muaddib-scanner 2.10.91 → 2.10.93

package/README.md

@@ -292,7 +292,7 @@ repos:
 | **FPR** (Benign random) | **7.5%** (15/200) | 200 random npm packages, stratified sampling |
 | **ADR** (Adversarial + Holdout) | **96.3%** (103/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
 
-**3134 tests** across 66 files. **200 rules** (195 RULES + 5 PARANOID).
+**3230 tests** across 66 files. **207 rules** (202 RULES + 5 PARANOID).
 
 > **ML retrain methodology (v2.10.51):**
 > - Ground truth: 377 confirmed_malicious via auto-labeler (OSSF malicious-packages, GitHub Advisory Database, npm registry takedown correlation)
@@ -340,7 +340,7 @@ npm test
 
 ### Testing
 
-- **3134 tests** across 66 modular test files
+- **3230 tests** across 66 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 67 real-world attacks (93.75% TPR@3, 85.9% TPR@20)
@@ -362,7 +362,7 @@ npm test
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
 - [Adversarial Evaluation](ADVERSARIAL.md) - Red team samples and ADR results
-- [Security Policy](SECURITY.md) - Detection rules reference (200 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (207 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.91",
+  "version": "2.10.93",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/monitor/classify.js

@@ -57,7 +57,13 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   'npm_token_steal',                       // exec("npm config get _authToken") (CanisterWorm findNpmTokens)
   'root_filesystem_wipe',                  // rm -rf / (CanisterWorm kamikaze.sh wiper T1485)
   'proc_mem_scan',                         // /proc/mem scanning (TeamPCP Trivy credential stealer)
-  'trusted_new_unknown_dependency'         // TRUSTED package added unknown/new (<7d) dependency (account takeover)
+  'trusted_new_unknown_dependency',        // TRUSTED package added unknown/new (<7d) dependency (account takeover)
+  // v2.10.89: Security review findings — always malicious regardless of lifecycle
+  'curl_env_exfil',                        // curl/wget + env/base64 in lifecycle (exfiltration)
+  'function_constructor_require',          // new Function.constructor("require") (RCE evasion)
+  'newsletter_auto_follow',                // Baileys WhatsApp newsletter hijack
+  // v2.10.93: Security review 2026-04-10→17 findings
+  'self_destruct_eval'                     // dynamic exec + unlink __filename (csec anti-forensics)
 ]);
 
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/response/playbooks.js

@@ -881,6 +881,11 @@ const PLAYBOOKS = {
   lifecycle_env_exfil:
     'CRITIQUE: Lifecycle hook + exfiltration env via curl/wget a l\'installation. ' +
     'Machine compromise si deja installe. Rotation immediate de TOUS les secrets.',
+
+  self_destruct_eval:
+    'CRITIQUE: Execution dynamique de code (eval/new Function/Module._compile) + auto-suppression du fichier execute (unlinkSync/renameSync sur __filename). ' +
+    'Pattern anti-forensique professionnel: le malware execute son payload obfusque puis efface ses traces. Campagne csec-crypto-toolkit (avril 2026) exfiltre .env, GITHUB_TOKEN, NPM_TOKEN, AWS/SSH keys vers csec-supply-chain-attack.vercel.app, puis unlinkSync(__filename). ' +
+    'Machine compromise si deja installe. Rotation immediate de TOUS les secrets (.env, tokens CI/CD, cles SSH). Verifier les .env des repertoires parents jusqu\'a 6 niveaux. Supprimer le package.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -2264,6 +2264,18 @@ const RULES = {
     ],
     mitre: 'T1496'
   },
+  self_destruct_eval: {
+    id: 'MUADDIB-AST-089',
+    name: 'Self-Destructing Dynamic Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Execution dynamique de code (eval/new Function/Module._compile) combinee a la suppression ou renommage du fichier en cours d\'execution (unlinkSync/rmSync/renameSync sur __filename, module.filename, ou require.main.filename). Anti-forensics: le malware execute son payload obfusque puis efface ses traces. Aucun package legitime ne detruit son propre source apres execution de code dynamique. Campagne csec-crypto-toolkit (avril 2026): XOR(OrDeR_7077)+base64+new Function, exfiltre .env/.ssh/.npmrc vers csec-supply-chain-attack.vercel.app, puis unlinkSync(__filename).',
+    references: [
+      'https://attack.mitre.org/techniques/T1070.004/',
+      'https://attack.mitre.org/techniques/T1140/'
+    ],
+    mitre: 'T1070.004'
+  },
   version_99_preinstall: {
     id: 'MUADDIB-PKG-019',
     name: 'Dependency Confusion Version Indicator',

package/src/scanner/ast-detectors/constants.js

@@ -144,7 +144,12 @@ const GIT_HOOKS = [
 
 // Suspicious C2/exfiltration domains (HIGH severity)
 const SUSPICIOUS_DOMAINS_HIGH = [
+  // OAST (Out-of-band Application Security Testing) callback domains.
+  // Legitimate only for authorized pentesting — in published npm packages,
+  // these are always reconnaissance/exfiltration callbacks (dependency confusion, SSRF confirmation).
   'oastify.com', 'oast.fun', 'oast.me', 'oast.live',
+  'oast.online', 'oast.pro',
+  'interact.sh', 'projectdiscovery.io',
   'burpcollaborator.net', 'webhook.site', 'pipedream.net',
   'requestbin.com', 'hookbin.com', 'canarytokens.com',
   // GlassWorm C2 IPs (mars 2026)
@@ -167,7 +172,11 @@ const SUSPICIOUS_DOMAINS_HIGH = [
   'minhdong.site',                                 // Facebook credential proxy (fca-mmtat)
   'ltidi.storage.googleapis.com',                  // KuCoin dependency confusion payload
   'jsonkeeper.com',                                // Robert King campaign C2 dead drop
-  'npoint.io'                                      // Robert King campaign C2 dead drop
+  'npoint.io',                                     // Robert King campaign C2 dead drop
+  // v2.10.93: Security review 2026-04-10→17 findings
+  'csec-supply-chain-attack.vercel.app',           // csec-crypto-toolkit credential stealer C2 (XOR+Function+unlink)
+  'files.giftedtech.co.ke',                        // silva-baileys V3 newsletter JID remote loader
+  'phish.sh'                                       // JET/SkipTheDishes depconf webhook exfil
 ];
 
 // Suspicious tunnel/proxy domains (MEDIUM severity)

package/src/scanner/ast-detectors/handle-post-walk.js

@@ -23,6 +23,26 @@ function handlePostWalk(ctx) {
     });
   }
 
+  // v2.10.93: csec-style credential stealer — dynamic exec + self-deletion of __filename.
+  // csec-crypto-toolkit (avril 2026): XOR-obfuscated setup.js that exfiltrates
+  // .env/.ssh/.npmrc to csec-supply-chain-attack.vercel.app, then unlinks itself
+  // and replaces package.json with package.md to erase traces.
+  // Threat model: the combination of (a) dynamic code execution from a variable
+  // (eval/new Function/Module._compile) with (b) self-deletion of the currently
+  // executing file is a professional anti-forensics signature. Legitimate packages
+  // do not destroy their own source after executing obfuscated code.
+  // Suppressed in dist/build to avoid bundler self-cleanup FPs (rare but possible).
+  if (ctx.hasDynamicExec && ctx.hasSelfDelete) {
+    const isDistFile = /^(dist|build|out|output)[/\\]/i.test(ctx.relFile) ||
+                       /\.(bundle|min)\.js$/i.test(ctx.relFile);
+    ctx.threats.push({
+      type: 'self_destruct_eval',
+      severity: isDistFile ? 'HIGH' : 'CRITICAL',
+      message: 'Anti-forensics: dynamic code execution (eval/new Function/Module._compile) + self-deletion of __filename — malware staging with trace removal (csec pattern).',
+      file: ctx.relFile
+    });
+  }
+
   // SANDWORM_MODE R7: env harvesting = Object.entries/keys/values(process.env) + sensitive pattern in file
   if (ctx.hasEnvEnumeration && ctx.hasEnvHarvestPattern && ctx.hasNetworkCallInFile) {
     ctx.threats.push({

package/src/scanner/ast.js

@@ -140,6 +140,10 @@ function analyzeFile(content, filePath, basePath) {
     hasTempFileExec: false,
     hasFileDelete: false,
     hasDevShmInContent: /\/dev\/shm\b/.test(content),
+    // v2.10.93: csec-style self-deletion — unlink/rename of __filename targets the
+    // executing file itself. Distinct from hasFileDelete (any file). Combined with
+    // hasDynamicExec in a compound to flag anti-forensics obfuscated stealers.
+    hasSelfDelete: /\b(?:unlinkSync|unlink|rmSync|renameSync|rm)\s*\(\s*(?:__filename|module\.filename|require\.main\.filename)\b/.test(content),
     // SANDWORM_MODE P2: env harvesting co-occurrence
     hasEnvEnumeration: false,  // Object.entries/keys/values(process.env)
     hasEnvHarvestPattern: /\b(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|NPM|AWS|SSH|WEBHOOK)\b/.test(content),

package/src/scanner/package.js

@@ -324,11 +324,41 @@ async function scanPackageJson(targetPath) {
         /\/\/192\.168\.\d{1,3}\.\d{1,3}[:/]/,
         /\/\/172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}[:/]/
       ].some(p => p.test(urlLower));
+
+      // v2.10.93: External raw tarball URL as dep — ltidi chain attack pattern.
+      // GitHub/GitLab/Bitbucket release tarballs are legitimate; everything else
+      // pointing to .tgz/.tar.gz/.zip is payload delivery via third-party storage
+      // (GCS, S3, CDNs). The stub package bypasses all lifecycle/obfuscation scanners
+      // because the malicious code lives in the external tarball fetched at install.
+      const isTarballUrl = /\.(tgz|tar\.gz|tar\.bz2|zip)(\?|#|$)/.test(urlLower);
+      const isLegitTarballHost = [
+        /\/\/github\.com\//,
+        /\/\/codeload\.github\.com\//,
+        /\/\/objects\.githubusercontent\.com\//,
+        /\/\/gitlab\.com\//,
+        /\/\/bitbucket\.org\//,
+        /\/\/registry\.npmjs\.org\//,
+        /\/\/registry\.yarnpkg\.com\//
+      ].some(p => p.test(urlLower));
+      const isExternalTarball = isTarballUrl && !isLegitTarballHost;
+
+      let severity;
+      let note;
+      if (isSuspicious) {
+        severity = 'CRITICAL';
+        note = ' (tunnel/private/localhost)';
+      } else if (isExternalTarball) {
+        severity = 'CRITICAL';
+        note = ' (external raw tarball on third-party host — chain attack pattern, npm registry audit bypass)';
+      } else {
+        severity = 'HIGH';
+        note = ' (unusual, verify source)';
+      }
+
       threats.push({
         type: 'dependency_url_suspicious',
-        severity: isSuspicious ? 'CRITICAL' : 'HIGH',
-        message: `Dependency "${depName}" uses HTTP URL: ${depVersion}` +
-          (isSuspicious ? ' (tunnel/private/localhost)' : ' (unusual, verify source)'),
+        severity,
+        message: `Dependency "${depName}" uses HTTP URL: ${depVersion}${note}`,
         file: 'package.json'
       });
     }

package/src/scoring.js

@@ -253,6 +253,7 @@ const DIST_EXEMPT_TYPES = new Set([
   'npm_publish_worm',         // exec("npm publish") (worm propagation)
   'curl_env_exfil',           // curl/wget env exfil in lifecycle (always malicious)
   'function_constructor_require', // new Function.constructor("require") (always malicious)
+  'self_destruct_eval',       // dynamic exec + unlink __filename (csec anti-forensics)
   // Dangerous shell commands in dist/ are real threats, never bundler output
   'dangerous_exec',
   // Compound scoring rules — co-occurrence signals, never FP
@@ -966,7 +967,11 @@ function calculateRiskScore(deduped, intentResult) {
   );
   const _hasHC = deduped.some(t => HIGH_CONFIDENCE_MALICE_TYPES.has(t.type));
   const _hasCompound = deduped.some(t => t.compound === true);
-  if (!_hasLifecycle && !_hasHC && !_hasCompound) {
+  // v2.10.89: staged_payload + suspicious_domain(HIGH) = confirmed C2 eval, bypass MT-1 cap
+  // json-spacer, reactvora: eval(data.content) from jsonkeeper.com is always malicious
+  const _hasStagedC2 = deduped.some(t => t.type === 'staged_payload') &&
+    deduped.some(t => t.type === 'suspicious_domain' && t.severity === 'HIGH');
+  if (!_hasLifecycle && !_hasHC && !_hasCompound && !_hasStagedC2) {
     riskScore = Math.min(riskScore, 35);
   }