muaddib-scanner 2.11.33 → 2.11.35

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.33",
+  "version": "2.11.35",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.33.json → self-scan-v2.11.35.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-24T21:02:55.214Z",
+  "timestamp": "2026-05-24T21:03:08.335Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/pipeline/processor.js

@@ -10,6 +10,7 @@ const { buildIntentPairs } = require('../intent-graph.js');
 const { debugLog } = require('../utils.js');
 const { getPackageMetadata } = require('../scanner/npm-registry.js');
 const { checkReleaseZero } = require('../scanner/release-zero.js');
+const { checkUnclaimedMaintainerEmail } = require('../scanner/email-domain.js');
 
 // Auto-sandbox compound trigger : optional out-of-tree dependency. Lazy-load
 // it so the pipeline still works when the file is absent (some dev machines
@@ -222,6 +223,20 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
     debugLog('[RELEASE-ZERO] check failed: ' + err.message);
   }
 
+  // F3 — unclaimed maintainer email domain (DNS MX). Best-effort, silent on
+  // network failure (per feedback_weak_signals_composite_scoring). Severity
+  // HIGH × confidence medium = 8.5 points isolated → composite-only signal.
+  // Skipped automatically when MUADDIB_NO_REGISTRY_FETCH=1 (no meta available)
+  // or MUADDIB_EMAIL_DOMAIN_CHECK=0 (explicit opt-out).
+  if (_pkgMeta && _pkgMeta.npmRegistryMeta) {
+    try {
+      const emailThreats = await checkUnclaimedMaintainerEmail(_pkgMeta.npmRegistryMeta);
+      for (const t of emailThreats) deduped.push(t);
+    } catch (err) {
+      debugLog('[EMAIL-DOMAIN] check failed: ' + err.message);
+    }
+  }
+
   // Cross-scanner compound: detached_process + suspicious_dataflow in same file
   // Catches cases where credential flow is detected by dataflow scanner, not AST scanner
   {

package/src/rules/index.js

@@ -1500,6 +1500,18 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  unclaimed_maintainer_email: {
+    id: 'MUADDIB-MAINTAINER-005',
+    name: 'Unclaimed Maintainer Email Domain',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Le domaine de l\'email du mainteneur n\'a aucun MX record valide. Un attaquant peut enregistrer le domaine, creer la boite mail, declencher un reset de mot de passe npm, prendre le compte. Signal composite-only (HIGH x medium = 8.5 pts isole, sous T1).',
+    references: [
+      'https://github.com/DataDog/guarddog/blob/main/guarddog/analyzer/metadata/npm/unclaimed_maintainer_email_domain.py',
+      'https://attack.mitre.org/techniques/T1556/'
+    ],
+    mitre: 'T1556'
+  },
 
   // Canary token detections
   canary_exfiltration: {

package/src/scanner/ast-detectors/constants.js

@@ -16,7 +16,14 @@ const SENSITIVE_STRINGS = [
   'The Second Coming',
   'Goldox-T3chs',
   '/etc/passwd',
-  '/etc/shadow'
+  '/etc/shadow',
+  // F5 — guarddog-inspired cloud credential paths (narrow specific forms
+  // only, to keep FP rate flat: .pgpass/.netrc/.boto are NOT added here
+  // because legitimate JS DB clients reference them. Those still trigger
+  // via dataflow SENSITIVE_PATH_PATTERNS when followed by exfil sinks).
+  '.aws/credentials',
+  '.docker/config.json',
+  '.kube/config'
 ];
 
 // Env vars that are safe and should NOT be flagged (common config/runtime vars)

package/src/scanner/dataflow.js

@@ -1075,6 +1075,12 @@ const SENSITIVE_PATH_PATTERNS = [
   '.atomic', '.metamask', '.ledger-live', '.trezor',
   '.bitcoin', '.monero', '.gnupg',
   '_cacache', '.cache/yarn', '.cache/pip',
+  // F5 — guarddog-inspired cloud/DB/HTTP auth file coverage. Substring
+  // match means '.docker/config' catches '.docker/config.json'. Narrow
+  // patterns (.pgpass/.netrc/.boto) are unique filenames — FP-safe.
+  '.docker/config', '.kube/config',
+  '.pgpass', '.netrc', '.boto',
+  '.azure/', '.gcloud/', '.config/gcloud/',
   // P6: Removed discord, leveldb — data directories, not credential paths.
   // _cacache/.cache kept — real cache poisoning vectors (T1195.002).
   '/proc/mem', '/proc/self',  // v2.10.11: runner secret extraction from process memory (TeamPCP Trivy stealer)

package/src/scanner/email-domain.js

@@ -0,0 +1,143 @@
+// F3 — Unclaimed maintainer email domain detection.
+//
+// Threat model: if the maintainer's email domain has no valid MX record, the
+// domain is "unclaimed" for mail. An attacker can register the domain, create
+// the mailbox, trigger an npm password-reset, take over the account.
+//
+// Design constraints:
+//  - HIGH × confidence_medium = 8.5 points → composite-only (sub-T1).
+//    This signal MUST never trigger an alert in isolation; it only contributes
+//    to scoring alongside other indicators.
+//  - Network failures (timeout, ESERVFAIL, etc.) are SILENT (debug-only logs).
+//    No retries. rdap.org-style community redirectors are best-effort and the
+//    scan must not block or spam logs on flaky ccTLD DNS.
+//  - 30-day in-process cache (positive AND negative) keyed by domain.
+//
+// Inspired by GuardDog's npm/unclaimed_maintainer_email_domain.py.
+
+const dns = require('dns');
+const { debugLog } = require('../utils.js');
+
+const MX_TIMEOUT_MS = 3000;
+const MX_CACHE_TTL = 30 * 24 * 60 * 60 * 1000; // 30 days
+
+// In-process cache: domain → { hasMx: bool|null, fetchedAt: ms }
+// hasMx === null = uncertain (transient error), don't cache long-term — but
+// we DO cache it short-term to avoid re-querying within the same scan batch.
+const _mxCache = new Map();
+
+function extractDomain(email) {
+  if (!email || typeof email !== 'string') return null;
+  const at = email.lastIndexOf('@');
+  if (at <= 0 || at >= email.length - 1) return null;
+  const domain = email.slice(at + 1).toLowerCase().trim();
+  // Basic sanity: must contain a dot, no whitespace, reasonable length
+  if (!domain.includes('.') || /\s/.test(domain) || domain.length > 253) return null;
+  return domain;
+}
+
+function uniqueDomains(emails) {
+  const set = new Set();
+  for (const e of emails || []) {
+    const d = extractDomain(e);
+    if (d) set.add(d);
+  }
+  return Array.from(set);
+}
+
+async function resolveMxWithTimeout(resolveMx, domain, timeoutMs) {
+  let timer = null;
+  try {
+    return await Promise.race([
+      resolveMx(domain),
+      new Promise((_, reject) => {
+        timer = setTimeout(() => reject(Object.assign(new Error('DNS_TIMEOUT'), { code: 'DNS_TIMEOUT' })), timeoutMs);
+      })
+    ]);
+  } finally {
+    if (timer) clearTimeout(timer);
+  }
+}
+
+/**
+ * Returns true if the domain has at least one MX record, false if it
+ * definitively has none (ENOTFOUND/ENODATA), null on transient/uncertain
+ * errors (timeout/ESERVFAIL/etc — treat as "skip silently").
+ */
+async function hasMxRecord(resolveMx, domain) {
+  const cached = _mxCache.get(domain);
+  if (cached && (Date.now() - cached.fetchedAt) < MX_CACHE_TTL) {
+    return cached.hasMx;
+  }
+  let hasMx;
+  try {
+    const records = await resolveMxWithTimeout(resolveMx, domain, MX_TIMEOUT_MS);
+    hasMx = Array.isArray(records) && records.length > 0;
+  } catch (err) {
+    const code = err && err.code;
+    if (code === 'ENOTFOUND' || code === 'ENODATA') {
+      hasMx = false;
+    } else {
+      // Timeout, ESERVFAIL, EREFUSED, network-down: uncertain → skip silently.
+      debugLog('[EMAIL-DOMAIN] MX lookup uncertain for ' + domain + ': ' + (code || err.message));
+      // Short-cache the uncertainty so we don't re-query during the same scan
+      _mxCache.set(domain, { hasMx: null, fetchedAt: Date.now() });
+      return null;
+    }
+  }
+  _mxCache.set(domain, { hasMx, fetchedAt: Date.now() });
+  return hasMx;
+}
+
+/**
+ * F3 entry point.
+ * @param {object|null} meta - Digested metadata from getPackageMetadata.
+ *   Reads meta.maintainer_emails (string[]).
+ * @param {object} options - { resolveMx } for tests to inject a mock resolver.
+ * @returns {Promise<Array>} threats array (empty when disabled, offline, or no email)
+ */
+async function checkUnclaimedMaintainerEmail(meta, options = {}) {
+  // Opt-out for offline / air-gapped scans
+  if (globalThis.process.env.MUADDIB_EMAIL_DOMAIN_CHECK === '0') return [];
+  if (!meta || !Array.isArray(meta.maintainer_emails) || meta.maintainer_emails.length === 0) {
+    return [];
+  }
+  const resolveMx = options.resolveMx || dns.promises.resolveMx;
+  const domains = uniqueDomains(meta.maintainer_emails);
+  if (domains.length === 0) return [];
+
+  const threats = [];
+  for (const domain of domains) {
+    let hasMx;
+    try {
+      hasMx = await hasMxRecord(resolveMx, domain);
+    } catch (err) {
+      debugLog('[EMAIL-DOMAIN] unexpected error for ' + domain + ': ' + err.message);
+      continue;
+    }
+    if (hasMx === false) {
+      threats.push({
+        type: 'unclaimed_maintainer_email',
+        severity: 'HIGH',
+        message: 'Maintainer email domain "' + domain + '" has no MX record — unclaimed mailbox, attacker can register the domain to receive a password-reset and take over the account.',
+        file: 'package.json',
+        count: 1,
+        domain
+      });
+    }
+  }
+  return threats;
+}
+
+// Exposed for tests
+function _resetCache() { _mxCache.clear(); }
+
+module.exports = {
+  checkUnclaimedMaintainerEmail,
+  extractDomain,
+  uniqueDomains,
+  hasMxRecord,
+  _resetCache,
+  MX_TIMEOUT_MS,
+  MX_CACHE_TTL
+};

package/src/scanner/npm-registry.js

@@ -117,6 +117,21 @@ async function getPackageMetadata(packageName) {
     || meta.maintainers?.[0]?.name
     || null;
 
+  // F3 — extract ALL maintainer emails (latest version + top-level merged,
+  // deduped) for unclaimed-domain MX check downstream.
+  const maintainerEmails = (() => {
+    const out = new Set();
+    const sources = [
+      ...(Array.isArray(latestMeta?.maintainers) ? latestMeta.maintainers : []),
+      ...(Array.isArray(meta.maintainers) ? meta.maintainers : [])
+    ];
+    for (const m of sources) {
+      const e = m && typeof m === 'object' ? m.email : null;
+      if (typeof e === 'string' && e.includes('@')) out.add(e.toLowerCase().trim());
+    }
+    return Array.from(out);
+  })();
+
   const readmeText = meta.readme || '';
   const hasReadme = readmeText.length > 100;
 
@@ -182,6 +197,9 @@ async function getPackageMetadata(packageName) {
     // / pinned-old / vendored versions bypass the cap so we don't mask attacks
     // captured in static fixtures (e.g. eslint-scope 3.7.2, chalk 5.6.1).
     latest_version: latestVersion || null,
+    // F3 : list of maintainer email addresses (lowercased, unique) for DNS
+    // MX / RDAP downstream checks. Empty array if no emails published.
+    maintainer_emails: maintainerEmails,
     // C3 : per-version publish timestamps for delta-mode selectPriorVersions.
     time: versionTimes,
     ...advancedSignals

package/src/scanner/temporal-ast-diff.js

@@ -16,7 +16,12 @@ const METADATA_TIMEOUT = 10_000;
 
 const SENSITIVE_PATHS = [
   '/etc/passwd', '/etc/shadow', '.env', '.npmrc', '.ssh',
-  '.aws/credentials', '.bash_history', '.gitconfig'
+  '.aws/credentials', '.bash_history', '.gitconfig',
+  // F5 — guarddog-inspired cloud/DB/HTTP auth files (newly-introduced
+  // access to any of these via a version bump is a strong temporal signal).
+  '.docker/config', '.kube/config',
+  '.pgpass', '.netrc', '.boto',
+  '.azure/credentials', '.gcloud/credentials'
 ];
 
 // Severity mapping for each pattern