muaddib-scanner 2.9.3 → 2.9.5

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines **14 parallel scanners** (134 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **per-file max scoring**, Docker sandbox with **monkey-patching preload** for time-bomb detection, **behavioral anomaly detection**, and **ground truth validation** to detect threats AND guide your response — even before they appear in any IOC database.
+MUAD'DIB combines **14 parallel scanners** (152 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **per-file max scoring**, **compound scoring rules**, Docker sandbox with **monkey-patching preload** for time-bomb detection, **behavioral anomaly detection**, **GlassWorm campaign detection**, and **ground truth validation** to detect threats AND guide your response — even before they appear in any IOC database.
 
 ---
 
@@ -195,14 +195,15 @@ muaddib replay                     # Ground truth validation (46/49 TPR)
 | GitHub Actions | Shai-Hulud backdoor detection |
 | Hash Scanner | Known malicious file hashes |
 
-### 134 detection rules
+### 152 detection rules
 
-All rules are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v262) for the complete rules reference.
+All rules are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v294) for the complete rules reference.
 
 ### Detected campaigns
 
 | Campaign | Status |
 |----------|--------|
+| GlassWorm (2026, 433+ packages) | Detected |
 | Shai-Hulud v1/v2/v3 (2025) | Detected |
 | event-stream (2018) | Detected |
 | eslint-scope (2018) | Detected |
@@ -281,12 +282,12 @@ repos:
 
 | Metric | Result | Details |
 |--------|--------|---------|
-| **Wild TPR** (Datadog 17K) | **88.2%** raw / **~100%** adjusted | 17,922 real malware. 2,077 out-of-scope (phishing, binaries, corrected) |
+| **Wild TPR** (Datadog 17K) | **92.5%** (13,486/14,587 in-scope) | 17,922 packages. 3,335 skipped (no JS). By category: compromised_lib 97.8%, malicious_intent 92.1% |
 | **TPR** (Ground Truth) | **93.9%** (46/49) | 51 real attacks. 3 out-of-scope: browser-only |
-| **FPR** (Benign) | **12.1%** (64/529) | 529 npm packages, real source via `npm pack` |
-| **ADR** (Adversarial + Holdout) | **92.2%** (71/77) | 53 adversarial + 40 holdout (77 available on disk), global threshold=20 |
+| **FPR** (Benign) | **12.9%** (68/529) | 529 npm packages, real source via `npm pack` |
+| **ADR** (Adversarial + Holdout) | **96.3%** (103/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
 
-**2166 tests** across 49 files. **134 rules** (129 RULES + 5 PARANOID).
+**2336 tests** across 50 files. **152 rules** (147 RULES + 5 PARANOID).
 
 > **Methodology caveats:**
 > - TPR measured on 49 Node.js attack samples (3 browser-only excluded from 51 total)
@@ -327,11 +328,11 @@ npm test
 
 ### Testing
 
-- **2166 tests** across 49 modular test files
+- **2336 tests** across 50 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 17,922 real malware samples
 - **Ground truth validation** - 51 real-world attacks (93.9% TPR)
-- **False positive validation** - 12.1% FPR on 529 real npm packages
+- **False positive validation** - 12.9% FPR on 529 real npm packages
 
 ---
 
@@ -347,7 +348,7 @@ npm test
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
 - [Adversarial Evaluation](ADVERSARIAL.md) - Red team samples and ADR results
-- [Security Policy](SECURITY.md) - Detection rules reference (134 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (152 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.3",
+  "version": "2.9.5",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/response/playbooks.js

@@ -349,6 +349,11 @@ const PLAYBOOKS = {
     'pour eviter la detection statique. Technique de vol de GITHUB_TOKEN, NPM_TOKEN, etc. ' +
     'Verifier quelles variables sont accedees et si elles sont exfiltrees.',
 
+  lifecycle_hidden_payload:
+    'CRITIQUE: Le script lifecycle pointe vers un fichier cache dans node_modules/. ' +
+    'Ce pattern est utilise par les attaques DPRK/Lazarus pour cacher le payload dans un repertoire ' +
+    'que les scanners excluent par defaut. Examiner le fichier cible immediatement.',
+
   lifecycle_shell_pipe:
     'CRITIQUE: Le script lifecycle (preinstall/postinstall) pipe du code distant vers un shell (curl | sh). ' +
     'NE PAS installer. Ceci execute du code arbitraire a l\'installation. ' +

package/src/rules/index.js

@@ -649,6 +649,19 @@ const RULES = {
     mitre: 'T1027'
   },
 
+  lifecycle_hidden_payload: {
+    id: 'MUADDIB-PKG-016',
+    name: 'Lifecycle Script Targets Hidden Payload',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Script lifecycle pointe vers un fichier dans node_modules/ — technique de dissimulation de payload. Les scanners excluent node_modules/ par defaut, rendant le payload invisible. Pattern DPRK/Lazarus interview attack.',
+    references: [
+      'https://unit42.paloaltonetworks.com/operation-dream-job/',
+      'https://blog.phylum.io/shai-hulud-npm-worm'
+    ],
+    mitre: 'T1027.009'
+  },
+
   lifecycle_shell_pipe: {
     id: 'MUADDIB-PKG-010',
     name: 'Lifecycle Script Pipes to Shell',

package/src/scanner/ast-detectors.js

@@ -475,6 +475,45 @@ function handleVariableDeclarator(node, ctx) {
       ctx.stringVarValues.set(node.id.name, strVal);
     }
 
+    // Track variables assigned from require.cache[...] (module cache references)
+    // Used to detect writes to cached module exports (require.cache poisoning)
+    if (node.init?.type === 'MemberExpression' && node.init.computed) {
+      const obj = node.init.object;
+      if (obj?.type === 'MemberExpression' &&
+          obj.object?.type === 'Identifier' && obj.object.name === 'require' &&
+          obj.property?.type === 'Identifier' && obj.property.name === 'cache') {
+        ctx.requireCacheVars.add(node.id.name);
+      }
+    }
+
+    // Track variables assigned from BinaryExpression with '+' (string concatenation building)
+    // Used to detect setTimeout(concatVar, delay) — eval via timer with built string
+    // FP fix: only track when at least one operand is demonstrably a string (literal, template,
+    // or known string var). Filters out arithmetic `var e = a + 1` in minified code.
+    if (node.init?.type === 'BinaryExpression' && node.init.operator === '+') {
+      const left = node.init.left;
+      const right = node.init.right;
+      const isStringOperand = (n) =>
+        (n.type === 'Literal' && typeof n.value === 'string') ||
+        n.type === 'TemplateLiteral' ||
+        (n.type === 'Identifier' && ctx.stringVarValues?.has(n.name)) ||
+        (n.type === 'Identifier' && ctx.stringBuildVars?.has(n.name));
+      if (isStringOperand(left) || isStringOperand(right)) {
+        ctx.stringBuildVars.add(node.id.name);
+      }
+    }
+
+    // Track object variables with Proxy trap properties (set/get/apply/construct)
+    // Used to detect new Proxy(target, handlerVar) when handler is not inline
+    if (node.init?.type === 'ObjectExpression') {
+      const hasTrap = node.init.properties?.some(p =>
+        p.key?.type === 'Identifier' && ['set', 'get', 'apply', 'construct'].includes(p.key.name)
+      );
+      if (hasTrap) {
+        ctx.proxyHandlerVars.add(node.id.name);
+      }
+    }
+
     // Track variables assigned from path.join containing .github/workflows
     if (node.init?.type === 'CallExpression' && node.init.callee?.type === 'MemberExpression') {
       const obj = node.init.callee.object;
@@ -1294,6 +1333,29 @@ function handleCallExpression(node, ctx) {
         file: ctx.relFile
       });
     }
+    // BinaryExpression with '+' as first arg = string concatenation for eval via timer
+    else if (firstArg.type === 'BinaryExpression' && firstArg.operator === '+') {
+      ctx.hasEvalInFile = true;
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: 'dangerous_call_eval',
+        severity: 'HIGH',
+        message: `${callName}() with concatenated string argument — eval equivalent, dynamically built code string.`,
+        file: ctx.relFile
+      });
+    }
+    // Identifier arg that was tracked as string value or string concatenation result
+    else if (firstArg.type === 'Identifier' &&
+             (ctx.stringVarValues?.has(firstArg.name) || ctx.stringBuildVars?.has(firstArg.name))) {
+      ctx.hasEvalInFile = true;
+      ctx.hasDynamicExec = true;
+      ctx.threats.push({
+        type: 'dangerous_call_eval',
+        severity: 'HIGH',
+        message: `${callName}() with variable "${firstArg.name}" containing built string — eval equivalent, executes the string as code.`,
+        file: ctx.relFile
+      });
+    }
 
     // Static timer bomb: setTimeout/setInterval with delay > 1 hour (PhantomRaven 48h delay)
     if (node.arguments.length >= 2) {
@@ -1757,8 +1819,17 @@ function handleNewExpression(node, ctx) {
         );
         if (hasTrap) {
           ctx.hasProxyTrap = true;
+          const hasSetTrap = handler.properties?.some(p =>
+            p.key?.type === 'Identifier' && p.key.name === 'set'
+          );
+          if (hasSetTrap) ctx.hasProxySetTrap = true;
         }
       }
+      // Also detect when handler is a variable reference that was tracked as having trap properties
+      if (handler?.type === 'Identifier' && ctx.proxyHandlerVars?.has(handler.name)) {
+        ctx.hasProxyTrap = true;
+        ctx.hasProxySetTrap = true; // proxyHandlerVars tracks objects with any trap including set
+      }
     }
   }
 
@@ -1966,6 +2037,29 @@ function handleAssignmentExpression(node, ctx) {
   if (node.left?.type === 'MemberExpression') {
     const left = node.left;
 
+    // require.cache[...].exports = ... — module cache poisoning WRITE (not just read)
+    // This is always malicious: replacing a core module's exports to intercept all usage.
+    // Also detects: mod.exports.X = ... where mod is from require.cache[...]
+    if (left.property?.type === 'Identifier' && left.property.name === 'exports') {
+      // Direct pattern: require.cache[...].exports = ...
+      const obj = left.object;
+      if (obj?.type === 'MemberExpression' && obj.computed) {
+        const deep = obj.object;
+        if (deep?.type === 'MemberExpression' &&
+            deep.object?.type === 'Identifier' && deep.object.name === 'require' &&
+            deep.property?.type === 'Identifier' && deep.property.name === 'cache') {
+          ctx.hasRequireCacheWrite = true;
+        }
+      }
+    }
+    // Indirect pattern: mod.exports.X = ... where mod = require.cache[...]
+    if (left.object?.type === 'MemberExpression' &&
+        left.object.property?.type === 'Identifier' && left.object.property.name === 'exports' &&
+        left.object.object?.type === 'Identifier' &&
+        ctx.requireCacheVars?.has(left.object.object.name)) {
+      ctx.hasRequireCacheWrite = true;
+    }
+
     // globalThis.fetch = ... or globalThis.XMLHttpRequest = ... (B2: include aliases)
     if (left.object?.type === 'Identifier' &&
         (left.object.name === 'globalThis' || left.object.name === 'global' ||
@@ -2045,15 +2139,11 @@ function handleAssignmentExpression(node, ctx) {
 }
 
 function handleMemberExpression(node, ctx) {
-  // Detect require.cache access
+  // Detect require.cache access — set flag, defer threat emission to handlePostWalk
+  // FP fix: distinguish READ (hot-reload, delete, introspection) from WRITE (.exports = ...)
   if (node.object?.type === 'Identifier' && node.object.name === 'require' &&
       node.property?.type === 'Identifier' && node.property.name === 'cache') {
-    ctx.threats.push({
-      type: 'require_cache_poison',
-      severity: 'CRITICAL',
-      message: 'require.cache accessed — module cache poisoning to hijack or replace core Node.js modules.',
-      file: ctx.relFile
-    });
+    ctx.hasRequireCacheRead = true;
   }
 
   // GlassWorm: track .codePointAt() calls (variation selector decoder pattern)
@@ -2307,11 +2397,15 @@ function handlePostWalk(ctx) {
 
   // Built-in method override + network: console.X = function or Object.defineProperty = function
   // combined with network calls. Monkey-patching built-in APIs for data interception.
+  // CRITICAL when Object.defineProperty itself is reassigned (global hook on all property defs).
   if (ctx.hasBuiltinOverride && ctx.hasNetworkCallInFile) {
+    const isGlobalHook = ctx.hasBuiltinGlobalHook;
     ctx.threats.push({
       type: 'builtin_override_exfil',
-      severity: 'HIGH',
-      message: 'Built-in method override (console/Object.defineProperty) + network call — runtime API hijacking for data interception and exfiltration.',
+      severity: isGlobalHook ? 'CRITICAL' : 'HIGH',
+      message: isGlobalHook
+        ? 'Object.defineProperty reassigned + network call — global hook intercepts all property definitions for credential exfiltration.'
+        : 'Built-in method override (console/Object.defineProperty) + network call — runtime API hijacking for data interception and exfiltration.',
       file: ctx.relFile
     });
   }
@@ -2335,10 +2429,15 @@ function handlePostWalk(ctx) {
     const hasCredentialSignal = ctx.threats.some(t =>
       t.type === 'env_access' || t.type === 'suspicious_dataflow'
     );
+    // CRITICAL when: credential signals co-occur, OR set trap (intercepts all property writes)
+    // A set trap with network call = universal data capture + exfiltration
+    const isCritical = hasCredentialSignal || ctx.hasProxySetTrap;
     ctx.threats.push({
       type: 'proxy_data_intercept',
-      severity: hasCredentialSignal ? 'CRITICAL' : 'HIGH',
-      message: 'Proxy trap (set/get/apply) with network call in same file — data interception and exfiltration via Proxy handler.',
+      severity: isCritical ? 'CRITICAL' : 'HIGH',
+      message: ctx.hasProxySetTrap
+        ? 'Proxy set trap with network call — intercepts ALL property writes for exfiltration via Proxy handler.'
+        : 'Proxy trap (set/get/apply) with network call in same file — data interception and exfiltration via Proxy handler.',
       file: ctx.relFile
     });
   }
@@ -2353,6 +2452,24 @@ function handlePostWalk(ctx) {
     });
   }
 
+  // require.cache: distinguish WRITE (actual poisoning) from READ-only (hot-reload, introspection)
+  // FP fix: READ-only emits LOW (informational), WRITE emits CRITICAL (malicious module replacement).
+  if (ctx.hasRequireCacheWrite) {
+    ctx.threats.push({
+      type: 'require_cache_poison',
+      severity: 'CRITICAL',
+      message: 'require.cache[...].exports = ... — module cache write: replaces core module exports to intercept all callers.',
+      file: ctx.relFile
+    });
+  } else if (ctx.hasRequireCacheRead) {
+    ctx.threats.push({
+      type: 'require_cache_poison',
+      severity: 'LOW',
+      message: 'require.cache accessed — module cache read (hot-reload/introspection pattern).',
+      file: ctx.relFile
+    });
+  }
+
   // DPRK/Lazarus compound: detached background process + credential env access + network
   // Pattern: spawn({detached:true}) reads secrets then exfils via network.
   // This combination is never legitimate — daemons don't read API keys and send them out.

package/src/scanner/ast.js

@@ -120,6 +120,8 @@ function analyzeFile(content, filePath, basePath) {
     hasBuiltinOverride: /\bconsole\s*\.\s*\w+\s*=\s*function/.test(content) ||
                         /\bconsole\s*\[\s*\w+\s*\]\s*=\s*function/.test(content) ||
                         /\bObject\s*\.\s*defineProperty\s*=\s*function/.test(content),
+    // Critical builtin override: Object.defineProperty itself is reassigned (global hook)
+    hasBuiltinGlobalHook: /\bObject\s*\.\s*defineProperty\s*=\s*function/.test(content),
     // Stream interceptor: class extending Transform/Duplex/Writable (data wiretap pattern)
     hasStreamInterceptor: /\bextends\s+(Transform|Duplex|Writable)\b/.test(content),
     // SANDWORM_MODE P2: DNS exfiltration co-occurrence
@@ -157,6 +159,12 @@ function analyzeFile(content, filePath, basePath) {
     hasWasmLoad: /\bWebAssembly\s*\.\s*(compile|instantiate|compileStreaming|instantiateStreaming)\b/.test(content),
     hasWasmHostSink: false,  // set in handleCallExpression when WASM import object contains network/fs sinks
     hasProxyTrap: false,  // set in handleNewExpression when Proxy has set/get/apply trap
+    hasProxySetTrap: false, // set when Proxy specifically has a 'set' trap (data interception)
+    hasRequireCacheRead: false,  // set when require.cache is accessed (read)
+    hasRequireCacheWrite: false, // set when require.cache exports are modified
+    requireCacheVars: new Set(), // variables assigned from require.cache[...]
+    proxyHandlerVars: new Set(),  // variables assigned object literals with set/get/apply/construct traps
+    stringBuildVars: new Set(),   // variables assigned from BinaryExpression with '+' (string concat)
     // C10: Hash verification — legitimate binary installers verify checksums
     // Requires BOTH createHash() call AND .digest() call — false positives from
     // standalone mentions of 'sha256' or 'integrity' in comments/descriptions

package/src/scanner/dataflow.js

@@ -205,9 +205,17 @@ function analyzeFile(content, filePath, basePath) {
   // Fix #23: Function param tainting — track function declarations
   const functionDefs = new Map(); // functionName → { params: [paramNames] }
 
+  // Fix #24: Callback exposure — track function parameters (potential callbacks)
+  // When a callback parameter is invoked with tainted data, it's credential exposure.
+  const callbackParams = new Set(); // parameter names of enclosing functions
+  const callbackExposures = []; // { callbackName, argName, line }
+
+  // Pre-scan: collect function declarations and callback params BEFORE the main walk.
+  // acorn-walk.simple uses post-order traversal (children before parents), so
+  // FunctionDeclaration handlers fire AFTER CallExpressions inside the function body.
+  // This pre-scan ensures callbackParams and functionDefs are populated before analysis.
   walk.simple(ast, {
     FunctionDeclaration(node) {
-      // Fix #23: Track function declarations for param tainting
       if (node.id && node.id.name && node.params) {
         const paramNames = node.params
           .filter(p => p.type === 'Identifier')
@@ -215,8 +223,16 @@ function analyzeFile(content, filePath, basePath) {
         if (paramNames.length > 0) {
           functionDefs.set(node.id.name, { params: paramNames });
         }
+        // FP fix: skip 1-char parameter names (minified code noise: e, t, n, r, a, b, etc.)
+        // Real callback exposure attacks use descriptive names (callback, handler, cb, fn, done).
+        for (const p of node.params) {
+          if (p.type === 'Identifier' && p.name.length > 1) callbackParams.add(p.name);
+        }
       }
-    },
+    }
+  });
+
+  walk.simple(ast, {
 
     VariableDeclarator(node) {
       // B9: Array destructuring taint propagation: const [data] = [fs.readFileSync('.npmrc')]
@@ -268,6 +284,19 @@ function analyzeFile(content, filePath, basePath) {
             }
           }
         }
+        // Fix #24: Propagate taint through fs.readFileSync/readFile results
+        // const data = fs.readFileSync(npmrc) where npmrc is sensitive → data is tainted
+        if (initNode.type === 'CallExpression' && initNode.callee?.type === 'MemberExpression') {
+          const callProp = initNode.callee.property;
+          if (callProp?.type === 'Identifier' &&
+              (callProp.name === 'readFileSync' || callProp.name === 'readFile')) {
+            const readArg = initNode.arguments[0];
+            if (readArg && isCredentialPath(readArg, sensitivePathVars)) {
+              sensitivePathVars.add(node.id.name);
+            }
+          }
+        }
+
         // B7: Taint propagation through data-preserving wrappers
         if (initNode.type === 'CallExpression') {
           const callee = initNode.callee;
@@ -653,6 +682,22 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
+      // Fix #24: Callback exposure — detect callback(taintedData)
+      // When a function parameter is called with tainted data, it exposes credentials
+      // to the caller (cross-module credential exposure pattern).
+      if (node.callee.type === 'Identifier' && callbackParams.has(node.callee.name) &&
+          node.arguments.length >= 1) {
+        for (const arg of node.arguments) {
+          if (arg.type === 'Identifier' && sensitivePathVars.has(arg.name)) {
+            callbackExposures.push({
+              callbackName: node.callee.name,
+              argName: arg.name,
+              line: node.loc?.start?.line || 0
+            });
+          }
+        }
+      }
+
       // Exec callback: exec('cmd', (err, stdout) => {...}) — output will be used
       if (!execResultNodes.has(node) && node.arguments.length >= 2) {
         const lastArg = node.arguments[node.arguments.length - 1];
@@ -755,6 +800,7 @@ function analyzeFile(content, filePath, basePath) {
   for (const eventName of emitTaintedEvents) {
     const handler = eventHandlers.get(eventName);
     if (handler && handler.hasNetworkSink) {
+      // Same-file emit→on with network sink: full suspicious_dataflow
       sources.push({
         type: 'credential_read',
         name: `EventEmitter.emit('${eventName}')`,
@@ -767,9 +813,31 @@ function analyzeFile(content, filePath, basePath) {
         line: 0,
         taint_tracked: true
       });
+    } else {
+      // Cross-file: tainted data emitted on EventEmitter without same-file listener.
+      // The data is broadcasted to other modules — credential exposure pattern.
+      sinks.push({
+        type: 'network_send',
+        name: `EventEmitter.emit('${eventName}') [cross-module broadcast]`,
+        line: 0,
+        taint_tracked: true
+      });
     }
   }
 
+  // Fix #24: Callback exposure — add sinks for callback invocations with tainted data
+  // FP fix: cap at 5 exposures per file. Real attacks have 1-2 targeted callbacks,
+  // >5 is minified code noise (jspdf, etc.)
+  const cappedExposures = callbackExposures.slice(0, 5);
+  for (const exposure of cappedExposures) {
+    sinks.push({
+      type: 'network_send',
+      name: `${exposure.callbackName}(${exposure.argName}) [callback exposure]`,
+      line: exposure.line,
+      taint_tracked: true
+    });
+  }
+
   // Check if any source or sink was resolved via taint tracking
   const hasTaintTracked = sources.some(s => s.taint_tracked) || sinks.some(s => s.taint_tracked);
 
@@ -804,6 +872,17 @@ function analyzeFile(content, filePath, basePath) {
       }
       if (severity === 'CRITICAL') break;
     }
+    // Fix #24: EventEmitter broadcast and callback exposure sinks are always CRITICAL
+    // when combined with credential sources — the data is being sent to external consumers
+    if (severity !== 'CRITICAL') {
+      const hasExposureSink = exfilSinks.some(s =>
+        s.name.includes('[cross-module broadcast]') || s.name.includes('[callback exposure]')
+      );
+      const hasCredentialSource = sources.some(s => s.type === 'credential_read');
+      if (hasExposureSink && hasCredentialSource) {
+        severity = 'CRITICAL';
+      }
+    }
 
     // Downgrade: if ALL sources are pure telemetry (os.platform, os.arch), cap at HIGH
     const allTelemetryOnly = sources.every(s => s.type === 'telemetry_read');

package/src/scanner/package.js

@@ -103,6 +103,19 @@ async function scanPackageJson(targetPath) {
         }
       }
 
+      // Escalate: lifecycle script targeting node_modules/ — payload hiding technique.
+      // Legitimate postinstall scripts run from the package's own directory, not from node_modules/.
+      // Lazarus/DPRK interview attacks hide payloads in node_modules/.cache/ or similar paths.
+      if (['preinstall', 'install', 'postinstall'].includes(scriptName) &&
+          /\bnode_modules[\/\\]/.test(scriptContent)) {
+        threats.push({
+          type: 'lifecycle_hidden_payload',
+          severity: 'CRITICAL',
+          message: `Critical: "${scriptName}" targets file inside node_modules/ — payload hiding technique to evade scanners.`,
+          file: 'package.json'
+        });
+      }
+
       // Detect Bun runtime evasion in lifecycle scripts (Shai-Hulud 2.0)
       if (/\bbun\s+(run|exec|install|x)\b/.test(scriptContent) || /\bbunx\s+/.test(scriptContent)) {
         threats.push({

package/src/scoring.js

@@ -131,7 +131,8 @@ const FP_COUNT_THRESHOLDS = {
   // P4: bundled credential_tampering from minified alias resolution (jspdf, lerna)
   credential_tampering: { maxCount: 5, to: 'LOW' },
   // B1 FP reduction: bundled code aliases eval/Function (sinon, storybook, vitest)
-  dangerous_call_eval: { maxCount: 3, from: 'MEDIUM', to: 'LOW' },
+  // FP fix: also cover HIGH severity (setTimeout+stringBuildVar in minified code)
+  dangerous_call_eval: { maxCount: 3, to: 'LOW' },
   // P6: HTTP client libraries (undici, aws-sdk, nodemailer, jsdom) parse Authorization/Bearer headers
   // with 3+ credential regexes. Real harvesters use 1-2 targeted regexes.
   credential_regex_harvest: { maxCount: 2, from: 'HIGH', to: 'LOW' },
@@ -379,13 +380,10 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
       }
     }
 
-    // require_cache_poison: single hit → HIGH (plugin dedup/hot-reload, not malware)
-    // Malware poisons cache repeatedly; a single access is framework behavior
-    if (t.type === 'require_cache_poison' && t.severity === 'CRITICAL' &&
-        typeCounts.require_cache_poison === 1) {
-      t.reductions.push({ rule: 'cache_poison_single', from: 'CRITICAL', to: 'HIGH' });
-      t.severity = 'HIGH';
-    }
+    // require_cache_poison: single-hit downgrade removed.
+    // The READ/WRITE distinction in ast-detectors already handles the FP case:
+    // READ-only → LOW (hot-reload, introspection), WRITE → CRITICAL (malicious replacement).
+    // A single cache WRITE is genuinely malicious — no downgrade needed.
 
     // Prototype hook: framework class prototypes → MEDIUM
     // Core Node.js prototypes (http.IncomingMessage, net.Socket) stay CRITICAL
@@ -432,9 +430,12 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
     }
 
     // Reachability: findings in files not reachable from entry points → LOW
+    // Exception: .d.ts files are never require()'d by JS but are executed by ts-node/tsx/bun.
+    // Executable code in .d.ts is always malicious — exempt from unreachable downgrade.
+    const isDtsFile = t.file && t.file.endsWith('.d.ts');
     if (reachableFiles && reachableFiles.size > 0 && t.file &&
         !REACHABILITY_EXEMPT_TYPES.has(t.type) &&
-        !isPackageLevelThreat(t)) {
+        !isPackageLevelThreat(t) && !isDtsFile) {
       const normalizedFile = t.file.replace(/\\/g, '/');
       if (!reachableFiles.has(normalizedFile)) {
         t.reductions.push({ rule: 'unreachable', from: t.severity, to: 'LOW' });

package/src/shared/analyze-helper.js

@@ -22,14 +22,29 @@ function analyzeWithDeobfuscation(targetPath, analyzeFileFn, options = {}) {
     if (options.excludedFiles && options.excludedFiles.includes(relativePath)) return;
     if (options.skipDevFiles !== false && isDevFile(relativePath)) return;
 
+    // .d.ts files: strip TypeScript declaration syntax before JS parsing.
+    // Legitimate .d.ts files contain only type declarations (no executable code).
+    // Any require/exec/network calls in a .d.ts are high-confidence malicious payload hiding.
+    let effectiveContent = content;
+    if (file.endsWith('.d.ts')) {
+      effectiveContent = content.split('\n').map(line => {
+        const trimmed = line.trim();
+        // Strip lines that are pure TypeScript declarations (Acorn can't parse these)
+        if (/^export\s+declare\s+/.test(trimmed)) return '// [ts-stripped]';
+        if (/^declare\s+(function|class|const|let|var|type|interface|enum|namespace|module|global)\s/.test(trimmed)) return '// [ts-stripped]';
+        if (/^(export\s+)?(type|interface)\s/.test(trimmed)) return '// [ts-stripped]';
+        return line;
+      }).join('\n');
+    }
+
     // Analyze original code first (preserves obfuscation-detection rules)
-    const fileThreats = analyzeFileFn(content, file, targetPath);
+    const fileThreats = analyzeFileFn(effectiveContent, file, targetPath);
     threats.push(...fileThreats);
 
     // Also analyze deobfuscated code for additional findings hidden by obfuscation
     if (typeof options.deobfuscate === 'function') {
       try {
-        const result = options.deobfuscate(content);
+        const result = options.deobfuscate(effectiveContent);
         if (result.transforms.length > 0) {
           const deobThreats = analyzeFileFn(result.code, file, targetPath);
           const existingKeys = new Set(fileThreats.map(t => `${t.type}::${t.message}`));

package/src/utils.js

@@ -183,7 +183,9 @@ function _findFilesImpl(dir, { extensions, excludedDirs, maxDepth, results, visi
  * @returns {string[]} List of .js file paths
  */
 function findJsFiles(dir, results = []) {
-  return findFiles(dir, { extensions: ['.js', '.mjs', '.cjs'], results });
+  // .d.ts included: legitimate .d.ts files never contain require/exec/network calls,
+  // so any executable code in .d.ts is a high-confidence malicious payload hiding technique.
+  return findFiles(dir, { extensions: ['.js', '.mjs', '.cjs', '.d.ts'], results });
 }
 
 function clearFileListCache() {