minimist', 'kind-of'
-  ];
-  
-  // On ne les ajoute que s'ils ont des versions malveillantes specifiques
-  // Pour l'instant on skip car c'est trop de faux positifs
-  console.log(`[SCRAPER]   -> Skip (API payante)`);
-  
-  return packages;
-}
-
-// ============================================
-// SOURCE 4: Socket.dev (via leur blog/reports)
+// SOURCE 3: Socket.dev reports
 // ============================================
 async function scrapeSocketReports() {
   console.log('[SCRAPER] Socket.dev reports...');
   const packages = [];
   
-  // Packages malveillants reportes par Socket.dev
   const socketMalicious = [
-    // Shai-Hulud variants
     { name: '@pnpm.exe/pnpm', severity: 'critical', source: 'socket-shai-hulud' },
     { name: '@nicklason/npm', severity: 'critical', source: 'socket-shai-hulud' },
     { name: 'bb-builder', severity: 'critical', source: 'socket-shai-hulud' },
     { name: 'codespaces-blank', severity: 'critical', source: 'socket-shai-hulud' },
-    // Crypto stealers
     { name: 'crypto-browserify-aes', severity: 'critical', source: 'socket-crypto-stealer' },
     { name: 'eth-wallet-gen', severity: 'critical', source: 'socket-crypto-stealer' },
     { name: 'solana-wallet-tools', severity: 'critical', source: 'socket-crypto-stealer' },
-    // Discord token stealers
     { name: 'discord-selfbot-tools', severity: 'critical', source: 'socket-discord-stealer' },
     { name: 'discord-selfbot-v13', severity: 'critical', source: 'socket-discord-stealer' },
     { name: 'discord-token-grabber', severity: 'critical', source: 'socket-discord-stealer' },
     { name: 'discordbot-tokens', severity: 'critical', source: 'socket-discord-stealer' },
-    // Typosquats recents
     { name: 'electorn', severity: 'high', source: 'socket-typosquat' },
     { name: 'electrn', severity: 'high', source: 'socket-typosquat' },
     { name: 'reqeusts', severity: 'high', source: 'socket-typosquat' },
@@ -205,7 +173,6 @@ async function scrapeSocketReports() {
     { name: 'reactt', severity: 'high', source: 'socket-typosquat' },
     { name: 'chalks', severity: 'high', source: 'socket-typosquat' },
     { name: 'chalkk', severity: 'high', source: 'socket-typosquat' },
-    // Protestware
     { name: 'styled-components-native', severity: 'high', source: 'socket-protestware' },
     { name: 'es5-ext', severity: 'medium', source: 'socket-protestware' }
   ];
@@ -229,28 +196,22 @@ async function scrapeSocketReports() {
 }
 
 // ============================================
-// SOURCE 5: Phylum Research
+// SOURCE 4: Phylum Research
 // ============================================
 async function scrapePhylum() {
   console.log('[SCRAPER] Phylum Research...');
   const packages = [];
   
-  // Packages malveillants reportes par Phylum
   const phylumMalicious = [
-    // Shai-Hulud original
     { name: '@nicklason/npm-register', severity: 'critical' },
     { name: 'lemaaa', severity: 'critical' },
     { name: 'badshell', severity: 'critical' },
-    // Reverse shells
     { name: 'node-shell', severity: 'critical' },
     { name: 'reverse-shell-as-a-service', severity: 'critical' },
-    // Data exfiltration
     { name: 'browserify-sign-steal', severity: 'critical' },
     { name: 'npm-script-demo', severity: 'high' },
-    // Malware loaders
     { name: 'load-from-cwd-or-npm', severity: 'high' },
     { name: 'loadyaml-', severity: 'high' },
-    // Install scripts malicious
     { name: 'preinstall-script', severity: 'high' },
     { name: 'postinstall-script', severity: 'high' }
   ];
@@ -274,13 +235,12 @@ async function scrapePhylum() {
 }
 
 // ============================================
-// SOURCE 6: npm unpublished/removed packages
+// SOURCE 5: npm removed packages
 // ============================================
 async function scrapeNpmRemoved() {
   console.log('[SCRAPER] npm removed packages...');
   const packages = [];
   
-  // Packages retires de npm pour raisons de securite
   const removedPackages = [
     { name: 'event-stream', version: '3.3.6', reason: 'Malicious code injection' },
     { name: 'flatmap-stream', version: '0.1.1', reason: 'Bitcoin wallet stealer' },
@@ -314,13 +274,12 @@ async function scrapeNpmRemoved() {
 }
 
 // ============================================
-// SOURCE 7: Known typosquats generator
+// SOURCE 6: Typosquats generator
 // ============================================
 async function generateTyposquats() {
   console.log('[SCRAPER] Typosquats generation...');
   const packages = [];
   
-  // Top packages npm et leurs typosquats connus
   const typosquatMap = {
     'lodash': ['lodahs', 'lodasg', 'lodash-', '-lodash', 'lodas', 'lodashh'],
     'express': ['expres', 'expresss', 'exprees', 'exprss', 'exppress'],
@@ -364,6 +323,90 @@ async function generateTyposquats() {
   return packages;
 }
 
+// ============================================
+// SOURCE 7: AlienVault OTX
+// ============================================
+async function scrapeAlienVault() {
+  console.log('[SCRAPER] AlienVault OTX...');
+  const packages = [];
+  
+  try {
+    const searches = ['npm%20malware', 'nodejs%20malware', 'supply%20chain%20npm'];
+    
+    for (const search of searches) {
+      const url = `https://otx.alienvault.com/api/v1/search/pulses?q=${search}&limit=20`;
+      const { status, data } = await fetchJSON(url);
+      
+      if (status === 200 && data?.results) {
+        for (const pulse of data.results) {
+          if (pulse.indicators) {
+            for (const indicator of pulse.indicators) {
+              if (indicator.type === 'hostname' || indicator.type === 'domain' || indicator.type === 'FileHash-SHA256') {
+                const name = indicator.indicator;
+                // Filtre pour noms de packages npm potentiels
+                if (name && !name.includes('.') && !name.includes('/') && name.length > 2 && name.length < 50) {
+                  packages.push({
+                    id: `OTX-${pulse.id}-${name.slice(0, 20)}`,
+                    name: name,
+                    version: '*',
+                    severity: 'high',
+                    confidence: 'medium',
+                    source: 'alienvault-otx',
+                    description: (pulse.name || 'AlienVault OTX threat intelligence').slice(0, 200),
+                    references: [`https://otx.alienvault.com/pulse/${pulse.id}`],
+                    mitre: 'T1195.002'
+                  });
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+    
+    console.log(`[SCRAPER]   -> ${packages.length} packages trouves`);
+  } catch (e) {
+    console.log(`[SCRAPER]   -> Erreur: ${e.message}`);
+  }
+  
+  return packages;
+}
+
+// ============================================
+// SOURCE 8: Aikido Intel (leur feed public)
+// ============================================
+async function scrapeAikidoIntel() {
+  console.log('[SCRAPER] Aikido Intel...');
+  const packages = [];
+  
+  try {
+    const url = 'https://intel.aikido.dev/api/v1/malware?ecosystem=npm&limit=100';
+    const { status, data } = await fetchJSON(url);
+    
+    if (status === 200 && Array.isArray(data)) {
+      for (const pkg of data) {
+        packages.push({
+          id: `AIKIDO-${pkg.name || pkg.id}`,
+          name: pkg.name,
+          version: pkg.version || '*',
+          severity: pkg.severity || 'high',
+          confidence: 'high',
+          source: 'aikido-intel',
+          description: (pkg.description || 'Malware detected by Aikido Intel').slice(0, 200),
+          references: ['https://intel.aikido.dev'],
+          mitre: 'T1195.002'
+        });
+      }
+    }
+    
+    console.log(`[SCRAPER]   -> ${packages.length} packages trouves`);
+  } catch (e) {
+    console.log(`[SCRAPER]   -> Erreur: ${e.message}`);
+  }
+  
+  return packages;
+}
+
 // ============================================
 // MAIN SCRAPER
 // ============================================
@@ -372,7 +415,6 @@ async function runScraper() {
   console.log('║      MUAD\'DIB IOC Scraper                  ║');
   console.log('╚════════════════════════════════════════════╝\n');
   
-  // Charger les IOCs existants
   let existingIOCs = { packages: [], hashes: [], markers: [], files: [] };
   if (fs.existsSync(IOC_FILE)) {
     existingIOCs = JSON.parse(fs.readFileSync(IOC_FILE, 'utf8'));
@@ -381,17 +423,17 @@ async function runScraper() {
   const existingNames = new Set(existingIOCs.packages.map(p => p.name));
   const initialCount = existingIOCs.packages.length;
   
-  // Scraper toutes les sources
   const results = await Promise.all([
     scrapeGitHubAdvisories(),
     scrapeOSV(),
     scrapeSocketReports(),
     scrapePhylum(),
     scrapeNpmRemoved(),
-    generateTyposquats()
+    generateTyposquats(),
+    scrapeAlienVault(),
+    scrapeAikidoIntel()
   ]);
   
-  // Fusionner sans doublons
   let added = 0;
   for (const pkgList of results) {
     for (const pkg of pkgList) {
@@ -403,7 +445,6 @@ async function runScraper() {
     }
   }
   
-  // Sauvegarder
   fs.writeFileSync(IOC_FILE, JSON.stringify(existingIOCs, null, 2));
   
   console.log('\n╔════════════════════════════════════════════╗');

package/src/rules/index.js

@@ -207,4 +207,43 @@ function getRule(type) {
   };
 }
 
-module.exports = { RULES, getRule };
+// Paranoid rules (ultra-strict)
+const PARANOID_RULES = {
+  network_access: {
+    id: 'MUADDIB-PARANOID-001',
+    severity: 'HIGH',
+    patterns: ['fetch', 'axios', 'http.request', 'https.request', 'net.connect', 'XMLHttpRequest'],
+    message: 'Network access detected (paranoid mode)',
+    mitre: 'T1071'
+  },
+  sensitive_file_access: {
+    id: 'MUADDIB-PARANOID-002',
+    severity: 'HIGH',
+    patterns: ['.env', '.npmrc', '.ssh', '.git', 'id_rsa', 'credentials', 'secrets'],
+    message: 'Sensitive file access detected (paranoid mode)',
+    mitre: 'T1552.001'
+  },
+  dynamic_execution: {
+    id: 'MUADDIB-PARANOID-003',
+    severity: 'CRITICAL',
+    patterns: ['eval', 'Function', 'vm.runInContext'],
+    message: 'Dynamic code execution detected (paranoid mode)',
+    mitre: 'T1059'
+  },
+  subprocess: {
+    id: 'MUADDIB-PARANOID-004',
+    severity: 'CRITICAL',
+    patterns: ['child_process', 'spawn', 'exec', 'execSync', 'spawnSync', 'fork'],
+    message: 'Subprocess execution detected (paranoid mode)',
+    mitre: 'T1059.004'
+  },
+  env_access: {
+    id: 'MUADDIB-PARANOID-005',
+    severity: 'MEDIUM',
+    patterns: ['process.env'],
+    message: 'Environment variable access detected (paranoid mode)',
+    mitre: 'T1552.001'
+  }
+};
+
+module.exports = { RULES, getRule, PARANOID_RULES };