muaddib-scanner 2.11.120 → 2.11.121

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.120",
+  "version": "2.11.121",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.120.json → self-scan-v2.11.121.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-18T19:56:37.339Z",
+  "timestamp": "2026-06-19T09:42:28.283Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/response/playbooks.js

@@ -807,6 +807,13 @@ const PLAYBOOKS = {
     'Vecteur classique de dependency confusion: le code s\'execute a l\'installation. ' +
     'NE PAS installer. Verifier le nom exact du package. Signaler sur npm.',
 
+  lifecycle_version99:
+    'CRITIQUE: Version a major repdigit "win-semver" (99/999/9999) + hook lifecycle = ' +
+    'dependency confusion complete. La version elevee force npm a resoudre vers ce package ' +
+    'public au lieu du package interne prive, et le hook execute le payload a l\'installation. ' +
+    'NE PAS installer. Verifier si un package interne du meme nom existe. Regenerer les secrets ' +
+    'exposes. Signaler sur npm.',
+
   lifecycle_inline_exec:
     'CRITIQUE: Script lifecycle avec node -e (execution inline). Le code s\'execute automatiquement a npm install. ' +
     'NE PAS installer. Si deja installe: considerer la machine compromise. ' +

package/src/rules/index.js

@@ -2699,6 +2699,19 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  lifecycle_version99: {
+    id: 'MUADDIB-COMPOUND-018',
+    name: 'Lifecycle Hook + Dependency-Confusion Version',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Version a major repdigit "win-semver" (99/999/9999) AVEC hook lifecycle (preinstall/install/postinstall). Chaine complete de dependency confusion: la version elevee force la resolution npm vers le package public malveillant au lieu du package interne prive, et le hook execute le payload a l\'installation. Compound: version_99_preinstall + lifecycle_script (gate-FPR-test 2026-06-19: 0/3901 FP).',
+    references: [
+      'https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610',
+      'https://attack.mitre.org/techniques/T1195.002/'
+    ],
+    mitre: 'T1195.002'
+  },
   lifecycle_inline_exec: {
     id: 'MUADDIB-COMPOUND-004',
     name: 'Lifecycle Hook + Inline Node Execution',

package/src/scanner/package.js

@@ -165,17 +165,24 @@ async function scanPackageJson(targetPath) {
     }
   }
 
-  // v2.10.89: Dependency confusion indicator — version >= 99 with install hooks
+  // v2.10.89: Dependency confusion indicator — repdigit "win-semver" major with install hooks.
   // Catches: @corpweb-ui/wmkt-library, @toprank/partner, @adac-fahrzeugplattform/ui
+  // v2.11.118 (2026-06-19, gate-FPR-test on the GHSA-2026 miss corpus): tightened from a
+  // plain `major >= 99` to the repdigit set {99, 999, 9999}. `>= 99` also fired on calendar
+  // versions (2026.x — 51 in the FP corpus) and legit high-version packages (chromedriver@148,
+  // taskcluster@100, @jetbrains/junie@1966, salt@3008) — masked only because the lone signal
+  // stayed HIGH (<20). Restricting to repdigit majors keeps 27/27 corpus dep-conf MALWARE at
+  // ZERO benign hits, and unblocks the lifecycle_version99 compound below (which would
+  // otherwise inherit the calendar FPs once escalated to CRITICAL).
   const versionStr = pkg.version || '';
   const majorVersion = parseInt(versionStr.split('.')[0], 10);
-  if (majorVersion >= 99) {
+  if ([99, 999, 9999].includes(majorVersion)) {
     const hasInstallHook = ['preinstall', 'install', 'postinstall'].some(s => scripts[s]);
     if (hasInstallHook) {
       threats.push({
         type: 'version_99_preinstall',
         severity: 'HIGH',
-        message: `Version ${versionStr} (major >= 99) with lifecycle hook — dependency confusion attack pattern.`,
+        message: `Version ${versionStr} (repdigit win-semver major ${majorVersion}) with lifecycle hook — dependency confusion attack pattern.`,
         file: 'package.json'
       });
     }

package/src/scoring.js

@@ -536,6 +536,23 @@ const SCORING_COMPOUNDS = [
     message: 'Lifecycle hook on typosquat package — dependency confusion attack vector (scoring compound).',
     fileFrom: 'typosquat_detected'
   },
+  {
+    // 2026-06-19 detection-gap (GHSA-2026 misses): a repdigit "win-semver" version
+    // (version_99_preinstall: major 99/999/9999) + an install lifecycle hook is the full
+    // dependency-confusion RCE chain. version_99_preinstall alone is HIGH (10), below the
+    // 20 alert threshold, so these scored ~13 and were missed (e.g. @doaction/* @99.99.99).
+    // Gate-FPR-tested on the confirmed corpus: repdigit-major + lifecycle_script = 0/3901
+    // benign FP (the 3 repdigit-version FPs have no install hook), 22/42 GT MALWARE.
+    // Both signals are package.json-level (no sameFile / excludeIfBundled needed).
+    // requireOriginalSeverityHigh anchors on version_99_preinstall (HIGH) so a lone
+    // lifecycle_script (MEDIUM, fires on every install hook) can never trip this alone.
+    type: 'lifecycle_version99',
+    requires: ['version_99_preinstall', 'lifecycle_script'],
+    severity: 'CRITICAL',
+    message: 'Dependency-confusion version (repdigit major 99/999/9999) + install lifecycle hook — install-time RCE via dependency confusion (scoring compound).',
+    fileFrom: 'version_99_preinstall',
+    requireOriginalSeverityHigh: true
+  },
   {
     // RT-C1: Boundary-squat dep declared AND require()d in code → CRITICAL.
     // Pattern Axios UNC1069 (March 2026): wrapper looks benign, payload is in the dep.