muaddib-scanner 2.3.3 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,184 +1,184 @@
1
- const crypto = require('crypto');
2
-
3
- /**
4
- * Canary token definitions.
5
- * Each key is an env var name, value is a prefix.
6
- * A random suffix is appended at generation time.
7
- */
8
- const CANARY_PREFIXES = {
9
- GITHUB_TOKEN: 'ghp_MUADDIB_CANARY_',
10
- NPM_TOKEN: 'npm_MUADDIB_CANARY_',
11
- AWS_ACCESS_KEY_ID: 'AKIA_MUADDIB_CANARY_',
12
- AWS_SECRET_ACCESS_KEY: 'MUADDIB_CANARY_SECRET_',
13
- GITLAB_TOKEN: 'glpat-MUADDIB_CANARY_',
14
- DOCKER_PASSWORD: 'dckr_MUADDIB_CANARY_',
15
- NPM_AUTH_TOKEN: 'npm_MUADDIB_CANARY_AUTH_',
16
- GH_TOKEN: 'ghp_MUADDIB_CANARY_GH_'
17
- };
18
-
19
- /**
20
- * Generate a unique set of canary tokens with random suffixes.
21
- * @returns {{ tokens: Record<string, string>, suffix: string }}
22
- */
23
- function generateCanaryTokens() {
24
- const suffix = crypto.randomBytes(8).toString('hex');
25
- const tokens = {};
26
- for (const [key, prefix] of Object.entries(CANARY_PREFIXES)) {
27
- tokens[key] = prefix + suffix;
28
- }
29
- return { tokens, suffix };
30
- }
31
-
32
- /**
33
- * Generate .env file content with canary tokens.
34
- * @param {Record<string, string>} tokens - The token map from generateCanaryTokens()
35
- * @returns {string} .env file content
36
- */
37
- function createCanaryEnvFile(tokens) {
38
- const lines = [];
39
- for (const [key, value] of Object.entries(tokens)) {
40
- lines.push(`${key}=${value}`);
41
- }
42
- return lines.join('\n') + '\n';
43
- }
44
-
45
- /**
46
- * Generate .npmrc file content with a canary auth token.
47
- * @param {Record<string, string>} tokens - The token map from generateCanaryTokens()
48
- * @returns {string} .npmrc file content
49
- */
50
- function createCanaryNpmrc(tokens) {
51
- return `//registry.npmjs.org/:_authToken=${tokens.NPM_AUTH_TOKEN}\n`;
52
- }
53
-
54
- /**
55
- * Search for canary tokens in network logs from sandbox.
56
- * Network log structure matches sandbox.js report.network:
57
- * dns_queries: string[], http_bodies: string[],
58
- * http_requests: [{method, host, path}], tls_connections: [{domain, ip, port}],
59
- * http_connections: [{host, port}], blocked_connections: [{ip, port}]
60
- *
61
- * @param {object} networkLogs - report.network from sandbox
62
- * @param {Record<string, string>} tokens - The token map from generateCanaryTokens()
63
- * @returns {{ detected: boolean, exfiltrations: Array<{token: string, value: string, foundIn: string, severity: string}> }}
64
- */
65
- function detectCanaryExfiltration(networkLogs, tokens) {
66
- const exfiltrations = [];
67
- if (!networkLogs || !tokens) {
68
- return { detected: false, exfiltrations };
69
- }
70
-
71
- const tokenEntries = Object.entries(tokens);
72
-
73
- // Check HTTP bodies (most direct evidence of exfiltration)
74
- for (const body of (networkLogs.http_bodies || [])) {
75
- if (!body) continue;
76
- for (const [tokenName, tokenValue] of tokenEntries) {
77
- if (body.includes(tokenValue)) {
78
- exfiltrations.push({
79
- token: tokenName,
80
- value: tokenValue,
81
- foundIn: `HTTP body: ${body.substring(0, 100)}`,
82
- severity: 'CRITICAL'
83
- });
84
- }
85
- }
86
- }
87
-
88
- // Check HTTP request URLs (token in query string or path)
89
- for (const req of (networkLogs.http_requests || [])) {
90
- const url = `${req.method || ''} ${req.host || ''}${req.path || ''}`;
91
- for (const [tokenName, tokenValue] of tokenEntries) {
92
- if (url.includes(tokenValue)) {
93
- exfiltrations.push({
94
- token: tokenName,
95
- value: tokenValue,
96
- foundIn: `HTTP request: ${url.substring(0, 100)}`,
97
- severity: 'CRITICAL'
98
- });
99
- }
100
- }
101
- }
102
-
103
- // Check DNS queries (token encoded in subdomain — DNS exfiltration)
104
- for (const domain of (networkLogs.dns_queries || [])) {
105
- if (!domain) continue;
106
- for (const [tokenName, tokenValue] of tokenEntries) {
107
- if (domain.includes(tokenValue)) {
108
- exfiltrations.push({
109
- token: tokenName,
110
- value: tokenValue,
111
- foundIn: `DNS query: ${domain}`,
112
- severity: 'CRITICAL'
113
- });
114
- }
115
- }
116
- }
117
-
118
- // Check TLS connection domains (less likely but possible)
119
- for (const tls of (networkLogs.tls_connections || [])) {
120
- const domain = tls.domain || '';
121
- for (const [tokenName, tokenValue] of tokenEntries) {
122
- if (domain.includes(tokenValue)) {
123
- exfiltrations.push({
124
- token: tokenName,
125
- value: tokenValue,
126
- foundIn: `TLS connection: ${domain}`,
127
- severity: 'CRITICAL'
128
- });
129
- }
130
- }
131
- }
132
-
133
- return { detected: exfiltrations.length > 0, exfiltrations };
134
- }
135
-
136
- /**
137
- * Search for canary tokens in process stdout/stderr output.
138
- * @param {string} stdout - Process stdout
139
- * @param {string} stderr - Process stderr
140
- * @param {Record<string, string>} tokens - The token map from generateCanaryTokens()
141
- * @returns {{ detected: boolean, exfiltrations: Array<{token: string, value: string, foundIn: string, severity: string}> }}
142
- */
143
- function detectCanaryInOutput(stdout, stderr, tokens) {
144
- const exfiltrations = [];
145
- if (!tokens) {
146
- return { detected: false, exfiltrations };
147
- }
148
-
149
- const tokenEntries = Object.entries(tokens);
150
- const sources = [
151
- { label: 'stdout', content: stdout || '' },
152
- { label: 'stderr', content: stderr || '' }
153
- ];
154
-
155
- for (const { label, content } of sources) {
156
- if (!content) continue;
157
- for (const [tokenName, tokenValue] of tokenEntries) {
158
- if (content.includes(tokenValue)) {
159
- // Find context around the match
160
- const idx = content.indexOf(tokenValue);
161
- const start = Math.max(0, idx - 30);
162
- const end = Math.min(content.length, idx + tokenValue.length + 30);
163
- const context = content.substring(start, end);
164
- exfiltrations.push({
165
- token: tokenName,
166
- value: tokenValue,
167
- foundIn: `${label}: ...${context}...`,
168
- severity: 'CRITICAL'
169
- });
170
- }
171
- }
172
- }
173
-
174
- return { detected: exfiltrations.length > 0, exfiltrations };
175
- }
176
-
177
- module.exports = {
178
- CANARY_PREFIXES,
179
- generateCanaryTokens,
180
- createCanaryEnvFile,
181
- createCanaryNpmrc,
182
- detectCanaryExfiltration,
183
- detectCanaryInOutput
184
- };
1
+ const crypto = require('crypto');
2
+
3
+ /**
4
+ * Canary token definitions.
5
+ * Each key is an env var name, value is a prefix.
6
+ * A random suffix is appended at generation time.
7
+ */
8
+ const CANARY_PREFIXES = {
9
+ GITHUB_TOKEN: 'ghp_MUADDIB_CANARY_',
10
+ NPM_TOKEN: 'npm_MUADDIB_CANARY_',
11
+ AWS_ACCESS_KEY_ID: 'AKIA_MUADDIB_CANARY_',
12
+ AWS_SECRET_ACCESS_KEY: 'MUADDIB_CANARY_SECRET_',
13
+ GITLAB_TOKEN: 'glpat-MUADDIB_CANARY_',
14
+ DOCKER_PASSWORD: 'dckr_MUADDIB_CANARY_',
15
+ NPM_AUTH_TOKEN: 'npm_MUADDIB_CANARY_AUTH_',
16
+ GH_TOKEN: 'ghp_MUADDIB_CANARY_GH_'
17
+ };
18
+
19
+ /**
20
+ * Generate a unique set of canary tokens with random suffixes.
21
+ * @returns {{ tokens: Record<string, string>, suffix: string }}
22
+ */
23
+ function generateCanaryTokens() {
24
+ const suffix = crypto.randomBytes(8).toString('hex');
25
+ const tokens = {};
26
+ for (const [key, prefix] of Object.entries(CANARY_PREFIXES)) {
27
+ tokens[key] = prefix + suffix;
28
+ }
29
+ return { tokens, suffix };
30
+ }
31
+
32
+ /**
33
+ * Generate .env file content with canary tokens.
34
+ * @param {Record<string, string>} tokens - The token map from generateCanaryTokens()
35
+ * @returns {string} .env file content
36
+ */
37
+ function createCanaryEnvFile(tokens) {
38
+ const lines = [];
39
+ for (const [key, value] of Object.entries(tokens)) {
40
+ lines.push(`${key}=${value}`);
41
+ }
42
+ return lines.join('\n') + '\n';
43
+ }
44
+
45
+ /**
46
+ * Generate .npmrc file content with a canary auth token.
47
+ * @param {Record<string, string>} tokens - The token map from generateCanaryTokens()
48
+ * @returns {string} .npmrc file content
49
+ */
50
+ function createCanaryNpmrc(tokens) {
51
+ return `//registry.npmjs.org/:_authToken=${tokens.NPM_AUTH_TOKEN}\n`;
52
+ }
53
+
54
+ /**
55
+ * Search for canary tokens in network logs from sandbox.
56
+ * Network log structure matches sandbox.js report.network:
57
+ * dns_queries: string[], http_bodies: string[],
58
+ * http_requests: [{method, host, path}], tls_connections: [{domain, ip, port}],
59
+ * http_connections: [{host, port}], blocked_connections: [{ip, port}]
60
+ *
61
+ * @param {object} networkLogs - report.network from sandbox
62
+ * @param {Record<string, string>} tokens - The token map from generateCanaryTokens()
63
+ * @returns {{ detected: boolean, exfiltrations: Array<{token: string, value: string, foundIn: string, severity: string}> }}
64
+ */
65
+ function detectCanaryExfiltration(networkLogs, tokens) {
66
+ const exfiltrations = [];
67
+ if (!networkLogs || !tokens) {
68
+ return { detected: false, exfiltrations };
69
+ }
70
+
71
+ const tokenEntries = Object.entries(tokens);
72
+
73
+ // Check HTTP bodies (most direct evidence of exfiltration)
74
+ for (const body of (networkLogs.http_bodies || [])) {
75
+ if (!body) continue;
76
+ for (const [tokenName, tokenValue] of tokenEntries) {
77
+ if (body.includes(tokenValue)) {
78
+ exfiltrations.push({
79
+ token: tokenName,
80
+ value: tokenValue,
81
+ foundIn: `HTTP body: ${body.substring(0, 100)}`,
82
+ severity: 'CRITICAL'
83
+ });
84
+ }
85
+ }
86
+ }
87
+
88
+ // Check HTTP request URLs (token in query string or path)
89
+ for (const req of (networkLogs.http_requests || [])) {
90
+ const url = `${req.method || ''} ${req.host || ''}${req.path || ''}`;
91
+ for (const [tokenName, tokenValue] of tokenEntries) {
92
+ if (url.includes(tokenValue)) {
93
+ exfiltrations.push({
94
+ token: tokenName,
95
+ value: tokenValue,
96
+ foundIn: `HTTP request: ${url.substring(0, 100)}`,
97
+ severity: 'CRITICAL'
98
+ });
99
+ }
100
+ }
101
+ }
102
+
103
+ // Check DNS queries (token encoded in subdomain — DNS exfiltration)
104
+ for (const domain of (networkLogs.dns_queries || [])) {
105
+ if (!domain) continue;
106
+ for (const [tokenName, tokenValue] of tokenEntries) {
107
+ if (domain.includes(tokenValue)) {
108
+ exfiltrations.push({
109
+ token: tokenName,
110
+ value: tokenValue,
111
+ foundIn: `DNS query: ${domain}`,
112
+ severity: 'CRITICAL'
113
+ });
114
+ }
115
+ }
116
+ }
117
+
118
+ // Check TLS connection domains (less likely but possible)
119
+ for (const tls of (networkLogs.tls_connections || [])) {
120
+ const domain = tls.domain || '';
121
+ for (const [tokenName, tokenValue] of tokenEntries) {
122
+ if (domain.includes(tokenValue)) {
123
+ exfiltrations.push({
124
+ token: tokenName,
125
+ value: tokenValue,
126
+ foundIn: `TLS connection: ${domain}`,
127
+ severity: 'CRITICAL'
128
+ });
129
+ }
130
+ }
131
+ }
132
+
133
+ return { detected: exfiltrations.length > 0, exfiltrations };
134
+ }
135
+
136
+ /**
137
+ * Search for canary tokens in process stdout/stderr output.
138
+ * @param {string} stdout - Process stdout
139
+ * @param {string} stderr - Process stderr
140
+ * @param {Record<string, string>} tokens - The token map from generateCanaryTokens()
141
+ * @returns {{ detected: boolean, exfiltrations: Array<{token: string, value: string, foundIn: string, severity: string}> }}
142
+ */
143
+ function detectCanaryInOutput(stdout, stderr, tokens) {
144
+ const exfiltrations = [];
145
+ if (!tokens) {
146
+ return { detected: false, exfiltrations };
147
+ }
148
+
149
+ const tokenEntries = Object.entries(tokens);
150
+ const sources = [
151
+ { label: 'stdout', content: stdout || '' },
152
+ { label: 'stderr', content: stderr || '' }
153
+ ];
154
+
155
+ for (const { label, content } of sources) {
156
+ if (!content) continue;
157
+ for (const [tokenName, tokenValue] of tokenEntries) {
158
+ if (content.includes(tokenValue)) {
159
+ // Find context around the match
160
+ const idx = content.indexOf(tokenValue);
161
+ const start = Math.max(0, idx - 30);
162
+ const end = Math.min(content.length, idx + tokenValue.length + 30);
163
+ const context = content.substring(start, end);
164
+ exfiltrations.push({
165
+ token: tokenName,
166
+ value: tokenValue,
167
+ foundIn: `${label}: ...${context}...`,
168
+ severity: 'CRITICAL'
169
+ });
170
+ }
171
+ }
172
+ }
173
+
174
+ return { detected: exfiltrations.length > 0, exfiltrations };
175
+ }
176
+
177
+ module.exports = {
178
+ CANARY_PREFIXES,
179
+ generateCanaryTokens,
180
+ createCanaryEnvFile,
181
+ createCanaryNpmrc,
182
+ detectCanaryExfiltration,
183
+ detectCanaryInOutput
184
+ };
package/src/index.js CHANGED
@@ -347,9 +347,18 @@ async function run(targetPath, options = {}) {
347
347
  }
348
348
  }
349
349
 
350
+ // Read package name for benign package whitelist
351
+ let packageName = null;
352
+ try {
353
+ const pkgPath = path.join(targetPath, 'package.json');
354
+ if (fs.existsSync(pkgPath)) {
355
+ packageName = JSON.parse(fs.readFileSync(pkgPath, 'utf8')).name || null;
356
+ }
357
+ } catch { /* graceful fallback */ }
358
+
350
359
  // FP reduction: legitimate frameworks produce high volumes of certain threat types.
351
360
  // A malware package typically has 1-3 occurrences, not dozens.
352
- applyFPReductions(deduped, reachableFiles);
361
+ applyFPReductions(deduped, reachableFiles, packageName);
353
362
 
354
363
  // Enrich each threat with rules
355
364
  const enrichedThreats = deduped.map(t => {