muaddib-scanner 2.10.47 → 2.10.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/package.json +1 -1
  2. package/src/monitor/daemon.js +8 -8
  3. package/src/monitor/deferred-sandbox.js +21 -26
  4. package/src/monitor/state.js +2 -0
  5. package/src/sandbox/index.js +14 -8
  6. package/ci-test.sarif +0 -3796
  7. package/muaddib-results.sarif +0 -20356
package/ci-test.sarif DELETED
@@ -1,3796 +0,0 @@
1
- {
2
- "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
3
- "version": "2.1.0",
4
- "runs": [
5
- {
6
- "tool": {
7
- "driver": {
8
- "name": "MUADDIB",
9
- "version": "2.10.37",
10
- "informationUri": "https://github.com/DNSZLSK/muad-dib",
11
- "rules": [
12
- {
13
- "id": "MUADDIB-AST-001",
14
- "name": "Sensitive String Reference",
15
- "shortDescription": {
16
- "text": "Reference a un chemin ou identifiant sensible (.npmrc, .ssh, tokens)"
17
- },
18
- "fullDescription": {
19
- "text": "Reference a un chemin ou identifiant sensible (.npmrc, .ssh, tokens)"
20
- },
21
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
22
- "properties": {
23
- "severity": "HIGH",
24
- "confidence": "medium",
25
- "mitre": "T1552.001"
26
- }
27
- },
28
- {
29
- "id": "MUADDIB-AST-002",
30
- "name": "Sensitive Environment Variable Access",
31
- "shortDescription": {
32
- "text": "Acces a une variable d'environnement sensible (GITHUB_TOKEN, NPM_TOKEN, AWS_*)"
33
- },
34
- "fullDescription": {
35
- "text": "Acces a une variable d'environnement sensible (GITHUB_TOKEN, NPM_TOKEN, AWS_*)"
36
- },
37
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
38
- "properties": {
39
- "severity": "HIGH",
40
- "confidence": "high",
41
- "mitre": "T1552.001"
42
- }
43
- },
44
- {
45
- "id": "MUADDIB-AST-003",
46
- "name": "Dangerous Function Call",
47
- "shortDescription": {
48
- "text": "Appel a une fonction dangereuse (exec, spawn, eval, Function)"
49
- },
50
- "fullDescription": {
51
- "text": "Appel a une fonction dangereuse (exec, spawn, eval, Function)"
52
- },
53
- "helpUri": "https://owasp.org/www-community/attacks/Command_Injection",
54
- "properties": {
55
- "severity": "MEDIUM",
56
- "confidence": "medium",
57
- "mitre": "T1059"
58
- }
59
- },
60
- {
61
- "id": "MUADDIB-AST-004",
62
- "name": "Eval Usage",
63
- "shortDescription": {
64
- "text": "Utilisation de eval() ou new Function() - execution de code dynamique"
65
- },
66
- "fullDescription": {
67
- "text": "Utilisation de eval() ou new Function() - execution de code dynamique"
68
- },
69
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!",
70
- "properties": {
71
- "severity": "HIGH",
72
- "confidence": "high",
73
- "mitre": "T1059.007"
74
- }
75
- },
76
- {
77
- "id": "MUADDIB-SHELL-001",
78
- "name": "Remote Code Execution via Curl",
79
- "shortDescription": {
80
- "text": "Telecharge et execute du code distant via curl | sh"
81
- },
82
- "fullDescription": {
83
- "text": "Telecharge et execute du code distant via curl | sh"
84
- },
85
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
86
- "properties": {
87
- "severity": "CRITICAL",
88
- "confidence": "high",
89
- "mitre": "T1105"
90
- }
91
- },
92
- {
93
- "id": "MUADDIB-SHELL-002",
94
- "name": "Reverse Shell",
95
- "shortDescription": {
96
- "text": "Tentative de connexion reverse shell"
97
- },
98
- "fullDescription": {
99
- "text": "Tentative de connexion reverse shell"
100
- },
101
- "helpUri": "https://attack.mitre.org/techniques/T1059/004/",
102
- "properties": {
103
- "severity": "CRITICAL",
104
- "confidence": "high",
105
- "mitre": "T1059.004"
106
- }
107
- },
108
- {
109
- "id": "MUADDIB-SHELL-003",
110
- "name": "Dead Man's Switch",
111
- "shortDescription": {
112
- "text": "Suppression du repertoire home - dead man's switch de Shai-Hulud"
113
- },
114
- "fullDescription": {
115
- "text": "Suppression du repertoire home - dead man's switch de Shai-Hulud"
116
- },
117
- "helpUri": "https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack",
118
- "properties": {
119
- "severity": "CRITICAL",
120
- "confidence": "high",
121
- "mitre": "T1485"
122
- }
123
- },
124
- {
125
- "id": "MUADDIB-PKG-001",
126
- "name": "Suspicious Lifecycle Script",
127
- "shortDescription": {
128
- "text": "Script preinstall/postinstall suspect dans package.json"
129
- },
130
- "fullDescription": {
131
- "text": "Script preinstall/postinstall suspect dans package.json"
132
- },
133
- "helpUri": "https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm",
134
- "properties": {
135
- "severity": "MEDIUM",
136
- "confidence": "medium",
137
- "mitre": "T1195.002"
138
- }
139
- },
140
- {
141
- "id": "MUADDIB-OBF-001",
142
- "name": "Code Obfuscation Detected",
143
- "shortDescription": {
144
- "text": "Code fortement obfusque detecte - probablement malveillant"
145
- },
146
- "fullDescription": {
147
- "text": "Code fortement obfusque detecte - probablement malveillant"
148
- },
149
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
150
- "properties": {
151
- "severity": "HIGH",
152
- "confidence": "medium",
153
- "mitre": "T1027"
154
- }
155
- },
156
- {
157
- "id": "MUADDIB-DEP-001",
158
- "name": "Known Malicious Package",
159
- "shortDescription": {
160
- "text": "Package present dans la base IOC de packages malveillants connus"
161
- },
162
- "fullDescription": {
163
- "text": "Package present dans la base IOC de packages malveillants connus"
164
- },
165
- "helpUri": "https://socket.dev/npm/issue",
166
- "properties": {
167
- "severity": "CRITICAL",
168
- "confidence": "high",
169
- "mitre": "T1195.002"
170
- }
171
- },
172
- {
173
- "id": "MUADDIB-DEP-006",
174
- "name": "Dependency Declared on IOC Package",
175
- "shortDescription": {
176
- "text": "Le package declare une dependance sur un package present dans la base IOC. Signal informatif — ne prouve pas que le package scanne est malveillant."
177
- },
178
- "fullDescription": {
179
- "text": "Le package declare une dependance sur un package present dans la base IOC. Signal informatif — ne prouve pas que le package scanne est malveillant."
180
- },
181
- "helpUri": "https://socket.dev/npm/issue",
182
- "properties": {
183
- "severity": "HIGH",
184
- "confidence": "medium",
185
- "mitre": "T1195.002"
186
- }
187
- },
188
- {
189
- "id": "MUADDIB-PYPI-001",
190
- "name": "Malicious PyPI Package",
191
- "shortDescription": {
192
- "text": "Package PyPI present dans la base IOC de packages malveillants connus (source: OSV)"
193
- },
194
- "fullDescription": {
195
- "text": "Package PyPI present dans la base IOC de packages malveillants connus (source: OSV)"
196
- },
197
- "helpUri": "https://osv.dev/",
198
- "properties": {
199
- "severity": "CRITICAL",
200
- "confidence": "high",
201
- "mitre": "T1195.002"
202
- }
203
- },
204
- {
205
- "id": "MUADDIB-PYPI-002",
206
- "name": "PyPI Typosquatting Detected",
207
- "shortDescription": {
208
- "text": "Dependance PyPI suspecte de typosquatting d'un package populaire (Levenshtein)"
209
- },
210
- "fullDescription": {
211
- "text": "Dependance PyPI suspecte de typosquatting d'un package populaire (Levenshtein)"
212
- },
213
- "helpUri": "https://pypi.org/",
214
- "properties": {
215
- "severity": "HIGH",
216
- "confidence": "medium",
217
- "mitre": "T1195.002"
218
- }
219
- },
220
- {
221
- "id": "MUADDIB-DEP-002",
222
- "name": "Suspicious File in Dependency",
223
- "shortDescription": {
224
- "text": "Fichier suspect detecte dans une dependance (setup_bun.js, etc.)"
225
- },
226
- "fullDescription": {
227
- "text": "Fichier suspect detecte dans une dependance (setup_bun.js, etc.)"
228
- },
229
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
230
- "properties": {
231
- "severity": "CRITICAL",
232
- "confidence": "high",
233
- "mitre": "T1195.002"
234
- }
235
- },
236
- {
237
- "id": "MUADDIB-DEP-003",
238
- "name": "Shai-Hulud Marker Detected",
239
- "shortDescription": {
240
- "text": "Marqueur Shai-Hulud detecte dans le code"
241
- },
242
- "fullDescription": {
243
- "text": "Marqueur Shai-Hulud detecte dans le code"
244
- },
245
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
246
- "properties": {
247
- "severity": "CRITICAL",
248
- "confidence": "high",
249
- "mitre": "T1195.002"
250
- }
251
- },
252
- {
253
- "id": "MUADDIB-DEP-004",
254
- "name": "Lifecycle Script in Dependency",
255
- "shortDescription": {
256
- "text": "Une dependance a un script preinstall/postinstall"
257
- },
258
- "fullDescription": {
259
- "text": "Une dependance a un script preinstall/postinstall"
260
- },
261
- "helpUri": "https://docs.npmjs.com/cli/v9/using-npm/scripts#life-cycle-scripts",
262
- "properties": {
263
- "severity": "MEDIUM",
264
- "confidence": "low",
265
- "mitre": "T1195.002"
266
- }
267
- },
268
- {
269
- "id": "MUADDIB-DEP-005",
270
- "name": "Suspicious Dependency URL",
271
- "shortDescription": {
272
- "text": "Dependance declaree avec une URL HTTP/HTTPS au lieu d'une version npm. Les URLs ngrok/localhost/IP privee sont fortement suspectes."
273
- },
274
- "fullDescription": {
275
- "text": "Dependance declaree avec une URL HTTP/HTTPS au lieu d'une version npm. Les URLs ngrok/localhost/IP privee sont fortement suspectes."
276
- },
277
- "helpUri": "https://docs.npmjs.com/cli/v9/configuring-npm/package-json#urls-as-dependencies",
278
- "properties": {
279
- "severity": "HIGH",
280
- "confidence": "high",
281
- "mitre": "T1195.002"
282
- }
283
- },
284
- {
285
- "id": "MUADDIB-HASH-001",
286
- "name": "Known Malicious File Hash",
287
- "shortDescription": {
288
- "text": "Hash SHA256 correspond a un fichier malveillant connu"
289
- },
290
- "fullDescription": {
291
- "text": "Hash SHA256 correspond a un fichier malveillant connu"
292
- },
293
- "helpUri": "https://www.virustotal.com",
294
- "properties": {
295
- "severity": "CRITICAL",
296
- "confidence": "high",
297
- "mitre": "T1195.002"
298
- }
299
- },
300
- {
301
- "id": "MUADDIB-FLOW-001",
302
- "name": "Suspicious Data Flow",
303
- "shortDescription": {
304
- "text": "Flux de donnees suspect: lecture de credentials puis envoi reseau"
305
- },
306
- "fullDescription": {
307
- "text": "Flux de donnees suspect: lecture de credentials puis envoi reseau"
308
- },
309
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
310
- "properties": {
311
- "severity": "CRITICAL",
312
- "confidence": "high",
313
- "mitre": "T1041"
314
- }
315
- },
316
- {
317
- "id": "MUADDIB-TYPO-001",
318
- "name": "Typosquatting Detected",
319
- "shortDescription": {
320
- "text": "Package avec un nom tres similaire a un package populaire. Possible typosquatting."
321
- },
322
- "fullDescription": {
323
- "text": "Package avec un nom tres similaire a un package populaire. Possible typosquatting."
324
- },
325
- "helpUri": "https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry",
326
- "properties": {
327
- "severity": "HIGH",
328
- "confidence": "high",
329
- "mitre": "T1195.002"
330
- }
331
- },
332
- {
333
- "id": "MUADDIB-PKG-002",
334
- "name": "Curl Pipe to Shell in Script",
335
- "shortDescription": {
336
- "text": "Script lifecycle execute curl | sh - telechargement et execution de code distant"
337
- },
338
- "fullDescription": {
339
- "text": "Script lifecycle execute curl | sh - telechargement et execution de code distant"
340
- },
341
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
342
- "properties": {
343
- "severity": "CRITICAL",
344
- "confidence": "high",
345
- "mitre": "T1105"
346
- }
347
- },
348
- {
349
- "id": "MUADDIB-PKG-003",
350
- "name": "Wget Pipe to Shell in Script",
351
- "shortDescription": {
352
- "text": "Script lifecycle execute wget | sh - telechargement et execution de code distant"
353
- },
354
- "fullDescription": {
355
- "text": "Script lifecycle execute wget | sh - telechargement et execution de code distant"
356
- },
357
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
358
- "properties": {
359
- "severity": "CRITICAL",
360
- "confidence": "high",
361
- "mitre": "T1105"
362
- }
363
- },
364
- {
365
- "id": "MUADDIB-PKG-004",
366
- "name": "Eval in Lifecycle Script",
367
- "shortDescription": {
368
- "text": "Utilisation de eval() dans un script lifecycle - execution de code dynamique"
369
- },
370
- "fullDescription": {
371
- "text": "Utilisation de eval() dans un script lifecycle - execution de code dynamique"
372
- },
373
- "helpUri": "https://owasp.org/www-community/attacks/Command_Injection",
374
- "properties": {
375
- "severity": "HIGH",
376
- "confidence": "medium",
377
- "mitre": "T1059.007"
378
- }
379
- },
380
- {
381
- "id": "MUADDIB-PKG-005",
382
- "name": "Child Process in Lifecycle Script",
383
- "shortDescription": {
384
- "text": "Reference a child_process dans un script lifecycle"
385
- },
386
- "fullDescription": {
387
- "text": "Reference a child_process dans un script lifecycle"
388
- },
389
- "helpUri": "https://owasp.org/www-community/attacks/Command_Injection",
390
- "properties": {
391
- "severity": "HIGH",
392
- "confidence": "medium",
393
- "mitre": "T1059"
394
- }
395
- },
396
- {
397
- "id": "MUADDIB-PKG-006",
398
- "name": "npmrc Access",
399
- "shortDescription": {
400
- "text": "Acces au fichier .npmrc detecte - risque de vol de token npm"
401
- },
402
- "fullDescription": {
403
- "text": "Acces au fichier .npmrc detecte - risque de vol de token npm"
404
- },
405
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
406
- "properties": {
407
- "severity": "HIGH",
408
- "confidence": "high",
409
- "mitre": "T1552.001"
410
- }
411
- },
412
- {
413
- "id": "MUADDIB-PKG-007",
414
- "name": "GitHub Token Access",
415
- "shortDescription": {
416
- "text": "Acces au GITHUB_TOKEN detecte"
417
- },
418
- "fullDescription": {
419
- "text": "Acces au GITHUB_TOKEN detecte"
420
- },
421
- "helpUri": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions",
422
- "properties": {
423
- "severity": "HIGH",
424
- "confidence": "high",
425
- "mitre": "T1552.001"
426
- }
427
- },
428
- {
429
- "id": "MUADDIB-PKG-008",
430
- "name": "AWS Credential Access",
431
- "shortDescription": {
432
- "text": "Acces aux credentials AWS detecte"
433
- },
434
- "fullDescription": {
435
- "text": "Acces aux credentials AWS detecte"
436
- },
437
- "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
438
- "properties": {
439
- "severity": "HIGH",
440
- "confidence": "high",
441
- "mitre": "T1552.001"
442
- }
443
- },
444
- {
445
- "id": "MUADDIB-PKG-009",
446
- "name": "Base64 Encoding in Script",
447
- "shortDescription": {
448
- "text": "Encodage base64 dans un script lifecycle - souvent utilise pour obfusquer du code malveillant"
449
- },
450
- "fullDescription": {
451
- "text": "Encodage base64 dans un script lifecycle - souvent utilise pour obfusquer du code malveillant"
452
- },
453
- "helpUri": "https://attack.mitre.org/techniques/T1027/",
454
- "properties": {
455
- "severity": "MEDIUM",
456
- "confidence": "low",
457
- "mitre": "T1027"
458
- }
459
- },
460
- {
461
- "id": "MUADDIB-SHELL-004",
462
- "name": "Curl Pipe to Shell",
463
- "shortDescription": {
464
- "text": "Telechargement et execution via curl | sh dans un script shell"
465
- },
466
- "fullDescription": {
467
- "text": "Telechargement et execution via curl | sh dans un script shell"
468
- },
469
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
470
- "properties": {
471
- "severity": "CRITICAL",
472
- "confidence": "high",
473
- "mitre": "T1105"
474
- }
475
- },
476
- {
477
- "id": "MUADDIB-SHELL-005",
478
- "name": "Wget Download and Execute",
479
- "shortDescription": {
480
- "text": "Telechargement et execution de binaire via wget + chmod"
481
- },
482
- "fullDescription": {
483
- "text": "Telechargement et execution de binaire via wget + chmod"
484
- },
485
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
486
- "properties": {
487
- "severity": "CRITICAL",
488
- "confidence": "high",
489
- "mitre": "T1105"
490
- }
491
- },
492
- {
493
- "id": "MUADDIB-SHELL-006",
494
- "name": "Netcat Shell",
495
- "shortDescription": {
496
- "text": "Shell netcat detecte - acces distant non autorise"
497
- },
498
- "fullDescription": {
499
- "text": "Shell netcat detecte - acces distant non autorise"
500
- },
501
- "helpUri": "https://attack.mitre.org/techniques/T1059/004/",
502
- "properties": {
503
- "severity": "CRITICAL",
504
- "confidence": "high",
505
- "mitre": "T1059.004"
506
- }
507
- },
508
- {
509
- "id": "MUADDIB-SHELL-007",
510
- "name": "Home Directory Destruction",
511
- "shortDescription": {
512
- "text": "Destruction de donnees (shred $HOME) - dead man's switch de Shai-Hulud"
513
- },
514
- "fullDescription": {
515
- "text": "Destruction de donnees (shred $HOME) - dead man's switch de Shai-Hulud"
516
- },
517
- "helpUri": "https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack",
518
- "properties": {
519
- "severity": "CRITICAL",
520
- "confidence": "high",
521
- "mitre": "T1485"
522
- }
523
- },
524
- {
525
- "id": "MUADDIB-SHELL-008",
526
- "name": "Data Exfiltration via Curl",
527
- "shortDescription": {
528
- "text": "Exfiltration de donnees via curl POST"
529
- },
530
- "fullDescription": {
531
- "text": "Exfiltration de donnees via curl POST"
532
- },
533
- "helpUri": "https://attack.mitre.org/techniques/T1041/",
534
- "properties": {
535
- "severity": "HIGH",
536
- "confidence": "high",
537
- "mitre": "T1041"
538
- }
539
- },
540
- {
541
- "id": "MUADDIB-SHELL-009",
542
- "name": "SSH Key Access",
543
- "shortDescription": {
544
- "text": "Acces aux cles SSH detecte"
545
- },
546
- "fullDescription": {
547
- "text": "Acces aux cles SSH detecte"
548
- },
549
- "helpUri": "https://attack.mitre.org/techniques/T1552/004/",
550
- "properties": {
551
- "severity": "HIGH",
552
- "confidence": "high",
553
- "mitre": "T1552.004"
554
- }
555
- },
556
- {
557
- "id": "MUADDIB-SHELL-010",
558
- "name": "Python Reverse Shell",
559
- "shortDescription": {
560
- "text": "Reverse shell via python -c import socket detecte"
561
- },
562
- "fullDescription": {
563
- "text": "Reverse shell via python -c import socket detecte"
564
- },
565
- "helpUri": "https://attack.mitre.org/techniques/T1059/004/",
566
- "properties": {
567
- "severity": "CRITICAL",
568
- "confidence": "high",
569
- "mitre": "T1059.006"
570
- }
571
- },
572
- {
573
- "id": "MUADDIB-SHELL-011",
574
- "name": "Perl Reverse Shell",
575
- "shortDescription": {
576
- "text": "Reverse shell via perl -e socket detecte"
577
- },
578
- "fullDescription": {
579
- "text": "Reverse shell via perl -e socket detecte"
580
- },
581
- "helpUri": "https://attack.mitre.org/techniques/T1059/004/",
582
- "properties": {
583
- "severity": "CRITICAL",
584
- "confidence": "high",
585
- "mitre": "T1059.006"
586
- }
587
- },
588
- {
589
- "id": "MUADDIB-SHELL-012",
590
- "name": "FIFO Reverse Shell",
591
- "shortDescription": {
592
- "text": "Reverse shell via mkfifo /dev/tcp detecte"
593
- },
594
- "fullDescription": {
595
- "text": "Reverse shell via mkfifo /dev/tcp detecte"
596
- },
597
- "helpUri": "https://attack.mitre.org/techniques/T1059/004/",
598
- "properties": {
599
- "severity": "CRITICAL",
600
- "confidence": "high",
601
- "mitre": "T1059.004"
602
- }
603
- },
604
- {
605
- "id": "MUADDIB-SHELL-013",
606
- "name": "FIFO + Netcat Reverse Shell",
607
- "shortDescription": {
608
- "text": "Reverse shell via mkfifo + netcat (sans /dev/tcp). Technique alternative de reverse shell utilisant un named pipe."
609
- },
610
- "fullDescription": {
611
- "text": "Reverse shell via mkfifo + netcat (sans /dev/tcp). Technique alternative de reverse shell utilisant un named pipe."
612
- },
613
- "helpUri": "https://attack.mitre.org/techniques/T1059/004/",
614
- "properties": {
615
- "severity": "CRITICAL",
616
- "confidence": "high",
617
- "mitre": "T1059.004"
618
- }
619
- },
620
- {
621
- "id": "MUADDIB-SHELL-014",
622
- "name": "Base64 Decode Pipe to Shell",
623
- "shortDescription": {
624
- "text": "Payload encode en base64 decode et pipe vers bash/sh. Technique d'obfuscation courante pour cacher des commandes malveillantes."
625
- },
626
- "fullDescription": {
627
- "text": "Payload encode en base64 decode et pipe vers bash/sh. Technique d'obfuscation courante pour cacher des commandes malveillantes."
628
- },
629
- "helpUri": "https://attack.mitre.org/techniques/T1140/",
630
- "properties": {
631
- "severity": "CRITICAL",
632
- "confidence": "high",
633
- "mitre": "T1140"
634
- }
635
- },
636
- {
637
- "id": "MUADDIB-SHELL-015",
638
- "name": "Wget + Base64 Decode",
639
- "shortDescription": {
640
- "text": "Telechargement via wget suivi de decodage base64. Pattern de staging en deux etapes pour dropper un payload."
641
- },
642
- "fullDescription": {
643
- "text": "Telechargement via wget suivi de decodage base64. Pattern de staging en deux etapes pour dropper un payload."
644
- },
645
- "helpUri": "https://attack.mitre.org/techniques/T1105/",
646
- "properties": {
647
- "severity": "HIGH",
648
- "confidence": "high",
649
- "mitre": "T1105"
650
- }
651
- },
652
- {
653
- "id": "MUADDIB-OBF-002",
654
- "name": "Possible Code Obfuscation",
655
- "shortDescription": {
656
- "text": "Fichier potentiellement obfusque (parse echoue, code dense)"
657
- },
658
- "fullDescription": {
659
- "text": "Fichier potentiellement obfusque (parse echoue, code dense)"
660
- },
661
- "helpUri": "https://attack.mitre.org/techniques/T1027/",
662
- "properties": {
663
- "severity": "MEDIUM",
664
- "confidence": "low",
665
- "mitre": "T1027"
666
- }
667
- },
668
- {
669
- "id": "MUADDIB-AST-006",
670
- "name": "Dynamic Require with Concatenation",
671
- "shortDescription": {
672
- "text": "require() avec concatenation de chaines — technique d'obfuscation pour masquer le nom du module"
673
- },
674
- "fullDescription": {
675
- "text": "require() avec concatenation de chaines — technique d'obfuscation pour masquer le nom du module"
676
- },
677
- "helpUri": "https://attack.mitre.org/techniques/T1027/",
678
- "properties": {
679
- "severity": "HIGH",
680
- "confidence": "high",
681
- "mitre": "T1027"
682
- }
683
- },
684
- {
685
- "id": "MUADDIB-AST-007",
686
- "name": "Dangerous Shell Command Execution",
687
- "shortDescription": {
688
- "text": "exec() avec commande shell dangereuse (pipe to shell, reverse shell, netcat)"
689
- },
690
- "fullDescription": {
691
- "text": "exec() avec commande shell dangereuse (pipe to shell, reverse shell, netcat)"
692
- },
693
- "helpUri": "https://owasp.org/www-community/attacks/Command_Injection",
694
- "properties": {
695
- "severity": "CRITICAL",
696
- "confidence": "high",
697
- "mitre": "T1059.004"
698
- }
699
- },
700
- {
701
- "id": "MUADDIB-FLOW-002",
702
- "name": "Staged Payload Execution",
703
- "shortDescription": {
704
- "text": "Telechargement reseau + eval() dans le meme fichier — execution de payload distant"
705
- },
706
- "fullDescription": {
707
- "text": "Telechargement reseau + eval() dans le meme fichier — execution de payload distant"
708
- },
709
- "helpUri": "https://attack.mitre.org/techniques/T1105/",
710
- "properties": {
711
- "severity": "CRITICAL",
712
- "confidence": "high",
713
- "mitre": "T1105"
714
- }
715
- },
716
- {
717
- "id": "MUADDIB-PKG-011",
718
- "name": "Network Module in Lifecycle Script",
719
- "shortDescription": {
720
- "text": "require(https/http) dans un script lifecycle — telechargement au moment de l'installation"
721
- },
722
- "fullDescription": {
723
- "text": "require(https/http) dans un script lifecycle — telechargement au moment de l'installation"
724
- },
725
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
726
- "properties": {
727
- "severity": "HIGH",
728
- "confidence": "high",
729
- "mitre": "T1105"
730
- }
731
- },
732
- {
733
- "id": "MUADDIB-PKG-012",
734
- "name": "Node Inline Execution in Lifecycle Script",
735
- "shortDescription": {
736
- "text": "node -e dans un script lifecycle — execution de code inline au moment de l'installation"
737
- },
738
- "fullDescription": {
739
- "text": "node -e dans un script lifecycle — execution de code inline au moment de l'installation"
740
- },
741
- "helpUri": "https://owasp.org/www-community/attacks/Command_Injection",
742
- "properties": {
743
- "severity": "HIGH",
744
- "confidence": "high",
745
- "mitre": "T1059.007"
746
- }
747
- },
748
- {
749
- "id": "MUADDIB-AST-008",
750
- "name": "Dynamic import() of Dangerous Module",
751
- "shortDescription": {
752
- "text": "import() dynamique pour charger un module dangereux ou avec argument calcule — technique d'evasion pour eviter la detection de require()"
753
- },
754
- "fullDescription": {
755
- "text": "import() dynamique pour charger un module dangereux ou avec argument calcule — technique d'evasion pour eviter la detection de require()"
756
- },
757
- "helpUri": "https://attack.mitre.org/techniques/T1027/",
758
- "properties": {
759
- "severity": "HIGH",
760
- "confidence": "high",
761
- "mitre": "T1027"
762
- }
763
- },
764
- {
765
- "id": "MUADDIB-AST-009",
766
- "name": "Environment Variable Proxy Interception",
767
- "shortDescription": {
768
- "text": "new Proxy(process.env) detecte — intercepte silencieusement tous les acces aux variables d'environnement pour exfiltration"
769
- },
770
- "fullDescription": {
771
- "text": "new Proxy(process.env) detecte — intercepte silencieusement tous les acces aux variables d'environnement pour exfiltration"
772
- },
773
- "helpUri": "https://attack.mitre.org/techniques/T1552/001/",
774
- "properties": {
775
- "severity": "CRITICAL",
776
- "confidence": "high",
777
- "mitre": "T1552.001"
778
- }
779
- },
780
- {
781
- "id": "MUADDIB-AST-010",
782
- "name": "Command Execution via Dynamic Require",
783
- "shortDescription": {
784
- "text": "exec/execSync appele sur un module charge dynamiquement (require obfusque) — execution de commandes dissimulees"
785
- },
786
- "fullDescription": {
787
- "text": "exec/execSync appele sur un module charge dynamiquement (require obfusque) — execution de commandes dissimulees"
788
- },
789
- "helpUri": "https://attack.mitre.org/techniques/T1059/007/",
790
- "properties": {
791
- "severity": "CRITICAL",
792
- "confidence": "high",
793
- "mitre": "T1059.007"
794
- }
795
- },
796
- {
797
- "id": "MUADDIB-AST-011",
798
- "name": "Sandbox/Container Evasion",
799
- "shortDescription": {
800
- "text": "Detection de sandbox/container (/.dockerenv, /proc/cgroup) — technique anti-analyse pour eviter la detection en environnement controle"
801
- },
802
- "fullDescription": {
803
- "text": "Detection de sandbox/container (/.dockerenv, /proc/cgroup) — technique anti-analyse pour eviter la detection en environnement controle"
804
- },
805
- "helpUri": "https://attack.mitre.org/techniques/T1497/001/",
806
- "properties": {
807
- "severity": "HIGH",
808
- "confidence": "high",
809
- "mitre": "T1497.001"
810
- }
811
- },
812
- {
813
- "id": "MUADDIB-AST-012",
814
- "name": "Detached Background Process",
815
- "shortDescription": {
816
- "text": "spawn/fork avec {detached: true} — le processus survit a la fin de npm install et execute le payload en arriere-plan"
817
- },
818
- "fullDescription": {
819
- "text": "spawn/fork avec {detached: true} — le processus survit a la fin de npm install et execute le payload en arriere-plan"
820
- },
821
- "helpUri": "https://attack.mitre.org/techniques/T1036/009/",
822
- "properties": {
823
- "severity": "HIGH",
824
- "confidence": "high",
825
- "mitre": "T1036.009"
826
- }
827
- },
828
- {
829
- "id": "MUADDIB-AST-005",
830
- "name": "new Function() Constructor",
831
- "shortDescription": {
832
- "text": "Appel new Function() detecte - equivalent a eval()"
833
- },
834
- "fullDescription": {
835
- "text": "Appel new Function() detecte - equivalent a eval()"
836
- },
837
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function",
838
- "properties": {
839
- "severity": "HIGH",
840
- "confidence": "high",
841
- "mitre": "T1059.007"
842
- }
843
- },
844
- {
845
- "id": "MUADDIB-AST-014",
846
- "name": "Credential Theft via CLI Tool",
847
- "shortDescription": {
848
- "text": "exec/execSync appelle un outil CLI legitime pour voler des tokens d'authentification (gh auth token, gcloud auth, aws sts). Technique s1ngularity/Nx."
849
- },
850
- "fullDescription": {
851
- "text": "exec/execSync appelle un outil CLI legitime pour voler des tokens d'authentification (gh auth token, gcloud auth, aws sts). Technique s1ngularity/Nx."
852
- },
853
- "helpUri": "https://snyk.io/blog/malicious-npm-packages-abuse-ai-agents/",
854
- "properties": {
855
- "severity": "CRITICAL",
856
- "confidence": "high",
857
- "mitre": "T1059"
858
- }
859
- },
860
- {
861
- "id": "MUADDIB-AST-015",
862
- "name": "GitHub Actions Workflow Write",
863
- "shortDescription": {
864
- "text": "fs.writeFileSync cree un fichier dans .github/workflows — injection de workflow GitHub Actions pour persistence. Technique Shai-Hulud 2.0."
865
- },
866
- "fullDescription": {
867
- "text": "fs.writeFileSync cree un fichier dans .github/workflows — injection de workflow GitHub Actions pour persistence. Technique Shai-Hulud 2.0."
868
- },
869
- "helpUri": "https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack",
870
- "properties": {
871
- "severity": "CRITICAL",
872
- "confidence": "high",
873
- "mitre": "T1195.002"
874
- }
875
- },
876
- {
877
- "id": "MUADDIB-AST-016",
878
- "name": "Binary Dropper Pattern",
879
- "shortDescription": {
880
- "text": "fs.chmodSync avec permissions executables (0o755/0o777) — pattern de dropper binaire: telecharge, ecrit, chmod, execute."
881
- },
882
- "fullDescription": {
883
- "text": "fs.chmodSync avec permissions executables (0o755/0o777) — pattern de dropper binaire: telecharge, ecrit, chmod, execute."
884
- },
885
- "helpUri": "https://www.sonatype.com/blog/phantomraven-supply-chain-attack",
886
- "properties": {
887
- "severity": "CRITICAL",
888
- "confidence": "high",
889
- "mitre": "T1105"
890
- }
891
- },
892
- {
893
- "id": "MUADDIB-AST-017",
894
- "name": "Native API Prototype Hooking",
895
- "shortDescription": {
896
- "text": "Modification du prototype ou remplacement de fonctions natives du navigateur/Node.js (fetch, XMLHttpRequest, http.request). Technique chalk/debug (Sygnia, sept 2025) pour intercepter du trafic."
897
- },
898
- "fullDescription": {
899
- "text": "Modification du prototype ou remplacement de fonctions natives du navigateur/Node.js (fetch, XMLHttpRequest, http.request). Technique chalk/debug (Sygnia, sept 2025) pour intercepter du trafic."
900
- },
901
- "helpUri": "https://www.sygnia.co/blog/malicious-chalk-debug-npm-packages/",
902
- "properties": {
903
- "severity": "HIGH",
904
- "confidence": "high",
905
- "mitre": "T1557"
906
- }
907
- },
908
- {
909
- "id": "MUADDIB-AICONF-001",
910
- "name": "AI Config Prompt Injection",
911
- "shortDescription": {
912
- "text": "Fichier de configuration d'agent IA (.cursorrules, CLAUDE.md, copilot-instructions.md) contient des instructions d'execution de commandes shell ou d'acces a des credentials. Technique ToxicSkills/Clinejection."
913
- },
914
- "fullDescription": {
915
- "text": "Fichier de configuration d'agent IA (.cursorrules, CLAUDE.md, copilot-instructions.md) contient des instructions d'execution de commandes shell ou d'acces a des credentials. Technique ToxicSkills/Clinejection."
916
- },
917
- "helpUri": "https://snyk.io/blog/toxicskills-prompt-injection-ai-agents/",
918
- "properties": {
919
- "severity": "HIGH",
920
- "confidence": "high",
921
- "mitre": "T1059"
922
- }
923
- },
924
- {
925
- "id": "MUADDIB-AICONF-002",
926
- "name": "AI Config Prompt Injection (Critical)",
927
- "shortDescription": {
928
- "text": "Fichier de configuration d'agent IA contient des commandes d'exfiltration (curl POST vers un domaine externe, pipe vers shell) ou une combinaison commande shell + acces credentials. Attaque confirmee."
929
- },
930
- "fullDescription": {
931
- "text": "Fichier de configuration d'agent IA contient des commandes d'exfiltration (curl POST vers un domaine externe, pipe vers shell) ou une combinaison commande shell + acces credentials. Attaque confirmee."
932
- },
933
- "helpUri": "https://snyk.io/blog/toxicskills-prompt-injection-ai-agents/",
934
- "properties": {
935
- "severity": "CRITICAL",
936
- "confidence": "high",
937
- "mitre": "T1059"
938
- }
939
- },
940
- {
941
- "id": "MUADDIB-AST-019",
942
- "name": "Require Cache Poisoning",
943
- "shortDescription": {
944
- "text": "Acces a require.cache pour remplacer ou hijacker des modules Node.js charges. Technique de cache poisoning pour intercepter du trafic ou injecter du code."
945
- },
946
- "fullDescription": {
947
- "text": "Acces a require.cache pour remplacer ou hijacker des modules Node.js charges. Technique de cache poisoning pour intercepter du trafic ou injecter du code."
948
- },
949
- "helpUri": "https://attack.mitre.org/techniques/T1574/006/",
950
- "properties": {
951
- "severity": "CRITICAL",
952
- "confidence": "high",
953
- "mitre": "T1574.006"
954
- }
955
- },
956
- {
957
- "id": "MUADDIB-AST-020",
958
- "name": "Staged Binary Payload Execution",
959
- "shortDescription": {
960
- "text": "Reference a un fichier binaire (.png/.jpg/.wasm) combinee avec eval() dans le meme fichier. Possible execution de payload steganographique cache dans une image."
961
- },
962
- "fullDescription": {
963
- "text": "Reference a un fichier binaire (.png/.jpg/.wasm) combinee avec eval() dans le meme fichier. Possible execution de payload steganographique cache dans une image."
964
- },
965
- "helpUri": "https://attack.mitre.org/techniques/T1027/003/",
966
- "properties": {
967
- "severity": "HIGH",
968
- "confidence": "high",
969
- "mitre": "T1027.003"
970
- }
971
- },
972
- {
973
- "id": "MUADDIB-AST-021",
974
- "name": "Staged Eval Decode",
975
- "shortDescription": {
976
- "text": "eval() ou Function() recoit un argument decode (atob ou Buffer.from base64). Pattern classique de staged payload: le code malveillant est encode en base64 puis decode et execute dynamiquement."
977
- },
978
- "fullDescription": {
979
- "text": "eval() ou Function() recoit un argument decode (atob ou Buffer.from base64). Pattern classique de staged payload: le code malveillant est encode en base64 puis decode et execute dynamiquement."
980
- },
981
- "helpUri": "https://attack.mitre.org/techniques/T1140/",
982
- "properties": {
983
- "severity": "CRITICAL",
984
- "confidence": "high",
985
- "mitre": "T1140"
986
- }
987
- },
988
- {
989
- "id": "MUADDIB-AST-018",
990
- "name": "Environment Variable Key Reconstruction",
991
- "shortDescription": {
992
- "text": "process.env accede avec une cle reconstruite dynamiquement via String.fromCharCode. Technique d'obfuscation pour eviter la detection statique des noms de variables sensibles (GITHUB_TOKEN, etc.)."
993
- },
994
- "fullDescription": {
995
- "text": "process.env accede avec une cle reconstruite dynamiquement via String.fromCharCode. Technique d'obfuscation pour eviter la detection statique des noms de variables sensibles (GITHUB_TOKEN, etc.)."
996
- },
997
- "helpUri": "https://attack.mitre.org/techniques/T1027/",
998
- "properties": {
999
- "severity": "HIGH",
1000
- "confidence": "high",
1001
- "mitre": "T1027"
1002
- }
1003
- },
1004
- {
1005
- "id": "MUADDIB-PKG-016",
1006
- "name": "Lifecycle Script Targets Hidden Payload",
1007
- "shortDescription": {
1008
- "text": "Script lifecycle pointe vers un fichier dans node_modules/ — technique de dissimulation de payload. Les scanners excluent node_modules/ par defaut, rendant le payload invisible. Pattern DPRK/Lazarus interview attack."
1009
- },
1010
- "fullDescription": {
1011
- "text": "Script lifecycle pointe vers un fichier dans node_modules/ — technique de dissimulation de payload. Les scanners excluent node_modules/ par defaut, rendant le payload invisible. Pattern DPRK/Lazarus interview attack."
1012
- },
1013
- "helpUri": "https://unit42.paloaltonetworks.com/operation-dream-job/",
1014
- "properties": {
1015
- "severity": "CRITICAL",
1016
- "confidence": "high",
1017
- "mitre": "T1027.009"
1018
- }
1019
- },
1020
- {
1021
- "id": "MUADDIB-PKG-010",
1022
- "name": "Lifecycle Script Pipes to Shell",
1023
- "shortDescription": {
1024
- "text": "Script lifecycle (preinstall/install/postinstall) execute curl | sh ou wget | bash — telecharge et execute du code distant au moment de npm install."
1025
- },
1026
- "fullDescription": {
1027
- "text": "Script lifecycle (preinstall/install/postinstall) execute curl | sh ou wget | bash — telecharge et execute du code distant au moment de npm install."
1028
- },
1029
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
1030
- "properties": {
1031
- "severity": "CRITICAL",
1032
- "confidence": "high",
1033
- "mitre": "T1195.002"
1034
- }
1035
- },
1036
- {
1037
- "id": "MUADDIB-FLOW-004",
1038
- "name": "Cross-File Data Exfiltration",
1039
- "shortDescription": {
1040
- "text": "Un module lit des credentials (fs.readFileSync, process.env) et les exporte vers un autre module qui les envoie sur le reseau (fetch, https.request). Exfiltration inter-fichiers confirmee."
1041
- },
1042
- "fullDescription": {
1043
- "text": "Un module lit des credentials (fs.readFileSync, process.env) et les exporte vers un autre module qui les envoie sur le reseau (fetch, https.request). Exfiltration inter-fichiers confirmee."
1044
- },
1045
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
1046
- "properties": {
1047
- "severity": "CRITICAL",
1048
- "confidence": "high",
1049
- "mitre": "T1041"
1050
- }
1051
- },
1052
- {
1053
- "id": "MUADDIB-FLOW-003",
1054
- "name": "Credential/Cache Tampering",
1055
- "shortDescription": {
1056
- "text": "Ecriture dans un chemin sensible (cache npm _cacache, cache yarn, credentials). Possible cache poisoning: injection de code malveillant dans des packages caches."
1057
- },
1058
- "fullDescription": {
1059
- "text": "Ecriture dans un chemin sensible (cache npm _cacache, cache yarn, credentials). Possible cache poisoning: injection de code malveillant dans des packages caches."
1060
- },
1061
- "helpUri": "https://attack.mitre.org/techniques/T1565/001/",
1062
- "properties": {
1063
- "severity": "CRITICAL",
1064
- "confidence": "high",
1065
- "mitre": "T1565.001"
1066
- }
1067
- },
1068
- {
1069
- "id": "MUADDIB-AST-022",
1070
- "name": "Encrypted Payload Decryption",
1071
- "shortDescription": {
1072
- "text": "crypto.createDecipher/createDecipheriv detecte. Dechiffrement runtime de payload embarque. Pattern canonique de flatmap-stream/event-stream."
1073
- },
1074
- "fullDescription": {
1075
- "text": "crypto.createDecipher/createDecipheriv detecte. Dechiffrement runtime de payload embarque. Pattern canonique de flatmap-stream/event-stream."
1076
- },
1077
- "helpUri": "https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/",
1078
- "properties": {
1079
- "severity": "HIGH",
1080
- "confidence": "high",
1081
- "mitre": "T1140"
1082
- }
1083
- },
1084
- {
1085
- "id": "MUADDIB-AST-023",
1086
- "name": "Module Compile Execution",
1087
- "shortDescription": {
1088
- "text": "module._compile() detecte. Execution de code arbitraire a partir d'une chaine dans le contexte module. Technique cle de flatmap-stream."
1089
- },
1090
- "fullDescription": {
1091
- "text": "module._compile() detecte. Execution de code arbitraire a partir d'une chaine dans le contexte module. Technique cle de flatmap-stream."
1092
- },
1093
- "helpUri": "https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident",
1094
- "properties": {
1095
- "severity": "HIGH",
1096
- "confidence": "high",
1097
- "mitre": "T1059"
1098
- }
1099
- },
1100
- {
1101
- "id": "MUADDIB-AST-024",
1102
- "name": "Obfuscated Payload via Zlib Inflate",
1103
- "shortDescription": {
1104
- "text": "Payload obfusque: zlib inflate + decodage base64 + execution dynamique (eval/Function/Module._compile) dans le meme fichier. Aucun package legitime n'utilise ce pattern. Technique SANDWORM_MODE (fev. 2026)."
1105
- },
1106
- "fullDescription": {
1107
- "text": "Payload obfusque: zlib inflate + decodage base64 + execution dynamique (eval/Function/Module._compile) dans le meme fichier. Aucun package legitime n'utilise ce pattern. Technique SANDWORM_MODE (fev. 2026)."
1108
- },
1109
- "helpUri": "https://socket.dev/blog/sandworm-mode-campaign",
1110
- "properties": {
1111
- "severity": "CRITICAL",
1112
- "confidence": "high",
1113
- "mitre": "T1027.002"
1114
- }
1115
- },
1116
- {
1117
- "id": "MUADDIB-AST-025",
1118
- "name": "Dynamic Module Compile Execution",
1119
- "shortDescription": {
1120
- "text": "Module._compile() avec argument dynamique (non-literal). Execution de code en memoire sans ecriture sur disque. Technique d'evasion malware courante."
1121
- },
1122
- "fullDescription": {
1123
- "text": "Module._compile() avec argument dynamique (non-literal). Execution de code en memoire sans ecriture sur disque. Technique d'evasion malware courante."
1124
- },
1125
- "helpUri": "https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident",
1126
- "properties": {
1127
- "severity": "HIGH",
1128
- "confidence": "high",
1129
- "mitre": "T1059"
1130
- }
1131
- },
1132
- {
1133
- "id": "MUADDIB-AST-026",
1134
- "name": "Anti-Forensics Write-Execute-Delete",
1135
- "shortDescription": {
1136
- "text": "Anti-forensique: ecriture dans un repertoire temporaire, execution, puis suppression. Pattern typique de staging malware pour eviter la detection post-mortem."
1137
- },
1138
- "fullDescription": {
1139
- "text": "Anti-forensique: ecriture dans un repertoire temporaire, execution, puis suppression. Pattern typique de staging malware pour eviter la detection post-mortem."
1140
- },
1141
- "helpUri": "https://attack.mitre.org/techniques/T1070/004/",
1142
- "properties": {
1143
- "severity": "HIGH",
1144
- "confidence": "high",
1145
- "mitre": "T1070.004"
1146
- }
1147
- },
1148
- {
1149
- "id": "MUADDIB-AST-027",
1150
- "name": "MCP Config Injection",
1151
- "shortDescription": {
1152
- "text": "Injection de configuration MCP: ecriture dans les fichiers de configuration d'assistants IA (.claude/, .cursor/, .continue/, .vscode/, .windsurf/). Technique SANDWORM_MODE pour empoisonner la chaine d'outils IA."
1153
- },
1154
- "fullDescription": {
1155
- "text": "Injection de configuration MCP: ecriture dans les fichiers de configuration d'assistants IA (.claude/, .cursor/, .continue/, .vscode/, .windsurf/). Technique SANDWORM_MODE pour empoisonner la chaine d'outils IA."
1156
- },
1157
- "helpUri": "https://attack.mitre.org/techniques/T1546/016/",
1158
- "properties": {
1159
- "severity": "CRITICAL",
1160
- "confidence": "high",
1161
- "mitre": "T1546.016"
1162
- }
1163
- },
1164
- {
1165
- "id": "MUADDIB-AST-028",
1166
- "name": "Git Hooks Injection",
1167
- "shortDescription": {
1168
- "text": "Injection de hooks Git: ecriture dans .git/hooks/ ou modification de git config init.templateDir. Technique de persistence via hooks pre-commit, pre-push, post-checkout."
1169
- },
1170
- "fullDescription": {
1171
- "text": "Injection de hooks Git: ecriture dans .git/hooks/ ou modification de git config init.templateDir. Technique de persistence via hooks pre-commit, pre-push, post-checkout."
1172
- },
1173
- "helpUri": "https://attack.mitre.org/techniques/T1546/004/",
1174
- "properties": {
1175
- "severity": "HIGH",
1176
- "confidence": "high",
1177
- "mitre": "T1546.004"
1178
- }
1179
- },
1180
- {
1181
- "id": "MUADDIB-AST-029",
1182
- "name": "Dynamic Environment Variable Harvesting",
1183
- "shortDescription": {
1184
- "text": "Collecte dynamique de variables d'environnement via Object.entries/keys/values(process.env) avec filtrage par patterns sensibles (TOKEN, SECRET, KEY, PASSWORD, AWS, SSH). Technique de vol de credentials."
1185
- },
1186
- "fullDescription": {
1187
- "text": "Collecte dynamique de variables d'environnement via Object.entries/keys/values(process.env) avec filtrage par patterns sensibles (TOKEN, SECRET, KEY, PASSWORD, AWS, SSH). Technique de vol de credentials."
1188
- },
1189
- "helpUri": "https://attack.mitre.org/techniques/T1552/001/",
1190
- "properties": {
1191
- "severity": "HIGH",
1192
- "confidence": "high",
1193
- "mitre": "T1552.001"
1194
- }
1195
- },
1196
- {
1197
- "id": "MUADDIB-AST-030",
1198
- "name": "DNS Chunk Exfiltration",
1199
- "shortDescription": {
1200
- "text": "Exfiltration DNS: donnees encodees en base64 dans les requetes DNS. Canal covert pour contourner les firewalls. Pattern: dns.resolve + Buffer.from().toString(\"base64\")."
1201
- },
1202
- "fullDescription": {
1203
- "text": "Exfiltration DNS: donnees encodees en base64 dans les requetes DNS. Canal covert pour contourner les firewalls. Pattern: dns.resolve + Buffer.from().toString(\"base64\")."
1204
- },
1205
- "helpUri": "https://attack.mitre.org/techniques/T1048/003/",
1206
- "properties": {
1207
- "severity": "HIGH",
1208
- "confidence": "high",
1209
- "mitre": "T1048.003"
1210
- }
1211
- },
1212
- {
1213
- "id": "MUADDIB-AST-031",
1214
- "name": "LLM API Key Harvesting",
1215
- "shortDescription": {
1216
- "text": "Collecte de cles API LLM: acces a 3+ variables d'environnement de providers IA (OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, etc.). Vecteur de monetisation."
1217
- },
1218
- "fullDescription": {
1219
- "text": "Collecte de cles API LLM: acces a 3+ variables d'environnement de providers IA (OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, etc.). Vecteur de monetisation."
1220
- },
1221
- "helpUri": "https://attack.mitre.org/techniques/T1552/001/",
1222
- "properties": {
1223
- "severity": "MEDIUM",
1224
- "confidence": "medium",
1225
- "mitre": "T1552.001"
1226
- }
1227
- },
1228
- {
1229
- "id": "MUADDIB-AST-013",
1230
- "name": "AI Agent Weaponization",
1231
- "shortDescription": {
1232
- "text": "Invocation d'un agent IA (Claude, Gemini, Q, Aider) avec des flags qui desactivent les controles de securite (--dangerously-skip-permissions, --yolo, --trust-all-tools). Technique s1ngularity/Nx (aout 2025)."
1233
- },
1234
- "fullDescription": {
1235
- "text": "Invocation d'un agent IA (Claude, Gemini, Q, Aider) avec des flags qui desactivent les controles de securite (--dangerously-skip-permissions, --yolo, --trust-all-tools). Technique s1ngularity/Nx (aout 2025)."
1236
- },
1237
- "helpUri": "https://snyk.io/blog/malicious-npm-packages-abuse-ai-agents/",
1238
- "properties": {
1239
- "severity": "CRITICAL",
1240
- "confidence": "high",
1241
- "mitre": "T1059"
1242
- }
1243
- },
1244
- {
1245
- "id": "MUADDIB-GHA-001",
1246
- "name": "Shai-Hulud GitHub Actions Backdoor",
1247
- "shortDescription": {
1248
- "text": "Backdoor Shai-Hulud dans GitHub Actions via workflow discussion.yaml sur self-hosted runner"
1249
- },
1250
- "fullDescription": {
1251
- "text": "Backdoor Shai-Hulud dans GitHub Actions via workflow discussion.yaml sur self-hosted runner"
1252
- },
1253
- "helpUri": "https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack",
1254
- "properties": {
1255
- "severity": "CRITICAL",
1256
- "confidence": "high",
1257
- "mitre": "T1195.002"
1258
- }
1259
- },
1260
- {
1261
- "id": "MUADDIB-GHA-002",
1262
- "name": "GitHub Actions Workflow Injection",
1263
- "shortDescription": {
1264
- "text": "Injection potentielle dans GitHub Actions via input non sanitise sur self-hosted runner"
1265
- },
1266
- "fullDescription": {
1267
- "text": "Injection potentielle dans GitHub Actions via input non sanitise sur self-hosted runner"
1268
- },
1269
- "helpUri": "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions",
1270
- "properties": {
1271
- "severity": "HIGH",
1272
- "confidence": "high",
1273
- "mitre": "T1195.002"
1274
- }
1275
- },
1276
- {
1277
- "id": "MUADDIB-GHA-003",
1278
- "name": "GitHub Actions Pwn Request",
1279
- "shortDescription": {
1280
- "text": "Workflow pull_request_target avec checkout du head ref/sha de la PR — permet execution de code arbitraire (pwn request)"
1281
- },
1282
- "fullDescription": {
1283
- "text": "Workflow pull_request_target avec checkout du head ref/sha de la PR — permet execution de code arbitraire (pwn request)"
1284
- },
1285
- "helpUri": "https://securitylab.github.com/research/github-actions-preventing-pwn-requests/",
1286
- "properties": {
1287
- "severity": "CRITICAL",
1288
- "confidence": "high",
1289
- "mitre": "T1195.002"
1290
- }
1291
- },
1292
- {
1293
- "id": "MUADDIB-SANDBOX-001",
1294
- "name": "Sandbox: Sensitive File Read",
1295
- "shortDescription": {
1296
- "text": "Package reads sensitive credential files during install"
1297
- },
1298
- "fullDescription": {
1299
- "text": "Package reads sensitive credential files during install"
1300
- },
1301
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
1302
- "properties": {
1303
- "severity": "CRITICAL",
1304
- "confidence": "high",
1305
- "mitre": "T1552.001"
1306
- }
1307
- },
1308
- {
1309
- "id": "MUADDIB-SANDBOX-002",
1310
- "name": "Sandbox: Sensitive File Write",
1311
- "shortDescription": {
1312
- "text": "Package writes to sensitive credential files during install"
1313
- },
1314
- "fullDescription": {
1315
- "text": "Package writes to sensitive credential files during install"
1316
- },
1317
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
1318
- "properties": {
1319
- "severity": "CRITICAL",
1320
- "confidence": "high",
1321
- "mitre": "T1565.001"
1322
- }
1323
- },
1324
- {
1325
- "id": "MUADDIB-SANDBOX-003",
1326
- "name": "Sandbox: Suspicious Filesystem Change",
1327
- "shortDescription": {
1328
- "text": "Package creates files in suspicious system locations during install"
1329
- },
1330
- "fullDescription": {
1331
- "text": "Package creates files in suspicious system locations during install"
1332
- },
1333
- "helpUri": "https://attack.mitre.org/techniques/T1543/",
1334
- "properties": {
1335
- "severity": "HIGH",
1336
- "confidence": "high",
1337
- "mitre": "T1543"
1338
- }
1339
- },
1340
- {
1341
- "id": "MUADDIB-SANDBOX-004",
1342
- "name": "Sandbox: Suspicious DNS Query",
1343
- "shortDescription": {
1344
- "text": "Package resolves non-registry domain during install"
1345
- },
1346
- "fullDescription": {
1347
- "text": "Package resolves non-registry domain during install"
1348
- },
1349
- "helpUri": "https://attack.mitre.org/techniques/T1071/",
1350
- "properties": {
1351
- "severity": "HIGH",
1352
- "confidence": "medium",
1353
- "mitre": "T1071"
1354
- }
1355
- },
1356
- {
1357
- "id": "MUADDIB-SANDBOX-005",
1358
- "name": "Sandbox: Suspicious Network Connection",
1359
- "shortDescription": {
1360
- "text": "Package makes TCP connection to non-registry host during install"
1361
- },
1362
- "fullDescription": {
1363
- "text": "Package makes TCP connection to non-registry host during install"
1364
- },
1365
- "helpUri": "https://attack.mitre.org/techniques/T1071/",
1366
- "properties": {
1367
- "severity": "HIGH",
1368
- "confidence": "medium",
1369
- "mitre": "T1071"
1370
- }
1371
- },
1372
- {
1373
- "id": "MUADDIB-SANDBOX-006",
1374
- "name": "Sandbox: Dangerous Process Spawned",
1375
- "shortDescription": {
1376
- "text": "Package spawns dangerous command during install (curl, wget, nc, etc.)"
1377
- },
1378
- "fullDescription": {
1379
- "text": "Package spawns dangerous command during install (curl, wget, nc, etc.)"
1380
- },
1381
- "helpUri": "https://attack.mitre.org/techniques/T1059/",
1382
- "properties": {
1383
- "severity": "CRITICAL",
1384
- "confidence": "high",
1385
- "mitre": "T1059"
1386
- }
1387
- },
1388
- {
1389
- "id": "MUADDIB-SANDBOX-007",
1390
- "name": "Sandbox: Unknown Process Spawned",
1391
- "shortDescription": {
1392
- "text": "Package spawns unrecognized process during install"
1393
- },
1394
- "fullDescription": {
1395
- "text": "Package spawns unrecognized process during install"
1396
- },
1397
- "helpUri": "https://attack.mitre.org/techniques/T1059/",
1398
- "properties": {
1399
- "severity": "MEDIUM",
1400
- "confidence": "low",
1401
- "mitre": "T1059"
1402
- }
1403
- },
1404
- {
1405
- "id": "MUADDIB-SANDBOX-008",
1406
- "name": "Sandbox: Container Timeout",
1407
- "shortDescription": {
1408
- "text": "Package install exceeded sandbox timeout - possible infinite loop or resource exhaustion"
1409
- },
1410
- "fullDescription": {
1411
- "text": "Package install exceeded sandbox timeout - possible infinite loop or resource exhaustion"
1412
- },
1413
- "helpUri": "https://attack.mitre.org/techniques/T1499/",
1414
- "properties": {
1415
- "severity": "CRITICAL",
1416
- "confidence": "high",
1417
- "mitre": "T1499"
1418
- }
1419
- },
1420
- {
1421
- "id": "MUADDIB-SANDBOX-009",
1422
- "name": "Sandbox: Suspicious Timer Delay",
1423
- "shortDescription": {
1424
- "text": "Package uses setTimeout/setInterval with delay > 1 hour. Possible time-bomb to evade sandbox analysis."
1425
- },
1426
- "fullDescription": {
1427
- "text": "Package uses setTimeout/setInterval with delay > 1 hour. Possible time-bomb to evade sandbox analysis."
1428
- },
1429
- "helpUri": "https://attack.mitre.org/techniques/T1497/003/",
1430
- "properties": {
1431
- "severity": "MEDIUM",
1432
- "confidence": "medium",
1433
- "mitre": "T1497.003"
1434
- }
1435
- },
1436
- {
1437
- "id": "MUADDIB-SANDBOX-010",
1438
- "name": "Sandbox: Critical Timer Delay (Time-Bomb)",
1439
- "shortDescription": {
1440
- "text": "Package uses setTimeout/setInterval with delay > 24 hours. Strong indicator of time-bomb malware designed to evade sandbox analysis."
1441
- },
1442
- "fullDescription": {
1443
- "text": "Package uses setTimeout/setInterval with delay > 24 hours. Strong indicator of time-bomb malware designed to evade sandbox analysis."
1444
- },
1445
- "helpUri": "https://attack.mitre.org/techniques/T1497/003/",
1446
- "properties": {
1447
- "severity": "CRITICAL",
1448
- "confidence": "high",
1449
- "mitre": "T1497.003"
1450
- }
1451
- },
1452
- {
1453
- "id": "MUADDIB-SANDBOX-011",
1454
- "name": "Sandbox: Preload Sensitive File Read",
1455
- "shortDescription": {
1456
- "text": "Package reads sensitive credential files (.npmrc, .ssh, .aws, .env) detected via runtime monkey-patching."
1457
- },
1458
- "fullDescription": {
1459
- "text": "Package reads sensitive credential files (.npmrc, .ssh, .aws, .env) detected via runtime monkey-patching."
1460
- },
1461
- "helpUri": "https://attack.mitre.org/techniques/T1552/001/",
1462
- "properties": {
1463
- "severity": "HIGH",
1464
- "confidence": "high",
1465
- "mitre": "T1552.001"
1466
- }
1467
- },
1468
- {
1469
- "id": "MUADDIB-SANDBOX-012",
1470
- "name": "Sandbox: Network After Sensitive Read",
1471
- "shortDescription": {
1472
- "text": "Package makes network requests after reading sensitive files. Strong indicator of credential exfiltration."
1473
- },
1474
- "fullDescription": {
1475
- "text": "Package makes network requests after reading sensitive files. Strong indicator of credential exfiltration."
1476
- },
1477
- "helpUri": "https://attack.mitre.org/techniques/T1041/",
1478
- "properties": {
1479
- "severity": "CRITICAL",
1480
- "confidence": "high",
1481
- "mitre": "T1041"
1482
- }
1483
- },
1484
- {
1485
- "id": "MUADDIB-SANDBOX-013",
1486
- "name": "Sandbox: Suspicious Command Execution",
1487
- "shortDescription": {
1488
- "text": "Package executes dangerous commands (curl, wget, bash, sh, powershell) detected via runtime monkey-patching."
1489
- },
1490
- "fullDescription": {
1491
- "text": "Package executes dangerous commands (curl, wget, bash, sh, powershell) detected via runtime monkey-patching."
1492
- },
1493
- "helpUri": "https://attack.mitre.org/techniques/T1059/",
1494
- "properties": {
1495
- "severity": "HIGH",
1496
- "confidence": "high",
1497
- "mitre": "T1059"
1498
- }
1499
- },
1500
- {
1501
- "id": "MUADDIB-SANDBOX-014",
1502
- "name": "Sandbox: Sensitive Env Var Access",
1503
- "shortDescription": {
1504
- "text": "Package accesses sensitive environment variables (TOKEN, SECRET, KEY, PASSWORD) detected via runtime monkey-patching."
1505
- },
1506
- "fullDescription": {
1507
- "text": "Package accesses sensitive environment variables (TOKEN, SECRET, KEY, PASSWORD) detected via runtime monkey-patching."
1508
- },
1509
- "helpUri": "https://attack.mitre.org/techniques/T1552/001/",
1510
- "properties": {
1511
- "severity": "MEDIUM",
1512
- "confidence": "medium",
1513
- "mitre": "T1552.001"
1514
- }
1515
- },
1516
- {
1517
- "id": "MUADDIB-ENTROPY-001",
1518
- "name": "High Entropy String",
1519
- "shortDescription": {
1520
- "text": "Chaine a haute entropie detectee (base64, hex, payload chiffre). Souvent signe d'obfuscation ou de donnees encodees."
1521
- },
1522
- "fullDescription": {
1523
- "text": "Chaine a haute entropie detectee (base64, hex, payload chiffre). Souvent signe d'obfuscation ou de donnees encodees."
1524
- },
1525
- "helpUri": "https://attack.mitre.org/techniques/T1027/",
1526
- "properties": {
1527
- "severity": "MEDIUM",
1528
- "confidence": "medium",
1529
- "mitre": "T1027"
1530
- }
1531
- },
1532
- {
1533
- "id": "MUADDIB-ENTROPY-004",
1534
- "name": "Fragmented High Entropy Cluster",
1535
- "shortDescription": {
1536
- "text": "Cluster de chaines courtes a haute entropie (8-49 chars) detecte. Technique de fragmentation de payload pour contourner le seuil de longueur minimum d'analyse entropique."
1537
- },
1538
- "fullDescription": {
1539
- "text": "Cluster de chaines courtes a haute entropie (8-49 chars) detecte. Technique de fragmentation de payload pour contourner le seuil de longueur minimum d'analyse entropique."
1540
- },
1541
- "helpUri": "https://attack.mitre.org/techniques/T1027/",
1542
- "properties": {
1543
- "severity": "MEDIUM",
1544
- "confidence": "medium",
1545
- "mitre": "T1027"
1546
- }
1547
- },
1548
- {
1549
- "id": "MUADDIB-ENTROPY-003",
1550
- "name": "JS Obfuscation Pattern",
1551
- "shortDescription": {
1552
- "text": "Pattern d'obfuscation JS detecte: variables _0x*, tableaux de strings encodes, eval/Function avec contenu haute entropie, ou long payload base64. Signature de javascript-obfuscator et malwares npm connus."
1553
- },
1554
- "fullDescription": {
1555
- "text": "Pattern d'obfuscation JS detecte: variables _0x*, tableaux de strings encodes, eval/Function avec contenu haute entropie, ou long payload base64. Signature de javascript-obfuscator et malwares npm connus."
1556
- },
1557
- "helpUri": "https://attack.mitre.org/techniques/T1027/002/",
1558
- "properties": {
1559
- "severity": "HIGH",
1560
- "confidence": "high",
1561
- "mitre": "T1027.002"
1562
- }
1563
- },
1564
- {
1565
- "id": "MUADDIB-TEMPORAL-001",
1566
- "name": "Sudden Lifecycle Script Added (Critical)",
1567
- "shortDescription": {
1568
- "text": "Script preinstall/install/postinstall ajoute dans la derniere version. Vecteur d'attaque #1 des supply chain attacks (Shai-Hulud, ua-parser-js, coa)."
1569
- },
1570
- "fullDescription": {
1571
- "text": "Script preinstall/install/postinstall ajoute dans la derniere version. Vecteur d'attaque #1 des supply chain attacks (Shai-Hulud, ua-parser-js, coa)."
1572
- },
1573
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
1574
- "properties": {
1575
- "severity": "CRITICAL",
1576
- "confidence": "high",
1577
- "mitre": "T1195.002"
1578
- }
1579
- },
1580
- {
1581
- "id": "MUADDIB-TEMPORAL-002",
1582
- "name": "Sudden Lifecycle Script Added",
1583
- "shortDescription": {
1584
- "text": "Script lifecycle (prepare, prepack, etc.) ajoute dans la derniere version. Potentiellement suspect si non justifie."
1585
- },
1586
- "fullDescription": {
1587
- "text": "Script lifecycle (prepare, prepack, etc.) ajoute dans la derniere version. Potentiellement suspect si non justifie."
1588
- },
1589
- "helpUri": "https://docs.npmjs.com/cli/v9/using-npm/scripts#life-cycle-scripts",
1590
- "properties": {
1591
- "severity": "HIGH",
1592
- "confidence": "medium",
1593
- "mitre": "T1195.002"
1594
- }
1595
- },
1596
- {
1597
- "id": "MUADDIB-TEMPORAL-003",
1598
- "name": "Lifecycle Script Modified",
1599
- "shortDescription": {
1600
- "text": "Script lifecycle modifie entre les deux dernieres versions. Verifier si le changement est legitime."
1601
- },
1602
- "fullDescription": {
1603
- "text": "Script lifecycle modifie entre les deux dernieres versions. Verifier si le changement est legitime."
1604
- },
1605
- "helpUri": "https://docs.npmjs.com/cli/v9/using-npm/scripts#life-cycle-scripts",
1606
- "properties": {
1607
- "severity": "MEDIUM",
1608
- "confidence": "medium",
1609
- "mitre": "T1195.002"
1610
- }
1611
- },
1612
- {
1613
- "id": "MUADDIB-TEMPORAL-AST-001",
1614
- "name": "Dangerous API Added (Critical)",
1615
- "shortDescription": {
1616
- "text": "API dangereuse (child_process, eval, Function, net.connect) apparue dans la derniere version. Absente de la version precedente."
1617
- },
1618
- "fullDescription": {
1619
- "text": "API dangereuse (child_process, eval, Function, net.connect) apparue dans la derniere version. Absente de la version precedente."
1620
- },
1621
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
1622
- "properties": {
1623
- "severity": "CRITICAL",
1624
- "confidence": "high",
1625
- "mitre": "T1195.002"
1626
- }
1627
- },
1628
- {
1629
- "id": "MUADDIB-TEMPORAL-AST-002",
1630
- "name": "Dangerous API Added (High)",
1631
- "shortDescription": {
1632
- "text": "API suspecte (process.env, fetch, http/https) apparue dans la derniere version. Absente de la version precedente."
1633
- },
1634
- "fullDescription": {
1635
- "text": "API suspecte (process.env, fetch, http/https) apparue dans la derniere version. Absente de la version precedente."
1636
- },
1637
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
1638
- "properties": {
1639
- "severity": "HIGH",
1640
- "confidence": "medium",
1641
- "mitre": "T1195.002"
1642
- }
1643
- },
1644
- {
1645
- "id": "MUADDIB-TEMPORAL-AST-003",
1646
- "name": "Dangerous API Added (Medium)",
1647
- "shortDescription": {
1648
- "text": "API potentiellement suspecte (dns.lookup, fs.readFile sur chemin sensible) apparue dans la derniere version."
1649
- },
1650
- "fullDescription": {
1651
- "text": "API potentiellement suspecte (dns.lookup, fs.readFile sur chemin sensible) apparue dans la derniere version."
1652
- },
1653
- "helpUri": "https://docs.npmjs.com/cli/v9/using-npm/scripts#life-cycle-scripts",
1654
- "properties": {
1655
- "severity": "MEDIUM",
1656
- "confidence": "medium",
1657
- "mitre": "T1195.002"
1658
- }
1659
- },
1660
- {
1661
- "id": "MUADDIB-PUBLISH-001",
1662
- "name": "Publish Burst Detected",
1663
- "shortDescription": {
1664
- "text": "Multiple versions publiees en moins de 24h. Possible compromission de compte ou attaque automatisee."
1665
- },
1666
- "fullDescription": {
1667
- "text": "Multiple versions publiees en moins de 24h. Possible compromission de compte ou attaque automatisee."
1668
- },
1669
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
1670
- "properties": {
1671
- "severity": "LOW",
1672
- "confidence": "high",
1673
- "mitre": "T1195.002"
1674
- }
1675
- },
1676
- {
1677
- "id": "MUADDIB-PUBLISH-002",
1678
- "name": "Dormant Package Spike",
1679
- "shortDescription": {
1680
- "text": "Package inactif depuis 6+ mois avec une nouvelle version soudaine. Possible changement de mainteneur ou compromission."
1681
- },
1682
- "fullDescription": {
1683
- "text": "Package inactif depuis 6+ mois avec une nouvelle version soudaine. Possible changement de mainteneur ou compromission."
1684
- },
1685
- "helpUri": "https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident",
1686
- "properties": {
1687
- "severity": "HIGH",
1688
- "confidence": "medium",
1689
- "mitre": "T1195.002"
1690
- }
1691
- },
1692
- {
1693
- "id": "MUADDIB-PUBLISH-003",
1694
- "name": "Rapid Version Succession",
1695
- "shortDescription": {
1696
- "text": "Versions publiees en succession rapide (moins d'1h). Possible attaque automatisee ou CI/CD compromis."
1697
- },
1698
- "fullDescription": {
1699
- "text": "Versions publiees en succession rapide (moins d'1h). Possible attaque automatisee ou CI/CD compromis."
1700
- },
1701
- "helpUri": "https://docs.npmjs.com/cli/v9/using-npm/scripts#life-cycle-scripts",
1702
- "properties": {
1703
- "severity": "MEDIUM",
1704
- "confidence": "medium",
1705
- "mitre": "T1195.002"
1706
- }
1707
- },
1708
- {
1709
- "id": "MUADDIB-MAINTAINER-001",
1710
- "name": "New Maintainer Added",
1711
- "shortDescription": {
1712
- "text": "Un nouveau maintainer a ete ajoute au package entre les deux dernieres versions. Verifier si le changement est legitime."
1713
- },
1714
- "fullDescription": {
1715
- "text": "Un nouveau maintainer a ete ajoute au package entre les deux dernieres versions. Verifier si le changement est legitime."
1716
- },
1717
- "helpUri": "https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident",
1718
- "properties": {
1719
- "severity": "HIGH",
1720
- "confidence": "high",
1721
- "mitre": "T1195.002"
1722
- }
1723
- },
1724
- {
1725
- "id": "MUADDIB-MAINTAINER-002",
1726
- "name": "Suspicious Maintainer Detected",
1727
- "shortDescription": {
1728
- "text": "Maintainer avec un nom suspect (generique, auto-genere, tres court). Risque eleve de compromission de compte."
1729
- },
1730
- "fullDescription": {
1731
- "text": "Maintainer avec un nom suspect (generique, auto-genere, tres court). Risque eleve de compromission de compte."
1732
- },
1733
- "helpUri": "https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident",
1734
- "properties": {
1735
- "severity": "CRITICAL",
1736
- "confidence": "high",
1737
- "mitre": "T1195.002"
1738
- }
1739
- },
1740
- {
1741
- "id": "MUADDIB-MAINTAINER-003",
1742
- "name": "Sole Maintainer Changed",
1743
- "shortDescription": {
1744
- "text": "Le seul maintainer du package a change. Indicateur fort de compromission de compte (event-stream attack pattern)."
1745
- },
1746
- "fullDescription": {
1747
- "text": "Le seul maintainer du package a change. Indicateur fort de compromission de compte (event-stream attack pattern)."
1748
- },
1749
- "helpUri": "https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident",
1750
- "properties": {
1751
- "severity": "HIGH",
1752
- "confidence": "high",
1753
- "mitre": "T1195.002"
1754
- }
1755
- },
1756
- {
1757
- "id": "MUADDIB-MAINTAINER-004",
1758
- "name": "New Publisher Detected",
1759
- "shortDescription": {
1760
- "text": "La derniere version a ete publiee par un utilisateur different de la version precedente. Verifier la legitimite."
1761
- },
1762
- "fullDescription": {
1763
- "text": "La derniere version a ete publiee par un utilisateur different de la version precedente. Verifier la legitimite."
1764
- },
1765
- "helpUri": "https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident",
1766
- "properties": {
1767
- "severity": "MEDIUM",
1768
- "confidence": "medium",
1769
- "mitre": "T1195.002"
1770
- }
1771
- },
1772
- {
1773
- "id": "MUADDIB-CANARY-001",
1774
- "name": "Canary Token Exfiltration",
1775
- "shortDescription": {
1776
- "text": "Le package a tente d'exfiltrer des honey tokens (faux secrets) injectes dans le sandbox. Comportement malveillant confirme."
1777
- },
1778
- "fullDescription": {
1779
- "text": "Le package a tente d'exfiltrer des honey tokens (faux secrets) injectes dans le sandbox. Comportement malveillant confirme."
1780
- },
1781
- "helpUri": "https://canarytokens.org/generate",
1782
- "properties": {
1783
- "severity": "CRITICAL",
1784
- "confidence": "high",
1785
- "mitre": "T1552.001"
1786
- }
1787
- },
1788
- {
1789
- "id": "MUADDIB-AST-032",
1790
- "name": "Suspicious C2/Exfiltration Domain",
1791
- "shortDescription": {
1792
- "text": "Domaine C2 ou d'exfiltration detecte dans le code (oastify.com, burpcollaborator.net, webhook.site, ngrok.io, etc.). Ces domaines sont utilises pour recevoir des donnees volees ou comme relais de commande."
1793
- },
1794
- "fullDescription": {
1795
- "text": "Domaine C2 ou d'exfiltration detecte dans le code (oastify.com, burpcollaborator.net, webhook.site, ngrok.io, etc.). Ces domaines sont utilises pour recevoir des donnees volees ou comme relais de commande."
1796
- },
1797
- "helpUri": "https://attack.mitre.org/techniques/T1071/001/",
1798
- "properties": {
1799
- "severity": "HIGH",
1800
- "confidence": "high",
1801
- "mitre": "T1071.001"
1802
- }
1803
- },
1804
- {
1805
- "id": "MUADDIB-AST-033",
1806
- "name": "Steganographic Payload Chain",
1807
- "shortDescription": {
1808
- "text": "Chaine steganographique: fetch distant + dechiffrement crypto + execution dynamique (eval/Function). Pattern buildrunner-dev: payload cache dans une image, dechiffre a runtime, puis execute."
1809
- },
1810
- "fullDescription": {
1811
- "text": "Chaine steganographique: fetch distant + dechiffrement crypto + execution dynamique (eval/Function). Pattern buildrunner-dev: payload cache dans une image, dechiffre a runtime, puis execute."
1812
- },
1813
- "helpUri": "https://attack.mitre.org/techniques/T1027/003/",
1814
- "properties": {
1815
- "severity": "CRITICAL",
1816
- "confidence": "high",
1817
- "mitre": "T1027.003"
1818
- }
1819
- },
1820
- {
1821
- "id": "MUADDIB-AST-034",
1822
- "name": "Download-Execute Binary Pattern",
1823
- "shortDescription": {
1824
- "text": "Pattern download-execute: telechargement distant + chmod executable + execSync dans le meme fichier. Dropper binaire deguise en compilation native addon (NeoShadow pattern)."
1825
- },
1826
- "fullDescription": {
1827
- "text": "Pattern download-execute: telechargement distant + chmod executable + execSync dans le meme fichier. Dropper binaire deguise en compilation native addon (NeoShadow pattern)."
1828
- },
1829
- "helpUri": "https://attack.mitre.org/techniques/T1105/",
1830
- "properties": {
1831
- "severity": "CRITICAL",
1832
- "confidence": "high",
1833
- "mitre": "T1105"
1834
- }
1835
- },
1836
- {
1837
- "id": "MUADDIB-AST-035",
1838
- "name": "IDE Task Persistence",
1839
- "shortDescription": {
1840
- "text": "Persistence IDE: ecriture dans tasks.json ou Code/User/ avec execution automatique a l'ouverture du dossier (runOn: folderOpen). Pattern FAMOUS CHOLLIMA / StegaBin pour persistance VS Code."
1841
- },
1842
- "fullDescription": {
1843
- "text": "Persistence IDE: ecriture dans tasks.json ou Code/User/ avec execution automatique a l'ouverture du dossier (runOn: folderOpen). Pattern FAMOUS CHOLLIMA / StegaBin pour persistance VS Code."
1844
- },
1845
- "helpUri": "https://attack.mitre.org/techniques/T1546/",
1846
- "properties": {
1847
- "severity": "HIGH",
1848
- "confidence": "high",
1849
- "mitre": "T1546"
1850
- }
1851
- },
1852
- {
1853
- "id": "MUADDIB-AST-036",
1854
- "name": "VM Module Code Execution",
1855
- "shortDescription": {
1856
- "text": "Execution de code dynamique via le module vm de Node.js (vm.runInThisContext, vm.runInNewContext, vm.compileFunction, new vm.Script). Contourne la detection eval/Function."
1857
- },
1858
- "fullDescription": {
1859
- "text": "Execution de code dynamique via le module vm de Node.js (vm.runInThisContext, vm.runInNewContext, vm.compileFunction, new vm.Script). Contourne la detection eval/Function."
1860
- },
1861
- "helpUri": "https://nodejs.org/api/vm.html",
1862
- "properties": {
1863
- "severity": "HIGH",
1864
- "confidence": "high",
1865
- "mitre": "T1059"
1866
- }
1867
- },
1868
- {
1869
- "id": "MUADDIB-AST-037",
1870
- "name": "Reflect API Code Execution",
1871
- "shortDescription": {
1872
- "text": "Execution de code dynamique via Reflect.construct(Function, [...]) ou Reflect.apply(eval, ...). Contourne la detection directe de eval/Function/new Function."
1873
- },
1874
- "fullDescription": {
1875
- "text": "Execution de code dynamique via Reflect.construct(Function, [...]) ou Reflect.apply(eval, ...). Contourne la detection directe de eval/Function/new Function."
1876
- },
1877
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Reflect",
1878
- "properties": {
1879
- "severity": "CRITICAL",
1880
- "confidence": "high",
1881
- "mitre": "T1059"
1882
- }
1883
- },
1884
- {
1885
- "id": "MUADDIB-AST-038",
1886
- "name": "Process Binding Abuse",
1887
- "shortDescription": {
1888
- "text": "Acces direct aux bindings V8 internes via process.binding() ou process._linkedBinding(). Contourne les modules child_process/fs pour execution de commandes ou acces fichiers sans detection."
1889
- },
1890
- "fullDescription": {
1891
- "text": "Acces direct aux bindings V8 internes via process.binding() ou process._linkedBinding(). Contourne les modules child_process/fs pour execution de commandes ou acces fichiers sans detection."
1892
- },
1893
- "helpUri": "https://nodejs.org/api/process.html#processbindingname",
1894
- "properties": {
1895
- "severity": "CRITICAL",
1896
- "confidence": "high",
1897
- "mitre": "T1059"
1898
- }
1899
- },
1900
- {
1901
- "id": "MUADDIB-AST-039",
1902
- "name": "Worker Thread Code Execution",
1903
- "shortDescription": {
1904
- "text": "new Worker() avec eval:true execute du code arbitraire dans un thread worker, contournant la detection du thread principal. Technique d'evasion pour executer du code dynamique hors du scope AST principal."
1905
- },
1906
- "fullDescription": {
1907
- "text": "new Worker() avec eval:true execute du code arbitraire dans un thread worker, contournant la detection du thread principal. Technique d'evasion pour executer du code dynamique hors du scope AST principal."
1908
- },
1909
- "helpUri": "https://nodejs.org/api/worker_threads.html",
1910
- "properties": {
1911
- "severity": "HIGH",
1912
- "confidence": "high",
1913
- "mitre": "T1059"
1914
- }
1915
- },
1916
- {
1917
- "id": "MUADDIB-AST-042",
1918
- "name": "WASM Host Import Sink",
1919
- "shortDescription": {
1920
- "text": "Module WebAssembly charge avec des callbacks host contenant des sinks reseau (fetch/http.request). Le WASM peut invoquer ces callbacks pour exfiltrer des donnees tout en cachant le flux de controle. Aucun package npm legitime ne combine WASM + callbacks reseau host."
1921
- },
1922
- "fullDescription": {
1923
- "text": "Module WebAssembly charge avec des callbacks host contenant des sinks reseau (fetch/http.request). Le WASM peut invoquer ces callbacks pour exfiltrer des donnees tout en cachant le flux de controle. Aucun package npm legitime ne combine WASM + callbacks reseau host."
1924
- },
1925
- "helpUri": "https://attack.mitre.org/techniques/T1059/",
1926
- "properties": {
1927
- "severity": "CRITICAL",
1928
- "confidence": "high",
1929
- "mitre": "T1059"
1930
- }
1931
- },
1932
- {
1933
- "id": "MUADDIB-AST-046",
1934
- "name": "WASM Module Load (Standalone)",
1935
- "shortDescription": {
1936
- "text": "Module WebAssembly charge sans sink reseau detectable. Usage legitime frequent (cryptographie, traitement d'image, codecs). Le WASM cache le flux de controle — verifier le fichier .wasm manuellement."
1937
- },
1938
- "fullDescription": {
1939
- "text": "Module WebAssembly charge sans sink reseau detectable. Usage legitime frequent (cryptographie, traitement d'image, codecs). Le WASM cache le flux de controle — verifier le fichier .wasm manuellement."
1940
- },
1941
- "helpUri": "https://attack.mitre.org/techniques/T1027/",
1942
- "properties": {
1943
- "severity": "MEDIUM",
1944
- "confidence": "medium",
1945
- "mitre": "T1027"
1946
- }
1947
- },
1948
- {
1949
- "id": "MUADDIB-AST-041",
1950
- "name": "Credential Regex Harvesting",
1951
- "shortDescription": {
1952
- "text": "Regex de detection de credentials (token/password/secret/Bearer) combine avec un appel reseau. Technique de harvesting: le code scanne les donnees de flux (streams, requetes) a la recherche de credentials et les exfiltre."
1953
- },
1954
- "fullDescription": {
1955
- "text": "Regex de detection de credentials (token/password/secret/Bearer) combine avec un appel reseau. Technique de harvesting: le code scanne les donnees de flux (streams, requetes) a la recherche de credentials et les exfiltre."
1956
- },
1957
- "helpUri": "https://attack.mitre.org/techniques/T1552/",
1958
- "properties": {
1959
- "severity": "HIGH",
1960
- "confidence": "high",
1961
- "mitre": "T1552"
1962
- }
1963
- },
1964
- {
1965
- "id": "MUADDIB-AST-044",
1966
- "name": "Built-in Method Override Exfiltration",
1967
- "shortDescription": {
1968
- "text": "Override de methode built-in (console.log/warn/error, Object.defineProperty) combine avec un appel reseau. Technique de monkey-patching: le code remplace une API native pour intercepter les donnees en transit et les exfiltrer."
1969
- },
1970
- "fullDescription": {
1971
- "text": "Override de methode built-in (console.log/warn/error, Object.defineProperty) combine avec un appel reseau. Technique de monkey-patching: le code remplace une API native pour intercepter les donnees en transit et les exfiltrer."
1972
- },
1973
- "helpUri": "https://attack.mitre.org/techniques/T1557/",
1974
- "properties": {
1975
- "severity": "HIGH",
1976
- "confidence": "high",
1977
- "mitre": "T1557"
1978
- }
1979
- },
1980
- {
1981
- "id": "MUADDIB-AST-045",
1982
- "name": "Stream Credential Interception",
1983
- "shortDescription": {
1984
- "text": "Classe stream (Transform/Duplex/Writable) avec regex de credentials et appel reseau. Technique de wiretap: le stream intercepte les donnees en transit, scanne pour des credentials (Bearer, password, token) et les exfiltre."
1985
- },
1986
- "fullDescription": {
1987
- "text": "Classe stream (Transform/Duplex/Writable) avec regex de credentials et appel reseau. Technique de wiretap: le stream intercepte les donnees en transit, scanne pour des credentials (Bearer, password, token) et les exfiltre."
1988
- },
1989
- "helpUri": "https://attack.mitre.org/techniques/T1557/",
1990
- "properties": {
1991
- "severity": "HIGH",
1992
- "confidence": "high",
1993
- "mitre": "T1557"
1994
- }
1995
- },
1996
- {
1997
- "id": "MUADDIB-AST-040",
1998
- "name": "Remote Code Loading",
1999
- "shortDescription": {
2000
- "text": "Fetch reseau + eval/Function dans le meme fichier. Technique multi-stage: le code telecharge un payload distant (SVG, HTML, JSON) et l'execute dynamiquement. Aucun package npm legitime ne combine fetch + eval/Function."
2001
- },
2002
- "fullDescription": {
2003
- "text": "Fetch reseau + eval/Function dans le meme fichier. Technique multi-stage: le code telecharge un payload distant (SVG, HTML, JSON) et l'execute dynamiquement. Aucun package npm legitime ne combine fetch + eval/Function."
2004
- },
2005
- "helpUri": "https://attack.mitre.org/techniques/T1105/",
2006
- "properties": {
2007
- "severity": "CRITICAL",
2008
- "confidence": "high",
2009
- "mitre": "T1105"
2010
- }
2011
- },
2012
- {
2013
- "id": "MUADDIB-AST-043",
2014
- "name": "Proxy Data Interception",
2015
- "shortDescription": {
2016
- "text": "Proxy trap (set/get/apply) combine avec un appel reseau dans le meme fichier. Technique d'interception de donnees: le Proxy capture toutes les ecritures/lectures de proprietes et les exfiltre via le reseau. Utilise pour voler des credentials passees via module.exports."
2017
- },
2018
- "fullDescription": {
2019
- "text": "Proxy trap (set/get/apply) combine avec un appel reseau dans le meme fichier. Technique d'interception de donnees: le Proxy capture toutes les ecritures/lectures de proprietes et les exfiltre via le reseau. Utilise pour voler des credentials passees via module.exports."
2020
- },
2021
- "helpUri": "https://attack.mitre.org/techniques/T1557/",
2022
- "properties": {
2023
- "severity": "CRITICAL",
2024
- "confidence": "high",
2025
- "mitre": "T1557"
2026
- }
2027
- },
2028
- {
2029
- "id": "MUADDIB-PKG-013",
2030
- "name": "Bin Field PATH Hijack",
2031
- "shortDescription": {
2032
- "text": "Le champ \"bin\" de package.json shadow une commande systeme (node, npm, git, bash, etc.). A l'install, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle pour tous les npm scripts."
2033
- },
2034
- "fullDescription": {
2035
- "text": "Le champ \"bin\" de package.json shadow une commande systeme (node, npm, git, bash, etc.). A l'install, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle pour tous les npm scripts."
2036
- },
2037
- "helpUri": "https://socket.dev/blog/2025-supply-chain-report",
2038
- "properties": {
2039
- "severity": "CRITICAL",
2040
- "confidence": "high",
2041
- "mitre": "T1574.007"
2042
- }
2043
- },
2044
- {
2045
- "id": "MUADDIB-PKG-014",
2046
- "name": "Git Dependency RCE (PackageGate)",
2047
- "shortDescription": {
2048
- "text": "Dependance utilisant une URL git+ ou git://. Vecteur PackageGate: un .npmrc malveillant peut overrider le binaire git, permettant l'execution de code meme avec --ignore-scripts."
2049
- },
2050
- "fullDescription": {
2051
- "text": "Dependance utilisant une URL git+ ou git://. Vecteur PackageGate: un .npmrc malveillant peut overrider le binaire git, permettant l'execution de code meme avec --ignore-scripts."
2052
- },
2053
- "helpUri": "https://socket.dev/blog/packagegate-npm-rce",
2054
- "properties": {
2055
- "severity": "HIGH",
2056
- "confidence": "medium",
2057
- "mitre": "T1195.002"
2058
- }
2059
- },
2060
- {
2061
- "id": "MUADDIB-PKG-015",
2062
- "name": ".npmrc Git Binary Override",
2063
- "shortDescription": {
2064
- "text": "Fichier .npmrc contient git= override — technique PackageGate: remplace le binaire git par un script controle par l'attaquant."
2065
- },
2066
- "fullDescription": {
2067
- "text": "Fichier .npmrc contient git= override — technique PackageGate: remplace le binaire git par un script controle par l'attaquant."
2068
- },
2069
- "helpUri": "https://socket.dev/blog/packagegate-npm-rce",
2070
- "properties": {
2071
- "severity": "CRITICAL",
2072
- "confidence": "high",
2073
- "mitre": "T1195.002"
2074
- }
2075
- },
2076
- {
2077
- "id": "MUADDIB-AST-048",
2078
- "name": "Write to node_modules/ (Worm Propagation)",
2079
- "shortDescription": {
2080
- "text": "writeFileSync/writeFile/appendFileSync ciblant node_modules/ — technique de propagation worm Shai-Hulud 2.0: modifie d'autres packages installes pour injecter un backdoor persistent."
2081
- },
2082
- "fullDescription": {
2083
- "text": "writeFileSync/writeFile/appendFileSync ciblant node_modules/ — technique de propagation worm Shai-Hulud 2.0: modifie d'autres packages installes pour injecter un backdoor persistent."
2084
- },
2085
- "helpUri": "https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack",
2086
- "properties": {
2087
- "severity": "CRITICAL",
2088
- "confidence": "high",
2089
- "mitre": "T1195.002"
2090
- }
2091
- },
2092
- {
2093
- "id": "MUADDIB-AST-049",
2094
- "name": "Bun Runtime Evasion",
2095
- "shortDescription": {
2096
- "text": "Invocation du runtime Bun (bun run/exec/install) via exec/spawn — technique Shai-Hulud 2.0: utilise un runtime alternatif pour echapper aux sandboxes et monitoring Node.js."
2097
- },
2098
- "fullDescription": {
2099
- "text": "Invocation du runtime Bun (bun run/exec/install) via exec/spawn — technique Shai-Hulud 2.0: utilise un runtime alternatif pour echapper aux sandboxes et monitoring Node.js."
2100
- },
2101
- "helpUri": "https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack",
2102
- "properties": {
2103
- "severity": "HIGH",
2104
- "confidence": "medium",
2105
- "mitre": "T1059"
2106
- }
2107
- },
2108
- {
2109
- "id": "MUADDIB-AST-050",
2110
- "name": "Static Timer Bomb",
2111
- "shortDescription": {
2112
- "text": "setTimeout/setInterval avec delai > 1h detecte statiquement. PhantomRaven active le 2nd stage 48h+ apres install. Evasion temporelle: le payload s'active bien apres l'installation pour echapper aux sandboxes."
2113
- },
2114
- "fullDescription": {
2115
- "text": "setTimeout/setInterval avec delai > 1h detecte statiquement. PhantomRaven active le 2nd stage 48h+ apres install. Evasion temporelle: le payload s'active bien apres l'installation pour echapper aux sandboxes."
2116
- },
2117
- "helpUri": "https://www.sonatype.com/blog/phantomraven-supply-chain-attack",
2118
- "properties": {
2119
- "severity": "MEDIUM",
2120
- "confidence": "medium",
2121
- "mitre": "T1497.003"
2122
- }
2123
- },
2124
- {
2125
- "id": "MUADDIB-AST-051",
2126
- "name": "npm publish Worm Propagation",
2127
- "shortDescription": {
2128
- "text": "exec(\"npm publish\") detecte — technique de propagation worm Shai-Hulud: utilise les tokens npm voles pour publier des versions infectees des packages de la victime."
2129
- },
2130
- "fullDescription": {
2131
- "text": "exec(\"npm publish\") detecte — technique de propagation worm Shai-Hulud: utilise les tokens npm voles pour publier des versions infectees des packages de la victime."
2132
- },
2133
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
2134
- "properties": {
2135
- "severity": "CRITICAL",
2136
- "confidence": "high",
2137
- "mitre": "T1195.002"
2138
- }
2139
- },
2140
- {
2141
- "id": "MUADDIB-AST-052",
2142
- "name": "Ollama Local LLM (Polymorphic Engine)",
2143
- "shortDescription": {
2144
- "text": "Reference au port 11434 (Ollama) detectee. PhantomRaven Wave 4 utilise un LLM local pour reecrire le malware et eviter la detection signature. Moteur polymorphe."
2145
- },
2146
- "fullDescription": {
2147
- "text": "Reference au port 11434 (Ollama) detectee. PhantomRaven Wave 4 utilise un LLM local pour reecrire le malware et eviter la detection signature. Moteur polymorphe."
2148
- },
2149
- "helpUri": "https://www.sonatype.com/blog/phantomraven-supply-chain-attack",
2150
- "properties": {
2151
- "severity": "HIGH",
2152
- "confidence": "medium",
2153
- "mitre": "T1027.005"
2154
- }
2155
- },
2156
- {
2157
- "id": "MUADDIB-SHELL-016",
2158
- "name": "Curl IFS Variable Evasion",
2159
- "shortDescription": {
2160
- "text": "Evasion IFS: curl$IFS ou curl${IFS} pipe vers shell. Technique d'evasion pour contourner la detection de curl|sh en utilisant $IFS comme separateur."
2161
- },
2162
- "fullDescription": {
2163
- "text": "Evasion IFS: curl$IFS ou curl${IFS} pipe vers shell. Technique d'evasion pour contourner la detection de curl|sh en utilisant $IFS comme separateur."
2164
- },
2165
- "helpUri": "https://attack.mitre.org/techniques/T1059/004/",
2166
- "properties": {
2167
- "severity": "CRITICAL",
2168
- "confidence": "high",
2169
- "mitre": "T1059.004"
2170
- }
2171
- },
2172
- {
2173
- "id": "MUADDIB-SHELL-017",
2174
- "name": "Eval Curl Command Substitution",
2175
- "shortDescription": {
2176
- "text": "eval $(curl ...) detecte. Telecharge et execute du code distant via command substitution."
2177
- },
2178
- "fullDescription": {
2179
- "text": "eval $(curl ...) detecte. Telecharge et execute du code distant via command substitution."
2180
- },
2181
- "helpUri": "https://attack.mitre.org/techniques/T1059/004/",
2182
- "properties": {
2183
- "severity": "CRITICAL",
2184
- "confidence": "high",
2185
- "mitre": "T1059.004"
2186
- }
2187
- },
2188
- {
2189
- "id": "MUADDIB-SHELL-018",
2190
- "name": "Shell -c Curl Execution",
2191
- "shortDescription": {
2192
- "text": "sh -c wrapping autour de curl. Technique d'evasion pour masquer l'execution de commandes distantes."
2193
- },
2194
- "fullDescription": {
2195
- "text": "sh -c wrapping autour de curl. Technique d'evasion pour masquer l'execution de commandes distantes."
2196
- },
2197
- "helpUri": "https://attack.mitre.org/techniques/T1059/004/",
2198
- "properties": {
2199
- "severity": "HIGH",
2200
- "confidence": "high",
2201
- "mitre": "T1059.004"
2202
- }
2203
- },
2204
- {
2205
- "id": "MUADDIB-SHELL-019",
2206
- "name": "Python Time Delay Execution",
2207
- "shortDescription": {
2208
- "text": "Execution Python avec delai time.sleep() >= 100s via child process. Technique d'evasion sandbox (T1497.003) : le malware attend que la sandbox expire avant d'executer le payload."
2209
- },
2210
- "fullDescription": {
2211
- "text": "Execution Python avec delai time.sleep() >= 100s via child process. Technique d'evasion sandbox (T1497.003) : le malware attend que la sandbox expire avant d'executer le payload."
2212
- },
2213
- "helpUri": "https://attack.mitre.org/techniques/T1497/003/",
2214
- "properties": {
2215
- "severity": "HIGH",
2216
- "confidence": "medium",
2217
- "mitre": "T1497.003"
2218
- }
2219
- },
2220
- {
2221
- "id": "MUADDIB-AST-047",
2222
- "name": "Detached Process Credential Exfiltration",
2223
- "shortDescription": {
2224
- "text": "Process detache (survit au parent) avec acces aux credentials et appel reseau — technique DPRK/Lazarus pour exfiltrer des secrets en arriere-plan"
2225
- },
2226
- "fullDescription": {
2227
- "text": "Process detache (survit au parent) avec acces aux credentials et appel reseau — technique DPRK/Lazarus pour exfiltrer des secrets en arriere-plan"
2228
- },
2229
- "helpUri": "https://attack.mitre.org/techniques/T1041/",
2230
- "properties": {
2231
- "severity": "CRITICAL",
2232
- "confidence": "high",
2233
- "mitre": "T1041"
2234
- }
2235
- },
2236
- {
2237
- "id": "MUADDIB-INTENT-001",
2238
- "name": "Intent Credential Exfiltration",
2239
- "shortDescription": {
2240
- "text": "Coherence d'intention: lecture de credentials (fichiers sensibles, env vars) combinee avec un sink reseau ou exec dans le meme package. Pattern typique DPRK/Lazarus: code malveillant fragmente sur plusieurs fichiers avec uniquement des APIs legitimes."
2241
- },
2242
- "fullDescription": {
2243
- "text": "Coherence d'intention: lecture de credentials (fichiers sensibles, env vars) combinee avec un sink reseau ou exec dans le meme package. Pattern typique DPRK/Lazarus: code malveillant fragmente sur plusieurs fichiers avec uniquement des APIs legitimes."
2244
- },
2245
- "helpUri": "https://attack.mitre.org/techniques/T1041/",
2246
- "properties": {
2247
- "severity": "CRITICAL",
2248
- "confidence": "high",
2249
- "mitre": "T1041"
2250
- }
2251
- },
2252
- {
2253
- "id": "MUADDIB-INTENT-002",
2254
- "name": "Intent Command Output Exfiltration",
2255
- "shortDescription": {
2256
- "text": "Coherence d'intention: sortie de commande systeme combinee avec un sink reseau. Le code execute des commandes et transmet les resultats sur le reseau — reconnaissance ou exfiltration."
2257
- },
2258
- "fullDescription": {
2259
- "text": "Coherence d'intention: sortie de commande systeme combinee avec un sink reseau. Le code execute des commandes et transmet les resultats sur le reseau — reconnaissance ou exfiltration."
2260
- },
2261
- "helpUri": "https://attack.mitre.org/techniques/T1059/",
2262
- "properties": {
2263
- "severity": "HIGH",
2264
- "confidence": "medium",
2265
- "mitre": "T1059"
2266
- }
2267
- },
2268
- {
2269
- "id": "MUADDIB-OBF-003",
2270
- "name": "Unicode Invisible Character Injection",
2271
- "shortDescription": {
2272
- "text": "Caracteres Unicode invisibles detectes (zero-width, variation selectors). Technique GlassWorm: encodage de payload malveillant via variation selectors (U+FE00-FE0F, U+E0100-E01EF) invisible dans les editeurs."
2273
- },
2274
- "fullDescription": {
2275
- "text": "Caracteres Unicode invisibles detectes (zero-width, variation selectors). Technique GlassWorm: encodage de payload malveillant via variation selectors (U+FE00-FE0F, U+E0100-E01EF) invisible dans les editeurs."
2276
- },
2277
- "helpUri": "https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode",
2278
- "properties": {
2279
- "severity": "CRITICAL",
2280
- "confidence": "high",
2281
- "mitre": "T1027"
2282
- }
2283
- },
2284
- {
2285
- "id": "MUADDIB-AST-053",
2286
- "name": "Unicode Variation Selector Decoder",
2287
- "shortDescription": {
2288
- "text": "Decodeur de payload Unicode via variation selectors (.codePointAt + 0xFE00/0xE0100). Signature GlassWorm: le code reconstruit un payload octet par octet a partir de caracteres invisibles."
2289
- },
2290
- "fullDescription": {
2291
- "text": "Decodeur de payload Unicode via variation selectors (.codePointAt + 0xFE00/0xE0100). Signature GlassWorm: le code reconstruit un payload octet par octet a partir de caracteres invisibles."
2292
- },
2293
- "helpUri": "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace",
2294
- "properties": {
2295
- "severity": "CRITICAL",
2296
- "confidence": "high",
2297
- "mitre": "T1140"
2298
- }
2299
- },
2300
- {
2301
- "id": "MUADDIB-AST-054",
2302
- "name": "Blockchain C2 Resolution (Dead Drop)",
2303
- "shortDescription": {
2304
- "text": "Import Solana/Web3 + appel API C2 (getSignaturesForAddress, getTransaction). Technique GlassWorm: la blockchain sert de dead drop resolver pour obtenir l'adresse C2 via le champ memo des transactions."
2305
- },
2306
- "fullDescription": {
2307
- "text": "Import Solana/Web3 + appel API C2 (getSignaturesForAddress, getTransaction). Technique GlassWorm: la blockchain sert de dead drop resolver pour obtenir l'adresse C2 via le champ memo des transactions."
2308
- },
2309
- "helpUri": "https://www.sonatype.com/blog/hijacked-npm-packages-deliver-malware-via-solana-linked-to-glassworm",
2310
- "properties": {
2311
- "severity": "HIGH",
2312
- "confidence": "high",
2313
- "mitre": "T1102"
2314
- }
2315
- },
2316
- {
2317
- "id": "MUADDIB-AST-057",
2318
- "name": "Prototype Chain Constructor Access",
2319
- "shortDescription": {
2320
- "text": "Acces au constructeur AsyncFunction ou GeneratorFunction via Object.getPrototypeOf(). Technique d'evasion permettant d'executer du code arbitraire sans reference directe a eval() ou Function()."
2321
- },
2322
- "fullDescription": {
2323
- "text": "Acces au constructeur AsyncFunction ou GeneratorFunction via Object.getPrototypeOf(). Technique d'evasion permettant d'executer du code arbitraire sans reference directe a eval() ou Function()."
2324
- },
2325
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/AsyncFunction",
2326
- "properties": {
2327
- "severity": "CRITICAL",
2328
- "confidence": "high",
2329
- "mitre": "T1059.007"
2330
- }
2331
- },
2332
- {
2333
- "id": "MUADDIB-AST-058",
2334
- "name": "Split High-Entropy Payload",
2335
- "shortDescription": {
2336
- "text": "Payload haute entropie fragmente en ≥3 chunks concatenes pour contourner la detection par string individuelle. Le resultat concatene passe par eval/Function/atob/Buffer.from, indiquant un dechiffrement ou une execution staged."
2337
- },
2338
- "fullDescription": {
2339
- "text": "Payload haute entropie fragmente en ≥3 chunks concatenes pour contourner la detection par string individuelle. Le resultat concatene passe par eval/Function/atob/Buffer.from, indiquant un dechiffrement ou une execution staged."
2340
- },
2341
- "helpUri": "https://attack.mitre.org/techniques/T1027/002/",
2342
- "properties": {
2343
- "severity": "CRITICAL",
2344
- "confidence": "high",
2345
- "mitre": "T1027.002"
2346
- }
2347
- },
2348
- {
2349
- "id": "MUADDIB-AST-056",
2350
- "name": "Module._load() Internal Loader Bypass",
2351
- "shortDescription": {
2352
- "text": "Module._load() detecte — bypass du module loader interne de Node.js pour charger dynamiquement des modules sans passer par require(). Technique d'evasion contournant les restrictions de chargement de modules."
2353
- },
2354
- "fullDescription": {
2355
- "text": "Module._load() detecte — bypass du module loader interne de Node.js pour charger dynamiquement des modules sans passer par require(). Technique d'evasion contournant les restrictions de chargement de modules."
2356
- },
2357
- "helpUri": "https://nodejs.org/api/modules.html",
2358
- "properties": {
2359
- "severity": "CRITICAL",
2360
- "confidence": "high",
2361
- "mitre": "T1059.007"
2362
- }
2363
- },
2364
- {
2365
- "id": "MUADDIB-AST-055",
2366
- "name": "Hardcoded Blockchain RPC Endpoint",
2367
- "shortDescription": {
2368
- "text": "Endpoint RPC blockchain hardcode (Solana mainnet, Infura Ethereum). Dans un package non-crypto, indique un potentiel canal C2 via blockchain."
2369
- },
2370
- "fullDescription": {
2371
- "text": "Endpoint RPC blockchain hardcode (Solana mainnet, Infura Ethereum). Dans un package non-crypto, indique un potentiel canal C2 via blockchain."
2372
- },
2373
- "helpUri": "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace",
2374
- "properties": {
2375
- "severity": "MEDIUM",
2376
- "confidence": "medium",
2377
- "mitre": "T1102"
2378
- }
2379
- },
2380
- {
2381
- "id": "MUADDIB-AST-059",
2382
- "name": "Systemd Service Persistence",
2383
- "shortDescription": {
2384
- "text": "Ecriture dans un chemin systemd (*.service, systemd/) ou execution de systemctl enable/start. Technique de persistence CanisterWorm (pgmon.service) et TeamPCP (sysmon.service). Aucun package npm legitime ne cree de services systemd."
2385
- },
2386
- "fullDescription": {
2387
- "text": "Ecriture dans un chemin systemd (*.service, systemd/) ou execution de systemctl enable/start. Technique de persistence CanisterWorm (pgmon.service) et TeamPCP (sysmon.service). Aucun package npm legitime ne cree de services systemd."
2388
- },
2389
- "helpUri": "https://research.jfrog.com/post/canister-worm/",
2390
- "properties": {
2391
- "severity": "CRITICAL",
2392
- "confidence": "high",
2393
- "mitre": "T1543.002"
2394
- }
2395
- },
2396
- {
2397
- "id": "MUADDIB-AST-061",
2398
- "name": "Python .pth Auto-Exec Persistence",
2399
- "shortDescription": {
2400
- "text": "Ecriture d'un fichier .pth detectee. Les fichiers .pth dans site-packages/ sont executes automatiquement par l'interpreteur Python au demarrage, sans import explicite. Technique de persistence LiteLLM/Checkmarx (litellm_init.pth) : le .pth contient du code Python base64-encode qui installe un stealer."
2401
- },
2402
- "fullDescription": {
2403
- "text": "Ecriture d'un fichier .pth detectee. Les fichiers .pth dans site-packages/ sont executes automatiquement par l'interpreteur Python au demarrage, sans import explicite. Technique de persistence LiteLLM/Checkmarx (litellm_init.pth) : le .pth contient du code Python base64-encode qui installe un stealer."
2404
- },
2405
- "helpUri": "https://blog.pypi.org/posts/2026-03-24-litellm-compromise/",
2406
- "properties": {
2407
- "severity": "CRITICAL",
2408
- "confidence": "high",
2409
- "mitre": "T1546.004"
2410
- }
2411
- },
2412
- {
2413
- "id": "MUADDIB-AST-060",
2414
- "name": "NPM Token Extraction via CLI",
2415
- "shortDescription": {
2416
- "text": "Execution de npm config get _authToken ou npm whoami — extraction programmatique de credentials npm. Pattern CanisterWorm findNpmTokens() utilise pour la propagation worm."
2417
- },
2418
- "fullDescription": {
2419
- "text": "Execution de npm config get _authToken ou npm whoami — extraction programmatique de credentials npm. Pattern CanisterWorm findNpmTokens() utilise pour la propagation worm."
2420
- },
2421
- "helpUri": "https://research.jfrog.com/post/canister-worm/",
2422
- "properties": {
2423
- "severity": "CRITICAL",
2424
- "confidence": "high",
2425
- "mitre": "T1552.001"
2426
- }
2427
- },
2428
- {
2429
- "id": "MUADDIB-SHELL-020",
2430
- "name": "Root Filesystem Wipe",
2431
- "shortDescription": {
2432
- "text": "Commande rm -rf / detectee — suppression de tout le systeme de fichiers. Pattern kamikaze.sh (CanisterWorm wiper ciblant Iran via timezone Asia/Tehran). Plus destructif que home_deletion."
2433
- },
2434
- "fullDescription": {
2435
- "text": "Commande rm -rf / detectee — suppression de tout le systeme de fichiers. Pattern kamikaze.sh (CanisterWorm wiper ciblant Iran via timezone Asia/Tehran). Plus destructif que home_deletion."
2436
- },
2437
- "helpUri": "https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran",
2438
- "properties": {
2439
- "severity": "CRITICAL",
2440
- "confidence": "high",
2441
- "mitre": "T1485"
2442
- }
2443
- },
2444
- {
2445
- "id": "MUADDIB-SHELL-021",
2446
- "name": "Process Memory Scanning",
2447
- "shortDescription": {
2448
- "text": "Acces a /proc/*/mem detecte — extraction de secrets depuis la memoire des processus. Technique TeamPCP credential stealer (Trivy v0.69.4) : scan des process Runner.Worker pour extraire les secrets CI/CD."
2449
- },
2450
- "fullDescription": {
2451
- "text": "Acces a /proc/*/mem detecte — extraction de secrets depuis la memoire des processus. Technique TeamPCP credential stealer (Trivy v0.69.4) : scan des process Runner.Worker pour extraire les secrets CI/CD."
2452
- },
2453
- "helpUri": "https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack",
2454
- "properties": {
2455
- "severity": "CRITICAL",
2456
- "confidence": "high",
2457
- "mitre": "T1003.007"
2458
- }
2459
- },
2460
- {
2461
- "id": "MUADDIB-COMPOUND-001",
2462
- "name": "Steganographic Payload + Crypto Decryption",
2463
- "shortDescription": {
2464
- "text": "Reference a un fichier binaire (.png/.jpg/.wasm) avec eval() combinee avec dechiffrement crypto (createDecipher). Chaine steganographique complete: payload cache dans un fichier binaire, dechiffre a runtime."
2465
- },
2466
- "fullDescription": {
2467
- "text": "Reference a un fichier binaire (.png/.jpg/.wasm) avec eval() combinee avec dechiffrement crypto (createDecipher). Chaine steganographique complete: payload cache dans un fichier binaire, dechiffre a runtime."
2468
- },
2469
- "helpUri": "https://attack.mitre.org/techniques/T1140/",
2470
- "properties": {
2471
- "severity": "CRITICAL",
2472
- "confidence": "high",
2473
- "mitre": "T1140"
2474
- }
2475
- },
2476
- {
2477
- "id": "MUADDIB-COMPOUND-002",
2478
- "name": "Lifecycle Hook on Typosquat Package",
2479
- "shortDescription": {
2480
- "text": "Script lifecycle (preinstall/postinstall) sur un package avec nom similaire a un package populaire. Vecteur classique de dependency confusion: le code s'execute automatiquement a l'installation."
2481
- },
2482
- "fullDescription": {
2483
- "text": "Script lifecycle (preinstall/postinstall) sur un package avec nom similaire a un package populaire. Vecteur classique de dependency confusion: le code s'execute automatiquement a l'installation."
2484
- },
2485
- "helpUri": "https://attack.mitre.org/techniques/T1195/002/",
2486
- "properties": {
2487
- "severity": "CRITICAL",
2488
- "confidence": "high",
2489
- "mitre": "T1195.002"
2490
- }
2491
- },
2492
- {
2493
- "id": "MUADDIB-COMPOUND-004",
2494
- "name": "Lifecycle Hook + Inline Node Execution",
2495
- "shortDescription": {
2496
- "text": "Script lifecycle avec execution inline Node.js (node -e). Le code s'execute automatiquement a npm install avec un payload inline."
2497
- },
2498
- "fullDescription": {
2499
- "text": "Script lifecycle avec execution inline Node.js (node -e). Le code s'execute automatiquement a npm install avec un payload inline."
2500
- },
2501
- "helpUri": "https://attack.mitre.org/techniques/T1059/007/",
2502
- "properties": {
2503
- "severity": "CRITICAL",
2504
- "confidence": "high",
2505
- "mitre": "T1059.007"
2506
- }
2507
- },
2508
- {
2509
- "id": "MUADDIB-COMPOUND-005",
2510
- "name": "Lifecycle Hook + Remote Code Loading",
2511
- "shortDescription": {
2512
- "text": "Script lifecycle avec require(http/https) pour charger du code distant. Le payload est telecharge et execute automatiquement a l'installation."
2513
- },
2514
- "fullDescription": {
2515
- "text": "Script lifecycle avec require(http/https) pour charger du code distant. Le payload est telecharge et execute automatiquement a l'installation."
2516
- },
2517
- "helpUri": "https://attack.mitre.org/techniques/T1105/",
2518
- "properties": {
2519
- "severity": "CRITICAL",
2520
- "confidence": "high",
2521
- "mitre": "T1105"
2522
- }
2523
- },
2524
- {
2525
- "id": "MUADDIB-COMPOUND-007",
2526
- "name": "Lifecycle Script Executes Malicious File",
2527
- "shortDescription": {
2528
- "text": "Un script lifecycle (preinstall/install/postinstall) reference un fichier JS local qui contient des menaces HIGH/CRITICAL. Indicateur fort de malware install-time: le fichier malveillant est cache derriere une indirection lifecycle."
2529
- },
2530
- "fullDescription": {
2531
- "text": "Un script lifecycle (preinstall/install/postinstall) reference un fichier JS local qui contient des menaces HIGH/CRITICAL. Indicateur fort de malware install-time: le fichier malveillant est cache derriere une indirection lifecycle."
2532
- },
2533
- "helpUri": "https://blog.phylum.io/shai-hulud-npm-worm",
2534
- "properties": {
2535
- "severity": "CRITICAL",
2536
- "confidence": "high",
2537
- "mitre": "T1204.002"
2538
- }
2539
- },
2540
- {
2541
- "id": "MUADDIB-COMPOUND-006",
2542
- "name": "WebSocket/MQTT Credential Exfiltration",
2543
- "shortDescription": {
2544
- "text": "Acces a une variable d'environnement sensible combine avec un sink reseau non-HTTP (WebSocket, MQTT, Socket.io) dans le meme fichier. Canal d'exfiltration furtif evitant les proxies HTTP."
2545
- },
2546
- "fullDescription": {
2547
- "text": "Acces a une variable d'environnement sensible combine avec un sink reseau non-HTTP (WebSocket, MQTT, Socket.io) dans le meme fichier. Canal d'exfiltration furtif evitant les proxies HTTP."
2548
- },
2549
- "helpUri": "https://attack.mitre.org/techniques/T1041/",
2550
- "properties": {
2551
- "severity": "CRITICAL",
2552
- "confidence": "high",
2553
- "mitre": "T1041"
2554
- }
2555
- },
2556
- {
2557
- "id": "MUADDIB-COMPOUND-008",
2558
- "name": "Uncaught Exception Handler Credential Exfiltration",
2559
- "shortDescription": {
2560
- "text": "process.on(\"uncaughtException\") combine avec acces aux variables d'environnement sensibles et appel reseau. Technique d'exfiltration silencieuse: le handler intercepte les erreurs pour envoyer les credentials a un serveur externe sans interruption du processus."
2561
- },
2562
- "fullDescription": {
2563
- "text": "process.on(\"uncaughtException\") combine avec acces aux variables d'environnement sensibles et appel reseau. Technique d'exfiltration silencieuse: le handler intercepte les erreurs pour envoyer les credentials a un serveur externe sans interruption du processus."
2564
- },
2565
- "helpUri": "https://attack.mitre.org/techniques/T1041/",
2566
- "properties": {
2567
- "severity": "CRITICAL",
2568
- "confidence": "high",
2569
- "mitre": "T1041"
2570
- }
2571
- },
2572
- {
2573
- "id": "MUADDIB-COMPOUND-009",
2574
- "name": "Lifecycle Hook + Suspicious Dataflow",
2575
- "shortDescription": {
2576
- "text": "Script lifecycle (preinstall/postinstall) combine avec un flux de donnees suspect (credential read → network send). Pattern classique d'exfiltration install-time."
2577
- },
2578
- "fullDescription": {
2579
- "text": "Script lifecycle (preinstall/postinstall) combine avec un flux de donnees suspect (credential read → network send). Pattern classique d'exfiltration install-time."
2580
- },
2581
- "helpUri": "https://attack.mitre.org/techniques/T1041/",
2582
- "properties": {
2583
- "severity": "HIGH",
2584
- "confidence": "high",
2585
- "mitre": "T1041"
2586
- }
2587
- },
2588
- {
2589
- "id": "MUADDIB-COMPOUND-010",
2590
- "name": "Lifecycle Hook + Dangerous Shell Execution",
2591
- "shortDescription": {
2592
- "text": "Script lifecycle combine avec execution de commande shell dangereuse (curl, wget, nc, bash). Injection de commande automatique a l'installation."
2593
- },
2594
- "fullDescription": {
2595
- "text": "Script lifecycle combine avec execution de commande shell dangereuse (curl, wget, nc, bash). Injection de commande automatique a l'installation."
2596
- },
2597
- "helpUri": "https://attack.mitre.org/techniques/T1059/004/",
2598
- "properties": {
2599
- "severity": "CRITICAL",
2600
- "confidence": "high",
2601
- "mitre": "T1059.004"
2602
- }
2603
- },
2604
- {
2605
- "id": "MUADDIB-COMPOUND-011",
2606
- "name": "Obfuscated Lifecycle Credential Access",
2607
- "shortDescription": {
2608
- "text": "Obfuscation + acces aux variables d'environnement sensibles + script lifecycle. Triple signal: le code est intentionnellement masque pour voler des credentials a l'installation."
2609
- },
2610
- "fullDescription": {
2611
- "text": "Obfuscation + acces aux variables d'environnement sensibles + script lifecycle. Triple signal: le code est intentionnellement masque pour voler des credentials a l'installation."
2612
- },
2613
- "helpUri": "https://attack.mitre.org/techniques/T1027/",
2614
- "properties": {
2615
- "severity": "HIGH",
2616
- "confidence": "high",
2617
- "mitre": "T1027"
2618
- }
2619
- },
2620
- {
2621
- "id": "MUADDIB-FLOW-005",
2622
- "name": "Non-HTTP Network Module Sink",
2623
- "shortDescription": {
2624
- "text": "Utilisation d'un module reseau non-HTTP (ws, mqtt, socket.io) comme sink de donnees. Ces modules sont rarement utilises dans les packages benins et peuvent indiquer un canal d'exfiltration furtif."
2625
- },
2626
- "fullDescription": {
2627
- "text": "Utilisation d'un module reseau non-HTTP (ws, mqtt, socket.io) comme sink de donnees. Ces modules sont rarement utilises dans les packages benins et peuvent indiquer un canal d'exfiltration furtif."
2628
- },
2629
- "helpUri": "https://attack.mitre.org/techniques/T1071/",
2630
- "properties": {
2631
- "severity": "MEDIUM",
2632
- "confidence": "medium",
2633
- "mitre": "T1071"
2634
- }
2635
- },
2636
- {
2637
- "id": "MUADDIB-AST-062",
2638
- "name": "Reflect.apply(require) Bypass",
2639
- "shortDescription": {
2640
- "text": "Reflect.apply(require, null, [module]) detecte — contourne la detection statique de require() en passant par l'API Reflect. Permet de charger child_process/fs/net sans appel require() direct."
2641
- },
2642
- "fullDescription": {
2643
- "text": "Reflect.apply(require, null, [module]) detecte — contourne la detection statique de require() en passant par l'API Reflect. Permet de charger child_process/fs/net sans appel require() direct."
2644
- },
2645
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Reflect/apply",
2646
- "properties": {
2647
- "severity": "CRITICAL",
2648
- "confidence": "high",
2649
- "mitre": "T1059"
2650
- }
2651
- },
2652
- {
2653
- "id": "MUADDIB-AST-063",
2654
- "name": "FinalizationRegistry Deferred Execution",
2655
- "shortDescription": {
2656
- "text": "new FinalizationRegistry() avec callback contenant child_process/exec/spawn. Le callback s'execute apres le garbage collection, hors du flux d'execution normal — technique d'evasion sandbox qui differe l'execution malveillante."
2657
- },
2658
- "fullDescription": {
2659
- "text": "new FinalizationRegistry() avec callback contenant child_process/exec/spawn. Le callback s'execute apres le garbage collection, hors du flux d'execution normal — technique d'evasion sandbox qui differe l'execution malveillante."
2660
- },
2661
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/FinalizationRegistry",
2662
- "properties": {
2663
- "severity": "CRITICAL",
2664
- "confidence": "high",
2665
- "mitre": "T1497.003"
2666
- }
2667
- },
2668
- {
2669
- "id": "MUADDIB-AST-064",
2670
- "name": "Function via Prototype Chain",
2671
- "shortDescription": {
2672
- "text": "(function(){}).constructor(code) ou [].constructor.constructor(code) detecte — acces au constructeur Function via la chaine de prototypes, contourne les detections de new Function() et eval()."
2673
- },
2674
- "fullDescription": {
2675
- "text": "(function(){}).constructor(code) ou [].constructor.constructor(code) detecte — acces au constructeur Function via la chaine de prototypes, contourne les detections de new Function() et eval()."
2676
- },
2677
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function",
2678
- "properties": {
2679
- "severity": "CRITICAL",
2680
- "confidence": "high",
2681
- "mitre": "T1059"
2682
- }
2683
- },
2684
- {
2685
- "id": "MUADDIB-AST-065",
2686
- "name": "Prototype Pollution",
2687
- "shortDescription": {
2688
- "text": "__defineGetter__, __defineSetter__ ou assignation __proto__ detectee — pollution de prototype permettant de detourner les proprietes heritees de tous les objets. Vecteur d'escalade pour injecter du code dans des chemins d'execution inattendus."
2689
- },
2690
- "fullDescription": {
2691
- "text": "__defineGetter__, __defineSetter__ ou assignation __proto__ detectee — pollution de prototype permettant de detourner les proprietes heritees de tous les objets. Vecteur d'escalade pour injecter du code dans des chemins d'execution inattendus."
2692
- },
2693
- "helpUri": "https://portswigger.net/web-security/prototype-pollution",
2694
- "properties": {
2695
- "severity": "HIGH",
2696
- "confidence": "high",
2697
- "mitre": "T1574"
2698
- }
2699
- },
2700
- {
2701
- "id": "MUADDIB-AST-066",
2702
- "name": "Module.wrap Override",
2703
- "shortDescription": {
2704
- "text": "Module.wrap = ... detecte — remplacement de la fonction wrapper du module loader Node.js. Permet d'injecter du code dans CHAQUE module charge apres le remplacement, technique de persistence systemique."
2705
- },
2706
- "fullDescription": {
2707
- "text": "Module.wrap = ... detecte — remplacement de la fonction wrapper du module loader Node.js. Permet d'injecter du code dans CHAQUE module charge apres le remplacement, technique de persistence systemique."
2708
- },
2709
- "helpUri": "https://nodejs.org/api/modules.html",
2710
- "properties": {
2711
- "severity": "CRITICAL",
2712
- "confidence": "high",
2713
- "mitre": "T1574.006"
2714
- }
2715
- },
2716
- {
2717
- "id": "MUADDIB-AST-067",
2718
- "name": "Symbol Property Hiding",
2719
- "shortDescription": {
2720
- "text": "obj[Symbol(...)] = require(module_dangereux) detecte — dissimulation de modules dangereux derriere des proprietes Symbol, invisibles a Object.keys() et JSON.stringify(). Technique anti-forensics."
2721
- },
2722
- "fullDescription": {
2723
- "text": "obj[Symbol(...)] = require(module_dangereux) detecte — dissimulation de modules dangereux derriere des proprietes Symbol, invisibles a Object.keys() et JSON.stringify(). Technique anti-forensics."
2724
- },
2725
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Symbol",
2726
- "properties": {
2727
- "severity": "HIGH",
2728
- "confidence": "high",
2729
- "mitre": "T1564"
2730
- }
2731
- },
2732
- {
2733
- "id": "MUADDIB-AST-068",
2734
- "name": "WithStatement Dangerous Body",
2735
- "shortDescription": {
2736
- "text": "with() statement dont le body contient require/exec/spawn/child_process — injection de scope pour obscurcir les appels dangereux. Le with() rend tous les identifiants ambigus, empechant l'analyse statique de tracer les appels."
2737
- },
2738
- "fullDescription": {
2739
- "text": "with() statement dont le body contient require/exec/spawn/child_process — injection de scope pour obscurcir les appels dangereux. Le with() rend tous les identifiants ambigus, empechant l'analyse statique de tracer les appels."
2740
- },
2741
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/with",
2742
- "properties": {
2743
- "severity": "HIGH",
2744
- "confidence": "high",
2745
- "mitre": "T1027"
2746
- }
2747
- },
2748
- {
2749
- "id": "MUADDIB-AST-069",
2750
- "name": "require(\"process\").mainModule Bypass",
2751
- "shortDescription": {
2752
- "text": "require(\"process\").mainModule.require() detecte — acces indirect au mainModule via require(\"process\") au lieu de l'objet global process. Contourne la detection de process.mainModule.require() qui ne surveille que l'identifiant \"process\"."
2753
- },
2754
- "fullDescription": {
2755
- "text": "require(\"process\").mainModule.require() detecte — acces indirect au mainModule via require(\"process\") au lieu de l'objet global process. Contourne la detection de process.mainModule.require() qui ne surveille que l'identifiant \"process\"."
2756
- },
2757
- "helpUri": "https://nodejs.org/api/process.html",
2758
- "properties": {
2759
- "severity": "CRITICAL",
2760
- "confidence": "high",
2761
- "mitre": "T1059"
2762
- }
2763
- },
2764
- {
2765
- "id": "MUADDIB-AST-070",
2766
- "name": "Shared Memory IPC",
2767
- "shortDescription": {
2768
- "text": "SharedArrayBuffer + Worker Thread detectes — canal IPC memoire partagee qui contourne la surveillance des messages inter-threads."
2769
- },
2770
- "fullDescription": {
2771
- "text": "SharedArrayBuffer + Worker Thread detectes — canal IPC memoire partagee qui contourne la surveillance des messages inter-threads."
2772
- },
2773
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer",
2774
- "properties": {
2775
- "severity": "MEDIUM",
2776
- "confidence": "medium",
2777
- "mitre": "T1559"
2778
- }
2779
- },
2780
- {
2781
- "id": "MUADDIB-AST-071",
2782
- "name": "WebSocket C2 Channel",
2783
- "shortDescription": {
2784
- "text": "Connexion WebSocket vers un domaine suspect ou avec execution dynamique — canal C2 bidirectionnel persistant."
2785
- },
2786
- "fullDescription": {
2787
- "text": "Connexion WebSocket vers un domaine suspect ou avec execution dynamique — canal C2 bidirectionnel persistant."
2788
- },
2789
- "helpUri": "https://attack.mitre.org/techniques/T1071.001/",
2790
- "properties": {
2791
- "severity": "HIGH",
2792
- "confidence": "high",
2793
- "mitre": "T1071.001"
2794
- }
2795
- },
2796
- {
2797
- "id": "MUADDIB-AST-072",
2798
- "name": "UDP Data Exfiltration",
2799
- "shortDescription": {
2800
- "text": "Module dgram (UDP) avec envoi de donnees — exfiltration via protocole UDP qui contourne les firewalls HTTP."
2801
- },
2802
- "fullDescription": {
2803
- "text": "Module dgram (UDP) avec envoi de donnees — exfiltration via protocole UDP qui contourne les firewalls HTTP."
2804
- },
2805
- "helpUri": "https://nodejs.org/api/dgram.html",
2806
- "properties": {
2807
- "severity": "HIGH",
2808
- "confidence": "high",
2809
- "mitre": "T1048.003"
2810
- }
2811
- },
2812
- {
2813
- "id": "MUADDIB-AST-073",
2814
- "name": "Native Addon Installation",
2815
- "shortDescription": {
2816
- "text": "binding.gyp present avec script lifecycle non-standard — compilation native potentiellement malveillante a l'installation."
2817
- },
2818
- "fullDescription": {
2819
- "text": "binding.gyp present avec script lifecycle non-standard — compilation native potentiellement malveillante a l'installation."
2820
- },
2821
- "helpUri": "https://nodejs.org/api/addons.html",
2822
- "properties": {
2823
- "severity": "HIGH",
2824
- "confidence": "medium",
2825
- "mitre": "T1195.002"
2826
- }
2827
- },
2828
- {
2829
- "id": "MUADDIB-AST-074",
2830
- "name": "String Mutation Obfuscation",
2831
- "shortDescription": {
2832
- "text": "Chaine de 3+ appels .replace() pour reconstruire des noms d'API dangereuses — technique leet-speak/substitution pour contourner la detection statique."
2833
- },
2834
- "fullDescription": {
2835
- "text": "Chaine de 3+ appels .replace() pour reconstruire des noms d'API dangereuses — technique leet-speak/substitution pour contourner la detection statique."
2836
- },
2837
- "helpUri": "https://attack.mitre.org/techniques/T1027/",
2838
- "properties": {
2839
- "severity": "HIGH",
2840
- "confidence": "high",
2841
- "mitre": "T1027"
2842
- }
2843
- },
2844
- {
2845
- "id": "MUADDIB-SHELL-023",
2846
- "name": "Crontab/Cron Write",
2847
- "shortDescription": {
2848
- "text": "Ecriture dans les fichiers cron (/etc/cron*, crontab, /var/spool/cron) — persistence via tache planifiee."
2849
- },
2850
- "fullDescription": {
2851
- "text": "Ecriture dans les fichiers cron (/etc/cron*, crontab, /var/spool/cron) — persistence via tache planifiee."
2852
- },
2853
- "helpUri": "https://attack.mitre.org/techniques/T1053.003/",
2854
- "properties": {
2855
- "severity": "CRITICAL",
2856
- "confidence": "high",
2857
- "mitre": "T1053.003"
2858
- }
2859
- },
2860
- {
2861
- "id": "MUADDIB-SCORE-001",
2862
- "name": "Isolated Suspicious File",
2863
- "shortDescription": {
2864
- "text": "Un seul fichier suspect parmi 10+ fichiers propres — pattern de dissimulation ou le code malveillant est cache dans un package legitime."
2865
- },
2866
- "fullDescription": {
2867
- "text": "Un seul fichier suspect parmi 10+ fichiers propres — pattern de dissimulation ou le code malveillant est cache dans un package legitime."
2868
- },
2869
- "helpUri": "https://attack.mitre.org/techniques/T1036/",
2870
- "properties": {
2871
- "severity": "MEDIUM",
2872
- "confidence": "medium",
2873
- "mitre": "T1036"
2874
- }
2875
- },
2876
- {
2877
- "id": "MUADDIB-SCORE-002",
2878
- "name": "Deeply Nested Suspicious File",
2879
- "shortDescription": {
2880
- "text": "Pattern suspect detecte dans un fichier profondement imbrique (profondeur > 3) — technique de dissimulation dans l'arborescence du package."
2881
- },
2882
- "fullDescription": {
2883
- "text": "Pattern suspect detecte dans un fichier profondement imbrique (profondeur > 3) — technique de dissimulation dans l'arborescence du package."
2884
- },
2885
- "helpUri": "https://attack.mitre.org/techniques/T1036.005/",
2886
- "properties": {
2887
- "severity": "LOW",
2888
- "confidence": "low",
2889
- "mitre": "T1036.005"
2890
- }
2891
- },
2892
- {
2893
- "id": "MUADDIB-AST-075",
2894
- "name": "Module Internals Hijack",
2895
- "shortDescription": {
2896
- "text": "Assignation a Module._resolveFilename, _compile ou _extensions — detournement des mecanismes internes du systeme de modules Node.js. Tous les require() subsequents peuvent etre interceptes."
2897
- },
2898
- "fullDescription": {
2899
- "text": "Assignation a Module._resolveFilename, _compile ou _extensions — detournement des mecanismes internes du systeme de modules Node.js. Tous les require() subsequents peuvent etre interceptes."
2900
- },
2901
- "helpUri": "https://nodejs.org/api/modules.html",
2902
- "properties": {
2903
- "severity": "CRITICAL",
2904
- "confidence": "high",
2905
- "mitre": "T1574.006"
2906
- }
2907
- },
2908
- {
2909
- "id": "MUADDIB-AST-076",
2910
- "name": "JSON Reviver Prototype Pollution",
2911
- "shortDescription": {
2912
- "text": "JSON.parse avec fonction reviver accedant a __proto__ ou prototype — pollution de prototype via donnees JSON non fiables."
2913
- },
2914
- "fullDescription": {
2915
- "text": "JSON.parse avec fonction reviver accedant a __proto__ ou prototype — pollution de prototype via donnees JSON non fiables."
2916
- },
2917
- "helpUri": "https://portswigger.net/web-security/prototype-pollution",
2918
- "properties": {
2919
- "severity": "HIGH",
2920
- "confidence": "high",
2921
- "mitre": "T1059.007"
2922
- }
2923
- },
2924
- {
2925
- "id": "MUADDIB-AST-077",
2926
- "name": "VM Dynamic Code Execution",
2927
- "shortDescription": {
2928
- "text": "vm.runInContext/runInNewContext/compileFunction avec code construit dynamiquement — evasion du sandbox via code genere au runtime."
2929
- },
2930
- "fullDescription": {
2931
- "text": "vm.runInContext/runInNewContext/compileFunction avec code construit dynamiquement — evasion du sandbox via code genere au runtime."
2932
- },
2933
- "helpUri": "https://nodejs.org/api/vm.html",
2934
- "properties": {
2935
- "severity": "CRITICAL",
2936
- "confidence": "high",
2937
- "mitre": "T1059.007"
2938
- }
2939
- },
2940
- {
2941
- "id": "MUADDIB-AST-078",
2942
- "name": "Callback Remote Code Execution",
2943
- "shortDescription": {
2944
- "text": "exec/spawn dans un callback .on('message') ou .on('data') avec child_process — execution de commandes a distance depuis un flux reseau."
2945
- },
2946
- "fullDescription": {
2947
- "text": "exec/spawn dans un callback .on('message') ou .on('data') avec child_process — execution de commandes a distance depuis un flux reseau."
2948
- },
2949
- "helpUri": "https://attack.mitre.org/techniques/T1059/",
2950
- "properties": {
2951
- "severity": "CRITICAL",
2952
- "confidence": "high",
2953
- "mitre": "T1059"
2954
- }
2955
- },
2956
- {
2957
- "id": "MUADDIB-AST-079",
2958
- "name": "Steganographic Binary Execution",
2959
- "shortDescription": {
2960
- "text": "Lecture de fichier binaire/image (PNG, JPG) + execution dynamique (eval/Function) — extraction et execution de payload steganographique."
2961
- },
2962
- "fullDescription": {
2963
- "text": "Lecture de fichier binaire/image (PNG, JPG) + execution dynamique (eval/Function) — extraction et execution de payload steganographique."
2964
- },
2965
- "helpUri": "https://attack.mitre.org/techniques/T1027.003/",
2966
- "properties": {
2967
- "severity": "CRITICAL",
2968
- "confidence": "high",
2969
- "mitre": "T1027.003"
2970
- }
2971
- },
2972
- {
2973
- "id": "MUADDIB-AST-080",
2974
- "name": "AsyncLocalStorage Context Execution",
2975
- "shortDescription": {
2976
- "text": "AsyncLocalStorage + execution dynamique — code malveillant cache dans un contexte asynchrone, echappe a l'analyse de pile d'appels synchrone."
2977
- },
2978
- "fullDescription": {
2979
- "text": "AsyncLocalStorage + execution dynamique — code malveillant cache dans un contexte asynchrone, echappe a l'analyse de pile d'appels synchrone."
2980
- },
2981
- "helpUri": "https://nodejs.org/api/async_context.html",
2982
- "properties": {
2983
- "severity": "HIGH",
2984
- "confidence": "medium",
2985
- "mitre": "T1059.007"
2986
- }
2987
- },
2988
- {
2989
- "id": "MUADDIB-AST-081",
2990
- "name": "Prototype Chain Constructor Access",
2991
- "shortDescription": {
2992
- "text": "Object.getPrototypeOf(variable).constructor extrait dans une variable — traversee de la chaine de prototypes pour atteindre le constructeur Function et executer du code arbitraire."
2993
- },
2994
- "fullDescription": {
2995
- "text": "Object.getPrototypeOf(variable).constructor extrait dans une variable — traversee de la chaine de prototypes pour atteindre le constructeur Function et executer du code arbitraire."
2996
- },
2997
- "helpUri": "https://attack.mitre.org/techniques/T1059.007/",
2998
- "properties": {
2999
- "severity": "CRITICAL",
3000
- "confidence": "high",
3001
- "mitre": "T1059.007"
3002
- }
3003
- },
3004
- {
3005
- "id": "MUADDIB-AST-082",
3006
- "name": "CI Environment Fingerprinting",
3007
- "shortDescription": {
3008
- "text": "References a 3+ variables d'environnement de fournisseurs CI (GITHUB_ACTIONS, GITLAB_CI, etc.) — sondage d'environnement CI pour activation conditionnelle de payload."
3009
- },
3010
- "fullDescription": {
3011
- "text": "References a 3+ variables d'environnement de fournisseurs CI (GITHUB_ACTIONS, GITLAB_CI, etc.) — sondage d'environnement CI pour activation conditionnelle de payload."
3012
- },
3013
- "helpUri": "https://attack.mitre.org/techniques/T1082/",
3014
- "properties": {
3015
- "severity": "HIGH",
3016
- "confidence": "medium",
3017
- "mitre": "T1082"
3018
- }
3019
- },
3020
- {
3021
- "id": "MUADDIB-AST-083",
3022
- "name": "Proxy GlobalThis Interception",
3023
- "shortDescription": {
3024
- "text": "new Proxy(globalThis/global/window/self) — intercepts all global scope access, enabling transparent hooking of eval/Function/require."
3025
- },
3026
- "fullDescription": {
3027
- "text": "new Proxy(globalThis/global/window/self) — intercepts all global scope access, enabling transparent hooking of eval/Function/require."
3028
- },
3029
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy",
3030
- "properties": {
3031
- "severity": "CRITICAL",
3032
- "confidence": "high",
3033
- "mitre": "T1574"
3034
- }
3035
- },
3036
- {
3037
- "id": "MUADDIB-AST-084",
3038
- "name": "Reflect.apply Prototype Method Code Execution",
3039
- "shortDescription": {
3040
- "text": "Reflect.apply(Function.prototype.bind/call/apply, Function, [...]) — indirect code execution via Reflect with prototype method as target."
3041
- },
3042
- "fullDescription": {
3043
- "text": "Reflect.apply(Function.prototype.bind/call/apply, Function, [...]) — indirect code execution via Reflect with prototype method as target."
3044
- },
3045
- "helpUri": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Reflect/apply",
3046
- "properties": {
3047
- "severity": "CRITICAL",
3048
- "confidence": "high",
3049
- "mitre": "T1059"
3050
- }
3051
- },
3052
- {
3053
- "id": "MUADDIB-PKG-017",
3054
- "name": "Phantom Lifecycle Script",
3055
- "shortDescription": {
3056
- "text": "Script lifecycle (preinstall/install) reference un fichier qui n'existe pas dans le package — script fantome, le payload peut etre injecte au moment de la publication."
3057
- },
3058
- "fullDescription": {
3059
- "text": "Script lifecycle (preinstall/install) reference un fichier qui n'existe pas dans le package — script fantome, le payload peut etre injecte au moment de la publication."
3060
- },
3061
- "helpUri": "https://attack.mitre.org/techniques/T1195.002/",
3062
- "properties": {
3063
- "severity": "CRITICAL",
3064
- "confidence": "high",
3065
- "mitre": "T1195.002"
3066
- }
3067
- }
3068
- ]
3069
- }
3070
- },
3071
- "properties": {},
3072
- "results": [
3073
- {
3074
- "ruleId": "MUADDIB-AST-006",
3075
- "level": "note",
3076
- "message": {
3077
- "text": "Dynamic require() with member expression argument (object property obfuscation)."
3078
- },
3079
- "locations": [
3080
- {
3081
- "physicalLocation": {
3082
- "artifactLocation": {
3083
- "uri": "scripts/benchmark.js",
3084
- "uriBaseId": "%SRCROOT%"
3085
- },
3086
- "region": {
3087
- "startLine": 1
3088
- }
3089
- }
3090
- }
3091
- ],
3092
- "properties": {
3093
- "confidence": "high",
3094
- "mitre": "T1027"
3095
- }
3096
- },
3097
- {
3098
- "ruleId": "MUADDIB-AST-041",
3099
- "level": "note",
3100
- "message": {
3101
- "text": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
3102
- },
3103
- "locations": [
3104
- {
3105
- "physicalLocation": {
3106
- "artifactLocation": {
3107
- "uri": "scripts/sample-npm-random.js",
3108
- "uriBaseId": "%SRCROOT%"
3109
- },
3110
- "region": {
3111
- "startLine": 1
3112
- }
3113
- }
3114
- }
3115
- ],
3116
- "properties": {
3117
- "confidence": "high",
3118
- "mitre": "T1552"
3119
- }
3120
- },
3121
- {
3122
- "ruleId": "MUADDIB-AST-041",
3123
- "level": "note",
3124
- "message": {
3125
- "text": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
3126
- },
3127
- "locations": [
3128
- {
3129
- "physicalLocation": {
3130
- "artifactLocation": {
3131
- "uri": "src/commands/evaluate.js",
3132
- "uriBaseId": "%SRCROOT%"
3133
- },
3134
- "region": {
3135
- "startLine": 1
3136
- }
3137
- }
3138
- }
3139
- ],
3140
- "properties": {
3141
- "confidence": "high",
3142
- "mitre": "T1552"
3143
- }
3144
- },
3145
- {
3146
- "ruleId": "MUADDIB-AST-028",
3147
- "level": "error",
3148
- "message": {
3149
- "text": "Git hook injection: writeFileSync() writes to .git/hooks/. Persistence technique."
3150
- },
3151
- "locations": [
3152
- {
3153
- "physicalLocation": {
3154
- "artifactLocation": {
3155
- "uri": "src/commands/hooks-init.js",
3156
- "uriBaseId": "%SRCROOT%"
3157
- },
3158
- "region": {
3159
- "startLine": 1
3160
- }
3161
- }
3162
- }
3163
- ],
3164
- "properties": {
3165
- "confidence": "high",
3166
- "mitre": "T1546.004"
3167
- }
3168
- },
3169
- {
3170
- "ruleId": "MUADDIB-AST-041",
3171
- "level": "note",
3172
- "message": {
3173
- "text": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
3174
- },
3175
- "locations": [
3176
- {
3177
- "physicalLocation": {
3178
- "artifactLocation": {
3179
- "uri": "src/intent-graph.js",
3180
- "uriBaseId": "%SRCROOT%"
3181
- },
3182
- "region": {
3183
- "startLine": 1
3184
- }
3185
- }
3186
- }
3187
- ],
3188
- "properties": {
3189
- "confidence": "high",
3190
- "mitre": "T1552"
3191
- }
3192
- },
3193
- {
3194
- "ruleId": "MUADDIB-AST-002",
3195
- "level": "error",
3196
- "message": {
3197
- "text": "Access to sensitive variable process.env.ANTHROPIC_API_KEY."
3198
- },
3199
- "locations": [
3200
- {
3201
- "physicalLocation": {
3202
- "artifactLocation": {
3203
- "uri": "src/ml/llm-detective.js",
3204
- "uriBaseId": "%SRCROOT%"
3205
- },
3206
- "region": {
3207
- "startLine": 1
3208
- }
3209
- }
3210
- }
3211
- ],
3212
- "properties": {
3213
- "confidence": "high",
3214
- "mitre": "T1552.001"
3215
- }
3216
- },
3217
- {
3218
- "ruleId": "MUADDIB-AST-041",
3219
- "level": "note",
3220
- "message": {
3221
- "text": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
3222
- },
3223
- "locations": [
3224
- {
3225
- "physicalLocation": {
3226
- "artifactLocation": {
3227
- "uri": "src/ml/llm-detective.js",
3228
- "uriBaseId": "%SRCROOT%"
3229
- },
3230
- "region": {
3231
- "startLine": 1
3232
- }
3233
- }
3234
- }
3235
- ],
3236
- "properties": {
3237
- "confidence": "high",
3238
- "mitre": "T1552"
3239
- }
3240
- },
3241
- {
3242
- "ruleId": "MUADDIB-AST-001",
3243
- "level": "note",
3244
- "message": {
3245
- "text": "Reference to \".npmrc\" detected."
3246
- },
3247
- "locations": [
3248
- {
3249
- "physicalLocation": {
3250
- "artifactLocation": {
3251
- "uri": "src/ml/llm-detective.js",
3252
- "uriBaseId": "%SRCROOT%"
3253
- },
3254
- "region": {
3255
- "startLine": 1
3256
- }
3257
- }
3258
- }
3259
- ],
3260
- "properties": {
3261
- "confidence": "medium",
3262
- "mitre": "T1552.001"
3263
- }
3264
- },
3265
- {
3266
- "ruleId": "MUADDIB-AST-001",
3267
- "level": "note",
3268
- "message": {
3269
- "text": "Reference to \".ssh\" detected."
3270
- },
3271
- "locations": [
3272
- {
3273
- "physicalLocation": {
3274
- "artifactLocation": {
3275
- "uri": "src/ml/llm-detective.js",
3276
- "uriBaseId": "%SRCROOT%"
3277
- },
3278
- "region": {
3279
- "startLine": 1
3280
- }
3281
- }
3282
- }
3283
- ],
3284
- "properties": {
3285
- "confidence": "medium",
3286
- "mitre": "T1552.001"
3287
- }
3288
- },
3289
- {
3290
- "ruleId": "MUADDIB-AST-001",
3291
- "level": "note",
3292
- "message": {
3293
- "text": "Reference to \"/etc/passwd\" detected."
3294
- },
3295
- "locations": [
3296
- {
3297
- "physicalLocation": {
3298
- "artifactLocation": {
3299
- "uri": "src/ml/llm-detective.js",
3300
- "uriBaseId": "%SRCROOT%"
3301
- },
3302
- "region": {
3303
- "startLine": 1
3304
- }
3305
- }
3306
- }
3307
- ],
3308
- "properties": {
3309
- "confidence": "medium",
3310
- "mitre": "T1552.001"
3311
- }
3312
- },
3313
- {
3314
- "ruleId": "MUADDIB-AST-002",
3315
- "level": "error",
3316
- "message": {
3317
- "text": "Access to sensitive variable process.env.ANTHROPIC_API_KEY."
3318
- },
3319
- "locations": [
3320
- {
3321
- "physicalLocation": {
3322
- "artifactLocation": {
3323
- "uri": "src/monitor/classify.js",
3324
- "uriBaseId": "%SRCROOT%"
3325
- },
3326
- "region": {
3327
- "startLine": 1
3328
- }
3329
- }
3330
- }
3331
- ],
3332
- "properties": {
3333
- "confidence": "high",
3334
- "mitre": "T1552.001"
3335
- }
3336
- },
3337
- {
3338
- "ruleId": "MUADDIB-AST-041",
3339
- "level": "note",
3340
- "message": {
3341
- "text": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
3342
- },
3343
- "locations": [
3344
- {
3345
- "physicalLocation": {
3346
- "artifactLocation": {
3347
- "uri": "src/monitor/classify.js",
3348
- "uriBaseId": "%SRCROOT%"
3349
- },
3350
- "region": {
3351
- "startLine": 1
3352
- }
3353
- }
3354
- }
3355
- ],
3356
- "properties": {
3357
- "confidence": "high",
3358
- "mitre": "T1552"
3359
- }
3360
- },
3361
- {
3362
- "ruleId": "MUADDIB-AST-002",
3363
- "level": "error",
3364
- "message": {
3365
- "text": "Access to sensitive variable process.env.ANTHROPIC_API_KEY."
3366
- },
3367
- "locations": [
3368
- {
3369
- "physicalLocation": {
3370
- "artifactLocation": {
3371
- "uri": "src/monitor/daemon.js",
3372
- "uriBaseId": "%SRCROOT%"
3373
- },
3374
- "region": {
3375
- "startLine": 1
3376
- }
3377
- }
3378
- }
3379
- ],
3380
- "properties": {
3381
- "confidence": "high",
3382
- "mitre": "T1552.001"
3383
- }
3384
- },
3385
- {
3386
- "ruleId": "MUADDIB-AST-041",
3387
- "level": "note",
3388
- "message": {
3389
- "text": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
3390
- },
3391
- "locations": [
3392
- {
3393
- "physicalLocation": {
3394
- "artifactLocation": {
3395
- "uri": "src/monitor/queue.js",
3396
- "uriBaseId": "%SRCROOT%"
3397
- },
3398
- "region": {
3399
- "startLine": 1
3400
- }
3401
- }
3402
- }
3403
- ],
3404
- "properties": {
3405
- "confidence": "high",
3406
- "mitre": "T1552"
3407
- }
3408
- },
3409
- {
3410
- "ruleId": "MUADDIB-AST-041",
3411
- "level": "note",
3412
- "message": {
3413
- "text": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
3414
- },
3415
- "locations": [
3416
- {
3417
- "physicalLocation": {
3418
- "artifactLocation": {
3419
- "uri": "src/monitor/temporal.js",
3420
- "uriBaseId": "%SRCROOT%"
3421
- },
3422
- "region": {
3423
- "startLine": 1
3424
- }
3425
- }
3426
- }
3427
- ],
3428
- "properties": {
3429
- "confidence": "high",
3430
- "mitre": "T1552"
3431
- }
3432
- },
3433
- {
3434
- "ruleId": "MUADDIB-AST-001",
3435
- "level": "note",
3436
- "message": {
3437
- "text": "Reference to \".npmrc\" detected."
3438
- },
3439
- "locations": [
3440
- {
3441
- "physicalLocation": {
3442
- "artifactLocation": {
3443
- "uri": "src/rules/index.js",
3444
- "uriBaseId": "%SRCROOT%"
3445
- },
3446
- "region": {
3447
- "startLine": 1
3448
- }
3449
- }
3450
- }
3451
- ],
3452
- "properties": {
3453
- "confidence": "medium",
3454
- "mitre": "T1552.001"
3455
- }
3456
- },
3457
- {
3458
- "ruleId": "MUADDIB-AST-001",
3459
- "level": "note",
3460
- "message": {
3461
- "text": "Reference to \".ssh\" detected."
3462
- },
3463
- "locations": [
3464
- {
3465
- "physicalLocation": {
3466
- "artifactLocation": {
3467
- "uri": "src/rules/index.js",
3468
- "uriBaseId": "%SRCROOT%"
3469
- },
3470
- "region": {
3471
- "startLine": 1
3472
- }
3473
- }
3474
- }
3475
- ],
3476
- "properties": {
3477
- "confidence": "medium",
3478
- "mitre": "T1552.001"
3479
- }
3480
- },
3481
- {
3482
- "ruleId": "MUADDIB-AST-001",
3483
- "level": "note",
3484
- "message": {
3485
- "text": "Reference to \"Shai-Hulud\" detected."
3486
- },
3487
- "locations": [
3488
- {
3489
- "physicalLocation": {
3490
- "artifactLocation": {
3491
- "uri": "src/rules/index.js",
3492
- "uriBaseId": "%SRCROOT%"
3493
- },
3494
- "region": {
3495
- "startLine": 1
3496
- }
3497
- }
3498
- }
3499
- ],
3500
- "properties": {
3501
- "confidence": "medium",
3502
- "mitre": "T1552.001"
3503
- }
3504
- },
3505
- {
3506
- "ruleId": "MUADDIB-AST-032",
3507
- "level": "error",
3508
- "message": {
3509
- "text": "Suspicious C2/exfiltration domain \"oastify.com\" found in string literal."
3510
- },
3511
- "locations": [
3512
- {
3513
- "physicalLocation": {
3514
- "artifactLocation": {
3515
- "uri": "src/rules/index.js",
3516
- "uriBaseId": "%SRCROOT%"
3517
- },
3518
- "region": {
3519
- "startLine": 1
3520
- }
3521
- }
3522
- }
3523
- ],
3524
- "properties": {
3525
- "confidence": "high",
3526
- "mitre": "T1071.001"
3527
- }
3528
- },
3529
- {
3530
- "ruleId": "MUADDIB-AST-032",
3531
- "level": "warning",
3532
- "message": {
3533
- "text": "Suspicious tunnel/proxy domain \"ngrok.io\" found in string literal."
3534
- },
3535
- "locations": [
3536
- {
3537
- "physicalLocation": {
3538
- "artifactLocation": {
3539
- "uri": "src/rules/index.js",
3540
- "uriBaseId": "%SRCROOT%"
3541
- },
3542
- "region": {
3543
- "startLine": 1
3544
- }
3545
- }
3546
- }
3547
- ],
3548
- "properties": {
3549
- "confidence": "high",
3550
- "mitre": "T1071.001"
3551
- }
3552
- },
3553
- {
3554
- "ruleId": "MUADDIB-AST-035",
3555
- "level": "error",
3556
- "message": {
3557
- "text": "IDE persistence: writes tasks.json with auto-execution trigger (runOn/folderOpen). VS Code task persistence technique."
3558
- },
3559
- "locations": [
3560
- {
3561
- "physicalLocation": {
3562
- "artifactLocation": {
3563
- "uri": "src/rules/index.js",
3564
- "uriBaseId": "%SRCROOT%"
3565
- },
3566
- "region": {
3567
- "startLine": 1
3568
- }
3569
- }
3570
- }
3571
- ],
3572
- "properties": {
3573
- "confidence": "high",
3574
- "mitre": "T1546"
3575
- }
3576
- },
3577
- {
3578
- "ruleId": "MUADDIB-AST-041",
3579
- "level": "note",
3580
- "message": {
3581
- "text": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
3582
- },
3583
- "locations": [
3584
- {
3585
- "physicalLocation": {
3586
- "artifactLocation": {
3587
- "uri": "src/rules/index.js",
3588
- "uriBaseId": "%SRCROOT%"
3589
- },
3590
- "region": {
3591
- "startLine": 1
3592
- }
3593
- }
3594
- }
3595
- ],
3596
- "properties": {
3597
- "confidence": "high",
3598
- "mitre": "T1552"
3599
- }
3600
- },
3601
- {
3602
- "ruleId": "MUADDIB-AST-001",
3603
- "level": "note",
3604
- "message": {
3605
- "text": "Reference to \".npmrc\" detected."
3606
- },
3607
- "locations": [
3608
- {
3609
- "physicalLocation": {
3610
- "artifactLocation": {
3611
- "uri": "src/sandbox/index.js",
3612
- "uriBaseId": "%SRCROOT%"
3613
- },
3614
- "region": {
3615
- "startLine": 1
3616
- }
3617
- }
3618
- }
3619
- ],
3620
- "properties": {
3621
- "confidence": "medium",
3622
- "mitre": "T1552.001"
3623
- }
3624
- },
3625
- {
3626
- "ruleId": "MUADDIB-AST-041",
3627
- "level": "note",
3628
- "message": {
3629
- "text": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
3630
- },
3631
- "locations": [
3632
- {
3633
- "physicalLocation": {
3634
- "artifactLocation": {
3635
- "uri": "src/scoring.js",
3636
- "uriBaseId": "%SRCROOT%"
3637
- },
3638
- "region": {
3639
- "startLine": 1
3640
- }
3641
- }
3642
- }
3643
- ],
3644
- "properties": {
3645
- "confidence": "high",
3646
- "mitre": "T1552"
3647
- }
3648
- },
3649
- {
3650
- "ruleId": "MUADDIB-AST-074",
3651
- "level": "warning",
3652
- "message": {
3653
- "text": "4 chained .replace() calls detected — potential string mutation obfuscation (could not fully resolve)."
3654
- },
3655
- "locations": [
3656
- {
3657
- "physicalLocation": {
3658
- "artifactLocation": {
3659
- "uri": "src/shared/download.js",
3660
- "uriBaseId": "%SRCROOT%"
3661
- },
3662
- "region": {
3663
- "startLine": 1
3664
- }
3665
- }
3666
- }
3667
- ],
3668
- "properties": {
3669
- "confidence": "high",
3670
- "mitre": "T1027"
3671
- }
3672
- },
3673
- {
3674
- "ruleId": "MUADDIB-AST-074",
3675
- "level": "warning",
3676
- "message": {
3677
- "text": "5 chained .replace() calls detected — potential string mutation obfuscation (could not fully resolve)."
3678
- },
3679
- "locations": [
3680
- {
3681
- "physicalLocation": {
3682
- "artifactLocation": {
3683
- "uri": "src/shared/download.js",
3684
- "uriBaseId": "%SRCROOT%"
3685
- },
3686
- "region": {
3687
- "startLine": 1
3688
- }
3689
- }
3690
- }
3691
- ],
3692
- "properties": {
3693
- "confidence": "high",
3694
- "mitre": "T1027"
3695
- }
3696
- },
3697
- {
3698
- "ruleId": "MUADDIB-AST-074",
3699
- "level": "warning",
3700
- "message": {
3701
- "text": "4 chained .replace() calls detected — potential string mutation obfuscation (could not fully resolve)."
3702
- },
3703
- "locations": [
3704
- {
3705
- "physicalLocation": {
3706
- "artifactLocation": {
3707
- "uri": "src/utils.js",
3708
- "uriBaseId": "%SRCROOT%"
3709
- },
3710
- "region": {
3711
- "startLine": 1
3712
- }
3713
- }
3714
- }
3715
- ],
3716
- "properties": {
3717
- "confidence": "high",
3718
- "mitre": "T1027"
3719
- }
3720
- },
3721
- {
3722
- "ruleId": "MUADDIB-AST-074",
3723
- "level": "warning",
3724
- "message": {
3725
- "text": "5 chained .replace() calls detected — potential string mutation obfuscation (could not fully resolve)."
3726
- },
3727
- "locations": [
3728
- {
3729
- "physicalLocation": {
3730
- "artifactLocation": {
3731
- "uri": "src/utils.js",
3732
- "uriBaseId": "%SRCROOT%"
3733
- },
3734
- "region": {
3735
- "startLine": 1
3736
- }
3737
- }
3738
- }
3739
- ],
3740
- "properties": {
3741
- "confidence": "high",
3742
- "mitre": "T1027"
3743
- }
3744
- },
3745
- {
3746
- "ruleId": "MUADDIB-FLOW-001",
3747
- "level": "error",
3748
- "message": {
3749
- "text": "Suspicious flow: command output (child_process.spawnSync, child_process.spawnSync) + network send (get, get)"
3750
- },
3751
- "locations": [
3752
- {
3753
- "physicalLocation": {
3754
- "artifactLocation": {
3755
- "uri": "src/commands/safe-install.js",
3756
- "uriBaseId": "%SRCROOT%"
3757
- },
3758
- "region": {
3759
- "startLine": 1
3760
- }
3761
- }
3762
- }
3763
- ],
3764
- "properties": {
3765
- "confidence": "high",
3766
- "mitre": "T1041"
3767
- }
3768
- },
3769
- {
3770
- "ruleId": "MUADDIB-FLOW-001",
3771
- "level": "error",
3772
- "message": {
3773
- "text": "Suspicious flow: credentials read (ANTHROPIC_API_KEY, ANTHROPIC_API_KEY) + network send (fetch)"
3774
- },
3775
- "locations": [
3776
- {
3777
- "physicalLocation": {
3778
- "artifactLocation": {
3779
- "uri": "src/ml/llm-detective.js",
3780
- "uriBaseId": "%SRCROOT%"
3781
- },
3782
- "region": {
3783
- "startLine": 1
3784
- }
3785
- }
3786
- }
3787
- ],
3788
- "properties": {
3789
- "confidence": "high",
3790
- "mitre": "T1041"
3791
- }
3792
- }
3793
- ]
3794
- }
3795
- ]
3796
- }