muaddib-scanner 2.3.3 → 2.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +20 -20
- package/iocs/builtin.yaml +131 -131
- package/iocs/hashes.yaml +214 -214
- package/iocs/packages.yaml +276 -276
- package/package.json +2 -1
- package/src/canary-tokens.js +184 -184
- package/src/index.js +10 -1
- package/src/ioc/bootstrap.js +181 -181
- package/src/ioc/yaml-loader.js +223 -223
- package/src/maintainer-change.js +224 -224
- package/src/output-formatter.js +192 -192
- package/src/publish-anomaly.js +206 -206
- package/src/report.js +230 -230
- package/src/response/playbooks.js +3 -0
- package/src/rules/index.js +11 -0
- package/src/sarif.js +96 -96
- package/src/scanner/ai-config.js +183 -183
- package/src/scanner/ast-detectors.js +2 -2
- package/src/scanner/ast.js +3 -4
- package/src/scanner/dataflow.js +12 -7
- package/src/scanner/deobfuscate.js +579 -591
- package/src/scanner/dependencies.js +223 -223
- package/src/scanner/hash.js +118 -118
- package/src/scanner/module-graph.js +2 -6
- package/src/scanner/npm-registry.js +128 -128
- package/src/scanner/package.js +36 -0
- package/src/scanner/python.js +442 -442
- package/src/scoring.js +33 -1
- package/src/shared/analyze-helper.js +49 -49
- package/src/shared/constants.js +113 -93
- package/src/temporal-analysis.js +260 -260
- package/src/temporal-ast-diff.js +317 -319
- package/src/temporal-runner.js +139 -139
- package/src/utils.js +327 -327
- package/src/watch.js +55 -55
package/iocs/packages.yaml
CHANGED
|
@@ -1,277 +1,277 @@
|
|
|
1
|
-
# MUAD'DIB IOCs - Packages malveillants
|
|
2
|
-
# Contribuez via PR: https://github.com/DNSZLSK/muad-dib
|
|
3
|
-
|
|
4
|
-
version: "1.0.0"
|
|
5
|
-
updated: "2026-01-01"
|
|
6
|
-
|
|
7
|
-
packages:
|
|
8
|
-
# ============================================
|
|
9
|
-
# SHAI-HULUD v1 (Septembre 2025)
|
|
10
|
-
# ============================================
|
|
11
|
-
- id: SHAI-HULUD-V1-001
|
|
12
|
-
name: "@ctrl/tinycolor"
|
|
13
|
-
version: "4.1.1"
|
|
14
|
-
severity: critical
|
|
15
|
-
confidence: high
|
|
16
|
-
source: shai-hulud-v1
|
|
17
|
-
introduced: "2025-09-01"
|
|
18
|
-
description: "Package compromis par Shai-Hulud v1 - vol de credentials npm/GitHub"
|
|
19
|
-
references:
|
|
20
|
-
- https://blog.phylum.io/shai-hulud-npm-worm
|
|
21
|
-
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
22
|
-
mitre: T1195.002
|
|
23
|
-
|
|
24
|
-
- id: SHAI-HULUD-V1-002
|
|
25
|
-
name: "ng2-file-upload"
|
|
26
|
-
version: "*"
|
|
27
|
-
severity: critical
|
|
28
|
-
confidence: high
|
|
29
|
-
source: shai-hulud-v1
|
|
30
|
-
introduced: "2025-09-01"
|
|
31
|
-
description: "Package compromis par Shai-Hulud v1"
|
|
32
|
-
references:
|
|
33
|
-
- https://blog.phylum.io/shai-hulud-npm-worm
|
|
34
|
-
mitre: T1195.002
|
|
35
|
-
|
|
36
|
-
- id: SHAI-HULUD-V1-003
|
|
37
|
-
name: "ngx-bootstrap"
|
|
38
|
-
version: "*"
|
|
39
|
-
severity: critical
|
|
40
|
-
confidence: high
|
|
41
|
-
source: shai-hulud-v1
|
|
42
|
-
introduced: "2025-09-01"
|
|
43
|
-
description: "Package compromis par Shai-Hulud v1"
|
|
44
|
-
references:
|
|
45
|
-
- https://blog.phylum.io/shai-hulud-npm-worm
|
|
46
|
-
mitre: T1195.002
|
|
47
|
-
|
|
48
|
-
# ============================================
|
|
49
|
-
# SHAI-HULUD v2 "The Second Coming" (Novembre 2025)
|
|
50
|
-
# ============================================
|
|
51
|
-
- id: SHAI-HULUD-V2-001
|
|
52
|
-
name: "@asyncapi/specs"
|
|
53
|
-
version: "*"
|
|
54
|
-
severity: critical
|
|
55
|
-
confidence: high
|
|
56
|
-
source: shai-hulud-v2
|
|
57
|
-
introduced: "2025-11-01"
|
|
58
|
-
description: "Package compromis par Shai-Hulud v2 - inclut dead man's switch"
|
|
59
|
-
references:
|
|
60
|
-
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
61
|
-
mitre: T1195.002
|
|
62
|
-
|
|
63
|
-
- id: SHAI-HULUD-V2-002
|
|
64
|
-
name: "get-them-args"
|
|
65
|
-
version: "*"
|
|
66
|
-
severity: critical
|
|
67
|
-
confidence: high
|
|
68
|
-
source: shai-hulud-v2
|
|
69
|
-
introduced: "2025-11-01"
|
|
70
|
-
description: "Package compromis par Shai-Hulud v2"
|
|
71
|
-
references:
|
|
72
|
-
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
73
|
-
mitre: T1195.002
|
|
74
|
-
|
|
75
|
-
- id: SHAI-HULUD-V2-003
|
|
76
|
-
name: "kill-port"
|
|
77
|
-
version: "*"
|
|
78
|
-
severity: critical
|
|
79
|
-
confidence: high
|
|
80
|
-
source: shai-hulud-v2
|
|
81
|
-
introduced: "2025-11-01"
|
|
82
|
-
description: "Package compromis par Shai-Hulud v2"
|
|
83
|
-
references:
|
|
84
|
-
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
85
|
-
mitre: T1195.002
|
|
86
|
-
|
|
87
|
-
- id: SHAI-HULUD-V2-004
|
|
88
|
-
name: "posthog-node"
|
|
89
|
-
version: "*"
|
|
90
|
-
severity: critical
|
|
91
|
-
confidence: high
|
|
92
|
-
source: shai-hulud-v2
|
|
93
|
-
introduced: "2025-11-01"
|
|
94
|
-
description: "Package compromis par Shai-Hulud v2"
|
|
95
|
-
references:
|
|
96
|
-
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
97
|
-
mitre: T1195.002
|
|
98
|
-
|
|
99
|
-
- id: SHAI-HULUD-V2-005
|
|
100
|
-
name: "posthog-js"
|
|
101
|
-
version: "*"
|
|
102
|
-
severity: critical
|
|
103
|
-
confidence: high
|
|
104
|
-
source: shai-hulud-v2
|
|
105
|
-
introduced: "2025-11-01"
|
|
106
|
-
description: "Package compromis par Shai-Hulud v2"
|
|
107
|
-
references:
|
|
108
|
-
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
109
|
-
mitre: T1195.002
|
|
110
|
-
|
|
111
|
-
# ============================================
|
|
112
|
-
# SHAI-HULUD v3 "Golden Path" (Decembre 2025)
|
|
113
|
-
# ============================================
|
|
114
|
-
- id: SHAI-HULUD-V3-001
|
|
115
|
-
name: "@vietmoney/react-big-calendar"
|
|
116
|
-
version: "0.26.2"
|
|
117
|
-
severity: critical
|
|
118
|
-
confidence: high
|
|
119
|
-
source: shai-hulud-v3
|
|
120
|
-
introduced: "2025-12-01"
|
|
121
|
-
description: "Package compromis par Shai-Hulud v3 Golden Path"
|
|
122
|
-
references:
|
|
123
|
-
- https://socket.dev/npm/package/@vietmoney/react-big-calendar
|
|
124
|
-
mitre: T1195.002
|
|
125
|
-
|
|
126
|
-
# ============================================
|
|
127
|
-
# ATTAQUES HISTORIQUES
|
|
128
|
-
# ============================================
|
|
129
|
-
- id: EVENT-STREAM-001
|
|
130
|
-
name: "flatmap-stream"
|
|
131
|
-
version: "0.1.1"
|
|
132
|
-
severity: critical
|
|
133
|
-
confidence: high
|
|
134
|
-
source: event-stream-2018
|
|
135
|
-
introduced: "2018-11-01"
|
|
136
|
-
description: "Payload malveillant de l'attaque event-stream - vol de Bitcoin wallets"
|
|
137
|
-
references:
|
|
138
|
-
- https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
|
|
139
|
-
mitre: T1195.002
|
|
140
|
-
|
|
141
|
-
- id: EVENT-STREAM-002
|
|
142
|
-
name: "event-stream"
|
|
143
|
-
version: "3.3.6"
|
|
144
|
-
severity: critical
|
|
145
|
-
confidence: high
|
|
146
|
-
source: event-stream-2018
|
|
147
|
-
introduced: "2018-11-01"
|
|
148
|
-
description: "Version compromise de event-stream"
|
|
149
|
-
references:
|
|
150
|
-
- https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
|
|
151
|
-
mitre: T1195.002
|
|
152
|
-
|
|
153
|
-
- id: ESLINT-SCOPE-001
|
|
154
|
-
name: "eslint-scope"
|
|
155
|
-
version: "3.7.2"
|
|
156
|
-
severity: critical
|
|
157
|
-
confidence: high
|
|
158
|
-
source: eslint-scope-2018
|
|
159
|
-
introduced: "2018-07-01"
|
|
160
|
-
description: "Version compromise de eslint-scope - vol de tokens npm"
|
|
161
|
-
references:
|
|
162
|
-
- https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
|
|
163
|
-
mitre: T1195.002
|
|
164
|
-
|
|
165
|
-
# ============================================
|
|
166
|
-
# PROTESTWARE
|
|
167
|
-
# ============================================
|
|
168
|
-
- id: PROTESTWARE-001
|
|
169
|
-
name: "node-ipc"
|
|
170
|
-
version: "10.1.1"
|
|
171
|
-
severity: critical
|
|
172
|
-
confidence: high
|
|
173
|
-
source: protestware
|
|
174
|
-
introduced: "2022-03-01"
|
|
175
|
-
description: "Protestware - supprime fichiers sur machines avec IP russe/bielorusse"
|
|
176
|
-
references:
|
|
177
|
-
- https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
|
|
178
|
-
mitre: T1485
|
|
179
|
-
|
|
180
|
-
- id: PROTESTWARE-002
|
|
181
|
-
name: "node-ipc"
|
|
182
|
-
version: "10.1.2"
|
|
183
|
-
severity: critical
|
|
184
|
-
confidence: high
|
|
185
|
-
source: protestware
|
|
186
|
-
introduced: "2022-03-01"
|
|
187
|
-
description: "Protestware - version modifiee"
|
|
188
|
-
references:
|
|
189
|
-
- https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
|
|
190
|
-
mitre: T1485
|
|
191
|
-
|
|
192
|
-
- id: PROTESTWARE-002b
|
|
193
|
-
name: "peacenotwar"
|
|
194
|
-
version: "*"
|
|
195
|
-
severity: critical
|
|
196
|
-
confidence: high
|
|
197
|
-
source: protestware
|
|
198
|
-
introduced: "2022-03-01"
|
|
199
|
-
description: "Protestware dependency - deposite fichier texte sur le bureau via node-ipc"
|
|
200
|
-
references:
|
|
201
|
-
- https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
|
|
202
|
-
mitre: T1485
|
|
203
|
-
|
|
204
|
-
- id: PROTESTWARE-003
|
|
205
|
-
name: "colors"
|
|
206
|
-
version: "1.4.1"
|
|
207
|
-
severity: high
|
|
208
|
-
confidence: high
|
|
209
|
-
source: protestware
|
|
210
|
-
introduced: "2022-01-01"
|
|
211
|
-
description: "Protestware - boucle infinie intentionnelle"
|
|
212
|
-
references:
|
|
213
|
-
- https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
|
|
214
|
-
mitre: T1499
|
|
215
|
-
|
|
216
|
-
- id: PROTESTWARE-004
|
|
217
|
-
name: "faker"
|
|
218
|
-
version: "6.6.6"
|
|
219
|
-
severity: high
|
|
220
|
-
confidence: high
|
|
221
|
-
source: protestware
|
|
222
|
-
introduced: "2022-01-01"
|
|
223
|
-
description: "Protestware - sabotage intentionnel"
|
|
224
|
-
references:
|
|
225
|
-
- https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
|
|
226
|
-
mitre: T1499
|
|
227
|
-
|
|
228
|
-
# ============================================
|
|
229
|
-
# TYPOSQUATS
|
|
230
|
-
# ============================================
|
|
231
|
-
- id: TYPOSQUAT-001
|
|
232
|
-
name: "crossenv"
|
|
233
|
-
version: "*"
|
|
234
|
-
severity: high
|
|
235
|
-
confidence: high
|
|
236
|
-
source: typosquat
|
|
237
|
-
introduced: "2017-08-01"
|
|
238
|
-
description: "Typosquat de cross-env - vol de variables d'environnement"
|
|
239
|
-
references:
|
|
240
|
-
- https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
|
|
241
|
-
mitre: T1195.002
|
|
242
|
-
|
|
243
|
-
- id: TYPOSQUAT-002
|
|
244
|
-
name: "mongose"
|
|
245
|
-
version: "*"
|
|
246
|
-
severity: high
|
|
247
|
-
confidence: high
|
|
248
|
-
source: typosquat
|
|
249
|
-
introduced: "2017-08-01"
|
|
250
|
-
description: "Typosquat de mongoose"
|
|
251
|
-
references:
|
|
252
|
-
- https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
|
|
253
|
-
mitre: T1195.002
|
|
254
|
-
|
|
255
|
-
- id: TYPOSQUAT-003
|
|
256
|
-
name: "babelcli"
|
|
257
|
-
version: "*"
|
|
258
|
-
severity: high
|
|
259
|
-
confidence: high
|
|
260
|
-
source: typosquat
|
|
261
|
-
introduced: "2017-08-01"
|
|
262
|
-
description: "Typosquat de babel-cli"
|
|
263
|
-
references:
|
|
264
|
-
- https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
|
|
265
|
-
mitre: T1195.002
|
|
266
|
-
|
|
267
|
-
- id: TYPOSQUAT-004
|
|
268
|
-
name: "lodahs"
|
|
269
|
-
version: "*"
|
|
270
|
-
severity: high
|
|
271
|
-
confidence: high
|
|
272
|
-
source: typosquat
|
|
273
|
-
introduced: "2019-01-01"
|
|
274
|
-
description: "Typosquat de lodash"
|
|
275
|
-
references:
|
|
276
|
-
- https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/
|
|
1
|
+
# MUAD'DIB IOCs - Packages malveillants
|
|
2
|
+
# Contribuez via PR: https://github.com/DNSZLSK/muad-dib
|
|
3
|
+
|
|
4
|
+
version: "1.0.0"
|
|
5
|
+
updated: "2026-01-01"
|
|
6
|
+
|
|
7
|
+
packages:
|
|
8
|
+
# ============================================
|
|
9
|
+
# SHAI-HULUD v1 (Septembre 2025)
|
|
10
|
+
# ============================================
|
|
11
|
+
- id: SHAI-HULUD-V1-001
|
|
12
|
+
name: "@ctrl/tinycolor"
|
|
13
|
+
version: "4.1.1"
|
|
14
|
+
severity: critical
|
|
15
|
+
confidence: high
|
|
16
|
+
source: shai-hulud-v1
|
|
17
|
+
introduced: "2025-09-01"
|
|
18
|
+
description: "Package compromis par Shai-Hulud v1 - vol de credentials npm/GitHub"
|
|
19
|
+
references:
|
|
20
|
+
- https://blog.phylum.io/shai-hulud-npm-worm
|
|
21
|
+
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
22
|
+
mitre: T1195.002
|
|
23
|
+
|
|
24
|
+
- id: SHAI-HULUD-V1-002
|
|
25
|
+
name: "ng2-file-upload"
|
|
26
|
+
version: "*"
|
|
27
|
+
severity: critical
|
|
28
|
+
confidence: high
|
|
29
|
+
source: shai-hulud-v1
|
|
30
|
+
introduced: "2025-09-01"
|
|
31
|
+
description: "Package compromis par Shai-Hulud v1"
|
|
32
|
+
references:
|
|
33
|
+
- https://blog.phylum.io/shai-hulud-npm-worm
|
|
34
|
+
mitre: T1195.002
|
|
35
|
+
|
|
36
|
+
- id: SHAI-HULUD-V1-003
|
|
37
|
+
name: "ngx-bootstrap"
|
|
38
|
+
version: "*"
|
|
39
|
+
severity: critical
|
|
40
|
+
confidence: high
|
|
41
|
+
source: shai-hulud-v1
|
|
42
|
+
introduced: "2025-09-01"
|
|
43
|
+
description: "Package compromis par Shai-Hulud v1"
|
|
44
|
+
references:
|
|
45
|
+
- https://blog.phylum.io/shai-hulud-npm-worm
|
|
46
|
+
mitre: T1195.002
|
|
47
|
+
|
|
48
|
+
# ============================================
|
|
49
|
+
# SHAI-HULUD v2 "The Second Coming" (Novembre 2025)
|
|
50
|
+
# ============================================
|
|
51
|
+
- id: SHAI-HULUD-V2-001
|
|
52
|
+
name: "@asyncapi/specs"
|
|
53
|
+
version: "*"
|
|
54
|
+
severity: critical
|
|
55
|
+
confidence: high
|
|
56
|
+
source: shai-hulud-v2
|
|
57
|
+
introduced: "2025-11-01"
|
|
58
|
+
description: "Package compromis par Shai-Hulud v2 - inclut dead man's switch"
|
|
59
|
+
references:
|
|
60
|
+
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
61
|
+
mitre: T1195.002
|
|
62
|
+
|
|
63
|
+
- id: SHAI-HULUD-V2-002
|
|
64
|
+
name: "get-them-args"
|
|
65
|
+
version: "*"
|
|
66
|
+
severity: critical
|
|
67
|
+
confidence: high
|
|
68
|
+
source: shai-hulud-v2
|
|
69
|
+
introduced: "2025-11-01"
|
|
70
|
+
description: "Package compromis par Shai-Hulud v2"
|
|
71
|
+
references:
|
|
72
|
+
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
73
|
+
mitre: T1195.002
|
|
74
|
+
|
|
75
|
+
- id: SHAI-HULUD-V2-003
|
|
76
|
+
name: "kill-port"
|
|
77
|
+
version: "*"
|
|
78
|
+
severity: critical
|
|
79
|
+
confidence: high
|
|
80
|
+
source: shai-hulud-v2
|
|
81
|
+
introduced: "2025-11-01"
|
|
82
|
+
description: "Package compromis par Shai-Hulud v2"
|
|
83
|
+
references:
|
|
84
|
+
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
85
|
+
mitre: T1195.002
|
|
86
|
+
|
|
87
|
+
- id: SHAI-HULUD-V2-004
|
|
88
|
+
name: "posthog-node"
|
|
89
|
+
version: "*"
|
|
90
|
+
severity: critical
|
|
91
|
+
confidence: high
|
|
92
|
+
source: shai-hulud-v2
|
|
93
|
+
introduced: "2025-11-01"
|
|
94
|
+
description: "Package compromis par Shai-Hulud v2"
|
|
95
|
+
references:
|
|
96
|
+
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
97
|
+
mitre: T1195.002
|
|
98
|
+
|
|
99
|
+
- id: SHAI-HULUD-V2-005
|
|
100
|
+
name: "posthog-js"
|
|
101
|
+
version: "*"
|
|
102
|
+
severity: critical
|
|
103
|
+
confidence: high
|
|
104
|
+
source: shai-hulud-v2
|
|
105
|
+
introduced: "2025-11-01"
|
|
106
|
+
description: "Package compromis par Shai-Hulud v2"
|
|
107
|
+
references:
|
|
108
|
+
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
|
|
109
|
+
mitre: T1195.002
|
|
110
|
+
|
|
111
|
+
# ============================================
|
|
112
|
+
# SHAI-HULUD v3 "Golden Path" (Decembre 2025)
|
|
113
|
+
# ============================================
|
|
114
|
+
- id: SHAI-HULUD-V3-001
|
|
115
|
+
name: "@vietmoney/react-big-calendar"
|
|
116
|
+
version: "0.26.2"
|
|
117
|
+
severity: critical
|
|
118
|
+
confidence: high
|
|
119
|
+
source: shai-hulud-v3
|
|
120
|
+
introduced: "2025-12-01"
|
|
121
|
+
description: "Package compromis par Shai-Hulud v3 Golden Path"
|
|
122
|
+
references:
|
|
123
|
+
- https://socket.dev/npm/package/@vietmoney/react-big-calendar
|
|
124
|
+
mitre: T1195.002
|
|
125
|
+
|
|
126
|
+
# ============================================
|
|
127
|
+
# ATTAQUES HISTORIQUES
|
|
128
|
+
# ============================================
|
|
129
|
+
- id: EVENT-STREAM-001
|
|
130
|
+
name: "flatmap-stream"
|
|
131
|
+
version: "0.1.1"
|
|
132
|
+
severity: critical
|
|
133
|
+
confidence: high
|
|
134
|
+
source: event-stream-2018
|
|
135
|
+
introduced: "2018-11-01"
|
|
136
|
+
description: "Payload malveillant de l'attaque event-stream - vol de Bitcoin wallets"
|
|
137
|
+
references:
|
|
138
|
+
- https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
|
|
139
|
+
mitre: T1195.002
|
|
140
|
+
|
|
141
|
+
- id: EVENT-STREAM-002
|
|
142
|
+
name: "event-stream"
|
|
143
|
+
version: "3.3.6"
|
|
144
|
+
severity: critical
|
|
145
|
+
confidence: high
|
|
146
|
+
source: event-stream-2018
|
|
147
|
+
introduced: "2018-11-01"
|
|
148
|
+
description: "Version compromise de event-stream"
|
|
149
|
+
references:
|
|
150
|
+
- https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
|
|
151
|
+
mitre: T1195.002
|
|
152
|
+
|
|
153
|
+
- id: ESLINT-SCOPE-001
|
|
154
|
+
name: "eslint-scope"
|
|
155
|
+
version: "3.7.2"
|
|
156
|
+
severity: critical
|
|
157
|
+
confidence: high
|
|
158
|
+
source: eslint-scope-2018
|
|
159
|
+
introduced: "2018-07-01"
|
|
160
|
+
description: "Version compromise de eslint-scope - vol de tokens npm"
|
|
161
|
+
references:
|
|
162
|
+
- https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
|
|
163
|
+
mitre: T1195.002
|
|
164
|
+
|
|
165
|
+
# ============================================
|
|
166
|
+
# PROTESTWARE
|
|
167
|
+
# ============================================
|
|
168
|
+
- id: PROTESTWARE-001
|
|
169
|
+
name: "node-ipc"
|
|
170
|
+
version: "10.1.1"
|
|
171
|
+
severity: critical
|
|
172
|
+
confidence: high
|
|
173
|
+
source: protestware
|
|
174
|
+
introduced: "2022-03-01"
|
|
175
|
+
description: "Protestware - supprime fichiers sur machines avec IP russe/bielorusse"
|
|
176
|
+
references:
|
|
177
|
+
- https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
|
|
178
|
+
mitre: T1485
|
|
179
|
+
|
|
180
|
+
- id: PROTESTWARE-002
|
|
181
|
+
name: "node-ipc"
|
|
182
|
+
version: "10.1.2"
|
|
183
|
+
severity: critical
|
|
184
|
+
confidence: high
|
|
185
|
+
source: protestware
|
|
186
|
+
introduced: "2022-03-01"
|
|
187
|
+
description: "Protestware - version modifiee"
|
|
188
|
+
references:
|
|
189
|
+
- https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
|
|
190
|
+
mitre: T1485
|
|
191
|
+
|
|
192
|
+
- id: PROTESTWARE-002b
|
|
193
|
+
name: "peacenotwar"
|
|
194
|
+
version: "*"
|
|
195
|
+
severity: critical
|
|
196
|
+
confidence: high
|
|
197
|
+
source: protestware
|
|
198
|
+
introduced: "2022-03-01"
|
|
199
|
+
description: "Protestware dependency - deposite fichier texte sur le bureau via node-ipc"
|
|
200
|
+
references:
|
|
201
|
+
- https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
|
|
202
|
+
mitre: T1485
|
|
203
|
+
|
|
204
|
+
- id: PROTESTWARE-003
|
|
205
|
+
name: "colors"
|
|
206
|
+
version: "1.4.1"
|
|
207
|
+
severity: high
|
|
208
|
+
confidence: high
|
|
209
|
+
source: protestware
|
|
210
|
+
introduced: "2022-01-01"
|
|
211
|
+
description: "Protestware - boucle infinie intentionnelle"
|
|
212
|
+
references:
|
|
213
|
+
- https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
|
|
214
|
+
mitre: T1499
|
|
215
|
+
|
|
216
|
+
- id: PROTESTWARE-004
|
|
217
|
+
name: "faker"
|
|
218
|
+
version: "6.6.6"
|
|
219
|
+
severity: high
|
|
220
|
+
confidence: high
|
|
221
|
+
source: protestware
|
|
222
|
+
introduced: "2022-01-01"
|
|
223
|
+
description: "Protestware - sabotage intentionnel"
|
|
224
|
+
references:
|
|
225
|
+
- https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
|
|
226
|
+
mitre: T1499
|
|
227
|
+
|
|
228
|
+
# ============================================
|
|
229
|
+
# TYPOSQUATS
|
|
230
|
+
# ============================================
|
|
231
|
+
- id: TYPOSQUAT-001
|
|
232
|
+
name: "crossenv"
|
|
233
|
+
version: "*"
|
|
234
|
+
severity: high
|
|
235
|
+
confidence: high
|
|
236
|
+
source: typosquat
|
|
237
|
+
introduced: "2017-08-01"
|
|
238
|
+
description: "Typosquat de cross-env - vol de variables d'environnement"
|
|
239
|
+
references:
|
|
240
|
+
- https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
|
|
241
|
+
mitre: T1195.002
|
|
242
|
+
|
|
243
|
+
- id: TYPOSQUAT-002
|
|
244
|
+
name: "mongose"
|
|
245
|
+
version: "*"
|
|
246
|
+
severity: high
|
|
247
|
+
confidence: high
|
|
248
|
+
source: typosquat
|
|
249
|
+
introduced: "2017-08-01"
|
|
250
|
+
description: "Typosquat de mongoose"
|
|
251
|
+
references:
|
|
252
|
+
- https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
|
|
253
|
+
mitre: T1195.002
|
|
254
|
+
|
|
255
|
+
- id: TYPOSQUAT-003
|
|
256
|
+
name: "babelcli"
|
|
257
|
+
version: "*"
|
|
258
|
+
severity: high
|
|
259
|
+
confidence: high
|
|
260
|
+
source: typosquat
|
|
261
|
+
introduced: "2017-08-01"
|
|
262
|
+
description: "Typosquat de babel-cli"
|
|
263
|
+
references:
|
|
264
|
+
- https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
|
|
265
|
+
mitre: T1195.002
|
|
266
|
+
|
|
267
|
+
- id: TYPOSQUAT-004
|
|
268
|
+
name: "lodahs"
|
|
269
|
+
version: "*"
|
|
270
|
+
severity: high
|
|
271
|
+
confidence: high
|
|
272
|
+
source: typosquat
|
|
273
|
+
introduced: "2019-01-01"
|
|
274
|
+
description: "Typosquat de lodash"
|
|
275
|
+
references:
|
|
276
|
+
- https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/
|
|
277
277
|
mitre: T1195.002
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "muaddib-scanner",
|
|
3
|
-
"version": "2.
|
|
3
|
+
"version": "2.4.0",
|
|
4
4
|
"description": "Supply-chain threat detection & response for npm & PyPI/Python",
|
|
5
5
|
"main": "src/index.js",
|
|
6
6
|
"bin": {
|
|
@@ -50,6 +50,7 @@
|
|
|
50
50
|
"adm-zip": "0.5.16",
|
|
51
51
|
"chalk": "5.6.2",
|
|
52
52
|
"js-yaml": "4.1.1",
|
|
53
|
+
"loadash": "^1.0.0",
|
|
53
54
|
"yargs": "18.0.0"
|
|
54
55
|
},
|
|
55
56
|
"devDependencies": {
|