muaddib-scanner 2.2.13 → 2.2.15

package/src/scanner/dataflow.js

@@ -2,61 +2,14 @@ const fs = require('fs');
 const path = require('path');
 const acorn = require('acorn');
 const walk = require('acorn-walk');
-const { isDevFile, findJsFiles, getCallName } = require('../utils.js');
-
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+const { getCallName } = require('../utils.js');
+const { ACORN_OPTIONS } = require('../shared/constants.js');
+const { analyzeWithDeobfuscation } = require('../shared/analyze-helper.js');
 
 async function analyzeDataFlow(targetPath, options = {}) {
-  const threats = [];
-  const files = findJsFiles(targetPath);
-
-  for (const file of files) {
-    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
-
-    if (isDevFile(relativePath)) {
-      continue;
-    }
-
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch { continue; }
-
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue;
-    }
-
-    // Respect // muaddib-ignore directive in first 5 lines (like eslint-disable)
-    const headerLines = content.slice(0, 1024).split('\n').slice(0, 5);
-    if (headerLines.some(line => line.includes('muaddib-ignore'))) {
-      continue;
-    }
-
-    // Analyze original code first (preserves obfuscation-detection rules)
-    const fileThreats = analyzeFile(content, file, targetPath);
-    threats.push(...fileThreats);
-
-    // Also analyze deobfuscated code for additional findings hidden by obfuscation
-    if (typeof options.deobfuscate === 'function') {
-      try {
-        const result = options.deobfuscate(content);
-        if (result.transforms.length > 0) {
-          const deobThreats = analyzeFile(result.code, file, targetPath);
-          const existingKeys = new Set(fileThreats.map(t => `${t.type}::${t.message}`));
-          for (const dt of deobThreats) {
-            if (!existingKeys.has(`${dt.type}::${dt.message}`)) {
-              threats.push(dt);
-            }
-          }
-        }
-      } catch { /* deobfuscation failed — skip */ }
-    }
-  }
-
-  return threats;
+  return analyzeWithDeobfuscation(targetPath, analyzeFile, {
+    deobfuscate: options.deobfuscate
+  });
 }
 
 function analyzeFile(content, filePath, basePath) {
@@ -64,12 +17,7 @@ function analyzeFile(content, filePath, basePath) {
   let ast;
 
   try {
-    ast = acorn.parse(content, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      locations: true
-    });
+    ast = acorn.parse(content, { ...ACORN_OPTIONS, locations: true });
   } catch {
     return threats;
   }

package/src/scanner/deobfuscate.js

@@ -2,6 +2,7 @@
 
 const acorn = require('acorn');
 const walk = require('acorn-walk');
+const { ACORN_OPTIONS } = require('../shared/constants.js');
 
 /**
  * Lightweight static deobfuscation pre-processor.
@@ -16,12 +17,7 @@ function deobfuscate(sourceCode) {
   // Parse AST — if parsing fails, return source unchanged (fail-safe)
   let ast;
   try {
-    ast = acorn.parse(sourceCode, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      ranges: true
-    });
+    ast = acorn.parse(sourceCode, { ...ACORN_OPTIONS, ranges: true });
   } catch {
     return { code: sourceCode, transforms };
   }
@@ -197,12 +193,7 @@ function propagateConsts(sourceCode) {
   const transforms = [];
   let ast;
   try {
-    ast = acorn.parse(sourceCode, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      ranges: true
-    });
+    ast = acorn.parse(sourceCode, { ...ACORN_OPTIONS, ranges: true });
   } catch {
     return { code: sourceCode, transforms };
   }
@@ -316,12 +307,7 @@ function foldConcatsOnly(sourceCode) {
   const transforms = [];
   let ast;
   try {
-    ast = acorn.parse(sourceCode, {
-      ecmaVersion: 2024,
-      sourceType: 'module',
-      allowHashBang: true,
-      ranges: true
-    });
+    ast = acorn.parse(sourceCode, { ...ACORN_OPTIONS, ranges: true });
   } catch {
     return { code: sourceCode, transforms };
   }

package/src/scanner/entropy.js

@@ -1,9 +1,8 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles } = require('../utils.js');
+const { findFiles, forEachSafeFile } = require('../utils.js');
 
 const ENTROPY_EXCLUDED_DIRS = ['.git', '.muaddib-cache', '__compiled__', '__tests__', '__test__', 'dist', 'build'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 // File patterns to skip (compiled/minified/bundled)
 const SKIP_FILE_PATTERNS = ['.min.js', '.bundle.js', '.prod.js'];
@@ -203,29 +202,12 @@ function detectObfuscationPatterns(content, relativePath) {
 function scanEntropy(targetPath, options = {}) {
   const threats = [];
   const stringThreshold = options.entropyThreshold || STRING_ENTROPY_MEDIUM;
-  const files = findFiles(targetPath, { extensions: ['.js'], excludedDirs: ENTROPY_EXCLUDED_DIRS });
-
-  for (const file of files) {
-    // Skip files matching compiled/minified patterns
-    if (shouldSkipFile(file)) continue;
-
-    // Size guard
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch {
-      continue;
-    }
-
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue;
-    }
+  const files = findFiles(targetPath, { extensions: ['.js', '.mjs', '.cjs'], excludedDirs: ENTROPY_EXCLUDED_DIRS });
 
+  const safeFiles = files.filter(f => !shouldSkipFile(f));
+  forEachSafeFile(safeFiles, (file, content) => {
     // Skip files containing source maps (legitimate compiled output)
-    if (hasSourceMap(content)) continue;
+    if (hasSourceMap(content)) return;
 
     const relativePath = path.relative(targetPath, file);
 
@@ -252,7 +234,7 @@ function scanEntropy(targetPath, options = {}) {
         });
       }
     }
-  }
+  });
 
   return threats;
 }

package/src/scanner/github-actions.js

@@ -1,8 +1,9 @@
 const fs = require('fs');
 const path = require('path');
 
+const { MAX_FILE_SIZE } = require('../shared/constants.js');
+
 const YAML_EXTENSIONS = ['.yml', '.yaml'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 const MAX_DEPTH = 10;
 
 function scanGitHubActions(targetPath) {

package/src/scanner/hash.js

@@ -3,11 +3,11 @@ const path = require('path');
 const nodeCrypto = require('crypto');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 const { findFiles } = require('../utils.js');
+const { MAX_FILE_SIZE } = require('../shared/constants.js');
 
 // Hash cache: filePath -> { hash, mtime }
 const hashCache = new Map();
 const MAX_CACHE_SIZE = 10000;
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 async function scanHashes(targetPath) {
   const threats = [];

package/src/scanner/module-graph.js

@@ -2,13 +2,13 @@ const fs = require('fs');
 const path = require('path');
 const acorn = require('acorn');
 const { findFiles } = require('../utils');
+const { ACORN_OPTIONS: BASE_ACORN_OPTIONS } = require('../shared/constants.js');
 
 // --- Sensitive source patterns ---
 const SENSITIVE_MODULES = new Set(['fs', 'child_process', 'dns', 'os']);
 
 const ACORN_OPTIONS = {
-  ecmaVersion: 'latest',
-  sourceType: 'module',
+  ...BASE_ACORN_OPTIONS,
   allowReturnOutsideFunction: true,
   allowImportExportEverywhere: true,
 };
@@ -32,7 +32,7 @@ const SINK_INSTANCE_METHODS = new Set(['connect', 'write', 'send']);
 function buildModuleGraph(packagePath) {
   const graph = {};
   const files = findFiles(packagePath, {
-    extensions: ['.js'],
+    extensions: ['.js', '.mjs', '.cjs'],
     excludedDirs: ['node_modules', '.git'],
   });
   for (const absFile of files) {

package/src/scanner/npm-registry.js

@@ -1,4 +1,5 @@
 const { NPM_PACKAGE_REGEX } = require('../shared/constants.js');
+const { debugLog } = require('../utils.js');
 
 const REGISTRY_URL = 'https://registry.npmjs.org';
 const DOWNLOADS_URL = 'https://api.npmjs.org/downloads/point/last-week';
@@ -44,13 +45,13 @@ async function fetchWithRetry(url) {
     // 404 = package doesn't exist
     if (response.status === 404) {
       // Drain response body to free resources
-      try { await response.text(); } catch {}
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
       return null;
     }
 
     // 429 = rate limit, respect Retry-After header (capped at 30s)
     if (response.status === 429) {
-      try { await response.text(); } catch {}
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
       const retryAfter = parseInt(response.headers.get('retry-after'), 10);
       const delay = Math.min(retryAfter && retryAfter > 0 ? retryAfter * 1000 : 2000, 30000);
       await new Promise(r => setTimeout(r, delay));
@@ -59,7 +60,7 @@ async function fetchWithRetry(url) {
 
     if (!response.ok) {
       // Drain response body on errors
-      try { await response.text(); } catch {}
+      try { await response.text(); } catch (e) { debugLog('response drain failed:', e.message); }
       return null;
     }
 

package/src/scanner/obfuscation.js

@@ -1,30 +1,15 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles } = require('../utils.js');
+const { findFiles, forEachSafeFile } = require('../utils.js');
 
 // node_modules NOT excluded: detect obfuscated code in dependencies
 const OBF_EXCLUDED_DIRS = ['.git', '.muaddib-cache'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 function detectObfuscation(targetPath) {
   const threats = [];
-  const files = findFiles(targetPath, { extensions: ['.js'], excludedDirs: OBF_EXCLUDED_DIRS });
-
-  for (const file of files) {
-    // Skip files exceeding MAX_FILE_SIZE to avoid memory issues
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-    } catch {
-      continue;
-    }
+  const files = findFiles(targetPath, { extensions: ['.js', '.mjs', '.cjs'], excludedDirs: OBF_EXCLUDED_DIRS });
 
-    let content;
-    try {
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue; // Skip unreadable files
-    }
+  forEachSafeFile(files, (file, content) => {
     const relativePath = path.relative(targetPath, file);
 
     const signals = [];
@@ -96,7 +81,7 @@ function detectObfuscation(targetPath) {
         file: relativePath
       });
     }
-  }
+  });
 
   return threats;
 }

package/src/scanner/shell.js

@@ -1,9 +1,8 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles } = require('../utils.js');
+const { findFiles, forEachSafeFile } = require('../utils.js');
 
 const SHELL_EXCLUDED_DIRS = ['node_modules', '.git', '.muaddib-cache'];
-const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 
 const MALICIOUS_PATTERNS = [
   { pattern: /curl.*\|.*sh/m, name: 'curl_pipe_shell', severity: 'HIGH' },
@@ -26,16 +25,7 @@ async function scanShellScripts(targetPath) {
   // Cherche les fichiers shell
   const files = findFiles(targetPath, { extensions: ['.sh', '.bash', '.zsh', '.command'], excludedDirs: SHELL_EXCLUDED_DIRS });
 
-  for (const file of files) {
-    let content;
-    try {
-      const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
-      content = fs.readFileSync(file, 'utf8');
-    } catch {
-      continue; // Skip unreadable files
-    }
-    
+  forEachSafeFile(files, (file, content) => {
     // Strip comment lines to avoid false positives on documentation
     const activeContent = content.split('\n')
       .filter(line => !line.trimStart().startsWith('#'))
@@ -51,7 +41,7 @@ async function scanShellScripts(targetPath) {
         });
       }
     }
-  }
+  });
 
   return threats;
 }

package/src/scanner/typosquat.js

@@ -311,6 +311,9 @@ function findTyposquatMatch(name) {
     // Ignore si le package populaire est trop court
     if (popular.length < MIN_PACKAGE_LENGTH) continue;
 
+    // Length pre-filter: Levenshtein distance >= |len(a) - len(b)|
+    if (Math.abs(nameLower.length - popularLower.length) > 2) continue;
+
     const distance = levenshteinDistance(nameLower, popularLower);
 
     // Distance de 1 = tres suspect (une seule lettre de difference)
@@ -479,6 +482,9 @@ function findPyPITyposquatMatch(name) {
     // Skip short popular packages
     if (popularNorm.length < MIN_PYPI_LENGTH) continue;
 
+    // Length pre-filter: Levenshtein distance >= |len(a) - len(b)|
+    if (Math.abs(normalized.length - popularNorm.length) > 2) continue;
+
     const distance = levenshteinDistance(normalized, popularNorm);
 
     // Distance 1 = very suspect (one char difference)

package/src/scoring.js

@@ -0,0 +1,213 @@
+// ============================================
+// SCORING CONSTANTS
+// ============================================
+// Severity weights for risk score calculation (0-100)
+// These values determine the impact of each threat type on the final score.
+// Example: 4 CRITICAL threats = 100 (max score), 10 HIGH threats = 100
+const SEVERITY_WEIGHTS = {
+  // CRITICAL: Threats with immediate impact (active malware, data exfiltration)
+  // High weight because a single critical threat justifies immediate action
+  CRITICAL: 25,
+
+  // HIGH: Serious threats (dangerous code, known malicious dependencies)
+  // 10 HIGH threats reach the maximum score
+  HIGH: 10,
+
+  // MEDIUM: Potential threats (suspicious patterns, light obfuscation)
+  // Moderate impact, requires investigation but not necessarily malicious
+  MEDIUM: 3,
+
+  // LOW: Informational findings, minimal impact on risk score
+  LOW: 1
+};
+
+// Thresholds for determining the overall risk level
+const RISK_THRESHOLDS = {
+  CRITICAL: 75,  // >= 75: Immediate action required
+  HIGH: 50,      // >= 50: Priority investigation
+  MEDIUM: 25     // >= 25: Monitor
+  // < 25 && > 0: LOW
+  // === 0: SAFE
+};
+
+// Maximum score (capped)
+const MAX_RISK_SCORE = 100;
+
+// Cap MEDIUM prototype_hook contribution (frameworks like Restify have 50+ extensions)
+const PROTO_HOOK_MEDIUM_CAP = 15;
+
+// ============================================
+// PER-FILE MAX SCORING (v2.2.11)
+// ============================================
+// Threat types classified as package-level (not tied to a specific source file).
+// These are added to the package score, not grouped by file.
+const PACKAGE_LEVEL_TYPES = new Set([
+  'lifecycle_script', 'lifecycle_shell_pipe',
+  'lifecycle_added_critical', 'lifecycle_added_high', 'lifecycle_modified',
+  'known_malicious_package', 'typosquat_detected',
+  'shai_hulud_marker', 'suspicious_file',
+  'pypi_malicious_package', 'pypi_typosquat_detected',
+  'dangerous_api_added_critical', 'dangerous_api_added_high', 'dangerous_api_added_medium',
+  'publish_burst', 'publish_dormant_spike', 'publish_rapid_succession',
+  'maintainer_new_suspicious', 'maintainer_sole_change',
+  'sandbox_network_activity', 'sandbox_file_changes', 'sandbox_process_spawns',
+  'sandbox_canary_exfiltration'
+]);
+
+/**
+ * Classify a threat as package-level or file-level.
+ * Package-level: metadata findings (package.json, node_modules, sandbox)
+ * File-level: code-level findings in specific source files
+ */
+function isPackageLevelThreat(threat) {
+  if (PACKAGE_LEVEL_TYPES.has(threat.type)) return true;
+  if (threat.file === 'package.json') return true;
+  if (threat.file && (threat.file.startsWith('node_modules/') || threat.file.startsWith('node_modules\\'))) return true;
+  if (threat.file && threat.file.startsWith('[SANDBOX]')) return true;
+  return false;
+}
+
+/**
+ * Compute a risk score for a group of threats using standard weights.
+ * Handles prototype_hook MEDIUM cap per group.
+ * @param {Array} threats - array of threat objects (after FP reductions)
+ * @returns {number} score 0-100
+ */
+function computeGroupScore(threats) {
+  const criticalCount = threats.filter(t => t.severity === 'CRITICAL').length;
+  const highCount = threats.filter(t => t.severity === 'HIGH').length;
+  const mediumCount = threats.filter(t => t.severity === 'MEDIUM').length;
+  const lowCount = threats.filter(t => t.severity === 'LOW').length;
+
+  const mediumProtoHookCount = threats.filter(
+    t => t.type === 'prototype_hook' && t.severity === 'MEDIUM'
+  ).length;
+  const protoHookPoints = Math.min(mediumProtoHookCount * SEVERITY_WEIGHTS.MEDIUM, PROTO_HOOK_MEDIUM_CAP);
+  const otherMediumCount = mediumCount - mediumProtoHookCount;
+
+  let score = 0;
+  score += criticalCount * SEVERITY_WEIGHTS.CRITICAL;
+  score += highCount * SEVERITY_WEIGHTS.HIGH;
+  score += otherMediumCount * SEVERITY_WEIGHTS.MEDIUM;
+  score += protoHookPoints;
+  score += lowCount * SEVERITY_WEIGHTS.LOW;
+  return Math.min(MAX_RISK_SCORE, score);
+}
+
+// ============================================
+// FP REDUCTION POST-PROCESSING
+// ============================================
+// Legitimate frameworks produce high volumes of certain threat types that
+// malware never does. This function downgrades severity when the count
+// exceeds thresholds only seen in legitimate codebases.
+const FP_COUNT_THRESHOLDS = {
+  dynamic_require: { maxCount: 10, from: 'HIGH', to: 'LOW' },
+  dangerous_call_function: { maxCount: 5, from: 'MEDIUM', to: 'LOW' },
+  require_cache_poison: { maxCount: 3, from: 'CRITICAL', to: 'LOW' },
+  suspicious_dataflow: { maxCount: 5, to: 'LOW' },
+  obfuscation_detected: { maxCount: 3, to: 'LOW' }
+};
+
+// Custom class prototypes that HTTP frameworks legitimately extend.
+// Distinguished from dangerous core Node.js prototype hooks.
+const FRAMEWORK_PROTOTYPES = ['Request', 'Response', 'App', 'Router'];
+const FRAMEWORK_PROTO_RE = new RegExp(
+  '^(' + FRAMEWORK_PROTOTYPES.join('|') + ')\\.prototype\\.'
+);
+
+function applyFPReductions(threats) {
+  // Count occurrences of each threat type (package-level, across all files)
+  const typeCounts = {};
+  for (const t of threats) {
+    typeCounts[t.type] = (typeCounts[t.type] || 0) + 1;
+  }
+
+  for (const t of threats) {
+    // Count-based downgrade: if a threat type appears too many times,
+    // it's a framework/plugin system, not malware
+    const rule = FP_COUNT_THRESHOLDS[t.type];
+    if (rule && typeCounts[t.type] > rule.maxCount && (!rule.from || t.severity === rule.from)) {
+      t.severity = rule.to;
+    }
+
+    // Prototype hook: framework class prototypes → MEDIUM
+    // Core Node.js prototypes (http.IncomingMessage, net.Socket) stay CRITICAL
+    // Browser/native APIs (globalThis.fetch, XMLHttpRequest) stay HIGH
+    if (t.type === 'prototype_hook' && t.severity === 'HIGH' &&
+        FRAMEWORK_PROTO_RE.test(t.message)) {
+      t.severity = 'MEDIUM';
+    }
+  }
+}
+
+/**
+ * Calculate per-file max risk score from deduplicated threats.
+ * Formula: riskScore = min(100, max(file_scores) + package_level_score)
+ * @param {Array} deduped - deduplicated threat array
+ * @returns {Object} { riskScore, riskLevel, globalRiskScore, maxFileScore, packageScore, mostSuspiciousFile, fileScores, criticalCount, highCount, mediumCount, lowCount }
+ */
+function calculateRiskScore(deduped) {
+  // 1. Separate deduped threats into package-level and file-level
+  const packageLevelThreats = [];
+  const fileLevelThreats = [];
+  for (const t of deduped) {
+    if (isPackageLevelThreat(t)) {
+      packageLevelThreats.push(t);
+    } else {
+      fileLevelThreats.push(t);
+    }
+  }
+
+  // 2. Group file-level threats by file
+  const fileGroups = new Map();
+  for (const t of fileLevelThreats) {
+    const key = t.file || '(unknown)';
+    if (!fileGroups.has(key)) fileGroups.set(key, []);
+    fileGroups.get(key).push(t);
+  }
+
+  // 3. Compute per-file scores and find the most suspicious file
+  let maxFileScore = 0;
+  let mostSuspiciousFile = null;
+  const fileScores = {};
+  for (const [file, fileThreats] of fileGroups) {
+    const score = computeGroupScore(fileThreats);
+    fileScores[file] = score;
+    if (score > maxFileScore) {
+      maxFileScore = score;
+      mostSuspiciousFile = file;
+    }
+  }
+
+  // 4. Compute package-level score (typosquat, lifecycle, dependency IOC, etc.)
+  const packageScore = computeGroupScore(packageLevelThreats);
+
+  // 5. Final score = max file score + package-level score, capped at 100
+  const riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + packageScore);
+
+  // 6. Old global score for comparison (sum of ALL findings)
+  const globalRiskScore = computeGroupScore(deduped);
+
+  // 7. Severity counts (global, for summary display)
+  const criticalCount = deduped.filter(t => t.severity === 'CRITICAL').length;
+  const highCount = deduped.filter(t => t.severity === 'HIGH').length;
+  const mediumCount = deduped.filter(t => t.severity === 'MEDIUM').length;
+  const lowCount = deduped.filter(t => t.severity === 'LOW').length;
+
+  const riskLevel = riskScore >= RISK_THRESHOLDS.CRITICAL ? 'CRITICAL'
+                  : riskScore >= RISK_THRESHOLDS.HIGH ? 'HIGH'
+                  : riskScore >= RISK_THRESHOLDS.MEDIUM ? 'MEDIUM'
+                  : riskScore > 0 ? 'LOW'
+                  : 'SAFE';
+
+  return {
+    riskScore, riskLevel, globalRiskScore,
+    maxFileScore, packageScore, mostSuspiciousFile, fileScores,
+    criticalCount, highCount, mediumCount, lowCount
+  };
+}
+
+module.exports = {
+  SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE,
+  isPackageLevelThreat, computeGroupScore, applyFPReductions, calculateRiskScore
+};

package/src/shared/analyze-helper.js

@@ -0,0 +1,49 @@
+const path = require('path');
+const { isDevFile, findJsFiles, forEachSafeFile } = require('../utils.js');
+
+/**
+ * Shared scanner wrapper: iterates JS files, runs analyzeFileFn on original + deobfuscated code,
+ * deduplicates findings by type::message key.
+ * @param {string} targetPath - Root directory to scan
+ * @param {Function} analyzeFileFn - (content, filePath, basePath) => threats[]
+ * @param {object} [options]
+ * @param {Function} [options.deobfuscate] - Deobfuscation function
+ * @param {string[]} [options.excludedFiles] - Relative paths to skip
+ * @param {boolean} [options.skipDevFiles=true] - Whether to skip dev/test files
+ * @returns {Array} Combined threats
+ */
+function analyzeWithDeobfuscation(targetPath, analyzeFileFn, options = {}) {
+  const threats = [];
+  const files = findJsFiles(targetPath);
+
+  forEachSafeFile(files, (file, content) => {
+    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
+
+    if (options.excludedFiles && options.excludedFiles.includes(relativePath)) return;
+    if (options.skipDevFiles !== false && isDevFile(relativePath)) return;
+
+    // Analyze original code first (preserves obfuscation-detection rules)
+    const fileThreats = analyzeFileFn(content, file, targetPath);
+    threats.push(...fileThreats);
+
+    // Also analyze deobfuscated code for additional findings hidden by obfuscation
+    if (typeof options.deobfuscate === 'function') {
+      try {
+        const result = options.deobfuscate(content);
+        if (result.transforms.length > 0) {
+          const deobThreats = analyzeFileFn(result.code, file, targetPath);
+          const existingKeys = new Set(fileThreats.map(t => `${t.type}::${t.message}`));
+          for (const dt of deobThreats) {
+            if (!existingKeys.has(`${dt.type}::${dt.message}`)) {
+              threats.push(dt);
+            }
+          }
+        }
+      } catch { /* deobfuscation failed — skip */ }
+    }
+  });
+
+  return threats;
+}
+
+module.exports = { analyzeWithDeobfuscation };

package/src/shared/constants.js

@@ -86,4 +86,8 @@ const NPM_PACKAGE_REGEX = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*
 const MAX_TARBALL_SIZE = 50 * 1024 * 1024; // 50MB
 const DOWNLOAD_TIMEOUT = 30_000; // 30 seconds
 
-module.exports = { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX, MAX_TARBALL_SIZE, DOWNLOAD_TIMEOUT };
+// Shared scanner constants
+const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB — skip files larger than this to avoid memory issues
+const ACORN_OPTIONS = { ecmaVersion: 2024, sourceType: 'module', allowHashBang: true };
+
+module.exports = { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX, MAX_TARBALL_SIZE, DOWNLOAD_TIMEOUT, MAX_FILE_SIZE, ACORN_OPTIONS };