npm - muaddib-scanner - Versions diffs - 2.7.4 → 2.7.6 - Mend

muaddib-scanner 2.7.4 → 2.7.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +3 -3
package/package.json +1 -1
package/src/response/playbooks.js +3 -0
package/src/rules/index.js +9 -0
package/src/scanner/ast-detectors.js +13 -0
package/src/scanner/npm-registry.js +3 -1

package/README.md CHANGED Viewed

@@ -286,7 +286,7 @@ repos:
 | **FPR** (Benign) | **12.1%** (64/529) | 529 npm packages, real source via `npm pack` |
 | **ADR** (Adversarial + Holdout) | **92.2%** (71/77) | 53 adversarial + 40 holdout (77 available on disk), global threshold=20 |
-**2042 tests** across 49 files. **133 rules** (128 RULES + 5 PARANOID).
+**2093 tests** across 49 files. **134 rules** (129 RULES + 5 PARANOID).
 > **Methodology caveats:**
 > - TPR measured on 49 Node.js attack samples (3 browser-only excluded from 51 total)
@@ -327,7 +327,7 @@ npm test
 ### Testing
-- **2042 tests** across 49 modular test files
+- **2093 tests** across 49 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 17,922 real malware samples
 - **Ground truth validation** - 51 real-world attacks (93.9% TPR)
@@ -347,7 +347,7 @@ npm test
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
 - [Adversarial Evaluation](ADVERSARIAL.md) - Red team samples and ADR results
-- [Security Policy](SECURITY.md) - Detection rules reference (133 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (134 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.7.4",
+  "version": "2.7.6",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/response/playbooks.js CHANGED Viewed

@@ -478,6 +478,9 @@ const PLAYBOOKS = {
     'CRITIQUE: Module WebAssembly charge avec des imports host contenant des sinks reseau. Le flux de controle est cache dans le binaire WASM, ' +
     'rendant l\'analyse statique impossible. Le WASM peut lire des fichiers sensibles et exfiltrer via les callbacks host. ' +
     'Supprimer le package immediatement. Analyser le fichier WASM avec wasm2wat pour comprendre le flux. Regenerer tous les secrets.',
+  wasm_standalone:
+    'Module WebAssembly charge sans sink reseau apparent. Usage potentiellement legitime (crypto, image, codecs video). ' +
+    'Verifier le fichier .wasm avec wasm2wat. Si le package n\'a aucune raison d\'utiliser du WASM, considerer comme suspect.',
   credential_regex_harvest:
     'Code contient des regex de detection de credentials (Bearer, password, token, API key) combine avec un appel reseau. ' +
     'Technique de harvesting: scanne les donnees en transit (streams HTTP, fichiers) pour extraire des secrets et les exfiltrer. ' +

package/src/rules/index.js CHANGED Viewed

@@ -1309,6 +1309,15 @@ const RULES = {
     ],
     mitre: 'T1059'
   },
+  wasm_standalone: {
+    id: 'MUADDIB-AST-046',
+    name: 'WASM Module Load (Standalone)',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Module WebAssembly charge sans sink reseau detectable. Usage legitime frequent (cryptographie, traitement d\'image, codecs). Le WASM cache le flux de controle — verifier le fichier .wasm manuellement.',
+    references: ['https://attack.mitre.org/techniques/T1027/'],
+    mitre: 'T1027'
+  },
   credential_regex_harvest: {
     id: 'MUADDIB-AST-041',
     name: 'Credential Regex Harvesting',

package/src/scanner/ast-detectors.js CHANGED Viewed

@@ -2094,6 +2094,19 @@ function handlePostWalk(ctx) {
     });
   }
+  // WASM standalone: WebAssembly.compile/instantiate WITHOUT network sinks.
+  // Legitimate: crypto, image processing, codecs. Still warrants investigation
+  // because WASM hides control flow from static analysis.
+  // Compound WASM + network → wasm_host_sink (CRITICAL) takes priority (mutually exclusive).
+  if (ctx.hasWasmLoad && !ctx.hasNetworkCallInFile) {
+    ctx.threats.push({
+      type: 'wasm_standalone',
+      severity: 'MEDIUM',
+      message: 'WebAssembly module loaded without detectable network sinks. WASM hides control flow — verify .wasm file purpose.',
+      file: ctx.relFile
+    });
+  }
   // Credential regex harvesting: credential-matching regex + network call in same file
   // Real-world pattern: Transform/stream that scans data for tokens/passwords and exfiltrates
   if (ctx.hasCredentialRegex && ctx.hasNetworkCallInFile) {

package/src/scanner/npm-registry.js CHANGED Viewed

@@ -114,6 +114,7 @@ async function getPackageMetadata(packageName) {
   const weeklyDownloads = downloadsData?.downloads ?? 0;
   const authorPackageCount = authorData?.total ?? 0;
+  const versionCount = meta.versions ? Object.keys(meta.versions).length : 0;
   return {
     created_at: createdAt,
@@ -121,7 +122,8 @@ async function getPackageMetadata(packageName) {
     weekly_downloads: weeklyDownloads,
     author_package_count: authorPackageCount,
     has_readme: hasReadme,
-    has_repository: hasRepository
+    has_repository: hasRepository,
+    version_count: versionCount
   };
 }