muaddib-scanner 2.5.15 → 2.5.16

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.5.15",
+  "version": "2.5.16",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -23,7 +23,7 @@ const { ensureIOCs } = require('./ioc/bootstrap.js');
 const { scanEntropy } = require('./scanner/entropy.js');
 const { scanAIConfig } = require('./scanner/ai-config.js');
 const { deobfuscate } = require('./scanner/deobfuscate.js');
-const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows } = require('./scanner/module-graph.js');
+const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, annotateSinkExports, detectCallbackCrossFileFlows } = require('./scanner/module-graph.js');
 const { computeReachableFiles } = require('./scanner/reachability.js');
 const { runTemporalAnalyses } = require('./temporal-runner.js');
 const { formatOutput } = require('./output-formatter.js');
@@ -362,6 +362,10 @@ async function run(targetPath, options = {}) {
       const graph = await yieldThen(() => buildModuleGraph(targetPath));
       const tainted = await yieldThen(() => annotateTaintedExports(graph, targetPath));
       crossFileFlows = await yieldThen(() => detectCrossFileFlows(graph, tainted, targetPath));
+      // Callback-based cross-file flow detection
+      const sinkAnnotations = await yieldThen(() => annotateSinkExports(graph, targetPath));
+      const callbackFlows = await yieldThen(() => detectCallbackCrossFileFlows(graph, tainted, sinkAnnotations, targetPath));
+      crossFileFlows = crossFileFlows.concat(callbackFlows);
     } catch (e) {
       // Graceful fallback — module graph is best-effort
       debugLog('[MODULE-GRAPH] Error:', e && e.message);

package/src/response/playbooks.js

@@ -461,6 +461,31 @@ const PLAYBOOKS = {
   fragmented_high_entropy_cluster:
     'Cluster de chaines courtes a haute entropie detecte. Possible fragmentation de payload pour eviter la detection. ' +
     'Reconstituer les fragments et analyser le contenu combine. Verifier si les chaines sont concatenees ou reassemblees a l\'execution.',
+
+  wasm_host_sink:
+    'CRITIQUE: Module WebAssembly charge avec des imports host contenant des sinks reseau. Le flux de controle est cache dans le binaire WASM, ' +
+    'rendant l\'analyse statique impossible. Le WASM peut lire des fichiers sensibles et exfiltrer via les callbacks host. ' +
+    'Supprimer le package immediatement. Analyser le fichier WASM avec wasm2wat pour comprendre le flux. Regenerer tous les secrets.',
+  credential_regex_harvest:
+    'Code contient des regex de detection de credentials (Bearer, password, token, API key) combine avec un appel reseau. ' +
+    'Technique de harvesting: scanne les donnees en transit (streams HTTP, fichiers) pour extraire des secrets et les exfiltrer. ' +
+    'Supprimer le package. Auditer le trafic reseau sortant.',
+  builtin_override_exfil:
+    'Code remplace une methode built-in (console.log/warn/error, Object.defineProperty) et contient un appel reseau. ' +
+    'Technique de monkey-patching: intercepte les donnees passant par les APIs natives pour les exfiltrer. ' +
+    'Supprimer le package. Verifier si d\'autres methodes natives ont ete modifiees.',
+  stream_credential_intercept:
+    'Classe stream (Transform/Duplex/Writable) avec regex de credentials et appel reseau. ' +
+    'Technique de wiretap: le stream intercepte les donnees en transit, scanne pour des secrets (Bearer, password, token) ' +
+    'et les exfiltre via un appel reseau. Supprimer le package.',
+  remote_code_load:
+    'CRITIQUE: Fetch reseau + eval/new Function() dans le meme fichier. ' +
+    'Technique multi-stage: le package telecharge un payload depuis un serveur distant (SVG, HTML, JSON) puis l\'execute. ' +
+    'Supprimer le package. Bloquer le domaine C2 au niveau firewall.',
+  proxy_data_intercept:
+    'CRITIQUE: Un Proxy JavaScript avec trap set/get/apply est combine avec un appel reseau. ' +
+    'Technique d\'interception: le Proxy capture toutes les ecritures de proprietes (credentials, tokens, config) ' +
+    'et les exfiltre via HTTPS/fetch/dgram. Supprimer le package. Auditer tous les modules qui importent ce package.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -1285,6 +1285,78 @@ const RULES = {
     ],
     mitre: 'T1059'
   },
+  wasm_host_sink: {
+    id: 'MUADDIB-AST-042',
+    name: 'WASM Host Import Sink',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Module WebAssembly charge avec des callbacks host contenant des sinks reseau (fetch/http.request). Le WASM peut invoquer ces callbacks pour exfiltrer des donnees tout en cachant le flux de controle. Aucun package npm legitime ne combine WASM + callbacks reseau host.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059/',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1059'
+  },
+  credential_regex_harvest: {
+    id: 'MUADDIB-AST-041',
+    name: 'Credential Regex Harvesting',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Regex de detection de credentials (token/password/secret/Bearer) combine avec un appel reseau. Technique de harvesting: le code scanne les donnees de flux (streams, requetes) a la recherche de credentials et les exfiltre.',
+    references: [
+      'https://attack.mitre.org/techniques/T1552/',
+      'https://attack.mitre.org/techniques/T1041/'
+    ],
+    mitre: 'T1552'
+  },
+  builtin_override_exfil: {
+    id: 'MUADDIB-AST-044',
+    name: 'Built-in Method Override Exfiltration',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Override de methode built-in (console.log/warn/error, Object.defineProperty) combine avec un appel reseau. Technique de monkey-patching: le code remplace une API native pour intercepter les donnees en transit et les exfiltrer.',
+    references: [
+      'https://attack.mitre.org/techniques/T1557/',
+      'https://attack.mitre.org/techniques/T1041/'
+    ],
+    mitre: 'T1557'
+  },
+  stream_credential_intercept: {
+    id: 'MUADDIB-AST-045',
+    name: 'Stream Credential Interception',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Classe stream (Transform/Duplex/Writable) avec regex de credentials et appel reseau. Technique de wiretap: le stream intercepte les donnees en transit, scanne pour des credentials (Bearer, password, token) et les exfiltre.',
+    references: [
+      'https://attack.mitre.org/techniques/T1557/',
+      'https://attack.mitre.org/techniques/T1552/'
+    ],
+    mitre: 'T1557'
+  },
+  remote_code_load: {
+    id: 'MUADDIB-AST-040',
+    name: 'Remote Code Loading',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Fetch reseau + eval/Function dans le meme fichier. Technique multi-stage: le code telecharge un payload distant (SVG, HTML, JSON) et l\'execute dynamiquement. Aucun package npm legitime ne combine fetch + eval/Function.',
+    references: [
+      'https://attack.mitre.org/techniques/T1105/',
+      'https://attack.mitre.org/techniques/T1059/'
+    ],
+    mitre: 'T1105'
+  },
+  proxy_data_intercept: {
+    id: 'MUADDIB-AST-043',
+    name: 'Proxy Data Interception',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Proxy trap (set/get/apply) combine avec un appel reseau dans le meme fichier. Technique d\'interception de donnees: le Proxy capture toutes les ecritures/lectures de proprietes et les exfiltre via le reseau. Utilise pour voler des credentials passees via module.exports.',
+    references: [
+      'https://attack.mitre.org/techniques/T1557/',
+      'https://attack.mitre.org/techniques/T1041/'
+    ],
+    mitre: 'T1557'
+  },
 };
 
 function getRule(type) {

package/src/scanner/ast-detectors.js

@@ -26,17 +26,56 @@ const SAFE_ENV_VARS = [
   'LANG', 'TERM', 'CI', 'DEBUG', 'VERBOSE', 'LOG_LEVEL',
   'SHELL', 'USER', 'LOGNAME', 'EDITOR', 'TZ',
   'NODE_DEBUG', 'NODE_PATH', 'NODE_OPTIONS',
-  'DISPLAY', 'COLORTERM', 'FORCE_COLOR', 'NO_COLOR', 'TERM_PROGRAM'
+  'DISPLAY', 'COLORTERM', 'FORCE_COLOR', 'NO_COLOR', 'TERM_PROGRAM',
+  // CI environment metadata (non-sensitive)
+  'GITHUB_REPOSITORY', 'GITHUB_SHA', 'GITHUB_REF', 'GITHUB_WORKSPACE',
+  'GITHUB_RUN_ID', 'GITHUB_RUN_NUMBER', 'GITHUB_ACTOR', 'GITHUB_EVENT_NAME',
+  'GITHUB_WORKFLOW', 'GITHUB_ACTION', 'GITHUB_JOB', 'GITHUB_SERVER_URL',
+  'GITLAB_CI', 'TRAVIS', 'CIRCLECI', 'JENKINS_URL',
+  // Build tool config
+  'NODE_TLS_REJECT_UNAUTHORIZED', 'BABEL_ENV', 'WEBPACK_MODE'
 ];
 
-// Env var prefixes that are safe (npm metadata, locale settings)
-const SAFE_ENV_PREFIXES = ['npm_config_', 'npm_lifecycle_', 'npm_package_', 'lc_', 'muaddib_'];
+// Env var prefixes that are safe (npm metadata, locale settings, framework public vars)
+const SAFE_ENV_PREFIXES = [
+  'npm_config_', 'npm_lifecycle_', 'npm_package_', 'lc_', 'muaddib_',
+  'next_public_', 'vite_', 'react_app_'
+];
 
 // Env var keywords to detect sensitive environment access (separate from SENSITIVE_STRINGS)
 const ENV_SENSITIVE_KEYWORDS = [
   'TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH'
 ];
 
+// Non-sensitive qualifiers: when a keyword is preceded by one of these in the env var name,
+// it is config metadata, not a real secret (e.g., PUBLIC_KEY, CACHE_KEY, SORT_KEY)
+const ENV_NON_SENSITIVE_QUALIFIERS = new Set([
+  'PUBLIC', 'CACHE', 'PRIMARY', 'FOREIGN', 'SORT', 'PARTITION', 'INDEX', 'ENCRYPTION'
+]);
+
+/**
+ * Check if an env var name contains a sensitive keyword as a full _-delimited segment,
+ * not preceded by a non-sensitive qualifier.
+ * e.g., NPM_TOKEN → TOKEN is full segment → true
+ *       PUBLIC_KEY → KEY preceded by PUBLIC → false
+ *       CACHE_KEY → KEY preceded by CACHE → false
+ *       GITHUB_TOKEN → TOKEN is full segment, preceded by GITHUB (not a qualifier) → true
+ */
+function isEnvSensitive(envVar) {
+  const upper = envVar.toUpperCase();
+  const segments = upper.split('_');
+  for (let i = 0; i < segments.length; i++) {
+    if (ENV_SENSITIVE_KEYWORDS.includes(segments[i])) {
+      // Check if preceded by a non-sensitive qualifier
+      if (i > 0 && ENV_NON_SENSITIVE_QUALIFIERS.has(segments[i - 1])) {
+        continue;
+      }
+      return true;
+    }
+  }
+  return false;
+}
+
 // AI agent dangerous flags — disable security controls (s1ngularity/Nx, Aug 2025)
 const AI_AGENT_DANGEROUS_FLAGS = [
   '--dangerously-skip-permissions',
@@ -85,10 +124,11 @@ const HOOKABLE_NATIVES = [
 ];
 
 // Node.js core module classes targeted for prototype hooking
-const NODE_HOOKABLE_MODULES = ['http', 'https', 'net', 'tls', 'stream'];
+const NODE_HOOKABLE_MODULES = ['http', 'https', 'net', 'tls', 'stream', 'events', 'dgram'];
 const NODE_HOOKABLE_CLASSES = [
   'IncomingMessage', 'ServerResponse', 'ClientRequest',
-  'OutgoingMessage', 'Socket', 'Server', 'Agent'
+  'OutgoingMessage', 'Socket', 'Server', 'Agent',
+  'EventEmitter'
 ];
 
 // AI/MCP config paths targeted for config injection (SANDWORM_MODE)
@@ -423,7 +463,7 @@ function handleVariableDeclarator(node, ctx) {
         if (SAFE_ENV_VARS.includes(envVar)) continue;
         const envLower = envVar.toLowerCase();
         if (SAFE_ENV_PREFIXES.some(p => envLower.startsWith(p))) continue;
-        if (ENV_SENSITIVE_KEYWORDS.some(s => envVar.toUpperCase().includes(s))) {
+        if (isEnvSensitive(envVar)) {
           ctx.threats.push({
             type: 'env_access',
             severity: 'HIGH',
@@ -538,7 +578,7 @@ function handleCallExpression(node, ctx) {
         }
       }
       if (!resolved) {
-        ctx.threats.push({ type: 'dynamic_require', severity: 'HIGH',
+        ctx.threats.push({ type: 'dynamic_require', severity: 'MEDIUM',
           message: 'Dynamic require() with member expression argument (object property obfuscation).',
           file: ctx.relFile });
       }
@@ -985,9 +1025,9 @@ function handleCallExpression(node, ctx) {
 
   if (callName === 'eval') {
     ctx.hasEvalInFile = true;
-    ctx.hasDynamicExec = true;
     // Detect staged eval decode
     if (node.arguments.length === 1 && hasDecodeArg(node.arguments[0])) {
+      ctx.hasDynamicExec = true;
       ctx.threats.push({
         type: 'staged_eval_decode',
         severity: 'CRITICAL',
@@ -1007,9 +1047,15 @@ function handleCallExpression(node, ctx) {
         if (/\b(require|import|exec|execSync|spawn|child_process|\.readFile|\.writeFile|process\.env|\.homedir)\b/.test(val)) {
           severity = 'HIGH';
           message = `eval() with dangerous API in string literal: "${val.substring(0, 100)}"`;
+          ctx.hasDynamicExec = true;
         }
       }
 
+      // Only set hasDynamicExec for non-constant (dynamic) eval
+      if (!isConstant) {
+        ctx.hasDynamicExec = true;
+      }
+
       ctx.threats.push({
         type: 'dangerous_call_eval',
         severity,
@@ -1039,6 +1085,25 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // setTimeout/setInterval with string argument = eval equivalent
+  // setTimeout("require('child_process').exec('whoami')", 100) executes the string as code
+  // Only string Literal and TemplateLiteral are eval-equivalent; Identifier/MemberExpression
+  // are function references (callbacks), not code strings.
+  if ((callName === 'setTimeout' || callName === 'setInterval') && node.arguments.length >= 1) {
+    const firstArg = node.arguments[0];
+    if ((firstArg.type === 'Literal' && typeof firstArg.value === 'string') ||
+        firstArg.type === 'TemplateLiteral') {
+      ctx.hasEvalInFile = true;
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: 'dangerous_call_eval',
+        severity: 'HIGH',
+        message: `${callName}() with string argument — eval equivalent, executes the string as code.`,
+        file: ctx.relFile
+      });
+    }
+  }
+
   // Detect eval.call(null, code) / eval.apply(null, [code]) / Function.call/apply
   if (node.callee.type === 'MemberExpression' && !node.callee.computed &&
       node.callee.property?.type === 'Identifier' &&
@@ -1447,6 +1512,20 @@ function handleNewExpression(node, ctx) {
         file: ctx.relFile
       });
     }
+    // Detect new Proxy(obj, handler) where handler has set/get traps — data interception
+    // Real-world technique: export a Proxy that intercepts all property sets/gets to exfiltrate
+    // data flowing through the module. Combined with network (hasNetworkInFile) → credential theft.
+    if (!target.type?.includes('MemberExpression') || target.property?.name !== 'env') {
+      const handler = node.arguments[1];
+      if (handler?.type === 'ObjectExpression') {
+        const hasTrap = handler.properties?.some(p =>
+          p.key?.type === 'Identifier' && ['set', 'get', 'apply', 'construct'].includes(p.key.name)
+        );
+        if (hasTrap) {
+          ctx.hasProxyTrap = true;
+        }
+      }
+    }
   }
 
   // Batch 2: new Worker(code, { eval: true }) — worker_threads code execution
@@ -1630,6 +1709,19 @@ function handleAssignmentExpression(node, ctx) {
       }
     }
 
+    // JSON.stringify = ... or JSON.parse = ... — global API hooking
+    // Real-world technique: override JSON.stringify to intercept all serialization and exfiltrate data
+    if (left.object?.type === 'Identifier' && left.object.name === 'JSON' &&
+        left.property?.type === 'Identifier' &&
+        ['stringify', 'parse'].includes(left.property.name)) {
+      ctx.threats.push({
+        type: 'prototype_hook',
+        severity: 'HIGH',
+        message: `JSON.${left.property.name} overridden — global API hooking to intercept all JSON serialization/deserialization.`,
+        file: ctx.relFile
+      });
+    }
+
     // XMLHttpRequest.prototype.send = ... or Response.prototype.json = ...
     if (left.object?.type === 'MemberExpression' &&
         left.object.property?.type === 'Identifier' &&
@@ -1723,7 +1815,7 @@ function handleMemberExpression(node, ctx) {
       if (SAFE_ENV_PREFIXES.some(p => envLower.startsWith(p))) {
         return;
       }
-      if (ENV_SENSITIVE_KEYWORDS.some(s => envVar.toUpperCase().includes(s))) {
+      if (isEnvSensitive(envVar)) {
         ctx.threats.push({
           type: 'env_access',
           severity: 'HIGH',
@@ -1828,6 +1920,17 @@ function handlePostWalk(ctx) {
     });
   }
 
+  // Remote code loading: fetch + eval/Function in same file = multi-stage payload
+  // Distinct from fetch_decrypt_exec which also requires crypto. This catches SVG/HTML payload extraction.
+  if (ctx.hasRemoteFetch && ctx.hasDynamicExec && !ctx.hasCryptoDecipher) {
+    ctx.threats.push({
+      type: 'remote_code_load',
+      severity: 'CRITICAL',
+      message: 'Remote code loading: network fetch + dynamic eval/Function in same file — multi-stage payload execution.',
+      file: ctx.relFile
+    });
+  }
+
   // Wave 4: Remote fetch + crypto decrypt + dynamic eval = steganographic payload chain
   if (ctx.hasRemoteFetch && ctx.hasCryptoDecipher && ctx.hasDynamicExec) {
     ctx.threats.push({
@@ -1861,6 +1964,67 @@ function handlePostWalk(ctx) {
     });
   }
 
+  // WASM payload detection: WebAssembly.compile/instantiate + readFileSync/https in same file
+  // WASM host import objects can contain callback functions that read credentials and exfiltrate.
+  // This pattern is never legitimate in npm packages — WASM should use pure computation, not host I/O.
+  if (ctx.hasWasmLoad && ctx.hasNetworkCallInFile) {
+    ctx.threats.push({
+      type: 'wasm_host_sink',
+      severity: 'CRITICAL',
+      message: 'WebAssembly module with network-capable host imports. WASM can invoke host callbacks to exfiltrate data while hiding control flow.',
+      file: ctx.relFile
+    });
+  }
+
+  // Credential regex harvesting: credential-matching regex + network call in same file
+  // Real-world pattern: Transform/stream that scans data for tokens/passwords and exfiltrates
+  if (ctx.hasCredentialRegex && ctx.hasNetworkCallInFile) {
+    ctx.threats.push({
+      type: 'credential_regex_harvest',
+      severity: 'HIGH',
+      message: 'Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting.',
+      file: ctx.relFile
+    });
+  }
+
+  // Built-in method override + network: console.X = function or Object.defineProperty = function
+  // combined with network calls. Monkey-patching built-in APIs for data interception.
+  if (ctx.hasBuiltinOverride && ctx.hasNetworkCallInFile) {
+    ctx.threats.push({
+      type: 'builtin_override_exfil',
+      severity: 'HIGH',
+      message: 'Built-in method override (console/Object.defineProperty) + network call — runtime API hijacking for data interception and exfiltration.',
+      file: ctx.relFile
+    });
+  }
+
+  // Stream credential interception: Transform/Duplex/Writable stream + credential regex + network
+  // Wiretap pattern: intercepts data in transit, scans for credentials, exfiltrates matches.
+  if (ctx.hasStreamInterceptor && ctx.hasCredentialRegex && ctx.hasNetworkCallInFile) {
+    ctx.threats.push({
+      type: 'stream_credential_intercept',
+      severity: 'HIGH',
+      message: 'Stream class (Transform/Duplex/Writable) with credential regex scanning + network call — data-in-transit credential wiretap.',
+      file: ctx.relFile
+    });
+  }
+
+  // Proxy data interception: new Proxy(obj, { set/get }) + network in same file
+  // Real-world pattern: export a Proxy that exfiltrates all property assignments via network
+  // CRITICAL only when credential signals co-occur (env_access, suspicious_dataflow),
+  // otherwise HIGH — bare Proxy + fetch is insufficient evidence.
+  if (ctx.hasProxyTrap && ctx.hasNetworkCallInFile) {
+    const hasCredentialSignal = ctx.threats.some(t =>
+      t.type === 'env_access' || t.type === 'suspicious_dataflow'
+    );
+    ctx.threats.push({
+      type: 'proxy_data_intercept',
+      severity: hasCredentialSignal ? 'CRITICAL' : 'HIGH',
+      message: 'Proxy trap (set/get/apply) with network call in same file — data interception and exfiltration via Proxy handler.',
+      file: ctx.relFile
+    });
+  }
+
   // Wave 4: MCP content keywords in file with writeFileSync = MCP injection signal
   if (ctx.hasMcpContentKeywords && !ctx.threats.some(t => t.type === 'mcp_config_injection')) {
     ctx.threats.push({

package/src/scanner/ast.js

@@ -15,6 +15,24 @@ const {
   handlePostWalk
 } = require('./ast-detectors.js');
 
+// Check if credential keywords appear INSIDE regex literals or new RegExp() patterns.
+// Only true when the keyword is part of the regex pattern itself, not just a string elsewhere in the file.
+const CREDENTIAL_REGEX_KEYWORDS = /bearer|password|secret|token|credential|api.?key/i;
+function hasCredentialInsideRegex(content) {
+  // Check regex literals: /...pattern.../flags
+  const regexLiteralRe = /\/(?!\*)(?:[^/\\]|\\.)+\/[gimsuy]*/g;
+  let m;
+  while ((m = regexLiteralRe.exec(content)) !== null) {
+    if (CREDENTIAL_REGEX_KEYWORDS.test(m[0])) return true;
+  }
+  // Check new RegExp('pattern') — keyword must be in the string argument
+  const newRegExpRe = /new\s+RegExp\s*\(\s*(['"`])((?:[^\\]|\\.)*?)\1/g;
+  while ((m = newRegExpRe.exec(content)) !== null) {
+    if (CREDENTIAL_REGEX_KEYWORDS.test(m[2])) return true;
+  }
+  return false;
+}
+
 const EXCLUDED_FILES = [
   'src/scanner/ast.js',
   'src/scanner/shell.js',
@@ -93,6 +111,15 @@ function analyzeFile(content, filePath, basePath) {
     hasEnvEnumeration: false,  // Object.entries/keys/values(process.env)
     hasEnvHarvestPattern: /\b(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|NPM|AWS|SSH|WEBHOOK)\b/.test(content),
     hasNetworkCallInFile: /\b(fetch|https?\.request|https?\.get|dns\.resolve)\b/.test(content),
+    // Credential regex harvesting: regex literals or new RegExp() whose PATTERN contains credential keywords
+    // Must check that the keyword is inside the regex, not just anywhere in the file
+    hasCredentialRegex: hasCredentialInsideRegex(content),
+    // Built-in method override: console.X = function or Object.defineProperty = function
+    hasBuiltinOverride: /\bconsole\s*\.\s*\w+\s*=\s*function/.test(content) ||
+                        /\bconsole\s*\[\s*\w+\s*\]\s*=\s*function/.test(content) ||
+                        /\bObject\s*\.\s*defineProperty\s*=\s*function/.test(content),
+    // Stream interceptor: class extending Transform/Duplex/Writable (data wiretap pattern)
+    hasStreamInterceptor: /\bextends\s+(Transform|Duplex|Writable)\b/.test(content),
     // SANDWORM_MODE P2: DNS exfiltration co-occurrence
     hasDnsRequire: /\brequire\s*\(\s*['"]dns['"]\s*\)/.test(content) || /\bdns\s*\.\s*resolve/.test(content),
     hasBase64Encode: /\.toString\s*\(\s*['"]base64(url)?['"]\s*\)/.test(content),
@@ -123,7 +150,11 @@ function analyzeFile(content, filePath, basePath) {
     hasModuleImport: /require\s*\(\s*['"]module['"]\s*\)/.test(content) || /module\.constructor/.test(content),
     hasMcpContentKeywords: (/\bmcpServers\b/.test(content) || /\bmcp\.json\b/.test(content) || /\bclaude_desktop_config\b/.test(content)) &&
       /\bwriteFileSync\b|\bwriteFile\s*\(/.test(content) &&
-      (/\.claude[/\\]/.test(content) || /\.cursor[/\\]/.test(content) || /\.vscode[/\\]/.test(content) || /\.windsurf[/\\]/.test(content) || /\.codeium[/\\]/.test(content) || /\.continue[/\\]/.test(content) || /claude_desktop_config/.test(content) || /\bmcp\.json\b/.test(content))
+      (/\.claude[/\\]/.test(content) || /\.cursor[/\\]/.test(content) || /\.vscode[/\\]/.test(content) || /\.windsurf[/\\]/.test(content) || /\.codeium[/\\]/.test(content) || /\.continue[/\\]/.test(content) || /claude_desktop_config/.test(content) || /\bmcp\.json\b/.test(content)),
+    // WASM payload detection: WebAssembly.compile/instantiate with host import sinks
+    hasWasmLoad: /\bWebAssembly\s*\.\s*(compile|instantiate|compileStreaming|instantiateStreaming)\b/.test(content),
+    hasWasmHostSink: false,  // set in handleCallExpression when WASM import object contains network/fs sinks
+    hasProxyTrap: false  // set in handleNewExpression when Proxy has set/get/apply trap
   };
 
   // Compute fetchOnlySafeDomains: check if ALL URLs in file point to known registries

package/src/scanner/dataflow.js

@@ -9,9 +9,11 @@ const { analyzeWithDeobfuscation } = require('../shared/analyze-helper.js');
 // Module classification maps for intra-file taint tracking
 const MODULE_SOURCE_METHODS = {
   os: {
-    homedir: 'fingerprint_read', hostname: 'fingerprint_read',
+    homedir: 'fingerprint_read',
     networkInterfaces: 'fingerprint_read', userInfo: 'fingerprint_read',
-    platform: 'telemetry_read', arch: 'telemetry_read'
+    hostname: 'telemetry_read', platform: 'telemetry_read', arch: 'telemetry_read',
+    type: 'telemetry_read', release: 'telemetry_read',
+    cpus: 'telemetry_read', totalmem: 'telemetry_read', freemem: 'telemetry_read'
   },
   fs: {
     readFileSync: 'credential_read', readFile: 'credential_read',
@@ -356,21 +358,17 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
-      // os.hostname(), os.networkInterfaces(), os.userInfo(), os.homedir() as fingerprint sources
-      // os.platform(), os.arch() as telemetry sources (lower severity)
+      // os.* methods classified via MODULE_SOURCE_METHODS for consistent categorization
+      // fingerprint_read: homedir, networkInterfaces, userInfo (real exfil targets)
+      // telemetry_read: hostname, platform, arch, type, release, cpus, totalmem, freemem
       if (node.callee.type === 'MemberExpression') {
         const obj = node.callee.object;
         const prop = node.callee.property;
         if (obj?.type === 'Identifier' && obj.name === 'os' && prop?.type === 'Identifier') {
-          if (['hostname', 'networkInterfaces', 'userInfo', 'homedir'].includes(prop.name)) {
+          const osClassification = MODULE_SOURCE_METHODS.os?.[prop.name];
+          if (osClassification) {
             sources.push({
-              type: 'fingerprint_read',
-              name: `os.${prop.name}`,
-              line: node.loc?.start?.line
-            });
-          } else if (['platform', 'arch'].includes(prop.name)) {
-            sources.push({
-              type: 'telemetry_read',
+              type: osClassification,
               name: `os.${prop.name}`,
               line: node.loc?.start?.line
             });

package/src/scanner/entropy.js

@@ -266,7 +266,7 @@ function scanEntropy(targetPath, options = {}) {
     }
 
     // B11: Fragment cluster — many short high-entropy strings = payload fragmentation
-    const FRAG_MIN = 8, FRAG_MAX = 49, FRAG_COUNT = 5, FRAG_ENTROPY = 4.5;
+    const FRAG_MIN = 8, FRAG_MAX = 49, FRAG_COUNT = 10, FRAG_ENTROPY = 5.0;
     const frags = strings.filter(s =>
       s.length >= FRAG_MIN && s.length <= FRAG_MAX &&
       !SOURCE_MAP_REGEX.test(s) && !SHA256_HEX_REGEX.test(s) && !MD5_HEX_REGEX.test(s) &&

package/src/scanner/module-graph.js

@@ -5,7 +5,7 @@ const { findFiles, EXCLUDED_DIRS } = require('../utils');
 const { ACORN_OPTIONS: BASE_ACORN_OPTIONS, safeParse } = require('../shared/constants.js');
 
 // --- Sensitive source patterns ---
-const SENSITIVE_MODULES = new Set(['fs', 'child_process', 'dns', 'os']);
+const SENSITIVE_MODULES = new Set(['fs', 'child_process', 'dns', 'os', 'dgram']);
 
 const ACORN_OPTIONS = {
   ...BASE_ACORN_OPTIONS,
@@ -151,10 +151,15 @@ function analyzeExports(filePath) {
 
   // Track class declarations: class Foo { ... }
   const classDefs = {};
+  // Track function declarations: function foo() { ... }
+  const funcDefs = {};
   walkAST(ast, (node) => {
     if (node.type === 'ClassDeclaration' && node.id && node.id.name) {
       classDefs[node.id.name] = node;
     }
+    if (node.type === 'FunctionDeclaration' && node.id && node.id.name) {
+      funcDefs[node.id.name] = node;
+    }
   });
 
   // First pass: collect require assignments, ES imports, and tainted variable assignments
@@ -309,6 +314,16 @@ function analyzeExports(filePath) {
             } else if (prop.value.type === 'Identifier' && taintedVars[prop.value.name]) {
               const t = taintedVars[prop.value.name];
               exports[propName] = { tainted: true, source: t.source, detail: t.detail };
+            } else if (prop.value.type === 'Identifier' && funcDefs[prop.value.name]) {
+              // Shorthand property referencing a FunctionDeclaration: { readConfig }
+              const fnNode = funcDefs[prop.value.name];
+              const fnBody = fnNode.body && fnNode.body.type === 'BlockStatement' ? fnNode.body.body : null;
+              if (fnBody) {
+                const bodyTaint = scanBodyForTaint(fnBody, moduleVars, taintedVars);
+                if (bodyTaint) {
+                  exports[propName] = { tainted: true, source: bodyTaint.source, detail: bodyTaint.detail };
+                }
+              }
             }
           }
         }
@@ -1081,8 +1096,283 @@ function toRel(abs, packagePath) {
   return path.relative(packagePath, abs).replace(/\\/g, '/');
 }
 
+// =============================================================================
+// STEP 4 — Sink export annotation (for callback-based cross-file detection)
+// =============================================================================
+
+/**
+ * Annotate exports that contain network/exec sinks in their function body.
+ * This is the inverse of annotateTaintedExports — finds "where data goes out".
+ * Used to detect callback-based cross-file exfiltration:
+ *   reader.js exports readConfig() (tainted source)
+ *   sender.js exports sendData() (sink export)
+ *   index.js connects them via callback: readConfig((data) => sendData(data))
+ */
+function annotateSinkExports(graph, packagePath) {
+  const result = {};
+  for (const relFile of Object.keys(graph)) {
+    const absFile = path.resolve(packagePath, relFile);
+    result[relFile] = analyzeSinkExports(absFile);
+  }
+  return result;
+}
+
+function analyzeSinkExports(filePath) {
+  const ast = parseFile(filePath);
+  if (!ast) return {};
+
+  const sinkExports = {};
+
+  // Track function declarations for shorthand property resolution
+  const localFuncDefs = {};
+  walkAST(ast, (node) => {
+    if (node.type === 'FunctionDeclaration' && node.id && node.id.name) {
+      localFuncDefs[node.id.name] = node;
+    }
+  });
+
+  // Collect require assignments for sink module detection
+  const sinkModuleVars = {};
+  walkAST(ast, (node) => {
+    if (node.type === 'VariableDeclaration') {
+      for (const decl of node.declarations) {
+        if (!decl.init || !decl.id || decl.id.type !== 'Identifier') continue;
+        if (isRequireCall(decl.init)) {
+          const mod = decl.init.arguments[0].value;
+          if (mod === 'http' || mod === 'https' || mod === 'net' || mod === 'dgram') {
+            sinkModuleVars[decl.id.name] = mod;
+          }
+        }
+      }
+    }
+    if (node.type === 'ImportDeclaration' && node.source && typeof node.source.value === 'string') {
+      const mod = node.source.value;
+      if (mod === 'http' || mod === 'https' || mod === 'net' || mod === 'dgram') {
+        for (const spec of node.specifiers) {
+          sinkModuleVars[spec.local.name] = mod;
+        }
+      }
+    }
+  });
+
+  function bodyHasSink(body) {
+    let found = null;
+    walkAST({ type: 'Program', body }, (node) => {
+      if (found) return;
+      if (node.type === 'CallExpression') {
+        // fetch(), eval()
+        if (node.callee.type === 'Identifier' && SINK_CALLEE_NAMES.has(node.callee.name)) {
+          found = node.callee.name + '()';
+          return;
+        }
+        // https.request(), http.get()
+        if (node.callee.type === 'MemberExpression') {
+          const chain = getMemberChain(node.callee);
+          if (SINK_MEMBER_METHODS.has(chain)) {
+            found = chain + '()';
+            return;
+          }
+          // Variable-based: const h = require('https'); h.request()
+          if (node.callee.object.type === 'Identifier' && sinkModuleVars[node.callee.object.name]) {
+            const method = node.callee.property.name || node.callee.property.value;
+            if (method === 'request' || method === 'get') {
+              found = sinkModuleVars[node.callee.object.name] + '.' + method + '()';
+              return;
+            }
+          }
+          // .write(), .send(), .connect()
+          const method = node.callee.property.name || node.callee.property.value;
+          if (SINK_INSTANCE_METHODS.has(method)) {
+            found = method + '()';
+            return;
+          }
+        }
+      }
+    });
+    return found;
+  }
+
+  // Check module.exports = { fn: function() { ... sink ... } }
+  walkAST(ast, (node) => {
+    if (isModuleExportsAssign(node)) {
+      const value = node.expression.right;
+      const exportName = getExportName(node.expression.left);
+
+      if (value.type === 'ObjectExpression' && exportName === 'default') {
+        for (const prop of value.properties) {
+          if (!prop.key) continue;
+          const propName = prop.key.name || prop.key.value || 'unknown';
+          let funcBody = getFunctionBody(prop.value);
+          // Shorthand property referencing a FunctionDeclaration: { reportData }
+          if (!funcBody && prop.value.type === 'Identifier' && localFuncDefs[prop.value.name]) {
+            const fnNode = localFuncDefs[prop.value.name];
+            funcBody = fnNode.body && fnNode.body.type === 'BlockStatement' ? fnNode.body.body : null;
+          }
+          if (funcBody) {
+            const sink = bodyHasSink(funcBody);
+            if (sink) {
+              sinkExports[propName] = { hasSink: true, sink };
+            }
+          }
+        }
+      } else {
+        const funcBody = getFunctionBody(value);
+        if (funcBody) {
+          const sink = bodyHasSink(funcBody);
+          if (sink) {
+            sinkExports[exportName] = { hasSink: true, sink };
+          }
+        }
+      }
+    }
+
+    // export function foo() { ... sink ... }
+    if (node.type === 'ExportNamedDeclaration' && node.declaration) {
+      const decl = node.declaration;
+      if (decl.type === 'FunctionDeclaration' && decl.id) {
+        const funcBody = decl.body && decl.body.type === 'BlockStatement' ? decl.body.body : null;
+        if (funcBody) {
+          const sink = bodyHasSink(funcBody);
+          if (sink) {
+            sinkExports[decl.id.name] = { hasSink: true, sink };
+          }
+        }
+      }
+    }
+  });
+
+  return sinkExports;
+}
+
+/**
+ * Detect callback-based cross-file flows.
+ * Pattern: file imports tainted source fn + sink fn, connects them via callback.
+ * Example: readConfig((err, data) => { sendData(data); })
+ * Also: const data = readConfig(); sendData(data);
+ */
+function detectCallbackCrossFileFlows(graph, taintedExports, sinkExports, packagePath) {
+  const expandedTaint = expandTaintThroughReexports(graph, taintedExports, packagePath);
+  const flows = [];
+
+  for (const relFile of Object.keys(graph)) {
+    const absFile = path.resolve(packagePath, relFile);
+    const ast = parseFile(absFile);
+    if (!ast) continue;
+
+    const fileDir = path.dirname(absFile);
+
+    // Collect imported tainted source functions and imported sink functions
+    const importedSources = {}; // varName → { sourceFile, source, detail }
+    const importedSinks = {};   // varName → { sinkFile, sink }
+
+    walkAST(ast, (node) => {
+      if (node.type !== 'VariableDeclaration') return;
+      for (const decl of node.declarations) {
+        if (!decl.init || !decl.id) continue;
+
+        // const { readConfig } = require('./reader')
+        if (isRequireCall(decl.init) && isLocalImport(decl.init.arguments[0].value)) {
+          const spec = decl.init.arguments[0].value;
+          const resolved = resolveLocal(fileDir, spec, packagePath);
+          if (!resolved) continue;
+
+          if (decl.id.type === 'ObjectPattern') {
+            for (const prop of decl.id.properties) {
+              const key = prop.key && (prop.key.name || prop.key.value);
+              const localName = prop.value && prop.value.name;
+              if (!key || !localName) continue;
+
+              // Check if this is a tainted source export
+              if (expandedTaint[resolved] && expandedTaint[resolved][key] && expandedTaint[resolved][key].tainted) {
+                const t = expandedTaint[resolved][key];
+                importedSources[localName] = {
+                  sourceFile: t.sourceFile || resolved,
+                  source: t.source,
+                  detail: t.detail || ''
+                };
+              }
+
+              // Check if this is a sink export
+              if (sinkExports[resolved] && sinkExports[resolved][key] && sinkExports[resolved][key].hasSink) {
+                importedSinks[localName] = {
+                  sinkFile: resolved,
+                  sink: sinkExports[resolved][key].sink
+                };
+              }
+            }
+          }
+
+          if (decl.id.type === 'Identifier') {
+            // Whole module import: const reader = require('./reader')
+            // Check default taint
+            if (expandedTaint[resolved] && expandedTaint[resolved]['default'] && expandedTaint[resolved]['default'].tainted) {
+              const t = expandedTaint[resolved]['default'];
+              importedSources[decl.id.name] = {
+                sourceFile: t.sourceFile || resolved,
+                source: t.source,
+                detail: t.detail || ''
+              };
+            }
+            // Check default sink
+            if (sinkExports[resolved] && sinkExports[resolved]['default'] && sinkExports[resolved]['default'].hasSink) {
+              importedSinks[decl.id.name] = {
+                sinkFile: resolved,
+                sink: sinkExports[resolved]['default'].sink
+              };
+            }
+          }
+        }
+      }
+    });
+
+    // If we have both imported sources and sinks, check for callback connections
+    if (Object.keys(importedSources).length === 0 || Object.keys(importedSinks).length === 0) continue;
+
+    // Pattern 1: sourceFn(function(err, data) { sinkFn(data); })
+    // Pattern 2: const result = sourceFn(); sinkFn(result);
+    walkAST(ast, (node) => {
+      if (node.type !== 'CallExpression') return;
+
+      // Check if the call is to an imported source
+      const calleeName = node.callee.type === 'Identifier' ? node.callee.name : null;
+      if (!calleeName || !importedSources[calleeName]) return;
+
+      // Check if any argument is a callback that calls an imported sink
+      for (const arg of node.arguments) {
+        if (arg.type === 'FunctionExpression' || arg.type === 'ArrowFunctionExpression') {
+          const body = arg.body.type === 'BlockStatement' ? arg.body.body : [arg.body];
+          walkAST({ type: 'Program', body }, (inner) => {
+            if (inner.type !== 'CallExpression') return;
+            const innerCallee = inner.callee.type === 'Identifier' ? inner.callee.name : null;
+            if (innerCallee && importedSinks[innerCallee]) {
+              const src = importedSources[calleeName];
+              const snk = importedSinks[innerCallee];
+              // Avoid duplicates
+              const key = `${src.sourceFile}→${relFile}→${snk.sinkFile}`;
+              if (!flows.some(f => `${f.sourceFile}→${f.sinkFile}→${snk.sinkFile}` === key)) {
+                flows.push({
+                  severity: 'CRITICAL',
+                  type: 'cross_file_dataflow',
+                  sourceFile: src.sourceFile,
+                  source: `${src.source}${src.detail ? '(' + src.detail + ')' : ''}`,
+                  sinkFile: relFile,
+                  sink: snk.sink,
+                  description: `Credential read in ${src.sourceFile} passed via callback to network sink (${snk.sink}) imported from ${snk.sinkFile} in ${relFile}`,
+                });
+              }
+            }
+          });
+        }
+      }
+    });
+  }
+
+  return flows;
+}
+
 module.exports = {
   buildModuleGraph, annotateTaintedExports, detectCrossFileFlows,
+  annotateSinkExports, detectCallbackCrossFileFlows,
   resolveLocal, extractLocalImports, parseFile, isLocalImport, toRel, isFileExists,
   tryResolveConcatRequire
 };

package/src/scoring.js

@@ -118,7 +118,9 @@ const FP_COUNT_THRESHOLDS = {
   // P4: hash algorithms contain bit manipulation that triggers obfuscation heuristics
   js_obfuscation_pattern: { maxCount: 1, from: 'HIGH', to: 'LOW' },
   // P4: bundled credential_tampering from minified alias resolution (jspdf, lerna)
-  credential_tampering: { maxCount: 5, to: 'LOW' }
+  credential_tampering: { maxCount: 5, to: 'LOW' },
+  // B1 FP reduction: bundled code aliases eval/Function (sinon, storybook, vitest)
+  dangerous_call_eval: { maxCount: 3, from: 'MEDIUM', to: 'LOW' }
 };
 
 // Types exempt from dist/ downgrade — IOC matches, lifecycle scripts, and
@@ -133,12 +135,25 @@ const DIST_EXEMPT_TYPES = new Set([
   'download_exec_binary',     // download + chmod + exec (binary dropper)
   'cross_file_dataflow',      // credential read → network exfil across files
   'staged_eval_decode',       // eval(atob(...)) (explicit payload staging)
-  'reverse_shell'             // net.Socket + connect + pipe (always malicious)
+  'reverse_shell',            // net.Socket + connect + pipe (always malicious)
+  'remote_code_load',          // fetch + eval/Function (multi-stage payload)
+  'proxy_data_intercept'       // Proxy trap + network (data interception)
 ]);
 
 // Regex matching dist/build/minified/bundled file paths
 const DIST_FILE_RE = /(?:^|[/\\])(?:dist|build)[/\\]|\.min\.js$|\.bundle\.js$/i;
 
+// Bundler artifact types: get two-notch downgrade in dist/ files (CRITICAL→MEDIUM, HIGH→LOW).
+// These are individual pattern signals that bundlers routinely produce (eval for globalThis,
+// dynamic require for code-splitting, minification obfuscation, etc.)
+const DIST_BUNDLER_ARTIFACT_TYPES = new Set([
+  'dangerous_call_eval', 'dangerous_call_function',
+  'dynamic_require', 'dynamic_import',
+  'obfuscation_detected', 'high_entropy_string', 'possible_obfuscation',
+  'js_obfuscation_pattern', 'vm_code_execution',
+  'module_compile', 'module_compile_dynamic'
+]);
+
 // Types exempt from reachability downgrade — IOC matches, lifecycle, and package-level types.
 // NOTE: Uses the base IOC/lifecycle exempt set, NOT full DIST_EXEMPT_TYPES.
 // Compound detections (zlib_inflate_eval, staged_eval_decode, etc.) should still be
@@ -244,13 +259,23 @@ function applyFPReductions(threats, reachableFiles, packageName) {
       }
     }
 
-    // Dist/build/minified files: bundler artifacts get severity downgraded one notch.
-    // Reduced from two-notch (audit fix): 2-notch made dist/ attacks invisible (CRITICAL→MEDIUM=3pts).
+    // Dist/build/minified files: severity downgrade for bundler output.
     // Compound detections are exempt (DIST_EXEMPT_TYPES).
+    // Bundler artifact types (eval, dynamic_require, obfuscation) get two-notch downgrade
+    // (CRITICAL→MEDIUM, HIGH→LOW) since bundlers routinely produce these patterns.
+    // Other non-exempt types keep one-notch downgrade.
     if (t.file && !DIST_EXEMPT_TYPES.has(t.type) && DIST_FILE_RE.test(t.file)) {
-      if (t.severity === 'CRITICAL') t.severity = 'HIGH';
-      else if (t.severity === 'HIGH') t.severity = 'MEDIUM';
-      else if (t.severity === 'MEDIUM') t.severity = 'LOW';
+      if (DIST_BUNDLER_ARTIFACT_TYPES.has(t.type)) {
+        // Two-notch downgrade for bundler artifacts
+        if (t.severity === 'CRITICAL') t.severity = 'MEDIUM';
+        else if (t.severity === 'HIGH') t.severity = 'LOW';
+        else if (t.severity === 'MEDIUM') t.severity = 'LOW';
+      } else {
+        // One-notch downgrade for other non-exempt types
+        if (t.severity === 'CRITICAL') t.severity = 'HIGH';
+        else if (t.severity === 'HIGH') t.severity = 'MEDIUM';
+        else if (t.severity === 'MEDIUM') t.severity = 'LOW';
+      }
     }
 
     // Reachability: findings in files not reachable from entry points → LOW