npm - muaddib-scanner - Versions diffs - 2.11.39 → 2.11.40 - Mend

muaddib-scanner 2.11.39 → 2.11.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json +1 -1
package/{self-scan-v2.11.39.json → self-scan-v2.11.40.json} +34 -7
package/src/response/playbooks.js +10 -0
package/src/rules/index.js +15 -0
package/src/scanner/ai-config.js +32 -3
package/src/scanner/obfuscation.js +1 -48
package/src/shared/unicode-invisibles.js +164 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.39",
+  "version": "2.11.40",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.39.json → self-scan-v2.11.40.json} RENAMED Viewed

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-25T08:33:11.787Z",
+  "timestamp": "2026-05-25T09:38:49.363Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",
@@ -870,6 +870,27 @@
       "playbook": "CRITIQUE: Execution de commande shell dangereuse detectee. Isoler la machine. Verifier si la commande a ete executee.",
       "points": 3
     },
+    {
+      "type": "unicode_invisible_injection",
+      "severity": "CRITICAL",
+      "message": "10 invisible Unicode characters detected (zero-width, variation selectors, tag chars). Possible hidden payload encoded via invisible codepoints.",
+      "file": "iconv-lite/encodings/sbcs-data-generated.js",
+      "count": 1,
+      "reductions": [],
+      "originalSeverity": "CRITICAL",
+      "confidenceTier": "medium",
+      "rule_id": "MUADDIB-OBF-003",
+      "rule_name": "Unicode Invisible Character Injection",
+      "confidence": "high",
+      "domain": "malware",
+      "references": [
+        "https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode",
+        "https://attack.mitre.org/techniques/T1027/"
+      ],
+      "mitre": "T1027",
+      "playbook": "CRITIQUE: Caracteres Unicode invisibles detectes (zero-width, variation selectors). Technique GlassWorm: du code malveillant est encode via des variation selectors invisibles dans les editeurs. Analyser le fichier avec un editeur hexa. Supprimer le package immediatement. Verifier les autres fichiers du projet pour des injections similaires.",
+      "points": 25
+    },
     {
       "type": "high_entropy_string",
       "severity": "LOW",
@@ -1107,17 +1128,17 @@
   ],
   "python": null,
   "summary": {
-    "total": 51,
-    "critical": 2,
+    "total": 52,
+    "critical": 3,
     "high": 6,
     "medium": 28,
     "low": 15,
     "riskScore": 35,
     "riskLevel": "MEDIUM",
     "globalRiskScore": 100,
-    "maxFileScore": 25,
+    "maxFileScore": 26,
     "packageScore": 1,
-    "mostSuspiciousFile": "ajv/lib/ajv.js",
+    "mostSuspiciousFile": "iconv-lite/encodings/sbcs-data-generated.js",
     "fileScores": {
       "esquery/parser.js": 5,
       "ajv/lib/ajv.js": 25,
@@ -1133,7 +1154,7 @@
       "eslint/lib/config/config-loader.js": 11,
       "eslint/lib/eslint/eslint-helpers.js": 25,
       "eslint/lib/eslint/eslint.js": 13,
-      "iconv-lite/encodings/sbcs-data-generated.js": 1,
+      "iconv-lite/encodings/sbcs-data-generated.js": 26,
       "iconv-lite/encodings/sbcs-data.js": 1,
       "ajv/lib/compile/formats.js": 1
     },
@@ -1169,6 +1190,12 @@
         "points": 25,
         "reason": "Dynamic import() with computed URL argument — remote code loading from dynamically constructed URL."
       },
+      {
+        "rule": "MUADDIB-OBF-003",
+        "type": "unicode_invisible_injection",
+        "points": 25,
+        "reason": "10 invisible Unicode characters detected (zero-width, variation selectors, tag chars). Possible hidden payload encoded via invisible codepoints."
+      },
       {
         "rule": "MUADDIB-AST-006",
         "type": "dynamic_require",
@@ -1461,7 +1488,7 @@
     "tierCounts": {
       "verified": 0,
       "high": 0,
-      "medium": 9,
+      "medium": 10,
       "low": 42
     },
     "perceivedFlagged": 0

package/src/response/playbooks.js CHANGED Viewed

@@ -399,6 +399,16 @@ const PLAYBOOKS = {
     'Technique Shai-Hulud (TeamPCP). Supprimer les fichiers .claude/settings.json ' +
     'et .vscode/tasks.json avant ouverture.',
+  aiconf_unicode_obfuscation:
+    'CRITIQUE: Fichier de config d\'agent IA contient des caracteres Unicode invisibles ' +
+    '(zero-width, directional override, variation selectors). Technique TrapDoor (mai 2026): ' +
+    'l\'attaquant insere des U+200B au milieu de mots-cles pour echapper a la revue humaine ' +
+    'et aux regex statiques, tandis que l\'agent IA (Claude, Cursor) lit le contenu normalise ' +
+    'et execute le payload cache. NE PAS ouvrir ce projet avec un agent IA. Ouvrir le fichier ' +
+    'dans un editeur qui affiche les caracteres invisibles (VS Code: "editor.renderControlCharacters") ' +
+    'pour inspecter le contenu reel. Supprimer le fichier ou nettoyer les caracteres invisibles ' +
+    'avant toute utilisation. Si deja ouvert avec un agent IA, regenerer tous les secrets touches.',
   ai_agent_abuse:
     'CRITIQUE: Un agent IA (Claude, Gemini, Q) est invoque avec des flags de bypass de securite ' +
     '(--dangerously-skip-permissions, --yolo, --trust-all-tools). Technique s1ngularity/Nx. ' +

package/src/rules/index.js CHANGED Viewed

@@ -914,6 +914,21 @@ const RULES = {
     ],
     mitre: 'T1546'
   },
+  aiconf_unicode_obfuscation: {
+    id: 'MUADDIB-AICONF-004',
+    name: 'Zero-Width Unicode Obfuscation in AI Config',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Fichier de configuration d\'agent IA (.cursorrules, CLAUDE.md, copilot-instructions.md) contient des caracteres Unicode invisibles (zero-width, directional override, variation selectors) qui cachent des instructions a la revue humaine ou cassent des mots-cles pour echapper a la detection regex. Technique TrapDoor (mai 2026): curl|sh interspersee de U+200B passe au travers du regex /curl/ tandis que l\'agent IA execute le payload normalise.',
+    references: [
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode',
+      'https://trojansource.codes/',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1027.013'
+  },
   require_cache_poison: {
     id: 'MUADDIB-AST-019',

package/src/scanner/ai-config.js CHANGED Viewed

@@ -18,6 +18,14 @@
 const fs = require('fs');
 const path = require('path');
+const { countInvisibleUnicode, stripInvisibleUnicode } = require('../shared/unicode-invisibles.js');
+// Threshold above which an AI config file is flagged as ZW-Unicode-obfuscated.
+// Lower than obfuscation.js (10) because .cursorrules / CLAUDE.md should never
+// legitimately contain invisible codepoints — even international content uses
+// only visible chars (CJK, accents, emoji with U+FE0F variation selector are
+// NOT counted by countInvisibleUnicode).
+const AI_CONFIG_ZW_THRESHOLD = 5;
 // AI agent config files to scan for prompt injection (relative to project root)
 const AI_CONFIG_FILES = [
@@ -111,7 +119,12 @@ function scanAIConfig(targetPath) {
     }
     const relPath = configFile;
-    const fileThreats = analyzeAIConfigFile(content, relPath);
+    // Normalize invisible Unicode BEFORE running regex patterns.
+    // Without this, an attacker can split keywords with U+200B (`curl`) to
+    // evade /curl\s+/ — the exact TrapDoor (mai 2026) .cursorrules vector.
+    const invisibleCount = countInvisibleUnicode(content);
+    const normalized = invisibleCount > 0 ? stripInvisibleUnicode(content) : content;
+    const fileThreats = analyzeAIConfigFile(normalized, relPath, invisibleCount);
     threats.push(...fileThreats);
   }
@@ -218,14 +231,30 @@ function analyzeIDEHookFile(content, relPath) {
 }
 /**
- * Analyze a single AI config file for prompt injection patterns
+ * Analyze a single AI config file for prompt injection patterns.
+ *
+ * @param {string} content - File content, already normalized (invisible Unicode stripped).
+ * @param {string} relPath - Relative path of the config file.
+ * @param {number} invisibleCount - Number of invisible Unicode codepoints in the original (pre-strip) content.
  */
-function analyzeAIConfigFile(content, relPath) {
+function analyzeAIConfigFile(content, relPath, invisibleCount) {
   const threats = [];
   let hasShellCommand = false;
   let hasExfiltration = false;
   let hasCredentialAccess = false;
+  // Zero-width / directional Unicode obfuscation (TrapDoor, mai 2026).
+  // An attacker can hide instructions or split keywords with U+200B etc. so
+  // human reviewers see "harmless" text while the AI agent reads the payload.
+  if (invisibleCount >= AI_CONFIG_ZW_THRESHOLD) {
+    threats.push({
+      type: 'aiconf_unicode_obfuscation',
+      severity: 'CRITICAL',
+      message: `AI config contains ${invisibleCount} invisible Unicode characters (zero-width / directional / variation selectors) in ${relPath} — content was normalized before pattern matching. Possible hidden instructions or keyword-splitting evasion (TrapDoor pattern).`,
+      file: relPath
+    });
+  }
   // Check shell command patterns
   for (const pattern of SHELL_COMMAND_PATTERNS) {
     if (pattern.regex.test(content)) {

package/src/scanner/obfuscation.js CHANGED Viewed

@@ -1,6 +1,7 @@
 const fs = require('fs');
 const path = require('path');
 const { findFiles, forEachSafeFile, debugLog } = require('../utils.js');
+const { countInvisibleUnicode } = require('../shared/unicode-invisibles.js');
 // node_modules NOT excluded: detect obfuscated code in dependencies.
 // dist/build/out/output excluded: bundled output is always flagged as isPackageOutput (LOW)
@@ -198,52 +199,4 @@ function hasLargeStringArray(content) {
   return false;
 }
-/**
- * Count invisible Unicode codepoints in content (GlassWorm detection).
- * Covers BMP zero-width chars, variation selectors, and supplementary plane
- * tag characters / variation selectors supplement via codePointAt iteration.
- *
- * Codepoints detected:
- * - U+200B, U+200C, U+200D (zero-width space/joiner/non-joiner)
- * - U+FEFF (BOM — only if position > 0; pos 0 is legitimate BOM)
- * - U+2060 (word joiner), U+180E (Mongolian vowel separator)
- * - U+FE00-U+FE0E (variation selectors — excludes U+FE0F emoji presentation selector)
- * - U+E0100-U+E01EF (variation selectors supplement)
- * - U+E0001-U+E007F (tag characters)
- */
-function countInvisibleUnicode(content) {
-  let count = 0;
-  for (let i = 0; i < content.length; i++) {
-    const cp = content.codePointAt(i);
-    // BMP invisible chars
-    if (cp === 0x200B || cp === 0x200C || cp === 0x200D ||
-        cp === 0x2060 || cp === 0x180E) {
-      count++;
-    }
-    // BOM only suspicious after position 0
-    else if (cp === 0xFEFF && i > 0) {
-      count++;
-    }
-    // BMP variation selectors (U+FE00-U+FE0E) — excludes U+FE0F (emoji presentation selector)
-    else if (cp >= 0xFE00 && cp <= 0xFE0E) {
-      count++;
-    }
-    // Supplementary plane: variation selectors supplement (U+E0100-U+E01EF)
-    else if (cp >= 0xE0100 && cp <= 0xE01EF) {
-      count++;
-      i++; // skip surrogate pair low half
-    }
-    // Supplementary plane: tag characters (U+E0001-U+E007F)
-    else if (cp >= 0xE0001 && cp <= 0xE007F) {
-      count++;
-      i++; // skip surrogate pair low half
-    }
-    // Skip surrogate pair low half for other supplementary chars
-    else if (cp > 0xFFFF) {
-      i++;
-    }
-  }
-  return count;
-}
 module.exports = { detectObfuscation };

package/src/shared/unicode-invisibles.js ADDED Viewed

@@ -0,0 +1,164 @@
+'use strict';
+/**
+ * Unicode invisible character helpers — shared by obfuscation.js and ai-config.js.
+ *
+ * Extracted v2.11.25 (TrapDoor campaign, mai 2026) : la fonction locale dans
+ * obfuscation.js couvrait `.js/.cjs/.mjs/.ts/.tsx/.py` mais pas les configs IA
+ * (.cursorrules, CLAUDE.md). En la partageant, ai-config.js peut normaliser le
+ * contenu avant ses regex et bloquer le vecteur "cu<U+200B>rl|sh" avec ZW
+ * interspersés dans le mot-clé.
+ *
+ * Codepoints détectés (superset du scope original obfuscation.js, qui n'incluait
+ * pas LRM/RLM ni les directional override) :
+ *
+ *   Zero-width:
+ *     U+200B ZWSP, U+200C ZWNJ, U+200D ZWJ
+ *     U+2060 word joiner
+ *     U+180E Mongolian vowel separator
+ *
+ *   Directional (bidi spoofing — Trojan Source CVE-2021-42574) :
+ *     U+200E LRM, U+200F RLM
+ *     U+202A LRE, U+202B RLE, U+202C PDF, U+202D LRO, U+202E RLO
+ *
+ *   Invisible math operators (peuvent casser un parser sans être vus) :
+ *     U+2061 function application, U+2062 invisible times,
+ *     U+2063 invisible separator, U+2064 invisible plus
+ *
+ *   BOM (mid-text only; position 0 est légitime UTF-8 BOM) :
+ *     U+FEFF
+ *
+ *   Variation selectors :
+ *     U+FE00-FE0E (excludes U+FE0F emoji presentation selector — légitime)
+ *     U+E0100-E01EF supplementary plane variation selectors
+ *
+ *   Tag characters (utilisés par GlassWorm pour encoder du payload) :
+ *     U+E0001, U+E0020-E007F
+ *
+ * CJK, accents, emoji standards (avec U+FE0F) sont volontairement EXCLUS — pas
+ * de FP attendu sur du contenu international légitime.
+ *
+ * Références :
+ *  - https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
+ *  - https://trojansource.codes/ (Trojan Source, CVE-2021-42574)
+ *  - https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates (mai 2026)
+ */
+/**
+ * Returns true if the codepoint at position `i` is considered invisible.
+ * Sets `skipNext` true on the result if the codepoint is supplementary
+ * (caller must `i++` to skip the low surrogate half).
+ *
+ * @param {string} content
+ * @param {number} i
+ * @returns {{ invisible: boolean, supplementary: boolean }}
+ */
+function inspectCodepoint(content, i) {
+  const cp = content.codePointAt(i);
+  // BMP zero-width
+  if (cp === 0x200B || cp === 0x200C || cp === 0x200D) {
+    return { invisible: true, supplementary: false };
+  }
+  // BMP directional (Trojan Source)
+  if (cp === 0x200E || cp === 0x200F ||
+      (cp >= 0x202A && cp <= 0x202E)) {
+    return { invisible: true, supplementary: false };
+  }
+  // BMP word joiner & friends
+  if (cp === 0x2060 || cp === 0x180E) {
+    return { invisible: true, supplementary: false };
+  }
+  // BMP invisible math operators (U+2061-2064)
+  if (cp >= 0x2061 && cp <= 0x2064) {
+    return { invisible: true, supplementary: false };
+  }
+  // BOM only suspicious after position 0
+  if (cp === 0xFEFF && i > 0) {
+    return { invisible: true, supplementary: false };
+  }
+  // BMP variation selectors (U+FE00-U+FE0E) — excludes U+FE0F emoji presentation
+  if (cp >= 0xFE00 && cp <= 0xFE0E) {
+    return { invisible: true, supplementary: false };
+  }
+  // Supplementary plane: variation selectors supplement (U+E0100-U+E01EF)
+  if (cp >= 0xE0100 && cp <= 0xE01EF) {
+    return { invisible: true, supplementary: true };
+  }
+  // Supplementary plane: tag characters (U+E0001 + U+E0020-U+E007F)
+  if (cp === 0xE0001 || (cp >= 0xE0020 && cp <= 0xE007F)) {
+    return { invisible: true, supplementary: true };
+  }
+  // Other supplementary chars (non-invisible) — need to skip low surrogate
+  if (cp > 0xFFFF) {
+    return { invisible: false, supplementary: true };
+  }
+  return { invisible: false, supplementary: false };
+}
+/**
+ * Count invisible Unicode codepoints in `content`.
+ *
+ * @param {string} content
+ * @returns {number}
+ */
+function countInvisibleUnicode(content) {
+  let count = 0;
+  for (let i = 0; i < content.length; i++) {
+    const { invisible, supplementary } = inspectCodepoint(content, i);
+    if (invisible) count++;
+    if (supplementary) i++; // skip low surrogate half
+  }
+  return count;
+}
+/**
+ * Return a copy of `content` with all invisible codepoints removed.
+ *
+ * Used to normalize text before pattern matching: prevents an attacker
+ * from splitting a keyword (`cu<U+200B>rl`) with zero-width chars to evade
+ * regex like /curl\s+/i.
+ *
+ * @param {string} content
+ * @returns {string}
+ */
+function stripInvisibleUnicode(content) {
+  // Fast path: if no codepoint > 0x7F, content is pure ASCII — nothing to strip.
+  let hasHighChar = false;
+  for (let i = 0; i < content.length; i++) {
+    if (content.charCodeAt(i) > 0x7F) { hasHighChar = true; break; }
+  }
+  if (!hasHighChar) return content;
+  let out = '';
+  for (let i = 0; i < content.length; i++) {
+    const { invisible, supplementary } = inspectCodepoint(content, i);
+    if (!invisible) {
+      // Preserve original char(s). For supplementary, copy both surrogate halves.
+      if (supplementary) {
+        out += content[i] + content[i + 1];
+        i++;
+      } else {
+        out += content[i];
+      }
+    } else if (supplementary) {
+      // Skip both surrogate halves
+      i++;
+    }
+  }
+  return out;
+}
+module.exports = {
+  countInvisibleUnicode,
+  stripInvisibleUnicode
+};