muaddib-scanner 2.3.1 → 2.3.3

package/README.md

@@ -21,7 +21,7 @@
 </p>
 
 <p align="center">
-  <a href="README.fr.md">Version francaise</a>
+  <a href="docs/README.fr.md">Version francaise</a>
 </p>
 
 ---
@@ -285,7 +285,7 @@ Add to `.pre-commit-config.yaml`:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.2.24
+    rev: v2.3.1
     hooks:
       - id: muaddib-scan        # Scan all threats
       # - id: muaddib-diff      # Or: only new threats
@@ -641,7 +641,7 @@ Alerts appear in Security > Code scanning alerts.
 ## Architecture
 
 ```
-MUAD'DIB 2.2.24 Scanner
+MUAD'DIB 2.3.1 Scanner
 |
 +-- IOC Match (225,000+ packages, JSON DB)
 |   +-- OSV.dev npm dump (200K+ MAL-* entries)
@@ -663,7 +663,7 @@ MUAD'DIB 2.2.24 Scanner
 |   +-- 3-hop re-export chains, class method analysis
 |   +-- Cross-file credential read -> network sink detection
 |
-+-- 14 Parallel Scanners (94 rules)
++-- 14 Parallel Scanners (102 rules)
 |   +-- AST Parse (acorn) — eval/Function, credential CLI theft, binary droppers, prototype hooks
 |   +-- Pattern Matching (shell, scripts)
 |   +-- Obfuscation Detection (skip .min.js, ignore hex/unicode alone)
@@ -689,11 +689,13 @@ MUAD'DIB 2.2.24 Scanner
 |   +-- Score Breakdown (explainable per-rule scoring)
 |   +-- Threat Feed API (HTTP server, JSON feed for SIEM)
 |
-+-- FP Reduction Post-processing (v2.2.8-v2.2.9)
-|   +-- Count-based severity downgrade (dynamic_require, dataflow, etc.)
-|   +-- Framework prototype scoring cap
-|   +-- Obfuscation in dist/build → LOW
++-- FP Reduction Post-processing (v2.2.8-v2.2.9, v2.3.0-v2.3.1)
+|   +-- Count-based severity downgrade (dynamic_require, dataflow, module_compile, etc.)
+|   +-- Framework prototype scoring cap + HTTP client whitelist
+|   +-- Obfuscation in dist/build/.cjs/.mjs → LOW
 |   +-- Safe env var + prefix filtering
+|   +-- Dataflow telemetry source categorization (os.platform/arch → telemetry_read)
+|   +-- DEP whitelist (es5-ext, bootstrap-sass) + npm alias skip
 |
 +-- Per-File Max Scoring (v2.2.11)
 |   +-- Score = max(file_scores) + package_level_score
@@ -721,9 +723,8 @@ Output (CLI, JSON, HTML, SARIF, Webhook, Threat Feed)
 | Metric | Result | Details |
 |--------|--------|---------|
 | **TPR** (Ground Truth) | **91.8%** (45/49) | 51 real-world attacks (49 active). 4 out-of-scope: browser-only (3) + FP-risky (1) |
-| **FPR** (Standard packages) | **6.2%** (18/290) | Packages with <10 JS files — typical libraries and tools |
-| **FPR** (Benign, global) | **~13%** (69/527) | 529 npm packages, real source code via `npm pack`, threshold > 20 |
-| **ADR** (Adversarial + Holdout) | **100%** (78/78) | 38 adversarial + 40 holdout evasive samples across 5 red-team waves |
+| **FPR** (Benign, global) | **7.4%** (39/525) | 529 npm packages (525 scanned), real source code via `npm pack`, threshold > 20 |
+| **ADR** (Adversarial + Holdout) | **98.7%** (77/78) | 38 adversarial + 40 holdout evasive samples. 1 documented miss: `require-cache-poison` (accepted trade-off) |
 
 **FPR by package size** — FPR correlates linearly with package size. Per-file max scoring (v2.2.11) significantly reduces FP on medium/large packages:
 
@@ -734,7 +735,7 @@ Output (CLI, JSON, HTML, SARIF, Webhook, Threat Feed)
 | Large (50-100 JS files) | 40 | 10 | 25.0% |
 | Very large (100+ JS files) | 62 | 25 | 40.3% |
 
-**FPR progression**: 0% (invalid, empty dirs, v2.2.0-v2.2.6) → 38% (first real measurement, v2.2.7) → 19.4% (v2.2.8) → 17.5% (v2.2.9) → **~13%** (v2.2.11, per-file max scoring)
+**FPR progression**: 0% (invalid, empty dirs, v2.2.0-v2.2.6) → 38% (first real measurement, v2.2.7) → 19.4% (v2.2.8) → 17.5% (v2.2.9) → ~13% (v2.2.11, per-file max scoring) → 8.9% (v2.3.0, P2) → **7.4%** (v2.3.1, P3)
 
 **Holdout progression** (pre-tuning scores, rules frozen):
 
@@ -748,10 +749,10 @@ Output (CLI, JSON, HTML, SARIF, Webhook, Threat Feed)
 
 - **TPR** (True Positive Rate): detection rate on 49 real-world supply-chain attacks (event-stream, ua-parser-js, coa, flatmap-stream, eslint-scope, solana-web3js, and 43 more). 4 misses are browser-only (lottie-player, polyfill-io, trojanized-jquery) or risky to fix (websocket-rat) — see [Threat Model](docs/threat-model.md).
 - **FPR** (False Positive Rate): packages scoring > 20 out of 529 real npm packages (source code scanned, not empty dirs). The 6.2% on standard packages (<10 JS files, 290 packages) is the most representative metric for typical use — most npm packages are small.
-- **ADR** (Adversarial Detection Rate): detection rate on 75 evasive malicious samples — 35 adversarial (4 red-team waves) + 40 holdout (5 batches of 10, testing obfuscation, inter-module dataflow, etc.)
+- **ADR** (Adversarial Detection Rate): detection rate on 78 evasive malicious samples — 38 adversarial + 40 holdout (5 batches of 10, testing obfuscation, inter-module dataflow, etc.). 1 documented miss: `require-cache-poison` (score 10 < threshold 20, accepted trade-off from FP reduction P3).
 - **Holdout** (pre-tuning): detection rate on 10 unseen samples with rules frozen (measures generalization)
 
-Datasets: 529 npm + 132 PyPI benign packages, 78 adversarial/holdout samples, 51 ground-truth attacks (65 documented malware packages). **1317 tests**, 86% code coverage.
+Datasets: 529 npm + 132 PyPI benign packages, 78 adversarial/holdout samples, 51 ground-truth attacks (65 documented malware packages). **1387 tests**, 86% code coverage.
 
 See [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) for the full experimental protocol.
 
@@ -787,11 +788,11 @@ npm test
 
 ### Testing
 
-- **1317 unit/integration tests** across 20 modular test files - 86% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
+- **1387 unit/integration tests** across 20 modular test files - 86% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
 - **56 fuzz tests** - Malformed YAML, invalid JSON, binary files, ReDoS, unicode, 10MB inputs
-- **78 adversarial/holdout samples** - 38 adversarial + 40 holdout, 78/78 detection rate (100% ADR)
+- **78 adversarial/holdout samples** - 38 adversarial + 40 holdout, 77/78 detection rate (98.7% ADR). 1 documented miss: `require-cache-poison` (accepted trade-off)
 - **Ground truth validation** - 51 real-world attacks (45/49 detected = 91.8% TPR). 4 out-of-scope: browser-only (3) + FP-risky (1)
-- **False positive validation** - 6.2% FPR on standard packages (18/290), ~13% global (69/527) on real npm source code via `npm pack`
+- **False positive validation** - 7.4% FPR global (39/525) on real npm source code via `npm pack`
 - **ESLint security audit** - `eslint-plugin-security` with 14 rules enabled
 
 ---

package/bin/muaddib.js

@@ -3,7 +3,6 @@ const { exec } = require('child_process');
 const { run } = require('../src/index.js');
 const { updateIOCs } = require('../src/ioc/updater.js');
 const { watch } = require('../src/watch.js');
-const { startDaemon } = require('../src/daemon.js');
 const { runScraper } = require('../src/ioc/scraper.js');
 const { safeInstall } = require('../src/safe-install.js');
 const { buildSandboxImage, runSandbox, generateNetworkReport } = require('../src/sandbox.js');
@@ -279,6 +278,7 @@ async function interactiveMenu() {
         message: 'Webhook URL:'
       });
     }
+    const { startDaemon } = require('../src/daemon.js');
     startDaemon({ webhook });
   }
 
@@ -593,6 +593,7 @@ if (command === 'version' || command === '--version' || command === '-v') {
     });
   }
 } else if (command === 'daemon') {
+  const { startDaemon } = require('../src/daemon.js');
   startDaemon({ webhook: webhookUrl });
 } else if (command === 'install' || command === 'i') {
   const packages = options.filter(o => !o.startsWith('-'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.3.1",
+  "version": "2.3.3",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {