muaddib-scanner 2.11.87 → 2.11.89

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.87",
+  "version": "2.11.89",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.87.json → self-scan-v2.11.89.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-11T07:47:11.727Z",
+  "timestamp": "2026-06-11T08:17:41.614Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/ml/feature-extractor.js

@@ -1090,7 +1090,11 @@ const CASCADE_TYPES = new Set([
   'proxy_data_intercept',         // MUADDIB-AST-043
   'remote_code_load',             // MUADDIB-AST-040
   'obfuscation_detected',         // src/scanner/obfuscation.js
-  'js_obfuscation_pattern'
+  'js_obfuscation_pattern',
+  // FPR audit 2026-06: these two also fire on legitimate minified vendor bundles
+  // (string-rewrite tables, base64 blobs) and were escaping the bundle cap.
+  'string_mutation_obfuscation',
+  'high_entropy_string'
 ]);
 const CASCADE_MIN_TYPES = 3;
 const CASCADE_MIN_FILE_BYTES = 20 * 1024;

package/src/monitor/queue.js

@@ -150,10 +150,14 @@ const BURST_PREALERT_MIN_VERSIONS = (() => {
   const n = parseInt(process.env.MUADDIB_BURST_MIN_VERSIONS, 10);
   return Number.isFinite(n) && n >= 2 ? n : 10;
 })();
-// Dedup burst pings: one per name per process window (bounded — cleared at the cap so it
-// can never grow without limit, CLAUDE.md §2).
-const _burstAlerted = new Set();
+// Burst ping throttle (FPR/notif audit 2026-06): name -> last burst-alert timestamp.
+// Was a lifetime Set (dedup once per process), which both (a) silenced a genuine
+// re-burst days later and (b) on a process that runs for weeks accumulated spam from
+// every monorepo/CI nightly that re-bursts. Now a 24h-cooldown Map: one alert per
+// package per day max. Bounded — cleared at the cap so it can never grow without limit.
+const _burstAlerted = new Map();
 const BURST_ALERTED_MAX = 20_000;
+const BURST_ALERT_COOLDOWN_MS = 24 * 60 * 60 * 1000; // 24h
 
 // Stage 3 — sandbox gate. Static-score threshold below which T1b/T2 packages
 // are NOT sandboxed (static result alone is authoritative). Tightens the prior
@@ -1530,9 +1534,22 @@ async function resolveTarballAndScan(item, stats, dailyAlerts, recentlyScanned,
         const isBurst = burstCount >= BURST_PREALERT_MIN_VERSIONS;
         if (isBurst) {
           item.isBurst = true;
-          if (!_burstAlerted.has(item.name)) {
+          // Anti-flood (notification only — the burst versions are STILL queued and scanned
+          // below regardless; muting the heads-up never weakens detection):
+          //  1) Established packages (mature + many versions) bursting are monorepo / CI
+          //     nightly churn, not the Shai-Hulud account-takeover signal (that is a NEW /
+          //     low-reputation package suddenly bursting). A real takeover of an established
+          //     package is still caught by the per-version scan + the atoSignal above.
+          //  2) 24h cooldown per package so a package re-bursting all day pings at most once.
+          const _np = item._npmInfo || npmInfo || {};
+          const _established = Number.isFinite(_np.age_days) && _np.age_days > 730 &&
+            Number.isFinite(_np.version_count) && _np.version_count > 100;
+          const _now = Date.now();
+          const _last = _burstAlerted.get(item.name);
+          const _onCooldown = _last && (_now - _last) < BURST_ALERT_COOLDOWN_MS;
+          if (!_established && !_onCooldown) {
             if (_burstAlerted.size >= BURST_ALERTED_MAX) _burstAlerted.clear();
-            _burstAlerted.add(item.name);
+            _burstAlerted.set(item.name, _now);
             stats.burstPreAlerts = (stats.burstPreAlerts || 0) + 1;
             console.log(`[MONITOR] BURST PRE-ALERT: ${item.name} — ${burstCount} versions in the recent window`);
             sendBurstPreAlert(item.name, burstCount, item.ecosystem).catch(err => {

package/src/rules/index.js

@@ -3348,7 +3348,7 @@ const RULES = {
   trusted_new_dependency: {
     id: 'MUADDIB-TRUSTED-002',
     name: 'Trusted Package Added New Dependency',
-    severity: 'HIGH',
+    severity: 'MEDIUM',
     confidence: 'medium',
     domain: 'malware',
     description: 'Un package TRUSTED (>50k downloads/semaine) a ajoute une nouvelle dependance connue (>7 jours) dans un bump de version — changement de surface d\'attaque a verifier.',

package/src/scanner/trusted-dep-diff.js

@@ -154,7 +154,12 @@ async function checkDepDiff(name, newVersion) {
         const ageDays = Math.floor(ageMs / 86400000);
         findings.push({
           type: 'trusted_new_dependency',
-          severity: 'HIGH',
+          // FPR audit 2026-06: a trusted package adding an ESTABLISHED (>=7d) dependency
+          // is an audit/surface-change signal ("a verifier"), not malice — it produced
+          // ~169 FPs. Downgraded HIGH->MEDIUM so it no longer alone meets the tier-1b
+          // corroboration bar. The real account-takeover case (new/unknown dep <7d) is
+          // the separate CRITICAL `trusted_new_unknown_dependency` (HC type) and is intact.
+          severity: 'MEDIUM',
           confidence: 'medium',
           file: 'package.json',
           message: `TRUSTED package ${name} added new dependency ${dep} (age: ${ageDays}d) in version ${prevVersion} → ${newVersion}`,