muaddib-scanner 1.4.0 → 1.4.1

package/bin/muaddib.js

@@ -8,7 +8,7 @@ const { runScraper } = require('../src/ioc/scraper.js');
 const { safeInstall } = require('../src/safe-install.js');
 const { buildSandboxImage, runSandbox } = require('../src/sandbox.js');
 const { diff, showRefs } = require('../src/diff.js');
-const { initHooks } = require('../src/hooks-init.js');
+const { initHooks, removeHooks } = require('../src/hooks-init.js');
 
 const args = process.argv.slice(2);
 const command = args[0];
@@ -238,6 +238,7 @@ const helpText = `
     muaddib watch [path]             Watch in real-time
     muaddib daemon [options]         Start daemon
     muaddib init-hooks [options]     Setup git pre-commit hooks
+    muaddib remove-hooks [path]      Remove MUAD'DIB git hooks
     muaddib update                   Update IOCs
     muaddib scrape                   Scrape new IOCs
     muaddib sandbox <pkg>            Analyze in isolated Docker container
@@ -385,6 +386,13 @@ if (!command || command === '--help' || command === '-h') {
     console.error('[ERROR]', err.message);
     process.exit(1);
   });
+} else if (command === 'remove-hooks') {
+  removeHooks(target).then(success => {
+    process.exit(success ? 0 : 1);
+  }).catch(err => {
+    console.error('[ERROR]', err.message);
+    process.exit(1);
+  });
 } else if (command === 'help') {
   console.log(helpText);
   process.exit(0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {

package/src/daemon.js

@@ -31,18 +31,17 @@ async function startDaemon(options = {}) {
     }
   }
 
-  // Garde le processus actif
-  process.on('SIGINT', () => {
-    console.log('\n[DAEMON] Arret...');
-    isRunning = false;
-    cleanup();
-    process.exit(0);
+  // Keep process alive until SIGINT
+  await new Promise((resolve) => {
+    process.on('SIGINT', () => {
+      console.log('\n[DAEMON] Arret...');
+      isRunning = false;
+      cleanup();
+      resolve();
+    });
   });
 
-  // Boucle infinie
-  while (isRunning) {
-    await sleep(1000);
-  }
+  process.exit(0);
 }
 
 function watchDirectory(dir) {
@@ -55,12 +54,14 @@ function watchDirectory(dir) {
 
   // Surveille package-lock.json
   if (fs.existsSync(packageLockPath)) {
-    watchers.push(watchFile(packageLockPath, dir));
+    const w = watchFile(packageLockPath, dir);
+    if (w) watchers.push(w);
   }
 
   // Surveille yarn.lock
   if (fs.existsSync(yarnLockPath)) {
-    watchers.push(watchFile(yarnLockPath, dir));
+    const w = watchFile(yarnLockPath, dir);
+    if (w) watchers.push(w);
   }
 
   // Surveille node_modules
@@ -88,7 +89,12 @@ function watchDirectory(dir) {
 }
 
 function watchFile(filePath, projectDir) {
-  let lastMtime = fs.statSync(filePath).mtime.getTime();
+  let lastMtime;
+  try {
+    lastMtime = fs.statSync(filePath).mtime.getTime();
+  } catch {
+    return null; // File deleted between existsSync and statSync
+  }
 
   return fs.watch(filePath, (eventType) => {
     if (eventType === 'change') {
@@ -149,8 +155,4 @@ function triggerScan(dir) {
   }, 3000);
 }
 
-function sleep(ms) {
-  return new Promise(resolve => setTimeout(resolve, ms));
-}
-
 module.exports = { startDaemon };

package/src/hooks-init.js

@@ -2,6 +2,15 @@ const { execSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 
+// Read version from package.json for pre-commit config
+const PKG_VERSION = (() => {
+  try {
+    return 'v' + JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json'), 'utf8')).version;
+  } catch {
+    return 'v1.0.0';
+  }
+})();
+
 /**
  * Detect which hook system is available
  */
@@ -131,7 +140,7 @@ async function initPreCommit(targetPath, mode) {
   const hookId = mode === 'diff' ? 'muaddib-diff' : 'muaddib-scan';
   const muaddibConfig = `
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v1.2.7
+    rev: ${PKG_VERSION}
     hooks:
       - id: ${hookId}
 `;

package/src/index.js

@@ -192,6 +192,7 @@ async function run(targetPath, options = {}) {
       critical: criticalCount,
       high: highCount,
       medium: mediumCount,
+      low: lowCount,
       riskScore: riskScore,
       riskLevel: riskLevel
     }

package/src/ioc/data/iocs.json

@@ -17564,7 +17564,7 @@
     "pigS3cr3ts.json"
   ],
   "files": [],
-  "updated": "2026-02-09T21:29:10.442Z",
+  "updated": "2026-02-09T22:02:04.174Z",
   "sources": [
     "shai-hulud-detector",
     "datadog-consolidated",

package/src/ioc/scraper.js

@@ -111,7 +111,9 @@ function loadStaticIOCs() {
   return { socket: [], phylum: [], npmRemoved: [] };
 }
 
-function fetchJSON(url, options = {}) {
+const MAX_REDIRECTS = 5;
+
+function fetchJSON(url, options = {}, redirectCount = 0) {
   return new Promise((resolve, reject) => {
     const urlObj = new URL(url);
     const reqOptions = {
@@ -126,14 +128,18 @@ function fetchJSON(url, options = {}) {
     };
 
     const req = https.request(reqOptions, (res) => {
-      // Handle redirects (with security validation)
+      // Handle redirects (with security validation and limit)
       if (res.statusCode === 301 || res.statusCode === 302) {
+        if (redirectCount >= MAX_REDIRECTS) {
+          reject(new Error('Too many redirects'));
+          return;
+        }
         const redirectUrl = res.headers.location;
         if (!isAllowedRedirect(redirectUrl)) {
           reject(new Error(`Unauthorized redirect to: ${redirectUrl}`));
           return;
         }
-        fetchJSON(redirectUrl, options).then(resolve).catch(reject);
+        fetchJSON(redirectUrl, options, redirectCount + 1).then(resolve).catch(reject);
         return;
       }
 
@@ -162,7 +168,7 @@ function fetchJSON(url, options = {}) {
   });
 }
 
-function fetchText(url) {
+function fetchText(url, redirectCount = 0) {
   return new Promise((resolve, reject) => {
     const urlObj = new URL(url);
     const reqOptions = {
@@ -175,14 +181,18 @@ function fetchText(url) {
     };
 
     const req = https.request(reqOptions, (res) => {
-      // Handle redirects (with security validation)
+      // Handle redirects (with security validation and limit)
       if (res.statusCode === 301 || res.statusCode === 302) {
+        if (redirectCount >= MAX_REDIRECTS) {
+          reject(new Error('Too many redirects'));
+          return;
+        }
         const redirectUrl = res.headers.location;
         if (!isAllowedRedirect(redirectUrl)) {
           reject(new Error(`Unauthorized redirect to: ${redirectUrl}`));
           return;
         }
-        fetchText(redirectUrl).then(resolve).catch(reject);
+        fetchText(redirectUrl, redirectCount + 1).then(resolve).catch(reject);
         return;
       }
 

package/src/ioc/updater.js

@@ -72,58 +72,93 @@ async function updateIOCs() {
 }
 
 /**
- * Merge source IOCs into target without duplicates
- * Returns number of packages added
+ * Merge source IOCs into target without duplicates.
+ * Uses Sets for O(1) dedup. Lazily initializes _sets on target.
+ * Returns number of packages added.
  */
 function mergeIOCs(target, source) {
+  // Lazily initialize dedup sets on the target object
+  if (!target._pkgKeys) {
+    target._pkgKeys = new Set(target.packages.map(p => p.name + '@' + p.version));
+    target._hashSet = new Set(target.hashes);
+    target._markerSet = new Set(target.markers);
+    target._fileSet = new Set(target.files);
+  }
+
   let added = 0;
-  
+
   // Merge packages
   for (const pkg of source.packages || []) {
-    const exists = target.packages.find(function(p) {
-      return p.name === pkg.name && p.version === pkg.version;
-    });
-    if (!exists) {
+    const key = pkg.name + '@' + pkg.version;
+    if (!target._pkgKeys.has(key)) {
       target.packages.push(pkg);
+      target._pkgKeys.add(key);
       added++;
     }
   }
-  
+
   // Merge hashes
   for (const hash of source.hashes || []) {
-    if (!target.hashes.includes(hash)) {
+    if (!target._hashSet.has(hash)) {
       target.hashes.push(hash);
+      target._hashSet.add(hash);
     }
   }
-  
+
   // Merge markers
   for (const marker of source.markers || []) {
-    if (!target.markers.includes(marker)) {
+    if (!target._markerSet.has(marker)) {
       target.markers.push(marker);
+      target._markerSet.add(marker);
     }
   }
-  
+
   // Merge files
   for (const file of source.files || []) {
-    if (!target.files.includes(file)) {
+    if (!target._fileSet.has(file)) {
       target.files.push(file);
+      target._fileSet.add(file);
     }
   }
-  
+
   return added;
 }
 
+// Allowed redirect domains for fetchUrl (SSRF protection)
+const ALLOWED_FETCH_DOMAINS = [
+  'raw.githubusercontent.com',
+  'github.com',
+  'objects.githubusercontent.com'
+];
+
+function isAllowedFetchRedirect(redirectUrl, originalUrl) {
+  try {
+    // Handle relative URLs by resolving against original
+    const resolved = new URL(redirectUrl, originalUrl);
+    return ALLOWED_FETCH_DOMAINS.includes(resolved.hostname);
+  } catch {
+    return false;
+  }
+}
+
 function fetchUrl(url, redirectCount = 0) {
   const MAX_REDIRECTS = 5;
   return new Promise(function(resolve, reject) {
     https.get(url, function(res) {
-      // Handle redirects with limit
+      // Handle redirects with limit and domain validation
       if (res.statusCode === 301 || res.statusCode === 302) {
         if (redirectCount >= MAX_REDIRECTS) {
           reject(new Error('Too many redirects'));
           return;
         }
-        fetchUrl(res.headers.location, redirectCount + 1).then(resolve).catch(reject);
+        const redirectTarget = res.headers.location;
+        if (!isAllowedFetchRedirect(redirectTarget, url)) {
+          reject(new Error('Redirect to unauthorized domain: ' + redirectTarget));
+          return;
+        }
+        // Resolve relative URLs against original
+        const resolvedUrl = new URL(redirectTarget, url).href;
+        fetchUrl(resolvedUrl, redirectCount + 1).then(resolve).catch(reject);
         return;
       }
       if (res.statusCode !== 200) {

package/src/ioc/yaml-loader.js

@@ -12,26 +12,34 @@ function loadYAMLIOCs() {
     files: []
   };
 
+  // Dedup sets for O(1) lookup during loading
+  const seenPkgs = new Set();
+  const seenHashes = new Set();
+  const seenMarkers = new Set();
+  const seenFiles = new Set();
+
   // Charger packages.yaml
-  loadPackagesYAML(path.join(IOCS_DIR, 'packages.yaml'), iocs);
-  
+  loadPackagesYAML(path.join(IOCS_DIR, 'packages.yaml'), iocs, seenPkgs);
+
   // Charger builtin.yaml (fallback)
-  loadBuiltinYAML(path.join(IOCS_DIR, 'builtin.yaml'), iocs);
+  loadBuiltinYAML(path.join(IOCS_DIR, 'builtin.yaml'), iocs, seenPkgs, seenHashes, seenMarkers, seenFiles);
 
   // Charger hashes.yaml
-  loadHashesYAML(path.join(IOCS_DIR, 'hashes.yaml'), iocs);
+  loadHashesYAML(path.join(IOCS_DIR, 'hashes.yaml'), iocs, seenHashes, seenMarkers, seenFiles);
 
   return iocs;
 }
 
-function loadPackagesYAML(filePath, iocs) {
+function loadPackagesYAML(filePath, iocs, seenPkgs) {
   if (!fs.existsSync(filePath)) return;
-  
+
   try {
-    const data = yaml.load(fs.readFileSync(filePath, 'utf8'));
+    const data = yaml.load(fs.readFileSync(filePath, 'utf8'), { schema: yaml.JSON_SCHEMA });
     if (data && data.packages) {
       for (const p of data.packages) {
-        if (!iocs.packages.find(x => x.name === p.name && x.version === p.version)) {
+        const key = p.name + '@' + p.version;
+        if (!seenPkgs.has(key)) {
+          seenPkgs.add(key);
           iocs.packages.push({
             id: p.id,
             name: p.name,
@@ -51,16 +59,18 @@ function loadPackagesYAML(filePath, iocs) {
   }
 }
 
-function loadBuiltinYAML(filePath, iocs) {
+function loadBuiltinYAML(filePath, iocs, seenPkgs, seenHashes, seenMarkers, seenFiles) {
   if (!fs.existsSync(filePath)) return;
-  
+
   try {
-    const data = yaml.load(fs.readFileSync(filePath, 'utf8'));
-    
+    const data = yaml.load(fs.readFileSync(filePath, 'utf8'), { schema: yaml.JSON_SCHEMA });
+
     // Packages
     if (data && data.packages) {
       for (const p of data.packages) {
-        if (!iocs.packages.find(x => x.name === p.name && x.version === p.version)) {
+        const key = p.name + '@' + p.version;
+        if (!seenPkgs.has(key)) {
+          seenPkgs.add(key);
           iocs.packages.push({
             id: `BUILTIN-${p.name}`,
             name: p.name,
@@ -75,12 +85,13 @@ function loadBuiltinYAML(filePath, iocs) {
         }
       }
     }
-    
+
     // Files
     if (data && data.files) {
       for (const f of data.files) {
         const fileName = typeof f === 'string' ? f : f.name;
-        if (!iocs.files.find(x => x.name === fileName)) {
+        if (!seenFiles.has(fileName)) {
+          seenFiles.add(fileName);
           iocs.files.push({
             id: `BUILTIN-FILE-${fileName}`,
             name: fileName,
@@ -92,12 +103,13 @@ function loadBuiltinYAML(filePath, iocs) {
         }
       }
     }
-    
+
     // Hashes
     if (data && data.hashes) {
       for (const h of data.hashes) {
         const hash = typeof h === 'string' ? h : h.sha256;
-        if (!iocs.hashes.find(x => x.sha256 === hash)) {
+        if (!seenHashes.has(hash)) {
+          seenHashes.add(hash);
           iocs.hashes.push({
             id: `BUILTIN-HASH-${hash.slice(0, 8)}`,
             sha256: hash,
@@ -109,12 +121,13 @@ function loadBuiltinYAML(filePath, iocs) {
         }
       }
     }
-    
+
     // Markers
     if (data && data.markers) {
       for (const m of data.markers) {
         const pattern = typeof m === 'string' ? m : m.pattern;
-        if (!iocs.markers.find(x => x.pattern === pattern)) {
+        if (!seenMarkers.has(pattern)) {
+          seenMarkers.add(pattern);
           iocs.markers.push({
             id: `BUILTIN-MARKER-${pattern.slice(0, 10)}`,
             pattern: pattern,
@@ -131,15 +144,16 @@ function loadBuiltinYAML(filePath, iocs) {
   }
 }
 
-function loadHashesYAML(filePath, iocs) {
+function loadHashesYAML(filePath, iocs, seenHashes, seenMarkers, seenFiles) {
   if (!fs.existsSync(filePath)) return;
-  
+
   try {
-    const data = yaml.load(fs.readFileSync(filePath, 'utf8'));
-    
+    const data = yaml.load(fs.readFileSync(filePath, 'utf8'), { schema: yaml.JSON_SCHEMA });
+
     if (data && data.hashes) {
       for (const h of data.hashes) {
-        if (!iocs.hashes.find(x => x.sha256 === h.sha256)) {
+        if (!seenHashes.has(h.sha256)) {
+          seenHashes.add(h.sha256);
           iocs.hashes.push({
             id: h.id,
             sha256: h.sha256,
@@ -153,10 +167,11 @@ function loadHashesYAML(filePath, iocs) {
         }
       }
     }
-    
+
     if (data && data.markers) {
       for (const m of data.markers) {
-        if (!iocs.markers.find(x => x.pattern === m.pattern)) {
+        if (!seenMarkers.has(m.pattern)) {
+          seenMarkers.add(m.pattern);
           iocs.markers.push({
             id: m.id,
             pattern: m.pattern,
@@ -168,10 +183,11 @@ function loadHashesYAML(filePath, iocs) {
         }
       }
     }
-    
+
     if (data && data.files) {
       for (const f of data.files) {
-        if (!iocs.files.find(x => x.name === f.name)) {
+        if (!seenFiles.has(f.name)) {
+          seenFiles.add(f.name);
           iocs.files.push({
             id: f.id,
             name: f.name,
@@ -198,4 +214,4 @@ function getIOCStats() {
   };
 }
 
-module.exports = { loadYAMLIOCs, getIOCStats };
+module.exports = { loadYAMLIOCs, getIOCStats };

package/src/response/playbooks.js

@@ -20,9 +20,6 @@ const PLAYBOOKS = {
   npmrc_access:
     'Acces au fichier .npmrc detecte. Risque de vol de token npm. Regenerer le token.',
   
-  npmrc_read:
-    'Lecture du .npmrc. Regenerer immediatement: npm token revoke && npm login',
-  
   github_token_access:
     'Acces au GITHUB_TOKEN. Verifier les permissions. Regenerer si compromis.',
   
@@ -41,24 +38,15 @@ const PLAYBOOKS = {
   reverse_shell:
     'CRITIQUE: Reverse shell detecte. Machine potentiellement compromise. Isoler immediatement.',
   
-  netcat_shell:
-    'CRITIQUE: Shell netcat detecte. Machine potentiellement compromise. Isoler immediatement.',
-  
   home_deletion:
     'CRITIQUE: Tentative de suppression du repertoire home. Dead man\'s switch probable.',
   
-  shred_home:
-    'CRITIQUE: Destruction de donnees detectee. Dead man\'s switch de Shai-Hulud.',
-  
   curl_exfiltration:
     'Exfiltration de donnees via curl. Verifier les donnees envoyees et la destination.',
   
   ssh_access:
     'Acces aux cles SSH. Regenerer les cles si compromis: ssh-keygen -t ed25519',
   
-  ssh_key_read:
-    'Lecture des cles SSH. Regenerer immediatement toutes les cles.',
-  
   github_api_call:
     'Appel a l\'API GitHub. Verifier le contexte. Peut etre legitime ou exfiltration.',
   
@@ -68,9 +56,6 @@ const PLAYBOOKS = {
   exec_wget:
     'Execution de wget via child_process. Verifier l\'URL et les donnees.',
   
-  wget_chmod_exec:
-    'Telechargement et execution de binaire. Ne pas executer. Analyser le fichier.',
-
   known_malicious_package:
     'CRITIQUE: Supprimer immediatement. rm -rf node_modules && npm cache clean --force && npm install',
 

package/src/rules/index.js

@@ -193,6 +193,176 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+
+  // Package.json script patterns
+  curl_pipe_sh: {
+    id: 'MUADDIB-PKG-002',
+    name: 'Curl Pipe to Shell in Script',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle execute curl | sh - telechargement et execution de code distant',
+    references: ['https://blog.phylum.io/shai-hulud-npm-worm'],
+    mitre: 'T1105'
+  },
+  wget_pipe_sh: {
+    id: 'MUADDIB-PKG-003',
+    name: 'Wget Pipe to Shell in Script',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle execute wget | sh - telechargement et execution de code distant',
+    references: ['https://blog.phylum.io/shai-hulud-npm-worm'],
+    mitre: 'T1105'
+  },
+  eval_usage: {
+    id: 'MUADDIB-PKG-004',
+    name: 'Eval in Lifecycle Script',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Utilisation de eval() dans un script lifecycle - execution de code dynamique',
+    references: ['https://owasp.org/www-community/attacks/Command_Injection'],
+    mitre: 'T1059.007'
+  },
+  child_process: {
+    id: 'MUADDIB-PKG-005',
+    name: 'Child Process in Lifecycle Script',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Reference a child_process dans un script lifecycle',
+    references: ['https://owasp.org/www-community/attacks/Command_Injection'],
+    mitre: 'T1059'
+  },
+  npmrc_access: {
+    id: 'MUADDIB-PKG-006',
+    name: 'npmrc Access',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Acces au fichier .npmrc detecte - risque de vol de token npm',
+    references: ['https://blog.phylum.io/shai-hulud-npm-worm'],
+    mitre: 'T1552.001'
+  },
+  github_token_access: {
+    id: 'MUADDIB-PKG-007',
+    name: 'GitHub Token Access',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Acces au GITHUB_TOKEN detecte',
+    references: ['https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions'],
+    mitre: 'T1552.001'
+  },
+  aws_credential_access: {
+    id: 'MUADDIB-PKG-008',
+    name: 'AWS Credential Access',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Acces aux credentials AWS detecte',
+    references: ['https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'],
+    mitre: 'T1552.001'
+  },
+  base64_encoding: {
+    id: 'MUADDIB-PKG-009',
+    name: 'Base64 Encoding in Script',
+    severity: 'MEDIUM',
+    confidence: 'low',
+    description: 'Encodage base64 dans un script lifecycle - souvent utilise pour obfusquer du code malveillant',
+    references: ['https://attack.mitre.org/techniques/T1027/'],
+    mitre: 'T1027'
+  },
+
+  // Shell script patterns
+  curl_pipe_shell: {
+    id: 'MUADDIB-SHELL-004',
+    name: 'Curl Pipe to Shell',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Telechargement et execution via curl | sh dans un script shell',
+    references: ['https://blog.phylum.io/shai-hulud-npm-worm'],
+    mitre: 'T1105'
+  },
+  wget_chmod_exec: {
+    id: 'MUADDIB-SHELL-005',
+    name: 'Wget Download and Execute',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Telechargement et execution de binaire via wget + chmod',
+    references: ['https://blog.phylum.io/shai-hulud-npm-worm'],
+    mitre: 'T1105'
+  },
+  netcat_shell: {
+    id: 'MUADDIB-SHELL-006',
+    name: 'Netcat Shell',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Shell netcat detecte - acces distant non autorise',
+    references: ['https://attack.mitre.org/techniques/T1059/004/'],
+    mitre: 'T1059.004'
+  },
+  shred_home: {
+    id: 'MUADDIB-SHELL-007',
+    name: 'Home Directory Destruction',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Destruction de donnees (shred $HOME) - dead man\'s switch de Shai-Hulud',
+    references: ['https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack'],
+    mitre: 'T1485'
+  },
+  curl_exfiltration: {
+    id: 'MUADDIB-SHELL-008',
+    name: 'Data Exfiltration via Curl',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Exfiltration de donnees via curl POST',
+    references: ['https://attack.mitre.org/techniques/T1041/'],
+    mitre: 'T1041'
+  },
+  ssh_access: {
+    id: 'MUADDIB-SHELL-009',
+    name: 'SSH Key Access',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Acces aux cles SSH detecte',
+    references: ['https://attack.mitre.org/techniques/T1552/004/'],
+    mitre: 'T1552.004'
+  },
+
+  // AST additional patterns
+  possible_obfuscation: {
+    id: 'MUADDIB-OBF-002',
+    name: 'Possible Code Obfuscation',
+    severity: 'MEDIUM',
+    confidence: 'low',
+    description: 'Fichier potentiellement obfusque (parse echoue, code dense)',
+    references: ['https://attack.mitre.org/techniques/T1027/'],
+    mitre: 'T1027'
+  },
+  dangerous_call_function: {
+    id: 'MUADDIB-AST-005',
+    name: 'new Function() Constructor',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Appel new Function() detecte - equivalent a eval()',
+    references: ['https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function'],
+    mitre: 'T1059.007'
+  },
+
+  // GitHub Actions patterns
+  shai_hulud_backdoor: {
+    id: 'MUADDIB-GHA-001',
+    name: 'Shai-Hulud GitHub Actions Backdoor',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Backdoor Shai-Hulud dans GitHub Actions via workflow discussion.yaml sur self-hosted runner',
+    references: ['https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack'],
+    mitre: 'T1195.002'
+  },
+  workflow_injection: {
+    id: 'MUADDIB-GHA-002',
+    name: 'GitHub Actions Workflow Injection',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Injection potentielle dans GitHub Actions via input non sanitise sur self-hosted runner',
+    references: ['https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions'],
+    mitre: 'T1195.002'
+  },
 };
 
 function getRule(type) {

package/src/safe-install.js

@@ -13,7 +13,7 @@ const NPM_PACKAGE_REGEX = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*
 function isValidPackageName(pkgName) {
   // Remove version if present
   const nameOnly = pkgName.split('@').filter((p, i) => i === 0 || !p.match(/^\d/)).join('@');
-  return NPM_PACKAGE_REGEX.test(nameOnly) || (nameOnly.startsWith('@') && NPM_PACKAGE_REGEX.test(nameOnly));
+  return NPM_PACKAGE_REGEX.test(nameOnly);
 }
 
 // Known safe packages that legitimately use "suspicious" patterns
@@ -164,8 +164,8 @@ async function scanPackageRecursive(pkg, depth = 0, maxDepth = 3) {
     }
     pkgInfo = JSON.parse(result.stdout);
   } catch {
-    if (depth === 0) console.log(`[!] Package ${pkgName} not found on npm`);
-    return { safe: true };
+    if (depth === 0) console.log(`[!] Invalid npm response for ${pkgName}`);
+    return { safe: false, package: pkgName, reason: 'invalid_npm_response', source: 'npm-registry', description: 'Invalid or unparseable npm response', depth };
   }
   
   // Scan the dependencies

package/src/scanner/ast.js

@@ -8,7 +8,6 @@ const EXCLUDED_FILES = [
   'src/scanner/ast.js',
   'src/scanner/shell.js',
   'src/scanner/package.js',
-  'src/ioc/feeds.js',
   'src/response/playbooks.js'
 ];
 
@@ -25,6 +24,12 @@ const SENSITIVE_STRINGS = [
   'Goldox-T3chs'
 ];
 
+// Env var keywords to detect sensitive environment access (separate from SENSITIVE_STRINGS)
+const ENV_SENSITIVE_VARS = [
+  'TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL',
+  'AUTH', 'NPM', 'AWS', 'GITHUB', 'SSH', 'NPMRC'
+];
+
 // Strings that are NOT suspicious
 const SAFE_STRINGS = [
   'api.github.com',
@@ -130,7 +135,7 @@ function analyzeFile(content, filePath, basePath) {
         node.object?.property?.name === 'env'
       ) {
         const envVar = node.property?.name;
-        if (envVar && SENSITIVE_STRINGS.some(s => envVar.includes(s.replace('.', '')))) {
+        if (envVar && ENV_SENSITIVE_VARS.some(s => envVar.toUpperCase().includes(s))) {
           threats.push({
             type: 'env_access',
             severity: 'HIGH',

package/src/scanner/dependencies.js

@@ -47,6 +47,17 @@ async function scanDependencies(targetPath) {
 
   const packages = listPackages(nodeModulesPath);
 
+  // Pre-compute files and markers lists once (outside the loop)
+  const suspiciousFilesRaw = iocs.filesSet || iocs.files || [];
+  const filesToCheck = suspiciousFilesRaw instanceof Set
+    ? Array.from(suspiciousFilesRaw)
+    : suspiciousFilesRaw;
+
+  const markersRaw = iocs.markersSet || iocs.markers || [];
+  const markersToCheck = markersRaw instanceof Set
+    ? Array.from(markersRaw)
+    : markersRaw;
+
   for (const pkg of packages) {
     // D'abord verifier la whitelist des packages rehabilites
     const rehabStatus = checkRehabilitatedPackage(pkg.name, pkg.version);
@@ -107,12 +118,6 @@ async function scanDependencies(targetPath) {
     if (TRUSTED_PACKAGES.includes(pkg.name)) continue;
 
     // Verifie les fichiers suspects (IOCs caches) avec whitelist
-    // Utilise Set ou Array selon la structure disponible
-    const suspiciousFiles = iocs.filesSet || iocs.files || [];
-    const filesToCheck = suspiciousFiles instanceof Set
-      ? Array.from(suspiciousFiles)
-      : suspiciousFiles;
-
     for (const suspFile of filesToCheck) {
       // Skip si fichier legitime pour ce package
       if (SAFE_FILES[suspFile] && SAFE_FILES[suspFile].includes(pkg.name)) {
@@ -137,12 +142,6 @@ async function scanDependencies(targetPath) {
         const pkgContent = fs.readFileSync(pkgJsonPath, 'utf8');
 
         // Verifie les marqueurs Shai-Hulud
-        // Utilise Set ou Array selon la structure disponible
-        const markers = iocs.markersSet || iocs.markers || [];
-        const markersToCheck = markers instanceof Set
-          ? Array.from(markers)
-          : markers;
-
         for (const marker of markersToCheck) {
           if (pkgContent.includes(marker)) {
             threats.push({

package/src/scanner/github-actions.js

@@ -10,10 +10,23 @@ function scanGitHubActions(targetPath) {
   }
   
   const files = fs.readdirSync(workflowsPath);
-  
+
   for (const file of files) {
     const filePath = path.join(workflowsPath, file);
-    const content = fs.readFileSync(filePath, 'utf8');
+
+    try {
+      const stat = fs.statSync(filePath);
+      if (!stat.isFile()) continue;
+    } catch {
+      continue;
+    }
+
+    let content;
+    try {
+      content = fs.readFileSync(filePath, 'utf8');
+    } catch {
+      continue; // Skip unreadable files
+    }
     
     // Détection du backdoor Shai-Hulud discussion.yaml
     if (file === 'discussion.yaml' || file === 'discussion.yml') {

package/src/scanner/hash.js

@@ -2,13 +2,11 @@ const fs = require('fs');
 const path = require('path');
 const nodeCrypto = require('crypto');
 const { loadCachedIOCs } = require('../ioc/updater.js');
+const { findFiles } = require('../utils.js');
 
 // Hash cache: filePath -> { hash, mtime }
 const hashCache = new Map();
 
-// Depth limit to avoid infinite recursion
-const MAX_DEPTH = 50;
-
 async function scanHashes(targetPath) {
   const threats = [];
   const iocs = loadCachedIOCs();
@@ -28,10 +26,8 @@ async function scanHashes(targetPath) {
     return threats;
   }
 
-  // Set to track visited inodes (avoids symlink loops)
-  const visitedInodes = new Set();
-
-  const jsFiles = findAllJsFiles(nodeModulesPath, [], visitedInodes, 0);
+  // Use shared findFiles utility (with symlink protection and depth limit)
+  const jsFiles = findFiles(nodeModulesPath, { extensions: ['.js'], excludedDirs: [], maxDepth: 50 });
 
   for (const file of jsFiles) {
     const hash = computeHashCached(file);
@@ -88,77 +84,6 @@ function computeHash(filePath) {
   return nodeCrypto.createHash('sha256').update(content).digest('hex');
 }
 
-/**
- * Recursive search for JS files with symlink protection
- * @param {string} dir - Directory to scan
- * @param {string[]} results - Accumulator array
- * @param {Set<number>} visitedInodes - Already visited inodes
- * @param {number} depth - Current depth
- * @returns {string[]} List of .js files
- */
-function findAllJsFiles(dir, results = [], visitedInodes = new Set(), depth = 0) {
-  // Protection against infinite recursion
-  if (depth > MAX_DEPTH) {
-    return results;
-  }
-
-  if (!fs.existsSync(dir)) return results;
-
-  try {
-    const items = fs.readdirSync(dir);
-
-    for (const item of items) {
-      const fullPath = path.join(dir, item);
-
-      try {
-        // Use lstatSync to detect symlinks WITHOUT following them
-        const lstat = fs.lstatSync(fullPath);
-
-        // Check if it's a symlink
-        if (lstat.isSymbolicLink()) {
-          // Resolve the symlink and check the target
-          try {
-            const realPath = fs.realpathSync(fullPath);
-            const realStat = fs.statSync(realPath);
-
-            // Check if we already visited this inode (avoids loops)
-            if (visitedInodes.has(realStat.ino)) {
-              continue; // Loop detected, skip
-            }
-
-            // If it's a directory, traverse it
-            if (realStat.isDirectory()) {
-              visitedInodes.add(realStat.ino);
-              findAllJsFiles(realPath, results, visitedInodes, depth + 1);
-            } else if (item.endsWith('.js')) {
-              visitedInodes.add(realStat.ino);
-              results.push(realPath);
-            }
-          } catch {
-            // Broken or inaccessible symlink, ignore
-          }
-          continue;
-        }
-
-        // Mark the inode as visited
-        visitedInodes.add(lstat.ino);
-
-        if (lstat.isDirectory()) {
-          findAllJsFiles(fullPath, results, visitedInodes, depth + 1);
-        } else if (item.endsWith('.js')) {
-          results.push(fullPath);
-        }
-      } catch {
-        // Ignore permission errors
-      }
-    }
-  } catch {
-    // Ignore directory read errors
-  }
-
-  return results;
-}
-
 /**
  * Clears the hash cache (useful for tests)
  */

package/src/scanner/obfuscation.js

@@ -9,7 +9,12 @@ function detectObfuscation(targetPath) {
   const files = findFiles(targetPath, { extensions: ['.js'], excludedDirs: OBF_EXCLUDED_DIRS });
 
   for (const file of files) {
-    const content = fs.readFileSync(file, 'utf8');
+    let content;
+    try {
+      content = fs.readFileSync(file, 'utf8');
+    } catch {
+      continue; // Skip unreadable files
+    }
     const relativePath = path.relative(targetPath, file);
 
     const signals = [];

package/src/scanner/package.js

@@ -71,14 +71,28 @@ async function scanPackageJson(targetPath) {
   };
 
   for (const [depName, depVersion] of Object.entries(allDeps)) {
-    const malicious = iocs.packages.find(p => {
-      if (p.name !== depName) return false;
-      if (p.version === '*') return true;
-      // Exact version match only (strip semver range prefixes ^~>=)
-      const cleanVersion = depVersion.replace(/^[^0-9]*/, '');
-      if (p.version === cleanVersion || p.version === depVersion) return true;
-      return false;
-    });
+    let malicious = null;
+
+    // Use optimized Map for O(1) lookup if available
+    if (iocs.packagesMap) {
+      if (iocs.wildcardPackages && iocs.wildcardPackages.has(depName)) {
+        const pkgList = iocs.packagesMap.get(depName);
+        malicious = pkgList ? pkgList.find(p => p.version === '*') : null;
+      } else if (iocs.packagesMap.has(depName)) {
+        const pkgList = iocs.packagesMap.get(depName);
+        const cleanVersion = depVersion.replace(/^[^0-9]*/, '');
+        malicious = pkgList.find(p => p.version === cleanVersion || p.version === depVersion);
+      }
+    } else {
+      // Fallback: linear search for compatibility
+      malicious = iocs.packages.find(p => {
+        if (p.name !== depName) return false;
+        if (p.version === '*') return true;
+        const cleanVersion = depVersion.replace(/^[^0-9]*/, '');
+        if (p.version === cleanVersion || p.version === depVersion) return true;
+        return false;
+      });
+    }
 
     if (malicious) {
       threats.push({

package/src/scanner/typosquat.js

@@ -70,6 +70,9 @@ const WHITELIST = [
 ];
 
 
+// Pre-computed lowercase versions for performance
+const POPULAR_PACKAGES_LOWER = POPULAR_PACKAGES.map(p => p.toLowerCase());
+
 // Seuil minimum de longueur pour eviter faux positifs
 const MIN_PACKAGE_LENGTH = 4;
 
@@ -125,15 +128,18 @@ function findTyposquatMatch(name) {
   // Ignore les packages avec suffixes legitimes courants
   if (isLegitimateVariant(nameLower)) return null;
 
-  for (const popular of POPULAR_PACKAGES) {
+  for (let i = 0; i < POPULAR_PACKAGES.length; i++) {
+    const popularLower = POPULAR_PACKAGES_LOWER[i];
+    const popular = POPULAR_PACKAGES[i];
+
     // Ignore si c'est exactement le meme
-    if (nameLower === popular.toLowerCase()) continue;
+    if (nameLower === popularLower) continue;
 
     // Ignore si le package populaire est trop court
     if (popular.length < MIN_PACKAGE_LENGTH) continue;
 
-    const distance = levenshteinDistance(nameLower, popular.toLowerCase());
-    
+    const distance = levenshteinDistance(nameLower, popularLower);
+
     // Distance de 1 = tres suspect (une seule lettre de difference)
     if (distance === 1) {
       return {

package/src/utils.js

@@ -49,7 +49,8 @@ function isDevFile(relativePath) {
  * @param {string[]} [options.excludedDirs=EXCLUDED_DIRS] - Dirs to skip
  * @param {number} [options.maxDepth=100] - Max recursion depth
  * @param {string[]} [options.results=[]] - Accumulator (internal)
- * @param {Set} [options.visitedInodes=new Set()] - Symlink loop detection
+ * @param {Set} [options.visitedInodes=new Set()] - Symlink loop detection (note: inode tracking
+ *   is unreliable on Windows where stat.ino may be 0; maxDepth serves as fallback protection)
  * @param {number} [options.depth=0] - Current depth (internal)
  * @returns {string[]} List of matching file paths
  */

package/src/watch.js

@@ -20,11 +20,16 @@ function watch(targetPath) {
 
   for (const watchPath of watchPaths) {
     if (fs.existsSync(watchPath)) {
+      // Note: recursive option only works on macOS and Windows.
+      // On Linux, only top-level changes in watchPath are detected.
+      if (process.platform === 'linux' && watchPath.includes('node_modules')) {
+        console.log(`[WARN] recursive watch not supported on Linux for ${watchPath}`);
+      }
       fs.watch(watchPath, { recursive: true }, (eventType, filename) => {
         if (debounceTimer) clearTimeout(debounceTimer);
 
         debounceTimer = setTimeout(() => {
-          console.log(`\n[CHANGE] ${filename} modifie`);
+          console.log(`\n[CHANGE] ${filename || 'unknown file'} modifie`);
           console.log('[MUADDIB] Re-scan...\n');
           run(targetPath, { json: false }).catch(err => console.error('[ERROR]', err.message));
         }, 1000);