muaddib-scanner 2.11.22 → 2.11.24

package/README.md

@@ -275,7 +275,7 @@ With pre-commit framework:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.11.22
+    rev: v2.11.24
     hooks:
       - id: muaddib-scan
 ```
@@ -296,7 +296,7 @@ repos:
 | **FPR** (Benign random, v2.10.95 measure) | **7.0%** (14/200) | 200 random npm packages, stratified sampling |
 | **ADR** (Adversarial + Holdout) | **96.3%** (103/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
 
-**3586 tests** across 93 files. **234 rules** (229 RULES + 5 PARANOID).
+**3602 tests** across 93 files. **234 rules** (229 RULES + 5 PARANOID).
 
 > **ML retrain methodology (v2.10.51):**
 > - Ground truth: 377 confirmed_malicious via auto-labeler (OSSF malicious-packages, GitHub Advisory Database, npm registry takedown correlation)
@@ -344,7 +344,7 @@ npm test
 
 ### Testing
 
-- **3586 tests** across 93 modular test files
+- **3602 tests** across 93 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 67 real-world attacks (93.85% TPR@3, 86.2% TPR@20 — v2.10.95 measure)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.22",
+  "version": "2.11.24",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/ml/feature-extractor.js

@@ -703,6 +703,237 @@ function mcpServerEnvAccess(result, meta) {
   return true;
 }
 
+// ============================================================================
+// Feature 10 — vendor_cli_sdk (v2.11.23, audit week3 cluster, 96 FP)
+// ============================================================================
+//
+// Targets the largest residual FP cluster from the audit 2026-05-week3
+// (96 entries, 33.6% of FP): legitimate vendor / community CLIs and SDKs
+// that fire `credential_regex_harvest` + `env_access` on their OWN
+// in-package credential handling (Stripe checkout, OAuth-PKCE, bearer
+// tokens to vendor APIs, .env template scaffolding). Examples observed:
+// @nocobase/cli-v1, @posterly/cli, @super-hands/cli, codeapp-js-cli
+// (Microsoft Power Apps), nodebb-plugin-flawless-donations (Stripe),
+// @aiyiran/myclaw (Chinese OpenClaw wrapper), usegrain (scaffolder),
+// @tapestry-mud/cli, db-model-router, etc.
+//
+// Discriminator vs vendor-impersonating malware: SANDWORM_MODE droppers
+// (a) typically have no `bin` entry (they install via lifecycle hook,
+// not user-invoked CLI), (b) emit `mcp_config_injection` (F9 catches
+// those), (c) cite credential file paths (.npmrc / .ssh / .aws), (d)
+// emit third-party exfil threats. F10's conjunction requires NONE of
+// these and additionally requires a vendor identity hint (homepage or
+// scoped name).
+
+function _f10HasBinEntry(meta) {
+  const bin = meta && meta.registryMeta && meta.registryMeta.bin;
+  if (!bin) return false;
+  if (typeof bin === 'string' && bin.trim().length > 0) return true;
+  if (typeof bin === 'object' && Object.keys(bin).length > 0) return true;
+  return false;
+}
+
+function _f10HasVendorIdentity(meta) {
+  if (!meta) return false;
+  if (getHomepageHost(meta)) return true;
+  const name = meta.name && String(meta.name);
+  if (name && name.startsWith('@') && name.includes('/')) return true;
+  return false;
+}
+
+/**
+ * Feature 10 — TRUE iff the package looks structurally like a legitimate
+ * vendor / community CLI / SDK whose credential-handling threats are
+ * intrinsic to its functionality, not an exfil vector.
+ *
+ * Conjunction of 7 conditions (see file header for SANDWORM_MODE
+ * discriminator rationale):
+ *
+ *   C1  has `bin` entry                       — CLI signal
+ *   C2  credential_regex_harvest OR env_access fires
+ *   C3  no `mcp_config_injection`             — F9 catches MCP installers
+ *   C4  no install lifecycle hook             — legit CLIs are opt-in
+ *   C5  no third-party exfil threat (15 types)
+ *   C6  no credential file path (.npmrc/.ssh/.aws) in any threat message
+ *   C7  vendor identity present (homepage host OR scoped @vendor/name)
+ *
+ * Cap value 35 (CRITICAL → MEDIUM-HIGH boundary). Reuses the F9 constants
+ * F9_EXFIL_TYPES and F9_CREDENTIAL_FILE_RE for C5/C6.
+ *
+ * Covers up to 96 FP (33.6% of audit week3 FP corpus). Estimated effective
+ * coverage 60-75 after the conjunction filters (some week3 entries lack
+ * a bin field, e.g. design-system asset packages — those fall under F1
+ * `bundle_without_install_scripts` instead).
+ */
+function vendorCliSdk(result, meta) {
+  // C1 — has bin entry
+  if (!_f10HasBinEntry(meta)) return false;
+  const threats = (result && result.threats) || [];
+  if (threats.length === 0) return false;
+  // C2 — at least one credential-noise threat (the FP source)
+  const hasCredentialNoise = threats.some(t =>
+    t.type === 'credential_regex_harvest' ||
+    t.type === 'env_access' ||
+    t.type === 'env_charcode_reconstruction' ||
+    t.type === 'credential_tampering'
+  );
+  if (!hasCredentialNoise) return false;
+  // C3 — no mcp_config_injection (F9 territory)
+  if (threats.some(t => t.type === 'mcp_config_injection')) return false;
+  // C4 — no install lifecycle hook
+  if (hasLifecycleScripts(meta)) return false;
+  // C5 + C6 — scan threats for exfil signal and credential-file mentions
+  for (const t of threats) {
+    if (F9_EXFIL_TYPES.has(t.type)) return false;       // C5
+    if (F9_CREDENTIAL_FILE_RE.test(String(t.message || ''))) return false;  // C6
+  }
+  // C7 — vendor identity
+  if (!_f10HasVendorIdentity(meta)) return false;
+  return true;
+}
+
+// ============================================================================
+// Feature 11 — ai_agent_bot (v2.11.24, audit week3 cluster, 54 FP)
+// ============================================================================
+//
+// Targets the third cluster from the audit 2026-05-week3 (54 entries,
+// 18.9 % of FP): packages that ARE themselves multi-provider AI agents,
+// orchestrators, chatbots, or IM⇄AI bridges. Examples: gm-skill (AI coding
+// harness), codexmate (multi-provider orchestrator), lazyclaw (terminal
+// multi-LLM CLI), linco-connect (WeChat→Claude bridge), natureco-cli
+// (WhatsApp+Telegram bot), multis (Telegram chatbot), @aitne-sh/aitne
+// (personal AI daemon), @jhizzard/termdeck (browser term mux with AI),
+// triflux (Claude Code router), opuscode (Claude config wizard).
+//
+// These packages legitimately fire `dangerous_call_eval` (LLM tool-use
+// execute_code feature), `remote_code_load` (bun x pkg@latest fetching),
+// `detached_credential_exfil` (local session token storage), and lots
+// of `env_access` + `suspicious_dataflow`. F11 cannot blacklist these —
+// they ARE the core capabilities. Instead the conjunction requires:
+//
+//   - Positive AI agent identity (name/desc/keywords/deps signal)
+//   - Evidence the package operates on agent runtime data (touches paths
+//     like ~/.claude/, ~/.codex/, ~/.cursor/, etc.)
+//   - Absence of SANDWORM_MODE signatures: no preinstall, no
+//     mcp_config_injection (F9 priority), no third-party suspicious_domain,
+//     no credential file harvest, no binary dropper (F2 priority).
+//
+// Cap 35 (aligned with F10 — broader conjunction than F9).
+
+// Agent runtime directory regex — matches references in threat messages to
+// AI tool runtime paths. Both '~/.X/' and 'os.homedir() + "/.X"' patterns
+// surface as substrings here.
+const AGENT_RUNTIME_PATHS_RE = /[~/\\\\]\.(?:claude|codex|cursor|windsurf|continue|openclaude|openclaudia|hermes|aiflow|tdpilot|aitne|kimi|opuscode|freddie|gm-?log|gm-?skill|termdeck|relaydesk|natureco|grok|gemini|copilot|cline|aider|cody|tabnine|cursor-ai|cursorrules|claude-?desktop|claude-?code|llm[- ]?cache)\b/i;
+
+// AI agent name regex — package name signals identity.
+const AGENT_NAME_RE = /(?:^|[/_-])(?:agent|bot|chat|chatbot|claw|codex|coder|swarm|harness|brain|orchestr|orchestrator|claude|llm|hermes|aider|kimi|cline|cody|aitne|opuscode|relaydesk|termdeck|gm-skill|gm-hermes|gm-qwen|gm-thebird|gm-plugkit|relipa|triflux|protocol-proxy|codexmate|lazy?claw|natureco)(?:[_-]|$)/i;
+
+// Keywords that signal AI agent purpose (case-insensitive).
+const AGENT_KEYWORDS_SET = new Set([
+  'agent', 'ai', 'llm', 'chatbot', 'bot', 'claude', 'codex',
+  'cursor', 'copilot', 'ollama', 'openai', 'anthropic', 'gemini',
+  'multi-llm', 'multi-provider', 'orchestrator', 'coding-agent',
+  'ai-agent', 'llm-agent', 'mcp-agent'
+]);
+
+// Description regex — matches agent purpose phrases.
+const AGENT_DESC_RE = /\b(?:ai|llm|claude|codex|gemini|openai|anthropic|ollama)[ -]?(?:agent|bot|chatbot|orchestrator|harness|cli|assistant|coding[ -]?agent|gateway|relay|router|harness|workspace)\b|\bmulti[ -]?provider\b|\bcoding[ -]?agent\b|\bagent[ -]?(?:bridge|router|orchestrator)\b|telegram[ -]?(?:bot|bridge)|whatsapp[ -]?(?:bot|bridge)|wechat[ -]?(?:bot|bridge)/i;
+
+// Dependency names that signal AI agent / bot framework usage.
+const AGENT_DEPS = new Set([
+  '@anthropic-ai/sdk', '@anthropic-ai/claude-code', '@openai/agents', 'openai',
+  '@google/genai', '@google/generative-ai', 'ai', 'ollama', 'groq-sdk',
+  'telegraf', 'node-telegram-bot-api', '@whiskeysockets/baileys',
+  'whatsapp-web.js', 'discord.js', 'eventsource', 'node-pty',
+  '@anthropic-ai/bedrock-sdk', '@openai/realtime-api-beta'
+]);
+
+function _f11HasAgentIdentity(meta) {
+  if (!meta) return false;
+  const name = String(meta.name || '');
+  if (AGENT_NAME_RE.test(name)) return true;
+  const r = (meta.registryMeta || {});
+  const desc = r.description || meta.description || '';
+  if (AGENT_DESC_RE.test(desc)) return true;
+  if (Array.isArray(r.keywords)) {
+    for (const k of r.keywords) {
+      if (AGENT_KEYWORDS_SET.has(String(k).toLowerCase())) return true;
+    }
+  }
+  const deps = r.dependencies || meta.dependencies;
+  if (deps && typeof deps === 'object') {
+    for (const d of Object.keys(deps)) {
+      if (AGENT_DEPS.has(d)) return true;
+    }
+  }
+  return false;
+}
+
+function _f11HasAgentPathReference(threats) {
+  for (const t of threats) {
+    const msg = String(t.message || '');
+    if (AGENT_RUNTIME_PATHS_RE.test(msg)) return true;
+    // Also accept the threat's file field — sometimes the path leaks via the
+    // file location rather than the message body.
+    const file = String(t.file || '');
+    if (AGENT_RUNTIME_PATHS_RE.test(file)) return true;
+  }
+  return false;
+}
+
+/**
+ * Feature 11 — TRUE iff the package self-identifies as an AI agent / bot /
+ * multi-LLM orchestrator AND demonstrably operates on AI tool runtime
+ * data (~/.claude/, ~/.codex/, ~/.cursor/, etc.) AND lacks the
+ * SANDWORM_MODE / vendor-impersonation signatures.
+ *
+ * Conjunction of 7 conditions:
+ *
+ *   C1  AI agent identity (name|desc|keywords|deps signal)
+ *   C2  no install lifecycle hook
+ *   C3  no `mcp_config_injection` (F9 priority)
+ *   C4  no `suspicious_domain` threat (third-party exfil discriminator)
+ *   C5  no credential file path in any threat message (reuse F9 regex)
+ *   C6  >=1 threat references an agent runtime path (positive operating signal)
+ *   C7  no `binary_dropper` / `download_exec_binary` (F2 priority)
+ *
+ * Cap 35. Same cap as F10 (broader conjunction than F9). Reuses
+ * `F9_CREDENTIAL_FILE_RE` from v2.11.22.
+ *
+ * Discriminator vs malware:
+ *   - SANDWORM droppers use preinstall/postinstall (C2 blocks).
+ *   - MCP-impersonating malware emits mcp_config_injection (C3 → F9).
+ *   - Exfilers have suspicious_domain (C4 blocks).
+ *   - Binary droppers (C7 → F2 territory).
+ *   - Credential file harvesters (C5 blocks).
+ *
+ * Covers up to 54 FP (18.9% of audit week3). Effective estimated coverage
+ * 30-40 (55-75%): the rest lack agent runtime path references or fire on
+ * suspicious_domain due to Chinese model rerouting (yingclaw pattern).
+ */
+function aiAgentBot(result, meta) {
+  // C1 — identity
+  if (!_f11HasAgentIdentity(meta)) return false;
+  const threats = (result && result.threats) || [];
+  if (threats.length === 0) return false;
+  // C2 — no install lifecycle hook
+  if (hasLifecycleScripts(meta)) return false;
+  // C3, C4, C7 — fast threat-type checks
+  for (const t of threats) {
+    if (t.type === 'mcp_config_injection') return false;   // C3
+    if (t.type === 'suspicious_domain') return false;      // C4
+    if (t.type === 'binary_dropper') return false;         // C7
+    if (t.type === 'download_exec_binary') return false;   // C7
+  }
+  // C5 — no credential file path in any message
+  for (const t of threats) {
+    if (F9_CREDENTIAL_FILE_RE.test(String(t.message || ''))) return false;
+  }
+  // C6 — at least one threat references an agent runtime path
+  if (!_f11HasAgentPathReference(threats)) return false;
+  return true;
+}
+
 /**
  * Feature 8 — TRUE iff the package declares at least one install
  * lifecycle script AND the scan shows no network egress capability
@@ -855,6 +1086,10 @@ function extractFeatures(result, meta) {
 
   // --- v2.11.22 Feature 9 (audit week3 cluster — 25 FP) ---
   features.mcp_server_env_access = mcpServerEnvAccess(result, meta) ? 1 : 0;
+  // --- v2.11.23 Feature 10 (audit week3 cluster — up to 96 FP) ---
+  features.vendor_cli_sdk = vendorCliSdk(result, meta) ? 1 : 0;
+  // --- v2.11.24 Feature 11 (audit week3 cluster — up to 54 FP) ---
+  features.ai_agent_bot = aiAgentBot(result, meta) ? 1 : 0;
 
   return features;
 }
@@ -934,5 +1169,7 @@ module.exports = {
   obfuscationWithoutVector,
   placeholderAntiDepConfusion,
   installScriptNoNetworkEgress,
-  mcpServerEnvAccess
+  mcpServerEnvAccess,
+  vendorCliSdk,
+  aiAgentBot
 };

package/src/scoring.js

@@ -1484,6 +1484,8 @@ const {
   obfuscationWithoutVector,
   placeholderAntiDepConfusion,
   mcpServerEnvAccess,
+  vendorCliSdk,
+  aiAgentBot,
 } = require('./ml/feature-extractor.js');
 
 /**
@@ -1538,6 +1540,14 @@ function applyContextualFPCaps(result, pkgMeta) {
   if (obfuscationWithoutVector(result)) {
     applied.push({ feature: 'obfuscation_without_vector', cap: 35 });
   }
+  // F10: legit vendor CLI/SDK with intrinsic credential handling → MAX 35
+  if (vendorCliSdk(result, meta)) {
+    applied.push({ feature: 'vendor_cli_sdk', cap: 35 });
+  }
+  // F11: legit AI agent / bot / multi-LLM orchestrator → MAX 35
+  if (aiAgentBot(result, meta)) {
+    applied.push({ feature: 'ai_agent_bot', cap: 35 });
+  }
   // F5: typosquat on scoped package → suppress typosquat points
   if (typosquatScopedPackage(result, meta)) {
     applied.push({ feature: 'typosquat_scoped_package', cap: -1 });