npm - muaddib-scanner - Versions diffs - 2.11.73 → 2.11.74 - Mend

muaddib-scanner 2.11.73 → 2.11.74

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +1 -1
package/{self-scan-v2.11.73.json → self-scan-v2.11.74.json} +1 -1
package/src/monitor/classify.js +21 -14
package/src/monitor/ingestion.js +25 -1
package/src/monitor/queue.js +4 -0
package/src/monitor/webhook.js +52 -27

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.73",
+  "version": "2.11.74",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.73.json → self-scan-v2.11.74.json} RENAMED Viewed

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-07T17:25:13.830Z",
+  "timestamp": "2026-06-07T18:51:19.187Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/classify.js CHANGED Viewed

@@ -1,6 +1,6 @@
 'use strict';
-const { levenshteinDistance } = require('../scanner/typosquat.js');
+const { levenshteinDistance, findPyPITyposquatMatch } = require('../scanner/typosquat.js');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 // --- Popular npm names (used for quick typosquat check) ---
@@ -351,32 +351,39 @@ function quickTyposquatCheck(name) {
  * Layer 3: Determine if a package should be cached and at what retention level.
  * @param {string} name - Package name
  * @param {Object|null} docMeta - Metadata from extractTarballFromDoc
- * @param {Object|null} doc - Full CouchDB doc
+ * @param {Object|null} doc - Full CouchDB doc (npm; carries `versions` for first-publish)
+ * @param {Object} [opts] - Non-npm ecosystem hints:
+ *   { ecosystem?: 'npm'|'pypi', versionCount?: number }. PyPI has no packument at
+ *   ingest time, so the version count comes from preResolvePyPIBatch via opts.
  * @returns {{ shouldCache: boolean, reason: string, retentionDays: number }}
  */
-function evaluateCacheTrigger(name, docMeta, doc) {
-  // Trigger 1: IOC match -- 30-day retention
+function evaluateCacheTrigger(name, docMeta, doc, opts = {}) {
+  const ecosystem = opts.ecosystem || 'npm';
+  // Trigger 1: IOC match -- 30-day retention. PyPI IOCs are namespaced "pypi:<name>".
   try {
     const iocs = loadCachedIOCs();
-    if ((iocs.wildcardPackages && iocs.wildcardPackages.has(name)) ||
-        (iocs.packagesMap && iocs.packagesMap.has(name))) {
+    const inSet = (s) => s && (s.has(name) || (ecosystem === 'pypi' && s.has(`pypi:${name}`)));
+    if (inSet(iocs.wildcardPackages) || inSet(iocs.packagesMap)) {
       return { shouldCache: true, reason: 'ioc_match', retentionDays: TARBALL_CACHE_HIGH_RISK_RETENTION_DAYS };
     }
   } catch { /* non-fatal */ }
-  // Trigger 2: Typosquat signal -- 7-day retention
+  // Trigger 2: Typosquat signal -- 7-day retention (ecosystem-specific popular list)
   try {
-    if (quickTyposquatCheck(name)) {
+    const typo = ecosystem === 'pypi' ? !!findPyPITyposquatMatch(name) : quickTyposquatCheck(name);
+    if (typo) {
       return { shouldCache: true, reason: 'typosquat_signal', retentionDays: TARBALL_CACHE_DEFAULT_RETENTION_DAYS };
     }
   } catch { /* non-fatal */ }
-  // Trigger 3: First publish (single version in doc) -- 7-day retention
-  if (doc && doc.versions) {
-    const versionCount = Object.keys(doc.versions).length;
-    if (versionCount === 1) {
-      return { shouldCache: true, reason: 'first_publish', retentionDays: TARBALL_CACHE_DEFAULT_RETENTION_DAYS };
-    }
+  // Trigger 3: First publish (single version) -- 7-day retention.
+  // npm: count from the CouchDB doc; pypi: count passed via opts.versionCount.
+  const versionCount = ecosystem === 'pypi'
+    ? (Number.isFinite(opts.versionCount) ? opts.versionCount : null)
+    : (doc && doc.versions ? Object.keys(doc.versions).length : null);
+  if (versionCount === 1) {
+    return { shouldCache: true, reason: 'first_publish', retentionDays: TARBALL_CACHE_DEFAULT_RETENTION_DAYS };
   }
   return { shouldCache: false, reason: '', retentionDays: 0 };

package/src/monitor/ingestion.js CHANGED Viewed

@@ -618,6 +618,16 @@ async function preResolvePyPIBatch(items, stats, scanQueue) {
             age_days: pypiInfo.age_days,
             version_count: pypiInfo.version_count,
           };
+          // First-publish parity with npm: derive the cache trigger + flag from the
+          // version count (PyPI has no packument at ingest, so the count comes from
+          // the registry fetch above). Feeds tarball retention, the scan-ledger
+          // firstPublish field, and Phase 2b protected eviction. The first-publish
+          // *sandbox* stays npm-only (runSandbox can't pip-install) — gated in queue.js.
+          const trig = evaluateCacheTrigger(item.name, null, null, {
+            ecosystem: 'pypi', versionCount: pypiInfo.version_count
+          });
+          item._cacheTrigger = trig.shouldCache ? trig : null;
+          item.firstPublish = trig.reason === 'first_publish';
           resolved++;
         } else {
           failed++;
@@ -1186,12 +1196,26 @@ async function pollPyPIChangelog(state, scanQueue, stats) {
         if (isKnownIOC) {
           console.log(`[MONITOR] IOC PRE-ALERT (pypi): ${ev.name} — known malicious package`);
           stats.iocPreAlerts = (stats.iocPreAlerts || 0) + 1;
-          sendIOCPreAlert(ev.name).catch(err => {
+          sendIOCPreAlert(ev.name, ev.version, 'pypi').catch(err => {
             console.error(`[MONITOR] IOC pre-alert webhook failed for ${ev.name}: ${err.message}`);
           });
         }
       } catch { /* IOC load failure is non-fatal */ }
+      // Campaign pre-alert (mirror of the npm Layer 1b): fire on name-pattern
+      // matches when the package isn't already a known IOC. Campaigns can target
+      // PyPI too; matchCampaignPattern is a pure name match, ecosystem-agnostic.
+      if (!isKnownIOC) {
+        const campaign = matchCampaignPattern(ev.name);
+        if (campaign) {
+          console.log(`[MONITOR] CAMPAIGN PRE-ALERT (pypi): ${ev.name} — matches ${campaign}`);
+          stats.campaignPreAlerts = (stats.campaignPreAlerts || 0) + 1;
+          sendCampaignPreAlert(ev.name, campaign, 'pypi').catch(err => {
+            console.error(`[MONITOR] campaign pre-alert webhook failed for ${ev.name}: ${err.message}`);
+          });
+        }
+      }
       newItems.push({
         name: ev.name,
         version: ev.version,

package/src/monitor/queue.js CHANGED Viewed

@@ -651,7 +651,11 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
     // First-publish sandbox priority: sandbox even with 0 static findings
     // if the package is from a new/unknown maintainer without a linked repository.
+    // First-publish sandbox is npm-only: runSandbox does `npm install <name>` and
+    // cannot install PyPI sdists/wheels. PyPI first-publish items still carry the
+    // flag + cache trigger + ledger firstPublish (Phase 2a) but skip the sandbox.
     const firstPublishSandbox = isFirstPublish &&
+      ecosystem === 'npm' &&
       FIRST_PUBLISH_SANDBOX_ENABLED &&
       isFirstPublishHighRisk(cacheTrigger, npmRegistryMeta) &&
       isSandboxEnabled() && sandboxAvailable &&

package/src/monitor/webhook.js CHANGED Viewed

@@ -150,25 +150,30 @@ function buildMonitorWebhookPayload(name, version, ecosystem, result, sandboxRes
 }
 /**
- * Layer 1: Send immediate IOC pre-alert webhook when a known malicious package
- * appears in the changes stream, BEFORE tarball download.
- * Safety net for packages that get unpublished before scanning completes.
- * @param {string} name - Package name matching IOC database
- * @param {string} [version] - Version if known (from CouchDB doc)
+ * Build the registry web link for a package, ecosystem-aware. Mirrors the link
+ * logic in ghsa-poller.js so pre-alerts point at the correct registry instead of
+ * always npmjs.com (PyPI IOC pre-alerts previously mislinked to npm).
  */
-async function sendIOCPreAlert(name, version) {
-  const url = getWebhookUrl();
-  if (!url) return;
+function registryLink(ecosystem, name) {
+  if (ecosystem === 'pypi') return `https://pypi.org/project/${encodeURIComponent(name)}/`;
+  if (ecosystem === 'crates') return `https://crates.io/crates/${encodeURIComponent(name)}`;
+  return `https://www.npmjs.com/package/${encodeURIComponent(name)}`;
+}
-  const npmLink = `https://www.npmjs.com/package/${encodeURIComponent(name)}`;
+/**
+ * Layer 1: Build the IOC pre-alert embed (pure \u2014 no network). Exported for tests.
+ * @param {string} name - Package name matching IOC database
+ * @param {string} [version] - Version if known
+ * @param {string} [ecosystem='npm'] - 'npm' | 'pypi' (link target)
+ */
+function buildIOCPreAlertEmbed(name, version, ecosystem = 'npm') {
   const versionStr = version ? `@${version}` : '';
-  const payload = {
+  return {
     embeds: [{
       title: '\u26a0\ufe0f IOC PRE-ALERT \u2014 Known Malicious Package',
       color: 0xe74c3c,
       fields: [
-        { name: 'Package', value: `[${name}${versionStr}](${npmLink})`, inline: true },
+        { name: 'Package', value: `[${ecosystem}/${name}${versionStr}](${registryLink(ecosystem, name)})`, inline: true },
         { name: 'Source', value: 'IOC Database Match', inline: true },
         { name: 'Detection', value: 'Changes stream pre-scan', inline: true },
         { name: 'Status', value: 'Full scan queued \u2014 this is an early warning. Package may be unpublished before scan completes.', inline: false }
@@ -179,31 +184,35 @@ async function sendIOCPreAlert(name, version) {
       timestamp: new Date().toISOString()
     }]
   };
-  await sendWebhook(url, payload, { rawPayload: true });
 }
 /**
- * Layer 1b: Send immediate pre-alert webhook when a package name matches an
- * active-campaign pattern (e.g. `did-NNNN` in May 2026). Fires BEFORE tarball
- * download \u2014 IOC lists are eventually-consistent and lag the campaign by
- * hours to days, so name-pattern watch is the only signal available in real
- * time while the campaign is in flight.
- * @param {string} name - Package name that matched the campaign pattern
- * @param {string} campaign - Short campaign label (e.g. 'did-NNNN')
+ * Layer 1: Send immediate IOC pre-alert webhook when a known malicious package
+ * appears in the changes stream, BEFORE tarball download. Safety net for packages
+ * that get unpublished before scanning completes.
+ * @param {string} name - Package name matching IOC database
+ * @param {string} [version] - Version if known (from CouchDB doc)
+ * @param {string} [ecosystem='npm'] - 'npm' | 'pypi'
  */
-async function sendCampaignPreAlert(name, campaign) {
+async function sendIOCPreAlert(name, version, ecosystem = 'npm') {
   const url = getWebhookUrl();
   if (!url) return;
+  await sendWebhook(url, buildIOCPreAlertEmbed(name, version, ecosystem), { rawPayload: true });
+}
-  const npmLink = `https://www.npmjs.com/package/${encodeURIComponent(name)}`;
-  const payload = {
+/**
+ * Layer 1b: Build the campaign pre-alert embed (pure \u2014 no network). Exported for tests.
+ * @param {string} name - Package name that matched the campaign pattern
+ * @param {string} campaign - Short campaign label (e.g. 'did-NNNN')
+ * @param {string} [ecosystem='npm'] - 'npm' | 'pypi' (link target)
+ */
+function buildCampaignPreAlertEmbed(name, campaign, ecosystem = 'npm') {
+  return {
     embeds: [{
       title: '\u26a0\ufe0f CAMPAIGN PRE-ALERT \u2014 Suspected Active Campaign',
       color: 0xe67e22,
       fields: [
-        { name: 'Package', value: `[${name}](${npmLink})`, inline: true },
+        { name: 'Package', value: `[${ecosystem}/${name}](${registryLink(ecosystem, name)})`, inline: true },
         { name: 'Source', value: `Name pattern: ${campaign}`, inline: true },
         { name: 'Detection', value: 'Changes stream pre-scan', inline: true },
         { name: 'Status', value: 'Suspected campaign publication \u2014 not yet confirmed malicious. Full scan queued; treat as suspect until verdict lands.', inline: false }
@@ -214,8 +223,21 @@ async function sendCampaignPreAlert(name, campaign) {
       timestamp: new Date().toISOString()
     }]
   };
+}
-  await sendWebhook(url, payload, { rawPayload: true });
+/**
+ * Layer 1b: Send a campaign pre-alert webhook when a package name matches an
+ * active-campaign pattern (e.g. `did-NNNN`). Fires BEFORE tarball download \u2014 IOC
+ * lists lag the campaign by hours to days, so name-pattern watch is the only
+ * real-time signal while the campaign is in flight.
+ * @param {string} name - Package name that matched the campaign pattern
+ * @param {string} campaign - Short campaign label (e.g. 'did-NNNN')
+ * @param {string} [ecosystem='npm'] - 'npm' | 'pypi'
+ */
+async function sendCampaignPreAlert(name, campaign, ecosystem = 'npm') {
+  const url = getWebhookUrl();
+  if (!url) return;
+  await sendWebhook(url, buildCampaignPreAlertEmbed(name, campaign, ecosystem), { rawPayload: true });
 }
 /**
@@ -1372,7 +1394,10 @@ module.exports = {
   getWebhookThreshold,
   shouldSendWebhook,
   buildMonitorWebhookPayload,
+  registryLink,
+  buildIOCPreAlertEmbed,
   sendIOCPreAlert,
+  buildCampaignPreAlertEmbed,
   sendCampaignPreAlert,
   matchVersionedIOC,
   computeRiskLevel,