npm - muaddib-scanner - Versions diffs - 2.11.74 → 2.11.75 - Mend

muaddib-scanner 2.11.74 → 2.11.75

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/{self-scan-v2.11.74.json → self-scan-v2.11.75.json} +1 -1
package/src/ioc/ghsa-poller.js +26 -12
package/src/scanner/typosquat.js +77 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.74",
+  "version": "2.11.75",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.74.json → self-scan-v2.11.75.json} RENAMED Viewed

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-07T18:51:19.187Z",
+  "timestamp": "2026-06-07T19:18:50.434Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/ioc/ghsa-poller.js CHANGED Viewed

@@ -31,7 +31,7 @@ const path = require('path');
 const https = require('https');
 const GHSA_API_HOST = 'api.github.com';
-const GHSA_ECOSYSTEMS = ['npm', 'pypi'];
+const GHSA_ECOSYSTEMS = ['npm', 'pypi', 'crates'];
 const GHSA_CURSOR_FILE = process.env.MUADDIB_GHSA_CURSOR_FILE ||
   path.join(__dirname, '..', '..', 'data', 'ghsa-cursor.json');
 const GHSA_MALWARE_FILE = process.env.MUADDIB_GHSA_MALWARE_FILE ||
@@ -84,9 +84,10 @@ function _httpGetJson(pathName, { token, httpImpl = https, timeoutMs = 20_000 }
  */
 async function _defaultFetch(ecosystem, opts = {}) {
   const token = opts.token || process.env.GITHUB_TOKEN || process.env.GH_TOKEN || null;
-  // GHSA names the Python ecosystem "pip" (not "pypi") in BOTH the query and the response;
-  // querying ecosystem=pypi returns HTTP 422. Map our internal name to GHSA's for the query.
-  const apiEco = ecosystem === 'pypi' ? 'pip' : ecosystem;
+  // GHSA names the Python ecosystem "pip" (not "pypi") and Rust "rust" (we call it
+  // "crates") in BOTH the query and the response; querying ecosystem=pypi returns HTTP
+  // 422. Map our internal name to GHSA's for the query.
+  const apiEco = ecosystem === 'pypi' ? 'pip' : ecosystem === 'crates' ? 'rust' : ecosystem;
   const p = `/advisories?type=malware&ecosystem=${encodeURIComponent(apiEco)}&per_page=100&sort=updated&direction=desc`;
   const { status, json } = await _httpGetJson(p, { token, httpImpl: opts.httpImpl });
   if (status !== 200 || !Array.isArray(json)) {
@@ -112,7 +113,7 @@ function _nextLink(linkHeader) {
 async function fetchAllGhsaMalware(ecosystem, opts = {}) {
   const token = opts.token || process.env.GITHUB_TOKEN || process.env.GH_TOKEN || null;
   const maxPages = Number.isFinite(opts.maxPages) ? opts.maxPages : 30;
-  const apiEco = ecosystem === 'pypi' ? 'pip' : ecosystem;
+  const apiEco = ecosystem === 'pypi' ? 'pip' : ecosystem === 'crates' ? 'rust' : ecosystem;
   let pathName = `/advisories?type=malware&ecosystem=${encodeURIComponent(apiEco)}&per_page=100&sort=published&direction=desc`;
   const rows = [];
   for (let page = 0; page < maxPages && pathName; page++) {
@@ -141,6 +142,7 @@ function parseAdvisory(adv, ecosystems = GHSA_ECOSYSTEMS) {
     if (!pkg || !pkg.name || !pkg.ecosystem) continue;
     let eco = String(pkg.ecosystem).toLowerCase();
     if (eco === 'pip') eco = 'pypi'; // normalize GHSA's "pip" to our internal "pypi"
+    else if (eco === 'rust') eco = 'crates'; // normalize GHSA's "rust" to our internal "crates"
     if (ecosystems && !ecosystems.includes(eco)) continue;
     out.push({
       ghsa_id: adv.ghsa_id,
@@ -210,17 +212,29 @@ function _maybeCompactMalware(file) {
 function buildGhsaPreAlertEmbed(row) {
   const link = row.ecosystem === 'pypi'
     ? `https://pypi.org/project/${encodeURIComponent(row.name)}/`
-    : `https://www.npmjs.com/package/${encodeURIComponent(row.name)}`;
+    : row.ecosystem === 'crates'
+      ? `https://crates.io/crates/${encodeURIComponent(row.name)}`
+      : `https://www.npmjs.com/package/${encodeURIComponent(row.name)}`;
+  const fields = [
+    { name: 'Package', value: `[${row.ecosystem}/${row.name}](${link})`, inline: true },
+    { name: 'Range', value: String(row.versionRange || '*'), inline: true },
+    { name: 'Advisory', value: `[${row.ghsa_id}](https://github.com/advisories/${row.ghsa_id})`, inline: true },
+    { name: 'Source', value: 'GitHub Advisory DB (type=malware) — active poller', inline: false }
+  ];
+  // crates enrichment: flag if the malicious crate name typosquats a popular crate.
+  // Lazy require keeps the poller light; findCratesTyposquatMatch is pure.
+  if (row.ecosystem === 'crates') {
+    try {
+      const { findCratesTyposquatMatch } = require('../scanner/typosquat.js');
+      const m = findCratesTyposquatMatch(row.name);
+      if (m) fields.push({ name: 'Typosquat', value: `looks like \`${m.original}\` (distance ${m.distance})`, inline: true });
+    } catch { /* enrichment is best-effort */ }
+  }
   return {
     embeds: [{
       title: '⚠️ GHSA PRE-ALERT — Fresh Malware Advisory',
       color: 0xe74c3c,
-      fields: [
-        { name: 'Package', value: `[${row.ecosystem}/${row.name}](${link})`, inline: true },
-        { name: 'Range', value: String(row.versionRange || '*'), inline: true },
-        { name: 'Advisory', value: `[${row.ghsa_id}](https://github.com/advisories/${row.ghsa_id})`, inline: true },
-        { name: 'Source', value: 'GitHub Advisory DB (type=malware) — active poller', inline: false }
-      ],
+      fields,
       footer: { text: `MUAD'DIB GHSA Pre-Alert | ${new Date().toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC')}` },
       timestamp: new Date().toISOString()
     }]

package/src/scanner/typosquat.js CHANGED Viewed

@@ -764,4 +764,80 @@ function findPyPITyposquatMatch(name) {
   return null;
 }
-module.exports = { scanTyposquatting, levenshteinDistance, clearMetadataCache, findPyPITyposquatMatch, findTyposquatMatch };
+// ============================================
+// crates.io (Rust) TYPOSQUATTING — Phase 4
+// ============================================
+// Pre-alert enrichment ONLY: flags when an incoming crate name (from the GHSA rust
+// malware feed) typosquats a popular crate. No crates ingestion / build.rs / scan-time
+// Cargo parsing (non-goal). Mirrors the PyPI block above.
+// Top crates.io packages by downloads (typosquat targets). Hardcoded snapshot.
+const POPULAR_CRATES = [
+  'serde', 'serde_json', 'serde_derive', 'serde_yaml', 'syn', 'quote', 'proc-macro2',
+  'libc', 'rand', 'rand_core', 'log', 'cfg-if', 'bitflags', 'itertools', 'once_cell',
+  'lazy_static', 'regex', 'regex-syntax', 'aho-corasick', 'base64', 'num-traits',
+  'unicode-ident', 'tokio', 'tokio-util', 'futures', 'futures-util', 'bytes',
+  'hashbrown', 'smallvec', 'parking_lot', 'anyhow', 'thiserror', 'indexmap', 'memchr',
+  'chrono', 'semver', 'getrandom', 'clap', 'time', 'uuid', 'hyper', 'reqwest',
+  'async-trait', 'tracing', 'tracing-core', 'tracing-subscriber', 'url',
+  'percent-encoding', 'idna', 'socket2', 'httparse', 'tower', 'rayon', 'num_cpus',
+  'either', 'toml', 'winapi', 'windows-sys', 'env_logger', 'generic-array', 'digest',
+  'sha2', 'typenum', 'subtle', 'rustls', 'ring', 'openssl', 'flate2', 'miniz_oxide',
+  'crc32fast', 'walkdir', 'tempfile', 'dirs', 'nix', 'backtrace', 'scopeguard',
+  'pin-project', 'pin-project-lite', 'slab', 'lock_api', 'crossbeam-utils',
+  'crossbeam-channel', 'crossbeam-epoch', 'ahash', 'fnv', 'mio', 'h2', 'http'
+];
+// crates.io treats '-' and '_' as equivalent and is case-insensitive for name
+// uniqueness; normalize the same way for typosquat comparison.
+function normalizeCrate(name) {
+  return name.toLowerCase().replace(/[-_]+/g, '-');
+}
+const POPULAR_CRATES_NORMALIZED = POPULAR_CRATES.map(normalizeCrate);
+const POPULAR_CRATES_SET = new Set(POPULAR_CRATES_NORMALIZED);
+// Legitimate crates within edit-distance of a popular crate but not squats.
+const CRATES_WHITELIST = new Set([
+  'mime',         // distance 1 from 'time' — both real & popular
+  'rand-chacha',  // rand ecosystem sibling (normalized)
+  'serde-with',   // serde ecosystem sibling
+  'futures-core',
+]);
+const MIN_CRATE_LENGTH = 4;
+/**
+ * Find a crates.io typosquat match (Levenshtein over the popular-crate list).
+ * Pure + IOC-independent. Used by the GHSA rust pre-alert to enrich the embed.
+ *
+ * @param {string} name - crate name
+ * @returns {{original: string, type: string, distance: number}|null}
+ */
+function findCratesTyposquatMatch(name) {
+  if (typeof name !== 'string' || !name) return null;
+  const normalized = normalizeCrate(name);
+  if (POPULAR_CRATES_SET.has(normalized)) return null; // it IS a popular crate
+  if (CRATES_WHITELIST.has(normalized)) return null;
+  if (normalized.length < MIN_CRATE_LENGTH) return null;
+  for (let i = 0; i < POPULAR_CRATES.length; i++) {
+    const popularNorm = POPULAR_CRATES_NORMALIZED[i];
+    const popular = POPULAR_CRATES[i];
+    if (normalized === popularNorm) continue;
+    if (popularNorm.length < MIN_CRATE_LENGTH) continue;
+    if (Math.abs(normalized.length - popularNorm.length) > 2) continue;
+    const distance = levenshteinDistance(normalized, popularNorm);
+    if (distance === 1) {
+      return { original: popular, type: detectTyposquatType(normalized, popularNorm), distance };
+    }
+    if (distance === 2 && popularNorm.length >= 5) {
+      return { original: popular, type: detectTyposquatType(normalized, popularNorm), distance };
+    }
+  }
+  return null;
+}
+module.exports = { scanTyposquatting, levenshteinDistance, clearMetadataCache, findPyPITyposquatMatch, findCratesTyposquatMatch, findTyposquatMatch };