muaddib-scanner 2.10.41 → 2.10.43

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.41",
+  "version": "2.10.43",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/monitor/classify.js

@@ -56,7 +56,8 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   'systemd_persistence',                   // writeFile to systemd/ or systemctl enable (CanisterWorm T1543.002)
   'npm_token_steal',                       // exec("npm config get _authToken") (CanisterWorm findNpmTokens)
   'root_filesystem_wipe',                  // rm -rf / (CanisterWorm kamikaze.sh wiper T1485)
-  'proc_mem_scan'                          // /proc/mem scanning (TeamPCP Trivy credential stealer)
+  'proc_mem_scan',                         // /proc/mem scanning (TeamPCP Trivy credential stealer)
+  'trusted_new_unknown_dependency'         // TRUSTED package added unknown/new (<7d) dependency (account takeover)
 ]);
 
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/monitor/daemon.js

@@ -12,6 +12,8 @@ const { processQueue, SCAN_CONCURRENCY } = require('./queue.js');
 const { startHealthcheck } = require('./healthcheck.js');
 
 const POLL_INTERVAL = 60_000;
+const PROCESS_LOOP_INTERVAL = 2_000;    // Queue check interval when empty
+const QUEUE_WARNING_THRESHOLD = 5_000;  // Warn if queue depth exceeds this
 
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
@@ -171,15 +173,21 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
   console.log('[MONITOR] npm changes stream enabled (replicate.npmjs.com) with RSS fallback');
   console.log(`[MONITOR] Scan concurrency: ${SCAN_CONCURRENCY} (MUADDIB_SCAN_CONCURRENCY to override)`);
   console.log(`[MONITOR] Sandbox concurrency: ${SANDBOX_CONCURRENCY_MAX} (MUADDIB_SANDBOX_CONCURRENCY to override)`);
-  console.log(`[MONITOR] Polling every ${POLL_INTERVAL / 1000}s. Ctrl+C to stop.\n`);
+  console.log(`[MONITOR] Polling every ${POLL_INTERVAL / 1000}s (decoupled from processing). Ctrl+C to stop.\n`);
 
   let running = true;
+  let pollIntervalHandle = null;  // Decoupled poll timer — set after initial poll
 
   // Graceful shutdown handler (shared by SIGINT and SIGTERM)
   // Daily report is NEVER sent on shutdown — it only fires at 08:00 Paris time.
   // Counters are persisted to disk so they survive the restart.
   async function gracefulShutdown(signal) {
     console.log(`\n[MONITOR] Received ${signal} — shutting down...`);
+    running = false;
+    if (pollIntervalHandle) {
+      clearInterval(pollIntervalHandle);
+      pollIntervalHandle = null;
+    }
     healthcheck.stop();
     // Flush all pending scope groups before exit
     for (const [scope, group] of pendingGrouped) {
@@ -191,25 +199,47 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
     saveState(state, stats);
     reportStats(stats);
     console.log('[MONITOR] State saved. Bye!');
-    running = false;
     process.exit(0);
   }
 
   process.on('SIGINT', () => gracefulShutdown('SIGINT'));
   process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
 
-  // Initial poll + scan
+  // Initial poll + scan (sequential for first run)
   await poll(state, scanQueue, stats);
   saveState(state, stats);
   await processQueue(scanQueue, stats, dailyAlerts, recentlyScanned, downloadsCache, sandboxAvailableRef.value);
 
-  // Interval polling
+  // ─── Decoupled polling ───
+  // Poll runs on its own interval, independent of processing.
+  // This ensures new packages are ingested even while a large batch is being scanned.
+  // Without this, a 2h processing batch blocks all polling — packages published and
+  // removed during that window are never seen (e.g. axios/plain-crypto-js 2026-03-30).
+  let pollInProgress = false;
+  pollIntervalHandle = setInterval(async () => {
+    if (!running || pollInProgress) return;
+    pollInProgress = true;
+    try {
+      await poll(state, scanQueue, stats);
+      saveState(state, stats);
+      if (scanQueue.length > QUEUE_WARNING_THRESHOLD) {
+        console.log(`[MONITOR] WARNING: scan queue depth ${scanQueue.length} — processing may be lagging behind ingestion`);
+      }
+    } catch (err) {
+      console.error('[MONITOR] Poll error (interval):', err.message);
+    } finally {
+      pollInProgress = false;
+    }
+  }, POLL_INTERVAL);
+
+  // ─── Continuous processing loop ───
+  // Consumes scanQueue independently of polling. Workers inside processQueue
+  // check scanQueue.length > 0 after each item, so items added by a concurrent
+  // poll are picked up immediately by running workers.
   while (running) {
-    await sleep(POLL_INTERVAL);
-    if (!running) break;
-    await poll(state, scanQueue, stats);
-    saveState(state, stats);
-    await processQueue(scanQueue, stats, dailyAlerts, recentlyScanned, downloadsCache, sandboxAvailableRef.value);
+    if (scanQueue.length > 0) {
+      await processQueue(scanQueue, stats, dailyAlerts, recentlyScanned, downloadsCache, sandboxAvailableRef.value);
+    }
 
     // Hourly stats report + cache purge
     if (Date.now() - stats.lastReportTime >= 3600_000) {
@@ -221,6 +251,9 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
     if (isDailyReportDue(stats)) {
       await sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCache);
     }
+
+    // Short pause before re-checking queue — yields event loop for poll interval
+    await sleep(PROCESS_LOOP_INTERVAL);
   }
 }
 
@@ -231,5 +264,7 @@ module.exports = {
   reportStats,
   isDailyReportDue,
   sleep,
-  POLL_INTERVAL
+  POLL_INTERVAL,
+  PROCESS_LOOP_INTERVAL,
+  QUEUE_WARNING_THRESHOLD
 };

package/src/monitor/ingestion.js

@@ -81,6 +81,105 @@ async function getWeeklyDownloads(packageName) {
   }
 }
 
+// --- Trusted dependency diff check ---
+
+const TRUSTED_DEP_AGE_THRESHOLD_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+/**
+ * Check for new dependencies added to a TRUSTED (popular) package.
+ * Detects supply-chain attacks where a compromised maintainer account adds a
+ * malicious dependency in a patch bump (e.g., axios 1.14.0 → 1.14.1 adding
+ * plain-crypto-js, 2026-03-30).
+ *
+ * @param {string} name - Package name
+ * @param {string} newVersion - Newly published version
+ * @returns {Array} Array of findings (empty if no new deps or on error)
+ */
+async function checkTrustedDepDiff(name, newVersion) {
+  const findings = [];
+  try {
+    // Fetch packument to get version list and dependencies
+    const body = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(name)}`, 10_000);
+    const packument = JSON.parse(body);
+
+    if (!packument.versions || !packument.time) return findings;
+
+    // Sort versions by publish time (not semver — handles prereleases correctly)
+    const timeMap = packument.time;
+    const versionKeys = Object.keys(packument.versions)
+      .filter(v => timeMap[v])
+      .sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]));
+
+    const newIdx = versionKeys.indexOf(newVersion);
+    if (newIdx <= 0) return findings; // First version or not found
+
+    const prevVersion = versionKeys[newIdx - 1];
+
+    const prevDeps = (packument.versions[prevVersion] && packument.versions[prevVersion].dependencies) || {};
+    const newDeps = (packument.versions[newVersion] && packument.versions[newVersion].dependencies) || {};
+
+    // Find newly added dependencies (name not present in previous version)
+    const addedDeps = Object.keys(newDeps).filter(dep => !(dep in prevDeps));
+    if (addedDeps.length === 0) return findings;
+
+    console.log(`[MONITOR] TRUSTED dep diff: ${name} ${prevVersion} → ${newVersion}: +${addedDeps.length} new dep(s): ${addedDeps.join(', ')}`);
+
+    for (const dep of addedDeps) {
+      let ageMs = null;
+      try {
+        const depBody = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(dep)}`, 5_000);
+        const depData = JSON.parse(depBody);
+        const created = depData.time && depData.time.created;
+        if (created) {
+          ageMs = Date.now() - new Date(created).getTime();
+        }
+      } catch (err) {
+        console.log(`[MONITOR] WARNING: could not check age of dependency ${dep}: ${err.message}`);
+      }
+
+      if (ageMs === null || ageMs < TRUSTED_DEP_AGE_THRESHOLD_MS) {
+        // Unknown or < 7 days old — CRITICAL
+        const ageDays = ageMs !== null ? Math.floor(ageMs / 86400000) : 'unknown';
+        findings.push({
+          type: 'trusted_new_unknown_dependency',
+          severity: 'CRITICAL',
+          confidence: ageMs === null ? 'medium' : 'high',
+          file: 'package.json',
+          message: `TRUSTED package ${name} added unknown dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
+          rule_id: 'MUADDIB-TRUSTED-001',
+          mitre: 'T1195.002',
+          dep,
+          depAgeDays: ageDays,
+          prevVersion,
+          newVersion
+        });
+      } else {
+        // Known dependency (>= 7 days old) — HIGH
+        const ageDays = Math.floor(ageMs / 86400000);
+        findings.push({
+          type: 'trusted_new_dependency',
+          severity: 'HIGH',
+          confidence: 'medium',
+          file: 'package.json',
+          message: `TRUSTED package ${name} added new dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
+          rule_id: 'MUADDIB-TRUSTED-002',
+          mitre: 'T1195.002',
+          dep,
+          depAgeDays: ageDays,
+          prevVersion,
+          newVersion
+        });
+      }
+    }
+
+    return findings;
+  } catch (err) {
+    // Graceful fallback — log warning, continue as TRUSTED
+    console.log(`[MONITOR] WARNING: trusted dep diff check failed for ${name}@${newVersion}: ${err.message}`);
+    return findings;
+  }
+}
+
 // --- Tarball URL helpers ---
 
 function getNpmTarballUrl(pkgData) {
@@ -583,6 +682,8 @@ module.exports = {
   // HTTP helpers
   httpsGet,
   getWeeklyDownloads,
+  checkTrustedDepDiff,
+  TRUSTED_DEP_AGE_THRESHOLD_MS,
 
   // Tarball URL helpers
   getNpmTarballUrl,

package/src/monitor/queue.js

@@ -98,7 +98,7 @@ const {
 } = require('./temporal.js');
 
 // From ./ingestion.js (will be created — currently in monitor.js)
-const { getNpmLatestTarball, getPyPITarballUrl, getWeeklyDownloads } = require('./ingestion.js');
+const { getNpmLatestTarball, getPyPITarballUrl, getWeeklyDownloads, checkTrustedDepDiff } = require('./ingestion.js');
 
 // From ./tarball-archive.js
 const { archiveSuspectTarball } = require('./tarball-archive.js');
@@ -518,14 +518,34 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         if (ecosystem === 'npm' && !hasIOCMatch(result) && !hasTyposquat(result) && !hasHighOrCritical(result)) {
           const downloads = await getWeeklyDownloads(name);
           if (downloads >= POPULAR_THRESHOLD) {
-            stats.scanned++;
-            const elapsed = Date.now() - startTime;
-            stats.totalTimeMs += elapsed;
-            stats.clean++;
-            console.log(`[MONITOR] TRUSTED (popular): ${name}@${version} (${Math.round(downloads / 1000)}k downloads/week, ${counts.join(', ')})`);
-            updateScanStats('clean');
-            recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
-            return { sandboxResult: null, staticClean: true };
+            // Dependency diff check: detect supply-chain injection on TRUSTED packages
+            // (e.g., axios 1.14.0 → 1.14.1 adding unknown plain-crypto-js, 2026-03-30)
+            const trustedFindings = await checkTrustedDepDiff(name, version);
+            const hasCriticalDepFinding = trustedFindings.some(f => f.severity === 'CRITICAL');
+
+            if (hasCriticalDepFinding) {
+              // CRITICAL: unknown/new dependency — bypass TRUSTED, route to full scan + sandbox
+              console.log(`[MONITOR] TRUSTED BYPASS: ${name}@${version} — new unknown dependency detected, routing to full scan`);
+              result.threats.push(...trustedFindings);
+              for (const f of trustedFindings) {
+                if (f.severity === 'CRITICAL') result.summary.critical = (result.summary.critical || 0) + 1;
+                else if (f.severity === 'HIGH') result.summary.high = (result.summary.high || 0) + 1;
+              }
+              // Fall through to full classification below (do NOT return)
+            } else {
+              // No CRITICAL dep findings — normal TRUSTED skip (log HIGH findings if any)
+              for (const f of trustedFindings) {
+                console.log(`[MONITOR] TRUSTED dep change: ${f.message}`);
+              }
+              stats.scanned++;
+              const elapsed = Date.now() - startTime;
+              stats.totalTimeMs += elapsed;
+              stats.clean++;
+              console.log(`[MONITOR] TRUSTED (popular): ${name}@${version} (${Math.round(downloads / 1000)}k downloads/week, ${counts.join(', ')})`);
+              updateScanStats('clean');
+              recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
+              return { sandboxResult: null, staticClean: true };
+            }
           }
         }
 

package/src/response/playbooks.js

@@ -829,6 +829,15 @@ const PLAYBOOKS = {
   lifecycle_missing_script:
     'CRITIQUE: Script lifecycle reference un fichier inexistant dans le package. Script fantome. ' +
     'Le payload peut etre injecte dynamiquement ou lors d\'une mise a jour. Installer avec --ignore-scripts. Supprimer le package.',
+
+  trusted_new_unknown_dependency:
+    'CRITIQUE: Package populaire (TRUSTED) a ajoute une dependance inconnue ou tres recente (<7 jours). ' +
+    'Indicateur de compromission de compte mainteneur (supply-chain attack). Bloquer la mise a jour. ' +
+    'Verifier le changelog, les commits recents, et contacter le mainteneur. Inspecter la nouvelle dependance.',
+
+  trusted_new_dependency:
+    'HAUTE: Package populaire (TRUSTED) a ajoute une nouvelle dependance connue. ' +
+    'Verifier le changelog et la legitimite de l\'ajout. Pas de blocage immediat mais surveillance renforcee.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -2206,6 +2206,30 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  // Trusted dependency diff detections (monitor-only)
+  trusted_new_unknown_dependency: {
+    id: 'MUADDIB-TRUSTED-001',
+    name: 'Trusted Package Added Unknown Dependency',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Un package TRUSTED (>50k downloads/semaine) a ajoute une nouvelle dependance inconnue ou tres recente (<7 jours) — indicateur de compromission de compte mainteneur (supply-chain attack type axios/plain-crypto-js).',
+    references: [
+      'https://attack.mitre.org/techniques/T1195.002/',
+      'https://blog.sonatype.com/malicious-npm-packages-targeting-popular-libraries'
+    ],
+    mitre: 'T1195.002'
+  },
+  trusted_new_dependency: {
+    id: 'MUADDIB-TRUSTED-002',
+    name: 'Trusted Package Added New Dependency',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Un package TRUSTED (>50k downloads/semaine) a ajoute une nouvelle dependance connue (>7 jours) dans un bump de version — changement de surface d\'attaque a verifier.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195.002/'
+    ],
+    mitre: 'T1195.002'
+  },
 };
 
 function getRule(type) {