muaddib-scanner 2.11.24 → 2.11.28

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.24",
+  "version": "2.11.28",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/ml/feature-extractor.js

@@ -141,6 +141,15 @@ const GITHUB_RELEASE_HOSTS = ['github.com', 'objects.githubusercontent.com', 'ra
 const BUNDLE_PATH_RE = /(?:^|[\\/])(?:dist|build|lib|out|umd|esm|cjs|bundle|_next[\\/]static|\.next[\\/]static|public[\\/]static|webpack|rollup)[\\/]/i;
 const BUNDLE_FILE_RE = /\.(?:min|bundle|prod|umd|iife|esm|cjs)\.(?:m?js|cjs)$|\.min\.js$|chunk-[0-9a-f]+\.js$|vendors?~?.*\.js$/i;
 
+// v2.11.27 F12: reuse the exhaustive shared regex + veto helper from the
+// scanner side (covers @kitware/vtk.js, playwright/lib/utilsBundleImpl,
+// .yarn/releases, hash-suffixed chunks, Stencil sys/* dirs — patterns the
+// narrower local BUNDLE_PATH_RE misses).
+const {
+  BUNDLE_PATH_RE: SHARED_BUNDLE_PATH_RE,
+  hasBundleVetoSignal
+} = require('../shared/bundle-detect.js');
+
 // Threat types that indicate remote content fetch in a file (for
 // `git_hook_source_local` heuristic: absence => local source).
 const REMOTE_FETCH_TYPES = new Set([
@@ -934,6 +943,202 @@ function aiAgentBot(result, meta) {
   return true;
 }
 
+// ============================================================================
+// Feature 12 — vendor_minified_bundle (v2.11.27, weekly review 2026-05-22, 9 FP)
+// ============================================================================
+//
+// Targets the @photoroom/ui (1.8MB UMD bundle, 6 cascade types) and
+// @vkontakte/videoplayer-shared (32KB min, 4 cascade types) cluster: vendor
+// React/JS bundles where webpack/rollup/esbuild output legitimately produces
+// `eval`, `new Function`, prototype mutations for framework reactivity,
+// `Proxy({set/get})` interceptors, credential-regex-looking strings, and
+// minified blobs that trip the obfuscation heuristic. Per-file co-occurrence
+// of >=3 of those patterns on a path matching BUNDLE_PATH_RE is the signal.
+//
+// Complements F1 (bundleWithoutInstallScripts, cap 30) which requires ALL
+// threat files to exceed 100KB and ALL threats to carry t.file — both
+// conditions are too strict for the v2.11.27 cluster (vkontakte is 32KB; the
+// cluster co-occurs with package-level `intent_credential_exfil` for some
+// packages). F12 uses a 20KB floor per cascade file and an explicit C3
+// veto on package-level exfil intents instead of disqualifying outright.
+
+const CASCADE_TYPES = new Set([
+  'credential_regex_harvest',     // MUADDIB-AST-041
+  'dangerous_call_eval',          // MUADDIB-AST-004
+  'dangerous_call_function',      // MUADDIB-AST-005
+  'prototype_pollution',          // MUADDIB-AST-065
+  'proxy_data_intercept',         // MUADDIB-AST-043
+  'remote_code_load',             // MUADDIB-AST-040
+  'obfuscation_detected',         // src/scanner/obfuscation.js
+  'js_obfuscation_pattern'
+]);
+const CASCADE_MIN_TYPES = 3;
+const CASCADE_MIN_FILE_BYTES = 20 * 1024;
+
+/**
+ * Feature 12 — TRUE iff the package ships at least one minified vendor
+ * bundle file with >=3 distinct CASCADE_TYPES firing on it AND has no
+ * install lifecycle script AND no veto signal AND no package-level exfil
+ * intent.
+ *
+ * Discriminator vs malware injected into a bundle:
+ *   - hasBundleVetoSignal (src/shared/bundle-detect.js) catches reverse_shell,
+ *     node_modules_write, npm_publish_worm, npm_token_steal, systemd_persistence,
+ *     unicode_invisible_injection (GlassWorm), ioc_match,
+ *     known_malicious_package, shai_hulud_marker, detached_credential_exfil,
+ *     ai_config_injection, ide_task_persistence, plus env_access on
+ *     SENSITIVE_ENV_RE (NPM_TOKEN, AWS_*, SSH_*, etc.).
+ *   - C3 catches Axios UNC1069-style package-level intent_credential_exfil /
+ *     intent_command_exfil (no `t.file` → not file-scoped → real campaign).
+ *   - C2 (no lifecycle) catches postinstall droppers.
+ *   - C7 (20KB floor) catches hand-written 4KB eval injections in dist/.
+ *
+ * Cap 25 (MEDIUM). Tighter than F1=30: the cascade of >=3 bundler-emitted
+ * heuristics on a single file is a stronger structural bundler signature
+ * than "any large file with no install hook".
+ */
+function vendorMinifiedBundle(result, meta) {
+  if (!meta || !meta.registryMeta || meta.registryMeta.scripts === undefined) return false;
+  if (hasLifecycleScripts(meta)) return false;
+
+  const threats = (result && result.threats) || [];
+  if (threats.length === 0) return false;
+
+  // C3 — package-level exfil intent disqualifies (real campaign signal,
+  // not bundler artifact: bundlers never produce intent threats without
+  // a backing file).
+  for (const t of threats) {
+    if ((t.type === 'intent_credential_exfil' || t.type === 'intent_command_exfil') && !t.file) {
+      return false;
+    }
+  }
+
+  const summary = (result && result.summary) || {};
+  const fileSizes = summary.fileSizes || {};
+  const typesByFile = new Map();
+
+  for (const t of threats) {
+    if (!t.file || !CASCADE_TYPES.has(t.type)) continue;
+    if (!SHARED_BUNDLE_PATH_RE.test(t.file) && !BUNDLE_FILE_RE.test(t.file)) continue;
+    if (!typesByFile.has(t.file)) typesByFile.set(t.file, new Set());
+    typesByFile.get(t.file).add(t.type);
+  }
+
+  for (const [file, types] of typesByFile) {
+    if (types.size < CASCADE_MIN_TYPES) continue;
+    if (hasBundleVetoSignal(threats, file)) continue;
+    const size = fileSizes[file];
+    if (typeof size === 'number' && size < CASCADE_MIN_FILE_BYTES) continue;
+    return true;
+  }
+  return false;
+}
+
+// ============================================================================
+// Feature 13 — typosquat_benign_lifecycle (v2.11.28, weekly review 2026-05-22, 9 FP)
+// ============================================================================
+//
+// Targets the dependency_typosquat boundary-squat cluster (Axios UNC1069 rule
+// RT-C1 fired in March 2026 + RT-C1-FPR audit 2026-05). The boundary-squat
+// scanner emits `dependency_typosquat` MEDIUM on any sub-dep matching
+// `<prefix>-<popular>` or `<popular>-<suffix>` when the extra token is not in
+// LEGIT_BOUNDARY_TOKENS. The compound `typosquat_lifecycle` (CRITICAL,
+// src/scoring.js:517-523) escalates it to CRITICAL whenever a lifecycle hook
+// is present — including provably benign ones like `husky install`,
+// `npm run build`, or `node patches/apply-patches.js` (balena-cli pattern).
+//
+// F13 suppresses that compound's contribution when all lifecycle scripts are
+// provably benign AND no real exfil / IOC / `dependency_typosquat_used`
+// signal is present. The Axios UNC1069 discriminator (require()d sub-dep)
+// emits dependency_typosquat_used + the dependency_typosquat_require
+// compound — both vetoed in F13_VETO_TYPES.
+//
+// Reuses `isSafeLifecycleScript` from src/monitor/temporal.js:53 (covers
+// `npm run build`, `tsc`, `eslint`, etc.) and extends it with audit-observed
+// patterns: husky install, simple-git-hooks, patch-package,
+// `node patches/apply-patches.js`, is-ci || X guard.
+
+const { isSafeLifecycleScript } = require('../monitor/temporal.js');
+
+const F13_BENIGN_SCRIPT_RE = /^(?:is-ci\s*\|\|\s*)?(?:husky(?:\s+install)?|simple-git-hooks|patch-package|node\s+patches\/apply-patches\.js|npm\s+run\s+build(?::[a-z0-9_-]+)?)\s*$/i;
+
+function isBenignLifecycleScript(value) {
+  if (!value || typeof value !== 'string') return false;
+  if (isSafeLifecycleScript(value)) return true;
+  return value.trim().split(/\s*&&\s*/).every(cmd => F13_BENIGN_SCRIPT_RE.test(cmd.trim()));
+}
+
+const F13_VETO_TYPES = new Set([
+  // Egress / exfil — any real network capability is a campaign signal
+  'suspicious_dataflow', 'suspicious_domain', 'remote_code_load', 'curl_exec',
+  'intent_credential_exfil', 'intent_command_exfil', 'fetch_decrypt_exec',
+  'reverse_shell', 'binary_dropper', 'download_exec_binary',
+  'curl_env_exfil', 'external_tarball_dep', 'dependency_url_suspicious',
+  'blockchain_c2_resolution', 'dns_exfil',
+  // Worm propagation (Shai-Hulud)
+  'npm_publish_worm', 'node_modules_write', 'npm_token_steal',
+  // IOC hits
+  'ioc_match', 'known_malicious_package', 'shai_hulud_marker', 'ioc_string_match',
+  // DPRK / mini Shai-Hulud 2026-05
+  'detached_credential_exfil', 'ai_config_injection', 'ide_task_persistence',
+  // Axios UNC1069 discriminator: dep is require()d in code
+  'dependency_typosquat_used', 'dependency_typosquat_require'
+]);
+
+const F13_LIFECYCLE_KEYS = ['preinstall', 'install', 'postinstall', 'prepare'];
+
+/**
+ * Feature 13 — TRUE iff the package shows the compound `typosquat_lifecycle`
+ * (boundary-squat dep + lifecycle hook) AND every declared lifecycle script
+ * is provably benign AND no exfil / IOC / dep-usage signal is present.
+ *
+ * Discriminator vs malware:
+ *   - Axios UNC1069 wrappers emit `dependency_typosquat_used` (the dep is
+ *     require()d in source) + compound `dependency_typosquat_require` → veto.
+ *   - Shai-Hulud worm emits `npm_publish_worm`, `node_modules_write`,
+ *     `npm_token_steal` → veto.
+ *   - GlassWorm / DPRK emit `unicode_invisible_injection` (downstream
+ *     irrelevant — caught at scanner severity)/ `detached_credential_exfil`
+ *     / `ai_config_injection` / `ide_task_persistence` → veto.
+ *   - Real install-time droppers carry suspicious_dataflow / suspicious_domain
+ *     / remote_code_load / curl_exec / intent_*_exfil → veto.
+ *   - Hand-crafted `curl https://evil.sh | sh` postinstall fails
+ *     isBenignLifecycleScript → veto.
+ *
+ * Targets the v2.11.28 weekly review 2026-05-22 cluster:
+ *   - @doyourjob/gravity-ui-page-constructor (prepare: husky install)
+ *   - balena-cli (postinstall: node patches/apply-patches.js)
+ *   - magmastream (prepare: npm run build)
+ *   - @1d1s/design-system (prepare: npm run build:lib)
+ *   - @healthcare-interoperability/fhir-storage-core (prepare: npm run build)
+ *   - @quicore/problem-details-error (prepare: npm run build)
+ *
+ * Cap 30 (MEDIUM). Matches the F9 (mcp_server_env_access) cap because both
+ * suppress a compound-driven CRITICAL into the residual MEDIUM signal.
+ */
+function typosquatBenignLifecycle(result, meta) {
+  const threats = (result && result.threats) || [];
+  if (!threats.some(t => t.type === 'dependency_typosquat' || t.type === 'typosquat_detected')) return false;
+  if (!threats.some(t => t.type === 'lifecycle_script')) return false;
+  if (!threats.some(t => t.type === 'typosquat_lifecycle')) return false;
+
+  for (const t of threats) {
+    if (F13_VETO_TYPES.has(t.type)) return false;
+  }
+
+  const scripts = (meta && meta.registryMeta && meta.registryMeta.scripts) || null;
+  if (!scripts || typeof scripts !== 'object') return false;
+
+  let sawScript = false;
+  for (const key of F13_LIFECYCLE_KEYS) {
+    const v = scripts[key];
+    if (typeof v !== 'string' || v.trim().length === 0) continue;
+    sawScript = true;
+    if (!isBenignLifecycleScript(v)) return false;
+  }
+  return sawScript;
+}
+
 /**
  * Feature 8 — TRUE iff the package declares at least one install
  * lifecycle script AND the scan shows no network egress capability
@@ -1171,5 +1376,8 @@ module.exports = {
   installScriptNoNetworkEgress,
   mcpServerEnvAccess,
   vendorCliSdk,
-  aiAgentBot
+  aiAgentBot,
+  vendorMinifiedBundle,
+  typosquatBenignLifecycle,
+  isBenignLifecycleScript
 };

package/src/monitor/ingestion.js

@@ -14,7 +14,23 @@ const {
   loadNpmSeq, saveNpmSeq, CHANGES_STREAM_URL, CHANGES_LIMIT, CHANGES_CATCHUP_MAX,
   savePypiSerial, PYPI_XMLRPC_URL, PYPI_CATCHUP_MAX
 } = require('./state.js');
-const { sendIOCPreAlert } = require('./webhook.js');
+const { sendIOCPreAlert, sendCampaignPreAlert } = require('./webhook.js');
+
+// Active-campaign name patterns. Pre-alert fires on match BEFORE tarball
+// download so operators have visibility while IOC lists catch up (typical
+// lag: hours to days).
+// did-NNNN (May 2026): wave of did-0001..did-9999 publications observed in
+// the changes stream — name shape alone is enough to flag for fast triage.
+const CAMPAIGN_PATTERNS = [
+  { name: 'did-NNNN', re: /^did-\d{4}$/ }
+];
+
+function matchCampaignPattern(name) {
+  for (const c of CAMPAIGN_PATTERNS) {
+    if (c.re.test(name)) return c.name;
+  }
+  return null;
+}
 const { evaluateCacheTrigger, POPULAR_THRESHOLD, downloadsCache, DOWNLOADS_CACHE_TTL } = require('./classify.js');
 
 const SELF_PACKAGE_NAME = require('../../package.json').name;
@@ -133,105 +149,6 @@ async function getWeeklyDownloads(packageName) {
   }
 }
 
-// --- Trusted dependency diff check ---
-
-const TRUSTED_DEP_AGE_THRESHOLD_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
-
-/**
- * Check for new dependencies added to a TRUSTED (popular) package.
- * Detects supply-chain attacks where a compromised maintainer account adds a
- * malicious dependency in a patch bump (e.g., axios 1.14.0 → 1.14.1 adding
- * plain-crypto-js, 2026-03-30).
- *
- * @param {string} name - Package name
- * @param {string} newVersion - Newly published version
- * @returns {Array} Array of findings (empty if no new deps or on error)
- */
-async function checkTrustedDepDiff(name, newVersion) {
-  const findings = [];
-  try {
-    // Fetch packument to get version list and dependencies
-    const body = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(name)}`, 10_000);
-    const packument = JSON.parse(body);
-
-    if (!packument.versions || !packument.time) return findings;
-
-    // Sort versions by publish time (not semver — handles prereleases correctly)
-    const timeMap = packument.time;
-    const versionKeys = Object.keys(packument.versions)
-      .filter(v => timeMap[v])
-      .sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]));
-
-    const newIdx = versionKeys.indexOf(newVersion);
-    if (newIdx <= 0) return findings; // First version or not found
-
-    const prevVersion = versionKeys[newIdx - 1];
-
-    const prevDeps = (packument.versions[prevVersion] && packument.versions[prevVersion].dependencies) || {};
-    const newDeps = (packument.versions[newVersion] && packument.versions[newVersion].dependencies) || {};
-
-    // Find newly added dependencies (name not present in previous version)
-    const addedDeps = Object.keys(newDeps).filter(dep => !(dep in prevDeps));
-    if (addedDeps.length === 0) return findings;
-
-    console.log(`[MONITOR] TRUSTED dep diff: ${name} ${prevVersion} → ${newVersion}: +${addedDeps.length} new dep(s): ${addedDeps.join(', ')}`);
-
-    for (const dep of addedDeps) {
-      let ageMs = null;
-      try {
-        const depBody = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(dep)}`, 5_000);
-        const depData = JSON.parse(depBody);
-        const created = depData.time && depData.time.created;
-        if (created) {
-          ageMs = Date.now() - new Date(created).getTime();
-        }
-      } catch (err) {
-        console.log(`[MONITOR] WARNING: could not check age of dependency ${dep}: ${err.message}`);
-      }
-
-      if (ageMs === null || ageMs < TRUSTED_DEP_AGE_THRESHOLD_MS) {
-        // Unknown or < 7 days old — CRITICAL
-        const ageDays = ageMs !== null ? Math.floor(ageMs / 86400000) : 'unknown';
-        findings.push({
-          type: 'trusted_new_unknown_dependency',
-          severity: 'CRITICAL',
-          confidence: ageMs === null ? 'medium' : 'high',
-          file: 'package.json',
-          message: `TRUSTED package ${name} added unknown dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
-          rule_id: 'MUADDIB-TRUSTED-001',
-          mitre: 'T1195.002',
-          dep,
-          depAgeDays: ageDays,
-          prevVersion,
-          newVersion
-        });
-      } else {
-        // Known dependency (>= 7 days old) — HIGH
-        const ageDays = Math.floor(ageMs / 86400000);
-        findings.push({
-          type: 'trusted_new_dependency',
-          severity: 'HIGH',
-          confidence: 'medium',
-          file: 'package.json',
-          message: `TRUSTED package ${name} added new dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
-          rule_id: 'MUADDIB-TRUSTED-002',
-          mitre: 'T1195.002',
-          dep,
-          depAgeDays: ageDays,
-          prevVersion,
-          newVersion
-        });
-      }
-    }
-
-    return findings;
-  } catch (err) {
-    // Graceful fallback — log warning, continue as TRUSTED
-    console.log(`[MONITOR] WARNING: trusted dep diff check failed for ${name}@${newVersion}: ${err.message}`);
-    return findings;
-  }
-}
-
 // --- Tarball URL helpers ---
 
 function getNpmTarballUrl(pkgData) {
@@ -595,6 +512,20 @@ async function pollNpmChanges(state, scanQueue, stats) {
         console.warn(`[MONITOR] IOC pre-check failed: ${err.message}`);
       }
 
+      // Layer 1b: Campaign pre-alert — fire on name-pattern matches when the
+      // package isn't already a known IOC (avoid duplicate webhooks for the
+      // same publication). Lets us flag campaign waves while IOC lists lag.
+      if (!isKnownIOC) {
+        const campaign = matchCampaignPattern(name);
+        if (campaign) {
+          console.log(`[MONITOR] CAMPAIGN PRE-ALERT: ${name} — matches ${campaign}`);
+          stats.campaignPreAlerts = (stats.campaignPreAlerts || 0) + 1;
+          sendCampaignPreAlert(name, campaign).catch(err => {
+            console.error(`[MONITOR] campaign pre-alert webhook failed for ${name}: ${err.message}`);
+          });
+        }
+      }
+
       // Layer 2: Extract tarball URL from CouchDB doc (eliminates lazy resolution 404 race)
       const docMeta = change.doc ? extractTarballFromDoc(change.doc) : null;
 
@@ -690,9 +621,10 @@ async function pollNpmRss(state, scanQueue, stats) {
 
       // Layer 1: IOC pre-alert (RSS fallback path)
       // Only wildcard IOCs trigger here; versioned IOCs checked in resolveTarballAndScan().
+      let isKnownIOC = false;
       try {
         const iocs = loadCachedIOCs();
-        const isKnownIOC = iocs.wildcardPackages && iocs.wildcardPackages.has(name);
+        isKnownIOC = iocs.wildcardPackages && iocs.wildcardPackages.has(name);
         if (isKnownIOC) {
           console.log(`[MONITOR] IOC PRE-ALERT: ${name} — known malicious package detected via RSS`);
           stats.iocPreAlerts = (stats.iocPreAlerts || 0) + 1;
@@ -702,6 +634,18 @@ async function pollNpmRss(state, scanQueue, stats) {
         }
       } catch { /* IOC load failure is non-fatal */ }
 
+      // Layer 1b: Campaign pre-alert (RSS fallback path) — mirrors pollNpmChanges.
+      if (!isKnownIOC) {
+        const campaign = matchCampaignPattern(name);
+        if (campaign) {
+          console.log(`[MONITOR] CAMPAIGN PRE-ALERT: ${name} — matches ${campaign} (RSS)`);
+          stats.campaignPreAlerts = (stats.campaignPreAlerts || 0) + 1;
+          sendCampaignPreAlert(name, campaign).catch(err => {
+            console.error(`[MONITOR] campaign pre-alert webhook failed for ${name}: ${err.message}`);
+          });
+        }
+      }
+
       // Queue npm packages — tarball URL resolved during scan
       scanQueue.push({
         name,
@@ -1150,8 +1094,6 @@ module.exports = {
   httpsGet,
   httpsPost,
   getWeeklyDownloads,
-  checkTrustedDepDiff,
-  TRUSTED_DEP_AGE_THRESHOLD_MS,
 
   // Tarball URL helpers
   getNpmTarballUrl,
@@ -1183,6 +1125,10 @@ module.exports = {
   pollPyPI,
   poll,
 
+  // Active-campaign name watch (did-NNNN, etc.)
+  CAMPAIGN_PATTERNS,
+  matchCampaignPattern,
+
   // Test seam — see _deps definition near the top of this file.
   _deps
 };

package/src/monitor/queue.js

@@ -56,8 +56,6 @@ const {
   formatFindings,
   evaluateCacheTrigger,
   isFirstPublishHighRisk,
-  POPULAR_THRESHOLD,
-  downloadsCache: classifyDownloadsCache,
   DOWNLOADS_CACHE_TTL,
   HIGH_CONFIDENCE_MALICE_TYPES,
   IOC_MATCH_TYPES,
@@ -98,8 +96,8 @@ const {
   isSafeLifecycleScript
 } = require('./temporal.js');
 
-// From ./ingestion.js (will be created — currently in monitor.js)
-const { getNpmLatestTarball, getPyPITarballUrl, getWeeklyDownloads, checkTrustedDepDiff } = require('./ingestion.js');
+// From ./ingestion.js
+const { getNpmLatestTarball, getPyPITarballUrl } = require('./ingestion.js');
 
 // From ./tarball-archive.js
 const { archiveSuspectTarball } = require('./tarball-archive.js');
@@ -226,12 +224,15 @@ function countPackageFiles(dir) {
  *
  * @param {string} extractedDir - Path to extracted package
  * @param {number} timeoutMs - Timeout in milliseconds
+ * @param {object} [scanContext] - Monitor-side context spread into pipeline options.
+ *   Required by opt-in scanners (e.g. trusted-dep-diff) that need name/version/ecosystem
+ *   and a monitorMode flag to perform registry queries.
  * @returns {Promise<object>} Scan result (same shape as run(_, {_capture:true}))
  */
-function runScanInWorker(extractedDir, timeoutMs) {
+function runScanInWorker(extractedDir, timeoutMs, scanContext = null) {
   return new Promise((resolve, reject) => {
     const worker = new Worker(SCAN_WORKER_PATH, {
-      workerData: { extractedDir }
+      workerData: { extractedDir, scanContext: scanContext || {} }
     });
 
     let settled = false;
@@ -418,7 +419,19 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
 
     let result;
     try {
-      result = await runScanInWorker(extractedDir, STATIC_SCAN_TIMEOUT_MS);
+      // scanContext: feeds monitor-side info (name/version/ecosystem) and the
+      // monitorMode + trustedDepDiff flags into opt-in pipeline scanners.
+      // The trusted-dep-diff scanner needs both name and version to query the
+      // registry for the previous-version dependency list — that information
+      // is meaningless in offline CLI mode but available here.
+      const scanContext = {
+        name,
+        version,
+        ecosystem,
+        monitorMode: true,
+        trustedDepDiff: true
+      };
+      result = await runScanInWorker(extractedDir, STATIC_SCAN_TIMEOUT_MS, scanContext);
     } catch (staticErr) {
       if (/static scan timeout/i.test(staticErr.message)) {
         console.error(`[MONITOR] STATIC_TIMEOUT: ${name}@${version} — exceeded ${STATIC_SCAN_TIMEOUT_MS / 1000}s (worker terminated)`);
@@ -542,40 +555,20 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
         return { sandboxResult: null, staticClean: true };
       } else {
-        // Popularity pre-filter: skip sandbox for popular npm packages with only MEDIUM/LOW
-        if (ecosystem === 'npm' && !hasIOCMatch(result) && !hasTyposquat(result) && !hasHighOrCritical(result)) {
-          const downloads = await getWeeklyDownloads(name);
-          if (downloads >= POPULAR_THRESHOLD) {
-            // Dependency diff check: detect supply-chain injection on TRUSTED packages
-            // (e.g., axios 1.14.0 → 1.14.1 adding unknown plain-crypto-js, 2026-03-30)
-            const trustedFindings = await checkTrustedDepDiff(name, version);
-            const hasCriticalDepFinding = trustedFindings.some(f => f.severity === 'CRITICAL');
-
-            if (hasCriticalDepFinding) {
-              // CRITICAL: unknown/new dependency — bypass TRUSTED, route to full scan + sandbox
-              console.log(`[MONITOR] TRUSTED BYPASS: ${name}@${version} — new unknown dependency detected, routing to full scan`);
-              result.threats.push(...trustedFindings);
-              for (const f of trustedFindings) {
-                if (f.severity === 'CRITICAL') result.summary.critical = (result.summary.critical || 0) + 1;
-                else if (f.severity === 'HIGH') result.summary.high = (result.summary.high || 0) + 1;
-              }
-              // Fall through to full classification below (do NOT return)
-            } else {
-              // No CRITICAL dep findings — normal TRUSTED skip (log HIGH findings if any)
-              for (const f of trustedFindings) {
-                console.log(`[MONITOR] TRUSTED dep change: ${f.message}`);
-              }
-              stats.scanned++;
-              const elapsed = Date.now() - startTime;
-              stats.totalTimeMs += elapsed;
-              stats.clean++;
-              console.log(`[MONITOR] TRUSTED (popular): ${name}@${version} (${Math.round(downloads / 1000)}k downloads/week, ${counts.join(', ')})`);
-              updateScanStats('clean');
-              recordTrainingSample(result, { name, version, ecosystem, label: 'clean', registryMeta: meta, unpackedSize: meta.unpackedSize, npmRegistryMeta, fileCountTotal, hasTests });
-              return { sandboxResult: null, staticClean: true };
-            }
-          }
-        }
+        // No popularity-based skip here. The TRUSTED (popular) shortcut that used
+        // to live at this point was a whitelist-by-downloads — CLAUDE.md forbids
+        // FP-reducing whitelists, and the Shai-Hulud wave-2 ATO attacks of May 2026
+        // proved that popular packages are precisely the prime target for ATO.
+        // Downstream attenuation handles the FP load via computeReputationFactor()
+        // and the graduated webhook threshold (webhook.js:83-87) — popular packages
+        // need a higher static score to fire a webhook, but they remain visible in
+        // the pipeline (sandbox, persisted detections, training samples) the same
+        // way every other package is. The supply-chain dep-diff check that the
+        // old block used as bypass logic now runs as a first-class scanner
+        // (src/scanner/trusted-dep-diff.js, wired in via executor.js); its findings
+        // arrive in result.threats before this point, so isSuspectClassification
+        // and the reputation bypass for HIGH_CONFIDENCE_MALICE_TYPES take the
+        // package straight to tier 1a + mandatory sandbox + webhook.
 
         const classification = isSuspectClassification(result);
         if (!classification.suspect) {

package/src/monitor/webhook.js

@@ -187,6 +187,41 @@ async function sendIOCPreAlert(name, version) {
   await sendWebhook(url, payload, { rawPayload: true });
 }
 
+/**
+ * Layer 1b: Send immediate pre-alert webhook when a package name matches an
+ * active-campaign pattern (e.g. `did-NNNN` in May 2026). Fires BEFORE tarball
+ * download \u2014 IOC lists are eventually-consistent and lag the campaign by
+ * hours to days, so name-pattern watch is the only signal available in real
+ * time while the campaign is in flight.
+ * @param {string} name - Package name that matched the campaign pattern
+ * @param {string} campaign - Short campaign label (e.g. 'did-NNNN')
+ */
+async function sendCampaignPreAlert(name, campaign) {
+  const url = getWebhookUrl();
+  if (!url) return;
+
+  const npmLink = `https://www.npmjs.com/package/${encodeURIComponent(name)}`;
+
+  const payload = {
+    embeds: [{
+      title: '\u26a0\ufe0f CAMPAIGN PRE-ALERT \u2014 Suspected Active Campaign',
+      color: 0xe67e22,
+      fields: [
+        { name: 'Package', value: `[${name}](${npmLink})`, inline: true },
+        { name: 'Source', value: `Name pattern: ${campaign}`, inline: true },
+        { name: 'Detection', value: 'Changes stream pre-scan', inline: true },
+        { name: 'Status', value: 'Suspected campaign publication \u2014 not yet confirmed malicious. Full scan queued; treat as suspect until verdict lands.', inline: false }
+      ],
+      footer: {
+        text: `MUAD'DIB Campaign Pre-Alert | ${new Date().toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC')}`
+      },
+      timestamp: new Date().toISOString()
+    }]
+  };
+
+  await sendWebhook(url, payload, { rawPayload: true });
+}
+
 /**
  * Check if a specific package@version matches a versioned IOC entry.
  * Returns the matching IOC entry or null.
@@ -1172,6 +1207,7 @@ module.exports = {
   shouldSendWebhook,
   buildMonitorWebhookPayload,
   sendIOCPreAlert,
+  sendCampaignPreAlert,
   matchVersionedIOC,
   computeRiskLevel,
   computeRiskScore,

package/src/pipeline/executor.js

@@ -10,6 +10,7 @@ const { scanIocStrings } = require('../scanner/ioc-strings.js');
 const { scanAntiForensic } = require('../scanner/anti-forensic.js');
 const { scanStubPackage } = require('../scanner/stub-package.js');
 const { scanMonorepo } = require('../scanner/monorepo.js');
+const { scanTrustedDepDiff } = require('../scanner/trusted-dep-diff.js');
 const { analyzeDataFlow } = require('../scanner/dataflow.js');
 const { scanTyposquatting, findPyPITyposquatMatch } = require('../scanner/typosquat.js');
 const { scanGitHubActions } = require('../scanner/github-actions.js');
@@ -201,7 +202,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     'scanDependencies', 'scanHashes', 'analyzeDataFlow', 'scanTyposquatting',
     'scanGitHubActions', 'matchPythonIOCs', 'checkPyPITyposquatting',
     'scanEntropy', 'scanAIConfig', 'scanIocStrings', 'scanAntiForensic',
-    'scanStubPackage', 'scanMonorepo'
+    'scanStubPackage', 'scanMonorepo', 'scanTrustedDepDiff'
   ];
 
   const settledResults = await Promise.allSettled([
@@ -221,7 +222,13 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     yieldThen(() => scanIocStrings(targetPath)),
     withTimeout(() => scanAntiForensic(targetPath), 'scanAntiForensic'),
     yieldThen(() => scanStubPackage(targetPath)),
-    yieldThen(() => scanMonorepo(targetPath))
+    yieldThen(() => scanMonorepo(targetPath)),
+    // Opt-in scanner — short-circuits to [] unless options.trustedDepDiff or
+    // options.monitorMode is set. CLI runs without flags pay no cost (no I/O).
+    // Wrapped in withTimeout as defense in depth: scanner has its own 10s + 5s × N
+    // internal timeouts, but a registry slowdown with many added deps could exceed
+    // the static-scan budget without this cap.
+    withTimeout(() => scanTrustedDepDiff(targetPath, options), 'scanTrustedDepDiff')
   ]);
 
   // Extract results: use empty array for rejected scanners, log errors
@@ -250,7 +257,8 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     iocStringThreats,
     antiForensicThreats,
     stubPackageThreats,
-    monorepoThreats
+    monorepoThreats,
+    trustedDepDiffThreats
   ] = scanResult;
 
   // Emit warning if file count cap was hit + quick-scan overflow files
@@ -330,6 +338,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     ...antiForensicThreats,
     ...stubPackageThreats,
     ...monorepoThreats,
+    ...trustedDepDiffThreats,
     ...crossFileFlows.filter(f => f && f.sourceFile && f.sinkFile).map(f => ({
       type: f.type,
       severity: f.severity,

package/src/pipeline/scan-worker.js

@@ -23,7 +23,12 @@ const { run } = require('../index.js');
 
 (async () => {
   try {
-    const result = await run(workerData.extractedDir, { _capture: true });
+    // scanContext (optional) carries monitor-side info that opt-in scanners need
+    // (e.g. trusted-dep-diff requires package name + version to query the registry).
+    // It is spread INTO the pipeline options, but `_capture: true` always wins so
+    // the worker keeps returning the result object — never prints.
+    const scanContext = workerData.scanContext || {};
+    const result = await run(workerData.extractedDir, { ...scanContext, _capture: true });
     parentPort.postMessage({ type: 'result', data: result });
   } catch (err) {
     parentPort.postMessage({ type: 'error', message: err.message || String(err) });

package/src/scanner/trusted-dep-diff.js

@@ -0,0 +1,205 @@
+'use strict';
+
+/**
+ * Trusted dep-diff scanner — detects supply-chain injection via NEW dependencies
+ * added between two adjacent published versions of an npm package.
+ *
+ * Threat model: a compromised maintainer account publishes a patch bump that
+ * silently introduces a fresh (or unknown-aged) dependency carrying the actual
+ * payload. Reference incident: axios 1.14.0 → 1.14.1 adding `plain-crypto-js`
+ * on 2026-03-30. The hostile dep is short-aged and unrecognised, but the host
+ * package itself is reputable, so popularity-based filters miss it.
+ *
+ * Opt-in by design: the scanner needs registry I/O for the previous version's
+ * dependency list, which is meaningless for offline CLI audits of a frozen
+ * node_modules. It only runs when explicitly enabled via
+ *   options.trustedDepDiff === true  OR
+ *   options.monitorMode === true
+ * The monitor pipeline sets both via the worker thread context.
+ *
+ * Findings emitted (rule IDs already registered in src/rules/index.js:2598-2621):
+ *   - trusted_new_unknown_dependency  (CRITICAL) — added dep < 7d old OR age unknown
+ *   - trusted_new_dependency          (HIGH)     — added dep ≥ 7d old
+ *
+ * Both types are in HIGH_CONFIDENCE_MALICE_TYPES (classify.js:60), which means
+ * downstream reputation attenuation is bypassed — the finding's severity reaches
+ * the webhook decision uncapped.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+
+const TRUSTED_DEP_AGE_THRESHOLD_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+const PACKUMENT_TIMEOUT_MS = 10_000;
+const DEP_AGE_TIMEOUT_MS = 5_000;
+
+/**
+ * Minimal HTTPS GET with follow-redirects and timeout.
+ * Local copy (not shared with monitor/ingestion.js) to keep the scanner
+ * self-contained — the monitor module pulls this scanner, not the reverse.
+ */
+function httpsGet(url, timeoutMs = 30_000) {
+  return new Promise((resolve, reject) => {
+    const req = https.get(url, { timeout: timeoutMs }, (res) => {
+      if (res.statusCode === 301 || res.statusCode === 302) {
+        res.resume();
+        const location = res.headers.location;
+        if (!location) return reject(new Error(`Redirect without Location for ${url}`));
+        return httpsGet(location, timeoutMs).then(resolve, reject);
+      }
+      if (res.statusCode < 200 || res.statusCode >= 300) {
+        res.resume();
+        return reject(new Error(`HTTP ${res.statusCode} for ${url}`));
+      }
+      const chunks = [];
+      res.on('data', (chunk) => chunks.push(chunk));
+      res.on('end', () => resolve(Buffer.concat(chunks).toString('utf8')));
+      res.on('error', reject);
+    });
+    req.on('error', reject);
+    req.on('timeout', () => {
+      req.destroy();
+      reject(new Error(`Timeout for ${url}`));
+    });
+  });
+}
+
+/**
+ * Core dep-diff logic — extracted verbatim from monitor/ingestion.js#checkTrustedDepDiff
+ * with no behavioural change: same findings shape, same rule_ids, same severity
+ * mapping, same 7-day age cutoff. Tests covering the original implementation
+ * (tests/integration/monitor.test.js:8929-9067) cover this directly via the
+ * `checkTrustedDepDiff` alias export below.
+ *
+ * @param {string} name - Package name
+ * @param {string} newVersion - Newly published version
+ * @returns {Promise<Array>} findings (empty on error or no new deps)
+ */
+async function checkDepDiff(name, newVersion) {
+  const findings = [];
+  try {
+    const body = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(name)}`, PACKUMENT_TIMEOUT_MS);
+    const packument = JSON.parse(body);
+
+    if (!packument.versions || !packument.time) return findings;
+
+    // Sort versions by publish time (not semver — handles prereleases correctly)
+    const timeMap = packument.time;
+    const versionKeys = Object.keys(packument.versions)
+      .filter(v => timeMap[v])
+      .sort((a, b) => new Date(timeMap[a]) - new Date(timeMap[b]));
+
+    const newIdx = versionKeys.indexOf(newVersion);
+    if (newIdx <= 0) return findings; // First version or not found
+
+    const prevVersion = versionKeys[newIdx - 1];
+
+    const prevDeps = (packument.versions[prevVersion] && packument.versions[prevVersion].dependencies) || {};
+    const newDeps = (packument.versions[newVersion] && packument.versions[newVersion].dependencies) || {};
+
+    const addedDeps = Object.keys(newDeps).filter(dep => !(dep in prevDeps));
+    if (addedDeps.length === 0) return findings;
+
+    console.log(`[SCANNER] trusted-dep-diff: ${name} ${prevVersion} → ${newVersion}: +${addedDeps.length} new dep(s): ${addedDeps.join(', ')}`);
+
+    for (const dep of addedDeps) {
+      let ageMs = null;
+      try {
+        const depBody = await httpsGet(`https://registry.npmjs.org/${encodeURIComponent(dep)}`, DEP_AGE_TIMEOUT_MS);
+        const depData = JSON.parse(depBody);
+        const created = depData.time && depData.time.created;
+        if (created) {
+          ageMs = Date.now() - new Date(created).getTime();
+        }
+      } catch (err) {
+        console.log(`[SCANNER] trusted-dep-diff: could not check age of dependency ${dep}: ${err.message}`);
+      }
+
+      if (ageMs === null || ageMs < TRUSTED_DEP_AGE_THRESHOLD_MS) {
+        const ageDays = ageMs !== null ? Math.floor(ageMs / 86400000) : 'unknown';
+        findings.push({
+          type: 'trusted_new_unknown_dependency',
+          severity: 'CRITICAL',
+          confidence: ageMs === null ? 'medium' : 'high',
+          file: 'package.json',
+          message: `TRUSTED package ${name} added unknown dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
+          rule_id: 'MUADDIB-TRUSTED-001',
+          mitre: 'T1195.002',
+          dep,
+          depAgeDays: ageDays,
+          prevVersion,
+          newVersion
+        });
+      } else {
+        const ageDays = Math.floor(ageMs / 86400000);
+        findings.push({
+          type: 'trusted_new_dependency',
+          severity: 'HIGH',
+          confidence: 'medium',
+          file: 'package.json',
+          message: `TRUSTED package ${name} added new dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
+          rule_id: 'MUADDIB-TRUSTED-002',
+          mitre: 'T1195.002',
+          dep,
+          depAgeDays: ageDays,
+          prevVersion,
+          newVersion
+        });
+      }
+    }
+
+    return findings;
+  } catch (err) {
+    console.log(`[SCANNER] trusted-dep-diff: check failed for ${name}@${newVersion}: ${err.message}`);
+    return findings;
+  }
+}
+
+/**
+ * Pipeline entry point. Called by src/pipeline/executor.js alongside the other
+ * 17 scanners (Promise.allSettled). Gated by an explicit opt-in option to keep
+ * CLI audits offline-safe.
+ *
+ * @param {string} targetPath - Extracted package directory
+ * @param {object} options    - Pipeline options. Honors:
+ *   - options.trustedDepDiff  - explicit opt-in (preferred)
+ *   - options.monitorMode     - opt-in for the monitor daemon path
+ *   - options.name            - package name override (avoids re-reading package.json)
+ *   - options.version         - version override
+ *   - options.ecosystem       - 'npm' | 'pypi' | ... — scanner is npm-only
+ * @returns {Promise<Array>}   findings array (always — never rejects)
+ */
+async function scanTrustedDepDiff(targetPath, options = {}) {
+  if (!options.trustedDepDiff && !options.monitorMode) return [];
+  if (options.ecosystem && options.ecosystem !== 'npm') return [];
+
+  let name = options.name || null;
+  let version = options.version || null;
+
+  if (!name || !version) {
+    const pkgJsonPath = path.join(targetPath, 'package.json');
+    if (!fs.existsSync(pkgJsonPath)) return [];
+    let pkg;
+    try {
+      pkg = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
+    } catch {
+      return [];
+    }
+    name = name || pkg.name;
+    version = version || pkg.version;
+  }
+
+  if (!name || !version) return [];
+
+  return await checkDepDiff(name, version);
+}
+
+module.exports = {
+  scanTrustedDepDiff,
+  checkDepDiff,
+  // Backwards-compat alias for existing tests imported from monitor/ingestion.js
+  checkTrustedDepDiff: checkDepDiff,
+  TRUSTED_DEP_AGE_THRESHOLD_MS
+};

package/src/scoring.js

@@ -1486,6 +1486,8 @@ const {
   mcpServerEnvAccess,
   vendorCliSdk,
   aiAgentBot,
+  vendorMinifiedBundle,
+  typosquatBenignLifecycle,
 } = require('./ml/feature-extractor.js');
 
 /**
@@ -1520,6 +1522,13 @@ function applyContextualFPCaps(result, pkgMeta) {
   if (bundleWithoutInstallScripts(result, meta)) {
     applied.push({ feature: 'bundle_without_install_scripts', cap: 30 });
   }
+  // F12: vendor minified bundle cascade (>=3 CASCADE_TYPES on a single
+  // bundle file, no lifecycle, no veto) → MAX 25. Targets the v2.11.27
+  // weekly review cluster (@photoroom/ui, @vkontakte/videoplayer-shared).
+  // Tighter than F1 because the cascade is a stronger structural signature.
+  if (vendorMinifiedBundle(result, meta)) {
+    applied.push({ feature: 'vendor_minified_bundle', cap: 25 });
+  }
   // F3: credential destination first-party API → MAX 30
   if (networkDestinationFirstParty(result, meta)) {
     applied.push({ feature: 'network_destination_first_party', cap: 30 });
@@ -1552,6 +1561,14 @@ function applyContextualFPCaps(result, pkgMeta) {
   if (typosquatScopedPackage(result, meta)) {
     applied.push({ feature: 'typosquat_scoped_package', cap: -1 });
   }
+  // F13: boundary-squat dep + provably benign lifecycle (husky install,
+  // npm run build, patches/apply-patches) → MAX 30. Targets the v2.11.28
+  // weekly review cluster (@doyourjob/gravity-ui-page-constructor,
+  // magmastream, balena-cli, @1d1s/design-system, etc.). Vetoes on any
+  // exfil signal, IOC hit, or Axios UNC1069 dep-usage compound.
+  if (typosquatBenignLifecycle(result, meta)) {
+    applied.push({ feature: 'typosquat_benign_lifecycle', cap: 30 });
+  }
 
   if (applied.length === 0) return applied;