muaddib-scanner 1.7.0 → 1.8.1

package/README.fr.md

@@ -283,7 +283,7 @@ Ajoutez à `.pre-commit-config.yaml` :
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v1.6.11
+    rev: v1.8.0
     hooks:
       - id: muaddib-scan        # Scanner toutes les menaces
       # - id: muaddib-diff      # Ou: seulement les nouvelles
@@ -313,6 +313,10 @@ muaddib init-hooks --type git
 # Crée .git/hooks/pre-commit
 ```
 
+### Moniteur Zero-Day
+
+MUAD'DIB intègre un moniteur zero-day capable de scanner chaque nouveau package npm et PyPI en temps réel avec analyse sandbox Docker et alertes webhook.
+
 ### Version check
 
 MUAD'DIB vérifie automatiquement les nouvelles versions au démarrage et vous notifie si une mise à jour est disponible.
@@ -504,6 +508,7 @@ MUAD'DIB Scanner
 +-- GitHub Actions Scanner
 +-- Paranoid Mode (ultra-strict)
 +-- Docker Sandbox (behavioral analysis, network capture)
++-- Moniteur Zero-Day (polling RSS npm + PyPI, alertes Discord, rapport quotidien)
 |
 v
 Dataflow Analysis (credential read -> network send)
@@ -547,9 +552,10 @@ npm test
 
 ### Tests
 
-- **296 tests unitaires/intégration** - 80% coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
+- **326 tests unitaires/intégration** - 80% coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
 - **56 tests de fuzzing** - YAML malformé, JSON invalide, fichiers binaires, ReDoS, unicode, inputs 10MB
 - **15 tests adversariaux** - Packages malveillants simulés, taux de détection 15/15
+- **8 tests multi-facteur typosquat** - Cas limites et comportement cache
 - **Audit ESLint sécurité** - `eslint-plugin-security` avec 14 règles activées
 
 ---

package/README.md

@@ -283,7 +283,7 @@ Add to `.pre-commit-config.yaml`:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v1.6.18
+    rev: v1.8.0
     hooks:
       - id: muaddib-scan        # Scan all threats
       # - id: muaddib-diff      # Or: only new threats
@@ -313,6 +313,10 @@ muaddib init-hooks --type git
 # Creates .git/hooks/pre-commit
 ```
 
+### Zero-Day Monitor
+
+MUAD'DIB includes a continuous zero-day monitor capable of scanning every new npm and PyPI package in real-time with Docker sandbox analysis and webhook alerting.
+
 ### Version check
 
 MUAD'DIB automatically checks for new versions on startup and notifies you if an update is available.
@@ -510,6 +514,7 @@ MUAD'DIB Scanner
 |
 +-- Paranoid Mode (ultra-strict)
 +-- Docker Sandbox (behavioral analysis, network capture)
++-- Zero-Day Monitor (npm + PyPI RSS polling, Discord alerts, daily report)
 |
 v
 Dataflow Analysis (credential read -> network send)
@@ -553,9 +558,10 @@ npm test
 
 ### Testing
 
-- **316 unit/integration tests** - 80% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
+- **326 unit/integration tests** - 80% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
 - **56 fuzz tests** - Malformed YAML, invalid JSON, binary files, ReDoS, unicode, 10MB inputs
 - **15 adversarial tests** - Simulated malicious packages, 15/15 detection rate
+- **8 multi-factor typosquat tests** - Edge cases and cache behavior
 - **False positive validation** - 0 false positives on express, lodash, axios, react
 - **ESLint security audit** - `eslint-plugin-security` with 14 rules enabled
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.7.0",
+  "version": "1.8.1",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/ioc/scraper.js

@@ -5,7 +5,7 @@ const AdmZip = require('adm-zip');
 
 const IOC_FILE = path.join(__dirname, 'data/iocs.json');
 const COMPACT_IOC_FILE = path.join(__dirname, 'data/iocs-compact.json');
-const STATIC_IOCS_FILE = path.join(__dirname, 'data/static-iocs.json');
+const STATIC_IOCS_FILE = path.join(__dirname, '../../data/static-iocs.json');
 const { generateCompactIOCs } = require('./updater.js');
 const { Spinner } = require('../utils.js');
 

package/src/monitor.js

@@ -21,9 +21,13 @@ const stats = {
   suspect: 0,
   errors: 0,
   totalTimeMs: 0,
-  lastReportTime: Date.now()
+  lastReportTime: Date.now(),
+  lastDailyReportTime: Date.now()
 };
 
+// Track daily suspects for the daily report (name, version, ecosystem, findingsCount)
+const dailyAlerts = [];
+
 // --- Scan queue (FIFO, sequential) ---
 
 const scanQueue = [];
@@ -76,17 +80,43 @@ function buildMonitorWebhookPayload(name, version, ecosystem, result, sandboxRes
   return payload;
 }
 
+function computeRiskLevel(summary) {
+  if (summary.critical > 0) return 'CRITICAL';
+  if (summary.high > 0) return 'HIGH';
+  if (summary.medium > 0) return 'MEDIUM';
+  if (summary.low > 0) return 'LOW';
+  return 'CLEAN';
+}
+
+function computeRiskScore(summary) {
+  const raw = (summary.critical || 0) * 25
+            + (summary.high || 0) * 15
+            + (summary.medium || 0) * 5
+            + (summary.low || 0) * 1;
+  return Math.min(raw, 100);
+}
+
 async function trySendWebhook(name, version, ecosystem, result, sandboxResult) {
   if (!shouldSendWebhook(result, sandboxResult)) return;
   const url = getWebhookUrl();
   const payload = buildMonitorWebhookPayload(name, version, ecosystem, result, sandboxResult);
-  // sendWebhook expects a results-like object; wrap payload for formatGeneric
   const webhookData = {
     target: `${ecosystem}/${name}@${version}`,
     timestamp: payload.timestamp,
-    summary: result.summary,
+    ecosystem,
+    summary: {
+      ...result.summary,
+      riskLevel: computeRiskLevel(result.summary),
+      riskScore: computeRiskScore(result.summary)
+    },
     threats: result.threats
   };
+  if (sandboxResult && sandboxResult.score > 0) {
+    webhookData.sandbox = {
+      score: sandboxResult.score,
+      severity: sandboxResult.severity
+    };
+  }
   try {
     await sendWebhook(url, webhookData);
     console.log(`[MONITOR] Webhook sent for ${name}@${version}`);
@@ -102,11 +132,11 @@ function loadState() {
     const raw = fs.readFileSync(STATE_FILE, 'utf8');
     const state = JSON.parse(raw);
     return {
-      npmLastKey: typeof state.npmLastKey === 'number' ? state.npmLastKey : 0,
+      npmLastPackage: typeof state.npmLastPackage === 'string' ? state.npmLastPackage : '',
       pypiLastPackage: typeof state.pypiLastPackage === 'string' ? state.pypiLastPackage : ''
     };
   } catch {
-    return { npmLastKey: 0, pypiLastPackage: '' };
+    return { npmLastPackage: '', pypiLastPackage: '' };
   }
 }
 
@@ -264,6 +294,19 @@ function appendAlert(alert) {
   }
 }
 
+// --- Bundled tooling false-positive filter ---
+
+const KNOWN_BUNDLED_FILES = ['yarn.js', 'webpack.js', 'terser.js', 'esbuild.js', 'polyfills.js'];
+
+function isBundledToolingOnly(threats) {
+  if (threats.length === 0) return false;
+  return threats.every(t => {
+    if (!t.file) return false;
+    const basename = path.basename(t.file);
+    return KNOWN_BUNDLED_FILES.includes(basename);
+  });
+}
+
 // --- Package scanning ---
 
 async function scanPackage(name, version, ecosystem, tarballUrl) {
@@ -294,53 +337,78 @@ async function scanPackage(name, version, ecosystem, tarballUrl) {
       stats.clean++;
       console.log(`[MONITOR] CLEAN: ${name}@${version} (0 findings, ${(elapsed / 1000).toFixed(1)}s)`);
     } else {
-      stats.suspect++;
       const counts = [];
       if (result.summary.critical > 0) counts.push(`${result.summary.critical} CRITICAL`);
       if (result.summary.high > 0) counts.push(`${result.summary.high} HIGH`);
       if (result.summary.medium > 0) counts.push(`${result.summary.medium} MEDIUM`);
       if (result.summary.low > 0) counts.push(`${result.summary.low} LOW`);
-      console.log(`[MONITOR] SUSPECT: ${name}@${version} (${counts.join(', ')})`);
-
-      // Sandbox: run dynamic analysis on HIGH/CRITICAL findings
-      let sandboxResult = null;
-      if (hasHighOrCritical(result) && isSandboxEnabled() && sandboxAvailable) {
-        try {
-          console.log(`[MONITOR] SANDBOX: launching for ${name}@${version}...`);
-          sandboxResult = await runSandbox(name);
-          console.log(`[MONITOR] SANDBOX: ${name}@${version} → score: ${sandboxResult.score}, severity: ${sandboxResult.severity}`);
-        } catch (err) {
-          console.error(`[MONITOR] SANDBOX error for ${name}@${version}: ${err.message}`);
-        }
-      }
 
-      stats.scanned++;
-      const elapsed = Date.now() - startTime;
-      stats.totalTimeMs += elapsed;
-      console.log(`[MONITOR] ${name}@${version} total time: ${(elapsed / 1000).toFixed(1)}s`);
+      // Check if all findings come from bundled tooling files
+      if (isBundledToolingOnly(result.threats)) {
+        stats.scanned++;
+        const elapsed = Date.now() - startTime;
+        stats.totalTimeMs += elapsed;
+        stats.clean++;
+        console.log(`[MONITOR] SKIPPED (bundled tooling): ${name}@${version} (${counts.join(', ')})`);
+
+        const alert = {
+          timestamp: new Date().toISOString(),
+          name,
+          version,
+          ecosystem,
+          skipped: true,
+          findings: result.threats.map(t => ({
+            rule: t.rule_id || t.type,
+            severity: t.severity,
+            file: t.file
+          }))
+        };
+        appendAlert(alert);
+      } else {
+        stats.suspect++;
+        console.log(`[MONITOR] SUSPECT: ${name}@${version} (${counts.join(', ')})`);
+
+        // Sandbox: run dynamic analysis on HIGH/CRITICAL findings
+        let sandboxResult = null;
+        if (hasHighOrCritical(result) && isSandboxEnabled() && sandboxAvailable) {
+          try {
+            console.log(`[MONITOR] SANDBOX: launching for ${name}@${version}...`);
+            sandboxResult = await runSandbox(name);
+            console.log(`[MONITOR] SANDBOX: ${name}@${version} → score: ${sandboxResult.score}, severity: ${sandboxResult.severity}`);
+          } catch (err) {
+            console.error(`[MONITOR] SANDBOX error for ${name}@${version}: ${err.message}`);
+          }
+        }
 
-      const alert = {
-        timestamp: new Date().toISOString(),
-        name,
-        version,
-        ecosystem,
-        findings: result.threats.map(t => ({
-          rule: t.rule_id || t.type,
-          severity: t.severity,
-          file: t.file
-        }))
-      };
-
-      if (sandboxResult && sandboxResult.score > 0) {
-        alert.sandbox = {
-          score: sandboxResult.score,
-          severity: sandboxResult.severity,
-          findings: sandboxResult.findings
+        stats.scanned++;
+        const elapsed = Date.now() - startTime;
+        stats.totalTimeMs += elapsed;
+        console.log(`[MONITOR] ${name}@${version} total time: ${(elapsed / 1000).toFixed(1)}s`);
+
+        const alert = {
+          timestamp: new Date().toISOString(),
+          name,
+          version,
+          ecosystem,
+          findings: result.threats.map(t => ({
+            rule: t.rule_id || t.type,
+            severity: t.severity,
+            file: t.file
+          }))
         };
-      }
 
-      appendAlert(alert);
-      await trySendWebhook(name, version, ecosystem, result, sandboxResult);
+        if (sandboxResult && sandboxResult.score > 0) {
+          alert.sandbox = {
+            score: sandboxResult.score,
+            severity: sandboxResult.severity,
+            findings: sandboxResult.findings
+          };
+        }
+
+        appendAlert(alert);
+        dailyAlerts.push({ name, version, ecosystem, findingsCount: result.summary.total });
+        await trySendWebhook(name, version, ecosystem, result, sandboxResult);
+      }
     }
   } catch (err) {
     stats.errors++;
@@ -364,7 +432,7 @@ async function processQueue() {
     const item = scanQueue.shift();
     try {
       await Promise.race([
-        scanPackage(item.name, item.version, item.ecosystem, item.tarballUrl),
+        resolveTarballAndScan(item),
         timeoutPromise(SCAN_TIMEOUT_MS)
       ]);
     } catch (err) {
@@ -382,71 +450,140 @@ function reportStats() {
   stats.lastReportTime = Date.now();
 }
 
-// --- npm polling ---
+const DAILY_REPORT_INTERVAL = 24 * 3600_000; // 24 hours
 
-/**
- * Parse the npm /-/all/since response.
- * Returns array of { name, version, tarball } and the max timestamp seen.
- */
-function parseNpmResponse(body) {
-  let data;
+function buildDailyReportEmbed() {
+  const avg = stats.scanned > 0 ? (stats.totalTimeMs / stats.scanned / 1000).toFixed(1) : '0.0';
+
+  // Top 3 suspects sorted by findings count descending
+  const top3 = dailyAlerts
+    .slice()
+    .sort((a, b) => b.findingsCount - a.findingsCount)
+    .slice(0, 3);
+
+  const top3Text = top3.length > 0
+    ? top3.map((a, i) => `${i + 1}. **${a.ecosystem}/${a.name}@${a.version}** — ${a.findingsCount} finding(s)`).join('\n')
+    : 'None';
+
+  const now = new Date();
+  const readableTime = now.toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC');
+
+  return {
+    embeds: [{
+      title: '\uD83D\uDCCA MUAD\'DIB Daily Report',
+      color: 0x3498db,
+      fields: [
+        { name: 'Packages Scanned', value: `${stats.scanned}`, inline: true },
+        { name: 'Clean', value: `${stats.clean}`, inline: true },
+        { name: 'Suspects', value: `${stats.suspect}`, inline: true },
+        { name: 'Errors', value: `${stats.errors}`, inline: true },
+        { name: 'Avg Scan Time', value: `${avg}s/pkg`, inline: true },
+        { name: 'Top Suspects', value: top3Text, inline: false }
+      ],
+      footer: {
+        text: `MUAD'DIB - Daily summary | ${readableTime}`
+      },
+      timestamp: now.toISOString()
+    }]
+  };
+}
+
+async function sendDailyReport() {
+  const url = getWebhookUrl();
+  if (!url) return;
+
+  const payload = buildDailyReportEmbed();
   try {
-    data = JSON.parse(body);
-  } catch {
-    return { packages: [], maxTimestamp: 0 };
+    await sendWebhook(url, payload, { rawPayload: true });
+    console.log('[MONITOR] Daily report sent');
+  } catch (err) {
+    console.error(`[MONITOR] Daily report webhook failed: ${err.message}`);
   }
 
+  // Reset daily counters
+  stats.scanned = 0;
+  stats.clean = 0;
+  stats.suspect = 0;
+  stats.errors = 0;
+  stats.totalTimeMs = 0;
+  dailyAlerts.length = 0;
+  stats.lastDailyReportTime = Date.now();
+}
+
+// --- npm polling ---
+
+/**
+ * Parse npm RSS XML (same regex approach as parsePyPIRss).
+ * Returns array of package names from <title> tags inside <item>.
+ */
+function parseNpmRss(xml) {
   const packages = [];
-  let maxTimestamp = 0;
-
-  // The response is an object keyed by package name.
-  // Each value has name, "dist-tags", time, etc.
-  // There is a special "_updated" key with the latest timestamp.
-  for (const key of Object.keys(data)) {
-    if (key === '_updated') {
-      const ts = Number(data[key]);
-      if (ts > maxTimestamp) maxTimestamp = ts;
-      continue;
+  const itemRegex = /<item>([\s\S]*?)<\/item>/g;
+  let match;
+  while ((match = itemRegex.exec(xml)) !== null) {
+    const itemContent = match[1];
+    const titleMatch = itemContent.match(/<title>([^<]+)<\/title>/);
+    if (titleMatch) {
+      const title = titleMatch[1].trim();
+      const name = title.split(/\s+/)[0];
+      if (name) {
+        packages.push(name);
+      }
     }
-    const pkg = data[key];
-    if (!pkg || typeof pkg !== 'object' || !pkg.name) continue;
-    const version = (pkg['dist-tags'] && pkg['dist-tags'].latest) || '';
-    const tarball = (pkg.dist && pkg.dist.tarball) || '';
-    packages.push({ name: pkg.name, version, tarball });
   }
+  return packages;
+}
 
-  return { packages, maxTimestamp };
+/**
+ * Fetch latest version metadata for an npm package.
+ * Returns { version, tarball } or null on failure.
+ */
+async function getNpmLatestTarball(packageName) {
+  const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`;
+  const body = await httpsGet(url);
+  const data = JSON.parse(body);
+  const version = data.version || '';
+  const tarball = (data.dist && data.dist.tarball) || null;
+  return { version, tarball };
 }
 
 async function pollNpm(state) {
-  // First run: use "now - 120s" so we don't get the entire registry
-  const startKey = state.npmLastKey || (Date.now() - 120_000);
-  const url = `https://registry.npmjs.org/-/all/since?stale=update_after&startkey=${startKey}`;
+  const url = 'https://registry.npmjs.org/-/rss?descending=true&limit=50';
 
   try {
     const body = await httpsGet(url);
-    const { packages, maxTimestamp } = parseNpmResponse(body);
-
-    for (const pkg of packages) {
-      console.log(`[MONITOR] New npm: ${pkg.name}@${pkg.version}`);
-      if (pkg.tarball) {
-        scanQueue.push({
-          name: pkg.name,
-          version: pkg.version,
-          ecosystem: 'npm',
-          tarballUrl: pkg.tarball
-        });
+    const packages = parseNpmRss(body);
+
+    // Find new packages (those after the last seen one)
+    let newPackages;
+    if (!state.npmLastPackage) {
+      newPackages = packages;
+    } else {
+      const lastIdx = packages.indexOf(state.npmLastPackage);
+      if (lastIdx === -1) {
+        newPackages = packages;
+      } else {
+        newPackages = packages.slice(0, lastIdx);
       }
     }
 
-    if (maxTimestamp > 0) {
-      state.npmLastKey = maxTimestamp;
-    } else if (packages.length > 0) {
-      // Fallback: advance timestamp to now
-      state.npmLastKey = Date.now();
+    for (const name of newPackages) {
+      console.log(`[MONITOR] New npm: ${name}`);
+      // Queue npm packages — tarball URL resolved during scan
+      scanQueue.push({
+        name,
+        version: '',
+        ecosystem: 'npm',
+        tarballUrl: null // resolved lazily via resolveTarballAndScan
+      });
+    }
+
+    // Remember the most recent package (first in RSS)
+    if (packages.length > 0) {
+      state.npmLastPackage = packages[0];
     }
 
-    return packages.length;
+    return newPackages.length;
   } catch (err) {
     console.error(`[MONITOR] npm poll error: ${err.message}`);
     return 0;
@@ -550,7 +687,7 @@ async function startMonitor() {
   }
 
   const state = loadState();
-  console.log(`[MONITOR] State loaded — npm startKey: ${state.npmLastKey || 'none'}, pypi last: ${state.pypiLastPackage || 'none'}`);
+  console.log(`[MONITOR] State loaded — npm last: ${state.npmLastPackage || 'none'}, pypi last: ${state.pypiLastPackage || 'none'}`);
   console.log(`[MONITOR] Polling every ${POLL_INTERVAL / 1000}s. Ctrl+C to stop.\n`);
 
   let running = true;
@@ -582,6 +719,11 @@ async function startMonitor() {
     if (Date.now() - stats.lastReportTime >= 3600_000) {
       reportStats();
     }
+
+    // Daily webhook report
+    if (Date.now() - stats.lastDailyReportTime >= DAILY_REPORT_INTERVAL) {
+      await sendDailyReport();
+    }
   }
 }
 
@@ -603,6 +745,21 @@ async function poll(state) {
  * For PyPI packages, we need to fetch the JSON API to get the tarball URL.
  */
 async function resolveTarballAndScan(item) {
+  if (item.ecosystem === 'npm' && !item.tarballUrl) {
+    try {
+      const npmInfo = await getNpmLatestTarball(item.name);
+      if (!npmInfo.tarball) {
+        console.log(`[MONITOR] SKIP: ${item.name} — no tarball URL found on npm`);
+        return;
+      }
+      item.tarballUrl = npmInfo.tarball;
+      if (npmInfo.version) item.version = npmInfo.version;
+    } catch (err) {
+      console.error(`[MONITOR] ERROR resolving npm tarball for ${item.name}: ${err.message}`);
+      stats.errors++;
+      return;
+    }
+  }
   if (item.ecosystem === 'pypi' && !item.tarballUrl) {
     try {
       const pypiInfo = await getPyPITarballUrl(item.name);
@@ -627,7 +784,7 @@ function sleep(ms) {
 
 module.exports = {
   startMonitor,
-  parseNpmResponse,
+  parseNpmRss,
   parsePyPIRss,
   loadState,
   saveState,
@@ -636,6 +793,7 @@ module.exports = {
   downloadToFile,
   extractTarGz,
   getNpmTarballUrl,
+  getNpmLatestTarball,
   getPyPITarballUrl,
   scanPackage,
   scanQueue,
@@ -644,8 +802,11 @@ module.exports = {
   timeoutPromise,
   reportStats,
   stats,
+  dailyAlerts,
   resolveTarballAndScan,
   MAX_TARBALL_SIZE,
+  KNOWN_BUNDLED_FILES,
+  isBundledToolingOnly,
   isSandboxEnabled,
   hasHighOrCritical,
   get sandboxAvailable() { return sandboxAvailable; },
@@ -653,7 +814,12 @@ module.exports = {
   getWebhookUrl,
   shouldSendWebhook,
   buildMonitorWebhookPayload,
-  trySendWebhook
+  trySendWebhook,
+  computeRiskLevel,
+  computeRiskScore,
+  buildDailyReportEmbed,
+  sendDailyReport,
+  DAILY_REPORT_INTERVAL
 };
 
 // Standalone entry point: node src/monitor.js

package/src/response/playbooks.js

@@ -125,6 +125,13 @@ const PLAYBOOKS = {
   ssh_key_read:
     'Lecture des cles SSH. Regenerer immediatement toutes les cles: ssh-keygen -t ed25519',
 
+  python_reverse_shell:
+    'CRITIQUE: Reverse shell Python detecte. Machine potentiellement compromise. Isoler immediatement.',
+  perl_reverse_shell:
+    'CRITIQUE: Reverse shell Perl detecte. Machine potentiellement compromise. Isoler immediatement.',
+  fifo_reverse_shell:
+    'CRITIQUE: Reverse shell FIFO/named pipe detecte. Machine potentiellement compromise. Isoler immediatement.',
+
   shai_hulud_backdoor:
     'CRITIQUE: Backdoor Shai-Hulud dans GitHub Actions. Supprimer le workflow et auditer les runs precedents.',
 

package/src/rules/index.js

@@ -347,6 +347,33 @@ const RULES = {
     references: ['https://attack.mitre.org/techniques/T1552/004/'],
     mitre: 'T1552.004'
   },
+  python_reverse_shell: {
+    id: 'MUADDIB-SHELL-010',
+    name: 'Python Reverse Shell',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Reverse shell via python -c import socket detecte',
+    references: ['https://attack.mitre.org/techniques/T1059/004/'],
+    mitre: 'T1059.006'
+  },
+  perl_reverse_shell: {
+    id: 'MUADDIB-SHELL-011',
+    name: 'Perl Reverse Shell',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Reverse shell via perl -e socket detecte',
+    references: ['https://attack.mitre.org/techniques/T1059/004/'],
+    mitre: 'T1059.006'
+  },
+  fifo_reverse_shell: {
+    id: 'MUADDIB-SHELL-012',
+    name: 'FIFO Reverse Shell',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Reverse shell via mkfifo /dev/tcp detecte',
+    references: ['https://attack.mitre.org/techniques/T1059/004/'],
+    mitre: 'T1059.004'
+  },
 
   // AST additional patterns
   possible_obfuscation: {