muaddib-scanner 2.11.115 → 2.11.117

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.115",
+  "version": "2.11.117",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.115.json → self-scan-v2.11.117.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-14T16:22:45.950Z",
+  "timestamp": "2026-06-14T18:18:10.262Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/scanner/ast.js

@@ -17,6 +17,13 @@ const {
 // Check if credential keywords appear INSIDE regex literals or new RegExp() patterns.
 // Only true when the keyword is part of the regex pattern itself, not just a string elsewhere in the file.
 const CREDENTIAL_REGEX_KEYWORDS = /bearer|password|secret|token|credential|api.?key/i;
+// axios call shapes — a network call the legacy regexes miss (caught only by ioc_string_match).
+// Covers BOTH the identifier form (axios(...) / axios.get|post|...(...)) and the inline-require
+// form (require('axios').get(...) — the chalk-pro/jsonkeeper staged-loader shape). Call-shaped
+// only, so it never matches a bare `require('axios')` import, `import axios`, `myaxios.get`, or
+// `axios` in a comment/string. Bare instance-var calls (const c = axios.create(); c.get()) are a
+// known follow-up gap; the create() verb catches the create site itself.
+const AXIOS_NETWORK_CALL_RE = /(?:\baxios|require\s*\(\s*['"]axios['"]\s*\))\s*(?:\(|\.\s*(?:get|post|put|patch|delete|request|head|options|create)\s*\()/;
 function hasCredentialInsideRegex(content) {
   // Check regex literals: /...pattern.../flags
   const regexLiteralRe = /\/(?!\*)(?:[^/\\]|\\.)+\/[gimsuy]*/g;
@@ -172,9 +179,9 @@ function analyzeFile(content, filePath, basePath) {
     // SANDWORM_MODE P2: env harvesting co-occurrence
     hasEnvEnumeration: false,  // Object.entries/keys/values(process.env)
     hasEnvHarvestPattern: /\b(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|NPM|AWS|SSH|WEBHOOK)\b/.test(content),
-    hasNetworkCallInFile: /\b(fetch|https?\.request|https?\.get|dns\.resolve)\b/.test(content),
-    // C5: Non-fetch network calls indicate independent network channel (NOT WASM loading)
-    hasNonFetchNetworkCall: /\bhttps?\.request\b|\bhttps?\.get\b|\bdns\.resolve\b/.test(content),
+    hasNetworkCallInFile: /\b(fetch|https?\.request|https?\.get|dns\.resolve)\b/.test(content) || AXIOS_NETWORK_CALL_RE.test(content),
+    // C5: Non-fetch network calls indicate independent network channel (NOT WASM loading). axios is non-fetch.
+    hasNonFetchNetworkCall: /\bhttps?\.request\b|\bhttps?\.get\b|\bdns\.resolve\b/.test(content) || AXIOS_NETWORK_CALL_RE.test(content),
     // Credential regex harvesting: regex literals or new RegExp() whose PATTERN contains credential keywords
     // Must check that the keyword is inside the regex, not just anywhere in the file
     hasCredentialRegex: hasCredentialInsideRegex(content),
@@ -197,7 +204,7 @@ function analyzeFile(content, filePath, basePath) {
     gitHooksPathVars: new Map(),
     ideConfigPathVars: new Map(),
     // Wave 4: compound detection — fetch + decrypt + eval chain
-    hasRemoteFetch: /\bhttps?\.(get|request)\b/.test(content) || /\bfetch\s*\(/.test(content),
+    hasRemoteFetch: /\bhttps?\.(get|request)\b/.test(content) || /\bfetch\s*\(/.test(content) || AXIOS_NETWORK_CALL_RE.test(content),
     // Safe domain exclusion: if ALL URLs in file are from known registries, suppress download_exec_binary
     fetchOnlySafeDomains: false, // computed below after URL extraction
     hasCryptoDecipher: /\bcreateDecipher(iv)?\s*\(/.test(content),

package/src/scanner/dataflow.js

@@ -1149,58 +1149,10 @@ function isCredentialPath(arg, sensitivePathVars) {
   return false;
 }
 
-// System identity env vars used for fingerprinting/exfiltration
-const SYSTEM_IDENTITY_ENVS = new Set([
-  'USER', 'USERNAME', 'LOGNAME', 'HOME', 'HOSTNAME',
-  'USERPROFILE', 'COMPUTERNAME', 'WHOAMI'
-]);
-
-// Env var prefixes for tool-internal configuration (not external credentials)
-const SAFE_ENV_PREFIXES = ['MUADDIB_', 'npm_config_', 'npm_lifecycle_', 'npm_package_'];
-
-// P6: Node.js runtime config env vars that are not credentials.
-// NODE_TLS_REJECT_UNAUTHORIZED matches "AUTH" in "UNAUTHORIZED" → false positive.
-// Real credential exfiltration targets API_KEY, TOKEN, SECRET, PASSWORD.
-const DATAFLOW_SAFE_ENV_VARS = new Set([
-  'NODE_TLS_REJECT_UNAUTHORIZED', 'NODE_OPTIONS', 'NODE_EXTRA_CA_CERTS',
-  'NODE_ENV', 'NODE_PATH', 'NODE_DEBUG',
-  'DEBUG', 'CI', 'HTTPS_PROXY', 'HTTP_PROXY', 'NO_PROXY',
-  'LANG', 'TZ', 'PORT', 'HOST'
-  // Note: HOME, USER, HOSTNAME stay sensitive — fingerprint exfiltration detection.
-]);
-
-function isSensitiveEnv(name) {
-  const upper = name.toUpperCase();
-  if (DATAFLOW_SAFE_ENV_VARS.has(upper)) return false;
-  if (SYSTEM_IDENTITY_ENVS.has(upper)) return true;
-  if (SAFE_ENV_PREFIXES.some(p => upper.startsWith(p))) return false;
-  const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'AWS', 'AZURE', 'GCP'];
-  return sensitive.some(s => upper.includes(s));
-}
-
-// Audit 2026-05 DF-C4: credential-tier env vars distinguished from generic env_read.
-// These represent authentication material (NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY,
-// STRIPE_API_KEY etc.) — strictly narrower than isSensitiveEnv. Sources of this type
-// participate in hasHighRiskSource so credential exfil patterns are NOT downgraded by the
-// HIGH→MEDIUM graduation. System identity vars (HOME, USER) remain plain env_read since
-// they are fingerprinting signals, not credentials.
-const KNOWN_CREDENTIAL_ENV_VARS = new Set([
-  'NPM_TOKEN', 'GITHUB_TOKEN', 'GH_TOKEN', 'NODE_AUTH_TOKEN',
-  'CIRCLE_TOKEN', 'GITLAB_TOKEN', 'CARGO_REGISTRY_TOKEN', 'PYPI_TOKEN',
-  'GOOGLE_APPLICATION_CREDENTIALS', 'AZURE_CLIENT_SECRET',
-  'SENTRY_AUTH_TOKEN', 'NPM_AUTH_TOKEN', 'NPM_CONFIG_AUTHTOKEN'
-]);
-
-const CREDENTIAL_ENV_SUFFIX_RE = /(?:^|_)(?:TOKEN|SECRET|PASSWORD|PASSPHRASE|CREDENTIAL|CREDENTIALS|API_KEY|ACCESS_KEY|ACCESS_KEY_ID|SECRET_KEY|PRIVATE_KEY|SIGNING_KEY|SESSION_TOKEN|REFRESH_TOKEN|AUTH_TOKEN)$/;
-
-function isCredentialEnv(name) {
-  const upper = name.toUpperCase();
-  // System identity vars are fingerprinting, not credentials
-  if (SYSTEM_IDENTITY_ENVS.has(upper)) return false;
-  // Public keys are not credentials (e.g., SSH_PUBLIC_KEY, GPG_PUBLIC_KEY)
-  if (upper.includes('PUBLIC_KEY') || upper.includes('PUBKEY')) return false;
-  if (KNOWN_CREDENTIAL_ENV_VARS.has(upper)) return true;
-  return CREDENTIAL_ENV_SUFFIX_RE.test(upper);
-}
+// Env-var credential classification (isSensitiveEnv / isCredentialEnv + their sets) was
+// extracted to a shared leaf module so the module-graph cross-file taint can apply the EXACT
+// same credential-vs-config distinction (it previously tainted any process.env read). Imported
+// at module load → in scope for the analyzeDataFlow call sites above. Behavior unchanged here.
+const { isSensitiveEnv, isCredentialEnv } = require('./env-var-classification.js');
 
 module.exports = { analyzeDataFlow };

package/src/scanner/env-var-classification.js

@@ -0,0 +1,75 @@
+'use strict';
+
+// Environment-variable credential classification (shared leaf module).
+// Extracted verbatim from dataflow.js so the SAME credential-vs-config distinction can
+// gate every taint source — dataflow (scanner/dataflow.js) AND the module-graph cross-file
+// taint (scanner/module-graph/annotate-tainted.js), which previously tainted ANY process.env
+// read indiscriminately (config vars like STORYBOARD_SERVER_URL → false credential_exfil).
+// No project dependencies → safe to require from any scanner, no cycles.
+
+// System identity env vars used for fingerprinting/exfiltration
+const SYSTEM_IDENTITY_ENVS = new Set([
+  'USER', 'USERNAME', 'LOGNAME', 'HOME', 'HOSTNAME',
+  'USERPROFILE', 'COMPUTERNAME', 'WHOAMI'
+]);
+
+// Env var prefixes for tool-internal configuration (not external credentials)
+const SAFE_ENV_PREFIXES = ['MUADDIB_', 'npm_config_', 'npm_lifecycle_', 'npm_package_'];
+
+// P6: Node.js runtime config env vars that are not credentials.
+// NODE_TLS_REJECT_UNAUTHORIZED matches "AUTH" in "UNAUTHORIZED" → false positive.
+// Real credential exfiltration targets API_KEY, TOKEN, SECRET, PASSWORD.
+const DATAFLOW_SAFE_ENV_VARS = new Set([
+  'NODE_TLS_REJECT_UNAUTHORIZED', 'NODE_OPTIONS', 'NODE_EXTRA_CA_CERTS',
+  'NODE_ENV', 'NODE_PATH', 'NODE_DEBUG',
+  'DEBUG', 'CI', 'HTTPS_PROXY', 'HTTP_PROXY', 'NO_PROXY',
+  'LANG', 'TZ', 'PORT', 'HOST'
+  // Note: HOME, USER, HOSTNAME stay sensitive — fingerprint exfiltration detection.
+]);
+
+// True when an env var name is a sensitive source (credential material OR system-identity
+// fingerprinting). Config vars (URL/HOST/PORT/NODE_ENV/proxy/...) return false. This is the
+// classification module-graph cross-file taint now shares (it formerly tainted every read).
+function isSensitiveEnv(name) {
+  const upper = name.toUpperCase();
+  if (DATAFLOW_SAFE_ENV_VARS.has(upper)) return false;
+  if (SYSTEM_IDENTITY_ENVS.has(upper)) return true;
+  if (SAFE_ENV_PREFIXES.some(p => upper.startsWith(p))) return false;
+  const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'AWS', 'AZURE', 'GCP'];
+  return sensitive.some(s => upper.includes(s));
+}
+
+// Audit 2026-05 DF-C4: credential-tier env vars distinguished from generic env_read.
+// These represent authentication material (NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY,
+// STRIPE_API_KEY etc.) — strictly narrower than isSensitiveEnv. Sources of this type
+// participate in hasHighRiskSource so credential exfil patterns are NOT downgraded by the
+// HIGH→MEDIUM graduation. System identity vars (HOME, USER) remain plain env_read since
+// they are fingerprinting signals, not credentials.
+const KNOWN_CREDENTIAL_ENV_VARS = new Set([
+  'NPM_TOKEN', 'GITHUB_TOKEN', 'GH_TOKEN', 'NODE_AUTH_TOKEN',
+  'CIRCLE_TOKEN', 'GITLAB_TOKEN', 'CARGO_REGISTRY_TOKEN', 'PYPI_TOKEN',
+  'GOOGLE_APPLICATION_CREDENTIALS', 'AZURE_CLIENT_SECRET',
+  'SENTRY_AUTH_TOKEN', 'NPM_AUTH_TOKEN', 'NPM_CONFIG_AUTHTOKEN'
+]);
+
+const CREDENTIAL_ENV_SUFFIX_RE = /(?:^|_)(?:TOKEN|SECRET|PASSWORD|PASSPHRASE|CREDENTIAL|CREDENTIALS|API_KEY|ACCESS_KEY|ACCESS_KEY_ID|SECRET_KEY|PRIVATE_KEY|SIGNING_KEY|SESSION_TOKEN|REFRESH_TOKEN|AUTH_TOKEN)$/;
+
+function isCredentialEnv(name) {
+  const upper = name.toUpperCase();
+  // System identity vars are fingerprinting, not credentials
+  if (SYSTEM_IDENTITY_ENVS.has(upper)) return false;
+  // Public keys are not credentials (e.g., SSH_PUBLIC_KEY, GPG_PUBLIC_KEY)
+  if (upper.includes('PUBLIC_KEY') || upper.includes('PUBKEY')) return false;
+  if (KNOWN_CREDENTIAL_ENV_VARS.has(upper)) return true;
+  return CREDENTIAL_ENV_SUFFIX_RE.test(upper);
+}
+
+module.exports = {
+  SYSTEM_IDENTITY_ENVS,
+  SAFE_ENV_PREFIXES,
+  DATAFLOW_SAFE_ENV_VARS,
+  KNOWN_CREDENTIAL_ENV_VARS,
+  CREDENTIAL_ENV_SUFFIX_RE,
+  isSensitiveEnv,
+  isCredentialEnv,
+};

package/src/scanner/module-graph/annotate-tainted.js

@@ -2,6 +2,7 @@
 
 const path = require('path');
 const { SENSITIVE_MODULES } = require('./constants.js');
+const { isSensitiveEnv } = require('../env-var-classification.js');
 const {
   parseFile, walkAST, isRequireCall, isModuleExportsAssign,
   getExportName, getFunctionBody, getMemberChain, extractLiteralArg
@@ -272,6 +273,11 @@ function checkNodeTaint(node, moduleVars) {
     const chain = getMemberChain(node);
     if (chain.startsWith('process.env')) {
       const detail = chain.length > 'process.env'.length ? chain.slice('process.env.'.length) : '';
+      // Source-precision (segment A): a SPECIFIC non-credential config var (URL/HOST/PORT/
+      // NODE_ENV/...) is not a credential taint source — consistent with dataflow.js's
+      // isSensitiveEnv (DF-C4). Whole-object `process.env` (detail '') stays tainted: an env
+      // dump exfiltrates every secret. System-identity vars (HOME/USER) stay tainted too.
+      if (detail && !isSensitiveEnv(detail)) return null;
       return { source: 'process.env', detail };
     }
   }
@@ -332,9 +338,21 @@ function scanBodyForTaint(body, moduleVars, taintedVars) {
   // Collect local tainted vars within this function scope too
   const localTainted = Object.assign(Object.create(null), taintedVars);
 
+  // A `process.env.X` read is matched as a unit by checkNodeTaint (gated on isSensitiveEnv).
+  // Record the inner bare `process.env` node of each so the pre-order walker does not RE-match
+  // it standalone (detail '' = whole-env dump), which would defeat the per-var gate for config
+  // vars. A genuinely standalone `process.env` (a different node) still taints as a dump.
+  const innerEnvNodes = new WeakSet();
+
   let found = null;
   walkAST({ type: 'Program', body }, (node) => {
     if (found) return;
+    if (innerEnvNodes.has(node)) return;
+
+    if (node.type === 'MemberExpression' && node.object &&
+        node.object.type === 'MemberExpression' && getMemberChain(node.object) === 'process.env') {
+      innerEnvNodes.add(node.object);
+    }
 
     // Variable assignment inside function
     if (node.type === 'VariableDeclaration') {

package/src/scanner/module-graph/constants.js

@@ -18,11 +18,15 @@ const ACORN_OPTIONS = {
 };
 
 // --- Sink patterns for cross-file detection ---
-const SINK_CALLEE_NAMES = new Set(['fetch', 'eval', 'Function', 'WebSocket', 'XMLHttpRequest']);
+const SINK_CALLEE_NAMES = new Set(['fetch', 'eval', 'Function', 'WebSocket', 'XMLHttpRequest', 'axios']);
 const SINK_MEMBER_METHODS = new Set([
   'https.request', 'https.get', 'http.request', 'http.get',
   'child_process.exec', 'child_process.execSync', 'child_process.spawn',
   'dns.resolveTxt', 'dns.resolve', 'dns.resolve4', 'dns.resolve6',
+  // axios as a cross-file network sink (axios.get(taintedData) etc.). Instance form
+  // (const c = axios.create(); c.get(...)) is NOT added to SINK_INSTANCE_METHODS — that
+  // would match every .get/.post receiver and explode FPs; it's a known follow-up gap.
+  'axios.get', 'axios.post', 'axios.put', 'axios.patch', 'axios.delete', 'axios.request',
 ]);
 const SINK_INSTANCE_METHODS = new Set(['connect', 'write', 'send']);
 

package/src/scanner/typosquat.js

@@ -73,6 +73,23 @@ const LEGIT_BOUNDARY_TOKENS = new Set([
   'v2', 'v3', 'v4', 'next', 'latest', 'stable', 'lts', 'legacy', 'beta', 'alpha'
 ]);
 
+// RT-C1-FPR (2026-06, n=61 blind adjudication → boundary-squat measured 100% FP): popular
+// packages whose names are GENERIC tech/English words appear as a legitimate TRAILING token
+// in countless real packages — class-validator, graphile-config, ansi-colors, sinon-chai,
+// react-helmet-async, swagger-ui-express, short-uuid, react-router-redux, openapi-typescript,
+// tree-sitter-c-sharp, agent-commander. Suffix boundary-squat on these is unreliable, so they
+// are NOT matched. Distinctive brand names (axios, lodash, chalk, crypto-js — incl. the
+// plain-crypto-js / secure-axios FN-guards) stay matchable. A genuine `<x>-<generic>` squat is
+// caught by its CODE (exfil/RCE + the Track-R malice floor), not by name shape (see below).
+const GENERIC_POPULAR_NAMES = new Set([
+  'validator', 'config', 'colors', 'async', 'chai', 'typescript', 'request', 'uuid',
+  'redux', 'express', 'sharp', 'commander', 'debug', 'glob', 'yaml', 'cors', 'helmet',
+  'canvas', 'immutable', 'classnames',
+  // Infra/framework brands that are also common legit trailing tokens (rate-limit-redis,
+  // connect-redis, shadcn-svelte, authentikt-svelte) — same measured-FP class, same FN floor.
+  'redis', 'svelte',
+]);
+
 // Packages legitimes courts ou qui ressemblent a des populaires
 const WHITELIST = new Set([
   // Packages tres courts legitimes
@@ -456,14 +473,13 @@ function findDependencyBoundarySquat(name) {
     if (lower === popular) continue;
 
     if (popular.includes('-')) {
-      // Multi-token popular (e.g. crypto-js): match prefix or suffix at hyphen boundary
-      let extra = null;
-      if (lower.endsWith('-' + popular)) {
-        extra = lower.slice(0, lower.length - popular.length - 1);
-      } else if (lower.startsWith(popular + '-')) {
-        extra = lower.slice(popular.length + 1);
-      }
-      if (extra === null || extra.length === 0) continue;
+      // Multi-token popular (e.g. crypto-js): a squat PREPENDS a deceptive qualifier
+      // (plain-crypto-js → endsWith). The reverse `<popular>-<suffix>` (date-fns-tz,
+      // aws-sdk-client-mock, core-js-compat) is the popular package's OWN ecosystem extension —
+      // never a squat — so the prefix-position match is dropped (2026-06 FPR fix, 100% FP).
+      if (!lower.endsWith('-' + popular)) continue;
+      const extra = lower.slice(0, lower.length - popular.length - 1);
+      if (extra.length === 0) continue;
       // Reject if extra is a legit boundary token (single token only)
       if (!extra.includes('-') && LEGIT_BOUNDARY_TOKENS.has(extra)) continue;
       return { original: POPULAR_PACKAGES[i], type: 'boundary_squat', distance: extra.length, extra };
@@ -480,6 +496,10 @@ function findDependencyBoundarySquat(name) {
       const tokens = lower.split('-');
       if (tokens.length === 1) continue;
       if (tokens[tokens.length - 1] !== popular) continue;     // popular must be the trailing token
+      // Generic-word popular (validator/config/colors/async/chai/typescript/...) is a common
+      // legitimate trailing token (class-validator, graphile-config, ansi-colors) — 100% FP in
+      // the 2026-06 measurement. Distinctive brands (axios → secure-axios FN-guard) still match.
+      if (GENERIC_POPULAR_NAMES.has(popular)) continue;
       const siblings = tokens.slice(0, -1);
       // Benign ecosystem variant if every prefix token is a legit qualifier (ts-jest, babel-jest).
       if (siblings.every(t => LEGIT_BOUNDARY_TOKENS.has(t) || isLegitimateVariant(t))) continue;