muaddib-scanner 2.10.30 → 2.10.32

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines **14 parallel scanners** (176 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring**, **ML classifiers** (XGBoost), and Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages.
+MUAD'DIB combines **14 parallel scanners** (195 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring**, **ML classifiers** (XGBoost), and Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages.
 
 ---
 
@@ -195,7 +195,7 @@ muaddib replay                     # Ground truth validation (46/49 TPR)
 | GitHub Actions | Shai-Hulud backdoor detection |
 | Hash Scanner | Known malicious file hashes |
 
-### 176 detection rules
+### 195 detection rules
 
 All rules are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21021) for the complete rules reference.
 
@@ -271,7 +271,7 @@ With pre-commit framework:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.10.21
+    rev: v2.10.31
     hooks:
       - id: muaddib-scan
 ```
@@ -288,7 +288,7 @@ repos:
 | **FPR** (Benign random) | **7.5%** (15/200) | 200 random npm packages, stratified sampling |
 | **ADR** (Adversarial + Holdout) | **94.0%** (101/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
 
-**2793 tests** across 57 files. **176 rules** (171 RULES + 5 PARANOID).
+**2868 tests** across 62 files. **195 rules** (190 RULES + 5 PARANOID).
 
 > **Methodology caveats:**
 > - TPR measured on 49 Node.js attack samples (3 browser-only excluded from 51 total)
@@ -329,7 +329,7 @@ npm test
 
 ### Testing
 
-- **2793 tests** across 57 modular test files
+- **2868 tests** across 62 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 51 real-world attacks (93.9% TPR)
@@ -351,7 +351,7 @@ npm test
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
 - [Adversarial Evaluation](ADVERSARIAL.md) - Red team samples and ADR results
-- [Security Policy](SECURITY.md) - Detection rules reference (176 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (195 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.30",
+  "version": "2.10.32",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -55,7 +55,7 @@
   },
   "devDependencies": {
     "@eslint/js": "10.0.1",
-    "eslint": "10.0.3",
+    "eslint": "10.1.0",
     "eslint-plugin-security": "^4.0.0",
     "globals": "17.4.0"
   }

package/src/monitor/daemon.js

@@ -1,7 +1,8 @@
+const { execFileSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
-const { isDockerAvailable } = require('../sandbox/index.js');
+const { isDockerAvailable, SANDBOX_CONCURRENCY_MAX } = require('../sandbox/index.js');
 const { setVerboseMode, isSandboxEnabled, isCanaryEnabled } = require('./classify.js');
 const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, getParisHour } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
@@ -33,6 +34,26 @@ function cleanupOrphanTmpDirs() {
   } catch {}
 }
 
+function cleanupOrphanContainers() {
+  try {
+    // List running containers with the sandbox name prefix (npm-audit-*)
+    const output = execFileSync('docker', ['ps', '-q', '--filter', 'name=npm-audit-'], {
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 10000
+    }).toString().trim();
+    if (!output) return;
+    const ids = output.split(/\s+/).filter(Boolean);
+    for (const id of ids) {
+      try {
+        execFileSync('docker', ['rm', '-f', id], { stdio: 'pipe', timeout: 10000 });
+      } catch {}
+    }
+    console.log(`[MONITOR] Cleaned up ${ids.length} orphan sandbox container(s)`);
+  } catch {
+    // Docker not available or command failed — skip silently
+  }
+}
+
 function reportStats(stats) {
   const avg = stats.scanned > 0 ? (stats.totalTimeMs / stats.scanned / 1000).toFixed(1) : '0.0';
   const { t1, t1a, t1b, t2, t3 } = stats.suspectByTier;
@@ -67,6 +88,8 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
 
   // Cleanup temp dirs from previous runs (SIGTERM/crash may leave orphans)
   cleanupOrphanTmpDirs();
+  // Kill orphan sandbox containers from previous crash (npm-audit-* prefix)
+  cleanupOrphanContainers();
   // Layer 3: Purge expired cached tarballs on startup
   purgeTarballCache();
 
@@ -137,6 +160,7 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
   console.log(`[MONITOR] State loaded — npm last: ${state.npmLastPackage || 'none'}, pypi last: ${state.pypiLastPackage || 'none'}, npm seq: ${state.npmLastSeq || 'none'}`);
   console.log('[MONITOR] npm changes stream enabled (replicate.npmjs.com) with RSS fallback');
   console.log(`[MONITOR] Scan concurrency: ${SCAN_CONCURRENCY} (MUADDIB_SCAN_CONCURRENCY to override)`);
+  console.log(`[MONITOR] Sandbox concurrency: ${SANDBOX_CONCURRENCY_MAX} (MUADDIB_SANDBOX_CONCURRENCY to override)`);
   console.log(`[MONITOR] Polling every ${POLL_INTERVAL / 1000}s. Ctrl+C to stop.\n`);
 
   let running = true;
@@ -193,6 +217,7 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
 module.exports = {
   startMonitor,
   cleanupOrphanTmpDirs,
+  cleanupOrphanContainers,
   reportStats,
   isDailyReportDue,
   sleep,

package/src/response/playbooks.js

@@ -511,6 +511,13 @@ const PLAYBOOKS = {
     'CRITIQUE: Un Proxy JavaScript avec trap set/get/apply est combine avec un appel reseau. ' +
     'Technique d\'interception: le Proxy capture toutes les ecritures de proprietes (credentials, tokens, config) ' +
     'et les exfiltre via HTTPS/fetch/dgram. Supprimer le package. Auditer tous les modules qui importent ce package.',
+  proxy_globalthis_intercept:
+    'CRITIQUE: new Proxy(globalThis/global) intercepte tous les acces au scope global. ' +
+    'L\'attaquant peut hooker eval, Function, require de maniere transparente via le handler Proxy. ' +
+    'Supprimer le package immediatement.',
+  reflect_bind_code_execution:
+    'CRITIQUE: Reflect.apply() avec methode prototype (bind/call/apply) et thisArg=Function/eval. ' +
+    'Evasion de 2nd niveau contournant la detection Reflect.apply(eval). Supprimer le package.',
   detached_credential_exfil:
     'CRITIQUE: Process detache avec acces aux credentials et exfiltration reseau. ' +
     'Technique DPRK/Lazarus: le process fils survit au parent (detached:true, unref()) et exfiltre des secrets en arriere-plan. ' +

package/src/rules/index.js

@@ -2142,6 +2142,24 @@ const RULES = {
     ],
     mitre: 'T1082'
   },
+  proxy_globalthis_intercept: {
+    id: 'MUADDIB-AST-083',
+    name: 'Proxy GlobalThis Interception',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'new Proxy(globalThis/global/window/self) — intercepts all global scope access, enabling transparent hooking of eval/Function/require.',
+    references: ['https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy'],
+    mitre: 'T1574'
+  },
+  reflect_bind_code_execution: {
+    id: 'MUADDIB-AST-084',
+    name: 'Reflect.apply Prototype Method Code Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Reflect.apply(Function.prototype.bind/call/apply, Function, [...]) — indirect code execution via Reflect with prototype method as target.',
+    references: ['https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Reflect/apply'],
+    mitre: 'T1059'
+  },
   lifecycle_missing_script: {
     id: 'MUADDIB-PKG-017',
     name: 'Phantom Lifecycle Script',

package/src/sandbox/index.js

@@ -20,6 +20,41 @@ const DOCKER_IMAGE = 'muaddib-sandbox';
 const CONTAINER_TIMEOUT = 120000; // 120 seconds
 const SINGLE_RUN_TIMEOUT = 60000; // 60 seconds per run in multi-run mode
 
+// ── Sandbox concurrency limiter ──
+// Prevents Docker container saturation under load (16 workers × 3 runs = 48 containers).
+// Pattern: same semaphore as src/shared/http-limiter.js.
+const SANDBOX_CONCURRENCY_MAX = Math.max(1, parseInt(process.env.MUADDIB_SANDBOX_CONCURRENCY, 10) || 3);
+
+const _sandboxSemaphore = { active: 0, queue: [] };
+
+function acquireSandboxSlot() {
+  if (_sandboxSemaphore.active < SANDBOX_CONCURRENCY_MAX) {
+    _sandboxSemaphore.active++;
+    return Promise.resolve();
+  }
+  return new Promise(resolve => {
+    _sandboxSemaphore.queue.push(resolve);
+  });
+}
+
+function releaseSandboxSlot() {
+  if (_sandboxSemaphore.queue.length > 0) {
+    const next = _sandboxSemaphore.queue.shift();
+    next(); // Transfers slot to next waiter (active count stays the same)
+  } else {
+    _sandboxSemaphore.active--;
+  }
+}
+
+function resetSandboxLimiter() {
+  _sandboxSemaphore.active = 0;
+  _sandboxSemaphore.queue.length = 0;
+}
+
+function getSandboxSemaphore() {
+  return _sandboxSemaphore;
+}
+
 // Time offsets for multi-run sandbox execution (ms)
 const TIME_OFFSETS = [
   { offset: 0, label: 'immediate' },
@@ -238,11 +273,17 @@ async function runSingleSandbox(packageName, options = {}) {
     // Timeout: kill container
     const timer = setTimeout(() => {
       timedOut = true;
-      console.log(`[SANDBOX] Timeout (${runTimeout / 1000}s). Killing container...`);
+      console.log(`[SANDBOX] Timeout (${runTimeout / 1000}s). Killing container ${containerName}...`);
       try {
         execFileSync('docker', ['kill', containerName], { stdio: 'pipe', timeout: 5000 });
       } catch {
-        proc.kill('SIGKILL');
+        // docker kill failed (container in intermediate state) — force remove
+        try {
+          execFileSync('docker', ['rm', '-f', containerName], { stdio: 'pipe', timeout: 5000 });
+        } catch {
+          // Last resort: kill the docker client process (container may survive as orphan)
+          proc.kill('SIGKILL');
+        }
       }
     }, runTimeout);
 
@@ -441,69 +482,81 @@ async function runSandbox(packageName, options = {}) {
   }
 
   const mode = strict ? 'strict' : 'permissive';
-  console.log(`[SANDBOX] Analyzing "${displayName}" in isolated container (mode: ${mode}${canaryEnabled ? ', canary: on' : ''}${local ? ', local' : ''}, runs: ${TIME_OFFSETS.length})...`);
-
-  const allRuns = [];
-  let bestResult = cleanResult;
-
-  for (let i = 0; i < TIME_OFFSETS.length; i++) {
-    const { offset, label } = TIME_OFFSETS[i];
-    console.log(`[SANDBOX] Run ${i + 1}/${TIME_OFFSETS.length} (${label})...`);
-
-    const runResult = await runSingleSandbox(packageName, {
-      strict,
-      canaryTokens,
-      local,
-      localAbsPath,
-      displayName,
-      timeOffset: offset,
-      runTimeout: SINGLE_RUN_TIMEOUT
-    });
 
-    allRuns.push({
-      run: i + 1,
-      label,
-      timeOffset: offset,
-      score: runResult.score,
-      severity: runResult.severity,
-      findingCount: runResult.findings.length
-    });
+  // Acquire sandbox slot — blocks if SANDBOX_CONCURRENCY_MAX containers already running
+  const queueLen = _sandboxSemaphore.queue.length;
+  if (queueLen > 0) {
+    console.log(`[SANDBOX] Waiting for sandbox slot (${_sandboxSemaphore.active}/${SANDBOX_CONCURRENCY_MAX} active, ${queueLen} queued)...`);
+  }
+  await acquireSandboxSlot();
 
-    // Keep the result with the highest score
-    if (runResult.score > bestResult.score) {
-      bestResult = runResult;
+  try {
+    console.log(`[SANDBOX] Analyzing "${displayName}" in isolated container (mode: ${mode}${canaryEnabled ? ', canary: on' : ''}${local ? ', local' : ''}, runs: ${TIME_OFFSETS.length}, slots: ${_sandboxSemaphore.active}/${SANDBOX_CONCURRENCY_MAX})...`);
+
+    const allRuns = [];
+    let bestResult = cleanResult;
+
+    for (let i = 0; i < TIME_OFFSETS.length; i++) {
+      const { offset, label } = TIME_OFFSETS[i];
+      console.log(`[SANDBOX] Run ${i + 1}/${TIME_OFFSETS.length} (${label})...`);
+
+      const runResult = await runSingleSandbox(packageName, {
+        strict,
+        canaryTokens,
+        local,
+        localAbsPath,
+        displayName,
+        timeOffset: offset,
+        runTimeout: SINGLE_RUN_TIMEOUT
+      });
+
+      allRuns.push({
+        run: i + 1,
+        label,
+        timeOffset: offset,
+        score: runResult.score,
+        severity: runResult.severity,
+        findingCount: runResult.findings.length
+      });
+
+      // Keep the result with the highest score
+      if (runResult.score > bestResult.score) {
+        bestResult = runResult;
+      }
+
+      // Early exit: CRITICAL found, skip remaining runs
+      if (runResult.score >= 80) {
+        console.log(`[SANDBOX] Critical score (${runResult.score}) detected in run ${i + 1}. Skipping remaining runs.`);
+        break;
+      }
     }
 
-    // Early exit: CRITICAL found, skip remaining runs
-    if (runResult.score >= 80) {
-      console.log(`[SANDBOX] Critical score (${runResult.score}) detected in run ${i + 1}. Skipping remaining runs.`);
-      break;
+    // If all runs were inconclusive (timeout), propagate inconclusive status
+    // instead of returning CLEAN (which would cause false FP relabeling)
+    if (bestResult.score === 0 && allRuns.length > 0 && allRuns.every(r => r.score === -1)) {
+      bestResult = {
+        score: -1,
+        severity: 'INCONCLUSIVE',
+        findings: [{
+          type: 'timeout',
+          severity: 'MEDIUM',
+          detail: `All ${allRuns.length} runs exceeded timeout — package too large or slow install`,
+          evidence: `All ${allRuns.length} runs timed out`
+        }],
+        raw_report: null,
+        suspicious: false,
+        inconclusive: true
+      };
     }
-  }
 
-  // If all runs were inconclusive (timeout), propagate inconclusive status
-  // instead of returning CLEAN (which would cause false FP relabeling)
-  if (bestResult.score === 0 && allRuns.length > 0 && allRuns.every(r => r.score === -1)) {
-    bestResult = {
-      score: -1,
-      severity: 'INCONCLUSIVE',
-      findings: [{
-        type: 'timeout',
-        severity: 'MEDIUM',
-        detail: `All ${allRuns.length} runs exceeded timeout — package too large or slow install`,
-        evidence: `All ${allRuns.length} runs timed out`
-      }],
-      raw_report: null,
-      suspicious: false,
-      inconclusive: true
-    };
-  }
-
-  // Attach multi-run metadata
-  bestResult.all_runs = allRuns;
-
-  displayResults(bestResult);
-  return bestResult;
+    // Attach multi-run metadata
+    bestResult.all_runs = allRuns;
+
+    displayResults(bestResult);
+    return bestResult;
+  } finally {
+    releaseSandboxSlot();
+  }
 }
 
 // ── Static canary detection ──
@@ -812,4 +865,4 @@ function displayResults(result) {
   }
 }
 
-module.exports = { buildSandboxImage, runSandbox, runSingleSandbox, scoreFindings, generateNetworkReport, EXFIL_PATTERNS, SAFE_DOMAINS, getSeverity, displayResults, isDockerAvailable, imageExists, STATIC_CANARY_TOKENS, detectStaticCanaryExfiltration, analyzePreloadLog, TIME_OFFSETS, SAFE_SANDBOX_CMDS };
+module.exports = { buildSandboxImage, runSandbox, runSingleSandbox, scoreFindings, generateNetworkReport, EXFIL_PATTERNS, SAFE_DOMAINS, getSeverity, displayResults, isDockerAvailable, imageExists, STATIC_CANARY_TOKENS, detectStaticCanaryExfiltration, analyzePreloadLog, TIME_OFFSETS, SAFE_SANDBOX_CMDS, SANDBOX_CONCURRENCY_MAX, acquireSandboxSlot, releaseSandboxSlot, resetSandboxLimiter, getSandboxSemaphore };

package/src/scanner/ast-detectors/handle-call-expression.js

@@ -1496,6 +1496,26 @@ function handleCallExpression(node, ctx) {
           file: ctx.relFile
         });
       }
+      // Bypass fix: Reflect.apply(Function.prototype.bind/call/apply, Function, [...])
+      if (target.type === 'MemberExpression') {
+        const methodProp = target.property;
+        const methodName = methodProp?.type === 'Identifier' ? methodProp.name :
+                           (methodProp?.type === 'Literal' ? String(methodProp.value) : null);
+        if (methodName === 'bind' || methodName === 'call' || methodName === 'apply') {
+          const thisArg = node.arguments[1];
+          if (thisArg?.type === 'Identifier' &&
+              (thisArg.name === 'Function' || thisArg.name === 'eval' ||
+               ctx.evalAliases?.has(thisArg.name))) {
+            ctx.hasDynamicExec = true;
+            ctx.threats.push({
+              type: 'reflect_bind_code_execution',
+              severity: 'CRITICAL',
+              message: `Reflect.apply(*.${methodName}, ${thisArg.name}, [...]) — indirect ${thisArg.name} invocation via prototype method, bypasses Reflect.apply(${thisArg.name}) detection.`,
+              file: ctx.relFile
+            });
+          }
+        }
+      }
       // B1: Reflect.apply(require, null, ['child_process']) — bypasses require() call detection
       if (target.type === 'Identifier' && target.name === 'require') {
         const argsArray = node.arguments[2];

package/src/scanner/ast-detectors/handle-new-expression.js

@@ -58,6 +58,18 @@ function handleNewExpression(node, ctx) {
         file: ctx.relFile
       });
     }
+    // Detect new Proxy(globalThis/global/window/self, handler) — intercepts all global access
+    if (target.type === 'Identifier' &&
+        (target.name === 'globalThis' || target.name === 'global' ||
+         target.name === 'window' || target.name === 'self' ||
+         ctx.globalThisAliases.has(target.name))) {
+      ctx.threats.push({
+        type: 'proxy_globalthis_intercept',
+        severity: 'CRITICAL',
+        message: `new Proxy(${target.name}, handler) — intercepts all global object access. Attacker can hook eval/Function/require transparently.`,
+        file: ctx.relFile
+      });
+    }
     // Detect new Proxy(obj, handler) where handler has set/get traps — data interception
     // Real-world technique: export a Proxy that intercepts all property sets/gets to exfiltrate
     // data flowing through the module. Combined with network (hasNetworkInFile) → credential theft.

package/src/scanner/ast-detectors/handle-variable-declarator.js

@@ -58,6 +58,19 @@ function handleVariableDeclarator(node, ctx) {
       ctx.globalThisAliases.add(node.id.name);
     }
 
+    // Track Proxy(globalThis) as globalThis alias for downstream detection
+    if (node.init?.type === 'NewExpression' &&
+        node.init.callee?.type === 'Identifier' && node.init.callee.name === 'Proxy' &&
+        node.init.arguments?.length >= 2) {
+      const proxyTarget = node.init.arguments[0];
+      if (proxyTarget?.type === 'Identifier' &&
+          (proxyTarget.name === 'globalThis' || proxyTarget.name === 'global' ||
+           proxyTarget.name === 'window' || proxyTarget.name === 'self' ||
+           ctx.globalThisAliases.has(proxyTarget.name))) {
+        ctx.globalThisAliases.add(node.id.name);
+      }
+    }
+
     // B1: const E = eval; const F = Function;
     if (node.init?.type === 'Identifier' &&
         (node.init.name === 'eval' || node.init.name === 'Function')) {