muaddib-scanner 2.11.19 → 2.11.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.19",
+  "version": "2.11.20",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/response/playbooks.js

@@ -168,6 +168,11 @@ const PLAYBOOKS = {
     'Le code charge cette dep typosquattee via require/import. Si ce n\'est pas intentionnel, supprimer la dep et la reference, puis reinstaller avec --ignore-scripts.',
   dependency_typosquat_require:
     'CRITIQUE — pattern Axios UNC1069 detecte: dep typosquattee declaree ET chargee dans le code. Le wrapper apparent est probablement legitime mais sa dep contient le payload. Bloquer l\'install (--ignore-scripts), supprimer la dep, auditer le history de modifications.',
+  // RT-C1-FPR (audit 2026-05)
+  typosquat_lifecycle:
+    'CRITIQUE — pattern boundary-squat avec hook lifecycle: la dep typosquattee sera executee a l\'install. Bloquer l\'install (--ignore-scripts), supprimer la dep, regenerer les secrets exposes, auditer le history.',
+  typosquat_dataflow:
+    'IMPORTANT — dep boundary-squat coexistante avec un flux credentials → reseau dans le code. Verifier si la dep est require()d depuis le fichier d\'exfil. Si oui = CRITICAL (compound dependency_typosquat_require complementaire).',
 
   dangerous_call_function:
     'Appel new Function() detecte. Equivalent a eval(). Verifier la source des donnees.',

package/src/rules/index.js

@@ -350,9 +350,13 @@ const RULES = {
   dependency_typosquat: {
     id: 'MUADDIB-TYPO-002',
     name: 'Dependency Boundary-Squat',
-    severity: 'HIGH',
+    // RT-C1-FPR (audit 2026-05): demoted HIGH -> MEDIUM. Boundary-squat alone is
+    // a name-resemblance heuristic without execution proof. Compounds typosquat_lifecycle
+    // (CRITICAL), typosquat_dataflow (HIGH), dependency_typosquat_require (CRITICAL)
+    // escalate when co-occurring with real execution/exfil signals.
+    severity: 'MEDIUM',
     confidence: 'high',
-    description: 'Une dependance declaree porte le nom d\'un package populaire prefixe/suffixe d\'un token suspect (Axios UNC1069, mars 2026). Le wrapper innocent declare un sub-dep malveillant.',
+    description: 'Une dependance declaree porte le nom d\'un package populaire prefixe/suffixe d\'un token suspect (Axios UNC1069, mars 2026). Le wrapper innocent declare un sub-dep malveillant. Signal solo MEDIUM, escalade CRITICAL via compounds lifecycle/dataflow/require.',
     references: [
       'https://snyk.io/blog/typosquatting-attacks/',
       'https://attack.mitre.org/techniques/T1195/002/'
@@ -377,6 +381,25 @@ const RULES = {
     references: ['https://attack.mitre.org/techniques/T1195/002/'],
     mitre: 'T1195.002'
   },
+  // RT-C1-FPR (audit 2026-05): compounds escaladant dependency_typosquat solo (MEDIUM)
+  typosquat_lifecycle: {
+    id: 'MUADDIB-COMPOUND-014',
+    name: 'Boundary-Squat Dep + Lifecycle Hook',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Dependance boundary-squat declaree avec script lifecycle (preinstall/postinstall) — install-time payload delivery via typosquat sub-dep.',
+    references: ['https://attack.mitre.org/techniques/T1195/002/'],
+    mitre: 'T1195.002'
+  },
+  typosquat_dataflow: {
+    id: 'MUADDIB-COMPOUND-015',
+    name: 'Boundary-Squat Dep + Suspicious Dataflow',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Dependance boundary-squat declaree avec flux de donnees suspect (lecture credentials + envoi reseau) — typosquat dep co-occurring with exfiltration.',
+    references: ['https://attack.mitre.org/techniques/T1195/002/'],
+    mitre: 'T1195.002'
+  },
 
   // Package.json script patterns
   curl_pipe_sh: {

package/src/scanner/typosquat.js

@@ -30,6 +30,23 @@ const POPULAR_PACKAGES = [
   'crypto-js'
 ];
 
+// RT-C1-FPR (audit 2026-05): frameworks dont les packages d'ecosysteme ont la
+// convention <framework>-<role>-<extension> (eslint-plugin-react, babel-preset-env,
+// gatsby-plugin-mdx, eslint-import-resolver-typescript). Un dep dont le PREMIER
+// segment hyphene est dans ce Set est une extension legitime du framework, jamais
+// un squat d'un autre package -- quelles que soient les autres segments.
+// EXCLUS volontairement : react, vue, angular, svelte, typescript. Leurs packages
+// d'ecosysteme ont le framework EN SUFFIXE (eslint-plugin-react), donc la convention
+// prefixe ne s'applique pas et conserver la detection de squats `react-token-exfil`
+// reste prioritaire.
+const ECOSYSTEM_FRAMEWORK_PREFIXES = new Set([
+  'eslint', 'babel', 'webpack', 'rollup', 'vite', 'parcel', 'esbuild', 'swc', 'tsup',
+  'gatsby', 'next', 'nuxt', 'remix', 'expo', 'metro',
+  'jest', 'mocha', 'karma', 'cypress', 'playwright', 'vitest',
+  'postcss', 'stylelint', 'prettier', 'typedoc',
+  'storybook', 'docusaurus', 'astro'
+]);
+
 // RT-C1: Hyphen tokens that legitimately PREFIX or SUFFIX popular package names.
 // `<token>-<popular>` or `<popular>-<token>` is considered benign when the extra
 // token is in this set (ecosystem qualifiers, framework prefixes, official scopes).
@@ -372,7 +389,11 @@ async function scanTyposquatting(targetPath) {
       + bMatch.original + '" (extra token: "' + bMatch.extra + '"). Axios UNC1069 pattern.';
     threats.push({
       type: 'dependency_typosquat',
-      severity: 'HIGH',
+      // RT-C1-FPR (audit 2026-05): demoted HIGH -> MEDIUM. Boundary-squat alone is
+      // a heuristic signal (name resemblance, no execution proof). The compounds
+      // typosquat_lifecycle (CRITICAL) and typosquat_dataflow (HIGH) escalate when
+      // co-occurring with real execution/exfil signals.
+      severity: 'MEDIUM',
       message: declMsg,
       file: 'package.json',
       details: {
@@ -557,6 +578,14 @@ function findTyposquatMatch(name) {
 }
 
 function isLegitimateVariant(name) {
+  // RT-C1-FPR (audit 2026-05): ecosystem framework prefix -> legitimate extension.
+  // Ex: eslint-import-resolver-typescript, babel-loader-svelte, gatsby-source-fs.
+  const firstHyphen = name.indexOf('-');
+  if (firstHyphen > 0) {
+    const prefix = name.slice(0, firstHyphen);
+    if (ECOSYSTEM_FRAMEWORK_PREFIXES.has(prefix)) return true;
+  }
+
   // Suffixes legitimes qui ne sont PAS du typosquatting
   const legitimateSuffixes = [
     '-cli', '-core', '-utils', '-plugin', '-loader', '-webpack',

package/src/scoring.js

@@ -509,6 +509,30 @@ const SCORING_COMPOUNDS = [
     message: 'Boundary-squat dependency declared AND require()d in code — Axios UNC1069 pattern (scoring compound).',
     fileFrom: 'dependency_typosquat_used'
   },
+  {
+    // RT-C1-FPR (audit 2026-05): boundary-squat dep + lifecycle hook → install-time
+    // payload delivery via typosquat sub-dep. Mirror of dependency_typosquat_require
+    // but with lifecycle instead of _used: stronger signal — proves install-time
+    // execution intent without requiring explicit require() in scanned code.
+    type: 'typosquat_lifecycle',
+    requires: ['dependency_typosquat', 'lifecycle_script'],
+    severity: 'CRITICAL',
+    message: 'Boundary-squat dependency + lifecycle hook — install-time payload delivery via typosquat sub-dep (scoring compound).',
+    fileFrom: 'dependency_typosquat'
+    // No sameFile: both are package.json-level
+  },
+  {
+    // RT-C1-FPR (audit 2026-05): boundary-squat dep + suspicious dataflow → typosquat
+    // dep co-occurring with credential exfil. Mirror of lifecycle_dataflow (HIGH) —
+    // co-occurrence without direct causal link, so HIGH not CRITICAL.
+    type: 'typosquat_dataflow',
+    requires: ['dependency_typosquat', 'suspicious_dataflow'],
+    severity: 'HIGH',
+    message: 'Boundary-squat dependency + suspicious dataflow — typosquat dep co-occurring with credential exfil (scoring compound).',
+    fileFrom: 'suspicious_dataflow',
+    // No sameFile: dep is package.json, dataflow is src/*.js
+    excludeIfBundled: true
+  },
   {
     type: 'lifecycle_inline_exec',
     requires: ['lifecycle_script', 'node_inline_exec'],