muaddib-scanner 2.11.6 → 2.11.8

package/.env.example

@@ -0,0 +1,31 @@
+# MUAD'DIB environment variables — template
+# Copy to .env (local dev) or /opt/muaddib/.env (VPS) and fill in real values.
+# .env files are gitignored. NEVER commit a real token.
+
+# ----------------------------------------------------------------------------
+# Threat-feed API tokens (all OPTIONAL — scrapers degrade gracefully if absent)
+# ----------------------------------------------------------------------------
+
+# OpenSourceMalware.com — community-verified threat intel
+# Free tier: 60 req/min, /query-latest gives 100 most recent threats per ecosystem.
+# Sign up + generate at: https://opensourcemalware.com/auth → profile → API Tokens
+# Format: osm_<random-32+chars>
+# Used by: src/ioc/scraper.js → scrapeOSMQueryLatest()
+OSM_API_TOKEN=
+
+# ----------------------------------------------------------------------------
+# Webhook destinations (optional — monitor alerts)
+# ----------------------------------------------------------------------------
+
+# Discord webhook for monitor alerts (P1/P2/P3 triage)
+# DISCORD_WEBHOOK_URL=
+
+# ----------------------------------------------------------------------------
+# Tuning gates (already documented in deploy/muaddib-monitor.service)
+# ----------------------------------------------------------------------------
+
+# MUADDIB_FN_REACHABILITY=1
+# MUADDIB_DECAY=1
+# MUADDIB_MATURE_CAP=1
+# MUADDIB_METADATA_FACTOR=1
+# MUADDIB_DELTA_MODE=1

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines **14 parallel scanners** (209 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring**, **ML classifiers** (XGBoost), and gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages.
+MUAD'DIB combines **16 parallel scanners** (223 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring**, **ML classifiers** (XGBoost), and gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages.
 
 ---
 
@@ -176,7 +176,7 @@ muaddib replay                     # Ground truth validation (61/65 TPR@3)
 
 ## Features
 
-### 14 parallel scanners
+### 16 parallel scanners
 
 | Scanner | Detection |
 |---------|-----------|
@@ -194,8 +194,11 @@ muaddib replay                     # Ground truth validation (61/65 TPR@3)
 | Package/Dependencies | Lifecycle scripts, IOC matching (225K+ packages) |
 | GitHub Actions | Shai-Hulud backdoor detection |
 | Hash Scanner | Known malicious file hashes |
+| IOC Strings (intel-triage P1.1) | YARA-style string matching (Axios 2026, TeamPCP, GlassWorm, CanisterSprawl) |
+| Anti-Forensic AST (intel-triage P1.2) | XOR loop + self-delete + decoy write compound (csec autodelete) |
+| Stub Package (intel-triage P1.3) | Tiny main file + external dep URL + lifecycle hook (ltidi chain) |
 
-### 209 detection rules
+### 223 detection rules
 
 All rules are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21021) for the complete rules reference.
 
@@ -271,7 +274,7 @@ With pre-commit framework:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.10.97
+    rev: v2.11.6
     hooks:
       - id: muaddib-scan
 ```
@@ -292,7 +295,7 @@ repos:
 | **FPR** (Benign random, v2.10.95 measure) | **7.0%** (14/200) | 200 random npm packages, stratified sampling |
 | **ADR** (Adversarial + Holdout) | **96.3%** (103/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
 
-**3280 tests** across 69 files. **209 rules** (204 RULES + 5 PARANOID).
+**3529 tests** across 89 files. **223 rules** (218 RULES + 5 PARANOID).
 
 > **ML retrain methodology (v2.10.51):**
 > - Ground truth: 377 confirmed_malicious via auto-labeler (OSSF malicious-packages, GitHub Advisory Database, npm registry takedown correlation)
@@ -340,7 +343,7 @@ npm test
 
 ### Testing
 
-- **3280 tests** across 69 modular test files
+- **3529 tests** across 89 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 67 real-world attacks (93.85% TPR@3, 86.2% TPR@20 — v2.10.95 measure)
@@ -361,7 +364,7 @@ npm test
 - [Documentation Index](docs/INDEX.md) - All documentation in one place
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
-- [Security Policy](SECURITY.md) - Detection rules reference (209 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (223 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.6",
+  "version": "2.11.8",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -46,7 +46,7 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@inquirer/prompts": "8.4.1",
+    "@inquirer/prompts": "8.4.2",
     "acorn": "8.16.0",
     "acorn-walk": "8.3.5",
     "adm-zip": "0.5.17",
@@ -57,8 +57,8 @@
   },
   "devDependencies": {
     "@eslint/js": "10.0.1",
-    "eslint": "10.2.1",
+    "eslint": "10.3.0",
     "eslint-plugin-security": "^4.0.0",
-    "globals": "17.5.0"
+    "globals": "17.6.0"
   }
 }

package/src/ioc/scraper.js

@@ -980,8 +980,8 @@ async function scrapeGitHubAdvisory() {
 // ============================================
 async function runScraper() {
   console.log('\n' + '='.repeat(60));
-  console.log('  MUAD\'DIB IOC Scraper v4.0');
-  console.log('  OSV + OSSF + GenSecAI + DataDog + Snyk');
+  console.log('  MUAD\'DIB IOC Scraper v4.1');
+  console.log('  OSV + OSSF + GenSecAI + DataDog + Aikido + OSM');
   console.log('='.repeat(60) + '\n');
 
   // Reset aggregated warning counters
@@ -1038,7 +1038,8 @@ async function runScraper() {
     scrapeOSSFMaliciousPackages(osvResult.knownIds),
     scrapeGitHubAdvisory(),
     scrapeOSVPyPIDataDump(),
-    scrapeAikidoMalwareFeed()
+    scrapeAikidoMalwareFeed(),
+    scrapeOSMQueryLatest()
   ]);
 
   const shaiHuludResult = results[0];
@@ -1047,6 +1048,7 @@ async function runScraper() {
   const githubPackages = results[3];
   const pypiPackages = results[4];
   const aikidoResult = results[5];
+  const osmResult = results[6];
 
   // Log aggregated warnings
   if (_noVersionSkipCount > 0) {
@@ -1060,7 +1062,8 @@ async function runScraper() {
     ...datadogResult.packages,
     ...ossfPackages,
     ...githubPackages,
-    ...aikidoResult.packages
+    ...aikidoResult.packages,
+    ...osmResult.packages
   ];
 
   // Merge all hashes
@@ -1072,7 +1075,7 @@ async function runScraper() {
   // Smart deduplication: build map of best entry per key
   // For duplicates, keep the one with highest confidence, then most recent date
   const dedupSpinner = new Spinner();
-  dedupSpinner.start('Deduplicating ' + allPackages.length + ' npm + ' + (pypiPackages.length + (aikidoResult.pypi_packages || []).length) + ' PyPI entries...');
+  dedupSpinner.start('Deduplicating ' + allPackages.length + ' npm + ' + (pypiPackages.length + (aikidoResult.pypi_packages || []).length + (osmResult.pypi_packages || []).length) + ' PyPI entries...');
   const dedupMap = new Map();
 
   // Seed with existing IOCs (with sanitization of stale comma-in-version entries)
@@ -1173,7 +1176,7 @@ async function runScraper() {
   }
   let addedPyPIPackages = 0;
   // Merge Aikido PyPI feed into the same loop
-  const allPyPIPackages = pypiPackages.concat(aikidoResult.pypi_packages || []);
+  const allPyPIPackages = pypiPackages.concat(aikidoResult.pypi_packages || [], osmResult.pypi_packages || []);
   for (const pkg of allPyPIPackages) {
     if (!validateIOCEntry(pkg.name, pkg.version, 'pypi')) {
       skippedInvalid++;
@@ -1411,6 +1414,131 @@ async function scrapeAikidoMalwareFeed() {
   return { packages: npmPackages, pypi_packages: pypiPackages };
 }
 
+// ============================================
+// SOURCE 7: OpenSourceMalware.com (community-verified threat intel)
+// Free tier: 60 req/min, /query-latest returns 100 most recent verified threats per
+// ecosystem. Token stored in OSM_API_TOKEN env var (NEVER hardcoded — public repo).
+// API: https://api.opensourcemalware.com/functions/v1/query-latest?ecosystem={npm|pypi}
+// Docs: https://docs.opensourcemalware.com/api/query-latest.md
+// Rate-limit ref: https://docs.opensourcemalware.com/api/rate-limits.md
+// ============================================
+async function scrapeOSMQueryLatest() {
+  console.log('[SCRAPER] OpenSourceMalware.com query-latest...');
+  const token = process.env.OSM_API_TOKEN;
+  if (!token) {
+    console.log('[SCRAPER]   OSM_API_TOKEN not set — skipping (graceful, no error).');
+    return { packages: [], pypi_packages: [] };
+  }
+  // Defensive token shape check (don't log the value)
+  if (typeof token !== 'string' || !token.startsWith('osm_') || token.length < 16) {
+    console.log('[SCRAPER]   OSM_API_TOKEN malformed (expected osm_<chars>) — skipping.');
+    return { packages: [], pypi_packages: [] };
+  }
+
+  const npmPackages = [];
+  const pypiPackages = [];
+  const headers = { Authorization: 'Bearer ' + token };
+
+  // Map OSM severity_level (low/medium/high/critical) to MUAD'DIB severity (lowercase).
+  // OSM doesn't always populate severity; default to 'high' (verified threats are high-confidence by definition).
+  function mapSeverity(s) {
+    if (!s || typeof s !== 'string') return 'high';
+    const v = s.toLowerCase().trim();
+    if (v === 'low' || v === 'medium' || v === 'high' || v === 'critical') return v;
+    return 'high';
+  }
+
+  function buildReferences(threat, ecosystem) {
+    const refs = [];
+    if (threat.osv_advisory_url && typeof threat.osv_advisory_url === 'string') refs.push(threat.osv_advisory_url);
+    if (threat.ghsa_advisory_url && typeof threat.ghsa_advisory_url === 'string') refs.push(threat.ghsa_advisory_url);
+    // Canonical OSM page for this threat. Best-effort URL — if 404 it's harmless metadata.
+    if (threat.package_name) {
+      refs.push('https://opensourcemalware.com/' + ecosystem + '/' + encodeURIComponent(threat.package_name));
+    }
+    return refs;
+  }
+
+  function buildDescription(threat) {
+    const parts = [];
+    if (threat.threat_description) parts.push(String(threat.threat_description));
+    if (Array.isArray(threat.tags) && threat.tags.length > 0) {
+      parts.push('Tags: ' + threat.tags.filter(t => typeof t === 'string').join(', '));
+    }
+    if (threat.researcher) parts.push('Reporter: ' + String(threat.researcher));
+    return parts.length > 0 ? parts.join(' — ') : 'Verified by OpenSourceMalware.com community';
+  }
+
+  async function pull(ecosystem, target) {
+    try {
+      const { status, data } = await fetchJSON(
+        'https://api.opensourcemalware.com/functions/v1/query-latest?ecosystem=' + encodeURIComponent(ecosystem),
+        { headers }
+      );
+      if (status === 401 || status === 403) {
+        console.log('[SCRAPER]   OSM ' + ecosystem + ': HTTP ' + status + ' — token rejected, check OSM_API_TOKEN.');
+        return;
+      }
+      if (status !== 200) {
+        console.log('[SCRAPER]   OSM ' + ecosystem + ' feed: HTTP ' + status);
+        return;
+      }
+      if (!data || !Array.isArray(data.threats)) {
+        console.log('[SCRAPER]   OSM ' + ecosystem + ' feed: unexpected response shape (no threats[]).');
+        return;
+      }
+      let count = 0;
+      for (const t of data.threats) {
+        if (!t || typeof t.package_name !== 'string' || t.package_name.length === 0) continue;
+        // OSM verifies report_type === 'package' threats. Skip anything else (repository/url/domain).
+        // The query is filtered by ecosystem, but defensive check on registry field.
+        if (t.report_type && t.report_type !== 'package') continue;
+        // Normalize version: OSM uses free-form strings ('all', 'any', 'unknown', null, etc.)
+        // Wildcard placeholders must be MUAD'DIB's canonical '*' so the IOC matcher hits.
+        let ver = '*';
+        if (t.version_info && typeof t.version_info === 'string') {
+          const trimmed = t.version_info.trim();
+          const lc = trimmed.toLowerCase();
+          if (trimmed !== '' && lc !== 'all' && lc !== 'any' && lc !== 'unknown' && lc !== '*' && lc !== 'n/a') {
+            ver = trimmed;
+          }
+        }
+        const severity = mapSeverity(t.severity_level);
+        const addedAt = t.verified_at || t.created_at || t.first_seen || new Date().toISOString();
+        const idPrefix = ecosystem === 'pypi' ? 'OSM-PYPI-' : 'OSM-';
+        target.push({
+          id: idPrefix + t.package_name + '-' + ver,
+          name: t.package_name,
+          version: ver,
+          severity: severity,
+          confidence: 'high',
+          source: 'osm',
+          description: buildDescription(t),
+          references: buildReferences(t, ecosystem),
+          mitre: 'T1195.002',
+          freshness: {
+            added_at: addedAt,
+            source: 'osm',
+            confidence: 'high'
+          }
+        });
+        count++;
+      }
+      console.log('[SCRAPER]   ' + count + ' ' + ecosystem + ' verified threats from OSM');
+    } catch (e) {
+      // Defensive: do NOT echo any token-bearing URL or header in the error.
+      console.log('[SCRAPER]   OSM ' + ecosystem + ' error: ' + (e && e.message ? e.message : 'unknown'));
+    }
+  }
+
+  // Sequential (not parallel): keeps us well under the 60 req/min rate limit
+  // and gives clearer logs. Two ecosystems = ~200ms total.
+  await pull('npm', npmPackages);
+  await pull('pypi', pypiPackages);
+
+  return { packages: npmPackages, pypi_packages: pypiPackages };
+}
+
 // ============================================
 // SOURCE 5: OSV.dev Lightweight API
 // Used by `muaddib update` (fast, no zip download)
@@ -1529,6 +1657,7 @@ function getSourceConfidence(pkg) {
 module.exports = {
   runScraper, scrapeShaiHuludDetector, scrapeDatadogIOCs,
   scrapeAikidoMalwareFeed,
+  scrapeOSMQueryLatest,
   scrapeOSVLightweightAPI, queryOSVBatch,
   getSourceConfidence,
   // Pure utility functions (exported for testing)

package/src/ioc/updater.js

@@ -39,25 +39,28 @@ async function updateIOCs() {
   mergeIOCs(baseIOCs, yamlStandard);
   console.log('[2/4] YAML IOCs: ' + yamlStandard.packages.length + ' packages, ' + yamlStandard.hashes.length + ' hashes');
 
-  // Step 3: Download additional IOCs from GitHub + OSV API (GenSecAI + DataDog + OSV lightweight)
-  const { scrapeShaiHuludDetector, scrapeDatadogIOCs, scrapeOSVLightweightAPI } = require('./scraper.js');
-  console.log('[3/4] Downloading GitHub + OSV API IOCs...');
+  // Step 3: Download additional IOCs from GitHub + OSV API (GenSecAI + DataDog + OSV lightweight + OSM)
+  // Light path: JSON/REST only, NO heavy zip dumps. Designed to be safe at 15min cadence.
+  // For the deep refresh (OSV zip dumps + OSSF + Aikido + GitHub Advisory), use `muaddib scrape` (~5min).
+  const { scrapeShaiHuludDetector, scrapeDatadogIOCs, scrapeOSVLightweightAPI, scrapeOSMQueryLatest } = require('./scraper.js');
+  console.log('[3/4] Downloading GitHub + OSV API + OSM IOCs...');
 
-  const [shaiHulud, datadog, osvApi] = await Promise.all([
+  const [shaiHulud, datadog, osvApi, osmResult] = await Promise.all([
     scrapeShaiHuludDetector(),
     scrapeDatadogIOCs(),
-    scrapeOSVLightweightAPI()
+    scrapeOSVLightweightAPI(),
+    scrapeOSMQueryLatest()
   ]);
 
   const githubIOCs = {
-    packages: [].concat(shaiHulud.packages, datadog.packages, osvApi),
-    pypi_packages: [],
+    packages: [].concat(shaiHulud.packages, datadog.packages, osvApi, osmResult.packages),
+    pypi_packages: (osmResult.pypi_packages || []).slice(),
     hashes: [].concat(shaiHulud.hashes || [], datadog.hashes || []),
     markers: [],
     files: []
   };
   mergeIOCs(baseIOCs, githubIOCs);
-  console.log('     +' + shaiHulud.packages.length + ' GenSecAI, +' + datadog.packages.length + ' DataDog, +' + osvApi.length + ' OSV API');
+  console.log('     +' + shaiHulud.packages.length + ' GenSecAI, +' + datadog.packages.length + ' DataDog, +' + osvApi.length + ' OSV API, +' + osmResult.packages.length + ' OSM npm, +' + (osmResult.pypi_packages || []).length + ' OSM PyPI');
 
   // Step 3b: Load existing cache IOCs (from bootstrap download or previous update)
   if (fs.existsSync(CACHE_IOC_FILE)) {

package/src/response/playbooks.js

@@ -149,6 +149,9 @@ const PLAYBOOKS = {
   stub_with_string_ioc:
     'CRITIQUE: Package stub + IOC string connu = staging chain-attack confirme. Bloquer le package + sa dep externe. Regenerer secrets si install effectue.',
 
+  staged_remote_loader:
+    'CRITIQUE: Staged remote loader detecte (Function.constructor("require", body) + process shadow). Le payload reel est sur un pastebin externe (jsonkeeper.com ou autre). Pattern campagne chai-* / poxios-chain. Bloquer le package, isoler les machines qui ont fait `npm install`, regenerer credentials. Inspecter l\'URL paste-service decodee depuis la base64.',
+
   known_malicious_hash:
     'CRITIQUE: Fichier malveillant confirme par hash. Supprimer immediatement. Considerer la machine compromise.',
 

package/src/rules/index.js

@@ -261,6 +261,18 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  staged_remote_loader: {
+    id: 'MUADDIB-COMPOUND-012',
+    name: 'Staged Remote Loader (Function.constructor + shadowed process)',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Compound: new Function.constructor("require", body) co-occurs with `const process = {...}` shadowing in the same file. Pattern observed in the chai-* / poxios-chain / express-guardrail / justenv campaign (semaine 2026-05-04 a 2026-05-09): fork de pino avec caller.js qui decode une URL base64 (jsonkeeper.com), fetch le payload distant via axios, et l\'execute via Function.constructor en passant require comme parametre. Le tarball npm ne contient aucun code malveillant statique — la charge utile est externalisee sur un pastebin.',
+    references: [
+      'project_detection_gap_chai_staged_loader memory entry',
+      'data/security-review-2026-05-04-10.md'
+    ],
+    mitre: 'T1059.007'
+  },
   lifecycle_script_dependency: {
     id: 'MUADDIB-DEP-004',
     name: 'Lifecycle Script in Dependency',
@@ -1798,7 +1810,7 @@ const RULES = {
   },
   dangerous_constructor: {
     id: 'MUADDIB-AST-057',
-    name: 'Prototype Chain Constructor Access',
+    name: 'AsyncFunction/GeneratorFunction Constructor via Prototype Chain',
     severity: 'CRITICAL',
     confidence: 'high',
     description: 'Acces au constructeur AsyncFunction ou GeneratorFunction via Object.getPrototypeOf(). Technique d\'evasion permettant d\'executer du code arbitraire sans reference directe a eval() ou Function().',
@@ -2312,7 +2324,7 @@ const RULES = {
   },
   prototype_chain_constructor: {
     id: 'MUADDIB-AST-081',
-    name: 'Prototype Chain Constructor Access',
+    name: 'Prototype Chain Constructor Access via Variable',
     severity: 'CRITICAL',
     confidence: 'high',
     description: 'Object.getPrototypeOf(variable).constructor extrait dans une variable — traversee de la chaine de prototypes pour atteindre le constructeur Function et executer du code arbitraire.',

package/src/runtime/monitor-feed.js

@@ -0,0 +1,241 @@
+'use strict';
+
+/**
+ * monitor-feed.js — Aggregator for /monitor HTTP endpoints.
+ *
+ * Reads the same persistent files the monitor writes to data/ and exposes
+ * three views consumed by muad-api -> muad-front:
+ *   - buildMonitorDaily()         today's stats from daily-stats.json
+ *   - buildMonitorWindow(range)   per-day rollup from scan-stats.json
+ *   - buildMonitorAll()           all-time totals + detection breakdown
+ *
+ * Defensive: every read is wrapped — missing files yield zeros, never throws.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const {
+  DAILY_STATS_FILE,
+  SCAN_STATS_FILE,
+  STATE_FILE,
+  LAST_DAILY_REPORT_FILE,
+  loadScanStats,
+  loadStateRaw,
+  loadLastDailyReportDate,
+  getDetectionStats,
+  getParisDateString
+} = require('../monitor/state.js');
+
+const pkg = require('../../package.json');
+
+const SUPPORTED_RANGES = new Set(['7d', '30d', 'all']);
+const RANGE_DAYS = { '7d': 7, '30d': 30 };
+
+function safeReadJson(file) {
+  try {
+    if (!fs.existsSync(file)) return null;
+    const raw = fs.readFileSync(file, 'utf8');
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+
+function emptyToday(date) {
+  return {
+    date,
+    scanned: 0,
+    clean: 0,
+    suspect: 0,
+    suspectByTier: { t1: 0, t1a: 0, t1b: 0, t2: 0, t3: 0 },
+    errors: 0,
+    errorsByType: { too_large: 0, tar_failed: 0, http_error: 0, timeout: 0, static_timeout: 0, other: 0 },
+    totalTimeMs: 0,
+    mlFiltered: 0,
+    llmAnalyzed: 0,
+    llmSuppressed: 0,
+    changesStreamPackages: 0
+  };
+}
+
+function readToday() {
+  const date = getParisDateString();
+  const data = safeReadJson(DAILY_STATS_FILE);
+  if (!data || typeof data.scanned !== 'number') return emptyToday(date);
+  return {
+    date,
+    scanned: data.scanned || 0,
+    clean: data.clean || 0,
+    suspect: data.suspect || 0,
+    suspectByTier: {
+      t1: (data.suspectByTier && data.suspectByTier.t1) || 0,
+      t1a: (data.suspectByTier && data.suspectByTier.t1a) || 0,
+      t1b: (data.suspectByTier && data.suspectByTier.t1b) || 0,
+      t2: (data.suspectByTier && data.suspectByTier.t2) || 0,
+      t3: (data.suspectByTier && data.suspectByTier.t3) || 0
+    },
+    errors: data.errors || 0,
+    errorsByType: {
+      too_large: (data.errorsByType && data.errorsByType.too_large) || 0,
+      tar_failed: (data.errorsByType && data.errorsByType.tar_failed) || 0,
+      http_error: (data.errorsByType && data.errorsByType.http_error) || 0,
+      timeout: (data.errorsByType && data.errorsByType.timeout) || 0,
+      static_timeout: (data.errorsByType && data.errorsByType.static_timeout) || 0,
+      other: (data.errorsByType && data.errorsByType.other) || 0
+    },
+    totalTimeMs: data.totalTimeMs || 0,
+    mlFiltered: data.mlFiltered || 0,
+    llmAnalyzed: data.llmAnalyzed || 0,
+    llmSuppressed: data.llmSuppressed || 0,
+    changesStreamPackages: data.changesStreamPackages || 0
+  };
+}
+
+function readLastReportAt() {
+  const fromFile = safeReadJson(LAST_DAILY_REPORT_FILE);
+  if (fromFile && typeof fromFile.lastReportDate === 'string') return fromFile.lastReportDate;
+  const date = loadLastDailyReportDate();
+  return date || null;
+}
+
+function readMonitorState() {
+  try {
+    return loadStateRaw() || {};
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Build the /monitor/daily payload.
+ */
+function buildMonitorDaily() {
+  const today = readToday();
+  const lastReportAt = readLastReportAt();
+  const monitorState = readMonitorState();
+
+  return {
+    generated_at: new Date().toISOString(),
+    engineVersion: pkg.version,
+    today,
+    lastReportAt,
+    monitor: {
+      npmLastPackage: monitorState.npmLastPackage || null,
+      pypiLastPackage: monitorState.pypiLastPackage || null,
+      lastDailyReportDate: monitorState.lastDailyReportDate || null
+    }
+  };
+}
+
+function emptyDayEntry(date) {
+  return {
+    date,
+    scanned: 0,
+    clean: 0,
+    suspect: 0,
+    false_positive: 0,
+    confirmed: 0,
+    sandbox_inconclusive: 0,
+    fp_rate: 0
+  };
+}
+
+function aggregateDays(days) {
+  const totals = { scanned: 0, clean: 0, suspect: 0, false_positive: 0, confirmed: 0, sandbox_inconclusive: 0 };
+  let fpRateSum = 0;
+  let fpRateCount = 0;
+  for (const d of days) {
+    totals.scanned += d.scanned || 0;
+    totals.clean += d.clean || 0;
+    totals.suspect += d.suspect || 0;
+    totals.false_positive += d.false_positive || 0;
+    totals.confirmed += d.confirmed || 0;
+    totals.sandbox_inconclusive += d.sandbox_inconclusive || 0;
+    if (typeof d.fp_rate === 'number' && d.fp_rate >= 0) {
+      fpRateSum += d.fp_rate;
+      fpRateCount++;
+    }
+  }
+  const fp_rate_avg = fpRateCount > 0 ? fpRateSum / fpRateCount : 0;
+  return { ...totals, fp_rate_avg: Math.round(fp_rate_avg * 1000) / 1000 };
+}
+
+/**
+ * Build the /monitor/window payload for a given range ('7d' | '30d').
+ */
+function buildMonitorWindow(range) {
+  if (!SUPPORTED_RANGES.has(range) || range === 'all') {
+    throw new Error(`Unsupported range: ${range}. Use 7d or 30d.`);
+  }
+  const days = RANGE_DAYS[range];
+  const data = loadScanStats();
+  const allDaily = Array.isArray(data.daily) ? data.daily : [];
+
+  const today = getParisDateString();
+  const todayMs = Date.parse(`${today}T00:00:00Z`);
+  const cutoffMs = todayMs - (days - 1) * 24 * 60 * 60 * 1000;
+
+  const inRange = allDaily.filter(d => {
+    if (!d || typeof d.date !== 'string') return false;
+    const ms = Date.parse(`${d.date}T00:00:00Z`);
+    return Number.isFinite(ms) && ms >= cutoffMs && ms <= todayMs;
+  });
+
+  const dateIndex = new Map(inRange.map(d => [d.date, d]));
+  const byDay = [];
+  for (let i = days - 1; i >= 0; i--) {
+    const ms = todayMs - i * 24 * 60 * 60 * 1000;
+    const dateStr = new Date(ms).toISOString().slice(0, 10);
+    byDay.push(dateIndex.get(dateStr) || emptyDayEntry(dateStr));
+  }
+
+  return {
+    generated_at: new Date().toISOString(),
+    engineVersion: pkg.version,
+    range,
+    from: byDay[0].date,
+    to: byDay[byDay.length - 1].date,
+    totals: aggregateDays(byDay),
+    byDay
+  };
+}
+
+/**
+ * Build the /monitor/stats payload (all-time totals + detection breakdown).
+ */
+function buildMonitorAll() {
+  const data = loadScanStats();
+  const stats = data.stats || {};
+  let detection = { total: 0, bySeverity: {}, byEcosystem: {}, leadTime: null };
+  try {
+    detection = getDetectionStats();
+  } catch {
+    // keep defaults
+  }
+  return {
+    generated_at: new Date().toISOString(),
+    engineVersion: pkg.version,
+    allTime: {
+      total_scanned: stats.total_scanned || 0,
+      clean: stats.clean || 0,
+      suspect: stats.suspect || 0,
+      false_positive: stats.false_positive || 0,
+      confirmed_malicious: stats.confirmed_malicious || 0,
+      sandbox_inconclusive: stats.sandbox_inconclusive || 0,
+      sandbox_unconfirmed: stats.sandbox_unconfirmed || 0
+    },
+    detectionStats: detection
+  };
+}
+
+module.exports = {
+  buildMonitorDaily,
+  buildMonitorWindow,
+  buildMonitorAll,
+  SUPPORTED_RANGES,
+  // exported for tests
+  _safeReadJson: safeReadJson,
+  _readToday: readToday,
+  _aggregateDays: aggregateDays
+};

package/src/sandbox/compound-triggers.js

@@ -0,0 +1,232 @@
+'use strict';
+
+// Sandbox-friendly compound triggers.
+// Surgical activation of the Docker sandbox only on threat patterns where
+// dynamic observation provides signal beyond static AST/regex analysis.
+// Targets 2026 attacks: Shai-Hulud, Axios 2026 (OrDeR_7077), GlassWorm,
+// PhantomRaven, CanisterWorm, ltidi chain.
+//
+// Activation rule: a compound matches AND preliminary score in [15, 35].
+//   score < 15  -> clean, no need to sandbox
+//   score > 35  -> already definitive, no second-tier verdict needed
+
+const SANDBOX_TRIGGER_MIN_SCORE = 15;
+const SANDBOX_TRIGGER_MAX_SCORE = 35;
+
+const TRIGGERS = [
+  {
+    name: 'lifecycle_install_chain',
+    description: 'Lifecycle script + credential tampering or harvest pattern',
+    target: 'Shai-Hulud, PhantomRaven',
+    watchpoints: ['honey_npmrc_read', 'honey_ssh_read', 'execve_chain_depth', 'outbound_non_registry'],
+    matches(threats) {
+      const hasLifecycle = threats.some(t =>
+        t.type === 'lifecycle_script' ||
+        t.type === 'lifecycle_added_critical' ||
+        t.type === 'lifecycle_added_high' ||
+        t.type === 'lifecycle_modified' ||
+        t.type === 'lifecycle_inline_exec' ||
+        t.type === 'lifecycle_remote_require' ||
+        t.type === 'lifecycle_dataflow' ||
+        t.type === 'lifecycle_dangerous_exec' ||
+        t.type === 'obfuscated_lifecycle_env' ||
+        t.type === 'lifecycle_typosquat' ||
+        t.type === 'lifecycle_shell_pipe' ||
+        t.type === 'lifecycle_hidden_payload'
+      );
+      const hasCredHarvest = threats.some(t =>
+        t.type === 'credential_regex_harvest' ||
+        t.type === 'credential_tampering' ||
+        t.type === 'credential_command_exec' ||
+        t.type === 'env_harvesting_dynamic' ||
+        t.type === 'curl_env_exfil' ||
+        t.type === 'env_proxy_intercept' ||
+        t.type === 'npmrc_access' ||
+        t.type === 'github_token_access' ||
+        t.type === 'aws_credential_access' ||
+        t.type === 'ssh_access'
+      );
+      return hasLifecycle && hasCredHarvest;
+    }
+  },
+  {
+    name: 'stub_with_external_dep',
+    description: 'Stub package with external HTTPS dep (ltidi chain)',
+    target: 'ltidi chain attack',
+    watchpoints: ['outbound_non_registry', 'fs_created_outside_install', 'execve_chain_depth'],
+    matches(threats) {
+      const hasStub = threats.some(t =>
+        t.type === 'stub_package_external_payload' ||
+        t.type === 'stub_package_external_dep' ||
+        t.type === 'stub_with_string_ioc'
+      );
+      const hasExternalDep = threats.some(t =>
+        t.type === 'external_tarball_dep' ||
+        t.type === 'dependency_url_suspicious' ||
+        t.type === 'git_dependency_rce' ||
+        t.type === 'lifecycle_script_dependency'
+      );
+      return hasStub && hasExternalDep;
+    }
+  },
+  {
+    name: 'obfuscated_oversize',
+    description: 'Obfuscation + large file + execution path',
+    target: 'Shai-Hulud bun_environment.js (10MB)',
+    watchpoints: ['runtime_deobfuscation_executed', 'execve_chain_depth', 'outbound_non_registry'],
+    matches(threats, fileSizes) {
+      const hasObf = threats.some(t =>
+        t.type === 'obfuscation_detected' ||
+        t.type === 'js_obfuscation_pattern' ||
+        t.type === 'possible_obfuscation' ||
+        t.type === 'split_entropy_payload' ||
+        t.type === 'fragmented_high_entropy_cluster' ||
+        t.type === 'high_entropy_string'
+      );
+      const hasExec = threats.some(t =>
+        t.type === 'dangerous_call_exec' ||
+        t.type === 'dangerous_exec' ||
+        t.type === 'detached_process' ||
+        t.type === 'staged_payload' ||
+        t.type === 'staged_binary_payload' ||
+        t.type === 'binary_dropper' ||
+        t.type === 'bun_runtime_evasion'
+      );
+      if (!hasObf || !hasExec) return false;
+      // Specificity gate: this compound only matches when at least one file
+      // exceeds 1MB. Without that, decrypt_then_execute below is more
+      // appropriate. Returns false (not undefined) when no size info to keep
+      // the more specific decrypt_then_execute match available.
+      if (!fileSizes || Object.keys(fileSizes).length === 0) return false;
+      return Object.values(fileSizes).some(size => typeof size === 'number' && size > 1024 * 1024);
+    }
+  },
+  {
+    name: 'decrypt_then_execute',
+    description: 'Obfuscation or XOR decoding + new Function or eval',
+    target: 'Axios 2026 OrDeR_7077',
+    watchpoints: ['runtime_deobfuscation_executed', 'outbound_non_registry'],
+    matches(threats) {
+      const hasDecrypt = threats.some(t =>
+        t.type === 'base64_decode' ||
+        t.type === 'base64_decode_exec' ||
+        t.type === 'obfuscation_detected' ||
+        t.type === 'js_obfuscation_pattern' ||
+        t.type === 'crypto_decipher' ||
+        t.type === 'staged_eval_decode' ||
+        t.type === 'env_charcode_reconstruction' ||
+        t.type === 'string_mutation_obfuscation' ||
+        t.type === 'self_destruct_eval' ||
+        t.type === 'anti_forensic_xor_autodelete' ||
+        t.type === 'anti_forensic_partial' ||
+        t.type === 'wget_base64_decode'
+      );
+      const hasExec = threats.some(t =>
+        t.type === 'dangerous_call_eval' ||
+        t.type === 'dangerous_call_function' ||
+        t.type === 'dangerous_constructor' ||
+        t.type === 'function_runtime_args' ||
+        t.type === 'function_constructor_require' ||
+        t.type === 'staged_payload' ||
+        t.type === 'fetch_decrypt_exec' ||
+        t.type === 'vm_dynamic_code' ||
+        t.type === 'vm_code_execution' ||
+        t.type === 'reflect_code_execution' ||
+        t.type === 'callback_exec_rce' ||
+        t.type === 'eval_usage'
+      );
+      return hasDecrypt && hasExec;
+    }
+  },
+  {
+    name: 'invisible_blockchain',
+    description: 'Unicode invisible decoder + blockchain RPC endpoint',
+    target: 'GlassWorm',
+    watchpoints: ['outbound_blockchain_rpc', 'runtime_deobfuscation_executed'],
+    matches(threats) {
+      const hasInvisible = threats.some(t =>
+        t.type === 'unicode_invisible_injection' ||
+        t.type === 'unicode_variation_decoder'
+      );
+      const hasBlockchain = threats.some(t =>
+        t.type === 'blockchain_c2_resolution' ||
+        t.type === 'blockchain_rpc_endpoint'
+      );
+      return hasInvisible && hasBlockchain;
+    }
+  },
+  {
+    name: 'npm_token_self_use',
+    description: 'npmrc access + outbound HTTP or npm CLI invocation pattern',
+    target: 'CanisterWorm',
+    watchpoints: ['npm_self_invoke', 'honey_npmrc_read', 'outbound_non_registry'],
+    matches(threats) {
+      const hasNpmrc = threats.some(t =>
+        t.type === 'npmrc_access' ||
+        t.type === 'npmrc_git_override' ||
+        t.type === 'npm_token_steal' ||
+        t.type === 'npm_publish_worm'
+      );
+      const hasOutbound = threats.some(t =>
+        t.type === 'curl_exfiltration' ||
+        t.type === 'curl_env_exfil' ||
+        t.type === 'github_api_call' ||
+        t.type === 'remote_code_load' ||
+        t.type === 'network_require' ||
+        t.type === 'websocket_credential_exfil' ||
+        t.type === 'websocket_c2' ||
+        t.type === 'dns_chunk_exfiltration' ||
+        t.type === 'staged_payload' ||
+        t.type === 'fetch_decrypt_exec'
+      );
+      return hasNpmrc && hasOutbound;
+    }
+  }
+];
+
+/**
+ * Evaluate whether the static threat set warrants sandbox activation.
+ *
+ * @param {Array<{type:string,severity:string}>} threats - Deduplicated static threats.
+ * @param {number} score - Preliminary static score.
+ * @param {object} [fileSizes] - Map relative-path -> bytes (used by obfuscated_oversize).
+ * @returns {{shouldRun:boolean, compound:string|null, watchpoints:string[], reason:string}}
+ */
+function evaluateSandboxTrigger(threats, score, fileSizes) {
+  if (!Array.isArray(threats)) {
+    return { shouldRun: false, compound: null, watchpoints: [], reason: 'no threats array' };
+  }
+  if (typeof score !== 'number' || Number.isNaN(score)) {
+    return { shouldRun: false, compound: null, watchpoints: [], reason: 'invalid score' };
+  }
+  if (score < SANDBOX_TRIGGER_MIN_SCORE) {
+    return { shouldRun: false, compound: null, watchpoints: [], reason: 'score below window' };
+  }
+  if (score > SANDBOX_TRIGGER_MAX_SCORE) {
+    return { shouldRun: false, compound: null, watchpoints: [], reason: 'score above window' };
+  }
+  for (const trigger of TRIGGERS) {
+    let matched = false;
+    try {
+      matched = trigger.matches(threats, fileSizes || {});
+    } catch (e) {
+      matched = false;
+    }
+    if (matched) {
+      return {
+        shouldRun: true,
+        compound: trigger.name,
+        watchpoints: trigger.watchpoints.slice(),
+        reason: trigger.description
+      };
+    }
+  }
+  return { shouldRun: false, compound: null, watchpoints: [], reason: 'no compound matched' };
+}
+
+module.exports = {
+  evaluateSandboxTrigger,
+  TRIGGERS,
+  SANDBOX_TRIGGER_MIN_SCORE,
+  SANDBOX_TRIGGER_MAX_SCORE
+};

package/src/scoring.js

@@ -447,7 +447,16 @@ const REACHABILITY_EXEMPT_TYPES = new Set([
   'pypi_malicious_package',
   'ai_config_injection', 'ai_config_injection_compound',
   'detached_credential_exfil', // DPRK/Lazarus: invoked via lifecycle, not require/import
-  'native_addon_install' // binding.gyp executes during npm install but isn't require()'d
+  'native_addon_install', // binding.gyp executes during npm install but isn't require()'d
+  // Staged loader pattern (chai-* / poxios-chain campaign 2026-05): the malicious
+  // file is loaded indirectly (transport.js requires caller.js) and reachability
+  // resolution can fail, demoting CRITICAL to LOW. These types are unambiguously
+  // malicious — no legitimate code shadows process, calls Function.constructor("require"),
+  // or self-destructs after running new Function(...).
+  'function_constructor_require',  // AST-086 — Function.constructor("require", body)
+  'process_variable_shadow',       // AST-087 — const process = {env:{...}}
+  'function_runtime_args',         // AST-090 — new Function('require','__dirname',...)
+  'self_destruct_eval'             // AST-089 — dynamic exec + unlink __filename
 ]);
 
 // ============================================
@@ -569,6 +578,20 @@ const SCORING_COMPOUNDS = [
     message: 'Stub package with external URL dep + known string IOC — chain-attack staging package (scoring compound).',
     fileFrom: 'ioc_string_match'
   },
+  // Security review 2026-05-09 — chai-* / poxios-chain / express-guardrail / justenv
+  // campaign. Pattern: fork pino + caller.js with `const process = {env: {DEV_API_KEY: <base64>}}`
+  // + axios.get(decoded URL) + new Function.constructor("require", body). The package
+  // body is otherwise legitimate pino code — only the injected file is malicious.
+  // Each individual signal is already CRITICAL/HIGH but reachability/per-file scoring
+  // can demote them. The compound recovers the signal when 2+ co-occur in the same file.
+  {
+    type: 'staged_remote_loader',
+    requires: ['function_constructor_require', 'process_variable_shadow'],
+    severity: 'CRITICAL',
+    message: 'Function.constructor("require", body) + shadowed process env in same file — staged remote loader (chai-* / poxios-chain pattern). Payload fetched at runtime from external paste service.',
+    fileFrom: 'function_constructor_require',
+    sameFile: true
+  },
 ];
 
 /**