npm - muaddib-scanner - Versions diffs - 1.6.13 → 1.6.15 - Mend

muaddib-scanner 1.6.13 → 1.6.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.fr.md CHANGED Viewed

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="MUADDIBLOGO.png" alt="MUAD'DIB Logo" width="200">
+  <img src="assets/logo2removebg.png" alt="MUAD'DIB Logo" width="200">
 </p>
 <h1 align="center">MUAD'DIB</h1>
@@ -387,6 +387,7 @@ Détecte les patterns malveillants dans les fichiers YAML `.github/workflows/`,
 | Reverse shell | T1059.004 | Pattern |
 | Dead man's switch | T1485 | Pattern |
 | Code obfusqué | T1027 | Heuristiques |
+| Analyse entropie Shannon | T1027 | Calcul d'entropie |
 | Typosquatting (npm + PyPI) | T1195.002 | Levenshtein |
 | Supply chain compromise | T1195.002 | IOC matching |
 | Package PyPI malveillant | T1195.002 | IOC matching |
@@ -503,6 +504,7 @@ MUAD'DIB Scanner
 +-- Pattern Matching (shell, scripts)
 +-- Typosquat Detection (npm + PyPI, Levenshtein)
 +-- Python Scanner (requirements.txt, setup.py, pyproject.toml)
++-- Analyse Entropie Shannon
 +-- GitHub Actions Scanner
 +-- Paranoid Mode (ultra-strict)
 +-- Docker Sandbox (behavioral analysis, network capture)

package/README.md CHANGED Viewed

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="MUADDIBLOGO.png" alt="MUAD'DIB Logo" width="200">
+  <img src="assets/logo2removebg.png" alt="MUAD'DIB Logo" width="200">
 </p>
 <h1 align="center">MUAD'DIB</h1>
@@ -387,6 +387,7 @@ Detects malicious patterns in `.github/workflows/` YAML files, including Shai-Hu
 | Reverse shell | T1059.004 | Pattern |
 | Dead man's switch | T1485 | Pattern |
 | Obfuscated code | T1027 | Heuristics |
+| Shannon entropy analysis | T1027 | Entropy calculation |
 | Typosquatting (npm + PyPI) | T1195.002 | Levenshtein |
 | Supply chain compromise | T1195.002 | IOC matching |
 | PyPI malicious package | T1195.002 | IOC matching |
@@ -503,6 +504,7 @@ MUAD'DIB Scanner
 +-- Pattern Matching (shell, scripts)
 +-- Typosquat Detection (npm + PyPI, Levenshtein)
 +-- Python Scanner (requirements.txt, setup.py, pyproject.toml)
++-- Shannon Entropy Analysis
 +-- GitHub Actions Scanner
 +-- Paranoid Mode (ultra-strict)
 +-- Docker Sandbox (behavioral analysis, network capture)

package/assets/logo.png ADDED Viewed

Binary file

package/assets/logo2removebg.png ADDED Viewed

Binary file

package/logo2removebg.png ADDED Viewed

Binary file

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.6.13",
+  "version": "1.6.15",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js CHANGED Viewed

@@ -16,6 +16,7 @@ const path = require('path');
 const { scanGitHubActions } = require('./scanner/github-actions.js');
 const { detectPythonProject, normalizePythonName } = require('./scanner/python.js');
 const { loadCachedIOCs } = require('./ioc/updater.js');
+const { scanEntropy } = require('./scanner/entropy.js');
 const { setExtraExcludes, getExtraExcludes } = require('./utils.js');
 // ============================================
@@ -213,7 +214,8 @@ async function run(targetPath, options = {}) {
     typosquatThreats,
     ghActionsThreats,
     pythonThreats,
-    pypiTyposquatThreats
+    pypiTyposquatThreats,
+    entropyThreats
   ] = await Promise.all([
     scanPackageJson(targetPath),
     scanShellScripts(targetPath),
@@ -225,7 +227,8 @@ async function run(targetPath, options = {}) {
     scanTyposquatting(targetPath),
     Promise.resolve(scanGitHubActions(targetPath)),
     Promise.resolve(matchPythonIOCs(pythonDeps, targetPath)),
-    Promise.resolve(checkPyPITyposquatting(pythonDeps, targetPath))
+    Promise.resolve(checkPyPITyposquatting(pythonDeps, targetPath)),
+    Promise.resolve(scanEntropy(targetPath))
   ]);
   const threats = [
@@ -239,7 +242,8 @@ async function run(targetPath, options = {}) {
     ...typosquatThreats,
     ...ghActionsThreats,
     ...pythonThreats,
-    ...pypiTyposquatThreats
+    ...pypiTyposquatThreats,
+    ...entropyThreats
   ];
   // Paranoid mode

package/src/response/playbooks.js CHANGED Viewed

@@ -147,6 +147,11 @@ const PLAYBOOKS = {
     'Package lance des processus inconnus lors de l\'installation. Verifier les commandes executees.',
   sandbox_timeout:
     'CRITIQUE: Le container sandbox a depasse le timeout. Possible boucle infinie ou consommation de ressources.',
+  high_entropy_string:
+    'Chaine a haute entropie detectee. Verifier si c\'est du base64, hex, ou un payload chiffre. Analyser le contexte d\'utilisation.',
+  high_entropy_file:
+    'Fichier avec entropie elevee. Peut etre du code obfusque ou des donnees encodees. Analyser manuellement dans un environnement isole.',
 };
 function getPlaybook(threatType) {

package/src/rules/index.js CHANGED Viewed

@@ -461,6 +461,26 @@ const RULES = {
     references: ['https://attack.mitre.org/techniques/T1499/'],
     mitre: 'T1499'
   },
+  // Entropy detections
+  high_entropy_string: {
+    id: 'MUADDIB-ENTROPY-001',
+    name: 'High Entropy String',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Chaine a haute entropie detectee (base64, hex, payload chiffre). Souvent signe d\'obfuscation ou de donnees encodees.',
+    references: ['https://attack.mitre.org/techniques/T1027/'],
+    mitre: 'T1027'
+  },
+  high_entropy_file: {
+    id: 'MUADDIB-ENTROPY-002',
+    name: 'High Entropy File',
+    severity: 'MEDIUM',
+    confidence: 'low',
+    description: 'Fichier JS avec entropie globale elevee. Peut contenir du code obfusque, des payloads encodes ou des donnees compressees.',
+    references: ['https://attack.mitre.org/techniques/T1027/'],
+    mitre: 'T1027'
+  },
 };
 function getRule(type) {

package/src/scanner/entropy.js ADDED Viewed

@@ -0,0 +1,121 @@
+const fs = require('fs');
+const path = require('path');
+const { findFiles } = require('../utils.js');
+const ENTROPY_EXCLUDED_DIRS = ['.git', '.muaddib-cache'];
+const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+// Minimum string length to analyze (short strings naturally have low entropy)
+const MIN_STRING_LENGTH = 50;
+// Thresholds
+const FILE_ENTROPY_THRESHOLD = 5.5;
+const STRING_ENTROPY_MEDIUM = 5.5;
+const STRING_ENTROPY_HIGH = 6.5;
+/**
+ * Calculate Shannon entropy of a string.
+ * Returns a value between 0 (completely uniform) and log2(alphabet_size).
+ * For byte data, max is 8 bits.
+ * @param {string} str - Input string
+ * @returns {number} Entropy in bits (0-8)
+ */
+function calculateShannonEntropy(str) {
+  if (!str || str.length === 0) return 0;
+  const freq = {};
+  for (let i = 0; i < str.length; i++) {
+    const ch = str[i];
+    freq[ch] = (freq[ch] || 0) + 1;
+  }
+  const len = str.length;
+  let entropy = 0;
+  for (const ch in freq) {
+    const p = freq[ch] / len;
+    if (p > 0) {
+      entropy -= p * Math.log2(p);
+    }
+  }
+  return entropy;
+}
+/**
+ * Extract string literals from JS source code via regex.
+ * Matches single-quoted, double-quoted, and backtick strings.
+ * @param {string} content - JS source code
+ * @returns {string[]} Array of string contents (without quotes)
+ */
+function extractStringLiterals(content) {
+  const strings = [];
+  // Match "...", '...', `...` — non-greedy, no newlines for single/double
+  const regex = /(?:"([^"\\]*(?:\\.[^"\\]*)*)"|'([^'\\]*(?:\\.[^'\\]*)*)'|`([^`\\]*(?:\\.[^`\\]*)*)`)/g;
+  let match;
+  while ((match = regex.exec(content)) !== null) {
+    const str = match[1] || match[2] || match[3];
+    if (str) strings.push(str);
+  }
+  return strings;
+}
+/**
+ * Scan JavaScript files for high-entropy content (base64, hex, encrypted payloads).
+ * Follows the same pattern as detectObfuscation().
+ * @param {string} targetPath - Directory to scan
+ * @returns {Array} threats
+ */
+function scanEntropy(targetPath) {
+  const threats = [];
+  const files = findFiles(targetPath, { extensions: ['.js'], excludedDirs: ENTROPY_EXCLUDED_DIRS });
+  for (const file of files) {
+    // Size guard
+    try {
+      const stat = fs.statSync(file);
+      if (stat.size > MAX_FILE_SIZE) continue;
+    } catch {
+      continue;
+    }
+    let content;
+    try {
+      content = fs.readFileSync(file, 'utf8');
+    } catch {
+      continue;
+    }
+    const relativePath = path.relative(targetPath, file);
+    // File-level entropy check
+    const fileEntropy = calculateShannonEntropy(content);
+    if (fileEntropy > FILE_ENTROPY_THRESHOLD) {
+      threats.push({
+        type: 'high_entropy_file',
+        severity: 'MEDIUM',
+        message: `High entropy file (${fileEntropy.toFixed(2)} bits) — possibly obfuscated or encoded content`,
+        file: relativePath
+      });
+    }
+    // String-level entropy check
+    const strings = extractStringLiterals(content);
+    for (const str of strings) {
+      if (str.length < MIN_STRING_LENGTH) continue;
+      const strEntropy = calculateShannonEntropy(str);
+      if (strEntropy > STRING_ENTROPY_MEDIUM) {
+        const severity = strEntropy > STRING_ENTROPY_HIGH ? 'HIGH' : 'MEDIUM';
+        threats.push({
+          type: 'high_entropy_string',
+          severity,
+          message: `High entropy string (${strEntropy.toFixed(2)} bits, ${str.length} chars) — possible base64/hex/encrypted payload`,
+          file: relativePath
+        });
+      }
+    }
+  }
+  return threats;
+}
+module.exports = { scanEntropy, calculateShannonEntropy };