muaddib-scanner 2.2.28 → 2.3.1

package/bin/muaddib.js

@@ -33,6 +33,7 @@ let temporalFullMode = false;
 let breakdownMode = false;
 let noDeobfuscate = false;
 let noModuleGraph = false;
+let noReachability = false;
 let feedLimit = null;
 let feedSeverity = null;
 let feedSince = null;
@@ -122,6 +123,8 @@ for (let i = 0; i < options.length; i++) {
     noDeobfuscate = true;
   } else if (options[i] === '--no-module-graph') {
     noModuleGraph = true;
+  } else if (options[i] === '--no-reachability') {
+    noReachability = true;
   } else if (options[i] === '--temporal') {
     temporalMode = true;
   } else if (options[i] === '--limit') {
@@ -415,6 +418,7 @@ const helpText = `
     --no-canary         Disable honey token injection in sandbox
     --no-deobfuscate    Disable deobfuscation pre-processing
     --no-module-graph   Disable cross-file dataflow analysis
+    --no-reachability   Disable entry-point reachability analysis
     --exclude [dir]     Exclude directory from scan (repeatable)
     --limit [n]         Limit feed entries (default: 50)
     --severity [level]  Filter by severity (CRITICAL|HIGH|MEDIUM|LOW)
@@ -461,7 +465,8 @@ if (command === 'version' || command === '--version' || command === '-v') {
     entropyThreshold: entropyThreshold,
     breakdown: breakdownMode,
     noDeobfuscate: noDeobfuscate,
-    noModuleGraph: noModuleGraph
+    noModuleGraph: noModuleGraph,
+    noReachability: noReachability
   }).then(exitCode => {
     process.exit(exitCode);
   }).catch(err => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.2.28",
+  "version": "2.3.1",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -44,9 +44,9 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@inquirer/prompts": "8.2.1",
-    "acorn": "8.15.0",
-    "acorn-walk": "8.3.4",
+    "@inquirer/prompts": "8.3.0",
+    "acorn": "8.16.0",
+    "acorn-walk": "8.3.5",
     "adm-zip": "0.5.16",
     "chalk": "5.6.2",
     "js-yaml": "4.1.1",
@@ -54,8 +54,8 @@
   },
   "devDependencies": {
     "@eslint/js": "10.0.1",
-    "eslint": "10.0.0",
-    "eslint-plugin-security": "^3.0.1",
+    "eslint": "10.0.2",
+    "eslint-plugin-security": "^4.0.0",
     "globals": "17.3.0"
   }
 }

package/src/index.js

@@ -19,6 +19,7 @@ const { scanEntropy } = require('./scanner/entropy.js');
 const { scanAIConfig } = require('./scanner/ai-config.js');
 const { deobfuscate } = require('./scanner/deobfuscate.js');
 const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows } = require('./scanner/module-graph.js');
+const { computeReachableFiles } = require('./scanner/reachability.js');
 const { runTemporalAnalyses } = require('./temporal-runner.js');
 const { formatOutput } = require('./output-formatter.js');
 const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages, clearFileListCache } = require('./utils.js');
@@ -333,9 +334,22 @@ async function run(targetPath, options = {}) {
     }
   }
 
+  // Reachability analysis: determine which files are reachable from entry points
+  let reachableFiles = null;
+  if (!options.noReachability) {
+    try {
+      const reachability = computeReachableFiles(targetPath);
+      if (!reachability.skipped) {
+        reachableFiles = reachability.reachableFiles;
+      }
+    } catch {
+      // Graceful fallback — treat all files as reachable
+    }
+  }
+
   // FP reduction: legitimate frameworks produce high volumes of certain threat types.
   // A malware package typically has 1-3 occurrences, not dozens.
-  applyFPReductions(deduped);
+  applyFPReductions(deduped, reachableFiles);
 
   // Enrich each threat with rules
   const enrichedThreats = deduped.map(t => {

package/src/monitor.js

@@ -1640,9 +1640,9 @@ function getTemporalMaxSeverity(temporalResult, astResult, publishResult, mainta
   if (astResult && astResult.suspicious && astResult.findings) {
     allFindings.push(...astResult.findings);
   }
-  if (publishResult && publishResult.suspicious && publishResult.anomalies) {
-    allFindings.push(...publishResult.anomalies);
-  }
+  // publishResult deliberately excluded — publish anomalies alone (nightly builds,
+  // burst releases) should not trigger temporal preservation. They are handled
+  // separately by isPublishAnomalyOnly().
   if (maintainerResult && maintainerResult.suspicious && maintainerResult.findings) {
     allFindings.push(...maintainerResult.findings);
   }

package/src/scanner/ast-detectors.js

@@ -808,7 +808,7 @@ function handleCallExpression(node, ctx) {
         });
       }
       // Module._compile counts as temp file exec for write-execute-delete pattern
-      ctx.hasTempFileExec = ctx.hasTempFileExec || ctx.hasTmpdirInContent;
+      ctx.hasTempFileExec = ctx.hasTempFileExec || ctx.hasDevShmInContent;
     }
 
     // SANDWORM_MODE: Track writeFileSync/writeFile to temp paths
@@ -816,13 +816,13 @@ function handleCallExpression(node, ctx) {
       const arg = node.arguments && node.arguments[0];
       if (arg) {
         const strVal = extractStringValue(arg);
-        if (strVal && (/\/dev\/shm\b/.test(strVal) || /\btmp\b/i.test(strVal) || /\btemp\b/i.test(strVal))) {
+        if (strVal && /\/dev\/shm\b/.test(strVal)) {
           ctx.hasTempFileWrite = true;
         }
-        // Variable reference to tmpdir/temp path
+        // Variable reference to /dev/shm path
         if (!strVal && (arg.type === 'Identifier' || arg.type === 'CallExpression' || arg.type === 'MemberExpression')) {
-          // Dynamic path — check if file content involves tmpdir patterns
-          ctx.hasTempFileWrite = ctx.hasTempFileWrite || ctx.hasTmpdirInContent;
+          // Dynamic path — check if file content involves /dev/shm
+          ctx.hasTempFileWrite = ctx.hasTempFileWrite || ctx.hasDevShmInContent;
         }
       }
     }
@@ -837,10 +837,10 @@ function handleCallExpression(node, ctx) {
   if (callName === 'require' && node.arguments.length > 0) {
     const arg = node.arguments[0];
     const strVal = extractStringValue(arg);
-    if (strVal && (/\/dev\/shm\b/.test(strVal) || /\btmp\b/i.test(strVal) || /\btemp\b/i.test(strVal))) {
+    if (strVal && /\/dev\/shm\b/.test(strVal)) {
       ctx.hasTempFileExec = true;
-    } else if (!strVal && ctx.hasTmpdirInContent) {
-      // Variable argument in a file that references tmpdir paths
+    } else if (!strVal && ctx.hasDevShmInContent) {
+      // Variable argument in a file that references /dev/shm
       ctx.hasTempFileExec = true;
     }
   }
@@ -860,16 +860,7 @@ function handleCallExpression(node, ctx) {
     }
   }
 
-  // SANDWORM_MODE R8: Detect dns.resolve/resolve4/resolveTxt calls (flag for co-occurrence)
-  if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
-    const dnsPropName = node.callee.property.name;
-    if (['resolve', 'resolve4', 'resolveTxt', 'resolveCname'].includes(dnsPropName)) {
-      // Set hasDnsLoop if file has dns require + base64 encoding (co-occurrence checked in postWalk)
-      if (ctx.hasDnsRequire && ctx.hasBase64Encode) {
-        ctx.hasDnsLoop = true;
-      }
-    }
-  }
+  // SANDWORM_MODE R8: dns.resolve detection moved to walk.ancestor() in ast.js (FIX 5)
 }
 
 function handleImportExpression(node, ctx) {
@@ -1086,9 +1077,11 @@ function handleMemberExpression(node, ctx) {
 function handlePostWalk(ctx) {
   // SANDWORM_MODE: zlib inflate + base64 decode + eval/Function/Module._compile = obfuscated payload
   if (ctx.hasZlibInflate && ctx.hasBase64Decode && ctx.hasDynamicExec) {
+    // FIX 4: dist/build files get LOW severity (bundlers legitimately use zlib+base64+eval)
+    const isDistFile = /^(dist|build)[/\\]/i.test(ctx.relFile) || /\.bundle\.js$/i.test(ctx.relFile);
     ctx.threats.push({
       type: 'zlib_inflate_eval',
-      severity: 'CRITICAL',
+      severity: isDistFile ? 'LOW' : 'CRITICAL',
       message: 'Obfuscated payload: zlib inflate + base64 decode + dynamic execution. No legitimate package uses this pattern.',
       file: ctx.relFile
     });
@@ -1105,7 +1098,7 @@ function handlePostWalk(ctx) {
   }
 
   // SANDWORM_MODE R7: env harvesting = Object.entries/keys/values(process.env) + sensitive pattern in file
-  if (ctx.hasEnvEnumeration && ctx.hasEnvHarvestPattern) {
+  if (ctx.hasEnvEnumeration && ctx.hasEnvHarvestPattern && ctx.hasNetworkCallInFile) {
     ctx.threats.push({
       type: 'env_harvesting_dynamic',
       severity: 'HIGH',

package/src/scanner/ast.js

@@ -84,10 +84,11 @@ function analyzeFile(content, filePath, basePath) {
     hasTempFileWrite: false,
     hasTempFileExec: false,
     hasFileDelete: false,
-    hasTmpdirInContent: /\btmpdir\b|\/dev\/shm\b|\/tmp\b/i.test(content),
+    hasDevShmInContent: /\/dev\/shm\b/.test(content),
     // SANDWORM_MODE P2: env harvesting co-occurrence
     hasEnvEnumeration: false,  // Object.entries/keys/values(process.env)
     hasEnvHarvestPattern: /\b(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|NPM|AWS|SSH|WEBHOOK)\b/.test(content),
+    hasNetworkCallInFile: /\b(fetch|https?\.request|https?\.get|dns\.resolve)\b/.test(content),
     // SANDWORM_MODE P2: DNS exfiltration co-occurrence
     hasDnsRequire: /\brequire\s*\(\s*['"]dns['"]\s*\)/.test(content) || /\bdns\s*\.\s*resolve/.test(content),
     hasBase64Encode: /\.toString\s*\(\s*['"]base64(url)?['"]\s*\)/.test(content),
@@ -106,6 +107,35 @@ function analyzeFile(content, filePath, basePath) {
     MemberExpression(node) { handleMemberExpression(node, ctx); }
   });
 
+  // FIX 5: DNS chunk exfiltration — verify dns.resolve* is inside a loop body
+  if (ctx.hasDnsRequire && ctx.hasBase64Encode && !ctx.hasDnsLoop) {
+    walk.ancestor(ast, {
+      CallExpression(node, _state, ancestors) {
+        if (ctx.hasDnsLoop) return;
+        if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
+          const name = node.callee.property.name;
+          if (['resolve', 'resolve4', 'resolveTxt', 'resolveCname'].includes(name)) {
+            for (const anc of ancestors) {
+              if (['ForStatement', 'WhileStatement', 'ForOfStatement',
+                   'ForInStatement', 'DoWhileStatement'].includes(anc.type)) {
+                ctx.hasDnsLoop = true;
+                return;
+              }
+              // forEach/map callback = implicit loop
+              if (anc.type === 'CallExpression' && anc.callee?.type === 'MemberExpression') {
+                const m = anc.callee.property?.name;
+                if (['forEach', 'map', 'reduce', 'filter'].includes(m)) {
+                  ctx.hasDnsLoop = true;
+                  return;
+                }
+              }
+            }
+          }
+        }
+      }
+    });
+  }
+
   handlePostWalk(ctx);
 
   return threats;