muaddib-scanner 2.9.4 → 2.9.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +11 -10
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -30,7 +30,7 @@
30
30
 
31
31
  npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
32
32
 
33
- MUAD'DIB combines **14 parallel scanners** (134 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **per-file max scoring**, Docker sandbox with **monkey-patching preload** for time-bomb detection, **behavioral anomaly detection**, and **ground truth validation** to detect threats AND guide your response — even before they appear in any IOC database.
33
+ MUAD'DIB combines **14 parallel scanners** (152 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **per-file max scoring**, **compound scoring rules**, Docker sandbox with **monkey-patching preload** for time-bomb detection, **behavioral anomaly detection**, **GlassWorm campaign detection**, and **ground truth validation** to detect threats AND guide your response — even before they appear in any IOC database.
34
34
 
35
35
  ---
36
36
 
@@ -195,14 +195,15 @@ muaddib replay # Ground truth validation (46/49 TPR)
195
195
  | GitHub Actions | Shai-Hulud backdoor detection |
196
196
  | Hash Scanner | Known malicious file hashes |
197
197
 
198
- ### 134 detection rules
198
+ ### 152 detection rules
199
199
 
200
- All rules are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v262) for the complete rules reference.
200
+ All rules are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v294) for the complete rules reference.
201
201
 
202
202
  ### Detected campaigns
203
203
 
204
204
  | Campaign | Status |
205
205
  |----------|--------|
206
+ | GlassWorm (2026, 433+ packages) | Detected |
206
207
  | Shai-Hulud v1/v2/v3 (2025) | Detected |
207
208
  | event-stream (2018) | Detected |
208
209
  | eslint-scope (2018) | Detected |
@@ -281,12 +282,12 @@ repos:
281
282
 
282
283
  | Metric | Result | Details |
283
284
  |--------|--------|---------|
284
- | **Wild TPR** (Datadog 17K) | **88.2%** raw / **~100%** adjusted | 17,922 real malware. 2,077 out-of-scope (phishing, binaries, corrected) |
285
+ | **Wild TPR** (Datadog 17K) | **92.5%** (13,486/14,587 in-scope) | 17,922 packages. 3,335 skipped (no JS). By category: compromised_lib 97.8%, malicious_intent 92.1% |
285
286
  | **TPR** (Ground Truth) | **93.9%** (46/49) | 51 real attacks. 3 out-of-scope: browser-only |
286
- | **FPR** (Benign) | **12.1%** (64/529) | 529 npm packages, real source via `npm pack` |
287
- | **ADR** (Adversarial + Holdout) | **92.2%** (71/77) | 53 adversarial + 40 holdout (77 available on disk), global threshold=20 |
287
+ | **FPR** (Benign) | **12.9%** (68/529) | 529 npm packages, real source via `npm pack` |
288
+ | **ADR** (Adversarial + Holdout) | **96.3%** (103/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
288
289
 
289
- **2166 tests** across 49 files. **134 rules** (129 RULES + 5 PARANOID).
290
+ **2336 tests** across 50 files. **152 rules** (147 RULES + 5 PARANOID).
290
291
 
291
292
  > **Methodology caveats:**
292
293
  > - TPR measured on 49 Node.js attack samples (3 browser-only excluded from 51 total)
@@ -327,11 +328,11 @@ npm test
327
328
 
328
329
  ### Testing
329
330
 
330
- - **2166 tests** across 49 modular test files
331
+ - **2336 tests** across 50 modular test files
331
332
  - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
332
333
  - **Datadog 17K benchmark** - 17,922 real malware samples
333
334
  - **Ground truth validation** - 51 real-world attacks (93.9% TPR)
334
- - **False positive validation** - 12.1% FPR on 529 real npm packages
335
+ - **False positive validation** - 12.9% FPR on 529 real npm packages
335
336
 
336
337
  ---
337
338
 
@@ -347,7 +348,7 @@ npm test
347
348
  - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
348
349
  - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
349
350
  - [Adversarial Evaluation](ADVERSARIAL.md) - Red team samples and ADR results
350
- - [Security Policy](SECURITY.md) - Detection rules reference (134 rules)
351
+ - [Security Policy](SECURITY.md) - Detection rules reference (152 rules)
351
352
  - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
352
353
  - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
353
354
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "muaddib-scanner",
3
- "version": "2.9.4",
3
+ "version": "2.9.5",
4
4
  "description": "Supply-chain threat detection & response for npm & PyPI/Python",
5
5
  "main": "src/index.js",
6
6
  "bin": {