muaddib-scanner 2.9.0 → 2.9.1

package/iocs/builtin.yaml

@@ -117,6 +117,32 @@ packages:
     source: shai-hulud-v3
     description: "First confirmed v3 payload - testing phase"
 
+  # GlassWorm hijacked packages (mars 2026)
+  - name: "@aifabrix/miso-client"
+    version: "4.7.2"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.0"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.1"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.2"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.3"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.4"
+    source: glassworm
+  - name: "react-native-country-select"
+    version: "0.3.91"
+    source: glassworm
+  - name: "react-native-international-phone-number"
+    version: "0.11.8"
+    source: glassworm
+
   # Attaques historiques
   - name: "flatmap-stream"
     version: "0.1.1"
@@ -177,6 +203,9 @@ files:
   - 3nvir0nm3nt.json
   - c9nt3nts.json
   - c0nt3nts.json
+  # GlassWorm (mars 2026)
+  - i.js
+  - init.json
 
 hashes:
   # Shai-Hulud v2 payloads
@@ -185,6 +214,8 @@ hashes:
   - "f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068"
   - "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a"
   - "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db"
+  # GlassWorm install.js (React Native hijack)
+  - "59221aa9623d86c930357dba7e3f54138c7ccbd0daa9c483d766cd8ce1b6ad26"
 
 markers:
   # Shai-Hulud v1/v2
@@ -198,4 +229,9 @@ markers:
   # Protestware
   - "peacenotwar"
   # Generic malicious
-  - "/dev/tcp"
+  - "/dev/tcp"
+  # GlassWorm (mars 2026)
+  - "lzcdrtfxyqiplpd"
+  - "28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2"
+  - "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC"
+  - "6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.0",
+  "version": "2.9.1",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/response/playbooks.js

@@ -515,6 +515,28 @@ const PLAYBOOKS = {
     'Le package execute des commandes et transmet les resultats. Verifier les commandes executees. ' +
     'Supprimer le package si non attendu. Auditer les logs reseau pour identifier les donnees exfiltrees.',
 
+  unicode_invisible_injection:
+    'CRITIQUE: Caracteres Unicode invisibles detectes (zero-width, variation selectors). ' +
+    'Technique GlassWorm: du code malveillant est encode via des variation selectors invisibles dans les editeurs. ' +
+    'Analyser le fichier avec un editeur hexa. Supprimer le package immediatement. ' +
+    'Verifier les autres fichiers du projet pour des injections similaires.',
+
+  unicode_variation_decoder:
+    'CRITIQUE: Decodeur de payload Unicode via variation selectors detecte (.codePointAt + 0xFE00/0xE0100). ' +
+    'Signature GlassWorm: le code reconstruit un payload octet par octet a partir de caracteres invisibles. ' +
+    'Isoler immediatement. Decoder manuellement les variation selectors pour extraire le payload. Supprimer le package.',
+
+  blockchain_c2_resolution:
+    'Import Solana/Web3 + appel API blockchain C2 (getSignaturesForAddress, getTransaction) detecte. ' +
+    'Technique GlassWorm: la blockchain sert de dead drop resolver pour obtenir l\'adresse C2 via le champ memo. ' +
+    'Cout de rotation: 0.000005 SOL par changement d\'adresse C2 — censorship-resistant. ' +
+    'Bloquer les connexions vers les RPC Solana. Supprimer le package.',
+
+  blockchain_rpc_endpoint:
+    'Endpoint RPC blockchain hardcode detecte (Solana mainnet, Infura Ethereum). ' +
+    'Dans un package non-crypto, cela indique un potentiel canal C2 via blockchain. ' +
+    'Verifier le contexte: si le package n\'a rien a voir avec la blockchain, supprimer immediatement.',
+
   bin_field_hijack:
     'CRITIQUE: Le champ "bin" de package.json shadow une commande systeme (node, npm, git, bash, etc.). ' +
     'A l\'installation, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle. ' +

package/src/rules/index.js

@@ -1544,6 +1544,56 @@ const RULES = {
     ],
     mitre: 'T1059'
   },
+
+  // GlassWorm detections (mars 2026)
+  unicode_invisible_injection: {
+    id: 'MUADDIB-OBF-003',
+    name: 'Unicode Invisible Character Injection',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Caracteres Unicode invisibles detectes (zero-width, variation selectors). Technique GlassWorm: encodage de payload malveillant via variation selectors (U+FE00-FE0F, U+E0100-E01EF) invisible dans les editeurs.',
+    references: [
+      'https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1027'
+  },
+  unicode_variation_decoder: {
+    id: 'MUADDIB-AST-053',
+    name: 'Unicode Variation Selector Decoder',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Decodeur de payload Unicode via variation selectors (.codePointAt + 0xFE00/0xE0100). Signature GlassWorm: le code reconstruit un payload octet par octet a partir de caracteres invisibles.',
+    references: [
+      'https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace',
+      'https://attack.mitre.org/techniques/T1140/'
+    ],
+    mitre: 'T1140'
+  },
+  blockchain_c2_resolution: {
+    id: 'MUADDIB-AST-054',
+    name: 'Blockchain C2 Resolution (Dead Drop)',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Import Solana/Web3 + appel API C2 (getSignaturesForAddress, getTransaction). Technique GlassWorm: la blockchain sert de dead drop resolver pour obtenir l\'adresse C2 via le champ memo des transactions.',
+    references: [
+      'https://www.sonatype.com/blog/hijacked-npm-packages-deliver-malware-via-solana-linked-to-glassworm',
+      'https://attack.mitre.org/techniques/T1102/'
+    ],
+    mitre: 'T1102'
+  },
+  blockchain_rpc_endpoint: {
+    id: 'MUADDIB-AST-055',
+    name: 'Hardcoded Blockchain RPC Endpoint',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Endpoint RPC blockchain hardcode (Solana mainnet, Infura Ethereum). Dans un package non-crypto, indique un potentiel canal C2 via blockchain.',
+    references: [
+      'https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace',
+      'https://attack.mitre.org/techniques/T1102/'
+    ],
+    mitre: 'T1102'
+  },
 };
 
 function getRule(type) {

package/src/scanner/ast-detectors.js

@@ -170,7 +170,11 @@ const GIT_HOOKS = [
 const SUSPICIOUS_DOMAINS_HIGH = [
   'oastify.com', 'oast.fun', 'oast.me', 'oast.live',
   'burpcollaborator.net', 'webhook.site', 'pipedream.net',
-  'requestbin.com', 'hookbin.com', 'canarytokens.com'
+  'requestbin.com', 'hookbin.com', 'canarytokens.com',
+  // GlassWorm C2 IPs (mars 2026)
+  '217.69.3.218', '217.69.3.152',
+  '199.247.10.166', '199.247.13.106',
+  '140.82.52.31', '45.32.150.251'
 ];
 
 // Suspicious tunnel/proxy domains (MEDIUM severity)
@@ -198,6 +202,27 @@ const SANDBOX_INDICATORS = [
   '/proc/self/cgroup'
 ];
 
+// Blockchain RPC endpoints — potential C2 channel via blockchain (GlassWorm)
+const BLOCKCHAIN_RPC_ENDPOINTS = [
+  'api.mainnet-beta.solana.com',
+  'api.devnet.solana.com',
+  'api.testnet.solana.com',
+  'mainnet.infura.io',
+  'rpc.ankr.com'
+];
+
+// Solana/Web3 C2 methods — used for dead drop resolver (GlassWorm)
+const SOLANA_C2_METHODS = [
+  'getSignaturesForAddress', 'getAccountInfo', 'getTransaction',
+  'getConfirmedSignaturesForAddress2', 'getParsedTransaction'
+];
+
+// Solana/Web3 package names
+const SOLANA_PACKAGES = ['@solana/web3.js', 'solana-web3.js', '@solana/web3'];
+
+// Variation selector constants (GlassWorm decoder signature)
+const VARIATION_SELECTOR_CONSTS = [0xFE00, 0xFE0F, 0xE0100, 0xE01EF];
+
 // ============================================
 // HELPER FUNCTIONS
 // ============================================
@@ -647,6 +672,10 @@ function handleCallExpression(node, ctx) {
     if (reqStr && /\.node\s*$/.test(reqStr)) {
       ctx.hasRequireNodeFile = true;
     }
+    // GlassWorm: track Solana/Web3 require imports for compound blockchain C2 detection
+    if (reqStr && SOLANA_PACKAGES.some(pkg => reqStr === pkg)) {
+      ctx.hasSolanaImport = true;
+    }
   }
 
   // Detect exec/execSync with dangerous shell commands (direct or via MemberExpression)
@@ -1653,6 +1682,10 @@ function handleImportExpression(node, ctx) {
           file: ctx.relFile
         });
       }
+      // GlassWorm: track Solana/Web3 dynamic import for compound blockchain C2 detection
+      if (SOLANA_PACKAGES.some(pkg => src.value === pkg)) {
+        ctx.hasSolanaImport = true;
+      }
     } else {
       ctx.threats.push({
         type: 'dynamic_import',
@@ -1821,6 +1854,34 @@ function handleLiteral(node, ctx) {
         file: ctx.relFile
       });
     }
+
+    // Blockchain RPC endpoints — potential C2 channel (GlassWorm)
+    for (const endpoint of BLOCKCHAIN_RPC_ENDPOINTS) {
+      if (lowerVal.includes(endpoint)) {
+        ctx.threats.push({
+          type: 'blockchain_rpc_endpoint',
+          severity: 'MEDIUM',
+          message: `Hardcoded blockchain RPC endpoint "${endpoint}" — potential blockchain C2 channel.`,
+          file: ctx.relFile
+        });
+        break;
+      }
+    }
+
+    // Track Solana C2 method names in string literals (for compound detection)
+    for (const method of SOLANA_C2_METHODS) {
+      if (node.value === method || node.value.includes(method)) {
+        ctx.hasSolanaC2Method = true;
+        break;
+      }
+    }
+  }
+
+  // Track variation selector constants in numeric literals (GlassWorm decoder)
+  if (typeof node.value === 'number') {
+    if (VARIATION_SELECTOR_CONSTS.includes(node.value)) {
+      ctx.hasVariationSelectorConst = true;
+    }
   }
 }
 
@@ -1995,6 +2056,16 @@ function handleMemberExpression(node, ctx) {
     });
   }
 
+  // GlassWorm: track .codePointAt() calls (variation selector decoder pattern)
+  if (node.property?.type === 'Identifier' && node.property.name === 'codePointAt') {
+    ctx.hasCodePointAt = true;
+  }
+
+  // GlassWorm: track Solana C2 method calls (e.g., connection.getSignaturesForAddress)
+  if (node.property?.type === 'Identifier' && SOLANA_C2_METHODS.includes(node.property.name)) {
+    ctx.hasSolanaC2Method = true;
+  }
+
   if (
     node.object?.object?.name === 'process' &&
     node.object?.property?.name === 'env'
@@ -2299,6 +2370,30 @@ function handlePostWalk(ctx) {
       file: ctx.relFile
     });
   }
+
+  // GlassWorm: Unicode variation selector decoder = .codePointAt + variation selector constants
+  if (ctx.hasCodePointAt && ctx.hasVariationSelectorConst) {
+    ctx.threats.push({
+      type: 'unicode_variation_decoder',
+      severity: 'CRITICAL',
+      message: 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants — GlassWorm payload reconstruction from invisible characters.',
+      file: ctx.relFile
+    });
+  }
+
+  // GlassWorm: Blockchain C2 resolution = Solana import + C2 method
+  // CRITICAL if combined with eval/exec, HIGH otherwise
+  if (ctx.hasSolanaImport && ctx.hasSolanaC2Method) {
+    ctx.threats.push({
+      type: 'blockchain_c2_resolution',
+      severity: ctx.hasDynamicExec ? 'CRITICAL' : 'HIGH',
+      message: 'Solana/Web3 import + blockchain C2 method (getSignaturesForAddress/getTransaction) — ' +
+        (ctx.hasDynamicExec
+          ? 'dead drop resolver with dynamic execution. GlassWorm blockchain C2 pattern confirmed.'
+          : 'potential dead drop resolver. GlassWorm technique: C2 address rotated via Solana memo field.'),
+      file: ctx.relFile
+    });
+  }
 }
 
 function handleWithStatement(node, ctx) {

package/src/scanner/ast.js

@@ -160,7 +160,13 @@ function analyzeFile(content, filePath, basePath) {
     // C10: Hash verification — legitimate binary installers verify checksums
     // Requires BOTH createHash() call AND .digest() call — false positives from
     // standalone mentions of 'sha256' or 'integrity' in comments/descriptions
-    hasHashVerification: /\bcreateHash\s*\(/.test(content) && /\.digest\s*\(/.test(content)
+    hasHashVerification: /\bcreateHash\s*\(/.test(content) && /\.digest\s*\(/.test(content),
+    // GlassWorm: variation selector decoder pattern (.codePointAt + 0xFE00/0xE0100)
+    hasCodePointAt: false,
+    hasVariationSelectorConst: false,
+    // GlassWorm: blockchain C2 resolution (Solana import + C2 method + dynamic exec)
+    hasSolanaImport: false,
+    hasSolanaC2Method: false
   };
 
   // Compute fetchOnlySafeDomains: check if ALL URLs in file point to known registries

package/src/scanner/obfuscation.js

@@ -70,6 +70,18 @@ function detectObfuscation(targetPath) {
       signals.push('base64_eval');
     }
 
+    // 7. Unicode invisible character injection (GlassWorm — mars 2026)
+    // Detects zero-width chars, variation selectors, tag characters embedded in source
+    const invisibleCount = countInvisibleUnicode(content);
+    if (invisibleCount >= 3) {
+      threats.push({
+        type: 'unicode_invisible_injection',
+        severity: isPackageOutput ? 'LOW' : 'CRITICAL',
+        message: `${invisibleCount} invisible Unicode characters detected (zero-width, variation selectors, tag chars). GlassWorm technique: payload encoded via invisible codepoints.`,
+        file: relativePath
+      });
+    }
+
     // Hex/unicode escapes alone are not obfuscation (e.g. lodash Unicode char tables).
     // Only count them when combined with strong obfuscation signals.
     const hasStrongSignals = signals.some(s => s !== 'hex_escapes' && s !== 'unicode_escapes');
@@ -130,4 +142,52 @@ function hasLargeStringArray(content) {
   return false;
 }
 
+/**
+ * Count invisible Unicode codepoints in content (GlassWorm detection).
+ * Covers BMP zero-width chars, variation selectors, and supplementary plane
+ * tag characters / variation selectors supplement via codePointAt iteration.
+ *
+ * Codepoints detected:
+ * - U+200B, U+200C, U+200D (zero-width space/joiner/non-joiner)
+ * - U+FEFF (BOM — only if position > 0; pos 0 is legitimate BOM)
+ * - U+2060 (word joiner), U+180E (Mongolian vowel separator)
+ * - U+FE00-U+FE0F (variation selectors — GlassWorm 256-value encoding)
+ * - U+E0100-U+E01EF (variation selectors supplement)
+ * - U+E0001-U+E007F (tag characters)
+ */
+function countInvisibleUnicode(content) {
+  let count = 0;
+  for (let i = 0; i < content.length; i++) {
+    const cp = content.codePointAt(i);
+    // BMP invisible chars
+    if (cp === 0x200B || cp === 0x200C || cp === 0x200D ||
+        cp === 0x2060 || cp === 0x180E) {
+      count++;
+    }
+    // BOM only suspicious after position 0
+    else if (cp === 0xFEFF && i > 0) {
+      count++;
+    }
+    // BMP variation selectors (U+FE00-U+FE0F)
+    else if (cp >= 0xFE00 && cp <= 0xFE0F) {
+      count++;
+    }
+    // Supplementary plane: variation selectors supplement (U+E0100-U+E01EF)
+    else if (cp >= 0xE0100 && cp <= 0xE01EF) {
+      count++;
+      i++; // skip surrogate pair low half
+    }
+    // Supplementary plane: tag characters (U+E0001-U+E007F)
+    else if (cp >= 0xE0001 && cp <= 0xE007F) {
+      count++;
+      i++; // skip surrogate pair low half
+    }
+    // Skip surrogate pair low half for other supplementary chars
+    else if (cp > 0xFFFF) {
+      i++;
+    }
+  }
+  return count;
+}
+
 module.exports = { detectObfuscation };