muaddib-scanner 2.11.51 → 2.11.53

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.51",
+  "version": "2.11.53",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.51.json → self-scan-v2.11.53.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-26T20:25:43.730Z",
+  "timestamp": "2026-05-27T07:39:47.529Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/ingestion.js

@@ -141,7 +141,10 @@ async function getWeeklyDownloads(packageName) {
   }
   try {
     const url = `https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(packageName)}`;
-    const body = await httpsGet(url, 3000);
+    // Routed via _deps so tests can stub the downloads endpoint independently
+    // of the registry endpoint (Stage 2.1 added parallel-fetch from
+    // preResolveNpmBatch).
+    const body = await _deps.httpsGet(url, 3000);
     const data = JSON.parse(body);
     const downloads = typeof data.downloads === 'number' ? data.downloads : -1;
     downloadsCache.set(packageName, { downloads, fetchedAt: Date.now() });
@@ -429,8 +432,23 @@ async function getNpmLatestTarball(packageName) {
       version: '', tarball: null, unpackedSize: 0, scripts: {},
       homepage: '', description: '',
       latestTagVersion: null, recentVersions: [],
+      age_days: null, version_count: 0,
     };
   }
+  // Stage 2.1 — extract reputation signals from the packument we already have,
+  // so triageRisk in queue.js doesn't have to refetch metadata via
+  // getPackageMetadata. Two fields are derivable from the packument alone:
+  //   - age_days   : time.created (package creation timestamp)
+  //   - version_count : Object.keys(versions).length (excludes unpublished
+  //                     tombstones kept only in `time`)
+  // weekly_downloads requires a separate api.npmjs.org call and is fetched in
+  // parallel by preResolveNpmBatch (it has its own cache + no semaphore).
+  const createdAt = (packument && packument.time && packument.time.created) || null;
+  result.age_days = createdAt
+    ? Math.floor((Date.now() - new Date(createdAt).getTime()) / 86_400_000)
+    : null;
+  result.version_count = (packument && packument.versions)
+    ? Object.keys(packument.versions).length : 0;
   return result;
 }
 
@@ -465,15 +483,30 @@ async function preResolveNpmBatch(items, stats, scanQueue) {
     await Promise.all(chunk.map(async (item) => {
       if (item.tarballUrl) { alreadyResolved++; return; }
       try {
-        const npmInfo = await getNpmLatestTarball(item.name);
+        // Stage 2.1 — fetch downloads in parallel with the packument. The
+        // downloads endpoint (api.npmjs.org) is not on the registry semaphore
+        // and has its own internal cache, so this is effectively free in the
+        // warm-cache case and adds at most one parallel HTTP otherwise.
+        const [npmInfo, weeklyDownloads] = await Promise.all([
+          getNpmLatestTarball(item.name),
+          getWeeklyDownloads(item.name).catch(() => null)
+        ]);
         if (npmInfo && npmInfo.tarball) {
           item.tarballUrl = npmInfo.tarball;
           if (!item.version) item.version = npmInfo.version || '';
           if (!item.unpackedSize) item.unpackedSize = npmInfo.unpackedSize || 0;
           if (!item.registryScripts) item.registryScripts = npmInfo.scripts || null;
+          // weekly_downloads is best-effort. getWeeklyDownloads returns -1 on
+          // failure; normalize that to null so triageRisk treats it as missing
+          // (rather than silently biasing the reputation factor toward "suspect").
+          npmInfo.weekly_downloads = (typeof weeklyDownloads === 'number' && weeklyDownloads >= 0)
+            ? weeklyDownloads : null;
           // Stash full packument-derived metadata for resolveTarballAndScan so
           // the worker can run ATO-signature, burst-extras, and fast-track logic
-          // without a second registry call.
+          // without a second registry call. Stage 2.1 enriches this with
+          // age_days / version_count (from getNpmLatestTarball) and
+          // weekly_downloads (from getWeeklyDownloads) so the triage block in
+          // queue.js can read meta directly without re-fetching.
           item._npmInfo = npmInfo;
           resolved++;
         } else {

package/src/monitor/queue.js

@@ -128,6 +128,22 @@ const LARGE_PACKAGE_SIZE = 10 * 1024 * 1024; // 10MB
 const FIRST_PUBLISH_SANDBOX_MAX_QUEUE = parseInt(process.env.MUADDIB_FIRST_PUBLISH_SANDBOX_MAX_QUEUE, 10) || 10;
 const FIRST_PUBLISH_SANDBOX_ENABLED = process.env.MUADDIB_FIRST_PUBLISH_SANDBOX !== '0';
 
+// Stage 3 — sandbox gate. Static-score threshold below which T1b/T2 packages
+// are NOT sandboxed (static result alone is authoritative). Tightens the prior
+// "T1b sandbox if score >= 25 or queue < 20" to remove low-signal sandbox runs
+// that consume slots without producing actionable findings (the dominant cost
+// in the queue-saturation diagnostic). Validated by axon-enterprise@1.0.0
+// (static 52, sandbox confirmed 100) — gate >= 40 still catches it.
+// T1a (high-confidence malice) bypasses this gate; it's mandatory.
+// Override via env var to widen the gate (lower threshold) for a short
+// rollback window without redeploying. Clamped to [0, 100].
+function computeSandboxScoreThreshold(envValue) {
+  const parsed = parseInt(envValue, 10);
+  const value = Number.isFinite(parsed) ? parsed : 40;
+  return Math.max(0, Math.min(100, value));
+}
+const SANDBOX_SCORE_THRESHOLD = computeSandboxScoreThreshold(process.env.MUADDIB_SANDBOX_SCORE_THRESHOLD);
+
 // --- Bundled tooling false-positive filter ---
 
 const KNOWN_BUNDLED_FILES = ['yarn.js', 'webpack.js', 'terser.js', 'esbuild.js', 'polyfills.js'];
@@ -464,6 +480,18 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
       throw staticErr;
     }
 
+    // Phase 3 signal — agent-supply-chain lens. Pure observability, no scoring impact.
+    // Cisco AI Defense / SkillSieve / Snyk Agent Scan EVO scan skill marketplaces;
+    // they don't monitor the npm/PyPI firehose. Tracking which packages bundle a
+    // SKILL.md is our unique intersection (npm-package-bundling-malicious-skill).
+    try {
+      const det = detectSkillMdBundled(extractedDir, result && result.threats);
+      if (det.bundled) {
+        stats.skillMdBundled = (stats.skillMdBundled || 0) + 1;
+        console.log(`[MONITOR] SKILL_MD_BUNDLED: ${name}@${version} (${ecosystem}) — ${det.count} file(s)`);
+      }
+    } catch { /* observability signal — never let it break the scan */ }
+
     // First-publish detection: used for sandbox priority below
     const isFirstPublish = cacheTrigger && cacheTrigger.reason === 'first_publish';
 
@@ -738,14 +766,16 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         }
 
         // T1a: mandatory sandbox (HC malice types, TIER1_TYPES non-LOW, lifecycle + intent compound)
-        // T1b: conditional sandbox (HIGH/CRITICAL without HC type — bundler FP zone)
-        //       → sandbox only if score >= 25 (significant risk) or queue pressure is low
-        // T2: sandbox if queue < 50 (as before)
+        // T1b: conditional sandbox — gated by SANDBOX_SCORE_THRESHOLD (Stage 3).
+        //       Previously gated at >= 25 OR queue < 20; tightened to >= 40 by
+        //       default because the 25-39 band produced no decisive sandbox
+        //       findings in 4 months of prod data (axon-enterprise was at 52).
+        // T2:  conditional sandbox — same score gate AND queue < 50.
         let sandboxResult = null;
         const shouldSandbox = !skipSandboxLargePackage && isSandboxEnabled() && sandboxAvailable && (
           tier === '1a' ||
-          (tier === '1b' && (riskScore >= 25 || scanQueue.length < 20)) ||
-          (tier === 2 && scanQueue.length < 50)
+          (tier === '1b' && riskScore >= SANDBOX_SCORE_THRESHOLD) ||
+          (tier === 2 && riskScore >= SANDBOX_SCORE_THRESHOLD && scanQueue.length < 50)
         );
 
         if (shouldSandbox) {
@@ -813,8 +843,12 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
           } catch (err) {
             console.error(`[MONITOR] SANDBOX error for ${name}@${version}: ${err.message}`);
           }
-        } else if (tier === '1b' && sandboxAvailable) {
-          console.log(`[MONITOR] SANDBOX DEFERRED (T1b, score=${riskScore} < 25, queue ${scanQueue.length} >= 20): ${name}@${version}`);
+        } else if (tier === '1b' && sandboxAvailable && riskScore >= SANDBOX_SCORE_THRESHOLD) {
+          // Stage 3 — defer only when the score crosses the gate. Below the
+          // threshold, sandbox is skipped entirely (static result is final).
+          // This stops the deferred-queue from filling with low-score items
+          // that would never produce decisive sandbox findings.
+          console.log(`[MONITOR] SANDBOX DEFERRED (T1b, score=${riskScore}, queue ${scanQueue.length}): ${name}@${version}`);
           enqueueDeferred({
             name, version, ecosystem, tier, riskScore, tarballUrl,
             enqueuedAt: Date.now(),
@@ -823,10 +857,14 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
             retries: 0
           });
           stats.sandboxDeferred = (stats.sandboxDeferred || 0) + 1;
+        } else if (tier === '1b' && sandboxAvailable) {
+          // Below SANDBOX_SCORE_THRESHOLD — no sandbox, no defer.
+          console.log(`[MONITOR] SANDBOX GATED (T1b, score=${riskScore} < ${SANDBOX_SCORE_THRESHOLD}): ${name}@${version}`);
+          stats.sandboxGated = (stats.sandboxGated || 0) + 1;
         } else if (tier === '1b') {
           console.log(`[MONITOR] SANDBOX SKIPPED (T1b, no Docker): ${name}@${version}`);
-        } else if (tier === 2 && sandboxAvailable) {
-          console.log(`[MONITOR] SANDBOX DEFERRED (T2, queue ${scanQueue.length} >= 50): ${name}@${version}`);
+        } else if (tier === 2 && sandboxAvailable && riskScore >= SANDBOX_SCORE_THRESHOLD) {
+          console.log(`[MONITOR] SANDBOX DEFERRED (T2, score=${riskScore}, queue ${scanQueue.length}): ${name}@${version}`);
           enqueueDeferred({
             name, version, ecosystem, tier, riskScore, tarballUrl,
             enqueuedAt: Date.now(),
@@ -835,6 +873,11 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
             retries: 0
           });
           stats.sandboxDeferred = (stats.sandboxDeferred || 0) + 1;
+        } else if (tier === 2 && sandboxAvailable) {
+          // Below SANDBOX_SCORE_THRESHOLD — T2 was already passive; staying
+          // static-only matches the existing T3 behaviour.
+          console.log(`[MONITOR] SANDBOX GATED (T2, score=${riskScore} < ${SANDBOX_SCORE_THRESHOLD}): ${name}@${version}`);
+          stats.sandboxGated = (stats.sandboxGated || 0) + 1;
         } else if (tier === 2) {
           console.log(`[MONITOR] SANDBOX SKIPPED (T2, no Docker): ${name}@${version}`);
         }
@@ -973,6 +1016,34 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
   }
 }
 
+/**
+ * Detect whether a package bundles a SKILL.md (Anthropic Agent Skills spec).
+ * Pure observability — drives the `stats.skillMdBundled` counter, no scoring effect.
+ *
+ * Two-pass check: (1) inspect emitted threats for SKILL.md filenames so we catch
+ * cases the scanner already touched without re-walking the tree; (2) fall back to
+ * a bounded findFiles walk (maxDepth 4, maxFiles 5) for packages where no scanner
+ * has flagged anything.
+ *
+ * @param {string|null} extractedDir - Unpacked tarball root, or null if unknown.
+ * @param {Array<{file?:string}>|null} threats - Threats array from the scan result.
+ * @returns {{bundled: boolean, count: number}}
+ */
+function detectSkillMdBundled(extractedDir, threats) {
+  const fromThreats = Array.isArray(threats) && threats.some(
+    t => /(?:^|[\\/])SKILL\.md$/i.test((t && t.file) || '')
+  );
+  if (fromThreats) return { bundled: true, count: 1 };
+  if (!extractedDir) return { bundled: false, count: 0 };
+  try {
+    const { findFiles } = require('../utils.js');
+    const found = findFiles(extractedDir, { extensions: ['SKILL.md'], maxDepth: 4, maxFiles: 5 });
+    return { bundled: found.length > 0, count: found.length };
+  } catch {
+    return { bundled: false, count: 0 };
+  }
+}
+
 function timeoutPromise(ms) {
   return new Promise((_, reject) => {
     setTimeout(() => reject(new Error(`Scan timeout after ${ms / 1000}s`)), ms);
@@ -1295,10 +1366,23 @@ async function resolveTarballAndScan(item, stats, dailyAlerts, recentlyScanned,
   if (triageMode !== 'off' && !item.fastTrack) {
     let triageMeta = null;
     if (item.ecosystem === 'npm') {
-      try {
-        const { getPackageMetadata } = require('../scanner/npm-registry.js');
-        triageMeta = await getPackageMetadata(item.name);
-      } catch { /* metadata unavailable → triageRisk will see null and pick 'full' */ }
+      // Stage 2.1 — Stage 1 pre-resolve already fetched the packument and
+      // (Stage 2.1) computed age_days + version_count, plus parallel-fetched
+      // weekly_downloads. Read those directly to skip the second
+      // registry round-trip via getPackageMetadata. Fallback to the lazy
+      // metadata fetch only when _npmInfo is absent (lazy-resolve path).
+      if (item._npmInfo) {
+        triageMeta = {
+          age_days: item._npmInfo.age_days,
+          version_count: item._npmInfo.version_count,
+          weekly_downloads: item._npmInfo.weekly_downloads,
+        };
+      } else {
+        try {
+          const { getPackageMetadata } = require('../scanner/npm-registry.js');
+          triageMeta = await getPackageMetadata(item.name);
+        } catch { /* metadata unavailable → triageRisk will see null and pick 'full' */ }
+      }
     } else if (item.ecosystem === 'pypi') {
       triageMeta = item._pypiInfo || null;
     }
@@ -1413,6 +1497,8 @@ module.exports = {
   LARGE_PACKAGE_SIZE,
   FIRST_PUBLISH_SANDBOX_MAX_QUEUE,
   FIRST_PUBLISH_SANDBOX_ENABLED,
+  SANDBOX_SCORE_THRESHOLD,
+  computeSandboxScoreThreshold,
   KNOWN_BUNDLED_FILES,
   KNOWN_BUNDLED_PATHS,
   ML_EXCLUDED_DIRS,
@@ -1434,6 +1520,7 @@ module.exports = {
   runScanInWorker,
   scanPackage,
   timeoutPromise,
+  detectSkillMdBundled,
   isDailyReportDue,
   processQueueItem,
   processQueue,

package/src/scanner/ai-config.js

@@ -43,13 +43,31 @@ const AI_CONFIG_FILES = [
 // These are distinct from AI_CONFIG_FILES: they contain machine-readable hooks
 // that execute code on project open, not human-readable prompt injection.
 // Technique: Shai-Hulud (TeamPCP, May 2026) — .claude/settings.json SessionStart hook.
+// Additional mai 2026 surfaces (Cursor / Windsurf / Continue / root Claude Desktop)
+// added after the TrapDoor + Bitwarden CLI campaigns confirmed cross-agent targeting.
 const IDE_HOOK_FILES = [
   '.claude/settings.json',
   '.claude/settings.local.json',
   '.vscode/tasks.json',
-  '.kiro/settings/mcp.json'
+  '.kiro/settings/mcp.json',
+  '.cursor/mcp.json',
+  '.continue/config.json',
+  '.windsurf/mcp.json',
+  'mcp.json',
+  'claude_desktop_config.json'
 ];
 
+// Paths that follow the standard MCP `mcpServers.{name}.command` schema.
+// A package shipping any of these with a `command` entry is hostile: legitimate
+// npm/PyPI packages never ship per-user MCP configurations.
+const MCP_STANDARD_PATHS = new Set([
+  '.kiro/settings/mcp.json',
+  '.cursor/mcp.json',
+  '.windsurf/mcp.json',
+  'mcp.json',
+  'claude_desktop_config.json'
+]);
+
 // Dangerous shell command patterns in AI config files
 const SHELL_COMMAND_PATTERNS = [
   // Download and execute
@@ -209,9 +227,46 @@ function analyzeIDEHookFile(content, relPath) {
     }
   }
 
-  // .kiro/settings/mcp.json
+  // Standard MCP config family:
+  //   .kiro/settings/mcp.json | .cursor/mcp.json | .windsurf/mcp.json
+  //   | root mcp.json (Claude Desktop project mode)
+  //   | root claude_desktop_config.json (Claude Desktop global, hostile if shipped)
   // Structure: { mcpServers: { name: { command, args } } }
-  if (relPath.includes('.kiro/') && relPath.endsWith('mcp.json')) {
+  if (MCP_STANDARD_PATHS.has(relPath)) {
+    const mcpServers = parsed.mcpServers;
+    if (mcpServers && typeof mcpServers === 'object') {
+      for (const [name, config] of Object.entries(mcpServers)) {
+        if (config && typeof config === 'object' && config.command) {
+          threats.push({
+            type: 'ide_hook_autoexec',
+            severity: 'CRITICAL',
+            message: `IDE auto-exec hook: ${relPath} server "${name}" executes "${config.command}" on project open`,
+            file: relPath
+          });
+        }
+      }
+    }
+  }
+
+  // .continue/config.json — Continue.dev schema. Two MCP surfaces:
+  //   1. experimental.modelContextProtocolServers[].transport.command (canonical)
+  //   2. mcpServers.{name}.command (newer alias)
+  if (relPath === '.continue/config.json') {
+    const exp = parsed.experimental;
+    const mcps = exp && Array.isArray(exp.modelContextProtocolServers)
+      ? exp.modelContextProtocolServers
+      : [];
+    for (const srv of mcps) {
+      const cmd = srv && srv.transport && srv.transport.command;
+      if (cmd) {
+        threats.push({
+          type: 'ide_hook_autoexec',
+          severity: 'CRITICAL',
+          message: `IDE auto-exec hook: .continue/config.json modelContextProtocolServer transport executes "${cmd}" on project open`,
+          file: relPath
+        });
+      }
+    }
     const mcpServers = parsed.mcpServers;
     if (mcpServers && typeof mcpServers === 'object') {
       for (const [name, config] of Object.entries(mcpServers)) {
@@ -219,7 +274,7 @@ function analyzeIDEHookFile(content, relPath) {
           threats.push({
             type: 'ide_hook_autoexec',
             severity: 'CRITICAL',
-            message: `IDE auto-exec hook: .kiro/settings/mcp.json server "${name}" executes "${config.command}" on project open`,
+            message: `IDE auto-exec hook: .continue/config.json mcpServers "${name}" executes "${config.command}" on project open`,
             file: relPath
           });
         }

package/src/scanner/ast-detectors/constants.js

@@ -136,6 +136,17 @@ const SENSITIVE_AI_CONFIG_FILES_UNIQUE = [
   'claude.md', 'claude_desktop_config.json',
   'mcp.json',
   '.cursorrules', '.windsurfrules',
+  'copilot-instructions.md',
+  'agents.md', 'agent.md'
+];
+
+// Agent prompt files that live at any directory level — written by TrapDoor-style
+// post-install hooks to the user's home or cwd. Detected via a "standalone" branch
+// that does NOT require an MCP_CONFIG_PATHS dir prefix (otherwise homedir + .cursorrules
+// slips through because '.cursorrules'.includes('.cursor/') is false).
+const AGENT_PROMPT_FILENAMES = [
+  '.cursorrules', '.windsurfrules',
+  'claude.md', 'agents.md', 'agent.md',
   'copilot-instructions.md'
 ];
 const SENSITIVE_AI_CONFIG_FILES_ROOT_ONLY = [
@@ -256,6 +267,7 @@ module.exports = {
   NODE_HOOKABLE_CLASSES,
   MCP_CONFIG_PATHS,
   MCP_CONTENT_PATTERNS,
+  AGENT_PROMPT_FILENAMES,
   SENSITIVE_AI_CONFIG_FILES_UNIQUE,
   SENSITIVE_AI_CONFIG_FILES_ROOT_ONLY,
   GIT_HOOKS,

package/src/scanner/ast-detectors/handle-call-expression.js

@@ -30,6 +30,7 @@ const {
   DANGEROUS_CMD_PATTERNS,
   MCP_CONFIG_PATHS,
   MCP_CONTENT_PATTERNS,
+  AGENT_PROMPT_FILENAMES,
   SENSITIVE_AI_CONFIG_FILES_UNIQUE,
   SENSITIVE_AI_CONFIG_FILES_ROOT_ONLY,
   GIT_HOOKS,
@@ -51,6 +52,56 @@ const {
   resolveNumericExpression
 } = require('./helpers.js');
 
+/**
+ * Detect whether an AST node points at a user-level filesystem location:
+ *   os.homedir() | process.cwd() | process.env.HOME | process.env.USERPROFILE
+ *   | string starting with "~/" | absolute "/home/" or "C:\\Users\\" prefix
+ *   | path.join(...) where ANY arg matches the above (recursive)
+ *
+ * Used by SANDWORM_MODE R5b to distinguish hostile TrapDoor-style writes
+ * (homedir + .cursorrules) from legit scaffolder writes (__dirname + tmpl).
+ */
+function _isUserLevelPathArg(node, depth = 0) {
+  if (!node || depth > 4) return false;
+  // os.homedir() / process.cwd()
+  if (node.type === 'CallExpression' && node.callee?.type === 'MemberExpression') {
+    const objName = node.callee.object?.name || node.callee.object?.property?.name;
+    const propName = node.callee.property?.name;
+    if (objName === 'os' && propName === 'homedir') return true;
+    if (objName === 'process' && propName === 'cwd') return true;
+    // path.join() / path.resolve() — recurse into args
+    if (objName === 'path' && (propName === 'join' || propName === 'resolve')) {
+      return Array.isArray(node.arguments) && node.arguments.some(a => _isUserLevelPathArg(a, depth + 1));
+    }
+  }
+  // process.env.HOME / process.env.USERPROFILE
+  if (node.type === 'MemberExpression' && node.object?.type === 'MemberExpression') {
+    const root = node.object.object;
+    const mid = node.object.property;
+    const leaf = node.property;
+    if (root?.name === 'process' && mid?.name === 'env'
+        && (leaf?.name === 'HOME' || leaf?.name === 'USERPROFILE')) return true;
+  }
+  // Literal string indicators
+  if (node.type === 'Literal' && typeof node.value === 'string') {
+    if (node.value.startsWith('~/') || node.value.startsWith('~\\')) return true;
+    if (/^\/home\/|^\/Users\//.test(node.value)) return true;
+    if (/^[A-Za-z]:[\\/]Users[\\/]/.test(node.value)) return true;
+  }
+  // Template literal — check quasi parts for the same prefixes
+  if (node.type === 'TemplateLiteral' && Array.isArray(node.quasis) && node.quasis[0]) {
+    const head = node.quasis[0].value?.cooked || '';
+    if (head.startsWith('~/') || /^\/home\/|^\/Users\/|^[A-Za-z]:[\\/]Users[\\/]/.test(head)) return true;
+    // Also recurse into ${expr} parts: if any expression is a user-level indicator, treat as user-level
+    if (Array.isArray(node.expressions) && node.expressions.some(e => _isUserLevelPathArg(e, depth + 1))) return true;
+  }
+  // BinaryExpression "a + b" — recurse into both sides
+  if (node.type === 'BinaryExpression' && node.operator === '+') {
+    return _isUserLevelPathArg(node.left, depth + 1) || _isUserLevelPathArg(node.right, depth + 1);
+  }
+  return false;
+}
+
 function handleCallExpression(node, ctx) {
   const callName = getCallName(node);
 
@@ -662,10 +713,13 @@ function handleCallExpression(node, ctx) {
     }
   }
 
-  // SANDWORM_MODE R5: MCP config injection — writeFileSync to AI config paths
+  // SANDWORM_MODE R5: MCP config injection — writeFileSync/appendFileSync to AI config paths.
+  // appendFileSync was added in v2.11.49 to cover the TrapDoor (mai 2026) pattern that
+  // appends ZW-Unicode-poisoned instructions to existing CLAUDE.md / .cursorrules instead
+  // of overwriting them — the original missed M3 fixture's appendFileSync('CLAUDE.md', ...).
   if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
     const mcpWriteMethod = node.callee.property.name;
-    if (['writeFileSync', 'writeFile'].includes(mcpWriteMethod) && node.arguments.length >= 2) {
+    if (['writeFileSync', 'writeFile', 'appendFileSync', 'appendFile'].includes(mcpWriteMethod) && node.arguments.length >= 2) {
       const mcpPathArg = node.arguments[0];
       const mcpPathStr = extractStringValueDeep(mcpPathArg);
       // Also check path.join() calls — resolve concat fragments in each argument
@@ -712,6 +766,36 @@ function handleCallExpression(node, ctx) {
           });
         }
       }
+
+      // SANDWORM_MODE R5b (TrapDoor, mai 2026): standalone agent-prompt-file write.
+      // Catches `path.join(os.homedir(), '.cursorrules')` / `appendFileSync(cwd+'/CLAUDE.md', ...)` patterns
+      // that bypass the isMcpPath gatekeeper because `.cursorrules` / `CLAUDE.md` / `AGENTS.md`
+      // are not inside an MCP_CONFIG_PATHS directory.
+      // FP-safe: requires either a user-level path indicator (os.homedir/process.cwd/process.env.HOME/~) OR
+      // shell-command / injection-instruction content. Static scaffolder writes
+      // (path.join(__dirname, 'tmpl', '.cursorrules') + static template) do NOT fire.
+      if (!isMcpPath) {
+        const standaloneFileName = mcpCheckPath.split(/[/\\]/).filter(Boolean).pop() || '';
+        if (AGENT_PROMPT_FILENAMES.some(f => standaloneFileName === f)) {
+          const hasUserLevelPath = _isUserLevelPathArg(mcpPathArg);
+          const contentArg2 = node.arguments[1];
+          const contentStr2 = extractStringValue(contentArg2);
+          const hasShellContent = !!contentStr2 && /(?:curl|wget)\s+[^\n]*\|\s*(?:sh|bash|zsh)\b|\beval\s*\(|\bsh\s+-c\s+|\bbash\s+-c\s+|\bnode\s+-e\s+/i.test(contentStr2);
+          const hasInjectionInstruction = !!contentStr2 && /IMPORTANT[:\s]+(?:before|after|run|execute)|do\s+not\s+(?:display|show|mention)|always\s+run/i.test(contentStr2);
+          if (hasUserLevelPath || hasShellContent || hasInjectionInstruction) {
+            const reasons = [];
+            if (hasUserLevelPath) reasons.push('user-level destination (homedir/cwd/env.HOME)');
+            if (hasShellContent) reasons.push('shell command in content');
+            if (hasInjectionInstruction) reasons.push('AI prompt-injection instruction in content');
+            ctx.threats.push({
+              type: 'mcp_config_injection',
+              severity: 'CRITICAL',
+              message: `MCP config injection: ${mcpWriteMethod}() writes to agent prompt file "${standaloneFileName}" — ${reasons.join(' + ')}. TrapDoor (mai 2026) post-install plant pattern.`,
+              file: ctx.relFile
+            });
+          }
+        }
+      }
     }
   }