muaddib-scanner 2.11.69 → 2.11.70

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.69",
+  "version": "2.11.70",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.69.json → self-scan-v2.11.70.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-07T14:26:49.150Z",
+  "timestamp": "2026-06-07T15:33:14.219Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/classify.js

@@ -75,7 +75,9 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   'ide_hook_autoexec',                     // .claude/settings.json SessionStart hook, .vscode/tasks.json folderOpen (Shai-Hulud)
   'workflow_secrets_dump',                  // toJSON(secrets) in GitHub Actions workflow (Shai-Hulud)
   // Phantom Gyp 2026-06: binding.gyp command-substitution = install-time RCE, quasi-never legit in benign packages
-  'gyp_command_exec'
+  'gyp_command_exec',
+  // Phantom Gyp compound (Phase 1b): configure-time <!(node x.js) × independently-malicious invoked file
+  'gyp_phantom_exec'
 ]);
 
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/pipeline/processor.js

@@ -3,6 +3,7 @@ const path = require('path');
 const { getRule, getRuleDomain } = require('../rules/index.js');
 const { getPlaybook } = require('../response/playbooks.js');
 const { computeReachableFiles, computeReachableFunctions } = require('../scanner/reachability.js');
+const { correlatePhantomGyp } = require('../scanner/phantom-gyp.js');
 const { applyFPReductions, applyCompoundBoosts, calculateRiskScore, getSeverityWeights, applyContextualFPCaps, applySingleFireCriticalFloor, applyReputationFactor, applyMatureStableCap, applySandboxVerdict, applyDeltaMultiplier } = require('../scoring.js');
 const { loadPriorVersionSignatures, computeSignatures, saveCachedSignatures } = require('../scoring/delta-multiplier.js');
 const { annotateConfidenceTiers } = require('../rules/confidence-tiers.js');
@@ -442,6 +443,13 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
   // that were individually downgraded (count-based, dist, reachability, delta).
   applyCompoundBoosts(deduped, targetPath);
 
+  // Phase 1b — Phantom-Gyp compound: a configure-time <!(node x.js) sink in binding.gyp
+  // × the invoked file's INDEPENDENT malice verdict (from the AST/dataflow/module-graph
+  // findings already in `deduped`) → CRITICAL gyp_phantom_exec. Runs here so it sees the
+  // full post-scan, post-FP-reduction verdict set. FP≈0 by construction (it only ever
+  // ADDS a finding when the invoked file is independently judged malicious).
+  correlatePhantomGyp(deduped, targetPath);
+
   // Intent coherence analysis: detect source→sink pairs within files
   // Pass targetPath for destination-aware SDK pattern detection
   const intentResult = buildIntentPairs(deduped, targetPath);

package/src/response/playbooks.js

@@ -1005,6 +1005,10 @@ const PLAYBOOKS = {
     'CRITIQUE: binding.gyp utilise la command-substitution GYP <!(...) / <!@(...) — execution de code a l\'installation via node-gyp, sans script lifecycle (pattern Phantom Gyp). ' +
     'Decoder la commande substituee. NE PAS installer : node-gyp l\'execute au build meme avec --ignore-scripts. Verifier la source officielle du package.',
 
+  gyp_phantom_exec:
+    'CRITIQUE (compound Phase 1b): binding.gyp lance <!(node x.js) / <!(python y.py) au configure-time via node-gyp (aucun script lifecycle requis) ET le fichier invoque est juge malveillant de facon independante par les scanners AST/dataflow/module-graph. ' +
+    'Payload install-time confirme — NE PAS installer. Analyser le fichier invoque (nomme dans le message), c\'est lui qui porte la charge. node-gyp l\'execute meme avec --ignore-scripts.',
+
   string_mutation_obfuscation:
     'HAUTE: Chaine de .replace() reconstruisant des noms d\'API dangereuses (leet-speak). ' +
     'Technique d\'evasion par substitution de caracteres. Decoder la chaine finale. Supprimer si malveillant.',

package/src/rules/index.js

@@ -796,6 +796,19 @@ const RULES = {
     ],
     mitre: 'T1082'
   },
+  gyp_phantom_exec: {
+    id: 'MUADDIB-COMPOUND-017',
+    name: 'Phantom Gyp Install-Time Payload',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'binding.gyp exécute <!(node x.js) / <!(python y.py) au configure-time via node-gyp (npm le lance à l\'install dès qu\'un binding.gyp est présent, sans script lifecycle) ET le fichier invoqué (x.js) est jugé malveillant de façon indépendante par les scanners AST/dataflow/module-graph (verdict CRITICAL ou HIGH_CONFIDENCE_MALICE non-LOW sur ce fichier exact). Compound Phase 1b qui ferme le gap du speed-bump gyp_command_exec (MUADDIB-PKG-023) : la forme dominante <!(node setup.js) nu, statiquement indistinguable d\'un build-helper bénin, n\'est flaggée QUE quand le script invoqué porte lui-même un verdict de malice → FPR≈0 par construction.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195/002/',
+      'https://attack.mitre.org/techniques/T1059/'
+    ],
+    mitre: 'T1195.002'
+  },
 
   // Package.json script patterns
   curl_pipe_sh: {

package/src/scanner/phantom-gyp.js

@@ -0,0 +1,155 @@
+/**
+ * Phantom-Gyp compound correlator (Phase 1b — the real fix).
+ *
+ * The line-by-line `gyp_command_exec` detector (src/scanner/package.js, MUADDIB-PKG-023)
+ * is an FP-first SPEED-BUMP: it flags a binding.gyp command-substitution `<!(...)` only
+ * when the command line itself carries a malice marker (curl, pipe-to-shell, inline
+ * network payload…). The dominant Phantom-Gyp shape — a bare `<!(node setup.js)` whose
+ * payload lives in setup.js — is statically INDISTINGUISHABLE from a legit build helper
+ * (`<!(node ./util/has_lib.js)`), so the speed-bump deliberately lets it pass to honor
+ * "FPR must never increase".
+ *
+ * This post-processor closes that gap WITHOUT any FP cost by compounding two signals:
+ *   (sink)    a `<!(node x.js)` / `<!(python y.py)` command-substitution in binding.gyp,
+ *             which node-gyp runs at *configure* time on install — no lifecycle script
+ *             needed; and
+ *   (verdict) the invoked file (x.js) being INDEPENDENTLY judged malicious by the proven
+ *             AST / dataflow / module-graph scanners (a CRITICAL finding, or a non-LOW
+ *             HIGH_CONFIDENCE_MALICE_TYPES finding) on that exact file.
+ * Only when BOTH hold do we emit `gyp_phantom_exec` (CRITICAL). The verdict comes from
+ * the existing scanners, so the false-positive rate is bounded by theirs → FP≈0 by
+ * construction. A benign build helper invoked the same way produces no malice verdict, so
+ * nothing fires and the package gains zero new findings.
+ *
+ * Runs as a post-processor (it needs the full, post-scan threats array) — it re-reads
+ * binding.gyp directly rather than threading a marker threat through FP reductions, so a
+ * benign package never carries any intermediate Phantom-Gyp signal.
+ */
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { HIGH_CONFIDENCE_MALICE_TYPES } = require('../monitor/classify.js');
+
+// Command-substitution capture: the required `!` gates command execution. Plain
+// `<(...)` / `<@(...)` (variable expansion, benign) is intentionally NOT matched —
+// flagging it would be a hard false positive. We capture only up to the FIRST closing
+// `)` so each command-sub body is isolated (unlike package.js's danger-marker scan, the
+// script-file extraction needs the exact command, not a 400-char window).
+const GYP_CMDSUB_RE = /<!@?\(([^)\n]{0,400})\)/g;
+// Interpreter at the start of the command body that runs a SCRIPT FILE argument.
+const SCRIPT_INTERP_RE = /^\s*(node|nodejs|python[0-9.]*|ruby|perl)\b(.*)$/i;
+// Recognized script-file extensions (kept tight — a bare token without one is not
+// assumed to be a script, to avoid matching subcommands like "rebuild").
+const SCRIPT_FILE_RE = /\.(?:js|cjs|mjs|py|rb|pl)$/i;
+// Inline-eval flags mean the payload is INLINE (no script file) — that case belongs to
+// the gyp_command_exec speed-bump, not here, so we skip the command-sub entirely.
+const INLINE_EVAL_FLAG_RE = /^--?(?:e|p|c|eval|print)$/i;
+
+/** Normalize a relative path for comparison: backslashes→/, strip leading ./ and /. */
+function _normRel(f) {
+  return String(f || '').replace(/\\/g, '/').replace(/^\.\//, '').replace(/^\/+/, '');
+}
+
+/**
+ * Extract the script files invoked by `<!(interpreter file …)` command-substitutions in
+ * a binding.gyp. Inline-eval forms (`node -e …`) and non-script interpreter queries
+ * (`node -p "require('node-addon-api').include"`) yield no file and are skipped.
+ *
+ * @param {string} gypContent - raw binding.gyp text
+ * @returns {Array<{interpreter:string, file:string}>}
+ */
+function extractGypInvokedScripts(gypContent) {
+  const out = [];
+  if (!gypContent || typeof gypContent !== 'string') return out;
+  GYP_CMDSUB_RE.lastIndex = 0;
+  let m;
+  while ((m = GYP_CMDSUB_RE.exec(gypContent)) !== null) {
+    const body = m[1];
+    const im = SCRIPT_INTERP_RE.exec(body);
+    if (!im) continue;
+    const interpreter = im[1].toLowerCase();
+    const tokens = (im[2] || '').trim().split(/\s+/).filter(Boolean);
+    let scriptFile = null;
+    for (const tok of tokens) {
+      if (tok.startsWith('-')) {
+        // An inline-eval flag means there is no script file in this command-sub.
+        if (INLINE_EVAL_FLAG_RE.test(tok)) { scriptFile = null; break; }
+        continue; // some other flag — keep scanning for the script argument
+      }
+      const clean = tok.replace(/^['"]+|['"]+$/g, '');
+      if (SCRIPT_FILE_RE.test(clean)) { scriptFile = clean; break; }
+    }
+    if (scriptFile) out.push({ interpreter, file: scriptFile });
+  }
+  return out;
+}
+
+/**
+ * True when a threat is a high-confidence malice verdict on its file: a CRITICAL of any
+ * type, or a non-LOW finding of a HIGH_CONFIDENCE_MALICE_TYPES type. This reuses the
+ * established "quasi-never legit" judgment rather than inventing a new bar.
+ */
+function _isMaliceVerdict(t) {
+  if (!t || !t.type) return false;
+  if (t.type === 'gyp_phantom_exec') return false; // never self-reference
+  if (t.severity === 'CRITICAL') return true;
+  if (t.severity !== 'LOW' && HIGH_CONFIDENCE_MALICE_TYPES.has(t.type)) return true;
+  return false;
+}
+
+/**
+ * Phantom-Gyp compound: for each `<!(node x.js)` in binding.gyp, if x.js is independently
+ * judged malicious in the same scan, push one CRITICAL `gyp_phantom_exec` threat. Mutates
+ * `threats` in place. Best-effort and side-effect-free on benign packages (no malice
+ * verdict on the invoked file ⇒ no push, no marker).
+ *
+ * @param {Array<object>} threats - the deduplicated, post-scan threats array
+ * @param {string} targetPath - scan target directory (where binding.gyp lives)
+ * @returns {object|null} the pushed compound threat, or null if nothing fired
+ */
+function correlatePhantomGyp(threats, targetPath) {
+  if (!Array.isArray(threats) || !targetPath) return null;
+  if (threats.some(t => t && t.type === 'gyp_phantom_exec')) return null; // idempotent
+
+  let gypContent;
+  try {
+    const gypPath = path.join(targetPath, 'binding.gyp');
+    if (!fs.existsSync(gypPath)) return null;
+    gypContent = fs.readFileSync(gypPath, 'utf8');
+  } catch { return null; }
+
+  const scripts = extractGypInvokedScripts(gypContent);
+  if (scripts.length === 0) return null;
+
+  for (const { interpreter, file } of scripts) {
+    const norm = _normRel(file);
+    const base = norm.split('/').pop();
+    const hasDir = norm.includes('/');
+    const malice = threats.find(t => {
+      if (!t || !t.file || !_isMaliceVerdict(t)) return false;
+      const tf = _normRel(t.file);
+      if (tf === norm) return true;
+      // A bare `<!(node loader.js)` ref (no directory) matches the invoked file by
+      // basename — binding.gyp refs resolve relative to the package root, the same
+      // base the scanners use for threat.file (path.relative(targetPath, …)).
+      if (!hasDir && tf.split('/').pop() === base) return true;
+      return false;
+    });
+    if (malice) {
+      const compound = {
+        type: 'gyp_phantom_exec',
+        severity: 'CRITICAL',
+        message: `binding.gyp runs <!(${interpreter} ${file}) at configure-time via node-gyp (no lifecycle script required) and ${file} is independently judged malicious (${malice.type}/${malice.severity}) — Phantom Gyp install-time payload (compound).`,
+        file: 'binding.gyp',
+        compound: true,
+        count: 1
+      };
+      threats.push(compound);
+      return compound; // one compound per package is enough
+    }
+  }
+  return null;
+}
+
+module.exports = { extractGypInvokedScripts, correlatePhantomGyp, _normRel, _isMaliceVerdict };

package/src/scoring.js

@@ -132,7 +132,9 @@ const PACKAGE_LEVEL_TYPES = new Set([
   // audit MR-C1: informational signal that the scan target is a monorepo root (per-workspace scoring TBD)
   'monorepo_detected',
   // Phantom Gyp: binding.gyp command-substitution is a package-level (manifest) finding
-  'gyp_command_exec'
+  'gyp_command_exec',
+  // Phantom Gyp compound (Phase 1b): configure-time <!(node x.js) × malicious invoked file
+  'gyp_phantom_exec'
 ]);
 
 // ============================================
@@ -160,7 +162,11 @@ const SINGLE_FIRE_CRITICAL_TYPES = new Set([
   'known_malicious_package',
   'pypi_malicious_package',
   'shai_hulud_marker',
-  'lifecycle_shell_pipe'
+  'lifecycle_shell_pipe',
+  // Phantom Gyp compound (Phase 1b): only fires when the invoked configure-time script
+  // is INDEPENDENTLY judged malicious, so it carries the same unambiguous-malware weight
+  // as the IOC/hash matches above — FP≈0 by construction justifies the single-fire floor.
+  'gyp_phantom_exec'
 ]);
 const SINGLE_FIRE_CRITICAL_FLOOR = 75;
 const SINGLE_FIRE_MIN_SEVERITY_RANK = 2; // HIGH