muaddib-scanner 2.11.73 → 2.11.75

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.73",
+  "version": "2.11.75",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.73.json → self-scan-v2.11.75.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-07T17:25:13.830Z",
+  "timestamp": "2026-06-07T19:18:50.434Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/ioc/ghsa-poller.js

@@ -31,7 +31,7 @@ const path = require('path');
 const https = require('https');
 
 const GHSA_API_HOST = 'api.github.com';
-const GHSA_ECOSYSTEMS = ['npm', 'pypi'];
+const GHSA_ECOSYSTEMS = ['npm', 'pypi', 'crates'];
 const GHSA_CURSOR_FILE = process.env.MUADDIB_GHSA_CURSOR_FILE ||
   path.join(__dirname, '..', '..', 'data', 'ghsa-cursor.json');
 const GHSA_MALWARE_FILE = process.env.MUADDIB_GHSA_MALWARE_FILE ||
@@ -84,9 +84,10 @@ function _httpGetJson(pathName, { token, httpImpl = https, timeoutMs = 20_000 }
  */
 async function _defaultFetch(ecosystem, opts = {}) {
   const token = opts.token || process.env.GITHUB_TOKEN || process.env.GH_TOKEN || null;
-  // GHSA names the Python ecosystem "pip" (not "pypi") in BOTH the query and the response;
-  // querying ecosystem=pypi returns HTTP 422. Map our internal name to GHSA's for the query.
-  const apiEco = ecosystem === 'pypi' ? 'pip' : ecosystem;
+  // GHSA names the Python ecosystem "pip" (not "pypi") and Rust "rust" (we call it
+  // "crates") in BOTH the query and the response; querying ecosystem=pypi returns HTTP
+  // 422. Map our internal name to GHSA's for the query.
+  const apiEco = ecosystem === 'pypi' ? 'pip' : ecosystem === 'crates' ? 'rust' : ecosystem;
   const p = `/advisories?type=malware&ecosystem=${encodeURIComponent(apiEco)}&per_page=100&sort=updated&direction=desc`;
   const { status, json } = await _httpGetJson(p, { token, httpImpl: opts.httpImpl });
   if (status !== 200 || !Array.isArray(json)) {
@@ -112,7 +113,7 @@ function _nextLink(linkHeader) {
 async function fetchAllGhsaMalware(ecosystem, opts = {}) {
   const token = opts.token || process.env.GITHUB_TOKEN || process.env.GH_TOKEN || null;
   const maxPages = Number.isFinite(opts.maxPages) ? opts.maxPages : 30;
-  const apiEco = ecosystem === 'pypi' ? 'pip' : ecosystem;
+  const apiEco = ecosystem === 'pypi' ? 'pip' : ecosystem === 'crates' ? 'rust' : ecosystem;
   let pathName = `/advisories?type=malware&ecosystem=${encodeURIComponent(apiEco)}&per_page=100&sort=published&direction=desc`;
   const rows = [];
   for (let page = 0; page < maxPages && pathName; page++) {
@@ -141,6 +142,7 @@ function parseAdvisory(adv, ecosystems = GHSA_ECOSYSTEMS) {
     if (!pkg || !pkg.name || !pkg.ecosystem) continue;
     let eco = String(pkg.ecosystem).toLowerCase();
     if (eco === 'pip') eco = 'pypi'; // normalize GHSA's "pip" to our internal "pypi"
+    else if (eco === 'rust') eco = 'crates'; // normalize GHSA's "rust" to our internal "crates"
     if (ecosystems && !ecosystems.includes(eco)) continue;
     out.push({
       ghsa_id: adv.ghsa_id,
@@ -210,17 +212,29 @@ function _maybeCompactMalware(file) {
 function buildGhsaPreAlertEmbed(row) {
   const link = row.ecosystem === 'pypi'
     ? `https://pypi.org/project/${encodeURIComponent(row.name)}/`
-    : `https://www.npmjs.com/package/${encodeURIComponent(row.name)}`;
+    : row.ecosystem === 'crates'
+      ? `https://crates.io/crates/${encodeURIComponent(row.name)}`
+      : `https://www.npmjs.com/package/${encodeURIComponent(row.name)}`;
+  const fields = [
+    { name: 'Package', value: `[${row.ecosystem}/${row.name}](${link})`, inline: true },
+    { name: 'Range', value: String(row.versionRange || '*'), inline: true },
+    { name: 'Advisory', value: `[${row.ghsa_id}](https://github.com/advisories/${row.ghsa_id})`, inline: true },
+    { name: 'Source', value: 'GitHub Advisory DB (type=malware) — active poller', inline: false }
+  ];
+  // crates enrichment: flag if the malicious crate name typosquats a popular crate.
+  // Lazy require keeps the poller light; findCratesTyposquatMatch is pure.
+  if (row.ecosystem === 'crates') {
+    try {
+      const { findCratesTyposquatMatch } = require('../scanner/typosquat.js');
+      const m = findCratesTyposquatMatch(row.name);
+      if (m) fields.push({ name: 'Typosquat', value: `looks like \`${m.original}\` (distance ${m.distance})`, inline: true });
+    } catch { /* enrichment is best-effort */ }
+  }
   return {
     embeds: [{
       title: '⚠️ GHSA PRE-ALERT — Fresh Malware Advisory',
       color: 0xe74c3c,
-      fields: [
-        { name: 'Package', value: `[${row.ecosystem}/${row.name}](${link})`, inline: true },
-        { name: 'Range', value: String(row.versionRange || '*'), inline: true },
-        { name: 'Advisory', value: `[${row.ghsa_id}](https://github.com/advisories/${row.ghsa_id})`, inline: true },
-        { name: 'Source', value: 'GitHub Advisory DB (type=malware) — active poller', inline: false }
-      ],
+      fields,
       footer: { text: `MUAD'DIB GHSA Pre-Alert | ${new Date().toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC')}` },
       timestamp: new Date().toISOString()
     }]

package/src/monitor/classify.js

@@ -1,6 +1,6 @@
 'use strict';
 
-const { levenshteinDistance } = require('../scanner/typosquat.js');
+const { levenshteinDistance, findPyPITyposquatMatch } = require('../scanner/typosquat.js');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 
 // --- Popular npm names (used for quick typosquat check) ---
@@ -351,32 +351,39 @@ function quickTyposquatCheck(name) {
  * Layer 3: Determine if a package should be cached and at what retention level.
  * @param {string} name - Package name
  * @param {Object|null} docMeta - Metadata from extractTarballFromDoc
- * @param {Object|null} doc - Full CouchDB doc
+ * @param {Object|null} doc - Full CouchDB doc (npm; carries `versions` for first-publish)
+ * @param {Object} [opts] - Non-npm ecosystem hints:
+ *   { ecosystem?: 'npm'|'pypi', versionCount?: number }. PyPI has no packument at
+ *   ingest time, so the version count comes from preResolvePyPIBatch via opts.
  * @returns {{ shouldCache: boolean, reason: string, retentionDays: number }}
  */
-function evaluateCacheTrigger(name, docMeta, doc) {
-  // Trigger 1: IOC match -- 30-day retention
+function evaluateCacheTrigger(name, docMeta, doc, opts = {}) {
+  const ecosystem = opts.ecosystem || 'npm';
+
+  // Trigger 1: IOC match -- 30-day retention. PyPI IOCs are namespaced "pypi:<name>".
   try {
     const iocs = loadCachedIOCs();
-    if ((iocs.wildcardPackages && iocs.wildcardPackages.has(name)) ||
-        (iocs.packagesMap && iocs.packagesMap.has(name))) {
+    const inSet = (s) => s && (s.has(name) || (ecosystem === 'pypi' && s.has(`pypi:${name}`)));
+    if (inSet(iocs.wildcardPackages) || inSet(iocs.packagesMap)) {
       return { shouldCache: true, reason: 'ioc_match', retentionDays: TARBALL_CACHE_HIGH_RISK_RETENTION_DAYS };
     }
   } catch { /* non-fatal */ }
 
-  // Trigger 2: Typosquat signal -- 7-day retention
+  // Trigger 2: Typosquat signal -- 7-day retention (ecosystem-specific popular list)
   try {
-    if (quickTyposquatCheck(name)) {
+    const typo = ecosystem === 'pypi' ? !!findPyPITyposquatMatch(name) : quickTyposquatCheck(name);
+    if (typo) {
       return { shouldCache: true, reason: 'typosquat_signal', retentionDays: TARBALL_CACHE_DEFAULT_RETENTION_DAYS };
     }
   } catch { /* non-fatal */ }
 
-  // Trigger 3: First publish (single version in doc) -- 7-day retention
-  if (doc && doc.versions) {
-    const versionCount = Object.keys(doc.versions).length;
-    if (versionCount === 1) {
-      return { shouldCache: true, reason: 'first_publish', retentionDays: TARBALL_CACHE_DEFAULT_RETENTION_DAYS };
-    }
+  // Trigger 3: First publish (single version) -- 7-day retention.
+  // npm: count from the CouchDB doc; pypi: count passed via opts.versionCount.
+  const versionCount = ecosystem === 'pypi'
+    ? (Number.isFinite(opts.versionCount) ? opts.versionCount : null)
+    : (doc && doc.versions ? Object.keys(doc.versions).length : null);
+  if (versionCount === 1) {
+    return { shouldCache: true, reason: 'first_publish', retentionDays: TARBALL_CACHE_DEFAULT_RETENTION_DAYS };
   }
 
   return { shouldCache: false, reason: '', retentionDays: 0 };

package/src/monitor/ingestion.js

@@ -618,6 +618,16 @@ async function preResolvePyPIBatch(items, stats, scanQueue) {
             age_days: pypiInfo.age_days,
             version_count: pypiInfo.version_count,
           };
+          // First-publish parity with npm: derive the cache trigger + flag from the
+          // version count (PyPI has no packument at ingest, so the count comes from
+          // the registry fetch above). Feeds tarball retention, the scan-ledger
+          // firstPublish field, and Phase 2b protected eviction. The first-publish
+          // *sandbox* stays npm-only (runSandbox can't pip-install) — gated in queue.js.
+          const trig = evaluateCacheTrigger(item.name, null, null, {
+            ecosystem: 'pypi', versionCount: pypiInfo.version_count
+          });
+          item._cacheTrigger = trig.shouldCache ? trig : null;
+          item.firstPublish = trig.reason === 'first_publish';
           resolved++;
         } else {
           failed++;
@@ -1186,12 +1196,26 @@ async function pollPyPIChangelog(state, scanQueue, stats) {
         if (isKnownIOC) {
           console.log(`[MONITOR] IOC PRE-ALERT (pypi): ${ev.name} — known malicious package`);
           stats.iocPreAlerts = (stats.iocPreAlerts || 0) + 1;
-          sendIOCPreAlert(ev.name).catch(err => {
+          sendIOCPreAlert(ev.name, ev.version, 'pypi').catch(err => {
             console.error(`[MONITOR] IOC pre-alert webhook failed for ${ev.name}: ${err.message}`);
           });
         }
       } catch { /* IOC load failure is non-fatal */ }
 
+      // Campaign pre-alert (mirror of the npm Layer 1b): fire on name-pattern
+      // matches when the package isn't already a known IOC. Campaigns can target
+      // PyPI too; matchCampaignPattern is a pure name match, ecosystem-agnostic.
+      if (!isKnownIOC) {
+        const campaign = matchCampaignPattern(ev.name);
+        if (campaign) {
+          console.log(`[MONITOR] CAMPAIGN PRE-ALERT (pypi): ${ev.name} — matches ${campaign}`);
+          stats.campaignPreAlerts = (stats.campaignPreAlerts || 0) + 1;
+          sendCampaignPreAlert(ev.name, campaign, 'pypi').catch(err => {
+            console.error(`[MONITOR] campaign pre-alert webhook failed for ${ev.name}: ${err.message}`);
+          });
+        }
+      }
+
       newItems.push({
         name: ev.name,
         version: ev.version,

package/src/monitor/queue.js

@@ -651,7 +651,11 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
 
     // First-publish sandbox priority: sandbox even with 0 static findings
     // if the package is from a new/unknown maintainer without a linked repository.
+    // First-publish sandbox is npm-only: runSandbox does `npm install <name>` and
+    // cannot install PyPI sdists/wheels. PyPI first-publish items still carry the
+    // flag + cache trigger + ledger firstPublish (Phase 2a) but skip the sandbox.
     const firstPublishSandbox = isFirstPublish &&
+      ecosystem === 'npm' &&
       FIRST_PUBLISH_SANDBOX_ENABLED &&
       isFirstPublishHighRisk(cacheTrigger, npmRegistryMeta) &&
       isSandboxEnabled() && sandboxAvailable &&

package/src/monitor/webhook.js

@@ -150,25 +150,30 @@ function buildMonitorWebhookPayload(name, version, ecosystem, result, sandboxRes
 }
 
 /**
- * Layer 1: Send immediate IOC pre-alert webhook when a known malicious package
- * appears in the changes stream, BEFORE tarball download.
- * Safety net for packages that get unpublished before scanning completes.
- * @param {string} name - Package name matching IOC database
- * @param {string} [version] - Version if known (from CouchDB doc)
+ * Build the registry web link for a package, ecosystem-aware. Mirrors the link
+ * logic in ghsa-poller.js so pre-alerts point at the correct registry instead of
+ * always npmjs.com (PyPI IOC pre-alerts previously mislinked to npm).
  */
-async function sendIOCPreAlert(name, version) {
-  const url = getWebhookUrl();
-  if (!url) return;
+function registryLink(ecosystem, name) {
+  if (ecosystem === 'pypi') return `https://pypi.org/project/${encodeURIComponent(name)}/`;
+  if (ecosystem === 'crates') return `https://crates.io/crates/${encodeURIComponent(name)}`;
+  return `https://www.npmjs.com/package/${encodeURIComponent(name)}`;
+}
 
-  const npmLink = `https://www.npmjs.com/package/${encodeURIComponent(name)}`;
+/**
+ * Layer 1: Build the IOC pre-alert embed (pure \u2014 no network). Exported for tests.
+ * @param {string} name - Package name matching IOC database
+ * @param {string} [version] - Version if known
+ * @param {string} [ecosystem='npm'] - 'npm' | 'pypi' (link target)
+ */
+function buildIOCPreAlertEmbed(name, version, ecosystem = 'npm') {
   const versionStr = version ? `@${version}` : '';
-
-  const payload = {
+  return {
     embeds: [{
       title: '\u26a0\ufe0f IOC PRE-ALERT \u2014 Known Malicious Package',
       color: 0xe74c3c,
       fields: [
-        { name: 'Package', value: `[${name}${versionStr}](${npmLink})`, inline: true },
+        { name: 'Package', value: `[${ecosystem}/${name}${versionStr}](${registryLink(ecosystem, name)})`, inline: true },
         { name: 'Source', value: 'IOC Database Match', inline: true },
         { name: 'Detection', value: 'Changes stream pre-scan', inline: true },
         { name: 'Status', value: 'Full scan queued \u2014 this is an early warning. Package may be unpublished before scan completes.', inline: false }
@@ -179,31 +184,35 @@ async function sendIOCPreAlert(name, version) {
       timestamp: new Date().toISOString()
     }]
   };
-
-  await sendWebhook(url, payload, { rawPayload: true });
 }
 
 /**
- * Layer 1b: Send immediate pre-alert webhook when a package name matches an
- * active-campaign pattern (e.g. `did-NNNN` in May 2026). Fires BEFORE tarball
- * download \u2014 IOC lists are eventually-consistent and lag the campaign by
- * hours to days, so name-pattern watch is the only signal available in real
- * time while the campaign is in flight.
- * @param {string} name - Package name that matched the campaign pattern
- * @param {string} campaign - Short campaign label (e.g. 'did-NNNN')
+ * Layer 1: Send immediate IOC pre-alert webhook when a known malicious package
+ * appears in the changes stream, BEFORE tarball download. Safety net for packages
+ * that get unpublished before scanning completes.
+ * @param {string} name - Package name matching IOC database
+ * @param {string} [version] - Version if known (from CouchDB doc)
+ * @param {string} [ecosystem='npm'] - 'npm' | 'pypi'
  */
-async function sendCampaignPreAlert(name, campaign) {
+async function sendIOCPreAlert(name, version, ecosystem = 'npm') {
   const url = getWebhookUrl();
   if (!url) return;
+  await sendWebhook(url, buildIOCPreAlertEmbed(name, version, ecosystem), { rawPayload: true });
+}
 
-  const npmLink = `https://www.npmjs.com/package/${encodeURIComponent(name)}`;
-
-  const payload = {
+/**
+ * Layer 1b: Build the campaign pre-alert embed (pure \u2014 no network). Exported for tests.
+ * @param {string} name - Package name that matched the campaign pattern
+ * @param {string} campaign - Short campaign label (e.g. 'did-NNNN')
+ * @param {string} [ecosystem='npm'] - 'npm' | 'pypi' (link target)
+ */
+function buildCampaignPreAlertEmbed(name, campaign, ecosystem = 'npm') {
+  return {
     embeds: [{
       title: '\u26a0\ufe0f CAMPAIGN PRE-ALERT \u2014 Suspected Active Campaign',
       color: 0xe67e22,
       fields: [
-        { name: 'Package', value: `[${name}](${npmLink})`, inline: true },
+        { name: 'Package', value: `[${ecosystem}/${name}](${registryLink(ecosystem, name)})`, inline: true },
         { name: 'Source', value: `Name pattern: ${campaign}`, inline: true },
         { name: 'Detection', value: 'Changes stream pre-scan', inline: true },
         { name: 'Status', value: 'Suspected campaign publication \u2014 not yet confirmed malicious. Full scan queued; treat as suspect until verdict lands.', inline: false }
@@ -214,8 +223,21 @@ async function sendCampaignPreAlert(name, campaign) {
       timestamp: new Date().toISOString()
     }]
   };
+}
 
-  await sendWebhook(url, payload, { rawPayload: true });
+/**
+ * Layer 1b: Send a campaign pre-alert webhook when a package name matches an
+ * active-campaign pattern (e.g. `did-NNNN`). Fires BEFORE tarball download \u2014 IOC
+ * lists lag the campaign by hours to days, so name-pattern watch is the only
+ * real-time signal while the campaign is in flight.
+ * @param {string} name - Package name that matched the campaign pattern
+ * @param {string} campaign - Short campaign label (e.g. 'did-NNNN')
+ * @param {string} [ecosystem='npm'] - 'npm' | 'pypi'
+ */
+async function sendCampaignPreAlert(name, campaign, ecosystem = 'npm') {
+  const url = getWebhookUrl();
+  if (!url) return;
+  await sendWebhook(url, buildCampaignPreAlertEmbed(name, campaign, ecosystem), { rawPayload: true });
 }
 
 /**
@@ -1372,7 +1394,10 @@ module.exports = {
   getWebhookThreshold,
   shouldSendWebhook,
   buildMonitorWebhookPayload,
+  registryLink,
+  buildIOCPreAlertEmbed,
   sendIOCPreAlert,
+  buildCampaignPreAlertEmbed,
   sendCampaignPreAlert,
   matchVersionedIOC,
   computeRiskLevel,

package/src/scanner/typosquat.js

@@ -764,4 +764,80 @@ function findPyPITyposquatMatch(name) {
   return null;
 }
 
-module.exports = { scanTyposquatting, levenshteinDistance, clearMetadataCache, findPyPITyposquatMatch, findTyposquatMatch };
+// ============================================
+// crates.io (Rust) TYPOSQUATTING — Phase 4
+// ============================================
+// Pre-alert enrichment ONLY: flags when an incoming crate name (from the GHSA rust
+// malware feed) typosquats a popular crate. No crates ingestion / build.rs / scan-time
+// Cargo parsing (non-goal). Mirrors the PyPI block above.
+
+// Top crates.io packages by downloads (typosquat targets). Hardcoded snapshot.
+const POPULAR_CRATES = [
+  'serde', 'serde_json', 'serde_derive', 'serde_yaml', 'syn', 'quote', 'proc-macro2',
+  'libc', 'rand', 'rand_core', 'log', 'cfg-if', 'bitflags', 'itertools', 'once_cell',
+  'lazy_static', 'regex', 'regex-syntax', 'aho-corasick', 'base64', 'num-traits',
+  'unicode-ident', 'tokio', 'tokio-util', 'futures', 'futures-util', 'bytes',
+  'hashbrown', 'smallvec', 'parking_lot', 'anyhow', 'thiserror', 'indexmap', 'memchr',
+  'chrono', 'semver', 'getrandom', 'clap', 'time', 'uuid', 'hyper', 'reqwest',
+  'async-trait', 'tracing', 'tracing-core', 'tracing-subscriber', 'url',
+  'percent-encoding', 'idna', 'socket2', 'httparse', 'tower', 'rayon', 'num_cpus',
+  'either', 'toml', 'winapi', 'windows-sys', 'env_logger', 'generic-array', 'digest',
+  'sha2', 'typenum', 'subtle', 'rustls', 'ring', 'openssl', 'flate2', 'miniz_oxide',
+  'crc32fast', 'walkdir', 'tempfile', 'dirs', 'nix', 'backtrace', 'scopeguard',
+  'pin-project', 'pin-project-lite', 'slab', 'lock_api', 'crossbeam-utils',
+  'crossbeam-channel', 'crossbeam-epoch', 'ahash', 'fnv', 'mio', 'h2', 'http'
+];
+
+// crates.io treats '-' and '_' as equivalent and is case-insensitive for name
+// uniqueness; normalize the same way for typosquat comparison.
+function normalizeCrate(name) {
+  return name.toLowerCase().replace(/[-_]+/g, '-');
+}
+
+const POPULAR_CRATES_NORMALIZED = POPULAR_CRATES.map(normalizeCrate);
+const POPULAR_CRATES_SET = new Set(POPULAR_CRATES_NORMALIZED);
+
+// Legitimate crates within edit-distance of a popular crate but not squats.
+const CRATES_WHITELIST = new Set([
+  'mime',         // distance 1 from 'time' — both real & popular
+  'rand-chacha',  // rand ecosystem sibling (normalized)
+  'serde-with',   // serde ecosystem sibling
+  'futures-core',
+]);
+
+const MIN_CRATE_LENGTH = 4;
+
+/**
+ * Find a crates.io typosquat match (Levenshtein over the popular-crate list).
+ * Pure + IOC-independent. Used by the GHSA rust pre-alert to enrich the embed.
+ *
+ * @param {string} name - crate name
+ * @returns {{original: string, type: string, distance: number}|null}
+ */
+function findCratesTyposquatMatch(name) {
+  if (typeof name !== 'string' || !name) return null;
+  const normalized = normalizeCrate(name);
+
+  if (POPULAR_CRATES_SET.has(normalized)) return null; // it IS a popular crate
+  if (CRATES_WHITELIST.has(normalized)) return null;
+  if (normalized.length < MIN_CRATE_LENGTH) return null;
+
+  for (let i = 0; i < POPULAR_CRATES.length; i++) {
+    const popularNorm = POPULAR_CRATES_NORMALIZED[i];
+    const popular = POPULAR_CRATES[i];
+    if (normalized === popularNorm) continue;
+    if (popularNorm.length < MIN_CRATE_LENGTH) continue;
+    if (Math.abs(normalized.length - popularNorm.length) > 2) continue;
+
+    const distance = levenshteinDistance(normalized, popularNorm);
+    if (distance === 1) {
+      return { original: popular, type: detectTyposquatType(normalized, popularNorm), distance };
+    }
+    if (distance === 2 && popularNorm.length >= 5) {
+      return { original: popular, type: detectTyposquatType(normalized, popularNorm), distance };
+    }
+  }
+  return null;
+}
+
+module.exports = { scanTyposquatting, levenshteinDistance, clearMetadataCache, findPyPITyposquatMatch, findCratesTyposquatMatch, findTyposquatMatch };