muaddib-scanner 2.10.37 → 2.10.40

package/bin/muaddib.js

@@ -260,10 +260,12 @@ if (command === 'version' || command === '--version' || command === '-v') {
     configPath: configPath,
     autoSandbox: autoSandbox
   }).then(exitCode => {
-    process.exit(exitCode);
+    // Use process.exitCode instead of process.exit() to let pending async work
+    // (the non-blocking version update check) complete before the process exits.
+    process.exitCode = exitCode;
   }).catch(err => {
     console.error('[ERROR]', err.message);
-    process.exit(1);
+    process.exitCode = 1;
   });
 } else if (command === 'feed') {
   if (wantHelp) showHelp('feed');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.37",
+  "version": "2.10.40",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/scripts/ossf-benchmark.js

@@ -0,0 +1,560 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * MUAD'DIB OpenSSF Benchmark
+ *
+ * Fetches the OpenSSF malicious-packages dataset (via OSV.dev API),
+ * downloads available npm packages, scans them with MUAD'DIB, and
+ * produces a benchmark results file consumed by `muaddib evaluate`.
+ *
+ * Usage:
+ *   node scripts/ossf-benchmark.js [--sample N] [--seed N] [--refresh]
+ *
+ * Options:
+ *   --sample N   Number of packages to sample (default: 500)
+ *   --seed N     Random seed for reproducibility (default: 42)
+ *   --refresh    Force re-download of cached tarballs
+ *
+ * Output:
+ *   datasets/real-world/ossf-benchmark-results.json
+ */
+
+const fs = require('fs');
+const path = require('path');
+const zlib = require('zlib');
+const { execSync } = require('child_process');
+
+const ROOT = path.join(__dirname, '..');
+const RESULTS_FILE = path.join(ROOT, 'datasets', 'real-world', 'ossf-benchmark-results.json');
+const CACHE_DIR = path.join(ROOT, '.muaddib-cache', 'ossf-tarballs');
+const PACK_TIMEOUT_MS = 30000;
+const SCAN_TIMEOUT_MS = 30000;
+const SAFE_PKG_RE = /^(@[\w._-]+\/)?[\w._-]+$/;
+
+// --- CLI args ---
+const SAMPLE_SIZE = parseInt(process.argv.find((a, i) => process.argv[i - 1] === '--sample') || '5000', 10);
+const SEED = parseInt(process.argv.find((a, i) => process.argv[i - 1] === '--seed') || '42', 10);
+const REFRESH = process.argv.includes('--refresh');
+
+// --- Seeded PRNG (Mulberry32) ---
+function mulberry32(seed) {
+  let s = seed | 0;
+  return function() {
+    s = (s + 0x6D2B79F5) | 0;
+    let t = Math.imul(s ^ (s >>> 15), 1 | s);
+    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
+    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
+  };
+}
+
+// --- Native tgz extraction (same as evaluate.js) ---
+function extractTgz(tgzPath, destDir) {
+  const compressed = fs.readFileSync(tgzPath);
+  const tarData = zlib.gunzipSync(compressed);
+
+  let offset = 0;
+  while (offset + 512 <= tarData.length) {
+    const header = tarData.subarray(offset, offset + 512);
+    if (header.every(b => b === 0)) break;
+
+    const name = header.subarray(0, 100).toString('utf8').replace(/\0+$/, '');
+    const sizeOctal = header.subarray(124, 136).toString('utf8').replace(/\0+$/, '').trim();
+    const size = parseInt(sizeOctal, 8) || 0;
+    const typeFlag = String.fromCharCode(header[156]);
+
+    offset += 512;
+
+    if (name && (typeFlag === '0' || typeFlag === '\0') && size > 0) {
+      const resolved = path.resolve(destDir, name);
+      const rel = path.relative(path.resolve(destDir), resolved);
+      if (rel.startsWith('..') || path.isAbsolute(rel)) {
+        offset += Math.ceil(size / 512) * 512;
+        continue;
+      }
+      fs.mkdirSync(path.dirname(resolved), { recursive: true });
+      fs.writeFileSync(resolved, tarData.subarray(offset, offset + size));
+    }
+
+    offset += Math.ceil(size / 512) * 512;
+  }
+}
+
+function pkgToCacheName(name, version) {
+  return (name + '@' + version).replace(/\//g, '_').replace(/@/g, '_');
+}
+
+// --- Step 1: Fetch OSV npm MAL-* index via zip dump ---
+async function fetchOSSFIndex() {
+  console.log('\n[1/5] Fetching OSV npm malware index...');
+
+  // Use the OSV zip dump (same as scrapeOSVDataDump) for the full index
+  // This is more complete than the query API which has pagination limits
+  const https = require('https');
+  const AdmZip = require('adm-zip');
+
+  const zipUrl = 'https://osv-vulnerabilities.storage.googleapis.com/npm/all.zip';
+
+  console.log('  Downloading npm OSV zip...');
+  const zipBuffer = await new Promise(function(resolve, reject) {
+    const chunks = [];
+    let totalBytes = 0;
+
+    https.get(zipUrl, { headers: { 'User-Agent': 'MUADDIB-Scanner/3.0' } }, function(res) {
+      if ([301, 302, 307, 308].includes(res.statusCode) && res.headers.location) {
+        https.get(res.headers.location, { headers: { 'User-Agent': 'MUADDIB-Scanner/3.0' } }, function(res2) {
+          res2.on('data', function(chunk) {
+            chunks.push(chunk);
+            totalBytes += chunk.length;
+            if (totalBytes % (10 * 1024 * 1024) < chunk.length) {
+              process.stdout.write('\r  Downloaded: ' + (totalBytes / 1024 / 1024).toFixed(1) + ' MB');
+            }
+          });
+          res2.on('end', function() {
+            process.stdout.write('\r  Downloaded: ' + (totalBytes / 1024 / 1024).toFixed(1) + ' MB\n');
+            resolve(Buffer.concat(chunks));
+          });
+          res2.on('error', reject);
+        }).on('error', reject);
+        return;
+      }
+
+      res.on('data', function(chunk) {
+        chunks.push(chunk);
+        totalBytes += chunk.length;
+        if (totalBytes % (10 * 1024 * 1024) < chunk.length) {
+          process.stdout.write('\r  Downloaded: ' + (totalBytes / 1024 / 1024).toFixed(1) + ' MB');
+        }
+      });
+      res.on('end', function() {
+        process.stdout.write('\r  Downloaded: ' + (totalBytes / 1024 / 1024).toFixed(1) + ' MB\n');
+        resolve(Buffer.concat(chunks));
+      });
+      res.on('error', reject);
+    }).on('error', reject);
+  });
+
+  console.log('  Parsing MAL-* entries...');
+  const zip = new AdmZip(zipBuffer);
+  const entries = zip.getEntries();
+
+  // Deduplicate by name@version, keep first MAL-* ID encountered
+  const dedupMap = new Map(); // key: "name@version" -> entry
+  let malCount = 0;
+
+  for (const entry of entries) {
+    const entryName = entry.entryName;
+    if (!entryName.startsWith('MAL-') || !entryName.endsWith('.json')) continue;
+
+    // Size guard
+    const entrySize = entry.header ? entry.header.size : 0;
+    if (entrySize > 10 * 1024 * 1024) continue; // skip >10MB entries
+
+    try {
+      const vuln = JSON.parse(entry.getData().toString('utf8'));
+      if (!vuln.affected) continue;
+
+      for (const affected of vuln.affected) {
+        if (!affected.package || affected.package.ecosystem !== 'npm') continue;
+
+        const pkgName = affected.package.name;
+        const versions = [];
+
+        // Extract versions from ranges or explicit list
+        if (affected.versions && affected.versions.length > 0) {
+          for (const v of affected.versions) versions.push(v);
+        } else if (affected.ranges) {
+          for (const range of affected.ranges) {
+            if (range.events) {
+              for (const evt of range.events) {
+                if (evt.introduced && evt.introduced !== '0') versions.push(evt.introduced);
+              }
+            }
+          }
+        }
+
+        // If no specific version, use wildcard marker
+        if (versions.length === 0) versions.push('*');
+
+        // Determine source from database_specific
+        let source = 'unknown';
+        if (vuln.database_specific && vuln.database_specific['malicious-packages-origins']) {
+          const origins = vuln.database_specific['malicious-packages-origins'];
+          if (origins.length > 0 && origins[0].source) {
+            source = origins[0].source;
+          }
+        }
+
+        for (const ver of versions) {
+          const key = pkgName + '@' + ver;
+          if (!dedupMap.has(key)) {
+            dedupMap.set(key, {
+              name: pkgName,
+              version: ver,
+              osv_id: vuln.id,
+              source: source,
+              summary: (vuln.summary || '').slice(0, 200),
+              published: vuln.published || null
+            });
+          }
+        }
+      }
+
+      malCount++;
+    } catch { /* skip unparseable */ }
+  }
+
+  const index = Array.from(dedupMap.values());
+  console.log('  Parsed ' + malCount + ' MAL-* reports -> ' + index.length + ' unique name@version entries');
+
+  return index;
+}
+
+// --- Step 2: Stratified sampling ---
+function stratifySample(index, sampleSize, seed) {
+  console.log('\n[2/5] Stratified sampling (' + sampleSize + ' packages, seed=' + seed + ')...');
+
+  const rng = mulberry32(seed);
+
+  // Filter out wildcard versions (can't download *)
+  const downloadable = index.filter(e => e.version !== '*' && SAFE_PKG_RE.test(e.name));
+  console.log('  Downloadable (non-wildcard, valid name): ' + downloadable.length);
+
+  // Filter out spam packages (SEO junk uploaded to npm — never available, waste time)
+  const SPAM_WORDS = /\b(watch|movie|free|generator|download|stream|online|full|episode|subtitle)\b/i;
+  const filtered = downloadable.filter(function(e) {
+    if (e.name.length > 100) return false;
+    if (/\s/.test(e.name)) return false;
+    if (SPAM_WORDS.test(e.name)) return false;
+    return true;
+  });
+  const spamRemoved = downloadable.length - filtered.length;
+  if (spamRemoved > 0) console.log('  Spam filtered: ' + spamRemoved + ' entries removed');
+  console.log('  After spam filter: ' + filtered.length);
+
+  // Group by source
+  const bySource = {};
+  for (const entry of filtered) {
+    const src = entry.source || 'unknown';
+    if (!bySource[src]) bySource[src] = [];
+    bySource[src].push(entry);
+  }
+
+  console.log('  Sources: ' + Object.entries(bySource).map(([k, v]) => k + '=' + v.length).join(', '));
+
+  // Shuffle each source group with seeded RNG
+  for (const src of Object.keys(bySource)) {
+    const arr = bySource[src];
+    for (let i = arr.length - 1; i > 0; i--) {
+      const j = Math.floor(rng() * (i + 1));
+      const tmp = arr[i];
+      arr[i] = arr[j];
+      arr[j] = tmp;
+    }
+  }
+
+  // Proportional allocation per source
+  const sources = Object.keys(bySource);
+  const totalDownloadable = filtered.length;
+  const sample = [];
+
+  for (const src of sources) {
+    const proportion = bySource[src].length / totalDownloadable;
+    const count = Math.max(1, Math.round(proportion * sampleSize));
+    const take = bySource[src].slice(0, count);
+    sample.push(...take);
+  }
+
+  // Trim to exact sample size
+  while (sample.length > sampleSize) sample.pop();
+
+  console.log('  Sampled: ' + sample.length + ' packages');
+  return sample;
+}
+
+// --- Step 3: Check npm availability ---
+async function checkAvailability(sample) {
+  console.log('\n[3/5] Checking npm availability...');
+
+  let available = 0;
+  let unavailable = 0;
+  let errors = 0;
+
+  const npmCmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+
+  for (let i = 0; i < sample.length; i++) {
+    const entry = sample[i];
+
+    if (process.stdout.isTTY) {
+      process.stdout.write('\r  Checking [' + (i + 1) + '/' + sample.length + '] ' + entry.name + '@' + entry.version + '          ');
+    }
+
+    try {
+      execSync(npmCmd + ' view ' + entry.name + '@' + entry.version + ' version --json', {
+        encoding: 'utf8',
+        timeout: 10000,
+        stdio: ['pipe', 'pipe', 'pipe']
+      });
+      entry.status = 'available';
+      available++;
+    } catch (err) {
+      const stderr = (err.stderr || '').toLowerCase();
+      if (stderr.includes('404') || stderr.includes('not found') || stderr.includes('not in this registry')) {
+        entry.status = 'unavailable';
+        unavailable++;
+      } else {
+        entry.status = 'error';
+        entry.error = (err.message || '').slice(0, 100);
+        errors++;
+      }
+    }
+  }
+
+  if (process.stdout.isTTY) {
+    process.stdout.write('\r' + ''.padEnd(80) + '\r');
+  }
+
+  console.log('  Available: ' + available + ', Unavailable: ' + unavailable + ', Errors: ' + errors);
+  return sample;
+}
+
+// --- Step 4: Download and scan ---
+async function downloadAndScan(sample) {
+  console.log('\n[4/5] Downloading and scanning available packages...');
+
+  const { run } = require('../src/index.js');
+  const { clearFileListCache } = require('../src/utils.js');
+
+  fs.mkdirSync(CACHE_DIR, { recursive: true });
+
+  const scannable = sample.filter(e => e.status === 'available');
+  console.log('  Scannable: ' + scannable.length + ' packages');
+
+  let scanned = 0;
+  let detected = 0;
+  let scanErrors = 0;
+  let scanCount = 0;
+
+  for (let i = 0; i < scannable.length; i++) {
+    const entry = scannable[i];
+    const progress = '[' + (i + 1) + '/' + scannable.length + ']';
+
+    if (process.stdout.isTTY) {
+      process.stdout.write('\r  Scanning ' + progress + ' ' + entry.name + '@' + entry.version + '          ');
+    }
+
+    // Download
+    const cacheName = pkgToCacheName(entry.name, entry.version);
+    const pkgCacheDir = path.join(CACHE_DIR, cacheName);
+    let extractedDir = null;
+
+    if (!REFRESH && fs.existsSync(path.join(pkgCacheDir, 'package'))) {
+      extractedDir = path.join(pkgCacheDir, 'package');
+    } else {
+      fs.mkdirSync(pkgCacheDir, { recursive: true });
+      try {
+        const output = execSync('npm pack ' + entry.name + '@' + entry.version, {
+          cwd: pkgCacheDir,
+          encoding: 'utf8',
+          timeout: PACK_TIMEOUT_MS,
+          stdio: ['pipe', 'pipe', 'pipe']
+        });
+        const tgzFilename = output.trim().split(/\r?\n/).pop().trim();
+        const tgzPath = path.join(pkgCacheDir, tgzFilename);
+
+        if (fs.existsSync(tgzPath)) {
+          extractTgz(tgzPath, pkgCacheDir);
+          try { fs.unlinkSync(tgzPath); } catch { /* ignore */ }
+          if (fs.existsSync(path.join(pkgCacheDir, 'package'))) {
+            extractedDir = path.join(pkgCacheDir, 'package');
+          }
+        }
+      } catch {
+        // Download failed — mark as unavailable (possibly removed between check and download)
+        entry.status = 'unavailable';
+        entry.error = 'npm pack failed';
+        fs.rmSync(pkgCacheDir, { recursive: true, force: true });
+      }
+    }
+
+    if (!extractedDir) {
+      if (entry.status === 'available') {
+        entry.status = 'error';
+        entry.error = 'extraction failed';
+        scanErrors++;
+      }
+      continue;
+    }
+
+    // Scan
+    try {
+      const result = await Promise.race([
+        run(extractedDir, { _capture: true }),
+        new Promise(function(_, reject) {
+          setTimeout(function() { reject(new Error('scan timeout')); }, SCAN_TIMEOUT_MS);
+        })
+      ]);
+
+      const score = result.summary.riskScore || 0;
+      entry.score = score;
+      entry.detected = score >= 20;
+      entry.threat_count = result.summary.total || 0;
+      entry.threats = (result.threats || []).slice(0, 20).map(function(t) {
+        return { type: t.type, severity: t.severity, file: t.file };
+      });
+      entry.status = 'scanned';
+
+      scanned++;
+      if (entry.detected) detected++;
+    } catch (err) {
+      entry.status = 'error';
+      entry.error = (err.message || '').slice(0, 100);
+      entry.score = 0;
+      entry.detected = false;
+      scanErrors++;
+    }
+
+    // Memory management
+    clearFileListCache();
+    scanCount++;
+    if (scanCount % 20 === 0 && global.gc) {
+      global.gc();
+      const used = Math.round(process.memoryUsage().heapUsed / 1024 / 1024);
+      console.log('\n  [Memory] ' + used + ' MB after ' + scanCount + ' scans');
+    }
+  }
+
+  if (process.stdout.isTTY) {
+    process.stdout.write('\r' + ''.padEnd(80) + '\r');
+  }
+
+  console.log('  Scanned: ' + scanned + ', Detected: ' + detected + ', Errors: ' + scanErrors);
+  return { scanned, detected, scanErrors };
+}
+
+// --- Step 5: Save results ---
+function saveResults(sample, index, stats) {
+  console.log('\n[5/5] Saving results...');
+
+  // Compute per-source breakdown
+  const bySource = {};
+  for (const entry of sample) {
+    const src = entry.source || 'unknown';
+    if (!bySource[src]) bySource[src] = { total: 0, scanned: 0, detected: 0, unavailable: 0 };
+    bySource[src].total++;
+    if (entry.status === 'scanned') {
+      bySource[src].scanned++;
+      if (entry.detected) bySource[src].detected++;
+    } else if (entry.status === 'unavailable') {
+      bySource[src].unavailable++;
+    }
+  }
+
+  // Compute TPR per source
+  for (const src of Object.keys(bySource)) {
+    const d = bySource[src];
+    d.tpr = d.scanned > 0 ? d.detected / d.scanned : 0;
+  }
+
+  // Score distribution
+  const scannedEntries = sample.filter(e => e.status === 'scanned');
+  const scoreDistribution = { '0': 0, '1-9': 0, '10-19': 0, '20-49': 0, '50-74': 0, '75-100': 0 };
+  for (const e of scannedEntries) {
+    const s = e.score || 0;
+    if (s === 0) scoreDistribution['0']++;
+    else if (s <= 9) scoreDistribution['1-9']++;
+    else if (s <= 19) scoreDistribution['10-19']++;
+    else if (s <= 49) scoreDistribution['20-49']++;
+    else if (s <= 74) scoreDistribution['50-74']++;
+    else scoreDistribution['75-100']++;
+  }
+
+  const results = {
+    metadata: {
+      benchmark: 'OpenSSF Malicious Packages',
+      version: 'v1',
+      repo: 'https://github.com/ossf/malicious-packages',
+      scanned_at: new Date().toISOString(),
+      seed: SEED,
+      total_osv_npm_unique: index.length,
+      sampled: sample.length,
+      available_on_npm: sample.filter(e => e.status === 'scanned' || e.status === 'available').length,
+      scanned: stats.scanned,
+      detected: stats.detected,
+      missed: stats.scanned - stats.detected,
+      errors: stats.scanErrors,
+      unavailable: sample.filter(e => e.status === 'unavailable').length,
+      threshold: 20,
+      tpr: stats.scanned > 0 ? ((stats.detected / stats.scanned * 100).toFixed(1) + '%') : 'N/A',
+      coverage: ((stats.scanned / sample.length * 100).toFixed(1) + '%'),
+      by_source: bySource,
+      score_distribution: scoreDistribution
+    },
+    results: sample.map(function(e) {
+      return {
+        name: e.name,
+        version: e.version,
+        osv_id: e.osv_id,
+        source: e.source,
+        status: e.status,
+        score: e.score || 0,
+        detected: e.detected || false,
+        threat_count: e.threat_count || 0,
+        threats: e.threats || [],
+        error: e.error || undefined
+      };
+    })
+  };
+
+  fs.mkdirSync(path.dirname(RESULTS_FILE), { recursive: true });
+  fs.writeFileSync(RESULTS_FILE, JSON.stringify(results, null, 2));
+  console.log('  Saved to: ' + RESULTS_FILE);
+
+  return results;
+}
+
+// --- Main ---
+async function main() {
+  const startTime = Date.now();
+
+  console.log('='.repeat(60));
+  console.log('  MUAD\'DIB OpenSSF Benchmark');
+  console.log('  Sample: ' + SAMPLE_SIZE + ', Seed: ' + SEED);
+  console.log('='.repeat(60));
+
+  // 1. Fetch full OSV npm index
+  const index = await fetchOSSFIndex();
+
+  // 2. Stratified sample
+  const sample = stratifySample(index, SAMPLE_SIZE, SEED);
+
+  // 3. Check npm availability
+  await checkAvailability(sample);
+
+  // 4. Download + scan
+  const stats = await downloadAndScan(sample);
+
+  // 5. Save results
+  const results = saveResults(sample, index, stats);
+
+  const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
+
+  console.log('\n' + '='.repeat(60));
+  console.log('  RESULTS');
+  console.log('='.repeat(60));
+  console.log('  Total OSV npm unique:  ' + index.length);
+  console.log('  Sampled:               ' + sample.length);
+  console.log('  Available on npm:      ' + results.metadata.available_on_npm);
+  console.log('  Scanned:               ' + stats.scanned);
+  console.log('  Detected (score>=20):  ' + stats.detected);
+  console.log('  TPR:                   ' + results.metadata.tpr);
+  console.log('  Coverage:              ' + results.metadata.coverage);
+  console.log('  Elapsed:               ' + elapsed + 's');
+  console.log('='.repeat(60) + '\n');
+}
+
+main().catch(function(err) {
+  console.error('[FATAL] ' + err.message);
+  console.error(err.stack);
+  process.exit(1);
+});

package/src/integrations/publish-anomaly.js

@@ -132,7 +132,7 @@ async function detectPublishAnomaly(packageName) {
       const spanHours = Math.round(spanMs / MS_PER_HOUR * 10) / 10;
       findings.push({
         type: 'publish_burst',
-        severity: 'HIGH',
+        severity: 'LOW',
         description: `${inWindow.length} versions published in ${spanHours} hours (avg interval: ${stats.avgIntervalDays} days)`,
         versions: inWindow.map(e => e.version)
       });

package/src/ioc/scraper.js

@@ -1283,12 +1283,99 @@ async function runScraper() {
   };
 }
 
+// ============================================
+// SOURCE 5: OSV.dev Lightweight API
+// Used by `muaddib update` (fast, no zip download)
+// ============================================
+
+/**
+ * Lightweight OSV.dev query — fetches recent npm MAL-* entries via REST API.
+ * Used by `muaddib update` as a fast complement to the full zip scrape.
+ * @returns {Promise<Array>} Parsed IOC package entries
+ */
+async function scrapeOSVLightweightAPI() {
+  console.log('[SCRAPER] OSV.dev lightweight API...');
+  const packages = [];
+
+  try {
+    const resp = await fetchJSON('https://api.osv.dev/v1/query', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: { package: { ecosystem: 'npm' } }
+    });
+
+    if (resp.status === 200 && resp.data && resp.data.vulns) {
+      for (const vuln of resp.data.vulns) {
+        if (vuln.id && vuln.id.startsWith('MAL-')) {
+          const parsed = parseOSVEntry(vuln, 'osv-api');
+          for (const p of parsed) packages.push(p);
+        }
+      }
+    }
+
+    console.log('[SCRAPER]   ' + packages.length + ' MAL-* packages from OSV API');
+  } catch (e) {
+    console.log('[SCRAPER]   OSV API error: ' + e.message);
+  }
+
+  return packages;
+}
+
+/**
+ * Batch query OSV.dev for specific package names.
+ * Returns all MAL-* entries matching the given packages.
+ * Used by the OpenSSF benchmark script (W1).
+ * @param {string[]} packageNames - npm package names to query
+ * @returns {Promise<Array>} Parsed IOC entries with osv_id
+ */
+async function queryOSVBatch(packageNames) {
+  const BATCH_SIZE = 1000;
+  const allResults = [];
+
+  for (let i = 0; i < packageNames.length; i += BATCH_SIZE) {
+    const batch = packageNames.slice(i, i + BATCH_SIZE);
+    const queries = batch.map(function(name) {
+      return { package: { name: name, ecosystem: 'npm' } };
+    });
+
+    try {
+      const resp = await fetchJSON('https://api.osv.dev/v1/querybatch', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: { queries: queries }
+      });
+
+      if (resp.status === 200 && resp.data && resp.data.results) {
+        for (let j = 0; j < resp.data.results.length; j++) {
+          const vulns = resp.data.results[j].vulns || [];
+          for (const vuln of vulns) {
+            if (vuln.id && vuln.id.startsWith('MAL-')) {
+              const parsed = parseOSVEntry(vuln, 'osv-batch');
+              for (const p of parsed) allResults.push(p);
+            }
+          }
+        }
+      }
+    } catch (e) {
+      console.log('[SCRAPER] OSV batch error (offset ' + i + '): ' + e.message);
+    }
+
+    // Courtesy delay between batches
+    if (i + BATCH_SIZE < packageNames.length) {
+      await new Promise(function(r) { setTimeout(r, 200); });
+    }
+  }
+
+  return allResults;
+}
+
 // Test helpers for aggregated warning counters
 function getNoVersionSkipCount() { return _noVersionSkipCount; }
 function resetNoVersionSkipCount() { _noVersionSkipCount = 0; }
 
 module.exports = {
   runScraper, scrapeShaiHuludDetector, scrapeDatadogIOCs,
+  scrapeOSVLightweightAPI, queryOSVBatch,
   // Pure utility functions (exported for testing)
   parseCSVLine, parseCSV, extractVersions, parseOSVEntry,
   createFreshness, isAllowedRedirect,

package/src/ioc/updater.js

@@ -39,24 +39,25 @@ async function updateIOCs() {
   mergeIOCs(baseIOCs, yamlStandard);
   console.log('[2/4] YAML IOCs: ' + yamlStandard.packages.length + ' packages, ' + yamlStandard.hashes.length + ' hashes');
 
-  // Step 3: Download additional IOCs from GitHub (GenSecAI + DataDog — small files, fast)
-  const { scrapeShaiHuludDetector, scrapeDatadogIOCs } = require('./scraper.js');
-  console.log('[3/4] Downloading GitHub IOCs...');
+  // Step 3: Download additional IOCs from GitHub + OSV API (GenSecAI + DataDog + OSV lightweight)
+  const { scrapeShaiHuludDetector, scrapeDatadogIOCs, scrapeOSVLightweightAPI } = require('./scraper.js');
+  console.log('[3/4] Downloading GitHub + OSV API IOCs...');
 
-  const [shaiHulud, datadog] = await Promise.all([
+  const [shaiHulud, datadog, osvApi] = await Promise.all([
     scrapeShaiHuludDetector(),
-    scrapeDatadogIOCs()
+    scrapeDatadogIOCs(),
+    scrapeOSVLightweightAPI()
   ]);
 
   const githubIOCs = {
-    packages: [].concat(shaiHulud.packages, datadog.packages),
+    packages: [].concat(shaiHulud.packages, datadog.packages, osvApi),
     pypi_packages: [],
     hashes: [].concat(shaiHulud.hashes || [], datadog.hashes || []),
     markers: [],
     files: []
   };
   mergeIOCs(baseIOCs, githubIOCs);
-  console.log('     +' + shaiHulud.packages.length + ' GenSecAI, +' + datadog.packages.length + ' DataDog');
+  console.log('     +' + shaiHulud.packages.length + ' GenSecAI, +' + datadog.packages.length + ' DataDog, +' + osvApi.length + ' OSV API');
 
   // Step 3b: Load existing cache IOCs (from bootstrap download or previous update)
   if (fs.existsSync(CACHE_IOC_FILE)) {
@@ -90,7 +91,7 @@ async function updateIOCs() {
   }
 
   baseIOCs.updated = new Date().toISOString();
-  baseIOCs.sources = ['compact', 'yaml', 'shai-hulud-detector', 'datadog', 'cache'];
+  baseIOCs.sources = ['compact', 'yaml', 'shai-hulud-detector', 'datadog', 'osv-api', 'cache'];
 
   // Clean internal dedup sets before serialization
   delete baseIOCs._pkgKeys;

package/src/ml/llm-detective.js

@@ -92,9 +92,15 @@ function resetDailyCounter() {
   _dailyCounter.resetDate = null;
 }
 
+// ── Credit exhaustion kill switch (session-level) ──
+// When the Anthropic API returns a 400 with "credit balance is too low",
+// we disable the LLM for the rest of the session to avoid error spam.
+let _creditExhausted = false;
+
 // ── Feature flags ──
 
 function isLlmEnabled() {
+  if (_creditExhausted) return false;
   if (!process.env.ANTHROPIC_API_KEY) return false;
   const env = process.env.MUADDIB_LLM_ENABLED;
   if (env !== undefined && env.toLowerCase() === 'false') return false;
@@ -441,6 +447,14 @@ async function callAnthropicAPI(system, messages) {
       }
 
       const errorText = await response.text().catch(() => '');
+
+      // Credit exhaustion: disable LLM for entire session (not just this call)
+      if (response.status === 400 && /credit balance is too low/i.test(errorText)) {
+        _creditExhausted = true;
+        console.warn('[LLM] API credits exhausted — LLM Detective disabled for this session');
+        throw new Error('API credits exhausted');
+      }
+
       throw new Error(`API ${response.status}: ${errorText.slice(0, 200)}`);
     } catch (err) {
       clearTimeout(timeout);
@@ -602,6 +616,14 @@ function resetLlmLimiter() {
   _semaphore.queue.length = 0;
 }
 
+function resetCreditExhausted() {
+  _creditExhausted = false;
+}
+
+function isCreditExhausted() {
+  return _creditExhausted;
+}
+
 module.exports = {
   investigatePackage,
   isLlmEnabled,
@@ -614,6 +636,8 @@ module.exports = {
   resetStats,
   resetDailyCounter,
   resetLlmLimiter,
+  resetCreditExhausted,
+  isCreditExhausted,
   // Exported for testing
   collectSourceContext,
   buildPrompt,

package/src/monitor/classify.js

@@ -49,6 +49,7 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   'cross_file_dataflow',                   // proven taint cross-modules
   'canary_exfiltration',                   // canary sandbox exfiltrated
   'sandbox_network_after_sensitive_read',  // compound sandbox detection
+  'sandbox_known_exfil_domain',            // known exfil/C2 domain contacted during install
   'detached_credential_exfil',            // detached process + credential exfil (DPRK/Lazarus)
   'node_modules_write',                    // writeFile to node_modules/ (worm propagation)
   'npm_publish_worm',                      // exec("npm publish") (worm propagation)
@@ -331,6 +332,35 @@ function evaluateCacheTrigger(name, docMeta, doc) {
   return { shouldCache: false, reason: '', retentionDays: 0 };
 }
 
+/**
+ * Determine if a first-publish package is high-risk and should be sandboxed
+ * even with a clean static scan (0 findings).
+ *
+ * First-publish is where malware concentrates: new packages from unknown
+ * maintainers with no linked repository are the highest-risk population.
+ *
+ * @param {Object|null} cacheTrigger - From evaluateCacheTrigger()
+ * @param {Object|null} npmRegistryMeta - From getPackageMetadata()
+ * @returns {boolean} true if package should be sandboxed regardless of static score
+ */
+function isFirstPublishHighRisk(cacheTrigger, npmRegistryMeta) {
+  if (!cacheTrigger || cacheTrigger.reason !== 'first_publish') return false;
+
+  // With registry metadata, require at least one additional risk signal
+  if (npmRegistryMeta) {
+    // No linked repository — high risk
+    if (!npmRegistryMeta.has_repository) return true;
+    // New maintainer (only 1 package ever published)
+    if (npmRegistryMeta.author_package_count <= 1) return true;
+    // Package age < 1 day with registry metadata but no strong signals — skip sandbox
+    // (has repo + experienced maintainer = likely legitimate)
+    return false;
+  }
+
+  // Without registry metadata, sandbox by default (precautionary)
+  return true;
+}
+
 module.exports = {
   // Constants
   IOC_MATCH_TYPES,
@@ -367,4 +397,5 @@ module.exports = {
   setVerboseMode,
   quickTyposquatCheck,
   evaluateCacheTrigger,
+  isFirstPublishHighRisk,
 };

package/src/monitor/queue.js

@@ -54,6 +54,7 @@ const {
   classifyError,
   formatFindings,
   evaluateCacheTrigger,
+  isFirstPublishHighRisk,
   POPULAR_THRESHOLD,
   downloadsCache: classifyDownloadsCache,
   DOWNLOADS_CACHE_TTL,
@@ -109,6 +110,11 @@ const SCAN_TIMEOUT_MS = 180_000; // 3 minutes per package
 const STATIC_SCAN_TIMEOUT_MS = 45_000; // 45s for static analysis only
 const LARGE_PACKAGE_SIZE = 10 * 1024 * 1024; // 10MB
 
+// First-publish sandbox: max pending sandbox items before deferring first-publish clean scans
+// Prevents starving T1a sandbox capacity when many first-publish packages arrive at once
+const FIRST_PUBLISH_SANDBOX_MAX_QUEUE = parseInt(process.env.MUADDIB_FIRST_PUBLISH_SANDBOX_MAX_QUEUE, 10) || 10;
+const FIRST_PUBLISH_SANDBOX_ENABLED = process.env.MUADDIB_FIRST_PUBLISH_SANDBOX !== '0';
+
 // --- Bundled tooling false-positive filter ---
 
 const KNOWN_BUNDLED_FILES = ['yarn.js', 'webpack.js', 'terser.js', 'esbuild.js', 'polyfills.js'];
@@ -401,10 +407,14 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
       throw staticErr;
     }
 
-    // ML Phase 2a: Fetch npm registry metadata once for packages with findings.
+    // First-publish detection: used for sandbox priority below
+    const isFirstPublish = cacheTrigger && cacheTrigger.reason === 'first_publish';
+
+    // ML Phase 2a: Fetch npm registry metadata once for packages with findings
+    // OR for first-publish packages (needed for isFirstPublishHighRisk decision).
     // Reused for both training records (enriched features) and reputation scoring.
     let npmRegistryMeta = null;
-    if (result.summary.total > 0 && ecosystem === 'npm') {
+    if ((result.summary.total > 0 || isFirstPublish) && ecosystem === 'npm') {
       try {
         const { getPackageMetadata } = require('../scanner/npm-registry.js');
         npmRegistryMeta = await getPackageMetadata(name);
@@ -413,15 +423,61 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
       }
     }
 
+    // First-publish sandbox priority: sandbox even with 0 static findings
+    // if the package is from a new/unknown maintainer without a linked repository.
+    const firstPublishSandbox = isFirstPublish &&
+      FIRST_PUBLISH_SANDBOX_ENABLED &&
+      isFirstPublishHighRisk(cacheTrigger, npmRegistryMeta) &&
+      isSandboxEnabled() && sandboxAvailable &&
+      scanQueue.length < FIRST_PUBLISH_SANDBOX_MAX_QUEUE;
+
     if (result.summary.total === 0) {
-      stats.scanned++;
-      const elapsed = Date.now() - startTime;
-      stats.totalTimeMs += elapsed;
-      stats.clean++;
-      console.log(`[MONITOR] CLEAN: ${name}@${version} (0 findings, ${(elapsed / 1000).toFixed(1)}s)`);
-      updateScanStats('clean');
-      recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
-      return { sandboxResult: null, staticClean: true };
+      if (firstPublishSandbox) {
+        // First-publish sandbox priority: run sandbox even with 0 static findings
+        console.log(`[MONITOR] FIRST-PUBLISH SANDBOX: ${name}@${version} (0 findings, sandboxing anyway)`);
+        stats.firstPublishSandboxed = (stats.firstPublishSandboxed || 0) + 1;
+
+        let sandboxResult = null;
+        try {
+          const canary = isCanaryEnabled();
+          console.log(`[MONITOR] SANDBOX (first-publish): launching for ${name}@${version}${canary ? ' (canary: on)' : ''}...`);
+          sandboxResult = await runSandbox(name, { canary });
+          console.log(`[MONITOR] SANDBOX: ${name}@${version} → score: ${sandboxResult.score}, severity: ${sandboxResult.severity}`);
+        } catch (err) {
+          console.error(`[MONITOR] SANDBOX ERROR: ${name}@${version} — ${err.message}`);
+        }
+
+        const sandboxScore = sandboxResult ? (sandboxResult.score || 0) : 0;
+        if (sandboxScore > 0) {
+          // Sandbox found something — treat as suspect
+          stats.suspect++;
+          stats.scanned++;
+          const elapsed = Date.now() - startTime;
+          stats.totalTimeMs += elapsed;
+          updateScanStats('suspect');
+          recordTrainingSample(result, { name, version, ecosystem, label: 'suspect', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
+          return { sandboxResult, staticClean: false, firstPublishSandbox: true };
+        } else {
+          // Sandbox clean — still CLEAN
+          stats.scanned++;
+          const elapsed = Date.now() - startTime;
+          stats.totalTimeMs += elapsed;
+          stats.clean++;
+          console.log(`[MONITOR] CLEAN (first-publish sandbox OK): ${name}@${version} (${(elapsed / 1000).toFixed(1)}s)`);
+          updateScanStats('clean');
+          recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
+          return { sandboxResult, staticClean: true, firstPublishSandbox: true };
+        }
+      } else {
+        stats.scanned++;
+        const elapsed = Date.now() - startTime;
+        stats.totalTimeMs += elapsed;
+        stats.clean++;
+        console.log(`[MONITOR] CLEAN: ${name}@${version} (0 findings, ${(elapsed / 1000).toFixed(1)}s)`);
+        updateScanStats('clean');
+        recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
+        return { sandboxResult: null, staticClean: true };
+      }
     } else {
       const counts = [];
       if (result.summary.critical > 0) counts.push(`${result.summary.critical} CRITICAL`);
@@ -1023,6 +1079,8 @@ module.exports = {
   SCAN_TIMEOUT_MS,
   STATIC_SCAN_TIMEOUT_MS,
   LARGE_PACKAGE_SIZE,
+  FIRST_PUBLISH_SANDBOX_MAX_QUEUE,
+  FIRST_PUBLISH_SANDBOX_ENABLED,
   KNOWN_BUNDLED_FILES,
   KNOWN_BUNDLED_PATHS,
   ML_EXCLUDED_DIRS,

package/src/response/playbooks.js

@@ -243,6 +243,15 @@ const PLAYBOOKS = {
     'Acces a des variables d\'environnement sensibles detecte via monkey-patching runtime (TOKEN, SECRET, KEY, PASSWORD). ' +
     'Verifier si le package a une raison legitime d\'acceder a ces variables. Revoquer les credentials si necessaire.',
 
+  sandbox_network_outlier:
+    'Package contacte un domaine/IP hors allowlist pendant l\'installation. Seulement 0.027% des packages font du DNS hors infrastructure npm. ' +
+    'Verifier le domaine contacte. Si aucune raison legitime (CDN de binaires, service declare en dep), considerer comme suspect.',
+
+  sandbox_known_exfil_domain:
+    'CRITIQUE: Package contacte un domaine d\'exfiltration/C2 connu (OAST, webhook.site, infrastructure de campagne). ' +
+    'Taux de faux positif quasi-nul. Actions: 1. NE PAS installer. 2. Signaler au registry. ' +
+    '3. Si deja installe, isoler la machine et regenerer TOUS les secrets.',
+
   high_entropy_string:
     'Chaine a haute entropie detectee. Verifier si c\'est du base64, hex, ou un payload chiffre. Analyser le contexte d\'utilisation.',
   js_obfuscation_pattern:

package/src/rules/index.js

@@ -1011,6 +1011,29 @@ const RULES = {
     mitre: 'T1552.001'
   },
 
+  // Sandbox network outlier detections
+  sandbox_network_outlier: {
+    id: 'MUADDIB-SANDBOX-015',
+    name: 'Sandbox: Network Outlier',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Package contacts a non-registry domain/IP during install. Only 0.027% of packages make DNS queries outside npm infrastructure — this is a high-precision outlier signal.',
+    references: ['https://attack.mitre.org/techniques/T1071/001/'],
+    mitre: 'T1071.001'
+  },
+  sandbox_known_exfil_domain: {
+    id: 'MUADDIB-SANDBOX-016',
+    name: 'Sandbox: Known Exfiltration Domain',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Package contacts a known exfiltration/C2 domain during install (OAST, webhook sinks, campaign infrastructure). Near-zero false positive rate.',
+    references: [
+      'https://attack.mitre.org/techniques/T1041/',
+      'https://attack.mitre.org/techniques/T1071/001/'
+    ],
+    mitre: 'T1041'
+  },
+
   // Entropy detections
   high_entropy_string: {
     id: 'MUADDIB-ENTROPY-001',

package/src/sandbox/index.js

@@ -15,6 +15,7 @@ const {
 
 const { NPM_PACKAGE_REGEX } = require('../shared/constants.js');
 const { analyzePreloadLog } = require('./analyzer.js');
+const { classifyDomain } = require('./network-allowlist.js');
 
 const DOCKER_IMAGE = 'muaddib-sandbox';
 const CONTAINER_TIMEOUT = 120000; // 120 seconds
@@ -646,34 +647,56 @@ function scoreFindings(report) {
     }
   }
 
-  // 4a. DNS queries (exclude safe domains)
+  // 4a. DNS queries — classify via network allowlist
   for (const domain of (report.network?.dns_queries || [])) {
-    if (isSafeDomain(domain)) continue;
-    score += 20;
-    findings.push({ type: 'suspicious_dns', severity: 'HIGH', detail: `DNS query to non-registry domain: ${domain}`, evidence: domain });
+    const cls = classifyDomain(domain);
+    if (cls === 'safe') continue;
+    if (cls === 'blacklisted') {
+      score += 50;
+      findings.push({ type: 'sandbox_known_exfil_domain', severity: 'CRITICAL', detail: `DNS query to known exfiltration domain: ${domain}`, evidence: domain });
+    } else if (cls === 'tunnel') {
+      score += 30;
+      findings.push({ type: 'sandbox_network_outlier', severity: 'HIGH', detail: `DNS query to tunnel/proxy domain: ${domain}`, evidence: domain });
+    } else {
+      score += 20;
+      findings.push({ type: 'sandbox_network_outlier', severity: 'HIGH', detail: `DNS query to non-registry domain: ${domain}`, evidence: domain });
+    }
   }
 
   // 4b. DNS resolutions — extra detail
   for (const res of (report.network?.dns_resolutions || [])) {
-    if (isSafeDomain(res.domain)) continue;
+    const cls = classifyDomain(res.domain);
+    if (cls === 'safe') continue;
     // Already scored in 4a via dns_queries, but flag the resolution for reporting
     findings.push({ type: 'dns_resolution', severity: 'INFO', detail: `${res.domain} → ${res.ip}`, evidence: `${res.domain}:${res.ip}` });
   }
 
-  // 5a. TCP connections (exclude safe hosts, probe ports, localhost)
+  // 5a. TCP connections — classify via network allowlist
   for (const conn of (report.network?.http_connections || [])) {
-    if (isSafeHost(conn.host)) continue;
     if (SAFE_IPS.includes(conn.host)) continue;
     if (PROBE_PORTS.includes(conn.port)) continue;
-    score += 25;
-    findings.push({ type: 'suspicious_connection', severity: 'HIGH', detail: `TCP connection to ${conn.host}:${conn.port}`, evidence: `${conn.host}:${conn.port}` });
+    const cls = classifyDomain(conn.host);
+    if (cls === 'safe') continue;
+    if (cls === 'blacklisted') {
+      score += 50;
+      findings.push({ type: 'sandbox_known_exfil_domain', severity: 'CRITICAL', detail: `TCP connection to known exfiltration host: ${conn.host}:${conn.port}`, evidence: `${conn.host}:${conn.port}` });
+    } else {
+      score += 25;
+      findings.push({ type: 'suspicious_connection', severity: 'HIGH', detail: `TCP connection to ${conn.host}:${conn.port}`, evidence: `${conn.host}:${conn.port}` });
+    }
   }
 
-  // 5b. TLS connections — non-safe domains
+  // 5b. TLS connections — classify via network allowlist
   for (const tls of (report.network?.tls_connections || [])) {
-    if (isSafeDomain(tls.domain)) continue;
-    score += 20;
-    findings.push({ type: 'suspicious_tls', severity: 'HIGH', detail: `TLS connection to ${tls.domain} (${tls.ip}:${tls.port})`, evidence: tls.domain });
+    const cls = classifyDomain(tls.domain);
+    if (cls === 'safe') continue;
+    if (cls === 'blacklisted') {
+      score += 50;
+      findings.push({ type: 'sandbox_known_exfil_domain', severity: 'CRITICAL', detail: `TLS to known exfiltration domain: ${tls.domain} (${tls.ip}:${tls.port})`, evidence: tls.domain });
+    } else {
+      score += 20;
+      findings.push({ type: 'suspicious_tls', severity: 'HIGH', detail: `TLS connection to ${tls.domain} (${tls.ip}:${tls.port})`, evidence: tls.domain });
+    }
   }
 
   // 5c. HTTP exfiltration detection — scan body snippets for sensitive data
@@ -692,11 +715,17 @@ function scoreFindings(report) {
     }
   }
 
-  // 5d. HTTP requests to non-safe hosts
+  // 5d. HTTP requests — classify via network allowlist
   for (const req of (report.network?.http_requests || [])) {
-    if (isSafeDomain(req.host)) continue;
-    score += 20;
-    findings.push({ type: 'suspicious_http_request', severity: 'HIGH', detail: `${req.method} ${req.host}${req.path}`, evidence: `${req.method} ${req.host}${req.path}` });
+    const cls = classifyDomain(req.host);
+    if (cls === 'safe') continue;
+    if (cls === 'blacklisted') {
+      score += 50;
+      findings.push({ type: 'sandbox_known_exfil_domain', severity: 'CRITICAL', detail: `HTTP request to known exfiltration host: ${req.method} ${req.host}${req.path}`, evidence: `${req.method} ${req.host}${req.path}` });
+    } else {
+      score += 20;
+      findings.push({ type: 'suspicious_http_request', severity: 'HIGH', detail: `${req.method} ${req.host}${req.path}`, evidence: `${req.method} ${req.host}${req.path}` });
+    }
   }
 
   // 5e. Blocked connections (strict mode)

package/src/sandbox/network-allowlist.js

@@ -0,0 +1,162 @@
+'use strict';
+
+// ── Network Allowlist & Blacklist for Sandbox Analysis ──
+//
+// Classifies domains/IPs contacted during npm install into three categories:
+//   - safe:        legitimate install-time traffic (registries, CDNs, GitHub)
+//   - blacklisted: known exfiltration/C2 infrastructure (OAST, webhook sinks, campaign IPs)
+//   - unknown:     everything else — potential outlier requiring investigation
+//
+// Threat model: SafeDep found only 0.027% of 3M+ packages make DNS queries to
+// non-npm domains during install. Network outliers are the highest-precision
+// signal available for detecting supply chain attacks at install time.
+
+// ── Safe domains: legitimate traffic during npm install ──
+// These domains are expected during normal package installation.
+// Subdomains are matched (e.g., foo.github.com matches github.com).
+const SAFE_INSTALL_DOMAINS = [
+  // npm registry
+  'registry.npmjs.org',
+  'npmjs.com',
+  'npmjs.org',
+  // yarn registry
+  'registry.yarnpkg.com',
+  'yarnpkg.com',
+  // GitHub (source tarballs, git deps)
+  'github.com',
+  'api.github.com',
+  'objects.githubusercontent.com',
+  'raw.githubusercontent.com',
+  'codeload.github.com',
+  'github.githubassets.com',
+  // CDNs (native binary downloads via node-gyp, prebuild)
+  'cdn.jsdelivr.net',
+  'unpkg.com',
+  'cdnjs.cloudflare.com',
+  'cloudflare.com',
+  // AWS S3 (prebuild binaries: sharp, canvas, sqlite3, etc.)
+  'amazonaws.com',
+  // Google (googleapis client, protobuf downloads)
+  'googleapis.com',
+  'storage.googleapis.com',
+  // Node.js (node-gyp headers)
+  'nodejs.org',
+  // GitLab (git deps)
+  'gitlab.com',
+  // Bitbucket (git deps)
+  'bitbucket.org'
+];
+
+// ── Known exfiltration / C2 domains ──
+// Any contact during install is near-certain malicious (quasi-zero FP).
+// Sources: OAST tooling, known campaign C2, webhook sink services.
+const KNOWN_EXFIL_DOMAINS = [
+  // OAST / Interactsh / BurpSuite
+  'oastify.com',
+  'oast.fun',
+  'oast.me',
+  'oast.live',
+  'oast.online',
+  'oast.site',
+  'burpcollaborator.net',
+  'interact.sh',
+  // Webhook sink services
+  'webhook.site',
+  'pipedream.net',
+  'requestbin.com',
+  'hookbin.com',
+  'canarytokens.com',
+  // GlassWorm C2 IPs (mars 2026, 433+ packages)
+  '217.69.3.218',
+  '217.69.3.152',
+  '199.247.10.166',
+  '199.247.13.106',
+  '140.82.52.31',
+  '45.32.150.251',
+  // TeamPCP / CanisterWorm C2 (mars 2026)
+  'icp0.io',
+  'raw.icp0.io',
+  'ic0.app',
+  'hackmoltrepeat.com',
+  'recv.hackmoltrepeat.com',
+  'scan.aquasecurtiy.org',    // Trivy exfil C2 (typosquat of aquasecurity)
+  'api.telegram.org',          // Telegram bot exfiltration
+  'checkmarx.zone',
+  '45.148.10.212',
+  '83.142.209.11'
+];
+
+// ── Regex patterns for wildcard exfil domains ──
+// Matches subdomains of OAST/exfil infrastructure.
+const KNOWN_EXFIL_PATTERNS = [
+  /\.oast\.(online|site|live|fun|me)$/i,
+  /\.oastify\.com$/i,
+  /\.burpcollaborator\.net$/i,
+  /\.interact\.sh$/i,
+  /\.webhook\.site$/i,
+  /\.pipedream\.net$/i,
+  /\.requestbin\.com$/i
+];
+
+// ── Suspicious tunnel/proxy domains (not blacklisted, but escalate unknown → suspicious) ──
+const TUNNEL_DOMAINS = [
+  'ngrok.io',
+  'ngrok-free.app',
+  'serveo.net',
+  'localhost.run',
+  'loca.lt',
+  'trycloudflare.com'
+];
+
+// Parse MUADDIB_SANDBOX_NETWORK_ALLOWLIST env var (comma-separated domains)
+function getCustomAllowlist() {
+  const envVal = process.env.MUADDIB_SANDBOX_NETWORK_ALLOWLIST;
+  if (!envVal) return [];
+  return envVal.split(',')
+    .map(d => d.trim().toLowerCase())
+    .filter(d => d.length > 0 && d.length < 256);
+}
+
+/**
+ * Classify a domain/IP contacted during sandbox install.
+ *
+ * @param {string} domain - Domain name or IP address
+ * @returns {'safe'|'blacklisted'|'tunnel'|'unknown'} classification
+ */
+function classifyDomain(domain) {
+  if (!domain || typeof domain !== 'string') return 'unknown';
+  const d = domain.toLowerCase().trim();
+  if (d.length === 0) return 'unknown';
+
+  // Check safe domains (exact or subdomain match)
+  const allSafe = SAFE_INSTALL_DOMAINS.concat(getCustomAllowlist());
+  for (const safe of allSafe) {
+    if (d === safe || d.endsWith('.' + safe)) return 'safe';
+  }
+
+  // Check blacklisted domains (exact match)
+  for (const exfil of KNOWN_EXFIL_DOMAINS) {
+    if (d === exfil || d.endsWith('.' + exfil)) return 'blacklisted';
+  }
+
+  // Check blacklisted patterns (regex — catches subdomains like abc123.oast.online)
+  for (const pat of KNOWN_EXFIL_PATTERNS) {
+    if (pat.test(d)) return 'blacklisted';
+  }
+
+  // Check tunnel domains
+  for (const tunnel of TUNNEL_DOMAINS) {
+    if (d === tunnel || d.endsWith('.' + tunnel)) return 'tunnel';
+  }
+
+  return 'unknown';
+}
+
+module.exports = {
+  SAFE_INSTALL_DOMAINS,
+  KNOWN_EXFIL_DOMAINS,
+  KNOWN_EXFIL_PATTERNS,
+  TUNNEL_DOMAINS,
+  classifyDomain,
+  getCustomAllowlist
+};

package/src/scoring.js

@@ -1,4 +1,5 @@
 const { getRule } = require('./rules/index.js');
+const { HIGH_CONFIDENCE_MALICE_TYPES } = require('./monitor/classify.js');
 
 // ============================================
 // SCORING CONSTANTS
@@ -873,7 +874,22 @@ function calculateRiskScore(deduped, intentResult) {
   }
 
   // 7. Final score = max file score + cross-file bonus + intent bonus + package-level score + lifecycle boost, capped at 100
-  const riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + crossFileBonus + intentBonus + packageScore + lifecycleBoost);
+  let riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + crossFileBonus + intentBonus + packageScore + lifecycleBoost);
+
+  // 7b. MT-1: Score ceiling for packages without lifecycle scripts.
+  // 56% of real malware uses install scripts. Packages without lifecycle that score high
+  // (minified bundles, frameworks) are quasi-exclusively false positives.
+  // Cap at 35 to prevent webhook triggers (threshold ~20-25 post-reputation).
+  // Bypass: HC malice types, compound detections — these are never benign regardless of lifecycle.
+  const _hasLifecycle = deduped.some(t =>
+    t.type === 'lifecycle_script' || t.type === 'lifecycle_file_exec' ||
+    t.type === 'lifecycle_shell_pipe' || t.type === 'lifecycle_remote_fetch'
+  );
+  const _hasHC = deduped.some(t => HIGH_CONFIDENCE_MALICE_TYPES.has(t.type));
+  const _hasCompound = deduped.some(t => t.compound === true);
+  if (!_hasLifecycle && !_hasHC && !_hasCompound) {
+    riskScore = Math.min(riskScore, 35);
+  }
 
   // 8. Old global score for comparison (sum of ALL findings)
   const globalRiskScore = computeGroupScore(deduped);