muaddib-scanner 1.4.2 → 1.4.3

package/bin/muaddib.js

@@ -242,6 +242,7 @@ const helpText = `
     muaddib update                   Update IOCs
     muaddib scrape                   Scrape new IOCs
     muaddib sandbox <pkg>            Analyze in isolated Docker container
+    muaddib version                  Show version
 
   Diff Examples:
     muaddib diff HEAD~1              Compare with previous commit
@@ -267,7 +268,11 @@ const helpText = `
 `;
 
 // Main
-if (!command || command === '--help' || command === '-h') {
+if (command === 'version' || command === '--version' || command === '-v') {
+  const pkg = require('../package.json');
+  console.log(`muaddib-scanner v${pkg.version}`);
+  process.exit(0);
+} else if (!command || command === '--help' || command === '-h') {
   if (command === '--help' || command === '-h') {
     console.log(helpText);
     process.exit(0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.4.2",
+  "version": "1.4.3",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -150,8 +150,22 @@ async function run(targetPath, options = {}) {
     threats.push(...paranoidThreats);
   }
 
+  // Deduplicate: same file + same type + same message = show once with count
+  const deduped = [];
+  const seen = new Map();
+  for (const t of threats) {
+    const key = `${t.file}::${t.type}::${t.message}`;
+    if (seen.has(key)) {
+      seen.get(key).count++;
+    } else {
+      const entry = { ...t, count: 1 };
+      seen.set(key, entry);
+      deduped.push(entry);
+    }
+  }
+
   // Enrich each threat with rules
-  const enrichedThreats = threats.map(t => {
+  const enrichedThreats = deduped.map(t => {
     const rule = getRule(t.type);
     return {
       ...t,
@@ -164,11 +178,11 @@ async function run(targetPath, options = {}) {
     };
   });
 
-  // Calculate risk score (0-100)
-  const criticalCount = threats.filter(t => t.severity === 'CRITICAL').length;
-  const highCount = threats.filter(t => t.severity === 'HIGH').length;
-  const mediumCount = threats.filter(t => t.severity === 'MEDIUM').length;
-  const lowCount = threats.filter(t => t.severity === 'LOW').length;
+  // Calculate risk score (0-100) using deduplicated threats
+  const criticalCount = deduped.filter(t => t.severity === 'CRITICAL').length;
+  const highCount = deduped.filter(t => t.severity === 'HIGH').length;
+  const mediumCount = deduped.filter(t => t.severity === 'MEDIUM').length;
+  const lowCount = deduped.filter(t => t.severity === 'LOW').length;
 
   let riskScore = 0;
   riskScore += criticalCount * SEVERITY_WEIGHTS.CRITICAL;
@@ -188,7 +202,7 @@ async function run(targetPath, options = {}) {
     timestamp: new Date().toISOString(),
     threats: enrichedThreats,
     summary: {
-      total: threats.length,
+      total: deduped.length,
       critical: criticalCount,
       high: highCount,
       medium: mediumCount,
@@ -222,7 +236,8 @@ async function run(targetPath, options = {}) {
       console.log(`[ALERT] ${enrichedThreats.length} threat(s) detected:\n`);
       enrichedThreats.forEach((t, i) => {
         console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`);
-        console.log(`  ${i + 1}. [${t.severity}] ${t.rule_name}`);
+        const countStr = t.count > 1 ? ` (x${t.count})` : '';
+        console.log(`  ${i + 1}. [${t.severity}] ${t.rule_name}${countStr}`);
         console.log(`     Rule ID:    ${t.rule_id}`);
         console.log(`     File:       ${t.file}`);
         if (t.line) console.log(`     Line:       ${t.line}`);
@@ -245,18 +260,19 @@ async function run(targetPath, options = {}) {
     const scoreBar = '█'.repeat(Math.floor(result.summary.riskScore / 5)) + '░'.repeat(20 - Math.floor(result.summary.riskScore / 5));
     console.log(`[SCORE] ${result.summary.riskScore}/100 [${scoreBar}] ${result.summary.riskLevel}\n`);
 
-    if (threats.length === 0) {
+    if (deduped.length === 0) {
       console.log('[OK] No threats detected.\n');
     } else {
-      console.log(`[ALERT] ${threats.length} threat(s) detected:\n`);
-      threats.forEach((t, i) => {
-        console.log(`  ${i + 1}. [${t.severity}] ${t.type}`);
+      console.log(`[ALERT] ${deduped.length} threat(s) detected:\n`);
+      deduped.forEach((t, i) => {
+        const countStr = t.count > 1 ? ` (x${t.count})` : '';
+        console.log(`  ${i + 1}. [${t.severity}] ${t.type}${countStr}`);
         console.log(`     ${t.message}`);
         console.log(`     File: ${t.file}\n`);
       });
 
       console.log('[RESPONSE] Recommendations:\n');
-      threats.forEach(t => {
+      deduped.forEach(t => {
         const playbook = getPlaybook(t.type);
         if (playbook) {
           console.log(`  -> ${playbook}\n`);
@@ -285,8 +301,8 @@ async function run(targetPath, options = {}) {
   };
   
   const levelsToCheck = severityLevels[failLevel] || severityLevels.high;
-  const failingThreats = threats.filter(t => levelsToCheck.includes(t.severity));
-  
+  const failingThreats = deduped.filter(t => levelsToCheck.includes(t.severity));
+
   return failingThreats.length;
 }
 

package/src/ioc/data/iocs.json

@@ -17564,7 +17564,7 @@
     "pigS3cr3ts.json"
   ],
   "files": [],
-  "updated": "2026-02-09T23:17:51.587Z",
+  "updated": "2026-02-10T18:17:09.546Z",
   "sources": [
     "shai-hulud-detector",
     "datadog-consolidated",

package/src/scanner/ast.js

@@ -24,10 +24,15 @@ const SENSITIVE_STRINGS = [
   'Goldox-T3chs'
 ];
 
+// Env vars that are safe and should NOT be flagged (common config/runtime vars)
+const SAFE_ENV_VARS = [
+  'NODE_ENV', 'PORT', 'HOST', 'HOSTNAME', 'PWD', 'HOME', 'PATH',
+  'LANG', 'TERM', 'CI', 'DEBUG', 'VERBOSE', 'LOG_LEVEL'
+];
+
 // Env var keywords to detect sensitive environment access (separate from SENSITIVE_STRINGS)
-const ENV_SENSITIVE_VARS = [
-  'TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL',
-  'AUTH', 'NPM', 'AWS', 'GITHUB', 'SSH', 'NPMRC'
+const ENV_SENSITIVE_KEYWORDS = [
+  'TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH'
 ];
 
 // Strings that are NOT suspicious
@@ -134,14 +139,32 @@ function analyzeFile(content, filePath, basePath) {
         node.object?.object?.name === 'process' &&
         node.object?.property?.name === 'env'
       ) {
-        const envVar = node.property?.name;
-        if (envVar && ENV_SENSITIVE_VARS.some(s => envVar.toUpperCase().includes(s))) {
+        // Dynamic access: process.env[variable] — always flag as MEDIUM
+        if (node.computed) {
           threats.push({
             type: 'env_access',
-            severity: 'HIGH',
-            message: `Access to sensitive variable process.env.${envVar}.`,
+            severity: 'MEDIUM',
+            message: 'Dynamic access to process.env (variable key).',
             file: path.relative(basePath, filePath)
           });
+          return;
+        }
+
+        const envVar = node.property?.name;
+        if (envVar) {
+          // Skip safe/common env vars
+          if (SAFE_ENV_VARS.includes(envVar)) {
+            return;
+          }
+          // Flag only vars containing sensitive keywords
+          if (ENV_SENSITIVE_KEYWORDS.some(s => envVar.toUpperCase().includes(s))) {
+            threats.push({
+              type: 'env_access',
+              severity: 'HIGH',
+              message: `Access to sensitive variable process.env.${envVar}.`,
+              file: path.relative(basePath, filePath)
+            });
+          }
         }
       }
     }