muaddib-scanner 2.11.53 → 2.11.57

package/README.md

@@ -303,7 +303,7 @@ These are the numbers a user gets when running `muaddib scan` against npm or PyP
 | **FPR PyPI** (v2.11.48, first honest measurement) | **9.68%** (12/124 scanned, 132 total) | **Track D fixed the PyPI downloader** — removed `pip --no-binary :all:` flag (forced compile of wheel-only packages, timed out 38% of the time) + added `.whl` extraction via `extractArchive()`. Brought 42 previously-skipped giants (numpy/pandas/django/matplotlib/scikit-learn/...) into scope. All 12 FPs cluster at score 25-35: this is the cap-PyPI-35 artifact, not new rule misfires. Lifting the cap (Track E) would drop FPR PyPI to ≈0%. 8 residual fails are >500MB packages (torch, tensorflow, scipy, opencv-python, ansible…) hitting the 30s `PACK_TIMEOUT_MS`. |
 | **ADR** (Adversarial + Holdout, v2.11.48) | **96.26%** (103/107) | 67 adversarial + 40 holdout, global threshold=20. Stable vs v2.10.95. |
 
-**3913 tests** across 109 files. **262 rules** (257 RULES + 5 PARANOID — Track D added 3: AST-093, AST-094, COMPOUND-016).
+**3969 tests** across 109 files. **262 rules** (257 RULES + 5 PARANOID — Track D added 3: AST-093, AST-094, COMPOUND-016).
 
 **Known issues (v2.11.48):**
 - *Cap PyPI à 35/100*: Python samples plafonnent à `riskScore=35` even when `globalRiskScore=100`. Confirmed empirically — all 12 PyPI FPs at score 25-35 (flask 32, django 35, tornado 35, bottle 30, pandas 25, matplotlib 25, plotly 25, bokeh 25, pymongo 35, coverage 32, fabric 35, websockets 35). Lifting the cap will simultaneously drop FPR PyPI to ≈0% and unblock PyPI MALWARE detection at higher thresholds. Track E target.

package/bin/muaddib.js

@@ -383,7 +383,6 @@ if (command === 'version' || command === '--version' || command === '-v') {
     });
   } else if (isTemporal && isTest && testPkg.length > 0) {
     const { detectSuddenLifecycleChange } = require('../src/temporal-analysis.js');
-    const pkgName = testPkg[testPkg.indexOf('--test') !== -1 ? testPkg.length - 1 : 0] || testPkg[0];
     // Find the package name: it's the non-flag argument
     const actualPkg = options.filter(o => !o.startsWith('-')).pop();
     if (!actualPkg) {
@@ -756,6 +755,7 @@ if (command === 'version' || command === '--version' || command === '-v') {
   const helpCmd = options.filter(o => !o.startsWith('-'))[0];
   showHelp(helpCmd);
 } else {
+  // eslint-disable-next-line no-control-regex -- strips control chars from untrusted command before display
   console.log(`Unknown command: ${String(command).replace(/[\x00-\x1f\x7f-\x9f]/g, '')}`);
   console.log('Type "muaddib help" to see available commands.');
   process.exit(1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.53",
+  "version": "2.11.57",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -47,17 +47,17 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@inquirer/prompts": "8.4.3",
+    "@inquirer/prompts": "8.5.2",
     "acorn": "8.16.0",
     "acorn-walk": "8.3.5",
     "adm-zip": "0.5.17",
-    "js-yaml": "4.1.1",
+    "js-yaml": "4.2.0",
     "loadash": "^1.0.0",
     "web-tree-sitter": "^0.26.9"
   },
   "devDependencies": {
     "@eslint/js": "10.0.1",
-    "eslint": "10.4.0",
+    "eslint": "10.4.1",
     "eslint-plugin-security": "^4.0.0",
     "globals": "17.6.0"
   }

package/{self-scan-v2.11.53.json → self-scan-v2.11.57.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-27T07:39:47.529Z",
+  "timestamp": "2026-06-04T20:24:41.702Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",
@@ -1862,7 +1862,7 @@
       "ajv/lib/ajv.js": 15837,
       "ajv/scripts/bundle.js": 1795,
       "debug/src/node.js": 4728,
-      "eslint/bin/eslint.js": 5604,
+      "eslint/bin/eslint.js": 6028,
       "fast-json-stable-stringify/benchmark/index.js": 740,
       "isexe/test/basic.js": 4996,
       "keyv/src/index.js": 6603,

package/src/commands/safe-install.js

@@ -132,7 +132,6 @@ async function scanPackageRecursive(pkg, depth = 0, maxDepth = 3) {
     }
   }
   
-  const pkgBaseName = pkgName.replace(/^@[^/]+\//, '');
   
   // Avoid infinite loops
   if (scannedPackages.has(pkgName)) {

package/src/index.js

@@ -8,7 +8,7 @@ const { output } = require('./pipeline/outputter.js');
 async function run(targetPath, options = {}) {
   try {
     // Phase 1: Initialization (validate, IOCs, config, Python detection)
-    const { pythonDeps, configApplied, configResult, warnings } = await initialize(targetPath, options);
+    const { pythonDeps, warnings } = await initialize(targetPath, options);
 
     // Phase 2: Execute all scanners
     const { threats, scannerErrors } = await execute(targetPath, options, pythonDeps, warnings);

package/src/integrations/maintainer-change.js

@@ -126,7 +126,6 @@ async function detectMaintainerChange(packageName) {
 
   // Build name sets for comparison
   const previousNames = new Set(previousMaint.maintainers.map(m => m.name.toLowerCase()));
-  const currentNames = new Set(newestMaint.maintainers.map(m => m.name.toLowerCase()));
 
   // Detect NEW_MAINTAINER: maintainers in newest that weren't in previous
   for (const m of newestMaint.maintainers) {

package/src/integrations/webhook.js

@@ -86,7 +86,7 @@ async function sendWebhook(url, results, options = {}) {
     resolvedAddress = ipv4Addresses[0] || null;
   } catch (e) {
     if (e.message.startsWith('Webhook blocked')) throw e;
-    throw new Error(`Webhook blocked: DNS resolution failed for ${urlObj.hostname}`);
+    throw new Error(`Webhook blocked: DNS resolution failed for ${urlObj.hostname}`, { cause: e });
   }
 
   // rawPayload: send the results object directly as the payload (for pre-built embeds)
@@ -403,7 +403,6 @@ function sendOnce(url, payload, resolvedAddress) {
     };
 
     const req = protocol.request(options, (res) => {
-      let data = '';
       let size = 0;
       res.on('data', chunk => {
         size += chunk.length;
@@ -412,7 +411,6 @@ function sendOnce(url, payload, resolvedAddress) {
           reject(new Error('Webhook response exceeded 1MB limit'));
           return;
         }
-        data += chunk;
       });
       res.on('end', () => {
         if (res.statusCode >= 200 && res.statusCode < 300) {

package/src/ioc/scraper.js

@@ -22,7 +22,7 @@ const { NPM_PACKAGE_REGEX } = require('../shared/constants.js');
 // whitespace, slashes, length > 100. The previous regex required first
 // char in [1-9] after a '0' which broke ALL 0.x.y versions (false negative
 // spam in scraper logs ; ~600 valid PyPI/npm versions wrongly skipped per scrape).
-const VERSION_INVALID_CHARS = /[\s\\/'"`;|&$<>(){}\[\]?]/;
+const VERSION_INVALID_CHARS = /[\s\\/'"`;|&$<>(){}[\]?]/;
 function isValidVersion(version) {
   if (!version || typeof version !== 'string') return false;
   if (version === '*') return true;
@@ -31,7 +31,7 @@ function isValidVersion(version) {
   if (VERSION_INVALID_CHARS.test(version)) return false;
   // Must start with a digit (or 'v' prefix), and contain only word chars / . / + / -
   if (!/^v?\d/.test(version)) return false;
-  return /^[\w.+\-]+$/.test(version);
+  return /^[\w.+-]+$/.test(version);
 }
 // Backwards compat: keep VERSION_RE as a no-op test wrapper for any legacy
 // caller that imports it. Prefer isValidVersion() in new code.
@@ -303,63 +303,6 @@ function fetchText(url, redirectCount = 0) {
   });
 }
 
-function fetchBuffer(url, redirectCount = 0) {
-  return new Promise((resolve, reject) => {
-    const urlObj = new URL(url);
-    const reqOptions = {
-      hostname: urlObj.hostname,
-      path: urlObj.pathname + urlObj.search,
-      method: 'GET',
-      headers: {
-        'User-Agent': 'MUADDIB-Scanner/3.0'
-      }
-    };
-
-    const req = https.request(reqOptions, (res) => {
-      if ([301, 302, 307, 308].includes(res.statusCode)) {
-        res.resume(); // Drain response body before following redirect
-        if (redirectCount >= MAX_REDIRECTS) {
-          reject(new Error('Too many redirects'));
-          return;
-        }
-        const redirectUrl = res.headers.location;
-        if (!isAllowedRedirect(redirectUrl)) {
-          reject(new Error('Unauthorized redirect to: ' + redirectUrl));
-          return;
-        }
-        fetchBuffer(redirectUrl, redirectCount + 1).then(resolve).catch(reject);
-        return;
-      }
-
-      if (res.statusCode !== 200) {
-        res.resume(); // Drain response body on error
-        reject(new Error('HTTP ' + res.statusCode));
-        return;
-      }
-
-      const chunks = [];
-      let received = 0;
-      res.on('data', chunk => {
-        received += chunk.length;
-        if (received > MAX_RESPONSE_SIZE) {
-          req.destroy();
-          reject(new Error('Response exceeded maximum size'));
-          return;
-        }
-        chunks.push(chunk);
-      });
-      res.on('end', () => resolve(Buffer.concat(chunks)));
-    });
-
-    req.on('error', reject);
-    req.setTimeout(120000, () => {
-      req.destroy();
-      reject(new Error('Timeout'));
-    });
-
-    req.end();
-  });
-}
 
 /**
  * Download a large file with spinner progress (npm/ora style).
@@ -367,6 +310,7 @@ function fetchBuffer(url, redirectCount = 0) {
  */
 function fetchBufferWithProgress(url, label, redirectCount = 0) {
   return new Promise((resolve, reject) => {
+    let spinner = null;
     const urlObj = new URL(url);
     const reqOptions = {
       hostname: urlObj.hostname,
@@ -404,7 +348,7 @@ function fetchBufferWithProgress(url, label, redirectCount = 0) {
       const chunks = [];
       let received = 0;
 
-      const spinner = new Spinner();
+      spinner = new Spinner();
       spinner.start('Downloading ' + label + '...');
 
       res.on('data', (chunk) => {
@@ -432,12 +376,12 @@ function fetchBufferWithProgress(url, label, redirectCount = 0) {
     });
 
     req.on('error', (err) => {
-      spinner.fail('Download failed: ' + err.message);
+      if (spinner) spinner.fail('Download failed: ' + err.message);
       reject(err);
     });
     req.setTimeout(300000, () => {
       req.destroy();
-      spinner.fail('Download timed out');
+      if (spinner) spinner.fail('Download timed out');
       reject(new Error('Timeout downloading ' + label));
     });
 
@@ -850,7 +794,7 @@ async function scrapeOSVDataDump() {
             // Track known IDs so OSSF can skip them
             knownIds.add(vuln.id || path.basename(name, '.json'));
             malCount++;
-          } catch (parseErr) {
+          } catch {
             console.warn(`[WARN] Skipping unparseable entry: ${name}`);
           }
         }
@@ -923,7 +867,7 @@ async function scrapeOSVPyPIDataDump() {
             const parsed = parseOSVEntry(vuln, 'osv-malicious-pypi', 'PyPI');
             for (const p of parsed) packages.push(p);
             malCount++;
-          } catch (parseErr) {
+          } catch {
             console.warn(`[WARN] Skipping unparseable entry: ${name}`);
           }
         }
@@ -1143,8 +1087,6 @@ async function runScraper() {
   // (used by `getSourceConfidence` for webhook gating).
   let addedPackages = 0;
   let upgradedPackages = 0;
-  let skippedInvalid = 0;
-  let skippedNeverWildcard = 0;
   function appendSource(target, pkg) {
     if (!Array.isArray(target.sources)) target.sources = [];
     const newSrc = pkg.source || (pkg.freshness && pkg.freshness.source) || 'unknown';
@@ -1166,12 +1108,10 @@ async function runScraper() {
   }
   for (const pkg of allPackages) {
     if (!validateIOCEntry(pkg.name, pkg.version, 'npm')) {
-      skippedInvalid++;
       continue;
     }
     // Skip wildcard entries for packages that must stay version-specific
     if (pkg.version === '*' && NEVER_WILDCARD.has(pkg.name)) {
-      skippedNeverWildcard++;
       continue;
     }
     const key = pkg.name + '@' + pkg.version;
@@ -1218,7 +1158,6 @@ async function runScraper() {
   const allPyPIPackages = pypiPackages.concat(aikidoResult.pypi_packages || [], osmResult.pypi_packages || []);
   for (const pkg of allPyPIPackages) {
     if (!validateIOCEntry(pkg.name, pkg.version, 'pypi')) {
-      skippedInvalid++;
       continue;
     }
     const key = pkg.name + '@' + pkg.version;

package/src/ml/classifier.js

@@ -341,8 +341,9 @@ function classifyPackage(result, meta) {
       const bundlerResult = predictBundler(bundlerVec);
       // Log-only: record prediction for retraining validation
       const roundedP = Math.round(bundlerResult.probability * 1000) / 1000;
-      // When retrained and validated, remove the 'false &&' guard below.
-      if (false && bundlerResult.prediction === 'clean') {
+      // When retrained and validated, set BUNDLER_FILTER_ENABLED to true.
+      const BUNDLER_FILTER_ENABLED = false;
+      if (BUNDLER_FILTER_ENABLED && bundlerResult.prediction === 'clean') {
         return {
           prediction: 'fp_bundler',
           probability: roundedP,

package/src/ml/feature-extractor.js

@@ -602,7 +602,7 @@ const F9_INFRA_KEYS = new Set([
 
 // Credential file paths that a malicious MCP dropper would harvest.
 // Appearance in any threat message disqualifies F9.
-const F9_CREDENTIAL_FILE_RE = /\.npmrc\b|\.aws[\/\\](?:credentials|config)\b|\bid_rsa\b|\bid_ed25519\b|\.ssh[\/\\]|\.kube[\/\\]config\b|\.docker[\/\\]config\b|\.netrc\b|\.git-credentials\b|wallet\.dat\b|\bsecret_token\b/i;
+const F9_CREDENTIAL_FILE_RE = /\.npmrc\b|\.aws[/\\](?:credentials|config)\b|\bid_rsa\b|\bid_ed25519\b|\.ssh[/\\]|\.kube[/\\]config\b|\.docker[/\\]config\b|\.netrc\b|\.git-credentials\b|wallet\.dat\b|\bsecret_token\b/i;
 
 // v2.11.31 F14: split exfil types into HARD (real malware signals) vs
 // SOFT (compound/intent threats that legitimately fire on AI proxies +

package/src/ml/llm-detective.js

@@ -459,7 +459,7 @@ async function callAnthropicAPI(system, messages) {
     } catch (err) {
       clearTimeout(timeout);
       if (err.name === 'AbortError') {
-        throw new Error(`API timeout (${LLM_TIMEOUT_MS}ms)`);
+        throw new Error(`API timeout (${LLM_TIMEOUT_MS}ms)`, { cause: err });
       }
       if (attempt < maxAttempts - 1 && err.message && /ECONNRESET|ETIMEDOUT|ENOTFOUND/.test(err.message)) {
         await new Promise(r => setTimeout(r, 2000));
@@ -553,7 +553,7 @@ function parseResponse(text) {
  * @returns {Promise<Object|null>} verdict object or null on skip/error
  */
 async function investigatePackage(extractedDir, scanResult, options = {}) {
-  const { name, version, ecosystem, npmRegistryMeta, tier } = options;
+  const { name, version, ecosystem, npmRegistryMeta } = options;
 
   // Guard rails
   if (!isLlmEnabled()) {

package/src/monitor/daemon.js

@@ -3,14 +3,14 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 const v8 = require('v8');
-const { isDockerAvailable, SANDBOX_CONCURRENCY_MAX } = require('../sandbox/index.js');
+const { isDockerAvailable, SANDBOX_CONCURRENCY_MAX, killAllSandboxContainers } = require('../sandbox/index.js');
 const { setVerboseMode, isSandboxEnabled, isCanaryEnabled, isLlmDetectiveEnabled, getLlmDetectiveMode, DOWNLOADS_CACHE_TTL } = require('./classify.js');
 const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, getParisHour, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
-const { pendingGrouped, flushScopeGroup, sendDailyReport, DAILY_REPORT_HOUR, alertedPackageRules } = require('./webhook.js');
+const { pendingGrouped, flushScopeGroup, sendDailyReport, DAILY_REPORT_HOUR, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
 const { poll } = require('./ingestion.js');
-const { processQueue, ensureWorkers, drainWorkers, getTargetConcurrency, setTargetConcurrency, getActiveWorkers, SCAN_CONCURRENCY } = require('./queue.js');
-const { computeTarget, ADJUST_INTERVAL_MS, BASE_CONCURRENCY, resetDeltas } = require('./adaptive-concurrency.js');
+const { ensureWorkers, drainWorkers, getTargetConcurrency, setTargetConcurrency, getActiveWorkers, terminateAllWorkers } = require('./queue.js');
+const { computeTarget, ADJUST_INTERVAL_MS, BASE_CONCURRENCY } = require('./adaptive-concurrency.js');
 const { startHealthcheck } = require('./healthcheck.js');
 const { startDeferredWorker, stopDeferredWorker, persistDeferredQueue, restoreDeferredQueue, clearDeferredQueue } = require('./deferred-sandbox.js');
 const { cleanupOldArchives, getRetentionDays, startPeriodicCleanup } = require('./tarball-archive.js');
@@ -65,6 +65,16 @@ const MEMORY_THRESHOLD_ELEVATED = 0.75;
 const MEMORY_THRESHOLD_HIGH = 0.85;
 const MEMORY_THRESHOLD_CRITICAL = 0.90;
 const MEMORY_THRESHOLD_EMERGENCY = 0.92;
+// RSS budget (OOM fix). The heap thresholds above miss the real failure mode: the
+// process dies from total RSS (off-heap — worker isolates, gVisor sandboxes, tarball
+// buffers) while heapUsed/heap_size_limit sits at ~20%. Gate on
+// process.memoryUsage().rss against an absolute budget so EMERGENCY fires before the
+// kernel OOM-killer. Default 8500MB on the 11.7GB VPS (~3GB headroom for
+// docker / gVisor / kernel). Override via MUADDIB_RSS_LIMIT_MB.
+const RSS_LIMIT_MB = (() => {
+  const parsed = parseInt(process.env.MUADDIB_RSS_LIMIT_MB, 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : 8500;
+})();
 // When truncating queue under EMERGENCY, keep the N most recent items.
 // These are the newest packages — most likely to still be on npm for re-scan.
 const EMERGENCY_QUEUE_KEEP = 500;
@@ -293,7 +303,9 @@ function checkDiskSpace() {
 // --- Memory management ---
 
 const MAX_RECENTLY_SCANNED = 50_000;
-const MAX_ALERTED_PACKAGES = 5_000;
+// MAX_ALERTED_PACKAGES is imported from webhook.js (single source of truth — the
+// alertedPackageRules Map lives there and FIFO-caps itself at insert with the same value).
+const MAX_DOWNLOADS_CACHE = 20_000; // hard size cap on top of the 24h TTL (bounded resource)
 
 /**
  * Compute current memory pressure level from V8 heap usage.
@@ -310,23 +322,30 @@ const MAX_ALERTED_PACKAGES = 5_000;
  *   - With --max-old-space-size=3072: ~3264MB (3072 + new space overhead)
  *   - Without the flag: ~4288MB (V8 default on 64-bit)
  */
-function computeMemoryPressure() {
-  const mem = process.memoryUsage();
+function computeMemoryPressure(memSample = null, rssLimitMb = RSS_LIMIT_MB) {
+  const mem = memSample || process.memoryUsage();
   const heapLimit = v8.getHeapStatistics().heap_size_limit;
   const ratio = heapLimit > 0 ? mem.heapUsed / heapLimit : 0;
+  const rssLimitBytes = rssLimitMb * 1024 * 1024;
+  const rssRatio = rssLimitBytes > 0 ? mem.rss / rssLimitBytes : 0;
 
-  if (ratio >= MEMORY_THRESHOLD_EMERGENCY) {
+  // Pressure is the WORSE of heap and RSS. The RSS arm catches the off-heap leak
+  // that the heap ratio is structurally blind to (heap sat at ~20% during every OOM
+  // while RSS climbed to 10.3GB). `ratio` stays the heap ratio for backward compat.
+  const worst = Math.max(ratio, rssRatio);
+
+  if (worst >= MEMORY_THRESHOLD_EMERGENCY) {
     _memoryPressureLevel = MEMORY_PRESSURE_LEVELS.EMERGENCY;
-  } else if (ratio >= MEMORY_THRESHOLD_CRITICAL) {
+  } else if (worst >= MEMORY_THRESHOLD_CRITICAL) {
     _memoryPressureLevel = MEMORY_PRESSURE_LEVELS.CRITICAL;
-  } else if (ratio >= MEMORY_THRESHOLD_HIGH) {
+  } else if (worst >= MEMORY_THRESHOLD_HIGH) {
     _memoryPressureLevel = MEMORY_PRESSURE_LEVELS.HIGH;
-  } else if (ratio >= MEMORY_THRESHOLD_ELEVATED) {
+  } else if (worst >= MEMORY_THRESHOLD_ELEVATED) {
     _memoryPressureLevel = MEMORY_PRESSURE_LEVELS.ELEVATED;
   } else {
     _memoryPressureLevel = MEMORY_PRESSURE_LEVELS.NONE;
   }
-  return { level: _memoryPressureLevel, mem, ratio };
+  return { level: _memoryPressureLevel, mem, ratio, rssRatio };
 }
 
 /**
@@ -362,6 +381,12 @@ function pruneMemoryCaches(recentlyScanned, downloadsCache, alertedPackageRules)
       pruned++;
     }
   }
+  // 2b. downloadsCache — hard size cap (FIFO) on top of TTL. A Map preserves
+  // insertion order, so the first key is the oldest (bounded resource).
+  while (downloadsCache.size > MAX_DOWNLOADS_CACHE) {
+    downloadsCache.delete(downloadsCache.keys().next().value);
+    pruned++;
+  }
 
   // 3. alertedPackageRules — cap size
   if (alertedPackageRules.size > MAX_ALERTED_PACKAGES) {
@@ -394,6 +419,12 @@ function pruneMemoryCaches(recentlyScanned, downloadsCache, alertedPackageRules)
  */
 function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, scanQueue) {
   const pct = (ratio * 100).toFixed(0);
+  // Structured summary of what the breaker actually did this tick. Returned (the poll loop
+  // at the call site ignores it) so the reclaim is observable to callers and tests without
+  // scraping console output — CLAUDE.md §3 "Toujours logger un resume". The two kill fields
+  // stay `undefined` until the EMERGENCY branch sets them, so a reader can distinguish
+  // "reclaim never ran" (undefined) from "ran, nothing to free" (0) from "reclaim threw" (-1).
+  const summary = { level, cachesCleared: false, queueDropped: 0, deferredDropped: 0 };
 
   // HIGH (85%+): clear auxiliary caches — same as old emergency prune
   if (level >= MEMORY_PRESSURE_LEVELS.HIGH) {
@@ -401,6 +432,7 @@ function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, sca
     recentlyScanned.clear();
     downloadsCache.clear();
     alertedPackageRules.clear();
+    summary.cachesCleared = true;
   }
 
   // CRITICAL (90%+): clear scanner caches, force GC
@@ -416,7 +448,7 @@ function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, sca
     try { clearFileListCache(); } catch {}
     try { clearASTCache(); } catch {}
     // pendingGrouped webhook buffers
-    for (const [scope, group] of pendingGrouped) {
+    for (const [, group] of pendingGrouped) {
       clearTimeout(group.timer);
     }
     pendingGrouped.clear();
@@ -438,18 +470,34 @@ function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, sca
       const dropped = queueBefore - EMERGENCY_QUEUE_KEEP;
       // splice from the front: older items were pushed first
       scanQueue.splice(0, dropped);
+      summary.queueDropped = dropped;
       console.error(`[MONITOR] MEMORY EMERGENCY: heap at ${pct}% — truncated queue ${queueBefore} → ${scanQueue.length} (dropped ${dropped} oldest items)`);
     }
     // Clear deferred sandbox queue (holds full staticResult objects)
     const deferredDropped = clearDeferredQueue();
+    summary.deferredDropped = deferredDropped;
     if (deferredDropped > 0) {
       console.error(`[MONITOR] MEMORY EMERGENCY: cleared ${deferredDropped} deferred sandbox items`);
     }
+    // Free the off-heap leak that queue truncation can't touch: orphaned sandbox
+    // containers (gVisor runsc survives `docker kill`) and wedged scan workers.
+    // Under a real RSS leak this — not the queue splice — is what reclaims memory.
+    try {
+      const killed = killAllSandboxContainers();
+      summary.containersKilled = killed;
+      if (killed > 0) console.error(`[MONITOR] MEMORY EMERGENCY: force-removed ${killed} sandbox container(s)`);
+    } catch (err) { summary.containersKilled = -1; console.error(`[MONITOR] EMERGENCY container kill failed: ${err.message}`); }
+    try {
+      const terminated = terminateAllWorkers();
+      summary.workersTerminated = terminated;
+      if (terminated > 0) console.error(`[MONITOR] MEMORY EMERGENCY: terminated ${terminated} scan worker(s)`);
+    } catch (err) { summary.workersTerminated = -1; console.error(`[MONITOR] EMERGENCY worker terminate failed: ${err.message}`); }
     // Second GC pass after freeing queue + deferred references
     if (global.gc) {
       global.gc();
     }
   }
+  return summary;
 }
 
 function reportStats(stats) {
@@ -753,7 +801,7 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
     // computeMemoryPressure() is cheap (~0.1ms). Running every 2s ensures fast
     // reaction to memory spikes — the 2026-04-13 incident showed that checking
     // every 5min is too slow (250 packages ingested between checks).
-    const { level: pressureLevel, mem: currentMem, ratio: heapRatio } = computeMemoryPressure();
+    const { level: pressureLevel, mem: currentMem, ratio: heapRatio, rssRatio } = computeMemoryPressure();
 
     // Top up workers ONLY when memory pressure is below HIGH.
     // At HIGH+, existing workers continue (they'll finish or timeout) but no new
@@ -775,7 +823,7 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
       const rssMB = (currentMem.rss / 1024 / 1024).toFixed(0);
       const pctUsed = (heapRatio * 100).toFixed(0);
       const levelName = Object.keys(MEMORY_PRESSURE_LEVELS).find(k => MEMORY_PRESSURE_LEVELS[k] === pressureLevel) || 'UNKNOWN';
-      console.log(`[MONITOR] MEMORY: heap=${heapUsedMB}MB/${heapLimitMB}MB (${pctUsed}%), rss=${rssMB}MB, queue=${scanQueue.length}, dedup=${recentlyScanned.size}, downloads=${downloadsCache.size}, alerts=${alertedPackageRules.size}, dailyAlerts=${dailyAlerts.length}, pressure=${levelName}`);
+      console.log(`[MONITOR] MEMORY: heap=${heapUsedMB}MB/${heapLimitMB}MB (${pctUsed}%), rss=${rssMB}MB (${(rssRatio * 100).toFixed(0)}%/${RSS_LIMIT_MB}MB), queue=${scanQueue.length}, dedup=${recentlyScanned.size}, downloads=${downloadsCache.size}, alerts=${alertedPackageRules.size}, dailyAlerts=${dailyAlerts.length}, pressure=${levelName}`);
 
       // Graduated response at HIGH+
       if (pressureLevel >= MEMORY_PRESSURE_LEVELS.HIGH) {
@@ -844,6 +892,7 @@ module.exports = {
   pruneMemoryCaches,
   MAX_RECENTLY_SCANNED,
   MAX_ALERTED_PACKAGES,
+  MAX_DOWNLOADS_CACHE,
   // Memory circuit breaker
   computeMemoryPressure,
   getMemoryPressureLevel,
@@ -853,6 +902,7 @@ module.exports = {
   MEMORY_THRESHOLD_HIGH,
   MEMORY_THRESHOLD_CRITICAL,
   MEMORY_THRESHOLD_EMERGENCY,
+  RSS_LIMIT_MB,
   EMERGENCY_QUEUE_KEEP,
   MEMORY_LOG_INTERVAL_NORMAL,
   MEMORY_LOG_INTERVAL_PRESSURE

package/src/monitor/deferred-sandbox.js

@@ -32,6 +32,10 @@ const DEFERRED_STATE_FILE = path.join(__dirname, '..', '..', 'data', 'deferred-q
 // slot. HIGH=10 pts is the intended T1b floor — values below 5 are LOW-only
 // aggregates which carry no actionable sandbox signal.
 const DEFERRED_MIN_SCORE = 5;
+// Hard ceiling on a single deferred sandbox run so the dedicated slot
+// (_deferredSlotBusy) can never wedge. maxRuns=1 self-bounds at ~SINGLE_RUN_TIMEOUT
+// (90s) + the sandbox watchdog grace; this AbortController is belt-and-suspenders.
+const DEFERRED_SANDBOX_TIMEOUT_MS = 150_000;
 
 // ── Mutable state ──
 const _deferredQueue = [];
@@ -190,11 +194,13 @@ async function processDeferredItem(stats) {
   // 4. Run sandbox on dedicated slot (bypasses shared semaphore)
   _deferredSlotBusy = true;
   let sandboxResult;
+  const ac = new AbortController();
+  const deadline = setTimeout(() => ac.abort(), DEFERRED_SANDBOX_TIMEOUT_MS);
   try {
     const canary = isCanaryEnabled();
     // maxRuns=1: deferred items are T1b/T2, time bomb detection (3 runs) is a luxury.
     // 90s instead of 270s per item → 3× faster deferred queue drain.
-    sandboxResult = await runSandbox(item.name, { canary, skipSemaphore: true, maxRuns: 1 });
+    sandboxResult = await runSandbox(item.name, { canary, skipSemaphore: true, maxRuns: 1, signal: ac.signal });
     console.log(`[DEFERRED] SANDBOX COMPLETE: ${key} -> score=${sandboxResult.score}, severity=${sandboxResult.severity}`);
   } catch (err) {
     console.error(`[DEFERRED] SANDBOX ERROR: ${key} — ${err.message}`);
@@ -210,6 +216,7 @@ async function processDeferredItem(stats) {
     }
     return null;
   } finally {
+    clearTimeout(deadline);
     _deferredSlotBusy = false;
   }
 

package/src/monitor/ingestion.js

@@ -11,7 +11,7 @@ const https = require('https');
 const { acquireRegistrySlot, releaseRegistrySlot } = require('../shared/http-limiter.js');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 const {
-  loadNpmSeq, saveNpmSeq, CHANGES_STREAM_URL, CHANGES_LIMIT, CHANGES_CATCHUP_MAX,
+  saveNpmSeq, CHANGES_STREAM_URL, CHANGES_LIMIT, CHANGES_CATCHUP_MAX,
   savePypiSerial, PYPI_XMLRPC_URL, PYPI_CATCHUP_MAX
 } = require('./state.js');
 const { sendIOCPreAlert, sendCampaignPreAlert } = require('./webhook.js');
@@ -31,7 +31,7 @@ function matchCampaignPattern(name) {
   }
   return null;
 }
-const { evaluateCacheTrigger, POPULAR_THRESHOLD, downloadsCache, DOWNLOADS_CACHE_TTL } = require('./classify.js');
+const { evaluateCacheTrigger, downloadsCache, DOWNLOADS_CACHE_TTL } = require('./classify.js');
 
 const SELF_PACKAGE_NAME = require('../../package.json').name;
 
@@ -175,7 +175,7 @@ async function getPyPITarballUrl(packageName, packageVersion = '') {
   try {
     data = JSON.parse(body);
   } catch (e) {
-    throw new Error(`Invalid JSON from PyPI for ${packageName}: ${e.message}`);
+    throw new Error(`Invalid JSON from PyPI for ${packageName}: ${e.message}`, { cause: e });
   }
 
   const latestVersion = (data.info && data.info.version) || '';
@@ -424,7 +424,7 @@ async function getNpmLatestTarball(packageName) {
   try {
     packument = JSON.parse(body);
   } catch (e) {
-    throw new Error(`Invalid JSON from npm registry for ${packageName}: ${e.message}`);
+    throw new Error(`Invalid JSON from npm registry for ${packageName}: ${e.message}`, { cause: e });
   }
   const result = selectMostRecentVersion(packument);
   if (!result) {