muaddib-scanner 2.4.4 → 2.4.5

package/iocs/packages.yaml

@@ -1,277 +1,277 @@
-# MUAD'DIB IOCs - Packages malveillants
-# Contribuez via PR: https://github.com/DNSZLSK/muad-dib
-
-version: "1.0.0"
-updated: "2026-01-01"
-
-packages:
-  # ============================================
-  # SHAI-HULUD v1 (Septembre 2025)
-  # ============================================
-  - id: SHAI-HULUD-V1-001
-    name: "@ctrl/tinycolor"
-    version: "4.1.1"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1 - vol de credentials npm/GitHub"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-002
-    name: "ng2-file-upload"
-    version: "*"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V1-003
-    name: "ngx-bootstrap"
-    version: "*"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v1
-    introduced: "2025-09-01"
-    description: "Package compromis par Shai-Hulud v1"
-    references:
-      - https://blog.phylum.io/shai-hulud-npm-worm
-    mitre: T1195.002
-
-  # ============================================
-  # SHAI-HULUD v2 "The Second Coming" (Novembre 2025)
-  # ============================================
-  - id: SHAI-HULUD-V2-001
-    name: "@asyncapi/specs"
-    version: "*"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2 - inclut dead man's switch"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-002
-    name: "get-them-args"
-    version: "*"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-003
-    name: "kill-port"
-    version: "*"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-004
-    name: "posthog-node"
-    version: "*"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  - id: SHAI-HULUD-V2-005
-    name: "posthog-js"
-    version: "*"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v2
-    introduced: "2025-11-01"
-    description: "Package compromis par Shai-Hulud v2"
-    references:
-      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
-    mitre: T1195.002
-
-  # ============================================
-  # SHAI-HULUD v3 "Golden Path" (Decembre 2025)
-  # ============================================
-  - id: SHAI-HULUD-V3-001
-    name: "@vietmoney/react-big-calendar"
-    version: "0.26.2"
-    severity: critical
-    confidence: high
-    source: shai-hulud-v3
-    introduced: "2025-12-01"
-    description: "Package compromis par Shai-Hulud v3 Golden Path"
-    references:
-      - https://socket.dev/npm/package/@vietmoney/react-big-calendar
-    mitre: T1195.002
-
-  # ============================================
-  # ATTAQUES HISTORIQUES
-  # ============================================
-  - id: EVENT-STREAM-001
-    name: "flatmap-stream"
-    version: "0.1.1"
-    severity: critical
-    confidence: high
-    source: event-stream-2018
-    introduced: "2018-11-01"
-    description: "Payload malveillant de l'attaque event-stream - vol de Bitcoin wallets"
-    references:
-      - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
-    mitre: T1195.002
-
-  - id: EVENT-STREAM-002
-    name: "event-stream"
-    version: "3.3.6"
-    severity: critical
-    confidence: high
-    source: event-stream-2018
-    introduced: "2018-11-01"
-    description: "Version compromise de event-stream"
-    references:
-      - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
-    mitre: T1195.002
-
-  - id: ESLINT-SCOPE-001
-    name: "eslint-scope"
-    version: "3.7.2"
-    severity: critical
-    confidence: high
-    source: eslint-scope-2018
-    introduced: "2018-07-01"
-    description: "Version compromise de eslint-scope - vol de tokens npm"
-    references:
-      - https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
-    mitre: T1195.002
-
-  # ============================================
-  # PROTESTWARE
-  # ============================================
-  - id: PROTESTWARE-001
-    name: "node-ipc"
-    version: "10.1.1"
-    severity: critical
-    confidence: high
-    source: protestware
-    introduced: "2022-03-01"
-    description: "Protestware - supprime fichiers sur machines avec IP russe/bielorusse"
-    references:
-      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
-    mitre: T1485
-
-  - id: PROTESTWARE-002
-    name: "node-ipc"
-    version: "10.1.2"
-    severity: critical
-    confidence: high
-    source: protestware
-    introduced: "2022-03-01"
-    description: "Protestware - version modifiee"
-    references:
-      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
-    mitre: T1485
-
-  - id: PROTESTWARE-002b
-    name: "peacenotwar"
-    version: "*"
-    severity: critical
-    confidence: high
-    source: protestware
-    introduced: "2022-03-01"
-    description: "Protestware dependency - deposite fichier texte sur le bureau via node-ipc"
-    references:
-      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
-    mitre: T1485
-
-  - id: PROTESTWARE-003
-    name: "colors"
-    version: "1.4.1"
-    severity: high
-    confidence: high
-    source: protestware
-    introduced: "2022-01-01"
-    description: "Protestware - boucle infinie intentionnelle"
-    references:
-      - https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
-    mitre: T1499
-
-  - id: PROTESTWARE-004
-    name: "faker"
-    version: "6.6.6"
-    severity: high
-    confidence: high
-    source: protestware
-    introduced: "2022-01-01"
-    description: "Protestware - sabotage intentionnel"
-    references:
-      - https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
-    mitre: T1499
-
-  # ============================================
-  # TYPOSQUATS
-  # ============================================
-  - id: TYPOSQUAT-001
-    name: "crossenv"
-    version: "*"
-    severity: high
-    confidence: high
-    source: typosquat
-    introduced: "2017-08-01"
-    description: "Typosquat de cross-env - vol de variables d'environnement"
-    references:
-      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
-    mitre: T1195.002
-
-  - id: TYPOSQUAT-002
-    name: "mongose"
-    version: "*"
-    severity: high
-    confidence: high
-    source: typosquat
-    introduced: "2017-08-01"
-    description: "Typosquat de mongoose"
-    references:
-      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
-    mitre: T1195.002
-
-  - id: TYPOSQUAT-003
-    name: "babelcli"
-    version: "*"
-    severity: high
-    confidence: high
-    source: typosquat
-    introduced: "2017-08-01"
-    description: "Typosquat de babel-cli"
-    references:
-      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
-    mitre: T1195.002
-
-  - id: TYPOSQUAT-004
-    name: "lodahs"
-    version: "*"
-    severity: high
-    confidence: high
-    source: typosquat
-    introduced: "2019-01-01"
-    description: "Typosquat de lodash"
-    references:
-      - https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/
+# MUAD'DIB IOCs - Packages malveillants
+# Contribuez via PR: https://github.com/DNSZLSK/muad-dib
+
+version: "1.0.0"
+updated: "2026-01-01"
+
+packages:
+  # ============================================
+  # SHAI-HULUD v1 (Septembre 2025)
+  # ============================================
+  - id: SHAI-HULUD-V1-001
+    name: "@ctrl/tinycolor"
+    version: "4.1.1"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v1
+    introduced: "2025-09-01"
+    description: "Package compromis par Shai-Hulud v1 - vol de credentials npm/GitHub"
+    references:
+      - https://blog.phylum.io/shai-hulud-npm-worm
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V1-002
+    name: "ng2-file-upload"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v1
+    introduced: "2025-09-01"
+    description: "Package compromis par Shai-Hulud v1"
+    references:
+      - https://blog.phylum.io/shai-hulud-npm-worm
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V1-003
+    name: "ngx-bootstrap"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v1
+    introduced: "2025-09-01"
+    description: "Package compromis par Shai-Hulud v1"
+    references:
+      - https://blog.phylum.io/shai-hulud-npm-worm
+    mitre: T1195.002
+
+  # ============================================
+  # SHAI-HULUD v2 "The Second Coming" (Novembre 2025)
+  # ============================================
+  - id: SHAI-HULUD-V2-001
+    name: "@asyncapi/specs"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v2
+    introduced: "2025-11-01"
+    description: "Package compromis par Shai-Hulud v2 - inclut dead man's switch"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V2-002
+    name: "get-them-args"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v2
+    introduced: "2025-11-01"
+    description: "Package compromis par Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V2-003
+    name: "kill-port"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v2
+    introduced: "2025-11-01"
+    description: "Package compromis par Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V2-004
+    name: "posthog-node"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v2
+    introduced: "2025-11-01"
+    description: "Package compromis par Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  - id: SHAI-HULUD-V2-005
+    name: "posthog-js"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v2
+    introduced: "2025-11-01"
+    description: "Package compromis par Shai-Hulud v2"
+    references:
+      - https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
+    mitre: T1195.002
+
+  # ============================================
+  # SHAI-HULUD v3 "Golden Path" (Decembre 2025)
+  # ============================================
+  - id: SHAI-HULUD-V3-001
+    name: "@vietmoney/react-big-calendar"
+    version: "0.26.2"
+    severity: critical
+    confidence: high
+    source: shai-hulud-v3
+    introduced: "2025-12-01"
+    description: "Package compromis par Shai-Hulud v3 Golden Path"
+    references:
+      - https://socket.dev/npm/package/@vietmoney/react-big-calendar
+    mitre: T1195.002
+
+  # ============================================
+  # ATTAQUES HISTORIQUES
+  # ============================================
+  - id: EVENT-STREAM-001
+    name: "flatmap-stream"
+    version: "0.1.1"
+    severity: critical
+    confidence: high
+    source: event-stream-2018
+    introduced: "2018-11-01"
+    description: "Payload malveillant de l'attaque event-stream - vol de Bitcoin wallets"
+    references:
+      - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
+    mitre: T1195.002
+
+  - id: EVENT-STREAM-002
+    name: "event-stream"
+    version: "3.3.6"
+    severity: critical
+    confidence: high
+    source: event-stream-2018
+    introduced: "2018-11-01"
+    description: "Version compromise de event-stream"
+    references:
+      - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
+    mitre: T1195.002
+
+  - id: ESLINT-SCOPE-001
+    name: "eslint-scope"
+    version: "3.7.2"
+    severity: critical
+    confidence: high
+    source: eslint-scope-2018
+    introduced: "2018-07-01"
+    description: "Version compromise de eslint-scope - vol de tokens npm"
+    references:
+      - https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
+    mitre: T1195.002
+
+  # ============================================
+  # PROTESTWARE
+  # ============================================
+  - id: PROTESTWARE-001
+    name: "node-ipc"
+    version: "10.1.1"
+    severity: critical
+    confidence: high
+    source: protestware
+    introduced: "2022-03-01"
+    description: "Protestware - supprime fichiers sur machines avec IP russe/bielorusse"
+    references:
+      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
+    mitre: T1485
+
+  - id: PROTESTWARE-002
+    name: "node-ipc"
+    version: "10.1.2"
+    severity: critical
+    confidence: high
+    source: protestware
+    introduced: "2022-03-01"
+    description: "Protestware - version modifiee"
+    references:
+      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
+    mitre: T1485
+
+  - id: PROTESTWARE-002b
+    name: "peacenotwar"
+    version: "*"
+    severity: critical
+    confidence: high
+    source: protestware
+    introduced: "2022-03-01"
+    description: "Protestware dependency - deposite fichier texte sur le bureau via node-ipc"
+    references:
+      - https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
+    mitre: T1485
+
+  - id: PROTESTWARE-003
+    name: "colors"
+    version: "1.4.1"
+    severity: high
+    confidence: high
+    source: protestware
+    introduced: "2022-01-01"
+    description: "Protestware - boucle infinie intentionnelle"
+    references:
+      - https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
+    mitre: T1499
+
+  - id: PROTESTWARE-004
+    name: "faker"
+    version: "6.6.6"
+    severity: high
+    confidence: high
+    source: protestware
+    introduced: "2022-01-01"
+    description: "Protestware - sabotage intentionnel"
+    references:
+      - https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
+    mitre: T1499
+
+  # ============================================
+  # TYPOSQUATS
+  # ============================================
+  - id: TYPOSQUAT-001
+    name: "crossenv"
+    version: "*"
+    severity: high
+    confidence: high
+    source: typosquat
+    introduced: "2017-08-01"
+    description: "Typosquat de cross-env - vol de variables d'environnement"
+    references:
+      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
+    mitre: T1195.002
+
+  - id: TYPOSQUAT-002
+    name: "mongose"
+    version: "*"
+    severity: high
+    confidence: high
+    source: typosquat
+    introduced: "2017-08-01"
+    description: "Typosquat de mongoose"
+    references:
+      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
+    mitre: T1195.002
+
+  - id: TYPOSQUAT-003
+    name: "babelcli"
+    version: "*"
+    severity: high
+    confidence: high
+    source: typosquat
+    introduced: "2017-08-01"
+    description: "Typosquat de babel-cli"
+    references:
+      - https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
+    mitre: T1195.002
+
+  - id: TYPOSQUAT-004
+    name: "lodahs"
+    version: "*"
+    severity: high
+    confidence: high
+    source: typosquat
+    introduced: "2019-01-01"
+    description: "Typosquat de lodash"
+    references:
+      - https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/
     mitre: T1195.002

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.4.4",
+  "version": "2.4.5",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -48,8 +48,7 @@
     "acorn": "8.16.0",
     "acorn-walk": "8.3.5",
     "adm-zip": "0.5.16",
-    "js-yaml": "4.1.1",
-    "loadash": "^1.0.0"
+    "js-yaml": "4.1.1"
   },
   "devDependencies": {
     "@eslint/js": "10.0.1",