muaddib-scanner 2.10.2 → 2.10.3

package/bin/muaddib.js

@@ -34,6 +34,7 @@ let noDeobfuscate = false;
 let noModuleGraph = false;
 let noReachability = false;
 let configPath = null;
+let autoSandbox = false;
 let feedLimit = null;
 let feedSeverity = null;
 let feedSince = null;
@@ -137,6 +138,8 @@ for (let i = 0; i < options.length; i++) {
     }
     configPath = cfgPath;
     i++;
+  } else if (options[i] === '--auto-sandbox') {
+    autoSandbox = true;
   } else if (options[i] === '--temporal') {
     temporalMode = true;
   } else if (options[i] === '--limit') {
@@ -429,6 +432,7 @@ const helpText = `
     --temporal-publish  Detect publish frequency anomalies (bursts, dormant spikes)
     --temporal-maintainer  Detect maintainer changes (new maintainer, account takeover)
     --temporal-full     All temporal analyses (lifecycle + AST + publish + maintainer)
+    --auto-sandbox      Auto-trigger sandbox when static scan score >= 20 (requires Docker)
     --no-canary         Disable honey token injection in sandbox
     --no-deobfuscate    Disable deobfuscation pre-processing
     --no-module-graph   Disable cross-file dataflow analysis
@@ -482,7 +486,8 @@ if (command === 'version' || command === '--version' || command === '-v') {
     noDeobfuscate: noDeobfuscate,
     noModuleGraph: noModuleGraph,
     noReachability: noReachability,
-    configPath: configPath
+    configPath: configPath,
+    autoSandbox: autoSandbox
   }).then(exitCode => {
     process.exit(exitCode);
   }).catch(err => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.2",
+  "version": "2.10.3",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/canary-tokens.js

@@ -71,6 +71,55 @@ function createCanaryNpmrc(tokens) {
   return `//registry.npmjs.org/:_authToken=${tokens.NPM_AUTH_TOKEN}\n`;
 }
 
+/**
+ * Generate fake AWS credentials file content.
+ * Format matches ~/.aws/credentials (INI format, format-valid key IDs).
+ * @param {Record<string, string>} tokens - The token map from generateCanaryTokens()
+ * @returns {string} AWS credentials file content
+ */
+function createCanaryAwsCredentials(tokens) {
+  return [
+    '[default]',
+    `aws_access_key_id = ${tokens.AWS_ACCESS_KEY_ID}`,
+    `aws_secret_access_key = ${tokens.AWS_SECRET_ACCESS_KEY}`,
+    'region = us-east-1',
+    ''
+  ].join('\n');
+}
+
+/**
+ * Generate a fake SSH private key (Ed25519 format).
+ * The key is structurally valid PEM but cryptographically meaningless.
+ * Malware that reads ~/.ssh/id_rsa or id_ed25519 will exfiltrate this.
+ * @returns {string} Fake SSH private key content
+ */
+function createCanarySshKey() {
+  const fakeKeyData = crypto.randomBytes(64).toString('base64');
+  return [
+    '-----BEGIN OPENSSH PRIVATE KEY-----',
+    fakeKeyData.substring(0, 70),
+    fakeKeyData.substring(0, 70),
+    '-----END OPENSSH PRIVATE KEY-----',
+    ''
+  ].join('\n');
+}
+
+/**
+ * Generate a fake .gitconfig with user identity.
+ * Malware fingerprinting the developer will exfiltrate this.
+ * @returns {string} Fake .gitconfig content
+ */
+function createCanaryGitconfig() {
+  return [
+    '[user]',
+    '\tname = John Developer',
+    '\temail = john.dev@company-internal.example.com',
+    '[credential]',
+    '\thelper = store',
+    ''
+  ].join('\n');
+}
+
 /**
  * Search for canary tokens in network logs from sandbox.
  * Network log structure matches sandbox.js report.network:
@@ -199,6 +248,9 @@ module.exports = {
   generateCanaryTokens,
   createCanaryEnvFile,
   createCanaryNpmrc,
+  createCanaryAwsCredentials,
+  createCanarySshKey,
+  createCanaryGitconfig,
   detectCanaryExfiltration,
   detectCanaryInOutput
 };

package/src/index.js

@@ -523,6 +523,35 @@ async function run(targetPath, options = {}) {
     threats.push(...temporalThreats);
   }
 
+  // Auto-sandbox: trigger sandbox analysis when static scan detects threats.
+  // Preliminary score estimate: count CRITICAL/HIGH threats as a quick heuristic.
+  // Only when --auto-sandbox flag is set, no explicit sandboxResult, and Docker available.
+  if (options.autoSandbox && !options.sandboxResult) {
+    const critCount = threats.filter(t => t.severity === 'CRITICAL').length;
+    const highCount = threats.filter(t => t.severity === 'HIGH').length;
+    const prelimScore = Math.min(100, critCount * 25 + highCount * 10);
+    if (prelimScore >= 20) {
+      try {
+        const { isDockerAvailable, buildSandboxImage, runSandbox } = require('./sandbox/index.js');
+        if (isDockerAvailable()) {
+          console.log(`\n[AUTO-SANDBOX] Preliminary score ~${prelimScore} >= 20 — triggering sandbox analysis...`);
+          const built = await buildSandboxImage();
+          if (built) {
+            const sbResult = await runSandbox(targetPath, { local: true, strict: false });
+            if (sbResult && Array.isArray(sbResult.findings)) {
+              options.sandboxResult = sbResult;
+            }
+          }
+        } else {
+          debugLog('[AUTO-SANDBOX] Docker not available — skipping sandbox');
+        }
+      } catch (e) {
+        debugLog('[AUTO-SANDBOX] Error:', e && e.message);
+        // Graceful fallback — sandbox is best-effort
+      }
+    }
+  }
+
   // Sandbox integration
   let sandboxData = null;
   if (options.sandboxResult && Array.isArray(options.sandboxResult.findings)) {

package/src/response/playbooks.js

@@ -585,6 +585,11 @@ const PLAYBOOKS = {
     'Le malware est cache derriere une indirection: package.json → node setup.js → payload malveillant. ' +
     'NE PAS installer. Supprimer le package immediatement. Auditer le fichier reference.',
 
+  uncaught_exception_exfil:
+    'CRITIQUE: Exfiltration silencieuse via process.on("uncaughtException"). ' +
+    'Le handler intercepte les erreurs pour envoyer les credentials (process.env) a un serveur externe. ' +
+    'Regenerer immediatement tous les secrets. Supprimer le package. Auditer les connexions sortantes.',
+
   websocket_credential_exfil:
     'CRITIQUE: Exfiltration de credentials via canal non-HTTP (WebSocket, MQTT, Socket.io). ' +
     'Les proxies HTTP ne detectent pas ce trafic. Regenerer immediatement tous les secrets exposes. ' +

package/src/rules/index.js

@@ -1719,6 +1719,18 @@ const RULES = {
     ],
     mitre: 'T1041'
   },
+  uncaught_exception_exfil: {
+    id: 'MUADDIB-COMPOUND-008',
+    name: 'Uncaught Exception Handler Credential Exfiltration',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'process.on("uncaughtException") combine avec acces aux variables d\'environnement sensibles et appel reseau. Technique d\'exfiltration silencieuse: le handler intercepte les erreurs pour envoyer les credentials a un serveur externe sans interruption du processus.',
+    references: [
+      'https://attack.mitre.org/techniques/T1041/',
+      'https://nodejs.org/api/process.html#event-uncaughtexception'
+    ],
+    mitre: 'T1041'
+  },
   suspicious_module_sink: {
     id: 'MUADDIB-FLOW-005',
     name: 'Non-HTTP Network Module Sink',

package/src/sandbox/index.js

@@ -6,6 +6,9 @@ const {
   generateCanaryTokens,
   createCanaryEnvFile,
   createCanaryNpmrc,
+  createCanaryAwsCredentials,
+  createCanarySshKey,
+  createCanaryGitconfig,
   detectCanaryExfiltration,
   detectCanaryInOutput
 } = require('../canary-tokens.js');
@@ -154,10 +157,15 @@ async function runSingleSandbox(packageName, options = {}) {
     let timedOut = false;
     const containerName = `npm-audit-${Date.now()}-${crypto.randomBytes(4).toString('hex')}`;
 
+    // Realistic hostname to evade sandbox detection (T1497.001)
+    // Default Docker hostname is a 12-char hex hash — easily fingerprinted.
+    const fakeHostname = `dev-laptop-${crypto.randomBytes(2).toString('hex')}`;
+
     const dockerArgs = [
       'run',
       '--rm',
       `--name=${containerName}`,
+      `--hostname=${fakeHostname}`,
       '--network=bridge',
       '--memory=512m',
       '--cpus=1',
@@ -173,6 +181,9 @@ async function runSingleSandbox(packageName, options = {}) {
       // Also inject canary file contents as env vars for the entrypoint to write
       dockerArgs.push('-e', `CANARY_ENV_CONTENT=${createCanaryEnvFile(canaryTokens).replace(/\r?\n/g, '\\n')}`);
       dockerArgs.push('-e', `CANARY_NPMRC_CONTENT=${createCanaryNpmrc(canaryTokens).replace(/\r?\n/g, '\\n')}`);
+      dockerArgs.push('-e', `CANARY_AWS_CONTENT=${createCanaryAwsCredentials(canaryTokens).replace(/\r?\n/g, '\\n')}`);
+      dockerArgs.push('-e', `CANARY_SSH_KEY=${createCanarySshKey().replace(/\r?\n/g, '\\n')}`);
+      dockerArgs.push('-e', `CANARY_GITCONFIG=${createCanaryGitconfig().replace(/\r?\n/g, '\\n')}`);
     }
 
     // Inject time offset (preload.js deferred to entry point in sandbox-runner.sh)

package/src/scanner/ast-detectors.js

@@ -537,7 +537,16 @@ function handleVariableDeclarator(node, ctx) {
               innerCall.arguments?.length >= 1) {
             const arg = innerCall.arguments[0];
             if (arg.type === 'FunctionExpression' && (arg.async || arg.generator)) {
+              const kind = arg.async ? 'AsyncFunction' : 'GeneratorFunction';
               ctx.evalAliases.set(node.id.name, 'Function');
+              // Emit CRITICAL at declaration — extracting constructor via prototype chain is never benign
+              ctx.hasDynamicExec = true;
+              ctx.threats.push({
+                type: 'dangerous_constructor',
+                severity: 'CRITICAL',
+                message: `${kind} constructor extracted via Object.getPrototypeOf() into "${node.id.name}" — prototype chain code execution evasion.`,
+                file: ctx.relFile
+              });
             }
           }
         }
@@ -664,6 +673,21 @@ function handleVariableDeclarator(node, ctx) {
     }
   }
 
+  // Audit v3 bypass fix: Array destructuring eval alias: const [fn] = [eval]
+  if (node.id?.type === 'ArrayPattern' && node.init?.type === 'ArrayExpression') {
+    const elements = node.init.elements;
+    const patterns = node.id.elements;
+    for (let i = 0; i < Math.min(elements?.length || 0, patterns?.length || 0); i++) {
+      const el = elements[i];
+      const pat = patterns[i];
+      if (el?.type === 'Identifier' && pat?.type === 'Identifier') {
+        if (el.name === 'eval' || el.name === 'Function') {
+          ctx.evalAliases.set(pat.name, el.name);
+        }
+      }
+    }
+  }
+
   // Audit v3 B3: Destructuring of require('module') → track _load as direct function alias
   if (node.id?.type === 'ObjectPattern' &&
       node.init?.type === 'CallExpression') {
@@ -1398,10 +1422,21 @@ function handleCallExpression(node, ctx) {
     } else {
       ctx.hasEvalInFile = true;
       ctx.hasDynamicExec = true;
+      // Audit v3: elevate to CRITICAL when argument contains dangerous API calls
+      let aliasSev = 'HIGH';
+      let aliasMsg = `Indirect ${aliased} via alias "${node.callee.name}" — eval wrapper evasion.`;
+      if (node.arguments.length >= 1) {
+        const aliasArg = node.arguments[0];
+        if (aliasArg?.type === 'Literal' && typeof aliasArg.value === 'string' &&
+            /\b(require|import|exec|execSync|spawn|child_process|process\.env)\b/.test(aliasArg.value)) {
+          aliasSev = 'CRITICAL';
+          aliasMsg = `Indirect ${aliased} via alias "${node.callee.name}" with dangerous payload: "${aliasArg.value.substring(0, 80)}" — eval evasion + code execution.`;
+        }
+      }
       ctx.threats.push({
         type: aliased === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
-        severity: 'HIGH',
-        message: `Indirect ${aliased} via alias "${node.callee.name}" — eval wrapper evasion.`,
+        severity: aliasSev,
+        message: aliasMsg,
         file: ctx.relFile
       });
     }
@@ -1579,10 +1614,19 @@ function handleCallExpression(node, ctx) {
         firstArg.type === 'TemplateLiteral') {
       ctx.hasEvalInFile = true;
       ctx.hasDynamicExec = true;
+      // Audit v3: elevate to CRITICAL when string contains dangerous API calls
+      let timerSeverity = 'HIGH';
+      let timerMsg = `${callName}() with string argument — eval equivalent, executes the string as code.`;
+      if (firstArg.type === 'Literal' && typeof firstArg.value === 'string') {
+        if (/\b(require|import|exec|execSync|spawn|child_process|\.readFile|\.writeFile|process\.env|\.homedir)\b/.test(firstArg.value)) {
+          timerSeverity = 'CRITICAL';
+          timerMsg = `${callName}() with dangerous API in string: "${firstArg.value.substring(0, 80)}" — eval equivalent code execution.`;
+        }
+      }
       ctx.threats.push({
         type: 'dangerous_call_eval',
-        severity: 'HIGH',
-        message: `${callName}() with string argument — eval equivalent, executes the string as code.`,
+        severity: timerSeverity,
+        message: timerMsg,
         file: ctx.relFile
       });
     }
@@ -1929,6 +1973,24 @@ function handleCallExpression(node, ctx) {
           }
         }
       }
+
+      // Audit v3 bypass fix: .constructor.constructor('code')() — double constructor chain
+      // Any expression.constructor.constructor is traversing to Function constructor
+      if (obj?.type === 'MemberExpression') {
+        const innerPropName = obj.computed
+          ? (obj.property?.type === 'Literal' ? String(obj.property.value) : null)
+          : (obj.property?.type === 'Identifier' ? obj.property.name : null);
+        if (innerPropName === 'constructor') {
+          ctx.hasEvalInFile = true;
+          ctx.hasDynamicExec = true;
+          ctx.threats.push({
+            type: 'dangerous_constructor',
+            severity: 'CRITICAL',
+            message: 'Constructor chain traversal: .constructor.constructor() — accesses Function constructor via prototype chain.',
+            file: ctx.relFile
+          });
+        }
+      }
     }
 
     // SANDWORM_MODE: Track writeFileSync/writeFile to temp paths
@@ -1980,17 +2042,45 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Audit v3: JSON.stringify(process.env) — bulk env serialization = env enumeration
+  if (node.callee.type === 'MemberExpression' &&
+      node.callee.object?.type === 'Identifier' && node.callee.object.name === 'JSON' &&
+      node.callee.property?.type === 'Identifier' && node.callee.property.name === 'stringify' &&
+      node.arguments.length >= 1) {
+    const strArg = node.arguments[0];
+    if (strArg.type === 'MemberExpression' &&
+        strArg.object?.type === 'Identifier' && strArg.object.name === 'process' &&
+        strArg.property?.type === 'Identifier' && strArg.property.name === 'env') {
+      ctx.hasEnvEnumeration = true;
+    }
+  }
+
   // Batch 1: vm.* code execution — vm.runInThisContext, vm.runInNewContext, vm.compileFunction, vm.Script
   if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
     const vmMethod = node.callee.property.name;
     if (['runInThisContext', 'runInNewContext', 'compileFunction'].includes(vmMethod)) {
-      // NOTE: Do NOT set ctx.hasDynamicExec — vm.* is legitimately used by bundlers
+      // Audit v3: elevate to CRITICAL when argument contains dangerous API calls
+      let vmSeverity = 'HIGH';
+      let vmMsg = `vm.${vmMethod}() — dynamic code execution via Node.js vm module bypasses eval detection.`;
+      const vmArg = node.arguments?.[0];
+      let vmContent = '';
+      if (vmArg?.type === 'Literal' && typeof vmArg.value === 'string') {
+        vmContent = vmArg.value;
+      } else if (vmArg?.type === 'Identifier' && ctx.stringVarValues?.has(vmArg.name)) {
+        vmContent = ctx.stringVarValues.get(vmArg.name);
+      }
+      if (/\b(require|import|exec|execSync|spawn|child_process|process\.env)\b/.test(vmContent)) {
+        vmSeverity = 'CRITICAL';
+        ctx.hasDynamicExec = true;
+        vmMsg = `vm.${vmMethod}() with dangerous API in code: "${vmContent.substring(0, 80)}" — vm module code execution bypass.`;
+      }
+      // NOTE: Do NOT set ctx.hasDynamicExec for generic vm.* calls — legitimately used by bundlers
       // (webpack, jest, etc.) and must not trigger compound detections (zlib_inflate_eval,
       // fetch_decrypt_exec) which were designed for eval/Function patterns.
       ctx.threats.push({
         type: 'vm_code_execution',
-        severity: 'HIGH',
-        message: `vm.${vmMethod}() — dynamic code execution via Node.js vm module bypasses eval detection.`,
+        severity: vmSeverity,
+        message: vmMsg,
         file: ctx.relFile
       });
     }
@@ -2053,6 +2143,19 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Audit v3 bypass fix: process.on('uncaughtException'/'unhandledRejection', handler)
+  // Error handler hijacking for silent credential exfiltration
+  if (node.callee?.type === 'MemberExpression' &&
+      node.callee.object?.type === 'Identifier' && node.callee.object.name === 'process' &&
+      node.callee.property?.type === 'Identifier' && node.callee.property.name === 'on' &&
+      node.arguments.length >= 2) {
+    const eventArg = node.arguments[0];
+    if (eventArg?.type === 'Literal' &&
+        (eventArg.value === 'uncaughtException' || eventArg.value === 'unhandledRejection')) {
+      ctx.hasUncaughtExceptionHandler = true;
+    }
+  }
+
   // SANDWORM_MODE R8: dns.resolve detection moved to walk.ancestor() in ast.js (FIX 5)
 }
 
@@ -2064,9 +2167,11 @@ function handleImportExpression(node, ctx) {
       // Batch 2: strip node: prefix so import('node:child_process') normalizes
       const modName = src.value.startsWith('node:') ? src.value.slice(5) : src.value;
       if (dangerousModules.includes(modName)) {
+        // Audit v3: dynamic import of code execution modules → CRITICAL (evasion technique)
+        const CRITICAL_IMPORTS = ['child_process', 'net', 'dns', 'worker_threads'];
         ctx.threats.push({
           type: 'dynamic_import',
-          severity: 'HIGH',
+          severity: CRITICAL_IMPORTS.includes(modName) ? 'CRITICAL' : 'HIGH',
           message: `Dynamic import() of dangerous module "${src.value}".`,
           file: ctx.relFile
         });
@@ -2815,6 +2920,29 @@ function handlePostWalk(ctx) {
     });
   }
 
+  // Audit v3 bypass fix: uncaughtException + env access + network = silent exfiltration
+  // Pattern: process.on('uncaughtException', handler) that reads env vars and sends to network.
+  // Never legitimate — error handlers don't need to send credentials to external servers.
+  if (ctx.hasUncaughtExceptionHandler && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile) {
+    ctx.threats.push({
+      type: 'uncaught_exception_exfil',
+      severity: 'CRITICAL',
+      message: 'process.on("uncaughtException") + sensitive env access + network — silent credential exfiltration via error handler hijacking.',
+      file: ctx.relFile
+    });
+  }
+  // Also: uncaughtException + env enumeration (Object.entries/keys(process.env)) + network
+  if (ctx.hasUncaughtExceptionHandler && ctx.hasEnvEnumeration && ctx.hasNetworkCallInFile) {
+    if (!ctx.threats.some(t => t.type === 'uncaught_exception_exfil' && t.file === ctx.relFile)) {
+      ctx.threats.push({
+        type: 'uncaught_exception_exfil',
+        severity: 'CRITICAL',
+        message: 'process.on("uncaughtException") + bulk env enumeration + network — silent credential exfiltration via error handler hijacking.',
+        file: ctx.relFile
+      });
+    }
+  }
+
   // GlassWorm: Unicode variation selector decoder = .codePointAt + variation selector constants
   // CRITICAL if combined with eval/exec (GlassWorm always uses dynamic execution),
   // MEDIUM otherwise (.codePointAt + 0xFE00 is legitimate Unicode processing in fonts/text libs)

package/src/scanner/ast.js

@@ -178,7 +178,9 @@ function analyzeFile(content, filePath, basePath) {
     hasVariationSelectorConst: false,
     // GlassWorm: blockchain C2 resolution (Solana import + C2 method + dynamic exec)
     hasSolanaImport: false,
-    hasSolanaC2Method: false
+    hasSolanaC2Method: false,
+    // Audit v3: uncaughtException/unhandledRejection handler for error hijacking detection
+    hasUncaughtExceptionHandler: false
   };
 
   // Compute fetchOnlySafeDomains: check if ALL URLs in file point to known registries