muaddib-scanner 2.4.3 → 2.4.5

package/src/scanner/ai-config.js

@@ -1,183 +1,183 @@
-/**
- * AI Config Injection Scanner
- *
- * Detects prompt injection attacks hidden in AI agent configuration files:
- * .cursorrules, CLAUDE.md, AGENT.md, .github/copilot-instructions.md,
- * copilot-setup-steps.yml, .cursorignore, .windsurfrules, etc.
- *
- * These files are designed to be read by AI coding assistants and may contain
- * hidden instructions to execute shell commands, exfiltrate secrets, or
- * download and run remote payloads.
- *
- * References:
- * - ToxicSkills (Snyk, Feb 2026)
- * - NVIDIA AI agent security guidance
- * - arxiv 2601.17548 (prompt injection in AI agents)
- * - Clinejection (Snyk, Feb 2026)
- */
-
-const fs = require('fs');
-const path = require('path');
-
-// AI agent config files to scan (relative to project root)
-const AI_CONFIG_FILES = [
-  '.cursorrules',
-  '.cursorignore',
-  '.windsurfrules',
-  'CLAUDE.md',
-  'AGENT.md',
-  '.github/copilot-instructions.md',
-  'copilot-setup-steps.yml',
-  '.github/copilot-setup-steps.yml'
-];
-
-// Dangerous shell command patterns in AI config files
-const SHELL_COMMAND_PATTERNS = [
-  // Download and execute
-  { regex: /curl\s+[^\n]*\|\s*(sh|bash|zsh)\b/i, label: 'curl pipe to shell', critical: true },
-  { regex: /wget\s+[^\n]*\|\s*(sh|bash|zsh)\b/i, label: 'wget pipe to shell', critical: true },
-  { regex: /curl\s+-[sS]*L?\s+https?:\/\/[^\s"']+\s*\|\s*(sh|bash)/i, label: 'curl download and execute', critical: true },
-  { regex: /wget\s+-[qQ]*O?-?\s+https?:\/\/[^\s"']+\s*\|\s*(sh|bash)/i, label: 'wget download and execute', critical: true },
-
-  // Direct shell execution
-  { regex: /\beval\s*\(/i, label: 'eval() call', critical: false },
-  { regex: /\bexec\s*\(/i, label: 'exec() call', critical: false },
-  { regex: /\bsource\s+\.env\b/i, label: 'source .env', critical: false },
-  { regex: /\bsh\s+-c\s+["']/i, label: 'sh -c execution', critical: false },
-  { regex: /\bbash\s+-c\s+["']/i, label: 'bash -c execution', critical: false },
-  { regex: /\bnode\s+-e\s+["']/i, label: 'node -e inline execution', critical: false },
-  { regex: /\bpython[3]?\s+-c\s+["']/i, label: 'python -c inline execution', critical: false }
-];
-
-// Exfiltration patterns — sending data to external endpoints
-const EXFIL_PATTERNS = [
-  { regex: /curl\s+[^\n]*-X\s*POST\s+[^\n]*https?:\/\/(?!api\.github\.com|registry\.npmjs\.org)[^\s"']+/i, label: 'curl POST to external endpoint' },
-  { regex: /curl\s+[^\n]*-d\s+[^\n]*https?:\/\/(?!api\.github\.com|registry\.npmjs\.org)[^\s"']+/i, label: 'curl data upload to external endpoint' },
-  { regex: /curl\s+[^\n]*https?:\/\/(?!api\.github\.com|registry\.npmjs\.org)[^\s"']+[^\n]*-d\s/i, label: 'curl data upload to external endpoint' },
-  { regex: /\|\s*curl\s+[^\n]*https?:\/\/(?!api\.github\.com|registry\.npmjs\.org)/i, label: 'pipe output to curl' },
-  { regex: /\|\s*base64\s*\|\s*curl/i, label: 'base64 encode and send via curl' }
-];
-
-// Credential access patterns — reading sensitive files/vars
-const CREDENTIAL_ACCESS_PATTERNS = [
-  { regex: /cat\s+~?\/?\.ssh\/id_/i, label: 'read SSH private key' },
-  { regex: /cat\s+~?\/?\.npmrc/i, label: 'read .npmrc tokens' },
-  { regex: /cat\s+~?\/?\.aws\/credentials/i, label: 'read AWS credentials' },
-  { regex: /cat\s+~?\/?\.env\b/i, label: 'read .env file' },
-  { regex: /cat\s+~?\/?\.gnupg\//i, label: 'read GPG keys' },
-  { regex: /\$GITHUB_TOKEN|\$GH_TOKEN|\$NPM_TOKEN|\$AWS_SECRET_ACCESS_KEY|\$DISCORD_TOKEN/i, label: 'reference to secret env var' },
-  { regex: /grep\s+[^\n]*(TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL)[^\n]*/i, label: 'grep for secrets' },
-  { regex: /env\s*\|\s*grep\s+[^\n]*(TOKEN|KEY|SECRET|PASSWORD)/i, label: 'env grep for secrets' }
-];
-
-// Instruction patterns — AI prompt injection directives
-const INJECTION_INSTRUCTION_PATTERNS = [
-  { regex: /before\s+(reviewing|running|any|code|generating)[^\n]*(run|execute|source):/i, label: 'instruction to execute before review' },
-  { regex: /always\s+run\s+[^\n]*(before|first|initially)/i, label: 'instruction to always run command' },
-  { regex: /send\s+(contents?|data|output|results?)\s+(to|via)\s+https?:\/\//i, label: 'instruction to send data to URL' },
-  { regex: /upload\s+[^\n]*(to|via)\s+https?:\/\//i, label: 'instruction to upload to URL' },
-  { regex: /do\s+not\s+(display|show|output|mention|tell)/i, label: 'instruction to hide activity' }
-];
-
-/**
- * Scan AI config files for prompt injection
- */
-function scanAIConfig(targetPath) {
-  const threats = [];
-
-  for (const configFile of AI_CONFIG_FILES) {
-    const filePath = path.join(targetPath, configFile);
-
-    if (!fs.existsSync(filePath)) continue;
-
-    let content;
-    try {
-      const stat = fs.statSync(filePath);
-      if (stat.size > 1024 * 1024) continue; // Skip files > 1MB
-      content = fs.readFileSync(filePath, 'utf8');
-    } catch {
-      continue;
-    }
-
-    const relPath = configFile;
-    const fileThreats = analyzeAIConfigFile(content, relPath);
-    threats.push(...fileThreats);
-  }
-
-  return threats;
-}
-
-/**
- * Analyze a single AI config file for prompt injection patterns
- */
-function analyzeAIConfigFile(content, relPath) {
-  const threats = [];
-  let hasShellCommand = false;
-  let hasExfiltration = false;
-  let hasCredentialAccess = false;
-
-  // Check shell command patterns
-  for (const pattern of SHELL_COMMAND_PATTERNS) {
-    if (pattern.regex.test(content)) {
-      hasShellCommand = true;
-      threats.push({
-        type: pattern.critical ? 'ai_config_injection_critical' : 'ai_config_injection',
-        severity: pattern.critical ? 'CRITICAL' : 'HIGH',
-        message: `AI config prompt injection: ${pattern.label} in ${relPath}`,
-        file: relPath
-      });
-    }
-  }
-
-  // Check exfiltration patterns
-  for (const pattern of EXFIL_PATTERNS) {
-    if (pattern.regex.test(content)) {
-      hasExfiltration = true;
-      threats.push({
-        type: 'ai_config_injection_critical',
-        severity: 'CRITICAL',
-        message: `AI config exfiltration: ${pattern.label} in ${relPath}`,
-        file: relPath
-      });
-    }
-  }
-
-  // Check credential access patterns
-  for (const pattern of CREDENTIAL_ACCESS_PATTERNS) {
-    if (pattern.regex.test(content)) {
-      hasCredentialAccess = true;
-      threats.push({
-        type: 'ai_config_injection',
-        severity: 'HIGH',
-        message: `AI config credential access: ${pattern.label} in ${relPath}`,
-        file: relPath
-      });
-    }
-  }
-
-  // Check injection instruction patterns
-  for (const pattern of INJECTION_INSTRUCTION_PATTERNS) {
-    if (pattern.regex.test(content)) {
-      threats.push({
-        type: 'ai_config_injection',
-        severity: 'HIGH',
-        message: `AI config prompt injection: ${pattern.label} in ${relPath}`,
-        file: relPath
-      });
-    }
-  }
-
-  // Compound detection: shell + exfil or credential access → escalate
-  if (hasShellCommand && (hasExfiltration || hasCredentialAccess)) {
-    threats.push({
-      type: 'ai_config_injection_critical',
-      severity: 'CRITICAL',
-      message: `AI config compound attack: shell commands + ${hasExfiltration ? 'exfiltration' : 'credential access'} in ${relPath} — ToxicSkills/Clinejection pattern.`,
-      file: relPath
-    });
-  }
-
-  return threats;
-}
-
-module.exports = { scanAIConfig };
+/**
+ * AI Config Injection Scanner
+ *
+ * Detects prompt injection attacks hidden in AI agent configuration files:
+ * .cursorrules, CLAUDE.md, AGENT.md, .github/copilot-instructions.md,
+ * copilot-setup-steps.yml, .cursorignore, .windsurfrules, etc.
+ *
+ * These files are designed to be read by AI coding assistants and may contain
+ * hidden instructions to execute shell commands, exfiltrate secrets, or
+ * download and run remote payloads.
+ *
+ * References:
+ * - ToxicSkills (Snyk, Feb 2026)
+ * - NVIDIA AI agent security guidance
+ * - arxiv 2601.17548 (prompt injection in AI agents)
+ * - Clinejection (Snyk, Feb 2026)
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+// AI agent config files to scan (relative to project root)
+const AI_CONFIG_FILES = [
+  '.cursorrules',
+  '.cursorignore',
+  '.windsurfrules',
+  'CLAUDE.md',
+  'AGENT.md',
+  '.github/copilot-instructions.md',
+  'copilot-setup-steps.yml',
+  '.github/copilot-setup-steps.yml'
+];
+
+// Dangerous shell command patterns in AI config files
+const SHELL_COMMAND_PATTERNS = [
+  // Download and execute
+  { regex: /curl\s+[^\n]*\|\s*(sh|bash|zsh)\b/i, label: 'curl pipe to shell', critical: true },
+  { regex: /wget\s+[^\n]*\|\s*(sh|bash|zsh)\b/i, label: 'wget pipe to shell', critical: true },
+  { regex: /curl\s+-[sS]*L?\s+https?:\/\/[^\s"']+\s*\|\s*(sh|bash)/i, label: 'curl download and execute', critical: true },
+  { regex: /wget\s+-[qQ]*O?-?\s+https?:\/\/[^\s"']+\s*\|\s*(sh|bash)/i, label: 'wget download and execute', critical: true },
+
+  // Direct shell execution
+  { regex: /\beval\s*\(/i, label: 'eval() call', critical: false },
+  { regex: /\bexec\s*\(/i, label: 'exec() call', critical: false },
+  { regex: /\bsource\s+\.env\b/i, label: 'source .env', critical: false },
+  { regex: /\bsh\s+-c\s+["']/i, label: 'sh -c execution', critical: false },
+  { regex: /\bbash\s+-c\s+["']/i, label: 'bash -c execution', critical: false },
+  { regex: /\bnode\s+-e\s+["']/i, label: 'node -e inline execution', critical: false },
+  { regex: /\bpython[3]?\s+-c\s+["']/i, label: 'python -c inline execution', critical: false }
+];
+
+// Exfiltration patterns — sending data to external endpoints
+const EXFIL_PATTERNS = [
+  { regex: /curl\s+[^\n]*-X\s*POST\s+[^\n]*https?:\/\/(?!api\.github\.com|registry\.npmjs\.org)[^\s"']+/i, label: 'curl POST to external endpoint' },
+  { regex: /curl\s+[^\n]*-d\s+[^\n]*https?:\/\/(?!api\.github\.com|registry\.npmjs\.org)[^\s"']+/i, label: 'curl data upload to external endpoint' },
+  { regex: /curl\s+[^\n]*https?:\/\/(?!api\.github\.com|registry\.npmjs\.org)[^\s"']+[^\n]*-d\s/i, label: 'curl data upload to external endpoint' },
+  { regex: /\|\s*curl\s+[^\n]*https?:\/\/(?!api\.github\.com|registry\.npmjs\.org)/i, label: 'pipe output to curl' },
+  { regex: /\|\s*base64\s*\|\s*curl/i, label: 'base64 encode and send via curl' }
+];
+
+// Credential access patterns — reading sensitive files/vars
+const CREDENTIAL_ACCESS_PATTERNS = [
+  { regex: /cat\s+~?\/?\.ssh\/id_/i, label: 'read SSH private key' },
+  { regex: /cat\s+~?\/?\.npmrc/i, label: 'read .npmrc tokens' },
+  { regex: /cat\s+~?\/?\.aws\/credentials/i, label: 'read AWS credentials' },
+  { regex: /cat\s+~?\/?\.env\b/i, label: 'read .env file' },
+  { regex: /cat\s+~?\/?\.gnupg\//i, label: 'read GPG keys' },
+  { regex: /\$GITHUB_TOKEN|\$GH_TOKEN|\$NPM_TOKEN|\$AWS_SECRET_ACCESS_KEY|\$DISCORD_TOKEN/i, label: 'reference to secret env var' },
+  { regex: /grep\s+[^\n]*(TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL)[^\n]*/i, label: 'grep for secrets' },
+  { regex: /env\s*\|\s*grep\s+[^\n]*(TOKEN|KEY|SECRET|PASSWORD)/i, label: 'env grep for secrets' }
+];
+
+// Instruction patterns — AI prompt injection directives
+const INJECTION_INSTRUCTION_PATTERNS = [
+  { regex: /before\s+(reviewing|running|any|code|generating)[^\n]*(run|execute|source):/i, label: 'instruction to execute before review' },
+  { regex: /always\s+run\s+[^\n]*(before|first|initially)/i, label: 'instruction to always run command' },
+  { regex: /send\s+(contents?|data|output|results?)\s+(to|via)\s+https?:\/\//i, label: 'instruction to send data to URL' },
+  { regex: /upload\s+[^\n]*(to|via)\s+https?:\/\//i, label: 'instruction to upload to URL' },
+  { regex: /do\s+not\s+(display|show|output|mention|tell)/i, label: 'instruction to hide activity' }
+];
+
+/**
+ * Scan AI config files for prompt injection
+ */
+function scanAIConfig(targetPath) {
+  const threats = [];
+
+  for (const configFile of AI_CONFIG_FILES) {
+    const filePath = path.join(targetPath, configFile);
+
+    if (!fs.existsSync(filePath)) continue;
+
+    let content;
+    try {
+      const stat = fs.statSync(filePath);
+      if (stat.size > 1024 * 1024) continue; // Skip files > 1MB
+      content = fs.readFileSync(filePath, 'utf8');
+    } catch {
+      continue;
+    }
+
+    const relPath = configFile;
+    const fileThreats = analyzeAIConfigFile(content, relPath);
+    threats.push(...fileThreats);
+  }
+
+  return threats;
+}
+
+/**
+ * Analyze a single AI config file for prompt injection patterns
+ */
+function analyzeAIConfigFile(content, relPath) {
+  const threats = [];
+  let hasShellCommand = false;
+  let hasExfiltration = false;
+  let hasCredentialAccess = false;
+
+  // Check shell command patterns
+  for (const pattern of SHELL_COMMAND_PATTERNS) {
+    if (pattern.regex.test(content)) {
+      hasShellCommand = true;
+      threats.push({
+        type: pattern.critical ? 'ai_config_injection_critical' : 'ai_config_injection',
+        severity: pattern.critical ? 'CRITICAL' : 'HIGH',
+        message: `AI config prompt injection: ${pattern.label} in ${relPath}`,
+        file: relPath
+      });
+    }
+  }
+
+  // Check exfiltration patterns
+  for (const pattern of EXFIL_PATTERNS) {
+    if (pattern.regex.test(content)) {
+      hasExfiltration = true;
+      threats.push({
+        type: 'ai_config_injection_critical',
+        severity: 'CRITICAL',
+        message: `AI config exfiltration: ${pattern.label} in ${relPath}`,
+        file: relPath
+      });
+    }
+  }
+
+  // Check credential access patterns
+  for (const pattern of CREDENTIAL_ACCESS_PATTERNS) {
+    if (pattern.regex.test(content)) {
+      hasCredentialAccess = true;
+      threats.push({
+        type: 'ai_config_injection',
+        severity: 'HIGH',
+        message: `AI config credential access: ${pattern.label} in ${relPath}`,
+        file: relPath
+      });
+    }
+  }
+
+  // Check injection instruction patterns
+  for (const pattern of INJECTION_INSTRUCTION_PATTERNS) {
+    if (pattern.regex.test(content)) {
+      threats.push({
+        type: 'ai_config_injection',
+        severity: 'HIGH',
+        message: `AI config prompt injection: ${pattern.label} in ${relPath}`,
+        file: relPath
+      });
+    }
+  }
+
+  // Compound detection: shell + exfil or credential access → escalate
+  if (hasShellCommand && (hasExfiltration || hasCredentialAccess)) {
+    threats.push({
+      type: 'ai_config_injection_critical',
+      severity: 'CRITICAL',
+      message: `AI config compound attack: shell commands + ${hasExfiltration ? 'exfiltration' : 'credential access'} in ${relPath} — ToxicSkills/Clinejection pattern.`,
+      file: relPath
+    });
+  }
+
+  return threats;
+}
+
+module.exports = { scanAIConfig };

package/src/scanner/ast-detectors.js

@@ -221,8 +221,27 @@ function containsDecodePattern(node) {
 //   workflowPathVars, execPathVars, globalThisAliases,
 //   hasFromCharCode, hasEvalInFile (mutable)
 
+function isStaticValue(node) {
+  if (!node) return false;
+  if (node.type === 'Literal' && typeof node.value === 'string') return true;
+  if (node.type === 'ArrayExpression') {
+    return node.elements.every(el => el && el.type === 'Literal' && typeof el.value === 'string');
+  }
+  if (node.type === 'ObjectExpression') {
+    return node.properties.every(p =>
+      p.value && p.value.type === 'Literal' && typeof p.value.value === 'string'
+    );
+  }
+  return false;
+}
+
 function handleVariableDeclarator(node, ctx) {
   if (node.id?.type === 'Identifier') {
+    // Track statically-assigned variables for dynamic_require qualification
+    if (node.init && isStaticValue(node.init)) {
+      ctx.staticAssignments.add(node.id.name);
+    }
+
     // Track dynamic require vars
     if (node.init?.type === 'CallExpression') {
       const initCallName = getCallName(node.init);
@@ -305,10 +324,15 @@ function handleCallExpression(node, ctx) {
         });
       }
     } else if (arg.type === 'Identifier') {
+      // If the variable was assigned from a static value (string literal,
+      // array of strings, object with string values), it's a plugin loader pattern
+      const severity = ctx.staticAssignments.has(arg.name) ? 'LOW' : 'HIGH';
       ctx.threats.push({
         type: 'dynamic_require',
-        severity: 'HIGH',
-        message: 'Dynamic require() with variable argument (module name obfuscation).',
+        severity,
+        message: severity === 'LOW'
+          ? `Dynamic require() with statically-assigned variable "${arg.name}" (plugin loader pattern).`
+          : 'Dynamic require() with variable argument (module name obfuscation).',
         file: ctx.relFile
       });
     }
@@ -717,14 +741,13 @@ function handleCallExpression(node, ctx) {
         message: 'Function() with decode argument (atob/Buffer.from base64) — staged payload execution.',
         file: ctx.relFile
       });
-    } else {
-      const isConstant = hasOnlyStringLiteralArgs(node);
+    } else if (!hasOnlyStringLiteralArgs(node)) {
+      // Only flag dynamic Function() calls — string literal args (e.g. Function('return this'))
+      // are zero-risk globalThis polyfills used by every bundler
       ctx.threats.push({
         type: 'dangerous_call_function',
-        severity: isConstant ? 'LOW' : 'MEDIUM',
-        message: isConstant
-          ? 'Function() with constant string literal (low risk, globalThis polyfill pattern).'
-          : 'Function() with dynamic expression (template/factory pattern).',
+        severity: 'MEDIUM',
+        message: 'Function() with dynamic expression (template/factory pattern).',
         file: ctx.relFile
       });
     }
@@ -901,15 +924,15 @@ function handleImportExpression(node, ctx) {
 
 function handleNewExpression(node, ctx) {
   if (node.callee.type === 'Identifier' && node.callee.name === 'Function') {
-    const isConstant = hasOnlyStringLiteralArgs(node);
-    ctx.threats.push({
-      type: 'dangerous_call_function',
-      severity: isConstant ? 'LOW' : 'MEDIUM',
-      message: isConstant
-        ? 'new Function() with constant string literal (low risk, globalThis polyfill pattern).'
-        : 'new Function() with dynamic expression (template/factory pattern).',
-      file: ctx.relFile
-    });
+    // Skip string literal args — zero-risk globalThis polyfills used by every bundler
+    if (!hasOnlyStringLiteralArgs(node)) {
+      ctx.threats.push({
+        type: 'dangerous_call_function',
+        severity: 'MEDIUM',
+        message: 'new Function() with dynamic expression (template/factory pattern).',
+        file: ctx.relFile
+      });
+    }
   }
 
   // Detect new Proxy(process.env, handler)

package/src/scanner/ast.js

@@ -64,6 +64,7 @@ function analyzeFile(content, filePath, basePath) {
     threats,
     relFile: path.relative(basePath, filePath),
     dynamicRequireVars: new Set(),
+    staticAssignments: new Set(),
     dangerousCmdVars: new Map(),
     workflowPathVars: new Set(),
     execPathVars: new Map(),

package/src/scanner/dataflow.js

@@ -114,6 +114,10 @@ async function analyzeDataFlow(targetPath, options = {}) {
   });
 }
 
+/**
+ * Check if a VariableDeclarator init expression is a source-generating expression.
+ * Used to track which variables hold data from sensitive sources.
+ */
 function analyzeFile(content, filePath, basePath) {
   const threats = [];
   let ast;
@@ -208,6 +212,7 @@ function analyzeFile(content, filePath, basePath) {
           name: callName,
           line: node.loc?.start?.line
         });
+
       }
 
       if (callName === 'exec' || callName === 'execSync') {
@@ -219,6 +224,7 @@ function analyzeFile(content, filePath, basePath) {
               name: callName,
               line: node.loc?.start?.line
             });
+    
           }
         }
       }
@@ -268,18 +274,22 @@ function analyzeFile(content, filePath, basePath) {
           // DNS resolution as exfiltration sink
           if (obj.name === 'dns' && ['resolve', 'lookup', 'resolve4', 'resolve6', 'resolveTxt'].includes(prop.name)) {
             sinks.push({ type: 'network_send', name: `dns.${prop.name}`, line: node.loc?.start?.line });
+    
           }
           // HTTP/HTTPS request/get as network sink
           if ((obj.name === 'http' || obj.name === 'https') && ['request', 'get'].includes(prop.name)) {
             sinks.push({ type: 'network_send', name: `${obj.name}.${prop.name}`, line: node.loc?.start?.line });
+    
           }
           // net.connect / net.createConnection / tls.connect as network sink
           if ((obj.name === 'net' || obj.name === 'tls') && ['connect', 'createConnection'].includes(prop.name)) {
             sinks.push({ type: 'network_send', name: `${obj.name}.${prop.name}`, line: node.loc?.start?.line });
+    
           }
           // Instance socket.connect(port, host) when file imports net/tls
           if (hasRawSocketModule && prop.name === 'connect' && node.arguments.length >= 2) {
             sinks.push({ type: 'network_send', name: 'socket.connect', line: node.loc?.start?.line });
+    
           }
         }
       }
@@ -322,8 +332,9 @@ function analyzeFile(content, filePath, basePath) {
             // Check sink methods
             const sinkMethods = MODULE_SINK_METHODS[moduleName];
             if (sinkMethods && sinkMethods[methodName]) {
+              const sinkType = sinkMethods[methodName];
               sinks.push({
-                type: sinkMethods[methodName],
+                type: sinkType,
                 name: `${moduleName}.${methodName}`,
                 line: node.loc?.start?.line,
                 taint_tracked: true
@@ -341,8 +352,9 @@ function analyzeFile(content, filePath, basePath) {
           // Check sink methods for destructured calls
           const sinkMethods = MODULE_SINK_METHODS[moduleName];
           if (sinkMethods && sinkMethods[methodName]) {
+            const sinkType = sinkMethods[methodName];
             sinks.push({
-              type: sinkMethods[methodName],
+              type: sinkType,
               name: `${moduleName}.${methodName}`,
               line: node.loc?.start?.line,
               taint_tracked: true