muaddib-scanner 2.11.35 → 2.11.36

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.35",
+  "version": "2.11.36",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.35.json → self-scan-v2.11.36.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-24T21:03:08.335Z",
+  "timestamp": "2026-05-24T21:02:11.478Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/pipeline/processor.js

@@ -10,7 +10,7 @@ const { buildIntentPairs } = require('../intent-graph.js');
 const { debugLog } = require('../utils.js');
 const { getPackageMetadata } = require('../scanner/npm-registry.js');
 const { checkReleaseZero } = require('../scanner/release-zero.js');
-const { checkUnclaimedMaintainerEmail } = require('../scanner/email-domain.js');
+const { checkUnclaimedMaintainerEmail, checkCompromisedDomain } = require('../scanner/email-domain.js');
 
 // Auto-sandbox compound trigger : optional out-of-tree dependency. Lazy-load
 // it so the pipeline still works when the file is absent (some dev machines
@@ -228,6 +228,10 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
   // HIGH × confidence medium = 8.5 points isolated → composite-only signal.
   // Skipped automatically when MUADDIB_NO_REGISTRY_FETCH=1 (no meta available)
   // or MUADDIB_EMAIL_DOMAIN_CHECK=0 (explicit opt-out).
+  //
+  // F1 — RDAP compromised email domain. Same best-effort + silent contract.
+  // Severity HIGH × confidence high = 10 points isolated → composite-only.
+  // Opt-out via MUADDIB_RDAP_CHECK=0.
   if (_pkgMeta && _pkgMeta.npmRegistryMeta) {
     try {
       const emailThreats = await checkUnclaimedMaintainerEmail(_pkgMeta.npmRegistryMeta);
@@ -235,6 +239,12 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
     } catch (err) {
       debugLog('[EMAIL-DOMAIN] check failed: ' + err.message);
     }
+    try {
+      const rdapThreats = await checkCompromisedDomain(_pkgMeta.npmRegistryMeta);
+      for (const t of rdapThreats) deduped.push(t);
+    } catch (err) {
+      debugLog('[RDAP] check failed: ' + err.message);
+    }
   }
 
   // Cross-scanner compound: detached_process + suspicious_dataflow in same file

package/src/rules/index.js

@@ -1512,6 +1512,19 @@ const RULES = {
     ],
     mitre: 'T1556'
   },
+  compromised_email_domain: {
+    id: 'MUADDIB-MAINTAINER-006',
+    name: 'Compromised Maintainer Email Domain',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Le domaine de l\'email du mainteneur a ete enregistre APRES la premiere publication du package (marge 30j). Pattern de rachat de domaine expire: l\'attaquant reprend le mail, declenche un reset de mot de passe npm, prend le compte. Signal composite-only (HIGH x high = 10 pts isole, sous T1).',
+    references: [
+      'https://github.com/DataDog/guarddog/blob/main/guarddog/analyzer/metadata/npm/potentially_compromised_email_domain.py',
+      'https://attack.mitre.org/techniques/T1556/',
+      'https://datatracker.ietf.org/doc/html/rfc7480'
+    ],
+    mitre: 'T1556'
+  },
 
   // Canary token detections
   canary_exfiltration: {

package/src/scanner/email-domain.js

@@ -132,6 +132,159 @@ async function checkUnclaimedMaintainerEmail(meta, options = {}) {
 // Exposed for tests
 function _resetCache() { _mxCache.clear(); }
 
+// =============================================================================
+// F1 — RDAP-based compromised email domain detection.
+//
+// Threat model: an attacker waits for the maintainer's email domain to expire,
+// re-registers it, takes the mailbox, triggers an npm password-reset, takes
+// over the account. The signal: the domain's `registration` event date is
+// AFTER the package was first published.
+//
+// Why RDAP and not WHOIS:
+//  - RDAP is the IETF replacement for WHOIS (RFC 7480-7483), returns JSON
+//  - HTTP/HTTPS — works with Node's built-in fetch, no external dep
+//  - rdap.org is a community redirector that forwards to TLD-specific RDAP
+//    servers. Best-effort: many ccTLDs (.ru, .cn, .tk, .io) have no RDAP at
+//    all → we MUST skip silently on 404/timeout (no log spam in prod).
+//
+// Design constraints (same as F3 + plan):
+//  - HIGH × confidence_high = 10 points → composite-only (sub-T1=20).
+//  - Network failures SILENT (debug-only). No retries.
+//  - 30-day cache for RDAP responses (they don't change often).
+//  - 30-day margin on the comparison: alert iff
+//      creation_date > package_first_publish - 30j
+//    The -30j absorbs registration-vs-publish timing edges (e.g., maintainer
+//    bought the domain a few weeks before shipping their first version).
+//  - Opt-out via MUADDIB_RDAP_CHECK=0 (default ON).
+//
+// Inspired by GuardDog's npm/potentially_compromised_email_domain.py (which
+// uses python-whois). We replace the WHOIS dependency with an RDAP HTTP call
+// to satisfy the CLAUDE.md "no external runtime deps" rule.
+// =============================================================================
+
+const RDAP_TIMEOUT_MS = 5000;
+const RDAP_CACHE_TTL = 30 * 24 * 60 * 60 * 1000; // 30 days
+const RDAP_BASE_URL = 'https://rdap.org/domain/';
+// 30-day margin on creation-vs-publish comparison (see above).
+const COMPROMISE_MARGIN_MS = 30 * 24 * 60 * 60 * 1000;
+
+// In-process cache: domain → { creationDate: ISO|null, fetchedAt: ms }
+const _rdapCache = new Map();
+
+/**
+ * Query the RDAP service for a domain's registration date.
+ * Returns { creationDate: ISO string } or null on any error/missing data.
+ * SILENT on failure — debug log only.
+ */
+async function fetchRdap(domain, options = {}) {
+  const timeoutMs = options.timeoutMs || RDAP_TIMEOUT_MS;
+  const cached = _rdapCache.get(domain);
+  if (cached && (Date.now() - cached.fetchedAt) < RDAP_CACHE_TTL) {
+    return cached.creationDate ? { creationDate: cached.creationDate } : null;
+  }
+
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+
+  try {
+    const response = await fetch(RDAP_BASE_URL + encodeURIComponent(domain), {
+      signal: controller.signal,
+      redirect: 'follow',
+      headers: { 'Accept': 'application/rdap+json' }
+    });
+    if (!response.ok) {
+      // 404 = no RDAP for this TLD, or unknown domain. Other errors transient.
+      // Drain body to free resources.
+      try { await response.text(); } catch { /* ignore */ }
+      _rdapCache.set(domain, { creationDate: null, fetchedAt: Date.now() });
+      return null;
+    }
+    let data;
+    try {
+      data = await response.json();
+    } catch {
+      return null; // malformed JSON
+    }
+    if (!data || !Array.isArray(data.events)) {
+      _rdapCache.set(domain, { creationDate: null, fetchedAt: Date.now() });
+      return null;
+    }
+    const reg = data.events.find(e =>
+      e && typeof e.eventAction === 'string' &&
+      e.eventAction.toLowerCase() === 'registration'
+    );
+    const creationDate = reg && typeof reg.eventDate === 'string' ? reg.eventDate : null;
+    _rdapCache.set(domain, { creationDate, fetchedAt: Date.now() });
+    return creationDate ? { creationDate } : null;
+  } catch (err) {
+    debugLog('[RDAP] fetch failed for ' + domain + ': ' + (err.code || err.message));
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+/**
+ * Returns true if the domain registration came AFTER the package was first
+ * published (with a 30-day margin to absorb timing edges).
+ */
+function isCompromisedDomain(creationDateISO, packageCreatedAtISO) {
+  if (!creationDateISO || !packageCreatedAtISO) return false;
+  const cDate = new Date(creationDateISO).getTime();
+  const rDate = new Date(packageCreatedAtISO).getTime();
+  if (isNaN(cDate) || isNaN(rDate)) return false;
+  return cDate > (rDate - COMPROMISE_MARGIN_MS);
+}
+
+/**
+ * F1 entry point.
+ * @param {object|null} meta - Digested metadata. Reads maintainer_emails + created_at.
+ * @param {object} options - { fetchRdap } for tests to inject a mock.
+ * @returns {Promise<Array>} threats array
+ */
+async function checkCompromisedDomain(meta, options = {}) {
+  if (globalThis.process.env.MUADDIB_RDAP_CHECK === '0') return [];
+  if (!meta || !Array.isArray(meta.maintainer_emails) || meta.maintainer_emails.length === 0) {
+    return [];
+  }
+  if (!meta.created_at) return []; // need a package publish date to compare against
+
+  const fetchFn = options.fetchRdap || fetchRdap;
+  const domains = uniqueDomains(meta.maintainer_emails);
+  if (domains.length === 0) return [];
+
+  const threats = [];
+  for (const domain of domains) {
+    let rdap;
+    try {
+      rdap = await fetchFn(domain);
+    } catch (err) {
+      debugLog('[RDAP] unexpected error for ' + domain + ': ' + err.message);
+      continue;
+    }
+    if (!rdap || !rdap.creationDate) continue;
+    if (isCompromisedDomain(rdap.creationDate, meta.created_at)) {
+      const cd = rdap.creationDate.slice(0, 10);
+      const pd = meta.created_at.slice(0, 10);
+      threats.push({
+        type: 'compromised_email_domain',
+        severity: 'HIGH',
+        message: 'Maintainer email domain "' + domain + '" was registered on ' + cd
+          + ' AFTER the package was first published on ' + pd
+          + ' — likely domain takeover / account compromise indicator.',
+        file: 'package.json',
+        count: 1,
+        domain,
+        creation_date: rdap.creationDate,
+        package_created_at: meta.created_at
+      });
+    }
+  }
+  return threats;
+}
+
+function _resetRdapCache() { _rdapCache.clear(); }
+
 module.exports = {
   checkUnclaimedMaintainerEmail,
   extractDomain,
@@ -139,5 +292,13 @@ module.exports = {
   hasMxRecord,
   _resetCache,
   MX_TIMEOUT_MS,
-  MX_CACHE_TTL
+  MX_CACHE_TTL,
+  // F1 exports
+  checkCompromisedDomain,
+  fetchRdap,
+  isCompromisedDomain,
+  _resetRdapCache,
+  RDAP_TIMEOUT_MS,
+  RDAP_CACHE_TTL,
+  COMPROMISE_MARGIN_MS
 };