npm - muaddib-scanner - Versions diffs - 2.2.6 → 2.2.7 - Mend

muaddib-scanner 2.2.6 → 2.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/bin/muaddib.js +10 -1
package/datasets/benign/packages-npm.txt +576 -77
package/datasets/benign/packages-pypi.txt +146 -31
package/datasets/ground-truth/README.md +54 -0
package/datasets/ground-truth/known-malware.json +622 -0
package/package.json +1 -1
package/src/commands/evaluate.js +191 -31
package/tmp-summary.js +24 -0
package/tmp-test-pack.js +66 -0

package/bin/muaddib.js CHANGED Viewed

@@ -752,7 +752,16 @@ if (command === 'version' || command === '--version' || command === '-v') {
   process.exit(0);
 } else if (command === 'evaluate') {
   const { evaluate } = require('../src/commands/evaluate.js');
-  evaluate({ json: jsonOutput }).then(() => {
+  const evalOpts = { json: jsonOutput };
+  for (let i = 0; i < options.length; i++) {
+    if (options[i] === '--benign-limit' && options[i + 1]) {
+      evalOpts.benignLimit = parseInt(options[i + 1], 10);
+      i++;
+    } else if (options[i] === '--refresh-benign') {
+      evalOpts.refreshBenign = true;
+    }
+  }
+  evaluate(evalOpts).then(() => {
     process.exit(0);
   }).catch(err => {
     console.error('[ERROR]', err.message);

package/datasets/benign/packages-npm.txt CHANGED Viewed

@@ -1,98 +1,597 @@
+# MUAD'DIB Benign Dataset — 500+ popular npm packages
+# Used by `muaddib evaluate` to measure False Positive Rate (FPR)
+# Threshold: score > 20 = false positive
+# Organized by category to ensure coverage of FP-prone patterns
+# === Frameworks web (25) ===
 express
-lodash
-react
-axios
-webpack
-typescript
-eslint
-prettier
-jest
-mocha
+koa
+fastify
+hapi
+@nestjs/core
+@nestjs/common
 next
+nuxt
+remix
+gatsby
+sails
+restify
+polka
+micro
+moleculer
+feathers
+loopback
+adonis
+strapi
+keystone
+redwood
+blitz
+meteor
+derby
+total.js
+# === Bibliothèques UI (25) ===
+react
+react-dom
 vue
-moment
-dayjs
-uuid
-chalk
+@angular/core
+@angular/common
+svelte
+preact
+lit
+solid-js
+alpine
+stimulus
+mithril
+inferno
+hyperapp
+riot
+stencil
+ember-source
+backbone
+marionette
+polymer
+qwik
+htmx.org
+petite-vue
+million
+nano-jsx
+# === Build tools (35) ===
+webpack
+webpack-cli
+webpack-dev-server
+vite
+esbuild
+rollup
+parcel
+@swc/core
+@swc/cli
+tsup
+unbuild
+babel-core
+@babel/core
+@babel/cli
+@babel/preset-env
+@babel/preset-typescript
+@babel/preset-react
+@babel/plugin-transform-runtime
+terser
+uglify-js
+html-webpack-plugin
+css-loader
+style-loader
+file-loader
+mini-css-extract-plugin
+postcss-loader
+sass-loader
+less-loader
+ts-loader
+babel-loader
+copy-webpack-plugin
+clean-webpack-plugin
+webpack-merge
+webpack-bundle-analyzer
+speed-measure-webpack-plugin
+# === CLI tools (30) ===
 commander
-inquirer
 yargs
-dotenv
-cors
-body-parser
-mongoose
-sequelize
-passport
-jsonwebtoken
-bcrypt
-nodemailer
-socket.io
-redis
+inquirer
+@inquirer/prompts
+chalk
+ora
+meow
+oclif
+vorpal
+caporal
+gluegun
+prompts
+listr2
+tasuku
+cac
+citty
+cleye
+arg
+mri
+minimist
+nopt
+get-stdin
+update-notifier
+boxen
+terminal-link
+figures
+log-symbols
+cli-table3
+cli-progress
+blessed
+# === Testing (25) ===
+jest
+mocha
+vitest
+ava
+tap
+jasmine
+karma
+c8
+nyc
+istanbul
+sinon
+chai
+expect
+supertest
+nock
+msw
+@testing-library/react
+@testing-library/jest-dom
+@testing-library/dom
+@testing-library/vue
+enzyme
+storybook
+@storybook/react
+playwright
+cypress
+# === Database (25) ===
 pg
 mysql2
 sqlite3
+better-sqlite3
+mongoose
+sequelize
+prisma
+@prisma/client
+drizzle-orm
+knex
+typeorm
+mikro-orm
+objection
+bookshelf
+waterline
+ioredis
+redis
+mongodb
+cassandra-driver
+couchbase
+neo4j-driver
+arangojs
+level
+lmdb
+sql.js
+# === Linters/formatters (18) ===
+eslint
+prettier
+stylelint
+@biomejs/biome
+oxlint
+eslint-plugin-react
+eslint-plugin-import
+eslint-plugin-security
+eslint-config-airbnb
+eslint-config-standard
+eslint-plugin-vue
+eslint-plugin-node
+eslint-plugin-jest
+@typescript-eslint/parser
+@typescript-eslint/eslint-plugin
+eslint-plugin-prettier
+editorconfig
+markdownlint-cli
+# === Monorepo tools (12) ===
+turbo
+nx
+lerna
+@changesets/cli
+@changesets/changelog-github
+rush
+bolt
+pnpm
+yarn
+npm
+oao
+ultra-runner
+# === Wasm/native (12) ===
 sharp
-multer
-formidable
-cheerio
-puppeteer
-playwright
-cypress
-electron
-react-dom
-react-router
-redux
-mobx
-rxjs
-ramda
-underscore
-async
-debug
-minimist
+canvas
+node-gyp
+@napi-rs/cli
+node-addon-api
+prebuild
+prebuild-install
+node-pre-gyp
+nan
+ref-napi
+ffi-napi
+farmhash
+# === DevOps/CI (18) ===
+husky
+lint-staged
+semantic-release
+commitlint
+@commitlint/cli
+@commitlint/config-conventional
+conventional-changelog
+standard-version
+release-it
+auto
+np
+gh-pages
+vercel
+netlify-cli
+wrangler
+pm2
+forever
+nodemon
+# === Crypto/security (18) ===
+bcrypt
+bcryptjs
+jsonwebtoken
+jose
+helmet
+cors
+csurf
+passport
+passport-local
+passport-jwt
+passport-google-oauth20
+crypto-js
+tweetnacl
+libsodium-wrappers
+node-forge
+argon2
+scrypt
+express-rate-limit
+# === HTTP/networking (25) ===
+axios
+got
+node-fetch
+undici
+superagent
+ky
+bent
+phin
+needle
+request
+urllib
+ws
+socket.io
+socket.io-client
+@grpc/grpc-js
+@grpc/proto-loader
+http-proxy
+http-proxy-middleware
+express-http-proxy
+cors-anywhere
+tunnel
+agent-base
+https-proxy-agent
+socks-proxy-agent
+proxy-agent
+# === File system (18) ===
+fs-extra
 glob
+globby
+fast-glob
+chokidar
 rimraf
 mkdirp
-semver
-yup
-zod
-ajv
-joi
-express-validator
-helmet
-compression
-morgan
+tmp
+temp
+graceful-fs
+proper-lockfile
+lockfile
+archiver
+adm-zip
+tar
+unzipper
+decompress
+copy
+# === Logging/monitoring (14) ===
 winston
 pino
+pino-pretty
+morgan
 bunyan
-dotenv-expand
-cross-env
+debug
+loglevel
+log4js
+consola
+signale
+roarr
+tracer
+winston-daily-rotate-file
+cls-hooked
+# === Codegen/AST (18) ===
+acorn
+acorn-walk
+@babel/parser
+@babel/traverse
+@babel/generator
+@babel/types
+esprima
+escodegen
+recast
+jscodeshift
+typescript
+ts-morph
+astring
+meriyah
+espree
+ast-types
+@vue/compiler-sfc
+svelte-compiler
+# === Shell/process (18) ===
+execa
+shelljs
+cross-spawn
 concurrently
-nodemon
-ts-node
-esbuild
-rollup
-vite
-parcel
-core-js
-regenerator-runtime
-whatwg-fetch
-isomorphic-fetch
-node-fetch
-got
-superagent
+npm-run-all
+npm-run-all2
+pidtree
+tree-kill
+fkill
+signal-exit
+death
+per-env
+env-cmd
+dotenv-cli
+open
+opn
+start-server-and-test
+wait-on
+# === Plugin systems (14) ===
+postcss
+postcss-preset-env
+autoprefixer
+cssnano
+tailwindcss
+unified
+remark
+remark-parse
+remark-stringify
+rehype
+rehype-parse
+rehype-stringify
+mdast-util-to-string
+unist-util-visit
+# === Validation/schema (15) ===
+zod
+yup
+ajv
+joi
+superstruct
+valibot
+class-validator
+class-transformer
+io-ts
+runtypes
+typebox
+@sinclair/typebox
+json-schema
+jsonschema
+fastest-validator
+# === Templating (10) ===
+ejs
+pug
+handlebars
+nunjucks
+mustache
+liquid
+eta
+art-template
+marko
+twig
+# === State management (10) ===
+redux
+@reduxjs/toolkit
+mobx
+zustand
+jotai
+recoil
+valtio
+xstate
+pinia
+vuex
+# === GraphQL (10) ===
+graphql
+@apollo/server
+@apollo/client
+graphql-tag
+graphql-tools
+type-graphql
+nexus
+pothos
+urql
+mercurius
+# === Image/media (10) ===
+probe-image-size
+jimp
+gm
+imagemin
+pngquant
+svgo
+fluent-ffmpeg
+image-size
+exif-parser
+blurhash
+# === Markdown/text (10) ===
+marked
+markdown-it
+showdown
+turndown
+sanitize-html
+dompurify
+html-minifier-terser
+clean-css
+csso
+js-beautify
+# === Date/time (10) ===
+date-fns
+dayjs
+luxon
+moment
+moment-timezone
+chrono-node
+ms
+pretty-ms
+timeago.js
+date-fns-tz
+# === Math/data (10) ===
+mathjs
+decimal.js
+bignumber.js
+numeral
+d3
+lodash
+underscore
+ramda
+fp-ts
+immutable
+# === UUID/crypto utils (10) ===
+uuid
+nanoid
+cuid
+ulid
+shortid
+hashids
+object-hash
+md5
+sha.js
+create-hash
+# === Config/env (10) ===
+dotenv
+dotenv-expand
+cosmiconfig
+rc
+convict
+conf
+configstore
+env-ci
+nconf
+envalid
+# === Queue/workers (10) ===
+bull
+bullmq
+agenda
+bee-queue
+kue
+amqplib
+rabbitmq-client
+celery-client
+p-queue
+bottleneck
+# === Caching (8) ===
+node-cache
+lru-cache
+keyv
+cacheable-request
+flat-cache
+apicache
+memory-cache
+quick-lru
+# === Email (8) ===
+nodemailer
+@sendgrid/mail
+mailgun.js
+postmark
+aws-sdk
+ses
+email-templates
+mjml
+# === PDF/docs (8) ===
+pdfkit
+pdf-lib
+puppeteer
+jspdf
+exceljs
+xlsx
+csv-parser
+papaparse
+# === Miscellaneous popular (40+) ===
+async
+bluebird
+rxjs
+p-limit
+p-map
+p-retry
+p-timeout
+redaxios
 form-data
+formidable
 busboy
+multer
 cookie-parser
 express-session
 connect-redis
-ioredis
-bull
-agenda
-node-cron
-date-fns
-luxon
-numeral
-decimal.js
-bignumber.js
-mathjs
-lodash-es
+connect-mongo
+body-parser
+compression
+serve-static
+serve-favicon
+method-override
+errorhandler
+cron
+node-schedule
+cheerio
+puppeteer-core
+jsdom
+xmlbuilder2
+xml2js
+fast-xml-parser
+yaml
+toml
+ini
+properties-reader
+iconv-lite
+chardet
+string-width
+wrap-ansi
+strip-ansi
+ansi-colors