muaddib-scanner 2.10.21 → 2.10.23

package/src/scanner/ast.js

@@ -75,6 +75,32 @@ function analyzeFile(content, filePath, basePath) {
         file: path.relative(basePath, filePath)
       });
     }
+
+    // Blue Team v8b (A6): Detect Proxy + require('child_process') + exec in files that fail to parse
+    // This covers 'use strict' + with(Proxy) evasion where acorn can't parse the with statement
+    if (/\bnew\s+Proxy\b/.test(content) && /\brequire\s*\(\s*['"]child_process['"]\s*\)/.test(content)) {
+      const hasExecInContent = /\bexec\s*\(/.test(content) || /\bexecSync\s*\(/.test(content) || /\bspawn\s*\(/.test(content);
+      if (hasExecInContent) {
+        threats.push({
+          type: 'dangerous_exec',
+          severity: 'CRITICAL',
+          message: 'Proxy + require(\'child_process\') + exec in unparseable file — scope hijack evasion (regex fallback).',
+          file: path.relative(basePath, filePath)
+        });
+      }
+    }
+
+    // Content-level: require('child_process') + exec/spawn with shell command patterns
+    if (/\brequire\s*\(\s*['"]child_process['"]\s*\)/.test(content) &&
+        /\bcurl\b.*\|\s*(sh|bash)\b/.test(content)) {
+      threats.push({
+        type: 'dangerous_exec',
+        severity: 'CRITICAL',
+        message: 'require(\'child_process\') + curl pipe to shell in unparseable file — remote code execution (regex fallback).',
+        file: path.relative(basePath, filePath)
+      });
+    }
+
     return threats;
   }
 
@@ -180,7 +206,42 @@ function analyzeFile(content, filePath, basePath) {
     hasSolanaImport: false,
     hasSolanaC2Method: false,
     // Audit v3: uncaughtException/unhandledRejection handler for error hijacking detection
-    hasUncaughtExceptionHandler: false
+    hasUncaughtExceptionHandler: false,
+    // Audit v3 B2: FinalizationRegistry deferred exec detection
+    hasFinalizationRegistry: false,
+    // Blue Team v8: SharedArrayBuffer + Worker IPC detection
+    hasSharedArrayBuffer: false,
+    hasWorkerThread: false,  // set when Worker (worker_threads) usage detected
+    // Blue Team v8: dgram/UDP exfiltration
+    hasDgramImport: /\brequire\s*\(\s*['"](?:node:)?dgram['"]\s*\)/.test(content),
+    hasDgramSend: false,
+    // Blue Team v8: WebSocket C2
+    hasWebSocketNew: false,  // set when new WebSocket() detected
+    // Blue Team v8: crontab/cron write detection
+    hasCrontabWrite: false,
+    // Blue Team v8b: Module internals hijack (Module._resolveFilename, _compile, _extensions)
+    hasModuleInternalsHijack: false,
+    // Blue Team v8b: JSON.parse reviver with __proto__ check
+    hasJsonReviverProto: false,
+    // Blue Team v8b: vm.runInContext/runInNewContext with dynamic code
+    hasVmDynamicExec: false,
+    // Blue Team v8b: binary file read + new Function/eval in same file (stego)
+    hasBinaryFileRead: false,  // set when fs.readFileSync on .png/.jpg/.gif/.bmp/.ico
+    // Blue Team v8b: AsyncLocalStorage usage
+    hasAsyncLocalStorage: /\bAsyncLocalStorage\b/.test(content),
+    // Blue Team v8b: image file reference for stego detection
+    hasImageFileRef: /\.(png|jpg|jpeg|gif|bmp|ico)\b/i.test(content),
+    // Blue Team v8b: net.Socket creation (for WebSocket C2 detection)
+    hasNetSocketCreate: /\bnew\s+net\.Socket\b/.test(content) || /\bnet\.createConnection\b/.test(content),
+    // Blue Team v8b: execSync/exec in callback contexts (set when exec inside .on('message'|'data'))
+    hasCallbackExec: false,
+    // Blue Team v8b (B2): CI environment fingerprinting — count of CI provider env vars referenced
+    ciProviderCount: (() => {
+      const CI_VARS = ['GITHUB_ACTIONS', 'GITLAB_CI', 'CIRCLECI', 'TRAVIS', 'JENKINS_URL', 'BUILDKITE', 'CONTINUOUS_INTEGRATION', 'TEAMCITY_VERSION', 'CODEBUILD_BUILD_ID', 'BITBUCKET_PIPELINE_UUID'];
+      return CI_VARS.filter(v => content.includes(v)).length;
+    })(),
+    // Audit v3: source code reference for callback body analysis
+    _sourceCode: content
   };
 
   // Compute fetchOnlySafeDomains: check if ALL URLs in file point to known registries

package/src/scanner/package.js

@@ -125,6 +125,25 @@ async function scanPackageJson(targetPath) {
           file: 'package.json'
         });
       }
+
+      // Blue Team v8b (B8): Lifecycle script references non-existent file in package
+      // Pattern: "node path/to/script.js" where the file does not exist — phantom install script
+      // Strong signal: preinstall/install scripts pointing to missing files can't be build artifacts
+      if (['preinstall', 'install', 'postinstall'].includes(scriptName)) {
+        const nodeFileMatch = scriptContent.match(/^node\s+(\S+)/);
+        if (nodeFileMatch) {
+          const scriptFile = nodeFileMatch[1];
+          const fullScriptPath = path.join(targetPath, scriptFile);
+          if (!fs.existsSync(fullScriptPath) && !fs.existsSync(fullScriptPath + '.js')) {
+            threats.push({
+              type: 'lifecycle_missing_script',
+              severity: scriptName === 'postinstall' ? 'HIGH' : 'CRITICAL',
+              message: `Lifecycle "${scriptName}" references "${scriptFile}" which does not exist in the package — phantom install script, payload may be injected at publish time.`,
+              file: 'package.json'
+            });
+          }
+        }
+      }
     }
   }
 
@@ -181,6 +200,57 @@ async function scanPackageJson(targetPath) {
     } catch { /* permission error */ }
   }
 
+  // Blue Team v8: binding.gyp + lifecycle script = native addon install risk
+  // binding.gyp triggers node-gyp compilation during install. Combined with lifecycle scripts
+  // that aren't standard node-gyp build tools, this indicates potentially malicious native code.
+  const bindingGypPath = path.join(targetPath, 'binding.gyp');
+  if (fs.existsSync(bindingGypPath)) {
+    const hasInstallLifecycle = ['preinstall', 'install', 'postinstall'].some(s => scripts[s]);
+    const installScript = scripts.install || scripts.postinstall || scripts.preinstall || '';
+    // node-gyp rebuild / prebuild-install / cmake-js are legitimate native addon builders
+    const isStandardBuild = /\b(node-gyp|prebuild|cmake-js|napi|prebuildify|neon)\b/i.test(installScript);
+
+    // Blue Team v8b (C7): Check binding.gyp content for shell commands in actions
+    let gypContent = '';
+    try { gypContent = fs.readFileSync(bindingGypPath, 'utf8'); } catch {}
+    const hasShellActions = /\baction\b.*\bsh\b/.test(gypContent) || /\bcurl\b/.test(gypContent) ||
+      /\bwget\b/.test(gypContent) || /\$\(whoami\)/.test(gypContent) || /\$\(uname/.test(gypContent);
+    // Check if binding.gyp references C/C++ source files
+    const hasNativeSources = /\.(c|cc|cpp|cxx|h|hpp)\b/.test(gypContent);
+
+    if (hasShellActions) {
+      threats.push({
+        type: 'native_addon_install',
+        severity: 'CRITICAL',
+        message: `binding.gyp contains shell commands in build actions (curl/sh/whoami) — build-time code execution and exfiltration.`,
+        file: 'binding.gyp'
+      });
+    } else if (hasInstallLifecycle && !isStandardBuild) {
+      threats.push({
+        type: 'native_addon_install',
+        severity: 'HIGH',
+        message: `binding.gyp present with non-standard lifecycle script: "${installScript.substring(0, 100)}" — potential malicious native compilation.`,
+        file: 'package.json'
+      });
+    } else if (hasInstallLifecycle && hasNativeSources) {
+      // Standard build but with native C/C++ sources — HIGH (native code is opaque)
+      threats.push({
+        type: 'native_addon_install',
+        severity: 'HIGH',
+        message: `binding.gyp with C/C++ source files + lifecycle script — native addon compilation. Native code is opaque to static analysis.`,
+        file: 'package.json'
+      });
+    } else if (hasInstallLifecycle) {
+      // Standard build tool — informational only
+      threats.push({
+        type: 'native_addon_install',
+        severity: 'LOW',
+        message: 'binding.gyp with standard build tool (node-gyp/prebuild) in lifecycle script — legitimate native addon.',
+        file: 'package.json'
+      });
+    }
+  }
+
   // Scan declared dependencies against IOCs
   let iocs;
   try {

package/src/scanner/shell.js

@@ -6,15 +6,15 @@ const { MAX_FILE_SIZE, getMaxFileSize } = require('../shared/constants.js');
 const SHELL_EXCLUDED_DIRS = ['node_modules', '.git', '.muaddib-cache'];
 
 const MALICIOUS_PATTERNS = [
-  { pattern: /curl.*\|.*sh/m, name: 'curl_pipe_shell', severity: 'HIGH' },
-  { pattern: /wget.*&&.*chmod.*\+x/m, name: 'wget_chmod_exec', severity: 'HIGH' },
+  { pattern: /curl[^\n]{0,5000}\|[^\n]{0,5000}sh/m, name: 'curl_pipe_shell', severity: 'HIGH' },
+  { pattern: /wget[^\n]{0,5000}&&[^\n]{0,5000}chmod[^\n]{0,5000}\+x/m, name: 'wget_chmod_exec', severity: 'HIGH' },
   { pattern: /bash\s+-i\s+>&\s+\/dev\/tcp/m, name: 'reverse_shell', severity: 'CRITICAL' },
   { pattern: /nc\s+-e\s+\/bin\/(ba)?sh/m, name: 'netcat_shell', severity: 'CRITICAL' },
   { pattern: /rm\s+-rf\s+(~\/|\$HOME|\/home)/m, name: 'home_deletion', severity: 'CRITICAL' },
   { pattern: /shred.*\$HOME/m, name: 'shred_home', severity: 'CRITICAL' },
-  { pattern: /curl.*-X\s*POST.*-d/m, name: 'curl_exfiltration', severity: 'HIGH' },
-  { pattern: /(?:cat|readFile|cp|mv|curl\s+file:\/\/|tar\s+.*|scp\s+).*\.npmrc/m, name: 'npmrc_access', severity: 'HIGH' },
-  { pattern: /(?:cat|readFile|cp|mv|curl\s+file:\/\/|tar\s+.*|scp\s+).*\.ssh/m, name: 'ssh_access', severity: 'HIGH' },
+  { pattern: /curl[^\n]{0,5000}-X\s*POST[^\n]{0,5000}-d/m, name: 'curl_exfiltration', severity: 'HIGH' },
+  { pattern: /(?:cat|readFile|cp|mv|curl\s+file:\/\/|tar\s+[^\n]{0,5000}|scp\s+)[^\n]{0,5000}\.npmrc/m, name: 'npmrc_access', severity: 'HIGH' },
+  { pattern: /(?:cat|readFile|cp|mv|curl\s+file:\/\/|tar\s+[^\n]{0,5000}|scp\s+)[^\n]{0,5000}\.ssh/m, name: 'ssh_access', severity: 'HIGH' },
   { pattern: /python\s+-c.*import\s+socket/m, name: 'python_reverse_shell', severity: 'CRITICAL' },
   { pattern: /perl\s+-e.*socket/m, name: 'perl_reverse_shell', severity: 'CRITICAL' },
   { pattern: /mkfifo.*\/dev\/tcp/m, name: 'fifo_reverse_shell', severity: 'CRITICAL' },

package/src/scoring.js

@@ -102,13 +102,17 @@ const PACKAGE_LEVEL_TYPES = new Set([
   'shai_hulud_marker', 'suspicious_file',
   'pypi_malicious_package', 'pypi_typosquat_detected',
   'dangerous_api_added_critical', 'dangerous_api_added_high', 'dangerous_api_added_medium',
-  'publish_burst', 'publish_dormant_spike', 'publish_rapid_succession',
-  'maintainer_new_suspicious', 'maintainer_sole_change',
+  'publish_burst', 'dormant_spike', 'rapid_succession',
+  'suspicious_maintainer', 'sole_maintainer_change',
   'sandbox_network_activity', 'sandbox_file_changes', 'sandbox_process_spawns',
   'sandbox_canary_exfiltration',
   // Compound scoring rules — package-level co-occurrences
   'lifecycle_typosquat', 'lifecycle_inline_exec', 'lifecycle_remote_require',
-  'lifecycle_dataflow', 'lifecycle_dangerous_exec', 'obfuscated_lifecycle_env'
+  'lifecycle_dataflow', 'lifecycle_dangerous_exec', 'obfuscated_lifecycle_env',
+  // Blue Team v8: package-level boost signals
+  'isolated_suspicious_file', 'deep_suspicious_file',
+  // Blue Team v8b: phantom lifecycle scripts
+  'lifecycle_missing_script'
 ]);
 
 /**
@@ -299,7 +303,8 @@ const REACHABILITY_EXEMPT_TYPES = new Set([
   'typosquat_detected', 'pypi_typosquat_detected',
   'pypi_malicious_package',
   'ai_config_injection', 'ai_config_injection_compound',
-  'detached_credential_exfil' // DPRK/Lazarus: invoked via lifecycle, not require/import
+  'detached_credential_exfil', // DPRK/Lazarus: invoked via lifecycle, not require/import
+  'native_addon_install' // binding.gyp executes during npm install but isn't require()'d
 ]);
 
 // ============================================
@@ -728,6 +733,50 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
   }
 }
 
+/**
+ * Blue Team v8: Inject package-level boost threats that detect dissimulation patterns.
+ * Called within calculateRiskScore after file scores are computed.
+ * @param {Array} deduped - deduplicated threat array (mutated in place)
+ * @param {Object} fileScores - map of file → score
+ * @param {Map} fileGroups - map of file → threats array
+ * @param {Array} packageLevelThreats - package-level threats
+ */
+function applyPackageLevelBoosts(deduped, fileScores, fileGroups, packageLevelThreats) {
+  const fileNames = Object.keys(fileScores);
+  const totalFiles = fileNames.length;
+
+  // 1. isolated_suspicious_file: exactly 1 file has score > 0, 10+ files have score 0
+  if (totalFiles >= 10) {
+    const filesWithScore = fileNames.filter(f => fileScores[f] > 0);
+    const filesWithZero = totalFiles - filesWithScore.length;
+    if (filesWithScore.length === 1 && filesWithZero >= 10) {
+      deduped.push({
+        type: 'isolated_suspicious_file',
+        severity: 'MEDIUM',
+        message: `Single suspicious file among ${totalFiles} files — potential dissimulation pattern (malicious code hidden in clean package).`,
+        file: filesWithScore[0],
+        boostSignal: true
+      });
+    }
+  }
+
+  // 2. deep_suspicious_file: finding in a file at depth > 3 from package root
+  for (const [file, threats] of fileGroups) {
+    if (!file || file === '(unknown)') continue;
+    const segments = file.replace(/\\/g, '/').split('/').filter(Boolean);
+    if (segments.length > 3 && threats.some(t => t.severity !== 'LOW')) {
+      deduped.push({
+        type: 'deep_suspicious_file',
+        severity: 'LOW',
+        message: `Suspicious pattern found in deeply nested file (depth ${segments.length}): ${file} — potential hiding technique.`,
+        file: file,
+        boostSignal: true
+      });
+      break; // Only emit once per package
+    }
+  }
+}
+
 /**
  * Calculate per-file max risk score from deduplicated threats.
  * Formula: riskScore = min(100, max(file_scores + intent_bonus) + package_level_score)
@@ -795,6 +844,27 @@ function calculateRiskScore(deduped, intentResult) {
     crossFileBonus = Math.min(crossFileBonus, 25);
   }
 
+  // 5b. Blue Team v8: Package-level boost signals — detect dissimulation patterns
+  applyPackageLevelBoosts(deduped, fileScores, fileGroups, packageLevelThreats);
+  // Recompute packageScore after boosts may have added new package-level threats
+  const boostPackageThreats = deduped.filter(t => isPackageLevelThreat(t) && t.boostSignal);
+  if (boostPackageThreats.length > 0) {
+    packageScore = computeGroupScore([...packageLevelThreats, ...boostPackageThreats]);
+    if (packageScore >= 25 && [...packageLevelThreats, ...boostPackageThreats].some(t => t.severity === 'CRITICAL')) {
+      packageScore = Math.max(packageScore, 50);
+    }
+  }
+
+  // 5c. Blue Team v8: lifecycle_plus_finding boost — lifecycle + any finding = +10 package score
+  const hasActiveLifecycleForBoost = packageLevelThreats.some(t =>
+    t.type === 'lifecycle_script' && t.severity !== 'LOW'
+  );
+  const hasAnyFileFinding = fileLevelThreats.some(t => t.severity !== 'LOW');
+  let lifecycleBoost = 0;
+  if (hasActiveLifecycleForBoost && hasAnyFileFinding) {
+    lifecycleBoost = 10;
+  }
+
   // 6. Intent coherence bonus: additive score from source→sink pairs
   let intentBonus = 0;
   if (intentResult && intentResult.intentScore > 0) {
@@ -802,8 +872,8 @@ function calculateRiskScore(deduped, intentResult) {
     intentBonus = Math.min(intentResult.intentScore, 30);
   }
 
-  // 7. Final score = max file score + cross-file bonus + intent bonus + package-level score, capped at 100
-  const riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + crossFileBonus + intentBonus + packageScore);
+  // 7. Final score = max file score + cross-file bonus + intent bonus + package-level score + lifecycle boost, capped at 100
+  const riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + crossFileBonus + intentBonus + packageScore + lifecycleBoost);
 
   // 8. Old global score for comparison (sum of ALL findings)
   const globalRiskScore = computeGroupScore(deduped);

package/src/shared/constants.js

@@ -99,16 +99,16 @@ function resetMaxFileSize() { _maxFileSize = MAX_FILE_SIZE; }
 const ACORN_OPTIONS = { ecmaVersion: 2024, sourceType: 'module', allowHashBang: true };
 
 const acorn = require('acorn');
+const crypto = require('crypto');
 
 /**
  * AST parse cache — same content+options returns the same AST.
  * Scanners do not mutate AST nodes (verified: only read comparisons).
  * Cleared between scans via clearASTCache().
- * Key = code.length + '|' + optionsKey + '|' + code.slice(0,128) + code.slice(-64)
- * (length-prefixed partial key for fast Map lookup; collisions resolved by full WeakRef check)
+ * Key = sha256(code) + '|' + optionsKey (collision-free content-addressable key)
  */
 const _astCache = new Map();
-const _AST_CACHE_MAX = 600; // Max entries (one scan ≈ 500 files max)
+const _AST_CACHE_MAX = 200; // Max entries (reduced from 600 to limit memory during evaluate)
 
 /**
  * Parse JS source with module-mode fallback to script-mode.
@@ -117,9 +117,9 @@ const _AST_CACHE_MAX = 600; // Max entries (one scan ≈ 500 files max)
  * Returns AST or null if both modes fail.
  */
 function safeParse(code, extraOptions = {}) {
-  // Build cache key: options signature + content fingerprint
+  // Build cache key: sha256 content hash + options signature
   const optKey = Object.keys(extraOptions).length === 0 ? '' : JSON.stringify(extraOptions);
-  const cacheKey = code.length + '|' + optKey + '|' + code.slice(0, 128) + code.slice(-64);
+  const cacheKey = crypto.createHash('sha256').update(code).digest('hex') + '|' + optKey;
 
   const cached = _astCache.get(cacheKey);
   if (cached !== undefined) return cached;

package/src/utils.js

@@ -23,6 +23,7 @@ let _scanRoot = '';
  */
 const _fileListCache = new Map();
 let _filesCapped = false;
+let _overflowFiles = [];
 
 /**
  * File content cache — read each file once, reused across all scanners in a single scan.
@@ -121,6 +122,7 @@ function findFiles(dir, options = {}) {
         return depthA - depthB;
       });
       const capped = result.slice(0, maxFiles);
+      _overflowFiles = result.slice(maxFiles);
       _fileListCache.set(cacheKey, [...capped]);
       _filesCapped = true;
       return capped;
@@ -227,12 +229,17 @@ function clearFileListCache() {
   _fileContentCache.clear();
   clearASTCache();
   _filesCapped = false;
+  _overflowFiles = [];
 }
 
 function wasFilesCapped() {
   return _filesCapped;
 }
 
+function getOverflowFiles() {
+  return _overflowFiles;
+}
+
 /**
  * Escapes HTML characters to prevent XSS
  * @param {string} str - String to escape
@@ -394,6 +401,7 @@ module.exports = {
   findJsFiles,
   clearFileListCache,
   wasFilesCapped,
+  getOverflowFiles,
   escapeHtml,
   getCallName,
   Spinner,