muaddib-scanner 2.9.2 → 2.9.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.2",
+  "version": "2.9.4",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -570,6 +570,7 @@ async function run(targetPath, options = {}) {
   // Cross-scanner compound: detached_process + suspicious_dataflow in same file
   // Catches cases where credential flow is detected by dataflow scanner, not AST scanner
   {
+    const DIST_RE = /(?:^|[/\\])(?:dist|build|out|output)[/\\]|\.min\.js$|\.bundle\.js$/i;
     const fileMap = Object.create(null);
     for (const t of deduped) {
       if (t.file) {
@@ -578,6 +579,9 @@ async function run(targetPath, options = {}) {
       }
     }
     for (const file of Object.keys(fileMap)) {
+      // Skip dist/build files — bundler aggregation creates coincidental co-occurrence
+      // of detached_process + suspicious_dataflow. Real DPRK attacks target root files.
+      if (DIST_RE.test(file)) continue;
       const fileThreats = fileMap[file];
       const hasDetached = fileThreats.some(t => t.type === 'detached_process');
       const hasCredFlow = fileThreats.some(t => t.type === 'suspicious_dataflow');

package/src/response/playbooks.js

@@ -349,6 +349,11 @@ const PLAYBOOKS = {
     'pour eviter la detection statique. Technique de vol de GITHUB_TOKEN, NPM_TOKEN, etc. ' +
     'Verifier quelles variables sont accedees et si elles sont exfiltrees.',
 
+  lifecycle_hidden_payload:
+    'CRITIQUE: Le script lifecycle pointe vers un fichier cache dans node_modules/. ' +
+    'Ce pattern est utilise par les attaques DPRK/Lazarus pour cacher le payload dans un repertoire ' +
+    'que les scanners excluent par defaut. Examiner le fichier cible immediatement.',
+
   lifecycle_shell_pipe:
     'CRITIQUE: Le script lifecycle (preinstall/postinstall) pipe du code distant vers un shell (curl | sh). ' +
     'NE PAS installer. Ceci execute du code arbitraire a l\'installation. ' +
@@ -547,11 +552,6 @@ const PLAYBOOKS = {
     'Vecteur classique de dependency confusion: le code s\'execute a l\'installation. ' +
     'NE PAS installer. Verifier le nom exact du package. Signaler sur npm.',
 
-  credential_env_exfil:
-    'CRITIQUE: Ecriture dans des chemins sensibles (cache npm/yarn, credentials) + acces aux variables d\'environnement. ' +
-    'Double vecteur d\'exfiltration de credentials. Supprimer le package. Regenerer tous les secrets. ' +
-    'Nettoyer le cache: npm cache clean --force.',
-
   lifecycle_inline_exec:
     'CRITIQUE: Script lifecycle avec node -e (execution inline). Le code s\'execute automatiquement a npm install. ' +
     'NE PAS installer. Si deja installe: considerer la machine compromise. ' +
@@ -562,10 +562,6 @@ const PLAYBOOKS = {
     'Le payload est telecharge et execute automatiquement a l\'installation. ' +
     'NE PAS installer. Bloquer les connexions sortantes. Supprimer le package.',
 
-  obfuscated_credential_tampering:
-    'CRITIQUE: Code obfusque + ecriture dans des chemins sensibles. Dissimulation de vol de credentials. ' +
-    'Supprimer le package immediatement. Nettoyer le cache npm/yarn. Regenerer tous les secrets.',
-
   bin_field_hijack:
     'CRITIQUE: Le champ "bin" de package.json shadow une commande systeme (node, npm, git, bash, etc.). ' +
     'A l\'installation, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle. ' +

package/src/rules/index.js

@@ -649,6 +649,19 @@ const RULES = {
     mitre: 'T1027'
   },
 
+  lifecycle_hidden_payload: {
+    id: 'MUADDIB-PKG-016',
+    name: 'Lifecycle Script Targets Hidden Payload',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle pointe vers un fichier dans node_modules/ — technique de dissimulation de payload. Les scanners excluent node_modules/ par defaut, rendant le payload invisible. Pattern DPRK/Lazarus interview attack.',
+    references: [
+      'https://unit42.paloaltonetworks.com/operation-dream-job/',
+      'https://blog.phylum.io/shai-hulud-npm-worm'
+    ],
+    mitre: 'T1027.009'
+  },
+
   lifecycle_shell_pipe: {
     id: 'MUADDIB-PKG-010',
     name: 'Lifecycle Script Pipes to Shell',
@@ -1621,18 +1634,6 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
-  credential_env_exfil: {
-    id: 'MUADDIB-COMPOUND-003',
-    name: 'Credential Tampering + Env Access',
-    severity: 'CRITICAL',
-    confidence: 'high',
-    description: 'Ecriture dans un chemin sensible (cache npm/yarn, credentials) combinee avec acces aux variables d\'environnement. Chaine d\'exfiltration de credentials par double vecteur.',
-    references: [
-      'https://attack.mitre.org/techniques/T1552/001/',
-      'https://attack.mitre.org/techniques/T1565/001/'
-    ],
-    mitre: 'T1552.001'
-  },
   lifecycle_inline_exec: {
     id: 'MUADDIB-COMPOUND-004',
     name: 'Lifecycle Hook + Inline Node Execution',
@@ -1657,18 +1658,6 @@ const RULES = {
     ],
     mitre: 'T1105'
   },
-  obfuscated_credential_tampering: {
-    id: 'MUADDIB-COMPOUND-006',
-    name: 'Obfuscated Code + Credential Tampering',
-    severity: 'CRITICAL',
-    confidence: 'high',
-    description: 'Code obfusque combine avec ecriture dans des chemins sensibles (cache npm/yarn, credentials). Dissimulation de vol de credentials.',
-    references: [
-      'https://attack.mitre.org/techniques/T1027/',
-      'https://attack.mitre.org/techniques/T1565/001/'
-    ],
-    mitre: 'T1027'
-  },
 };
 
 function getRule(type) {

package/src/scanner/ast-detectors.js

@@ -475,6 +475,45 @@ function handleVariableDeclarator(node, ctx) {
       ctx.stringVarValues.set(node.id.name, strVal);
     }
 
+    // Track variables assigned from require.cache[...] (module cache references)
+    // Used to detect writes to cached module exports (require.cache poisoning)
+    if (node.init?.type === 'MemberExpression' && node.init.computed) {
+      const obj = node.init.object;
+      if (obj?.type === 'MemberExpression' &&
+          obj.object?.type === 'Identifier' && obj.object.name === 'require' &&
+          obj.property?.type === 'Identifier' && obj.property.name === 'cache') {
+        ctx.requireCacheVars.add(node.id.name);
+      }
+    }
+
+    // Track variables assigned from BinaryExpression with '+' (string concatenation building)
+    // Used to detect setTimeout(concatVar, delay) — eval via timer with built string
+    // FP fix: only track when at least one operand is demonstrably a string (literal, template,
+    // or known string var). Filters out arithmetic `var e = a + 1` in minified code.
+    if (node.init?.type === 'BinaryExpression' && node.init.operator === '+') {
+      const left = node.init.left;
+      const right = node.init.right;
+      const isStringOperand = (n) =>
+        (n.type === 'Literal' && typeof n.value === 'string') ||
+        n.type === 'TemplateLiteral' ||
+        (n.type === 'Identifier' && ctx.stringVarValues?.has(n.name)) ||
+        (n.type === 'Identifier' && ctx.stringBuildVars?.has(n.name));
+      if (isStringOperand(left) || isStringOperand(right)) {
+        ctx.stringBuildVars.add(node.id.name);
+      }
+    }
+
+    // Track object variables with Proxy trap properties (set/get/apply/construct)
+    // Used to detect new Proxy(target, handlerVar) when handler is not inline
+    if (node.init?.type === 'ObjectExpression') {
+      const hasTrap = node.init.properties?.some(p =>
+        p.key?.type === 'Identifier' && ['set', 'get', 'apply', 'construct'].includes(p.key.name)
+      );
+      if (hasTrap) {
+        ctx.proxyHandlerVars.add(node.id.name);
+      }
+    }
+
     // Track variables assigned from path.join containing .github/workflows
     if (node.init?.type === 'CallExpression' && node.init.callee?.type === 'MemberExpression') {
       const obj = node.init.callee.object;
@@ -1294,6 +1333,29 @@ function handleCallExpression(node, ctx) {
         file: ctx.relFile
       });
     }
+    // BinaryExpression with '+' as first arg = string concatenation for eval via timer
+    else if (firstArg.type === 'BinaryExpression' && firstArg.operator === '+') {
+      ctx.hasEvalInFile = true;
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: 'dangerous_call_eval',
+        severity: 'HIGH',
+        message: `${callName}() with concatenated string argument — eval equivalent, dynamically built code string.`,
+        file: ctx.relFile
+      });
+    }
+    // Identifier arg that was tracked as string value or string concatenation result
+    else if (firstArg.type === 'Identifier' &&
+             (ctx.stringVarValues?.has(firstArg.name) || ctx.stringBuildVars?.has(firstArg.name))) {
+      ctx.hasEvalInFile = true;
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: 'dangerous_call_eval',
+        severity: 'HIGH',
+        message: `${callName}() with variable "${firstArg.name}" containing built string — eval equivalent, executes the string as code.`,
+        file: ctx.relFile
+      });
+    }
 
     // Static timer bomb: setTimeout/setInterval with delay > 1 hour (PhantomRaven 48h delay)
     if (node.arguments.length >= 2) {
@@ -1757,8 +1819,17 @@ function handleNewExpression(node, ctx) {
         );
         if (hasTrap) {
           ctx.hasProxyTrap = true;
+          const hasSetTrap = handler.properties?.some(p =>
+            p.key?.type === 'Identifier' && p.key.name === 'set'
+          );
+          if (hasSetTrap) ctx.hasProxySetTrap = true;
         }
       }
+      // Also detect when handler is a variable reference that was tracked as having trap properties
+      if (handler?.type === 'Identifier' && ctx.proxyHandlerVars?.has(handler.name)) {
+        ctx.hasProxyTrap = true;
+        ctx.hasProxySetTrap = true; // proxyHandlerVars tracks objects with any trap including set
+      }
     }
   }
 
@@ -1966,6 +2037,29 @@ function handleAssignmentExpression(node, ctx) {
   if (node.left?.type === 'MemberExpression') {
     const left = node.left;
 
+    // require.cache[...].exports = ... — module cache poisoning WRITE (not just read)
+    // This is always malicious: replacing a core module's exports to intercept all usage.
+    // Also detects: mod.exports.X = ... where mod is from require.cache[...]
+    if (left.property?.type === 'Identifier' && left.property.name === 'exports') {
+      // Direct pattern: require.cache[...].exports = ...
+      const obj = left.object;
+      if (obj?.type === 'MemberExpression' && obj.computed) {
+        const deep = obj.object;
+        if (deep?.type === 'MemberExpression' &&
+            deep.object?.type === 'Identifier' && deep.object.name === 'require' &&
+            deep.property?.type === 'Identifier' && deep.property.name === 'cache') {
+          ctx.hasRequireCacheWrite = true;
+        }
+      }
+    }
+    // Indirect pattern: mod.exports.X = ... where mod = require.cache[...]
+    if (left.object?.type === 'MemberExpression' &&
+        left.object.property?.type === 'Identifier' && left.object.property.name === 'exports' &&
+        left.object.object?.type === 'Identifier' &&
+        ctx.requireCacheVars?.has(left.object.object.name)) {
+      ctx.hasRequireCacheWrite = true;
+    }
+
     // globalThis.fetch = ... or globalThis.XMLHttpRequest = ... (B2: include aliases)
     if (left.object?.type === 'Identifier' &&
         (left.object.name === 'globalThis' || left.object.name === 'global' ||
@@ -2045,15 +2139,11 @@ function handleAssignmentExpression(node, ctx) {
 }
 
 function handleMemberExpression(node, ctx) {
-  // Detect require.cache access
+  // Detect require.cache access — set flag, defer threat emission to handlePostWalk
+  // FP fix: distinguish READ (hot-reload, delete, introspection) from WRITE (.exports = ...)
   if (node.object?.type === 'Identifier' && node.object.name === 'require' &&
       node.property?.type === 'Identifier' && node.property.name === 'cache') {
-    ctx.threats.push({
-      type: 'require_cache_poison',
-      severity: 'CRITICAL',
-      message: 'require.cache accessed — module cache poisoning to hijack or replace core Node.js modules.',
-      file: ctx.relFile
-    });
+    ctx.hasRequireCacheRead = true;
   }
 
   // GlassWorm: track .codePointAt() calls (variation selector decoder pattern)
@@ -2307,11 +2397,15 @@ function handlePostWalk(ctx) {
 
   // Built-in method override + network: console.X = function or Object.defineProperty = function
   // combined with network calls. Monkey-patching built-in APIs for data interception.
+  // CRITICAL when Object.defineProperty itself is reassigned (global hook on all property defs).
   if (ctx.hasBuiltinOverride && ctx.hasNetworkCallInFile) {
+    const isGlobalHook = ctx.hasBuiltinGlobalHook;
     ctx.threats.push({
       type: 'builtin_override_exfil',
-      severity: 'HIGH',
-      message: 'Built-in method override (console/Object.defineProperty) + network call — runtime API hijacking for data interception and exfiltration.',
+      severity: isGlobalHook ? 'CRITICAL' : 'HIGH',
+      message: isGlobalHook
+        ? 'Object.defineProperty reassigned + network call — global hook intercepts all property definitions for credential exfiltration.'
+        : 'Built-in method override (console/Object.defineProperty) + network call — runtime API hijacking for data interception and exfiltration.',
       file: ctx.relFile
     });
   }
@@ -2335,10 +2429,15 @@ function handlePostWalk(ctx) {
     const hasCredentialSignal = ctx.threats.some(t =>
       t.type === 'env_access' || t.type === 'suspicious_dataflow'
     );
+    // CRITICAL when: credential signals co-occur, OR set trap (intercepts all property writes)
+    // A set trap with network call = universal data capture + exfiltration
+    const isCritical = hasCredentialSignal || ctx.hasProxySetTrap;
     ctx.threats.push({
       type: 'proxy_data_intercept',
-      severity: hasCredentialSignal ? 'CRITICAL' : 'HIGH',
-      message: 'Proxy trap (set/get/apply) with network call in same file — data interception and exfiltration via Proxy handler.',
+      severity: isCritical ? 'CRITICAL' : 'HIGH',
+      message: ctx.hasProxySetTrap
+        ? 'Proxy set trap with network call — intercepts ALL property writes for exfiltration via Proxy handler.'
+        : 'Proxy trap (set/get/apply) with network call in same file — data interception and exfiltration via Proxy handler.',
       file: ctx.relFile
     });
   }
@@ -2353,6 +2452,24 @@ function handlePostWalk(ctx) {
     });
   }
 
+  // require.cache: distinguish WRITE (actual poisoning) from READ-only (hot-reload, introspection)
+  // FP fix: READ-only emits LOW (informational), WRITE emits CRITICAL (malicious module replacement).
+  if (ctx.hasRequireCacheWrite) {
+    ctx.threats.push({
+      type: 'require_cache_poison',
+      severity: 'CRITICAL',
+      message: 'require.cache[...].exports = ... — module cache write: replaces core module exports to intercept all callers.',
+      file: ctx.relFile
+    });
+  } else if (ctx.hasRequireCacheRead) {
+    ctx.threats.push({
+      type: 'require_cache_poison',
+      severity: 'LOW',
+      message: 'require.cache accessed — module cache read (hot-reload/introspection pattern).',
+      file: ctx.relFile
+    });
+  }
+
   // DPRK/Lazarus compound: detached background process + credential env access + network
   // Pattern: spawn({detached:true}) reads secrets then exfils via network.
   // This combination is never legitimate — daemons don't read API keys and send them out.
@@ -2360,7 +2477,7 @@ function handlePostWalk(ctx) {
     t.file === ctx.relFile && t.type === 'detached_process'
   );
   const hasSensitiveEnvInFile = ctx.threats.some(t =>
-    t.file === ctx.relFile && t.type === 'env_access'
+    t.file === ctx.relFile && t.type === 'env_access' && t.severity === 'HIGH'
   );
   if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile) {
     ctx.threats.push({
@@ -2372,11 +2489,15 @@ function handlePostWalk(ctx) {
   }
 
   // GlassWorm: Unicode variation selector decoder = .codePointAt + variation selector constants
+  // CRITICAL if combined with eval/exec (GlassWorm always uses dynamic execution),
+  // MEDIUM otherwise (.codePointAt + 0xFE00 is legitimate Unicode processing in fonts/text libs)
   if (ctx.hasCodePointAt && ctx.hasVariationSelectorConst) {
     ctx.threats.push({
       type: 'unicode_variation_decoder',
-      severity: 'CRITICAL',
-      message: 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants — GlassWorm payload reconstruction from invisible characters.',
+      severity: ctx.hasDynamicExec ? 'CRITICAL' : 'MEDIUM',
+      message: ctx.hasDynamicExec
+        ? 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants + dynamic execution — GlassWorm payload reconstruction from invisible characters.'
+        : 'Unicode variation selector decoder: .codePointAt() + 0xFE00/0xE0100 constants — likely legitimate Unicode processing (text formatting, font rendering).',
       file: ctx.relFile
     });
   }

package/src/scanner/ast.js

@@ -120,6 +120,8 @@ function analyzeFile(content, filePath, basePath) {
     hasBuiltinOverride: /\bconsole\s*\.\s*\w+\s*=\s*function/.test(content) ||
                         /\bconsole\s*\[\s*\w+\s*\]\s*=\s*function/.test(content) ||
                         /\bObject\s*\.\s*defineProperty\s*=\s*function/.test(content),
+    // Critical builtin override: Object.defineProperty itself is reassigned (global hook)
+    hasBuiltinGlobalHook: /\bObject\s*\.\s*defineProperty\s*=\s*function/.test(content),
     // Stream interceptor: class extending Transform/Duplex/Writable (data wiretap pattern)
     hasStreamInterceptor: /\bextends\s+(Transform|Duplex|Writable)\b/.test(content),
     // SANDWORM_MODE P2: DNS exfiltration co-occurrence
@@ -157,6 +159,12 @@ function analyzeFile(content, filePath, basePath) {
     hasWasmLoad: /\bWebAssembly\s*\.\s*(compile|instantiate|compileStreaming|instantiateStreaming)\b/.test(content),
     hasWasmHostSink: false,  // set in handleCallExpression when WASM import object contains network/fs sinks
     hasProxyTrap: false,  // set in handleNewExpression when Proxy has set/get/apply trap
+    hasProxySetTrap: false, // set when Proxy specifically has a 'set' trap (data interception)
+    hasRequireCacheRead: false,  // set when require.cache is accessed (read)
+    hasRequireCacheWrite: false, // set when require.cache exports are modified
+    requireCacheVars: new Set(), // variables assigned from require.cache[...]
+    proxyHandlerVars: new Set(),  // variables assigned object literals with set/get/apply/construct traps
+    stringBuildVars: new Set(),   // variables assigned from BinaryExpression with '+' (string concat)
     // C10: Hash verification — legitimate binary installers verify checksums
     // Requires BOTH createHash() call AND .digest() call — false positives from
     // standalone mentions of 'sha256' or 'integrity' in comments/descriptions

package/src/scanner/dataflow.js

@@ -205,9 +205,17 @@ function analyzeFile(content, filePath, basePath) {
   // Fix #23: Function param tainting — track function declarations
   const functionDefs = new Map(); // functionName → { params: [paramNames] }
 
+  // Fix #24: Callback exposure — track function parameters (potential callbacks)
+  // When a callback parameter is invoked with tainted data, it's credential exposure.
+  const callbackParams = new Set(); // parameter names of enclosing functions
+  const callbackExposures = []; // { callbackName, argName, line }
+
+  // Pre-scan: collect function declarations and callback params BEFORE the main walk.
+  // acorn-walk.simple uses post-order traversal (children before parents), so
+  // FunctionDeclaration handlers fire AFTER CallExpressions inside the function body.
+  // This pre-scan ensures callbackParams and functionDefs are populated before analysis.
   walk.simple(ast, {
     FunctionDeclaration(node) {
-      // Fix #23: Track function declarations for param tainting
       if (node.id && node.id.name && node.params) {
         const paramNames = node.params
           .filter(p => p.type === 'Identifier')
@@ -215,8 +223,16 @@ function analyzeFile(content, filePath, basePath) {
         if (paramNames.length > 0) {
           functionDefs.set(node.id.name, { params: paramNames });
         }
+        // FP fix: skip 1-char parameter names (minified code noise: e, t, n, r, a, b, etc.)
+        // Real callback exposure attacks use descriptive names (callback, handler, cb, fn, done).
+        for (const p of node.params) {
+          if (p.type === 'Identifier' && p.name.length > 1) callbackParams.add(p.name);
+        }
       }
-    },
+    }
+  });
+
+  walk.simple(ast, {
 
     VariableDeclarator(node) {
       // B9: Array destructuring taint propagation: const [data] = [fs.readFileSync('.npmrc')]
@@ -268,6 +284,19 @@ function analyzeFile(content, filePath, basePath) {
             }
           }
         }
+        // Fix #24: Propagate taint through fs.readFileSync/readFile results
+        // const data = fs.readFileSync(npmrc) where npmrc is sensitive → data is tainted
+        if (initNode.type === 'CallExpression' && initNode.callee?.type === 'MemberExpression') {
+          const callProp = initNode.callee.property;
+          if (callProp?.type === 'Identifier' &&
+              (callProp.name === 'readFileSync' || callProp.name === 'readFile')) {
+            const readArg = initNode.arguments[0];
+            if (readArg && isCredentialPath(readArg, sensitivePathVars)) {
+              sensitivePathVars.add(node.id.name);
+            }
+          }
+        }
+
         // B7: Taint propagation through data-preserving wrappers
         if (initNode.type === 'CallExpression') {
           const callee = initNode.callee;
@@ -653,6 +682,22 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
+      // Fix #24: Callback exposure — detect callback(taintedData)
+      // When a function parameter is called with tainted data, it exposes credentials
+      // to the caller (cross-module credential exposure pattern).
+      if (node.callee.type === 'Identifier' && callbackParams.has(node.callee.name) &&
+          node.arguments.length >= 1) {
+        for (const arg of node.arguments) {
+          if (arg.type === 'Identifier' && sensitivePathVars.has(arg.name)) {
+            callbackExposures.push({
+              callbackName: node.callee.name,
+              argName: arg.name,
+              line: node.loc?.start?.line || 0
+            });
+          }
+        }
+      }
+
       // Exec callback: exec('cmd', (err, stdout) => {...}) — output will be used
       if (!execResultNodes.has(node) && node.arguments.length >= 2) {
         const lastArg = node.arguments[node.arguments.length - 1];
@@ -755,6 +800,7 @@ function analyzeFile(content, filePath, basePath) {
   for (const eventName of emitTaintedEvents) {
     const handler = eventHandlers.get(eventName);
     if (handler && handler.hasNetworkSink) {
+      // Same-file emit→on with network sink: full suspicious_dataflow
       sources.push({
         type: 'credential_read',
         name: `EventEmitter.emit('${eventName}')`,
@@ -767,9 +813,31 @@ function analyzeFile(content, filePath, basePath) {
         line: 0,
         taint_tracked: true
       });
+    } else {
+      // Cross-file: tainted data emitted on EventEmitter without same-file listener.
+      // The data is broadcasted to other modules — credential exposure pattern.
+      sinks.push({
+        type: 'network_send',
+        name: `EventEmitter.emit('${eventName}') [cross-module broadcast]`,
+        line: 0,
+        taint_tracked: true
+      });
     }
   }
 
+  // Fix #24: Callback exposure — add sinks for callback invocations with tainted data
+  // FP fix: cap at 5 exposures per file. Real attacks have 1-2 targeted callbacks,
+  // >5 is minified code noise (jspdf, etc.)
+  const cappedExposures = callbackExposures.slice(0, 5);
+  for (const exposure of cappedExposures) {
+    sinks.push({
+      type: 'network_send',
+      name: `${exposure.callbackName}(${exposure.argName}) [callback exposure]`,
+      line: exposure.line,
+      taint_tracked: true
+    });
+  }
+
   // Check if any source or sink was resolved via taint tracking
   const hasTaintTracked = sources.some(s => s.taint_tracked) || sinks.some(s => s.taint_tracked);
 
@@ -804,6 +872,17 @@ function analyzeFile(content, filePath, basePath) {
       }
       if (severity === 'CRITICAL') break;
     }
+    // Fix #24: EventEmitter broadcast and callback exposure sinks are always CRITICAL
+    // when combined with credential sources — the data is being sent to external consumers
+    if (severity !== 'CRITICAL') {
+      const hasExposureSink = exfilSinks.some(s =>
+        s.name.includes('[cross-module broadcast]') || s.name.includes('[callback exposure]')
+      );
+      const hasCredentialSource = sources.some(s => s.type === 'credential_read');
+      if (hasExposureSink && hasCredentialSource) {
+        severity = 'CRITICAL';
+      }
+    }
 
     // Downgrade: if ALL sources are pure telemetry (os.platform, os.arch), cap at HIGH
     const allTelemetryOnly = sources.every(s => s.type === 'telemetry_read');

package/src/scanner/obfuscation.js

@@ -23,7 +23,9 @@ function detectObfuscation(targetPath) {
     // P6: Any JS file > 100KB is overwhelmingly bundled output regardless of directory name.
     // Real obfuscated malware is typically small (<50KB). Catches prettier plugins/, svelte compiler/, etc.
     const isLargeJs = basename.endsWith('.js') && content.length > 100 * 1024;
-    const isPackageOutput = isMinified || isBundled || isInDistOrBuild || isLargeCjsMjs || isLargeJs;
+    // Locale/i18n files legitimately contain invisible Unicode (e.g. Persian ZWNJ U+200C)
+    const isLocaleFile = /(?:^|[/\\])(?:locale|locales|i18n|intl|lang|languages|translations)[/\\]/i.test(relativePath);
+    const isPackageOutput = isMinified || isBundled || isInDistOrBuild || isLargeCjsMjs || isLargeJs || isLocaleFile;
 
     // 1. Ratio code sur une seule ligne (skip .min.js — minification, not obfuscation)
     if (!isMinified) {
@@ -73,11 +75,11 @@ function detectObfuscation(targetPath) {
     // 7. Unicode invisible character injection (GlassWorm — mars 2026)
     // Detects zero-width chars, variation selectors, tag characters embedded in source
     const invisibleCount = countInvisibleUnicode(content);
-    if (invisibleCount >= 3) {
+    if (invisibleCount >= 10) {
       threats.push({
         type: 'unicode_invisible_injection',
         severity: isPackageOutput ? 'LOW' : 'CRITICAL',
-        message: `${invisibleCount} invisible Unicode characters detected (zero-width, variation selectors, tag chars). GlassWorm technique: payload encoded via invisible codepoints.`,
+        message: `${invisibleCount} invisible Unicode characters detected (zero-width, variation selectors, tag chars). Possible hidden payload encoded via invisible codepoints.`,
         file: relativePath
       });
     }
@@ -151,7 +153,7 @@ function hasLargeStringArray(content) {
  * - U+200B, U+200C, U+200D (zero-width space/joiner/non-joiner)
  * - U+FEFF (BOM — only if position > 0; pos 0 is legitimate BOM)
  * - U+2060 (word joiner), U+180E (Mongolian vowel separator)
- * - U+FE00-U+FE0F (variation selectors — GlassWorm 256-value encoding)
+ * - U+FE00-U+FE0E (variation selectors — excludes U+FE0F emoji presentation selector)
  * - U+E0100-U+E01EF (variation selectors supplement)
  * - U+E0001-U+E007F (tag characters)
  */
@@ -168,8 +170,8 @@ function countInvisibleUnicode(content) {
     else if (cp === 0xFEFF && i > 0) {
       count++;
     }
-    // BMP variation selectors (U+FE00-U+FE0F)
-    else if (cp >= 0xFE00 && cp <= 0xFE0F) {
+    // BMP variation selectors (U+FE00-U+FE0E) — excludes U+FE0F (emoji presentation selector)
+    else if (cp >= 0xFE00 && cp <= 0xFE0E) {
       count++;
     }
     // Supplementary plane: variation selectors supplement (U+E0100-U+E01EF)

package/src/scanner/package.js

@@ -103,6 +103,19 @@ async function scanPackageJson(targetPath) {
         }
       }
 
+      // Escalate: lifecycle script targeting node_modules/ — payload hiding technique.
+      // Legitimate postinstall scripts run from the package's own directory, not from node_modules/.
+      // Lazarus/DPRK interview attacks hide payloads in node_modules/.cache/ or similar paths.
+      if (['preinstall', 'install', 'postinstall'].includes(scriptName) &&
+          /\bnode_modules[\/\\]/.test(scriptContent)) {
+        threats.push({
+          type: 'lifecycle_hidden_payload',
+          severity: 'CRITICAL',
+          message: `Critical: "${scriptName}" targets file inside node_modules/ — payload hiding technique to evade scanners.`,
+          file: 'package.json'
+        });
+      }
+
       // Detect Bun runtime evasion in lifecycle scripts (Shai-Hulud 2.0)
       if (/\bbun\s+(run|exec|install|x)\b/.test(scriptContent) || /\bbunx\s+/.test(scriptContent)) {
         threats.push({
@@ -137,6 +150,11 @@ async function scanPackageJson(targetPath) {
       : pkg.bin;
     for (const [cmdName, cmdPath] of Object.entries(binEntries || {})) {
       if (SHADOWED_COMMANDS.has(cmdName)) {
+        // Skip when the package IS the legitimate provider of the command:
+        // 1. Self-name: npm→bin.npm, yarn→bin.yarn
+        // 2. Sibling commands: npm also provides npx → pkg.name in SHADOWED_COMMANDS
+        // Typosquats still caught: 'nmp' declaring bin.npm → 'nmp' not in SHADOWED_COMMANDS → fires
+        if (cmdName === pkg.name || SHADOWED_COMMANDS.has(pkg.name)) continue;
         threats.push({
           type: 'bin_field_hijack',
           severity: 'CRITICAL',

package/src/scoring.js

@@ -131,7 +131,8 @@ const FP_COUNT_THRESHOLDS = {
   // P4: bundled credential_tampering from minified alias resolution (jspdf, lerna)
   credential_tampering: { maxCount: 5, to: 'LOW' },
   // B1 FP reduction: bundled code aliases eval/Function (sinon, storybook, vitest)
-  dangerous_call_eval: { maxCount: 3, from: 'MEDIUM', to: 'LOW' },
+  // FP fix: also cover HIGH severity (setTimeout+stringBuildVar in minified code)
+  dangerous_call_eval: { maxCount: 3, to: 'LOW' },
   // P6: HTTP client libraries (undici, aws-sdk, nodemailer, jsdom) parse Authorization/Bearer headers
   // with 3+ credential regexes. Real harvesters use 1-2 targeted regexes.
   credential_regex_harvest: { maxCount: 2, from: 'HIGH', to: 'LOW' },
@@ -156,14 +157,16 @@ const DIST_EXEMPT_TYPES = new Set([
   'cross_file_dataflow',      // credential read → network exfil across files
   'staged_eval_decode',       // eval(atob(...)) (explicit payload staging)
   'reverse_shell',            // net.Socket + connect + pipe (always malicious)
-  'detached_credential_exfil', // detached process + credential exfil (DPRK/Lazarus)
+  // detached_credential_exfil removed from DIST_EXEMPT: in dist/ files, co-occurrence of
+  // detached_process + env_access + network is coincidental bundler aggregation.
+  // Kept in REACHABILITY_EXEMPT_TYPES (lifecycle invocation is valid).
   'node_modules_write',       // writeFile to node_modules/ (worm propagation)
   'npm_publish_worm',         // exec("npm publish") (worm propagation)
   // Dangerous shell commands in dist/ are real threats, never bundler output
   'dangerous_exec',
   // Compound scoring rules — co-occurrence signals, never FP
-  'crypto_staged_payload', 'lifecycle_typosquat', 'credential_env_exfil',
-  'lifecycle_inline_exec', 'lifecycle_remote_require', 'obfuscated_credential_tampering'
+  'crypto_staged_payload', 'lifecycle_typosquat',
+  'lifecycle_inline_exec', 'lifecycle_remote_require'
   // P6: remote_code_load and proxy_data_intercept removed — in bundled dist/ files,
   // fetch + eval co-occurrence is coincidental (bundler combines HTTP client + template compilation).
   // fetch_decrypt_exec (fetch+decrypt+eval triple) remains exempt — never coincidental.
@@ -181,7 +184,7 @@ const DIST_BUNDLER_ARTIFACT_TYPES = new Set([
   'dynamic_require', 'dynamic_import',
   'obfuscation_detected', 'high_entropy_string', 'possible_obfuscation',
   'js_obfuscation_pattern', 'vm_code_execution',
-  'module_compile', 'module_compile_dynamic',
+  'module_compile', 'module_compile_dynamic', 'unicode_variation_decoder',
   // P7: env_access in dist/ is bundled SDK config reading, not credential theft
   'env_access',
   // P8: Proxy traps in dist/ are state management frameworks (MobX, Vue reactivity, Immer),
@@ -189,7 +192,12 @@ const DIST_BUNDLER_ARTIFACT_TYPES = new Set([
   'proxy_data_intercept',
   // P9: fetch+eval in dist/ is Vite/Webpack code splitting (lazy chunk loading),
   // not remote code execution. Two-notch downgrade (CRITICAL→MEDIUM, HIGH→LOW).
-  'remote_code_load'
+  'remote_code_load',
+  // P10: In dist/ bundles, binary file refs + crypto are coincidental bundler aggregation
+  // (webpack bundles crypto utils alongside image processing). Real steganographic attacks
+  // (flatmap-stream) have these at package root, not dist/. Compound (crypto_staged_payload)
+  // is in DIST_EXEMPT_TYPES so the overall signal is preserved when truly malicious.
+  'staged_binary_payload', 'crypto_decipher'
 ]);
 
 // Types exempt from reachability downgrade — IOC matches, lifecycle, and package-level types.
@@ -222,7 +230,8 @@ const SCORING_COMPOUNDS = [
     requires: ['staged_binary_payload', 'crypto_decipher'],
     severity: 'CRITICAL',
     message: 'Binary file reference + crypto decryption — steganographic payload chain (scoring compound).',
-    fileFrom: 'staged_binary_payload'
+    fileFrom: 'staged_binary_payload',
+    sameFile: true // Real steganographic attacks (flatmap-stream) have crypto+binary in the SAME file
   },
   {
     type: 'lifecycle_typosquat',
@@ -231,13 +240,6 @@ const SCORING_COMPOUNDS = [
     message: 'Lifecycle hook on typosquat package — dependency confusion attack vector (scoring compound).',
     fileFrom: 'typosquat_detected'
   },
-  {
-    type: 'credential_env_exfil',
-    requires: ['credential_tampering', 'env_access'],
-    severity: 'CRITICAL',
-    message: 'Credential path tampering + environment variable access — credential exfiltration chain (scoring compound).',
-    fileFrom: 'credential_tampering'
-  },
   {
     type: 'lifecycle_inline_exec',
     requires: ['lifecycle_script', 'node_inline_exec'],
@@ -252,13 +254,6 @@ const SCORING_COMPOUNDS = [
     message: 'Lifecycle hook loading remote code (require http/https) — supply chain payload delivery (scoring compound).',
     fileFrom: 'network_require'
   },
-  {
-    type: 'obfuscated_credential_tampering',
-    requires: ['credential_tampering', 'obfuscation_detected'],
-    severity: 'CRITICAL',
-    message: 'Obfuscated code + credential path tampering — concealed credential theft (scoring compound).',
-    fileFrom: 'credential_tampering'
-  }
 ];
 
 /**
@@ -284,6 +279,28 @@ function applyCompoundBoosts(threats) {
 
     // Check all required types are present
     if (compound.requires.every(req => typeSet.has(req))) {
+      // Severity gate: at least one component must have severity >= MEDIUM
+      // after FP reductions. If all components were downgraded to LOW,
+      // the compound signal is not strong enough to justify a CRITICAL boost.
+      const hasSignificantComponent = compound.requires.some(req =>
+        threats.some(t => t.type === req && t.severity !== 'LOW')
+      );
+      if (!hasSignificantComponent) continue;
+
+      // Same-file constraint: all required types must appear in at least one common file.
+      // Prevents cross-file coincidental matches (e.g. next.js: staged_binary_payload in
+      // dist/compiled/@vercel/nft/index.js + crypto_decipher in a different file).
+      if (compound.sameFile) {
+        const filesByType = compound.requires.map(req =>
+          new Set(threats.filter(t => t.type === req).map(t => t.file))
+        );
+        // Find intersection of all file sets
+        const commonFiles = [...filesByType[0]].filter(f =>
+          filesByType.every(s => s.has(f))
+        );
+        if (commonFiles.length === 0) continue;
+      }
+
       threats.push({
         type: compound.type,
         severity: compound.severity,
@@ -363,13 +380,10 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
       }
     }
 
-    // require_cache_poison: single hit → HIGH (plugin dedup/hot-reload, not malware)
-    // Malware poisons cache repeatedly; a single access is framework behavior
-    if (t.type === 'require_cache_poison' && t.severity === 'CRITICAL' &&
-        typeCounts.require_cache_poison === 1) {
-      t.reductions.push({ rule: 'cache_poison_single', from: 'CRITICAL', to: 'HIGH' });
-      t.severity = 'HIGH';
-    }
+    // require_cache_poison: single-hit downgrade removed.
+    // The READ/WRITE distinction in ast-detectors already handles the FP case:
+    // READ-only → LOW (hot-reload, introspection), WRITE → CRITICAL (malicious replacement).
+    // A single cache WRITE is genuinely malicious — no downgrade needed.
 
     // Prototype hook: framework class prototypes → MEDIUM
     // Core Node.js prototypes (http.IncomingMessage, net.Socket) stay CRITICAL
@@ -416,9 +430,12 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
     }
 
     // Reachability: findings in files not reachable from entry points → LOW
+    // Exception: .d.ts files are never require()'d by JS but are executed by ts-node/tsx/bun.
+    // Executable code in .d.ts is always malicious — exempt from unreachable downgrade.
+    const isDtsFile = t.file && t.file.endsWith('.d.ts');
     if (reachableFiles && reachableFiles.size > 0 && t.file &&
         !REACHABILITY_EXEMPT_TYPES.has(t.type) &&
-        !isPackageLevelThreat(t)) {
+        !isPackageLevelThreat(t) && !isDtsFile) {
       const normalizedFile = t.file.replace(/\\/g, '/');
       if (!reachableFiles.has(normalizedFile)) {
         t.reductions.push({ rule: 'unreachable', from: t.severity, to: 'LOW' });

package/src/shared/analyze-helper.js

@@ -22,14 +22,29 @@ function analyzeWithDeobfuscation(targetPath, analyzeFileFn, options = {}) {
     if (options.excludedFiles && options.excludedFiles.includes(relativePath)) return;
     if (options.skipDevFiles !== false && isDevFile(relativePath)) return;
 
+    // .d.ts files: strip TypeScript declaration syntax before JS parsing.
+    // Legitimate .d.ts files contain only type declarations (no executable code).
+    // Any require/exec/network calls in a .d.ts are high-confidence malicious payload hiding.
+    let effectiveContent = content;
+    if (file.endsWith('.d.ts')) {
+      effectiveContent = content.split('\n').map(line => {
+        const trimmed = line.trim();
+        // Strip lines that are pure TypeScript declarations (Acorn can't parse these)
+        if (/^export\s+declare\s+/.test(trimmed)) return '// [ts-stripped]';
+        if (/^declare\s+(function|class|const|let|var|type|interface|enum|namespace|module|global)\s/.test(trimmed)) return '// [ts-stripped]';
+        if (/^(export\s+)?(type|interface)\s/.test(trimmed)) return '// [ts-stripped]';
+        return line;
+      }).join('\n');
+    }
+
     // Analyze original code first (preserves obfuscation-detection rules)
-    const fileThreats = analyzeFileFn(content, file, targetPath);
+    const fileThreats = analyzeFileFn(effectiveContent, file, targetPath);
     threats.push(...fileThreats);
 
     // Also analyze deobfuscated code for additional findings hidden by obfuscation
     if (typeof options.deobfuscate === 'function') {
       try {
-        const result = options.deobfuscate(content);
+        const result = options.deobfuscate(effectiveContent);
         if (result.transforms.length > 0) {
           const deobThreats = analyzeFileFn(result.code, file, targetPath);
           const existingKeys = new Set(fileThreats.map(t => `${t.type}::${t.message}`));

package/src/utils.js

@@ -183,7 +183,9 @@ function _findFilesImpl(dir, { extensions, excludedDirs, maxDepth, results, visi
  * @returns {string[]} List of .js file paths
  */
 function findJsFiles(dir, results = []) {
-  return findFiles(dir, { extensions: ['.js', '.mjs', '.cjs'], results });
+  // .d.ts included: legitimate .d.ts files never contain require/exec/network calls,
+  // so any executable code in .d.ts is a high-confidence malicious payload hiding technique.
+  return findFiles(dir, { extensions: ['.js', '.mjs', '.cjs', '.d.ts'], results });
 }
 
 function clearFileListCache() {