muaddib-scanner 2.11.68 → 2.11.70

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.68",
+  "version": "2.11.70",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.68.json → self-scan-v2.11.70.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-07T13:41:08.649Z",
+  "timestamp": "2026-06-07T15:33:14.219Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/classify.js

@@ -75,7 +75,9 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   'ide_hook_autoexec',                     // .claude/settings.json SessionStart hook, .vscode/tasks.json folderOpen (Shai-Hulud)
   'workflow_secrets_dump',                  // toJSON(secrets) in GitHub Actions workflow (Shai-Hulud)
   // Phantom Gyp 2026-06: binding.gyp command-substitution = install-time RCE, quasi-never legit in benign packages
-  'gyp_command_exec'
+  'gyp_command_exec',
+  // Phantom Gyp compound (Phase 1b): configure-time <!(node x.js) × independently-malicious invoked file
+  'gyp_phantom_exec'
 ]);
 
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/monitor/deferred-sandbox.js

@@ -37,6 +37,25 @@ const DEFERRED_MIN_SCORE = 5;
 // (90s) + the sandbox watchdog grace; this AbortController is belt-and-suspenders.
 const DEFERRED_SANDBOX_TIMEOUT_MS = 150_000;
 
+// Tier priority for the deferred queue. Phase 3 routes T1a's sandbox here (async)
+// instead of block-waiting a scan worker, so T1a is the highest-confidence tier and
+// must be processed first and evicted last — it must never sit behind a high-score
+// T1b/T2. Minimal blast radius: ONLY T1a is elevated (rank 0); T1b and T2 keep the
+// same rank (1) so their existing riskScore-DESC ordering between them is unchanged.
+// Map (not a plain object) keeps numeric tier 2 and string tiers distinct and avoids
+// an object-injection sink.
+const _TIER_RANK = new Map([['1a', 0], ['1b', 1], [2, 1]]);
+function _tierRank(tier) {
+  return _TIER_RANK.has(tier) ? _TIER_RANK.get(tier) : 1;
+}
+function _deferredCompare(a, b) {
+  const r = _tierRank(a.tier) - _tierRank(b.tier);
+  return r !== 0 ? r : (b.riskScore - a.riskScore);
+}
+function _tierLabel(tier) {
+  return tier === '1a' ? 'T1a' : tier === 2 ? 'T2' : 'T1b';
+}
+
 // ── Mutable state ──
 const _deferredQueue = [];
 const _deferredSeen = new Set(); // name@version dedup
@@ -55,8 +74,10 @@ let _deferredSlotBusy = false;   // Dedicated slot: true while deferred sandbox
  * @returns {boolean} true if enqueued, false if rejected
  */
 function enqueueDeferred(item) {
-  // Guard: only T1b and T2 are allowed
-  if (item.tier !== '1b' && item.tier !== 2) {
+  // Guard: T1a (Phase 3 async-routed high-confidence tier), T1b and T2 are eligible.
+  // T1a was previously block-waited in the scan worker; it now runs on the dedicated
+  // deferred slot at top priority (see _deferredCompare).
+  if (item.tier !== '1a' && item.tier !== '1b' && item.tier !== 2) {
     console.error(`[DEFERRED] REJECTED: ${item.name}@${item.version} — tier ${item.tier} not eligible`);
     return false;
   }
@@ -74,9 +95,11 @@ function enqueueDeferred(item) {
   // still warrant sandbox verification — an adversary could otherwise
   // tune their malware to fire only LOW-severity TIER1 patterns to
   // bypass sandbox entirely.
+  // T1a is high-confidence malice by classification — it always bypasses the
+  // min-score floor (it must never be dropped before its sandbox runs).
   const itemThreats = (item.staticResult && item.staticResult.threats) || [];
   const hasTier1Signal = itemThreats.some(t => TIER1_TYPES.has(t.type));
-  if ((item.riskScore || 0) < DEFERRED_MIN_SCORE && !hasTier1Signal) {
+  if (item.tier !== '1a' && (item.riskScore || 0) < DEFERRED_MIN_SCORE && !hasTier1Signal) {
     console.error(`[DEFERRED] REJECTED: ${item.name}@${item.version} — score=${item.riskScore || 0} below minimum ${DEFERRED_MIN_SCORE}, no TIER1 signal (possible classification regression)`);
     return false;
   }
@@ -89,16 +112,18 @@ function enqueueDeferred(item) {
     return false;
   }
 
-  // Queue full — evict lowest or reject
+  // Queue full — evict the lowest-priority item (by tier then score) if the new
+  // item outranks it, else reject. Tier-aware so a T1a can always displace a
+  // lower-tier item even when its score is lower.
   if (_deferredQueue.length >= DEFERRED_QUEUE_MAX) {
     const lowest = _deferredQueue[_deferredQueue.length - 1];
-    if (item.riskScore > lowest.riskScore) {
+    if (_deferredCompare(item, lowest) < 0) {
       const evictKey = `${lowest.name}@${lowest.version}`;
       _deferredQueue.pop();
       _deferredSeen.delete(evictKey);
-      console.log(`[DEFERRED] EVICTED: ${evictKey} (score=${lowest.riskScore}) to make room for ${key} (score=${item.riskScore})`);
+      console.log(`[DEFERRED] EVICTED: ${evictKey} (${_tierLabel(lowest.tier)}, score=${lowest.riskScore}) to make room for ${key} (${_tierLabel(item.tier)}, score=${item.riskScore})`);
     } else {
-      console.log(`[DEFERRED] QUEUE FULL: ${key} (score=${item.riskScore}) rejected — all ${DEFERRED_QUEUE_MAX} items have higher scores`);
+      console.log(`[DEFERRED] QUEUE FULL: ${key} (${_tierLabel(item.tier)}, score=${item.riskScore}) rejected — all ${DEFERRED_QUEUE_MAX} items rank higher`);
       return false;
     }
   }
@@ -122,9 +147,9 @@ function enqueueDeferred(item) {
     };
   }
   delete item.npmRegistryMeta;
-  // Sort by riskScore DESC (highest first)
-  _deferredQueue.sort((a, b) => b.riskScore - a.riskScore);
-  console.log(`[DEFERRED] ENQUEUED: ${key} (tier=${item.tier === 2 ? 'T2' : 'T1b'}, score=${item.riskScore}, queue=${_deferredQueue.length})`);
+  // Sort by tier priority then riskScore DESC (T1a first, then highest score)
+  _deferredQueue.sort(_deferredCompare);
+  console.log(`[DEFERRED] ENQUEUED: ${key} (tier=${_tierLabel(item.tier)}, score=${item.riskScore}, queue=${_deferredQueue.length})`);
   return true;
 }
 
@@ -133,9 +158,10 @@ function getDeferredQueue() {
 }
 
 function getDeferredQueueStats() {
-  const tierBreakdown = { t1b: 0, t2: 0 };
+  const tierBreakdown = { t1a: 0, t1b: 0, t2: 0 };
   for (const item of _deferredQueue) {
-    if (item.tier === '1b') tierBreakdown.t1b++;
+    if (item.tier === '1a') tierBreakdown.t1a++;
+    else if (item.tier === '1b') tierBreakdown.t1b++;
     else if (item.tier === 2) tierBreakdown.t2++;
   }
   return {
@@ -189,7 +215,7 @@ async function processDeferredItem(stats) {
   const key = `${item.name}@${item.version}`;
   _deferredSeen.delete(key);
 
-  console.log(`[DEFERRED] PROCESSING: ${key} (tier=${item.tier === 2 ? 'T2' : 'T1b'}, score=${item.riskScore}, retries=${item.retries})`);
+  console.log(`[DEFERRED] PROCESSING: ${key} (tier=${_tierLabel(item.tier)}, score=${item.riskScore}, retries=${item.retries})`);
 
   // 4. Run sandbox on dedicated slot (bypasses shared semaphore)
   _deferredSlotBusy = true;
@@ -198,10 +224,13 @@ async function processDeferredItem(stats) {
   const deadline = setTimeout(() => ac.abort(), DEFERRED_SANDBOX_TIMEOUT_MS);
   try {
     const canary = isCanaryEnabled();
-    // maxRuns=1: deferred items are T1b/T2, time bomb detection (3 runs) is a luxury.
-    // 90s instead of 270s per item → 3× faster deferred queue drain.
+    // T1a keeps multi-run time-bomb detection (maxRuns=undefined) — that was its
+    // behavior on the old blocking in-worker path, preserved here for detection
+    // parity (Phase 3 only moves WHERE it runs, not how thoroughly). T1b/T2 stay
+    // single-run (maxRuns=1, ~90s vs ~270s) for fast deferred-queue drain.
+    const maxRuns = item.tier === '1a' ? undefined : 1;
     markSandboxed(item.name); // stamp for sandbox-revalidation cadence (matches the synchronous path)
-    sandboxResult = await runSandbox(item.name, { canary, skipSemaphore: true, maxRuns: 1, signal: ac.signal });
+    sandboxResult = await runSandbox(item.name, { canary, skipSemaphore: true, maxRuns, signal: ac.signal });
     console.log(`[DEFERRED] SANDBOX COMPLETE: ${key} -> score=${sandboxResult.score}, severity=${sandboxResult.severity}`);
   } catch (err) {
     console.error(`[DEFERRED] SANDBOX ERROR: ${key} — ${err.message}`);
@@ -212,7 +241,7 @@ async function processDeferredItem(stats) {
       // Re-enqueue for retry
       _deferredQueue.push(item);
       _deferredSeen.add(key);
-      _deferredQueue.sort((a, b) => b.riskScore - a.riskScore);
+      _deferredQueue.sort(_deferredCompare);
       console.log(`[DEFERRED] RE-ENQUEUED: ${key} for retry (attempt ${item.retries + 1}/${DEFERRED_MAX_RETRIES})`);
     }
     return null;
@@ -414,7 +443,7 @@ function restoreDeferredQueue() {
     }
 
     // Sort after bulk insert
-    _deferredQueue.sort((a, b) => b.riskScore - a.riskScore);
+    _deferredQueue.sort(_deferredCompare);
 
     if (restored > 0) {
       console.log(`[DEFERRED] Restored ${restored} items from disk (saved at ${data.savedAt})`);

package/src/monitor/queue.js

@@ -950,10 +950,23 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
             const maxRuns = tier === '1a' ? undefined : 1;
 
             if (tier === '1a') {
-              // T1a: mandatory sandbox — block-wait (high-confidence threats MUST get sandbox)
-              console.log(`[MONITOR] SANDBOX: launching for ${name}@${version}${canary ? ' (canary: on)' : ''}...`);
-              markSandboxed(name); // stamp before the await: an aborted/inconclusive run still spent the time
-              sandboxResult = await runSandbox(name, { canary, maxRuns, signal });
+              // Phase 3 (throughput decoupling): T1a no longer block-waits a scan
+              // worker. The high-confidence STATIC alert still fires synchronously
+              // below (trySendWebhook, with sandboxResult=null — same as the T1b/T2
+              // defer paths today); the sandbox runs ASYNC on the dedicated deferred
+              // slot at top priority (processed first, never evicted, keeps multi-run
+              // time-bomb detection) and sends a follow-up webhook if it confirms.
+              // Crash-safe: the deferred queue is persisted across restarts, unlike
+              // the old in-worker await which lost the sandbox on an OOM restart.
+              console.log(`[MONITOR] SANDBOX DEFER (T1a, async high-priority): ${name}@${version} (score=${riskScore})`);
+              enqueueDeferred({
+                name, version, ecosystem, tier, riskScore, tarballUrl,
+                enqueuedAt: Date.now(),
+                staticResult: result,
+                npmRegistryMeta,
+                retries: 0
+              });
+              stats.sandboxDeferred = (stats.sandboxDeferred || 0) + 1;
             } else if (tryAcquireSandboxSlot()) {
               // T1b/T2: non-blocking — slot acquired atomically, run with skipSemaphore
               const reason = tier === 2 ? ' (T2, queue low)' : ' (T1b, conditional)';
@@ -1148,8 +1161,13 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
                 // Safety: never suppress packages with high-confidence threats or positive sandbox
                 const hasHC = hasHighConfidenceThreat(result);
                 const hasSandboxEvidence = sandboxResult && sandboxResult.score > 0;
+                // Phase 3: T1a sandboxes are now deferred (async), so sandboxResult is
+                // null here — the sandbox evidence that previously guarded a T1a from
+                // LLM suppression hasn't run yet. Never let the LLM clear a T1a before
+                // its deferred sandbox confirms; T1a is the highest-confidence tier and
+                // MUST get sandbox verification (it can come via the follow-up webhook).
                 if (llmMode === 'active' && llmResult.verdict === 'benign' && llmResult.confidence > 0.85
-                    && !hasHC && !hasSandboxEvidence) {
+                    && !hasHC && !hasSandboxEvidence && tier !== '1a') {
                   console.log(`[LLM] SUPPRESS: ${name}@${version} cleared (benign, confidence=${llmResult.confidence})`);
                   stats.llmSuppressed = (stats.llmSuppressed || 0) + 1;
                   stats.scanned++;

package/src/pipeline/processor.js

@@ -3,6 +3,7 @@ const path = require('path');
 const { getRule, getRuleDomain } = require('../rules/index.js');
 const { getPlaybook } = require('../response/playbooks.js');
 const { computeReachableFiles, computeReachableFunctions } = require('../scanner/reachability.js');
+const { correlatePhantomGyp } = require('../scanner/phantom-gyp.js');
 const { applyFPReductions, applyCompoundBoosts, calculateRiskScore, getSeverityWeights, applyContextualFPCaps, applySingleFireCriticalFloor, applyReputationFactor, applyMatureStableCap, applySandboxVerdict, applyDeltaMultiplier } = require('../scoring.js');
 const { loadPriorVersionSignatures, computeSignatures, saveCachedSignatures } = require('../scoring/delta-multiplier.js');
 const { annotateConfidenceTiers } = require('../rules/confidence-tiers.js');
@@ -442,6 +443,13 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
   // that were individually downgraded (count-based, dist, reachability, delta).
   applyCompoundBoosts(deduped, targetPath);
 
+  // Phase 1b — Phantom-Gyp compound: a configure-time <!(node x.js) sink in binding.gyp
+  // × the invoked file's INDEPENDENT malice verdict (from the AST/dataflow/module-graph
+  // findings already in `deduped`) → CRITICAL gyp_phantom_exec. Runs here so it sees the
+  // full post-scan, post-FP-reduction verdict set. FP≈0 by construction (it only ever
+  // ADDS a finding when the invoked file is independently judged malicious).
+  correlatePhantomGyp(deduped, targetPath);
+
   // Intent coherence analysis: detect source→sink pairs within files
   // Pass targetPath for destination-aware SDK pattern detection
   const intentResult = buildIntentPairs(deduped, targetPath);

package/src/response/playbooks.js

@@ -1005,6 +1005,10 @@ const PLAYBOOKS = {
     'CRITIQUE: binding.gyp utilise la command-substitution GYP <!(...) / <!@(...) — execution de code a l\'installation via node-gyp, sans script lifecycle (pattern Phantom Gyp). ' +
     'Decoder la commande substituee. NE PAS installer : node-gyp l\'execute au build meme avec --ignore-scripts. Verifier la source officielle du package.',
 
+  gyp_phantom_exec:
+    'CRITIQUE (compound Phase 1b): binding.gyp lance <!(node x.js) / <!(python y.py) au configure-time via node-gyp (aucun script lifecycle requis) ET le fichier invoque est juge malveillant de facon independante par les scanners AST/dataflow/module-graph. ' +
+    'Payload install-time confirme — NE PAS installer. Analyser le fichier invoque (nomme dans le message), c\'est lui qui porte la charge. node-gyp l\'execute meme avec --ignore-scripts.',
+
   string_mutation_obfuscation:
     'HAUTE: Chaine de .replace() reconstruisant des noms d\'API dangereuses (leet-speak). ' +
     'Technique d\'evasion par substitution de caracteres. Decoder la chaine finale. Supprimer si malveillant.',

package/src/rules/index.js

@@ -796,6 +796,19 @@ const RULES = {
     ],
     mitre: 'T1082'
   },
+  gyp_phantom_exec: {
+    id: 'MUADDIB-COMPOUND-017',
+    name: 'Phantom Gyp Install-Time Payload',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'binding.gyp exécute <!(node x.js) / <!(python y.py) au configure-time via node-gyp (npm le lance à l\'install dès qu\'un binding.gyp est présent, sans script lifecycle) ET le fichier invoqué (x.js) est jugé malveillant de façon indépendante par les scanners AST/dataflow/module-graph (verdict CRITICAL ou HIGH_CONFIDENCE_MALICE non-LOW sur ce fichier exact). Compound Phase 1b qui ferme le gap du speed-bump gyp_command_exec (MUADDIB-PKG-023) : la forme dominante <!(node setup.js) nu, statiquement indistinguable d\'un build-helper bénin, n\'est flaggée QUE quand le script invoqué porte lui-même un verdict de malice → FPR≈0 par construction.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195/002/',
+      'https://attack.mitre.org/techniques/T1059/'
+    ],
+    mitre: 'T1195.002'
+  },
 
   // Package.json script patterns
   curl_pipe_sh: {

package/src/scanner/phantom-gyp.js

@@ -0,0 +1,155 @@
+/**
+ * Phantom-Gyp compound correlator (Phase 1b — the real fix).
+ *
+ * The line-by-line `gyp_command_exec` detector (src/scanner/package.js, MUADDIB-PKG-023)
+ * is an FP-first SPEED-BUMP: it flags a binding.gyp command-substitution `<!(...)` only
+ * when the command line itself carries a malice marker (curl, pipe-to-shell, inline
+ * network payload…). The dominant Phantom-Gyp shape — a bare `<!(node setup.js)` whose
+ * payload lives in setup.js — is statically INDISTINGUISHABLE from a legit build helper
+ * (`<!(node ./util/has_lib.js)`), so the speed-bump deliberately lets it pass to honor
+ * "FPR must never increase".
+ *
+ * This post-processor closes that gap WITHOUT any FP cost by compounding two signals:
+ *   (sink)    a `<!(node x.js)` / `<!(python y.py)` command-substitution in binding.gyp,
+ *             which node-gyp runs at *configure* time on install — no lifecycle script
+ *             needed; and
+ *   (verdict) the invoked file (x.js) being INDEPENDENTLY judged malicious by the proven
+ *             AST / dataflow / module-graph scanners (a CRITICAL finding, or a non-LOW
+ *             HIGH_CONFIDENCE_MALICE_TYPES finding) on that exact file.
+ * Only when BOTH hold do we emit `gyp_phantom_exec` (CRITICAL). The verdict comes from
+ * the existing scanners, so the false-positive rate is bounded by theirs → FP≈0 by
+ * construction. A benign build helper invoked the same way produces no malice verdict, so
+ * nothing fires and the package gains zero new findings.
+ *
+ * Runs as a post-processor (it needs the full, post-scan threats array) — it re-reads
+ * binding.gyp directly rather than threading a marker threat through FP reductions, so a
+ * benign package never carries any intermediate Phantom-Gyp signal.
+ */
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { HIGH_CONFIDENCE_MALICE_TYPES } = require('../monitor/classify.js');
+
+// Command-substitution capture: the required `!` gates command execution. Plain
+// `<(...)` / `<@(...)` (variable expansion, benign) is intentionally NOT matched —
+// flagging it would be a hard false positive. We capture only up to the FIRST closing
+// `)` so each command-sub body is isolated (unlike package.js's danger-marker scan, the
+// script-file extraction needs the exact command, not a 400-char window).
+const GYP_CMDSUB_RE = /<!@?\(([^)\n]{0,400})\)/g;
+// Interpreter at the start of the command body that runs a SCRIPT FILE argument.
+const SCRIPT_INTERP_RE = /^\s*(node|nodejs|python[0-9.]*|ruby|perl)\b(.*)$/i;
+// Recognized script-file extensions (kept tight — a bare token without one is not
+// assumed to be a script, to avoid matching subcommands like "rebuild").
+const SCRIPT_FILE_RE = /\.(?:js|cjs|mjs|py|rb|pl)$/i;
+// Inline-eval flags mean the payload is INLINE (no script file) — that case belongs to
+// the gyp_command_exec speed-bump, not here, so we skip the command-sub entirely.
+const INLINE_EVAL_FLAG_RE = /^--?(?:e|p|c|eval|print)$/i;
+
+/** Normalize a relative path for comparison: backslashes→/, strip leading ./ and /. */
+function _normRel(f) {
+  return String(f || '').replace(/\\/g, '/').replace(/^\.\//, '').replace(/^\/+/, '');
+}
+
+/**
+ * Extract the script files invoked by `<!(interpreter file …)` command-substitutions in
+ * a binding.gyp. Inline-eval forms (`node -e …`) and non-script interpreter queries
+ * (`node -p "require('node-addon-api').include"`) yield no file and are skipped.
+ *
+ * @param {string} gypContent - raw binding.gyp text
+ * @returns {Array<{interpreter:string, file:string}>}
+ */
+function extractGypInvokedScripts(gypContent) {
+  const out = [];
+  if (!gypContent || typeof gypContent !== 'string') return out;
+  GYP_CMDSUB_RE.lastIndex = 0;
+  let m;
+  while ((m = GYP_CMDSUB_RE.exec(gypContent)) !== null) {
+    const body = m[1];
+    const im = SCRIPT_INTERP_RE.exec(body);
+    if (!im) continue;
+    const interpreter = im[1].toLowerCase();
+    const tokens = (im[2] || '').trim().split(/\s+/).filter(Boolean);
+    let scriptFile = null;
+    for (const tok of tokens) {
+      if (tok.startsWith('-')) {
+        // An inline-eval flag means there is no script file in this command-sub.
+        if (INLINE_EVAL_FLAG_RE.test(tok)) { scriptFile = null; break; }
+        continue; // some other flag — keep scanning for the script argument
+      }
+      const clean = tok.replace(/^['"]+|['"]+$/g, '');
+      if (SCRIPT_FILE_RE.test(clean)) { scriptFile = clean; break; }
+    }
+    if (scriptFile) out.push({ interpreter, file: scriptFile });
+  }
+  return out;
+}
+
+/**
+ * True when a threat is a high-confidence malice verdict on its file: a CRITICAL of any
+ * type, or a non-LOW finding of a HIGH_CONFIDENCE_MALICE_TYPES type. This reuses the
+ * established "quasi-never legit" judgment rather than inventing a new bar.
+ */
+function _isMaliceVerdict(t) {
+  if (!t || !t.type) return false;
+  if (t.type === 'gyp_phantom_exec') return false; // never self-reference
+  if (t.severity === 'CRITICAL') return true;
+  if (t.severity !== 'LOW' && HIGH_CONFIDENCE_MALICE_TYPES.has(t.type)) return true;
+  return false;
+}
+
+/**
+ * Phantom-Gyp compound: for each `<!(node x.js)` in binding.gyp, if x.js is independently
+ * judged malicious in the same scan, push one CRITICAL `gyp_phantom_exec` threat. Mutates
+ * `threats` in place. Best-effort and side-effect-free on benign packages (no malice
+ * verdict on the invoked file ⇒ no push, no marker).
+ *
+ * @param {Array<object>} threats - the deduplicated, post-scan threats array
+ * @param {string} targetPath - scan target directory (where binding.gyp lives)
+ * @returns {object|null} the pushed compound threat, or null if nothing fired
+ */
+function correlatePhantomGyp(threats, targetPath) {
+  if (!Array.isArray(threats) || !targetPath) return null;
+  if (threats.some(t => t && t.type === 'gyp_phantom_exec')) return null; // idempotent
+
+  let gypContent;
+  try {
+    const gypPath = path.join(targetPath, 'binding.gyp');
+    if (!fs.existsSync(gypPath)) return null;
+    gypContent = fs.readFileSync(gypPath, 'utf8');
+  } catch { return null; }
+
+  const scripts = extractGypInvokedScripts(gypContent);
+  if (scripts.length === 0) return null;
+
+  for (const { interpreter, file } of scripts) {
+    const norm = _normRel(file);
+    const base = norm.split('/').pop();
+    const hasDir = norm.includes('/');
+    const malice = threats.find(t => {
+      if (!t || !t.file || !_isMaliceVerdict(t)) return false;
+      const tf = _normRel(t.file);
+      if (tf === norm) return true;
+      // A bare `<!(node loader.js)` ref (no directory) matches the invoked file by
+      // basename — binding.gyp refs resolve relative to the package root, the same
+      // base the scanners use for threat.file (path.relative(targetPath, …)).
+      if (!hasDir && tf.split('/').pop() === base) return true;
+      return false;
+    });
+    if (malice) {
+      const compound = {
+        type: 'gyp_phantom_exec',
+        severity: 'CRITICAL',
+        message: `binding.gyp runs <!(${interpreter} ${file}) at configure-time via node-gyp (no lifecycle script required) and ${file} is independently judged malicious (${malice.type}/${malice.severity}) — Phantom Gyp install-time payload (compound).`,
+        file: 'binding.gyp',
+        compound: true,
+        count: 1
+      };
+      threats.push(compound);
+      return compound; // one compound per package is enough
+    }
+  }
+  return null;
+}
+
+module.exports = { extractGypInvokedScripts, correlatePhantomGyp, _normRel, _isMaliceVerdict };

package/src/scoring.js

@@ -132,7 +132,9 @@ const PACKAGE_LEVEL_TYPES = new Set([
   // audit MR-C1: informational signal that the scan target is a monorepo root (per-workspace scoring TBD)
   'monorepo_detected',
   // Phantom Gyp: binding.gyp command-substitution is a package-level (manifest) finding
-  'gyp_command_exec'
+  'gyp_command_exec',
+  // Phantom Gyp compound (Phase 1b): configure-time <!(node x.js) × malicious invoked file
+  'gyp_phantom_exec'
 ]);
 
 // ============================================
@@ -160,7 +162,11 @@ const SINGLE_FIRE_CRITICAL_TYPES = new Set([
   'known_malicious_package',
   'pypi_malicious_package',
   'shai_hulud_marker',
-  'lifecycle_shell_pipe'
+  'lifecycle_shell_pipe',
+  // Phantom Gyp compound (Phase 1b): only fires when the invoked configure-time script
+  // is INDEPENDENTLY judged malicious, so it carries the same unambiguous-malware weight
+  // as the IOC/hash matches above — FP≈0 by construction justifies the single-fire floor.
+  'gyp_phantom_exec'
 ]);
 const SINGLE_FIRE_CRITICAL_FLOOR = 75;
 const SINGLE_FIRE_MIN_SEVERITY_RANK = 2; // HIGH