muaddib-scanner 2.2.11 → 2.2.14

package/src/response/playbooks.js

@@ -328,6 +328,16 @@ const PLAYBOOKS = {
     'CRITIQUE: eval() ou Function() recoit un argument decode en base64 (atob/Buffer.from). ' +
     'Technique de staged payload: le code malveillant est encode puis decode et execute dynamiquement. ' +
     'Isoler la machine. Decoder le payload manuellement pour analyser le code execute. Supprimer le package.',
+
+  crypto_decipher:
+    'crypto.createDecipher/createDecipheriv detecte. Dechiffrement de payload embarque a runtime. ' +
+    'Pattern canonique de l\'attaque event-stream/flatmap-stream. Extraire et decoder le payload manuellement ' +
+    'pour analyser le code execute. Verifier la source des donnees chiffrees.',
+
+  module_compile:
+    'CRITIQUE: module._compile() detecte. Cette API Node.js interne execute du code arbitraire ' +
+    'a partir d\'une chaine dans le contexte d\'un module. Utilisee dans flatmap-stream pour executer ' +
+    'un payload dechiffre sans ecrire sur disque. Isoler immediatement. Analyser la source de la chaine compilee.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -649,6 +649,32 @@ const RULES = {
     mitre: 'T1565.001'
   },
 
+  crypto_decipher: {
+    id: 'MUADDIB-AST-022',
+    name: 'Encrypted Payload Decryption',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'crypto.createDecipher/createDecipheriv detecte. Dechiffrement runtime de payload embarque. Pattern canonique de flatmap-stream/event-stream.',
+    references: [
+      'https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/',
+      'https://attack.mitre.org/techniques/T1140/'
+    ],
+    mitre: 'T1140'
+  },
+
+  module_compile: {
+    id: 'MUADDIB-AST-023',
+    name: 'Module Compile Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'module._compile() detecte. Execution de code arbitraire a partir d\'une chaine dans le contexte module. Technique cle de flatmap-stream.',
+    references: [
+      'https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident',
+      'https://attack.mitre.org/techniques/T1059/007/'
+    ],
+    mitre: 'T1059'
+  },
+
   ai_agent_abuse: {
     id: 'MUADDIB-AST-013',
     name: 'AI Agent Weaponization',

package/src/scanner/ast.js

@@ -2,9 +2,9 @@ const fs = require('fs');
 const path = require('path');
 const acorn = require('acorn');
 const walk = require('acorn-walk');
-const { isDevFile, findJsFiles, getCallName } = require('../utils.js');
-
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+const { getCallName } = require('../utils.js');
+const { ACORN_OPTIONS } = require('../shared/constants.js');
+const { analyzeWithDeobfuscation } = require('../shared/analyze-helper.js');
 
 const EXCLUDED_FILES = [
   'src/scanner/ast.js',
@@ -99,55 +99,10 @@ const SANDBOX_INDICATORS = [
 ];
 
 async function analyzeAST(targetPath, options = {}) {
-  const threats = [];
-  const files = findJsFiles(targetPath);
-
-  for (const file of files) {
-    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
-
-    if (EXCLUDED_FILES.includes(relativePath)) {
-      continue;
-    }
-
-    // Ignore files in dev folders
-    if (isDevFile(relativePath)) {
-      continue;
-    }
-
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch { continue; }
-
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue;
-    }
-
-    // Analyze original code first (preserves obfuscation-detection rules)
-    const fileThreats = analyzeFile(content, file, targetPath);
-    threats.push(...fileThreats);
-
-    // Also analyze deobfuscated code for additional findings hidden by obfuscation
-    if (typeof options.deobfuscate === 'function') {
-      try {
-        const result = options.deobfuscate(content);
-        if (result.transforms.length > 0) {
-          const deobThreats = analyzeFile(result.code, file, targetPath);
-          const existingKeys = new Set(fileThreats.map(t => `${t.type}::${t.message}`));
-          for (const dt of deobThreats) {
-            if (!existingKeys.has(`${dt.type}::${dt.message}`)) {
-              threats.push(dt);
-            }
-          }
-        }
-      } catch { /* deobfuscation failed — skip */ }
-    }
-  }
-
-  return threats;
+  return analyzeWithDeobfuscation(targetPath, analyzeFile, {
+    deobfuscate: options.deobfuscate,
+    excludedFiles: EXCLUDED_FILES
+  });
 }
 
 
@@ -215,11 +170,7 @@ function analyzeFile(content, filePath, basePath) {
   let ast;
 
   try {
-    ast = acorn.parse(content, { 
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true
-    });
+    ast = acorn.parse(content, ACORN_OPTIONS);
   } catch {
     // AST parse failed — apply regex fallback for known dangerous patterns
 
@@ -254,6 +205,8 @@ function analyzeFile(content, filePath, basePath) {
   const workflowPathVars = new Set();
   // Track variables assigned temp/executable file paths
   const execPathVars = new Map();
+  // Track variables that alias globalThis/global (e.g. const g = globalThis)
+  const globalThisAliases = new Set();
 
   /**
    * Extract string value from a node if it's a Literal or TemplateLiteral with no expressions.
@@ -308,6 +261,13 @@ function analyzeFile(content, filePath, basePath) {
           execPathVars.set(node.id.name, strVal);
         }
 
+        // Track variables that alias globalThis or global (e.g. const g = globalThis)
+        if (node.init?.type === 'Identifier' &&
+            (node.init.name === 'globalThis' || node.init.name === 'global' ||
+             node.init.name === 'window' || node.init.name === 'self')) {
+          globalThisAliases.add(node.id.name);
+        }
+
         // Track variables assigned from path.join containing .github/workflows
         if (node.init?.type === 'CallExpression' && node.init.callee?.type === 'MemberExpression') {
           const obj = node.init.callee.object;
@@ -719,6 +679,92 @@ function analyzeFile(content, filePath, basePath) {
           });
         }
       }
+
+      // Detect indirect eval/Function via computed property: obj['eval'](code), g['Function'](code)
+      // Bypasses getCallName() which only reads .property.name (Identifier), not Literal values
+      if (node.callee.type === 'MemberExpression' && node.callee.computed) {
+        const prop = node.callee.property;
+        if (prop.type === 'Literal' && typeof prop.value === 'string') {
+          if (prop.value === 'eval') {
+            hasEvalInFile = true;
+            threats.push({
+              type: 'dangerous_call_eval',
+              severity: 'HIGH',
+              message: 'Indirect eval via computed property access (obj["eval"]) — evasion technique.',
+              file: path.relative(basePath, filePath)
+            });
+          } else if (prop.value === 'Function') {
+            threats.push({
+              type: 'dangerous_call_function',
+              severity: 'MEDIUM',
+              message: 'Indirect Function via computed property access (obj["Function"]) — evasion technique.',
+              file: path.relative(basePath, filePath)
+            });
+          }
+        }
+        // Detect computed call on globalThis/global alias with variable property: g[k]()
+        // where g = globalThis and k is a variable (not a literal) — dynamic global dispatch
+        const obj = node.callee.object;
+        if (prop.type === 'Identifier' && obj?.type === 'Identifier' &&
+            (globalThisAliases.has(obj.name) || obj.name === 'globalThis' || obj.name === 'global')) {
+          hasEvalInFile = true;
+          threats.push({
+            type: 'dangerous_call_eval',
+            severity: 'HIGH',
+            message: `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
+            file: path.relative(basePath, filePath)
+          });
+        }
+      }
+
+      // Detect indirect eval/Function via sequence expression: (0, eval)(code), (0, Function)(code)
+      // Comma operator returns last expression, so (0, eval) === eval but avoids Identifier callee
+      if (node.callee.type === 'SequenceExpression') {
+        const exprs = node.callee.expressions;
+        const last = exprs[exprs.length - 1];
+        if (last && last.type === 'Identifier') {
+          if (last.name === 'eval') {
+            hasEvalInFile = true;
+            threats.push({
+              type: 'dangerous_call_eval',
+              severity: 'HIGH',
+              message: 'Indirect eval via sequence expression ((0, eval)) — evasion technique.',
+              file: path.relative(basePath, filePath)
+            });
+          } else if (last.name === 'Function') {
+            threats.push({
+              type: 'dangerous_call_function',
+              severity: 'MEDIUM',
+              message: 'Indirect Function via sequence expression ((0, Function)) — evasion technique.',
+              file: path.relative(basePath, filePath)
+            });
+          }
+        }
+      }
+
+      // Detect crypto.createDecipher/createDecipheriv — encrypted payload pattern (flatmap-stream)
+      // Also detect module._compile — in-memory code execution
+      if (node.callee.type === 'MemberExpression') {
+        const prop = node.callee.property;
+        const propName = prop.type === 'Identifier' ? prop.name :
+                         (prop.type === 'Literal' ? prop.value : null);
+        if (propName === 'createDecipher' || propName === 'createDecipheriv') {
+          threats.push({
+            type: 'crypto_decipher',
+            severity: 'HIGH',
+            message: `${propName}() detected — runtime decryption of embedded payload (event-stream/flatmap-stream pattern).`,
+            file: path.relative(basePath, filePath)
+          });
+        }
+        if (propName === '_compile') {
+          threats.push({
+            type: 'module_compile',
+            severity: 'CRITICAL',
+            message: 'module._compile() detected — executes arbitrary code from string in module context (flatmap-stream pattern).',
+            file: path.relative(basePath, filePath)
+          });
+        }
+      }
     },
 
     ImportExpression(node) {

package/src/scanner/dataflow.js

@@ -2,61 +2,14 @@ const fs = require('fs');
 const path = require('path');
 const acorn = require('acorn');
 const walk = require('acorn-walk');
-const { isDevFile, findJsFiles, getCallName } = require('../utils.js');
-
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+const { getCallName } = require('../utils.js');
+const { ACORN_OPTIONS } = require('../shared/constants.js');
+const { analyzeWithDeobfuscation } = require('../shared/analyze-helper.js');
 
 async function analyzeDataFlow(targetPath, options = {}) {
-  const threats = [];
-  const files = findJsFiles(targetPath);
-
-  for (const file of files) {
-    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
-
-    if (isDevFile(relativePath)) {
-      continue;
-    }
-
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch { continue; }
-
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue;
-    }
-
-    // Respect // muaddib-ignore directive in first 5 lines (like eslint-disable)
-    const headerLines = content.slice(0, 1024).split('\n').slice(0, 5);
-    if (headerLines.some(line => line.includes('muaddib-ignore'))) {
-      continue;
-    }
-
-    // Analyze original code first (preserves obfuscation-detection rules)
-    const fileThreats = analyzeFile(content, file, targetPath);
-    threats.push(...fileThreats);
-
-    // Also analyze deobfuscated code for additional findings hidden by obfuscation
-    if (typeof options.deobfuscate === 'function') {
-      try {
-        const result = options.deobfuscate(content);
-        if (result.transforms.length > 0) {
-          const deobThreats = analyzeFile(result.code, file, targetPath);
-          const existingKeys = new Set(fileThreats.map(t => `${t.type}::${t.message}`));
-          for (const dt of deobThreats) {
-            if (!existingKeys.has(`${dt.type}::${dt.message}`)) {
-              threats.push(dt);
-            }
-          }
-        }
-      } catch { /* deobfuscation failed — skip */ }
-    }
-  }
-
-  return threats;
+  return analyzeWithDeobfuscation(targetPath, analyzeFile, {
+    deobfuscate: options.deobfuscate
+  });
 }
 
 function analyzeFile(content, filePath, basePath) {
@@ -64,12 +17,7 @@ function analyzeFile(content, filePath, basePath) {
   let ast;
 
   try {
-    ast = acorn.parse(content, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      locations: true
-    });
+    ast = acorn.parse(content, { ...ACORN_OPTIONS, locations: true });
   } catch {
     return threats;
   }
@@ -95,7 +43,10 @@ function analyzeFile(content, filePath, basePath) {
           const prop = node.init.callee.property;
           if (obj?.type === 'Identifier' && obj.name === 'path' &&
               prop?.type === 'Identifier' && (prop.name === 'join' || prop.name === 'resolve')) {
-            if (node.init.arguments.some(a => a.type === 'Identifier' && sensitivePathVars.has(a.name))) {
+            if (node.init.arguments.some(a =>
+              (a.type === 'Identifier' && sensitivePathVars.has(a.name)) ||
+              (a.type === 'MemberExpression' && a.object?.type === 'Identifier' && sensitivePathVars.has(a.object.name))
+            )) {
               sensitivePathVars.add(node.id.name);
             }
           }
@@ -241,6 +192,17 @@ function analyzeFile(content, filePath, basePath) {
           });
         }
       }
+
+      // Detect property access to secret key material
+      const propName = node.property?.type === 'Identifier' ? node.property.name :
+                       (node.property?.type === 'Literal' ? node.property.value : null);
+      if (propName && ['secretKey', '_secretKey', 'privateKey', '_privateKey', 'mnemonic', 'seedPhrase'].includes(propName)) {
+        sources.push({
+          type: 'credential_read',
+          name: propName,
+          line: node.loc?.start?.line
+        });
+      }
     }
   });
 
@@ -300,7 +262,8 @@ const SENSITIVE_PATH_PATTERNS = [
   '.ethereum', '.electrum', '.config/solana', '.exodus',
   '.atomic', '.metamask', '.ledger-live', '.trezor',
   '.bitcoin', '.monero', '.gnupg',
-  '_cacache', '.cache/yarn', '.cache/pip'
+  '_cacache', '.cache/yarn', '.cache/pip',
+  'discord', 'leveldb'
 ];
 
 function isSensitivePath(val) {
@@ -327,6 +290,9 @@ function containsSensitiveLiteral(node) {
   if (node.type === 'CallExpression' && node.arguments) {
     return node.arguments.some(a => containsSensitiveLiteral(a));
   }
+  if (node.type === 'ObjectExpression' && node.properties) {
+    return node.properties.some(p => p.value && containsSensitiveLiteral(p.value));
+  }
   return false;
 }
 
@@ -346,6 +312,11 @@ function isCredentialPath(arg, sensitivePathVars) {
   if (arg.type === 'Identifier' && sensitivePathVars && sensitivePathVars.has(arg.name)) {
     return true;
   }
+  // Handle property access on tracked objects: _0x.a where _0x is tracked as sensitive
+  if (arg.type === 'MemberExpression' && arg.object?.type === 'Identifier' &&
+      sensitivePathVars && sensitivePathVars.has(arg.object.name)) {
+    return true;
+  }
   // Handle path.join(dir, '.npmrc') or path.join(sshDir, 'id_rsa') where sshDir is tracked
   if (arg.type === 'CallExpression' && arg.callee.type === 'MemberExpression') {
     const obj = arg.callee.object;

package/src/scanner/deobfuscate.js

@@ -2,6 +2,7 @@
 
 const acorn = require('acorn');
 const walk = require('acorn-walk');
+const { ACORN_OPTIONS } = require('../shared/constants.js');
 
 /**
  * Lightweight static deobfuscation pre-processor.
@@ -16,12 +17,7 @@ function deobfuscate(sourceCode) {
   // Parse AST — if parsing fails, return source unchanged (fail-safe)
   let ast;
   try {
-    ast = acorn.parse(sourceCode, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      ranges: true
-    });
+    ast = acorn.parse(sourceCode, { ...ACORN_OPTIONS, ranges: true });
   } catch {
     return { code: sourceCode, transforms };
   }
@@ -97,6 +93,26 @@ function deobfuscate(sourceCode) {
         return;
       }
 
+      // Buffer.from('...', 'hex').toString() → decoded string
+      if (isBufferHexToString(node)) {
+        const hexStr = extractBufferHexArg(node);
+        if (hexStr === null) return;
+        try {
+          const decoded = Buffer.from(hexStr, 'hex').toString();
+          if (!isPrintable(decoded)) return;
+          const before = sourceCode.slice(node.start, node.end);
+          const after = quoteString(decoded);
+          replacements.push({
+            start: node.start,
+            end: node.end,
+            value: after,
+            type: 'hex',
+            before
+          });
+        } catch { /* decode failure — skip */ }
+        return;
+      }
+
       // atob('...') → decoded string
       if (isAtobCall(node)) {
         const b64str = node.arguments[0]?.value;
@@ -177,12 +193,7 @@ function propagateConsts(sourceCode) {
   const transforms = [];
   let ast;
   try {
-    ast = acorn.parse(sourceCode, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      ranges: true
-    });
+    ast = acorn.parse(sourceCode, { ...ACORN_OPTIONS, ranges: true });
   } catch {
     return { code: sourceCode, transforms };
   }
@@ -296,12 +307,7 @@ function foldConcatsOnly(sourceCode) {
   const transforms = [];
   let ast;
   try {
-    ast = acorn.parse(sourceCode, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      ranges: true
-    });
+    ast = acorn.parse(sourceCode, { ...ACORN_OPTIONS, ranges: true });
   } catch {
     return { code: sourceCode, transforms };
   }
@@ -430,6 +436,34 @@ function extractBufferBase64Arg(node) {
   return inner.arguments[0].value;
 }
 
+/**
+ * Check if node is Buffer.from('...', 'hex').toString()
+ */
+function isBufferHexToString(node) {
+  if (node.type !== 'CallExpression') return false;
+  const callee = node.callee;
+  if (callee.type !== 'MemberExpression') return false;
+  if (callee.property?.type !== 'Identifier' || callee.property.name !== 'toString') return false;
+  const inner = callee.object;
+  if (inner?.type !== 'CallExpression') return false;
+  const innerCallee = inner.callee;
+  if (innerCallee?.type !== 'MemberExpression') return false;
+  if (innerCallee.object?.type !== 'Identifier' || innerCallee.object.name !== 'Buffer') return false;
+  if (innerCallee.property?.type !== 'Identifier' || innerCallee.property.name !== 'from') return false;
+  if (inner.arguments.length < 2) return false;
+  if (inner.arguments[1]?.type !== 'Literal' || inner.arguments[1].value !== 'hex') return false;
+  if (inner.arguments[0]?.type !== 'Literal' || typeof inner.arguments[0].value !== 'string') return false;
+  return true;
+}
+
+/**
+ * Extract the hex string argument from Buffer.from(str, 'hex').toString()
+ */
+function extractBufferHexArg(node) {
+  const inner = node.callee.object;
+  return inner.arguments[0].value;
+}
+
 /**
  * Check if node is atob('...')
  */

package/src/scanner/entropy.js

@@ -1,9 +1,8 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles } = require('../utils.js');
+const { findFiles, forEachSafeFile } = require('../utils.js');
 
 const ENTROPY_EXCLUDED_DIRS = ['.git', '.muaddib-cache', '__compiled__', '__tests__', '__test__', 'dist', 'build'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 // File patterns to skip (compiled/minified/bundled)
 const SKIP_FILE_PATTERNS = ['.min.js', '.bundle.js', '.prod.js'];
@@ -203,29 +202,12 @@ function detectObfuscationPatterns(content, relativePath) {
 function scanEntropy(targetPath, options = {}) {
   const threats = [];
   const stringThreshold = options.entropyThreshold || STRING_ENTROPY_MEDIUM;
-  const files = findFiles(targetPath, { extensions: ['.js'], excludedDirs: ENTROPY_EXCLUDED_DIRS });
-
-  for (const file of files) {
-    // Skip files matching compiled/minified patterns
-    if (shouldSkipFile(file)) continue;
-
-    // Size guard
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch {
-      continue;
-    }
-
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue;
-    }
+  const files = findFiles(targetPath, { extensions: ['.js', '.mjs', '.cjs'], excludedDirs: ENTROPY_EXCLUDED_DIRS });
 
+  const safeFiles = files.filter(f => !shouldSkipFile(f));
+  forEachSafeFile(safeFiles, (file, content) => {
     // Skip files containing source maps (legitimate compiled output)
-    if (hasSourceMap(content)) continue;
+    if (hasSourceMap(content)) return;
 
     const relativePath = path.relative(targetPath, file);
 
@@ -252,7 +234,7 @@ function scanEntropy(targetPath, options = {}) {
         });
       }
     }
-  }
+  });
 
   return threats;
 }

package/src/scanner/github-actions.js

@@ -1,8 +1,9 @@
 const fs = require('fs');
 const path = require('path');
 
+const { MAX_FILE_SIZE } = require('../shared/constants.js');
+
 const YAML_EXTENSIONS = ['.yml', '.yaml'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 const MAX_DEPTH = 10;
 
 function scanGitHubActions(targetPath) {

package/src/scanner/hash.js

@@ -3,11 +3,11 @@ const path = require('path');
 const nodeCrypto = require('crypto');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 const { findFiles } = require('../utils.js');
+const { MAX_FILE_SIZE } = require('../shared/constants.js');
 
 // Hash cache: filePath -> { hash, mtime }
 const hashCache = new Map();
 const MAX_CACHE_SIZE = 10000;
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 async function scanHashes(targetPath) {
   const threats = [];

package/src/scanner/module-graph.js

@@ -2,13 +2,13 @@ const fs = require('fs');
 const path = require('path');
 const acorn = require('acorn');
 const { findFiles } = require('../utils');
+const { ACORN_OPTIONS: BASE_ACORN_OPTIONS } = require('../shared/constants.js');
 
 // --- Sensitive source patterns ---
 const SENSITIVE_MODULES = new Set(['fs', 'child_process', 'dns', 'os']);
 
 const ACORN_OPTIONS = {
-  ecmaVersion: 'latest',
-  sourceType: 'module',
+  ...BASE_ACORN_OPTIONS,
   allowReturnOutsideFunction: true,
   allowImportExportEverywhere: true,
 };
@@ -32,7 +32,7 @@ const SINK_INSTANCE_METHODS = new Set(['connect', 'write', 'send']);
 function buildModuleGraph(packagePath) {
   const graph = {};
   const files = findFiles(packagePath, {
-    extensions: ['.js'],
+    extensions: ['.js', '.mjs', '.cjs'],
     excludedDirs: ['node_modules', '.git'],
   });
   for (const absFile of files) {

package/src/scanner/npm-registry.js

@@ -1,4 +1,5 @@
 const { NPM_PACKAGE_REGEX } = require('../shared/constants.js');
+const { debugLog } = require('../utils.js');
 
 const REGISTRY_URL = 'https://registry.npmjs.org';
 const DOWNLOADS_URL = 'https://api.npmjs.org/downloads/point/last-week';
@@ -44,13 +45,13 @@ async function fetchWithRetry(url) {
     // 404 = package doesn't exist
     if (response.status === 404) {
       // Drain response body to free resources
-      try { await response.text(); } catch {}
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
       return null;
     }
 
     // 429 = rate limit, respect Retry-After header (capped at 30s)
     if (response.status === 429) {
-      try { await response.text(); } catch {}
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
       const retryAfter = parseInt(response.headers.get('retry-after'), 10);
       const delay = Math.min(retryAfter && retryAfter > 0 ? retryAfter * 1000 : 2000, 30000);
       await new Promise(r => setTimeout(r, delay));
@@ -59,7 +60,7 @@ async function fetchWithRetry(url) {
 
     if (!response.ok) {
       // Drain response body on errors
-      try { await response.text(); } catch {}
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
       return null;
     }
 

package/src/scanner/obfuscation.js

@@ -1,30 +1,15 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles } = require('../utils.js');
+const { findFiles, forEachSafeFile } = require('../utils.js');
 
 // node_modules NOT excluded: detect obfuscated code in dependencies
 const OBF_EXCLUDED_DIRS = ['.git', '.muaddib-cache'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 function detectObfuscation(targetPath) {
   const threats = [];
-  const files = findFiles(targetPath, { extensions: ['.js'], excludedDirs: OBF_EXCLUDED_DIRS });
-
-  for (const file of files) {
-    // Skip files exceeding MAX_FILE_SIZE to avoid memory issues
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch {
-      continue;
-    }
+  const files = findFiles(targetPath, { extensions: ['.js', '.mjs', '.cjs'], excludedDirs: OBF_EXCLUDED_DIRS });
 
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue; // Skip unreadable files
-    }
+  forEachSafeFile(files, (file, content) => {
     const relativePath = path.relative(targetPath, file);
 
     const signals = [];
@@ -96,7 +81,7 @@ function detectObfuscation(targetPath) {
         file: relativePath
       });
     }
-  }
+  });
 
   return threats;
 }