muaddib-scanner 2.11.87 → 2.11.88

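--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "muaddib-scanner",
-"version": "2.11.87",
+"version": "2.11.88",
 "description": "Supply-chain threat detection & response for npm & PyPI/Python",
 "main": "src/index.js",
 "bin": {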
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "target": "node_modules",
3
- "timestamp": "2026-06-11T07:47:11.727Z",
3
+ "timestamp": "2026-06-11T08:02:35.162Z",
4
4
  "threats": [
5
5
  {
6
6
  "type": "string_mutation_obfuscation",
@@ -1090,7 +1090,11 @@ const CASCADE_TYPES = new Set([
1090
1090
  'proxy_data_intercept', // MUADDIB-AST-043
1091
1091
  'remote_code_load', // MUADDIB-AST-040
1092
1092
  'obfuscation_detected', // src/scanner/obfuscation.js
1093
- 'js_obfuscation_pattern'
1093
+ 'js_obfuscation_pattern',
1094
+ // FPR audit 2026-06: these two also fire on legitimate minified vendor bundles
1095
+ // (string-rewrite tables, base64 blobs) and were escaping the bundle cap.
1096
+ 'string_mutation_obfuscation',
1097
+ 'high_entropy_string'
1094
1098
  ]);
1095
1099
  const CASCADE_MIN_TYPES = 3;
1096
1100
  const CASCADE_MIN_FILE_BYTES = 20 * 1024;
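Review bot: Adding `string_mutation_obfuscation` and `high_entropy_string` to CASCADE_TYPES makes the bundle cap cover exactly the signals a payload hidden inside a large minified file produces, so an attacker who pads a malicious module past CASCADE_MIN_FILE_BYTES (20 KiB) and trips CASCADE_MIN_TYPES of these types now gets the obfuscation findings folded in with the vendor-bundle noise. What the cap does with the folded findings is not visible in this hunk; if it drops them rather than merging them, consider emitting one aggregated per-file finding (for example an `obfuscated_bundle` at MEDIUM) so a capped file still surfaces for triage, and gating the cap on a vendor-bundle heuristic such as a `.min.js` name, a `dist/` or `vendor/` path, or an adjacent sourcemap rather than on size alone. The earlier entries name the rule id or source file that emits them (`// MUADDIB-AST-040`, `// src/scanner/obfuscation.js`); the two new entries should carry the same pointer. The `CASCADE_TYPES` declaration opens in the hunk's header context, before the first line shown.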
@@ -3348,7 +3348,7 @@ const RULES = {
3348
3348
  trusted_new_dependency: {
3349
3349
  id: 'MUADDIB-TRUSTED-002',
3350
3350
  name: 'Trusted Package Added New Dependency',
3351
- severity: 'HIGH',
3351
+ severity: 'MEDIUM',
3352
3352
  confidence: 'medium',
3353
3353
  domain: 'malware',
3354
3354
  description: 'Un package TRUSTED (>50k downloads/semaine) a ajoute une nouvelle dependance connue (>7 jours) dans un bump de version — changement de surface d\'attaque a verifier.',
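Review bot: The severity on this rule entry and the one hard-coded into the finding emitted by `checkDepDiff` are now being edited in lockstep by hand, which is how the two drift apart on the next FPR pass; if `RULES` is reachable from the emitting site, having it read `RULES.trusted_new_dependency.severity` would keep this entry the single source of truth. The description still says the dependency is `connue (>7 jours)` while the new comment at the emitting site says `ESTABLISHED (>=7d)`; confirm which boundary the age check actually uses and align the wording. The `RULES` object and the `trusted_new_dependency` entry both extend beyond this hunk.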
@@ -154,7 +154,12 @@ async function checkDepDiff(name, newVersion) {
154
154
  const ageDays = Math.floor(ageMs / 86400000);
155
155
  findings.push({
156
156
  type: 'trusted_new_dependency',
157
- severity: 'HIGH',
157
+ // FPR audit 2026-06: a trusted package adding an ESTABLISHED (>=7d) dependency
158
+ // is an audit/surface-change signal ("a verifier"), not malice — it produced
159
+ // ~169 FPs. Downgraded HIGH->MEDIUM so it no longer alone meets the tier-1b
160
+ // corroboration bar. The real account-takeover case (new/unknown dep <7d) is
161
+ // the separate CRITICAL `trusted_new_unknown_dependency` (HC type) and is intact.
162
+ severity: 'MEDIUM',
158
163
  confidence: 'medium',
159
164
  file: 'package.json',
160
165
  message: `TRUSTED package ${name} added new dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,
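Review bot: The downgrade rests on the new comment's assumption that a dependency older than 7 days is not the account-takeover vector, but that age gate is trivially satisfied by staging: publish an innocuous package, wait a week, then add it from the compromised maintainer account, and the only signal left is this MEDIUM finding with `confidence: 'medium'`. If the dependency's own weekly downloads or dependent count is available where `ageDays` is computed (not visible in this hunk), consider keeping HIGH when the dep is old but has negligible adoption, and say so in the comment so the next audit does not widen the gap further. The five-line rationale inside the object literal would read better as a one-line pointer (e.g. `// severity rationale: see MUADDIB-TRUSTED-002 / FPR audit 2026-06`) with the full history on the rule definition or in the changelog, and the severity itself should ideally come from that rule entry rather than a second literal. `checkDepDiff` starts before and continues past this hunk.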