muaddib-scanner 2.9.4 → 2.9.6

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines **14 parallel scanners** (134 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **per-file max scoring**, Docker sandbox with **monkey-patching preload** for time-bomb detection, **behavioral anomaly detection**, and **ground truth validation** to detect threats AND guide your response — even before they appear in any IOC database.
+MUAD'DIB combines **14 parallel scanners** (152 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **per-file max scoring**, **compound scoring rules**, Docker sandbox with **monkey-patching preload** for time-bomb detection, **behavioral anomaly detection**, **GlassWorm campaign detection**, and **ground truth validation** to detect threats AND guide your response — even before they appear in any IOC database.
 
 ---
 
@@ -195,14 +195,15 @@ muaddib replay                     # Ground truth validation (46/49 TPR)
 | GitHub Actions | Shai-Hulud backdoor detection |
 | Hash Scanner | Known malicious file hashes |
 
-### 134 detection rules
+### 152 detection rules
 
-All rules are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v262) for the complete rules reference.
+All rules are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v294) for the complete rules reference.
 
 ### Detected campaigns
 
 | Campaign | Status |
 |----------|--------|
+| GlassWorm (2026, 433+ packages) | Detected |
 | Shai-Hulud v1/v2/v3 (2025) | Detected |
 | event-stream (2018) | Detected |
 | eslint-scope (2018) | Detected |
@@ -281,12 +282,12 @@ repos:
 
 | Metric | Result | Details |
 |--------|--------|---------|
-| **Wild TPR** (Datadog 17K) | **88.2%** raw / **~100%** adjusted | 17,922 real malware. 2,077 out-of-scope (phishing, binaries, corrected) |
+| **Wild TPR** (Datadog 17K) | **92.5%** (13,486/14,587 in-scope) | 17,922 packages. 3,335 skipped (no JS). By category: compromised_lib 97.8%, malicious_intent 92.1% |
 | **TPR** (Ground Truth) | **93.9%** (46/49) | 51 real attacks. 3 out-of-scope: browser-only |
-| **FPR** (Benign) | **12.1%** (64/529) | 529 npm packages, real source via `npm pack` |
-| **ADR** (Adversarial + Holdout) | **92.2%** (71/77) | 53 adversarial + 40 holdout (77 available on disk), global threshold=20 |
+| **FPR** (Benign) | **12.9%** (68/529) | 529 npm packages, real source via `npm pack` |
+| **ADR** (Adversarial + Holdout) | **96.3%** (103/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
 
-**2166 tests** across 49 files. **134 rules** (129 RULES + 5 PARANOID).
+**2336 tests** across 50 files. **152 rules** (147 RULES + 5 PARANOID).
 
 > **Methodology caveats:**
 > - TPR measured on 49 Node.js attack samples (3 browser-only excluded from 51 total)
@@ -327,11 +328,11 @@ npm test
 
 ### Testing
 
-- **2166 tests** across 49 modular test files
+- **2336 tests** across 50 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 17,922 real malware samples
 - **Ground truth validation** - 51 real-world attacks (93.9% TPR)
-- **False positive validation** - 12.1% FPR on 529 real npm packages
+- **False positive validation** - 12.9% FPR on 529 real npm packages
 
 ---
 
@@ -347,7 +348,7 @@ npm test
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
 - [Adversarial Evaluation](ADVERSARIAL.md) - Red team samples and ADR results
-- [Security Policy](SECURITY.md) - Detection rules reference (134 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (152 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
 

package/bin/muaddib.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const { exec } = require('child_process');
+const { execFile } = require('child_process');
 const { run } = require('../src/index.js');
 const { updateIOCs } = require('../src/ioc/updater.js');
 const { watch } = require('../src/watch.js');
@@ -160,7 +160,8 @@ for (let i = 0; i < options.length; i++) {
 if (!jsonOutput && !sarifOutput && command !== 'feed' && command !== 'serve') {
   try {
     const currentVersion = require('../package.json').version;
-    exec('npm view muaddib-scanner version', { timeout: 5000 }, (err, stdout) => {
+    const npmBin = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+    execFile(npmBin, ['view', 'muaddib-scanner', 'version'], { timeout: 5000 }, (err, stdout) => {
       if (err) return; // No network or npm unavailable
       const latest = (stdout || '').toString().trim();
       if (!latest || latest === currentVersion) return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.4",
+  "version": "2.9.6",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -186,8 +186,8 @@ function scanParanoid(targetPath) {
           }
         }
       });
-    } catch {
-      // Ignore read/parse errors
+    } catch (e) {
+      debugLog('[PARANOID] AST parse error:', e?.message);
     }
   }
 
@@ -218,8 +218,8 @@ function scanParanoid(targetPath) {
         const relFile = path.relative(targetPath, filePath);
         scanFileContent(filePath, content, relFile);
       }
-    } catch {
-      // Ignore read errors
+    } catch (e) {
+      debugLog('[PARANOID] file read error:', e?.message);
     }
   }
 
@@ -247,8 +247,8 @@ function scanParanoid(targetPath) {
           scanFile(fullPath);
         }
       }
-    } catch {
-      // Ignore walk errors
+    } catch (e) {
+      debugLog('[PARANOID] walkDir error:', e?.message);
     }
   }
 
@@ -550,7 +550,8 @@ async function run(targetPath, options = {}) {
       if (!reachability.skipped) {
         reachableFiles = reachability.reachableFiles;
       }
-    } catch {
+    } catch (e) {
+      debugLog('[REACHABILITY] error:', e?.message);
       // Graceful fallback — treat all files as reachable
     }
   }

package/src/scanner/ast-detectors.js

@@ -1495,10 +1495,15 @@ function handleCallExpression(node, ctx) {
     if (prop.type === 'Identifier' && obj?.type === 'Identifier' &&
         (ctx.globalThisAliases.has(obj.name) || obj.name === 'globalThis' || obj.name === 'global')) {
       ctx.hasEvalInFile = true;
+      // Resolve variable value via stringVarValues (e.g., const f = 'eval'; globalThis[f]())
+      const resolvedValue = ctx.stringVarValues.get(prop.name);
+      const isEvalOrFunction = resolvedValue === 'eval' || resolvedValue === 'Function';
       ctx.threats.push({
         type: 'dangerous_call_eval',
-        severity: 'HIGH',
-        message: `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
+        severity: isEvalOrFunction ? 'CRITICAL' : 'HIGH',
+        message: isEvalOrFunction
+          ? `Resolved indirect ${resolvedValue}() via computed property (${obj.name}[${prop.name}="${resolvedValue}"]) — confirmed eval evasion.`
+          : `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
         file: ctx.relFile
       });
     }

package/src/scanner/deobfuscate.js

@@ -154,6 +154,27 @@ function deobfuscate(sourceCode) {
       const hexResult = tryResolveHexArrayMap(node, sourceCode);
       if (hexResult !== null) {
         replacements.push(hexResult);
+        return;
+      }
+
+      // ---- 5. ARRAY JOIN ----
+      // ['e','v','a','l'].join('') → "eval"
+      if (node.callee?.type === 'MemberExpression' &&
+          node.callee.property?.name === 'join' &&
+          node.callee.object?.type === 'ArrayExpression' &&
+          node.arguments?.length === 1 &&
+          node.arguments[0]?.type === 'Literal' &&
+          node.arguments[0].value === '') {
+        const elements = node.callee.object.elements;
+        if (elements.length > 0 && elements.every(el => el?.type === 'Literal' && typeof el.value === 'string')) {
+          const joined = elements.map(el => el.value).join('');
+          const before = sourceCode.slice(node.start, node.end);
+          replacements.push({
+            start: node.start, end: node.end,
+            value: quoteString(joined),
+            type: 'array_join', before
+          });
+        }
       }
     }
   });

package/src/scanner/shell.js

@@ -1,6 +1,6 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles, forEachSafeFile } = require('../utils.js');
+const { findFiles, forEachSafeFile, debugLog } = require('../utils.js');
 const { MAX_FILE_SIZE } = require('../shared/constants.js');
 
 const SHELL_EXCLUDED_DIRS = ['node_modules', '.git', '.muaddib-cache'];
@@ -56,7 +56,7 @@ function scanFileContent(file, content, targetPath, threats) {
 function findExtensionlessFiles(dir, excludedDirs, results = [], depth = 0) {
   if (depth > 20) return results;
   let items;
-  try { items = fs.readdirSync(dir); } catch { return results; }
+  try { items = fs.readdirSync(dir); } catch (e) { debugLog('[SHELL] readdirSync error:', e?.message); return results; }
 
   for (const item of items) {
     if (excludedDirs.includes(item)) continue;
@@ -69,7 +69,7 @@ function findExtensionlessFiles(dir, excludedDirs, results = [], depth = 0) {
       } else if (lstat.isFile() && !path.extname(item) && lstat.size <= MAX_FILE_SIZE) {
         results.push(fullPath);
       }
-    } catch { /* permission error */ }
+    } catch (e) { debugLog('[SHELL] stat error:', e?.message); }
   }
   return results;
 }
@@ -94,7 +94,7 @@ async function scanShellScripts(targetPath) {
       if (SHEBANG_RE.test(firstLine)) {
         scanFileContent(file, content, targetPath, threats);
       }
-    } catch { /* ignore unreadable files */ }
+    } catch (e) { debugLog('[SHELL] readFile error:', e?.message); }
   }
 
   return threats;

package/src/scoring.js

@@ -279,11 +279,11 @@ function applyCompoundBoosts(threats) {
 
     // Check all required types are present
     if (compound.requires.every(req => typeSet.has(req))) {
-      // Severity gate: at least one component must have severity >= MEDIUM
-      // after FP reductions. If all components were downgraded to LOW,
-      // the compound signal is not strong enough to justify a CRITICAL boost.
+      // Severity gate: at least one component must have had original severity >= MEDIUM.
+      // Uses originalSeverity (pre-FP-reduction) to prevent attackers from
+      // manipulating compound gates via count-threshold or dist-file downgrades.
       const hasSignificantComponent = compound.requires.some(req =>
-        threats.some(t => t.type === req && t.severity !== 'LOW')
+        threats.some(t => t.type === req && (t.originalSeverity || t.severity) !== 'LOW')
       );
       if (!hasSignificantComponent) continue;
 
@@ -323,8 +323,11 @@ const FRAMEWORK_PROTO_RE = new RegExp(
 
 function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
   // Initialize reductions audit trail on each threat
+  // Store original severity before any FP reductions, so compound
+  // severity gates can check pre-reduction severity (GAP 4b).
   for (const t of threats) {
     t.reductions = [];
+    t.originalSeverity = t.severity;
   }
 
   // Count occurrences of each threat type (package-level, across all files)
@@ -384,6 +387,29 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
     // The READ/WRITE distinction in ast-detectors already handles the FP case:
     // READ-only → LOW (hot-reload, introspection), WRITE → CRITICAL (malicious replacement).
     // A single cache WRITE is genuinely malicious — no downgrade needed.
+  }
+
+  // Dilution floor: retain at least one instance at original severity per type
+  // to prevent complete count-threshold dilution by injected benign patterns.
+  // Only applies to types with low maxCount (≤3) and a severity constraint (from field),
+  // where injection of benign patterns is feasible. High-count types (dynamic_require,
+  // env_access) and unconstrained types (suspicious_dataflow) represent legitimate
+  // framework patterns and should allow full downgrade.
+  const restoredTypes = new Set();
+  for (const t of threats) {
+    const lastReduction = t.reductions?.find(r => r.rule === 'count_threshold');
+    if (lastReduction && !restoredTypes.has(t.type)) {
+      const rule = FP_COUNT_THRESHOLDS[t.type];
+      if (rule && rule.from && rule.maxCount <= 3) {
+        t.severity = lastReduction.from;
+        t.reductions = t.reductions.filter(r => r.rule !== 'count_threshold');
+        t.reductions.push({ rule: 'count_threshold_floor', note: 'retained one instance at original severity' });
+        restoredTypes.add(t.type);
+      }
+    }
+  }
+
+  for (const t of threats) {
 
     // Prototype hook: framework class prototypes → MEDIUM
     // Core Node.js prototypes (http.IncomingMessage, net.Socket) stay CRITICAL