muaddib-scanner 2.11.6 → 2.11.7

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines **14 parallel scanners** (209 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring**, **ML classifiers** (XGBoost), and gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages.
+MUAD'DIB combines **16 parallel scanners** (223 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring**, **ML classifiers** (XGBoost), and gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages.
 
 ---
 
@@ -176,7 +176,7 @@ muaddib replay                     # Ground truth validation (61/65 TPR@3)
 
 ## Features
 
-### 14 parallel scanners
+### 16 parallel scanners
 
 | Scanner | Detection |
 |---------|-----------|
@@ -194,8 +194,11 @@ muaddib replay                     # Ground truth validation (61/65 TPR@3)
 | Package/Dependencies | Lifecycle scripts, IOC matching (225K+ packages) |
 | GitHub Actions | Shai-Hulud backdoor detection |
 | Hash Scanner | Known malicious file hashes |
+| IOC Strings (intel-triage P1.1) | YARA-style string matching (Axios 2026, TeamPCP, GlassWorm, CanisterSprawl) |
+| Anti-Forensic AST (intel-triage P1.2) | XOR loop + self-delete + decoy write compound (csec autodelete) |
+| Stub Package (intel-triage P1.3) | Tiny main file + external dep URL + lifecycle hook (ltidi chain) |
 
-### 209 detection rules
+### 223 detection rules
 
 All rules are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21021) for the complete rules reference.
 
@@ -271,7 +274,7 @@ With pre-commit framework:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.10.97
+    rev: v2.11.6
     hooks:
       - id: muaddib-scan
 ```
@@ -292,7 +295,7 @@ repos:
 | **FPR** (Benign random, v2.10.95 measure) | **7.0%** (14/200) | 200 random npm packages, stratified sampling |
 | **ADR** (Adversarial + Holdout) | **96.3%** (103/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
 
-**3280 tests** across 69 files. **209 rules** (204 RULES + 5 PARANOID).
+**3529 tests** across 89 files. **223 rules** (218 RULES + 5 PARANOID).
 
 > **ML retrain methodology (v2.10.51):**
 > - Ground truth: 377 confirmed_malicious via auto-labeler (OSSF malicious-packages, GitHub Advisory Database, npm registry takedown correlation)
@@ -340,7 +343,7 @@ npm test
 
 ### Testing
 
-- **3280 tests** across 69 modular test files
+- **3529 tests** across 89 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 67 real-world attacks (93.85% TPR@3, 86.2% TPR@20 — v2.10.95 measure)
@@ -361,7 +364,7 @@ npm test
 - [Documentation Index](docs/INDEX.md) - All documentation in one place
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
-- [Security Policy](SECURITY.md) - Detection rules reference (209 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (223 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.6",
+  "version": "2.11.7",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/response/playbooks.js

@@ -149,6 +149,9 @@ const PLAYBOOKS = {
   stub_with_string_ioc:
     'CRITIQUE: Package stub + IOC string connu = staging chain-attack confirme. Bloquer le package + sa dep externe. Regenerer secrets si install effectue.',
 
+  staged_remote_loader:
+    'CRITIQUE: Staged remote loader detecte (Function.constructor("require", body) + process shadow). Le payload reel est sur un pastebin externe (jsonkeeper.com ou autre). Pattern campagne chai-* / poxios-chain. Bloquer le package, isoler les machines qui ont fait `npm install`, regenerer credentials. Inspecter l\'URL paste-service decodee depuis la base64.',
+
   known_malicious_hash:
     'CRITIQUE: Fichier malveillant confirme par hash. Supprimer immediatement. Considerer la machine compromise.',
 

package/src/rules/index.js

@@ -261,6 +261,18 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  staged_remote_loader: {
+    id: 'MUADDIB-COMPOUND-012',
+    name: 'Staged Remote Loader (Function.constructor + shadowed process)',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Compound: new Function.constructor("require", body) co-occurs with `const process = {...}` shadowing in the same file. Pattern observed in the chai-* / poxios-chain / express-guardrail / justenv campaign (semaine 2026-05-04 a 2026-05-09): fork de pino avec caller.js qui decode une URL base64 (jsonkeeper.com), fetch le payload distant via axios, et l\'execute via Function.constructor en passant require comme parametre. Le tarball npm ne contient aucun code malveillant statique — la charge utile est externalisee sur un pastebin.',
+    references: [
+      'project_detection_gap_chai_staged_loader memory entry',
+      'data/security-review-2026-05-04-10.md'
+    ],
+    mitre: 'T1059.007'
+  },
   lifecycle_script_dependency: {
     id: 'MUADDIB-DEP-004',
     name: 'Lifecycle Script in Dependency',
@@ -1798,7 +1810,7 @@ const RULES = {
   },
   dangerous_constructor: {
     id: 'MUADDIB-AST-057',
-    name: 'Prototype Chain Constructor Access',
+    name: 'AsyncFunction/GeneratorFunction Constructor via Prototype Chain',
     severity: 'CRITICAL',
     confidence: 'high',
     description: 'Acces au constructeur AsyncFunction ou GeneratorFunction via Object.getPrototypeOf(). Technique d\'evasion permettant d\'executer du code arbitraire sans reference directe a eval() ou Function().',
@@ -2312,7 +2324,7 @@ const RULES = {
   },
   prototype_chain_constructor: {
     id: 'MUADDIB-AST-081',
-    name: 'Prototype Chain Constructor Access',
+    name: 'Prototype Chain Constructor Access via Variable',
     severity: 'CRITICAL',
     confidence: 'high',
     description: 'Object.getPrototypeOf(variable).constructor extrait dans une variable — traversee de la chaine de prototypes pour atteindre le constructeur Function et executer du code arbitraire.',

package/src/runtime/monitor-feed.js

@@ -0,0 +1,241 @@
+'use strict';
+
+/**
+ * monitor-feed.js — Aggregator for /monitor HTTP endpoints.
+ *
+ * Reads the same persistent files the monitor writes to data/ and exposes
+ * three views consumed by muad-api -> muad-front:
+ *   - buildMonitorDaily()         today's stats from daily-stats.json
+ *   - buildMonitorWindow(range)   per-day rollup from scan-stats.json
+ *   - buildMonitorAll()           all-time totals + detection breakdown
+ *
+ * Defensive: every read is wrapped — missing files yield zeros, never throws.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const {
+  DAILY_STATS_FILE,
+  SCAN_STATS_FILE,
+  STATE_FILE,
+  LAST_DAILY_REPORT_FILE,
+  loadScanStats,
+  loadStateRaw,
+  loadLastDailyReportDate,
+  getDetectionStats,
+  getParisDateString
+} = require('../monitor/state.js');
+
+const pkg = require('../../package.json');
+
+const SUPPORTED_RANGES = new Set(['7d', '30d', 'all']);
+const RANGE_DAYS = { '7d': 7, '30d': 30 };
+
+function safeReadJson(file) {
+  try {
+    if (!fs.existsSync(file)) return null;
+    const raw = fs.readFileSync(file, 'utf8');
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+
+function emptyToday(date) {
+  return {
+    date,
+    scanned: 0,
+    clean: 0,
+    suspect: 0,
+    suspectByTier: { t1: 0, t1a: 0, t1b: 0, t2: 0, t3: 0 },
+    errors: 0,
+    errorsByType: { too_large: 0, tar_failed: 0, http_error: 0, timeout: 0, static_timeout: 0, other: 0 },
+    totalTimeMs: 0,
+    mlFiltered: 0,
+    llmAnalyzed: 0,
+    llmSuppressed: 0,
+    changesStreamPackages: 0
+  };
+}
+
+function readToday() {
+  const date = getParisDateString();
+  const data = safeReadJson(DAILY_STATS_FILE);
+  if (!data || typeof data.scanned !== 'number') return emptyToday(date);
+  return {
+    date,
+    scanned: data.scanned || 0,
+    clean: data.clean || 0,
+    suspect: data.suspect || 0,
+    suspectByTier: {
+      t1: (data.suspectByTier && data.suspectByTier.t1) || 0,
+      t1a: (data.suspectByTier && data.suspectByTier.t1a) || 0,
+      t1b: (data.suspectByTier && data.suspectByTier.t1b) || 0,
+      t2: (data.suspectByTier && data.suspectByTier.t2) || 0,
+      t3: (data.suspectByTier && data.suspectByTier.t3) || 0
+    },
+    errors: data.errors || 0,
+    errorsByType: {
+      too_large: (data.errorsByType && data.errorsByType.too_large) || 0,
+      tar_failed: (data.errorsByType && data.errorsByType.tar_failed) || 0,
+      http_error: (data.errorsByType && data.errorsByType.http_error) || 0,
+      timeout: (data.errorsByType && data.errorsByType.timeout) || 0,
+      static_timeout: (data.errorsByType && data.errorsByType.static_timeout) || 0,
+      other: (data.errorsByType && data.errorsByType.other) || 0
+    },
+    totalTimeMs: data.totalTimeMs || 0,
+    mlFiltered: data.mlFiltered || 0,
+    llmAnalyzed: data.llmAnalyzed || 0,
+    llmSuppressed: data.llmSuppressed || 0,
+    changesStreamPackages: data.changesStreamPackages || 0
+  };
+}
+
+function readLastReportAt() {
+  const fromFile = safeReadJson(LAST_DAILY_REPORT_FILE);
+  if (fromFile && typeof fromFile.lastReportDate === 'string') return fromFile.lastReportDate;
+  const date = loadLastDailyReportDate();
+  return date || null;
+}
+
+function readMonitorState() {
+  try {
+    return loadStateRaw() || {};
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Build the /monitor/daily payload.
+ */
+function buildMonitorDaily() {
+  const today = readToday();
+  const lastReportAt = readLastReportAt();
+  const monitorState = readMonitorState();
+
+  return {
+    generated_at: new Date().toISOString(),
+    engineVersion: pkg.version,
+    today,
+    lastReportAt,
+    monitor: {
+      npmLastPackage: monitorState.npmLastPackage || null,
+      pypiLastPackage: monitorState.pypiLastPackage || null,
+      lastDailyReportDate: monitorState.lastDailyReportDate || null
+    }
+  };
+}
+
+function emptyDayEntry(date) {
+  return {
+    date,
+    scanned: 0,
+    clean: 0,
+    suspect: 0,
+    false_positive: 0,
+    confirmed: 0,
+    sandbox_inconclusive: 0,
+    fp_rate: 0
+  };
+}
+
+function aggregateDays(days) {
+  const totals = { scanned: 0, clean: 0, suspect: 0, false_positive: 0, confirmed: 0, sandbox_inconclusive: 0 };
+  let fpRateSum = 0;
+  let fpRateCount = 0;
+  for (const d of days) {
+    totals.scanned += d.scanned || 0;
+    totals.clean += d.clean || 0;
+    totals.suspect += d.suspect || 0;
+    totals.false_positive += d.false_positive || 0;
+    totals.confirmed += d.confirmed || 0;
+    totals.sandbox_inconclusive += d.sandbox_inconclusive || 0;
+    if (typeof d.fp_rate === 'number' && d.fp_rate >= 0) {
+      fpRateSum += d.fp_rate;
+      fpRateCount++;
+    }
+  }
+  const fp_rate_avg = fpRateCount > 0 ? fpRateSum / fpRateCount : 0;
+  return { ...totals, fp_rate_avg: Math.round(fp_rate_avg * 1000) / 1000 };
+}
+
+/**
+ * Build the /monitor/window payload for a given range ('7d' | '30d').
+ */
+function buildMonitorWindow(range) {
+  if (!SUPPORTED_RANGES.has(range) || range === 'all') {
+    throw new Error(`Unsupported range: ${range}. Use 7d or 30d.`);
+  }
+  const days = RANGE_DAYS[range];
+  const data = loadScanStats();
+  const allDaily = Array.isArray(data.daily) ? data.daily : [];
+
+  const today = getParisDateString();
+  const todayMs = Date.parse(`${today}T00:00:00Z`);
+  const cutoffMs = todayMs - (days - 1) * 24 * 60 * 60 * 1000;
+
+  const inRange = allDaily.filter(d => {
+    if (!d || typeof d.date !== 'string') return false;
+    const ms = Date.parse(`${d.date}T00:00:00Z`);
+    return Number.isFinite(ms) && ms >= cutoffMs && ms <= todayMs;
+  });
+
+  const dateIndex = new Map(inRange.map(d => [d.date, d]));
+  const byDay = [];
+  for (let i = days - 1; i >= 0; i--) {
+    const ms = todayMs - i * 24 * 60 * 60 * 1000;
+    const dateStr = new Date(ms).toISOString().slice(0, 10);
+    byDay.push(dateIndex.get(dateStr) || emptyDayEntry(dateStr));
+  }
+
+  return {
+    generated_at: new Date().toISOString(),
+    engineVersion: pkg.version,
+    range,
+    from: byDay[0].date,
+    to: byDay[byDay.length - 1].date,
+    totals: aggregateDays(byDay),
+    byDay
+  };
+}
+
+/**
+ * Build the /monitor/stats payload (all-time totals + detection breakdown).
+ */
+function buildMonitorAll() {
+  const data = loadScanStats();
+  const stats = data.stats || {};
+  let detection = { total: 0, bySeverity: {}, byEcosystem: {}, leadTime: null };
+  try {
+    detection = getDetectionStats();
+  } catch {
+    // keep defaults
+  }
+  return {
+    generated_at: new Date().toISOString(),
+    engineVersion: pkg.version,
+    allTime: {
+      total_scanned: stats.total_scanned || 0,
+      clean: stats.clean || 0,
+      suspect: stats.suspect || 0,
+      false_positive: stats.false_positive || 0,
+      confirmed_malicious: stats.confirmed_malicious || 0,
+      sandbox_inconclusive: stats.sandbox_inconclusive || 0,
+      sandbox_unconfirmed: stats.sandbox_unconfirmed || 0
+    },
+    detectionStats: detection
+  };
+}
+
+module.exports = {
+  buildMonitorDaily,
+  buildMonitorWindow,
+  buildMonitorAll,
+  SUPPORTED_RANGES,
+  // exported for tests
+  _safeReadJson: safeReadJson,
+  _readToday: readToday,
+  _aggregateDays: aggregateDays
+};

package/src/sandbox/compound-triggers.js

@@ -0,0 +1,232 @@
+'use strict';
+
+// Sandbox-friendly compound triggers.
+// Surgical activation of the Docker sandbox only on threat patterns where
+// dynamic observation provides signal beyond static AST/regex analysis.
+// Targets 2026 attacks: Shai-Hulud, Axios 2026 (OrDeR_7077), GlassWorm,
+// PhantomRaven, CanisterWorm, ltidi chain.
+//
+// Activation rule: a compound matches AND preliminary score in [15, 35].
+//   score < 15  -> clean, no need to sandbox
+//   score > 35  -> already definitive, no second-tier verdict needed
+
+const SANDBOX_TRIGGER_MIN_SCORE = 15;
+const SANDBOX_TRIGGER_MAX_SCORE = 35;
+
+const TRIGGERS = [
+  {
+    name: 'lifecycle_install_chain',
+    description: 'Lifecycle script + credential tampering or harvest pattern',
+    target: 'Shai-Hulud, PhantomRaven',
+    watchpoints: ['honey_npmrc_read', 'honey_ssh_read', 'execve_chain_depth', 'outbound_non_registry'],
+    matches(threats) {
+      const hasLifecycle = threats.some(t =>
+        t.type === 'lifecycle_script' ||
+        t.type === 'lifecycle_added_critical' ||
+        t.type === 'lifecycle_added_high' ||
+        t.type === 'lifecycle_modified' ||
+        t.type === 'lifecycle_inline_exec' ||
+        t.type === 'lifecycle_remote_require' ||
+        t.type === 'lifecycle_dataflow' ||
+        t.type === 'lifecycle_dangerous_exec' ||
+        t.type === 'obfuscated_lifecycle_env' ||
+        t.type === 'lifecycle_typosquat' ||
+        t.type === 'lifecycle_shell_pipe' ||
+        t.type === 'lifecycle_hidden_payload'
+      );
+      const hasCredHarvest = threats.some(t =>
+        t.type === 'credential_regex_harvest' ||
+        t.type === 'credential_tampering' ||
+        t.type === 'credential_command_exec' ||
+        t.type === 'env_harvesting_dynamic' ||
+        t.type === 'curl_env_exfil' ||
+        t.type === 'env_proxy_intercept' ||
+        t.type === 'npmrc_access' ||
+        t.type === 'github_token_access' ||
+        t.type === 'aws_credential_access' ||
+        t.type === 'ssh_access'
+      );
+      return hasLifecycle && hasCredHarvest;
+    }
+  },
+  {
+    name: 'stub_with_external_dep',
+    description: 'Stub package with external HTTPS dep (ltidi chain)',
+    target: 'ltidi chain attack',
+    watchpoints: ['outbound_non_registry', 'fs_created_outside_install', 'execve_chain_depth'],
+    matches(threats) {
+      const hasStub = threats.some(t =>
+        t.type === 'stub_package_external_payload' ||
+        t.type === 'stub_package_external_dep' ||
+        t.type === 'stub_with_string_ioc'
+      );
+      const hasExternalDep = threats.some(t =>
+        t.type === 'external_tarball_dep' ||
+        t.type === 'dependency_url_suspicious' ||
+        t.type === 'git_dependency_rce' ||
+        t.type === 'lifecycle_script_dependency'
+      );
+      return hasStub && hasExternalDep;
+    }
+  },
+  {
+    name: 'obfuscated_oversize',
+    description: 'Obfuscation + large file + execution path',
+    target: 'Shai-Hulud bun_environment.js (10MB)',
+    watchpoints: ['runtime_deobfuscation_executed', 'execve_chain_depth', 'outbound_non_registry'],
+    matches(threats, fileSizes) {
+      const hasObf = threats.some(t =>
+        t.type === 'obfuscation_detected' ||
+        t.type === 'js_obfuscation_pattern' ||
+        t.type === 'possible_obfuscation' ||
+        t.type === 'split_entropy_payload' ||
+        t.type === 'fragmented_high_entropy_cluster' ||
+        t.type === 'high_entropy_string'
+      );
+      const hasExec = threats.some(t =>
+        t.type === 'dangerous_call_exec' ||
+        t.type === 'dangerous_exec' ||
+        t.type === 'detached_process' ||
+        t.type === 'staged_payload' ||
+        t.type === 'staged_binary_payload' ||
+        t.type === 'binary_dropper' ||
+        t.type === 'bun_runtime_evasion'
+      );
+      if (!hasObf || !hasExec) return false;
+      // Specificity gate: this compound only matches when at least one file
+      // exceeds 1MB. Without that, decrypt_then_execute below is more
+      // appropriate. Returns false (not undefined) when no size info to keep
+      // the more specific decrypt_then_execute match available.
+      if (!fileSizes || Object.keys(fileSizes).length === 0) return false;
+      return Object.values(fileSizes).some(size => typeof size === 'number' && size > 1024 * 1024);
+    }
+  },
+  {
+    name: 'decrypt_then_execute',
+    description: 'Obfuscation or XOR decoding + new Function or eval',
+    target: 'Axios 2026 OrDeR_7077',
+    watchpoints: ['runtime_deobfuscation_executed', 'outbound_non_registry'],
+    matches(threats) {
+      const hasDecrypt = threats.some(t =>
+        t.type === 'base64_decode' ||
+        t.type === 'base64_decode_exec' ||
+        t.type === 'obfuscation_detected' ||
+        t.type === 'js_obfuscation_pattern' ||
+        t.type === 'crypto_decipher' ||
+        t.type === 'staged_eval_decode' ||
+        t.type === 'env_charcode_reconstruction' ||
+        t.type === 'string_mutation_obfuscation' ||
+        t.type === 'self_destruct_eval' ||
+        t.type === 'anti_forensic_xor_autodelete' ||
+        t.type === 'anti_forensic_partial' ||
+        t.type === 'wget_base64_decode'
+      );
+      const hasExec = threats.some(t =>
+        t.type === 'dangerous_call_eval' ||
+        t.type === 'dangerous_call_function' ||
+        t.type === 'dangerous_constructor' ||
+        t.type === 'function_runtime_args' ||
+        t.type === 'function_constructor_require' ||
+        t.type === 'staged_payload' ||
+        t.type === 'fetch_decrypt_exec' ||
+        t.type === 'vm_dynamic_code' ||
+        t.type === 'vm_code_execution' ||
+        t.type === 'reflect_code_execution' ||
+        t.type === 'callback_exec_rce' ||
+        t.type === 'eval_usage'
+      );
+      return hasDecrypt && hasExec;
+    }
+  },
+  {
+    name: 'invisible_blockchain',
+    description: 'Unicode invisible decoder + blockchain RPC endpoint',
+    target: 'GlassWorm',
+    watchpoints: ['outbound_blockchain_rpc', 'runtime_deobfuscation_executed'],
+    matches(threats) {
+      const hasInvisible = threats.some(t =>
+        t.type === 'unicode_invisible_injection' ||
+        t.type === 'unicode_variation_decoder'
+      );
+      const hasBlockchain = threats.some(t =>
+        t.type === 'blockchain_c2_resolution' ||
+        t.type === 'blockchain_rpc_endpoint'
+      );
+      return hasInvisible && hasBlockchain;
+    }
+  },
+  {
+    name: 'npm_token_self_use',
+    description: 'npmrc access + outbound HTTP or npm CLI invocation pattern',
+    target: 'CanisterWorm',
+    watchpoints: ['npm_self_invoke', 'honey_npmrc_read', 'outbound_non_registry'],
+    matches(threats) {
+      const hasNpmrc = threats.some(t =>
+        t.type === 'npmrc_access' ||
+        t.type === 'npmrc_git_override' ||
+        t.type === 'npm_token_steal' ||
+        t.type === 'npm_publish_worm'
+      );
+      const hasOutbound = threats.some(t =>
+        t.type === 'curl_exfiltration' ||
+        t.type === 'curl_env_exfil' ||
+        t.type === 'github_api_call' ||
+        t.type === 'remote_code_load' ||
+        t.type === 'network_require' ||
+        t.type === 'websocket_credential_exfil' ||
+        t.type === 'websocket_c2' ||
+        t.type === 'dns_chunk_exfiltration' ||
+        t.type === 'staged_payload' ||
+        t.type === 'fetch_decrypt_exec'
+      );
+      return hasNpmrc && hasOutbound;
+    }
+  }
+];
+
+/**
+ * Evaluate whether the static threat set warrants sandbox activation.
+ *
+ * @param {Array<{type:string,severity:string}>} threats - Deduplicated static threats.
+ * @param {number} score - Preliminary static score.
+ * @param {object} [fileSizes] - Map relative-path -> bytes (used by obfuscated_oversize).
+ * @returns {{shouldRun:boolean, compound:string|null, watchpoints:string[], reason:string}}
+ */
+function evaluateSandboxTrigger(threats, score, fileSizes) {
+  if (!Array.isArray(threats)) {
+    return { shouldRun: false, compound: null, watchpoints: [], reason: 'no threats array' };
+  }
+  if (typeof score !== 'number' || Number.isNaN(score)) {
+    return { shouldRun: false, compound: null, watchpoints: [], reason: 'invalid score' };
+  }
+  if (score < SANDBOX_TRIGGER_MIN_SCORE) {
+    return { shouldRun: false, compound: null, watchpoints: [], reason: 'score below window' };
+  }
+  if (score > SANDBOX_TRIGGER_MAX_SCORE) {
+    return { shouldRun: false, compound: null, watchpoints: [], reason: 'score above window' };
+  }
+  for (const trigger of TRIGGERS) {
+    let matched = false;
+    try {
+      matched = trigger.matches(threats, fileSizes || {});
+    } catch (e) {
+      matched = false;
+    }
+    if (matched) {
+      return {
+        shouldRun: true,
+        compound: trigger.name,
+        watchpoints: trigger.watchpoints.slice(),
+        reason: trigger.description
+      };
+    }
+  }
+  return { shouldRun: false, compound: null, watchpoints: [], reason: 'no compound matched' };
+}
+
+module.exports = {
+  evaluateSandboxTrigger,
+  TRIGGERS,
+  SANDBOX_TRIGGER_MIN_SCORE,
+  SANDBOX_TRIGGER_MAX_SCORE
+};

package/src/scoring.js

@@ -447,7 +447,16 @@ const REACHABILITY_EXEMPT_TYPES = new Set([
   'pypi_malicious_package',
   'ai_config_injection', 'ai_config_injection_compound',
   'detached_credential_exfil', // DPRK/Lazarus: invoked via lifecycle, not require/import
-  'native_addon_install' // binding.gyp executes during npm install but isn't require()'d
+  'native_addon_install', // binding.gyp executes during npm install but isn't require()'d
+  // Staged loader pattern (chai-* / poxios-chain campaign 2026-05): the malicious
+  // file is loaded indirectly (transport.js requires caller.js) and reachability
+  // resolution can fail, demoting CRITICAL to LOW. These types are unambiguously
+  // malicious — no legitimate code shadows process, calls Function.constructor("require"),
+  // or self-destructs after running new Function(...).
+  'function_constructor_require',  // AST-086 — Function.constructor("require", body)
+  'process_variable_shadow',       // AST-087 — const process = {env:{...}}
+  'function_runtime_args',         // AST-090 — new Function('require','__dirname',...)
+  'self_destruct_eval'             // AST-089 — dynamic exec + unlink __filename
 ]);
 
 // ============================================
@@ -569,6 +578,20 @@ const SCORING_COMPOUNDS = [
     message: 'Stub package with external URL dep + known string IOC — chain-attack staging package (scoring compound).',
     fileFrom: 'ioc_string_match'
   },
+  // Security review 2026-05-09 — chai-* / poxios-chain / express-guardrail / justenv
+  // campaign. Pattern: fork pino + caller.js with `const process = {env: {DEV_API_KEY: <base64>}}`
+  // + axios.get(decoded URL) + new Function.constructor("require", body). The package
+  // body is otherwise legitimate pino code — only the injected file is malicious.
+  // Each individual signal is already CRITICAL/HIGH but reachability/per-file scoring
+  // can demote them. The compound recovers the signal when 2+ co-occur in the same file.
+  {
+    type: 'staged_remote_loader',
+    requires: ['function_constructor_require', 'process_variable_shadow'],
+    severity: 'CRITICAL',
+    message: 'Function.constructor("require", body) + shadowed process env in same file — staged remote loader (chai-* / poxios-chain pattern). Payload fetched at runtime from external paste service.',
+    fileFrom: 'function_constructor_require',
+    sameFile: true
+  },
 ];
 
 /**