npm - muaddib-scanner - Versions diffs - 2.11.13 → 2.11.14 - Mend

muaddib-scanner 2.11.13 → 2.11.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/package.json +1 -1
package/src/monitor/classify.js +3 -1
package/src/response/playbooks.js +17 -0
package/src/rules/confidence-tiers.js +3 -1
package/src/rules/index.js +36 -0
package/src/scanner/ai-config.js +111 -1
package/src/scanner/ast.js +17 -0
package/src/scanner/github-actions.js +12 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.13",
+  "version": "2.11.14",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/monitor/classify.js CHANGED Viewed

@@ -71,7 +71,9 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   // String.fromCharCode() to evade static analysis. Structurally unique to malware —
   // no legitimate code reconstructs env var names from character codes. Bypasses MT-1
   // cap since the attack uses optionalDependencies + prepare hook (no direct lifecycle).
-  'env_charcode_reconstruction'            // fromCharCode + process.env[computed] (TeamPCP credential stealer)
+  'env_charcode_reconstruction',           // fromCharCode + process.env[computed] (TeamPCP credential stealer)
+  'ide_hook_autoexec',                     // .claude/settings.json SessionStart hook, .vscode/tasks.json folderOpen (Shai-Hulud)
+  'workflow_secrets_dump'                  // toJSON(secrets) in GitHub Actions workflow (Shai-Hulud)
 ]);
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/response/playbooks.js CHANGED Viewed

@@ -224,6 +224,11 @@ const PLAYBOOKS = {
   workflow_pwn_request:
     'CRITIQUE: Pwn request detecte — pull_request_target avec checkout du head de la PR permet l\'execution de code arbitraire. Remplacer par pull_request ou utiliser une strategie de checkout securisee (base ref uniquement).',
+  workflow_secrets_dump:
+    'CRITIQUE: Workflow GitHub Actions utilise toJSON(secrets) pour dumper tous les secrets du repository. ' +
+    'Technique Shai-Hulud (TeamPCP). Supprimer le workflow immediatement. ' +
+    'Si le workflow a ete execute, considerer tous les secrets du repository compromis et les regenerer.',
   sandbox_sensitive_file_read:
     'CRITIQUE: Package lit des fichiers sensibles (credentials) lors de l\'installation. Ne pas installer. Supprimer immediatement.',
   sandbox_sensitive_file_write:
@@ -374,6 +379,13 @@ const PLAYBOOKS = {
     'NE PAS ouvrir ce projet avec un agent IA. Supprimer les fichiers de config compromis. ' +
     'Si deja ouvert avec un agent IA, considerer la machine compromise. Regenerer tous les secrets.',
+  ide_hook_autoexec:
+    'CRITIQUE: Fichier de configuration IDE avec hooks d\'auto-execution detecte. ' +
+    'NE PAS ouvrir ce projet dans un IDE ou agent IA. Le fichier execute du code ' +
+    'automatiquement a l\'ouverture du projet (SessionStart, folderOpen). ' +
+    'Technique Shai-Hulud (TeamPCP). Supprimer les fichiers .claude/settings.json ' +
+    'et .vscode/tasks.json avant ouverture.',
   ai_agent_abuse:
     'CRITIQUE: Un agent IA (Claude, Gemini, Q) est invoque avec des flags de bypass de securite ' +
     '(--dangerously-skip-permissions, --yolo, --trust-all-tools). Technique s1ngularity/Nx. ' +
@@ -728,6 +740,11 @@ const PLAYBOOKS = {
     'Pattern kamikaze.sh du wiper CanisterWorm ciblant les systemes Iran (Asia/Tehran). ' +
     'NE PAS executer. Isoler immediatement. Signaler comme destructware.',
+  geo_evasion_killswitch:
+    'Code verifie la locale systeme pour "ru" et fait process.exit — technique CIS kill switch ' +
+    'classique de malware (TeamPCP, Lazarus) pour eviter de cibler les systemes russophones. ' +
+    'Signal fort en combinaison avec d\'autres indicateurs. Analyser le code complet du package.',
   proc_mem_scan:
     'CRITIQUE: Acces a /proc/*/mem — extraction de secrets depuis la memoire des processus. ' +
     'Technique TeamPCP credential stealer dans Trivy v0.69.4. ' +

package/src/rules/confidence-tiers.js CHANGED Viewed

@@ -100,7 +100,9 @@ const HIGH_TIER_EXTRA = new Set([
   'anti_forensic_xor_autodelete',
   'detached_credential_exfil',
   // Workflow injection
-  'workflow_write'
+  'workflow_write',
+  // Geo-evasion (locale check + country code + exit = compound evidence)
+  'geo_evasion_killswitch'
 ]);
 // Heuristic / count-based / weak-signal types. Always low tier regardless

package/src/rules/index.js CHANGED Viewed

@@ -705,6 +705,18 @@ const RULES = {
     ],
     mitre: 'T1059'
   },
+  ide_hook_autoexec: {
+    id: 'MUADDIB-AICONF-003',
+    name: 'IDE Hook Auto-Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Fichier de configuration IDE (.claude/settings.json, .vscode/tasks.json, .kiro/settings/mcp.json) contient des hooks qui executent du code automatiquement a l\'ouverture du projet. Technique Shai-Hulud (TeamPCP, mai 2026).',
+    references: [
+      'https://github.com/g00dfe11ow/Shai-Hulud-Open-Source',
+      'https://www.wiz.io/blog/mini-shai-hulud-supply-chain-sap-npm'
+    ],
+    mitre: 'T1546'
+  },
   require_cache_poison: {
     id: 'MUADDIB-AST-019',
@@ -975,6 +987,18 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  workflow_secrets_dump: {
+    id: 'MUADDIB-GHA-004',
+    name: 'GitHub Actions Secrets Dump',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Workflow utilise toJSON(secrets) pour exfiltrer tous les secrets du repository. Technique Shai-Hulud (TeamPCP, mai 2026).',
+    references: [
+      'https://github.com/g00dfe11ow/Shai-Hulud-Open-Source',
+      'https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions'
+    ],
+    mitre: 'T1552.001'
+  },
   // Sandbox detections
   sandbox_sensitive_file_read: {
@@ -2458,6 +2482,18 @@ const RULES = {
     ],
     mitre: 'T1059.007'
   },
+  geo_evasion_killswitch: {
+    id: 'MUADDIB-AST-091',
+    name: 'Geo-Evasion CIS Kill Switch',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Code verifie la locale systeme (Intl.DateTimeFormat, LC_ALL/LANG) pour "ru" et fait process.exit — technique CIS kill switch pour eviter de cibler les pays de l\'operateur. Pattern TeamPCP/Shai-Hulud.',
+    references: [
+      'https://github.com/g00dfe11ow/Shai-Hulud-Open-Source',
+      'https://attack.mitre.org/techniques/T1614/'
+    ],
+    mitre: 'T1614'
+  },
   external_tarball_dep: {
     id: 'MUADDIB-PKG-020',
     name: 'External Tarball Dependency URL',

package/src/scanner/ai-config.js CHANGED Viewed

@@ -19,7 +19,7 @@
 const fs = require('fs');
 const path = require('path');
-// AI agent config files to scan (relative to project root)
+// AI agent config files to scan for prompt injection (relative to project root)
 const AI_CONFIG_FILES = [
   '.cursorrules',
   '.cursorignore',
@@ -31,6 +31,17 @@ const AI_CONFIG_FILES = [
   '.github/copilot-setup-steps.yml'
 ];
+// IDE/agent config files to scan for auto-exec hooks (JSON, relative to project root)
+// These are distinct from AI_CONFIG_FILES: they contain machine-readable hooks
+// that execute code on project open, not human-readable prompt injection.
+// Technique: Shai-Hulud (TeamPCP, May 2026) — .claude/settings.json SessionStart hook.
+const IDE_HOOK_FILES = [
+  '.claude/settings.json',
+  '.claude/settings.local.json',
+  '.vscode/tasks.json',
+  '.kiro/settings/mcp.json'
+];
 // Dangerous shell command patterns in AI config files
 const SHELL_COMMAND_PATTERNS = [
   // Download and execute
@@ -104,6 +115,105 @@ function scanAIConfig(targetPath) {
     threats.push(...fileThreats);
   }
+  // Scan IDE hook files for auto-exec patterns (separate from prompt injection)
+  for (const hookFile of IDE_HOOK_FILES) {
+    const filePath = path.join(targetPath, hookFile);
+    if (!fs.existsSync(filePath)) continue;
+    let content;
+    try {
+      const stat = fs.statSync(filePath);
+      if (stat.size > 1024 * 1024) continue;
+      content = fs.readFileSync(filePath, 'utf8');
+    } catch {
+      continue;
+    }
+    const hookThreats = analyzeIDEHookFile(content, hookFile);
+    threats.push(...hookThreats);
+  }
+  return threats;
+}
+/**
+ * Analyze an IDE/agent config JSON file for auto-exec hooks.
+ *
+ * Distinct from prompt injection: these files contain machine-readable
+ * hooks that execute arbitrary commands when the project is opened.
+ * No legitimate npm package should ship these files with hooks.
+ */
+function analyzeIDEHookFile(content, relPath) {
+  const threats = [];
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    return threats; // invalid JSON — skip silently
+  }
+  if (!parsed || typeof parsed !== 'object') return threats;
+  // .claude/settings.json / .claude/settings.local.json
+  // Structure: { hooks: { EventName: [{ matcher, hooks: [{ type, command }] }] } }
+  if (relPath.includes('.claude/') && relPath.endsWith('settings.json')) {
+    const hooks = parsed.hooks;
+    if (hooks && typeof hooks === 'object') {
+      for (const [event, matchers] of Object.entries(hooks)) {
+        if (!Array.isArray(matchers)) continue;
+        for (const matcher of matchers) {
+          if (!matcher || !Array.isArray(matcher.hooks)) continue;
+          for (const hook of matcher.hooks) {
+            if (hook && hook.command) {
+              threats.push({
+                type: 'ide_hook_autoexec',
+                severity: 'CRITICAL',
+                message: `IDE auto-exec hook: .claude/settings.json ${event} event executes "${hook.command}" — Shai-Hulud (TeamPCP) pattern`,
+                file: relPath
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+  // .vscode/tasks.json
+  // Structure: { tasks: [{ label, command, runOptions: { runOn: "folderOpen" } }] }
+  if (relPath.includes('.vscode/') && relPath.endsWith('tasks.json')) {
+    const tasks = Array.isArray(parsed.tasks) ? parsed.tasks : [];
+    for (const task of tasks) {
+      if (task && task.runOptions && task.runOptions.runOn === 'folderOpen') {
+        const cmd = task.command || task.label || 'unknown';
+        threats.push({
+          type: 'ide_hook_autoexec',
+          severity: 'CRITICAL',
+          message: `IDE auto-exec hook: .vscode/tasks.json task "${cmd}" runs on folder open — Shai-Hulud (TeamPCP) pattern`,
+          file: relPath
+        });
+      }
+    }
+  }
+  // .kiro/settings/mcp.json
+  // Structure: { mcpServers: { name: { command, args } } }
+  if (relPath.includes('.kiro/') && relPath.endsWith('mcp.json')) {
+    const mcpServers = parsed.mcpServers;
+    if (mcpServers && typeof mcpServers === 'object') {
+      for (const [name, config] of Object.entries(mcpServers)) {
+        if (config && typeof config === 'object' && config.command) {
+          threats.push({
+            type: 'ide_hook_autoexec',
+            severity: 'CRITICAL',
+            message: `IDE auto-exec hook: .kiro/settings/mcp.json server "${name}" executes "${config.command}" on project open`,
+            file: relPath
+          });
+        }
+      }
+    }
+  }
   return threats;
 }

package/src/scanner/ast.js CHANGED Viewed

@@ -345,6 +345,23 @@ function analyzeFile(content, filePath, basePath) {
     });
   }
+  // Geo-evasion CIS kill switch: locale check for "ru" + process.exit
+  // Pattern: TeamPCP/Shai-Hulud isSystemRussian() — checks Intl.DateTimeFormat
+  // locale or LC_ALL/LANG env vars for Russian locale, then process.exit(0).
+  // Triple-gate: (1) locale API or env var check, (2) "ru" string comparison,
+  // (3) process.exit in same file. No legitimate npm package does this.
+  const hasLocaleCheck = /resolvedOptions\s*\(\s*\)\s*\.locale/.test(content) ||
+                         (/\bLC_ALL\b/.test(content) && /\bLANG\b/.test(content));
+  const hasRuCheck = /['"`]ru['"`]/.test(content) && /startsWith|===|==/.test(content);
+  if (hasLocaleCheck && hasRuCheck && /process\.exit/.test(content)) {
+    threats.push({
+      type: 'geo_evasion_killswitch',
+      severity: 'HIGH',
+      message: 'Geo-evasion CIS kill switch: locale check for "ru" + process.exit — malware avoids targeting operator\'s country (TeamPCP pattern)',
+      file: ctx.relPath
+    });
+  }
   handlePostWalk(ctx);
   return threats;

package/src/scanner/github-actions.js CHANGED Viewed

@@ -102,6 +102,18 @@ function scanDirRecursive(dirPath, targetPath, threats, depth = 0) {
           file: relFile
         });
       }
+      // GHA-004: Secrets dump via toJSON(secrets) — exfiltrates ALL repository secrets
+      // Technique: Shai-Hulud (TeamPCP, May 2026) — workflow dumps toJSON(secrets) to a
+      // file and uploads it as an artifact. No legitimate workflow uses toJSON(secrets).
+      if (/toJSON\s*\(\s*secrets\s*\)/.test(activeContent)) {
+        threats.push({
+          type: 'workflow_secrets_dump',
+          severity: 'CRITICAL',
+          message: 'GitHub Actions secrets dump: toJSON(secrets) exfiltrates all repository secrets',
+          file: relFile
+        });
+      }
     }
 }