muaddib-scanner 2.10.101 → 2.11.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.101",
+  "version": "2.11.1",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -55,8 +55,8 @@
   },
   "devDependencies": {
     "@eslint/js": "10.0.1",
-    "eslint": "10.2.0",
+    "eslint": "10.2.1",
     "eslint-plugin-security": "^4.0.0",
-    "globals": "17.4.0"
+    "globals": "17.5.0"
   }
 }

package/src/integrations/api-ingest.js

@@ -0,0 +1,222 @@
+/**
+ * api-ingest.js — Real-time alert push from monitor to muad-api.
+ *
+ * The monitor calls sendIngest() whenever it decides to fire a Discord
+ * webhook. Fire-and-forget: errors are logged but never block the caller.
+ *
+ * Required env:
+ *   MUADDIB_API_URL    Base URL of muad-api (e.g. https://api.example.com)
+ *   MUADDIB_INGEST_TOKEN  Static shared secret matching the API's INGEST_TOKEN
+ *
+ * Both unset = ingest disabled silently (the monitor still works on its own).
+ */
+
+const https = require('https');
+const http = require('http');
+const dns = require('dns');
+
+const PRIVATE_IP_PATTERNS = [
+  /^127\./,
+  /^10\./,
+  /^172\.(1[6-9]|2[0-9]|3[0-1])\./,
+  /^192\.168\./,
+  /^0\./,
+  /^169\.254\./,
+  /^::1$/,
+  /^::ffff:127\./,
+  /^fc00:/,
+  /^fe80:/
+];
+
+const REQUEST_TIMEOUT_MS = 5000;
+const MAX_FINDINGS = 200;
+const MAX_FINDING_LENGTH = 500;
+
+function getApiUrl() {
+  const url = process.env.MUADDIB_API_URL;
+  return url && url.trim() ? url.replace(/\/$/, '') : null;
+}
+
+function getIngestToken() {
+  return process.env.MUADDIB_INGEST_TOKEN || null;
+}
+
+function isIngestConfigured() {
+  return Boolean(getApiUrl() && getIngestToken());
+}
+
+function isLocalHostname(hostname) {
+  return hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1';
+}
+
+function validateApiUrl(url) {
+  let urlObj;
+  try {
+    urlObj = new URL(url);
+  } catch (e) {
+    return { valid: false, error: `Invalid URL: ${e.message}` };
+  }
+  const hostname = urlObj.hostname.toLowerCase();
+  const local = isLocalHostname(hostname);
+  if (urlObj.protocol !== 'https:' && !local) {
+    return { valid: false, error: 'HTTPS required for non-localhost API' };
+  }
+  if (urlObj.protocol !== 'https:' && urlObj.protocol !== 'http:') {
+    return { valid: false, error: `Unsupported protocol: ${urlObj.protocol}` };
+  }
+  if (!local && PRIVATE_IP_PATTERNS.some(p => p.test(hostname))) {
+    return { valid: false, error: 'Private IP not allowed' };
+  }
+  return { valid: true, urlObj, local };
+}
+
+/**
+ * Normalize a threat severity into the API's allowed enum.
+ * API accepts only CRITICAL|HIGH|MEDIUM|LOW. CLEAN/unknown -> LOW.
+ */
+function normalizeSeverity(level) {
+  switch ((level || '').toUpperCase()) {
+    case 'CRITICAL':
+      return 'CRITICAL';
+    case 'HIGH':
+      return 'HIGH';
+    case 'MEDIUM':
+      return 'MEDIUM';
+    default:
+      return 'LOW';
+  }
+}
+
+function computeSeverityFromSummary(summary) {
+  if (!summary) return 'LOW';
+  if (summary.riskLevel) return normalizeSeverity(summary.riskLevel);
+  const score = summary.riskScore || 0;
+  if (score >= 75) return 'CRITICAL';
+  if (score >= 50) return 'HIGH';
+  if (score >= 25) return 'MEDIUM';
+  return 'LOW';
+}
+
+function buildIngestPayload(name, version, result) {
+  const summary = (result && result.summary) || {};
+  const threats = (result && Array.isArray(result.threats)) ? result.threats : [];
+
+  const findings = threats
+    .slice(0, MAX_FINDINGS)
+    .map(t => {
+      const raw = t.message || t.rule_id || t.type || 'unknown';
+      return String(raw).slice(0, MAX_FINDING_LENGTH);
+    })
+    .filter(s => s.length > 0);
+
+  const breakdown = Array.isArray(summary.breakdown) ? summary.breakdown : undefined;
+
+  const payload = {
+    package: name,
+    version: version || 'unknown',
+    score: Math.max(0, Math.min(100, summary.riskScore || 0)),
+    severity: computeSeverityFromSummary(summary),
+    findings
+  };
+  if (breakdown !== undefined) payload.breakdown = breakdown;
+  return payload;
+}
+
+async function resolveAndCheck(hostname, allowPrivate) {
+  if (allowPrivate) {
+    return null;
+  }
+  const [v4, v6] = await Promise.all([
+    dns.promises.resolve4(hostname).catch(() => []),
+    dns.promises.resolve6(hostname).catch(() => [])
+  ]);
+  const all = [...v4, ...v6];
+  if (all.length === 0) {
+    throw new Error(`DNS resolution failed for ${hostname}`);
+  }
+  for (const addr of all) {
+    if (PRIVATE_IP_PATTERNS.some(p => p.test(addr))) {
+      throw new Error(`Hostname ${hostname} resolves to private IP ${addr}`);
+    }
+  }
+  return v4[0] || null;
+}
+
+function postOnce(targetUrl, body, token, resolvedAddress) {
+  return new Promise((resolve, reject) => {
+    const urlObj = new URL(targetUrl);
+    const proto = urlObj.protocol === 'https:' ? https : http;
+    const options = {
+      hostname: resolvedAddress || urlObj.hostname,
+      port: urlObj.port || (urlObj.protocol === 'https:' ? 443 : 80),
+      path: urlObj.pathname + urlObj.search,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(body),
+        'Authorization': `Bearer ${token}`,
+        'Host': urlObj.hostname
+      },
+      servername: urlObj.hostname
+    };
+
+    const req = proto.request(options, (res) => {
+      let size = 0;
+      res.on('data', chunk => {
+        size += chunk.length;
+        if (size > 64 * 1024) res.destroy();
+      });
+      res.on('end', () => {
+        if (res.statusCode >= 200 && res.statusCode < 300) {
+          resolve({ status: res.statusCode });
+        } else {
+          reject(new Error(`HTTP ${res.statusCode}`));
+        }
+      });
+    });
+    req.setTimeout(REQUEST_TIMEOUT_MS, () => {
+      req.destroy();
+      reject(new Error(`Timeout after ${REQUEST_TIMEOUT_MS}ms`));
+    });
+    req.on('error', reject);
+    req.write(body);
+    req.end();
+  });
+}
+
+/**
+ * Push an alert to muad-api. Fire-and-forget: never throws.
+ * Returns { ok: true, status } or { ok: false, error }.
+ */
+async function sendIngest(name, version, result) {
+  if (!isIngestConfigured()) return { ok: false, error: 'not_configured' };
+
+  const apiUrl = getApiUrl();
+  const token = getIngestToken();
+  const validation = validateApiUrl(apiUrl);
+  if (!validation.valid) {
+    console.error(`[INGEST] Invalid MUADDIB_API_URL: ${validation.error}`);
+    return { ok: false, error: validation.error };
+  }
+
+  const target = `${apiUrl}/alerts/ingest`;
+  const payload = buildIngestPayload(name, version, result);
+  const body = JSON.stringify(payload);
+
+  try {
+    const resolved = await resolveAndCheck(validation.urlObj.hostname, validation.local);
+    const res = await postOnce(target, body, token, resolved);
+    return { ok: true, status: res.status };
+  } catch (err) {
+    console.error(`[INGEST] ${name}@${version}: ${err.message}`);
+    return { ok: false, error: err.message };
+  }
+}
+
+module.exports = {
+  sendIngest,
+  buildIngestPayload,
+  computeSeverityFromSummary,
+  isIngestConfigured,
+  validateApiUrl
+};

package/src/ioc/scraper.js

@@ -1037,7 +1037,8 @@ async function runScraper() {
     scrapeDatadogIOCs(),
     scrapeOSSFMaliciousPackages(osvResult.knownIds),
     scrapeGitHubAdvisory(),
-    scrapeOSVPyPIDataDump()
+    scrapeOSVPyPIDataDump(),
+    scrapeAikidoMalwareFeed()
   ]);
 
   const shaiHuludResult = results[0];
@@ -1045,6 +1046,7 @@ async function runScraper() {
   const ossfPackages = results[2];
   const githubPackages = results[3];
   const pypiPackages = results[4];
+  const aikidoResult = results[5];
 
   // Log aggregated warnings
   if (_noVersionSkipCount > 0) {
@@ -1057,7 +1059,8 @@ async function runScraper() {
     ...shaiHuludResult.packages,
     ...datadogResult.packages,
     ...ossfPackages,
-    ...githubPackages
+    ...githubPackages,
+    ...aikidoResult.packages
   ];
 
   // Merge all hashes
@@ -1069,7 +1072,7 @@ async function runScraper() {
   // Smart deduplication: build map of best entry per key
   // For duplicates, keep the one with highest confidence, then most recent date
   const dedupSpinner = new Spinner();
-  dedupSpinner.start('Deduplicating ' + allPackages.length + ' npm + ' + pypiPackages.length + ' PyPI entries...');
+  dedupSpinner.start('Deduplicating ' + allPackages.length + ' npm + ' + (pypiPackages.length + (aikidoResult.pypi_packages || []).length) + ' PyPI entries...');
   const dedupMap = new Map();
 
   // Seed with existing IOCs (with sanitization of stale comma-in-version entries)
@@ -1091,11 +1094,34 @@ async function runScraper() {
     dedupMap.set(key, pkg);
   }
 
-  // Merge new IOCs with smart replacement (with input validation)
+  // Merge new IOCs with smart replacement (with input validation).
+  // Source-aware: each entry accumulates a `sources: [{name, added_at}]` array
+  // tracking every feed that reported this (name, version). A package
+  // reported by >= 3 distinct sources is treated as confidence-max
+  // (used by `getSourceConfidence` for webhook gating).
   let addedPackages = 0;
   let upgradedPackages = 0;
   let skippedInvalid = 0;
   let skippedNeverWildcard = 0;
+  function appendSource(target, pkg) {
+    if (!Array.isArray(target.sources)) target.sources = [];
+    const newSrc = pkg.source || (pkg.freshness && pkg.freshness.source) || 'unknown';
+    if (!target.sources.some(s => s.name === newSrc)) {
+      target.sources.push({
+        name: newSrc,
+        added_at: (pkg.freshness && pkg.freshness.added_at) || pkg.published || new Date().toISOString()
+      });
+    }
+  }
+  function seedSources(pkg) {
+    if (!Array.isArray(pkg.sources)) {
+      const src = pkg.source || (pkg.freshness && pkg.freshness.source) || 'unknown';
+      pkg.sources = [{
+        name: src,
+        added_at: (pkg.freshness && pkg.freshness.added_at) || pkg.published || new Date().toISOString()
+      }];
+    }
+  }
   for (const pkg of allPackages) {
     if (!validateIOCEntry(pkg.name, pkg.version, 'npm')) {
       skippedInvalid++;
@@ -1108,21 +1134,28 @@ async function runScraper() {
     }
     const key = pkg.name + '@' + pkg.version;
     if (!dedupMap.has(key)) {
+      seedSources(pkg);
       dedupMap.set(key, pkg);
       addedPackages++;
     } else {
       const existing = dedupMap.get(key);
+      // Always accumulate source attribution before any replacement decision.
+      seedSources(existing);
+      appendSource(existing, pkg);
       const existingConf = CONFIDENCE_ORDER[existing.confidence] || 0;
       const newConf = CONFIDENCE_ORDER[pkg.confidence] || 0;
       if (newConf > existingConf) {
-        dedupMap.set(key, pkg);
+        // Replace with the higher-confidence entry but preserve the merged sources list
+        const mergedSources = existing.sources;
+        dedupMap.set(key, Object.assign({}, pkg, { sources: mergedSources }));
         upgradedPackages++;
       } else if (newConf === existingConf) {
         // Same confidence: keep most recent
         const existingDate = existing.published || (existing.freshness && existing.freshness.added_at) || '';
         const newDate = pkg.published || (pkg.freshness && pkg.freshness.added_at) || '';
         if (newDate > existingDate) {
-          dedupMap.set(key, pkg);
+          const mergedSources = existing.sources;
+          dedupMap.set(key, Object.assign({}, pkg, { sources: mergedSources }));
           upgradedPackages++;
         }
       }
@@ -1139,21 +1172,27 @@ async function runScraper() {
     pypiDedupMap.set(key, pkg);
   }
   let addedPyPIPackages = 0;
-  for (const pkg of pypiPackages) {
+  // Merge Aikido PyPI feed into the same loop
+  const allPyPIPackages = pypiPackages.concat(aikidoResult.pypi_packages || []);
+  for (const pkg of allPyPIPackages) {
     if (!validateIOCEntry(pkg.name, pkg.version, 'pypi')) {
       skippedInvalid++;
       continue;
     }
     const key = pkg.name + '@' + pkg.version;
     if (!pypiDedupMap.has(key)) {
+      seedSources(pkg);
       pypiDedupMap.set(key, pkg);
       addedPyPIPackages++;
     } else {
       const existing = pypiDedupMap.get(key);
+      seedSources(existing);
+      appendSource(existing, pkg);
       const existingConf = CONFIDENCE_ORDER[existing.confidence] || 0;
       const newConf = CONFIDENCE_ORDER[pkg.confidence] || 0;
       if (newConf > existingConf) {
-        pypiDedupMap.set(key, pkg);
+        const mergedSources = existing.sources;
+        pypiDedupMap.set(key, Object.assign({}, pkg, { sources: mergedSources }));
       }
     }
   }
@@ -1298,6 +1337,80 @@ async function runScraper() {
   };
 }
 
+// ============================================
+// SOURCE 6: Aikido Open Source Malware Feed (npm + PyPI)
+// Free flat JSON feed at malware-list.aikido.dev. Each entry:
+//   { package_name, version, reason: 'MALWARE'|'TELEMETRY'|'PROTESTWARE' }
+// Source: https://github.com/AikidoSec/safe-chain (open-source consumer)
+// ============================================
+async function scrapeAikidoMalwareFeed() {
+  console.log('[SCRAPER] Aikido Open Source Malware Feed...');
+  const npmPackages = [];
+  const pypiPackages = [];
+
+  // npm
+  try {
+    const { status, data } = await fetchJSON('https://malware-list.aikido.dev/malware_predictions.json');
+    if (status === 200 && Array.isArray(data)) {
+      for (const entry of data) {
+        if (!entry || typeof entry.package_name !== 'string') continue;
+        // Only keep MALWARE; TELEMETRY/PROTESTWARE are policy decisions, not security
+        if (entry.reason !== 'MALWARE') continue;
+        const ver = (entry.version && entry.version !== '') ? String(entry.version) : '*';
+        npmPackages.push({
+          id: 'AIKIDO-' + entry.package_name + '-' + ver,
+          name: entry.package_name,
+          version: ver,
+          severity: 'critical',
+          confidence: 'high',
+          source: 'aikido',
+          description: 'Flagged by Aikido Open Source Malware Feed',
+          references: ['https://malware-list.aikido.dev/malware_predictions.json',
+                       'https://www.aikido.dev/code/malware-detection-in-dependencies'],
+          mitre: 'T1195.002',
+          freshness: createFreshness('aikido', 'high')
+        });
+      }
+      console.log('[SCRAPER]   ' + npmPackages.length + ' npm MALWARE entries from Aikido');
+    } else {
+      console.log('[SCRAPER]   Aikido npm feed: HTTP ' + status);
+    }
+  } catch (e) {
+    console.log('[SCRAPER]   Aikido npm error: ' + e.message);
+  }
+
+  // PyPI
+  try {
+    const { status, data } = await fetchJSON('https://malware-list.aikido.dev/malware_pypi.json');
+    if (status === 200 && Array.isArray(data)) {
+      for (const entry of data) {
+        if (!entry || typeof entry.package_name !== 'string') continue;
+        if (entry.reason !== 'MALWARE') continue;
+        const ver = (entry.version && entry.version !== '') ? String(entry.version) : '*';
+        pypiPackages.push({
+          id: 'AIKIDO-PYPI-' + entry.package_name + '-' + ver,
+          name: entry.package_name,
+          version: ver,
+          severity: 'critical',
+          confidence: 'high',
+          source: 'aikido',
+          description: 'Flagged by Aikido Open Source Malware Feed',
+          references: ['https://malware-list.aikido.dev/malware_pypi.json'],
+          mitre: 'T1195.002',
+          freshness: createFreshness('aikido', 'high')
+        });
+      }
+      console.log('[SCRAPER]   ' + pypiPackages.length + ' PyPI MALWARE entries from Aikido');
+    } else {
+      console.log('[SCRAPER]   Aikido PyPI feed: HTTP ' + status);
+    }
+  } catch (e) {
+    console.log('[SCRAPER]   Aikido PyPI error: ' + e.message);
+  }
+
+  return { packages: npmPackages, pypi_packages: pypiPackages };
+}
+
 // ============================================
 // SOURCE 5: OSV.dev Lightweight API
 // Used by `muaddib update` (fast, no zip download)
@@ -1388,9 +1501,36 @@ async function queryOSVBatch(packageNames) {
 function getNoVersionSkipCount() { return _noVersionSkipCount; }
 function resetNoVersionSkipCount() { _noVersionSkipCount = 0; }
 
+/**
+ * Source-aware confidence: a package reported by N distinct feeds is more
+ * confident than one reported by a single source. Used by webhook gating
+ * and the /diff command to prioritize multi-confirmed alerts.
+ *
+ * Tiers:
+ *   N >= 3 → 'high'   (cross-confirmed, alert immediately)
+ *   N === 2 → 'medium' (single-corroboration, alert with sandbox confirm)
+ *   N <= 1 → 'low'    (single-feed only, log + sandbox before alert)
+ *
+ * @param {object} pkg - IOC package entry (with optional `sources` array)
+ * @returns {{ tier: 'high'|'medium'|'low', count: number, sources: string[] }}
+ */
+function getSourceConfidence(pkg) {
+  if (!pkg) return { tier: 'low', count: 0, sources: [] };
+  const sources = Array.isArray(pkg.sources) && pkg.sources.length > 0
+    ? pkg.sources.map(s => s.name || 'unknown')
+    : [pkg.source || (pkg.freshness && pkg.freshness.source) || 'unknown'];
+  const unique = Array.from(new Set(sources));
+  let tier = 'low';
+  if (unique.length >= 3) tier = 'high';
+  else if (unique.length === 2) tier = 'medium';
+  return { tier, count: unique.length, sources: unique };
+}
+
 module.exports = {
   runScraper, scrapeShaiHuludDetector, scrapeDatadogIOCs,
+  scrapeAikidoMalwareFeed,
   scrapeOSVLightweightAPI, queryOSVBatch,
+  getSourceConfidence,
   // Pure utility functions (exported for testing)
   parseCSVLine, parseCSV, extractVersions, parseOSVEntry,
   createFreshness, isAllowedRedirect,

package/src/ioc/updater.js

@@ -136,7 +136,9 @@ function mergeIOCs(target, source) {
     target._hashSet = new Set(target.hashes);
     target._markerSet = new Set(target.markers);
     target._fileSet = new Set(target.files);
+    target._stringIocSet = new Set((target.stringIocs || []).map(s => s.string));
   }
+  if (!target.stringIocs) target.stringIocs = [];
 
   let added = 0;
 
@@ -184,6 +186,16 @@ function mergeIOCs(target, source) {
     }
   }
 
+  // Merge string IOCs (YARA-style)
+  for (const sIoc of source.stringIocs || []) {
+    const literal = sIoc && typeof sIoc.string === 'string' ? sIoc.string : null;
+    if (!literal) continue;
+    if (!target._stringIocSet.has(literal)) {
+      target.stringIocs.push(sIoc);
+      target._stringIocSet.add(literal);
+    }
+  }
+
   return added;
 }
 
@@ -207,7 +219,9 @@ function loadCachedIOCs() {
     pypi_packages: [],
     hashes: yamlIOCs.hashes.map(function(h) { return h.sha256; }),
     markers: yamlIOCs.markers.map(function(m) { return m.pattern; }),
-    files: yamlIOCs.files.map(function(f) { return f.name; })
+    files: yamlIOCs.files.map(function(f) { return f.name; }),
+    // string-IOCs from string-iocs.yaml (YARA-style high-precision artifacts)
+    stringIocs: Array.isArray(yamlIOCs.stringIocs) ? [...yamlIOCs.stringIocs] : []
   };
 
   // Priority 2a: Local scraped IOCs (full enriched file)
@@ -349,6 +363,11 @@ function createOptimizedIOCs(iocs) {
   // Set for suspicious files
   const filesSet = new Set(iocs.files);
 
+  // String IOCs (YARA-style): keep both array (for metadata) and Map keyed by string
+  // for O(1) campaign lookup once a substring match has been confirmed.
+  const stringIocsArr = Array.isArray(iocs.stringIocs) ? iocs.stringIocs : [];
+  const stringIocsMap = new Map(stringIocsArr.map(s => [s.string, s]));
+
   return {
     // Optimized structures (npm)
     packagesMap,
@@ -360,6 +379,9 @@ function createOptimizedIOCs(iocs) {
     hashesSet,
     markersSet,
     filesSet,
+    // String IOCs (YARA-style)
+    stringIocs: stringIocsArr,
+    stringIocsMap,
     // Original arrays for compatibility
     packages: iocs.packages,
     pypi_packages: iocs.pypi_packages || [],

package/src/ioc/yaml-loader.js

@@ -34,7 +34,10 @@ function loadYAMLIOCs() {
     packages: [],
     hashes: [],
     markers: [],
-    files: []
+    files: [],
+    // string-IOCs (YARA-style high-precision artifacts) — see iocs/string-iocs.yaml
+    // Each entry: { string, campaign, severity, source, description }
+    stringIocs: []
   };
 
   // Dedup sets for O(1) lookup during loading
@@ -42,6 +45,7 @@ function loadYAMLIOCs() {
   const seenHashes = new Set();
   const seenMarkers = new Set();
   const seenFiles = new Set();
+  const seenStrings = new Set();
 
   // Charger packages.yaml
   loadPackagesYAML(path.join(IOCS_DIR, 'packages.yaml'), iocs, seenPkgs);
@@ -52,9 +56,53 @@ function loadYAMLIOCs() {
   // Charger hashes.yaml
   loadHashesYAML(path.join(IOCS_DIR, 'hashes.yaml'), iocs, seenHashes, seenMarkers, seenFiles);
 
+  // Charger string-iocs.yaml (YARA-style)
+  loadStringIocsYAML(path.join(IOCS_DIR, 'string-iocs.yaml'), iocs, seenStrings);
+
   return iocs;
 }
 
+/**
+ * Load YARA-style string IOCs from string-iocs.yaml.
+ * Each entry must satisfy the inclusion criteria documented in that file:
+ *   - length >= 6 chars
+ *   - confirmed in >= 1 sample malware
+ *   - absent from benign corpus
+ *   - unique enough that substring match is decisive
+ * Length floor enforced here (defense-in-depth) — anything shorter is dropped
+ * silently with a single warning to avoid spamming the console.
+ */
+function loadStringIocsYAML(filePath, iocs, seenStrings) {
+  if (!fs.existsSync(filePath)) return;
+  const MIN_STRING_LEN = 6;
+  let dropped = 0;
+
+  try {
+    const data = yaml.load(readVerifiedYAML(filePath), { schema: yaml.JSON_SCHEMA });
+    if (!data || !Array.isArray(data.strings)) return;
+
+    for (const s of data.strings) {
+      if (!s || typeof s.string !== 'string') { dropped++; continue; }
+      const literal = s.string;
+      if (literal.length < MIN_STRING_LEN) { dropped++; continue; }
+      if (seenStrings.has(literal)) continue;
+      seenStrings.add(literal);
+      iocs.stringIocs.push({
+        string: literal,
+        campaign: typeof s.campaign === 'string' ? s.campaign : 'unknown',
+        severity: (s.severity === 'HIGH' || s.severity === 'MEDIUM') ? s.severity : 'CRITICAL',
+        source: typeof s.source === 'string' ? s.source : '',
+        description: typeof s.description === 'string' ? s.description : ''
+      });
+    }
+    if (dropped > 0) {
+      console.error(`[WARN] string-iocs.yaml: ${dropped} entries dropped (missing string field or below ${MIN_STRING_LEN} chars)`);
+    }
+  } catch (e) {
+    console.error('[WARN] Erreur parsing string-iocs.yaml:', e.message);
+  }
+}
+
 function loadPackagesYAML(filePath, iocs, seenPkgs) {
   if (!fs.existsSync(filePath)) return;
 

package/src/monitor/webhook.js

@@ -9,6 +9,7 @@ const fs = require('fs');
 const path = require('path');
 
 const { sendWebhook } = require('../webhook.js');
+const { sendIngest, isIngestConfigured } = require('../integrations/api-ingest.js');
 const {
   atomicWriteFileSync,
   ALERTS_LOG_DIR,
@@ -451,6 +452,12 @@ async function trySendWebhook(name, version, ecosystem, result, sandboxResult, m
     alertedPackageRules.set(name, new Set(currentRules));
   }
 
+  // Push to muad-api dashboard (fire-and-forget, fires once per unique package
+  // even when scope grouping batches the Discord webhook).
+  if (isIngestConfigured()) {
+    sendIngest(name, version, result).catch(() => {});
+  }
+
   // Scope grouping: buffer scoped npm packages for grouped webhook
   const scope = extractScope(name);
   if (scope && ecosystem === 'npm') {