muaddib-scanner 2.10.22 → 2.10.23

package/bin/muaddib.js

@@ -1,4 +1,26 @@
 #!/usr/bin/env node
+
+// Auto-respawn with memory flags for evaluate command (OOM prevention)
+if (process.argv[2] === 'evaluate') {
+  const hasMaxOld = process.execArgv.some(a => a.includes('--max-old-space-size'));
+  const hasGC = process.execArgv.some(a => a === '--expose-gc');
+  if (!hasMaxOld || !hasGC) {
+    const { execFileSync } = require('child_process');
+    const flags = [];
+    if (!hasMaxOld) flags.push('--max-old-space-size=8192');
+    if (!hasGC) flags.push('--expose-gc');
+    try {
+      execFileSync(process.execPath, [...flags, __filename, ...process.argv.slice(2)], {
+        stdio: 'inherit',
+        env: process.env
+      });
+      process.exit(0);
+    } catch (e) {
+      process.exit(e.status || 1);
+    }
+  }
+}
+
 const { execFile } = require('child_process');
 const { run } = require('../src/index.js');
 const { updateIOCs } = require('../src/ioc/updater.js');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.22",
+  "version": "2.10.23",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/response/playbooks.js

@@ -740,6 +740,76 @@ const PLAYBOOKS = {
     'CRITIQUE: require("process").mainModule.require() detecte — contournement de la detection ' +
     'process.mainModule.require() via require("process") au lieu de l\'objet global. ' +
     'Aucun package legitime n\'utilise ce pattern. Supprimer immediatement.',
+
+  // Blue Team v8 — New playbook entries
+  shared_memory_ipc:
+    'SharedArrayBuffer + Worker Thread detectes. Canal IPC memoire partagee qui contourne la surveillance. ' +
+    'Verifier si les workers manipulent des donnees sensibles. Isoler si combine avec eval/exec.',
+
+  websocket_c2:
+    'HAUTE: Connexion WebSocket vers domaine suspect ou avec execution dynamique. Canal C2 persistant bidirectionnel. ' +
+    'Analyser l\'URL de connexion. Bloquer les connexions WebSocket sortantes. Verifier les messages echanges.',
+
+  udp_exfiltration:
+    'HAUTE: Socket UDP (dgram) avec envoi de donnees. Exfiltration contournant les firewalls HTTP. ' +
+    'Verifier les destinations IP. Bloquer le trafic UDP sortant non-DNS. Auditer les donnees envoyees.',
+
+  native_addon_install:
+    'HAUTE: binding.gyp avec script lifecycle non-standard. Code natif compile a l\'installation. ' +
+    'Verifier le contenu de binding.gyp et les sources C/C++. Installer avec --ignore-scripts si suspect.',
+
+  string_mutation_obfuscation:
+    'HAUTE: Chaine de .replace() reconstruisant des noms d\'API dangereuses (leet-speak). ' +
+    'Technique d\'evasion par substitution de caracteres. Decoder la chaine finale. Supprimer si malveillant.',
+
+  crontab_systemd_write:
+    'CRITIQUE: Ecriture dans les fichiers cron/crontab. Persistence via tache planifiee. ' +
+    'Verifier /etc/cron*, /var/spool/cron. Supprimer les entrees ajoutees. Auditer crontab -l.',
+
+  isolated_suspicious_file:
+    'Un seul fichier suspect parmi de nombreux fichiers propres. Pattern de dissimulation typique ' +
+    'ou le code malveillant est cache dans un package apparemment legitime. Examiner le fichier suspect en detail.',
+
+  deep_suspicious_file:
+    'Pattern suspect dans un fichier profondement imbrique. Technique pour echapper aux analyses superficielles. ' +
+    'Verifier le contenu du fichier et son role dans l\'arborescence du package.',
+
+  // Blue Team v8b playbooks
+  module_internals_hijack:
+    'CRITIQUE: Assignation a Module._resolveFilename/_compile/_extensions. Detournement du systeme de modules Node.js. ' +
+    'Tous les require() sont interceptes. Supprimer le package immediatement. Auditer tous les modules charges apres installation.',
+
+  json_reviver_pollution:
+    'HAUTE: JSON.parse avec reviver accedant a __proto__/prototype. Pollution de prototype via JSON. ' +
+    'Ne jamais passer de JSON non fiable avec un reviver manipulant __proto__. Verifier les sources de donnees JSON.',
+
+  vm_dynamic_code:
+    'CRITIQUE: vm.runInContext/compileFunction avec code construit dynamiquement. Evasion de sandbox. ' +
+    'Verifier d\'ou provient le code execute. Bloquer l\'acces au module vm. Supprimer si non justifie.',
+
+  callback_exec_rce:
+    'CRITIQUE: exec/spawn dans callback .on(\'message\'|\'data\'). Execution de commandes depuis flux reseau. ' +
+    'Pattern C2: commandes recues par WebSocket/TCP executees via child_process. Supprimer immediatement.',
+
+  stego_binary_exec:
+    'CRITIQUE: Lecture de fichier image/binaire + eval/Function. Payload steganographique. ' +
+    'Verifier le contenu du fichier image. Scanner avec des outils stego. Supprimer le fichier et le code d\'extraction.',
+
+  asynclocal_context_exec:
+    'HAUTE: AsyncLocalStorage + execution dynamique. Code malveillant cache dans un contexte async. ' +
+    'Examiner les callbacks AsyncLocalStorage. Verifier ce qui est stocke et execute dans le store.',
+
+  prototype_chain_constructor:
+    'CRITIQUE: Object.getPrototypeOf(var).constructor stocke dans une variable. Traversee de prototype pour Function. ' +
+    'Technique d\'evasion avancee. Supprimer le code. Verifier si le constructeur est appele avec du code dynamique.',
+
+  ci_environment_probe:
+    'HAUTE: Detection de 3+ fournisseurs CI (GitHub Actions, GitLab CI, etc.) dans le meme fichier. ' +
+    'Sondage d\'environnement CI pour activation conditionnelle. Verifier la logique conditionnelle associee.',
+
+  lifecycle_missing_script:
+    'CRITIQUE: Script lifecycle reference un fichier inexistant dans le package. Script fantome. ' +
+    'Le payload peut etre injecte dynamiquement ou lors d\'une mise a jour. Installer avec --ignore-scripts. Supprimer le package.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -1948,6 +1948,212 @@ const RULES = {
     ],
     mitre: 'T1059'
   },
+
+  // Blue Team v8 — New detections (AST-070 to AST-077, SHELL-023, SCORE-001/002)
+  shared_memory_ipc: {
+    id: 'MUADDIB-AST-070',
+    name: 'Shared Memory IPC',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'SharedArrayBuffer + Worker Thread detectes — canal IPC memoire partagee qui contourne la surveillance des messages inter-threads.',
+    references: [
+      'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer',
+      'https://attack.mitre.org/techniques/T1559/'
+    ],
+    mitre: 'T1559'
+  },
+  websocket_c2: {
+    id: 'MUADDIB-AST-071',
+    name: 'WebSocket C2 Channel',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Connexion WebSocket vers un domaine suspect ou avec execution dynamique — canal C2 bidirectionnel persistant.',
+    references: [
+      'https://attack.mitre.org/techniques/T1071.001/',
+      'https://owasp.org/www-community/attacks/WebSocket_Hijacking'
+    ],
+    mitre: 'T1071.001'
+  },
+  udp_exfiltration: {
+    id: 'MUADDIB-AST-072',
+    name: 'UDP Data Exfiltration',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Module dgram (UDP) avec envoi de donnees — exfiltration via protocole UDP qui contourne les firewalls HTTP.',
+    references: [
+      'https://nodejs.org/api/dgram.html',
+      'https://attack.mitre.org/techniques/T1048.003/'
+    ],
+    mitre: 'T1048.003'
+  },
+  native_addon_install: {
+    id: 'MUADDIB-AST-073',
+    name: 'Native Addon Installation',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'binding.gyp present avec script lifecycle non-standard — compilation native potentiellement malveillante a l\'installation.',
+    references: [
+      'https://nodejs.org/api/addons.html',
+      'https://attack.mitre.org/techniques/T1195.002/'
+    ],
+    mitre: 'T1195.002'
+  },
+  string_mutation_obfuscation: {
+    id: 'MUADDIB-AST-074',
+    name: 'String Mutation Obfuscation',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Chaine de 3+ appels .replace() pour reconstruire des noms d\'API dangereuses — technique leet-speak/substitution pour contourner la detection statique.',
+    references: [
+      'https://attack.mitre.org/techniques/T1027/',
+      'https://attack.mitre.org/techniques/T1140/'
+    ],
+    mitre: 'T1027'
+  },
+  crontab_systemd_write: {
+    id: 'MUADDIB-SHELL-023',
+    name: 'Crontab/Cron Write',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Ecriture dans les fichiers cron (/etc/cron*, crontab, /var/spool/cron) — persistence via tache planifiee.',
+    references: [
+      'https://attack.mitre.org/techniques/T1053.003/',
+      'https://attack.mitre.org/techniques/T1543/'
+    ],
+    mitre: 'T1053.003'
+  },
+  isolated_suspicious_file: {
+    id: 'MUADDIB-SCORE-001',
+    name: 'Isolated Suspicious File',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Un seul fichier suspect parmi 10+ fichiers propres — pattern de dissimulation ou le code malveillant est cache dans un package legitime.',
+    references: [
+      'https://attack.mitre.org/techniques/T1036/'
+    ],
+    mitre: 'T1036'
+  },
+  deep_suspicious_file: {
+    id: 'MUADDIB-SCORE-002',
+    name: 'Deeply Nested Suspicious File',
+    severity: 'LOW',
+    confidence: 'low',
+    description: 'Pattern suspect detecte dans un fichier profondement imbrique (profondeur > 3) — technique de dissimulation dans l\'arborescence du package.',
+    references: [
+      'https://attack.mitre.org/techniques/T1036.005/'
+    ],
+    mitre: 'T1036.005'
+  },
+
+  // Blue Team v8b — New detections (AST-075 to AST-082, PKG-017)
+  module_internals_hijack: {
+    id: 'MUADDIB-AST-075',
+    name: 'Module Internals Hijack',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Assignation a Module._resolveFilename, _compile ou _extensions — detournement des mecanismes internes du systeme de modules Node.js. Tous les require() subsequents peuvent etre interceptes.',
+    references: [
+      'https://nodejs.org/api/modules.html',
+      'https://attack.mitre.org/techniques/T1574.006/'
+    ],
+    mitre: 'T1574.006'
+  },
+  json_reviver_pollution: {
+    id: 'MUADDIB-AST-076',
+    name: 'JSON Reviver Prototype Pollution',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'JSON.parse avec fonction reviver accedant a __proto__ ou prototype — pollution de prototype via donnees JSON non fiables.',
+    references: [
+      'https://portswigger.net/web-security/prototype-pollution',
+      'https://attack.mitre.org/techniques/T1059.007/'
+    ],
+    mitre: 'T1059.007'
+  },
+  vm_dynamic_code: {
+    id: 'MUADDIB-AST-077',
+    name: 'VM Dynamic Code Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'vm.runInContext/runInNewContext/compileFunction avec code construit dynamiquement — evasion du sandbox via code genere au runtime.',
+    references: [
+      'https://nodejs.org/api/vm.html',
+      'https://attack.mitre.org/techniques/T1059.007/'
+    ],
+    mitre: 'T1059.007'
+  },
+  callback_exec_rce: {
+    id: 'MUADDIB-AST-078',
+    name: 'Callback Remote Code Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'exec/spawn dans un callback .on(\'message\') ou .on(\'data\') avec child_process — execution de commandes a distance depuis un flux reseau.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059/',
+      'https://attack.mitre.org/techniques/T1071/'
+    ],
+    mitre: 'T1059'
+  },
+  stego_binary_exec: {
+    id: 'MUADDIB-AST-079',
+    name: 'Steganographic Binary Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Lecture de fichier binaire/image (PNG, JPG) + execution dynamique (eval/Function) — extraction et execution de payload steganographique.',
+    references: [
+      'https://attack.mitre.org/techniques/T1027.003/',
+      'https://attack.mitre.org/techniques/T1140/'
+    ],
+    mitre: 'T1027.003'
+  },
+  asynclocal_context_exec: {
+    id: 'MUADDIB-AST-080',
+    name: 'AsyncLocalStorage Context Execution',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'AsyncLocalStorage + execution dynamique — code malveillant cache dans un contexte asynchrone, echappe a l\'analyse de pile d\'appels synchrone.',
+    references: [
+      'https://nodejs.org/api/async_context.html',
+      'https://attack.mitre.org/techniques/T1059.007/'
+    ],
+    mitre: 'T1059.007'
+  },
+  prototype_chain_constructor: {
+    id: 'MUADDIB-AST-081',
+    name: 'Prototype Chain Constructor Access',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Object.getPrototypeOf(variable).constructor extrait dans une variable — traversee de la chaine de prototypes pour atteindre le constructeur Function et executer du code arbitraire.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059.007/',
+      'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/getPrototypeOf'
+    ],
+    mitre: 'T1059.007'
+  },
+  ci_environment_probe: {
+    id: 'MUADDIB-AST-082',
+    name: 'CI Environment Fingerprinting',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'References a 3+ variables d\'environnement de fournisseurs CI (GITHUB_ACTIONS, GITLAB_CI, etc.) — sondage d\'environnement CI pour activation conditionnelle de payload.',
+    references: [
+      'https://attack.mitre.org/techniques/T1082/',
+      'https://attack.mitre.org/techniques/T1497/'
+    ],
+    mitre: 'T1082'
+  },
+  lifecycle_missing_script: {
+    id: 'MUADDIB-PKG-017',
+    name: 'Phantom Lifecycle Script',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle (preinstall/install) reference un fichier qui n\'existe pas dans le package — script fantome, le payload peut etre injecte au moment de la publication.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195.002/',
+      'https://blog.npmjs.org/post/166316363605/the-lifecycle-script-vulnerability'
+    ],
+    mitre: 'T1195.002'
+  },
 };
 
 function getRule(type) {

package/src/scanner/ast-detectors.js

@@ -223,9 +223,14 @@ const BLOCKCHAIN_RPC_ENDPOINTS = [
 // Solana/Web3 C2 methods — used for dead drop resolver (GlassWorm)
 const SOLANA_C2_METHODS = [
   'getSignaturesForAddress', 'getAccountInfo', 'getTransaction',
-  'getConfirmedSignaturesForAddress2', 'getParsedTransaction'
+  'getConfirmedSignaturesForAddress2', 'getParsedTransaction',
+  // Blue Team v8: extended Ethereum/Web3 C2 methods
+  'eth_call', 'getCode', 'getLogs'
 ];
 
+// Blue Team v8: Ethereum/Web3 package names for compound blockchain C2 detection
+const ETHEREUM_PACKAGES = ['ethers', 'web3', '@ethersproject/providers', '@ethersproject/contracts'];
+
 // Solana/Web3 package names
 const SOLANA_PACKAGES = ['@solana/web3.js', 'solana-web3.js', '@solana/web3'];
 
@@ -531,6 +536,7 @@ function handleVariableDeclarator(node, ctx) {
     }
 
     // Audit v3 B3: const AF = Object.getPrototypeOf(async function(){}).constructor
+    // Blue Team v8: Extended to detect nested getPrototypeOf chains (2+ levels deep)
     if (node.init?.type === 'MemberExpression') {
       const initProp = node.init.computed
         ? (node.init.property?.type === 'Literal' ? String(node.init.property.value) : null)
@@ -557,6 +563,33 @@ function handleVariableDeclarator(node, ctx) {
                 file: ctx.relFile
               });
             }
+            // Blue Team v8: Nested getPrototypeOf — Object.getPrototypeOf(Object.getPrototypeOf(...)).constructor
+            // Walking up prototype chain 2+ levels to reach Function constructor from any object
+            if (arg.type === 'CallExpression' && arg.callee?.type === 'MemberExpression' &&
+                arg.callee.property?.name === 'getPrototypeOf') {
+              ctx.evalAliases.set(node.id.name, 'Function');
+              ctx.hasDynamicExec = true;
+              ctx.threats.push({
+                type: 'dangerous_constructor',
+                severity: 'CRITICAL',
+                message: `Nested Object.getPrototypeOf() chain (2+ levels) + .constructor into "${node.id.name}" — deep prototype traversal to reach Function constructor.`,
+                file: ctx.relFile
+              });
+            }
+            // Blue Team v8b (A3): Object.getPrototypeOf(variable).constructor
+            // When a variable (possibly holding a prototype chain result) is passed to
+            // getPrototypeOf and .constructor is extracted — prototype chain traversal attack.
+            // Covers: const C = Object.getPrototypeOf(protoVar).constructor
+            if (arg.type === 'Identifier') {
+              ctx.evalAliases.set(node.id.name, 'Function');
+              ctx.hasDynamicExec = true;
+              ctx.threats.push({
+                type: 'prototype_chain_constructor',
+                severity: 'CRITICAL',
+                message: `Object.getPrototypeOf(${arg.name}).constructor extracted into "${node.id.name}" — prototype chain traversal to reach Function constructor.`,
+                file: ctx.relFile
+              });
+            }
           }
         }
       }
@@ -591,6 +624,21 @@ function handleVariableDeclarator(node, ctx) {
       ctx.stringVarValues.set(node.id.name, strVal);
     }
 
+    // Blue Team v8b (B7): Track path.join() results where last arg is an image/binary filename
+    // Enables steganographic payload detection when the variable is used with fs.readFileSync
+    if (!strVal && node.init?.type === 'CallExpression') {
+      const initCallName = getCallName(node.init);
+      if ((initCallName === 'join' || initCallName === 'resolve') &&
+          node.init.callee?.type === 'MemberExpression' &&
+          node.init.arguments?.length > 0) {
+        const lastArg = node.init.arguments[node.init.arguments.length - 1];
+        if (lastArg?.type === 'Literal' && typeof lastArg.value === 'string') {
+          // Store the last path component so image extension check works later
+          ctx.stringVarValues.set(node.id.name, lastArg.value);
+        }
+      }
+    }
+
     // Track variables assigned from require.cache[...] (module cache references)
     // Used to detect writes to cached module exports (require.cache poisoning)
     if (node.init?.type === 'MemberExpression' && node.init.computed) {
@@ -890,6 +938,14 @@ function handleCallExpression(node, ctx) {
     if (reqStr && SOLANA_PACKAGES.some(pkg => reqStr === pkg)) {
       ctx.hasSolanaImport = true;
     }
+    // Blue Team v8: track Ethereum/Web3 imports
+    if (reqStr && ETHEREUM_PACKAGES.some(pkg => reqStr === pkg || reqStr.startsWith(pkg))) {
+      ctx.hasSolanaImport = true; // reuse flag — both indicate blockchain SDK usage
+    }
+    // Blue Team v8: track require('ws') for WebSocket C2 detection
+    if (reqStr === 'ws' || reqStr === 'websocket') {
+      ctx.hasWebSocketNew = true; // ws module provides WebSocket functionality
+    }
   }
 
   // Detect process.mainModule.require('child_process') — module system bypass
@@ -1062,6 +1118,29 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Blue Team v8b (C10): require('child_process').execSync/exec(variable) — inline require + variable command
+  // When require is literal 'child_process' but the command argument is not resolvable (MemberExpression, Identifier),
+  // this is a hidden exec with runtime-determined command (C2 pattern: cmd from network data)
+  if ((execName || memberExec) && node.callee.type === 'MemberExpression' &&
+      node.callee.object?.type === 'CallExpression') {
+    const innerCall = node.callee.object;
+    const innerName = getCallName(innerCall);
+    if (innerName === 'require' && innerCall.arguments.length > 0 &&
+        innerCall.arguments[0]?.type === 'Literal' && innerCall.arguments[0].value === 'child_process') {
+      const cmdArg = node.arguments[0];
+      if (cmdArg && cmdArg.type !== 'Literal') {
+        // Non-literal command argument with inline require — opaque shell execution
+        ctx.hasDynamicExec = true;
+        ctx.threats.push({
+          type: 'dangerous_exec',
+          severity: 'HIGH',
+          message: `Inline require('child_process').${execName || memberExec}(variable) — hidden import with runtime-determined command. Typical C2 or RCE payload pattern.`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
   // Detect sandbox/container evasion
   if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
     const fsMethod = node.callee.property.name;
@@ -2260,6 +2339,144 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Blue Team v8: process.dlopen() — direct native module loading bypass
+  if (node.callee.type === 'MemberExpression' &&
+      node.callee.object?.type === 'Identifier' && node.callee.object.name === 'process' &&
+      node.callee.property?.type === 'Identifier' && node.callee.property.name === 'dlopen' &&
+      node.arguments.length >= 1) {
+    ctx.threats.push({
+      type: 'process_binding_abuse',
+      severity: 'CRITICAL',
+      message: 'process.dlopen() — direct native module loading bypasses require() and all module system checks.',
+      file: ctx.relFile
+    });
+  }
+
+  // Blue Team v8: dgram.createSocket() / socket.send() — UDP exfiltration tracking
+  if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
+    const dgramMethod = node.callee.property.name;
+    if (dgramMethod === 'createSocket' && ctx.hasDgramImport) {
+      ctx.hasDgramSend = true; // createSocket implies intent to use UDP
+    }
+    if (dgramMethod === 'send' && ctx.hasDgramImport) {
+      ctx.hasDgramSend = true;
+    }
+  }
+
+  // Blue Team v8: Crontab/cron write detection — fs.writeFileSync to cron paths
+  if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
+    const cronWriteMethod = node.callee.property.name;
+    if (['writeFileSync', 'writeFile', 'appendFileSync'].includes(cronWriteMethod) && node.arguments.length >= 1) {
+      const cronPathArg = node.arguments[0];
+      let cronPathStr = extractStringValueDeep(cronPathArg);
+      if (!cronPathStr && cronPathArg?.type === 'Identifier' && ctx.stringVarValues?.has(cronPathArg.name)) {
+        cronPathStr = ctx.stringVarValues.get(cronPathArg.name);
+      }
+      if (cronPathStr && (/\/etc\/cron/i.test(cronPathStr) || /crontab/i.test(cronPathStr) ||
+          /\/var\/spool\/cron/i.test(cronPathStr))) {
+        ctx.hasCrontabWrite = true;
+        ctx.threats.push({
+          type: 'crontab_systemd_write',
+          severity: 'CRITICAL',
+          message: `${cronWriteMethod}() writes to cron path: "${cronPathStr.substring(0, 80)}" — scheduled task persistence.`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
+  // Blue Team v8: .replace() chain detection — 3+ chained .replace() calls for string mutation obfuscation
+  // Pattern: 'l33t'.replace(/3/g, 'e').replace(/1/g, 'i') to reconstruct dangerous strings
+  if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier' &&
+      node.callee.property.name === 'replace' && node.arguments.length >= 2) {
+    // Walk up the chain to count .replace() depth and try to resolve
+    let depth = 1;
+    let baseNode = node.callee.object;
+    while (baseNode?.type === 'CallExpression' &&
+           baseNode.callee?.type === 'MemberExpression' &&
+           baseNode.callee.property?.type === 'Identifier' &&
+           baseNode.callee.property.name === 'replace' &&
+           baseNode.arguments?.length >= 2) {
+      depth++;
+      baseNode = baseNode.callee.object;
+    }
+    if (depth >= 3) {
+      // Try to statically resolve the chain
+      let resolved = null;
+      if (baseNode?.type === 'Literal' && typeof baseNode.value === 'string') {
+        resolved = baseNode.value;
+      } else if (baseNode?.type === 'Identifier' && ctx.stringVarValues?.has(baseNode.name)) {
+        resolved = ctx.stringVarValues.get(baseNode.name);
+      }
+      if (resolved !== null) {
+        // Apply each .replace() in order (walk the chain from inner to outer)
+        const replaceCalls = [];
+        let currentNode = node;
+        while (currentNode?.type === 'CallExpression' &&
+               currentNode.callee?.type === 'MemberExpression' &&
+               currentNode.callee.property?.name === 'replace') {
+          replaceCalls.unshift(currentNode.arguments);
+          currentNode = currentNode.callee.object;
+        }
+        for (const args of replaceCalls) {
+          if (args.length >= 2) {
+            let pattern = null;
+            let replacement = null;
+            // Extract regex or string pattern
+            if (args[0].type === 'Literal' && args[0].regex) {
+              try { pattern = new RegExp(args[0].regex.pattern, args[0].regex.flags); } catch { /* skip */ }
+            } else if (args[0].type === 'Literal' && typeof args[0].value === 'string') {
+              pattern = args[0].value;
+            }
+            if (args[1].type === 'Literal' && typeof args[1].value === 'string') {
+              replacement = args[1].value;
+            }
+            if (pattern !== null && replacement !== null) {
+              resolved = resolved.replace(pattern, replacement);
+            } else {
+              resolved = null;
+              break;
+            }
+          }
+        }
+      }
+      const DANGEROUS_REPLACE_KEYWORDS = /\b(child_process|eval|exec|spawn|Function|http|net|dns|require|process)\b/;
+      if (resolved && DANGEROUS_REPLACE_KEYWORDS.test(resolved)) {
+        ctx.threats.push({
+          type: 'string_mutation_obfuscation',
+          severity: 'HIGH',
+          message: `String mutation via ${depth} chained .replace() calls resolves to "${resolved.substring(0, 80)}" — leet-speak/substitution evasion.`,
+          file: ctx.relFile
+        });
+      } else if (depth >= 4) {
+        // 4+ replace chains without resolution is still suspicious
+        ctx.threats.push({
+          type: 'string_mutation_obfuscation',
+          severity: 'MEDIUM',
+          message: `${depth} chained .replace() calls detected — potential string mutation obfuscation (could not fully resolve).`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
+  // Blue Team v8b (A1): X.apply(require, null, [...]) — indirect require via Reflect.apply
+  // Detect Reflect.apply(require, ...) or anyVar.apply(require, ...) pattern
+  // This is an evasion where the attacker uses reflection to invoke require dynamically
+  if (node.callee?.type === 'MemberExpression' &&
+      node.callee.property?.type === 'Identifier' && node.callee.property.name === 'apply' &&
+      node.arguments.length >= 2) {
+    const firstArg = node.arguments[0];
+    if (firstArg?.type === 'Identifier' && firstArg.name === 'require') {
+      ctx.threats.push({
+        type: 'dynamic_require',
+        severity: 'CRITICAL',
+        message: '.apply(require, ...) — indirect require() invocation via Reflect.apply or Function.prototype.apply. Evasion technique to dynamically load modules.',
+        file: ctx.relFile
+      });
+    }
+  }
+
   // Audit v3 bypass fix: process.on('uncaughtException'/'unhandledRejection', handler)
   // Error handler hijacking for silent credential exfiltration
   if (node.callee?.type === 'MemberExpression' &&
@@ -2274,6 +2491,116 @@ function handleCallExpression(node, ctx) {
   }
 
   // SANDWORM_MODE R8: dns.resolve detection moved to walk.ancestor() in ast.js (FIX 5)
+
+  // Blue Team v8b (A7): JSON.parse with reviver that checks __proto__
+  // JSON.parse(str, function(key, value) { if (key === '__proto__') ... })
+  // Note: getCallName returns 'parse' (property only), so check object.name === 'JSON'
+  if (callName === 'parse' && node.callee?.type === 'MemberExpression' &&
+      node.callee.object?.type === 'Identifier' && node.callee.object.name === 'JSON' &&
+      node.arguments.length >= 2) {
+    const reviver = node.arguments[1];
+    if (reviver && (reviver.type === 'FunctionExpression' || reviver.type === 'ArrowFunctionExpression')) {
+      // Check if reviver body contains __proto__ reference
+      const reviverSrc = reviver.start !== undefined && reviver.end !== undefined
+        ? ctx._sourceCode?.slice(reviver.start, reviver.end) : '';
+      if (reviverSrc && /__proto__|prototype\s*[.[]/.test(reviverSrc)) {
+        ctx.hasJsonReviverProto = true;
+        const hasRequireInReviver = /\brequire\s*\(/.test(reviverSrc);
+        const hasProtoAssign = /Object\.prototype\s*\./.test(reviverSrc) || /\.__proto__\s*=/.test(reviverSrc);
+        ctx.threats.push({
+          type: 'json_reviver_pollution',
+          severity: (hasRequireInReviver || hasProtoAssign) ? 'CRITICAL' : 'HIGH',
+          message: (hasRequireInReviver || hasProtoAssign)
+            ? 'JSON.parse reviver accesses __proto__/prototype with require() or prototype assignment — prototype pollution for code injection.'
+            : 'JSON.parse reviver accesses __proto__/prototype — potential prototype pollution via untrusted JSON input.',
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
+  // Blue Team v8b (C2): vm.runInContext/runInNewContext/compileFunction with dynamic code
+  // Detect when the code argument is built from Buffer.from/base64/concat, not a string literal
+  if (node.callee?.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
+    const vmMethods = ['runInContext', 'runInNewContext', 'runInThisContext', 'compileFunction'];
+    if (vmMethods.includes(node.callee.property.name) && node.arguments.length > 0) {
+      const codeArg = node.arguments[0];
+      // Dynamic code: not a string literal, could be variable, concat, Buffer.from, etc.
+      if (codeArg && codeArg.type !== 'Literal') {
+        const isDynamic = codeArg.type === 'Identifier' || codeArg.type === 'BinaryExpression' ||
+          codeArg.type === 'CallExpression' || codeArg.type === 'TemplateLiteral';
+        if (isDynamic) {
+          ctx.hasVmDynamicExec = true;
+          ctx.hasDynamicExec = true;
+          ctx.threats.push({
+            type: 'vm_dynamic_code',
+            severity: 'CRITICAL',
+            message: `vm.${node.callee.property.name}() with dynamically constructed code — vm sandbox escape via runtime-built code string.`,
+            file: ctx.relFile
+          });
+        }
+      }
+    }
+  }
+
+  // Blue Team v8b (C2): vm.createContext() with custom require injection + sensitive modules
+  // Detects sandbox setup that provides module access to untrusted code
+  if (callName === 'createContext' && node.callee?.type === 'MemberExpression' &&
+      node.callee.object?.type === 'Identifier') {
+    const src = ctx._sourceCode || '';
+    // Check if the same file defines a custom require for the sandbox
+    const hasRequireInjection = /\.require\s*=\s*(?:\(|function\b)/.test(src) ||
+      /require\s*:\s*(?:\(|function\b)/.test(src);
+    const hasSensitiveModules = /require\s*\(\s*['"](?:fs|http|https|net|child_process)['"]/.test(src);
+    if (hasRequireInjection && hasSensitiveModules) {
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: 'vm_dynamic_code',
+        severity: 'CRITICAL',
+        message: 'vm.createContext() with custom require() injection and access to sensitive modules (fs/http/net) — sandbox that enables untrusted code execution with elevated privileges.',
+        file: ctx.relFile
+      });
+    }
+  }
+
+  // Blue Team v8b (B7): fs.readFileSync on image/binary files (stego pattern)
+  if (node.callee?.type === 'MemberExpression' && node.callee.property?.type === 'Identifier' &&
+      ['readFileSync', 'readFile'].includes(node.callee.property.name)) {
+    const fileArg = node.arguments?.[0];
+    let filePath = '';
+    if (fileArg?.type === 'Literal' && typeof fileArg.value === 'string') {
+      filePath = fileArg.value;
+    } else if (fileArg?.type === 'Identifier' && ctx.stringVarValues?.has(fileArg.name)) {
+      filePath = ctx.stringVarValues.get(fileArg.name);
+    }
+    if (/\.(png|jpg|jpeg|gif|bmp|ico|svg)$/i.test(filePath)) {
+      ctx.hasBinaryFileRead = true;
+    }
+  }
+
+  // Blue Team v8b (C10): execSync/exec inside .on('message') or .on('data') callback
+  if (node.callee?.type === 'MemberExpression' && node.callee.property?.type === 'Identifier' &&
+      node.callee.property.name === 'on' && node.arguments.length >= 2) {
+    const eventArg = node.arguments[0];
+    if (eventArg?.type === 'Literal' && ['message', 'data'].includes(eventArg.value)) {
+      const callback = node.arguments[1];
+      if (callback && (callback.type === 'FunctionExpression' || callback.type === 'ArrowFunctionExpression')) {
+        const cbSrc = callback.start !== undefined && callback.end !== undefined
+          ? ctx._sourceCode?.slice(callback.start, callback.end) : '';
+        if (cbSrc && /\b(execSync|exec|spawn|spawnSync)\s*\(/.test(cbSrc) &&
+            /\brequire\s*\(\s*['"]child_process['"]\s*\)/.test(cbSrc)) {
+          ctx.hasCallbackExec = true;
+          ctx.hasDynamicExec = true;
+          ctx.threats.push({
+            type: 'callback_exec_rce',
+            severity: 'CRITICAL',
+            message: `exec/spawn inside .on('${eventArg.value}') callback with require('child_process') — remote command execution from network input.`,
+            file: ctx.relFile
+          });
+        }
+      }
+    }
+  }
 }
 
 function handleImportExpression(node, ctx) {
@@ -2298,10 +2625,16 @@ function handleImportExpression(node, ctx) {
         ctx.hasSolanaImport = true;
       }
     } else {
+      // Blue Team v8b (C6): Dynamic import with non-literal arg — if it's a variable
+      // built from URL manipulation, this is remote code loading
+      const isCritical = node.source.type === 'Identifier' || node.source.type === 'TemplateLiteral' ||
+        (node.source.type === 'CallExpression' && node.source.callee?.property?.name === 'replace');
       ctx.threats.push({
         type: 'dynamic_import',
-        severity: 'HIGH',
-        message: 'Dynamic import() with computed argument (possible obfuscation).',
+        severity: isCritical ? 'CRITICAL' : 'HIGH',
+        message: isCritical
+          ? 'Dynamic import() with computed URL argument — remote code loading from dynamically constructed URL.'
+          : 'Dynamic import() with computed argument (possible obfuscation).',
         file: ctx.relFile
       });
     }
@@ -2384,17 +2717,59 @@ function handleNewExpression(node, ctx) {
 
   // Batch 2: new Worker(code, { eval: true }) — worker_threads code execution
   if (node.callee.type === 'Identifier' && node.callee.name === 'Worker' &&
-      node.arguments.length >= 2) {
-    const opts = node.arguments[1];
-    if (opts?.type === 'ObjectExpression') {
-      const evalProp = opts.properties?.find(p =>
-        p.key?.name === 'eval' && p.value?.value === true);
-      if (evalProp) {
-        ctx.hasDynamicExec = true;
+      node.arguments.length >= 1) {
+    ctx.hasWorkerThread = true;
+    if (node.arguments.length >= 2) {
+      const opts = node.arguments[1];
+      if (opts?.type === 'ObjectExpression') {
+        const evalProp = opts.properties?.find(p =>
+          p.key?.name === 'eval' && p.value?.value === true);
+        if (evalProp) {
+          ctx.hasDynamicExec = true;
+          ctx.threats.push({
+            type: 'worker_thread_exec',
+            severity: 'HIGH',
+            message: 'new Worker() with eval:true — executes arbitrary code in worker thread, bypasses main thread detection.',
+            file: ctx.relFile
+          });
+        }
+      }
+    }
+    // Blue Team v8: new Worker('data:...') — data URL code injection into worker
+    const firstArg = node.arguments[0];
+    if (firstArg?.type === 'Literal' && typeof firstArg.value === 'string' &&
+        firstArg.value.startsWith('data:')) {
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: 'worker_thread_exec',
+        severity: 'HIGH',
+        message: 'new Worker() with data: URL — inline code injection into worker thread.',
+        file: ctx.relFile
+      });
+    }
+  }
+
+  // Blue Team v8: new SharedArrayBuffer() — shared memory for covert IPC
+  if (node.callee.type === 'Identifier' && node.callee.name === 'SharedArrayBuffer') {
+    ctx.hasSharedArrayBuffer = true;
+  }
+
+  // Blue Team v8: new WebSocket(url) — track for C2 compound detection
+  if (node.callee.type === 'Identifier' && node.callee.name === 'WebSocket' &&
+      node.arguments.length >= 1) {
+    ctx.hasWebSocketNew = true;
+    // Check if URL points to suspicious domain
+    const wsArg = node.arguments[0];
+    const wsUrl = extractStringValueDeep(wsArg);
+    if (wsUrl) {
+      const wsLower = wsUrl.toLowerCase();
+      const isSuspiciousWs = SUSPICIOUS_DOMAINS_HIGH.some(d => wsLower.includes(d)) ||
+                             SUSPICIOUS_DOMAINS_MEDIUM.some(d => wsLower.includes(d));
+      if (isSuspiciousWs) {
         ctx.threats.push({
-          type: 'worker_thread_exec',
+          type: 'websocket_c2',
           severity: 'HIGH',
-          message: 'new Worker() with eval:true — executes arbitrary code in worker thread, bypasses main thread detection.',
+          message: `new WebSocket() connecting to suspicious domain: "${wsUrl.substring(0, 80)}" — potential C2 channel.`,
           file: ctx.relFile
         });
       }
@@ -2609,6 +2984,32 @@ function handleAssignmentExpression(node, ctx) {
     }
   }
 
+  // Blue Team v8b (A4): Module._resolveFilename / _compile / _extensions hijack
+  // Any assignment to these private Module APIs is a supply-chain attack vector
+  if (node.left?.type === 'MemberExpression' && !node.left.computed &&
+      node.left.property?.type === 'Identifier' &&
+      ['_resolveFilename', '_compile', '_extensions', '_findPath', '_nodeModulePaths'].includes(node.left.property.name)) {
+    // Check if the object is Module, a module alias, or a constructor chain
+    const obj = node.left.object;
+    const isModuleRef = (obj?.type === 'Identifier' && (ctx.moduleAliases?.has(obj.name) || obj.name === 'Module')) ||
+      // require('module')._resolveFilename = ...
+      (obj?.type === 'CallExpression' && getCallName(obj) === 'require' && obj.arguments?.[0]?.value === 'module') ||
+      // x.constructor._resolveFilename = ... (any .constructor chain)
+      (obj?.type === 'MemberExpression' && obj.property?.type === 'Identifier' && obj.property.name === 'constructor');
+    // Also match: proc.mainModule.constructor._resolveFilename (deeper chain)
+    const isDeepChain = obj?.type === 'MemberExpression' && obj.property?.type === 'Identifier' &&
+      ['_resolveFilename', '_compile', '_extensions', '_findPath', '_nodeModulePaths'].includes(node.left.property.name);
+    if (isModuleRef || isDeepChain || (obj?.type === 'MemberExpression' && obj.property?.name === 'constructor')) {
+      ctx.hasModuleInternalsHijack = true;
+      ctx.threats.push({
+        type: 'module_internals_hijack',
+        severity: 'CRITICAL',
+        message: `Assignment to Module.${node.left.property.name} — module system internals hijacked. All subsequent require() calls can be intercepted.`,
+        file: ctx.relFile
+      });
+    }
+  }
+
   // Detect object property indirection: obj.exec = require('child_process').exec
   // or obj.fn = eval — stashing dangerous functions in object properties
   if (node.left?.type === 'MemberExpression' && node.right) {
@@ -3188,6 +3589,150 @@ function handlePostWalk(ctx) {
       file: ctx.relFile
     });
   }
+
+  // Blue Team v8: SharedArrayBuffer + Worker = covert shared memory IPC
+  // Pattern: SharedArrayBuffer enables worker-to-main-thread communication
+  // that bypasses message channel monitoring. Alone = MEDIUM, with exec = HIGH.
+  if (ctx.hasSharedArrayBuffer && ctx.hasWorkerThread) {
+    ctx.threats.push({
+      type: 'shared_memory_ipc',
+      severity: ctx.hasDynamicExec ? 'HIGH' : 'MEDIUM',
+      message: ctx.hasDynamicExec
+        ? 'SharedArrayBuffer + Worker + dynamic execution — covert shared memory IPC with code execution.'
+        : 'SharedArrayBuffer + Worker — shared memory IPC channel bypasses standard message monitoring.',
+      file: ctx.relFile
+    });
+  }
+
+  // Blue Team v8: dgram/UDP exfiltration — dgram import + send in same file
+  if (ctx.hasDgramImport && ctx.hasDgramSend) {
+    const hasExfilSignal = ctx.threats.some(t =>
+      t.file === ctx.relFile && (t.type === 'env_access' || t.type === 'sensitive_string')
+    );
+    ctx.threats.push({
+      type: 'udp_exfiltration',
+      severity: hasExfilSignal ? 'CRITICAL' : 'HIGH',
+      message: hasExfilSignal
+        ? 'UDP socket (dgram) with credential/env access — data exfiltration via UDP bypasses HTTP-level monitoring.'
+        : 'UDP socket (dgram) createSocket + send — non-HTTP data channel. UDP exfiltration bypasses HTTP firewalls.',
+      file: ctx.relFile
+    });
+  }
+
+  // Blue Team v8: WebSocket C2 compound — WebSocket + exec/spawn in same file
+  if (ctx.hasWebSocketNew && ctx.hasDynamicExec) {
+    // Only emit if no websocket_c2 already emitted (from suspicious domain detection)
+    if (!ctx.threats.some(t => t.type === 'websocket_c2' && t.file === ctx.relFile)) {
+      ctx.threats.push({
+        type: 'websocket_c2',
+        severity: 'HIGH',
+        message: 'WebSocket connection + dynamic execution in same file — potential WebSocket C2 channel for remote command execution.',
+        file: ctx.relFile
+      });
+    }
+  }
+
+  // Blue Team v8: Extended blockchain C2 — Ethereum/Web3 import + C2 methods
+  // Extends GlassWorm detection to cover ethers.js/web3.js patterns
+  if (!ctx.hasSolanaImport && ctx.hasSolanaC2Method) {
+    // C2 method detected without Solana import — check if Ethereum packages are used
+    const hasEthImport = /\brequire\s*\(\s*['"](?:ethers|web3|@ethersproject)/i.test(ctx._sourceCode || '');
+    if (hasEthImport) {
+      ctx.threats.push({
+        type: 'blockchain_c2_resolution',
+        severity: ctx.hasDynamicExec ? 'CRITICAL' : 'HIGH',
+        message: 'Ethereum/Web3 import + blockchain C2 method — ' +
+          (ctx.hasDynamicExec
+            ? 'dead drop resolver with dynamic execution. Blockchain C2 pattern confirmed.'
+            : 'potential dead drop resolver. Technique: C2 commands stored in blockchain transactions.'),
+        file: ctx.relFile
+      });
+    }
+  }
+
+  // Blue Team v8b (A6): with statement + Proxy + require/exec in same file = sandbox escape compound
+  // Boost: if with_body_dangerous AND proxy trap detected → ensure minimum CRITICAL score
+  const hasWithDangerous = ctx.threats.some(t => t.type === 'with_body_dangerous' && t.file === ctx.relFile);
+  const hasProxyInFile = ctx.hasProxyTrap || ctx.proxyHandlerVars?.size > 0;
+  if (hasWithDangerous && hasProxyInFile) {
+    // Elevate existing with_body_dangerous to CRITICAL if not already
+    for (const t of ctx.threats) {
+      if (t.type === 'with_body_dangerous' && t.file === ctx.relFile && t.severity !== 'CRITICAL') {
+        t.severity = 'CRITICAL';
+        t.message = 'with() + Proxy compound: Proxy trap intercepts all scope resolution inside with block — complete API hijacking for sandbox escape.';
+      }
+    }
+  }
+
+  // Blue Team v8b (B7): Binary file read + new Function/eval = steganographic payload
+  if (ctx.hasBinaryFileRead && ctx.hasDynamicExec) {
+    ctx.threats.push({
+      type: 'stego_binary_exec',
+      severity: 'CRITICAL',
+      message: 'Binary/image file read + dynamic execution (eval/Function) — steganographic payload extraction and execution.',
+      file: ctx.relFile
+    });
+  } else if (ctx.hasImageFileRef && ctx.hasDynamicExec && ctx.hasWriteFileSyncInContent) {
+    // Fallback: image reference + eval in same file (may not directly readFile the image)
+    ctx.threats.push({
+      type: 'stego_binary_exec',
+      severity: 'HIGH',
+      message: 'Image file reference + dynamic execution + file I/O in same file — potential steganographic payload pattern.',
+      file: ctx.relFile
+    });
+  }
+
+  // Blue Team v8b (C1): AsyncLocalStorage + credential file read + exec/network
+  // Trigger on hasDynamicExec OR when dynamic_require is present (require('child_' + 'process') stored in context)
+  const hasDynReqInFile = ctx.threats.some(t => t.type === 'dynamic_require' && t.file === ctx.relFile);
+  if (ctx.hasAsyncLocalStorage && (ctx.hasDynamicExec || hasDynReqInFile)) {
+    ctx.threats.push({
+      type: 'asynclocal_context_exec',
+      severity: 'HIGH',
+      message: 'AsyncLocalStorage + dynamic execution/require — code execution hidden in async context, evades synchronous call-stack analysis.',
+      file: ctx.relFile
+    });
+  }
+
+  // Blue Team v8b (C10): net.Socket + exec = WebSocket/TCP C2
+  // Trigger on callbackExec (exec in .on('message') callback) OR hasDynamicExec (exec anywhere in file)
+  if (ctx.hasNetSocketCreate && (ctx.hasCallbackExec || ctx.hasDynamicExec)) {
+    if (!ctx.threats.some(t => t.type === 'websocket_c2' && t.file === ctx.relFile)) {
+      ctx.threats.push({
+        type: 'websocket_c2',
+        severity: 'CRITICAL',
+        message: 'net.Socket + exec in same file — persistent TCP/WebSocket C2 with remote command execution.',
+        file: ctx.relFile
+      });
+    }
+  }
+
+  // Blue Team v8b (B2): CI environment fingerprinting probe — 3+ CI provider env vars in same file
+  // Indicates multi-provider CI detection for conditional payload activation
+  if (ctx.ciProviderCount >= 3) {
+    ctx.threats.push({
+      type: 'ci_environment_probe',
+      severity: 'HIGH',
+      message: `File references ${ctx.ciProviderCount} CI provider environment variables (GITHUB_ACTIONS, GITLAB_CI, etc.) — CI environment fingerprinting for targeted execution.`,
+      file: ctx.relFile
+    });
+  }
+
+  // Blue Team v8: Hardcoded contract address (40-char hex) + blockchain import = C2 address
+  if ((ctx.hasSolanaImport || /\brequire\s*\(\s*['"](?:ethers|web3|@ethersproject|@solana)/i.test(ctx._sourceCode || '')) &&
+      /\b0x[0-9a-fA-F]{40}\b/.test(ctx._sourceCode || '')) {
+    const existingBlockchain = ctx.threats.some(t =>
+      t.type === 'blockchain_c2_resolution' && t.file === ctx.relFile
+    );
+    if (!existingBlockchain) {
+      ctx.threats.push({
+        type: 'blockchain_c2_resolution',
+        severity: 'MEDIUM',
+        message: 'Blockchain import + hardcoded contract address (0x...) — potential smart contract C2 endpoint.',
+        file: ctx.relFile
+      });
+    }
+  }
 }
 
 function handleWithStatement(node, ctx) {
@@ -3225,10 +3770,14 @@ function handleWithStatement(node, ctx) {
     const bodySource = node.body.start !== undefined && node.body.end !== undefined
       ? ctx._sourceCode?.slice(node.body.start, node.body.end) : null;
     if (bodySource && /\b(require\s*\(\s*['"]child_process['"]\s*\)|child_process|exec\s*\(|execSync\s*\(|spawn\s*\()/.test(bodySource)) {
+      // Blue Team v8: Elevate to CRITICAL when with() scope object is a known Proxy variable
+      const isProxyScope = node.object?.type === 'Identifier' && ctx.proxyHandlerVars?.has(node.object.name);
       ctx.threats.push({
         type: 'with_body_dangerous',
-        severity: 'HIGH',
-        message: 'with() statement body contains require/exec/spawn — scope injection used to obscure dangerous API calls.',
+        severity: isProxyScope ? 'CRITICAL' : 'HIGH',
+        message: isProxyScope
+          ? `with(Proxy) + exec/require in body — Proxy trap intercepts all name resolution, enabling complete API hijacking.`
+          : 'with() statement body contains require/exec/spawn — scope injection used to obscure dangerous API calls.',
         file: ctx.relFile
       });
     }

package/src/scanner/ast.js

@@ -75,6 +75,32 @@ function analyzeFile(content, filePath, basePath) {
         file: path.relative(basePath, filePath)
       });
     }
+
+    // Blue Team v8b (A6): Detect Proxy + require('child_process') + exec in files that fail to parse
+    // This covers 'use strict' + with(Proxy) evasion where acorn can't parse the with statement
+    if (/\bnew\s+Proxy\b/.test(content) && /\brequire\s*\(\s*['"]child_process['"]\s*\)/.test(content)) {
+      const hasExecInContent = /\bexec\s*\(/.test(content) || /\bexecSync\s*\(/.test(content) || /\bspawn\s*\(/.test(content);
+      if (hasExecInContent) {
+        threats.push({
+          type: 'dangerous_exec',
+          severity: 'CRITICAL',
+          message: 'Proxy + require(\'child_process\') + exec in unparseable file — scope hijack evasion (regex fallback).',
+          file: path.relative(basePath, filePath)
+        });
+      }
+    }
+
+    // Content-level: require('child_process') + exec/spawn with shell command patterns
+    if (/\brequire\s*\(\s*['"]child_process['"]\s*\)/.test(content) &&
+        /\bcurl\b.*\|\s*(sh|bash)\b/.test(content)) {
+      threats.push({
+        type: 'dangerous_exec',
+        severity: 'CRITICAL',
+        message: 'require(\'child_process\') + curl pipe to shell in unparseable file — remote code execution (regex fallback).',
+        file: path.relative(basePath, filePath)
+      });
+    }
+
     return threats;
   }
 
@@ -183,6 +209,37 @@ function analyzeFile(content, filePath, basePath) {
     hasUncaughtExceptionHandler: false,
     // Audit v3 B2: FinalizationRegistry deferred exec detection
     hasFinalizationRegistry: false,
+    // Blue Team v8: SharedArrayBuffer + Worker IPC detection
+    hasSharedArrayBuffer: false,
+    hasWorkerThread: false,  // set when Worker (worker_threads) usage detected
+    // Blue Team v8: dgram/UDP exfiltration
+    hasDgramImport: /\brequire\s*\(\s*['"](?:node:)?dgram['"]\s*\)/.test(content),
+    hasDgramSend: false,
+    // Blue Team v8: WebSocket C2
+    hasWebSocketNew: false,  // set when new WebSocket() detected
+    // Blue Team v8: crontab/cron write detection
+    hasCrontabWrite: false,
+    // Blue Team v8b: Module internals hijack (Module._resolveFilename, _compile, _extensions)
+    hasModuleInternalsHijack: false,
+    // Blue Team v8b: JSON.parse reviver with __proto__ check
+    hasJsonReviverProto: false,
+    // Blue Team v8b: vm.runInContext/runInNewContext with dynamic code
+    hasVmDynamicExec: false,
+    // Blue Team v8b: binary file read + new Function/eval in same file (stego)
+    hasBinaryFileRead: false,  // set when fs.readFileSync on .png/.jpg/.gif/.bmp/.ico
+    // Blue Team v8b: AsyncLocalStorage usage
+    hasAsyncLocalStorage: /\bAsyncLocalStorage\b/.test(content),
+    // Blue Team v8b: image file reference for stego detection
+    hasImageFileRef: /\.(png|jpg|jpeg|gif|bmp|ico)\b/i.test(content),
+    // Blue Team v8b: net.Socket creation (for WebSocket C2 detection)
+    hasNetSocketCreate: /\bnew\s+net\.Socket\b/.test(content) || /\bnet\.createConnection\b/.test(content),
+    // Blue Team v8b: execSync/exec in callback contexts (set when exec inside .on('message'|'data'))
+    hasCallbackExec: false,
+    // Blue Team v8b (B2): CI environment fingerprinting — count of CI provider env vars referenced
+    ciProviderCount: (() => {
+      const CI_VARS = ['GITHUB_ACTIONS', 'GITLAB_CI', 'CIRCLECI', 'TRAVIS', 'JENKINS_URL', 'BUILDKITE', 'CONTINUOUS_INTEGRATION', 'TEAMCITY_VERSION', 'CODEBUILD_BUILD_ID', 'BITBUCKET_PIPELINE_UUID'];
+      return CI_VARS.filter(v => content.includes(v)).length;
+    })(),
     // Audit v3: source code reference for callback body analysis
     _sourceCode: content
   };

package/src/scanner/package.js

@@ -125,6 +125,25 @@ async function scanPackageJson(targetPath) {
           file: 'package.json'
         });
       }
+
+      // Blue Team v8b (B8): Lifecycle script references non-existent file in package
+      // Pattern: "node path/to/script.js" where the file does not exist — phantom install script
+      // Strong signal: preinstall/install scripts pointing to missing files can't be build artifacts
+      if (['preinstall', 'install', 'postinstall'].includes(scriptName)) {
+        const nodeFileMatch = scriptContent.match(/^node\s+(\S+)/);
+        if (nodeFileMatch) {
+          const scriptFile = nodeFileMatch[1];
+          const fullScriptPath = path.join(targetPath, scriptFile);
+          if (!fs.existsSync(fullScriptPath) && !fs.existsSync(fullScriptPath + '.js')) {
+            threats.push({
+              type: 'lifecycle_missing_script',
+              severity: scriptName === 'postinstall' ? 'HIGH' : 'CRITICAL',
+              message: `Lifecycle "${scriptName}" references "${scriptFile}" which does not exist in the package — phantom install script, payload may be injected at publish time.`,
+              file: 'package.json'
+            });
+          }
+        }
+      }
     }
   }
 
@@ -181,6 +200,57 @@ async function scanPackageJson(targetPath) {
     } catch { /* permission error */ }
   }
 
+  // Blue Team v8: binding.gyp + lifecycle script = native addon install risk
+  // binding.gyp triggers node-gyp compilation during install. Combined with lifecycle scripts
+  // that aren't standard node-gyp build tools, this indicates potentially malicious native code.
+  const bindingGypPath = path.join(targetPath, 'binding.gyp');
+  if (fs.existsSync(bindingGypPath)) {
+    const hasInstallLifecycle = ['preinstall', 'install', 'postinstall'].some(s => scripts[s]);
+    const installScript = scripts.install || scripts.postinstall || scripts.preinstall || '';
+    // node-gyp rebuild / prebuild-install / cmake-js are legitimate native addon builders
+    const isStandardBuild = /\b(node-gyp|prebuild|cmake-js|napi|prebuildify|neon)\b/i.test(installScript);
+
+    // Blue Team v8b (C7): Check binding.gyp content for shell commands in actions
+    let gypContent = '';
+    try { gypContent = fs.readFileSync(bindingGypPath, 'utf8'); } catch {}
+    const hasShellActions = /\baction\b.*\bsh\b/.test(gypContent) || /\bcurl\b/.test(gypContent) ||
+      /\bwget\b/.test(gypContent) || /\$\(whoami\)/.test(gypContent) || /\$\(uname/.test(gypContent);
+    // Check if binding.gyp references C/C++ source files
+    const hasNativeSources = /\.(c|cc|cpp|cxx|h|hpp)\b/.test(gypContent);
+
+    if (hasShellActions) {
+      threats.push({
+        type: 'native_addon_install',
+        severity: 'CRITICAL',
+        message: `binding.gyp contains shell commands in build actions (curl/sh/whoami) — build-time code execution and exfiltration.`,
+        file: 'binding.gyp'
+      });
+    } else if (hasInstallLifecycle && !isStandardBuild) {
+      threats.push({
+        type: 'native_addon_install',
+        severity: 'HIGH',
+        message: `binding.gyp present with non-standard lifecycle script: "${installScript.substring(0, 100)}" — potential malicious native compilation.`,
+        file: 'package.json'
+      });
+    } else if (hasInstallLifecycle && hasNativeSources) {
+      // Standard build but with native C/C++ sources — HIGH (native code is opaque)
+      threats.push({
+        type: 'native_addon_install',
+        severity: 'HIGH',
+        message: `binding.gyp with C/C++ source files + lifecycle script — native addon compilation. Native code is opaque to static analysis.`,
+        file: 'package.json'
+      });
+    } else if (hasInstallLifecycle) {
+      // Standard build tool — informational only
+      threats.push({
+        type: 'native_addon_install',
+        severity: 'LOW',
+        message: 'binding.gyp with standard build tool (node-gyp/prebuild) in lifecycle script — legitimate native addon.',
+        file: 'package.json'
+      });
+    }
+  }
+
   // Scan declared dependencies against IOCs
   let iocs;
   try {

package/src/scoring.js

@@ -108,7 +108,11 @@ const PACKAGE_LEVEL_TYPES = new Set([
   'sandbox_canary_exfiltration',
   // Compound scoring rules — package-level co-occurrences
   'lifecycle_typosquat', 'lifecycle_inline_exec', 'lifecycle_remote_require',
-  'lifecycle_dataflow', 'lifecycle_dangerous_exec', 'obfuscated_lifecycle_env'
+  'lifecycle_dataflow', 'lifecycle_dangerous_exec', 'obfuscated_lifecycle_env',
+  // Blue Team v8: package-level boost signals
+  'isolated_suspicious_file', 'deep_suspicious_file',
+  // Blue Team v8b: phantom lifecycle scripts
+  'lifecycle_missing_script'
 ]);
 
 /**
@@ -299,7 +303,8 @@ const REACHABILITY_EXEMPT_TYPES = new Set([
   'typosquat_detected', 'pypi_typosquat_detected',
   'pypi_malicious_package',
   'ai_config_injection', 'ai_config_injection_compound',
-  'detached_credential_exfil' // DPRK/Lazarus: invoked via lifecycle, not require/import
+  'detached_credential_exfil', // DPRK/Lazarus: invoked via lifecycle, not require/import
+  'native_addon_install' // binding.gyp executes during npm install but isn't require()'d
 ]);
 
 // ============================================
@@ -728,6 +733,50 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
   }
 }
 
+/**
+ * Blue Team v8: Inject package-level boost threats that detect dissimulation patterns.
+ * Called within calculateRiskScore after file scores are computed.
+ * @param {Array} deduped - deduplicated threat array (mutated in place)
+ * @param {Object} fileScores - map of file → score
+ * @param {Map} fileGroups - map of file → threats array
+ * @param {Array} packageLevelThreats - package-level threats
+ */
+function applyPackageLevelBoosts(deduped, fileScores, fileGroups, packageLevelThreats) {
+  const fileNames = Object.keys(fileScores);
+  const totalFiles = fileNames.length;
+
+  // 1. isolated_suspicious_file: exactly 1 file has score > 0, 10+ files have score 0
+  if (totalFiles >= 10) {
+    const filesWithScore = fileNames.filter(f => fileScores[f] > 0);
+    const filesWithZero = totalFiles - filesWithScore.length;
+    if (filesWithScore.length === 1 && filesWithZero >= 10) {
+      deduped.push({
+        type: 'isolated_suspicious_file',
+        severity: 'MEDIUM',
+        message: `Single suspicious file among ${totalFiles} files — potential dissimulation pattern (malicious code hidden in clean package).`,
+        file: filesWithScore[0],
+        boostSignal: true
+      });
+    }
+  }
+
+  // 2. deep_suspicious_file: finding in a file at depth > 3 from package root
+  for (const [file, threats] of fileGroups) {
+    if (!file || file === '(unknown)') continue;
+    const segments = file.replace(/\\/g, '/').split('/').filter(Boolean);
+    if (segments.length > 3 && threats.some(t => t.severity !== 'LOW')) {
+      deduped.push({
+        type: 'deep_suspicious_file',
+        severity: 'LOW',
+        message: `Suspicious pattern found in deeply nested file (depth ${segments.length}): ${file} — potential hiding technique.`,
+        file: file,
+        boostSignal: true
+      });
+      break; // Only emit once per package
+    }
+  }
+}
+
 /**
  * Calculate per-file max risk score from deduplicated threats.
  * Formula: riskScore = min(100, max(file_scores + intent_bonus) + package_level_score)
@@ -795,6 +844,27 @@ function calculateRiskScore(deduped, intentResult) {
     crossFileBonus = Math.min(crossFileBonus, 25);
   }
 
+  // 5b. Blue Team v8: Package-level boost signals — detect dissimulation patterns
+  applyPackageLevelBoosts(deduped, fileScores, fileGroups, packageLevelThreats);
+  // Recompute packageScore after boosts may have added new package-level threats
+  const boostPackageThreats = deduped.filter(t => isPackageLevelThreat(t) && t.boostSignal);
+  if (boostPackageThreats.length > 0) {
+    packageScore = computeGroupScore([...packageLevelThreats, ...boostPackageThreats]);
+    if (packageScore >= 25 && [...packageLevelThreats, ...boostPackageThreats].some(t => t.severity === 'CRITICAL')) {
+      packageScore = Math.max(packageScore, 50);
+    }
+  }
+
+  // 5c. Blue Team v8: lifecycle_plus_finding boost — lifecycle + any finding = +10 package score
+  const hasActiveLifecycleForBoost = packageLevelThreats.some(t =>
+    t.type === 'lifecycle_script' && t.severity !== 'LOW'
+  );
+  const hasAnyFileFinding = fileLevelThreats.some(t => t.severity !== 'LOW');
+  let lifecycleBoost = 0;
+  if (hasActiveLifecycleForBoost && hasAnyFileFinding) {
+    lifecycleBoost = 10;
+  }
+
   // 6. Intent coherence bonus: additive score from source→sink pairs
   let intentBonus = 0;
   if (intentResult && intentResult.intentScore > 0) {
@@ -802,8 +872,8 @@ function calculateRiskScore(deduped, intentResult) {
     intentBonus = Math.min(intentResult.intentScore, 30);
   }
 
-  // 7. Final score = max file score + cross-file bonus + intent bonus + package-level score, capped at 100
-  const riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + crossFileBonus + intentBonus + packageScore);
+  // 7. Final score = max file score + cross-file bonus + intent bonus + package-level score + lifecycle boost, capped at 100
+  const riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + crossFileBonus + intentBonus + packageScore + lifecycleBoost);
 
   // 8. Old global score for comparison (sum of ALL findings)
   const globalRiskScore = computeGroupScore(deduped);

package/src/shared/constants.js

@@ -108,7 +108,7 @@ const crypto = require('crypto');
  * Key = sha256(code) + '|' + optionsKey (collision-free content-addressable key)
  */
 const _astCache = new Map();
-const _AST_CACHE_MAX = 600; // Max entries (one scan ≈ 500 files max)
+const _AST_CACHE_MAX = 200; // Max entries (reduced from 600 to limit memory during evaluate)
 
 /**
  * Parse JS source with module-mode fallback to script-mode.