npm - muaddib-scanner - Versions diffs - 2.11.92 → 2.11.93 - Mend

muaddib-scanner 2.11.92 → 2.11.93

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +1 -1
package/{self-scan-v2.11.92.json → self-scan-v2.11.93.json} +1 -1
package/src/scanner/ast-detectors/handle-call-expression.js +42 -2
package/src/scanner/ast-detectors/handle-post-walk.js +13 -0
package/src/scanner/ast-detectors/mcp-write-classifier.js +71 -0
package/src/scanner/ast.js +4 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.92",
+  "version": "2.11.93",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.92.json → self-scan-v2.11.93.json} RENAMED Viewed

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-11T11:05:03.615Z",
+  "timestamp": "2026-06-11T11:25:31.537Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/scanner/ast-detectors/handle-call-expression.js CHANGED Viewed

@@ -49,6 +49,31 @@ const {
   containsDecodePattern,
   resolveNumericExpression
 } = require('./helpers.js');
+const { countInvisibleUnicode } = require('../../shared/unicode-invisibles.js');
+const { classifyMcpWrite } = require('./mcp-write-classifier.js');
+const { isShadowEnabled, recordShadowDivergence } = require('../../shared/shadow.js');
+/**
+ * SHADOW 3-tier classification for mcp_config_injection emissions (R5 + R5b).
+ * Computes the candidate class (template / shell_exec / instruction_injection)
+ * and logs a divergence ONLY when the candidate semantics would downgrade the
+ * verdict (template → MEDIUM). Zero effect on the threat emitted by the caller
+ * — the live severity stays CRITICAL until the shadow data adjudicates the flip.
+ * The package identity is not available at AST level; evidence carries the file.
+ */
+function _shadowClassifyMcpWrite(contentStr, checkPath, rule, ctx) {
+  try {
+    if (!isShadowEnabled()) return;
+    const { cls, signals } = classifyMcpWrite(contentStr, checkPath);
+    if (cls !== 'template') return; // shell_exec / instruction_injection keep CRITICAL — no divergence
+    recordShadowDivergence({
+      detector: 'mcp_config_injection_3tier',
+      oldVerdict: 'CRITICAL',
+      newVerdict: 'MEDIUM',
+      evidence: { cls, signals, path: checkPath, rule, file: ctx.relFile }
+    });
+  } catch { /* shadow must never affect the scan */ }
+}
 /**
  * Detect whether an AST node points at a user-level filesystem location:
@@ -756,6 +781,10 @@ function handleCallExpression(node, ctx) {
           ? MCP_CONTENT_PATTERNS.some(p => contentStr.includes(p.replace(/"/g, '')))
           : isSensitiveConfigFile; // dynamic content only suspicious for known config files
         if (hasContentPattern) {
+          // SHADOW 3-tier classification (zero effect on the emitted severity):
+          // template-class writes are the scaffolder FP under adjudication —
+          // log the would-be CRITICAL→MEDIUM divergence for `shadow-report`.
+          _shadowClassifyMcpWrite(contentStr, mcpCheckPath, 'R5', ctx);
           ctx.threats.push({
             type: 'mcp_config_injection',
             severity: 'CRITICAL',
@@ -780,11 +809,20 @@ function handleCallExpression(node, ctx) {
           const contentStr2 = extractStringValue(contentArg2);
           const hasShellContent = !!contentStr2 && /(?:curl|wget)\s+[^\n]*\|\s*(?:sh|bash|zsh)\b|\beval\s*\(|\bsh\s+-c\s+|\bbash\s+-c\s+|\bnode\s+-e\s+/i.test(contentStr2);
           const hasInjectionInstruction = !!contentStr2 && /IMPORTANT[:\s]+(?:before|after|run|execute)|do\s+not\s+(?:display|show|mention)|always\s+run/i.test(contentStr2);
-          if (hasUserLevelPath || hasShellContent || hasInjectionInstruction) {
+          // 3d (additive, v2.11.91): zero-width/bidi Unicode in the written
+          // content — the TrapDoor hidden-instruction encoding (Socket,
+          // 2026-05-25: instructions invisible in an editor, word-broken so
+          // the 3b/3c plain-text regexes can't match). A legitimate generator
+          // never emits invisible codepoints into a rules file. Strictly
+          // additive: can only ADD detections to the 3a/3b/3c OR.
+          const hasInvisibleContent = !!contentStr2 && countInvisibleUnicode(contentStr2) > 0;
+          if (hasUserLevelPath || hasShellContent || hasInjectionInstruction || hasInvisibleContent) {
             const reasons = [];
             if (hasUserLevelPath) reasons.push('user-level destination (homedir/cwd/env.HOME)');
             if (hasShellContent) reasons.push('shell command in content');
             if (hasInjectionInstruction) reasons.push('AI prompt-injection instruction in content');
+            if (hasInvisibleContent) reasons.push('zero-width/bidi Unicode in content (hidden-instruction encoding)');
+            _shadowClassifyMcpWrite(contentStr2, mcpCheckPath, 'R5b', ctx);
             ctx.threats.push({
               type: 'mcp_config_injection',
               severity: 'CRITICAL',
@@ -2047,4 +2085,6 @@ function handleCallExpression(node, ctx) {
 }
-module.exports = { handleCallExpression };
+// _shadowClassifyMcpWrite is shared with handle-post-walk.js (the Wave-4
+// keyword-co-occurrence emitter — the third mcp_config_injection site).
+module.exports = { handleCallExpression, _shadowClassifyMcpWrite };

package/src/scanner/ast-detectors/handle-post-walk.js CHANGED Viewed

@@ -274,6 +274,19 @@ function handlePostWalk(ctx) {
   // Wave 4: MCP content keywords in file with writeFileSync = MCP injection signal
   if (ctx.hasMcpContentKeywords && !ctx.threats.some(t => t.type === 'mcp_config_injection')) {
+    // SHADOW 3-tier classification (zero effect on the emitted severity). The
+    // 2026-06-11 backtest showed this keyword-co-occurrence rule emits ~85% of
+    // historical mcp_config_injection alerts (100/118 packages) — every
+    // legitimate MCP server installer carries mcpServers keywords + writes —
+    // so the adjudication MUST cover this site, not just R5/R5b. The classifier
+    // runs on the FILE source (the written content is not extractable here):
+    // a file whose code carries shell-exec or hidden-instruction markers keeps
+    // CRITICAL silently; an inert config-writer logs the CRITICAL→MEDIUM
+    // candidate divergence, tagged rule:'W4' so the report splits it out.
+    try {
+      const { _shadowClassifyMcpWrite } = require('./handle-call-expression.js');
+      _shadowClassifyMcpWrite(typeof ctx._content === 'string' ? ctx._content : null, '(file-level keyword co-occurrence)', 'W4', ctx);
+    } catch { /* shadow must never affect the scan */ }
     ctx.threats.push({
       type: 'mcp_config_injection',
       severity: 'CRITICAL',

package/src/scanner/ast-detectors/mcp-write-classifier.js ADDED Viewed

@@ -0,0 +1,71 @@
+'use strict';
+/**
+ * mcp-write-classifier.js — pure 3-tier classifier for mcp_config_injection
+ * candidates (SHADOW adjudication + the future severity flip).
+ *
+ * Empirical classes (web research 2026-06-11, calibrated on real campaigns):
+ *   (a) template              — write with inert content: the scaffolder shape
+ *       (ruler, rulesync, cursor-rules, cursor-tools all legitimately write
+ *       .cursorrules/CLAUDE.md/AGENTS.md). Candidate MEDIUM after adjudication.
+ *   (b) shell_exec            — content carries a shell command or an
+ *       agent-hook exec (SafeDep campaign, 2026-05-13: .claude/settings.json
+ *       SessionStart hook → ELF). Stays CRITICAL.
+ *   (c) instruction_injection — content carries hidden instructions: zero-
+ *       width/bidi Unicode (TrapDoor encoding — Socket 2026-05-25; GitHub
+ *       flags the same) or agent-addressed directives ("do not tell the
+ *       user…"). Stays CRITICAL.
+ *
+ * The classifier is PURE (no I/O, no ctx) so it is unit-testable per class and
+ * is exactly what gets promoted when the flip lands. Until then it feeds the
+ * shadow log: oldVerdict CRITICAL vs newVerdict (template→MEDIUM).
+ *
+ * Honest default: content that cannot be extracted statically classifies as
+ * `template` with signal `dynamic_content` — we don't know, so the shadow
+ * numbers must not pretend we do. (The live R5/R5b severity is unaffected
+ * either way — this module emits no threats.)
+ */
+const { countInvisibleUnicode } = require('../../shared/unicode-invisibles.js');
+// (c) — agent-addressed directives. Superset of the live R5b 3c regex
+// (IMPORTANT/do-not-display/always-run) with the additions calibrated on the
+// Rules-File-Backdoor / Mini-Shai-Hulud wording. Word-boundaried enough not to
+// match benign docs ("important: run tests before committing" matches — by
+// design, that wording addressed to an agent IS the attack shape; the
+// difference is made by the write target, which the caller already gated on).
+const INJECTION_DIRECTIVE_RE = /IMPORTANT[:\s]+(?:before|after|run|execute)|do\s+not\s+(?:display|show|mention|tell)|never\s+(?:mention|reveal|disclose)|hide\s+this\s+from|always\s+run/i;
+// (b) — shell command in content. Same expression as the live R5b 3b gate.
+const SHELL_CONTENT_RE = /(?:curl|wget)\s+[^\n]*\|\s*(?:sh|bash|zsh)\b|\beval\s*\(|\bsh\s+-c\s+|\bbash\s+-c\s+|\bnode\s+-e\s+/i;
+// (b) — agent-hook exec in JSON content: a "hooks" structure carrying a
+// "command" (the SafeDep .claude/settings.json SessionStart shape). Order-
+// insensitive containment — the content is config the attacker controls, a
+// strict JSON parse would be evadable with trailing garbage.
+const HOOKS_COMMAND_RE = /"hooks"[\s\S]{0,400}"command"|"command"[\s\S]{0,400}"hooks"/;
+/**
+ * @param {string|null|undefined} contentStr statically-extracted write content
+ *        (null/undefined = dynamic, not extractable)
+ * @param {string} [checkPath] lowercased destination path (reserved for future
+ *        signals; not used for class decision today)
+ * @returns {{cls: 'template'|'shell_exec'|'instruction_injection', signals: string[]}}
+ */
+function classifyMcpWrite(contentStr, checkPath) { // eslint-disable-line no-unused-vars
+  if (contentStr === null || contentStr === undefined || typeof contentStr !== 'string') {
+    return { cls: 'template', signals: ['dynamic_content'] };
+  }
+  const signals = [];
+  if (countInvisibleUnicode(contentStr) > 0) signals.push('zero_width_unicode');
+  if (INJECTION_DIRECTIVE_RE.test(contentStr)) signals.push('injection_directive');
+  if (signals.length > 0) return { cls: 'instruction_injection', signals };
+  if (SHELL_CONTENT_RE.test(contentStr)) signals.push('shell_command');
+  if (HOOKS_COMMAND_RE.test(contentStr)) signals.push('hooks_command_json');
+  if (signals.length > 0) return { cls: 'shell_exec', signals };
+  return { cls: 'template', signals: [] };
+}
+module.exports = { classifyMcpWrite, INJECTION_DIRECTIVE_RE, SHELL_CONTENT_RE, HOOKS_COMMAND_RE };

package/src/scanner/ast.js CHANGED Viewed

@@ -111,6 +111,10 @@ function analyzeFile(content, filePath, basePath) {
   const ctx = {
     threats,
     relFile: path.relative(basePath, filePath),
+    // File source reference for the post-walk shadow classifier (Wave-4 MCP
+    // site has no extractable written-content string — it classifies the file).
+    // A reference to the already-held string: no copy, freed with the ctx.
+    _content: content,
     dynamicRequireVars: new Set(),
     staticAssignments: new Set(),
     // v2.10.73 P2: AST-006 source qualification — tracks WHERE a variable's value came from.