muaddib-scanner 2.10.91 → 2.10.92

package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "muaddib-scanner",
3
- "version": "2.10.91",
3
+ "version": "2.10.92",
4
4
  "description": "Supply-chain threat detection & response for npm & PyPI/Python",
5
5
  "main": "src/index.js",
6
6
  "bin": {
@@ -57,7 +57,11 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
57
57
  'npm_token_steal', // exec("npm config get _authToken") (CanisterWorm findNpmTokens)
58
58
  'root_filesystem_wipe', // rm -rf / (CanisterWorm kamikaze.sh wiper T1485)
59
59
  'proc_mem_scan', // /proc/mem scanning (TeamPCP Trivy credential stealer)
60
- 'trusted_new_unknown_dependency' // TRUSTED package added unknown/new (<7d) dependency (account takeover)
60
+ 'trusted_new_unknown_dependency', // TRUSTED package added unknown/new (<7d) dependency (account takeover)
61
+ // v2.10.89: Security review findings — always malicious regardless of lifecycle
62
+ 'curl_env_exfil', // curl/wget + env/base64 in lifecycle (exfiltration)
63
+ 'function_constructor_require', // new Function.constructor("require") (RCE evasion)
64
+ 'newsletter_auto_follow' // Baileys WhatsApp newsletter hijack
61
65
  ]);
62
66
 
63
67
  // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall
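Review bot: Adding `newsletter_auto_follow` to `HIGH_CONFIDENCE_MALICE_TYPES` means a Baileys newsletter-follow call is scored as malicious regardless of lifecycle context, yet following a newsletter is a feature that a legitimate WhatsApp-bot wrapper could call; unlike `curl_env_exfil` and `function_constructor_require`, which only appear in attacker tooling, this one seems worth scoping (e.g. only when the follow target is hard-coded and fires on import) before it bypasses the score cap. The header comment also says `v2.10.89` while this diff is the 2.10.92 release, so either the tag is stale or this is a backport — a one-line note such as `// backported from 2.10.89 branch` would avoid confusion. This hunk is rendered under the `package.json` section header but is clearly a JS source file whose path is not visible here; the `HIGH_CONFIDENCE_MALICE_TYPES` declaration starts outside the hunk.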
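--- a/package/src/scoring.js
+++ b/package/src/scoring.js
@@ -966,7 +966,11 @@ function calculateRiskScore(deduped, intentResult) {
  );
  const _hasHC = deduped.some(t => HIGH_CONFIDENCE_MALICE_TYPES.has(t.type));
  const _hasCompound = deduped.some(t => t.compound === true);
- if (!_hasLifecycle && !_hasHC && !_hasCompound) {
+ // v2.10.89: staged_payload + suspicious_domain(HIGH) = confirmed C2 eval, bypass MT-1 cap
+ // json-spacer, reactvora: eval(data.content) from jsonkeeper.com is always malicious
+ const _hasStagedC2 = deduped.some(t => t.type === 'staged_payload') &&
+ deduped.some(t => t.type === 'suspicious_domain' && t.severity === 'HIGH');
+ if (!_hasLifecycle && !_hasHC && !_hasCompound && !_hasStagedC2) {
  riskScore = Math.min(riskScore, 35);
  }
 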
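Review bot: `_hasStagedC2` fires whenever a `staged_payload` finding and a HIGH `suspicious_domain` finding both exist anywhere in `deduped`, not when the same code path fetches from that domain and evaluates the response, so two unrelated findings in different files of a package will also lift the 35-point cap; if findings carry a file or location, requiring the two to share one would match the "confirmed C2 eval" rationale in the comment. The severity match is a strict `=== 'HIGH'` on a string, so if any emitter produces lowercase or enum severities the bypass silently never triggers — worth confirming against the producers of `suspicious_domain`. The comment tag reads `v2.10.89` although this is the 2.10.92 release; a line like `// MT-1 cap: findings below this bar are clamped to 35 (see threat-model note MT-1)` would also help readers who don't know what "MT-1" refers to. The enclosing `calculateRiskScore` starts well before this hunk and continues after it.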