muaddib-scanner 2.5.13 → 2.5.14

package/logs/alerts/{2026-03-07T17-50-50-825-evil-pkg.json → 2026-03-07T19-15-13-572-evil-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/evil-pkg@1.0.0",
-  "timestamp": "2026-03-07T17:50:50.825Z",
+  "timestamp": "2026-03-07T19:15:13.572Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 1,

package/logs/alerts/{2026-03-07T17-50-50-826-suspect-pkg.json → 2026-03-07T19-15-13-572-suspect-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/suspect-pkg@1.0",
-  "timestamp": "2026-03-07T17:50:50.826Z",
+  "timestamp": "2026-03-07T19:15:13.572Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 0,

package/logs/alerts/{2026-03-07T17-50-50-827-evil-pkg.json → 2026-03-07T19-15-13-573-evil-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/evil-pkg@1.0.0",
-  "timestamp": "2026-03-07T17:50:50.826Z",
+  "timestamp": "2026-03-07T19:15:13.573Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 1,

package/logs/alerts/{2026-03-07T17-50-51-268-evil-pkg.json → 2026-03-07T19-15-13-948-evil-pkg.json}

@@ -1,6 +1,6 @@
 {
   "target": "npm/evil-pkg@2.0.0",
-  "timestamp": "2026-03-07T17:50:51.268Z",
+  "timestamp": "2026-03-07T19:15:13.947Z",
   "ecosystem": "npm",
   "summary": {
     "critical": 1,

package/logs/daily-reports/2026-03-07.json

@@ -1,6 +1,6 @@
 {
   "date": "2026-03-07",
-  "timestamp": "2026-03-07T17:50:51.399Z",
+  "timestamp": "2026-03-07T19:15:14.082Z",
   "embed": {
     "embeds": [
       {
@@ -34,14 +34,14 @@
           },
           {
             "name": "Top Suspects",
-            "value": "1. **npm/test-dedup-detection-1772905850823@1.0.0** — 1 finding(s)",
+            "value": "1. **npm/test-dedup-detection-1772910913569@1.0.0** — 1 finding(s)",
             "inline": false
           }
         ],
         "footer": {
-          "text": "MUAD'DIB - Daily summary | 2026-03-07 17:50:51 UTC"
+          "text": "MUAD'DIB - Daily summary | 2026-03-07 19:15:14 UTC"
         },
-        "timestamp": "2026-03-07T17:50:51.399Z"
+        "timestamp": "2026-03-07T19:15:14.081Z"
       }
     ]
   },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.5.13",
+  "version": "2.5.14",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/ioc/updater.js

@@ -455,6 +455,13 @@ function invalidateCache() {
 // ============================================
 // Key is derived from a stable machine-specific seed + hardcoded salt.
 // This protects against local file tampering by unauthorized processes.
+//
+// RISK ACCEPTED (v2.5.14): Full cryptographic signing of IOC updates (e.g., Ed25519
+// signatures verified against a pinned public key) was evaluated but not implemented.
+// Current mitigations: HTTPS-only downloads + domain allowlist in src/shared/download.js
+// + HMAC-SHA256 integrity for cached data. The HMAC key is machine-local, so it does
+// not protect against a compromised upstream source — that risk is accepted given the
+// cost/benefit trade-off and the existing HTTPS + domain pinning controls.
 const IOC_HMAC_SALT = 'muaddib-ioc-integrity-v1';
 
 function getIOCHMACKey() {

package/src/response/playbooks.js

@@ -165,6 +165,15 @@ const PLAYBOOKS = {
   fifo_reverse_shell:
     'CRITIQUE: Reverse shell FIFO/named pipe detecte. Machine potentiellement compromise. Isoler immediatement.',
 
+  fifo_nc_reverse_shell:
+    'CRITIQUE: Reverse shell via mkfifo + netcat detecte. Machine potentiellement compromise. Isoler immediatement. Verifier les connexions sortantes actives.',
+
+  base64_decode_exec:
+    'CRITIQUE: Payload encode en base64 pipe vers un shell. Decoder le payload pour analyse: echo "<payload>" | base64 -d. Isoler la machine si deja execute.',
+
+  wget_base64_decode:
+    'Telechargement + decodage base64 detecte. Verifier l\'URL de telechargement et decoder le contenu. Pattern de staging malveillant en deux etapes.',
+
   shai_hulud_backdoor:
     'CRITIQUE: Backdoor Shai-Hulud dans GitHub Actions. Supprimer le workflow et auditer les runs precedents.',
 
@@ -448,6 +457,10 @@ const PLAYBOOKS = {
     'new Worker() avec eval:true detecte. Le code s\'execute dans un thread worker separe, contournant la detection AST du thread principal. ' +
     'Verifier le contenu du code passe au Worker. Si dynamique ou obfusque, supprimer le package. ' +
     'Analyser les communications inter-threads (parentPort, workerData) pour identifier le payload.',
+
+  fragmented_high_entropy_cluster:
+    'Cluster de chaines courtes a haute entropie detecte. Possible fragmentation de payload pour eviter la detection. ' +
+    'Reconstituer les fragments et analyser le contenu combine. Verifier si les chaines sont concatenees ou reassemblees a l\'execution.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -385,6 +385,33 @@ const RULES = {
     references: ['https://attack.mitre.org/techniques/T1059/004/'],
     mitre: 'T1059.004'
   },
+  fifo_nc_reverse_shell: {
+    id: 'MUADDIB-SHELL-013',
+    name: 'FIFO + Netcat Reverse Shell',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Reverse shell via mkfifo + netcat (sans /dev/tcp). Technique alternative de reverse shell utilisant un named pipe.',
+    references: ['https://attack.mitre.org/techniques/T1059/004/'],
+    mitre: 'T1059.004'
+  },
+  base64_decode_exec: {
+    id: 'MUADDIB-SHELL-014',
+    name: 'Base64 Decode Pipe to Shell',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Payload encode en base64 decode et pipe vers bash/sh. Technique d\'obfuscation courante pour cacher des commandes malveillantes.',
+    references: ['https://attack.mitre.org/techniques/T1140/'],
+    mitre: 'T1140'
+  },
+  wget_base64_decode: {
+    id: 'MUADDIB-SHELL-015',
+    name: 'Wget + Base64 Decode',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Telechargement via wget suivi de decodage base64. Pattern de staging en deux etapes pour dropper un payload.',
+    references: ['https://attack.mitre.org/techniques/T1105/'],
+    mitre: 'T1105'
+  },
 
   // AST additional patterns
   possible_obfuscation: {
@@ -958,6 +985,15 @@ const RULES = {
     references: ['https://attack.mitre.org/techniques/T1027/'],
     mitre: 'T1027'
   },
+  fragmented_high_entropy_cluster: {
+    id: 'MUADDIB-ENTROPY-004',
+    name: 'Fragmented High Entropy Cluster',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Cluster de chaines courtes a haute entropie (8-49 chars) detecte. Technique de fragmentation de payload pour contourner le seuil de longueur minimum d\'analyse entropique.',
+    references: ['https://attack.mitre.org/techniques/T1027/'],
+    mitre: 'T1027'
+  },
   js_obfuscation_pattern: {
     id: 'MUADDIB-ENTROPY-003',
     name: 'JS Obfuscation Pattern',

package/src/scanner/ast-detectors.js

@@ -330,6 +330,44 @@ function handleVariableDeclarator(node, ctx) {
       ctx.globalThisAliases.add(node.id.name);
     }
 
+    // B1: const E = eval; const F = Function;
+    if (node.init?.type === 'Identifier' &&
+        (node.init.name === 'eval' || node.init.name === 'Function')) {
+      ctx.evalAliases.set(node.id.name, node.init.name);
+    }
+    // B1: const E = (x) => eval(x); const E = function(x) { return eval(x); }
+    if ((node.init?.type === 'ArrowFunctionExpression' || node.init?.type === 'FunctionExpression') &&
+        node.init.params?.length >= 1) {
+      const body = node.init.body;
+      if (body?.type === 'CallExpression') {
+        const cn = getCallName(body);
+        if (cn === 'eval' || cn === 'Function') ctx.evalAliases.set(node.id.name, cn);
+      }
+      if (body?.type === 'BlockStatement' && body.body?.length === 1 &&
+          body.body[0].type === 'ReturnStatement' && body.body[0].argument?.type === 'CallExpression') {
+        const cn = getCallName(body.body[0].argument);
+        if (cn === 'eval' || cn === 'Function') ctx.evalAliases.set(node.id.name, cn);
+      }
+    }
+
+    // B5: Track object literal string properties
+    if (node.init?.type === 'ObjectExpression') {
+      const propMap = new Map();
+      for (const prop of node.init.properties) {
+        if (prop.type !== 'Property') continue;
+        const key = prop.key?.type === 'Identifier' ? prop.key.name :
+                    (prop.key?.type === 'Literal' ? String(prop.key.value) : null);
+        const val = extractStringValueDeep(prop.value);
+        if (key && val) propMap.set(key, val);
+      }
+      if (propMap.size > 0) ctx.objectPropertyMap.set(node.id.name, propMap);
+    }
+
+    // Track initial string values for reassignment tracking
+    if (strVal !== null && strVal !== undefined) {
+      ctx.stringVarValues.set(node.id.name, strVal);
+    }
+
     // Track variables assigned from path.join containing .github/workflows
     if (node.init?.type === 'CallExpression' && node.init.callee?.type === 'MemberExpression') {
       const obj = node.init.callee.object;
@@ -442,17 +480,68 @@ function handleCallExpression(node, ctx) {
         });
       }
     } else if (arg.type === 'Identifier') {
-      // If the variable was assigned from a static value (string literal,
-      // array of strings, object with string values), it's a plugin loader pattern
-      const severity = ctx.staticAssignments.has(arg.name) ? 'LOW' : 'HIGH';
-      ctx.threats.push({
-        type: 'dynamic_require',
-        severity,
-        message: severity === 'LOW'
-          ? `Dynamic require() with statically-assigned variable "${arg.name}" (plugin loader pattern).`
-          : 'Dynamic require() with variable argument (module name obfuscation).',
-        file: ctx.relFile
-      });
+      // Check if variable was reassignment-tracked to a dangerous module
+      const DANGEROUS_MODS_REQ = ['child_process', 'fs', 'net', 'dns', 'http', 'https', 'tls'];
+      const resolvedVal = ctx.stringVarValues?.get(arg.name);
+      if (resolvedVal) {
+        const norm = resolvedVal.startsWith('node:') ? resolvedVal.slice(5) : resolvedVal;
+        if (DANGEROUS_MODS_REQ.includes(norm)) {
+          ctx.threats.push({
+            type: 'dynamic_require', severity: 'CRITICAL',
+            message: `require(${arg.name}) resolves to "${norm}" via variable reassignment — module name obfuscation.`,
+            file: ctx.relFile
+          });
+        } else {
+          // If the variable was assigned from a static value (string literal,
+          // array of strings, object with string values), it's a plugin loader pattern
+          const severity = ctx.staticAssignments.has(arg.name) ? 'LOW' : 'HIGH';
+          ctx.threats.push({
+            type: 'dynamic_require',
+            severity,
+            message: severity === 'LOW'
+              ? `Dynamic require() with statically-assigned variable "${arg.name}" (plugin loader pattern).`
+              : 'Dynamic require() with variable argument (module name obfuscation).',
+            file: ctx.relFile
+          });
+        }
+      } else {
+        // If the variable was assigned from a static value (string literal,
+        // array of strings, object with string values), it's a plugin loader pattern
+        const severity = ctx.staticAssignments.has(arg.name) ? 'LOW' : 'HIGH';
+        ctx.threats.push({
+          type: 'dynamic_require',
+          severity,
+          message: severity === 'LOW'
+            ? `Dynamic require() with statically-assigned variable "${arg.name}" (plugin loader pattern).`
+            : 'Dynamic require() with variable argument (module name obfuscation).',
+          file: ctx.relFile
+        });
+      }
+    }
+    // B5: require(obj.prop) — MemberExpression argument
+    else if (arg.type === 'MemberExpression') {
+      const objName = arg.object?.type === 'Identifier' ? arg.object.name : null;
+      const propName = arg.property?.type === 'Identifier' ? arg.property.name :
+                       (arg.property?.type === 'Literal' ? String(arg.property.value) : null);
+      const DANGEROUS_MODS = ['child_process', 'fs', 'net', 'dns', 'http', 'https', 'tls'];
+      let resolved = false;
+      if (objName && propName && ctx.objectPropertyMap?.has(objName)) {
+        const val = ctx.objectPropertyMap.get(objName).get(propName);
+        if (val) {
+          const norm = val.startsWith('node:') ? val.slice(5) : val;
+          if (DANGEROUS_MODS.includes(norm)) {
+            ctx.threats.push({ type: 'dynamic_require', severity: 'CRITICAL',
+              message: `require(${objName}.${propName}) resolves to "${norm}" — object property indirection.`,
+              file: ctx.relFile });
+            resolved = true;
+          }
+        }
+      }
+      if (!resolved) {
+        ctx.threats.push({ type: 'dynamic_require', severity: 'HIGH',
+          message: 'Dynamic require() with member expression argument (object property obfuscation).',
+          file: ctx.relFile });
+      }
     }
     // Wave 4: detect require() of .node binary files (native addon camouflage)
     const reqStr = extractStringValueDeep(arg);
@@ -881,6 +970,19 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // B1: Alias call — E('code') where E = eval or F = Function
+  if (node.callee.type === 'Identifier' && ctx.evalAliases?.has(node.callee.name)) {
+    const aliased = ctx.evalAliases.get(node.callee.name);
+    ctx.hasEvalInFile = true;
+    ctx.hasDynamicExec = true;
+    ctx.threats.push({
+      type: aliased === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
+      severity: 'HIGH',
+      message: `Indirect ${aliased} via alias "${node.callee.name}" — eval wrapper evasion.`,
+      file: ctx.relFile
+    });
+  }
+
   if (callName === 'eval') {
     ctx.hasEvalInFile = true;
     ctx.hasDynamicExec = true;
@@ -1432,6 +1534,29 @@ function handleLiteral(node, ctx) {
 }
 
 function handleAssignmentExpression(node, ctx) {
+  // Variable reassignment: x += 'process' or x = x + 'process'
+  if (node.left?.type === 'Identifier') {
+    if (node.operator === '+=' && ctx.stringVarValues.has(node.left.name)) {
+      const rightVal = extractStringValueDeep(node.right);
+      if (rightVal !== null) {
+        const combined = ctx.stringVarValues.get(node.left.name) + rightVal;
+        ctx.stringVarValues.set(node.left.name, combined);
+        if (DANGEROUS_CMD_PATTERNS.some(p => p.test(combined))) {
+          ctx.dangerousCmdVars.set(node.left.name, combined);
+        }
+      }
+    }
+    if (node.operator === '=' && node.right?.type === 'BinaryExpression') {
+      const resolved = resolveStringConcat(node.right);
+      if (resolved) {
+        ctx.stringVarValues.set(node.left.name, resolved);
+        if (DANGEROUS_CMD_PATTERNS.some(p => p.test(resolved))) {
+          ctx.dangerousCmdVars.set(node.left.name, resolved);
+        }
+      }
+    }
+  }
+
   // Detect object property indirection: obj.exec = require('child_process').exec
   // or obj.fn = eval — stashing dangerous functions in object properties
   if (node.left?.type === 'MemberExpression' && node.right) {
@@ -1489,14 +1614,17 @@ function handleAssignmentExpression(node, ctx) {
   if (node.left?.type === 'MemberExpression') {
     const left = node.left;
 
-    // globalThis.fetch = ... or globalThis.XMLHttpRequest = ...
-    if (left.object?.type === 'Identifier' && left.object.name === 'globalThis' &&
+    // globalThis.fetch = ... or globalThis.XMLHttpRequest = ... (B2: include aliases)
+    if (left.object?.type === 'Identifier' &&
+        (left.object.name === 'globalThis' || left.object.name === 'global' ||
+         left.object.name === 'window' || left.object.name === 'self' ||
+         ctx.globalThisAliases.has(left.object.name)) &&
         left.property?.type === 'Identifier') {
       if (HOOKABLE_NATIVES.includes(left.property.name)) {
         ctx.threats.push({
           type: 'prototype_hook',
           severity: 'HIGH',
-          message: `globalThis.${left.property.name} overridden — native API hooking for traffic interception.`,
+          message: `${left.object.name}.${left.property.name} overridden — native API hooking for traffic interception.`,
           file: ctx.relFile
         });
       }
@@ -1712,7 +1840,8 @@ function handlePostWalk(ctx) {
 
   // Wave 4: Download-execute-cleanup — https download + chmod executable + execSync + unlink
   // Exclude when all URLs in the file point to safe registries (npm, GitHub, nodejs.org)
-  if (ctx.hasRemoteFetch && ctx.hasChmodExecutable && ctx.hasExecSyncCall && !ctx.fetchOnlySafeDomains) {
+  // B4: removed fetchOnlySafeDomains guard — compound requires fetch+chmod+exec, which is never legitimate
+  if (ctx.hasRemoteFetch && ctx.hasChmodExecutable && ctx.hasExecSyncCall) {
     ctx.threats.push({
       type: 'download_exec_binary',
       severity: 'CRITICAL',

package/src/scanner/ast.js

@@ -70,6 +70,9 @@ function analyzeFile(content, filePath, basePath) {
     workflowPathVars: new Set(),
     execPathVars: new Map(),
     globalThisAliases: new Set(),
+    evalAliases: new Map(),           // B1: variable name → 'eval'|'Function'
+    objectPropertyMap: new Map(),     // B5: objName → Map<propName, stringValue>
+    stringVarValues: new Map(),       // Variable reassignment tracking: varName → string value
     hasFromCharCode: content.includes('fromCharCode'),
     hasJsReverseShell: /\bnet\.Socket\b/.test(content) &&
       /\.connect\s*\(/.test(content) &&

package/src/scanner/dataflow.js

@@ -203,6 +203,33 @@ function analyzeFile(content, filePath, basePath) {
             }
           }
         }
+        // B7: Taint propagation through data-preserving wrappers
+        if (initNode.type === 'CallExpression') {
+          const callee = initNode.callee;
+          let isTaintWrapper = false;
+          // JSON.stringify(x) / JSON.parse(x)
+          if (callee?.type === 'MemberExpression' &&
+              callee.object?.type === 'Identifier' && callee.object.name === 'JSON' &&
+              callee.property?.type === 'Identifier' &&
+              (callee.property.name === 'stringify' || callee.property.name === 'parse')) {
+            isTaintWrapper = true;
+          }
+          // x.toString() / String(x) / Buffer.from(x)
+          if (callee?.type === 'MemberExpression' &&
+              callee.property?.type === 'Identifier' && callee.property.name === 'toString') {
+            isTaintWrapper = true;
+          }
+          if (callee?.type === 'Identifier' && callee.name === 'String') {
+            isTaintWrapper = true;
+          }
+          if (isTaintWrapper && initNode.arguments.length >= 1) {
+            const wrappedArg = initNode.arguments[0];
+            if (wrappedArg.type === 'Identifier' && sensitivePathVars.has(wrappedArg.name)) {
+              sensitivePathVars.add(node.id.name);
+            }
+          }
+        }
+
         // Track exec result capture: const output = execSync('cmd')
         if (initNode.type === 'CallExpression') {
           let execName = null;

package/src/scanner/entropy.js

@@ -228,7 +228,26 @@ function scanEntropy(targetPath, options = {}) {
     const strings = extractStringLiterals(content);
     for (const str of strings) {
       if (str.length < MIN_STRING_LENGTH) continue;
-      if (str.length > MAX_STRING_LENGTH) continue;
+
+      // B12: Windowed analysis for strings > MAX_STRING_LENGTH
+      if (str.length > MAX_STRING_LENGTH) {
+        if (SOURCE_MAP_REGEX.test(str) || SHA256_HEX_REGEX.test(str)) continue;
+        const WINDOW = 500, WIN_THRESHOLD = 6.0;
+        for (let i = 0; i < str.length; i += WINDOW) {
+          const w = str.slice(i, i + WINDOW);
+          if (w.length < 20) continue;
+          if (calculateShannonEntropy(w) > WIN_THRESHOLD) {
+            threats.push({
+              type: 'high_entropy_string',
+              severity: ENCODING_TABLE_RE.test(relativePath) ? 'LOW' : 'MEDIUM',
+              message: `High entropy window in long string (${str.length} chars, offset ${i}) — possible padded payload`,
+              file: relativePath
+            });
+            break;
+          }
+        }
+        continue;
+      }
 
       // Skip whitelisted patterns
       if (isWhitelistedString(str, relativePath)) continue;
@@ -245,6 +264,23 @@ function scanEntropy(targetPath, options = {}) {
         });
       }
     }
+
+    // B11: Fragment cluster — many short high-entropy strings = payload fragmentation
+    const FRAG_MIN = 8, FRAG_MAX = 49, FRAG_COUNT = 5, FRAG_ENTROPY = 4.5;
+    const frags = strings.filter(s =>
+      s.length >= FRAG_MIN && s.length <= FRAG_MAX &&
+      !SOURCE_MAP_REGEX.test(s) && !SHA256_HEX_REGEX.test(s) && !MD5_HEX_REGEX.test(s) &&
+      !UUID_REGEX.test(s) && !JWT_REGEX.test(s) &&
+      calculateShannonEntropy(s) > FRAG_ENTROPY
+    );
+    if (frags.length >= FRAG_COUNT) {
+      threats.push({
+        type: 'fragmented_high_entropy_cluster',
+        severity: ENCODING_TABLE_RE.test(relativePath) ? 'LOW' : 'MEDIUM',
+        message: `Fragment cluster: ${frags.length} short high-entropy strings (8-49 chars) — possible payload fragmentation.`,
+        file: relativePath
+      });
+    }
   });
 
   return threats;

package/src/scanner/shell.js

@@ -16,7 +16,10 @@ const MALICIOUS_PATTERNS = [
   { pattern: /(?:cat|readFile|cp|mv|curl\s+file:\/\/|tar\s+.*|scp\s+).*\.ssh/m, name: 'ssh_access', severity: 'HIGH' },
   { pattern: /python\s+-c.*import\s+socket/m, name: 'python_reverse_shell', severity: 'CRITICAL' },
   { pattern: /perl\s+-e.*socket/m, name: 'perl_reverse_shell', severity: 'CRITICAL' },
-  { pattern: /mkfifo.*\/dev\/tcp/m, name: 'fifo_reverse_shell', severity: 'CRITICAL' }
+  { pattern: /mkfifo.*\/dev\/tcp/m, name: 'fifo_reverse_shell', severity: 'CRITICAL' },
+  { pattern: /mkfifo\s+\S+.*(?:\|\s*nc\s|nc\s+\S+.*>\s*\/tmp\/)/m, name: 'fifo_nc_reverse_shell', severity: 'CRITICAL' },
+  { pattern: /base64\s+-d\b.*\|\s*(ba)?sh/m, name: 'base64_decode_exec', severity: 'CRITICAL' },
+  { pattern: /wget\s+\S+.*&&.*base64\s+-d/m, name: 'wget_base64_decode', severity: 'HIGH' }
 ];
 
 async function scanShellScripts(targetPath) {

package/src/scanner/typosquat.js

@@ -116,6 +116,20 @@ const WHITELIST = new Set([
 ]);
 
 
+// B13: Pair-aware whitelist — only skip comparison with the specific popular package
+const WHITELIST_PAIRS = new Map([
+  ['chai', 'chalk'], ['pino', 'sinon'], ['ioredis', 'redis'],
+  ['bcryptjs', 'bcrypt'], ['recast', 'react'], ['asyncdi', 'async'],
+  ['redux', 'redis'], ['args', 'yargs'], ['oxlint', 'eslint'], ['vasync', 'async'],
+  ['conf', 'config'], ['defu', 'debug'], ['ohash', 'lodash'], ['cors', 'colors'],
+  ['meant', 'react'], ['whelk', 'chalk'], ['tslog', 'tslib'], ['mkdist', 'mkdirp'],
+  ['jshint', 'eslint'], ['dtslint', 'eslint'], ['redis', 'redux'],
+  ['cypress', 'express'], ['colord', 'colors'], ['read', 'react'],
+  ['ulid', 'uuid'], ['tslint', 'eslint'], ['jison', 'sinon'],
+  ['reds', 'redis'], ['docdash', 'lodash'], ['yarpm', 'yargs'],
+  ['canvg', 'canvas'], ['mocks', 'mocha'], ['reactor', 'react']
+]);
+
 // Pre-computed lowercase versions for performance
 const POPULAR_PACKAGES_LOWER = POPULAR_PACKAGES.map(p => p.toLowerCase());
 
@@ -317,9 +331,9 @@ async function scanTyposquatting(targetPath) {
 function findTyposquatMatch(name) {
   const nameLower = name.toLowerCase();
   
-  // Ignore les packages whitelistes
-  if (WHITELIST.has(nameLower)) return null;
-  
+  // Ignore les packages whitelistes (B13: only skip entirely if not in pair-aware map)
+  if (WHITELIST.has(nameLower) && !WHITELIST_PAIRS.has(nameLower)) return null;
+
   // Ignore les packages scoped (@org/package)
   if (name.startsWith('@')) return null;
 
@@ -329,6 +343,9 @@ function findTyposquatMatch(name) {
   // Ignore les packages avec suffixes legitimes courants
   if (isLegitimateVariant(nameLower)) return null;
 
+  // B13: Get the specific popular package this whitelisted name is paired with
+  const pairedTarget = WHITELIST_PAIRS.get(nameLower);
+
   for (let i = 0; i < POPULAR_PACKAGES.length; i++) {
     const popularLower = POPULAR_PACKAGES_LOWER[i];
     const popular = POPULAR_PACKAGES[i];
@@ -336,6 +353,9 @@ function findTyposquatMatch(name) {
     // Ignore si c'est exactement le meme
     if (nameLower === popularLower) continue;
 
+    // B13: Skip only the intended pair for whitelisted packages
+    if (pairedTarget && pairedTarget === popularLower) continue;
+
     // Ignore si le package populaire est trop court
     if (popular.length < MIN_PACKAGE_LENGTH) continue;