npm - muaddib-scanner - Versions diffs - 2.11.89 → 2.11.90 - Mend

muaddib-scanner 2.11.89 → 2.11.90

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/{self-scan-v2.11.89.json → self-scan-v2.11.90.json} +1 -1
package/src/scanner/npm-registry.js +4 -0
package/src/scoring.js +33 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.89",
+  "version": "2.11.90",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.89.json → self-scan-v2.11.90.json} RENAMED Viewed

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-11T08:17:41.614Z",
+  "timestamp": "2026-06-11T08:32:51.994Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/scanner/npm-registry.js CHANGED Viewed

@@ -217,6 +217,10 @@ async function getPackageMetadata(packageName) {
     // / pinned-old / vendored versions bypass the cap so we don't mask attacks
     // captured in static fixtures (e.g. eslint-scope 3.7.2, chalk 5.6.1).
     latest_version: latestVersion || null,
+    // P4 : full dist-tags map ({ latest, next, canary, ... }) so scoring can tell a
+    // maintainer-controlled pre-release channel version (inherits partial reputation)
+    // from a historical / pinned-old version (no reputation).
+    dist_tags: (meta['dist-tags'] && typeof meta['dist-tags'] === 'object') ? meta['dist-tags'] : null,
     // F3 : list of maintainer email addresses (lowercased, unique) for DNS
     // MX / RDAP downstream checks. Empty array if no emails published.
     maintainer_emails: maintainerEmails,

package/src/scoring.js CHANGED Viewed

@@ -1874,6 +1874,23 @@ function _hasMaliceSignal(threats) {
   return threats.some(t => t.severity === 'HIGH' || t.severity === 'CRITICAL');
 }
+// P4 (pre-release reputation): known maintainer-controlled pre-release dist-tag names.
+const _PRERELEASE_TAG_RE = /^(next|canary|nightly|rc|beta|alpha|dev|experimental|preview|snapshot|edge|insider|insiders)$/i;
+// True when the scanned version is published on a NON-latest pre-release dist-tag
+// (e.g. dist-tags = { latest: "3.19.1", next: "3.19.0-nightly-..." } and we scan the
+// nightly). Maintainer-controlled, so an attacker cannot put a payload on `next`
+// without the account — and Track R still floors confirmed malice regardless.
+function _isPrereleaseChannelVersion(metadata) {
+  const dt = metadata && metadata.dist_tags;
+  const sv = metadata && metadata.scan_version;
+  if (!dt || typeof dt !== 'object' || typeof sv !== 'string') return false;
+  for (const [tag, ver] of Object.entries(dt)) {
+    if (ver === sv && tag !== 'latest' && _PRERELEASE_TAG_RE.test(tag)) return true;
+  }
+  return false;
+}
 function applyReputationFactor(result, metadata) {
   if (!result || !result.summary || !metadata) return null;
   // FPR plan : the reputation factor describes "how trustworthy this package
@@ -1884,12 +1901,21 @@ function applyReputationFactor(result, metadata) {
   // scan version is unknown (CLI scanning a directory without version field),
   // we fail open : skip the factor entirely rather than apply a multiplier
   // we cannot situate in time.
+  // P4 (pre-release reputation): a canary/nightly/rc of an established package is a NEW
+  // (not historical) version on a maintainer-controlled pre-release dist-tag, so it should
+  // inherit the package's reputation — but only PARTIALLY (it is not the verified latest).
+  // Any OTHER non-latest version (historical / pinned-old / vendored) keeps the full skip.
+  let _prereleaseAttenuation = 1.0;
   if (
     typeof metadata.latest_version === 'string' &&
     typeof metadata.scan_version === 'string' &&
     metadata.latest_version !== metadata.scan_version
   ) {
-    return null;
+    if (_isPrereleaseChannelVersion(metadata)) {
+      _prereleaseAttenuation = 0.85;
+    } else {
+      return null;
+    }
   }
   if (
     typeof metadata.latest_version === 'string' &&
@@ -1900,9 +1926,14 @@ function applyReputationFactor(result, metadata) {
   // P3 hardening: a valid attestation must NOT earn a trust bonus on a package that
   // also shows malice (TeamPCP attested-malware scenario). Withhold it here, where
   // the threat list is available.
-  const factor = _factorFromMetadata(metadata, {
+  let factor = _factorFromMetadata(metadata, {
     allowProvenanceBonus: !_hasMaliceSignal(result.threats)
   });
+  // P4: blend the factor toward neutral (1.0) for pre-release channel versions — they
+  // get most of the reputation suppression but not 100% (they are not the verified latest).
+  if (_prereleaseAttenuation !== 1.0) {
+    factor = 1.0 + (factor - 1.0) * _prereleaseAttenuation;
+  }
   if (factor === 1.0) {
     result.summary.reputationFactor = 1.0;
     return null;