muaddib-scanner 2.11.18 → 2.11.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.18",
+  "version": "2.11.20",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/response/playbooks.js

@@ -168,6 +168,11 @@ const PLAYBOOKS = {
     'Le code charge cette dep typosquattee via require/import. Si ce n\'est pas intentionnel, supprimer la dep et la reference, puis reinstaller avec --ignore-scripts.',
   dependency_typosquat_require:
     'CRITIQUE — pattern Axios UNC1069 detecte: dep typosquattee declaree ET chargee dans le code. Le wrapper apparent est probablement legitime mais sa dep contient le payload. Bloquer l\'install (--ignore-scripts), supprimer la dep, auditer le history de modifications.',
+  // RT-C1-FPR (audit 2026-05)
+  typosquat_lifecycle:
+    'CRITIQUE — pattern boundary-squat avec hook lifecycle: la dep typosquattee sera executee a l\'install. Bloquer l\'install (--ignore-scripts), supprimer la dep, regenerer les secrets exposes, auditer le history.',
+  typosquat_dataflow:
+    'IMPORTANT — dep boundary-squat coexistante avec un flux credentials → reseau dans le code. Verifier si la dep est require()d depuis le fichier d\'exfil. Si oui = CRITICAL (compound dependency_typosquat_require complementaire).',
 
   dangerous_call_function:
     'Appel new Function() detecte. Equivalent a eval(). Verifier la source des donnees.',

package/src/rules/index.js

@@ -350,9 +350,13 @@ const RULES = {
   dependency_typosquat: {
     id: 'MUADDIB-TYPO-002',
     name: 'Dependency Boundary-Squat',
-    severity: 'HIGH',
+    // RT-C1-FPR (audit 2026-05): demoted HIGH -> MEDIUM. Boundary-squat alone is
+    // a name-resemblance heuristic without execution proof. Compounds typosquat_lifecycle
+    // (CRITICAL), typosquat_dataflow (HIGH), dependency_typosquat_require (CRITICAL)
+    // escalate when co-occurring with real execution/exfil signals.
+    severity: 'MEDIUM',
     confidence: 'high',
-    description: 'Une dependance declaree porte le nom d\'un package populaire prefixe/suffixe d\'un token suspect (Axios UNC1069, mars 2026). Le wrapper innocent declare un sub-dep malveillant.',
+    description: 'Une dependance declaree porte le nom d\'un package populaire prefixe/suffixe d\'un token suspect (Axios UNC1069, mars 2026). Le wrapper innocent declare un sub-dep malveillant. Signal solo MEDIUM, escalade CRITICAL via compounds lifecycle/dataflow/require.',
     references: [
       'https://snyk.io/blog/typosquatting-attacks/',
       'https://attack.mitre.org/techniques/T1195/002/'
@@ -377,6 +381,25 @@ const RULES = {
     references: ['https://attack.mitre.org/techniques/T1195/002/'],
     mitre: 'T1195.002'
   },
+  // RT-C1-FPR (audit 2026-05): compounds escaladant dependency_typosquat solo (MEDIUM)
+  typosquat_lifecycle: {
+    id: 'MUADDIB-COMPOUND-014',
+    name: 'Boundary-Squat Dep + Lifecycle Hook',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Dependance boundary-squat declaree avec script lifecycle (preinstall/postinstall) — install-time payload delivery via typosquat sub-dep.',
+    references: ['https://attack.mitre.org/techniques/T1195/002/'],
+    mitre: 'T1195.002'
+  },
+  typosquat_dataflow: {
+    id: 'MUADDIB-COMPOUND-015',
+    name: 'Boundary-Squat Dep + Suspicious Dataflow',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Dependance boundary-squat declaree avec flux de donnees suspect (lecture credentials + envoi reseau) — typosquat dep co-occurring with exfiltration.',
+    references: ['https://attack.mitre.org/techniques/T1195/002/'],
+    mitre: 'T1195.002'
+  },
 
   // Package.json script patterns
   curl_pipe_sh: {

package/src/scanner/dataflow.js

@@ -831,7 +831,7 @@ function analyzeFile(content, filePath, basePath) {
             const envVar = node.property?.name || '';
             if (isSensitiveEnv(envVar)) {
               sources.push({
-                type: 'env_read',
+                type: isCredentialEnv(envVar) ? 'credential_env_read' : 'env_read',
                 name: envVar,
                 line: node.loc?.start?.line,
                 taint_tracked: true
@@ -857,7 +857,7 @@ function analyzeFile(content, filePath, basePath) {
         const envVar = node.property?.name || '';
         if (isSensitiveEnv(envVar)) {
           sources.push({
-            type: 'env_read',
+            type: isCredentialEnv(envVar) ? 'credential_env_read' : 'env_read',
             name: envVar,
             line: node.loc?.start?.line
           });
@@ -948,7 +948,7 @@ function analyzeFile(content, filePath, basePath) {
     if (taint && EXFIL_PRONE_MODULES.has(taint.source)) exfilProneInScope.push(taint.source);
   }
   if (exfilProneInScope.length > 0 &&
-      sources.some(s => s.type === 'env_read' || s.type === 'credential_read')) {
+      sources.some(s => s.type === 'env_read' || s.type === 'credential_env_read' || s.type === 'credential_read')) {
     const moduleList = [...new Set(exfilProneInScope)].join(', ');
     const firstSourceLine = sources.find(s => s.line)?.line || 0;
     threats.push({
@@ -1028,12 +1028,16 @@ function analyzeFile(content, filePath, basePath) {
     }
 
     // Graduation: HIGH → MEDIUM for env/telemetry-only sources (no credential file reads,
-    // no fingerprint reads, no command output). Distant env/telemetry → network_send
-    // is the dominant FP pattern (SDK/API usage, binary wrappers, config libraries).
-    // Real credential exfiltration uses credential_read or fingerprint_read sources.
+    // no fingerprint reads, no command output, no credential-tier env vars). Distant
+    // env/telemetry → network_send is the dominant FP pattern (SDK/API usage, binary
+    // wrappers, config libraries). Real credential exfiltration uses credential_read,
+    // fingerprint_read, or credential_env_read sources (audit 2026-05 DF-C4: NPM_TOKEN,
+    // GITHUB_TOKEN, AWS_SECRET_* now classified as credential_env_read upstream and
+    // retained at HIGH instead of downgrading to MEDIUM with the rest of env_read).
     if (severity === 'HIGH') {
       const hasHighRiskSource = sources.some(s =>
-        s.type === 'credential_read' || s.type === 'fingerprint_read' || s.type === 'command_output'
+        s.type === 'credential_read' || s.type === 'fingerprint_read' ||
+        s.type === 'command_output' || s.type === 'credential_env_read'
       );
       if (!hasHighRiskSource) {
         severity = 'MEDIUM';
@@ -1169,4 +1173,29 @@ function isSensitiveEnv(name) {
   return sensitive.some(s => upper.includes(s));
 }
 
+// Audit 2026-05 DF-C4: credential-tier env vars distinguished from generic env_read.
+// These represent authentication material (NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY,
+// STRIPE_API_KEY etc.) — strictly narrower than isSensitiveEnv. Sources of this type
+// participate in hasHighRiskSource so credential exfil patterns are NOT downgraded by the
+// HIGH→MEDIUM graduation. System identity vars (HOME, USER) remain plain env_read since
+// they are fingerprinting signals, not credentials.
+const KNOWN_CREDENTIAL_ENV_VARS = new Set([
+  'NPM_TOKEN', 'GITHUB_TOKEN', 'GH_TOKEN', 'NODE_AUTH_TOKEN',
+  'CIRCLE_TOKEN', 'GITLAB_TOKEN', 'CARGO_REGISTRY_TOKEN', 'PYPI_TOKEN',
+  'GOOGLE_APPLICATION_CREDENTIALS', 'AZURE_CLIENT_SECRET',
+  'SENTRY_AUTH_TOKEN', 'NPM_AUTH_TOKEN', 'NPM_CONFIG_AUTHTOKEN'
+]);
+
+const CREDENTIAL_ENV_SUFFIX_RE = /(?:^|_)(?:TOKEN|SECRET|PASSWORD|PASSPHRASE|CREDENTIAL|CREDENTIALS|API_KEY|ACCESS_KEY|ACCESS_KEY_ID|SECRET_KEY|PRIVATE_KEY|SIGNING_KEY|SESSION_TOKEN|REFRESH_TOKEN|AUTH_TOKEN)$/;
+
+function isCredentialEnv(name) {
+  const upper = name.toUpperCase();
+  // System identity vars are fingerprinting, not credentials
+  if (SYSTEM_IDENTITY_ENVS.has(upper)) return false;
+  // Public keys are not credentials (e.g., SSH_PUBLIC_KEY, GPG_PUBLIC_KEY)
+  if (upper.includes('PUBLIC_KEY') || upper.includes('PUBKEY')) return false;
+  if (KNOWN_CREDENTIAL_ENV_VARS.has(upper)) return true;
+  return CREDENTIAL_ENV_SUFFIX_RE.test(upper);
+}
+
 module.exports = { analyzeDataFlow };

package/src/scanner/typosquat.js

@@ -30,6 +30,23 @@ const POPULAR_PACKAGES = [
   'crypto-js'
 ];
 
+// RT-C1-FPR (audit 2026-05): frameworks dont les packages d'ecosysteme ont la
+// convention <framework>-<role>-<extension> (eslint-plugin-react, babel-preset-env,
+// gatsby-plugin-mdx, eslint-import-resolver-typescript). Un dep dont le PREMIER
+// segment hyphene est dans ce Set est une extension legitime du framework, jamais
+// un squat d'un autre package -- quelles que soient les autres segments.
+// EXCLUS volontairement : react, vue, angular, svelte, typescript. Leurs packages
+// d'ecosysteme ont le framework EN SUFFIXE (eslint-plugin-react), donc la convention
+// prefixe ne s'applique pas et conserver la detection de squats `react-token-exfil`
+// reste prioritaire.
+const ECOSYSTEM_FRAMEWORK_PREFIXES = new Set([
+  'eslint', 'babel', 'webpack', 'rollup', 'vite', 'parcel', 'esbuild', 'swc', 'tsup',
+  'gatsby', 'next', 'nuxt', 'remix', 'expo', 'metro',
+  'jest', 'mocha', 'karma', 'cypress', 'playwright', 'vitest',
+  'postcss', 'stylelint', 'prettier', 'typedoc',
+  'storybook', 'docusaurus', 'astro'
+]);
+
 // RT-C1: Hyphen tokens that legitimately PREFIX or SUFFIX popular package names.
 // `<token>-<popular>` or `<popular>-<token>` is considered benign when the extra
 // token is in this set (ecosystem qualifiers, framework prefixes, official scopes).
@@ -372,7 +389,11 @@ async function scanTyposquatting(targetPath) {
       + bMatch.original + '" (extra token: "' + bMatch.extra + '"). Axios UNC1069 pattern.';
     threats.push({
       type: 'dependency_typosquat',
-      severity: 'HIGH',
+      // RT-C1-FPR (audit 2026-05): demoted HIGH -> MEDIUM. Boundary-squat alone is
+      // a heuristic signal (name resemblance, no execution proof). The compounds
+      // typosquat_lifecycle (CRITICAL) and typosquat_dataflow (HIGH) escalate when
+      // co-occurring with real execution/exfil signals.
+      severity: 'MEDIUM',
       message: declMsg,
       file: 'package.json',
       details: {
@@ -557,6 +578,14 @@ function findTyposquatMatch(name) {
 }
 
 function isLegitimateVariant(name) {
+  // RT-C1-FPR (audit 2026-05): ecosystem framework prefix -> legitimate extension.
+  // Ex: eslint-import-resolver-typescript, babel-loader-svelte, gatsby-source-fs.
+  const firstHyphen = name.indexOf('-');
+  if (firstHyphen > 0) {
+    const prefix = name.slice(0, firstHyphen);
+    if (ECOSYSTEM_FRAMEWORK_PREFIXES.has(prefix)) return true;
+  }
+
   // Suffixes legitimes qui ne sont PAS du typosquatting
   const legitimateSuffixes = [
     '-cli', '-core', '-utils', '-plugin', '-loader', '-webpack',

package/src/scoring.js

@@ -183,13 +183,11 @@ function isPackageLevelThreat(threat) {
  * @param {Array} threats - array of threat objects (after FP reductions)
  * @returns {number} score 0-100
  */
-// Hybrid v3 Phase 3: when enabled, threats tagged with replacedByCompound
-// (their compound has fired and represents their score) contribute 0 to the
-// group score. Avoids the additive double-count of compound + constituents.
-const _COMPOUND_REPLACE_ENABLED = () => process.env.MUADDIB_COMPOUND_REPLACE === '1';
-function _isReplacedByCompound(t) {
-  return _COMPOUND_REPLACE_ENABLED() && t.replacedByCompound;
-}
+// Hybrid v3 Phase 3: threats tagged with replacedByCompound (their compound has
+// fired and represents their score) contribute 0 to the group score. Avoids the
+// additive double-count of compound + constituents. Audit 2026-05 SC-C1: the
+// previous MUADDIB_COMPOUND_REPLACE env-var gate is removed — the tag posed by
+// applyCompoundBoosts is now honored unconditionally.
 
 function computeGroupScore(threats) {
   // Score decay default ON since v2.11.9 (FPR plan Chantier 1). Opt-out: MUADDIB_DECAY=0.
@@ -199,7 +197,7 @@ function computeGroupScore(threats) {
   let dataflowMediumPoints = 0;
 
   for (const t of threats) {
-    if (_isReplacedByCompound(t)) continue;
+    if (t.replacedByCompound) continue;
     const weight = _severityWeights[t.severity] || 0;
     const rule = getRule(t.type);
     const factor = CONFIDENCE_FACTORS[rule.confidence] || 1.0;
@@ -257,7 +255,7 @@ function computeGroupScoreDecay(threats) {
   const typeBuckets = new Map();
 
   for (const t of threats) {
-    if (_isReplacedByCompound(t)) continue;
+    if (t.replacedByCompound) continue;
     const weight = _severityWeights[t.severity] || 0;
     const rule = getRule(t.type);
     const factor = CONFIDENCE_FACTORS[rule.confidence] || 1.0;
@@ -303,7 +301,11 @@ const FP_COUNT_THRESHOLDS = {
   // Real malware uses 1-2 targeted Function() calls.
   dangerous_call_function: { maxCount: 5, to: 'LOW' },
   require_cache_poison: { maxCount: 3, from: 'CRITICAL', to: 'LOW' },
-  suspicious_dataflow: { maxCount: 3, to: 'LOW' },
+  // Audit 2026-05 SC-C2: floorEligible: true opts suspicious_dataflow into the
+  // dilution floor without adding a `from` constraint (which would block MEDIUM
+  // count-threshold downgrades). Restores 1 instance at original severity so an
+  // attacker can't dilute real exfil flows by injecting benign data flows.
+  suspicious_dataflow: { maxCount: 3, to: 'LOW', floorEligible: true },
   obfuscation_detected: { maxCount: 3, to: 'LOW' },
   module_compile_dynamic: { maxCount: 3, from: 'HIGH', to: 'LOW' },
   module_compile: { maxCount: 3, from: 'HIGH', to: 'LOW' },
@@ -322,8 +324,10 @@ const FP_COUNT_THRESHOLDS = {
   // P6: HTTP client libraries (undici, aws-sdk, nodemailer, jsdom) parse Authorization/Bearer headers
   // with 3+ credential regexes. Real harvesters use 1-2 targeted regexes.
   // Audit v3: removed `from` constraint — ALL severity levels downgraded when count > 2.
-  // This eliminates the dilution floor (floor requires `from` field) for complete suppression.
-  credential_regex_harvest: { maxCount: 2, to: 'LOW' },
+  // Audit 2026-05 SC-C2: floorEligible: true restores 1 instance at original
+  // severity. Without it an attacker injects 3+ benign header regexes (Authorization,
+  // Cookie, X-Forwarded-For) and downgrades all real exfil regexes to LOW.
+  credential_regex_harvest: { maxCount: 2, to: 'LOW', floorEligible: true },
   // P7→Audit v3: Config frameworks (pm2, nx, dotenv, aws-sdk, oclif) read 5+ env vars — not credential theft.
   // Real stealers access 1-4 targeted env vars. Count >4 = config loader pattern.
   // Lowered from 10→4 for better FP reduction. B5 network_sink_immunity protects genuine exfiltration.
@@ -505,6 +509,30 @@ const SCORING_COMPOUNDS = [
     message: 'Boundary-squat dependency declared AND require()d in code — Axios UNC1069 pattern (scoring compound).',
     fileFrom: 'dependency_typosquat_used'
   },
+  {
+    // RT-C1-FPR (audit 2026-05): boundary-squat dep + lifecycle hook → install-time
+    // payload delivery via typosquat sub-dep. Mirror of dependency_typosquat_require
+    // but with lifecycle instead of _used: stronger signal — proves install-time
+    // execution intent without requiring explicit require() in scanned code.
+    type: 'typosquat_lifecycle',
+    requires: ['dependency_typosquat', 'lifecycle_script'],
+    severity: 'CRITICAL',
+    message: 'Boundary-squat dependency + lifecycle hook — install-time payload delivery via typosquat sub-dep (scoring compound).',
+    fileFrom: 'dependency_typosquat'
+    // No sameFile: both are package.json-level
+  },
+  {
+    // RT-C1-FPR (audit 2026-05): boundary-squat dep + suspicious dataflow → typosquat
+    // dep co-occurring with credential exfil. Mirror of lifecycle_dataflow (HIGH) —
+    // co-occurrence without direct causal link, so HIGH not CRITICAL.
+    type: 'typosquat_dataflow',
+    requires: ['dependency_typosquat', 'suspicious_dataflow'],
+    severity: 'HIGH',
+    message: 'Boundary-squat dependency + suspicious dataflow — typosquat dep co-occurring with credential exfil (scoring compound).',
+    fileFrom: 'suspicious_dataflow',
+    // No sameFile: dep is package.json, dataflow is src/*.js
+    excludeIfBundled: true
+  },
   {
     type: 'lifecycle_inline_exec',
     requires: ['lifecycle_script', 'node_inline_exec'],
@@ -1015,16 +1043,16 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps, re
 
   // Dilution floor: retain at least one instance at original severity per type
   // to prevent complete count-threshold dilution by injected benign patterns.
-  // Only applies to types with low maxCount (≤3) and a severity constraint (from field),
-  // where injection of benign patterns is feasible. High-count types (dynamic_require,
-  // env_access) and unconstrained types (suspicious_dataflow) represent legitimate
-  // framework patterns and should allow full downgrade.
+  // Applies to types with low maxCount (≤3) AND either a `from` severity
+  // constraint OR an explicit `floorEligible: true` opt-in (audit 2026-05 SC-C2).
+  // High-count types (dynamic_require, env_access) represent legitimate framework
+  // patterns and remain ineligible (no floor → full downgrade allowed).
   const restoredTypes = new Set();
   for (const t of threats) {
     const lastReduction = t.reductions?.find(r => r.rule === 'count_threshold');
     if (lastReduction && !restoredTypes.has(t.type)) {
       const rule = FP_COUNT_THRESHOLDS[t.type];
-      if (rule && rule.from && rule.maxCount <= 3) {
+      if (rule && (rule.from || rule.floorEligible) && rule.maxCount <= 3) {
         t.severity = lastReduction.from;
         t.reductions = t.reductions.filter(r => r.rule !== 'count_threshold');
         t.reductions.push({ rule: 'count_threshold_floor', note: 'retained one instance at original severity' });