muaddib-scanner 1.4.1 → 1.4.3

package/README.fr.md

@@ -246,13 +246,21 @@ Ajoutez a `.pre-commit-config.yaml`:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v1.2.7
+    rev: v1.4.1
     hooks:
       - id: muaddib-scan        # Scanner toutes les menaces
       # - id: muaddib-diff      # Ou: seulement les nouvelles
       # - id: muaddib-paranoid  # Ou: mode ultra-strict
 ```
 
+#### Supprimer les hooks
+
+```bash
+muaddib remove-hooks [path]
+```
+
+Supprime tous les hooks MUAD'DIB (husky et git natif).
+
 #### Avec husky
 
 ```bash
@@ -261,6 +269,10 @@ npx husky add .husky/pre-commit "npx muaddib scan . --fail-on high"
 npx husky add .husky/pre-commit "npx muaddib diff HEAD --fail-on high"
 ```
 
+### Version check
+
+MUAD'DIB verifie automatiquement les nouvelles versions au demarrage et vous notifie si une mise a jour est disponible.
+
 ---
 
 ## Features
@@ -446,7 +458,7 @@ Editez les fichiers YAML dans `iocs/` :
   mitre: T1195.002
 ```
 
-### Développer
+### Developper
 
 ```bash
 git clone https://github.com/DNSZLSK/muad-dib
@@ -455,6 +467,13 @@ npm install
 npm test
 ```
 
+### Tests
+
+- **145 tests unitaires/integration** — 80% coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
+- **56 tests de fuzzing** — YAML malformé, JSON invalide, fichiers binaires, ReDoS, unicode, inputs 10MB
+- **15 tests adversariaux** — Packages malveillants simulés, taux de détection 15/15
+- **Audit ESLint securité** — `eslint-plugin-security` avec 14 règles activées
+
 ---
 
 ## Communauté
@@ -465,8 +484,9 @@ npm test
 
 ## Documentation
 
-- [Threat Model](docs/threat-model.md) - Ce que MUAD'DIB détecte et ne détecte pas
-- [IOCs YAML](iocs/) - Base de données des menaces
+- [Threat Model](docs/threat-model.md) - Ce que MUAD'DIB detecte et ne detecte pas
+- [Rapport d'audit securité v1.4.1](docs/MUADDIB_Security_Audit_Report_v1.4.1.pdf) - Audit complet (58 issues corrigees)
+- [IOCs YAML](iocs/) - Base de donnees des menaces
 
 ---
 

package/README.md

@@ -264,7 +264,7 @@ Add to `.pre-commit-config.yaml`:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v1.2.7
+    rev: v1.4.1
     hooks:
       - id: muaddib-scan        # Scan all threats
       # - id: muaddib-diff      # Or: only new threats
@@ -279,6 +279,14 @@ npx husky add .husky/pre-commit "npx muaddib scan . --fail-on high"
 npx husky add .husky/pre-commit "npx muaddib diff HEAD --fail-on high"
 ```
 
+#### Remove hooks
+
+```bash
+muaddib remove-hooks [path]
+```
+
+Removes all MUAD'DIB hooks (husky and git native).
+
 #### Native git hooks
 
 ```bash
@@ -286,6 +294,10 @@ muaddib init-hooks --type git
 # Creates .git/hooks/pre-commit
 ```
 
+### Version check
+
+MUAD'DIB automatically checks for new versions on startup and notifies you if an update is available.
+
 ---
 
 ## Features
@@ -480,6 +492,13 @@ npm install
 npm test
 ```
 
+### Testing
+
+- **145 unit/integration tests** — 80% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
+- **56 fuzz tests** — Malformed YAML, invalid JSON, binary files, ReDoS, unicode, 10MB inputs
+- **15 adversarial tests** — Simulated malicious packages, 15/15 detection rate
+- **ESLint security audit** — `eslint-plugin-security` with 14 rules enabled
+
 ---
 
 ## Community
@@ -491,6 +510,7 @@ npm test
 ## Documentation
 
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
+- [Security Audit Report v1.4.1](docs/MUADDIB_Security_Audit_Report_v1.4.1.pdf) - Full security audit (58 issues fixed)
 - [IOCs YAML](iocs/) - Threat database
 
 ---

package/bin/muaddib.js

@@ -242,6 +242,7 @@ const helpText = `
     muaddib update                   Update IOCs
     muaddib scrape                   Scrape new IOCs
     muaddib sandbox <pkg>            Analyze in isolated Docker container
+    muaddib version                  Show version
 
   Diff Examples:
     muaddib diff HEAD~1              Compare with previous commit
@@ -267,7 +268,11 @@ const helpText = `
 `;
 
 // Main
-if (!command || command === '--help' || command === '-h') {
+if (command === 'version' || command === '--version' || command === '-v') {
+  const pkg = require('../package.json');
+  console.log(`muaddib-scanner v${pkg.version}`);
+  process.exit(0);
+} else if (!command || command === '--help' || command === '-h') {
   if (command === '--help' || command === '-h') {
     console.log(helpText);
     process.exit(0);

package/eslint.config.mjs

@@ -1,17 +1,32 @@
 import js from "@eslint/js";
 import globals from "globals";
+import security from "eslint-plugin-security";
 import { defineConfig } from "eslint/config";
 
 export default defineConfig([
   {
     files: ["**/*.{js,mjs,cjs}"],
-    plugins: { js },
+    plugins: { js, security },
     extends: ["js/recommended"],
     languageOptions: {
       globals: globals.node
     },
     rules: {
-      "no-unused-vars": ["error", { "argsIgnorePattern": "^_", "varsIgnorePattern": "^_" }]
+      "no-unused-vars": ["error", { "argsIgnorePattern": "^_", "varsIgnorePattern": "^_" }],
+      "security/detect-buffer-noassert": "warn",
+      "security/detect-child-process": "warn",
+      "security/detect-disable-mustache-escape": "warn",
+      "security/detect-eval-with-expression": "warn",
+      "security/detect-new-buffer": "warn",
+      "security/detect-no-csrf-before-method-override": "warn",
+      "security/detect-non-literal-fs-filename": "warn",
+      "security/detect-non-literal-regexp": "warn",
+      "security/detect-non-literal-require": "warn",
+      "security/detect-object-injection": "warn",
+      "security/detect-possible-timing-attacks": "warn",
+      "security/detect-pseudoRandomBytes": "warn",
+      "security/detect-unsafe-regex": "warn",
+      "security/detect-bidi-characters": "warn"
     }
   },
   {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.4.1",
+  "version": "1.4.3",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {
@@ -47,6 +47,7 @@
   "devDependencies": {
     "@eslint/js": "9.39.2",
     "eslint": "9.39.2",
+    "eslint-plugin-security": "^3.0.1",
     "globals": "17.3.0"
   }
 }

package/src/index.js

@@ -150,8 +150,22 @@ async function run(targetPath, options = {}) {
     threats.push(...paranoidThreats);
   }
 
+  // Deduplicate: same file + same type + same message = show once with count
+  const deduped = [];
+  const seen = new Map();
+  for (const t of threats) {
+    const key = `${t.file}::${t.type}::${t.message}`;
+    if (seen.has(key)) {
+      seen.get(key).count++;
+    } else {
+      const entry = { ...t, count: 1 };
+      seen.set(key, entry);
+      deduped.push(entry);
+    }
+  }
+
   // Enrich each threat with rules
-  const enrichedThreats = threats.map(t => {
+  const enrichedThreats = deduped.map(t => {
     const rule = getRule(t.type);
     return {
       ...t,
@@ -164,11 +178,11 @@ async function run(targetPath, options = {}) {
     };
   });
 
-  // Calculate risk score (0-100)
-  const criticalCount = threats.filter(t => t.severity === 'CRITICAL').length;
-  const highCount = threats.filter(t => t.severity === 'HIGH').length;
-  const mediumCount = threats.filter(t => t.severity === 'MEDIUM').length;
-  const lowCount = threats.filter(t => t.severity === 'LOW').length;
+  // Calculate risk score (0-100) using deduplicated threats
+  const criticalCount = deduped.filter(t => t.severity === 'CRITICAL').length;
+  const highCount = deduped.filter(t => t.severity === 'HIGH').length;
+  const mediumCount = deduped.filter(t => t.severity === 'MEDIUM').length;
+  const lowCount = deduped.filter(t => t.severity === 'LOW').length;
 
   let riskScore = 0;
   riskScore += criticalCount * SEVERITY_WEIGHTS.CRITICAL;
@@ -188,7 +202,7 @@ async function run(targetPath, options = {}) {
     timestamp: new Date().toISOString(),
     threats: enrichedThreats,
     summary: {
-      total: threats.length,
+      total: deduped.length,
       critical: criticalCount,
       high: highCount,
       medium: mediumCount,
@@ -222,7 +236,8 @@ async function run(targetPath, options = {}) {
       console.log(`[ALERT] ${enrichedThreats.length} threat(s) detected:\n`);
       enrichedThreats.forEach((t, i) => {
         console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`);
-        console.log(`  ${i + 1}. [${t.severity}] ${t.rule_name}`);
+        const countStr = t.count > 1 ? ` (x${t.count})` : '';
+        console.log(`  ${i + 1}. [${t.severity}] ${t.rule_name}${countStr}`);
         console.log(`     Rule ID:    ${t.rule_id}`);
         console.log(`     File:       ${t.file}`);
         if (t.line) console.log(`     Line:       ${t.line}`);
@@ -245,18 +260,19 @@ async function run(targetPath, options = {}) {
     const scoreBar = '█'.repeat(Math.floor(result.summary.riskScore / 5)) + '░'.repeat(20 - Math.floor(result.summary.riskScore / 5));
     console.log(`[SCORE] ${result.summary.riskScore}/100 [${scoreBar}] ${result.summary.riskLevel}\n`);
 
-    if (threats.length === 0) {
+    if (deduped.length === 0) {
       console.log('[OK] No threats detected.\n');
     } else {
-      console.log(`[ALERT] ${threats.length} threat(s) detected:\n`);
-      threats.forEach((t, i) => {
-        console.log(`  ${i + 1}. [${t.severity}] ${t.type}`);
+      console.log(`[ALERT] ${deduped.length} threat(s) detected:\n`);
+      deduped.forEach((t, i) => {
+        const countStr = t.count > 1 ? ` (x${t.count})` : '';
+        console.log(`  ${i + 1}. [${t.severity}] ${t.type}${countStr}`);
         console.log(`     ${t.message}`);
         console.log(`     File: ${t.file}\n`);
       });
 
       console.log('[RESPONSE] Recommendations:\n');
-      threats.forEach(t => {
+      deduped.forEach(t => {
         const playbook = getPlaybook(t.type);
         if (playbook) {
           console.log(`  -> ${playbook}\n`);
@@ -285,8 +301,8 @@ async function run(targetPath, options = {}) {
   };
   
   const levelsToCheck = severityLevels[failLevel] || severityLevels.high;
-  const failingThreats = threats.filter(t => levelsToCheck.includes(t.severity));
-  
+  const failingThreats = deduped.filter(t => levelsToCheck.includes(t.severity));
+
   return failingThreats.length;
 }
 

package/src/ioc/data/iocs.json

@@ -17564,7 +17564,7 @@
     "pigS3cr3ts.json"
   ],
   "files": [],
-  "updated": "2026-02-09T22:02:04.174Z",
+  "updated": "2026-02-10T18:17:09.546Z",
   "sources": [
     "shai-hulud-detector",
     "datadog-consolidated",

package/src/scanner/ast.js

@@ -24,10 +24,15 @@ const SENSITIVE_STRINGS = [
   'Goldox-T3chs'
 ];
 
+// Env vars that are safe and should NOT be flagged (common config/runtime vars)
+const SAFE_ENV_VARS = [
+  'NODE_ENV', 'PORT', 'HOST', 'HOSTNAME', 'PWD', 'HOME', 'PATH',
+  'LANG', 'TERM', 'CI', 'DEBUG', 'VERBOSE', 'LOG_LEVEL'
+];
+
 // Env var keywords to detect sensitive environment access (separate from SENSITIVE_STRINGS)
-const ENV_SENSITIVE_VARS = [
-  'TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL',
-  'AUTH', 'NPM', 'AWS', 'GITHUB', 'SSH', 'NPMRC'
+const ENV_SENSITIVE_KEYWORDS = [
+  'TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH'
 ];
 
 // Strings that are NOT suspicious
@@ -134,14 +139,32 @@ function analyzeFile(content, filePath, basePath) {
         node.object?.object?.name === 'process' &&
         node.object?.property?.name === 'env'
       ) {
-        const envVar = node.property?.name;
-        if (envVar && ENV_SENSITIVE_VARS.some(s => envVar.toUpperCase().includes(s))) {
+        // Dynamic access: process.env[variable] — always flag as MEDIUM
+        if (node.computed) {
           threats.push({
             type: 'env_access',
-            severity: 'HIGH',
-            message: `Access to sensitive variable process.env.${envVar}.`,
+            severity: 'MEDIUM',
+            message: 'Dynamic access to process.env (variable key).',
             file: path.relative(basePath, filePath)
           });
+          return;
+        }
+
+        const envVar = node.property?.name;
+        if (envVar) {
+          // Skip safe/common env vars
+          if (SAFE_ENV_VARS.includes(envVar)) {
+            return;
+          }
+          // Flag only vars containing sensitive keywords
+          if (ENV_SENSITIVE_KEYWORDS.some(s => envVar.toUpperCase().includes(s))) {
+            threats.push({
+              type: 'env_access',
+              severity: 'HIGH',
+              message: `Access to sensitive variable process.env.${envVar}.`,
+              file: path.relative(basePath, filePath)
+            });
+          }
         }
       }
     }