muaddib-scanner 2.8.7 → 2.9.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.8.7",
+  "version": "2.9.0",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -44,7 +44,7 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@inquirer/prompts": "8.3.0",
+    "@inquirer/prompts": "8.3.2",
     "acorn": "8.16.0",
     "acorn-walk": "8.3.5",
     "adm-zip": "0.5.16",

package/src/index.js

@@ -567,6 +567,33 @@ async function run(targetPath, options = {}) {
     }
   } catch { /* graceful fallback */ }
 
+  // Cross-scanner compound: detached_process + suspicious_dataflow in same file
+  // Catches cases where credential flow is detected by dataflow scanner, not AST scanner
+  {
+    const fileMap = Object.create(null);
+    for (const t of deduped) {
+      if (t.file) {
+        if (!fileMap[t.file]) fileMap[t.file] = [];
+        fileMap[t.file].push(t);
+      }
+    }
+    for (const file of Object.keys(fileMap)) {
+      const fileThreats = fileMap[file];
+      const hasDetached = fileThreats.some(t => t.type === 'detached_process');
+      const hasCredFlow = fileThreats.some(t => t.type === 'suspicious_dataflow');
+      const alreadyCompound = fileThreats.some(t => t.type === 'detached_credential_exfil');
+      if (hasDetached && hasCredFlow && !alreadyCompound) {
+        deduped.push({
+          type: 'detached_credential_exfil',
+          severity: 'CRITICAL',
+          message: 'Detached process + credential dataflow — background exfiltration (cross-scanner compound).',
+          file,
+          count: 1
+        });
+      }
+    }
+  }
+
   // FP reduction: legitimate frameworks produce high volumes of certain threat types.
   // A malware package typically has 1-3 occurrences, not dozens.
   applyFPReductions(deduped, reachableFiles, packageName, packageDeps);

package/src/ml/jsonl-writer.js

@@ -134,9 +134,15 @@ function getStats() {
  *
  * @param {string} packageName - package name to relabel
  * @param {string} newLabel - 'fp' or 'confirmed'
+ * @param {number} [sandboxFindingCount] - number of sandbox findings (defense-in-depth for 'confirmed')
  * @returns {number} number of records updated
  */
-function relabelRecords(packageName, newLabel) {
+function relabelRecords(packageName, newLabel, sandboxFindingCount) {
+  // Defense-in-depth: never write 'confirmed' without real sandbox findings
+  if (newLabel === 'confirmed' && (!sandboxFindingCount || sandboxFindingCount === 0)) {
+    console.warn(`[ML] BLOCKED relabel to 'confirmed' for ${packageName}: sandbox_finding_count=${sandboxFindingCount || 0}`);
+    return 0;
+  }
   try {
     if (!fs.existsSync(TRAINING_FILE)) return 0;
     const content = fs.readFileSync(TRAINING_FILE, 'utf8');

package/src/response/playbooks.js

@@ -501,6 +501,10 @@ const PLAYBOOKS = {
     'CRITIQUE: Un Proxy JavaScript avec trap set/get/apply est combine avec un appel reseau. ' +
     'Technique d\'interception: le Proxy capture toutes les ecritures de proprietes (credentials, tokens, config) ' +
     'et les exfiltre via HTTPS/fetch/dgram. Supprimer le package. Auditer tous les modules qui importent ce package.',
+  detached_credential_exfil:
+    'CRITIQUE: Process detache avec acces aux credentials et exfiltration reseau. ' +
+    'Technique DPRK/Lazarus: le process fils survit au parent (detached:true, unref()) et exfiltre des secrets en arriere-plan. ' +
+    'Supprimer le package immediatement. Regenerer tous les tokens/credentials. Auditer les process en cours d\'execution.',
   intent_credential_exfil:
     'CRITIQUE: Coherence d\'intention detectee — lecture de credentials combinee avec exfiltration reseau. ' +
     'Pattern multi-fichier DPRK/Lazarus: chaque fichier semble legitime individuellement mais le package ' +
@@ -510,6 +514,52 @@ const PLAYBOOKS = {
     'Coherence d\'intention detectee — sortie de commande systeme combinee avec exfiltration reseau. ' +
     'Le package execute des commandes et transmet les resultats. Verifier les commandes executees. ' +
     'Supprimer le package si non attendu. Auditer les logs reseau pour identifier les donnees exfiltrees.',
+
+  bin_field_hijack:
+    'CRITIQUE: Le champ "bin" de package.json shadow une commande systeme (node, npm, git, bash, etc.). ' +
+    'A l\'installation, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle. ' +
+    'Tous les npm scripts executeront le code malveillant au lieu de la vraie commande. ' +
+    'NE PAS installer. Si deja installe: rm -rf node_modules && npm cache clean --force && npm install.',
+
+  git_dependency_rce:
+    'Dependance utilisant une URL git+ ou git://. Vecteur d\'attaque PackageGate: si le package contient ' +
+    'un .npmrc avec git=./malicious.sh, npm executera le script au lieu de git, meme avec --ignore-scripts. ' +
+    'Verifier le contenu du .npmrc. Ne pas installer de packages avec des dependances git non vérifiées.',
+
+  npmrc_git_override:
+    'CRITIQUE: Fichier .npmrc contient git= override — technique PackageGate. Le binaire git est remplace ' +
+    'par un script controle par l\'attaquant. TOUTE operation git (clone, fetch, pull) executera le script malveillant. ' +
+    'NE PAS installer. Si deja installe: supprimer le package, verifier .npmrc, reinstaller git.',
+
+  node_modules_write:
+    'CRITIQUE: Le code ecrit dans node_modules/ — technique de propagation worm Shai-Hulud 2.0. ' +
+    'Le malware modifie d\'autres packages installes (ethers, webpack, etc.) pour injecter un backdoor persistent. ' +
+    'Verifier l\'integrite de tous les packages: rm -rf node_modules && npm install. ' +
+    'Auditer les fichiers modifies. Regenerer tous les secrets si le code a ete execute.',
+
+  bun_runtime_evasion:
+    'Invocation du runtime Bun detectee — technique Shai-Hulud 2.0. Le payload est execute via bun run ' +
+    'au lieu de node, echappant a toutes les sandboxes Node.js et au monitoring (--experimental-permission). ' +
+    'Verifier si bun est installe: which bun. Supprimer le package. ' +
+    'Auditer les processus: ps aux | grep bun.',
+
+  static_timer_bomb:
+    'Timer avec delai > 1h detecte dans l\'analyse statique (setTimeout/setInterval). ' +
+    'Technique PhantomRaven: le payload s\'active 48h+ apres l\'installation pour echapper aux sandboxes. ' +
+    'Analyser le callback du timer pour identifier le payload retarde. ' +
+    'Si delai > 24h: fort indicateur de time-bomb malware. NE PAS installer.',
+
+  npm_publish_worm:
+    'CRITIQUE: exec("npm publish") detecte — propagation worm. Le code utilise des tokens npm voles ' +
+    'pour publier des versions infectees des packages de la victime. Technique Shai-Hulud 1.0 et 2.0. ' +
+    'Isoler immediatement la machine. Revoquer les tokens npm: npm token revoke. ' +
+    'Verifier les packages publies: npm profile ls. Signaler sur npm.',
+
+  ollama_local_llm:
+    'Reference au port Ollama (11434) detectee. PhantomRaven Wave 4 utilise un LLM local (DeepSeek Coder) ' +
+    'pour reecrire le malware a chaque execution, evitant la detection par signature. Moteur polymorphe. ' +
+    'Verifier si Ollama est installe: curl http://localhost:11434/api/tags. ' +
+    'Aucun package npm legitime n\'appelle un LLM local. Supprimer le package.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -1378,6 +1378,106 @@ const RULES = {
     ],
     mitre: 'T1557'
   },
+  // Package manifest detections (v2.8.9)
+  bin_field_hijack: {
+    id: 'MUADDIB-PKG-013',
+    name: 'Bin Field PATH Hijack',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Le champ "bin" de package.json shadow une commande systeme (node, npm, git, bash, etc.). A l\'install, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle pour tous les npm scripts.',
+    references: [
+      'https://socket.dev/blog/2025-supply-chain-report',
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack'
+    ],
+    mitre: 'T1574.007'
+  },
+  git_dependency_rce: {
+    id: 'MUADDIB-PKG-014',
+    name: 'Git Dependency RCE (PackageGate)',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Dependance utilisant une URL git+ ou git://. Vecteur PackageGate: un .npmrc malveillant peut overrider le binaire git, permettant l\'execution de code meme avec --ignore-scripts.',
+    references: [
+      'https://socket.dev/blog/packagegate-npm-rce',
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1195.002'
+  },
+  npmrc_git_override: {
+    id: 'MUADDIB-PKG-015',
+    name: '.npmrc Git Binary Override',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Fichier .npmrc contient git= override — technique PackageGate: remplace le binaire git par un script controle par l\'attaquant.',
+    references: [
+      'https://socket.dev/blog/packagegate-npm-rce'
+    ],
+    mitre: 'T1195.002'
+  },
+
+  // AST detections (v2.8.9 — supply-chain gaps)
+  node_modules_write: {
+    id: 'MUADDIB-AST-048',
+    name: 'Write to node_modules/ (Worm Propagation)',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'writeFileSync/writeFile/appendFileSync ciblant node_modules/ — technique de propagation worm Shai-Hulud 2.0: modifie d\'autres packages installes pour injecter un backdoor persistent.',
+    references: [
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack',
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1195.002'
+  },
+  bun_runtime_evasion: {
+    id: 'MUADDIB-AST-049',
+    name: 'Bun Runtime Evasion',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Invocation du runtime Bun (bun run/exec/install) via exec/spawn — technique Shai-Hulud 2.0: utilise un runtime alternatif pour echapper aux sandboxes et monitoring Node.js.',
+    references: [
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack',
+      'https://attack.mitre.org/techniques/T1059/'
+    ],
+    mitre: 'T1059'
+  },
+  static_timer_bomb: {
+    id: 'MUADDIB-AST-050',
+    name: 'Static Timer Bomb',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'setTimeout/setInterval avec delai > 1h detecte statiquement. PhantomRaven active le 2nd stage 48h+ apres install. Evasion temporelle: le payload s\'active bien apres l\'installation pour echapper aux sandboxes.',
+    references: [
+      'https://www.sonatype.com/blog/phantomraven-supply-chain-attack',
+      'https://attack.mitre.org/techniques/T1497/003/'
+    ],
+    mitre: 'T1497.003'
+  },
+  npm_publish_worm: {
+    id: 'MUADDIB-AST-051',
+    name: 'npm publish Worm Propagation',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'exec("npm publish") detecte — technique de propagation worm Shai-Hulud: utilise les tokens npm voles pour publier des versions infectees des packages de la victime.',
+    references: [
+      'https://blog.phylum.io/shai-hulud-npm-worm',
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack',
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1195.002'
+  },
+  ollama_local_llm: {
+    id: 'MUADDIB-AST-052',
+    name: 'Ollama Local LLM (Polymorphic Engine)',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Reference au port 11434 (Ollama) detectee. PhantomRaven Wave 4 utilise un LLM local pour reecrire le malware et eviter la detection signature. Moteur polymorphe.',
+    references: [
+      'https://www.sonatype.com/blog/phantomraven-supply-chain-attack',
+      'https://attack.mitre.org/techniques/T1027/005/'
+    ],
+    mitre: 'T1027.005'
+  },
+
   // Shell IFS evasion rules (v2.6.9)
   curl_ifs_evasion: {
     id: 'MUADDIB-SHELL-016',
@@ -1408,6 +1508,18 @@ const RULES = {
   },
 
   // Intent Graph rules (v2.6.0)
+  detached_credential_exfil: {
+    id: 'MUADDIB-AST-047',
+    name: 'Detached Process Credential Exfiltration',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Process detache (survit au parent) avec acces aux credentials et appel reseau — technique DPRK/Lazarus pour exfiltrer des secrets en arriere-plan',
+    references: [
+      'https://attack.mitre.org/techniques/T1041/',
+      'https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a'
+    ],
+    mitre: 'T1041'
+  },
   intent_credential_exfil: {
     id: 'MUADDIB-INTENT-001',
     name: 'Intent Credential Exfiltration',

package/src/scanner/ast-detectors.js

@@ -705,6 +705,26 @@ function handleCallExpression(node, ctx) {
           break;
         }
       }
+
+      // Bun runtime evasion: exec/spawn using bun instead of node (Shai-Hulud 2.0)
+      if (/\bbun\s+(run|exec|install|x)\b/.test(cmdStr)) {
+        ctx.threats.push({
+          type: 'bun_runtime_evasion',
+          severity: 'HIGH',
+          message: `Bun runtime invocation detected: "${cmdStr.slice(0, 80)}" — alternative runtime to evade Node.js monitoring/sandboxing.`,
+          file: ctx.relFile
+        });
+      }
+
+      // Worm propagation: npm publish / npm adduser / npm token create (Shai-Hulud)
+      if (/\bnpm\s+(publish|adduser|token\s+create|login)\b/.test(cmdStr)) {
+        ctx.threats.push({
+          type: 'npm_publish_worm',
+          severity: 'CRITICAL',
+          message: `exec("${cmdStr.slice(0, 80)}") — worm propagation: publishing packages with stolen credentials.`,
+          file: ctx.relFile
+        });
+      }
     }
   }
 
@@ -785,6 +805,30 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Detect spawn('bun', ['run', ...]) — Bun runtime evasion via spawn
+  if ((callName === 'spawn' || callName === 'execFile') && node.arguments.length >= 1) {
+    const bunArg = node.arguments[0];
+    if (bunArg.type === 'Literal' && typeof bunArg.value === 'string' && bunArg.value === 'bun') {
+      // Check the args array for run/exec/install/x
+      const argsArr = node.arguments[1];
+      let bunCmd = 'bun';
+      if (argsArr?.type === 'ArrayExpression' && argsArr.elements.length > 0) {
+        const firstEl = argsArr.elements[0];
+        if (firstEl?.type === 'Literal' && typeof firstEl.value === 'string') {
+          bunCmd = `bun ${firstEl.value}`;
+        }
+      }
+      if (/\bbun\s*(run|exec|install|x)?$/.test(bunCmd) || bunCmd === 'bun') {
+        ctx.threats.push({
+          type: 'bun_runtime_evasion',
+          severity: 'HIGH',
+          message: `spawn("bun", [...]) — Bun runtime invocation to evade Node.js monitoring/sandboxing.`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
   // Detect spawn/fork with {detached: true}
   if ((callName === 'spawn' || callName === 'fork') && node.arguments.length >= 2) {
     const lastArg = node.arguments[node.arguments.length - 1];
@@ -836,6 +880,27 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Detect writes to node_modules/ — worm propagation / package patching (Shai-Hulud 2.0)
+  if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
+    const nmWriteMethod = node.callee.property.name;
+    if (['writeFileSync', 'writeFile', 'appendFileSync'].includes(nmWriteMethod) && node.arguments.length >= 2) {
+      const nmPathArg = node.arguments[0];
+      let nmPathStr = extractStringValueDeep(nmPathArg);
+      // Also resolve variable indirection
+      if (!nmPathStr && nmPathArg?.type === 'Identifier' && ctx.stringVarValues?.has(nmPathArg.name)) {
+        nmPathStr = ctx.stringVarValues.get(nmPathArg.name);
+      }
+      if (nmPathStr && /node_modules[/\\]/.test(nmPathStr)) {
+        ctx.threats.push({
+          type: 'node_modules_write',
+          severity: 'CRITICAL',
+          message: `${nmWriteMethod}() targeting node_modules/ path: "${nmPathStr.substring(0, 80)}" — package patching / worm propagation technique.`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
   // Detect fs.mkdirSync creating .github/workflows
   if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
     const mkdirMethod = node.callee.property.name;
@@ -1200,6 +1265,24 @@ function handleCallExpression(node, ctx) {
         file: ctx.relFile
       });
     }
+
+    // Static timer bomb: setTimeout/setInterval with delay > 1 hour (PhantomRaven 48h delay)
+    if (node.arguments.length >= 2) {
+      const delayArg = node.arguments[1];
+      let delayMs = null;
+      if (delayArg.type === 'Literal' && typeof delayArg.value === 'number') {
+        delayMs = delayArg.value;
+      }
+      if (delayMs !== null && delayMs > 3600000) { // > 1 hour
+        const hours = (delayMs / 3600000).toFixed(1);
+        ctx.threats.push({
+          type: 'static_timer_bomb',
+          severity: delayMs > 86400000 ? 'HIGH' : 'MEDIUM', // > 24h = HIGH
+          message: `${callName}() with ${hours}h delay (${delayMs}ms) — time-bomb evasion: payload activates long after install.`,
+          file: ctx.relFile
+        });
+      }
+    }
   }
 
   // Detect eval.call(null, code) / eval.apply(null, [code]) / Function.call/apply
@@ -1727,6 +1810,17 @@ function handleLiteral(node, ctx) {
         break;
       }
     }
+
+    // Ollama LLM local: polymorphic engine indicator (PhantomRaven Wave 4)
+    // Port 11434 is Ollama's default port. Legitimate packages don't call local LLMs.
+    if (/(?:localhost|127\.0\.0\.1):11434/.test(node.value)) {
+      ctx.threats.push({
+        type: 'ollama_local_llm',
+        severity: 'HIGH',
+        message: `Reference to Ollama LLM API (${node.value.slice(0, 60)}) — polymorphic malware engine: uses local LLM to rewrite code and evade detection.`,
+        file: ctx.relFile
+      });
+    }
   }
 }
 
@@ -2187,6 +2281,24 @@ function handlePostWalk(ctx) {
       file: ctx.relFile
     });
   }
+
+  // DPRK/Lazarus compound: detached background process + credential env access + network
+  // Pattern: spawn({detached:true}) reads secrets then exfils via network.
+  // This combination is never legitimate — daemons don't read API keys and send them out.
+  const hasDetachedInFile = ctx.threats.some(t =>
+    t.file === ctx.relFile && t.type === 'detached_process'
+  );
+  const hasSensitiveEnvInFile = ctx.threats.some(t =>
+    t.file === ctx.relFile && t.type === 'env_access'
+  );
+  if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile) {
+    ctx.threats.push({
+      type: 'detached_credential_exfil',
+      severity: 'CRITICAL',
+      message: 'Detached process + sensitive env access + network call — credential exfiltration via background process (DPRK/Lazarus evasion pattern).',
+      file: ctx.relFile
+    });
+  }
 }
 
 function handleWithStatement(node, ctx) {

package/src/scanner/package.js

@@ -28,6 +28,13 @@ const DANGEROUS_PATTERNS = [
 const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype', 'toString', 'valueOf']);
 const DEP_FP_WHITELIST = new Set(['es5-ext', 'bootstrap-sass']);
 
+// System commands that should never be shadowed via the "bin" field (PATH hijack)
+const SHADOWED_COMMANDS = new Set([
+  'node', 'npm', 'npx', 'git', 'sh', 'bash', 'zsh', 'python', 'python3',
+  'curl', 'wget', 'ssh', 'scp', 'tar', 'make', 'gcc', 'go', 'ruby',
+  'perl', 'php', 'java', 'javac', 'pip', 'pip3', 'yarn', 'pnpm', 'bun'
+]);
+
 /**
  * Clean a version specifier to extract the primary version number.
  * Handles: ^1.0.0, ~1.0.0, >=1.0.0, >=1.0.0,<2.0.0, git URLs, etc.
@@ -95,6 +102,16 @@ async function scanPackageJson(targetPath) {
           });
         }
       }
+
+      // Detect Bun runtime evasion in lifecycle scripts (Shai-Hulud 2.0)
+      if (/\bbun\s+(run|exec|install|x)\b/.test(scriptContent) || /\bbunx\s+/.test(scriptContent)) {
+        threats.push({
+          type: 'bun_runtime_evasion',
+          severity: 'HIGH',
+          message: `Bun runtime invocation in lifecycle script "${scriptName}" — alternative runtime to evade Node.js monitoring/sandboxing.`,
+          file: 'package.json'
+        });
+      }
     }
   }
 
@@ -113,6 +130,39 @@ async function scanPackageJson(targetPath) {
     }
   }
 
+  // Detect bin field hijacking: shadowing system commands (node, npm, git, bash, etc.)
+  if (pkg.bin) {
+    const binEntries = typeof pkg.bin === 'string'
+      ? { [pkg.name]: pkg.bin }
+      : pkg.bin;
+    for (const [cmdName, cmdPath] of Object.entries(binEntries || {})) {
+      if (SHADOWED_COMMANDS.has(cmdName)) {
+        threats.push({
+          type: 'bin_field_hijack',
+          severity: 'CRITICAL',
+          message: `package.json "bin" field shadows system command "${cmdName}" → ${cmdPath}. PATH hijack: all npm scripts will execute this instead of the real ${cmdName}.`,
+          file: 'package.json'
+        });
+      }
+    }
+  }
+
+  // Detect .npmrc with git= override (PackageGate technique)
+  const npmrcPath = path.join(targetPath, '.npmrc');
+  if (fs.existsSync(npmrcPath)) {
+    try {
+      const npmrcContent = fs.readFileSync(npmrcPath, 'utf8');
+      if (/^git\s*=/m.test(npmrcContent)) {
+        threats.push({
+          type: 'npmrc_git_override',
+          severity: 'CRITICAL',
+          message: '.npmrc contains git= override — PackageGate technique: replaces git binary with attacker-controlled script.',
+          file: '.npmrc'
+        });
+      }
+    } catch { /* permission error */ }
+  }
+
   // Scan declared dependencies against IOCs
   let iocs;
   try {
@@ -156,12 +206,21 @@ async function scanPackageJson(targetPath) {
       ].some(p => p.test(urlLower));
       threats.push({
         type: 'dependency_url_suspicious',
-        severity: isSuspicious ? 'HIGH' : 'MEDIUM',
+        severity: isSuspicious ? 'CRITICAL' : 'HIGH',
         message: `Dependency "${depName}" uses HTTP URL: ${depVersion}` +
           (isSuspicious ? ' (tunnel/private/localhost)' : ' (unusual, verify source)'),
         file: 'package.json'
       });
     }
+    // Detect git-based dependencies — potential PackageGate RCE vector
+    if (typeof depVersion === 'string' && /^git[+:]/.test(depVersion)) {
+      threats.push({
+        type: 'git_dependency_rce',
+        severity: 'HIGH',
+        message: `Dependency "${depName}" uses git URL: ${depVersion} — potential PackageGate RCE vector (malicious .npmrc can override git binary).`,
+        file: 'package.json'
+      });
+    }
     // Skip known FP packages that share names with malicious IOC entries
     if (DEP_FP_WHITELIST.has(depName)) continue;
     let malicious = null;

package/src/scanner/shell.js

@@ -24,7 +24,9 @@ const MALICIOUS_PATTERNS = [
   // IFS evasion patterns (v2.6.9)
   { pattern: /curl\$\{?IFS\}?.*\|.*sh/m, name: 'curl_ifs_evasion', severity: 'CRITICAL' },
   { pattern: /eval\s+.*\$\(curl/m, name: 'eval_curl_subshell', severity: 'CRITICAL' },
-  { pattern: /sh\s+-c\s+['"].*curl/m, name: 'sh_c_curl_exec', severity: 'HIGH' }
+  { pattern: /sh\s+-c\s+['"].*curl/m, name: 'sh_c_curl_exec', severity: 'HIGH' },
+  // Bun runtime evasion (v2.8.9 — Shai-Hulud 2.0)
+  { pattern: /\bbun\s+run\b/m, name: 'bun_runtime_evasion', severity: 'HIGH' }
 ];
 
 const SHEBANG_RE = /^#!.*\b(?:ba)?sh\b/;

package/src/scoring.js

@@ -153,7 +153,10 @@ const DIST_EXEMPT_TYPES = new Set([
   'download_exec_binary',     // download + chmod + exec (binary dropper)
   'cross_file_dataflow',      // credential read → network exfil across files
   'staged_eval_decode',       // eval(atob(...)) (explicit payload staging)
-  'reverse_shell'             // net.Socket + connect + pipe (always malicious)
+  'reverse_shell',            // net.Socket + connect + pipe (always malicious)
+  'detached_credential_exfil', // detached process + credential exfil (DPRK/Lazarus)
+  'node_modules_write',       // writeFile to node_modules/ (worm propagation)
+  'npm_publish_worm'          // exec("npm publish") (worm propagation)
   // P6: remote_code_load and proxy_data_intercept removed — in bundled dist/ files,
   // fetch + eval co-occurrence is coincidental (bundler combines HTTP client + template compilation).
   // fetch_decrypt_exec (fetch+decrypt+eval triple) remains exempt — never coincidental.
@@ -196,7 +199,8 @@ const REACHABILITY_EXEMPT_TYPES = new Set([
   'cross_file_dataflow',
   'typosquat_detected', 'pypi_typosquat_detected',
   'pypi_malicious_package',
-  'ai_config_injection', 'ai_config_injection_compound'
+  'ai_config_injection', 'ai_config_injection_compound',
+  'detached_credential_exfil' // DPRK/Lazarus: invoked via lifecycle, not require/import
 ]);
 
 // Custom class prototypes that HTTP frameworks legitimately extend.