muaddib-scanner 2.10.39 → 2.10.41

package/iocs/hashes.yaml

@@ -1,214 +0,0 @@
-# MUAD'DIB IOCs - Hashes SHA256 malveillants
-# Contribuez via PR: https://github.com/DNSZLSK/muad-dib
-
-version: "1.0.0"
-updated: "2026-01-01"
-
-hashes:
-  # ============================================
-  # SHAI-HULUD v2 - bun_environment.js
-  # ============================================
-  - id: HASH-SHAI-V2-001
-    sha256: "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0"
-    file: "bun_environment.js"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Payload Shai-Hulud v2 - exfiltration credentials"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-
-  - id: HASH-SHAI-V2-002
-    sha256: "cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd"
-    file: "bun_environment.js"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Variante Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-
-  - id: HASH-SHAI-V2-003
-    sha256: "f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068"
-    file: "bun_environment.js"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Variante Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-
-  # ============================================
-  # SHAI-HULUD v2 - setup_bun.js
-  # ============================================
-  - id: HASH-SHAI-V2-004
-    sha256: "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a"
-    file: "setup_bun.js"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Loader Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-
-  - id: HASH-SHAI-V2-005
-    sha256: "f1df4896244500671eb4aa63ebb48ea11cee196fafaa0e9874e17b24ac053c02"
-    file: "setup_bun.js"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Variante Shai-Hulud v2"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-
-  - id: HASH-SHAI-V2-006
-    sha256: "9d59fd0bcc14b671079824c704575f201b74276238dc07a9c12a93a84195648a"
-    file: "setup_bun.js"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Variante Shai-Hulud v2"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-
-  - id: HASH-SHAI-V2-007
-    sha256: "e0250076c1d2ac38777ea8f542431daf61fcbaab0ca9c196614b28065ef5b918"
-    file: "setup_bun.js"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Variante Shai-Hulud v2"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-
-  # ============================================
-  # NODE-IPC PROTESTWARE
-  # ============================================
-  - id: HASH-PROTEST-001
-    sha256: "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db"
-    file: "peacenotwar.js"
-    source: protestware
-    severity: critical
-    confidence: high
-    description: "Payload node-ipc peacenotwar"
-    references:
-      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
-
-  - id: HASH-PROTEST-002
-    sha256: "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09"
-    file: "peacenotwar.js"
-    source: protestware
-    severity: critical
-    confidence: high
-    description: "Variante node-ipc peacenotwar"
-    references:
-      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
-
-markers:
-  # ============================================
-  # SHAI-HULUD MARKERS
-  # ============================================
-  - id: MARKER-SHAI-001
-    pattern: "Sha1-Hulud"
-    source: shai-hulud-v1
-    severity: critical
-    confidence: high
-    description: "Signature Shai-Hulud v1"
-
-  - id: MARKER-SHAI-002
-    pattern: "Shai-Hulud"
-    source: shai-hulud-v1
-    severity: critical
-    confidence: high
-    description: "Signature Shai-Hulud"
-
-  - id: MARKER-SHAI-003
-    pattern: "The Second Coming"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Signature Shai-Hulud v2"
-
-  - id: MARKER-SHAI-004
-    pattern: "Goldox-T3chs"
-    source: shai-hulud-v3
-    severity: critical
-    confidence: high
-    description: "Signature Shai-Hulud v3 Golden Path"
-
-  - id: MARKER-SHAI-005
-    pattern: "Only Happy Girl"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Signature Shai-Hulud v2 variante"
-
-  # ============================================
-  # PROTESTWARE MARKERS
-  # ============================================
-  - id: MARKER-PROTEST-001
-    pattern: "peacenotwar"
-    source: protestware
-    severity: critical
-    confidence: high
-    description: "Signature node-ipc protestware"
-
-  # ============================================
-  # GENERIC MALWARE MARKERS
-  # ============================================
-  - id: MARKER-GENERIC-001
-    pattern: "/dev/tcp"
-    source: generic
-    severity: critical
-    confidence: high
-    description: "Reverse shell bash"
-
-  - id: MARKER-GENERIC-002
-    pattern: "discord.com/api/webhooks"
-    source: generic
-    severity: high
-    confidence: medium
-    description: "Exfiltration via Discord webhook"
-
-files:
-  # ============================================
-  # FICHIERS SUSPECTS SHAI-HULUD
-  # ============================================
-  - id: FILE-SHAI-001
-    name: "setup_bun.js"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Loader Shai-Hulud"
-
-  - id: FILE-SHAI-002
-    name: "bun_environment.js"
-    source: shai-hulud-v2
-    severity: critical
-    confidence: high
-    description: "Payload Shai-Hulud"
-
-  - id: FILE-SHAI-003
-    name: "bundle.js"
-    source: shai-hulud-v2
-    severity: high
-    confidence: medium
-    description: "Payload obfusque potentiel"
-
-  # ============================================
-  # FICHIERS SUSPECTS GENERIQUES
-  # ============================================
-  - id: FILE-GENERIC-001
-    name: "stealer.js"
-    source: generic
-    severity: critical
-    confidence: high
-    description: "Token stealer potentiel"
-
-  - id: FILE-GENERIC-002
-    name: "token-grabber.js"
-    source: generic
-    severity: critical
-    confidence: high
-    description: "Token stealer potentiel"
-

package/iocs/packages.yaml

@@ -1,481 +0,0 @@
-# MUAD'DIB IOCs - Packages malveillants
-# Contribuez via PR: https://github.com/DNSZLSK/muad-dib
-
-version: "1.0.0"
-updated: "2026-01-01"
-
-packages:
-  # ============================================
-  # SHAI-HULUD v1 (Septembre 2025)
-  # ============================================
-  - id: SHAI-HULUD-V1-001
-    name: "@ctrl/tinycolor"
-    version: "4.1.1"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1 - vol de credentials npm/GitHub"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-002a
-    name: "ng2-file-upload"
-    version: "7.0.2"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-002b
-    name: "ng2-file-upload"
-    version: "7.0.3"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-002c
-    name: "ng2-file-upload"
-    version: "8.0.1"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-002d
-    name: "ng2-file-upload"
-    version: "8.0.2"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-002e
-    name: "ng2-file-upload"
-    version: "8.0.3"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-002f
-    name: "ng2-file-upload"
-    version: "9.0.1"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-003a
-    name: "ngx-bootstrap"
-    version: "18.1.4"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-003b
-    name: "ngx-bootstrap"
-    version: "19.0.3"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-003c
-    name: "ngx-bootstrap"
-    version: "19.0.4"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-003d
-    name: "ngx-bootstrap"
-    version: "20.0.3"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-003e
-    name: "ngx-bootstrap"
-    version: "20.0.4"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-003f
-    name: "ngx-bootstrap"
-    version: "20.0.5"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-003g
-    name: "ngx-bootstrap"
-    version: "20.0.6"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  # ============================================
-  # SHAI-HULUD v2 "The Second Coming" (Novembre 2025)
-  # ============================================
-  - id: SHAI-HULUD-V2-001a
-    name: "@asyncapi/specs"
-    version: "6.8.2"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2 - inclut dead man's switch"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-001b
-    name: "@asyncapi/specs"
-    version: "6.8.3"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2 - inclut dead man's switch"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-001c
-    name: "@asyncapi/specs"
-    version: "6.9.1"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2 - inclut dead man's switch"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-001d
-    name: "@asyncapi/specs"
-    version: "6.10.1"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2 - inclut dead man's switch"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-002
-    name: "get-them-args"
-    version: "1.3.3"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-003a
-    name: "kill-port"
-    version: "2.0.2"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-003b
-    name: "kill-port"
-    version: "2.0.3"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-004a
-    name: "posthog-node"
-    version: "4.18.1"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-004b
-    name: "posthog-node"
-    version: "5.11.3"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-004c
-    name: "posthog-node"
-    version: "5.13.3"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-005
-    name: "posthog-js"
-    version: "1.297.3"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  # ============================================
-  # SHAI-HULUD v3 "Golden Path" (Decembre 2025)
-  # ============================================
-  - id: SHAI-HULUD-V3-001
-    name: "@vietmoney/react-big-calendar"
-    version: "0.26.2"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v3
-    introduced: "2025-12-01"
-    description: "Package compromis par Shai-Hulud v3 Golden Path"
-    references:
-      - https://socket.dev/npm/package/@vietmoney/react-big-calendar
-    mitre: T1195.002
-
-  # ============================================
-  # ATTAQUES HISTORIQUES
-  # ============================================
-  - id: EVENT-STREAM-001
-    name: "flatmap-stream"
-    version: "0.1.1"
-    severity: critical
-    confidence: high
-    source: event-stream-2018
-    introduced: "2018-11-01"
-    description: "Payload malveillant de l'attaque event-stream - vol de Bitcoin wallets"
-    references:
-      - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
-    mitre: T1195.002
-
-  - id: EVENT-STREAM-002
-    name: "event-stream"
-    version: "3.3.6"
-    severity: critical
-    confidence: high
-    source: event-stream-2018
-    introduced: "2018-11-01"
-    description: "Version compromise de event-stream"
-    references:
-      - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
-    mitre: T1195.002
-
-  - id: ESLINT-SCOPE-001
-    name: "eslint-scope"
-    version: "3.7.2"
-    severity: critical
-    confidence: high
-    source: eslint-scope-2018
-    introduced: "2018-07-01"
-    description: "Version compromise de eslint-scope - vol de tokens npm"
-    references:
-      - https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
-    mitre: T1195.002
-
-  # ============================================
-  # PROTESTWARE
-  # ============================================
-  - id: PROTESTWARE-001
-    name: "node-ipc"
-    version: "10.1.1"
-    severity: critical
-    confidence: high
-    source: protestware
-    introduced: "2022-03-01"
-    description: "Protestware - supprime fichiers sur machines avec IP russe/bielorusse"
-    references:
-      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
-    mitre: T1485
-
-  - id: PROTESTWARE-002
-    name: "node-ipc"
-    version: "10.1.2"
-    severity: critical
-    confidence: high
-    source: protestware
-    introduced: "2022-03-01"
-    description: "Protestware - version modifiee"
-    references:
-      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
-    mitre: T1485
-
-  - id: PROTESTWARE-002b
-    name: "peacenotwar"
-    version: "*"
-    severity: critical
-    confidence: high
-    source: protestware
-    introduced: "2022-03-01"
-    description: "Protestware dependency - deposite fichier texte sur le bureau via node-ipc"
-    references:
-      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
-    mitre: T1485
-
-  - id: PROTESTWARE-003
-    name: "colors"
-    version: "1.4.1"
-    severity: high
-    confidence: high
-    source: protestware
-    introduced: "2022-01-01"
-    description: "Protestware - boucle infinie intentionnelle"
-    references:
-      - https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
-    mitre: T1499
-
-  - id: PROTESTWARE-004
-    name: "faker"
-    version: "6.6.6"
-    severity: high
-    confidence: high
-    source: protestware
-    introduced: "2022-01-01"
-    description: "Protestware - sabotage intentionnel"
-    references:
-      - https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
-    mitre: T1499
-
-  # ============================================
-  # TYPOSQUATS
-  # ============================================
-  - id: TYPOSQUAT-001
-    name: "crossenv"
-    version: "*"
-    severity: high
-    confidence: high
-    source: typosquat
-    introduced: "2017-08-01"
-    description: "Typosquat de cross-env - vol de variables d'environnement"
-    references:
-      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
-    mitre: T1195.002
-
-  - id: TYPOSQUAT-002
-    name: "mongose"
-    version: "*"
-    severity: high
-    confidence: high
-    source: typosquat
-    introduced: "2017-08-01"
-    description: "Typosquat de mongoose"
-    references:
-      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
-    mitre: T1195.002
-
-  - id: TYPOSQUAT-003
-    name: "babelcli"
-    version: "*"
-    severity: high
-    confidence: high
-    source: typosquat
-    introduced: "2017-08-01"
-    description: "Typosquat de babel-cli"
-    references:
-      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
-    mitre: T1195.002
-
-  - id: TYPOSQUAT-004
-    name: "lodahs"
-    version: "*"
-    severity: high
-    confidence: high
-    source: typosquat
-    introduced: "2019-01-01"
-    description: "Typosquat de lodash"
-    references:
-      - https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/
-    mitre: T1195.002