muaddib-scanner 2.11.159 → 2.11.160
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"target": "node_modules",
|
|
3
|
-
"timestamp": "2026-07-
|
|
3
|
+
"timestamp": "2026-07-07T14:05:05.690Z",
|
|
4
4
|
"threats": [
|
|
5
5
|
{
|
|
6
6
|
"type": "string_mutation_obfuscation",
|
|
@@ -468,26 +468,6 @@
|
|
|
468
468
|
"playbook": "CRITIQUE: Assignation a Module._resolveFilename/_compile/_extensions. Detournement du systeme de modules Node.js. Tous les require() sont interceptes. Supprimer le package immediatement. Auditer tous les modules charges apres installation.",
|
|
469
469
|
"points": 25
|
|
470
470
|
},
|
|
471
|
-
{
|
|
472
|
-
"type": "dynamic_require",
|
|
473
|
-
"severity": "HIGH",
|
|
474
|
-
"message": "Dynamic require() with computed argument (possible decode obfuscation).",
|
|
475
|
-
"file": "ajv/scripts/bundle.js",
|
|
476
|
-
"count": 2,
|
|
477
|
-
"reductions": [],
|
|
478
|
-
"originalSeverity": "HIGH",
|
|
479
|
-
"confidenceTier": "medium",
|
|
480
|
-
"rule_id": "MUADDIB-AST-006",
|
|
481
|
-
"rule_name": "Dynamic Require with Concatenation",
|
|
482
|
-
"confidence": "high",
|
|
483
|
-
"domain": "malware",
|
|
484
|
-
"references": [
|
|
485
|
-
"https://attack.mitre.org/techniques/T1027/"
|
|
486
|
-
],
|
|
487
|
-
"mitre": "T1027",
|
|
488
|
-
"playbook": "require() avec concatenation detecte. Technique d'obfuscation pour masquer le module charge. Analyser les variables concatenees.",
|
|
489
|
-
"points": 10
|
|
490
|
-
},
|
|
491
471
|
{
|
|
492
472
|
"type": "env_access",
|
|
493
473
|
"severity": "MEDIUM",
|
|
@@ -2090,9 +2070,9 @@
|
|
|
2090
2070
|
],
|
|
2091
2071
|
"python": null,
|
|
2092
2072
|
"summary": {
|
|
2093
|
-
"total":
|
|
2073
|
+
"total": 91,
|
|
2094
2074
|
"critical": 7,
|
|
2095
|
-
"high":
|
|
2075
|
+
"high": 9,
|
|
2096
2076
|
"medium": 44,
|
|
2097
2077
|
"low": 31,
|
|
2098
2078
|
"riskScore": 35,
|
|
@@ -2106,7 +2086,6 @@
|
|
|
2106
2086
|
"web-tree-sitter/web-tree-sitter.cjs": 42,
|
|
2107
2087
|
"web-tree-sitter/web-tree-sitter.js": 42,
|
|
2108
2088
|
"ajv/lib/ajv.js": 25,
|
|
2109
|
-
"ajv/scripts/bundle.js": 10,
|
|
2110
2089
|
"debug/src/node.js": 3,
|
|
2111
2090
|
"eslint/bin/eslint.js": 10,
|
|
2112
2091
|
"fast-json-stable-stringify/benchmark/index.js": 10,
|
|
@@ -2129,7 +2108,6 @@
|
|
|
2129
2108
|
"web-tree-sitter/web-tree-sitter.cjs": 165707,
|
|
2130
2109
|
"web-tree-sitter/web-tree-sitter.js": 153666,
|
|
2131
2110
|
"ajv/lib/ajv.js": 15837,
|
|
2132
|
-
"ajv/scripts/bundle.js": 1795,
|
|
2133
2111
|
"debug/src/node.js": 4728,
|
|
2134
2112
|
"eslint/bin/eslint.js": 6028,
|
|
2135
2113
|
"fast-json-stable-stringify/benchmark/index.js": 740,
|
|
@@ -2202,12 +2180,6 @@
|
|
|
2202
2180
|
"points": 10,
|
|
2203
2181
|
"reason": "Binary file reference (.png/.jpg/.wasm/etc.) + eval() in same file — possible steganographic payload execution."
|
|
2204
2182
|
},
|
|
2205
|
-
{
|
|
2206
|
-
"rule": "MUADDIB-AST-006",
|
|
2207
|
-
"type": "dynamic_require",
|
|
2208
|
-
"points": 10,
|
|
2209
|
-
"reason": "Dynamic require() with computed argument (possible decode obfuscation)."
|
|
2210
|
-
},
|
|
2211
2183
|
{
|
|
2212
2184
|
"rule": "MUADDIB-AST-006",
|
|
2213
2185
|
"type": "dynamic_require",
|
|
@@ -2698,7 +2670,7 @@
|
|
|
2698
2670
|
"tierCounts": {
|
|
2699
2671
|
"verified": 0,
|
|
2700
2672
|
"high": 0,
|
|
2701
|
-
"medium":
|
|
2673
|
+
"medium": 17,
|
|
2702
2674
|
"low": 74
|
|
2703
2675
|
},
|
|
2704
2676
|
"perceivedFlagged": 0
|
|
@@ -219,9 +219,18 @@ function handleCallExpression(node, ctx) {
|
|
|
219
219
|
file: ctx.relFile
|
|
220
220
|
});
|
|
221
221
|
} else if (arg.type === 'CallExpression') {
|
|
222
|
-
|
|
223
|
-
//
|
|
224
|
-
|
|
222
|
+
// Skip safe path-builder patterns: require(path.join(...)), require(path.resolve(...)).
|
|
223
|
+
// NB: getCallName(arg) returns the bare method name ('join'/'resolve'), NOT 'path.join', so
|
|
224
|
+
// the previous `argCallName !== 'path.join'` guard never matched — a dead check that let the
|
|
225
|
+
// standard require(path.join(...)) idiom raise a HIGH dynamic_require FP. Inspect the
|
|
226
|
+
// MemberExpression object directly instead. Real obfuscation still fires: require(atob(...)),
|
|
227
|
+
// require(decoder.decode(...)), require(Buffer.from(...).toString()) all have object!=='path'.
|
|
228
|
+
const callee = arg.callee;
|
|
229
|
+
const isPathBuilder =
|
|
230
|
+
callee.type === 'MemberExpression' &&
|
|
231
|
+
callee.object && callee.object.name === 'path' &&
|
|
232
|
+
callee.property && (callee.property.name === 'join' || callee.property.name === 'resolve');
|
|
233
|
+
if (!isPathBuilder) {
|
|
225
234
|
const hasDecode = containsDecodePattern(arg);
|
|
226
235
|
ctx.threats.push({
|
|
227
236
|
type: 'dynamic_require',
|