muaddib-scanner 2.10.39 → 2.10.41

package/src/sandbox/index.js

@@ -15,6 +15,8 @@ const {
 
 const { NPM_PACKAGE_REGEX } = require('../shared/constants.js');
 const { analyzePreloadLog } = require('./analyzer.js');
+const { classifyDomain } = require('./network-allowlist.js');
+const { parseGvisorLogs, cleanupGvisorLogs } = require('./gvisor-parser.js');
 
 const DOCKER_IMAGE = 'muaddib-sandbox';
 const CONTAINER_TIMEOUT = 120000; // 120 seconds
@@ -134,6 +136,17 @@ function imageExists() {
   }
 }
 
+// ── gVisor availability check ──
+
+function isGvisorAvailable() {
+  try {
+    const info = execSync('docker info', { encoding: 'utf8', stdio: 'pipe', timeout: 10000 });
+    return /\brunsc\b/.test(info);
+  } catch {
+    return false;
+  }
+}
+
 // ── Build image (with cache) ──
 
 async function buildSandboxImage() {
@@ -185,6 +198,7 @@ async function runSingleSandbox(packageName, options = {}) {
   const mode = strict ? 'strict' : 'permissive';
   const timeOffset = options.timeOffset || 0;
   const runTimeout = options.runTimeout || CONTAINER_TIMEOUT;
+  const gvisorMode = options.gvisor || false;
 
   return new Promise((resolve) => {
     let stdout = '';
@@ -208,6 +222,12 @@ async function runSingleSandbox(packageName, options = {}) {
       '--cap-drop=ALL'
     ];
 
+    // gVisor runtime: use runsc instead of default runc
+    if (gvisorMode) {
+      dockerArgs.push('--runtime=runsc');
+      dockerArgs.push('-e', 'MUADDIB_GVISOR=1');
+    }
+
     // Inject canary tokens as environment variables
     if (canaryTokens) {
       for (const [key, value] of Object.entries(canaryTokens)) {
@@ -238,11 +258,14 @@ async function runSingleSandbox(packageName, options = {}) {
     }
 
     // Both modes need NET_RAW for tcpdump (runs as root in entrypoint).
+    // gVisor mode: no tcpdump needed — gVisor captures via --strace/--log-packets.
     // Strict mode also needs NET_ADMIN for iptables network blocking.
     // SYS_PTRACE is not needed: strace traces its own child (npm install via su).
     // SETUID + SETGID required for su (privilege drop to sandboxuser).
     // CHOWN required for chown in sandbox-runner.sh.
-    dockerArgs.push('--cap-add=NET_RAW');
+    if (!gvisorMode) {
+      dockerArgs.push('--cap-add=NET_RAW');
+    }
     dockerArgs.push('--cap-add=SETUID');
     dockerArgs.push('--cap-add=SETGID');
     dockerArgs.push('--cap-add=CHOWN');
@@ -269,6 +292,7 @@ async function runSingleSandbox(packageName, options = {}) {
     dockerArgs.push(mode);
 
     const proc = spawn('docker', dockerArgs);
+    let gvisorContainerId = null;
 
     // Timeout: kill container
     const timer = setTimeout(() => {
@@ -293,6 +317,16 @@ async function runSingleSandbox(packageName, options = {}) {
 
     proc.stderr.on('data', (data) => {
       stderr += data.toString();
+
+      // Capture container ID for gVisor log retrieval (once, while container is running)
+      if (gvisorMode && !gvisorContainerId) {
+        try {
+          gvisorContainerId = execFileSync('docker', ['inspect', '--format={{.Id}}', containerName], {
+            encoding: 'utf8', stdio: 'pipe', timeout: 5000
+          }).trim();
+        } catch { /* container not yet ready, will retry on next data event */ }
+      }
+
       // Forward sandbox progress logs (sanitize ANSI escape sequences)
       const text = data.toString().replace(/\x1b\[[0-9;]*[a-zA-Z]/g, '');
       for (const line of text.split(/\r?\n/)) {
@@ -365,6 +399,43 @@ async function runSingleSandbox(packageName, options = {}) {
         return;
       }
 
+      // In gVisor mode, merge kernel-level strace data from gVisor debug logs.
+      // sandbox-runner.sh skips strace/tcpdump in gVisor mode, so file access,
+      // connections, and process data come from gVisor's kernel-level tracing.
+      if (gvisorMode && gvisorContainerId) {
+        const gvisorLogDir = process.env.MUADDIB_GVISOR_LOG_DIR || '/tmp/runsc';
+        const gvisorData = parseGvisorLogs(gvisorContainerId, gvisorLogDir);
+
+        // Merge gVisor findings into report without duplicating
+        if (!report.sensitive_files) report.sensitive_files = { read: [], written: [] };
+        if (!report.network) report.network = {};
+        if (!report.processes) report.processes = { spawned: [] };
+
+        const existingReads = new Set(report.sensitive_files.read || []);
+        for (const f of gvisorData.sensitive_files.read) {
+          if (!existingReads.has(f)) report.sensitive_files.read.push(f);
+        }
+
+        const existingWrites = new Set(report.sensitive_files.written || []);
+        for (const f of gvisorData.sensitive_files.written) {
+          if (!existingWrites.has(f)) report.sensitive_files.written.push(f);
+        }
+
+        const existingConns = new Set((report.network.http_connections || []).map(c => `${c.host}:${c.port}`));
+        if (!report.network.http_connections) report.network.http_connections = [];
+        for (const c of gvisorData.network.http_connections) {
+          if (!existingConns.has(`${c.host}:${c.port}`)) report.network.http_connections.push(c);
+        }
+
+        const existingProcs = new Set((report.processes.spawned || []).map(p => p.command));
+        for (const p of gvisorData.processes.spawned) {
+          if (!existingProcs.has(p.command)) report.processes.spawned.push(p);
+        }
+
+        // Cleanup gVisor logs to prevent disk fill
+        cleanupGvisorLogs(gvisorContainerId, gvisorLogDir);
+      }
+
       const { score, findings } = scoreFindings(report);
 
       // Analyze preload log for behavioral findings
@@ -474,6 +545,17 @@ async function runSandbox(packageName, options = {}) {
     return cleanResult;
   }
 
+  // Detect sandbox runtime (gVisor or default Docker/runc)
+  let useGvisor = process.env.MUADDIB_SANDBOX_RUNTIME === 'gvisor';
+  if (useGvisor) {
+    if (isGvisorAvailable()) {
+      console.log('[SANDBOX] Runtime: gvisor (runsc)');
+    } else {
+      console.log('[SANDBOX] Runtime: gvisor requested but runsc not configured in Docker. Falling back to Docker standard.');
+      useGvisor = false;
+    }
+  }
+
   // Generate canary tokens for this sandbox session
   let canaryTokens = null;
   if (canaryEnabled) {
@@ -491,7 +573,8 @@ async function runSandbox(packageName, options = {}) {
   await acquireSandboxSlot();
 
   try {
-    console.log(`[SANDBOX] Analyzing "${displayName}" in isolated container (mode: ${mode}${canaryEnabled ? ', canary: on' : ''}${local ? ', local' : ''}, runs: ${TIME_OFFSETS.length}, slots: ${_sandboxSemaphore.active}/${SANDBOX_CONCURRENCY_MAX})...`);
+    const runtimeLabel = useGvisor ? 'gvisor' : 'docker';
+    console.log(`[SANDBOX] Analyzing "${displayName}" in isolated container (mode: ${mode}, runtime: ${runtimeLabel}${canaryEnabled ? ', canary: on' : ''}${local ? ', local' : ''}, runs: ${TIME_OFFSETS.length}, slots: ${_sandboxSemaphore.active}/${SANDBOX_CONCURRENCY_MAX})...`);
 
     const allRuns = [];
     let bestResult = cleanResult;
@@ -507,7 +590,8 @@ async function runSandbox(packageName, options = {}) {
         localAbsPath,
         displayName,
         timeOffset: offset,
-        runTimeout: SINGLE_RUN_TIMEOUT
+        runTimeout: SINGLE_RUN_TIMEOUT,
+        gvisor: useGvisor
       });
 
       allRuns.push({
@@ -646,34 +730,56 @@ function scoreFindings(report) {
     }
   }
 
-  // 4a. DNS queries (exclude safe domains)
+  // 4a. DNS queries — classify via network allowlist
   for (const domain of (report.network?.dns_queries || [])) {
-    if (isSafeDomain(domain)) continue;
-    score += 20;
-    findings.push({ type: 'suspicious_dns', severity: 'HIGH', detail: `DNS query to non-registry domain: ${domain}`, evidence: domain });
+    const cls = classifyDomain(domain);
+    if (cls === 'safe') continue;
+    if (cls === 'blacklisted') {
+      score += 50;
+      findings.push({ type: 'sandbox_known_exfil_domain', severity: 'CRITICAL', detail: `DNS query to known exfiltration domain: ${domain}`, evidence: domain });
+    } else if (cls === 'tunnel') {
+      score += 30;
+      findings.push({ type: 'sandbox_network_outlier', severity: 'HIGH', detail: `DNS query to tunnel/proxy domain: ${domain}`, evidence: domain });
+    } else {
+      score += 20;
+      findings.push({ type: 'sandbox_network_outlier', severity: 'HIGH', detail: `DNS query to non-registry domain: ${domain}`, evidence: domain });
+    }
   }
 
   // 4b. DNS resolutions — extra detail
   for (const res of (report.network?.dns_resolutions || [])) {
-    if (isSafeDomain(res.domain)) continue;
+    const cls = classifyDomain(res.domain);
+    if (cls === 'safe') continue;
     // Already scored in 4a via dns_queries, but flag the resolution for reporting
     findings.push({ type: 'dns_resolution', severity: 'INFO', detail: `${res.domain} → ${res.ip}`, evidence: `${res.domain}:${res.ip}` });
   }
 
-  // 5a. TCP connections (exclude safe hosts, probe ports, localhost)
+  // 5a. TCP connections — classify via network allowlist
   for (const conn of (report.network?.http_connections || [])) {
-    if (isSafeHost(conn.host)) continue;
     if (SAFE_IPS.includes(conn.host)) continue;
     if (PROBE_PORTS.includes(conn.port)) continue;
-    score += 25;
-    findings.push({ type: 'suspicious_connection', severity: 'HIGH', detail: `TCP connection to ${conn.host}:${conn.port}`, evidence: `${conn.host}:${conn.port}` });
+    const cls = classifyDomain(conn.host);
+    if (cls === 'safe') continue;
+    if (cls === 'blacklisted') {
+      score += 50;
+      findings.push({ type: 'sandbox_known_exfil_domain', severity: 'CRITICAL', detail: `TCP connection to known exfiltration host: ${conn.host}:${conn.port}`, evidence: `${conn.host}:${conn.port}` });
+    } else {
+      score += 25;
+      findings.push({ type: 'suspicious_connection', severity: 'HIGH', detail: `TCP connection to ${conn.host}:${conn.port}`, evidence: `${conn.host}:${conn.port}` });
+    }
   }
 
-  // 5b. TLS connections — non-safe domains
+  // 5b. TLS connections — classify via network allowlist
   for (const tls of (report.network?.tls_connections || [])) {
-    if (isSafeDomain(tls.domain)) continue;
-    score += 20;
-    findings.push({ type: 'suspicious_tls', severity: 'HIGH', detail: `TLS connection to ${tls.domain} (${tls.ip}:${tls.port})`, evidence: tls.domain });
+    const cls = classifyDomain(tls.domain);
+    if (cls === 'safe') continue;
+    if (cls === 'blacklisted') {
+      score += 50;
+      findings.push({ type: 'sandbox_known_exfil_domain', severity: 'CRITICAL', detail: `TLS to known exfiltration domain: ${tls.domain} (${tls.ip}:${tls.port})`, evidence: tls.domain });
+    } else {
+      score += 20;
+      findings.push({ type: 'suspicious_tls', severity: 'HIGH', detail: `TLS connection to ${tls.domain} (${tls.ip}:${tls.port})`, evidence: tls.domain });
+    }
   }
 
   // 5c. HTTP exfiltration detection — scan body snippets for sensitive data
@@ -692,11 +798,17 @@ function scoreFindings(report) {
     }
   }
 
-  // 5d. HTTP requests to non-safe hosts
+  // 5d. HTTP requests — classify via network allowlist
   for (const req of (report.network?.http_requests || [])) {
-    if (isSafeDomain(req.host)) continue;
-    score += 20;
-    findings.push({ type: 'suspicious_http_request', severity: 'HIGH', detail: `${req.method} ${req.host}${req.path}`, evidence: `${req.method} ${req.host}${req.path}` });
+    const cls = classifyDomain(req.host);
+    if (cls === 'safe') continue;
+    if (cls === 'blacklisted') {
+      score += 50;
+      findings.push({ type: 'sandbox_known_exfil_domain', severity: 'CRITICAL', detail: `HTTP request to known exfiltration host: ${req.method} ${req.host}${req.path}`, evidence: `${req.method} ${req.host}${req.path}` });
+    } else {
+      score += 20;
+      findings.push({ type: 'suspicious_http_request', severity: 'HIGH', detail: `${req.method} ${req.host}${req.path}`, evidence: `${req.method} ${req.host}${req.path}` });
+    }
   }
 
   // 5e. Blocked connections (strict mode)
@@ -865,4 +977,4 @@ function displayResults(result) {
   }
 }
 
-module.exports = { buildSandboxImage, runSandbox, runSingleSandbox, scoreFindings, generateNetworkReport, EXFIL_PATTERNS, SAFE_DOMAINS, getSeverity, displayResults, isDockerAvailable, imageExists, STATIC_CANARY_TOKENS, detectStaticCanaryExfiltration, analyzePreloadLog, TIME_OFFSETS, SAFE_SANDBOX_CMDS, SANDBOX_CONCURRENCY_MAX, acquireSandboxSlot, releaseSandboxSlot, resetSandboxLimiter, getSandboxSemaphore };
+module.exports = { buildSandboxImage, runSandbox, runSingleSandbox, scoreFindings, generateNetworkReport, EXFIL_PATTERNS, SAFE_DOMAINS, getSeverity, displayResults, isDockerAvailable, imageExists, isGvisorAvailable, STATIC_CANARY_TOKENS, detectStaticCanaryExfiltration, analyzePreloadLog, TIME_OFFSETS, SAFE_SANDBOX_CMDS, SANDBOX_CONCURRENCY_MAX, acquireSandboxSlot, releaseSandboxSlot, resetSandboxLimiter, getSandboxSemaphore };

package/src/sandbox/network-allowlist.js

@@ -0,0 +1,162 @@
+'use strict';
+
+// ── Network Allowlist & Blacklist for Sandbox Analysis ──
+//
+// Classifies domains/IPs contacted during npm install into three categories:
+//   - safe:        legitimate install-time traffic (registries, CDNs, GitHub)
+//   - blacklisted: known exfiltration/C2 infrastructure (OAST, webhook sinks, campaign IPs)
+//   - unknown:     everything else — potential outlier requiring investigation
+//
+// Threat model: SafeDep found only 0.027% of 3M+ packages make DNS queries to
+// non-npm domains during install. Network outliers are the highest-precision
+// signal available for detecting supply chain attacks at install time.
+
+// ── Safe domains: legitimate traffic during npm install ──
+// These domains are expected during normal package installation.
+// Subdomains are matched (e.g., foo.github.com matches github.com).
+const SAFE_INSTALL_DOMAINS = [
+  // npm registry
+  'registry.npmjs.org',
+  'npmjs.com',
+  'npmjs.org',
+  // yarn registry
+  'registry.yarnpkg.com',
+  'yarnpkg.com',
+  // GitHub (source tarballs, git deps)
+  'github.com',
+  'api.github.com',
+  'objects.githubusercontent.com',
+  'raw.githubusercontent.com',
+  'codeload.github.com',
+  'github.githubassets.com',
+  // CDNs (native binary downloads via node-gyp, prebuild)
+  'cdn.jsdelivr.net',
+  'unpkg.com',
+  'cdnjs.cloudflare.com',
+  'cloudflare.com',
+  // AWS S3 (prebuild binaries: sharp, canvas, sqlite3, etc.)
+  'amazonaws.com',
+  // Google (googleapis client, protobuf downloads)
+  'googleapis.com',
+  'storage.googleapis.com',
+  // Node.js (node-gyp headers)
+  'nodejs.org',
+  // GitLab (git deps)
+  'gitlab.com',
+  // Bitbucket (git deps)
+  'bitbucket.org'
+];
+
+// ── Known exfiltration / C2 domains ──
+// Any contact during install is near-certain malicious (quasi-zero FP).
+// Sources: OAST tooling, known campaign C2, webhook sink services.
+const KNOWN_EXFIL_DOMAINS = [
+  // OAST / Interactsh / BurpSuite
+  'oastify.com',
+  'oast.fun',
+  'oast.me',
+  'oast.live',
+  'oast.online',
+  'oast.site',
+  'burpcollaborator.net',
+  'interact.sh',
+  // Webhook sink services
+  'webhook.site',
+  'pipedream.net',
+  'requestbin.com',
+  'hookbin.com',
+  'canarytokens.com',
+  // GlassWorm C2 IPs (mars 2026, 433+ packages)
+  '217.69.3.218',
+  '217.69.3.152',
+  '199.247.10.166',
+  '199.247.13.106',
+  '140.82.52.31',
+  '45.32.150.251',
+  // TeamPCP / CanisterWorm C2 (mars 2026)
+  'icp0.io',
+  'raw.icp0.io',
+  'ic0.app',
+  'hackmoltrepeat.com',
+  'recv.hackmoltrepeat.com',
+  'scan.aquasecurtiy.org',    // Trivy exfil C2 (typosquat of aquasecurity)
+  'api.telegram.org',          // Telegram bot exfiltration
+  'checkmarx.zone',
+  '45.148.10.212',
+  '83.142.209.11'
+];
+
+// ── Regex patterns for wildcard exfil domains ──
+// Matches subdomains of OAST/exfil infrastructure.
+const KNOWN_EXFIL_PATTERNS = [
+  /\.oast\.(online|site|live|fun|me)$/i,
+  /\.oastify\.com$/i,
+  /\.burpcollaborator\.net$/i,
+  /\.interact\.sh$/i,
+  /\.webhook\.site$/i,
+  /\.pipedream\.net$/i,
+  /\.requestbin\.com$/i
+];
+
+// ── Suspicious tunnel/proxy domains (not blacklisted, but escalate unknown → suspicious) ──
+const TUNNEL_DOMAINS = [
+  'ngrok.io',
+  'ngrok-free.app',
+  'serveo.net',
+  'localhost.run',
+  'loca.lt',
+  'trycloudflare.com'
+];
+
+// Parse MUADDIB_SANDBOX_NETWORK_ALLOWLIST env var (comma-separated domains)
+function getCustomAllowlist() {
+  const envVal = process.env.MUADDIB_SANDBOX_NETWORK_ALLOWLIST;
+  if (!envVal) return [];
+  return envVal.split(',')
+    .map(d => d.trim().toLowerCase())
+    .filter(d => d.length > 0 && d.length < 256);
+}
+
+/**
+ * Classify a domain/IP contacted during sandbox install.
+ *
+ * @param {string} domain - Domain name or IP address
+ * @returns {'safe'|'blacklisted'|'tunnel'|'unknown'} classification
+ */
+function classifyDomain(domain) {
+  if (!domain || typeof domain !== 'string') return 'unknown';
+  const d = domain.toLowerCase().trim();
+  if (d.length === 0) return 'unknown';
+
+  // Check safe domains (exact or subdomain match)
+  const allSafe = SAFE_INSTALL_DOMAINS.concat(getCustomAllowlist());
+  for (const safe of allSafe) {
+    if (d === safe || d.endsWith('.' + safe)) return 'safe';
+  }
+
+  // Check blacklisted domains (exact match)
+  for (const exfil of KNOWN_EXFIL_DOMAINS) {
+    if (d === exfil || d.endsWith('.' + exfil)) return 'blacklisted';
+  }
+
+  // Check blacklisted patterns (regex — catches subdomains like abc123.oast.online)
+  for (const pat of KNOWN_EXFIL_PATTERNS) {
+    if (pat.test(d)) return 'blacklisted';
+  }
+
+  // Check tunnel domains
+  for (const tunnel of TUNNEL_DOMAINS) {
+    if (d === tunnel || d.endsWith('.' + tunnel)) return 'tunnel';
+  }
+
+  return 'unknown';
+}
+
+module.exports = {
+  SAFE_INSTALL_DOMAINS,
+  KNOWN_EXFIL_DOMAINS,
+  KNOWN_EXFIL_PATTERNS,
+  TUNNEL_DOMAINS,
+  classifyDomain,
+  getCustomAllowlist
+};

package/iocs/builtin.yaml

@@ -1,239 +0,0 @@
-version: "1.1.0"
-updated: "2026-01-08"
-
-packages:
-  # Shai-Hulud v1 (septembre 2025)
-  - name: "@ctrl/tinycolor"
-    version: "4.1.1"
-    source: shai-hulud-v1
-  - name: "ng2-file-upload"
-    version: "7.0.2"
-    source: shai-hulud-v1
-  - name: "ng2-file-upload"
-    version: "7.0.3"
-    source: shai-hulud-v1
-  - name: "ng2-file-upload"
-    version: "8.0.1"
-    source: shai-hulud-v1
-  - name: "ng2-file-upload"
-    version: "8.0.2"
-    source: shai-hulud-v1
-  - name: "ng2-file-upload"
-    version: "8.0.3"
-    source: shai-hulud-v1
-  - name: "ng2-file-upload"
-    version: "9.0.1"
-    source: shai-hulud-v1
-  - name: "ngx-bootstrap"
-    version: "18.1.4"
-    source: shai-hulud-v1
-  - name: "ngx-bootstrap"
-    version: "19.0.3"
-    source: shai-hulud-v1
-  - name: "ngx-bootstrap"
-    version: "19.0.4"
-    source: shai-hulud-v1
-  - name: "ngx-bootstrap"
-    version: "20.0.3"
-    source: shai-hulud-v1
-  - name: "ngx-bootstrap"
-    version: "20.0.4"
-    source: shai-hulud-v1
-  - name: "ngx-bootstrap"
-    version: "20.0.5"
-    source: shai-hulud-v1
-  - name: "ngx-bootstrap"
-    version: "20.0.6"
-    source: shai-hulud-v1
-
-  # Shai-Hulud v2 (novembre 2025)
-  - name: "@asyncapi/specs"
-    version: "6.8.2"
-    source: shai-hulud-v2
-  - name: "@asyncapi/specs"
-    version: "6.8.3"
-    source: shai-hulud-v2
-  - name: "@asyncapi/specs"
-    version: "6.9.1"
-    source: shai-hulud-v2
-  - name: "@asyncapi/specs"
-    version: "6.10.1"
-    source: shai-hulud-v2
-  - name: "@asyncapi/openapi-schema-parser"
-    version: "3.0.25"
-    source: shai-hulud-v2
-  - name: "@asyncapi/openapi-schema-parser"
-    version: "3.0.26"
-    source: shai-hulud-v2
-  - name: "get-them-args"
-    version: "1.3.3"
-    source: shai-hulud-v2
-  - name: "kill-port"
-    version: "2.0.2"
-    source: shai-hulud-v2
-  - name: "kill-port"
-    version: "2.0.3"
-    source: shai-hulud-v2
-  - name: "shell-exec"
-    version: "1.1.3"
-    source: shai-hulud-v2
-  - name: "shell-exec"
-    version: "1.1.4"
-    source: shai-hulud-v2
-  - name: "posthog-node"
-    version: "4.18.1"
-    source: shai-hulud-v2
-  - name: "posthog-node"
-    version: "5.11.3"
-    source: shai-hulud-v2
-  - name: "posthog-node"
-    version: "5.13.3"
-    source: shai-hulud-v2
-  - name: "posthog-js"
-    version: "1.297.3"
-    source: shai-hulud-v2
-  - name: "@postman/tunnel-agent"
-    version: "0.6.5"
-    source: shai-hulud-v2
-  - name: "@postman/tunnel-agent"
-    version: "0.6.6"
-    source: shai-hulud-v2
-  - name: "@postman/tunnel-agent"
-    version: "0.6.7"
-    source: shai-hulud-v2
-  - name: "@zapier/secret-scrubber"
-    version: "1.1.3"
-    source: shai-hulud-v2
-  - name: "@zapier/secret-scrubber"
-    version: "1.1.4"
-    source: shai-hulud-v2
-  - name: "@zapier/secret-scrubber"
-    version: "1.1.5"
-    source: shai-hulud-v2
-
-  # Shai-Hulud v3 Golden Path (28 decembre 2025)
-  - name: "@vietmoney/react-big-calendar"
-    version: "0.26.2"
-    source: shai-hulud-v3
-    description: "First confirmed v3 payload - testing phase"
-
-  # GlassWorm hijacked packages (mars 2026)
-  - name: "@aifabrix/miso-client"
-    version: "4.7.2"
-    source: glassworm
-  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
-    version: "1.3.0"
-    source: glassworm
-  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
-    version: "1.3.1"
-    source: glassworm
-  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
-    version: "1.3.2"
-    source: glassworm
-  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
-    version: "1.3.3"
-    source: glassworm
-  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
-    version: "1.3.4"
-    source: glassworm
-  - name: "react-native-country-select"
-    version: "0.3.91"
-    source: glassworm
-  - name: "react-native-international-phone-number"
-    version: "0.11.8"
-    source: glassworm
-
-  # Attaques historiques
-  - name: "flatmap-stream"
-    version: "0.1.1"
-    source: event-stream-2018
-  - name: "event-stream"
-    version: "3.3.6"
-    source: event-stream-2018
-  - name: "eslint-scope"
-    version: "3.7.2"
-    source: eslint-scope-2018
-
-  # Protestware
-  - name: "node-ipc"
-    version: "10.1.1"
-    source: protestware
-  - name: "node-ipc"
-    version: "10.1.2"
-    source: protestware
-  - name: "node-ipc"
-    version: "10.1.3"
-    source: protestware
-  - name: "colors"
-    version: "1.4.1"
-    source: protestware
-  - name: "colors"
-    version: "1.4.2"
-    source: protestware
-  - name: "faker"
-    version: "6.6.6"
-    source: protestware
-
-  # Typosquats historiques confirmes
-  - name: "crossenv"
-    version: "*"
-    source: typosquat
-  - name: "cross-env.js"
-    version: "*"
-    source: typosquat
-  - name: "mongose"
-    version: "*"
-    source: typosquat
-  - name: "babelcli"
-    version: "*"
-    source: typosquat
-
-files:
-  # Shai-Hulud v2
-  - setup_bun.js
-  - bun_environment.js
-  - node-gyp.dll
-  # Shai-Hulud v3 (nouveaux noms)
-  - bun_installer.js
-  - environment_source.js
-  - cl0vd.json
-  - pigS3cr3ts.json
-  - actionsSecrets.json
-  # Artefacts exfiltration v3
-  - 3nvir0nm3nt.json
-  - c9nt3nts.json
-  - c0nt3nts.json
-  # GlassWorm (mars 2026)
-  - i.js
-  - init.json
-  # LiteLLM/Checkmarx (mars 2026) — .pth = Python auto-exec persistence
-  - litellm_init.pth
-
-hashes:
-  # Shai-Hulud v2 payloads
-  - "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0"
-  - "cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd"
-  - "f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068"
-  - "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a"
-  - "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db"
-  # GlassWorm install.js (React Native hijack)
-  - "59221aa9623d86c930357dba7e3f54138c7ccbd0daa9c483d766cd8ce1b6ad26"
-
-markers:
-  # Shai-Hulud v1/v2
-  - "Shai-Hulud"
-  - "Sha1-Hulud"
-  - "The Second Coming"
-  # Shai-Hulud v3
-  - "Goldox-T3chs"
-  - "Only Happy Girl"
-  - "SHA1HULUD"
-  # Protestware
-  - "peacenotwar"
-  # Generic malicious
-  - "/dev/tcp"
-  # GlassWorm (mars 2026)
-  - "lzcdrtfxyqiplpd"
-  - "28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2"
-  - "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC"
-  - "6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ"