npm - muaddib-scanner - Versions diffs - 2.10.42 → 2.10.43 - Mend

muaddib-scanner 2.10.42 → 2.10.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +1 -1
package/src/monitor/classify.js +2 -1
package/src/monitor/ingestion.js +101 -0
package/src/monitor/queue.js +29 -9
package/src/response/playbooks.js +9 -0
package/src/rules/index.js +24 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.42",
+  "version": "2.10.43",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/monitor/classify.js CHANGED Viewed

@@ -56,7 +56,8 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   'systemd_persistence',                   // writeFile to systemd/ or systemctl enable (CanisterWorm T1543.002)
   'npm_token_steal',                       // exec("npm config get _authToken") (CanisterWorm findNpmTokens)
   'root_filesystem_wipe',                  // rm -rf / (CanisterWorm kamikaze.sh wiper T1485)
-  'proc_mem_scan'                          // /proc/mem scanning (TeamPCP Trivy credential stealer)
+  'proc_mem_scan',                         // /proc/mem scanning (TeamPCP Trivy credential stealer)
+  'trusted_new_unknown_dependency'         // TRUSTED package added unknown/new (<7d) dependency (account takeover)
 ]);
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/monitor/ingestion.js CHANGED Viewed

@@ -81,6 +81,105 @@ async function getWeeklyDownloads(packageName) {
   }
 }
+// --- Trusted dependency diff check ---
+const TRUSTED_DEP_AGE_THRESHOLD_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+/**
+ * Check for new dependencies added to a TRUSTED (popular) package.
+ * Detects supply-chain attacks where a compromised maintainer account adds a
+ * malicious dependency in a patch bump (e.g., axios 1.14.0 → 1.14.1 adding
+ * plain-crypto-js, 2026-03-30).
+ *
+ * @param {string} name - Package name
+ * @param {string} newVersion - Newly published version
+ * @returns {Array} Array of findings (empty if no new deps or on error)
+ */
+async function checkTrustedDepDiff(name, newVersion) {
+  const findings = [];
+  try {
+    // Fetch packument to get version list and dependencies
+    const body = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(name)}`, 10_000);
+    const packument = JSON.parse(body);
+    if (!packument.versions || !packument.time) return findings;
+    // Sort versions by publish time (not semver — handles prereleases correctly)
+    const timeMap = packument.time;
+    const versionKeys = Object.keys(packument.versions)
+      .filter(v => timeMap[v])
+      .sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]));
+    const newIdx = versionKeys.indexOf(newVersion);
+    if (newIdx <= 0) return findings; // First version or not found
+    const prevVersion = versionKeys[newIdx - 1];
+    const prevDeps = (packument.versions[prevVersion] && packument.versions[prevVersion].dependencies) || {};
+    const newDeps = (packument.versions[newVersion] && packument.versions[newVersion].dependencies) || {};
+    // Find newly added dependencies (name not present in previous version)
+    const addedDeps = Object.keys(newDeps).filter(dep => !(dep in prevDeps));
+    if (addedDeps.length === 0) return findings;
+    console.log(`[MONITOR] TRUSTED dep diff: ${name} ${prevVersion} → ${newVersion}: +${addedDeps.length} new dep(s): ${addedDeps.join(', ')}`);
+    for (const dep of addedDeps) {
+      let ageMs = null;
+      try {
+        const depBody = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(dep)}`, 5_000);
+        const depData = JSON.parse(depBody);
+        const created = depData.time && depData.time.created;
+        if (created) {
+          ageMs = Date.now() - new Date(created).getTime();
+        }
+      } catch (err) {
+        console.log(`[MONITOR] WARNING: could not check age of dependency ${dep}: ${err.message}`);
+      }
+      if (ageMs === null || ageMs < TRUSTED_DEP_AGE_THRESHOLD_MS) {
+        // Unknown or < 7 days old — CRITICAL
+        const ageDays = ageMs !== null ? Math.floor(ageMs / 86400000) : 'unknown';
+        findings.push({
+          type: 'trusted_new_unknown_dependency',
+          severity: 'CRITICAL',
+          confidence: ageMs === null ? 'medium' : 'high',
+          file: 'package.json',
+          message: `TRUSTED package ${name} added unknown dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
+          rule_id: 'MUADDIB-TRUSTED-001',
+          mitre: 'T1195.002',
+          dep,
+          depAgeDays: ageDays,
+          prevVersion,
+          newVersion
+        });
+      } else {
+        // Known dependency (>= 7 days old) — HIGH
+        const ageDays = Math.floor(ageMs / 86400000);
+        findings.push({
+          type: 'trusted_new_dependency',
+          severity: 'HIGH',
+          confidence: 'medium',
+          file: 'package.json',
+          message: `TRUSTED package ${name} added new dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
+          rule_id: 'MUADDIB-TRUSTED-002',
+          mitre: 'T1195.002',
+          dep,
+          depAgeDays: ageDays,
+          prevVersion,
+          newVersion
+        });
+      }
+    }
+    return findings;
+  } catch (err) {
+    // Graceful fallback — log warning, continue as TRUSTED
+    console.log(`[MONITOR] WARNING: trusted dep diff check failed for ${name}@${newVersion}: ${err.message}`);
+    return findings;
+  }
+}
 // --- Tarball URL helpers ---
 function getNpmTarballUrl(pkgData) {
@@ -583,6 +682,8 @@ module.exports = {
   // HTTP helpers
   httpsGet,
   getWeeklyDownloads,
+  checkTrustedDepDiff,
+  TRUSTED_DEP_AGE_THRESHOLD_MS,
   // Tarball URL helpers
   getNpmTarballUrl,

package/src/monitor/queue.js CHANGED Viewed

@@ -98,7 +98,7 @@ const {
 } = require('./temporal.js');
 // From ./ingestion.js (will be created — currently in monitor.js)
-const { getNpmLatestTarball, getPyPITarballUrl, getWeeklyDownloads } = require('./ingestion.js');
+const { getNpmLatestTarball, getPyPITarballUrl, getWeeklyDownloads, checkTrustedDepDiff } = require('./ingestion.js');
 // From ./tarball-archive.js
 const { archiveSuspectTarball } = require('./tarball-archive.js');
@@ -518,14 +518,34 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         if (ecosystem === 'npm' && !hasIOCMatch(result) && !hasTyposquat(result) && !hasHighOrCritical(result)) {
           const downloads = await getWeeklyDownloads(name);
           if (downloads >= POPULAR_THRESHOLD) {
-            stats.scanned++;
-            const elapsed = Date.now() - startTime;
-            stats.totalTimeMs += elapsed;
-            stats.clean++;
-            console.log(`[MONITOR] TRUSTED (popular): ${name}@${version} (${Math.round(downloads / 1000)}k downloads/week, ${counts.join(', ')})`);
-            updateScanStats('clean');
-            recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
-            return { sandboxResult: null, staticClean: true };
+            // Dependency diff check: detect supply-chain injection on TRUSTED packages
+            // (e.g., axios 1.14.0 → 1.14.1 adding unknown plain-crypto-js, 2026-03-30)
+            const trustedFindings = await checkTrustedDepDiff(name, version);
+            const hasCriticalDepFinding = trustedFindings.some(f => f.severity === 'CRITICAL');
+            if (hasCriticalDepFinding) {
+              // CRITICAL: unknown/new dependency — bypass TRUSTED, route to full scan + sandbox
+              console.log(`[MONITOR] TRUSTED BYPASS: ${name}@${version} — new unknown dependency detected, routing to full scan`);
+              result.threats.push(...trustedFindings);
+              for (const f of trustedFindings) {
+                if (f.severity === 'CRITICAL') result.summary.critical = (result.summary.critical || 0) + 1;
+                else if (f.severity === 'HIGH') result.summary.high = (result.summary.high || 0) + 1;
+              }
+              // Fall through to full classification below (do NOT return)
+            } else {
+              // No CRITICAL dep findings — normal TRUSTED skip (log HIGH findings if any)
+              for (const f of trustedFindings) {
+                console.log(`[MONITOR] TRUSTED dep change: ${f.message}`);
+              }
+              stats.scanned++;
+              const elapsed = Date.now() - startTime;
+              stats.totalTimeMs += elapsed;
+              stats.clean++;
+              console.log(`[MONITOR] TRUSTED (popular): ${name}@${version} (${Math.round(downloads / 1000)}k downloads/week, ${counts.join(', ')})`);
+              updateScanStats('clean');
+              recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
+              return { sandboxResult: null, staticClean: true };
+            }
           }
         }

package/src/response/playbooks.js CHANGED Viewed

@@ -829,6 +829,15 @@ const PLAYBOOKS = {
   lifecycle_missing_script:
     'CRITIQUE: Script lifecycle reference un fichier inexistant dans le package. Script fantome. ' +
     'Le payload peut etre injecte dynamiquement ou lors d\'une mise a jour. Installer avec --ignore-scripts. Supprimer le package.',
+  trusted_new_unknown_dependency:
+    'CRITIQUE: Package populaire (TRUSTED) a ajoute une dependance inconnue ou tres recente (<7 jours). ' +
+    'Indicateur de compromission de compte mainteneur (supply-chain attack). Bloquer la mise a jour. ' +
+    'Verifier le changelog, les commits recents, et contacter le mainteneur. Inspecter la nouvelle dependance.',
+  trusted_new_dependency:
+    'HAUTE: Package populaire (TRUSTED) a ajoute une nouvelle dependance connue. ' +
+    'Verifier le changelog et la legitimite de l\'ajout. Pas de blocage immediat mais surveillance renforcee.',
 };
 function getPlaybook(threatType) {

package/src/rules/index.js CHANGED Viewed

@@ -2206,6 +2206,30 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  // Trusted dependency diff detections (monitor-only)
+  trusted_new_unknown_dependency: {
+    id: 'MUADDIB-TRUSTED-001',
+    name: 'Trusted Package Added Unknown Dependency',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Un package TRUSTED (>50k downloads/semaine) a ajoute une nouvelle dependance inconnue ou tres recente (<7 jours) — indicateur de compromission de compte mainteneur (supply-chain attack type axios/plain-crypto-js).',
+    references: [
+      'https://attack.mitre.org/techniques/T1195.002/',
+      'https://blog.sonatype.com/malicious-npm-packages-targeting-popular-libraries'
+    ],
+    mitre: 'T1195.002'
+  },
+  trusted_new_dependency: {
+    id: 'MUADDIB-TRUSTED-002',
+    name: 'Trusted Package Added New Dependency',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Un package TRUSTED (>50k downloads/semaine) a ajoute une nouvelle dependance connue (>7 jours) dans un bump de version — changement de surface d\'attaque a verifier.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195.002/'
+    ],
+    mitre: 'T1195.002'
+  },
 };
 function getRule(type) {