muaddib-scanner 2.9.2 → 2.9.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.2",
+  "version": "2.9.3",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -570,6 +570,7 @@ async function run(targetPath, options = {}) {
   // Cross-scanner compound: detached_process + suspicious_dataflow in same file
   // Catches cases where credential flow is detected by dataflow scanner, not AST scanner
   {
+    const DIST_RE = /(?:^|[/\\])(?:dist|build|out|output)[/\\]|\.min\.js$|\.bundle\.js$/i;
     const fileMap = Object.create(null);
     for (const t of deduped) {
       if (t.file) {
@@ -578,6 +579,9 @@ async function run(targetPath, options = {}) {
       }
     }
     for (const file of Object.keys(fileMap)) {
+      // Skip dist/build files — bundler aggregation creates coincidental co-occurrence
+      // of detached_process + suspicious_dataflow. Real DPRK attacks target root files.
+      if (DIST_RE.test(file)) continue;
       const fileThreats = fileMap[file];
       const hasDetached = fileThreats.some(t => t.type === 'detached_process');
       const hasCredFlow = fileThreats.some(t => t.type === 'suspicious_dataflow');

package/src/response/playbooks.js

@@ -547,11 +547,6 @@ const PLAYBOOKS = {
     'Vecteur classique de dependency confusion: le code s\'execute a l\'installation. ' +
     'NE PAS installer. Verifier le nom exact du package. Signaler sur npm.',
 
-  credential_env_exfil:
-    'CRITIQUE: Ecriture dans des chemins sensibles (cache npm/yarn, credentials) + acces aux variables d\'environnement. ' +
-    'Double vecteur d\'exfiltration de credentials. Supprimer le package. Regenerer tous les secrets. ' +
-    'Nettoyer le cache: npm cache clean --force.',
-
   lifecycle_inline_exec:
     'CRITIQUE: Script lifecycle avec node -e (execution inline). Le code s\'execute automatiquement a npm install. ' +
     'NE PAS installer. Si deja installe: considerer la machine compromise. ' +
@@ -562,10 +557,6 @@ const PLAYBOOKS = {
     'Le payload est telecharge et execute automatiquement a l\'installation. ' +
     'NE PAS installer. Bloquer les connexions sortantes. Supprimer le package.',
 
-  obfuscated_credential_tampering:
-    'CRITIQUE: Code obfusque + ecriture dans des chemins sensibles. Dissimulation de vol de credentials. ' +
-    'Supprimer le package immediatement. Nettoyer le cache npm/yarn. Regenerer tous les secrets.',
-
   bin_field_hijack:
     'CRITIQUE: Le champ "bin" de package.json shadow une commande systeme (node, npm, git, bash, etc.). ' +
     'A l\'installation, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle. ' +

package/src/rules/index.js

@@ -1621,18 +1621,6 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
-  credential_env_exfil: {
-    id: 'MUADDIB-COMPOUND-003',
-    name: 'Credential Tampering + Env Access',
-    severity: 'CRITICAL',
-    confidence: 'high',
-    description: 'Ecriture dans un chemin sensible (cache npm/yarn, credentials) combinee avec acces aux variables d\'environnement. Chaine d\'exfiltration de credentials par double vecteur.',
-    references: [
-      'https://attack.mitre.org/techniques/T1552/001/',
-      'https://attack.mitre.org/techniques/T1565/001/'
-    ],
-    mitre: 'T1552.001'
-  },
   lifecycle_inline_exec: {
     id: 'MUADDIB-COMPOUND-004',
     name: 'Lifecycle Hook + Inline Node Execution',
@@ -1657,18 +1645,6 @@ const RULES = {
     ],
     mitre: 'T1105'
   },
-  obfuscated_credential_tampering: {
-    id: 'MUADDIB-COMPOUND-006',
-    name: 'Obfuscated Code + Credential Tampering',
-    severity: 'CRITICAL',
-    confidence: 'high',
-    description: 'Code obfusque combine avec ecriture dans des chemins sensibles (cache npm/yarn, credentials). Dissimulation de vol de credentials.',
-    references: [
-      'https://attack.mitre.org/techniques/T1027/',
-      'https://attack.mitre.org/techniques/T1565/001/'
-    ],
-    mitre: 'T1027'
-  },
 };
 
 function getRule(type) {

package/src/scanner/ast-detectors.js

@@ -2360,7 +2360,7 @@ function handlePostWalk(ctx) {
     t.file === ctx.relFile && t.type === 'detached_process'
   );
   const hasSensitiveEnvInFile = ctx.threats.some(t =>
-    t.file === ctx.relFile && t.type === 'env_access'
+    t.file === ctx.relFile && t.type === 'env_access' && t.severity === 'HIGH'
   );
   if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile) {
     ctx.threats.push({
@@ -2372,11 +2372,15 @@ function handlePostWalk(ctx) {
   }
 
   // GlassWorm: Unicode variation selector decoder = .codePointAt + variation selector constants
+  // CRITICAL if combined with eval/exec (GlassWorm always uses dynamic execution),
+  // MEDIUM otherwise (.codePointAt + 0xFE00 is legitimate Unicode processing in fonts/text libs)
   if (ctx.hasCodePointAt && ctx.hasVariationSelectorConst) {
     ctx.threats.push({
       type: 'unicode_variation_decoder',
-      severity: 'CRITICAL',
-      message: 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants — GlassWorm payload reconstruction from invisible characters.',
+      severity: ctx.hasDynamicExec ? 'CRITICAL' : 'MEDIUM',
+      message: ctx.hasDynamicExec
+        ? 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants + dynamic execution — GlassWorm payload reconstruction from invisible characters.'
+        : 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants — likely legitimate Unicode processing (text formatting, font rendering).',
       file: ctx.relFile
     });
   }

package/src/scanner/obfuscation.js

@@ -23,7 +23,9 @@ function detectObfuscation(targetPath) {
     // P6: Any JS file > 100KB is overwhelmingly bundled output regardless of directory name.
     // Real obfuscated malware is typically small (<50KB). Catches prettier plugins/, svelte compiler/, etc.
     const isLargeJs = basename.endsWith('.js') && content.length > 100 * 1024;
-    const isPackageOutput = isMinified || isBundled || isInDistOrBuild || isLargeCjsMjs || isLargeJs;
+    // Locale/i18n files legitimately contain invisible Unicode (e.g. Persian ZWNJ U+200C)
+    const isLocaleFile = /(?:^|[/\\])(?:locale|locales|i18n|intl|lang|languages|translations)[/\\]/i.test(relativePath);
+    const isPackageOutput = isMinified || isBundled || isInDistOrBuild || isLargeCjsMjs || isLargeJs || isLocaleFile;
 
     // 1. Ratio code sur une seule ligne (skip .min.js — minification, not obfuscation)
     if (!isMinified) {
@@ -73,11 +75,11 @@ function detectObfuscation(targetPath) {
     // 7. Unicode invisible character injection (GlassWorm — mars 2026)
     // Detects zero-width chars, variation selectors, tag characters embedded in source
     const invisibleCount = countInvisibleUnicode(content);
-    if (invisibleCount >= 3) {
+    if (invisibleCount >= 10) {
       threats.push({
         type: 'unicode_invisible_injection',
         severity: isPackageOutput ? 'LOW' : 'CRITICAL',
-        message: `${invisibleCount} invisible Unicode characters detected (zero-width, variation selectors, tag chars). GlassWorm technique: payload encoded via invisible codepoints.`,
+        message: `${invisibleCount} invisible Unicode characters detected (zero-width, variation selectors, tag chars). Possible hidden payload encoded via invisible codepoints.`,
         file: relativePath
       });
     }
@@ -151,7 +153,7 @@ function hasLargeStringArray(content) {
  * - U+200B, U+200C, U+200D (zero-width space/joiner/non-joiner)
  * - U+FEFF (BOM — only if position > 0; pos 0 is legitimate BOM)
  * - U+2060 (word joiner), U+180E (Mongolian vowel separator)
- * - U+FE00-U+FE0F (variation selectors — GlassWorm 256-value encoding)
+ * - U+FE00-U+FE0E (variation selectors — excludes U+FE0F emoji presentation selector)
  * - U+E0100-U+E01EF (variation selectors supplement)
  * - U+E0001-U+E007F (tag characters)
  */
@@ -168,8 +170,8 @@ function countInvisibleUnicode(content) {
     else if (cp === 0xFEFF && i > 0) {
       count++;
     }
-    // BMP variation selectors (U+FE00-U+FE0F)
-    else if (cp >= 0xFE00 && cp <= 0xFE0F) {
+    // BMP variation selectors (U+FE00-U+FE0E) — excludes U+FE0F (emoji presentation selector)
+    else if (cp >= 0xFE00 && cp <= 0xFE0E) {
       count++;
     }
     // Supplementary plane: variation selectors supplement (U+E0100-U+E01EF)

package/src/scanner/package.js

@@ -137,6 +137,11 @@ async function scanPackageJson(targetPath) {
       : pkg.bin;
     for (const [cmdName, cmdPath] of Object.entries(binEntries || {})) {
       if (SHADOWED_COMMANDS.has(cmdName)) {
+        // Skip when the package IS the legitimate provider of the command:
+        // 1. Self-name: npm→bin.npm, yarn→bin.yarn
+        // 2. Sibling commands: npm also provides npx → pkg.name in SHADOWED_COMMANDS
+        // Typosquats still caught: 'nmp' declaring bin.npm → 'nmp' not in SHADOWED_COMMANDS → fires
+        if (cmdName === pkg.name || SHADOWED_COMMANDS.has(pkg.name)) continue;
         threats.push({
           type: 'bin_field_hijack',
           severity: 'CRITICAL',

package/src/scoring.js

@@ -156,14 +156,16 @@ const DIST_EXEMPT_TYPES = new Set([
   'cross_file_dataflow',      // credential read → network exfil across files
   'staged_eval_decode',       // eval(atob(...)) (explicit payload staging)
   'reverse_shell',            // net.Socket + connect + pipe (always malicious)
-  'detached_credential_exfil', // detached process + credential exfil (DPRK/Lazarus)
+  // detached_credential_exfil removed from DIST_EXEMPT: in dist/ files, co-occurrence of
+  // detached_process + env_access + network is coincidental bundler aggregation.
+  // Kept in REACHABILITY_EXEMPT_TYPES (lifecycle invocation is valid).
   'node_modules_write',       // writeFile to node_modules/ (worm propagation)
   'npm_publish_worm',         // exec("npm publish") (worm propagation)
   // Dangerous shell commands in dist/ are real threats, never bundler output
   'dangerous_exec',
   // Compound scoring rules — co-occurrence signals, never FP
-  'crypto_staged_payload', 'lifecycle_typosquat', 'credential_env_exfil',
-  'lifecycle_inline_exec', 'lifecycle_remote_require', 'obfuscated_credential_tampering'
+  'crypto_staged_payload', 'lifecycle_typosquat',
+  'lifecycle_inline_exec', 'lifecycle_remote_require'
   // P6: remote_code_load and proxy_data_intercept removed — in bundled dist/ files,
   // fetch + eval co-occurrence is coincidental (bundler combines HTTP client + template compilation).
   // fetch_decrypt_exec (fetch+decrypt+eval triple) remains exempt — never coincidental.
@@ -181,7 +183,7 @@ const DIST_BUNDLER_ARTIFACT_TYPES = new Set([
   'dynamic_require', 'dynamic_import',
   'obfuscation_detected', 'high_entropy_string', 'possible_obfuscation',
   'js_obfuscation_pattern', 'vm_code_execution',
-  'module_compile', 'module_compile_dynamic',
+  'module_compile', 'module_compile_dynamic', 'unicode_variation_decoder',
   // P7: env_access in dist/ is bundled SDK config reading, not credential theft
   'env_access',
   // P8: Proxy traps in dist/ are state management frameworks (MobX, Vue reactivity, Immer),
@@ -189,7 +191,12 @@ const DIST_BUNDLER_ARTIFACT_TYPES = new Set([
   'proxy_data_intercept',
   // P9: fetch+eval in dist/ is Vite/Webpack code splitting (lazy chunk loading),
   // not remote code execution. Two-notch downgrade (CRITICAL→MEDIUM, HIGH→LOW).
-  'remote_code_load'
+  'remote_code_load',
+  // P10: In dist/ bundles, binary file refs + crypto are coincidental bundler aggregation
+  // (webpack bundles crypto utils alongside image processing). Real steganographic attacks
+  // (flatmap-stream) have these at package root, not dist/. Compound (crypto_staged_payload)
+  // is in DIST_EXEMPT_TYPES so the overall signal is preserved when truly malicious.
+  'staged_binary_payload', 'crypto_decipher'
 ]);
 
 // Types exempt from reachability downgrade — IOC matches, lifecycle, and package-level types.
@@ -222,7 +229,8 @@ const SCORING_COMPOUNDS = [
     requires: ['staged_binary_payload', 'crypto_decipher'],
     severity: 'CRITICAL',
     message: 'Binary file reference + crypto decryption — steganographic payload chain (scoring compound).',
-    fileFrom: 'staged_binary_payload'
+    fileFrom: 'staged_binary_payload',
+    sameFile: true // Real steganographic attacks (flatmap-stream) have crypto+binary in the SAME file
   },
   {
     type: 'lifecycle_typosquat',
@@ -231,13 +239,6 @@ const SCORING_COMPOUNDS = [
     message: 'Lifecycle hook on typosquat package — dependency confusion attack vector (scoring compound).',
     fileFrom: 'typosquat_detected'
   },
-  {
-    type: 'credential_env_exfil',
-    requires: ['credential_tampering', 'env_access'],
-    severity: 'CRITICAL',
-    message: 'Credential path tampering + environment variable access — credential exfiltration chain (scoring compound).',
-    fileFrom: 'credential_tampering'
-  },
   {
     type: 'lifecycle_inline_exec',
     requires: ['lifecycle_script', 'node_inline_exec'],
@@ -252,13 +253,6 @@ const SCORING_COMPOUNDS = [
     message: 'Lifecycle hook loading remote code (require http/https) — supply chain payload delivery (scoring compound).',
     fileFrom: 'network_require'
   },
-  {
-    type: 'obfuscated_credential_tampering',
-    requires: ['credential_tampering', 'obfuscation_detected'],
-    severity: 'CRITICAL',
-    message: 'Obfuscated code + credential path tampering — concealed credential theft (scoring compound).',
-    fileFrom: 'credential_tampering'
-  }
 ];
 
 /**
@@ -284,6 +278,28 @@ function applyCompoundBoosts(threats) {
 
     // Check all required types are present
     if (compound.requires.every(req => typeSet.has(req))) {
+      // Severity gate: at least one component must have severity >= MEDIUM
+      // after FP reductions. If all components were downgraded to LOW,
+      // the compound signal is not strong enough to justify a CRITICAL boost.
+      const hasSignificantComponent = compound.requires.some(req =>
+        threats.some(t => t.type === req && t.severity !== 'LOW')
+      );
+      if (!hasSignificantComponent) continue;
+
+      // Same-file constraint: all required types must appear in at least one common file.
+      // Prevents cross-file coincidental matches (e.g. next.js: staged_binary_payload in
+      // dist/compiled/@vercel/nft/index.js + crypto_decipher in a different file).
+      if (compound.sameFile) {
+        const filesByType = compound.requires.map(req =>
+          new Set(threats.filter(t => t.type === req).map(t => t.file))
+        );
+        // Find intersection of all file sets
+        const commonFiles = [...filesByType[0]].filter(f =>
+          filesByType.every(s => s.has(f))
+        );
+        if (commonFiles.length === 0) continue;
+      }
+
       threats.push({
         type: compound.type,
         severity: compound.severity,