npm - muaddib-scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

muaddib-scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/.muaddib-cache/iocs.json +355 -0
package/package.json +3 -3
package/rapport.html +159 -0
package/src/scanner/ast.js +45 -14
package/src/scanner/dataflow.js +39 -11
package/src/scanner/typosquat.js +97 -140
package/.github/workflows/scan.yml +0 -33
package/CONTRIBUTING.md +0 -98
package/docs/threat-model.md +0 -116
package/test/samples/malicious.js +0 -20
package/tests/run-tests.js +0 -389
package/tests/samples/ast/malicious.js +0 -20
package/tests/samples/clean/safe.js +0 -14
package/tests/samples/dataflow/exfiltration.js +0 -20
package/tests/samples/edge/empty/empty.js +0 -0
package/tests/samples/edge/invalid-syntax/broken.js +0 -5
package/tests/samples/edge/large-file/large.js +0 -6
package/tests/samples/edge/non-js/readme.txt +0 -3
package/tests/samples/markers/shai-hulud.js +0 -10
package/tests/samples/obfuscation/obfuscated.js +0 -1
package/tests/samples/package/package.json +0 -9
package/tests/samples/shell/malicious.sh +0 -13
package/tests/samples/typosquat/package.json +0 -11
package/vscode-extension/.vscode/launch.json +0 -13
package/vscode-extension/.vscodeignore +0 -0
package/vscode-extension/LICENSE +0 -21
package/vscode-extension/README.md +0 -0
package/vscode-extension/extension.js +0 -271
package/vscode-extension/icon.png +0 -0
package/vscode-extension/muaddib-vscode-1.0.0.vsix +0 -0
package/vscode-extension/package.json +0 -69
package/vscode-extension/vscode-extension/README.md +0 -44
package/vscode-extension/vscode-extension/package.json +0 -64

package/src/scanner/dataflow.js CHANGED Viewed

@@ -3,13 +3,24 @@ const path = require('path');
 const acorn = require('acorn');
 const walk = require('acorn-walk');
-const EXCLUDED_DIRS = ['test', 'tests', 'node_modules', '.git', 'src', 'vscode-extension'];
+const EXCLUDED_DIRS = [
+  'test', 'tests', 'node_modules', '.git', 'src', 'vscode-extension',
+  'scripts', 'bin', 'tools', 'build', 'dist', 'fixtures', 'examples',
+  '__tests__', '__mocks__', 'benchmark', 'benchmarks', 'docs', 'doc'
+];
 async function analyzeDataFlow(targetPath) {
   const threats = [];
   const files = findJsFiles(targetPath);
   for (const file of files) {
+    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
+    // Ignorer les fichiers de dev/build/scripts
+    if (isDevFile(relativePath)) {
+      continue;
+    }
     const content = fs.readFileSync(file, 'utf8');
     const fileThreats = analyzeFile(content, file, targetPath);
     threats.push(...fileThreats);
@@ -18,6 +29,29 @@ async function analyzeDataFlow(targetPath) {
   return threats;
 }
+function isDevFile(relativePath) {
+  const devPatterns = [
+    /^scripts\//,
+    /^bin\//,
+    /^tools\//,
+    /^build\//,
+    /^fixtures\//,
+    /^examples\//,
+    /^__tests__\//,
+    /^__mocks__\//,
+    /^benchmark/,
+    /^docs?\//,
+    /^compiler\//,
+    /^packages\/.*\/scripts\//,
+    /\.test\.js$/,
+    /\.spec\.js$/,
+    /test\.js$/,
+    /spec\.js$/
+  ];
+  return devPatterns.some(pattern => pattern.test(relativePath));
+}
 function analyzeFile(content, filePath, basePath) {
   const threats = [];
   let ast;
@@ -32,15 +66,13 @@ function analyzeFile(content, filePath, basePath) {
     return threats;
   }
-  const sources = [];  // Ou les donnees sensibles sont lues
-  const sinks = [];    // Ou les donnees sont envoyees
+  const sources = [];
+  const sinks = [];
   walk.simple(ast, {
-    // Detecte les lectures de fichiers sensibles
     CallExpression(node) {
       const callName = getCallName(node);
-      // fs.readFileSync, fs.readFile
       if (callName === 'readFileSync' || callName === 'readFile') {
         const arg = node.arguments[0];
         if (arg && isCredentialPath(arg, content)) {
@@ -52,7 +84,6 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
-      // Detecte les envois reseau
       if (callName === 'request' || callName === 'fetch' || callName === 'post' || callName === 'get') {
         sinks.push({
           type: 'network_send',
@@ -61,7 +92,6 @@ function analyzeFile(content, filePath, basePath) {
         });
       }
-      // exec avec curl/wget
       if (callName === 'exec' || callName === 'execSync') {
         const arg = node.arguments[0];
         if (arg && arg.type === 'Literal' && typeof arg.value === 'string') {
@@ -76,7 +106,6 @@ function analyzeFile(content, filePath, basePath) {
       }
     },
-    // Detecte les acces process.env sensibles
     MemberExpression(node) {
       if (
         node.object?.object?.name === 'process' &&
@@ -94,7 +123,6 @@ function analyzeFile(content, filePath, basePath) {
     }
   });
-  // Si on a des sources ET des sinks = flux suspect
   if (sources.length > 0 && sinks.length > 0) {
     threats.push({
       type: 'suspicious_dataflow',
@@ -126,7 +154,6 @@ function isCredentialPath(arg, content) {
            val.includes('.gitconfig') ||
            val.includes('.env');
   }
-  // Verifie aussi les templates strings et concatenations
   if (arg.type === 'TemplateLiteral' || arg.type === 'BinaryExpression') {
     return content.includes('.npmrc') ||
            content.includes('.ssh') ||
@@ -136,7 +163,8 @@ function isCredentialPath(arg, content) {
 }
 function isSensitiveEnv(name) {
-  const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'GITHUB', 'AWS', 'AZURE', 'GCP'];
+  const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'AWS', 'AZURE', 'GCP'];
+  // Ignore GITHUB — trop de faux positifs dans les scripts de release
   return sensitive.some(s => name.toUpperCase().includes(s));
 }

package/src/scanner/typosquat.js CHANGED Viewed

@@ -7,57 +7,63 @@ const POPULAR_PACKAGES = [
   'request', 'async', 'bluebird', 'underscore', 'uuid', 'debug', 'mkdirp',
   'glob', 'minimist', 'webpack', 'babel-core', 'typescript', 'eslint',
   'prettier', 'jest', 'mocha', 'chai', 'sinon', 'mongoose', 'sequelize',
-  'mysql', 'pg', 'redis', 'mongodb', 'socket.io', 'express-session',
+  'redis', 'mongodb', 'socket.io', 'express-session',
   'body-parser', 'cookie-parser', 'cors', 'helmet', 'morgan', 'dotenv',
   'jsonwebtoken', 'bcrypt', 'passport', 'nodemailer', 'aws-sdk', 'stripe',
-  'twilio', 'firebase', 'graphql', 'apollo-server', 'next', 'nuxt',
-  'gatsby', 'vue', 'angular', 'svelte', 'electron', 'puppeteer', 'cheerio',
+  'twilio', 'firebase', 'graphql', 'apollo-server', 'nuxt',
+  'gatsby', 'angular', 'svelte', 'electron', 'puppeteer', 'cheerio',
   'sharp', 'jimp', 'canvas', 'pdf-lib', 'exceljs', 'csv-parser', 'xml2js',
-  'yaml', 'ini', 'config', 'yargs', 'inquirer', 'ora', 'chalk', 'colors',
-  'winston', 'bunyan', 'pino', 'log4js', 'ramda', 'rxjs', 'immutable',
-  'mobx', 'redux', 'zustand', 'formik', 'yup', 'joi', 'ajv', 'validator',
+  'yaml', 'config', 'yargs', 'colors',
+  'winston', 'bunyan', 'pino', 'log4js', 'ramda', 'immutable',
+  'mobx', 'redux', 'zustand', 'formik', 'yup', 'ajv', 'validator',
   'date-fns', 'dayjs', 'luxon', 'numeral', 'accounting', 'currency.js',
   'lodash-es', 'core-js', 'regenerator-runtime', 'tslib', 'classnames',
-  'prop-types', 'cross-env', 'npm', 'yarn', 'pnpm', 'node-fetch', 'got'
+  'prop-types', 'cross-env', 'node-fetch', 'got'
 ];
-// Packages legitimes qui ressemblent a des populaires mais sont OK
+// Packages legitimes courts ou qui ressemblent a des populaires
 const WHITELIST = [
-  'acorn',
-  'acorn-walk',
-  'js-yaml',
-  'cross-env',
-  'node-fetch',
-  'node-gyp',
-  'core-js',
-  'lodash-es',
-  'date-fns',
-  'ts-node',
-  'ts-jest',
-  'css-loader',
-  'style-loader',
-  'file-loader',
-  'url-loader',
-  'babel-loader',
-  'vue-loader',
-  'react-dom',
-  'react-router',
-  'react-redux',
-  'vue-router',
-  'express-session',
-  'body-parser',
-  'cookie-parser'
+  // Packages tres courts legitimes
+  'qs', 'pg', 'ms', 'ws', 'ip', 'on', 'is', 'it', 'to', 'or', 'fs', 'os',
+  'co', 'q', 'n', 'i', 'a', 'v', 'x', 'y', 'z',
+  'ejs', 'nyc', 'ini', 'joi', 'vue', 'npm', 'got', 'ora',
+  'vary', 'mime', 'send', 'etag', 'raw', 'tar', 'uid', 'cjs',
+  'rxjs', 'yarn', 'pnpm', 'next',
+  // Packages legitimes avec noms similaires
+  'acorn', 'acorn-walk', 'js-yaml', 'cross-env', 'node-fetch', 'node-gyp',
+  'core-js', 'lodash-es', 'date-fns', 'ts-node', 'ts-jest',
+  'css-loader', 'style-loader', 'file-loader', 'url-loader', 'babel-loader',
+  'vue-loader', 'react-dom', 'react-router', 'react-redux', 'vue-router',
+  'express-session', 'body-parser', 'cookie-parser',
+  // Packages Express.js communs
+  'accepts', 'array-flatten', 'content-disposition', 'content-type',
+  'depd', 'destroy', 'encodeurl', 'escape-html', 'fresh', 'merge-descriptors',
+  'methods', 'on-finished', 'parseurl', 'path-to-regexp', 'proxy-addr',
+  'range-parser', 'safe-buffer', 'safer-buffer', 'setprototypeof',
+  'statuses', 'type-is', 'unpipe', 'utils-merge',
+  // Packages CLI et outils legitimes
+  'jest-cli', 'prettier-2', 'prettier-1', 'eslint-cli',
+  'inquirer', 'enquirer', 'prompts',
+  'mysql2', 'pg-native', 'sqlite3', 'better-sqlite3',
+  'node-sass', 'sass', 'less',
+  'esbuild', 'rollup', 'parcel', 'vite',
+  'husky', 'lint-staged', 'commitlint',
+  'nodemon', 'pm2', 'forever', 'concurrently',
+  'lerna', 'turbo', 'nx',
+  'chalk', 'colors', 'picocolors', 'colorette',
+  'commander', 'yargs', 'meow', 'cac',
+  'execa', 'shelljs', 'cross-spawn',
+  'rimraf', 'del', 'trash-cli',
+  'globby', 'fast-glob', 'tiny-glob',
+  'chokidar', 'watchpack', 'nsfw',
+  'dotenv', 'dotenv-expand', 'env-cmd'
 ];
-// Techniques de typosquatting connues
-const TYPOSQUAT_PATTERNS = [
-  { type: 'missing_char', fn: (name) => generateMissingChar(name) },
-  { type: 'extra_char', fn: (name) => generateExtraChar(name) },
-  { type: 'swapped_chars', fn: (name) => generateSwappedChars(name) },
-  { type: 'wrong_char', fn: (name) => generateWrongChar(name) },
-  { type: 'hyphen_tricks', fn: (name) => generateHyphenTricks(name) },
-  { type: 'suffix_tricks', fn: (name) => generateSuffixTricks(name) }
-];
+// Seuil minimum de longueur pour eviter faux positifs
+const MIN_PACKAGE_LENGTH = 4;
 async function scanTyposquatting(targetPath) {
   const threats = [];
@@ -97,19 +103,30 @@ async function scanTyposquatting(targetPath) {
 }
 function findTyposquatMatch(name) {
+  const nameLower = name.toLowerCase();
   // Ignore les packages whitelistes
-  if (WHITELIST.includes(name)) return null;
+  if (WHITELIST.includes(nameLower)) return null;
   // Ignore les packages scoped (@org/package)
   if (name.startsWith('@')) return null;
+  // Ignore les packages tres courts (trop de faux positifs)
+  if (name.length < MIN_PACKAGE_LENGTH) return null;
+  // Ignore les packages avec suffixes legitimes courants
+  if (isLegitimateVariant(nameLower)) return null;
   for (const popular of POPULAR_PACKAGES) {
     // Ignore si c'est exactement le meme
-    if (name === popular) continue;
+    if (nameLower === popular.toLowerCase()) continue;
-    const distance = levenshteinDistance(name, popular);
+    // Ignore si le package populaire est trop court
+    if (popular.length < MIN_PACKAGE_LENGTH) continue;
+    const distance = levenshteinDistance(nameLower, popular.toLowerCase());
-    // Distance de 1 ou 2 = tres suspect
+    // Distance de 1 = tres suspect (une seule lettre de difference)
     if (distance === 1) {
       return {
         original: popular,
@@ -118,33 +135,53 @@ function findTyposquatMatch(name) {
       };
     }
-    // Distance de 2 avec nom court = suspect
-    if (distance === 2 && popular.length <= 6) {
+    // Distance de 2 seulement si le package est assez long (>= 8 chars)
+    if (distance === 2 && popular.length >= 8) {
       return {
         original: popular,
         type: detectTyposquatType(name, popular),
         distance: distance
       };
     }
-    // Verifie les tricks de suffixe
-    if (isSuffixTrick(name, popular)) {
-      return {
-        original: popular,
-        type: 'suffix_trick',
-        distance: distance
-      };
-    }
   }
   return null;
 }
+function isLegitimateVariant(name) {
+  // Suffixes legitimes qui ne sont PAS du typosquatting
+  const legitimateSuffixes = [
+    '-cli', '-core', '-utils', '-plugin', '-loader', '-webpack',
+    '-react', '-vue', '-angular', '-node', '-browser',
+    '-esm', '-cjs', '-umd',
+    '-types', '-typings',
+    '2', '3', '4', '5', // versions majeures (mysql2, etc)
+    '-v2', '-v3', '-next', '-latest', '-stable', '-lts'
+  ];
+  for (const suffix of legitimateSuffixes) {
+    if (name.endsWith(suffix)) return true;
+  }
+  // Prefixes legitimes
+  const legitimatePrefixes = [
+    '@types/', '@babel/', '@jest/', '@testing-library/',
+    'eslint-plugin-', 'eslint-config-',
+    'babel-plugin-', 'babel-preset-',
+    'webpack-plugin-', 'rollup-plugin-', 'vite-plugin-'
+  ];
+  for (const prefix of legitimatePrefixes) {
+    if (name.startsWith(prefix)) return true;
+  }
+  return false;
+}
 function detectTyposquatType(typo, original) {
   if (typo.length === original.length - 1) return 'missing_char';
   if (typo.length === original.length + 1) return 'extra_char';
   if (typo.length === original.length) {
-    // Verifie si swap
     let diffs = 0;
     for (let i = 0; i < typo.length; i++) {
       if (typo[i] !== original[i]) diffs++;
@@ -155,20 +192,6 @@ function detectTyposquatType(typo, original) {
   return 'unknown';
 }
-function isSuffixTrick(name, popular) {
-  const suffixes = ['-js', '.js', '-node', '-npm', '-cli', '-api', '-lib', '-pkg', '-dev', '-pro'];
-  for (const suffix of suffixes) {
-    if (name === popular + suffix) return true;
-    if (name === popular.replace('-', '') + suffix) return true;
-  }
-  // Verifie aussi les prefixes
-  const prefixes = ['node-', 'npm-', 'js-', 'get-', 'the-'];
-  for (const prefix of prefixes) {
-    if (name === prefix + popular) return true;
-  }
-  return false;
-}
 function levenshteinDistance(a, b) {
   const matrix = [];
@@ -186,9 +209,9 @@ function levenshteinDistance(a, b) {
         matrix[i][j] = matrix[i - 1][j - 1];
       } else {
         matrix[i][j] = Math.min(
-          matrix[i - 1][j - 1] + 1, // substitution
-          matrix[i][j - 1] + 1,     // insertion
-          matrix[i - 1][j] + 1      // deletion
+          matrix[i - 1][j - 1] + 1,
+          matrix[i][j - 1] + 1,
+          matrix[i - 1][j] + 1
         );
       }
     }
@@ -197,70 +220,4 @@ function levenshteinDistance(a, b) {
   return matrix[b.length][a.length];
 }
-// Generateurs pour tests (pas utilises dans le scan, mais utiles pour enrichir les IOCs)
-function generateMissingChar(name) {
-  const results = [];
-  for (let i = 0; i < name.length; i++) {
-    results.push(name.slice(0, i) + name.slice(i + 1));
-  }
-  return results;
-}
-function generateExtraChar(name) {
-  const results = [];
-  const chars = 'abcdefghijklmnopqrstuvwxyz0123456789-';
-  for (let i = 0; i <= name.length; i++) {
-    for (const char of chars) {
-      results.push(name.slice(0, i) + char + name.slice(i));
-    }
-  }
-  return results;
-}
-function generateSwappedChars(name) {
-  const results = [];
-  for (let i = 0; i < name.length - 1; i++) {
-    const arr = name.split('');
-    [arr[i], arr[i + 1]] = [arr[i + 1], arr[i]];
-    results.push(arr.join(''));
-  }
-  return results;
-}
-function generateWrongChar(name) {
-  const results = [];
-  const keyboard = {
-    'a': 'sqwz', 'b': 'vghn', 'c': 'xdfv', 'd': 'serfcx', 'e': 'wsdfr',
-    'f': 'drtgvc', 'g': 'ftyhbv', 'h': 'gyujnb', 'i': 'ujklo', 'j': 'huikmn',
-    'k': 'jiolm', 'l': 'kop', 'm': 'njk', 'n': 'bhjm', 'o': 'iklp',
-    'p': 'ol', 'q': 'wa', 'r': 'edft', 's': 'awedxz', 't': 'rfgy',
-    'u': 'yhji', 'v': 'cfgb', 'w': 'qase', 'x': 'zsdc', 'y': 'tghu', 'z': 'asx'
-  };
-  for (let i = 0; i < name.length; i++) {
-    const char = name[i].toLowerCase();
-    if (keyboard[char]) {
-      for (const replacement of keyboard[char]) {
-        results.push(name.slice(0, i) + replacement + name.slice(i + 1));
-      }
-    }
-  }
-  return results;
-}
-function generateHyphenTricks(name) {
-  const results = [];
-  // Ajouter des hyphens
-  for (let i = 1; i < name.length; i++) {
-    results.push(name.slice(0, i) + '-' + name.slice(i));
-  }
-  // Retirer des hyphens
-  results.push(name.replace(/-/g, ''));
-  return results;
-}
-function generateSuffixTricks(name) {
-  const suffixes = ['-js', '.js', '-node', '-npm', '-cli'];
-  return suffixes.map(s => name + s);
-}
 module.exports = { scanTyposquatting, levenshteinDistance };

package/.github/workflows/scan.yml DELETED Viewed

@@ -1,33 +0,0 @@
-name: MUADDIB Security Scan
-on:
-  push:
-    branches: [master, main]
-  pull_request:
-    branches: [master, main]
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-      contents: read
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-      - name: Install dependencies
-        run: npm install
-      - name: Run MUADDIB scan
-        run: node bin/muaddib.js scan . --sarif results.sarif || true
-      - name: Upload SARIF to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: results.sarif

package/CONTRIBUTING.md DELETED Viewed

@@ -1,98 +0,0 @@
-# Contributing to MUAD'DIB
-Thanks for your interest in improving MUAD'DIB!
-## Ways to contribute
-### 1. Add new IOCs (Indicators of Compromise)
-Edit `iocs/packages.yaml` and add:
-```yaml
-- id: MALWARE-XXX-001
-  name: "malicious-package-name"
-  version: "*"
-  severity: critical
-  confidence: high
-  source: your-name
-  description: "Short description of the threat"
-  references:
-    - https://link-to-blog-or-advisory
-  mitre: T1195.002
-```
-**Severity levels:** critical, high, medium, low
-**MITRE techniques:**
-- T1195.002 — Supply chain compromise
-- T1552.001 — Credentials in files
-- T1059 — Command execution
-- T1027 — Obfuscation
-- T1041 — Exfiltration
-### 2. Add detection rules
-Edit `src/rules/index.js` and add a new rule:
-```javascript
-my_new_rule: {
-  id: 'MUADDIB-XXX-001',
-  name: 'My New Detection',
-  severity: 'HIGH',
-  confidence: 'high',
-  description: 'What this rule detects',
-  references: ['https://...'],
-  mitre: 'T1195.002'
-}
-```
-### 3. Add response playbooks
-Edit `src/response/playbooks.js` and add:
-```javascript
-case 'my_new_rule':
-  return 'Step-by-step response instructions';
-```
-### 4. Report false positives
-Open an issue with:
-- Package name
-- Detection rule triggered
-- Why it's a false positive
-### 5. Report missed detections
-Open an issue with:
-- Malicious package name
-- What it does
-- Links to advisories
-## Development
-```bash
-git clone https://github.com/DNSZLSK/muad-dib.git
-cd muad-dib
-npm install
-npm test
-```
-## Testing your changes
-```bash
-node bin/muaddib.js scan tests/samples --explain
-```
-## Pull request process
-1. Fork the repo
-2. Create a branch (`git checkout -b feature/my-feature`)
-3. Make your changes
-4. Run tests (`npm test`)
-5. Commit (`git commit -m "Add my feature"`)
-6. Push (`git push origin feature/my-feature`)
-7. Open a Pull Request
-## Code of conduct
-Be respectful. We're all here to make npm safer.
-## Questions?
-Open an issue or join our Discord: https://discord.gg/y8zxSmue

package/docs/threat-model.md DELETED Viewed

@@ -1,116 +0,0 @@
-# MUAD'DIB Threat Model
-## Ce que MUAD'DIB detecte
-### Attaques Supply Chain npm
-| Technique | Detection | Confidence |
-|-----------|-----------|------------|
-| Packages malveillants connus | Hash SHA256 + nom | HIGH |
-| Shai-Hulud v1/v2/v3 | Marqueurs + fichiers + comportements | HIGH |
-| event-stream (2018) | Nom + version | HIGH |
-| Typosquatting | Liste de packages connus | MEDIUM |
-| Protestware (node-ipc, colors) | Nom + version | HIGH |
-### Comportements malveillants
-| Technique | Detection | Confidence |
-|-----------|-----------|------------|
-| Vol de credentials (.npmrc, .ssh) | Analyse AST | HIGH |
-| Exfiltration via env vars (GITHUB_TOKEN) | Analyse AST | HIGH |
-| Execution de code distant (curl \| sh) | Pattern matching | HIGH |
-| Reverse shell | Pattern matching | HIGH |
-| Dead man's switch (rm -rf $HOME) | Pattern matching | HIGH |
-| Code obfusque | Heuristiques | MEDIUM |
-### Flux de donnees suspects
-| Technique | Detection | Confidence |
-|-----------|-----------|------------|
-| Lecture credential + envoi reseau | Analyse dataflow | HIGH |
-| Acces process.env + fetch/request | Analyse dataflow | HIGH |
-## Ce que MUAD'DIB NE detecte PAS
-### Limitations connues
-| Technique | Raison |
-|-----------|--------|
-| Malware polymorphe | Pas d'analyse dynamique |
-| Obfuscation avancee | Heuristiques limitees |
-| Zero-day (packages inconnus) | Base IOC reactive |
-| Attaques via binaires natifs | Pas d'analyse binaire |
-| Backdoors subtiles | Pas de review de code semantique |
-| Time bombs (declenchement differe) | Pas d'analyse temporelle |
-### Faux negatifs potentiels
-- Code malveillant dans des fichiers non-JS (WASM, binaires)
-- Exfiltration via DNS ou autres canaux couverts
-- Malware qui detecte l'environnement d'analyse
-- Attaques multi-etapes avec payload distant
-## Hypotheses
-1. **Le code source est disponible** — MUAD'DIB analyse le code, pas les binaires
-2. **Les IOCs sont a jour** — La detection depend de la base IOC
-3. **L'attaquant utilise des techniques connues** — Zero-days passent a travers
-4. **Le scan est execute avant l'installation** — Apres `npm install`, c'est trop tard si preinstall a execute
-## Architecture de detection
-```
-┌─────────────────────────────────────────────────────────────┐
-│                      MUAD'DIB Scanner                        │
-├─────────────────────────────────────────────────────────────┤
-│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
-│  │  IOC Match  │  │  AST Parse  │  │  Pattern Matching   │  │
-│  │  (hashes,   │  │  (acorn)    │  │  (shell, scripts)   │  │
-│  │  packages)  │  │             │  │                     │  │
-│  └──────┬──────┘  └──────┬──────┘  └──────────┬──────────┘  │
-│         │                │                     │             │
-│         v                v                     v             │
-│  ┌─────────────────────────────────────────────────────────┐│
-│  │                   Dataflow Analysis                      ││
-│  │            (credential read -> network send)             ││
-│  └─────────────────────────────────────────────────────────┘│
-│         │                │                     │             │
-│         v                v                     v             │
-│  ┌─────────────────────────────────────────────────────────┐│
-│  │                   Threat Enrichment                      ││
-│  │         (rules, MITRE ATT&CK, playbooks)                 ││
-│  └─────────────────────────────────────────────────────────┘│
-└─────────────────────────────────────────────────────────────┘
-```
-## Mapping MITRE ATT&CK
-| Technique | ID | Detection MUAD'DIB |
-|-----------|----|--------------------|
-| Credentials in Files | T1552.001 | AST analysis |
-| Command and Scripting Interpreter | T1059 | Pattern matching |
-| Supply Chain Compromise | T1195.002 | IOC matching |
-| Obfuscated Files | T1027 | Heuristics |
-| Exfiltration Over C2 Channel | T1041 | Dataflow analysis |
-| Data Destruction | T1485 | Pattern matching |
-| Ingress Tool Transfer | T1105 | Pattern matching |
-## Recommandations
-### Pour les utilisateurs
-1. Executer `muaddib scan .` AVANT `npm install`
-2. Mettre a jour les IOCs regulierement (`muaddib update`)
-3. Utiliser le mode `--explain` pour comprendre les detections
-4. Integrer dans CI/CD avec sortie SARIF
-### Pour les equipes securite
-1. Completer avec une analyse dynamique (sandbox)
-2. Monitorer les nouveaux packages avant adoption
-3. Utiliser `--sarif` pour integration SIEM
-4. Contribuer des IOCs via PR sur le repo
-## Contacts
-- Repository: https://github.com/DNSZLSK/muad-dib
-- Issues: https://github.com/DNSZLSK/muad-dib/issues