muaddib-scanner 2.11.33 → 2.11.34

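--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "muaddib-scanner",
- "version": "2.11.33",
+ "version": "2.11.34",
  "description": "Supply-chain threat detection & response for npm & PyPI/Python",
  "main": "src/index.js",
  "bin": {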
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "target": "node_modules",
3
- "timestamp": "2026-05-24T21:02:55.214Z",
3
+ "timestamp": "2026-05-24T21:03:02.984Z",
4
4
  "threats": [
5
5
  {
6
6
  "type": "string_mutation_obfuscation",
@@ -16,7 +16,14 @@ const SENSITIVE_STRINGS = [
16
16
  'The Second Coming',
17
17
  'Goldox-T3chs',
18
18
  '/etc/passwd',
19
- '/etc/shadow'
19
+ '/etc/shadow',
20
+ // F5 — guarddog-inspired cloud credential paths (narrow specific forms
21
+ // only, to keep FP rate flat: .pgpass/.netrc/.boto are NOT added here
22
+ // because legitimate JS DB clients reference them. Those still trigger
23
+ // via dataflow SENSITIVE_PATH_PATTERNS when followed by exfil sinks).
24
+ '.aws/credentials',
25
+ '.docker/config.json',
26
+ '.kube/config'
20
27
  ];
21
28
 
22
29
  // Env vars that are safe and should NOT be flagged (common config/runtime vars)
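Review bot: '.kube/config' is added to SENSITIVE_STRINGS without the false-positive reasoning the same comment gives for leaving out .pgpass/.netrc/.boto, although Kubernetes client libraries reference the default kubeconfig location much as DB clients reference .pgpass; a package that spells the path as one literal rather than assembling it with path.join would be flagged by this entry alone, without the exfil-sink condition the comment relies on for the excluded names. If the FP corpus was re-run with this entry, that is worth recording next to it, e.g. `// '.kube/config' kept: no hits in FP corpus <placeholder: run/date>; k8s clients seen so far build the path piecewise`; if it was not, keeping it only in the dataflow SENSITIVE_PATH_PATTERNS list is the lower-risk choice. The SENSITIVE_STRINGS array begins before line 16, outside the hunk.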
@@ -1075,6 +1075,12 @@ const SENSITIVE_PATH_PATTERNS = [
1075
1075
  '.atomic', '.metamask', '.ledger-live', '.trezor',
1076
1076
  '.bitcoin', '.monero', '.gnupg',
1077
1077
  '_cacache', '.cache/yarn', '.cache/pip',
1078
+ // F5 — guarddog-inspired cloud/DB/HTTP auth file coverage. Substring
1079
+ // match means '.docker/config' catches '.docker/config.json'. Narrow
1080
+ // patterns (.pgpass/.netrc/.boto) are unique filenames — FP-safe.
1081
+ '.docker/config', '.kube/config',
1082
+ '.pgpass', '.netrc', '.boto',
1083
+ '.azure/', '.gcloud/', '.config/gcloud/',
1078
1084
  // P6: Removed discord, leveldb — data directories, not credential paths.
1079
1085
  // _cacache/.cache kept — real cache poisoning vectors (T1195.002).
1080
1086
  '/proc/mem', '/proc/self', // v2.10.11: runner secret extraction from process memory (TeamPCP Trivy stealer)
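Review bot: The new comment calls '.pgpass', '.netrc' and '.boto' unique filenames that are FP-safe, but the same comment says the list is applied by substring match, and under substring match '.boto' is also a prefix of longer names (a '.botocore' directory, for instance), while '.azure/', '.gcloud/' and '.config/gcloud/' are directory prefixes that match every file beneath them, which is broader than the "narrow" framing suggests. If the matcher cannot anchor on a path-segment boundary, the comment should state which entries are directory-wide on purpose, e.g. `// '.azure/', '.gcloud/', '.config/gcloud/' are deliberately directory-wide: any read under them is treated as credential access`. As far as I know the gcloud SDK keeps its state under '.config/gcloud/', so a one-line note on why '.gcloud/' is also listed would stop it being removed later as dead. The SENSITIVE_PATH_PATTERNS array begins before line 1075, outside the hunk.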
@@ -16,7 +16,12 @@ const METADATA_TIMEOUT = 10_000;
16
16
 
17
17
  const SENSITIVE_PATHS = [
18
18
  '/etc/passwd', '/etc/shadow', '.env', '.npmrc', '.ssh',
19
- '.aws/credentials', '.bash_history', '.gitconfig'
19
+ '.aws/credentials', '.bash_history', '.gitconfig',
20
+ // F5 — guarddog-inspired cloud/DB/HTTP auth files (newly-introduced
21
+ // access to any of these via a version bump is a strong temporal signal).
22
+ '.docker/config', '.kube/config',
23
+ '.pgpass', '.netrc', '.boto',
24
+ '.azure/credentials', '.gcloud/credentials'
20
25
  ];
21
26
 
22
27
  // Severity mapping for each pattern
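Review bot: '.azure/credentials' and '.gcloud/credentials' do not, as far as I know, match the file names the Azure CLI and gcloud SDK actually write (Azure keeps azureProfile.json and its token caches directly under '.azure/', gcloud keeps credentials.db and access_tokens.db under '.config/gcloud/'), so the version-bump temporal signal the comment describes would not fire for real access to those tools' credentials. The other list changed in this release, SENSITIVE_PATH_PATTERNS, uses directory-prefix forms for the same tools; if this list is matched by substring as well, replacing `'.azure/credentials', '.gcloud/credentials'` with `'.azure/', '.gcloud/', '.config/gcloud/'` would make the two checks consistent and cover the paths that exist. If SENSITIVE_PATHS is matched exactly rather than by substring, the entries should be the concrete file names instead, and the comment should say which matching mode applies.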