muaddib-scanner 2.8.8 → 2.9.1

package/iocs/builtin.yaml

@@ -117,6 +117,32 @@ packages:
     source: shai-hulud-v3
     description: "First confirmed v3 payload - testing phase"
 
+  # GlassWorm hijacked packages (mars 2026)
+  - name: "@aifabrix/miso-client"
+    version: "4.7.2"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.0"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.1"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.2"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.3"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.4"
+    source: glassworm
+  - name: "react-native-country-select"
+    version: "0.3.91"
+    source: glassworm
+  - name: "react-native-international-phone-number"
+    version: "0.11.8"
+    source: glassworm
+
   # Attaques historiques
   - name: "flatmap-stream"
     version: "0.1.1"
@@ -177,6 +203,9 @@ files:
   - 3nvir0nm3nt.json
   - c9nt3nts.json
   - c0nt3nts.json
+  # GlassWorm (mars 2026)
+  - i.js
+  - init.json
 
 hashes:
   # Shai-Hulud v2 payloads
@@ -185,6 +214,8 @@ hashes:
   - "f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068"
   - "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a"
   - "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db"
+  # GlassWorm install.js (React Native hijack)
+  - "59221aa9623d86c930357dba7e3f54138c7ccbd0daa9c483d766cd8ce1b6ad26"
 
 markers:
   # Shai-Hulud v1/v2
@@ -198,4 +229,9 @@ markers:
   # Protestware
   - "peacenotwar"
   # Generic malicious
-  - "/dev/tcp"
+  - "/dev/tcp"
+  # GlassWorm (mars 2026)
+  - "lzcdrtfxyqiplpd"
+  - "28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2"
+  - "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC"
+  - "6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.8.8",
+  "version": "2.9.1",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/response/playbooks.js

@@ -514,6 +514,74 @@ const PLAYBOOKS = {
     'Coherence d\'intention detectee — sortie de commande systeme combinee avec exfiltration reseau. ' +
     'Le package execute des commandes et transmet les resultats. Verifier les commandes executees. ' +
     'Supprimer le package si non attendu. Auditer les logs reseau pour identifier les donnees exfiltrees.',
+
+  unicode_invisible_injection:
+    'CRITIQUE: Caracteres Unicode invisibles detectes (zero-width, variation selectors). ' +
+    'Technique GlassWorm: du code malveillant est encode via des variation selectors invisibles dans les editeurs. ' +
+    'Analyser le fichier avec un editeur hexa. Supprimer le package immediatement. ' +
+    'Verifier les autres fichiers du projet pour des injections similaires.',
+
+  unicode_variation_decoder:
+    'CRITIQUE: Decodeur de payload Unicode via variation selectors detecte (.codePointAt + 0xFE00/0xE0100). ' +
+    'Signature GlassWorm: le code reconstruit un payload octet par octet a partir de caracteres invisibles. ' +
+    'Isoler immediatement. Decoder manuellement les variation selectors pour extraire le payload. Supprimer le package.',
+
+  blockchain_c2_resolution:
+    'Import Solana/Web3 + appel API blockchain C2 (getSignaturesForAddress, getTransaction) detecte. ' +
+    'Technique GlassWorm: la blockchain sert de dead drop resolver pour obtenir l\'adresse C2 via le champ memo. ' +
+    'Cout de rotation: 0.000005 SOL par changement d\'adresse C2 — censorship-resistant. ' +
+    'Bloquer les connexions vers les RPC Solana. Supprimer le package.',
+
+  blockchain_rpc_endpoint:
+    'Endpoint RPC blockchain hardcode detecte (Solana mainnet, Infura Ethereum). ' +
+    'Dans un package non-crypto, cela indique un potentiel canal C2 via blockchain. ' +
+    'Verifier le contexte: si le package n\'a rien a voir avec la blockchain, supprimer immediatement.',
+
+  bin_field_hijack:
+    'CRITIQUE: Le champ "bin" de package.json shadow une commande systeme (node, npm, git, bash, etc.). ' +
+    'A l\'installation, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle. ' +
+    'Tous les npm scripts executeront le code malveillant au lieu de la vraie commande. ' +
+    'NE PAS installer. Si deja installe: rm -rf node_modules && npm cache clean --force && npm install.',
+
+  git_dependency_rce:
+    'Dependance utilisant une URL git+ ou git://. Vecteur d\'attaque PackageGate: si le package contient ' +
+    'un .npmrc avec git=./malicious.sh, npm executera le script au lieu de git, meme avec --ignore-scripts. ' +
+    'Verifier le contenu du .npmrc. Ne pas installer de packages avec des dependances git non vérifiées.',
+
+  npmrc_git_override:
+    'CRITIQUE: Fichier .npmrc contient git= override — technique PackageGate. Le binaire git est remplace ' +
+    'par un script controle par l\'attaquant. TOUTE operation git (clone, fetch, pull) executera le script malveillant. ' +
+    'NE PAS installer. Si deja installe: supprimer le package, verifier .npmrc, reinstaller git.',
+
+  node_modules_write:
+    'CRITIQUE: Le code ecrit dans node_modules/ — technique de propagation worm Shai-Hulud 2.0. ' +
+    'Le malware modifie d\'autres packages installes (ethers, webpack, etc.) pour injecter un backdoor persistent. ' +
+    'Verifier l\'integrite de tous les packages: rm -rf node_modules && npm install. ' +
+    'Auditer les fichiers modifies. Regenerer tous les secrets si le code a ete execute.',
+
+  bun_runtime_evasion:
+    'Invocation du runtime Bun detectee — technique Shai-Hulud 2.0. Le payload est execute via bun run ' +
+    'au lieu de node, echappant a toutes les sandboxes Node.js et au monitoring (--experimental-permission). ' +
+    'Verifier si bun est installe: which bun. Supprimer le package. ' +
+    'Auditer les processus: ps aux | grep bun.',
+
+  static_timer_bomb:
+    'Timer avec delai > 1h detecte dans l\'analyse statique (setTimeout/setInterval). ' +
+    'Technique PhantomRaven: le payload s\'active 48h+ apres l\'installation pour echapper aux sandboxes. ' +
+    'Analyser le callback du timer pour identifier le payload retarde. ' +
+    'Si delai > 24h: fort indicateur de time-bomb malware. NE PAS installer.',
+
+  npm_publish_worm:
+    'CRITIQUE: exec("npm publish") detecte — propagation worm. Le code utilise des tokens npm voles ' +
+    'pour publier des versions infectees des packages de la victime. Technique Shai-Hulud 1.0 et 2.0. ' +
+    'Isoler immediatement la machine. Revoquer les tokens npm: npm token revoke. ' +
+    'Verifier les packages publies: npm profile ls. Signaler sur npm.',
+
+  ollama_local_llm:
+    'Reference au port Ollama (11434) detectee. PhantomRaven Wave 4 utilise un LLM local (DeepSeek Coder) ' +
+    'pour reecrire le malware a chaque execution, evitant la detection par signature. Moteur polymorphe. ' +
+    'Verifier si Ollama est installe: curl http://localhost:11434/api/tags. ' +
+    'Aucun package npm legitime n\'appelle un LLM local. Supprimer le package.',
 };
 
 function getPlaybook(threatType) {

package/src/rules/index.js

@@ -1378,6 +1378,106 @@ const RULES = {
     ],
     mitre: 'T1557'
   },
+  // Package manifest detections (v2.8.9)
+  bin_field_hijack: {
+    id: 'MUADDIB-PKG-013',
+    name: 'Bin Field PATH Hijack',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Le champ "bin" de package.json shadow une commande systeme (node, npm, git, bash, etc.). A l\'install, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle pour tous les npm scripts.',
+    references: [
+      'https://socket.dev/blog/2025-supply-chain-report',
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack'
+    ],
+    mitre: 'T1574.007'
+  },
+  git_dependency_rce: {
+    id: 'MUADDIB-PKG-014',
+    name: 'Git Dependency RCE (PackageGate)',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Dependance utilisant une URL git+ ou git://. Vecteur PackageGate: un .npmrc malveillant peut overrider le binaire git, permettant l\'execution de code meme avec --ignore-scripts.',
+    references: [
+      'https://socket.dev/blog/packagegate-npm-rce',
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1195.002'
+  },
+  npmrc_git_override: {
+    id: 'MUADDIB-PKG-015',
+    name: '.npmrc Git Binary Override',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Fichier .npmrc contient git= override — technique PackageGate: remplace le binaire git par un script controle par l\'attaquant.',
+    references: [
+      'https://socket.dev/blog/packagegate-npm-rce'
+    ],
+    mitre: 'T1195.002'
+  },
+
+  // AST detections (v2.8.9 — supply-chain gaps)
+  node_modules_write: {
+    id: 'MUADDIB-AST-048',
+    name: 'Write to node_modules/ (Worm Propagation)',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'writeFileSync/writeFile/appendFileSync ciblant node_modules/ — technique de propagation worm Shai-Hulud 2.0: modifie d\'autres packages installes pour injecter un backdoor persistent.',
+    references: [
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack',
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1195.002'
+  },
+  bun_runtime_evasion: {
+    id: 'MUADDIB-AST-049',
+    name: 'Bun Runtime Evasion',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Invocation du runtime Bun (bun run/exec/install) via exec/spawn — technique Shai-Hulud 2.0: utilise un runtime alternatif pour echapper aux sandboxes et monitoring Node.js.',
+    references: [
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack',
+      'https://attack.mitre.org/techniques/T1059/'
+    ],
+    mitre: 'T1059'
+  },
+  static_timer_bomb: {
+    id: 'MUADDIB-AST-050',
+    name: 'Static Timer Bomb',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'setTimeout/setInterval avec delai > 1h detecte statiquement. PhantomRaven active le 2nd stage 48h+ apres install. Evasion temporelle: le payload s\'active bien apres l\'installation pour echapper aux sandboxes.',
+    references: [
+      'https://www.sonatype.com/blog/phantomraven-supply-chain-attack',
+      'https://attack.mitre.org/techniques/T1497/003/'
+    ],
+    mitre: 'T1497.003'
+  },
+  npm_publish_worm: {
+    id: 'MUADDIB-AST-051',
+    name: 'npm publish Worm Propagation',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'exec("npm publish") detecte — technique de propagation worm Shai-Hulud: utilise les tokens npm voles pour publier des versions infectees des packages de la victime.',
+    references: [
+      'https://blog.phylum.io/shai-hulud-npm-worm',
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack',
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1195.002'
+  },
+  ollama_local_llm: {
+    id: 'MUADDIB-AST-052',
+    name: 'Ollama Local LLM (Polymorphic Engine)',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Reference au port 11434 (Ollama) detectee. PhantomRaven Wave 4 utilise un LLM local pour reecrire le malware et eviter la detection signature. Moteur polymorphe.',
+    references: [
+      'https://www.sonatype.com/blog/phantomraven-supply-chain-attack',
+      'https://attack.mitre.org/techniques/T1027/005/'
+    ],
+    mitre: 'T1027.005'
+  },
+
   // Shell IFS evasion rules (v2.6.9)
   curl_ifs_evasion: {
     id: 'MUADDIB-SHELL-016',
@@ -1444,6 +1544,56 @@ const RULES = {
     ],
     mitre: 'T1059'
   },
+
+  // GlassWorm detections (mars 2026)
+  unicode_invisible_injection: {
+    id: 'MUADDIB-OBF-003',
+    name: 'Unicode Invisible Character Injection',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Caracteres Unicode invisibles detectes (zero-width, variation selectors). Technique GlassWorm: encodage de payload malveillant via variation selectors (U+FE00-FE0F, U+E0100-E01EF) invisible dans les editeurs.',
+    references: [
+      'https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1027'
+  },
+  unicode_variation_decoder: {
+    id: 'MUADDIB-AST-053',
+    name: 'Unicode Variation Selector Decoder',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Decodeur de payload Unicode via variation selectors (.codePointAt + 0xFE00/0xE0100). Signature GlassWorm: le code reconstruit un payload octet par octet a partir de caracteres invisibles.',
+    references: [
+      'https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace',
+      'https://attack.mitre.org/techniques/T1140/'
+    ],
+    mitre: 'T1140'
+  },
+  blockchain_c2_resolution: {
+    id: 'MUADDIB-AST-054',
+    name: 'Blockchain C2 Resolution (Dead Drop)',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Import Solana/Web3 + appel API C2 (getSignaturesForAddress, getTransaction). Technique GlassWorm: la blockchain sert de dead drop resolver pour obtenir l\'adresse C2 via le champ memo des transactions.',
+    references: [
+      'https://www.sonatype.com/blog/hijacked-npm-packages-deliver-malware-via-solana-linked-to-glassworm',
+      'https://attack.mitre.org/techniques/T1102/'
+    ],
+    mitre: 'T1102'
+  },
+  blockchain_rpc_endpoint: {
+    id: 'MUADDIB-AST-055',
+    name: 'Hardcoded Blockchain RPC Endpoint',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Endpoint RPC blockchain hardcode (Solana mainnet, Infura Ethereum). Dans un package non-crypto, indique un potentiel canal C2 via blockchain.',
+    references: [
+      'https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace',
+      'https://attack.mitre.org/techniques/T1102/'
+    ],
+    mitre: 'T1102'
+  },
 };
 
 function getRule(type) {

package/src/scanner/ast-detectors.js

@@ -170,7 +170,11 @@ const GIT_HOOKS = [
 const SUSPICIOUS_DOMAINS_HIGH = [
   'oastify.com', 'oast.fun', 'oast.me', 'oast.live',
   'burpcollaborator.net', 'webhook.site', 'pipedream.net',
-  'requestbin.com', 'hookbin.com', 'canarytokens.com'
+  'requestbin.com', 'hookbin.com', 'canarytokens.com',
+  // GlassWorm C2 IPs (mars 2026)
+  '217.69.3.218', '217.69.3.152',
+  '199.247.10.166', '199.247.13.106',
+  '140.82.52.31', '45.32.150.251'
 ];
 
 // Suspicious tunnel/proxy domains (MEDIUM severity)
@@ -198,6 +202,27 @@ const SANDBOX_INDICATORS = [
   '/proc/self/cgroup'
 ];
 
+// Blockchain RPC endpoints — potential C2 channel via blockchain (GlassWorm)
+const BLOCKCHAIN_RPC_ENDPOINTS = [
+  'api.mainnet-beta.solana.com',
+  'api.devnet.solana.com',
+  'api.testnet.solana.com',
+  'mainnet.infura.io',
+  'rpc.ankr.com'
+];
+
+// Solana/Web3 C2 methods — used for dead drop resolver (GlassWorm)
+const SOLANA_C2_METHODS = [
+  'getSignaturesForAddress', 'getAccountInfo', 'getTransaction',
+  'getConfirmedSignaturesForAddress2', 'getParsedTransaction'
+];
+
+// Solana/Web3 package names
+const SOLANA_PACKAGES = ['@solana/web3.js', 'solana-web3.js', '@solana/web3'];
+
+// Variation selector constants (GlassWorm decoder signature)
+const VARIATION_SELECTOR_CONSTS = [0xFE00, 0xFE0F, 0xE0100, 0xE01EF];
+
 // ============================================
 // HELPER FUNCTIONS
 // ============================================
@@ -647,6 +672,10 @@ function handleCallExpression(node, ctx) {
     if (reqStr && /\.node\s*$/.test(reqStr)) {
       ctx.hasRequireNodeFile = true;
     }
+    // GlassWorm: track Solana/Web3 require imports for compound blockchain C2 detection
+    if (reqStr && SOLANA_PACKAGES.some(pkg => reqStr === pkg)) {
+      ctx.hasSolanaImport = true;
+    }
   }
 
   // Detect exec/execSync with dangerous shell commands (direct or via MemberExpression)
@@ -705,6 +734,26 @@ function handleCallExpression(node, ctx) {
           break;
         }
       }
+
+      // Bun runtime evasion: exec/spawn using bun instead of node (Shai-Hulud 2.0)
+      if (/\bbun\s+(run|exec|install|x)\b/.test(cmdStr)) {
+        ctx.threats.push({
+          type: 'bun_runtime_evasion',
+          severity: 'HIGH',
+          message: `Bun runtime invocation detected: "${cmdStr.slice(0, 80)}" — alternative runtime to evade Node.js monitoring/sandboxing.`,
+          file: ctx.relFile
+        });
+      }
+
+      // Worm propagation: npm publish / npm adduser / npm token create (Shai-Hulud)
+      if (/\bnpm\s+(publish|adduser|token\s+create|login)\b/.test(cmdStr)) {
+        ctx.threats.push({
+          type: 'npm_publish_worm',
+          severity: 'CRITICAL',
+          message: `exec("${cmdStr.slice(0, 80)}") — worm propagation: publishing packages with stolen credentials.`,
+          file: ctx.relFile
+        });
+      }
     }
   }
 
@@ -785,6 +834,30 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Detect spawn('bun', ['run', ...]) — Bun runtime evasion via spawn
+  if ((callName === 'spawn' || callName === 'execFile') && node.arguments.length >= 1) {
+    const bunArg = node.arguments[0];
+    if (bunArg.type === 'Literal' && typeof bunArg.value === 'string' && bunArg.value === 'bun') {
+      // Check the args array for run/exec/install/x
+      const argsArr = node.arguments[1];
+      let bunCmd = 'bun';
+      if (argsArr?.type === 'ArrayExpression' && argsArr.elements.length > 0) {
+        const firstEl = argsArr.elements[0];
+        if (firstEl?.type === 'Literal' && typeof firstEl.value === 'string') {
+          bunCmd = `bun ${firstEl.value}`;
+        }
+      }
+      if (/\bbun\s*(run|exec|install|x)?$/.test(bunCmd) || bunCmd === 'bun') {
+        ctx.threats.push({
+          type: 'bun_runtime_evasion',
+          severity: 'HIGH',
+          message: `spawn("bun", [...]) — Bun runtime invocation to evade Node.js monitoring/sandboxing.`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
   // Detect spawn/fork with {detached: true}
   if ((callName === 'spawn' || callName === 'fork') && node.arguments.length >= 2) {
     const lastArg = node.arguments[node.arguments.length - 1];
@@ -836,6 +909,27 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Detect writes to node_modules/ — worm propagation / package patching (Shai-Hulud 2.0)
+  if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
+    const nmWriteMethod = node.callee.property.name;
+    if (['writeFileSync', 'writeFile', 'appendFileSync'].includes(nmWriteMethod) && node.arguments.length >= 2) {
+      const nmPathArg = node.arguments[0];
+      let nmPathStr = extractStringValueDeep(nmPathArg);
+      // Also resolve variable indirection
+      if (!nmPathStr && nmPathArg?.type === 'Identifier' && ctx.stringVarValues?.has(nmPathArg.name)) {
+        nmPathStr = ctx.stringVarValues.get(nmPathArg.name);
+      }
+      if (nmPathStr && /node_modules[/\\]/.test(nmPathStr)) {
+        ctx.threats.push({
+          type: 'node_modules_write',
+          severity: 'CRITICAL',
+          message: `${nmWriteMethod}() targeting node_modules/ path: "${nmPathStr.substring(0, 80)}" — package patching / worm propagation technique.`,
+          file: ctx.relFile
+        });
+      }
+    }
+  }
+
   // Detect fs.mkdirSync creating .github/workflows
   if (node.callee.type === 'MemberExpression' && node.callee.property?.type === 'Identifier') {
     const mkdirMethod = node.callee.property.name;
@@ -1200,6 +1294,24 @@ function handleCallExpression(node, ctx) {
         file: ctx.relFile
       });
     }
+
+    // Static timer bomb: setTimeout/setInterval with delay > 1 hour (PhantomRaven 48h delay)
+    if (node.arguments.length >= 2) {
+      const delayArg = node.arguments[1];
+      let delayMs = null;
+      if (delayArg.type === 'Literal' && typeof delayArg.value === 'number') {
+        delayMs = delayArg.value;
+      }
+      if (delayMs !== null && delayMs > 3600000) { // > 1 hour
+        const hours = (delayMs / 3600000).toFixed(1);
+        ctx.threats.push({
+          type: 'static_timer_bomb',
+          severity: delayMs > 86400000 ? 'HIGH' : 'MEDIUM', // > 24h = HIGH
+          message: `${callName}() with ${hours}h delay (${delayMs}ms) — time-bomb evasion: payload activates long after install.`,
+          file: ctx.relFile
+        });
+      }
+    }
   }
 
   // Detect eval.call(null, code) / eval.apply(null, [code]) / Function.call/apply
@@ -1570,6 +1682,10 @@ function handleImportExpression(node, ctx) {
           file: ctx.relFile
         });
       }
+      // GlassWorm: track Solana/Web3 dynamic import for compound blockchain C2 detection
+      if (SOLANA_PACKAGES.some(pkg => src.value === pkg)) {
+        ctx.hasSolanaImport = true;
+      }
     } else {
       ctx.threats.push({
         type: 'dynamic_import',
@@ -1727,6 +1843,45 @@ function handleLiteral(node, ctx) {
         break;
       }
     }
+
+    // Ollama LLM local: polymorphic engine indicator (PhantomRaven Wave 4)
+    // Port 11434 is Ollama's default port. Legitimate packages don't call local LLMs.
+    if (/(?:localhost|127\.0\.0\.1):11434/.test(node.value)) {
+      ctx.threats.push({
+        type: 'ollama_local_llm',
+        severity: 'HIGH',
+        message: `Reference to Ollama LLM API (${node.value.slice(0, 60)}) — polymorphic malware engine: uses local LLM to rewrite code and evade detection.`,
+        file: ctx.relFile
+      });
+    }
+
+    // Blockchain RPC endpoints — potential C2 channel (GlassWorm)
+    for (const endpoint of BLOCKCHAIN_RPC_ENDPOINTS) {
+      if (lowerVal.includes(endpoint)) {
+        ctx.threats.push({
+          type: 'blockchain_rpc_endpoint',
+          severity: 'MEDIUM',
+          message: `Hardcoded blockchain RPC endpoint "${endpoint}" — potential blockchain C2 channel.`,
+          file: ctx.relFile
+        });
+        break;
+      }
+    }
+
+    // Track Solana C2 method names in string literals (for compound detection)
+    for (const method of SOLANA_C2_METHODS) {
+      if (node.value === method || node.value.includes(method)) {
+        ctx.hasSolanaC2Method = true;
+        break;
+      }
+    }
+  }
+
+  // Track variation selector constants in numeric literals (GlassWorm decoder)
+  if (typeof node.value === 'number') {
+    if (VARIATION_SELECTOR_CONSTS.includes(node.value)) {
+      ctx.hasVariationSelectorConst = true;
+    }
   }
 }
 
@@ -1901,6 +2056,16 @@ function handleMemberExpression(node, ctx) {
     });
   }
 
+  // GlassWorm: track .codePointAt() calls (variation selector decoder pattern)
+  if (node.property?.type === 'Identifier' && node.property.name === 'codePointAt') {
+    ctx.hasCodePointAt = true;
+  }
+
+  // GlassWorm: track Solana C2 method calls (e.g., connection.getSignaturesForAddress)
+  if (node.property?.type === 'Identifier' && SOLANA_C2_METHODS.includes(node.property.name)) {
+    ctx.hasSolanaC2Method = true;
+  }
+
   if (
     node.object?.object?.name === 'process' &&
     node.object?.property?.name === 'env'
@@ -2205,6 +2370,30 @@ function handlePostWalk(ctx) {
       file: ctx.relFile
     });
   }
+
+  // GlassWorm: Unicode variation selector decoder = .codePointAt + variation selector constants
+  if (ctx.hasCodePointAt && ctx.hasVariationSelectorConst) {
+    ctx.threats.push({
+      type: 'unicode_variation_decoder',
+      severity: 'CRITICAL',
+      message: 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants — GlassWorm payload reconstruction from invisible characters.',
+      file: ctx.relFile
+    });
+  }
+
+  // GlassWorm: Blockchain C2 resolution = Solana import + C2 method
+  // CRITICAL if combined with eval/exec, HIGH otherwise
+  if (ctx.hasSolanaImport && ctx.hasSolanaC2Method) {
+    ctx.threats.push({
+      type: 'blockchain_c2_resolution',
+      severity: ctx.hasDynamicExec ? 'CRITICAL' : 'HIGH',
+      message: 'Solana/Web3 import + blockchain C2 method (getSignaturesForAddress/getTransaction) — ' +
+        (ctx.hasDynamicExec
+          ? 'dead drop resolver with dynamic execution. GlassWorm blockchain C2 pattern confirmed.'
+          : 'potential dead drop resolver. GlassWorm technique: C2 address rotated via Solana memo field.'),
+      file: ctx.relFile
+    });
+  }
 }
 
 function handleWithStatement(node, ctx) {

package/src/scanner/ast.js

@@ -160,7 +160,13 @@ function analyzeFile(content, filePath, basePath) {
     // C10: Hash verification — legitimate binary installers verify checksums
     // Requires BOTH createHash() call AND .digest() call — false positives from
     // standalone mentions of 'sha256' or 'integrity' in comments/descriptions
-    hasHashVerification: /\bcreateHash\s*\(/.test(content) && /\.digest\s*\(/.test(content)
+    hasHashVerification: /\bcreateHash\s*\(/.test(content) && /\.digest\s*\(/.test(content),
+    // GlassWorm: variation selector decoder pattern (.codePointAt + 0xFE00/0xE0100)
+    hasCodePointAt: false,
+    hasVariationSelectorConst: false,
+    // GlassWorm: blockchain C2 resolution (Solana import + C2 method + dynamic exec)
+    hasSolanaImport: false,
+    hasSolanaC2Method: false
   };
 
   // Compute fetchOnlySafeDomains: check if ALL URLs in file point to known registries

package/src/scanner/obfuscation.js

@@ -70,6 +70,18 @@ function detectObfuscation(targetPath) {
       signals.push('base64_eval');
     }
 
+    // 7. Unicode invisible character injection (GlassWorm — mars 2026)
+    // Detects zero-width chars, variation selectors, tag characters embedded in source
+    const invisibleCount = countInvisibleUnicode(content);
+    if (invisibleCount >= 3) {
+      threats.push({
+        type: 'unicode_invisible_injection',
+        severity: isPackageOutput ? 'LOW' : 'CRITICAL',
+        message: `${invisibleCount} invisible Unicode characters detected (zero-width, variation selectors, tag chars). GlassWorm technique: payload encoded via invisible codepoints.`,
+        file: relativePath
+      });
+    }
+
     // Hex/unicode escapes alone are not obfuscation (e.g. lodash Unicode char tables).
     // Only count them when combined with strong obfuscation signals.
     const hasStrongSignals = signals.some(s => s !== 'hex_escapes' && s !== 'unicode_escapes');
@@ -130,4 +142,52 @@ function hasLargeStringArray(content) {
   return false;
 }
 
+/**
+ * Count invisible Unicode codepoints in content (GlassWorm detection).
+ * Covers BMP zero-width chars, variation selectors, and supplementary plane
+ * tag characters / variation selectors supplement via codePointAt iteration.
+ *
+ * Codepoints detected:
+ * - U+200B, U+200C, U+200D (zero-width space/joiner/non-joiner)
+ * - U+FEFF (BOM — only if position > 0; pos 0 is legitimate BOM)
+ * - U+2060 (word joiner), U+180E (Mongolian vowel separator)
+ * - U+FE00-U+FE0F (variation selectors — GlassWorm 256-value encoding)
+ * - U+E0100-U+E01EF (variation selectors supplement)
+ * - U+E0001-U+E007F (tag characters)
+ */
+function countInvisibleUnicode(content) {
+  let count = 0;
+  for (let i = 0; i < content.length; i++) {
+    const cp = content.codePointAt(i);
+    // BMP invisible chars
+    if (cp === 0x200B || cp === 0x200C || cp === 0x200D ||
+        cp === 0x2060 || cp === 0x180E) {
+      count++;
+    }
+    // BOM only suspicious after position 0
+    else if (cp === 0xFEFF && i > 0) {
+      count++;
+    }
+    // BMP variation selectors (U+FE00-U+FE0F)
+    else if (cp >= 0xFE00 && cp <= 0xFE0F) {
+      count++;
+    }
+    // Supplementary plane: variation selectors supplement (U+E0100-U+E01EF)
+    else if (cp >= 0xE0100 && cp <= 0xE01EF) {
+      count++;
+      i++; // skip surrogate pair low half
+    }
+    // Supplementary plane: tag characters (U+E0001-U+E007F)
+    else if (cp >= 0xE0001 && cp <= 0xE007F) {
+      count++;
+      i++; // skip surrogate pair low half
+    }
+    // Skip surrogate pair low half for other supplementary chars
+    else if (cp > 0xFFFF) {
+      i++;
+    }
+  }
+  return count;
+}
+
 module.exports = { detectObfuscation };

package/src/scanner/package.js

@@ -28,6 +28,13 @@ const DANGEROUS_PATTERNS = [
 const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype', 'toString', 'valueOf']);
 const DEP_FP_WHITELIST = new Set(['es5-ext', 'bootstrap-sass']);
 
+// System commands that should never be shadowed via the "bin" field (PATH hijack)
+const SHADOWED_COMMANDS = new Set([
+  'node', 'npm', 'npx', 'git', 'sh', 'bash', 'zsh', 'python', 'python3',
+  'curl', 'wget', 'ssh', 'scp', 'tar', 'make', 'gcc', 'go', 'ruby',
+  'perl', 'php', 'java', 'javac', 'pip', 'pip3', 'yarn', 'pnpm', 'bun'
+]);
+
 /**
  * Clean a version specifier to extract the primary version number.
  * Handles: ^1.0.0, ~1.0.0, >=1.0.0, >=1.0.0,<2.0.0, git URLs, etc.
@@ -95,6 +102,16 @@ async function scanPackageJson(targetPath) {
           });
         }
       }
+
+      // Detect Bun runtime evasion in lifecycle scripts (Shai-Hulud 2.0)
+      if (/\bbun\s+(run|exec|install|x)\b/.test(scriptContent) || /\bbunx\s+/.test(scriptContent)) {
+        threats.push({
+          type: 'bun_runtime_evasion',
+          severity: 'HIGH',
+          message: `Bun runtime invocation in lifecycle script "${scriptName}" — alternative runtime to evade Node.js monitoring/sandboxing.`,
+          file: 'package.json'
+        });
+      }
     }
   }
 
@@ -113,6 +130,39 @@ async function scanPackageJson(targetPath) {
     }
   }
 
+  // Detect bin field hijacking: shadowing system commands (node, npm, git, bash, etc.)
+  if (pkg.bin) {
+    const binEntries = typeof pkg.bin === 'string'
+      ? { [pkg.name]: pkg.bin }
+      : pkg.bin;
+    for (const [cmdName, cmdPath] of Object.entries(binEntries || {})) {
+      if (SHADOWED_COMMANDS.has(cmdName)) {
+        threats.push({
+          type: 'bin_field_hijack',
+          severity: 'CRITICAL',
+          message: `package.json "bin" field shadows system command "${cmdName}" → ${cmdPath}. PATH hijack: all npm scripts will execute this instead of the real ${cmdName}.`,
+          file: 'package.json'
+        });
+      }
+    }
+  }
+
+  // Detect .npmrc with git= override (PackageGate technique)
+  const npmrcPath = path.join(targetPath, '.npmrc');
+  if (fs.existsSync(npmrcPath)) {
+    try {
+      const npmrcContent = fs.readFileSync(npmrcPath, 'utf8');
+      if (/^git\s*=/m.test(npmrcContent)) {
+        threats.push({
+          type: 'npmrc_git_override',
+          severity: 'CRITICAL',
+          message: '.npmrc contains git= override — PackageGate technique: replaces git binary with attacker-controlled script.',
+          file: '.npmrc'
+        });
+      }
+    } catch { /* permission error */ }
+  }
+
   // Scan declared dependencies against IOCs
   let iocs;
   try {
@@ -156,12 +206,21 @@ async function scanPackageJson(targetPath) {
       ].some(p => p.test(urlLower));
       threats.push({
         type: 'dependency_url_suspicious',
-        severity: isSuspicious ? 'HIGH' : 'MEDIUM',
+        severity: isSuspicious ? 'CRITICAL' : 'HIGH',
         message: `Dependency "${depName}" uses HTTP URL: ${depVersion}` +
           (isSuspicious ? ' (tunnel/private/localhost)' : ' (unusual, verify source)'),
         file: 'package.json'
       });
     }
+    // Detect git-based dependencies — potential PackageGate RCE vector
+    if (typeof depVersion === 'string' && /^git[+:]/.test(depVersion)) {
+      threats.push({
+        type: 'git_dependency_rce',
+        severity: 'HIGH',
+        message: `Dependency "${depName}" uses git URL: ${depVersion} — potential PackageGate RCE vector (malicious .npmrc can override git binary).`,
+        file: 'package.json'
+      });
+    }
     // Skip known FP packages that share names with malicious IOC entries
     if (DEP_FP_WHITELIST.has(depName)) continue;
     let malicious = null;

package/src/scanner/shell.js

@@ -24,7 +24,9 @@ const MALICIOUS_PATTERNS = [
   // IFS evasion patterns (v2.6.9)
   { pattern: /curl\$\{?IFS\}?.*\|.*sh/m, name: 'curl_ifs_evasion', severity: 'CRITICAL' },
   { pattern: /eval\s+.*\$\(curl/m, name: 'eval_curl_subshell', severity: 'CRITICAL' },
-  { pattern: /sh\s+-c\s+['"].*curl/m, name: 'sh_c_curl_exec', severity: 'HIGH' }
+  { pattern: /sh\s+-c\s+['"].*curl/m, name: 'sh_c_curl_exec', severity: 'HIGH' },
+  // Bun runtime evasion (v2.8.9 — Shai-Hulud 2.0)
+  { pattern: /\bbun\s+run\b/m, name: 'bun_runtime_evasion', severity: 'HIGH' }
 ];
 
 const SHEBANG_RE = /^#!.*\b(?:ba)?sh\b/;

package/src/scoring.js

@@ -154,7 +154,9 @@ const DIST_EXEMPT_TYPES = new Set([
   'cross_file_dataflow',      // credential read → network exfil across files
   'staged_eval_decode',       // eval(atob(...)) (explicit payload staging)
   'reverse_shell',            // net.Socket + connect + pipe (always malicious)
-  'detached_credential_exfil' // detached process + credential exfil (DPRK/Lazarus)
+  'detached_credential_exfil', // detached process + credential exfil (DPRK/Lazarus)
+  'node_modules_write',       // writeFile to node_modules/ (worm propagation)
+  'npm_publish_worm'          // exec("npm publish") (worm propagation)
   // P6: remote_code_load and proxy_data_intercept removed — in bundled dist/ files,
   // fetch + eval co-occurrence is coincidental (bundler combines HTTP client + template compilation).
   // fetch_decrypt_exec (fetch+decrypt+eval triple) remains exempt — never coincidental.