muaddib-scanner 2.11.48 → 2.11.52

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines **17 parallel scanners** (234 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring** (16 compound rules), **ML classifiers** (XGBoost), and gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages.
+MUAD'DIB combines **20 parallel scanners** (262 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring** (17 compound rules), and a gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages. An XGBoost classifier exists in the codebase but is **currently inactive** (see [Evaluation Metrics](#evaluation-metrics) → ML Classifier section).
 
 ---
 
@@ -169,14 +169,14 @@ muaddib scrape                     # Full IOC refresh (~5min)
 muaddib diff HEAD~1                # Compare threats with previous commit
 muaddib init-hooks                 # Pre-commit hooks (husky/pre-commit/git)
 muaddib scan . --breakdown         # Explainable score decomposition
-muaddib replay                     # Ground truth validation (61/65 TPR@3)
+muaddib replay                     # Ground truth validation (90/94 TPR@3, v2.11.48)
 ```
 
 ---
 
 ## Features
 
-### 17 parallel scanners
+### 20 parallel scanners
 
 | Scanner | Detection |
 |---------|-----------|
@@ -198,10 +198,13 @@ muaddib replay                     # Ground truth validation (61/65 TPR@3)
 | Anti-Forensic AST (intel-triage P1.2) | XOR loop + self-delete + decoy write compound (csec autodelete) |
 | Stub Package (intel-triage P1.3) | Tiny main file + external dep URL + lifecycle hook (ltidi chain) |
 | Monorepo Scanner | Lerna/pnpm-workspace/turbo detection (Sprint 1 audit MR-C2 fix) |
+| Trusted-Dep-Diff (opt-in) | Diff against trusted dep tarballs from registry (v2.10.x) |
+| Python Source (PYSRC) | Import-time / install-time RCE patterns in `__init__.py` / `setup.py` (v2.11.41 — closes TrapDoor PyPI gap) |
+| Python AST (PYAST) | Tree-sitter-Python AST with taint-aware detectors (v2.11.42+) |
 
-### 234 detection rules
+### 259 detection rules
 
-All rules (229 RULES + 5 PARANOID) are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21021) for the complete rules reference.
+All rules (254 RULES + 5 PARANOID) are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21147) for the complete rules reference.
 
 ### Detected campaigns
 
@@ -275,7 +278,7 @@ With pre-commit framework:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.11.24
+    rev: v2.11.48
     hooks:
       - id: muaddib-scan
 ```
@@ -284,33 +287,57 @@ repos:
 
 ## Evaluation Metrics
 
+Latest measurement: **v2.11.48** (2026-05-26, Track D + PyPI download fix). Ground truth holds 96 samples (94 in-scope, 2 out-of-scope protestware). This run measures the full 94 in-scope set after the 2026-05-25 enrichment (Track C synthetic for the new PYSRC/PYAST/AST-092/AICONF-004/PKG-022 rules, Track A real-world tarballs recovered from VPS archive, Track B reconstructions from the in-house security-review benchmark).
+
+### Operational metrics (what an operator actually gets)
+
+These are the numbers a user gets when running `muaddib scan` against npm or PyPI packages. The pipeline executes scanners + FP caps only — no ML filter is applied (see ML Classifier note below).
+
 | Metric | Result | Details |
 |--------|--------|---------|
+| **Wild TPR** (Datadog 17K) | **92.8%** (13,538/14,587 in-scope) | 17,922 packages. 3,335 skipped (no JS). By category: compromised_lib 97.8%, malicious_intent 92.1% — last measurement v2.9.4, independent of GT. |
+| **TPR@3** (detection rate, v2.11.48) | **95.74%** (90/94 in-scope) | Full GT re-measurement. Threshold=3: any signal. 13 PyPI samples (was 0). 4 misses incl. 3 browser-only (lottie-player, polyfill-io, trojanized-jquery). |
+| **TPR@20** (alert rate, v2.11.48) | **88.30%** (83/94 in-scope) | Operational alert threshold=20. **+3.1pp vs v2.11.47** — Track D `recon_exfil_direct_ip` compound (MUADDIB-COMPOUND-016) closed the GT-095 gap (risk 3→50) and boosted GT-091 byvendors / GT-092 heloo131313 through `linux_fingerprint_exec`. |
+| **FPR rules** (Benign curated, v2.11.48 measure) | **1.10%** (6/545 scanned, 548 total) | **Unchanged after Track D** — the new compound + types created zero new FPs (sameFile gate + public-IP-only filter). Drop from 15.6% (v2.10.95) is attributable to FP caps F1-F14 (v2.10.97 → v2.11.31). 6 remaining FPs are real (meteor, prisma, @prisma/client, drizzle-orm, scrypt, liquid). |
+| **FPR** (Benign random, v2.11.48) | **2.50%** (5/200) | 200 random npm packages, unchanged. |
+| **FPR PyPI** (v2.11.48, first honest measurement) | **9.68%** (12/124 scanned, 132 total) | **Track D fixed the PyPI downloader** — removed `pip --no-binary :all:` flag (forced compile of wheel-only packages, timed out 38% of the time) + added `.whl` extraction via `extractArchive()`. Brought 42 previously-skipped giants (numpy/pandas/django/matplotlib/scikit-learn/...) into scope. All 12 FPs cluster at score 25-35: this is the cap-PyPI-35 artifact, not new rule misfires. Lifting the cap (Track E) would drop FPR PyPI to ≈0%. 8 residual fails are >500MB packages (torch, tensorflow, scipy, opencv-python, ansible…) hitting the 30s `PACK_TIMEOUT_MS`. |
+| **ADR** (Adversarial + Holdout, v2.11.48) | **96.26%** (103/107) | 67 adversarial + 40 holdout, global threshold=20. Stable vs v2.10.95. |
+
+**3913 tests** across 109 files. **262 rules** (257 RULES + 5 PARANOID — Track D added 3: AST-093, AST-094, COMPOUND-016).
+
+**Known issues (v2.11.48):**
+- *Cap PyPI à 35/100*: Python samples plafonnent à `riskScore=35` even when `globalRiskScore=100`. Confirmed empirically — all 12 PyPI FPs at score 25-35 (flask 32, django 35, tornado 35, bottle 30, pandas 25, matplotlib 25, plotly 25, bokeh 25, pymongo 35, coverage 32, fabric 35, websockets 35). Lifting the cap will simultaneously drop FPR PyPI to ≈0% and unblock PyPI MALWARE detection at higher thresholds. Track E target.
+
+### ML Classifier (offline only)
+
+`src/ml/classifier.js` is **not wired into `muaddib scan`**. The XGBoost model is currently exercised only by `muaddib evaluate` (offline metric replay) and `muaddib monitor` (LOG-ONLY since 2026-04-08, model collapsed pending retrain — see `src/monitor/queue.js:628`). The v2.11.48 evaluate-time replay shows the same 1.10% FPR (no additional FPs filtered) — kept as a reference for retrain validation, but the published operational FPR is the rules-only number above.
+
+> **Static evaluation caveats:**
+> - TPR measured on the full 94 in-scope samples from the 96-sample ground truth (2 out-of-scope protestware GT-005/GT-009 with `min_threats=0`)
+> - TPR@3 = detection rate (any signal); TPR@20 = operational alert threshold
+> - FPR rules measured on 548 curated popular npm packages (not a random sample)
+> - FPR PyPI: 124/132 scanned (8 download fails on >500MB giants — torch/tensorflow/ansible/…). Smaller N than npm.
+> - ADR measured with global threshold (score >= 20) as of v2.6.5
+
+See [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) for the full experimental protocol, holdout history, and Datadog benchmark details.
+
+### ML Classifier — R&D, currently inactive
+
+> **Status (2026-04-08 → present):** The XGBoost classifier (`src/ml/classifier.js`) is **not wired into `muaddib scan`** at all, and in `muaddib monitor` it runs in **LOG-ONLY mode** since 2026-04-08 — the trained model collapsed (predicts p≈0.002 for every input, including clearly malicious lifecycle+exec+staged_payload patterns) and was disabled pending retrain on balanced JSONL data. The metrics below come from offline `muaddib evaluate` replay against a frozen bench. They describe what the model *would* contribute if it worked, **not** what an operator gets today.
+
+| Metric (offline `evaluate` replay) | Result | Details |
+|--------|--------|---------|
 | **ML FPR** | **2.85%** (239/8,393 holdout) | XGBoost retrained on 56,564 samples, 64 features, threshold=0.710 |
 | **ML TPR** | **99.93%** (2,918/2,920 holdout) | 377 confirmed_malicious via OSSF/GHSA/npm correlation |
-| **Wild TPR** (Datadog 17K) | **92.8%** (13,538/14,587 in-scope) | 17,922 packages. 3,335 skipped (no JS). By category: compromised_lib 97.8%, malicious_intent 92.1% |
-| **TPR@3** (detection rate) | **93.85%** (61/65) | 67 real attacks (65 active, 2 out-of-scope: GT-005 colors, GT-009 faker — protestware with min_threats=0). Threshold=3: any signal |
-| **TPR@20** (alert rate) | **86.2%** (56/65) | Operational alert threshold=20, aligned with ADR/FPR |
-| **FPR rules** (Benign curated, v2.10.95 measure) | **15.6%** (85/545 scanned, 548 total) | npm packages, real source via `npm pack`; v2.10.74 estimated 6-9% reduction did NOT materialize on rebuilt corpus |
-| **FPR after ML** (v2.10.95 measure) | **10.28%** (56/545 scanned) | ML filters 29/30 T1 benign, 0 GT/ADR suppressed |
-| **FPR** (Benign random, v2.10.95 measure) | **7.0%** (14/200) | 200 random npm packages, stratified sampling |
-| **ADR** (Adversarial + Holdout) | **96.3%** (103/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
-
-**3664 tests** across 93 files. **234 rules** (229 RULES + 5 PARANOID).
+| **FPR after ML T1** (offline replay, v2.11.48) | **1.10%** (6/545 scanned) | Classifier filters 0/6 raw FPs in this run (filtered 1 at v2.11.47). Not applied during real scans — `muaddib scan` never invokes the classifier. |
 
-> **ML retrain methodology (v2.10.51):**
+> **Retrain methodology (v2.10.51):**
 > - Ground truth: 377 confirmed_malicious via auto-labeler (OSSF malicious-packages, GitHub Advisory Database, npm registry takedown correlation)
 > - Dataset: 56,564 samples (14,602 malicious, 41,962 clean). Stratified 80/20 split
 > - Grid search: depth=4, estimators=300, lr=0.05. AUC-ROC=0.999, F1=0.960
 > - Leaky feature filter: 23 dead/leaky features removed (source-identity proxies)
 >
-> **Static evaluation caveats:**
-> - TPR measured on 65 active Node.js attack samples (2 out-of-scope: GT-005 colors, GT-009 faker, both protestware with min_threats=0; from 67 total)
-> - TPR@3 = detection rate (any signal); TPR@20 = operational alert threshold
-> - FPR measured on 532 curated popular npm packages (not a random sample)
-> - ADR measured with global threshold (score >= 20) as of v2.6.5
-
-See [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) for the full experimental protocol, holdout history, and Datadog benchmark details.
+> The shadow model continues to log predictions in `muaddib monitor` for retraining validation. When the next model passes shadow validation, the LOG-ONLY guard in `src/monitor/queue.js:660` will be flipped and the metrics above will move back into the operational table.
 
 ---
 
@@ -344,11 +371,11 @@ npm test
 
 ### Testing
 
-- **3664 tests** across 93 modular test files
+- **3913 tests** across 109 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
-- **Ground truth validation** - 67 real-world attacks (93.85% TPR@3, 86.2% TPR@20 — v2.10.95 measure)
-- **False positive validation** (v2.10.95 measure) - 15.6% FPR rules (85/545 scanned), 10.28% after ML (56/545 scanned), 7.0% on 200 random
+- **Ground truth validation** - 96 real-world attacks (95.74% TPR@3, 88.30% TPR@20 — v2.11.48 full measure on 94 in-scope)
+- **False positive validation** (v2.11.48 measure) - 1.10% FPR rules (6/545 scanned), 2.50% on 200 random, 9.68% on 124/132 PyPI (first honest measurement post-Track-D download fix). ML classifier currently inactive — see Evaluation Metrics → ML Classifier.
 
 ---
 
@@ -365,7 +392,7 @@ npm test
 - [Documentation Index](docs/INDEX.md) - All documentation in one place
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
-- [Security Policy](SECURITY.md) - Detection rules reference (234 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (259 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.48",
+  "version": "2.11.52",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.48.json → self-scan-v2.11.52.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-26T08:43:39.544Z",
+  "timestamp": "2026-05-26T21:21:36.874Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/ingestion.js

@@ -141,7 +141,10 @@ async function getWeeklyDownloads(packageName) {
   }
   try {
     const url = `https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(packageName)}`;
-    const body = await httpsGet(url, 3000);
+    // Routed via _deps so tests can stub the downloads endpoint independently
+    // of the registry endpoint (Stage 2.1 added parallel-fetch from
+    // preResolveNpmBatch).
+    const body = await _deps.httpsGet(url, 3000);
     const data = JSON.parse(body);
     const downloads = typeof data.downloads === 'number' ? data.downloads : -1;
     downloadsCache.set(packageName, { downloads, fetchedAt: Date.now() });
@@ -158,12 +161,15 @@ function getNpmTarballUrl(pkgData) {
 }
 
 async function getPyPITarballUrl(packageName, packageVersion = '') {
-  // Per-version endpoint when we know the version (e.g. from the XML-RPC changelog) —
-  // guarantees we scan the artifact that just landed, not whatever became "latest"
-  // between event detection and scan. Falls back to /pypi/<name>/json (latest) otherwise.
-  const url = packageVersion
-    ? `https://pypi.org/pypi/${encodeURIComponent(packageName)}/${encodeURIComponent(packageVersion)}/json`
-    : `https://pypi.org/pypi/${encodeURIComponent(packageName)}/json`;
+  // Always hit the package-level endpoint. It contains:
+  //   - info.version  → latest version
+  //   - urls          → files for the latest version
+  //   - releases      → files for ALL versions (so we can find packageVersion's
+  //                     exact artifact, same anti-race guarantee as the per-
+  //                     version endpoint used to provide)
+  // We extract triage metadata (age_days, version_count) from `releases` in
+  // the same round-trip — keeps Stage 2's PyPI cost at 1 HTTP call.
+  const url = `https://pypi.org/pypi/${encodeURIComponent(packageName)}/json`;
   const body = await _deps.httpsGet(url);
   let data;
   try {
@@ -171,20 +177,58 @@ async function getPyPITarballUrl(packageName, packageVersion = '') {
   } catch (e) {
     throw new Error(`Invalid JSON from PyPI for ${packageName}: ${e.message}`);
   }
-  const version = (data.info && data.info.version) || packageVersion || '';
-  const urls = data.urls || [];
-  // Prefer sdist (.tar.gz)
-  const sdist = urls.find(u => u.packagetype === 'sdist' && u.url);
-  if (sdist) return { url: sdist.url, version };
-  // Fallback: any .tar.gz
-  const tarGz = urls.find(u => u.url && u.url.endsWith('.tar.gz'));
-  if (tarGz) return { url: tarGz.url, version };
-  // Fallback: wheel (.whl) — extracted via adm-zip in queue.js, not tar.
-  // Legacy .egg / .tar.bz2 / .exe installers intentionally NOT returned —
-  // they were the cause of ~2773 tar_failed/day before this fix.
-  const wheel = urls.find(u => u.url && (u.url.endsWith('.whl') || u.url.endsWith('.zip')));
-  if (wheel) return { url: wheel.url, version };
-  return { url: null, version };
+
+  const latestVersion = (data.info && data.info.version) || '';
+  const version = packageVersion || latestVersion;
+  const releases = (data && data.releases) || {};
+
+  // Pick files for the requested version (preserves the original anti-race
+  // guarantee — we scan the exact version flagged by the changelog). If
+  // absent (e.g. lazy resolution without a known version), use latest urls.
+  const files = (packageVersion && Array.isArray(releases[packageVersion]))
+    ? releases[packageVersion]
+    : (Array.isArray(data.urls) ? data.urls : []);
+
+  // Tarball selection priority unchanged: sdist > .tar.gz > .whl/.zip.
+  // Legacy .egg / .tar.bz2 / .exe intentionally not returned (they were the
+  // cause of ~2773 tar_failed/day before the original fix).
+  let tarballUrl = null;
+  const sdist = files.find(u => u && u.packagetype === 'sdist' && u.url);
+  if (sdist) {
+    tarballUrl = sdist.url;
+  } else {
+    const tarGz = files.find(u => u && u.url && u.url.endsWith('.tar.gz'));
+    if (tarGz) {
+      tarballUrl = tarGz.url;
+    } else {
+      const wheel = files.find(u => u && u.url && (u.url.endsWith('.whl') || u.url.endsWith('.zip')));
+      if (wheel) tarballUrl = wheel.url;
+    }
+  }
+
+  // Stage 2 triage metadata: derived from `releases` once per fetch.
+  const versionCount = Object.keys(releases).length;
+  let earliestUpload = Number.MAX_SAFE_INTEGER;
+  for (const v of Object.keys(releases)) {
+    const versionFiles = releases[v];
+    if (!Array.isArray(versionFiles)) continue;
+    for (const f of versionFiles) {
+      if (f && f.upload_time) {
+        const ts = Date.parse(f.upload_time);
+        if (Number.isFinite(ts) && ts < earliestUpload) earliestUpload = ts;
+      }
+    }
+  }
+  const ageDays = earliestUpload !== Number.MAX_SAFE_INTEGER
+    ? Math.floor((Date.now() - earliestUpload) / 86_400_000)
+    : null;
+
+  return {
+    url: tarballUrl,
+    version,
+    age_days: ageDays,
+    version_count: versionCount,
+  };
 }
 
 // --- RSS parsing ---
@@ -372,7 +416,7 @@ async function getNpmLatestTarball(packageName) {
   await acquireRegistrySlot();
   let body;
   try {
-    body = await httpsGet(url);
+    body = await _deps.httpsGet(url);
   } finally {
     releaseRegistrySlot();
   }
@@ -388,11 +432,153 @@ async function getNpmLatestTarball(packageName) {
       version: '', tarball: null, unpackedSize: 0, scripts: {},
       homepage: '', description: '',
       latestTagVersion: null, recentVersions: [],
+      age_days: null, version_count: 0,
     };
   }
+  // Stage 2.1 — extract reputation signals from the packument we already have,
+  // so triageRisk in queue.js doesn't have to refetch metadata via
+  // getPackageMetadata. Two fields are derivable from the packument alone:
+  //   - age_days   : time.created (package creation timestamp)
+  //   - version_count : Object.keys(versions).length (excludes unpublished
+  //                     tombstones kept only in `time`)
+  // weekly_downloads requires a separate api.npmjs.org call and is fetched in
+  // parallel by preResolveNpmBatch (it has its own cache + no semaphore).
+  const createdAt = (packument && packument.time && packument.time.created) || null;
+  result.age_days = createdAt
+    ? Math.floor((Date.now() - new Date(createdAt).getTime()) / 86_400_000)
+    : null;
+  result.version_count = (packument && packument.versions)
+    ? Object.keys(packument.versions).length : 0;
   return result;
 }
 
+// --- Pre-resolution helpers ---
+//
+// Resolve tarball URLs and metadata at ingestion time so scan workers do not
+// each pay a separate registry round-trip. Best-effort: any failure leaves
+// item.tarballUrl untouched (null) so resolveTarballAndScan() in queue.js
+// falls back to its existing lazy-resolution path (zero scan loss).
+//
+// HTTP throttling: getNpmLatestTarball / getPyPITarballUrl already acquire
+// the shared REGISTRY_SEMAPHORE_MAX=20 slot + 30 req/sec token bucket, so
+// fan-out is naturally bounded — bursts queue up rather than overrun the
+// registry. We still chunk explicitly below so the Promise closures don't
+// pile up on a 1000-item catch-up batch (each waiting on the semaphore
+// holds ~10KB of state; 1000 of them is a needless heap spike).
+const PRE_RESOLVE_CHUNK_SIZE = 50;
+
+// If a scanQueue is provided, items are pushed onto it as soon as their chunk
+// finishes resolution — so a crash mid-batch only loses the current chunk's
+// in-flight work, not all the chunks that already completed. When scanQueue
+// is omitted (unit tests, lib usage), items are only mutated in place and the
+// caller decides when to push.
+async function preResolveNpmBatch(items, stats, scanQueue) {
+  if (!items || items.length === 0) return;
+  const start = Date.now();
+  let resolved = 0;
+  let alreadyResolved = 0;
+  let failed = 0;
+  for (let i = 0; i < items.length; i += PRE_RESOLVE_CHUNK_SIZE) {
+    const chunk = items.slice(i, i + PRE_RESOLVE_CHUNK_SIZE);
+    await Promise.all(chunk.map(async (item) => {
+      if (item.tarballUrl) { alreadyResolved++; return; }
+      try {
+        // Stage 2.1 — fetch downloads in parallel with the packument. The
+        // downloads endpoint (api.npmjs.org) is not on the registry semaphore
+        // and has its own internal cache, so this is effectively free in the
+        // warm-cache case and adds at most one parallel HTTP otherwise.
+        const [npmInfo, weeklyDownloads] = await Promise.all([
+          getNpmLatestTarball(item.name),
+          getWeeklyDownloads(item.name).catch(() => null)
+        ]);
+        if (npmInfo && npmInfo.tarball) {
+          item.tarballUrl = npmInfo.tarball;
+          if (!item.version) item.version = npmInfo.version || '';
+          if (!item.unpackedSize) item.unpackedSize = npmInfo.unpackedSize || 0;
+          if (!item.registryScripts) item.registryScripts = npmInfo.scripts || null;
+          // weekly_downloads is best-effort. getWeeklyDownloads returns -1 on
+          // failure; normalize that to null so triageRisk treats it as missing
+          // (rather than silently biasing the reputation factor toward "suspect").
+          npmInfo.weekly_downloads = (typeof weeklyDownloads === 'number' && weeklyDownloads >= 0)
+            ? weeklyDownloads : null;
+          // Stash full packument-derived metadata for resolveTarballAndScan so
+          // the worker can run ATO-signature, burst-extras, and fast-track logic
+          // without a second registry call. Stage 2.1 enriches this with
+          // age_days / version_count (from getNpmLatestTarball) and
+          // weekly_downloads (from getWeeklyDownloads) so the triage block in
+          // queue.js can read meta directly without re-fetching.
+          item._npmInfo = npmInfo;
+          resolved++;
+        } else {
+          failed++;
+        }
+      } catch {
+        // Silent: worker will retry via lazy resolution. Logging here would
+        // double-count errors that the worker already surfaces.
+        failed++;
+      }
+    }));
+    // Crash resilience: surface this chunk to the queue now, before the next
+    // chunk starts. If the process dies between chunks we still keep the work
+    // already done. Items keep their original order because chunks complete
+    // sequentially.
+    if (scanQueue) {
+      for (const item of chunk) scanQueue.push(item);
+    }
+  }
+  if (stats) {
+    stats.npmPreResolved = (stats.npmPreResolved || 0) + resolved;
+    stats.npmPreResolveFailed = (stats.npmPreResolveFailed || 0) + failed;
+  }
+  if (items.length >= 5) {
+    const elapsed = Date.now() - start;
+    console.log(`[MONITOR] PRE-RESOLVE npm: ${resolved}/${items.length} in ${elapsed}ms (${failed} → lazy fallback${alreadyResolved ? `, ${alreadyResolved} already resolved` : ''})`);
+  }
+}
+
+async function preResolvePyPIBatch(items, stats, scanQueue) {
+  if (!items || items.length === 0) return;
+  const start = Date.now();
+  let resolved = 0;
+  let alreadyResolved = 0;
+  let failed = 0;
+  for (let i = 0; i < items.length; i += PRE_RESOLVE_CHUNK_SIZE) {
+    const chunk = items.slice(i, i + PRE_RESOLVE_CHUNK_SIZE);
+    await Promise.all(chunk.map(async (item) => {
+      if (item.tarballUrl) { alreadyResolved++; return; }
+      try {
+        const pypiInfo = await getPyPITarballUrl(item.name, item.version || '');
+        if (pypiInfo && pypiInfo.url) {
+          item.tarballUrl = pypiInfo.url;
+          if (!item.version && pypiInfo.version) item.version = pypiInfo.version;
+          // Stage 2 triage signals: stash age_days + version_count for
+          // triageRisk() to read in queue.js without a second registry call.
+          item._pypiInfo = {
+            age_days: pypiInfo.age_days,
+            version_count: pypiInfo.version_count,
+          };
+          resolved++;
+        } else {
+          failed++;
+        }
+      } catch {
+        failed++;
+      }
+    }));
+    if (scanQueue) {
+      for (const item of chunk) scanQueue.push(item);
+    }
+  }
+  if (stats) {
+    stats.pypiPreResolved = (stats.pypiPreResolved || 0) + resolved;
+    stats.pypiPreResolveFailed = (stats.pypiPreResolveFailed || 0) + failed;
+  }
+  if (items.length >= 5) {
+    const elapsed = Date.now() - start;
+    console.log(`[MONITOR] PRE-RESOLVE pypi: ${resolved}/${items.length} in ${elapsed}ms (${failed} → lazy fallback${alreadyResolved ? `, ${alreadyResolved} already resolved` : ''})`);
+  }
+}
+
 // --- npm polling ---
 
 /**
@@ -481,6 +667,10 @@ async function pollNpmChanges(state, scanQueue, stats) {
     stats.npmPublishEventsSeen = (stats.npmPublishEventsSeen || 0) + data.results.length;
 
     let queued = 0;
+    // Collect items into a local batch so we can pre-resolve tarball URLs in
+    // parallel before pushing to scanQueue. Items reach workers with metadata
+    // already attached → workers skip the per-scan registry round-trip.
+    const newItems = [];
     for (const change of data.results) {
       // Skip deleted packages
       if (change.deleted) continue;
@@ -547,11 +737,10 @@ async function pollNpmChanges(state, scanQueue, stats) {
       // Layer 3: Evaluate if this package should be cached
       const cacheTrigger = evaluateCacheTrigger(name, docMeta, change.doc || null);
 
-      // Layer 2: Extract tarball URL from CouchDB doc (eliminates lazy resolution 404 race)
-      // NOTE: fastTrack flag is computed in resolveTarballAndScan() AFTER metadata
-      // resolution via getNpmLatestTarball(). It cannot be computed here because
-      // post-May 2025, include_docs is deprecated and change.doc is always null.
-      scanQueue.push({
+      // Post-May 2025: change.doc is always null, so docMeta is null and tarballUrl
+      // starts as null. preResolveNpmBatch below fills tarballUrl + metadata via
+      // a parallel registry fetch so workers do not pay the round-trip per scan.
+      newItems.push({
         name,
         version: docMeta ? docMeta.version : '',
         ecosystem: 'npm',
@@ -564,6 +753,11 @@ async function pollNpmChanges(state, scanQueue, stats) {
       queued++;
     }
 
+    // Parallel pre-resolution, pushed chunk by chunk for crash resilience.
+    // Failures leave tarballUrl=null so the existing lazy-resolution path in
+    // resolveTarballAndScan() picks up the slack — zero scan loss.
+    await preResolveNpmBatch(newItems, stats, scanQueue);
+
     // Update seq in memory only — disk persistence is handled by daemon.js
     // after both queue and seq are saved atomically (prevents data loss on crash).
     if (data.last_seq != null) {
@@ -623,6 +817,7 @@ async function pollNpmRss(state, scanQueue, stats) {
     // falls back to RSS.
     stats.npmPublishEventsSeen = (stats.npmPublishEventsSeen || 0) + newPackages.length;
 
+    const newItems = [];
     for (const name of newPackages) {
       if (name === SELF_PACKAGE_NAME) {
         console.log(`[MONITOR] SKIPPED (self): ${name}`);
@@ -666,15 +861,18 @@ async function pollNpmRss(state, scanQueue, stats) {
         }
       }
 
-      // Queue npm packages — tarball URL resolved during scan
-      scanQueue.push({
+      newItems.push({
         name,
         version: '',
         ecosystem: 'npm',
-        tarballUrl: null // resolved lazily via resolveTarballAndScan (no CouchDB doc in RSS)
+        tarballUrl: null // pre-resolved below; lazy fallback preserved on failure
       });
     }
 
+    // Parallel pre-resolution with per-chunk push → crash-resilient and saves
+    // the worker's per-scan registry round-trip when it succeeds.
+    await preResolveNpmBatch(newItems, stats, scanQueue);
+
     // Remember the most recent package (first in RSS)
     if (packages.length > 0) {
       state.npmLastPackage = packages[0];
@@ -901,6 +1099,7 @@ async function pollPyPIChangelog(state, scanQueue, stats) {
     const seen = new Set();
     let queued = 0;
     let maxSerial = lastSerial;
+    const newItems = [];
 
     for (const ev of events) {
       if (ev.serial > maxSerial) maxSerial = ev.serial;
@@ -932,16 +1131,20 @@ async function pollPyPIChangelog(state, scanQueue, stats) {
         }
       } catch { /* IOC load failure is non-fatal */ }
 
-      scanQueue.push({
+      newItems.push({
         name: ev.name,
         version: ev.version,
         ecosystem: 'pypi',
-        tarballUrl: null, // resolved lazily via getPyPITarballUrl()
+        tarballUrl: null, // pre-resolved below; lazy fallback preserved
         isIOCMatch: isKnownIOC
       });
       queued++;
     }
 
+    // Parallel pre-resolution with per-chunk push to scanQueue. Failures keep
+    // tarballUrl=null so resolveTarballAndScan() falls back to lazy lookup.
+    await preResolvePyPIBatch(newItems, stats, scanQueue);
+
     // Persist the serial both in memory and on disk before returning.
     // daemon.js also flushes state.json after the queue is saved, but writing the
     // dedicated serial file here means a crash between the two flush points costs
@@ -996,17 +1199,22 @@ async function pollPyPIRss(state, scanQueue) {
       }
     }
 
+    const newItems = [];
     for (const name of newPackages) {
       console.log(`[MONITOR] New pypi (rss): ${name}`);
-      // Queue PyPI packages — tarball URL resolved during scan
-      scanQueue.push({
+      newItems.push({
         name,
         version: '',
         ecosystem: 'pypi',
-        tarballUrl: null // resolved lazily in scanPackage wrapper
+        tarballUrl: null // pre-resolved below; lazy fallback preserved
       });
     }
 
+    // pollPyPIRss does not have a stats arg today; pass {} so the helper still
+    // runs but per-poll counters are dropped. The PRE-RESOLVE log line gives
+    // operational visibility regardless. scanQueue is passed for per-chunk push.
+    await preResolvePyPIBatch(newItems, {}, scanQueue);
+
     // Remember the most recent package (first in RSS)
     if (packages.length > 0) {
       state.pypiLastPackage = packages[0];
@@ -1119,6 +1327,8 @@ module.exports = {
   getNpmTarballUrl,
   getPyPITarballUrl,
   getNpmLatestTarball,
+  preResolveNpmBatch,
+  preResolvePyPIBatch,
 
   // RSS parsing
   parseNpmRss,

package/src/monitor/queue.js

@@ -73,6 +73,7 @@ const {
   buildCanaryExfiltrationWebhookEmbed,
   getWebhookUrl,
   computeReputationFactor,
+  triageRisk,
   computeRiskLevel,
   sendDailyReport,
   alertedPackageRules,
@@ -127,6 +128,22 @@ const LARGE_PACKAGE_SIZE = 10 * 1024 * 1024; // 10MB
 const FIRST_PUBLISH_SANDBOX_MAX_QUEUE = parseInt(process.env.MUADDIB_FIRST_PUBLISH_SANDBOX_MAX_QUEUE, 10) || 10;
 const FIRST_PUBLISH_SANDBOX_ENABLED = process.env.MUADDIB_FIRST_PUBLISH_SANDBOX !== '0';
 
+// Stage 3 — sandbox gate. Static-score threshold below which T1b/T2 packages
+// are NOT sandboxed (static result alone is authoritative). Tightens the prior
+// "T1b sandbox if score >= 25 or queue < 20" to remove low-signal sandbox runs
+// that consume slots without producing actionable findings (the dominant cost
+// in the queue-saturation diagnostic). Validated by axon-enterprise@1.0.0
+// (static 52, sandbox confirmed 100) — gate >= 40 still catches it.
+// T1a (high-confidence malice) bypasses this gate; it's mandatory.
+// Override via env var to widen the gate (lower threshold) for a short
+// rollback window without redeploying. Clamped to [0, 100].
+function computeSandboxScoreThreshold(envValue) {
+  const parsed = parseInt(envValue, 10);
+  const value = Number.isFinite(parsed) ? parsed : 40;
+  return Math.max(0, Math.min(100, value));
+}
+const SANDBOX_SCORE_THRESHOLD = computeSandboxScoreThreshold(process.env.MUADDIB_SANDBOX_SCORE_THRESHOLD);
+
 // --- Bundled tooling false-positive filter ---
 
 const KNOWN_BUNDLED_FILES = ['yarn.js', 'webpack.js', 'terser.js', 'esbuild.js', 'polyfills.js'];
@@ -444,7 +461,11 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         version,
         ecosystem,
         monitorMode: true,
-        trustedDepDiff: true
+        trustedDepDiff: true,
+        // Stage 2: set by processQueueItem when MUADDIB_TRIAGE_MODE=enforce.
+        // Defaults to 'full' so any CLI/test caller that bypasses triage gets
+        // the full 20-scanner pipeline (unchanged behaviour).
+        scanMode: (meta && meta.scanMode) || 'full'
       };
       result = await runScanInWorker(extractedDir, STATIC_SCAN_TIMEOUT_MS, scanContext);
     } catch (staticErr) {
@@ -733,14 +754,16 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         }
 
         // T1a: mandatory sandbox (HC malice types, TIER1_TYPES non-LOW, lifecycle + intent compound)
-        // T1b: conditional sandbox (HIGH/CRITICAL without HC type — bundler FP zone)
-        //       → sandbox only if score >= 25 (significant risk) or queue pressure is low
-        // T2: sandbox if queue < 50 (as before)
+        // T1b: conditional sandbox — gated by SANDBOX_SCORE_THRESHOLD (Stage 3).
+        //       Previously gated at >= 25 OR queue < 20; tightened to >= 40 by
+        //       default because the 25-39 band produced no decisive sandbox
+        //       findings in 4 months of prod data (axon-enterprise was at 52).
+        // T2:  conditional sandbox — same score gate AND queue < 50.
         let sandboxResult = null;
         const shouldSandbox = !skipSandboxLargePackage && isSandboxEnabled() && sandboxAvailable && (
           tier === '1a' ||
-          (tier === '1b' && (riskScore >= 25 || scanQueue.length < 20)) ||
-          (tier === 2 && scanQueue.length < 50)
+          (tier === '1b' && riskScore >= SANDBOX_SCORE_THRESHOLD) ||
+          (tier === 2 && riskScore >= SANDBOX_SCORE_THRESHOLD && scanQueue.length < 50)
         );
 
         if (shouldSandbox) {
@@ -808,8 +831,12 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
           } catch (err) {
             console.error(`[MONITOR] SANDBOX error for ${name}@${version}: ${err.message}`);
           }
-        } else if (tier === '1b' && sandboxAvailable) {
-          console.log(`[MONITOR] SANDBOX DEFERRED (T1b, score=${riskScore} < 25, queue ${scanQueue.length} >= 20): ${name}@${version}`);
+        } else if (tier === '1b' && sandboxAvailable && riskScore >= SANDBOX_SCORE_THRESHOLD) {
+          // Stage 3 — defer only when the score crosses the gate. Below the
+          // threshold, sandbox is skipped entirely (static result is final).
+          // This stops the deferred-queue from filling with low-score items
+          // that would never produce decisive sandbox findings.
+          console.log(`[MONITOR] SANDBOX DEFERRED (T1b, score=${riskScore}, queue ${scanQueue.length}): ${name}@${version}`);
           enqueueDeferred({
             name, version, ecosystem, tier, riskScore, tarballUrl,
             enqueuedAt: Date.now(),
@@ -818,10 +845,14 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
             retries: 0
           });
           stats.sandboxDeferred = (stats.sandboxDeferred || 0) + 1;
+        } else if (tier === '1b' && sandboxAvailable) {
+          // Below SANDBOX_SCORE_THRESHOLD — no sandbox, no defer.
+          console.log(`[MONITOR] SANDBOX GATED (T1b, score=${riskScore} < ${SANDBOX_SCORE_THRESHOLD}): ${name}@${version}`);
+          stats.sandboxGated = (stats.sandboxGated || 0) + 1;
         } else if (tier === '1b') {
           console.log(`[MONITOR] SANDBOX SKIPPED (T1b, no Docker): ${name}@${version}`);
-        } else if (tier === 2 && sandboxAvailable) {
-          console.log(`[MONITOR] SANDBOX DEFERRED (T2, queue ${scanQueue.length} >= 50): ${name}@${version}`);
+        } else if (tier === 2 && sandboxAvailable && riskScore >= SANDBOX_SCORE_THRESHOLD) {
+          console.log(`[MONITOR] SANDBOX DEFERRED (T2, score=${riskScore}, queue ${scanQueue.length}): ${name}@${version}`);
           enqueueDeferred({
             name, version, ecosystem, tier, riskScore, tarballUrl,
             enqueuedAt: Date.now(),
@@ -830,6 +861,11 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
             retries: 0
           });
           stats.sandboxDeferred = (stats.sandboxDeferred || 0) + 1;
+        } else if (tier === 2 && sandboxAvailable) {
+          // Below SANDBOX_SCORE_THRESHOLD — T2 was already passive; staying
+          // static-only matches the existing T3 behaviour.
+          console.log(`[MONITOR] SANDBOX GATED (T2, score=${riskScore} < ${SANDBOX_SCORE_THRESHOLD}): ${name}@${version}`);
+          stats.sandboxGated = (stats.sandboxGated || 0) + 1;
         } else if (tier === 2) {
           console.log(`[MONITOR] SANDBOX SKIPPED (T2, no Docker): ${name}@${version}`);
         }
@@ -1114,65 +1150,78 @@ async function processQueue(scanQueue, stats, dailyAlerts, recentlyScanned, down
 async function resolveTarballAndScan(item, stats, dailyAlerts, recentlyScanned, downloadsCache, scanQueue, sandboxAvailable, signal) {
   if (signal && signal.aborted) return;
 
-  if (item.ecosystem === 'npm' && !item.tarballUrl) {
+  if (item.ecosystem === 'npm') {
+    // Pre-resolve at ingestion (ingestion.js:preResolveNpmBatch) attaches
+    // _npmInfo when it succeeds. Lazy path runs only when pre-resolve was
+    // skipped or failed — in which case _npmInfo is absent and tarballUrl is
+    // null. Either way, ATO / burst-extras / fast-track logic below runs on
+    // whichever npmInfo we have, preserving full behavior.
+    let npmInfo = item._npmInfo || null;
     try {
-      const npmInfo = await getNpmLatestTarball(item.name);
-      if (!npmInfo.tarball) {
-        console.log(`[MONITOR] SKIP: ${item.name} — no tarball URL found on npm`);
-        return;
-      }
-      item.tarballUrl = npmInfo.tarball;
-      if (npmInfo.version) item.version = npmInfo.version;
-      if (npmInfo.unpackedSize) item.unpackedSize = npmInfo.unpackedSize;
-      if (npmInfo.scripts) item.registryScripts = npmInfo.scripts;
-
-      // ATO signature: most-recently-published version differs from current
-      // dist-tags.latest. Pattern observed in TeamPCP / @antv 2026-05-19:
-      // attacker publishes 1-2 versions per package but does NOT bump the latest
-      // tag. semver resolution on `npm install <pkg>@^x.y` still pulls the
-      // malicious version. The mismatch is a strong ATO signal — legitimate
-      // maintainers almost always move latest when publishing.
-      if (npmInfo.latestTagVersion && npmInfo.version && npmInfo.version !== npmInfo.latestTagVersion) {
-        item.atoSignal = true;
-        console.log(`[MONITOR] ATO SIGNAL: ${item.name}@${item.version} published but dist-tags.latest=${npmInfo.latestTagVersion}`);
+      if (!item.tarballUrl) {
+        npmInfo = await getNpmLatestTarball(item.name);
+        if (!npmInfo.tarball) {
+          console.log(`[MONITOR] SKIP: ${item.name} — no tarball URL found on npm`);
+          return;
+        }
+        item.tarballUrl = npmInfo.tarball;
+        if (npmInfo.version) item.version = npmInfo.version;
+        if (npmInfo.unpackedSize) item.unpackedSize = npmInfo.unpackedSize;
+        if (npmInfo.scripts) item.registryScripts = npmInfo.scripts;
       }
 
-      // Burst-publish coverage: enqueue extra versions published in the same
-      // recent window. Single change event in the CouchDB feed can correspond
-      // to multiple version publishes when the attacker fires several in a
-      // burst (TeamPCP averaged ~2 versions per package). Without this we'd
-      // only scan whichever version happened to be the most recent at resolution
-      // time, racing the publish stream.
-      const recents = Array.isArray(npmInfo.recentVersions) ? npmInfo.recentVersions : [];
-      for (const recent of recents) {
-        if (!recent || !recent.tarball || !recent.version) continue;
-        const dedupeKey = `${item.name}@${recent.version}`;
-        if (recentlyScanned.has(dedupeKey)) continue;
-        scanQueue.push({
-          name: item.name,
-          version: recent.version,
-          ecosystem: 'npm',
-          tarballUrl: recent.tarball,
-          unpackedSize: recent.unpackedSize || 0,
-          registryScripts: recent.scripts || null,
-          atoSignal: item.atoSignal === true,
-          isATOBurstExtra: true,
-        });
-      }
+      if (npmInfo) {
+        // ATO signature: most-recently-published version differs from current
+        // dist-tags.latest. Pattern observed in TeamPCP / @antv 2026-05-19:
+        // attacker publishes 1-2 versions per package but does NOT bump the latest
+        // tag. semver resolution on `npm install <pkg>@^x.y` still pulls the
+        // malicious version. The mismatch is a strong ATO signal — legitimate
+        // maintainers almost always move latest when publishing.
+        if (npmInfo.latestTagVersion && item.version && item.version !== npmInfo.latestTagVersion) {
+          item.atoSignal = true;
+          console.log(`[MONITOR] ATO SIGNAL: ${item.name}@${item.version} published but dist-tags.latest=${npmInfo.latestTagVersion}`);
+        }
 
-      // Fast-track decision: large packages (>15MB) with no lifecycle scripts and no IOC match.
-      // Computed HERE (after metadata resolution), not at ingestion time — post-May 2025
-      // CouchDB changes feed has no docs, so metadata is only available after lazy fetch.
-      // Fast-track packages get: quick static scan (package.json + shell only), no AST,
-      // no sandbox, no LLM, no archiving. Exits in ~2-3s instead of 30-300s.
-      // ATO-signalled packages bypass fast-track regardless of size — we want
-      // the full pipeline (AST + sandbox) on anything that smells like an ATO.
-      const FAST_TRACK_SIZE_BYTES = 15 * 1024 * 1024;
-      if (!item.isIOCMatch && !item.atoSignal && (item.unpackedSize || 0) > FAST_TRACK_SIZE_BYTES) {
-        const scripts = item.registryScripts || {};
-        if (!scripts.preinstall && !scripts.postinstall && !scripts.install) {
-          item.fastTrack = true;
+        // Burst-publish coverage: enqueue extra versions published in the same
+        // recent window. Single change event in the CouchDB feed can correspond
+        // to multiple version publishes when the attacker fires several in a
+        // burst (TeamPCP averaged ~2 versions per package). Without this we'd
+        // only scan whichever version happened to be the most recent at resolution
+        // time, racing the publish stream.
+        const recents = Array.isArray(npmInfo.recentVersions) ? npmInfo.recentVersions : [];
+        for (const recent of recents) {
+          if (!recent || !recent.tarball || !recent.version) continue;
+          const dedupeKey = `${item.name}@${recent.version}`;
+          if (recentlyScanned.has(dedupeKey)) continue;
+          scanQueue.push({
+            name: item.name,
+            version: recent.version,
+            ecosystem: 'npm',
+            tarballUrl: recent.tarball,
+            unpackedSize: recent.unpackedSize || 0,
+            registryScripts: recent.scripts || null,
+            atoSignal: item.atoSignal === true,
+            isATOBurstExtra: true,
+          });
+        }
+
+        // Fast-track decision: large packages (>15MB) with no lifecycle scripts and no IOC match.
+        // Fast-track packages get: quick static scan (package.json + shell only), no AST,
+        // no sandbox, no LLM, no archiving. Exits in ~2-3s instead of 30-300s.
+        // ATO-signalled packages bypass fast-track regardless of size — we want
+        // the full pipeline (AST + sandbox) on anything that smells like an ATO.
+        const FAST_TRACK_SIZE_BYTES = 15 * 1024 * 1024;
+        if (!item.isIOCMatch && !item.atoSignal && (item.unpackedSize || 0) > FAST_TRACK_SIZE_BYTES) {
+          const scripts = item.registryScripts || {};
+          if (!scripts.preinstall && !scripts.postinstall && !scripts.install) {
+            item.fastTrack = true;
+          }
         }
+
+        // Free the packument-derived metadata once the per-item decisions are
+        // made — keeps queue items lean (a 28k-item queue × full packument JSON
+        // would be tens of MB of useless heap).
+        if (item._npmInfo) delete item._npmInfo;
       }
     } catch (err) {
       console.error(`[MONITOR] ERROR resolving npm tarball for ${item.name}: ${err.message}`);
@@ -1265,11 +1314,52 @@ async function resolveTarballAndScan(item, stats, dailyAlerts, recentlyScanned,
   // Abort check: if timeout fired during temporal checks, skip the expensive scan
   if (signal && signal.aborted) return;
 
+  // Stage 2 — Pass A triage. Decides whether the static scan runs all 20
+  // scanners or a quick_scan subset. Defaults to full when:
+  //   - env MUADDIB_TRIAGE_MODE !== 'enforce' (off | shadow | unset)
+  //   - the item is fastTrack-elected (already a more aggressive subset)
+  //   - any suspect signal flips triageRisk to 'full'
+  // Shadow mode computes + logs the decision but still runs full — safe way
+  // to observe classification share before flipping enforce.
+  const triageMode = (process.env.MUADDIB_TRIAGE_MODE || 'off').toLowerCase();
+  let effectiveScanMode = 'full';
+  if (triageMode !== 'off' && !item.fastTrack) {
+    let triageMeta = null;
+    if (item.ecosystem === 'npm') {
+      // Stage 2.1 — Stage 1 pre-resolve already fetched the packument and
+      // (Stage 2.1) computed age_days + version_count, plus parallel-fetched
+      // weekly_downloads. Read those directly to skip the second
+      // registry round-trip via getPackageMetadata. Fallback to the lazy
+      // metadata fetch only when _npmInfo is absent (lazy-resolve path).
+      if (item._npmInfo) {
+        triageMeta = {
+          age_days: item._npmInfo.age_days,
+          version_count: item._npmInfo.version_count,
+          weekly_downloads: item._npmInfo.weekly_downloads,
+        };
+      } else {
+        try {
+          const { getPackageMetadata } = require('../scanner/npm-registry.js');
+          triageMeta = await getPackageMetadata(item.name);
+        } catch { /* metadata unavailable → triageRisk will see null and pick 'full' */ }
+      }
+    } else if (item.ecosystem === 'pypi') {
+      triageMeta = item._pypiInfo || null;
+    }
+    const triage = triageRisk(item, triageMeta);
+    item.scanMode = triage.mode;
+    stats.triageQuick = (stats.triageQuick || 0) + (triage.mode === 'quick' ? 1 : 0);
+    stats.triageFull = (stats.triageFull || 0) + (triage.mode === 'full' ? 1 : 0);
+    console.log(`[TRIAGE] ${item.name}@${item.version || '?'}: mode=${triage.mode} reasons=[${triage.reasons.join(',') || 'none'}]`);
+    if (triageMode === 'enforce') effectiveScanMode = triage.mode;
+  }
+
   const scanResult = await scanPackage(item.name, item.version, item.ecosystem, item.tarballUrl, {
     unpackedSize: item.unpackedSize || 0,
     registryScripts: item.registryScripts || null,
     _cacheTrigger: item._cacheTrigger || null,
-    fastTrack: item.fastTrack || false
+    fastTrack: item.fastTrack || false,
+    scanMode: effectiveScanMode
   }, stats, dailyAlerts, recentlyScanned, downloadsCache, scanQueue, sandboxAvailable);
   const sandboxResult = scanResult && scanResult.sandboxResult;
   const staticClean = scanResult && scanResult.staticClean;
@@ -1367,6 +1457,8 @@ module.exports = {
   LARGE_PACKAGE_SIZE,
   FIRST_PUBLISH_SANDBOX_MAX_QUEUE,
   FIRST_PUBLISH_SANDBOX_ENABLED,
+  SANDBOX_SCORE_THRESHOLD,
+  computeSandboxScoreThreshold,
   KNOWN_BUNDLED_FILES,
   KNOWN_BUNDLED_PATHS,
   ML_EXCLUDED_DIRS,

package/src/monitor/webhook.js

@@ -304,6 +304,72 @@ function computeReputationFactor(metadata) {
   return Math.max(0.10, Math.min(1.5, factor));
 }
 
+/**
+ * True if the package declares an install-time lifecycle script that executes
+ * code on `npm install`. These hooks are the principal vehicle for malicious
+ * payloads (preinstall / postinstall / install). PyPI's setup.py equivalent is
+ * handled separately via `meta.has_setup_py` in triageRisk.
+ *
+ * Reads from both `item.registryScripts` (set by changes-stream docMeta when
+ * available) and `item._npmInfo.scripts` (set by Stage 1's preResolveNpmBatch).
+ *
+ * @param {Object} item - queue item
+ * @returns {boolean}
+ */
+function hasDangerousLifecycle(item) {
+  if (!item) return false;
+  const direct = item.registryScripts;
+  if (direct && (direct.preinstall || direct.postinstall || direct.install)) return true;
+  const stashed = item._npmInfo && item._npmInfo.scripts;
+  if (stashed && (stashed.preinstall || stashed.postinstall || stashed.install)) return true;
+  return false;
+}
+
+/**
+ * Pass A triage: choose between full pipeline (20 scanners) and quick_scan
+ * subset for a queued package. Default is `quick`; any suspect signal flips
+ * to `full`. Used by the monitor only — CLI scans default to full elsewhere.
+ *
+ * Tiers (any reason → full):
+ *   T0  IOC match / ATO signal / install-time lifecycle → known or high-prob threat
+ *   T1  No registry metadata available → cannot establish trust, default safe
+ *   T2  (npm) computeReputationFactor(meta) >= 1.0 → composite signal of new /
+ *       low-download / few-versions package, subsumes individual checks
+ *   T3  (PyPI) direct age < 30d or version_count < 5 → PyPI has no download
+ *       stats, so we cannot reuse the npm composite; use the direct fields the
+ *       PyPI JSON API exposes.
+ *
+ * Returning the reasons list (not just the mode) makes shadow-mode logs
+ * actionable for tuning.
+ *
+ * @param {Object} item - queue item
+ * @param {Object|null} meta - registry metadata {age_days, version_count, weekly_downloads, has_setup_py?}
+ * @returns {{mode: 'full'|'quick', reasons: string[]}}
+ */
+function triageRisk(item, meta) {
+  const reasons = [];
+  const ecosystem = (item && item.ecosystem) || null;
+
+  if (item && item.isIOCMatch) reasons.push('ioc_match');
+  if (item && item.atoSignal)  reasons.push('ato_signal');
+  if (hasDangerousLifecycle(item)) reasons.push('lifecycle_scripts');
+
+  if (!meta) {
+    reasons.push('no_metadata');
+  } else if (ecosystem === 'npm') {
+    const factor = computeReputationFactor(meta);
+    if (factor >= 1.0) reasons.push(`reputation_factor=${factor.toFixed(2)}`);
+  } else if (ecosystem === 'pypi') {
+    // PyPI has no weekly_downloads source today, so we cannot reuse
+    // computeReputationFactor as-is. Use direct signals instead.
+    if ((meta.age_days || 0) < 30) reasons.push('pypi_age<30d');
+    if ((meta.version_count || 0) < 5) reasons.push('pypi_version_count<5');
+    if (meta.has_setup_py === true) reasons.push('pypi_setup_py');
+  }
+
+  return { mode: reasons.length ? 'full' : 'quick', reasons };
+}
+
 /**
  * Persist a CRITICAL/HIGH alert to logs/alerts/YYYY-MM-DD-HH-mm-ss-<package>.json
  * Same payload as webhook — enables offline FPR/TPR trend analysis.
@@ -1237,6 +1303,8 @@ module.exports = {
   computeRiskLevel,
   computeRiskScore,
   computeReputationFactor,
+  hasDangerousLifecycle,
+  triageRisk,
   persistAlert,
   persistDailyReport,
   computeAlertPriority,

package/src/pipeline/executor.js

@@ -227,41 +227,80 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     'scanPythonAST'
   ];
 
+  // Stage 2 quick_scan subset (monitor-only, set via options.scanMode='quick'
+  // by queue.js when MUADDIB_TRIAGE_MODE=enforce). The subset keeps the heavy
+  // detectors that anchor TPR on the 96-sample GT (analyzeAST covers 70/96,
+  // analyzeDataFlow covers 31/96 — non-negotiable), the cheap high-signal
+  // lifecycle/IOC scanners, and the Python detectors (PyPI samples need them;
+  // npm exit immediately on a depth-1 readdir, so the cost is negligible).
+  // Excluded: scanAntiForensic (45s timeout, never the unique trigger on GT),
+  // scanHashes (cheap but GT samples are rebuilt — hashes drift), scanAIConfig,
+  // scanStubPackage, scanMonorepo, scanTrustedDepDiff (opt-in registry diff),
+  // checkPyPITyposquatting (subsumed by scanTyposquatting for npm; PyPI
+  // typosquats already get full via triage signals). CLI mode and shadow mode
+  // never set scanMode so the default branch runs all 20 scanners — fully
+  // backwards-compatible.
+  const QUICK_SCAN_ALLOWLIST = new Set([
+    'scanPackageJson',
+    'scanShellScripts',
+    'analyzeAST',
+    'detectObfuscation',
+    'scanDependencies',
+    'analyzeDataFlow',
+    'scanTyposquatting',
+    'scanGitHubActions',
+    'matchPythonIOCs',
+    'scanEntropy',
+    'scanIocStrings',
+    'scanPythonSource',
+    'scanPythonAST',
+    'scanAIConfig'
+  ]);
+  const isQuick = options.scanMode === 'quick';
+  function ifEnabled(name, fn) {
+    if (isQuick && !QUICK_SCAN_ALLOWLIST.has(name)) return Promise.resolve([]);
+    return fn();
+  }
+  if (isQuick) {
+    const skipped = SCANNER_NAMES.filter(n => !QUICK_SCAN_ALLOWLIST.has(n));
+    debugLog(`[EXECUTOR] scanMode=quick — skipping ${skipped.length} scanners: ${skipped.join(', ')}`);
+  }
+
   const settledResults = await Promise.allSettled([
-    yieldThen(() => scanPackageJson(targetPath)),
-    yieldThen(() => scanShellScripts(targetPath)),
-    withTimeout(() => analyzeAST(targetPath, { deobfuscate: deobfuscateFn }), 'analyzeAST'),
-    yieldThen(() => detectObfuscation(targetPath)),
-    yieldThen(() => scanDependencies(targetPath)),
-    yieldThen(() => scanHashes(targetPath)),
-    withTimeout(() => analyzeDataFlow(targetPath, { deobfuscate: deobfuscateFn }), 'analyzeDataFlow'),
-    yieldThen(() => scanTyposquatting(targetPath)),
-    yieldThen(() => scanGitHubActions(targetPath)),
-    yieldThen(() => matchPythonIOCs(pythonDeps, targetPath)),
-    yieldThen(() => checkPyPITyposquatting(pythonDeps, targetPath)),
-    withTimeout(() => scanEntropy(targetPath, { entropyThreshold: options.entropyThreshold || undefined }), 'scanEntropy'),
-    yieldThen(() => scanAIConfig(targetPath)),
-    yieldThen(() => scanIocStrings(targetPath)),
-    withTimeout(() => scanAntiForensic(targetPath), 'scanAntiForensic'),
-    yieldThen(() => scanStubPackage(targetPath)),
-    yieldThen(() => scanMonorepo(targetPath)),
+    ifEnabled('scanPackageJson', () => yieldThen(() => scanPackageJson(targetPath))),
+    ifEnabled('scanShellScripts', () => yieldThen(() => scanShellScripts(targetPath))),
+    ifEnabled('analyzeAST', () => withTimeout(() => analyzeAST(targetPath, { deobfuscate: deobfuscateFn }), 'analyzeAST')),
+    ifEnabled('detectObfuscation', () => yieldThen(() => detectObfuscation(targetPath))),
+    ifEnabled('scanDependencies', () => yieldThen(() => scanDependencies(targetPath))),
+    ifEnabled('scanHashes', () => yieldThen(() => scanHashes(targetPath))),
+    ifEnabled('analyzeDataFlow', () => withTimeout(() => analyzeDataFlow(targetPath, { deobfuscate: deobfuscateFn }), 'analyzeDataFlow')),
+    ifEnabled('scanTyposquatting', () => yieldThen(() => scanTyposquatting(targetPath))),
+    ifEnabled('scanGitHubActions', () => yieldThen(() => scanGitHubActions(targetPath))),
+    ifEnabled('matchPythonIOCs', () => yieldThen(() => matchPythonIOCs(pythonDeps, targetPath))),
+    ifEnabled('checkPyPITyposquatting', () => yieldThen(() => checkPyPITyposquatting(pythonDeps, targetPath))),
+    ifEnabled('scanEntropy', () => withTimeout(() => scanEntropy(targetPath, { entropyThreshold: options.entropyThreshold || undefined }), 'scanEntropy')),
+    ifEnabled('scanAIConfig', () => yieldThen(() => scanAIConfig(targetPath))),
+    ifEnabled('scanIocStrings', () => yieldThen(() => scanIocStrings(targetPath))),
+    ifEnabled('scanAntiForensic', () => withTimeout(() => scanAntiForensic(targetPath), 'scanAntiForensic')),
+    ifEnabled('scanStubPackage', () => yieldThen(() => scanStubPackage(targetPath))),
+    ifEnabled('scanMonorepo', () => yieldThen(() => scanMonorepo(targetPath))),
     // Opt-in scanner — short-circuits to [] unless options.trustedDepDiff or
     // options.monitorMode is set. CLI runs without flags pay no cost (no I/O).
     // Wrapped in withTimeout as defense in depth: scanner has its own 10s + 5s × N
     // internal timeouts, but a registry slowdown with many added deps could exceed
     // the static-scan budget without this cap.
-    withTimeout(() => scanTrustedDepDiff(targetPath, options), 'scanTrustedDepDiff'),
+    ifEnabled('scanTrustedDepDiff', () => withTimeout(() => scanTrustedDepDiff(targetPath, options), 'scanTrustedDepDiff')),
     // PYSRC-001..008 (v2.11.25, TrapDoor PyPI gap). Detect import-time RCE
     // in __init__.py / setup.py / top-level .py files. Runs always — not gated
     // on detectPythonProject() because an attacker can ship a malicious __init__.py
     // without a requirements.txt. Walker is cheap (just a depth-1 readdir).
-    yieldThen(() => scanPythonSource(targetPath)),
+    ifEnabled('scanPythonSource', () => yieldThen(() => scanPythonSource(targetPath))),
     // PYAST-001..008 (v2.11.42+, npm/PyPI parity Phase 1). Full Python CST
     // analysis via tree-sitter-python WASM. Scope-aware module-level detection
     // of cmdclass override, exec, subprocess shell=True, pickle.loads,
     // __import__ dangerous, entry_points. Parser init happens at pre-analysis
     // stage above; this call is sync from the caller's POV.
-    yieldThen(() => scanPythonAST(targetPath))
+    ifEnabled('scanPythonAST', () => yieldThen(() => scanPythonAST(targetPath)))
   ]);
 
   // Extract results: use empty array for rejected scanners, log errors

package/src/response/playbooks.js

@@ -86,6 +86,15 @@ const PLAYBOOKS = {
   detached_process:
     'spawn/fork avec {detached: true} detecte. Le processus enfant survit a la fin de npm install et execute le payload en arriere-plan. Verifier les processus en cours: ps aux | grep node. Tuer le processus suspect.',
 
+  linux_fingerprint_exec:
+    'execSync/spawn d\'une commande de reconnaissance Linux (id, uname, lsb_release, hostname, whoami). Seule, peut etre du telemetry legit. Combinee avec un envoi reseau, c\'est du fingerprint pour C2 grouping — verifier le contexte (compound recon_exfil_direct_ip si IP literal publique present dans le meme fichier).',
+
+  direct_ip_exfil:
+    'Endpoint C2 hardcode comme IPv4 literal publique (bypass DNS resolution). Verifier le fichier qui contient l\'IP : si combine avec linux_fingerprint_exec ou credential_regex_harvest, c\'est tres probablement un C2 attaquant. Geolocaliser l\'IP, croiser avec threat intel.',
+
+  recon_exfil_direct_ip:
+    'CRITIQUE: Linux system fingerprint (id/uname/lsb_release/hostname/whoami) + exfil vers IPv4 publique literal dans le meme fichier. Pattern targeted C2 grouping (campagne marginfi mai 2026, design-system-coopeuch). Isoler la machine, blocker l\'IP au firewall, capturer trafic sortant pour forensic.',
+
   known_malicious_package:
     'CRITIQUE: Supprimer immediatement. rm -rf node_modules && npm cache clean --force && npm install',
 

package/src/rules/index.js

@@ -783,6 +783,19 @@ const RULES = {
     references: ['https://attack.mitre.org/techniques/T1195/002/'],
     mitre: 'T1195.002'
   },
+  recon_exfil_direct_ip: {
+    id: 'MUADDIB-COMPOUND-016',
+    name: 'Linux Fingerprint + Direct-IP Exfil',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'execSync(id|uname|lsb_release|hostname|whoami) + http/https vers IPv4 literal publique dans le meme fichier — fingerprint device pour groupement C2 cible. Pattern observe sur la campagne marginfi (mai 2026) et design-system-coopeuch reconstruction. Track D — ferme la gap surfacee par GT-095.',
+    references: [
+      'https://attack.mitre.org/techniques/T1082/',
+      'https://attack.mitre.org/techniques/T1041/'
+    ],
+    mitre: 'T1082'
+  },
 
   // Package.json script patterns
   curl_pipe_sh: {
@@ -1113,6 +1126,33 @@ const RULES = {
     ],
     mitre: 'T1564'
   },
+  linux_fingerprint_exec: {
+    id: 'MUADDIB-AST-093',
+    name: 'Linux System Reconnaissance Exec',
+    severity: 'HIGH',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'execSync/exec/spawn d\'une commande de reconnaissance Linux (id, uname, lsb_release, hostname, whoami). Pattern observe sur les MALWARE direct-IP-exfil (marginfi cluster, design-system-coopeuch) qui collectent un fingerprint device avant exfil C2. HIGH seul (telemetry SDKs peuvent appeler hostname legit) — escalade CRITICAL en compound avec direct_ip_exfil dans le meme fichier.',
+    references: [
+      'https://attack.mitre.org/techniques/T1082/',
+      'https://attack.mitre.org/techniques/T1592/'
+    ],
+    mitre: 'T1082'
+  },
+  direct_ip_exfil: {
+    id: 'MUADDIB-AST-094',
+    name: 'Direct IP Exfiltration Endpoint',
+    severity: 'HIGH',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'Literal IPv4 publique utilise comme endpoint C2 (URL http://1.2.3.4:port/path ou IP nue dans un host:/hostname: option). Bypass DNS resolution = pattern attaque ciblee. Plages skip: 127/8 (localhost), 169.254/16 (link-local incl. IMDS), 10/8 + 172.16/12 + 192.168/16 (RFC 1918 prive). RFC 5737 documentation flagge (aucun usage runtime legit).',
+    references: [
+      'https://attack.mitre.org/techniques/T1071/001/',
+      'https://attack.mitre.org/techniques/T1041/',
+      'https://datatracker.ietf.org/doc/html/rfc5737'
+    ],
+    mitre: 'T1041'
+  },
   dangerous_call_function: {
     id: 'MUADDIB-AST-005',
     name: 'new Function() Constructor',

package/src/scanner/ast-detectors/handle-call-expression.js

@@ -349,6 +349,21 @@ function handleCallExpression(node, ctx) {
           file: ctx.relFile
         });
       }
+
+      // AST-NNN: linux_fingerprint_exec (Track D, v2.11.48+) — recon command
+      // pattern observed on direct-IP-exfil malware (marginfi cluster, GT-095
+      // design-system-coopeuch). HIGH alone (telemetry SDKs may legitimately
+      // call hostname); CRITICAL when compounded with direct_ip_exfil in the
+      // same file (`recon_exfil_direct_ip` in SCORING_COMPOUNDS).
+      if (/^\s*(id|uname|lsb_release|hostname|whoami)(\s|$)/.test(cmdStr)) {
+        const firstTok = cmdStr.trim().split(/\s+/)[0];
+        ctx.threats.push({
+          type: 'linux_fingerprint_exec',
+          severity: 'HIGH',
+          message: `${execName || memberExec}("${cmdStr.slice(0, 60)}") — Linux system reconnaissance (${firstTok}) used for device fingerprinting / C2 grouping.`,
+          file: ctx.relFile
+        });
+      }
     }
   }
 
@@ -424,7 +439,7 @@ function handleCallExpression(node, ctx) {
   }
 
   // Detect spawn/execFile of shell processes
-  if ((callName === 'spawn' || callName === 'execFile') && node.arguments.length >= 1) {
+  if ((callName === 'spawn' || callName === 'execFile' || callName === 'spawnSync' || callName === 'execFileSync') && node.arguments.length >= 1) {
     const shellArg = node.arguments[0];
     if (shellArg.type === 'Literal' && typeof shellArg.value === 'string') {
       const shellBin = shellArg.value.toLowerCase();
@@ -436,6 +451,16 @@ function handleCallExpression(node, ctx) {
           file: ctx.relFile
         });
       }
+      // AST-NNN: linux_fingerprint_exec (Track D, v2.11.48+) — spawn form,
+      // first arg is the bare command (e.g. `spawn('uname', ['-a'])`).
+      if (['id', 'uname', 'lsb_release', 'hostname', 'whoami'].includes(shellBin)) {
+        ctx.threats.push({
+          type: 'linux_fingerprint_exec',
+          severity: 'HIGH',
+          message: `${callName}('${shellArg.value}', ...) — Linux system reconnaissance (${shellBin}) used for device fingerprinting / C2 grouping.`,
+          file: ctx.relFile
+        });
+      }
     }
     // Also check when shell is computed via os.platform() ternary
     if (shellArg.type === 'ConditionalExpression') {

package/src/scanner/ast-detectors/handle-literal.js

@@ -73,6 +73,43 @@ function handleLiteral(node, ctx) {
       }
     }
 
+    // AST-NNN: direct_ip_exfil (Track D, v2.11.48+) — IPv4 literal used as
+    // C2 endpoint (URL form `http://1.2.3.4:port/path` OR bare IP literal
+    // outside the safe ranges). Pattern observed on marginfi cluster
+    // (72.62.71.201), design-system-coopeuch GT-095 (direct IP exfil, no
+    // OAST cover), and similar manual-review MALWARE. HIGH alone — combined
+    // with linux_fingerprint_exec in the same file, escalates to CRITICAL
+    // via `recon_exfil_direct_ip` compound.
+    //
+    // Safe ranges (skipped, no fire):
+    //   0.0.0.0           bind-all / server listen address (fastify/express default)
+    //   127.0.0.0/8       localhost
+    //   169.254.0.0/16    link-local (incl. cloud IMDS — separate rules cover abuse)
+    //   10.0.0.0/8        RFC 1918 private
+    //   172.16.0.0/12     RFC 1918 private
+    //   192.168.0.0/16    RFC 1918 private
+    //   255.255.255.255   broadcast
+    // RFC 5737 documentation ranges (192.0.2.x, 198.51.100.x, 203.0.113.x)
+    // are intentionally flagged — no legitimate runtime use, lets our GT
+    // reconstruction fixtures exercise the rule.
+    const IP_SAFE_RE = /^(0\.0\.0\.0$|127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|255\.255\.255\.255$)/;
+    const urlIpMatch = node.value.match(/^https?:\/\/((?:\d{1,3}\.){3}\d{1,3})(?::\d+)?(?:\/|$)/);
+    const bareIpMatch = node.value.match(/^((?:\d{1,3}\.){3}\d{1,3})$/);
+    const candidateIp = (urlIpMatch && urlIpMatch[1]) || (bareIpMatch && bareIpMatch[1]) || null;
+    if (candidateIp && !IP_SAFE_RE.test(candidateIp)) {
+      // Validate each octet ≤ 255 to avoid matching '999.999.999.999' style noise
+      const octets = candidateIp.split('.').map(n => parseInt(n, 10));
+      if (octets.every(o => o >= 0 && o <= 255)) {
+        const form = urlIpMatch ? 'URL' : 'bare IPv4 literal';
+        ctx.threats.push({
+          type: 'direct_ip_exfil',
+          severity: 'HIGH',
+          message: `Hardcoded ${form} ${candidateIp} — direct-IP exfil endpoint (no DNS, no OAST cover). Classic C2 / dep-confusion pattern.`,
+          file: ctx.relFile
+        });
+      }
+    }
+
     // Ollama LLM local: polymorphic engine indicator (PhantomRaven Wave 4)
     // Port 11434 is Ollama's default port. Legitimate packages don't call local LLMs.
     if (/(?:localhost|127\.0\.0\.1):11434/.test(node.value)) {

package/src/scoring.js

@@ -654,6 +654,20 @@ const SCORING_COMPOUNDS = [
     fileFrom: 'function_constructor_require',
     sameFile: true
   },
+  // Track D (v2.11.48+) — recon_exfil_direct_ip. Closes GT-095 gap
+  // (design-system-coopeuch reconstruction scoring 3 alone, MALWARE per
+  // in-house review). Pattern: execSync(id|uname|lsb_release|hostname|whoami)
+  // + http(s) call to a direct IPv4 literal (no DNS, no OAST). Same file
+  // gates this to attacker-targeted device fingerprinting; legit telemetry
+  // SDKs talk to named endpoints and never co-occur with bare-IP exfil.
+  {
+    type: 'recon_exfil_direct_ip',
+    requires: ['linux_fingerprint_exec', 'direct_ip_exfil'],
+    severity: 'CRITICAL',
+    message: 'Linux system fingerprint (id/uname/lsb_release/hostname/whoami) + direct-IP exfil in same file — targeted device fingerprinting for C2 grouping (scoring compound).',
+    fileFrom: 'direct_ip_exfil',
+    sameFile: true
+  },
 ];
 
 // v2.11.11: Extract static require/import targets from a JS file (1 level).