muaddib-scanner 2.11.52 → 2.11.53

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.52",
+  "version": "2.11.53",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.52.json → self-scan-v2.11.53.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-26T21:21:36.874Z",
+  "timestamp": "2026-05-27T07:39:47.529Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/queue.js

@@ -480,6 +480,18 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
       throw staticErr;
     }
 
+    // Phase 3 signal — agent-supply-chain lens. Pure observability, no scoring impact.
+    // Cisco AI Defense / SkillSieve / Snyk Agent Scan EVO scan skill marketplaces;
+    // they don't monitor the npm/PyPI firehose. Tracking which packages bundle a
+    // SKILL.md is our unique intersection (npm-package-bundling-malicious-skill).
+    try {
+      const det = detectSkillMdBundled(extractedDir, result && result.threats);
+      if (det.bundled) {
+        stats.skillMdBundled = (stats.skillMdBundled || 0) + 1;
+        console.log(`[MONITOR] SKILL_MD_BUNDLED: ${name}@${version} (${ecosystem}) — ${det.count} file(s)`);
+      }
+    } catch { /* observability signal — never let it break the scan */ }
+
     // First-publish detection: used for sandbox priority below
     const isFirstPublish = cacheTrigger && cacheTrigger.reason === 'first_publish';
 
@@ -1004,6 +1016,34 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
   }
 }
 
+/**
+ * Detect whether a package bundles a SKILL.md (Anthropic Agent Skills spec).
+ * Pure observability — drives the `stats.skillMdBundled` counter, no scoring effect.
+ *
+ * Two-pass check: (1) inspect emitted threats for SKILL.md filenames so we catch
+ * cases the scanner already touched without re-walking the tree; (2) fall back to
+ * a bounded findFiles walk (maxDepth 4, maxFiles 5) for packages where no scanner
+ * has flagged anything.
+ *
+ * @param {string|null} extractedDir - Unpacked tarball root, or null if unknown.
+ * @param {Array<{file?:string}>|null} threats - Threats array from the scan result.
+ * @returns {{bundled: boolean, count: number}}
+ */
+function detectSkillMdBundled(extractedDir, threats) {
+  const fromThreats = Array.isArray(threats) && threats.some(
+    t => /(?:^|[\\/])SKILL\.md$/i.test((t && t.file) || '')
+  );
+  if (fromThreats) return { bundled: true, count: 1 };
+  if (!extractedDir) return { bundled: false, count: 0 };
+  try {
+    const { findFiles } = require('../utils.js');
+    const found = findFiles(extractedDir, { extensions: ['SKILL.md'], maxDepth: 4, maxFiles: 5 });
+    return { bundled: found.length > 0, count: found.length };
+  } catch {
+    return { bundled: false, count: 0 };
+  }
+}
+
 function timeoutPromise(ms) {
   return new Promise((_, reject) => {
     setTimeout(() => reject(new Error(`Scan timeout after ${ms / 1000}s`)), ms);
@@ -1480,6 +1520,7 @@ module.exports = {
   runScanInWorker,
   scanPackage,
   timeoutPromise,
+  detectSkillMdBundled,
   isDailyReportDue,
   processQueueItem,
   processQueue,

package/src/scanner/ai-config.js

@@ -43,13 +43,31 @@ const AI_CONFIG_FILES = [
 // These are distinct from AI_CONFIG_FILES: they contain machine-readable hooks
 // that execute code on project open, not human-readable prompt injection.
 // Technique: Shai-Hulud (TeamPCP, May 2026) — .claude/settings.json SessionStart hook.
+// Additional mai 2026 surfaces (Cursor / Windsurf / Continue / root Claude Desktop)
+// added after the TrapDoor + Bitwarden CLI campaigns confirmed cross-agent targeting.
 const IDE_HOOK_FILES = [
   '.claude/settings.json',
   '.claude/settings.local.json',
   '.vscode/tasks.json',
-  '.kiro/settings/mcp.json'
+  '.kiro/settings/mcp.json',
+  '.cursor/mcp.json',
+  '.continue/config.json',
+  '.windsurf/mcp.json',
+  'mcp.json',
+  'claude_desktop_config.json'
 ];
 
+// Paths that follow the standard MCP `mcpServers.{name}.command` schema.
+// A package shipping any of these with a `command` entry is hostile: legitimate
+// npm/PyPI packages never ship per-user MCP configurations.
+const MCP_STANDARD_PATHS = new Set([
+  '.kiro/settings/mcp.json',
+  '.cursor/mcp.json',
+  '.windsurf/mcp.json',
+  'mcp.json',
+  'claude_desktop_config.json'
+]);
+
 // Dangerous shell command patterns in AI config files
 const SHELL_COMMAND_PATTERNS = [
   // Download and execute
@@ -209,9 +227,46 @@ function analyzeIDEHookFile(content, relPath) {
     }
   }
 
-  // .kiro/settings/mcp.json
+  // Standard MCP config family:
+  //   .kiro/settings/mcp.json | .cursor/mcp.json | .windsurf/mcp.json
+  //   | root mcp.json (Claude Desktop project mode)
+  //   | root claude_desktop_config.json (Claude Desktop global, hostile if shipped)
   // Structure: { mcpServers: { name: { command, args } } }
-  if (relPath.includes('.kiro/') && relPath.endsWith('mcp.json')) {
+  if (MCP_STANDARD_PATHS.has(relPath)) {
+    const mcpServers = parsed.mcpServers;
+    if (mcpServers && typeof mcpServers === 'object') {
+      for (const [name, config] of Object.entries(mcpServers)) {
+        if (config && typeof config === 'object' && config.command) {
+          threats.push({
+            type: 'ide_hook_autoexec',
+            severity: 'CRITICAL',
+            message: `IDE auto-exec hook: ${relPath} server "${name}" executes "${config.command}" on project open`,
+            file: relPath
+          });
+        }
+      }
+    }
+  }
+
+  // .continue/config.json — Continue.dev schema. Two MCP surfaces:
+  //   1. experimental.modelContextProtocolServers[].transport.command (canonical)
+  //   2. mcpServers.{name}.command (newer alias)
+  if (relPath === '.continue/config.json') {
+    const exp = parsed.experimental;
+    const mcps = exp && Array.isArray(exp.modelContextProtocolServers)
+      ? exp.modelContextProtocolServers
+      : [];
+    for (const srv of mcps) {
+      const cmd = srv && srv.transport && srv.transport.command;
+      if (cmd) {
+        threats.push({
+          type: 'ide_hook_autoexec',
+          severity: 'CRITICAL',
+          message: `IDE auto-exec hook: .continue/config.json modelContextProtocolServer transport executes "${cmd}" on project open`,
+          file: relPath
+        });
+      }
+    }
     const mcpServers = parsed.mcpServers;
     if (mcpServers && typeof mcpServers === 'object') {
       for (const [name, config] of Object.entries(mcpServers)) {
@@ -219,7 +274,7 @@ function analyzeIDEHookFile(content, relPath) {
           threats.push({
             type: 'ide_hook_autoexec',
             severity: 'CRITICAL',
-            message: `IDE auto-exec hook: .kiro/settings/mcp.json server "${name}" executes "${config.command}" on project open`,
+            message: `IDE auto-exec hook: .continue/config.json mcpServers "${name}" executes "${config.command}" on project open`,
             file: relPath
           });
         }

package/src/scanner/ast-detectors/constants.js

@@ -136,6 +136,17 @@ const SENSITIVE_AI_CONFIG_FILES_UNIQUE = [
   'claude.md', 'claude_desktop_config.json',
   'mcp.json',
   '.cursorrules', '.windsurfrules',
+  'copilot-instructions.md',
+  'agents.md', 'agent.md'
+];
+
+// Agent prompt files that live at any directory level — written by TrapDoor-style
+// post-install hooks to the user's home or cwd. Detected via a "standalone" branch
+// that does NOT require an MCP_CONFIG_PATHS dir prefix (otherwise homedir + .cursorrules
+// slips through because '.cursorrules'.includes('.cursor/') is false).
+const AGENT_PROMPT_FILENAMES = [
+  '.cursorrules', '.windsurfrules',
+  'claude.md', 'agents.md', 'agent.md',
   'copilot-instructions.md'
 ];
 const SENSITIVE_AI_CONFIG_FILES_ROOT_ONLY = [
@@ -256,6 +267,7 @@ module.exports = {
   NODE_HOOKABLE_CLASSES,
   MCP_CONFIG_PATHS,
   MCP_CONTENT_PATTERNS,
+  AGENT_PROMPT_FILENAMES,
   SENSITIVE_AI_CONFIG_FILES_UNIQUE,
   SENSITIVE_AI_CONFIG_FILES_ROOT_ONLY,
   GIT_HOOKS,

package/src/scanner/ast-detectors/handle-call-expression.js

@@ -30,6 +30,7 @@ const {
   DANGEROUS_CMD_PATTERNS,
   MCP_CONFIG_PATHS,
   MCP_CONTENT_PATTERNS,
+  AGENT_PROMPT_FILENAMES,
   SENSITIVE_AI_CONFIG_FILES_UNIQUE,
   SENSITIVE_AI_CONFIG_FILES_ROOT_ONLY,
   GIT_HOOKS,
@@ -51,6 +52,56 @@ const {
   resolveNumericExpression
 } = require('./helpers.js');
 
+/**
+ * Detect whether an AST node points at a user-level filesystem location:
+ *   os.homedir() | process.cwd() | process.env.HOME | process.env.USERPROFILE
+ *   | string starting with "~/" | absolute "/home/" or "C:\\Users\\" prefix
+ *   | path.join(...) where ANY arg matches the above (recursive)
+ *
+ * Used by SANDWORM_MODE R5b to distinguish hostile TrapDoor-style writes
+ * (homedir + .cursorrules) from legit scaffolder writes (__dirname + tmpl).
+ */
+function _isUserLevelPathArg(node, depth = 0) {
+  if (!node || depth > 4) return false;
+  // os.homedir() / process.cwd()
+  if (node.type === 'CallExpression' && node.callee?.type === 'MemberExpression') {
+    const objName = node.callee.object?.name || node.callee.object?.property?.name;
+    const propName = node.callee.property?.name;
+    if (objName === 'os' && propName === 'homedir') return true;
+    if (objName === 'process' && propName === 'cwd') return true;
+    // path.join() / path.resolve() — recurse into args
+    if (objName === 'path' && (propName === 'join' || propName === 'resolve')) {
+      return Array.isArray(node.arguments) && node.arguments.some(a => _isUserLevelPathArg(a, depth + 1));
+    }
+  }
+  // process.env.HOME / process.env.USERPROFILE
+  if (node.type === 'MemberExpression' && node.object?.type === 'MemberExpression') {
+    const root = node.object.object;
+    const mid = node.object.property;
+    const leaf = node.property;
+    if (root?.name === 'process' && mid?.name === 'env'
+        && (leaf?.name === 'HOME' || leaf?.name === 'USERPROFILE')) return true;
+  }
+  // Literal string indicators
+  if (node.type === 'Literal' && typeof node.value === 'string') {
+    if (node.value.startsWith('~/') || node.value.startsWith('~\\')) return true;
+    if (/^\/home\/|^\/Users\//.test(node.value)) return true;
+    if (/^[A-Za-z]:[\\/]Users[\\/]/.test(node.value)) return true;
+  }
+  // Template literal — check quasi parts for the same prefixes
+  if (node.type === 'TemplateLiteral' && Array.isArray(node.quasis) && node.quasis[0]) {
+    const head = node.quasis[0].value?.cooked || '';
+    if (head.startsWith('~/') || /^\/home\/|^\/Users\/|^[A-Za-z]:[\\/]Users[\\/]/.test(head)) return true;
+    // Also recurse into ${expr} parts: if any expression is a user-level indicator, treat as user-level
+    if (Array.isArray(node.expressions) && node.expressions.some(e => _isUserLevelPathArg(e, depth + 1))) return true;
+  }
+  // BinaryExpression "a + b" — recurse into both sides
+  if (node.type === 'BinaryExpression' && node.operator === '+') {
+    return _isUserLevelPathArg(node.left, depth + 1) || _isUserLevelPathArg(node.right, depth + 1);
+  }
+  return false;
+}
+
 function handleCallExpression(node, ctx) {
   const callName = getCallName(node);
 
@@ -662,10 +713,13 @@ function handleCallExpression(node, ctx) {
     }
   }
 
-  // SANDWORM_MODE R5: MCP config injection — writeFileSync to AI config paths
+  // SANDWORM_MODE R5: MCP config injection — writeFileSync/appendFileSync to AI config paths.
+  // appendFileSync was added in v2.11.49 to cover the TrapDoor (mai 2026) pattern that
+  // appends ZW-Unicode-poisoned instructions to existing CLAUDE.md / .cursorrules instead
+  // of overwriting them — the original missed M3 fixture's appendFileSync('CLAUDE.md', ...).
   if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
     const mcpWriteMethod = node.callee.property.name;
-    if (['writeFileSync', 'writeFile'].includes(mcpWriteMethod) && node.arguments.length >= 2) {
+    if (['writeFileSync', 'writeFile', 'appendFileSync', 'appendFile'].includes(mcpWriteMethod) && node.arguments.length >= 2) {
       const mcpPathArg = node.arguments[0];
       const mcpPathStr = extractStringValueDeep(mcpPathArg);
       // Also check path.join() calls — resolve concat fragments in each argument
@@ -712,6 +766,36 @@ function handleCallExpression(node, ctx) {
           });
         }
       }
+
+      // SANDWORM_MODE R5b (TrapDoor, mai 2026): standalone agent-prompt-file write.
+      // Catches `path.join(os.homedir(), '.cursorrules')` / `appendFileSync(cwd+'/CLAUDE.md', ...)` patterns
+      // that bypass the isMcpPath gatekeeper because `.cursorrules` / `CLAUDE.md` / `AGENTS.md`
+      // are not inside an MCP_CONFIG_PATHS directory.
+      // FP-safe: requires either a user-level path indicator (os.homedir/process.cwd/process.env.HOME/~) OR
+      // shell-command / injection-instruction content. Static scaffolder writes
+      // (path.join(__dirname, 'tmpl', '.cursorrules') + static template) do NOT fire.
+      if (!isMcpPath) {
+        const standaloneFileName = mcpCheckPath.split(/[/\\]/).filter(Boolean).pop() || '';
+        if (AGENT_PROMPT_FILENAMES.some(f => standaloneFileName === f)) {
+          const hasUserLevelPath = _isUserLevelPathArg(mcpPathArg);
+          const contentArg2 = node.arguments[1];
+          const contentStr2 = extractStringValue(contentArg2);
+          const hasShellContent = !!contentStr2 && /(?:curl|wget)\s+[^\n]*\|\s*(?:sh|bash|zsh)\b|\beval\s*\(|\bsh\s+-c\s+|\bbash\s+-c\s+|\bnode\s+-e\s+/i.test(contentStr2);
+          const hasInjectionInstruction = !!contentStr2 && /IMPORTANT[:\s]+(?:before|after|run|execute)|do\s+not\s+(?:display|show|mention)|always\s+run/i.test(contentStr2);
+          if (hasUserLevelPath || hasShellContent || hasInjectionInstruction) {
+            const reasons = [];
+            if (hasUserLevelPath) reasons.push('user-level destination (homedir/cwd/env.HOME)');
+            if (hasShellContent) reasons.push('shell command in content');
+            if (hasInjectionInstruction) reasons.push('AI prompt-injection instruction in content');
+            ctx.threats.push({
+              type: 'mcp_config_injection',
+              severity: 'CRITICAL',
+              message: `MCP config injection: ${mcpWriteMethod}() writes to agent prompt file "${standaloneFileName}" — ${reasons.join(' + ')}. TrapDoor (mai 2026) post-install plant pattern.`,
+              file: ctx.relFile
+            });
+          }
+        }
+      }
     }
   }