muaddib-scanner 1.1.6 → 1.2.0

package/bin/muaddib.js

@@ -5,6 +5,7 @@ const { watch } = require('../src/watch.js');
 const { startDaemon } = require('../src/daemon.js');
 const { runScraper } = require('../src/ioc/scraper.js');
 const { safeInstall } = require('../src/safe-install.js');
+const { buildSandboxImage, runSandbox } = require('../src/sandbox.js');
 
 const args = process.argv.slice(2);
 const command = args[0];
@@ -65,6 +66,7 @@ async function interactiveMenu() {
       { name: 'Start daemon', value: 'daemon' },
       { name: 'Update IOCs', value: 'update' },
       { name: 'Scrape new IOCs', value: 'scrape' },
+      { name: 'Sandbox analysis', value: 'sandbox' },
       { name: 'Quit', value: 'quit' }
     ]
   });
@@ -151,6 +153,21 @@ async function interactiveMenu() {
     console.log(`[OK] ${result.added} new IOCs (total: ${result.total})`);
     process.exit(0);
   }
+
+  if (action === 'sandbox') {
+    const packageName = await input({
+      message: 'Package name to analyze:'
+    });
+    
+    if (!packageName.trim()) {
+      console.log('No package specified.');
+      process.exit(1);
+    }
+    
+    await buildSandboxImage();
+    const results = await runSandbox(packageName.trim());
+    process.exit(results.suspicious ? 1 : 0);
+  }
 }
 
 const helpText = `
@@ -164,6 +181,7 @@ const helpText = `
     muaddib daemon [options]         Start daemon
     muaddib update                   Update IOCs
     muaddib scrape                   Scrape new IOCs
+    muaddib sandbox <pkg>            Analyse un package dans un container Docker isole
     
   Options:
     --json              JSON output
@@ -238,7 +256,23 @@ if (!command || command === '--help' || command === '-h') {
   }).catch(err => {
     console.error('[ERROR]', err.message);
     process.exit(1);
-  });  
+  });
+} else if (command === 'sandbox') {
+  const packageName = options[0];
+  if (!packageName) {
+    console.log('Usage: muaddib sandbox <package-name>');
+    process.exit(1);
+  }
+  
+  buildSandboxImage()
+    .then(() => runSandbox(packageName))
+    .then((results) => {
+      process.exit(results.suspicious ? 1 : 0);
+    })
+    .catch((err) => {
+      console.error('[ERROR]', err.message);
+      process.exit(1);
+    });
 } else if (command === 'help') {
   console.log(helpText);
   process.exit(0);

package/data/iocs.json

@@ -1,6 +1,6 @@
 {
   "version": "1.1.0",
-  "updated": "2026-01-08T21:13:53.854Z",
+  "updated": "2026-01-10T12:17:04.991Z",
   "description": "IOCs communautaires MUAD'DIB - Contribuez via PR",
   "packages": [
     {

package/docker/Dockerfile

@@ -0,0 +1,19 @@
+FROM node:20-alpine
+
+# Outils de monitoring
+RUN apk add --no-cache strace curl tcpdump
+
+# User non-root
+RUN adduser -D sandboxuser
+
+# Dossier de travail avec bonnes permissions
+WORKDIR /sandbox
+RUN chown sandboxuser:sandboxuser /sandbox
+
+# Script d'analyse
+COPY sandbox-runner.sh /sandbox/
+RUN chmod +x /sandbox/sandbox-runner.sh
+
+USER sandboxuser
+
+ENTRYPOINT ["/sandbox/sandbox-runner.sh"]

package/docker/sandbox-runner.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+PACKAGE=$1
+
+echo "[SANDBOX] Installing $PACKAGE..."
+
+# Capturer les connexions réseau en background
+tcpdump -i any -w /tmp/network.pcap 2>/dev/null &
+TCPDUMP_PID=$!
+
+# Installer le package avec strace pour capturer les appels système
+strace -f -e trace=network,process,file -o /tmp/strace.log npm install "$PACKAGE" --ignore-scripts=false 2>&1
+
+# Arrêter tcpdump
+kill $TCPDUMP_PID 2>/dev/null
+
+# Analyser les résultats
+echo "[SANDBOX] === NETWORK CONNECTIONS ==="
+grep -E "connect|sendto" /tmp/strace.log | head -20
+
+echo "[SANDBOX] === PROCESS SPAWNS ==="
+grep -E "execve|clone" /tmp/strace.log | head -20
+
+echo "[SANDBOX] === FILE ACCESS ==="
+grep -E "openat.*npmrc|openat.*ssh|openat.*aws" /tmp/strace.log | head -20
+
+echo "[SANDBOX] Done."

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.1.6",
+  "version": "1.2.0",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -13,6 +13,7 @@ const { scanTyposquatting } = require('./scanner/typosquat.js');
 const { sendWebhook } = require('./webhook.js');
 const fs = require('fs');
 const path = require('path');
+const { scanGitHubActions } = require('./scanner/github-actions.js');
 
 // Scan paranoid mode
 function scanParanoid(targetPath) {
@@ -95,6 +96,9 @@ async function run(targetPath, options = {}) {
   const typosquatThreats = await scanTyposquatting(targetPath);
   threats.push(...typosquatThreats);
 
+  const ghActionsThreats = scanGitHubActions(targetPath);
+  threats.push(...ghActionsThreats);
+
   // Paranoid mode
   if (options.paranoid) {
     console.log('[PARANOID] Mode ultra-strict active\n');
@@ -215,7 +219,7 @@ async function run(targetPath, options = {}) {
   }
 
   // Envoyer webhook si configure
-  if (options.webhook) {
+  if (options.webhook && threats.length > 0) {
     try {
       await sendWebhook(options.webhook, result);
       console.log(`[OK] Alerte envoyee au webhook`);

package/src/ioc/feeds.js

@@ -15,7 +15,22 @@ const KNOWN_MALICIOUS_HASHES = [
 const SUSPICIOUS_REPO_MARKERS = [
   'Sha1-Hulud',
   'Shai-Hulud',
-  'The Second Coming'
+  'The Second Coming',
+  'The Continued Coming',
+  'F**K Guillermo',
+  'F**K VERCEL',
+  'SHA1HULUD',
+  'Only Happy Girl',
+  'Goldox-T3chs',
+  'Free AI at api.airforce'
+];
+
+const SUSPICIOUS_FILES = [
+  'setup_bun.js',
+  'bun_environment.js',
+  'bun_installer.js',
+  'environment_source.js',
+  '.github/workflows/discussion.yaml'
 ];
 
 function isKnownMalicious(packageName) {
@@ -32,11 +47,17 @@ function hasSuspiciousMarker(text) {
   );
 }
 
+function isSuspiciousFile(filename) {
+  return SUSPICIOUS_FILES.some(f => filename.includes(f));
+}
+
 module.exports = { 
   isKnownMalicious, 
   isKnownMaliciousHash, 
   hasSuspiciousMarker,
+  isSuspiciousFile,
   KNOWN_MALICIOUS_PACKAGES,
   KNOWN_MALICIOUS_HASHES,
-  SUSPICIOUS_REPO_MARKERS
+  SUSPICIOUS_REPO_MARKERS,
+  SUSPICIOUS_FILES
 };

package/src/sandbox.js

@@ -0,0 +1,154 @@
+const { spawn } = require('child_process');
+const path = require('path');
+
+const DOCKER_IMAGE = 'muaddib-sandbox';
+
+async function buildSandboxImage() {
+  console.log('[SANDBOX] Building Docker image...');
+  
+  return new Promise((resolve, reject) => {
+    const dockerfilePath = path.join(__dirname, '..', 'docker');
+    const proc = spawn('docker', ['build', '-t', DOCKER_IMAGE, dockerfilePath], {
+      stdio: 'inherit'
+    });
+    
+    proc.on('close', (code) => {
+      if (code === 0) {
+        console.log('[SANDBOX] Image built successfully.');
+        resolve();
+      } else {
+        reject(new Error(`Docker build failed with code ${code}`));
+      }
+    });
+    
+    proc.on('error', reject);
+  });
+}
+
+async function runSandbox(packageName) {
+  console.log(`\n[SANDBOX] Analyzing "${packageName}" in isolated container...\n`);
+  
+  const results = {
+    package: packageName,
+    timestamp: new Date().toISOString(),
+    network: [],
+    processes: [],
+    fileAccess: [],
+    suspicious: false,
+    threats: []
+  };
+  
+  return new Promise((resolve, reject) => {
+    const proc = spawn('docker', [
+      'run',
+      '--rm',
+      '--network=bridge',
+      '--memory=512m',
+      '--cpus=1',
+      '--pids-limit=100',
+      DOCKER_IMAGE,
+      packageName
+    ]);
+    
+    let output = '';
+    let currentSection = null;
+    
+    proc.stdout.on('data', (data) => {
+      const text = data.toString();
+      output += text;
+      process.stdout.write(text);
+      
+      // Parse sections
+      if (text.includes('=== NETWORK CONNECTIONS ===')) {
+        currentSection = 'network';
+      } else if (text.includes('=== PROCESS SPAWNS ===')) {
+        currentSection = 'processes';
+      } else if (text.includes('=== FILE ACCESS ===')) {
+        currentSection = 'fileAccess';
+      } else if (currentSection && text.trim()) {
+        results[currentSection].push(text.trim());
+      }
+    });
+    
+    proc.stderr.on('data', (data) => {
+      process.stderr.write(data);
+    });
+    
+    proc.on('close', (code) => {
+      // Analyze results
+      results.suspicious = analyzeResults(results);
+      
+      if (results.suspicious) {
+        console.log('\n[SANDBOX] ⚠️  SUSPICIOUS BEHAVIOR DETECTED!\n');
+        for (const threat of results.threats) {
+          console.log(`  [${threat.severity}] ${threat.message}`);
+        }
+      } else {
+        console.log('\n[SANDBOX] ✓ No suspicious behavior detected.\n');
+      }
+      
+      resolve(results);
+    });
+    
+    proc.on('error', (err) => {
+      if (err.message.includes('ENOENT')) {
+        reject(new Error('Docker not found. Please install Docker Desktop.'));
+      } else {
+        reject(err);
+      }
+    });
+  });
+}
+
+function analyzeResults(results) {
+  let suspicious = false;
+  
+  // Check for suspicious network connections
+  const suspiciousHosts = ['pastebin', 'discord.com/api/webhooks', 'ngrok', 'burpcollaborator'];
+  for (const conn of results.network) {
+    for (const host of suspiciousHosts) {
+      if (conn.toLowerCase().includes(host)) {
+        results.threats.push({
+          severity: 'CRITICAL',
+          type: 'suspicious_network',
+          message: `Connection to suspicious host: ${host}`
+        });
+        suspicious = true;
+      }
+    }
+  }
+  
+  // Check for credential file access
+  const sensitiveFiles = ['.npmrc', '.ssh', '.aws', '.gitconfig', '.env'];
+  for (const access of results.fileAccess) {
+    for (const file of sensitiveFiles) {
+      if (access.includes(file)) {
+        results.threats.push({
+          severity: 'HIGH',
+          type: 'credential_access',
+          message: `Access to sensitive file: ${file}`
+        });
+        suspicious = true;
+      }
+    }
+  }
+  
+  // Check for suspicious process spawns
+  const suspiciousProcesses = ['curl ', 'wget ', '/nc ', 'netcat', 'bash -c', 'sh -c', 'powershell'];
+  for (const proc of results.processes) {
+    for (const suspicious_proc of suspiciousProcesses) {
+      if (proc.toLowerCase().includes(suspicious_proc)) {
+        results.threats.push({
+          severity: 'HIGH',
+          type: 'suspicious_process',
+          message: `Suspicious process spawn: ${suspicious_proc}`
+        });
+        suspicious = true;
+      }
+    }
+  }
+  
+  return suspicious;
+}
+
+module.exports = { buildSandboxImage, runSandbox };

package/src/scanner/github-actions.js

@@ -0,0 +1,46 @@
+const fs = require('fs');
+const path = require('path');
+
+function scanGitHubActions(targetPath) {
+  const threats = [];
+  const workflowsPath = path.join(targetPath, '.github', 'workflows');
+  
+  if (!fs.existsSync(workflowsPath)) {
+    return threats;
+  }
+  
+  const files = fs.readdirSync(workflowsPath);
+  
+  for (const file of files) {
+    const filePath = path.join(workflowsPath, file);
+    const content = fs.readFileSync(filePath, 'utf8');
+    
+    // Détection du backdoor Shai-Hulud discussion.yaml
+    if (file === 'discussion.yaml' || file === 'discussion.yml') {
+      if (content.includes('runs-on: self-hosted') && content.includes('github.event.discussion.body')) {
+        threats.push({
+          type: 'shai_hulud_backdoor',
+          severity: 'CRITICAL',
+          message: 'Backdoor Shai-Hulud détecté: workflow discussion.yaml avec injection via self-hosted runner',
+          file: `.github/workflows/${file}`
+        });
+      }
+    }
+    
+    // Détection générique de workflows suspects
+    if (content.includes('runs-on: self-hosted')) {
+      if (content.includes('${{ github.event.') && (content.includes('.body') || content.includes('.title'))) {
+        threats.push({
+          type: 'workflow_injection',
+          severity: 'HIGH',
+          message: 'Injection potentielle dans GitHub Actions: input non sanitisé sur self-hosted runner',
+          file: `.github/workflows/${file}`
+        });
+      }
+    }
+  }
+  
+  return threats;
+}
+
+module.exports = { scanGitHubActions };