muaddib-scanner 1.0.9 → 1.0.11

package/.muaddib-cache/iocs.json

@@ -0,0 +1,355 @@
+{
+  "packages": [
+    {
+      "name": "@ctrl/tinycolor",
+      "version": "4.1.1",
+      "source": "shai-hulud-v1"
+    },
+    {
+      "name": "ng2-file-upload",
+      "version": "*",
+      "source": "shai-hulud-v1"
+    },
+    {
+      "name": "ngx-bootstrap",
+      "version": "*",
+      "source": "shai-hulud-v1"
+    },
+    {
+      "name": "@asyncapi/specs",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "@asyncapi/openapi-schema-parser",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "get-them-args",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "kill-port",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "shell-exec",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "posthog-node",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "posthog-js",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "@postman/tunnel-agent",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "@zapier/secret-scrubber",
+      "version": "*",
+      "source": "shai-hulud-v2"
+    },
+    {
+      "name": "@vietmoney/react-big-calendar",
+      "version": "0.26.2",
+      "source": "shai-hulud-v3"
+    },
+    {
+      "name": "flatmap-stream",
+      "version": "0.1.1",
+      "source": "event-stream-2018"
+    },
+    {
+      "name": "event-stream",
+      "version": "3.3.6",
+      "source": "event-stream-2018"
+    },
+    {
+      "name": "eslint-scope",
+      "version": "3.7.2",
+      "source": "eslint-scope-2018"
+    },
+    {
+      "name": "eslint-config-prettier",
+      "version": "8.10.1",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "eslint-config-prettier",
+      "version": "9.1.1",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "eslint-plugin-prettier",
+      "version": "4.2.2",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "synckit",
+      "version": "0.11.9",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "@pkgr/core",
+      "version": "0.2.8",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "napi-postinstall",
+      "version": "0.3.1",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "got-fetch",
+      "version": "5.1.11",
+      "source": "eslint-prettier-2025"
+    },
+    {
+      "name": "is",
+      "version": "3.3.1",
+      "source": "is-package-2025"
+    },
+    {
+      "name": "is",
+      "version": "5.0.0",
+      "source": "is-package-2025"
+    },
+    {
+      "name": "crossenv",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "cross-env.js",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "mongose",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "mssql.js",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "mssql-node",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "babelcli",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "http-proxy.js",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "proxy.js",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "shadowsock",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "smb",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "nodesass",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "node-sass.js",
+      "version": "*",
+      "source": "typosquat"
+    },
+    {
+      "name": "node-ipc",
+      "version": "10.1.1",
+      "source": "protestware"
+    },
+    {
+      "name": "node-ipc",
+      "version": "10.1.2",
+      "source": "protestware"
+    },
+    {
+      "name": "node-ipc",
+      "version": "10.1.3",
+      "source": "protestware"
+    },
+    {
+      "name": "colors",
+      "version": "1.4.1",
+      "source": "protestware"
+    },
+    {
+      "name": "colors",
+      "version": "1.4.2",
+      "source": "protestware"
+    },
+    {
+      "name": "faker",
+      "version": "6.6.6",
+      "source": "protestware"
+    },
+    {
+      "name": "ua-parser-js",
+      "version": "0.7.29",
+      "source": "community",
+      "description": "Compromis octobre 2021 - crypto miner"
+    },
+    {
+      "name": "coa",
+      "version": "2.0.3",
+      "source": "community",
+      "description": "Compromis novembre 2021"
+    },
+    {
+      "name": "coa",
+      "version": "2.0.4",
+      "source": "community",
+      "description": "Compromis novembre 2021"
+    },
+    {
+      "name": "rc",
+      "version": "1.2.9",
+      "source": "community",
+      "description": "Compromis novembre 2021"
+    },
+    {
+      "name": "rc",
+      "version": "1.3.9",
+      "source": "community",
+      "description": "Compromis novembre 2021"
+    },
+    {
+      "name": "left-pad",
+      "version": "*",
+      "source": "community",
+      "description": "Incident 2016 - supply chain"
+    },
+    {
+      "name": "lodash-merge",
+      "version": "*",
+      "source": "typosquat",
+      "description": "Typosquat de lodash.merge"
+    },
+    {
+      "name": "loadash",
+      "version": "*",
+      "source": "typosquat",
+      "description": "Typosquat de lodash"
+    },
+    {
+      "name": "electorn",
+      "version": "*",
+      "source": "typosquat",
+      "description": "Typosquat de electron"
+    },
+    {
+      "name": "discord.js-selfbot-v11",
+      "version": "*",
+      "source": "community",
+      "description": "Token stealer Discord"
+    },
+    {
+      "name": "discord-selfbot-tools",
+      "version": "*",
+      "source": "community",
+      "description": "Token stealer Discord"
+    },
+    {
+      "name": "discordsystem",
+      "version": "*",
+      "source": "community",
+      "description": "Token stealer Discord"
+    },
+    {
+      "name": "discord-lofy",
+      "version": "*",
+      "source": "community",
+      "description": "Token stealer Discord"
+    },
+    {
+      "name": "prerequests",
+      "version": "*",
+      "source": "typosquat",
+      "description": "Typosquat de prerequests"
+    },
+    {
+      "name": "requstes",
+      "version": "*",
+      "source": "typosquat",
+      "description": "Typosquat de requests"
+    }
+  ],
+  "files": [
+    "setup_bun.js",
+    "bun_environment.js",
+    "bundle.js",
+    "node-gyp.dll",
+    "preinstall.js",
+    "postinstall.js",
+    "install.js",
+    "discord-webhook.js",
+    "token-grabber.js",
+    "stealer.js",
+    "inject.js"
+  ],
+  "hashes": [
+    "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0",
+    "cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd",
+    "f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068",
+    "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a",
+    "f1df4896244500671eb4aa63ebb48ea11cee196fafaa0e9874e17b24ac053c02",
+    "9d59fd0bcc14b671079824c704575f201b74276238dc07a9c12a93a84195648a",
+    "e0250076c1d2ac38777ea8f542431daf61fcbaab0ca9c196614b28065ef5b918",
+    "6c9628f72d2bb789fe8f097a611d61c8c53f2f21e47c6a5d8d3e0e0b8e5e8c8f",
+    "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
+    "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db",
+    "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",
+    "b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777",
+    "dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c",
+    "8f3c4e2a1b5d6c7e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e",
+    "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b"
+  ],
+  "markers": [
+    "Sha1-Hulud",
+    "Shai-Hulud",
+    "The Second Coming",
+    "Goldox-T3chs",
+    "Only Happy Girl",
+    "peacenotwar",
+    "protestware",
+    "/dev/tcp",
+    "reverse shell",
+    "discord.com/api/webhooks",
+    "token grabber",
+    "crypto miner",
+    "xmrig"
+  ],
+  "updated": "2026-01-02T09:21:30.216Z"
+}

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.0.9",
+  "version": "1.0.11",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {
-    "muaddib": "./bin/muaddib.js"
+    "muaddib": "bin/muaddib.js"
   },
   "scripts": {
     "test": "node tests/run-tests.js",
@@ -26,7 +26,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/DNSZLSK/muad-dib.git"
+    "url": "git+https://github.com/DNSZLSK/muad-dib.git"
   },
   "homepage": "https://github.com/DNSZLSK/muad-dib",
   "bugs": {

package/rapport.html

@@ -0,0 +1,159 @@
+<!DOCTYPE html>
+<html lang="fr">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>MUAD'DIB - Rapport de scan</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: #1a1a2e;
+      color: #eee;
+      margin: 0;
+      padding: 20px;
+    }
+    .container {
+      max-width: 1200px;
+      margin: 0 auto;
+    }
+    h1 {
+      color: #e94560;
+      border-bottom: 2px solid #e94560;
+      padding-bottom: 10px;
+    }
+    .summary {
+      display: flex;
+      gap: 20px;
+      margin: 20px 0;
+    }
+    .summary-card {
+      background: #16213e;
+      padding: 20px;
+      border-radius: 8px;
+      flex: 1;
+    }
+    .summary-card h3 {
+      margin: 0 0 10px 0;
+      color: #888;
+      font-size: 14px;
+    }
+    .summary-card .value {
+      font-size: 32px;
+      font-weight: bold;
+    }
+    .critical .value { color: #e94560; }
+    .high .value { color: #ff6b35; }
+    .medium .value { color: #f9c74f; }
+    .total .value { color: #4ecdc4; }
+    table {
+      width: 100%;
+      border-collapse: collapse;
+      margin-top: 20px;
+    }
+    th, td {
+      padding: 12px;
+      text-align: left;
+      border-bottom: 1px solid #333;
+    }
+    th {
+      background: #16213e;
+      color: #e94560;
+    }
+    tr.critical { background: rgba(233, 69, 96, 0.2); }
+    tr.high { background: rgba(255, 107, 53, 0.2); }
+    tr.medium { background: rgba(249, 199, 79, 0.1); }
+    .meta {
+      color: #666;
+      font-size: 12px;
+      margin-top: 40px;
+    }
+    .ok {
+      background: #16213e;
+      padding: 40px;
+      border-radius: 8px;
+      text-align: center;
+      color: #4ecdc4;
+      font-size: 24px;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>MUAD'DIB - Rapport de scan</h1>
+    
+    <div class="summary">
+      <div class="summary-card total">
+        <h3>TOTAL</h3>
+        <div class="value">4</div>
+      </div>
+      <div class="summary-card critical">
+        <h3>CRITICAL</h3>
+        <div class="value">0</div>
+      </div>
+      <div class="summary-card high">
+        <h3>HIGH</h3>
+        <div class="value">3</div>
+      </div>
+      <div class="summary-card medium">
+        <h3>MEDIUM</h3>
+        <div class="value">1</div>
+      </div>
+    </div>
+
+    
+    <table>
+      <thead>
+        <tr>
+          <th>Severite</th>
+          <th>Type</th>
+          <th>Message</th>
+          <th>Fichier</th>
+          <th>Recommandation</th>
+        </tr>
+      </thead>
+      <tbody>
+        
+    <tr class="high">
+      <td>HIGH</td>
+      <td>sensitive_string</td>
+      <td>Reference a ".npmrc" detectee.</td>
+      <td>malicious.js</td>
+      <td>Reference a un chemin ou identifiant sensible. Verifier le contexte d'utilisation.</td>
+    </tr>
+  
+    <tr class="high">
+      <td>HIGH</td>
+      <td>env_access</td>
+      <td>Acces a variable sensible process.env.GITHUB_TOKEN.</td>
+      <td>malicious.js</td>
+      <td>Acces a une variable d'environnement sensible. Verifier si les donnees sont exfiltrees.</td>
+    </tr>
+  
+    <tr class="high">
+      <td>HIGH</td>
+      <td>sensitive_string</td>
+      <td>Reference a "api.github.com" detectee.</td>
+      <td>malicious.js</td>
+      <td>Reference a un chemin ou identifiant sensible. Verifier le contexte d'utilisation.</td>
+    </tr>
+  
+    <tr class="medium">
+      <td>MEDIUM</td>
+      <td>dangerous_call_exec</td>
+      <td>Appel dangereux "exec" detecte.</td>
+      <td>malicious.js</td>
+      <td>Execution de commande systeme. Verifier les arguments passes.</td>
+    </tr>
+  
+      </tbody>
+    </table>
+    
+
+    <div class="meta">
+      <p>Cible: test/samples</p>
+      <p>Date: 2026-01-01T20:11:35.775Z</p>
+      <p>Genere par MUAD'DIB</p>
+    </div>
+  </div>
+</body>
+</html>

package/src/scanner/ast.js

@@ -11,29 +11,32 @@ const EXCLUDED_FILES = [
   'src/response/playbooks.js'
 ];
 
-const EXCLUDED_DIRS = ['test', 'tests', 'node_modules', '.git', 'src', 'vscode-extension'];
+const EXCLUDED_DIRS = [
+  'test', 'tests', 'node_modules', '.git', 'src', 'vscode-extension',
+  'scripts', 'bin', 'tools', 'build', 'dist', 'fixtures', 'examples',
+  '__tests__', '__mocks__', 'benchmark', 'benchmarks', 'docs', 'doc'
+];
 
 const DANGEROUS_CALLS = [
   'eval',
-  'Function',
-  'exec',
-  'execSync',
-  'spawn',
-  'spawnSync'
+  'Function'
 ];
 
 const SENSITIVE_STRINGS = [
   '.npmrc',
   '.ssh',
-  'GITHUB_TOKEN',
-  'NPM_TOKEN',
-  'AWS_SECRET',
-  'api.github.com',
   'Shai-Hulud',
   'The Second Coming',
   'Goldox-T3chs'
 ];
 
+// Strings qui ne sont PAS suspects
+const SAFE_STRINGS = [
+  'api.github.com',
+  'registry.npmjs.org',
+  'npmjs.com'
+];
+
 async function analyzeAST(targetPath) {
   const threats = [];
   const files = findJsFiles(targetPath);
@@ -45,6 +48,11 @@ async function analyzeAST(targetPath) {
       continue;
     }
     
+    // Ignorer les fichiers dans les dossiers de dev
+    if (isDevFile(relativePath)) {
+      continue;
+    }
+    
     const content = fs.readFileSync(file, 'utf8');
     const fileThreats = analyzeFile(content, file, targetPath);
     threats.push(...fileThreats);
@@ -53,6 +61,27 @@ async function analyzeAST(targetPath) {
   return threats;
 }
 
+function isDevFile(relativePath) {
+  const devPatterns = [
+    /^scripts\//,
+    /^bin\//,
+    /^tools\//,
+    /^build\//,
+    /^fixtures\//,
+    /^examples\//,
+    /^__tests__\//,
+    /^__mocks__\//,
+    /^benchmark/,
+    /^docs?\//,
+    /\.test\.js$/,
+    /\.spec\.js$/,
+    /test\.js$/,
+    /spec\.js$/
+  ];
+  
+  return devPatterns.some(pattern => pattern.test(relativePath));
+}
+
 function analyzeFile(content, filePath, basePath) {
   const threats = [];
   let ast;
@@ -64,7 +93,6 @@ function analyzeFile(content, filePath, basePath) {
       allowHashBang: true
     });
   } catch (e) {
-    // Fichier non parseable, peut etre obfusque
     if (content.length > 1000 && content.split('\n').length < 10) {
       threats.push({
         type: 'possible_obfuscation',
@@ -76,7 +104,6 @@ function analyzeFile(content, filePath, basePath) {
     return threats;
   }
 
-  // Analyse des appels de fonction
   walk.simple(ast, {
     CallExpression(node) {
       const callName = getCallName(node);
@@ -84,7 +111,7 @@ function analyzeFile(content, filePath, basePath) {
       if (DANGEROUS_CALLS.includes(callName)) {
         threats.push({
           type: 'dangerous_call_' + callName.toLowerCase(),
-          severity: callName === 'eval' ? 'HIGH' : 'MEDIUM',
+          severity: 'HIGH',
           message: `Appel dangereux "${callName}" detecte.`,
           file: path.relative(basePath, filePath)
         });
@@ -104,6 +131,11 @@ function analyzeFile(content, filePath, basePath) {
 
     Literal(node) {
       if (typeof node.value === 'string') {
+        // Ignorer les strings safe
+        if (SAFE_STRINGS.some(s => node.value.includes(s))) {
+          return;
+        }
+        
         for (const sensitive of SENSITIVE_STRINGS) {
           if (node.value.includes(sensitive)) {
             threats.push({
@@ -118,7 +150,6 @@ function analyzeFile(content, filePath, basePath) {
     },
 
     MemberExpression(node) {
-      // Detecte process.env.XXX
       if (
         node.object?.object?.name === 'process' &&
         node.object?.property?.name === 'env'