muaddib-scanner 2.5.17 → 2.6.1

package/README.md

@@ -642,7 +642,7 @@ Alerts appear in Security > Code scanning alerts.
 ## Architecture
 
 ```
-MUAD'DIB 2.5.17 Scanner
+MUAD'DIB 2.6.1 Scanner
 |
 +-- IOC Match (225,000+ packages, JSON DB)
 |   +-- OSV.dev npm dump (200K+ MAL-* entries)
@@ -664,7 +664,12 @@ MUAD'DIB 2.5.17 Scanner
 |   +-- 3-hop re-export chains, class method analysis
 |   +-- Cross-file credential read -> network sink detection
 |
-+-- 14 Parallel Scanners (121 rules)
++-- Intent Coherence Analysis (v2.6.0)
+|   +-- Intra-file source-sink pairing (credential read + eval/network in same file)
+|   +-- Cross-file detection delegated to module-graph (proven taint paths only)
+|   +-- LOW severity threats excluded (respects FP reductions)
+|
++-- 14 Parallel Scanners (129 rules)
 |   +-- AST Parse (acorn) — eval/Function, credential CLI theft, binary droppers, prototype hooks
 |   +-- Pattern Matching (shell, scripts)
 |   +-- Obfuscation Detection (skip .min.js, ignore hex/unicode alone)
@@ -746,8 +751,8 @@ Output (CLI, JSON, HTML, SARIF, Webhook, Threat Feed)
 |--------|--------|---------|
 | **Wild TPR** (Datadog 17K) | **88.2%** raw · **~100%** adjusted | 17,922 real malware samples. 2,077 misses are all out-of-scope (see below) |
 | **TPR** (Ground Truth) | **93.9%** (46/49) | 51 real-world attacks (49 active). 3 out-of-scope: browser-only (3) |
-| **FPR** (Benign, global) | **12.3%** (65/529) | 529 npm packages, real source code via `npm pack`, threshold > 20 |
-| **ADR** (Adversarial + Holdout) | **94.0%** (63/67) | 62 adversarial + 40 holdout evasive samples. 4 misses: `require-cache-poison` (P3 trade-off), `getter-defineProperty-exfil`, `setTimeout-eval-chain`, `setter-trap-exfil` |
+| **FPR** (Benign, global) | **12.3%** (65/532) | 532 npm packages, real source code via `npm pack`, threshold > 20 |
+| **ADR** (Adversarial + Holdout) | **97.3%** (73/75) | 53 adversarial + 40 holdout evasive samples (75 available on disk). 2 misses: `require-cache-poison` (P3 trade-off), `getter-defineProperty-exfil` |
 
 **Datadog 17K benchmark** — [DataDog Malicious Software Packages Dataset](https://github.com/DataDog/malicious-software-packages-dataset), 17,922 real malware samples (npm). Raw TPR: 88.2% (15,810/17,922). The 2,077 misses (score=0) were manually categorized:
 
@@ -768,9 +773,9 @@ All 2,077 misses lack Node.js malware patterns. MUAD'DIB performs AST-based Node
 | Large (50-100 JS files) | 40 | 10 | 25.0% |
 | Very large (100+ JS files) | 62 | 25 | 40.3% |
 
-**FPR progression**: 0% (invalid, empty dirs, v2.2.0-v2.2.6) → 38% (first real measurement, v2.2.7) → 19.4% (v2.2.8) → 17.5% (v2.2.9) → ~13% (v2.2.11, per-file max scoring) → 8.9% (v2.3.0, P2) → 7.4% (v2.3.1, P3) → 6.0% (v2.5.8, P4 + IOC wildcard audit) → ~13.6% (v2.5.14, audit hardening added stricter detection) → **12.3%** (v2.5.16, P5 + P6)
+**FPR progression**: 0% (invalid, empty dirs, v2.2.0-v2.2.6) → 38% (first real measurement, v2.2.7) → 19.4% (v2.2.8) → 17.5% (v2.2.9) → ~13% (v2.2.11, per-file max scoring) → 8.9% (v2.3.0, P2) → 7.4% (v2.3.1, P3) → 6.0% (v2.5.8, P4 + IOC wildcard audit) → ~13.6% (v2.5.14, audit hardening added stricter detection) → **12.3%** (v2.5.16, P5 + P6) → **12.3%** (v2.6.0, intent graph v2 — zero FP added) → **12.3%** (v2.6.1, module-graph bounded path — zero FP added)
 
-> **Note on FPR evolution:** The historic 6.0% FPR (v2.5.8) relied on a `BENIGN_PACKAGE_WHITELIST` that excluded certain known packages from scoring — a data leakage bias removed in v2.5.10. The current 12.3% FPR is an honest measurement without whitelisting, against 529 real benign packages. The P5/P6 reductions (setTimeout precision, dist/ two-notch downgrade, credential_regex count-based, env segment matching, etc.) are detector precision improvements, not whitelisting.
+> **Note on FPR evolution:** The historic 6.0% FPR (v2.5.8) relied on a `BENIGN_PACKAGE_WHITELIST` that excluded certain known packages from scoring — a data leakage bias removed in v2.5.10. The current 12.3% FPR is an honest measurement without whitelisting, against 532 real benign packages. The intent graph (v2.6.0) adds zero false positives by using intra-file pairing only and excluding LOW-severity threats.
 
 **Holdout progression** (pre-tuning scores, rules frozen):
 
@@ -785,10 +790,10 @@ All 2,077 misses lack Node.js malware patterns. MUAD'DIB performs AST-based Node
 - **Wild TPR** (Datadog Benchmark): detection rate on 17,922 real malware packages from the [DataDog Malicious Software Packages Dataset](https://github.com/DataDog/malicious-software-packages-dataset). Raw 88.2% (15,810/17,922). Adjusted ~100% on JS/Node.js malware when excluding out-of-scope samples (1,233 phishing HTML pages, 824 native binaries, 20 corrected libraries). See [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md#14-datadog-17k-benchmark).
 - **TPR** (True Positive Rate): detection rate on 49 real-world supply-chain attacks (event-stream, ua-parser-js, coa, flatmap-stream, eslint-scope, solana-web3js, and 43 more). 3 misses are browser-only (lottie-player, polyfill-io, trojanized-jquery) — see [Threat Model](docs/threat-model.md).
 - **FPR** (False Positive Rate): packages scoring > 20 out of 529 real npm packages (source code scanned, not empty dirs).
-- **ADR** (Adversarial Detection Rate): detection rate on 102 evasive malicious samples — 62 adversarial + 40 holdout (5 adversarial waves + 4 holdout batches). 4 misses on available samples: `require-cache-poison` (P3 trade-off), `getter-defineProperty-exfil`, `setTimeout-eval-chain`, `setter-trap-exfil`.
+- **ADR** (Adversarial Detection Rate): detection rate on 120 evasive malicious samples — 53 adversarial + 40 holdout (6 adversarial waves + 4 holdout batches). 75 available on disk. 2 misses on available samples: `require-cache-poison` (P3 trade-off), `getter-defineProperty-exfil`.
 - **Holdout** (pre-tuning): detection rate on 10 unseen samples with rules frozen (measures generalization)
 
-Datasets: 17,922 Datadog malware samples, 529 npm + 132 PyPI benign packages, 102 adversarial/holdout samples, 51 ground-truth attacks (65 documented malware packages). **1869 tests**, 86% code coverage.
+Datasets: 17,922 Datadog malware samples, 532 npm + 132 PyPI benign packages, 120 adversarial/holdout samples (75 available on disk), 51 ground-truth attacks (65 documented malware packages). **1932 tests**, 86% code coverage.
 
 See [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) for the full experimental protocol.
 
@@ -824,12 +829,12 @@ npm test
 
 ### Testing
 
-- **1869 unit/integration tests** across 43 modular test files - 86% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
+- **1932 unit/integration tests** across 44 modular test files - 86% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
 - **56 fuzz tests** - Malformed YAML, invalid JSON, binary files, ReDoS, unicode, 10MB inputs
 - **Datadog 17K benchmark** - 17,922 real malware samples, 88.2% raw TPR, ~100% on JS/Node.js malware (2,077 out-of-scope misses: phishing, binaries, corrected libs)
-- **102 adversarial/holdout samples** - 62 adversarial + 40 holdout, 63/67 detection rate on available samples (94.0% ADR). 4 misses: `require-cache-poison` (P3 trade-off), `getter-defineProperty-exfil`, `setTimeout-eval-chain`, `setter-trap-exfil`
+- **120 adversarial/holdout samples** - 53 adversarial + 40 holdout (75 available on disk), 73/75 detection rate (97.3% ADR). 2 misses: `require-cache-poison` (P3 trade-off), `getter-defineProperty-exfil`
 - **Ground truth validation** - 51 real-world attacks (46/49 detected = 93.9% TPR). 3 out-of-scope: browser-only (lottie-player, polyfill-io, trojanized-jquery)
-- **False positive validation** - 12.3% FPR global (65/529) on real npm source code via `npm pack`
+- **False positive validation** - 12.3% FPR global (65/532) on real npm source code via `npm pack`
 - **ESLint security audit** - `eslint-plugin-security` with 14 rules enabled
 
 ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.5.17",
+  "version": "2.6.1",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -23,12 +23,13 @@ const { ensureIOCs } = require('./ioc/bootstrap.js');
 const { scanEntropy } = require('./scanner/entropy.js');
 const { scanAIConfig } = require('./scanner/ai-config.js');
 const { deobfuscate } = require('./scanner/deobfuscate.js');
-const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, annotateSinkExports, detectCallbackCrossFileFlows } = require('./scanner/module-graph.js');
+const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, annotateSinkExports, detectCallbackCrossFileFlows, detectEventEmitterFlows } = require('./scanner/module-graph.js');
 const { computeReachableFiles } = require('./scanner/reachability.js');
 const { runTemporalAnalyses } = require('./temporal-runner.js');
 const { formatOutput } = require('./output-formatter.js');
 const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages, clearFileListCache, debugLog } = require('./utils.js');
 const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat, computeGroupScore, applyFPReductions, calculateRiskScore } = require('./scoring.js');
+const { buildIntentPairs } = require('./intent-graph.js');
 
 const { MAX_FILE_SIZE, safeParse } = require('./shared/constants.js');
 const walk = require('acorn-walk');
@@ -356,16 +357,27 @@ async function run(targetPath, options = {}) {
 
   // Cross-file module graph analysis (before individual scanners)
   // Wrapped in yieldThen to unblock spinner animation
+  // Bounded: 5s timeout to prevent DoS on large/adversarial packages
+  const MODULE_GRAPH_TIMEOUT_MS = 5000;
   let crossFileFlows = [];
   if (!options.noModuleGraph) {
-    try {
+    const moduleGraphWork = async () => {
       const graph = await yieldThen(() => buildModuleGraph(targetPath));
       const tainted = await yieldThen(() => annotateTaintedExports(graph, targetPath));
-      crossFileFlows = await yieldThen(() => detectCrossFileFlows(graph, tainted, targetPath));
-      // Callback-based cross-file flow detection
       const sinkAnnotations = await yieldThen(() => annotateSinkExports(graph, targetPath));
+      crossFileFlows = await yieldThen(() => detectCrossFileFlows(graph, tainted, sinkAnnotations, targetPath));
+      // Callback-based cross-file flow detection
       const callbackFlows = await yieldThen(() => detectCallbackCrossFileFlows(graph, tainted, sinkAnnotations, targetPath));
       crossFileFlows = crossFileFlows.concat(callbackFlows);
+      // EventEmitter cross-module flow detection
+      const emitterFlows = await yieldThen(() => detectEventEmitterFlows(graph, tainted, sinkAnnotations, targetPath));
+      crossFileFlows = crossFileFlows.concat(emitterFlows);
+    };
+    const timeout = new Promise((_, reject) =>
+      setTimeout(() => reject(new Error('Module graph timeout')), MODULE_GRAPH_TIMEOUT_MS)
+    );
+    try {
+      await Promise.race([moduleGraphWork(), timeout]);
     } catch (e) {
       // Graceful fallback — module graph is best-effort
       debugLog('[MODULE-GRAPH] Error:', e && e.message);
@@ -529,6 +541,23 @@ async function run(targetPath, options = {}) {
   // A malware package typically has 1-3 occurrences, not dozens.
   applyFPReductions(deduped, reachableFiles, packageName);
 
+  // Intent coherence analysis: detect source→sink pairs across files
+  const intentResult = buildIntentPairs(deduped);
+  // Add intent threats to deduped before enrichment so they get rules/playbooks
+  if (intentResult.intentThreats) {
+    for (const it of intentResult.intentThreats) {
+      // Respect reachability: downgrade intent threats in unreachable files
+      if (reachableFiles && reachableFiles.size > 0 && it.file) {
+        const normalizedFile = it.file.replace(/\\/g, '/');
+        if (!reachableFiles.has(normalizedFile)) {
+          it.severity = 'LOW';
+          it.unreachable = true;
+        }
+      }
+      deduped.push(it);
+    }
+  }
+
   // Enrich each threat with rules
   const enrichedThreats = deduped.map(t => {
     const rule = getRule(t.type);
@@ -550,12 +579,12 @@ async function run(targetPath, options = {}) {
     .map(t => ({ rule: t.rule_id, type: t.type, points: t.points, reason: t.message }))
     .sort((a, b) => b.points - a.points);
 
-  // Per-file max scoring (v2.2.11)
+  // Per-file max scoring (v2.2.11) with intent graph bonus
   const {
     riskScore, riskLevel, globalRiskScore,
-    maxFileScore, packageScore, mostSuspiciousFile, fileScores,
+    maxFileScore, packageScore, intentBonus, mostSuspiciousFile, fileScores,
     criticalCount, highCount, mediumCount, lowCount
-  } = calculateRiskScore(deduped);
+  } = calculateRiskScore(deduped, intentResult);
 
   // Python scan metadata
   const pythonInfo = pythonDeps.length > 0 ? {

package/src/intent-graph.js

@@ -0,0 +1,233 @@
+'use strict';
+
+// ============================================
+// INTENT GRAPH — Intra-File Coherence Analysis
+// ============================================
+// Boosts score when a SINGLE file contains both a high-confidence credential
+// source AND a dangerous sink (eval, exec, network). This is genuinely suspicious
+// because legitimate code rarely reads .npmrc and evals in the same file.
+//
+// DESIGN PRINCIPLES (informed by SpiderScan, Cerebro, taint-slicing research):
+// 1. INTRA-FILE ONLY — cross-file pairing without proven data flow = FP explosion
+//    (aws-sdk has process.env in config.js + https.request in http.js = not malicious)
+// 2. Cross-file detection is handled by module-graph.js → cross_file_dataflow threats
+// 3. Sources = ONLY high-confidence credential access (NOT env_access, NOT suspicious_dataflow)
+// 4. Sinks = ONLY threats already identified by scanners (NO content-based scanning)
+// 5. No double-counting — suspicious_dataflow is already a compound detection
+
+// ============================================
+// SOURCE CLASSIFICATION
+// ============================================
+const SOURCE_TYPES = {
+  sensitive_string: 'credential_read',        // .npmrc, .ssh, .env file references
+  env_harvesting_dynamic: 'credential_read',  // Object.keys(process.env), rest destructuring
+  credential_regex_harvest: 'credential_read', // regex patterns for tokens/passwords
+  llm_api_key_harvest: 'credential_read',     // OPENAI_API_KEY, ANTHROPIC_API_KEY
+  credential_cli_steal: 'credential_read',    // gh auth token, gcloud auth
+  // env_access EXCLUDED — standard config (process.env.PORT, AWS_REGION, NODE_ENV)
+  // suspicious_dataflow EXCLUDED — already compound detection
+  // cross_file_dataflow EXCLUDED — already scored CRITICAL by module-graph
+};
+
+// ============================================
+// SINK CLASSIFICATION (from existing threats only)
+// ============================================
+const THREAT_SINK_TYPES = {
+  dangerous_call_eval: 'exec_sink',
+  dangerous_call_function: 'exec_sink',
+  staged_eval_decode: 'exec_sink',
+  vm_code_execution: 'exec_sink',
+  module_compile: 'exec_sink',
+  module_compile_dynamic: 'exec_sink',
+  credential_tampering: 'file_tamper',
+  git_hook_injection: 'file_tamper',
+  workflow_write: 'file_tamper',
+  mcp_config_injection: 'file_tamper',
+  ide_persistence: 'file_tamper',
+};
+
+// Message-based sink detection for threats not in THREAT_SINK_TYPES
+const SINK_MESSAGE_PATTERNS = [
+  { pattern: /https?\.request|dns\.resolve|net\.connect/, type: 'network_external' },
+  { pattern: /webhook/i, type: 'network_external' },
+];
+
+// ============================================
+// COHERENCE MATRIX
+// ============================================
+// Only applied to intra-file pairs. Cross-file coherence is handled by module-graph.
+const COHERENCE_MATRIX = {
+  credential_read: {
+    network_external: { modifier: 30, severity: 'CRITICAL' },
+    network_internal: { modifier: 10, severity: 'HIGH' },
+    exec_sink:        { modifier: 25, severity: 'CRITICAL' },
+    file_local:       { modifier: 5,  severity: 'MEDIUM' },
+    file_tamper:      { modifier: 20, severity: 'HIGH' },
+  },
+  fingerprint_read: {
+    network_external: { modifier: 0,  severity: 'LOW' },
+    network_internal: { modifier: 0,  severity: 'LOW' },
+    exec_sink:        { modifier: 10, severity: 'MEDIUM' },
+    file_local:       { modifier: 0,  severity: 'LOW' },
+    file_tamper:      { modifier: 5,  severity: 'LOW' },
+  },
+  telemetry_read: {
+    network_external: { modifier: 0,  severity: 'LOW' },
+    network_internal: { modifier: 0,  severity: 'LOW' },
+    exec_sink:        { modifier: 0,  severity: 'LOW' },
+    file_local:       { modifier: 0,  severity: 'LOW' },
+    file_tamper:      { modifier: 0,  severity: 'LOW' },
+  },
+  config_read: {
+    network_external: { modifier: 5,  severity: 'LOW' },
+    network_internal: { modifier: 0,  severity: 'LOW' },
+    exec_sink:        { modifier: 5,  severity: 'LOW' },
+    file_local:       { modifier: 0,  severity: 'LOW' },
+    file_tamper:      { modifier: 0,  severity: 'LOW' },
+  },
+  command_output: {
+    network_external: { modifier: 20, severity: 'HIGH' },
+    network_internal: { modifier: 5,  severity: 'MEDIUM' },
+    exec_sink:        { modifier: 15, severity: 'HIGH' },
+    file_local:       { modifier: 5,  severity: 'MEDIUM' },
+    file_tamper:      { modifier: 15, severity: 'HIGH' },
+  },
+};
+
+// Kept for backward compatibility but no longer used in pairing
+// Cross-file detection is handled by module-graph.js (cross_file_dataflow)
+const CROSS_FILE_MULTIPLIER = 0.5;
+
+/**
+ * Classify a threat as a source type.
+ * Only high-confidence credential access patterns.
+ */
+function classifySource(threat) {
+  if (SOURCE_TYPES[threat.type]) return SOURCE_TYPES[threat.type];
+
+  // Explicitly excluded types
+  if (threat.type === 'suspicious_dataflow') return null;
+  if (threat.type === 'env_access') return null;
+  if (threat.type === 'cross_file_dataflow') return null;
+
+  // Message-based: only for threats referencing sensitive file paths
+  if (threat.message) {
+    const msg = threat.message;
+    if (/\.npmrc|\.ssh\/|\.aws\/|id_rsa|\.gitconfig/i.test(msg)) {
+      return 'credential_read';
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Classify a threat as a sink type.
+ * Only from existing threat types — no content scanning.
+ */
+function classifySink(threat) {
+  if (THREAT_SINK_TYPES[threat.type]) return THREAT_SINK_TYPES[threat.type];
+
+  if (threat.message) {
+    for (const { pattern, type } of SINK_MESSAGE_PATTERNS) {
+      if (pattern.test(threat.message)) return type;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Build intent pairs from INTRA-FILE co-occurrence only.
+ * Cross-file detection is handled by module-graph.js (cross_file_dataflow).
+ *
+ * @param {Array} threats - deduplicated threat array
+ * @returns {Object} { pairs, intentScore, intentThreats }
+ */
+function buildIntentPairs(threats) {
+  // Only consider MEDIUM+ threats. LOW severity means applyFPReductions already
+  // determined this is noise (bundler artifact, dist/ file, count threshold exceeded).
+  // Re-elevating LOW threats via intent pairing would undo FP reductions.
+  const eligible = threats.filter(t => t.severity !== 'LOW');
+
+  // Group eligible threats by file
+  const byFile = new Map();
+  for (const t of eligible) {
+    const file = t.file || '(unknown)';
+    if (!byFile.has(file)) byFile.set(file, []);
+    byFile.get(file).push(t);
+  }
+
+  const pairSet = new Set();
+  const pairs = [];
+  let intentScore = 0;
+
+  // Only pair sources and sinks within the SAME file
+  for (const [file, fileThreats] of byFile) {
+    const sources = [];
+    const sinks = [];
+
+    for (const t of fileThreats) {
+      const srcType = classifySource(t);
+      const sinkType = classifySink(t);
+      if (srcType) sources.push(srcType);
+      if (sinkType) sinks.push(sinkType);
+    }
+
+    if (sources.length === 0 || sinks.length === 0) continue;
+
+    // Deduplicate source×sink combinations within this file
+    for (const srcType of new Set(sources)) {
+      const srcMatrix = COHERENCE_MATRIX[srcType];
+      if (!srcMatrix) continue;
+
+      for (const sinkType of new Set(sinks)) {
+        const entry = srcMatrix[sinkType];
+        if (!entry || entry.modifier === 0) continue;
+
+        const pairKey = `${srcType}:${sinkType}:${file}`;
+        if (pairSet.has(pairKey)) continue;
+        pairSet.add(pairKey);
+
+        pairs.push({
+          sourceType: srcType,
+          sinkType,
+          severity: entry.severity,
+          modifier: entry.modifier,
+          crossFile: false,
+          sourceFile: file,
+          sinkFile: file
+        });
+        intentScore += entry.modifier;
+      }
+    }
+  }
+
+  // Generate intent threats only for high-confidence pairs (modifier >= 25)
+  const intentThreats = [];
+  for (const pair of pairs) {
+    if (pair.modifier >= 25) {
+      const type = pair.sourceType === 'credential_read'
+        ? 'intent_credential_exfil'
+        : pair.sourceType === 'command_output'
+          ? 'intent_command_exfil'
+          : 'intent_credential_exfil';
+      intentThreats.push({
+        type,
+        severity: pair.severity,
+        message: `Intent coherence: ${pair.sourceType} → ${pair.sinkType} (${pair.sourceFile})`,
+        file: pair.sourceFile
+      });
+    }
+  }
+
+  return { pairs, intentScore, intentThreats };
+}
+
+module.exports = {
+  classifySource,
+  classifySink,
+  buildIntentPairs,
+  COHERENCE_MATRIX,
+  CROSS_FILE_MULTIPLIER
+};

package/src/response/playbooks.js

@@ -486,6 +486,15 @@ const PLAYBOOKS = {
     'CRITIQUE: Un Proxy JavaScript avec trap set/get/apply est combine avec un appel reseau. ' +
     'Technique d\'interception: le Proxy capture toutes les ecritures de proprietes (credentials, tokens, config) ' +
     'et les exfiltre via HTTPS/fetch/dgram. Supprimer le package. Auditer tous les modules qui importent ce package.',
+  intent_credential_exfil:
+    'CRITIQUE: Coherence d\'intention detectee — lecture de credentials combinee avec exfiltration reseau. ' +
+    'Pattern multi-fichier DPRK/Lazarus: chaque fichier semble legitime individuellement mais le package ' +
+    'dans son ensemble collecte des secrets et les envoie sur le reseau. Supprimer le package immediatement. ' +
+    'Regenerer tous les tokens/credentials exposes. Auditer le package.json pour les scripts lifecycle.',
+  intent_command_exfil:
+    'Coherence d\'intention detectee — sortie de commande systeme combinee avec exfiltration reseau. ' +
+    'Le package execute des commandes et transmet les resultats. Verifier les commandes executees. ' +
+    'Supprimer le package si non attendu. Auditer les logs reseau pour identifier les donnees exfiltrees.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -1357,6 +1357,31 @@ const RULES = {
     ],
     mitre: 'T1557'
   },
+  // Intent Graph rules (v2.6.0)
+  intent_credential_exfil: {
+    id: 'MUADDIB-INTENT-001',
+    name: 'Intent Credential Exfiltration',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Coherence d\'intention: lecture de credentials (fichiers sensibles, env vars) combinee avec un sink reseau ou exec dans le meme package. Pattern typique DPRK/Lazarus: code malveillant fragmente sur plusieurs fichiers avec uniquement des APIs legitimes.',
+    references: [
+      'https://attack.mitre.org/techniques/T1041/',
+      'https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a'
+    ],
+    mitre: 'T1041'
+  },
+  intent_command_exfil: {
+    id: 'MUADDIB-INTENT-002',
+    name: 'Intent Command Output Exfiltration',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Coherence d\'intention: sortie de commande systeme combinee avec un sink reseau. Le code execute des commandes et transmet les resultats sur le reseau — reconnaissance ou exfiltration.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059/',
+      'https://attack.mitre.org/techniques/T1041/'
+    ],
+    mitre: 'T1059'
+  },
 };
 
 function getRule(type) {

package/src/scanner/ast-detectors.js

@@ -389,6 +389,32 @@ function handleVariableDeclarator(node, ctx) {
         if (cn === 'eval' || cn === 'Function') ctx.evalAliases.set(node.id.name, cn);
       }
     }
+    // B1 fix: const getEval = () => eval; — 0-param arrow/function returning eval/Function as value (not call)
+    if ((node.init?.type === 'ArrowFunctionExpression' || node.init?.type === 'FunctionExpression')) {
+      const body = node.init.body;
+      // () => eval
+      if (body?.type === 'Identifier' && (body.name === 'eval' || body.name === 'Function')) {
+        ctx.evalAliases.set(node.id.name, body.name + '_factory');
+      }
+      // () => { return eval; }
+      if (body?.type === 'BlockStatement' && body.body?.length === 1 &&
+          body.body[0].type === 'ReturnStatement' &&
+          body.body[0].argument?.type === 'Identifier' &&
+          (body.body[0].argument.name === 'eval' || body.body[0].argument.name === 'Function')) {
+        ctx.evalAliases.set(node.id.name, body.body[0].argument.name + '_factory');
+      }
+    }
+
+    // B1 fix: const compiler = getCompiler() where getCompiler is eval_factory
+    if (node.init?.type === 'CallExpression' &&
+        node.init.callee?.type === 'Identifier' &&
+        ctx.evalAliases?.has(node.init.callee.name)) {
+      const aliased = ctx.evalAliases.get(node.init.callee.name);
+      if (aliased.endsWith('_factory')) {
+        const baseName = aliased.replace('_factory', '');
+        ctx.evalAliases.set(node.id.name, baseName);
+      }
+    }
 
     // B5: Track object literal string properties
     if (node.init?.type === 'ObjectExpression') {
@@ -558,6 +584,23 @@ function handleCallExpression(node, ctx) {
         });
       }
     }
+    // B3 fix: require(/child_process/.source) — RegExpLiteral.source resolution
+    else if (arg.type === 'MemberExpression' &&
+             arg.object?.type === 'Literal' && arg.object.regex &&
+             arg.property?.type === 'Identifier' && arg.property.name === 'source') {
+      const regexSource = arg.object.regex.pattern;
+      const DANGEROUS_MODS = ['child_process', 'fs', 'net', 'dns', 'http', 'https', 'tls'];
+      const norm = regexSource.startsWith('node:') ? regexSource.slice(5) : regexSource;
+      if (DANGEROUS_MODS.includes(norm)) {
+        ctx.threats.push({ type: 'dynamic_require', severity: 'CRITICAL',
+          message: `require(/${regexSource}/.source) resolves to "${norm}" — regex .source evasion.`,
+          file: ctx.relFile });
+      } else {
+        ctx.threats.push({ type: 'dynamic_require', severity: 'HIGH',
+          message: `require() with regex .source argument (/${regexSource}/.source) — obfuscation technique.`,
+          file: ctx.relFile });
+      }
+    }
     // B5: require(obj.prop) — MemberExpression argument
     else if (arg.type === 'MemberExpression') {
       const objName = arg.object?.type === 'Identifier' ? arg.object.name : null;
@@ -1013,14 +1056,37 @@ function handleCallExpression(node, ctx) {
   // B1: Alias call — E('code') where E = eval or F = Function
   if (node.callee.type === 'Identifier' && ctx.evalAliases?.has(node.callee.name)) {
     const aliased = ctx.evalAliases.get(node.callee.name);
-    ctx.hasEvalInFile = true;
-    ctx.hasDynamicExec = true;
-    ctx.threats.push({
-      type: aliased === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
-      severity: 'HIGH',
-      message: `Indirect ${aliased} via alias "${node.callee.name}" — eval wrapper evasion.`,
-      file: ctx.relFile
-    });
+    if (aliased.endsWith('_factory')) {
+      // Factory pattern: getEval()('code') — the callee is detected at outer CallExpression level
+      // Mark the identifier so we can detect the outer call
+    } else {
+      ctx.hasEvalInFile = true;
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: aliased === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
+        severity: 'HIGH',
+        message: `Indirect ${aliased} via alias "${node.callee.name}" — eval wrapper evasion.`,
+        file: ctx.relFile
+      });
+    }
+  }
+
+  // B1 fix: Factory call — getEval()('code') where getEval = () => eval
+  if (node.callee.type === 'CallExpression' &&
+      node.callee.callee?.type === 'Identifier' &&
+      ctx.evalAliases?.has(node.callee.callee.name)) {
+    const aliased = ctx.evalAliases.get(node.callee.callee.name);
+    if (aliased.endsWith('_factory')) {
+      const baseName = aliased.replace('_factory', '');
+      ctx.hasEvalInFile = true;
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: baseName === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
+        severity: 'HIGH',
+        message: `Indirect ${baseName} via factory function "${node.callee.callee.name}()" — eval factory evasion.`,
+        file: ctx.relFile
+      });
+    }
   }
 
   if (callName === 'eval') {
@@ -1119,6 +1185,24 @@ function handleCallExpression(node, ctx) {
         file: ctx.relFile
       });
     }
+    // B2 fix: Function.prototype.call.call(eval, null, code) / X.call.call(eval, ...)
+    // Deep MemberExpression: obj is itself a MemberExpression ending in .call/.apply
+    if (obj?.type === 'MemberExpression' &&
+        obj.property?.type === 'Identifier' &&
+        (obj.property.name === 'call' || obj.property.name === 'apply') &&
+        node.arguments.length >= 2) {
+      const firstArg = node.arguments[0];
+      if (firstArg?.type === 'Identifier' && (firstArg.name === 'eval' || firstArg.name === 'Function')) {
+        ctx.hasEvalInFile = true;
+        ctx.hasDynamicExec = true;
+        ctx.threats.push({
+          type: firstArg.name === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
+          severity: 'HIGH',
+          message: `${firstArg.name} passed to .call.call() — nested call/apply evasion technique.`,
+          file: ctx.relFile
+        });
+      }
+    }
   }
 
   // Detect array access pattern: [require][0]('child_process') or [eval][0](code)

package/src/scanner/dataflow.js

@@ -109,6 +109,31 @@ function buildTaintMap(ast) {
           }
         }
       }
+
+      // B5 fix: const tools = { read: fs.readFileSync, home: os.homedir }
+      // Track object properties that reference tainted module methods as tainted aliases
+      if (node.id.type === 'Identifier' && init.type === 'ObjectExpression') {
+        for (const prop of init.properties) {
+          if (prop.type !== 'Property') continue;
+          const key = prop.key?.type === 'Identifier' ? prop.key.name :
+                      (prop.key?.type === 'Literal' ? String(prop.key.value) : null);
+          if (!key) continue;
+          // Property value is a MemberExpression on a tainted module: fs.readFileSync, os.homedir
+          if (prop.value?.type === 'MemberExpression' &&
+              prop.value.object?.type === 'Identifier' &&
+              prop.value.property?.type === 'Identifier') {
+            const parentTaint = taintMap.get(prop.value.object.name);
+            if (parentTaint && TRACKED_MODULES.has(parentTaint.source)) {
+              const methodName = prop.value.property.name;
+              // Store as "objName.key" so tools.read calls are resolved
+              taintMap.set(`${node.id.name}.${key}`, {
+                source: parentTaint.source,
+                detail: `${parentTaint.source}.${methodName}`
+              });
+            }
+          }
+        }
+      }
     }
   });
 
@@ -466,6 +491,42 @@ function analyzeFile(content, filePath, basePath) {
               });
             }
           }
+
+          // B5 fix: object method alias — tools.read(...) where tools.read = fs.readFileSync
+          const aliasKey = `${obj.name}.${prop.name}`;
+          const aliasTaint = taintMap.get(aliasKey);
+          if (aliasTaint && aliasTaint.detail.includes('.')) {
+            const [aliasModule, aliasMethod] = aliasTaint.detail.split('.');
+            const aliasSourceMethods = MODULE_SOURCE_METHODS[aliasModule];
+            if (aliasSourceMethods && aliasSourceMethods[aliasMethod]) {
+              // For credential_read: also check if the argument is a sensitive path
+              const isCredArg = node.arguments[0] && isCredentialPath(node.arguments[0], sensitivePathVars);
+              if (aliasSourceMethods[aliasMethod] === 'credential_read' && isCredArg) {
+                sources.push({
+                  type: 'credential_read',
+                  name: `${aliasModule}.${aliasMethod}`,
+                  line: node.loc?.start?.line,
+                  taint_tracked: true
+                });
+              } else if (aliasSourceMethods[aliasMethod] !== 'credential_read') {
+                sources.push({
+                  type: aliasSourceMethods[aliasMethod],
+                  name: `${aliasModule}.${aliasMethod}`,
+                  line: node.loc?.start?.line,
+                  taint_tracked: true
+                });
+              }
+            }
+            const aliasSinkMethods = MODULE_SINK_METHODS[aliasModule];
+            if (aliasSinkMethods && aliasSinkMethods[aliasMethod]) {
+              sinks.push({
+                type: aliasSinkMethods[aliasMethod],
+                name: `${aliasModule}.${aliasMethod}`,
+                line: node.loc?.start?.line,
+                taint_tracked: true
+              });
+            }
+          }
         }
       }