muaddib-scanner 2.5.3 → 2.5.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.5.3",
+  "version": "2.5.5",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -27,7 +27,7 @@ const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows } = requi
 const { computeReachableFiles } = require('./scanner/reachability.js');
 const { runTemporalAnalyses } = require('./temporal-runner.js');
 const { formatOutput } = require('./output-formatter.js');
-const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages, clearFileListCache } = require('./utils.js');
+const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages, clearFileListCache, debugLog } = require('./utils.js');
 const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat, computeGroupScore, applyFPReductions, calculateRiskScore } = require('./scoring.js');
 
 const { MAX_FILE_SIZE } = require('./shared/constants.js');
@@ -218,8 +218,9 @@ async function run(targetPath, options = {}) {
       const graph = await yieldThen(() => buildModuleGraph(targetPath));
       const tainted = await yieldThen(() => annotateTaintedExports(graph, targetPath));
       crossFileFlows = await yieldThen(() => detectCrossFileFlows(graph, tainted, targetPath));
-    } catch {
+    } catch (e) {
       // Graceful fallback — module graph is best-effort
+      debugLog('[MODULE-GRAPH] Error:', e && e.message);
     }
   }
 

package/src/sandbox/analyzer.js

@@ -2,7 +2,7 @@
  * MUAD'DIB Sandbox Preload Log Analyzer
  *
  * Parses [PRELOAD] log lines produced by docker/preload.js and generates
- * scored findings for behavioral analysis. Six detection rules:
+ * scored findings for behavioral analysis. Seven detection rules:
  *
  *   1. sandbox_timer_delay_suspicious — timer delay > 1h (MEDIUM, +15)
  *   2. sandbox_timer_delay_critical   — timer delay > 24h (CRITICAL, +30, supersedes #1)
@@ -10,6 +10,7 @@
  *   4. sandbox_network_after_sensitive_read — network call after sensitive read (CRITICAL, +40)
  *   5. sandbox_exec_suspicious        — dangerous command execution (HIGH, +25)
  *   6. sandbox_env_token_access       — sensitive env var access (MEDIUM, +10)
+ *   7. sandbox_native_addon_load      — native .node addon loaded (MEDIUM, +15)
  */
 
 const ONE_HOUR_MS = 3600000;
@@ -21,6 +22,24 @@ const TWENTY_FOUR_HOURS_MS = 24 * ONE_HOUR_MS;
  * @param {string} logContent - Raw preload log content
  * @returns {{ score: number, findings: Array<{type: string, severity: string, detail: string, evidence: string}> }}
  */
+/**
+ * Validate that a log line has the expected [PRELOAD] CATEGORY: format.
+ * Rejects lines that don't match the expected structure to prevent
+ * log injection attacks where malware injects fake preload log lines.
+ */
+const VALID_CATEGORIES = new Set([
+  'INIT', 'TIME', 'TIMER', 'NETWORK', 'FS_READ', 'FS_WRITE',
+  'EXEC', 'ENV_ACCESS', 'NATIVE_ADDON', 'WORKER'
+]);
+
+function isValidPreloadLine(line) {
+  if (!line || !line.includes('[PRELOAD]')) return false;
+  // Must match format: [PRELOAD] CATEGORY: ... (t+NNNms)
+  const match = line.match(/^\[PRELOAD\]\s+(\w+):/);
+  if (!match) return false;
+  return VALID_CATEGORIES.has(match[1]);
+}
+
 function analyzePreloadLog(logContent) {
   const findings = [];
   let score = 0;
@@ -29,7 +48,7 @@ function analyzePreloadLog(logContent) {
     return { score: 0, findings: [] };
   }
 
-  const lines = logContent.split('\n').filter(l => l.includes('[PRELOAD]'));
+  const lines = logContent.split('\n').filter(l => isValidPreloadLine(l));
 
   // Categorize lines
   const timerLines = [];
@@ -38,6 +57,7 @@ function analyzePreloadLog(logContent) {
   const networkLines = [];
   const execLines = [];
   const envLines = [];
+  const nativeAddonLines = [];
 
   for (const line of lines) {
     if (line.includes('TIMER:')) {
@@ -52,6 +72,8 @@ function analyzePreloadLog(logContent) {
       execLines.push(line);
     } else if (line.includes('ENV_ACCESS:')) {
       envLines.push(line);
+    } else if (line.includes('NATIVE_ADDON:')) {
+      nativeAddonLines.push(line);
     }
   }
 
@@ -173,10 +195,28 @@ function analyzePreloadLog(logContent) {
     });
   }
 
+  // ── Rule 7: Native addon loading ──
+  // Native addons (.node files) can bypass all JS monkey-patches via syscalls.
+  // Flag their loading so analysts know time-based evasion may be undetected.
+  if (nativeAddonLines.length > 0) {
+    const addons = nativeAddonLines.map(l => {
+      const m = l.match(/process\.dlopen:\s*(.+?)(?:\s+\(t\+|$)/);
+      return m ? m[1].trim() : 'unknown';
+    });
+
+    score += 15;
+    findings.push({
+      type: 'sandbox_native_addon_load',
+      severity: 'MEDIUM',
+      detail: `Native addon loaded (${addons.length}): time-based evasion via syscalls possible`,
+      evidence: addons.join(', ')
+    });
+  }
+
   return {
     score: Math.min(100, score),
     findings
   };
 }
 
-module.exports = { analyzePreloadLog };
+module.exports = { analyzePreloadLog, isValidPreloadLine };

package/src/scanner/ast-detectors.js

@@ -30,7 +30,7 @@ const SAFE_ENV_VARS = [
 ];
 
 // Env var prefixes that are safe (npm metadata, locale settings)
-const SAFE_ENV_PREFIXES = ['npm_config_', 'npm_lifecycle_', 'npm_package_', 'lc_'];
+const SAFE_ENV_PREFIXES = ['npm_config_', 'npm_lifecycle_', 'npm_package_', 'lc_', 'muaddib_'];
 
 // Env var keywords to detect sensitive environment access (separate from SENSITIVE_STRINGS)
 const ENV_SENSITIVE_KEYWORDS = [
@@ -862,6 +862,81 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Detect eval.call(null, code) / eval.apply(null, [code]) / Function.call/apply
+  if (node.callee.type === 'MemberExpression' && !node.callee.computed &&
+      node.callee.property?.type === 'Identifier' &&
+      (node.callee.property.name === 'call' || node.callee.property.name === 'apply')) {
+    const obj = node.callee.object;
+    if (obj?.type === 'Identifier' && (obj.name === 'eval' || obj.name === 'Function')) {
+      ctx.hasEvalInFile = true;
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: obj.name === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
+        severity: 'HIGH',
+        message: `${obj.name}.${node.callee.property.name}() — indirect execution via call/apply evasion technique.`,
+        file: ctx.relFile
+      });
+    }
+  }
+
+  // Detect array access pattern: [require][0]('child_process') or [eval][0](code)
+  if (node.callee.type === 'MemberExpression' && node.callee.computed &&
+      node.callee.object?.type === 'ArrayExpression' &&
+      node.callee.property?.type === 'Literal' && typeof node.callee.property.value === 'number') {
+    const elements = node.callee.object.elements;
+    for (const el of elements) {
+      if (el?.type === 'Identifier') {
+        if (el.name === 'eval') {
+          ctx.hasEvalInFile = true;
+          ctx.hasDynamicExec = true;
+          ctx.threats.push({
+            type: 'dangerous_call_eval',
+            severity: 'HIGH',
+            message: '[eval][0]() — array access evasion technique for indirect eval execution.',
+            file: ctx.relFile
+          });
+        } else if (el.name === 'require') {
+          ctx.threats.push({
+            type: 'dynamic_require',
+            severity: 'HIGH',
+            message: '[require][0]() — array access evasion technique for indirect require.',
+            file: ctx.relFile
+          });
+        } else if (el.name === 'Function') {
+          ctx.hasDynamicExec = true;
+          ctx.threats.push({
+            type: 'dangerous_call_function',
+            severity: 'MEDIUM',
+            message: '[Function][0]() — array access evasion technique for indirect Function construction.',
+            file: ctx.relFile
+          });
+        }
+      }
+    }
+  }
+
+  // Detect new Proxy(require, handler) — proxy wrapping require to intercept module loading
+  if (node.callee.type === 'Identifier' && node.callee.name !== 'Proxy') {
+    // handled below in handleNewExpression
+  }
+
+  // Detect template literals in exec/execSync: execSync(`${cmd}`)
+  if ((execName || memberExec) && node.arguments.length > 0) {
+    const arg = node.arguments[0];
+    if (arg.type === 'TemplateLiteral' && arg.expressions.length > 0) {
+      // Template literal with dynamic expressions in exec — bypass for string matching
+      const staticParts = arg.quasis.map(q => q.value.raw).join('');
+      if (DANGEROUS_CMD_PATTERNS.some(p => p.test(staticParts))) {
+        ctx.threats.push({
+          type: 'dangerous_exec',
+          severity: 'CRITICAL',
+          message: `Dangerous command in template literal exec(): "${staticParts.substring(0, 80)}" — template literal evasion.`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
   // Detect indirect eval/Function via computed property
   if (node.callee.type === 'MemberExpression' && node.callee.computed) {
     const prop = node.callee.property;
@@ -1058,6 +1133,15 @@ function handleNewExpression(node, ctx) {
         file: ctx.relFile
       });
     }
+    // Detect new Proxy(require, handler) — intercept module loading
+    if (target.type === 'Identifier' && target.name === 'require') {
+      ctx.threats.push({
+        type: 'dynamic_require',
+        severity: 'HIGH',
+        message: 'new Proxy(require) — proxy wrapping require to intercept/redirect module loading.',
+        file: ctx.relFile
+      });
+    }
   }
 }
 
@@ -1119,6 +1203,54 @@ function handleLiteral(node, ctx) {
 }
 
 function handleAssignmentExpression(node, ctx) {
+  // Detect object property indirection: obj.exec = require('child_process').exec
+  // or obj.fn = eval — stashing dangerous functions in object properties
+  if (node.left?.type === 'MemberExpression' && node.right) {
+    const propName = node.left.property?.type === 'Identifier' ? node.left.property.name :
+                     (node.left.property?.type === 'Literal' ? String(node.left.property.value) : null);
+
+    if (propName) {
+      // Assigning require('child_process') or its methods to an object property
+      if (node.right.type === 'CallExpression' && getCallName(node.right) === 'require' &&
+          node.right.arguments.length > 0 && node.right.arguments[0]?.type === 'Literal') {
+        const mod = node.right.arguments[0].value;
+        if (mod === 'child_process' || mod === 'fs' || mod === 'net' || mod === 'dns') {
+          ctx.threats.push({
+            type: 'dynamic_require',
+            severity: 'HIGH',
+            message: `Object property indirection: ${propName} = require('${mod}') — hiding dangerous module in object property.`,
+            file: ctx.relFile
+          });
+        }
+      }
+      // Assigning require('child_process').exec to an object property
+      if (node.right.type === 'MemberExpression' && node.right.object?.type === 'CallExpression' &&
+          getCallName(node.right.object) === 'require' &&
+          node.right.object.arguments.length > 0 && node.right.object.arguments[0]?.type === 'Literal' &&
+          node.right.object.arguments[0].value === 'child_process') {
+        const method = node.right.property?.type === 'Identifier' ? node.right.property.name : null;
+        if (method && ['exec', 'execSync', 'spawn', 'execFile'].includes(method)) {
+          ctx.threats.push({
+            type: 'dangerous_exec',
+            severity: 'HIGH',
+            message: `Object property indirection: ${propName} = require('child_process').${method} — hiding exec in object property.`,
+            file: ctx.relFile
+          });
+        }
+      }
+      // Assigning eval or Function to an object property
+      if (node.right.type === 'Identifier' && (node.right.name === 'eval' || node.right.name === 'Function')) {
+        ctx.hasDynamicExec = true;
+        ctx.threats.push({
+          type: node.right.name === 'eval' ? 'dangerous_call_eval' : 'dangerous_call_function',
+          severity: 'HIGH',
+          message: `Object property indirection: ${propName} = ${node.right.name} — stashing dangerous function in object property.`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
   if (node.left?.type === 'MemberExpression') {
     const left = node.left;
 
@@ -1375,6 +1507,33 @@ function handlePostWalk(ctx) {
   }
 }
 
+function handleWithStatement(node, ctx) {
+  // with(require('child_process')) exec(cmd) — scope injection evasion
+  // The with() statement makes all properties of the object available as local variables.
+  // When used with require(), it allows calling exec(), spawn() etc. without explicit reference.
+  if (node.object?.type === 'CallExpression' && getCallName(node.object) === 'require') {
+    const arg = node.object.arguments[0];
+    const modName = arg?.type === 'Literal' ? arg.value : null;
+    const dangerousModules = ['child_process', 'fs', 'http', 'https', 'net', 'dns'];
+    if (modName && dangerousModules.includes(modName)) {
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: 'dangerous_exec',
+        severity: 'CRITICAL',
+        message: `with(require('${modName}')) — scope injection evasion: all module methods available as local variables.`,
+        file: ctx.relFile
+      });
+    } else if (!modName) {
+      ctx.threats.push({
+        type: 'dynamic_require',
+        severity: 'HIGH',
+        message: 'with(require(...)) — scope injection with dynamic module. Evasion technique.',
+        file: ctx.relFile
+      });
+    }
+  }
+}
+
 module.exports = {
   handleVariableDeclarator,
   handleCallExpression,
@@ -1383,5 +1542,6 @@ module.exports = {
   handleLiteral,
   handleAssignmentExpression,
   handleMemberExpression,
+  handleWithStatement,
   handlePostWalk
 };

package/src/scanner/ast.js

@@ -11,6 +11,7 @@ const {
   handleLiteral,
   handleAssignmentExpression,
   handleMemberExpression,
+  handleWithStatement,
   handlePostWalk
 } = require('./ast-detectors.js');
 
@@ -121,7 +122,8 @@ function analyzeFile(content, filePath, basePath) {
     NewExpression(node) { handleNewExpression(node, ctx); },
     Literal(node) { handleLiteral(node, ctx); },
     AssignmentExpression(node) { handleAssignmentExpression(node, ctx); },
-    MemberExpression(node) { handleMemberExpression(node, ctx); }
+    MemberExpression(node) { handleMemberExpression(node, ctx); },
+    WithStatement(node) { handleWithStatement(node, ctx); }
   });
 
   // FIX 5: DNS chunk exfiltration — verify dns.resolve* is inside a loop body

package/src/scanner/dataflow.js

@@ -140,7 +140,26 @@ function analyzeFile(content, filePath, basePath) {
   // Track exec calls whose result is captured (for command_output source detection)
   const execResultNodes = new Set();
 
+  // Fix #22: EventEmitter tracking — detect tainted emit → on patterns
+  const eventHandlers = new Map(); // eventName → { hasNetworkSink: boolean }
+  const emitTaintedEvents = new Set(); // event names emitted with tainted data
+
+  // Fix #23: Function param tainting — track function declarations
+  const functionDefs = new Map(); // functionName → { params: [paramNames] }
+
   walk.simple(ast, {
+    FunctionDeclaration(node) {
+      // Fix #23: Track function declarations for param tainting
+      if (node.id && node.id.name && node.params) {
+        const paramNames = node.params
+          .filter(p => p.type === 'Identifier')
+          .map(p => p.name);
+        if (paramNames.length > 0) {
+          functionDefs.set(node.id.name, { params: paramNames });
+        }
+      }
+    },
+
     VariableDeclarator(node) {
       if (node.id?.type === 'Identifier' && node.init) {
         if (containsSensitiveLiteral(node.init)) {
@@ -373,6 +392,62 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
+      // Fix #22: EventEmitter tracking
+      if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
+        const methodName = node.callee.property.name;
+
+        // Track .on('eventName', handler) — check if handler has network sink
+        if (methodName === 'on' && node.arguments.length >= 2) {
+          const eventArg = node.arguments[0];
+          if (eventArg.type === 'Literal' && typeof eventArg.value === 'string') {
+            const handler = node.arguments[1];
+            // Check if the handler body contains network sinks
+            let handlerHasSink = false;
+            if (handler.type === 'FunctionExpression' || handler.type === 'ArrowFunctionExpression') {
+              const bodyStr = content.slice(handler.start, handler.end);
+              handlerHasSink = /\b(request|fetch|https?\.get|https?\.request|dns\.resolve)\b/.test(bodyStr);
+            }
+            eventHandlers.set(eventArg.value, { hasNetworkSink: handlerHasSink });
+          }
+        }
+
+        // Track .emit('eventName', taintedData) — check if emitted data is tainted
+        if (methodName === 'emit' && node.arguments.length >= 2) {
+          const eventArg = node.arguments[0];
+          if (eventArg.type === 'Literal' && typeof eventArg.value === 'string') {
+            const dataArg = node.arguments[1];
+            if (dataArg.type === 'Identifier' && sensitivePathVars.has(dataArg.name)) {
+              emitTaintedEvents.add(eventArg.value);
+            }
+            // Also check taintMap
+            if (dataArg.type === 'Identifier') {
+              const taint = taintMap.get(dataArg.name);
+              if (taint && (taint.source === 'process.env' || MODULE_SOURCE_METHODS[taint.source])) {
+                emitTaintedEvents.add(eventArg.value);
+              }
+            }
+          }
+        }
+      }
+
+      // Fix #23: Function param tainting — propagate taint through function calls
+      if (node.callee.type === 'Identifier' && functionDefs.has(node.callee.name)) {
+        const funcDef = functionDefs.get(node.callee.name);
+        for (let i = 0; i < node.arguments.length && i < funcDef.params.length; i++) {
+          const arg = node.arguments[i];
+          if (arg.type === 'Identifier') {
+            // Check if argument is tainted
+            const argTaint = taintMap.get(arg.name);
+            if (argTaint && (argTaint.source === 'process.env' || MODULE_SOURCE_METHODS[argTaint.source])) {
+              sensitivePathVars.add(funcDef.params[i]);
+            }
+            if (sensitivePathVars.has(arg.name)) {
+              sensitivePathVars.add(funcDef.params[i]);
+            }
+          }
+        }
+      }
+
       // Exec callback: exec('cmd', (err, stdout) => {...}) — output will be used
       if (!execResultNodes.has(node) && node.arguments.length >= 2) {
         const lastArg = node.arguments[node.arguments.length - 1];
@@ -471,6 +546,25 @@ function analyzeFile(content, filePath, basePath) {
     }
   });
 
+  // Fix #22: EventEmitter compound detection
+  for (const eventName of emitTaintedEvents) {
+    const handler = eventHandlers.get(eventName);
+    if (handler && handler.hasNetworkSink) {
+      sources.push({
+        type: 'credential_read',
+        name: `EventEmitter.emit('${eventName}')`,
+        line: 0,
+        taint_tracked: true
+      });
+      sinks.push({
+        type: 'network_send',
+        name: `EventEmitter.on('${eventName}') handler`,
+        line: 0,
+        taint_tracked: true
+      });
+    }
+  }
+
   // Check if any source or sink was resolved via taint tracking
   const hasTaintTracked = sources.some(s => s.taint_tracked) || sinks.some(s => s.taint_tracked);
 
@@ -613,9 +707,13 @@ const SYSTEM_IDENTITY_ENVS = new Set([
   'USERPROFILE', 'COMPUTERNAME', 'WHOAMI'
 ]);
 
+// Env var prefixes for tool-internal configuration (not external credentials)
+const SAFE_ENV_PREFIXES = ['MUADDIB_', 'npm_config_', 'npm_lifecycle_', 'npm_package_'];
+
 function isSensitiveEnv(name) {
   const upper = name.toUpperCase();
   if (SYSTEM_IDENTITY_ENVS.has(upper)) return true;
+  if (SAFE_ENV_PREFIXES.some(p => upper.startsWith(p))) return false;
   const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'AWS', 'AZURE', 'GCP'];
   return sensitive.some(s => upper.includes(s));
 }

package/src/scanner/deobfuscate.js

@@ -581,4 +581,71 @@ function isPrintable(str) {
   return (controlCount / str.length) < 0.2;
 }
 
-module.exports = { deobfuscate };
+/**
+ * Detect control flow flattening obfuscation pattern.
+ * Pattern: while(true/1) { switch(var) { case N: ...; var = M; break; ... } }
+ * Returns true if the pattern is detected.
+ * @param {string} sourceCode — raw JS source
+ * @returns {boolean}
+ */
+function detectControlFlowFlattening(sourceCode) {
+  const ast = safeParse(sourceCode, { ranges: true });
+  if (!ast) return false;
+
+  let found = false;
+  walk.simple(ast, {
+    WhileStatement(node) {
+      if (found) return;
+      // Check for while(true) or while(1)
+      const test = node.test;
+      const isInfinite = (test.type === 'Literal' && (test.value === true || test.value === 1))
+        || (test.type === 'Identifier' && test.name === 'true');
+      if (!isInfinite) return;
+
+      // Body should contain a SwitchStatement
+      const body = node.body;
+      let switchNode = null;
+      if (body.type === 'SwitchStatement') {
+        switchNode = body;
+      } else if (body.type === 'BlockStatement' && body.body) {
+        switchNode = body.body.find(s => s.type === 'SwitchStatement');
+      }
+      if (!switchNode || !switchNode.cases) return;
+
+      // Need at least 3 cases for CFF pattern
+      if (switchNode.cases.length < 3) return;
+
+      // Check for state variable reassignment in at least 2 cases
+      const discriminant = switchNode.discriminant;
+      if (!discriminant) return;
+      let stateVarName = null;
+      if (discriminant.type === 'Identifier') {
+        stateVarName = discriminant.name;
+      } else if (discriminant.type === 'MemberExpression' && discriminant.property?.type === 'Identifier') {
+        stateVarName = discriminant.property.name;
+      }
+      if (!stateVarName) return;
+
+      // Count cases that reassign the state variable
+      let reassignCount = 0;
+      for (const c of switchNode.cases) {
+        if (!c.consequent) continue;
+        const caseSource = sourceCode.slice(c.start, c.end);
+        // Look for stateVar = <number> pattern
+        const reassignRe = new RegExp('\\b' + stateVarName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '\\s*=\\s*\\d+');
+        if (reassignRe.test(caseSource)) {
+          reassignCount++;
+        }
+      }
+
+      // CFF pattern: at least 2 cases reassign the state variable
+      if (reassignCount >= 2) {
+        found = true;
+      }
+    }
+  });
+
+  return found;
+}
+
+module.exports = { deobfuscate, detectControlFlowFlattening };

package/src/scanner/module-graph.js

@@ -63,18 +63,43 @@ function extractLocalImports(filePath, packagePath) {
   return [...new Set(imports)];
 }
 
+/**
+ * Try to resolve string concatenation in require arguments.
+ * require('./a' + '/b') → './a/b'
+ * @param {Object} node - BinaryExpression AST node
+ * @returns {string|null} Resolved string or null
+ */
+function tryResolveConcatRequire(node, depth) {
+  if (depth === undefined) depth = 0;
+  if (depth > 20) return null;
+  if (node.type === 'Literal' && typeof node.value === 'string') return node.value;
+  if (node.type === 'BinaryExpression' && node.operator === '+') {
+    const left = tryResolveConcatRequire(node.left, depth + 1);
+    if (left === null) return null;
+    const right = tryResolveConcatRequire(node.right, depth + 1);
+    if (right === null) return null;
+    return left + right;
+  }
+  return null;
+}
+
 function walkForRequires(node, fileDir, packagePath, imports) {
   if (!node || typeof node !== 'object') return;
   if (
     node.type === 'CallExpression' &&
     node.callee && node.callee.type === 'Identifier' &&
     node.callee.name === 'require' &&
-    node.arguments.length === 1 &&
-    node.arguments[0].type === 'Literal' &&
-    typeof node.arguments[0].value === 'string'
+    node.arguments.length === 1
   ) {
-    const spec = node.arguments[0].value;
-    if (isLocalImport(spec)) {
+    const arg = node.arguments[0];
+    let spec = null;
+    if (arg.type === 'Literal' && typeof arg.value === 'string') {
+      spec = arg.value;
+    } else if (arg.type === 'BinaryExpression') {
+      // Fix #25: Resolve simple string concatenation in require args
+      spec = tryResolveConcatRequire(arg);
+    }
+    if (spec && isLocalImport(spec)) {
       const resolved = resolveLocal(fileDir, spec, packagePath);
       if (resolved) imports.push(resolved);
     }
@@ -420,7 +445,7 @@ function expandTaintThroughReexports(graph, taintedExports, packagePath) {
     expanded[f] = { ...taintedExports[f] };
   }
 
-  for (let level = 0; level < 2; level++) {
+  for (let level = 0; level < 4; level++) {
     let changed = false;
     for (const relFile of Object.keys(graph)) {
       const absFile = path.resolve(packagePath, relFile);
@@ -878,5 +903,6 @@ function toRel(abs, packagePath) {
 
 module.exports = {
   buildModuleGraph, annotateTaintedExports, detectCrossFileFlows,
-  resolveLocal, extractLocalImports, parseFile, isLocalImport, toRel, isFileExists
+  resolveLocal, extractLocalImports, parseFile, isLocalImport, toRel, isFileExists,
+  tryResolveConcatRequire
 };

package/src/scoring.js

@@ -283,13 +283,25 @@ function calculateRiskScore(deduped) {
   // 4. Compute package-level score (typosquat, lifecycle, dependency IOC, etc.)
   const packageScore = computeGroupScore(packageLevelThreats);
 
-  // 5. Final score = max file score + package-level score, capped at 100
-  const riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + packageScore);
+  // 5. Cross-file bonus: aggregate signal from non-max files
+  // A package with 3 files each scoring 20 is more suspicious than 1 file scoring 20.
+  // Add 25% of each non-max file's score as a bonus, capped at 25.
+  const sortedScores = Object.values(fileScores).sort((a, b) => b - a);
+  let crossFileBonus = 0;
+  if (sortedScores.length > 1) {
+    for (let i = 1; i < sortedScores.length; i++) {
+      crossFileBonus += Math.ceil(sortedScores[i] * 0.25);
+    }
+    crossFileBonus = Math.min(crossFileBonus, 25);
+  }
+
+  // 6. Final score = max file score + cross-file bonus + package-level score, capped at 100
+  const riskScore = Math.min(MAX_RISK_SCORE, maxFileScore + crossFileBonus + packageScore);
 
-  // 6. Old global score for comparison (sum of ALL findings)
+  // 7. Old global score for comparison (sum of ALL findings)
   const globalRiskScore = computeGroupScore(deduped);
 
-  // 7. Severity counts (global, for summary display)
+  // 8. Severity counts (global, for summary display)
   const criticalCount = deduped.filter(t => t.severity === 'CRITICAL').length;
   const highCount = deduped.filter(t => t.severity === 'HIGH').length;
   const mediumCount = deduped.filter(t => t.severity === 'MEDIUM').length;
@@ -303,7 +315,7 @@ function calculateRiskScore(deduped) {
 
   return {
     riskScore, riskLevel, globalRiskScore,
-    maxFileScore, packageScore, mostSuspiciousFile, fileScores,
+    maxFileScore, crossFileBonus, packageScore, mostSuspiciousFile, fileScores,
     criticalCount, highCount, mediumCount, lowCount
   };
 }

package/src/shared/download.js

@@ -82,6 +82,38 @@ function isAllowedDownloadRedirect(redirectUrl) {
   }
 }
 
+/**
+ * Check if an IP address is private/internal.
+ */
+function isPrivateIP(ip) {
+  const normalized = normalizeHostname(ip);
+  return PRIVATE_IP_PATTERNS.some(p => p.test(normalized));
+}
+
+/**
+ * Resolve hostname to IP and validate it's not a private address.
+ * Prevents DNS rebinding attacks where a domain initially resolves to
+ * a public IP but later rebinds to a private IP.
+ */
+async function safeDnsResolve(hostname) {
+  // Skip for IP addresses (already validated in isAllowedDownloadRedirect)
+  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(hostname)) {
+    if (isPrivateIP(hostname)) throw new Error(`DNS rebinding blocked: ${hostname} is private`);
+    return hostname;
+  }
+  const dns = require('dns');
+  const addresses = await dns.promises.resolve4(hostname);
+  if (!addresses || addresses.length === 0) {
+    throw new Error(`DNS resolution failed for ${hostname}`);
+  }
+  for (const addr of addresses) {
+    if (isPrivateIP(addr)) {
+      throw new Error(`DNS rebinding blocked: ${hostname} resolved to private IP ${addr}`);
+    }
+  }
+  return addresses[0];
+}
+
 /**
  * Download a file from HTTPS URL to disk, with SSRF-safe redirect handling.
  * @param {string} url - Source URL (must be HTTPS)
@@ -90,60 +122,64 @@ function isAllowedDownloadRedirect(redirectUrl) {
  * @returns {Promise<number>} Number of bytes downloaded
  */
 function downloadToFile(url, destPath, timeoutMs = DOWNLOAD_TIMEOUT) {
-  return new Promise((resolve, reject) => {
-    const doRequest = (requestUrl) => {
-      const req = https.get(requestUrl, { timeout: timeoutMs }, (res) => {
-        if (res.statusCode === 301 || res.statusCode === 302) {
-          res.resume();
-          const location = res.headers.location;
-          if (!location) return reject(new Error(`Redirect without Location for ${requestUrl}`));
-          // Resolve relative redirects against the request URL
-          const absoluteLocation = new URL(location, requestUrl).href;
-          const check = isAllowedDownloadRedirect(absoluteLocation);
-          if (!check.allowed) {
-            return reject(new Error(check.error));
+  // DNS rebinding protection: validate hostname before connecting
+  const parsedUrl = new URL(url);
+  return safeDnsResolve(parsedUrl.hostname).then(() => {
+    return new Promise((resolve, reject) => {
+      const doRequest = (requestUrl) => {
+        const req = https.get(requestUrl, { timeout: timeoutMs }, (res) => {
+          if (res.statusCode === 301 || res.statusCode === 302) {
+            res.resume();
+            const location = res.headers.location;
+            if (!location) return reject(new Error(`Redirect without Location for ${requestUrl}`));
+            // Resolve relative redirects against the request URL
+            const absoluteLocation = new URL(location, requestUrl).href;
+            const check = isAllowedDownloadRedirect(absoluteLocation);
+            if (!check.allowed) {
+              return reject(new Error(check.error));
+            }
+            return doRequest(absoluteLocation);
+          }
+          if (res.statusCode < 200 || res.statusCode >= 300) {
+            res.resume();
+            return reject(new Error(`HTTP ${res.statusCode} for ${requestUrl}`));
           }
-          return doRequest(absoluteLocation);
-        }
-        if (res.statusCode < 200 || res.statusCode >= 300) {
-          res.resume();
-          return reject(new Error(`HTTP ${res.statusCode} for ${requestUrl}`));
-        }
-        const contentLength = parseInt(res.headers['content-length'], 10);
-        if (contentLength && contentLength > MAX_TARBALL_SIZE) {
-          res.resume();
-          return reject(new Error(`Package too large: ${contentLength} bytes (max ${MAX_TARBALL_SIZE})`));
-        }
-        const fileStream = fs.createWriteStream(destPath);
-        let downloadedBytes = 0;
-        res.on('data', (chunk) => {
-          downloadedBytes += chunk.length;
-          if (downloadedBytes > MAX_TARBALL_SIZE) {
-            res.destroy();
+          const contentLength = parseInt(res.headers['content-length'], 10);
+          if (contentLength && contentLength > MAX_TARBALL_SIZE) {
+            res.resume();
+            return reject(new Error(`Package too large: ${contentLength} bytes (max ${MAX_TARBALL_SIZE})`));
+          }
+          const fileStream = fs.createWriteStream(destPath);
+          let downloadedBytes = 0;
+          res.on('data', (chunk) => {
+            downloadedBytes += chunk.length;
+            if (downloadedBytes > MAX_TARBALL_SIZE) {
+              res.destroy();
+              fileStream.destroy();
+              try { fs.unlinkSync(destPath); } catch {}
+              reject(new Error(`Package too large: ${downloadedBytes}+ bytes (max ${MAX_TARBALL_SIZE})`));
+            }
+          });
+          res.pipe(fileStream);
+          fileStream.on('finish', () => resolve(downloadedBytes));
+          fileStream.on('error', (err) => {
+            try { fs.unlinkSync(destPath); } catch {}
+            reject(err);
+          });
+          res.on('error', (err) => {
             fileStream.destroy();
             try { fs.unlinkSync(destPath); } catch {}
-            reject(new Error(`Package too large: ${downloadedBytes}+ bytes (max ${MAX_TARBALL_SIZE})`));
-          }
-        });
-        res.pipe(fileStream);
-        fileStream.on('finish', () => resolve(downloadedBytes));
-        fileStream.on('error', (err) => {
-          try { fs.unlinkSync(destPath); } catch {}
-          reject(err);
+            reject(err);
+          });
         });
-        res.on('error', (err) => {
-          fileStream.destroy();
-          try { fs.unlinkSync(destPath); } catch {}
-          reject(err);
+        req.on('error', reject);
+        req.on('timeout', () => {
+          req.destroy();
+          reject(new Error(`Timeout downloading ${requestUrl}`));
         });
-      });
-      req.on('error', reject);
-      req.on('timeout', () => {
-        req.destroy();
-        reject(new Error(`Timeout downloading ${requestUrl}`));
-      });
-    };
-    doRequest(url);
+      };
+      doRequest(url);
+    });
   });
 }
 
@@ -204,6 +240,8 @@ module.exports = {
   sanitizePackageName,
   isAllowedDownloadRedirect,
   normalizeHostname,
+  isPrivateIP,
+  safeDnsResolve,
   ALLOWED_DOWNLOAD_DOMAINS,
   PRIVATE_IP_PATTERNS
 };