muaddib-scanner 1.6.8 → 1.6.9

package/README.fr.md

@@ -202,10 +202,12 @@ muaddib sandbox <nom-package>
 muaddib sandbox <nom-package> --strict
 ```
 
-Analyse un package dans un container Docker isolé. Capture :
-- Connexions réseau (détecte exfiltration vers hosts suspects)
-- Accès fichiers (détecte vol credentials : .npmrc, .ssh, .aws, .env)
-- Spawn de processus (détecte reverse shells, abus curl/wget)
+Analyse un package dans un container Docker isolé avec monitoring multi-couches :
+- **Traçage système** (strace) : accès fichiers, spawn de processus, monitoring syscalls
+- **Capture réseau** (tcpdump) : résolutions DNS avec IPs résolues, requêtes HTTP (méthode, host, path, body), détection TLS SNI
+- **Diff filesystem** : snapshot avant/après install, détecte les fichiers créés dans des emplacements suspects
+- **Détection exfiltration de données** : 16 patterns sensibles (tokens, credentials, clés SSH, clés privées, .env)
+- **Moteur de scoring** : score de risque 0-100 basé sur la sévérité des comportements
 
 Utilisez `--strict` pour bloquer tout trafic réseau sortant non essentiel via iptables.
 

package/README.md

@@ -202,10 +202,12 @@ muaddib sandbox <package-name>
 muaddib sandbox <package-name> --strict
 ```
 
-Analyzes a package in an isolated Docker container. Captures:
-- Network connections (detects exfiltration to suspicious hosts)
-- File access (detects credential theft: .npmrc, .ssh, .aws, .env)
-- Process spawns (detects reverse shells, curl/wget abuse)
+Analyzes a package in an isolated Docker container with multi-layer monitoring:
+- **System tracing** (strace): file access, process spawns, syscall monitoring
+- **Network capture** (tcpdump): DNS resolutions with resolved IPs, HTTP requests (method, host, path, body), TLS SNI detection
+- **Filesystem diff**: snapshot before/after install, detects files created in suspicious locations
+- **Data exfiltration detection**: 16 sensitive patterns (tokens, credentials, SSH keys, private keys, .env)
+- **Scoring engine**: 0-100 risk score based on behavioral severity
 
 Use `--strict` to block all non-essential outbound network traffic via iptables.
 

package/bin/muaddib.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const { execSync } = require('child_process');
+const { exec } = require('child_process');
 const { run } = require('../src/index.js');
 const { updateIOCs } = require('../src/ioc/updater.js');
 const { watch } = require('../src/watch.js');
@@ -23,6 +23,7 @@ let explainMode = false;
 let failLevel = 'high';
 let webhookUrl = null;
 let paranoidMode = false;
+let excludeDirs = [];
 
 for (let i = 0; i < options.length; i++) {
   if (options[i] === '--json') {
@@ -41,6 +42,11 @@ for (let i = 0; i < options.length; i++) {
   } else if (options[i] === '--webhook') {
     webhookUrl = options[i + 1];
     i++;
+  } else if (options[i] === '--exclude') {
+    if (options[i + 1] && !options[i + 1].startsWith('-')) {
+      excludeDirs.push(options[i + 1]);
+      i++;
+    }
   } else if (options[i] === '--paranoid') {
     paranoidMode = true;
   } else if (options[i] === '--strict') {
@@ -50,17 +56,20 @@ for (let i = 0; i < options.length; i++) {
   }
 }
 
-// Version check (non-blocking, skip for machine-readable output)
+// Version check (truly non-blocking, skip for machine-readable output)
 if (!jsonOutput && !sarifOutput) {
   try {
     const currentVersion = require('../package.json').version;
-    const latest = execSync('npm view muaddib-scanner version', { timeout: 5000 }).toString().trim();
-    if (latest !== currentVersion) {
-      console.log(`\n[UPDATE] New version available: ${currentVersion} -> ${latest}`);
-      console.log(`  Run: npm install -g muaddib-scanner@latest\n`);
-    }
+    exec('npm view muaddib-scanner version', { timeout: 5000 }, (err, stdout) => {
+      if (err) return; // No network or npm unavailable
+      const latest = (stdout || '').toString().trim();
+      if (latest && latest !== currentVersion) {
+        console.log(`\n[UPDATE] New version available: ${currentVersion} -> ${latest}`);
+        console.log(`  Run: npm install -g muaddib-scanner@latest\n`);
+      }
+    });
   } catch {
-    // No network or npm unavailable, skip silently
+    // Skip silently
   }
 }
 
@@ -273,6 +282,7 @@ const helpText = `
     --fail-on [level]   Fail level (critical|high|medium|low)
     --webhook [url]     Discord/Slack webhook
     --paranoid          Ultra-strict mode
+    --exclude [dir]     Exclude directory from scan (repeatable)
     --save-dev, -D      Install as dev dependency
     -g, --global        Install globally
     --force             Force install despite threats
@@ -300,9 +310,13 @@ if (command === 'version' || command === '--version' || command === '-v') {
     explain: explainMode,
     failLevel: failLevel,
     webhook: webhookUrl,
-    paranoid: paranoidMode
+    paranoid: paranoidMode,
+    exclude: excludeDirs
   }).then(exitCode => {
     process.exit(exitCode);
+  }).catch(err => {
+    console.error('[ERROR]', err.message);
+    process.exit(1);
   });
 } else if (command === 'watch') {
   watch(target);
@@ -436,7 +450,7 @@ if (command === 'version' || command === '--version' || command === '-v') {
   console.log(helpText);
   process.exit(0);
 } else {
-  console.log(`Unknown command: ${command}`);
+  console.log(`Unknown command: ${String(command).replace(/[\x00-\x1f\x7f-\x9f]/g, '')}`);
   console.log('Type "muaddib help" to see available commands.');
   process.exit(1);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.6.8",
+  "version": "1.6.9",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -52,7 +52,7 @@
   },
   "devDependencies": {
     "@eslint/js": "9.39.2",
-    "eslint": "9.39.2",
+    "eslint": "10.0.0",
     "eslint-plugin-security": "^3.0.1",
     "globals": "17.3.0"
   }

package/src/daemon.js

@@ -3,11 +3,9 @@ const path = require('path');
 const { run } = require('./index.js');
 
 let webhookUrl = null;
-let isRunning = false;
 
 async function startDaemon(options = {}) {
   webhookUrl = options.webhook || null;
-  isRunning = true;
 
   console.log(`
 ╔════════════════════════════════════════════╗
@@ -33,9 +31,8 @@ async function startDaemon(options = {}) {
 
   // Keep process alive until SIGINT
   await new Promise((resolve) => {
-    process.on('SIGINT', () => {
+    process.once('SIGINT', () => {
       console.log('\n[DAEMON] Arret...');
-      isRunning = false;
       cleanup();
       resolve();
     });
@@ -70,6 +67,10 @@ function watchDirectory(dir) {
   }
 
   // Surveille la creation de node_modules
+  if (process.platform === 'linux') {
+    console.log('[DAEMON] Note: recursive fs.watch may not work on Linux');
+  }
+
   const dirWatcher = fs.watch(dir, (eventType, filename) => {
     if (filename === 'node_modules' && eventType === 'rename') {
       const nmPath = path.join(dir, 'node_modules');
@@ -83,6 +84,9 @@ function watchDirectory(dir) {
       triggerScan(dir);
     }
   });
+  dirWatcher.on('error', (err) => {
+    console.log(`[DAEMON] Watcher error on ${dir}: ${err.message}`);
+  });
   watchers.push(dirWatcher);
 
   return watchers;
@@ -96,7 +100,7 @@ function watchFile(filePath, projectDir) {
     return null; // File deleted between existsSync and statSync
   }
 
-  return fs.watch(filePath, (eventType) => {
+  const watcher = fs.watch(filePath, (eventType) => {
     if (eventType === 'change') {
       try {
         const currentMtime = fs.statSync(filePath).mtime.getTime();
@@ -110,36 +114,52 @@ function watchFile(filePath, projectDir) {
       }
     }
   });
+  watcher.on('error', (err) => {
+    console.log(`[DAEMON] Watcher error on ${filePath}: ${err.message}`);
+  });
+  return watcher;
 }
 
 function watchNodeModules(nodeModulesPath, projectDir) {
-  return fs.watch(nodeModulesPath, { recursive: true }, (eventType, filename) => {
+  const watcher = fs.watch(nodeModulesPath, { recursive: true }, (eventType, filename) => {
     if (filename && filename.includes('package.json')) {
       console.log(`[DAEMON] Nouveau package detecte: ${filename}`);
       triggerScan(projectDir);
     }
   });
+  watcher.on('error', (err) => {
+    console.log(`[DAEMON] Watcher error on ${nodeModulesPath}: ${err.message}`);
+  });
+  return watcher;
 }
 
-let scanTimeout = null;
-let lastScanTime = 0;
+// Per-directory scan state to prevent cross-directory scan suppression
+const scanState = new Map();
+
+function getScanState(dir) {
+  if (!scanState.has(dir)) {
+    scanState.set(dir, { timeout: null, lastScanTime: 0 });
+  }
+  return scanState.get(dir);
+}
 
 function triggerScan(dir) {
   const now = Date.now();
-  
+  const state = getScanState(dir);
+
   // Debounce: attend 3 secondes avant de scanner
-  if (scanTimeout) {
-    clearTimeout(scanTimeout);
+  if (state.timeout) {
+    clearTimeout(state.timeout);
   }
 
   // Evite les scans trop frequents (minimum 10 secondes entre chaque)
-  if (now - lastScanTime < 10000) {
-    scanTimeout = setTimeout(() => triggerScan(dir), 10000 - (now - lastScanTime));
+  if (now - state.lastScanTime < 10000) {
+    state.timeout = setTimeout(() => triggerScan(dir), 10000 - (now - state.lastScanTime));
     return;
   }
 
-  scanTimeout = setTimeout(async () => {
-    lastScanTime = Date.now();
+  state.timeout = setTimeout(async () => {
+    state.lastScanTime = Date.now();
     console.log(`\n[DAEMON] ========== SCAN AUTOMATIQUE ==========`);
     console.log(`[DAEMON] Cible: ${dir}`);
     console.log(`[DAEMON] Heure: ${new Date().toLocaleTimeString()}\n`);

package/src/diff.js

@@ -1,4 +1,4 @@
-const { execSync } = require('child_process');
+const { execSync, execFileSync } = require('child_process');
 const { run } = require('./index.js');
 const path = require('path');
 const fs = require('fs');
@@ -18,7 +18,7 @@ function getRecentRefs(targetPath, limit = 10) {
       stdio: ['pipe', 'pipe', 'pipe']
     }).trim().split('\n').filter(Boolean).slice(0, 5);
 
-    const commits = execSync(`git log --oneline -${limit}`, {
+    const commits = execFileSync('git', ['log', '--oneline', `-${Number(limit) || 10}`], {
       cwd: targetPath,
       encoding: 'utf8',
       stdio: ['pipe', 'pipe', 'pipe']
@@ -68,7 +68,7 @@ function resolveRef(targetPath, ref) {
     return null;
   }
   try {
-    return execSync(`git rev-parse ${ref}`, {
+    return execFileSync('git', ['rev-parse', ref], {
       cwd: targetPath,
       encoding: 'utf8',
       stdio: ['pipe', 'pipe', 'pipe']
@@ -106,13 +106,13 @@ function createTempCopyAtCommit(targetPath, commitHash) {
   const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'muaddib-diff-'));
 
   try {
-    // Clone the repo to temp directory (use -- to separate paths from options)
-    execSync(`git clone --quiet -- "${targetPath}" "${tempDir}"`, {
+    // Clone the repo to temp directory (use execFileSync to prevent injection)
+    execFileSync('git', ['clone', '--quiet', '--', targetPath, tempDir], {
       stdio: ['pipe', 'pipe', 'pipe']
     });
 
     // Checkout the specific commit
-    execSync(`git checkout --quiet ${commitHash}`, {
+    execFileSync('git', ['checkout', '--quiet', commitHash], {
       cwd: tempDir,
       stdio: ['pipe', 'pipe', 'pipe']
     });

package/src/hooks-init.js

@@ -29,10 +29,12 @@ function detectHookSystem(targetPath) {
 /**
  * Initialize hooks for a project
  */
+const VALID_MODES = ['scan', 'diff'];
+
 async function initHooks(targetPath, options = {}) {
   const resolvedPath = path.resolve(targetPath);
   const hookType = options.type || 'auto';
-  const mode = options.mode || 'scan'; // 'scan' or 'diff'
+  const mode = VALID_MODES.includes(options.mode) ? options.mode : 'scan';
 
   console.log('\n[MUADDIB] Initializing git hooks...\n');
 
@@ -193,11 +195,23 @@ fi
 exit 0
 `;
 
-  // Backup existing hook
+  // Backup existing hook (limit to 3 backups)
   if (fs.existsSync(preCommitPath)) {
     const backup = `${preCommitPath}.backup.${Date.now()}`;
     fs.copyFileSync(preCommitPath, backup);
     console.log(`[INFO] Backed up existing hook to ${backup}`);
+
+    // Cleanup old backups, keep only 3 most recent
+    try {
+      const hooksDir = path.dirname(preCommitPath);
+      const backups = fs.readdirSync(hooksDir)
+        .filter(f => f.startsWith('pre-commit.backup.'))
+        .sort()
+        .reverse();
+      for (const old of backups.slice(3)) {
+        fs.unlinkSync(path.join(hooksDir, old));
+      }
+    } catch { /* ignore cleanup errors */ }
   }
 
   fs.writeFileSync(preCommitPath, hookContent, { mode: 0o755 });

package/src/index.js

@@ -16,6 +16,7 @@ const path = require('path');
 const { scanGitHubActions } = require('./scanner/github-actions.js');
 const { detectPythonProject, normalizePythonName } = require('./scanner/python.js');
 const { loadCachedIOCs } = require('./ioc/updater.js');
+const { setExtraExcludes, getExtraExcludes } = require('./utils.js');
 
 // ============================================
 // SCORING CONSTANTS
@@ -52,12 +53,16 @@ const RISK_THRESHOLDS = {
 // Maximum score (capped)
 const MAX_RISK_SCORE = 100;
 
+const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+
 // Paranoid mode scanner
 function scanParanoid(targetPath) {
   const threats = [];
 
   function scanFile(filePath) {
     try {
+      const stat = fs.statSync(filePath);
+      if (stat.size > MAX_FILE_SIZE) return;
       const content = fs.readFileSync(filePath, 'utf8');
 
       // Ignore URLs (they often contain patterns like .git)
@@ -81,8 +86,9 @@ function scanParanoid(targetPath) {
     }
   }
 
-  function walkDir(dir) {
-    const excluded = ['node_modules', '.git', 'test', 'tests', 'src', 'vscode-extension', '.muaddib-cache', 'data', 'iocs', 'docker'];
+  function walkDir(dir, depth) {
+    if (depth > 50) return; // Max depth guard (IDX-06)
+    const excluded = ['node_modules', '.git', '.muaddib-cache', ...getExtraExcludes()];
     try {
       const files = fs.readdirSync(dir);
       for (const file of files) {
@@ -94,7 +100,7 @@ function scanParanoid(targetPath) {
 
         if (stat.isDirectory()) {
           if (!excluded.includes(file)) {
-            walkDir(fullPath);
+            walkDir(fullPath, depth + 1);
           }
         } else if (file.endsWith('.js') || file.endsWith('.json') || file.endsWith('.sh')) {
           scanFile(fullPath);
@@ -105,7 +111,7 @@ function scanParanoid(targetPath) {
     }
   }
 
-  walkDir(targetPath);
+  walkDir(targetPath, 0);
   return threats;
 }
 
@@ -187,6 +193,11 @@ function checkPyPITyposquatting(deps, targetPath) {
 }
 
 async function run(targetPath, options = {}) {
+  // Apply --exclude dirs for this scan
+  if (options.exclude && options.exclude.length > 0) {
+    setExtraExcludes(options.exclude);
+  }
+
   // Detect Python project (synchronous, fast file reads)
   const pythonDeps = detectPythonProject(targetPath);
 
@@ -240,7 +251,7 @@ async function run(targetPath, options = {}) {
 
   // Sandbox integration
   let sandboxData = null;
-  if (options.sandboxResult && options.sandboxResult.findings) {
+  if (options.sandboxResult && Array.isArray(options.sandboxResult.findings)) {
     const sr = options.sandboxResult;
     const pkg = sr.raw_report?.package || 'unknown';
     sandboxData = {
@@ -451,7 +462,7 @@ async function run(targetPath, options = {}) {
   }
 
   // Send webhook if configured
-  if (options.webhook && threats.length > 0) {
+  if (options.webhook && enrichedThreats.length > 0) {
     try {
       await sendWebhook(options.webhook, result);
       console.log(`[OK] Alert sent to webhook`);
@@ -472,7 +483,10 @@ async function run(targetPath, options = {}) {
   const levelsToCheck = severityLevels[failLevel] || severityLevels.high;
   const failingThreats = deduped.filter(t => levelsToCheck.includes(t.severity));
 
-  return failingThreats.length;
+  // Clear runtime excludes
+  setExtraExcludes([]);
+
+  return Math.min(failingThreats.length, 125);
 }
 
 module.exports = { run };

package/src/ioc/scraper.js

@@ -118,6 +118,7 @@ function loadStaticIOCs() {
 }
 
 const MAX_REDIRECTS = 5;
+const MAX_RESPONSE_SIZE = 200 * 1024 * 1024; // 200MB
 
 function fetchJSON(url, options = {}, redirectCount = 0) {
   return new Promise((resolve, reject) => {
@@ -135,7 +136,8 @@ function fetchJSON(url, options = {}, redirectCount = 0) {
 
     const req = https.request(reqOptions, (res) => {
       // Handle redirects (with security validation and limit)
-      if (res.statusCode === 301 || res.statusCode === 302) {
+      if ([301, 302, 307, 308].includes(res.statusCode)) {
+        res.resume(); // Drain old response before following redirect
         if (redirectCount >= MAX_REDIRECTS) {
           reject(new Error('Too many redirects'));
           return;
@@ -150,7 +152,16 @@ function fetchJSON(url, options = {}, redirectCount = 0) {
       }
 
       let data = '';
-      res.on('data', chunk => data += chunk);
+      let dataSize = 0;
+      res.on('data', chunk => {
+        dataSize += chunk.length;
+        if (dataSize > MAX_RESPONSE_SIZE) {
+          req.destroy();
+          reject(new Error('Response exceeded maximum size'));
+          return;
+        }
+        data += chunk;
+      });
       res.on('end', () => {
         try {
           resolve({ status: res.statusCode, data: JSON.parse(data) });
@@ -165,11 +176,11 @@ function fetchJSON(url, options = {}, redirectCount = 0) {
       req.destroy();
       reject(new Error('Timeout'));
     });
-    
+
     if (options.body) {
       req.write(JSON.stringify(options.body));
     }
-    
+
     req.end();
   });
 }
@@ -188,7 +199,8 @@ function fetchText(url, redirectCount = 0) {
 
     const req = https.request(reqOptions, (res) => {
       // Handle redirects (with security validation and limit)
-      if (res.statusCode === 301 || res.statusCode === 302) {
+      if ([301, 302, 307, 308].includes(res.statusCode)) {
+        res.resume(); // Drain old response before following redirect
         if (redirectCount >= MAX_REDIRECTS) {
           reject(new Error('Too many redirects'));
           return;
@@ -203,7 +215,16 @@ function fetchText(url, redirectCount = 0) {
       }
 
       let data = '';
-      res.on('data', chunk => data += chunk);
+      let dataSize = 0;
+      res.on('data', chunk => {
+        dataSize += chunk.length;
+        if (dataSize > MAX_RESPONSE_SIZE) {
+          req.destroy();
+          reject(new Error('Response exceeded maximum size'));
+          return;
+        }
+        data += chunk;
+      });
       res.on('end', () => {
         resolve({ status: res.statusCode, data: data });
       });
@@ -232,7 +253,8 @@ function fetchBuffer(url, redirectCount = 0) {
     };
 
     const req = https.request(reqOptions, (res) => {
-      if (res.statusCode === 301 || res.statusCode === 302) {
+      if ([301, 302, 307, 308].includes(res.statusCode)) {
+        res.resume(); // Drain response body before following redirect
         if (redirectCount >= MAX_REDIRECTS) {
           reject(new Error('Too many redirects'));
           return;
@@ -247,12 +269,22 @@ function fetchBuffer(url, redirectCount = 0) {
       }
 
       if (res.statusCode !== 200) {
+        res.resume(); // Drain response body on error
         reject(new Error('HTTP ' + res.statusCode));
         return;
       }
 
       const chunks = [];
-      res.on('data', chunk => chunks.push(chunk));
+      let received = 0;
+      res.on('data', chunk => {
+        received += chunk.length;
+        if (received > MAX_RESPONSE_SIZE) {
+          req.destroy();
+          reject(new Error('Response exceeded maximum size'));
+          return;
+        }
+        chunks.push(chunk);
+      });
       res.on('end', () => resolve(Buffer.concat(chunks)));
     });
 
@@ -283,7 +315,8 @@ function fetchBufferWithProgress(url, label, redirectCount = 0) {
     };
 
     const req = https.request(reqOptions, (res) => {
-      if (res.statusCode === 301 || res.statusCode === 302) {
+      if ([301, 302, 307, 308].includes(res.statusCode)) {
+        res.resume(); // Drain response body before following redirect
         if (redirectCount >= MAX_REDIRECTS) {
           reject(new Error('Too many redirects'));
           return;
@@ -298,6 +331,7 @@ function fetchBufferWithProgress(url, label, redirectCount = 0) {
       }
 
       if (res.statusCode !== 200) {
+        res.resume(); // Drain response body on error
         reject(new Error('HTTP ' + res.statusCode));
         return;
       }
@@ -313,6 +347,12 @@ function fetchBufferWithProgress(url, label, redirectCount = 0) {
       res.on('data', (chunk) => {
         chunks.push(chunk);
         received += chunk.length;
+        if (received > MAX_RESPONSE_SIZE) {
+          req.destroy();
+          spinner.fail('Download exceeded maximum size');
+          reject(new Error('Response exceeded maximum size'));
+          return;
+        }
         const mb = Math.round(received / 1024 / 1024);
         if (totalMb) {
           spinner.update('Downloading ' + label + '... ' + mb + 'MB/' + totalMb + 'MB');
@@ -627,7 +667,7 @@ async function scrapeOSSFMaliciousPackages(knownIds) {
       for (const result of results) {
         if (!result || result.status !== 200 || !result.data) continue;
         const parsed = parseOSVEntry(result.data, 'ossf-malicious');
-        packages.push(...parsed);
+        for (const p of parsed) packages.push(p);
       }
 
       // Progress
@@ -689,7 +729,7 @@ async function scrapeOSVDataDump() {
           const content = entry.getData().toString('utf8');
           const vuln = JSON.parse(content);
           const parsed = parseOSVEntry(vuln, 'osv-malicious');
-          packages.push(...parsed);
+          for (const p of parsed) packages.push(p);
 
           // Track known IDs so OSSF can skip them
           knownIds.add(vuln.id || path.basename(name, '.json'));
@@ -745,7 +785,7 @@ async function scrapeOSVPyPIDataDump() {
           const content = entry.getData().toString('utf8');
           const vuln = JSON.parse(content);
           const parsed = parseOSVEntry(vuln, 'osv-malicious-pypi', 'PyPI');
-          packages.push(...parsed);
+          for (const p of parsed) packages.push(p);
           malCount++;
         } catch {
           // Skip unparseable entries
@@ -1121,15 +1161,19 @@ async function runScraper() {
     'snyk-known'
   ];
 
-  // Save enriched (full) IOCs
+  // Save enriched (full) IOCs — atomic write via .tmp + rename
   const saveSpinner = new Spinner();
   saveSpinner.start('Saving IOCs...');
-  fs.writeFileSync(IOC_FILE, JSON.stringify(existingIOCs, null, 2));
+  const tmpIOCFile = IOC_FILE + '.tmp';
+  fs.writeFileSync(tmpIOCFile, JSON.stringify(existingIOCs, null, 2));
+  fs.renameSync(tmpIOCFile, IOC_FILE);
 
-  // Save compact IOCs (lightweight, shipped in npm)
+  // Save compact IOCs (lightweight, shipped in npm) — atomic write
   saveSpinner.update('Generating compact IOCs...');
   const compactIOCs = generateCompactIOCs(existingIOCs);
-  fs.writeFileSync(COMPACT_IOC_FILE, JSON.stringify(compactIOCs));
+  const tmpCompactFile = COMPACT_IOC_FILE + '.tmp';
+  fs.writeFileSync(tmpCompactFile, JSON.stringify(compactIOCs));
+  fs.renameSync(tmpCompactFile, COMPACT_IOC_FILE);
   saveSpinner.succeed('Saved IOCs + compact format');
 
   // Display summary

package/src/ioc/updater.js

@@ -71,7 +71,10 @@ async function updateIOCs() {
   delete baseIOCs._markerSet;
   delete baseIOCs._fileSet;
 
-  fs.writeFileSync(CACHE_IOC_FILE, JSON.stringify(baseIOCs));
+  // Atomic write: write to .tmp then rename (UP-001)
+  const tmpFile = CACHE_IOC_FILE + '.tmp';
+  fs.writeFileSync(tmpFile, JSON.stringify(baseIOCs));
+  fs.renameSync(tmpFile, CACHE_IOC_FILE);
 
   const totalNpm = baseIOCs.packages.length;
   const totalPyPI = (baseIOCs.pypi_packages || []).length;
@@ -148,7 +151,7 @@ function mergeIOCs(target, source) {
 // Cache to avoid reloading IOCs on each call
 let cachedIOCsResult = null;
 let cachedIOCsTime = 0;
-const CACHE_TTL = 60000; // 1 minute
+const CACHE_TTL = 10000; // 10 seconds
 
 function loadCachedIOCs() {
   // Return cache if still valid
@@ -343,8 +346,11 @@ function expandCompactIOCs(compact) {
   const defaultSev = compact.defaultSeverity || 'critical';
   const overrides = compact.severityOverrides || {};
 
-  // Expand npm wildcards
+  // Expand npm wildcards (deduplicate via Set)
+  const seenWildcards = new Set();
   for (const name of compact.wildcards || []) {
+    if (seenWildcards.has(name)) continue;
+    seenWildcards.add(name);
     const severity = (overrides[name] && overrides[name]['*']) || defaultSev;
     packages.push({ name: name, version: '*', severity: severity });
   }
@@ -381,4 +387,9 @@ function expandCompactIOCs(compact) {
   };
 }
 
-module.exports = { updateIOCs, loadCachedIOCs, generateCompactIOCs, expandCompactIOCs };
+function invalidateCache() {
+  cachedIOCsResult = null;
+  cachedIOCsTime = 0;
+}
+
+module.exports = { updateIOCs, loadCachedIOCs, invalidateCache, generateCompactIOCs, expandCompactIOCs };