muaddib-scanner 2.9.1 → 2.9.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.1",
+  "version": "2.9.3",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -28,7 +28,7 @@ const { computeReachableFiles } = require('./scanner/reachability.js');
 const { runTemporalAnalyses } = require('./temporal-runner.js');
 const { formatOutput } = require('./output-formatter.js');
 const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages, clearFileListCache, debugLog } = require('./utils.js');
-const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat, computeGroupScore, applyFPReductions, calculateRiskScore } = require('./scoring.js');
+const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat, computeGroupScore, applyFPReductions, applyCompoundBoosts, calculateRiskScore } = require('./scoring.js');
 const { buildIntentPairs } = require('./intent-graph.js');
 
 const { MAX_FILE_SIZE, safeParse } = require('./shared/constants.js');
@@ -570,6 +570,7 @@ async function run(targetPath, options = {}) {
   // Cross-scanner compound: detached_process + suspicious_dataflow in same file
   // Catches cases where credential flow is detected by dataflow scanner, not AST scanner
   {
+    const DIST_RE = /(?:^|[/\\])(?:dist|build|out|output)[/\\]|\.min\.js$|\.bundle\.js$/i;
     const fileMap = Object.create(null);
     for (const t of deduped) {
       if (t.file) {
@@ -578,6 +579,9 @@ async function run(targetPath, options = {}) {
       }
     }
     for (const file of Object.keys(fileMap)) {
+      // Skip dist/build files — bundler aggregation creates coincidental co-occurrence
+      // of detached_process + suspicious_dataflow. Real DPRK attacks target root files.
+      if (DIST_RE.test(file)) continue;
       const fileThreats = fileMap[file];
       const hasDetached = fileThreats.some(t => t.type === 'detached_process');
       const hasCredFlow = fileThreats.some(t => t.type === 'suspicious_dataflow');
@@ -598,6 +602,11 @@ async function run(targetPath, options = {}) {
   // A malware package typically has 1-3 occurrences, not dozens.
   applyFPReductions(deduped, reachableFiles, packageName, packageDeps);
 
+  // Compound scoring: inject synthetic CRITICAL threats when co-occurring types
+  // indicate unambiguous malice. Applied AFTER FP reductions to recover signals
+  // that were individually downgraded (count-based, dist, reachability).
+  applyCompoundBoosts(deduped);
+
   // Intent coherence analysis: detect source→sink pairs within files
   // Pass targetPath for destination-aware SDK pattern detection
   const intentResult = buildIntentPairs(deduped, targetPath);

package/src/response/playbooks.js

@@ -537,6 +537,26 @@ const PLAYBOOKS = {
     'Dans un package non-crypto, cela indique un potentiel canal C2 via blockchain. ' +
     'Verifier le contexte: si le package n\'a rien a voir avec la blockchain, supprimer immediatement.',
 
+  crypto_staged_payload:
+    'CRITIQUE: Chaine steganographique complete detectee — fichier binaire (.png/.jpg/.wasm) avec eval() + dechiffrement crypto. ' +
+    'Le payload malveillant est cache dans un fichier binaire et dechiffre a runtime. Supprimer le package immediatement. ' +
+    'Analyser le fichier binaire dans un sandbox pour extraire le payload.',
+
+  lifecycle_typosquat:
+    'CRITIQUE: Package avec nom similaire a un package populaire ET scripts lifecycle. ' +
+    'Vecteur classique de dependency confusion: le code s\'execute a l\'installation. ' +
+    'NE PAS installer. Verifier le nom exact du package. Signaler sur npm.',
+
+  lifecycle_inline_exec:
+    'CRITIQUE: Script lifecycle avec node -e (execution inline). Le code s\'execute automatiquement a npm install. ' +
+    'NE PAS installer. Si deja installe: considerer la machine compromise. ' +
+    'Auditer les modifications systeme recentes.',
+
+  lifecycle_remote_require:
+    'CRITIQUE: Script lifecycle avec require(http/https) pour charger du code distant. ' +
+    'Le payload est telecharge et execute automatiquement a l\'installation. ' +
+    'NE PAS installer. Bloquer les connexions sortantes. Supprimer le package.',
+
   bin_field_hijack:
     'CRITIQUE: Le champ "bin" de package.json shadow une commande systeme (node, npm, git, bash, etc.). ' +
     'A l\'installation, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle. ' +

package/src/rules/index.js

@@ -1594,6 +1594,57 @@ const RULES = {
     ],
     mitre: 'T1102'
   },
+
+  // Compound scoring rules (v2.9.2)
+  // Injected by applyCompoundBoosts() when co-occurring threat types indicate unambiguous malice.
+  crypto_staged_payload: {
+    id: 'MUADDIB-COMPOUND-001',
+    name: 'Steganographic Payload + Crypto Decryption',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Reference a un fichier binaire (.png/.jpg/.wasm) avec eval() combinee avec dechiffrement crypto (createDecipher). Chaine steganographique complete: payload cache dans un fichier binaire, dechiffre a runtime.',
+    references: [
+      'https://attack.mitre.org/techniques/T1140/',
+      'https://attack.mitre.org/techniques/T1027/003/'
+    ],
+    mitre: 'T1140'
+  },
+  lifecycle_typosquat: {
+    id: 'MUADDIB-COMPOUND-002',
+    name: 'Lifecycle Hook on Typosquat Package',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle (preinstall/postinstall) sur un package avec nom similaire a un package populaire. Vecteur classique de dependency confusion: le code s\'execute automatiquement a l\'installation.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195/002/',
+      'https://snyk.io/blog/typosquatting-attacks/'
+    ],
+    mitre: 'T1195.002'
+  },
+  lifecycle_inline_exec: {
+    id: 'MUADDIB-COMPOUND-004',
+    name: 'Lifecycle Hook + Inline Node Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle avec execution inline Node.js (node -e). Le code s\'execute automatiquement a npm install avec un payload inline.',
+    references: [
+      'https://attack.mitre.org/techniques/T1059/007/',
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1059.007'
+  },
+  lifecycle_remote_require: {
+    id: 'MUADDIB-COMPOUND-005',
+    name: 'Lifecycle Hook + Remote Code Loading',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle avec require(http/https) pour charger du code distant. Le payload est telecharge et execute automatiquement a l\'installation.',
+    references: [
+      'https://attack.mitre.org/techniques/T1105/',
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1105'
+  },
 };
 
 function getRule(type) {

package/src/scanner/ast-detectors.js

@@ -2360,7 +2360,7 @@ function handlePostWalk(ctx) {
     t.file === ctx.relFile && t.type === 'detached_process'
   );
   const hasSensitiveEnvInFile = ctx.threats.some(t =>
-    t.file === ctx.relFile && t.type === 'env_access'
+    t.file === ctx.relFile && t.type === 'env_access' && t.severity === 'HIGH'
   );
   if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile) {
     ctx.threats.push({
@@ -2372,11 +2372,15 @@ function handlePostWalk(ctx) {
   }
 
   // GlassWorm: Unicode variation selector decoder = .codePointAt + variation selector constants
+  // CRITICAL if combined with eval/exec (GlassWorm always uses dynamic execution),
+  // MEDIUM otherwise (.codePointAt + 0xFE00 is legitimate Unicode processing in fonts/text libs)
   if (ctx.hasCodePointAt && ctx.hasVariationSelectorConst) {
     ctx.threats.push({
       type: 'unicode_variation_decoder',
-      severity: 'CRITICAL',
-      message: 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants — GlassWorm payload reconstruction from invisible characters.',
+      severity: ctx.hasDynamicExec ? 'CRITICAL' : 'MEDIUM',
+      message: ctx.hasDynamicExec
+        ? 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants + dynamic execution — GlassWorm payload reconstruction from invisible characters.'
+        : 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants — likely legitimate Unicode processing (text formatting, font rendering).',
       file: ctx.relFile
     });
   }

package/src/scanner/obfuscation.js

@@ -23,7 +23,9 @@ function detectObfuscation(targetPath) {
     // P6: Any JS file > 100KB is overwhelmingly bundled output regardless of directory name.
     // Real obfuscated malware is typically small (<50KB). Catches prettier plugins/, svelte compiler/, etc.
     const isLargeJs = basename.endsWith('.js') && content.length > 100 * 1024;
-    const isPackageOutput = isMinified || isBundled || isInDistOrBuild || isLargeCjsMjs || isLargeJs;
+    // Locale/i18n files legitimately contain invisible Unicode (e.g. Persian ZWNJ U+200C)
+    const isLocaleFile = /(?:^|[/\\])(?:locale|locales|i18n|intl|lang|languages|translations)[/\\]/i.test(relativePath);
+    const isPackageOutput = isMinified || isBundled || isInDistOrBuild || isLargeCjsMjs || isLargeJs || isLocaleFile;
 
     // 1. Ratio code sur une seule ligne (skip .min.js — minification, not obfuscation)
     if (!isMinified) {
@@ -73,11 +75,11 @@ function detectObfuscation(targetPath) {
     // 7. Unicode invisible character injection (GlassWorm — mars 2026)
     // Detects zero-width chars, variation selectors, tag characters embedded in source
     const invisibleCount = countInvisibleUnicode(content);
-    if (invisibleCount >= 3) {
+    if (invisibleCount >= 10) {
       threats.push({
         type: 'unicode_invisible_injection',
         severity: isPackageOutput ? 'LOW' : 'CRITICAL',
-        message: `${invisibleCount} invisible Unicode characters detected (zero-width, variation selectors, tag chars). GlassWorm technique: payload encoded via invisible codepoints.`,
+        message: `${invisibleCount} invisible Unicode characters detected (zero-width, variation selectors, tag chars). Possible hidden payload encoded via invisible codepoints.`,
         file: relativePath
       });
     }
@@ -151,7 +153,7 @@ function hasLargeStringArray(content) {
  * - U+200B, U+200C, U+200D (zero-width space/joiner/non-joiner)
  * - U+FEFF (BOM — only if position > 0; pos 0 is legitimate BOM)
  * - U+2060 (word joiner), U+180E (Mongolian vowel separator)
- * - U+FE00-U+FE0F (variation selectors — GlassWorm 256-value encoding)
+ * - U+FE00-U+FE0E (variation selectors — excludes U+FE0F emoji presentation selector)
  * - U+E0100-U+E01EF (variation selectors supplement)
  * - U+E0001-U+E007F (tag characters)
  */
@@ -168,8 +170,8 @@ function countInvisibleUnicode(content) {
     else if (cp === 0xFEFF && i > 0) {
       count++;
     }
-    // BMP variation selectors (U+FE00-U+FE0F)
-    else if (cp >= 0xFE00 && cp <= 0xFE0F) {
+    // BMP variation selectors (U+FE00-U+FE0E) — excludes U+FE0F (emoji presentation selector)
+    else if (cp >= 0xFE00 && cp <= 0xFE0E) {
       count++;
     }
     // Supplementary plane: variation selectors supplement (U+E0100-U+E01EF)

package/src/scanner/package.js

@@ -137,6 +137,11 @@ async function scanPackageJson(targetPath) {
       : pkg.bin;
     for (const [cmdName, cmdPath] of Object.entries(binEntries || {})) {
       if (SHADOWED_COMMANDS.has(cmdName)) {
+        // Skip when the package IS the legitimate provider of the command:
+        // 1. Self-name: npm→bin.npm, yarn→bin.yarn
+        // 2. Sibling commands: npm also provides npx → pkg.name in SHADOWED_COMMANDS
+        // Typosquats still caught: 'nmp' declaring bin.npm → 'nmp' not in SHADOWED_COMMANDS → fires
+        if (cmdName === pkg.name || SHADOWED_COMMANDS.has(pkg.name)) continue;
         threats.push({
           type: 'bin_field_hijack',
           severity: 'CRITICAL',

package/src/scoring.js

@@ -62,7 +62,9 @@ const PACKAGE_LEVEL_TYPES = new Set([
   'publish_burst', 'publish_dormant_spike', 'publish_rapid_succession',
   'maintainer_new_suspicious', 'maintainer_sole_change',
   'sandbox_network_activity', 'sandbox_file_changes', 'sandbox_process_spawns',
-  'sandbox_canary_exfiltration'
+  'sandbox_canary_exfiltration',
+  // Compound scoring rules — package-level co-occurrences
+  'lifecycle_typosquat', 'lifecycle_inline_exec', 'lifecycle_remote_require'
 ]);
 
 /**
@@ -154,9 +156,16 @@ const DIST_EXEMPT_TYPES = new Set([
   'cross_file_dataflow',      // credential read → network exfil across files
   'staged_eval_decode',       // eval(atob(...)) (explicit payload staging)
   'reverse_shell',            // net.Socket + connect + pipe (always malicious)
-  'detached_credential_exfil', // detached process + credential exfil (DPRK/Lazarus)
+  // detached_credential_exfil removed from DIST_EXEMPT: in dist/ files, co-occurrence of
+  // detached_process + env_access + network is coincidental bundler aggregation.
+  // Kept in REACHABILITY_EXEMPT_TYPES (lifecycle invocation is valid).
   'node_modules_write',       // writeFile to node_modules/ (worm propagation)
-  'npm_publish_worm'          // exec("npm publish") (worm propagation)
+  'npm_publish_worm',         // exec("npm publish") (worm propagation)
+  // Dangerous shell commands in dist/ are real threats, never bundler output
+  'dangerous_exec',
+  // Compound scoring rules — co-occurrence signals, never FP
+  'crypto_staged_payload', 'lifecycle_typosquat',
+  'lifecycle_inline_exec', 'lifecycle_remote_require'
   // P6: remote_code_load and proxy_data_intercept removed — in bundled dist/ files,
   // fetch + eval co-occurrence is coincidental (bundler combines HTTP client + template compilation).
   // fetch_decrypt_exec (fetch+decrypt+eval triple) remains exempt — never coincidental.
@@ -174,7 +183,7 @@ const DIST_BUNDLER_ARTIFACT_TYPES = new Set([
   'dynamic_require', 'dynamic_import',
   'obfuscation_detected', 'high_entropy_string', 'possible_obfuscation',
   'js_obfuscation_pattern', 'vm_code_execution',
-  'module_compile', 'module_compile_dynamic',
+  'module_compile', 'module_compile_dynamic', 'unicode_variation_decoder',
   // P7: env_access in dist/ is bundled SDK config reading, not credential theft
   'env_access',
   // P8: Proxy traps in dist/ are state management frameworks (MobX, Vue reactivity, Immer),
@@ -182,7 +191,12 @@ const DIST_BUNDLER_ARTIFACT_TYPES = new Set([
   'proxy_data_intercept',
   // P9: fetch+eval in dist/ is Vite/Webpack code splitting (lazy chunk loading),
   // not remote code execution. Two-notch downgrade (CRITICAL→MEDIUM, HIGH→LOW).
-  'remote_code_load'
+  'remote_code_load',
+  // P10: In dist/ bundles, binary file refs + crypto are coincidental bundler aggregation
+  // (webpack bundles crypto utils alongside image processing). Real steganographic attacks
+  // (flatmap-stream) have these at package root, not dist/. Compound (crypto_staged_payload)
+  // is in DIST_EXEMPT_TYPES so the overall signal is preserved when truly malicious.
+  'staged_binary_payload', 'crypto_decipher'
 ]);
 
 // Types exempt from reachability downgrade — IOC matches, lifecycle, and package-level types.
@@ -203,6 +217,102 @@ const REACHABILITY_EXEMPT_TYPES = new Set([
   'detached_credential_exfil' // DPRK/Lazarus: invoked via lifecycle, not require/import
 ]);
 
+// ============================================
+// COMPOUND SCORING RULES (v2.9.2)
+// ============================================
+// Co-occurrences of threat types that NEVER appear in benign packages.
+// Applied AFTER FP reductions to recover signals that were individually downgraded.
+// Each compound injects a new CRITICAL threat when all required types are present.
+const SCORING_COMPOUNDS = [
+  {
+    type: 'crypto_staged_payload',
+    requires: ['staged_binary_payload', 'crypto_decipher'],
+    severity: 'CRITICAL',
+    message: 'Binary file reference + crypto decryption — steganographic payload chain (scoring compound).',
+    fileFrom: 'staged_binary_payload',
+    sameFile: true // Real steganographic attacks (flatmap-stream) have crypto+binary in the SAME file
+  },
+  {
+    type: 'lifecycle_typosquat',
+    requires: ['lifecycle_script', 'typosquat_detected'],
+    severity: 'CRITICAL',
+    message: 'Lifecycle hook on typosquat package — dependency confusion attack vector (scoring compound).',
+    fileFrom: 'typosquat_detected'
+  },
+  {
+    type: 'lifecycle_inline_exec',
+    requires: ['lifecycle_script', 'node_inline_exec'],
+    severity: 'CRITICAL',
+    message: 'Lifecycle hook with inline Node execution (node -e) — install-time code execution (scoring compound).',
+    fileFrom: 'node_inline_exec'
+  },
+  {
+    type: 'lifecycle_remote_require',
+    requires: ['lifecycle_script', 'network_require'],
+    severity: 'CRITICAL',
+    message: 'Lifecycle hook loading remote code (require http/https) — supply chain payload delivery (scoring compound).',
+    fileFrom: 'network_require'
+  },
+];
+
+/**
+ * Apply compound boost rules: inject synthetic CRITICAL threats when
+ * co-occurring threat types indicate unambiguous malice.
+ * Called AFTER applyFPReductions to recover individually-downgraded signals.
+ * @param {Array} threats - deduplicated threat array (mutated in place)
+ */
+function applyCompoundBoosts(threats) {
+  const typeSet = new Set(threats.map(t => t.type));
+
+  // Build map of type → first file encountered (for file assignment)
+  const typeFileMap = Object.create(null);
+  for (const t of threats) {
+    if (!typeFileMap[t.type]) {
+      typeFileMap[t.type] = t.file || '(unknown)';
+    }
+  }
+
+  for (const compound of SCORING_COMPOUNDS) {
+    // Skip if compound already present (e.g. from a scanner)
+    if (typeSet.has(compound.type)) continue;
+
+    // Check all required types are present
+    if (compound.requires.every(req => typeSet.has(req))) {
+      // Severity gate: at least one component must have severity >= MEDIUM
+      // after FP reductions. If all components were downgraded to LOW,
+      // the compound signal is not strong enough to justify a CRITICAL boost.
+      const hasSignificantComponent = compound.requires.some(req =>
+        threats.some(t => t.type === req && t.severity !== 'LOW')
+      );
+      if (!hasSignificantComponent) continue;
+
+      // Same-file constraint: all required types must appear in at least one common file.
+      // Prevents cross-file coincidental matches (e.g. next.js: staged_binary_payload in
+      // dist/compiled/@vercel/nft/index.js + crypto_decipher in a different file).
+      if (compound.sameFile) {
+        const filesByType = compound.requires.map(req =>
+          new Set(threats.filter(t => t.type === req).map(t => t.file))
+        );
+        // Find intersection of all file sets
+        const commonFiles = [...filesByType[0]].filter(f =>
+          filesByType.every(s => s.has(f))
+        );
+        if (commonFiles.length === 0) continue;
+      }
+
+      threats.push({
+        type: compound.type,
+        severity: compound.severity,
+        message: compound.message,
+        file: typeFileMap[compound.fileFrom] || '(unknown)',
+        count: 1,
+        compound: true
+      });
+      typeSet.add(compound.type);
+    }
+  }
+}
+
 // Custom class prototypes that HTTP frameworks legitimately extend.
 // Distinguished from dangerous core Node.js prototype hooks.
 const FRAMEWORK_PROTOTYPES = ['Request', 'Response', 'App', 'Router'];
@@ -463,5 +573,5 @@ function calculateRiskScore(deduped, intentResult) {
 
 module.exports = {
   SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, CONFIDENCE_FACTORS,
-  isPackageLevelThreat, computeGroupScore, applyFPReductions, calculateRiskScore
+  isPackageLevelThreat, computeGroupScore, applyFPReductions, applyCompoundBoosts, calculateRiskScore
 };