muaddib-scanner 2.11.47 → 2.11.48

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.47",
+  "version": "2.11.48",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.47.json → self-scan-v2.11.48.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-25T18:50:42.771Z",
+  "timestamp": "2026-05-26T08:43:39.544Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/ioc/bootstrap.js

@@ -13,6 +13,16 @@ const IOCS_URL = 'https://github.com/DNSZLSK/muad-dib/releases/latest/download/i
 const HOME_DATA_DIR = path.join(os.homedir(), '.muaddib', 'data');
 const IOCS_PATH = path.join(HOME_DATA_DIR, 'iocs.json');
 
+// Local bundled IOC file (committed in repo) — when present we don't need a network download.
+// Loader (src/ioc/updater.js) reads this directly, so the home-cache download becomes a
+// no-op for users who already have the source tree.
+const LOCAL_BUNDLED_IOCS = path.join(__dirname, 'data', 'iocs.json');
+
+// Per-process memoization: once download has failed (or been skipped), don't retry on the
+// next scan within the same process. Eval runs hundreds of scans — without this we burn a
+// 60s timeout per scan when the asset is missing.
+let _ensureIocsResult = null;
+
 // Minimum file size to consider IOCs valid (1MB)
 const MIN_IOCS_SIZE = 1_000_000;
 
@@ -135,6 +145,9 @@ function downloadAndDecompress(url, destPath) {
  * @returns {Promise<boolean>} true if IOCs are available (cached or downloaded), false if download failed
  */
 async function ensureIOCs() {
+  // Per-process memoization — first scan decides, subsequent scans reuse the result.
+  if (_ensureIocsResult !== null) return _ensureIocsResult;
+
   try {
     // Create data directory if needed
     if (!fs.existsSync(HOME_DATA_DIR)) {
@@ -145,10 +158,21 @@ async function ensureIOCs() {
     if (fs.existsSync(IOCS_PATH)) {
       const stat = fs.statSync(IOCS_PATH);
       if (stat.size >= MIN_IOCS_SIZE) {
-        return true;
+        return (_ensureIocsResult = true);
       }
     }
 
+    // Bundled-source fast path: dev installs and the npm tarball both ship src/ioc/data/iocs.json.
+    // When that file is present, the updater loader already merges it — no need to hit GitHub.
+    if (fs.existsSync(LOCAL_BUNDLED_IOCS)) {
+      try {
+        const stat = fs.statSync(LOCAL_BUNDLED_IOCS);
+        if (stat.size >= MIN_IOCS_SIZE) {
+          return (_ensureIocsResult = true);
+        }
+      } catch { /* fall through to download */ }
+    }
+
     // Offline / CI escape hatch: cache is empty/missing AND we don't want to
     // hit the network. Tests and air-gapped environments use this to avoid
     // 1-2s timeouts × N tests when the asset is unavailable. Same env var as
@@ -157,7 +181,7 @@ async function ensureIOCs() {
     // the cache check so a healthy cache still returns true even in offline
     // mode (otherwise tests that pre-populate the cache would falsely fail).
     if (process.env.MUADDIB_NO_REGISTRY_FETCH === '1') {
-      return false;
+      return (_ensureIocsResult = false);
     }
 
     // Download IOCs (messages go to stderr to avoid contaminating JSON/SARIF stdout)
@@ -169,18 +193,23 @@ async function ensureIOCs() {
     if (stat.size < MIN_IOCS_SIZE) {
       try { fs.unlinkSync(IOCS_PATH); } catch {}
       process.stderr.write('[WARN] Downloaded IOC file is too small, using compact IOCs\n');
-      return false;
+      return (_ensureIocsResult = false);
     }
 
     process.stderr.write('[MUADDIB] IOC database ready (' + Math.round(stat.size / 1024 / 1024) + ' MB)\n');
-    return true;
+    return (_ensureIocsResult = true);
   } catch (err) {
     process.stderr.write('[WARN] Could not download IOC database: ' + err.message + '\n');
-    process.stderr.write('[WARN] Continuing with YAML IOCs only (run "muaddib update" for full coverage)\n');
-    return false;
+    process.stderr.write('[WARN] Continuing with bundled/YAML IOCs (run "muaddib update" for full coverage)\n');
+    return (_ensureIocsResult = false);
   }
 }
 
+// Test hook — lets the test suite reset the memoization without spawning a fresh process.
+function _resetEnsureIocsForTests() {
+  _ensureIocsResult = null;
+}
+
 module.exports = {
   ensureIOCs,
   downloadAndDecompress,
@@ -188,5 +217,6 @@ module.exports = {
   IOCS_URL,
   IOCS_PATH,
   HOME_DATA_DIR,
-  MIN_IOCS_SIZE
+  MIN_IOCS_SIZE,
+  _resetEnsureIocsForTests
 };

package/src/pipeline/executor.js

@@ -125,7 +125,15 @@ async function execute(targetPath, options, pythonDeps, warnings) {
   const deobfuscateFn = options.noDeobfuscate ? null : deobfuscate;
 
   // Helper: yield to event loop so spinner can animate between sync operations
-  const yieldThen = (fn) => new Promise(resolve => setImmediate(() => resolve(fn())));
+  // Yield to the event loop before running `fn`. Without the try/catch the
+  // exception escapes the setImmediate callback as an uncaught exception
+  // (Node's setImmediate handler is outside any await/promise frame) and
+  // crashes the process — which is what was killing evaluate on benigns that
+  // hit a corner-case in detect-cross-file.js. Now sync throws become
+  // promise rejections, picked up by the surrounding try/catch.
+  const yieldThen = (fn) => new Promise((resolve, reject) =>
+    setImmediate(() => { try { resolve(fn()); } catch (e) { reject(e); } })
+  );
 
   // Cross-file module graph analysis (before individual scanners)
   // Bounded: 5s timeout to prevent DoS on large/adversarial packages

package/src/scanner/module-graph/detect-cross-file.js

@@ -395,7 +395,7 @@ function collectImportTaint(ast, currentFile, graph, taintedExports, packagePath
       // const data = reader.getData()  or  const data = reader.data
       if (decl.init.type === 'MemberExpression' && decl.init.object.type === 'Identifier') {
         const modRef = localTaint['__module__' + decl.init.object.name];
-        if (modRef) {
+        if (modRef && modRef.modTaint) {
           const propName = decl.init.property.name || decl.init.property.value;
           if (modRef.modTaint[propName] && modRef.modTaint[propName].tainted) {
             const t = modRef.modTaint[propName];
@@ -411,7 +411,7 @@ function collectImportTaint(ast, currentFile, graph, taintedExports, packagePath
         const callee = decl.init.callee;
         if (callee.object.type === 'Identifier') {
           const modRef = localTaint['__module__' + callee.object.name];
-          if (modRef) {
+          if (modRef && modRef.modTaint) {
             const propName = callee.property.name || callee.property.value;
             if (modRef.modTaint[propName] && modRef.modTaint[propName].tainted) {
               const t = modRef.modTaint[propName];
@@ -474,7 +474,7 @@ function collectImportTaint(ast, currentFile, graph, taintedExports, packagePath
             const thisProp = decl.init.callee.object.property.name || decl.init.callee.object.property.value;
             const methodName = decl.init.callee.property.name || decl.init.callee.property.value;
             const modRef = thisRefs[thisProp];
-            if (modRef && methodName && modRef.modTaint[methodName] && modRef.modTaint[methodName].tainted) {
+            if (modRef && methodName && modRef.modTaint && modRef.modTaint[methodName] && modRef.modTaint[methodName].tainted) {
               const t = modRef.modTaint[methodName];
               localTaint[decl.id.name] = {
                 source: t.source,