muaddib-scanner 2.11.69 → 2.11.71

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.69",
+  "version": "2.11.71",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.69.json → self-scan-v2.11.71.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-07T14:26:49.150Z",
+  "timestamp": "2026-06-07T16:09:51.503Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/ioc/feed-health.js

@@ -0,0 +1,178 @@
+/**
+ * IOC feed-health alarm (Phase 2c, part 1).
+ *
+ * The audit that started the coverage plan traced the 24.5% operational-coverage
+ * collapse to a SILENT ops failure: the OSM feed went dark (returned 0) for weeks, so
+ * the IOC store went stale and nothing alarmed. This module closes that blind spot.
+ *
+ * After every IOC refresh, `checkFeedHealth` compares each feed's returned count against
+ * a persisted per-feed baseline. When a feed that has previously shown a healthy count
+ * suddenly returns 0, it raises a ONE-SHOT alarm (console + webhook) on the healthy→dark
+ * transition — not every cycle — and a recovery notice on dark→alive. Best-effort: a
+ * feed-health failure must NEVER break the IOC refresh.
+ *
+ * The decision core (`evaluateFeedHealth`) is a pure function (counts + prev state →
+ * alarms/recoveries/next state) so it is fully unit-testable without I/O or network.
+ */
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const FEED_HEALTH_FILE = process.env.MUADDIB_FEED_HEALTH_FILE ||
+  path.join(__dirname, '..', '..', 'data', 'feed-health.json');
+
+// A feed must have shown at least this many IOCs at least once before a later zero counts
+// as "went dark". Below this a feed is too small/volatile to alarm on (FP guard). Real
+// feeds (GenSecAI/DataDog/OSV/OSM) return hundreds–thousands, so 5 is a safe floor.
+const MIN_HEALTHY_BASELINE = (() => {
+  const n = parseInt(process.env.MUADDIB_FEED_HEALTH_MIN, 10);
+  return Number.isFinite(n) && n > 0 ? n : 5;
+})();
+
+function loadFeedHealth(file = FEED_HEALTH_FILE) {
+  try {
+    const data = JSON.parse(fs.readFileSync(file, 'utf8'));
+    return (data && typeof data === 'object' && data.feeds && typeof data.feeds === 'object') ? data.feeds : {};
+  } catch {
+    return {};
+  }
+}
+
+function saveFeedHealth(state, file = FEED_HEALTH_FILE) {
+  try {
+    const dir = path.dirname(file);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    const tmp = file + '.tmp';
+    fs.writeFileSync(tmp, JSON.stringify({ updatedAt: new Date().toISOString(), feeds: state }, null, 2));
+    fs.renameSync(tmp, file);
+  } catch (err) {
+    // Best-effort: a read-only / full disk must not break the refresh.
+    if (err && ['EROFS', 'EACCES', 'EPERM', 'ENOSPC'].includes(err.code)) return;
+    console.warn('[FEED-HEALTH] Failed to persist state: ' + err.message);
+  }
+}
+
+/**
+ * PURE decision core. Given current per-feed counts and the previous state, compute:
+ *   - alarms: feeds with a healthy baseline that returned 0 this cycle (healthy→dark edge)
+ *   - recoveries: dark feeds that returned data again (dark→alive edge)
+ *   - nextState: updated per-feed { lastHealthy, lastHealthyAt, dark }
+ * Feeds present in prevState but absent from `counts` keep their baseline (carry-forward).
+ *
+ * @param {Object<string,number>} counts
+ * @param {Object<string,{lastHealthy:number,lastHealthyAt:?string,dark:boolean}>} prevState
+ * @param {string} nowIso
+ */
+function evaluateFeedHealth(counts, prevState, nowIso) {
+  const alarms = [];
+  const recoveries = [];
+  const nextState = {};
+
+  for (const feed of Object.keys(counts || {})) {
+    const cur = Number(counts[feed]) || 0;
+    const prev = (prevState && prevState[feed]) || { lastHealthy: 0, lastHealthyAt: null, dark: false };
+    const entry = { lastHealthy: prev.lastHealthy || 0, lastHealthyAt: prev.lastHealthyAt || null, dark: !!prev.dark };
+
+    if (cur >= MIN_HEALTHY_BASELINE) {
+      entry.lastHealthy = cur;
+      entry.lastHealthyAt = nowIso;
+    }
+
+    if (cur === 0) {
+      if ((prev.lastHealthy || 0) >= MIN_HEALTHY_BASELINE && !prev.dark) {
+        alarms.push({ feed, lastHealthy: prev.lastHealthy, lastHealthyAt: prev.lastHealthyAt || null });
+      }
+      entry.dark = true;
+    } else {
+      if (prev.dark) recoveries.push({ feed, count: cur });
+      entry.dark = false;
+    }
+    nextState[feed] = entry;
+  }
+
+  // Carry forward feeds not reported this cycle so their baseline is not lost.
+  for (const feed of Object.keys(prevState || {})) {
+    if (!(feed in nextState)) nextState[feed] = prevState[feed];
+  }
+
+  return { alarms, recoveries, nextState };
+}
+
+function buildFeedHealthAlarmEmbed(alarms, recoveries) {
+  const fields = [];
+  for (const a of alarms) {
+    fields.push({
+      name: `🔴 ${a.feed} returned 0`,
+      value: `Last healthy: ${a.lastHealthy} IOC(s)${a.lastHealthyAt ? ` (${a.lastHealthyAt})` : ''}. ` +
+        'Feed likely down / token expired / endpoint moved — IOC store is going stale. Investigate now.',
+      inline: false
+    });
+  }
+  for (const r of (recoveries || [])) {
+    fields.push({ name: `🟢 ${r.feed} recovered`, value: `Now returning ${r.count} IOC(s).`, inline: false });
+  }
+  return {
+    embeds: [{
+      title: '⚠️ MUAD\'DIB IOC Feed Health',
+      color: alarms.length ? 0xe74c3c : 0x2ecc71,
+      fields,
+      footer: { text: 'MUAD\'DIB IOC feed-health monitor' },
+      timestamp: new Date().toISOString()
+    }]
+  };
+}
+
+async function _defaultDispatch(payload) {
+  const url = process.env.MUADDIB_WEBHOOK_URL;
+  if (!url) return; // no webhook configured — the console alarm already fired
+  try {
+    const { sendWebhook } = require('../webhook.js');
+    await sendWebhook(url, payload, { rawPayload: true });
+  } catch (err) {
+    console.warn('[FEED-HEALTH] webhook dispatch failed: ' + err.message);
+  }
+}
+
+/**
+ * Load → evaluate → persist → dispatch. Best-effort: NEVER throws (a feed-health failure
+ * must not break the IOC refresh). Returns { alarms, recoveries }.
+ *
+ * @param {Object<string,number>} counts - per-feed IOC counts from this refresh
+ * @param {Object} [opts]
+ * @param {function(object):Promise} [opts.dispatch] - injectable webhook sender (tests)
+ * @param {string} [opts.file] - state file override (tests)
+ */
+async function checkFeedHealth(counts, opts = {}) {
+  try {
+    const file = opts.file || FEED_HEALTH_FILE;
+    const prev = loadFeedHealth(file);
+    const { alarms, recoveries, nextState } = evaluateFeedHealth(counts, prev, new Date().toISOString());
+    saveFeedHealth(nextState, file);
+
+    for (const a of alarms) {
+      console.warn(`[FEED-HEALTH] ALARM: feed "${a.feed}" returned 0 (last healthy ${a.lastHealthy}). Stale IOCs degrade coverage — check the source.`);
+    }
+    for (const r of recoveries) {
+      console.log(`[FEED-HEALTH] RECOVERED: feed "${r.feed}" now returns ${r.count}.`);
+    }
+    if (alarms.length || recoveries.length) {
+      const dispatch = opts.dispatch || _defaultDispatch;
+      await dispatch(buildFeedHealthAlarmEmbed(alarms, recoveries));
+    }
+    return { alarms, recoveries };
+  } catch (err) {
+    console.warn('[FEED-HEALTH] check failed (non-fatal): ' + err.message);
+    return { alarms: [], recoveries: [] };
+  }
+}
+
+module.exports = {
+  evaluateFeedHealth,
+  checkFeedHealth,
+  loadFeedHealth,
+  saveFeedHealth,
+  buildFeedHealthAlarmEmbed,
+  FEED_HEALTH_FILE,
+  MIN_HEALTHY_BASELINE
+};

package/src/ioc/updater.js

@@ -62,6 +62,28 @@ async function updateIOCs() {
   mergeIOCs(baseIOCs, githubIOCs);
   console.log('     +' + shaiHulud.packages.length + ' GenSecAI, +' + datadog.packages.length + ' DataDog, +' + osvApi.length + ' OSV API, +' + osmResult.packages.length + ' OSM npm, +' + (osmResult.pypi_packages || []).length + ' OSM PyPI');
 
+  // Phase 2c (feed health): a feed that previously returned data but now returns 0 is the
+  // silent failure mode that froze the OSM feed and collapsed coverage. Raise a one-shot
+  // alarm on the healthy→dark transition. Best-effort — never throws, never blocks the refresh.
+  // Only feeds that were actually ATTEMPTED are health-checked: OSM is token-gated, so without
+  // OSM_API_TOKEN it is SKIPPED (not down) — counting it would raise a false "OSM went dark"
+  // alarm in any no-token context (e.g. an ad-hoc `muaddib update`) against the monitor-seeded
+  // baseline. OSV-API is public and volatile; its small counts rarely cross MIN_HEALTHY_BASELINE,
+  // so the engine naturally never establishes an alarm-able baseline for it.
+  try {
+    const feedCounts = {
+      'GenSecAI': shaiHulud.packages.length,
+      'DataDog': datadog.packages.length,
+      'OSV-API': osvApi.length
+    };
+    if (process.env.OSM_API_TOKEN) {
+      feedCounts['OSM'] = osmResult.packages.length + (osmResult.pypi_packages || []).length;
+    }
+    await require('./feed-health.js').checkFeedHealth(feedCounts);
+  } catch (e) {
+    console.warn('[FEED-HEALTH] skipped: ' + e.message);
+  }
+
   // Step 3b: Load existing cache IOCs (from bootstrap download or previous update)
   if (fs.existsSync(CACHE_IOC_FILE)) {
     try {

package/src/monitor/classify.js

@@ -75,7 +75,9 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   'ide_hook_autoexec',                     // .claude/settings.json SessionStart hook, .vscode/tasks.json folderOpen (Shai-Hulud)
   'workflow_secrets_dump',                  // toJSON(secrets) in GitHub Actions workflow (Shai-Hulud)
   // Phantom Gyp 2026-06: binding.gyp command-substitution = install-time RCE, quasi-never legit in benign packages
-  'gyp_command_exec'
+  'gyp_command_exec',
+  // Phantom Gyp compound (Phase 1b): configure-time <!(node x.js) × independently-malicious invoked file
+  'gyp_phantom_exec'
 ]);
 
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/pipeline/processor.js

@@ -3,6 +3,7 @@ const path = require('path');
 const { getRule, getRuleDomain } = require('../rules/index.js');
 const { getPlaybook } = require('../response/playbooks.js');
 const { computeReachableFiles, computeReachableFunctions } = require('../scanner/reachability.js');
+const { correlatePhantomGyp } = require('../scanner/phantom-gyp.js');
 const { applyFPReductions, applyCompoundBoosts, calculateRiskScore, getSeverityWeights, applyContextualFPCaps, applySingleFireCriticalFloor, applyReputationFactor, applyMatureStableCap, applySandboxVerdict, applyDeltaMultiplier } = require('../scoring.js');
 const { loadPriorVersionSignatures, computeSignatures, saveCachedSignatures } = require('../scoring/delta-multiplier.js');
 const { annotateConfidenceTiers } = require('../rules/confidence-tiers.js');
@@ -442,6 +443,13 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
   // that were individually downgraded (count-based, dist, reachability, delta).
   applyCompoundBoosts(deduped, targetPath);
 
+  // Phase 1b — Phantom-Gyp compound: a configure-time <!(node x.js) sink in binding.gyp
+  // × the invoked file's INDEPENDENT malice verdict (from the AST/dataflow/module-graph
+  // findings already in `deduped`) → CRITICAL gyp_phantom_exec. Runs here so it sees the
+  // full post-scan, post-FP-reduction verdict set. FP≈0 by construction (it only ever
+  // ADDS a finding when the invoked file is independently judged malicious).
+  correlatePhantomGyp(deduped, targetPath);
+
   // Intent coherence analysis: detect source→sink pairs within files
   // Pass targetPath for destination-aware SDK pattern detection
   const intentResult = buildIntentPairs(deduped, targetPath);

package/src/response/playbooks.js

@@ -1005,6 +1005,10 @@ const PLAYBOOKS = {
     'CRITIQUE: binding.gyp utilise la command-substitution GYP <!(...) / <!@(...) — execution de code a l\'installation via node-gyp, sans script lifecycle (pattern Phantom Gyp). ' +
     'Decoder la commande substituee. NE PAS installer : node-gyp l\'execute au build meme avec --ignore-scripts. Verifier la source officielle du package.',
 
+  gyp_phantom_exec:
+    'CRITIQUE (compound Phase 1b): binding.gyp lance <!(node x.js) / <!(python y.py) au configure-time via node-gyp (aucun script lifecycle requis) ET le fichier invoque est juge malveillant de facon independante par les scanners AST/dataflow/module-graph. ' +
+    'Payload install-time confirme — NE PAS installer. Analyser le fichier invoque (nomme dans le message), c\'est lui qui porte la charge. node-gyp l\'execute meme avec --ignore-scripts.',
+
   string_mutation_obfuscation:
     'HAUTE: Chaine de .replace() reconstruisant des noms d\'API dangereuses (leet-speak). ' +
     'Technique d\'evasion par substitution de caracteres. Decoder la chaine finale. Supprimer si malveillant.',

package/src/rules/index.js

@@ -796,6 +796,19 @@ const RULES = {
     ],
     mitre: 'T1082'
   },
+  gyp_phantom_exec: {
+    id: 'MUADDIB-COMPOUND-017',
+    name: 'Phantom Gyp Install-Time Payload',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'binding.gyp exécute <!(node x.js) / <!(python y.py) au configure-time via node-gyp (npm le lance à l\'install dès qu\'un binding.gyp est présent, sans script lifecycle) ET le fichier invoqué (x.js) est jugé malveillant de façon indépendante par les scanners AST/dataflow/module-graph (verdict CRITICAL ou HIGH_CONFIDENCE_MALICE non-LOW sur ce fichier exact). Compound Phase 1b qui ferme le gap du speed-bump gyp_command_exec (MUADDIB-PKG-023) : la forme dominante <!(node setup.js) nu, statiquement indistinguable d\'un build-helper bénin, n\'est flaggée QUE quand le script invoqué porte lui-même un verdict de malice → FPR≈0 par construction.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195/002/',
+      'https://attack.mitre.org/techniques/T1059/'
+    ],
+    mitre: 'T1195.002'
+  },
 
   // Package.json script patterns
   curl_pipe_sh: {

package/src/scanner/phantom-gyp.js

@@ -0,0 +1,155 @@
+/**
+ * Phantom-Gyp compound correlator (Phase 1b — the real fix).
+ *
+ * The line-by-line `gyp_command_exec` detector (src/scanner/package.js, MUADDIB-PKG-023)
+ * is an FP-first SPEED-BUMP: it flags a binding.gyp command-substitution `<!(...)` only
+ * when the command line itself carries a malice marker (curl, pipe-to-shell, inline
+ * network payload…). The dominant Phantom-Gyp shape — a bare `<!(node setup.js)` whose
+ * payload lives in setup.js — is statically INDISTINGUISHABLE from a legit build helper
+ * (`<!(node ./util/has_lib.js)`), so the speed-bump deliberately lets it pass to honor
+ * "FPR must never increase".
+ *
+ * This post-processor closes that gap WITHOUT any FP cost by compounding two signals:
+ *   (sink)    a `<!(node x.js)` / `<!(python y.py)` command-substitution in binding.gyp,
+ *             which node-gyp runs at *configure* time on install — no lifecycle script
+ *             needed; and
+ *   (verdict) the invoked file (x.js) being INDEPENDENTLY judged malicious by the proven
+ *             AST / dataflow / module-graph scanners (a CRITICAL finding, or a non-LOW
+ *             HIGH_CONFIDENCE_MALICE_TYPES finding) on that exact file.
+ * Only when BOTH hold do we emit `gyp_phantom_exec` (CRITICAL). The verdict comes from
+ * the existing scanners, so the false-positive rate is bounded by theirs → FP≈0 by
+ * construction. A benign build helper invoked the same way produces no malice verdict, so
+ * nothing fires and the package gains zero new findings.
+ *
+ * Runs as a post-processor (it needs the full, post-scan threats array) — it re-reads
+ * binding.gyp directly rather than threading a marker threat through FP reductions, so a
+ * benign package never carries any intermediate Phantom-Gyp signal.
+ */
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { HIGH_CONFIDENCE_MALICE_TYPES } = require('../monitor/classify.js');
+
+// Command-substitution capture: the required `!` gates command execution. Plain
+// `<(...)` / `<@(...)` (variable expansion, benign) is intentionally NOT matched —
+// flagging it would be a hard false positive. We capture only up to the FIRST closing
+// `)` so each command-sub body is isolated (unlike package.js's danger-marker scan, the
+// script-file extraction needs the exact command, not a 400-char window).
+const GYP_CMDSUB_RE = /<!@?\(([^)\n]{0,400})\)/g;
+// Interpreter at the start of the command body that runs a SCRIPT FILE argument.
+const SCRIPT_INTERP_RE = /^\s*(node|nodejs|python[0-9.]*|ruby|perl)\b(.*)$/i;
+// Recognized script-file extensions (kept tight — a bare token without one is not
+// assumed to be a script, to avoid matching subcommands like "rebuild").
+const SCRIPT_FILE_RE = /\.(?:js|cjs|mjs|py|rb|pl)$/i;
+// Inline-eval flags mean the payload is INLINE (no script file) — that case belongs to
+// the gyp_command_exec speed-bump, not here, so we skip the command-sub entirely.
+const INLINE_EVAL_FLAG_RE = /^--?(?:e|p|c|eval|print)$/i;
+
+/** Normalize a relative path for comparison: backslashes→/, strip leading ./ and /. */
+function _normRel(f) {
+  return String(f || '').replace(/\\/g, '/').replace(/^\.\//, '').replace(/^\/+/, '');
+}
+
+/**
+ * Extract the script files invoked by `<!(interpreter file …)` command-substitutions in
+ * a binding.gyp. Inline-eval forms (`node -e …`) and non-script interpreter queries
+ * (`node -p "require('node-addon-api').include"`) yield no file and are skipped.
+ *
+ * @param {string} gypContent - raw binding.gyp text
+ * @returns {Array<{interpreter:string, file:string}>}
+ */
+function extractGypInvokedScripts(gypContent) {
+  const out = [];
+  if (!gypContent || typeof gypContent !== 'string') return out;
+  GYP_CMDSUB_RE.lastIndex = 0;
+  let m;
+  while ((m = GYP_CMDSUB_RE.exec(gypContent)) !== null) {
+    const body = m[1];
+    const im = SCRIPT_INTERP_RE.exec(body);
+    if (!im) continue;
+    const interpreter = im[1].toLowerCase();
+    const tokens = (im[2] || '').trim().split(/\s+/).filter(Boolean);
+    let scriptFile = null;
+    for (const tok of tokens) {
+      if (tok.startsWith('-')) {
+        // An inline-eval flag means there is no script file in this command-sub.
+        if (INLINE_EVAL_FLAG_RE.test(tok)) { scriptFile = null; break; }
+        continue; // some other flag — keep scanning for the script argument
+      }
+      const clean = tok.replace(/^['"]+|['"]+$/g, '');
+      if (SCRIPT_FILE_RE.test(clean)) { scriptFile = clean; break; }
+    }
+    if (scriptFile) out.push({ interpreter, file: scriptFile });
+  }
+  return out;
+}
+
+/**
+ * True when a threat is a high-confidence malice verdict on its file: a CRITICAL of any
+ * type, or a non-LOW finding of a HIGH_CONFIDENCE_MALICE_TYPES type. This reuses the
+ * established "quasi-never legit" judgment rather than inventing a new bar.
+ */
+function _isMaliceVerdict(t) {
+  if (!t || !t.type) return false;
+  if (t.type === 'gyp_phantom_exec') return false; // never self-reference
+  if (t.severity === 'CRITICAL') return true;
+  if (t.severity !== 'LOW' && HIGH_CONFIDENCE_MALICE_TYPES.has(t.type)) return true;
+  return false;
+}
+
+/**
+ * Phantom-Gyp compound: for each `<!(node x.js)` in binding.gyp, if x.js is independently
+ * judged malicious in the same scan, push one CRITICAL `gyp_phantom_exec` threat. Mutates
+ * `threats` in place. Best-effort and side-effect-free on benign packages (no malice
+ * verdict on the invoked file ⇒ no push, no marker).
+ *
+ * @param {Array<object>} threats - the deduplicated, post-scan threats array
+ * @param {string} targetPath - scan target directory (where binding.gyp lives)
+ * @returns {object|null} the pushed compound threat, or null if nothing fired
+ */
+function correlatePhantomGyp(threats, targetPath) {
+  if (!Array.isArray(threats) || !targetPath) return null;
+  if (threats.some(t => t && t.type === 'gyp_phantom_exec')) return null; // idempotent
+
+  let gypContent;
+  try {
+    const gypPath = path.join(targetPath, 'binding.gyp');
+    if (!fs.existsSync(gypPath)) return null;
+    gypContent = fs.readFileSync(gypPath, 'utf8');
+  } catch { return null; }
+
+  const scripts = extractGypInvokedScripts(gypContent);
+  if (scripts.length === 0) return null;
+
+  for (const { interpreter, file } of scripts) {
+    const norm = _normRel(file);
+    const base = norm.split('/').pop();
+    const hasDir = norm.includes('/');
+    const malice = threats.find(t => {
+      if (!t || !t.file || !_isMaliceVerdict(t)) return false;
+      const tf = _normRel(t.file);
+      if (tf === norm) return true;
+      // A bare `<!(node loader.js)` ref (no directory) matches the invoked file by
+      // basename — binding.gyp refs resolve relative to the package root, the same
+      // base the scanners use for threat.file (path.relative(targetPath, …)).
+      if (!hasDir && tf.split('/').pop() === base) return true;
+      return false;
+    });
+    if (malice) {
+      const compound = {
+        type: 'gyp_phantom_exec',
+        severity: 'CRITICAL',
+        message: `binding.gyp runs <!(${interpreter} ${file}) at configure-time via node-gyp (no lifecycle script required) and ${file} is independently judged malicious (${malice.type}/${malice.severity}) — Phantom Gyp install-time payload (compound).`,
+        file: 'binding.gyp',
+        compound: true,
+        count: 1
+      };
+      threats.push(compound);
+      return compound; // one compound per package is enough
+    }
+  }
+  return null;
+}
+
+module.exports = { extractGypInvokedScripts, correlatePhantomGyp, _normRel, _isMaliceVerdict };

package/src/scoring.js

@@ -132,7 +132,9 @@ const PACKAGE_LEVEL_TYPES = new Set([
   // audit MR-C1: informational signal that the scan target is a monorepo root (per-workspace scoring TBD)
   'monorepo_detected',
   // Phantom Gyp: binding.gyp command-substitution is a package-level (manifest) finding
-  'gyp_command_exec'
+  'gyp_command_exec',
+  // Phantom Gyp compound (Phase 1b): configure-time <!(node x.js) × malicious invoked file
+  'gyp_phantom_exec'
 ]);
 
 // ============================================
@@ -160,7 +162,11 @@ const SINGLE_FIRE_CRITICAL_TYPES = new Set([
   'known_malicious_package',
   'pypi_malicious_package',
   'shai_hulud_marker',
-  'lifecycle_shell_pipe'
+  'lifecycle_shell_pipe',
+  // Phantom Gyp compound (Phase 1b): only fires when the invoked configure-time script
+  // is INDEPENDENTLY judged malicious, so it carries the same unambiguous-malware weight
+  // as the IOC/hash matches above — FP≈0 by construction justifies the single-fire floor.
+  'gyp_phantom_exec'
 ]);
 const SINGLE_FIRE_CRITICAL_FLOOR = 75;
 const SINGLE_FIRE_MIN_SEVERITY_RANK = 2; // HIGH