muaddib-scanner 2.9.0 → 2.9.2

package/iocs/builtin.yaml

@@ -117,6 +117,32 @@ packages:
     source: shai-hulud-v3
     description: "First confirmed v3 payload - testing phase"
 
+  # GlassWorm hijacked packages (mars 2026)
+  - name: "@aifabrix/miso-client"
+    version: "4.7.2"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.0"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.1"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.2"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.3"
+    source: glassworm
+  - name: "@iflow-mcp/watercrawl-watercrawl-mcp"
+    version: "1.3.4"
+    source: glassworm
+  - name: "react-native-country-select"
+    version: "0.3.91"
+    source: glassworm
+  - name: "react-native-international-phone-number"
+    version: "0.11.8"
+    source: glassworm
+
   # Attaques historiques
   - name: "flatmap-stream"
     version: "0.1.1"
@@ -177,6 +203,9 @@ files:
   - 3nvir0nm3nt.json
   - c9nt3nts.json
   - c0nt3nts.json
+  # GlassWorm (mars 2026)
+  - i.js
+  - init.json
 
 hashes:
   # Shai-Hulud v2 payloads
@@ -185,6 +214,8 @@ hashes:
   - "f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068"
   - "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a"
   - "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db"
+  # GlassWorm install.js (React Native hijack)
+  - "59221aa9623d86c930357dba7e3f54138c7ccbd0daa9c483d766cd8ce1b6ad26"
 
 markers:
   # Shai-Hulud v1/v2
@@ -198,4 +229,9 @@ markers:
   # Protestware
   - "peacenotwar"
   # Generic malicious
-  - "/dev/tcp"
+  - "/dev/tcp"
+  # GlassWorm (mars 2026)
+  - "lzcdrtfxyqiplpd"
+  - "28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2"
+  - "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC"
+  - "6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.0",
+  "version": "2.9.2",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -28,7 +28,7 @@ const { computeReachableFiles } = require('./scanner/reachability.js');
 const { runTemporalAnalyses } = require('./temporal-runner.js');
 const { formatOutput } = require('./output-formatter.js');
 const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages, clearFileListCache, debugLog } = require('./utils.js');
-const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat, computeGroupScore, applyFPReductions, calculateRiskScore } = require('./scoring.js');
+const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat, computeGroupScore, applyFPReductions, applyCompoundBoosts, calculateRiskScore } = require('./scoring.js');
 const { buildIntentPairs } = require('./intent-graph.js');
 
 const { MAX_FILE_SIZE, safeParse } = require('./shared/constants.js');
@@ -598,6 +598,11 @@ async function run(targetPath, options = {}) {
   // A malware package typically has 1-3 occurrences, not dozens.
   applyFPReductions(deduped, reachableFiles, packageName, packageDeps);
 
+  // Compound scoring: inject synthetic CRITICAL threats when co-occurring types
+  // indicate unambiguous malice. Applied AFTER FP reductions to recover signals
+  // that were individually downgraded (count-based, dist, reachability).
+  applyCompoundBoosts(deduped);
+
   // Intent coherence analysis: detect source→sink pairs within files
   // Pass targetPath for destination-aware SDK pattern detection
   const intentResult = buildIntentPairs(deduped, targetPath);

package/src/response/playbooks.js

@@ -515,6 +515,57 @@ const PLAYBOOKS = {
     'Le package execute des commandes et transmet les resultats. Verifier les commandes executees. ' +
     'Supprimer le package si non attendu. Auditer les logs reseau pour identifier les donnees exfiltrees.',
 
+  unicode_invisible_injection:
+    'CRITIQUE: Caracteres Unicode invisibles detectes (zero-width, variation selectors). ' +
+    'Technique GlassWorm: du code malveillant est encode via des variation selectors invisibles dans les editeurs. ' +
+    'Analyser le fichier avec un editeur hexa. Supprimer le package immediatement. ' +
+    'Verifier les autres fichiers du projet pour des injections similaires.',
+
+  unicode_variation_decoder:
+    'CRITIQUE: Decodeur de payload Unicode via variation selectors detecte (.codePointAt + 0xFE00/0xE0100). ' +
+    'Signature GlassWorm: le code reconstruit un payload octet par octet a partir de caracteres invisibles. ' +
+    'Isoler immediatement. Decoder manuellement les variation selectors pour extraire le payload. Supprimer le package.',
+
+  blockchain_c2_resolution:
+    'Import Solana/Web3 + appel API blockchain C2 (getSignaturesForAddress, getTransaction) detecte. ' +
+    'Technique GlassWorm: la blockchain sert de dead drop resolver pour obtenir l\'adresse C2 via le champ memo. ' +
+    'Cout de rotation: 0.000005 SOL par changement d\'adresse C2 — censorship-resistant. ' +
+    'Bloquer les connexions vers les RPC Solana. Supprimer le package.',
+
+  blockchain_rpc_endpoint:
+    'Endpoint RPC blockchain hardcode detecte (Solana mainnet, Infura Ethereum). ' +
+    'Dans un package non-crypto, cela indique un potentiel canal C2 via blockchain. ' +
+    'Verifier le contexte: si le package n\'a rien a voir avec la blockchain, supprimer immediatement.',
+
+  crypto_staged_payload:
+    'CRITIQUE: Chaine steganographique complete detectee — fichier binaire (.png/.jpg/.wasm) avec eval() + dechiffrement crypto. ' +
+    'Le payload malveillant est cache dans un fichier binaire et dechiffre a runtime. Supprimer le package immediatement. ' +
+    'Analyser le fichier binaire dans un sandbox pour extraire le payload.',
+
+  lifecycle_typosquat:
+    'CRITIQUE: Package avec nom similaire a un package populaire ET scripts lifecycle. ' +
+    'Vecteur classique de dependency confusion: le code s\'execute a l\'installation. ' +
+    'NE PAS installer. Verifier le nom exact du package. Signaler sur npm.',
+
+  credential_env_exfil:
+    'CRITIQUE: Ecriture dans des chemins sensibles (cache npm/yarn, credentials) + acces aux variables d\'environnement. ' +
+    'Double vecteur d\'exfiltration de credentials. Supprimer le package. Regenerer tous les secrets. ' +
+    'Nettoyer le cache: npm cache clean --force.',
+
+  lifecycle_inline_exec:
+    'CRITIQUE: Script lifecycle avec node -e (execution inline). Le code s\'execute automatiquement a npm install. ' +
+    'NE PAS installer. Si deja installe: considerer la machine compromise. ' +
+    'Auditer les modifications systeme recentes.',
+
+  lifecycle_remote_require:
+    'CRITIQUE: Script lifecycle avec require(http/https) pour charger du code distant. ' +
+    'Le payload est telecharge et execute automatiquement a l\'installation. ' +
+    'NE PAS installer. Bloquer les connexions sortantes. Supprimer le package.',
+
+  obfuscated_credential_tampering:
+    'CRITIQUE: Code obfusque + ecriture dans des chemins sensibles. Dissimulation de vol de credentials. ' +
+    'Supprimer le package immediatement. Nettoyer le cache npm/yarn. Regenerer tous les secrets.',
+
   bin_field_hijack:
     'CRITIQUE: Le champ "bin" de package.json shadow une commande systeme (node, npm, git, bash, etc.). ' +
     'A l\'installation, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle. ' +

package/src/rules/index.js

@@ -1544,6 +1544,131 @@ const RULES = {
     ],
     mitre: 'T1059'
   },
+
+  // GlassWorm detections (mars 2026)
+  unicode_invisible_injection: {
+    id: 'MUADDIB-OBF-003',
+    name: 'Unicode Invisible Character Injection',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Caracteres Unicode invisibles detectes (zero-width, variation selectors). Technique GlassWorm: encodage de payload malveillant via variation selectors (U+FE00-FE0F, U+E0100-E01EF) invisible dans les editeurs.',
+    references: [
+      'https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode',
+      'https://attack.mitre.org/techniques/T1027/'
+    ],
+    mitre: 'T1027'
+  },
+  unicode_variation_decoder: {
+    id: 'MUADDIB-AST-053',
+    name: 'Unicode Variation Selector Decoder',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Decodeur de payload Unicode via variation selectors (.codePointAt + 0xFE00/0xE0100). Signature GlassWorm: le code reconstruit un payload octet par octet a partir de caracteres invisibles.',
+    references: [
+      'https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace',
+      'https://attack.mitre.org/techniques/T1140/'
+    ],
+    mitre: 'T1140'
+  },
+  blockchain_c2_resolution: {
+    id: 'MUADDIB-AST-054',
+    name: 'Blockchain C2 Resolution (Dead Drop)',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Import Solana/Web3 + appel API C2 (getSignaturesForAddress, getTransaction). Technique GlassWorm: la blockchain sert de dead drop resolver pour obtenir l\'adresse C2 via le champ memo des transactions.',
+    references: [
+      'https://www.sonatype.com/blog/hijacked-npm-packages-deliver-malware-via-solana-linked-to-glassworm',
+      'https://attack.mitre.org/techniques/T1102/'
+    ],
+    mitre: 'T1102'
+  },
+  blockchain_rpc_endpoint: {
+    id: 'MUADDIB-AST-055',
+    name: 'Hardcoded Blockchain RPC Endpoint',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Endpoint RPC blockchain hardcode (Solana mainnet, Infura Ethereum). Dans un package non-crypto, indique un potentiel canal C2 via blockchain.',
+    references: [
+      'https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace',
+      'https://attack.mitre.org/techniques/T1102/'
+    ],
+    mitre: 'T1102'
+  },
+
+  // Compound scoring rules (v2.9.2)
+  // Injected by applyCompoundBoosts() when co-occurring threat types indicate unambiguous malice.
+  crypto_staged_payload: {
+    id: 'MUADDIB-COMPOUND-001',
+    name: 'Steganographic Payload + Crypto Decryption',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Reference a un fichier binaire (.png/.jpg/.wasm) avec eval() combinee avec dechiffrement crypto (createDecipher). Chaine steganographique complete: payload cache dans un fichier binaire, dechiffre a runtime.',
+    references: [
+      'https://attack.mitre.org/techniques/T1140/',
+      'https://attack.mitre.org/techniques/T1027/003/'
+    ],
+    mitre: 'T1140'
+  },
+  lifecycle_typosquat: {
+    id: 'MUADDIB-COMPOUND-002',
+    name: 'Lifecycle Hook on Typosquat Package',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle (preinstall/postinstall) sur un package avec nom similaire a un package populaire. Vecteur classique de dependency confusion: le code s\'execute automatiquement a l\'installation.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195/002/',
+      'https://snyk.io/blog/typosquatting-attacks/'
+    ],
+    mitre: 'T1195.002'
+  },
+  credential_env_exfil: {
+    id: 'MUADDIB-COMPOUND-003',
+    name: 'Credential Tampering + Env Access',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Ecriture dans un chemin sensible (cache npm/yarn, credentials) combinee avec acces aux variables d\'environnement. Chaine d\'exfiltration de credentials par double vecteur.',
+    references: [
+      'https://attack.mitre.org/techniques/T1552/001/',
+      'https://attack.mitre.org/techniques/T1565/001/'
+    ],
+    mitre: 'T1552.001'
+  },
+  lifecycle_inline_exec: {
+    id: 'MUADDIB-COMPOUND-004',
+    name: 'Lifecycle Hook + Inline Node Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle avec execution inline Node.js (node -e). Le code s\'execute automatiquement a npm install avec un payload inline.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059/007/',
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1059.007'
+  },
+  lifecycle_remote_require: {
+    id: 'MUADDIB-COMPOUND-005',
+    name: 'Lifecycle Hook + Remote Code Loading',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle avec require(http/https) pour charger du code distant. Le payload est telecharge et execute automatiquement a l\'installation.',
+    references: [
+      'https://attack.mitre.org/techniques/T1105/',
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1105'
+  },
+  obfuscated_credential_tampering: {
+    id: 'MUADDIB-COMPOUND-006',
+    name: 'Obfuscated Code + Credential Tampering',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Code obfusque combine avec ecriture dans des chemins sensibles (cache npm/yarn, credentials). Dissimulation de vol de credentials.',
+    references: [
+      'https://attack.mitre.org/techniques/T1027/',
+      'https://attack.mitre.org/techniques/T1565/001/'
+    ],
+    mitre: 'T1027'
+  },
 };
 
 function getRule(type) {

package/src/scanner/ast-detectors.js

@@ -170,7 +170,11 @@ const GIT_HOOKS = [
 const SUSPICIOUS_DOMAINS_HIGH = [
   'oastify.com', 'oast.fun', 'oast.me', 'oast.live',
   'burpcollaborator.net', 'webhook.site', 'pipedream.net',
-  'requestbin.com', 'hookbin.com', 'canarytokens.com'
+  'requestbin.com', 'hookbin.com', 'canarytokens.com',
+  // GlassWorm C2 IPs (mars 2026)
+  '217.69.3.218', '217.69.3.152',
+  '199.247.10.166', '199.247.13.106',
+  '140.82.52.31', '45.32.150.251'
 ];
 
 // Suspicious tunnel/proxy domains (MEDIUM severity)
@@ -198,6 +202,27 @@ const SANDBOX_INDICATORS = [
   '/proc/self/cgroup'
 ];
 
+// Blockchain RPC endpoints — potential C2 channel via blockchain (GlassWorm)
+const BLOCKCHAIN_RPC_ENDPOINTS = [
+  'api.mainnet-beta.solana.com',
+  'api.devnet.solana.com',
+  'api.testnet.solana.com',
+  'mainnet.infura.io',
+  'rpc.ankr.com'
+];
+
+// Solana/Web3 C2 methods — used for dead drop resolver (GlassWorm)
+const SOLANA_C2_METHODS = [
+  'getSignaturesForAddress', 'getAccountInfo', 'getTransaction',
+  'getConfirmedSignaturesForAddress2', 'getParsedTransaction'
+];
+
+// Solana/Web3 package names
+const SOLANA_PACKAGES = ['@solana/web3.js', 'solana-web3.js', '@solana/web3'];
+
+// Variation selector constants (GlassWorm decoder signature)
+const VARIATION_SELECTOR_CONSTS = [0xFE00, 0xFE0F, 0xE0100, 0xE01EF];
+
 // ============================================
 // HELPER FUNCTIONS
 // ============================================
@@ -647,6 +672,10 @@ function handleCallExpression(node, ctx) {
     if (reqStr && /\.node\s*$/.test(reqStr)) {
       ctx.hasRequireNodeFile = true;
     }
+    // GlassWorm: track Solana/Web3 require imports for compound blockchain C2 detection
+    if (reqStr && SOLANA_PACKAGES.some(pkg => reqStr === pkg)) {
+      ctx.hasSolanaImport = true;
+    }
   }
 
   // Detect exec/execSync with dangerous shell commands (direct or via MemberExpression)
@@ -1653,6 +1682,10 @@ function handleImportExpression(node, ctx) {
           file: ctx.relFile
         });
       }
+      // GlassWorm: track Solana/Web3 dynamic import for compound blockchain C2 detection
+      if (SOLANA_PACKAGES.some(pkg => src.value === pkg)) {
+        ctx.hasSolanaImport = true;
+      }
     } else {
       ctx.threats.push({
         type: 'dynamic_import',
@@ -1821,6 +1854,34 @@ function handleLiteral(node, ctx) {
         file: ctx.relFile
       });
     }
+
+    // Blockchain RPC endpoints — potential C2 channel (GlassWorm)
+    for (const endpoint of BLOCKCHAIN_RPC_ENDPOINTS) {
+      if (lowerVal.includes(endpoint)) {
+        ctx.threats.push({
+          type: 'blockchain_rpc_endpoint',
+          severity: 'MEDIUM',
+          message: `Hardcoded blockchain RPC endpoint "${endpoint}" — potential blockchain C2 channel.`,
+          file: ctx.relFile
+        });
+        break;
+      }
+    }
+
+    // Track Solana C2 method names in string literals (for compound detection)
+    for (const method of SOLANA_C2_METHODS) {
+      if (node.value === method || node.value.includes(method)) {
+        ctx.hasSolanaC2Method = true;
+        break;
+      }
+    }
+  }
+
+  // Track variation selector constants in numeric literals (GlassWorm decoder)
+  if (typeof node.value === 'number') {
+    if (VARIATION_SELECTOR_CONSTS.includes(node.value)) {
+      ctx.hasVariationSelectorConst = true;
+    }
   }
 }
 
@@ -1995,6 +2056,16 @@ function handleMemberExpression(node, ctx) {
     });
   }
 
+  // GlassWorm: track .codePointAt() calls (variation selector decoder pattern)
+  if (node.property?.type === 'Identifier' && node.property.name === 'codePointAt') {
+    ctx.hasCodePointAt = true;
+  }
+
+  // GlassWorm: track Solana C2 method calls (e.g., connection.getSignaturesForAddress)
+  if (node.property?.type === 'Identifier' && SOLANA_C2_METHODS.includes(node.property.name)) {
+    ctx.hasSolanaC2Method = true;
+  }
+
   if (
     node.object?.object?.name === 'process' &&
     node.object?.property?.name === 'env'
@@ -2299,6 +2370,30 @@ function handlePostWalk(ctx) {
       file: ctx.relFile
     });
   }
+
+  // GlassWorm: Unicode variation selector decoder = .codePointAt + variation selector constants
+  if (ctx.hasCodePointAt && ctx.hasVariationSelectorConst) {
+    ctx.threats.push({
+      type: 'unicode_variation_decoder',
+      severity: 'CRITICAL',
+      message: 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants — GlassWorm payload reconstruction from invisible characters.',
+      file: ctx.relFile
+    });
+  }
+
+  // GlassWorm: Blockchain C2 resolution = Solana import + C2 method
+  // CRITICAL if combined with eval/exec, HIGH otherwise
+  if (ctx.hasSolanaImport && ctx.hasSolanaC2Method) {
+    ctx.threats.push({
+      type: 'blockchain_c2_resolution',
+      severity: ctx.hasDynamicExec ? 'CRITICAL' : 'HIGH',
+      message: 'Solana/Web3 import + blockchain C2 method (getSignaturesForAddress/getTransaction) — ' +
+        (ctx.hasDynamicExec
+          ? 'dead drop resolver with dynamic execution. GlassWorm blockchain C2 pattern confirmed.'
+          : 'potential dead drop resolver. GlassWorm technique: C2 address rotated via Solana memo field.'),
+      file: ctx.relFile
+    });
+  }
 }
 
 function handleWithStatement(node, ctx) {

package/src/scanner/ast.js

@@ -160,7 +160,13 @@ function analyzeFile(content, filePath, basePath) {
     // C10: Hash verification — legitimate binary installers verify checksums
     // Requires BOTH createHash() call AND .digest() call — false positives from
     // standalone mentions of 'sha256' or 'integrity' in comments/descriptions
-    hasHashVerification: /\bcreateHash\s*\(/.test(content) && /\.digest\s*\(/.test(content)
+    hasHashVerification: /\bcreateHash\s*\(/.test(content) && /\.digest\s*\(/.test(content),
+    // GlassWorm: variation selector decoder pattern (.codePointAt + 0xFE00/0xE0100)
+    hasCodePointAt: false,
+    hasVariationSelectorConst: false,
+    // GlassWorm: blockchain C2 resolution (Solana import + C2 method + dynamic exec)
+    hasSolanaImport: false,
+    hasSolanaC2Method: false
   };
 
   // Compute fetchOnlySafeDomains: check if ALL URLs in file point to known registries

package/src/scanner/obfuscation.js

@@ -70,6 +70,18 @@ function detectObfuscation(targetPath) {
       signals.push('base64_eval');
     }
 
+    // 7. Unicode invisible character injection (GlassWorm — mars 2026)
+    // Detects zero-width chars, variation selectors, tag characters embedded in source
+    const invisibleCount = countInvisibleUnicode(content);
+    if (invisibleCount >= 3) {
+      threats.push({
+        type: 'unicode_invisible_injection',
+        severity: isPackageOutput ? 'LOW' : 'CRITICAL',
+        message: `${invisibleCount} invisible Unicode characters detected (zero-width, variation selectors, tag chars). GlassWorm technique: payload encoded via invisible codepoints.`,
+        file: relativePath
+      });
+    }
+
     // Hex/unicode escapes alone are not obfuscation (e.g. lodash Unicode char tables).
     // Only count them when combined with strong obfuscation signals.
     const hasStrongSignals = signals.some(s => s !== 'hex_escapes' && s !== 'unicode_escapes');
@@ -130,4 +142,52 @@ function hasLargeStringArray(content) {
   return false;
 }
 
+/**
+ * Count invisible Unicode codepoints in content (GlassWorm detection).
+ * Covers BMP zero-width chars, variation selectors, and supplementary plane
+ * tag characters / variation selectors supplement via codePointAt iteration.
+ *
+ * Codepoints detected:
+ * - U+200B, U+200C, U+200D (zero-width space/joiner/non-joiner)
+ * - U+FEFF (BOM — only if position > 0; pos 0 is legitimate BOM)
+ * - U+2060 (word joiner), U+180E (Mongolian vowel separator)
+ * - U+FE00-U+FE0F (variation selectors — GlassWorm 256-value encoding)
+ * - U+E0100-U+E01EF (variation selectors supplement)
+ * - U+E0001-U+E007F (tag characters)
+ */
+function countInvisibleUnicode(content) {
+  let count = 0;
+  for (let i = 0; i < content.length; i++) {
+    const cp = content.codePointAt(i);
+    // BMP invisible chars
+    if (cp === 0x200B || cp === 0x200C || cp === 0x200D ||
+        cp === 0x2060 || cp === 0x180E) {
+      count++;
+    }
+    // BOM only suspicious after position 0
+    else if (cp === 0xFEFF && i > 0) {
+      count++;
+    }
+    // BMP variation selectors (U+FE00-U+FE0F)
+    else if (cp >= 0xFE00 && cp <= 0xFE0F) {
+      count++;
+    }
+    // Supplementary plane: variation selectors supplement (U+E0100-U+E01EF)
+    else if (cp >= 0xE0100 && cp <= 0xE01EF) {
+      count++;
+      i++; // skip surrogate pair low half
+    }
+    // Supplementary plane: tag characters (U+E0001-U+E007F)
+    else if (cp >= 0xE0001 && cp <= 0xE007F) {
+      count++;
+      i++; // skip surrogate pair low half
+    }
+    // Skip surrogate pair low half for other supplementary chars
+    else if (cp > 0xFFFF) {
+      i++;
+    }
+  }
+  return count;
+}
+
 module.exports = { detectObfuscation };

package/src/scoring.js

@@ -62,7 +62,9 @@ const PACKAGE_LEVEL_TYPES = new Set([
   'publish_burst', 'publish_dormant_spike', 'publish_rapid_succession',
   'maintainer_new_suspicious', 'maintainer_sole_change',
   'sandbox_network_activity', 'sandbox_file_changes', 'sandbox_process_spawns',
-  'sandbox_canary_exfiltration'
+  'sandbox_canary_exfiltration',
+  // Compound scoring rules — package-level co-occurrences
+  'lifecycle_typosquat', 'lifecycle_inline_exec', 'lifecycle_remote_require'
 ]);
 
 /**
@@ -156,7 +158,12 @@ const DIST_EXEMPT_TYPES = new Set([
   'reverse_shell',            // net.Socket + connect + pipe (always malicious)
   'detached_credential_exfil', // detached process + credential exfil (DPRK/Lazarus)
   'node_modules_write',       // writeFile to node_modules/ (worm propagation)
-  'npm_publish_worm'          // exec("npm publish") (worm propagation)
+  'npm_publish_worm',         // exec("npm publish") (worm propagation)
+  // Dangerous shell commands in dist/ are real threats, never bundler output
+  'dangerous_exec',
+  // Compound scoring rules — co-occurrence signals, never FP
+  'crypto_staged_payload', 'lifecycle_typosquat', 'credential_env_exfil',
+  'lifecycle_inline_exec', 'lifecycle_remote_require', 'obfuscated_credential_tampering'
   // P6: remote_code_load and proxy_data_intercept removed — in bundled dist/ files,
   // fetch + eval co-occurrence is coincidental (bundler combines HTTP client + template compilation).
   // fetch_decrypt_exec (fetch+decrypt+eval triple) remains exempt — never coincidental.
@@ -203,6 +210,93 @@ const REACHABILITY_EXEMPT_TYPES = new Set([
   'detached_credential_exfil' // DPRK/Lazarus: invoked via lifecycle, not require/import
 ]);
 
+// ============================================
+// COMPOUND SCORING RULES (v2.9.2)
+// ============================================
+// Co-occurrences of threat types that NEVER appear in benign packages.
+// Applied AFTER FP reductions to recover signals that were individually downgraded.
+// Each compound injects a new CRITICAL threat when all required types are present.
+const SCORING_COMPOUNDS = [
+  {
+    type: 'crypto_staged_payload',
+    requires: ['staged_binary_payload', 'crypto_decipher'],
+    severity: 'CRITICAL',
+    message: 'Binary file reference + crypto decryption — steganographic payload chain (scoring compound).',
+    fileFrom: 'staged_binary_payload'
+  },
+  {
+    type: 'lifecycle_typosquat',
+    requires: ['lifecycle_script', 'typosquat_detected'],
+    severity: 'CRITICAL',
+    message: 'Lifecycle hook on typosquat package — dependency confusion attack vector (scoring compound).',
+    fileFrom: 'typosquat_detected'
+  },
+  {
+    type: 'credential_env_exfil',
+    requires: ['credential_tampering', 'env_access'],
+    severity: 'CRITICAL',
+    message: 'Credential path tampering + environment variable access — credential exfiltration chain (scoring compound).',
+    fileFrom: 'credential_tampering'
+  },
+  {
+    type: 'lifecycle_inline_exec',
+    requires: ['lifecycle_script', 'node_inline_exec'],
+    severity: 'CRITICAL',
+    message: 'Lifecycle hook with inline Node execution (node -e) — install-time code execution (scoring compound).',
+    fileFrom: 'node_inline_exec'
+  },
+  {
+    type: 'lifecycle_remote_require',
+    requires: ['lifecycle_script', 'network_require'],
+    severity: 'CRITICAL',
+    message: 'Lifecycle hook loading remote code (require http/https) — supply chain payload delivery (scoring compound).',
+    fileFrom: 'network_require'
+  },
+  {
+    type: 'obfuscated_credential_tampering',
+    requires: ['credential_tampering', 'obfuscation_detected'],
+    severity: 'CRITICAL',
+    message: 'Obfuscated code + credential path tampering — concealed credential theft (scoring compound).',
+    fileFrom: 'credential_tampering'
+  }
+];
+
+/**
+ * Apply compound boost rules: inject synthetic CRITICAL threats when
+ * co-occurring threat types indicate unambiguous malice.
+ * Called AFTER applyFPReductions to recover individually-downgraded signals.
+ * @param {Array} threats - deduplicated threat array (mutated in place)
+ */
+function applyCompoundBoosts(threats) {
+  const typeSet = new Set(threats.map(t => t.type));
+
+  // Build map of type → first file encountered (for file assignment)
+  const typeFileMap = Object.create(null);
+  for (const t of threats) {
+    if (!typeFileMap[t.type]) {
+      typeFileMap[t.type] = t.file || '(unknown)';
+    }
+  }
+
+  for (const compound of SCORING_COMPOUNDS) {
+    // Skip if compound already present (e.g. from a scanner)
+    if (typeSet.has(compound.type)) continue;
+
+    // Check all required types are present
+    if (compound.requires.every(req => typeSet.has(req))) {
+      threats.push({
+        type: compound.type,
+        severity: compound.severity,
+        message: compound.message,
+        file: typeFileMap[compound.fileFrom] || '(unknown)',
+        count: 1,
+        compound: true
+      });
+      typeSet.add(compound.type);
+    }
+  }
+}
+
 // Custom class prototypes that HTTP frameworks legitimately extend.
 // Distinguished from dangerous core Node.js prototype hooks.
 const FRAMEWORK_PROTOTYPES = ['Request', 'Response', 'App', 'Router'];
@@ -463,5 +557,5 @@ function calculateRiskScore(deduped, intentResult) {
 
 module.exports = {
   SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, CONFIDENCE_FACTORS,
-  isPackageLevelThreat, computeGroupScore, applyFPReductions, calculateRiskScore
+  isPackageLevelThreat, computeGroupScore, applyFPReductions, applyCompoundBoosts, calculateRiskScore
 };