muaddib-scanner 2.2.6 → 2.2.8

@@ -0,0 +1,622 @@
1
+ [
2
+ {
3
+ "name": "event-stream",
4
+ "ecosystem": "npm",
5
+ "version": "3.3.6",
6
+ "date": "2018-11",
7
+ "source": "npm Security",
8
+ "technique": "dependency injection - flatmap-stream malicious dep targeting Copay bitcoin wallet",
9
+ "url": "https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident",
10
+ "severity": "critical"
11
+ },
12
+ {
13
+ "name": "flatmap-stream",
14
+ "ecosystem": "npm",
15
+ "version": "0.1.1",
16
+ "date": "2018-09",
17
+ "source": "Snyk",
18
+ "technique": "bitcoin wallet credential theft via obfuscated payload",
19
+ "url": "https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/",
20
+ "severity": "critical"
21
+ },
22
+ {
23
+ "name": "eslint-scope",
24
+ "ecosystem": "npm",
25
+ "version": "3.7.2",
26
+ "date": "2018-07",
27
+ "source": "ESLint",
28
+ "technique": "postinstall script exfiltrates .npmrc tokens to pastebin",
29
+ "url": "https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes/",
30
+ "severity": "critical"
31
+ },
32
+ {
33
+ "name": "ua-parser-js",
34
+ "ecosystem": "npm",
35
+ "version": "0.7.29, 0.8.0, 1.0.0",
36
+ "date": "2021-10",
37
+ "source": "CISA",
38
+ "technique": "account hijack + preinstall script installing cryptominer and credential stealer",
39
+ "url": "https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js",
40
+ "severity": "critical"
41
+ },
42
+ {
43
+ "name": "coa",
44
+ "ecosystem": "npm",
45
+ "version": "2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.0.1, 3.1.3",
46
+ "date": "2021-11",
47
+ "source": "Rapid7",
48
+ "technique": "account hijack + postinstall exfiltrating credentials and browser data",
49
+ "url": "https://www.rapid7.com/blog/post/2021/11/05/new-npm-library-hijacks-coa-and-rc/",
50
+ "severity": "high"
51
+ },
52
+ {
53
+ "name": "rc",
54
+ "ecosystem": "npm",
55
+ "version": "1.2.9, 1.3.9, 2.3.9",
56
+ "date": "2021-11",
57
+ "source": "Sonatype",
58
+ "technique": "account hijack + postinstall credential theft",
59
+ "url": "https://www.sonatype.com/blog/npm-hijackers-at-it-again-popular-coa-and-rc-open-source-libraries-taken-over-to-spread-malware",
60
+ "severity": "high"
61
+ },
62
+ {
63
+ "name": "node-ipc",
64
+ "ecosystem": "npm",
65
+ "version": "10.1.1, 10.1.2",
66
+ "date": "2022-03",
67
+ "source": "Snyk",
68
+ "technique": "protestware - overwrites files with heart emoji on Russian/Belarusian IPs",
69
+ "url": "https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/",
70
+ "severity": "critical"
71
+ },
72
+ {
73
+ "name": "colors",
74
+ "ecosystem": "npm",
75
+ "version": "1.4.1",
76
+ "date": "2022-01",
77
+ "source": "LunaTrace",
78
+ "technique": "protestware - infinite loop printing 'liberty' and gibberish",
79
+ "url": "https://www.lunasec.io/docs/blog/node-ipc-protestware/",
80
+ "severity": "medium"
81
+ },
82
+ {
83
+ "name": "faker",
84
+ "ecosystem": "npm",
85
+ "version": "6.6.6",
86
+ "date": "2022-01",
87
+ "source": "LunaTrace",
88
+ "technique": "protestware - infinite loop printing anti-corporate messages",
89
+ "url": "https://www.lunasec.io/docs/blog/node-ipc-protestware/",
90
+ "severity": "medium"
91
+ },
92
+ {
93
+ "name": "chalk",
94
+ "ecosystem": "npm",
95
+ "version": "5.6.1",
96
+ "date": "2025-09",
97
+ "source": "Semgrep",
98
+ "technique": "phishing attack on maintainer + cryptostealer payload intercepting web3 wallet transactions",
99
+ "url": "https://semgrep.dev/blog/2025/chalk-debug-and-color-on-npm-compromised-in-new-supply-chain-attack/",
100
+ "severity": "critical"
101
+ },
102
+ {
103
+ "name": "debug",
104
+ "ecosystem": "npm",
105
+ "version": "4.4.0",
106
+ "date": "2025-09",
107
+ "source": "Sonatype",
108
+ "technique": "phishing attack on maintainer + cryptostealer in browser environments",
109
+ "url": "https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack",
110
+ "severity": "critical"
111
+ },
112
+ {
113
+ "name": "ngx-bootstrap",
114
+ "ecosystem": "npm",
115
+ "version": "multiple (Sept 2025)",
116
+ "date": "2025-09",
117
+ "source": "Snyk",
118
+ "technique": "account compromise + postinstall harvesting npm/GitHub/cloud tokens with TruffleHog",
119
+ "url": "https://snyk.io/blog/embedded-malicious-code-in-tinycolor-and-ngx-bootstrap-releases-on-npm/",
120
+ "severity": "critical"
121
+ },
122
+ {
123
+ "name": "@ctrl/tinycolor",
124
+ "ecosystem": "npm",
125
+ "version": "multiple (Sept 2025)",
126
+ "date": "2025-09",
127
+ "source": "Socket.dev",
128
+ "technique": "account compromise + self-replicating worm modifying package.json and republishing",
129
+ "url": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages",
130
+ "severity": "critical"
131
+ },
132
+ {
133
+ "name": "@nrwl/nx-cloud",
134
+ "ecosystem": "npm",
135
+ "version": "19.1.0-beta.2",
136
+ "date": "2025-08",
137
+ "source": "Snyk",
138
+ "technique": "GitHub Actions injection + AI agent weaponization (claude/gemini/q CLIs) for credential exfiltration",
139
+ "url": "https://snyk.io/blog/weaponizing-ai-coding-agents-for-malware-in-the-nx-malicious-package/",
140
+ "severity": "critical"
141
+ },
142
+ {
143
+ "name": "noblox.js-vps",
144
+ "ecosystem": "npm",
145
+ "version": "4.21.0",
146
+ "date": "2024-08",
147
+ "source": "ReversingLabs",
148
+ "technique": "typosquatting noblox.js + Discord token theft + Quasar RAT deployment",
149
+ "url": "https://www.reversinglabs.com/blog/fake-roblox-api-packages-luna-grabber-npm",
150
+ "severity": "high"
151
+ },
152
+ {
153
+ "name": "twilio-npm",
154
+ "ecosystem": "npm",
155
+ "version": "multiple",
156
+ "date": "2024-01",
157
+ "source": "Sonatype",
158
+ "technique": "typosquatting twilio + reverse shell payload",
159
+ "url": "https://www.sonatype.com/blog/open-source-attacks-on-the-rise-top-8-malicious-packages-found-in-npm",
160
+ "severity": "critical"
161
+ },
162
+ {
163
+ "name": "duer-js",
164
+ "ecosystem": "npm",
165
+ "version": "1.0.0",
166
+ "date": "2024-12",
167
+ "source": "Phylum",
168
+ "technique": "Bada Stealer - Discord tokens, browser passwords, crypto wallets",
169
+ "url": "https://blog.phylum.io/sensitive-data-exfiltration-campaign-targets-npm-and-pypi/",
170
+ "severity": "critical"
171
+ },
172
+ {
173
+ "name": "execution-time-async",
174
+ "ecosystem": "npm",
175
+ "version": "1.4.1",
176
+ "date": "2024-02",
177
+ "source": "Phylum",
178
+ "technique": "Lazarus APT fake job campaign + remote code execution",
179
+ "url": "https://blog.phylum.io/sensitive-data-exfiltration-campaign-targets-npm-and-pypi/",
180
+ "severity": "critical"
181
+ },
182
+ {
183
+ "name": "@solana/web3.js",
184
+ "ecosystem": "npm",
185
+ "version": "1.95.6, 1.95.7",
186
+ "date": "2024-12",
187
+ "source": "ReversingLabs",
188
+ "technique": "account compromise + wallet seed phrase exfiltration",
189
+ "url": "https://www.reversinglabs.com/blog/malware-found-in-solana-npm-library-with-50m-downloads",
190
+ "severity": "critical"
191
+ },
192
+ {
193
+ "name": "eslint-config-prettier",
194
+ "ecosystem": "npm",
195
+ "version": "malicious (July 2025)",
196
+ "date": "2025-07",
197
+ "source": "Snyk",
198
+ "technique": "typosquatting domain attack on maintainers + credential theft",
199
+ "url": "https://snyk.io/blog/maintainers-of-eslint-prettier-plugin-attacked-via-npm-supply-chain-malware/",
200
+ "severity": "high"
201
+ },
202
+ {
203
+ "name": "haski",
204
+ "ecosystem": "npm",
205
+ "version": "1.0.0",
206
+ "date": "2024-10",
207
+ "source": "Socket.dev",
208
+ "technique": "blockchain C2 using Ethereum smart contracts for command control",
209
+ "url": "https://www.theregister.com/2024/11/05/typosquatting_npm_campaign/",
210
+ "severity": "high"
211
+ },
212
+ {
213
+ "name": "mathjs-min",
214
+ "ecosystem": "npm",
215
+ "version": "1.0.0",
216
+ "date": "2024-01",
217
+ "source": "Phylum",
218
+ "technique": "typosquatting mathjs + Discord token grabber",
219
+ "url": "https://blog.phylum.io/phylum-discovers-npm-package-mathjs-min-contains-discord-token-grabber/",
220
+ "severity": "high"
221
+ },
222
+ {
223
+ "name": "dydx-v4-client",
224
+ "ecosystem": "npm",
225
+ "version": "1.0.1",
226
+ "date": "2026-02",
227
+ "source": "Socket.dev",
228
+ "technique": "account compromise + cryptocurrency wallet seed phrase stealer + device fingerprinting",
229
+ "url": "https://socket.dev/blog/malicious-dydx-packages-published-to-npm-and-pypi",
230
+ "severity": "critical"
231
+ },
232
+ {
233
+ "name": "ultralytics",
234
+ "ecosystem": "pypi",
235
+ "version": "8.0.196.4",
236
+ "date": "2024-09",
237
+ "source": "ReversingLabs",
238
+ "technique": "account compromise + XMRig cryptocurrency miner",
239
+ "url": "https://www.reversinglabs.com/blog/compromised-ultralytics-pypi-package-delivers-crypto-coinminer",
240
+ "severity": "high"
241
+ },
242
+ {
243
+ "name": "Django-log-tracker",
244
+ "ecosystem": "pypi",
245
+ "version": "1.0.2",
246
+ "date": "2024-02",
247
+ "source": "Phylum",
248
+ "technique": "dormant package compromise + browser credential theft (Chrome/Opera/Brave) + remote script execution",
249
+ "url": "https://blog.phylum.io/sensitive-data-exfiltration-campaign-targets-npm-and-pypi/",
250
+ "severity": "critical"
251
+ },
252
+ {
253
+ "name": "requests-darwin-lite",
254
+ "ecosystem": "pypi",
255
+ "version": "2.28.0",
256
+ "date": "2024-03",
257
+ "source": "Fortinet",
258
+ "technique": "typosquatting requests + macOS Trojan + persistent C2 connection",
259
+ "url": "https://www.fortinet.com/blog/threat-research/malicious-packages-hidden-in-pypl",
260
+ "severity": "critical"
261
+ },
262
+ {
263
+ "name": "py-cord",
264
+ "ecosystem": "pypi",
265
+ "version": "multiple",
266
+ "date": "2024-03",
267
+ "source": "PyPI Security",
268
+ "technique": "typosquatting pycord + credential theft during 500+ package upload campaign",
269
+ "url": "https://thehackernews.com/2024/03/pypi-halts-sign-ups-amid-surge-of.html",
270
+ "severity": "high"
271
+ },
272
+ {
273
+ "name": "soopsocks",
274
+ "ecosystem": "pypi",
275
+ "version": "1.0.0",
276
+ "date": "2025-10",
277
+ "source": "Sonatype",
278
+ "technique": "infostealer infecting 2,653 systems before takedown",
279
+ "url": "https://thehackernews.com/2025/10/alert-malicious-pypi-package-soopsocks.html",
280
+ "severity": "critical"
281
+ },
282
+ {
283
+ "name": "pytoileur",
284
+ "ecosystem": "pypi",
285
+ "version": "1.0.0",
286
+ "date": "2024-01",
287
+ "source": "Sonatype",
288
+ "technique": "trojanized Windows binaries for surveillance and crypto wallet theft",
289
+ "url": "https://www.sonatype.com/blog/pypi-crypto-stealer-targets-windows-users-revives-malware-campaign",
290
+ "severity": "critical"
291
+ },
292
+ {
293
+ "name": "set-utils",
294
+ "ecosystem": "pypi",
295
+ "version": "1.0.0",
296
+ "date": "2025-01",
297
+ "source": "BleepingComputer",
298
+ "technique": "Ethereum private key stealer downloaded 1000+ times",
299
+ "url": "https://www.bleepingcomputer.com/news/security/ethereum-private-key-stealer-on-pypi-downloaded-over-1-000-times/",
300
+ "severity": "critical"
301
+ },
302
+ {
303
+ "name": "dydx-v4-client-py",
304
+ "ecosystem": "pypi",
305
+ "version": "1.0.0",
306
+ "date": "2026-02",
307
+ "source": "Socket.dev",
308
+ "technique": "account compromise + wallet stealer + Python RAT with arbitrary code execution",
309
+ "url": "https://socket.dev/blog/malicious-dydx-packages-published-to-npm-and-pypi",
310
+ "severity": "critical"
311
+ },
312
+ {
313
+ "name": "aiocpa",
314
+ "ecosystem": "pypi",
315
+ "version": "1.0.0",
316
+ "date": "2024-11",
317
+ "source": "PyPI Security",
318
+ "technique": "malicious setup script + credential exfiltration",
319
+ "url": "https://blog.pypi.org/posts/2024-11-25-aiocpa-attack-analysis/",
320
+ "severity": "high"
321
+ },
322
+ {
323
+ "name": "simple-mali-pkg",
324
+ "ecosystem": "pypi",
325
+ "version": "0.1.0",
326
+ "date": "2025-06",
327
+ "source": "Fortinet",
328
+ "technique": "data exfiltration via setup.py install script",
329
+ "url": "https://www.fortinet.com/blog/threat-research/malicious-packages-across-open-source-registries",
330
+ "severity": "high"
331
+ },
332
+ {
333
+ "name": "confighum",
334
+ "ecosystem": "pypi",
335
+ "version": "0.3.5",
336
+ "date": "2025-06",
337
+ "source": "Fortinet",
338
+ "technique": "data exfiltration via install hooks",
339
+ "url": "https://www.fortinet.com/blog/threat-research/malicious-packages-across-open-source-registries",
340
+ "severity": "high"
341
+ },
342
+ {
343
+ "name": "sinontop-utils",
344
+ "ecosystem": "pypi",
345
+ "version": "0.3.5",
346
+ "date": "2025-06",
347
+ "source": "Fortinet",
348
+ "technique": "sensitive data theft during installation",
349
+ "url": "https://www.fortinet.com/blog/threat-research/malicious-packages-across-open-source-registries",
350
+ "severity": "high"
351
+ },
352
+ {
353
+ "name": "solana-sdkpy",
354
+ "ecosystem": "pypi",
355
+ "version": "1.2.5, 1.2.6",
356
+ "date": "2025-06",
357
+ "source": "Fortinet",
358
+ "technique": "cryptocurrency wallet targeting + data exfiltration",
359
+ "url": "https://www.fortinet.com/blog/threat-research/malicious-packages-across-open-source-registries",
360
+ "severity": "critical"
361
+ },
362
+ {
363
+ "name": "peacenotwar",
364
+ "ecosystem": "npm",
365
+ "version": "multiple",
366
+ "date": "2022-03",
367
+ "source": "Orca Security",
368
+ "technique": "protestware creating WITH-LOVE-FROM-AMERICA.txt files as node-ipc dependency",
369
+ "url": "https://orca.security/resources/blog/cve-2022-23812-protestware-malicious-code-node-ipc-npm-package/",
370
+ "severity": "medium"
371
+ },
372
+ {
373
+ "name": "Shai-Hulud campaign (796+ packages)",
374
+ "ecosystem": "npm",
375
+ "version": "various",
376
+ "date": "2025-09",
377
+ "source": "Microsoft Security",
378
+ "technique": "self-replicating worm + preinstall token theft + automated package infection via npm API",
379
+ "url": "https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/",
380
+ "severity": "critical"
381
+ },
382
+ {
383
+ "name": "Shai-Hulud 2.0 (setup_bun.js/bun_environment.js)",
384
+ "ecosystem": "npm",
385
+ "version": "various",
386
+ "date": "2025-11",
387
+ "source": "Datadog Security Labs",
388
+ "technique": "worm 2.0 + AWS/GCP/Azure credential harvesting + exponential propagation without actor intervention",
389
+ "url": "https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/",
390
+ "severity": "critical"
391
+ },
392
+ {
393
+ "name": "Contagious Interview campaign (338+ packages)",
394
+ "ecosystem": "npm",
395
+ "version": "various",
396
+ "date": "2025-07",
397
+ "source": "Socket.dev",
398
+ "technique": "North Korean APT fake job offers + 180+ fake personas + 50k+ downloads + C2 infrastructure",
399
+ "url": "https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages",
400
+ "severity": "critical"
401
+ },
402
+ {
403
+ "name": "Beamglea campaign (175 packages)",
404
+ "ecosystem": "npm",
405
+ "version": "various",
406
+ "date": "2025-01",
407
+ "source": "Socket.dev",
408
+ "technique": "phishing infrastructure targeting 135+ industrial/tech/energy companies via npm CDN abuse",
409
+ "url": "https://socket.dev/blog/175-malicious-npm-packages-host-phishing-infrastructure",
410
+ "severity": "high"
411
+ },
412
+ {
413
+ "name": "Flashbots SDK typosquats",
414
+ "ecosystem": "npm",
415
+ "version": "various",
416
+ "date": "2024-09",
417
+ "source": "Socket.dev",
418
+ "technique": "typosquatting Flashbots + Ethereum wallet key/seed exfiltration to Telegram",
419
+ "url": "https://socket.dev/blog/malicious-npm-packages-impersonate-flashbots-sdks-targeting-ethereum-wallet-credentials",
420
+ "severity": "critical"
421
+ },
422
+ {
423
+ "name": "Qix author compromise",
424
+ "ecosystem": "npm",
425
+ "version": "various packages",
426
+ "date": "2025-01",
427
+ "source": "Socket.dev",
428
+ "technique": "phishing email compromise of prolific npm author affecting multiple popular packages",
429
+ "url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack",
430
+ "severity": "critical"
431
+ },
432
+ {
433
+ "name": "WhatsApp malicious packages",
434
+ "ecosystem": "npm",
435
+ "version": "various",
436
+ "date": "2024-11",
437
+ "source": "Socket.dev",
438
+ "technique": "targeting WhatsApp developers + remote kill switch capability",
439
+ "url": "https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-with-remote-kill-switch",
440
+ "severity": "high"
441
+ },
442
+ {
443
+ "name": "60 network/host data exfiltration packages",
444
+ "ecosystem": "npm",
445
+ "version": "various",
446
+ "date": "2024-10",
447
+ "source": "Socket.dev",
448
+ "technique": "active network reconnaissance + host fingerprinting + data exfiltration",
449
+ "url": "https://socket.dev/blog/60-malicious-npm-packages-leak-network-and-host-data",
450
+ "severity": "high"
451
+ },
452
+ {
453
+ "name": "BSC/Ethereum crypto drainer",
454
+ "ecosystem": "npm",
455
+ "version": "various",
456
+ "date": "2024-09",
457
+ "source": "Socket.dev",
458
+ "technique": "Binance Smart Chain and Ethereum wallet drainers",
459
+ "url": "https://socket.dev/blog/malicious-npm-packages-target-bsc-and-ethereum",
460
+ "severity": "critical"
461
+ },
462
+ {
463
+ "name": "Discord token stealers (17 packages)",
464
+ "ecosystem": "npm",
465
+ "version": "various",
466
+ "date": "2024-01",
467
+ "source": "JFrog",
468
+ "technique": "targeting Discord tokens from %APPDATA% + 2FA code interception",
469
+ "url": "https://jfrog.com/blog/malicious-npm-packages-are-after-your-discord-tokens-17-new-packages-disclosed/",
470
+ "severity": "high"
471
+ },
472
+ {
473
+ "name": "LofyLife campaign",
474
+ "ecosystem": "npm",
475
+ "version": "various",
476
+ "date": "2024-03",
477
+ "source": "Kaspersky",
478
+ "technique": "Discord token theft + bank card data exfiltration",
479
+ "url": "https://securelist.com/lofylife-malicious-npm-packages/107014/",
480
+ "severity": "critical"
481
+ },
482
+ {
483
+ "name": "NodeCordRAT packages",
484
+ "ecosystem": "npm",
485
+ "version": "various",
486
+ "date": "2024-11",
487
+ "source": "Zscaler ThreatLabz",
488
+ "technique": "Chrome credentials + MetaMask keys/seeds + API tokens via RAT",
489
+ "url": "https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat",
490
+ "severity": "critical"
491
+ },
492
+ {
493
+ "name": "287 typosquatting packages (blockchain C2)",
494
+ "ecosystem": "npm",
495
+ "version": "various",
496
+ "date": "2024-10",
497
+ "source": "Socket.dev",
498
+ "technique": "typosquatting Puppeteer/Bignum.js/crypto libs + Ethereum smart contract C2 infrastructure",
499
+ "url": "https://www.theregister.com/2024/11/05/typosquatting_npm_campaign/",
500
+ "severity": "critical"
501
+ },
502
+ {
503
+ "name": "Atomic/Exodus wallet targeting",
504
+ "ecosystem": "npm",
505
+ "version": "various",
506
+ "date": "2024-08",
507
+ "source": "ReversingLabs",
508
+ "technique": "targeted malware campaign against Atomic and Exodus cryptocurrency wallets",
509
+ "url": "https://www.reversinglabs.com/blog/atomic-and-exodus-crypto-wallets-targeted-in-malicious-npm-campaign",
510
+ "severity": "critical"
511
+ },
512
+ {
513
+ "name": "Bladeroid packages",
514
+ "ecosystem": "npm",
515
+ "version": "various",
516
+ "date": "2024-05",
517
+ "source": "Sonatype",
518
+ "technique": "infostealer targeting Windows users via tea protocol reward exploitation",
519
+ "url": "https://www.sonatype.com/blog/ongoing-npm-software-supply-chain-attack-exposes-new-risks",
520
+ "severity": "high"
521
+ },
522
+ {
523
+ "name": "SilentSync RAT",
524
+ "ecosystem": "pypi",
525
+ "version": "various",
526
+ "date": "2024-12",
527
+ "source": "Zscaler ThreatLabz",
528
+ "technique": "Python-based RAT with persistence and remote command execution",
529
+ "url": "https://www.zscaler.com/blogs/security-research/malicious-pypi-packages-deliver-silentsync-rat",
530
+ "severity": "critical"
531
+ },
532
+ {
533
+ "name": "500+ typosquatting packages (March 2024)",
534
+ "ecosystem": "pypi",
535
+ "version": "various",
536
+ "date": "2024-03",
537
+ "source": "PyPI Security",
538
+ "technique": "automated typosquatting campaign forcing PyPI to halt new user signups",
539
+ "url": "https://thehackernews.com/2024/03/pypi-halts-sign-ups-amid-surge-of.html",
540
+ "severity": "critical"
541
+ },
542
+ {
543
+ "name": "Lazarus graphalgo campaign",
544
+ "ecosystem": "npm",
545
+ "version": "various",
546
+ "date": "2025-05",
547
+ "source": "Socket.dev",
548
+ "technique": "North Korean APT + Windows infostealer + Discord/crypto/browser data theft",
549
+ "url": "https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages",
550
+ "severity": "critical"
551
+ },
552
+ {
553
+ "name": "100+ ML library typosquats",
554
+ "ecosystem": "pypi",
555
+ "version": "various",
556
+ "date": "2024-08",
557
+ "source": "Mend.io",
558
+ "technique": "targeting popular ML/AI libraries like TensorFlow/PyTorch with typosquats",
559
+ "url": "https://www.mend.io/blog/over-100-malicious-packages-target-popular-ml-pypi-libraries/",
560
+ "severity": "high"
561
+ },
562
+ {
563
+ "name": "MUT-8694 campaign",
564
+ "ecosystem": "npm/pypi",
565
+ "version": "various",
566
+ "date": "2025-08",
567
+ "source": "Datadog Security Labs",
568
+ "technique": "cross-ecosystem campaign targeting Windows users via npm and PyPI simultaneously",
569
+ "url": "https://securitylabs.datadoghq.com/articles/mut-8964-an-npm-and-pypi-malicious-campaign-targeting-windows-users/",
570
+ "severity": "high"
571
+ },
572
+ {
573
+ "name": "macOS-specific PyPI malware",
574
+ "ecosystem": "pypi",
575
+ "version": "various",
576
+ "date": "2024-06",
577
+ "source": "Datadog Security Labs",
578
+ "technique": "highly targeted malware checking for specific macOS machine configurations",
579
+ "url": "https://securitylabs.datadoghq.com/articles/malicious-pypi-package-targeting-highly-specific-macos-machines/",
580
+ "severity": "high"
581
+ },
582
+ {
583
+ "name": "Bitcoin library typosquats",
584
+ "ecosystem": "pypi",
585
+ "version": "various",
586
+ "date": "2024-05",
587
+ "source": "ReversingLabs",
588
+ "technique": "typosquatting popular Bitcoin libraries to steal cryptocurrency credentials",
589
+ "url": "https://www.reversinglabs.com/blog/malicious-python-packages-target-popular-bitcoin-library",
590
+ "severity": "critical"
591
+ },
592
+ {
593
+ "name": "ML model steganography",
594
+ "ecosystem": "pypi",
595
+ "version": "various",
596
+ "date": "2025-03",
597
+ "source": "ReversingLabs",
598
+ "technique": "novel attack hiding infostealer code inside ML model files (.pkl, .h5)",
599
+ "url": "https://www.reversinglabs.com/blog/malicious-attack-method-on-hosted-ml-models-now-targets-pypi",
600
+ "severity": "high"
601
+ },
602
+ {
603
+ "name": "HTTP library imposters",
604
+ "ecosystem": "pypi",
605
+ "version": "various (36+ packages)",
606
+ "date": "2024-11",
607
+ "source": "ReversingLabs",
608
+ "technique": "typosquatting requests/httpx/urllib3 + credential exfiltration",
609
+ "url": "https://www.reversinglabs.com/blog/beware-impostor-http-libraries-lurk-on-pypi",
610
+ "severity": "high"
611
+ },
612
+ {
613
+ "name": "PyPI backdoor debugger",
614
+ "ecosystem": "pypi",
615
+ "version": "various",
616
+ "date": "2024-04",
617
+ "source": "ReversingLabs",
618
+ "technique": "backdoor implant disguised as debugging utility",
619
+ "url": "https://www.reversinglabs.com/blog/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility",
620
+ "severity": "critical"
621
+ }
622
+ ]
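Review bot: The `name` and `version` fields in this new dataset mix machine-matchable identifiers with free text, so a consumer that compares rows against installed dependencies cannot do so reliably. Rows such as `"name": "Shai-Hulud campaign (796+ packages)"` or `"version": "multiple (Sept 2025)"` can never match a lockfile entry, while widely used names like `chalk`, `debug`, `rc` and `colors` would flag clean releases if the consumer (not visible here) matches on name alone. Splitting versions into an array, e.g. `"versions": ["0.7.29", "0.8.0", "1.0.0"]`, and tagging campaign rows with something like `"kind": "campaign"` would make the intent explicit; `"ecosystem": "npm/pypi"` on the MUT-8694 row also breaks the otherwise two-valued field. Several references deserve a re-check against their sources: the MUT-8694 row links to a `mut-8964` slug, the `colors` and `faker` rows cite a `node-ipc-protestware` article, and the first Shai-Hulud row is dated 2025-09 but links to a 2025/12/09 post about 2.0.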
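--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "muaddib-scanner",
- "version": "2.2.6",
+ "version": "2.2.8",
  "description": "Supply-chain threat detection & response for npm & PyPI/Python",
  "main": "src/index.js",
  "bin": {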