muaddib-scanner 2.9.7 → 2.9.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.7",
+  "version": "2.9.9",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/scripts/sample-npm-random.js

@@ -0,0 +1,339 @@
+#!/usr/bin/env node
+/**
+ * MUAD'DIB — npm Random Package Sampler
+ *
+ * Samples 200 packages from the npm registry by stratified random sampling.
+ * Used to measure FPR on a representative npm sample (not curated).
+ *
+ * Strata (by dependency count):
+ *   small  (<10 deps):   80 packages  (40%)
+ *   medium (10-50 deps):  60 packages  (30%)
+ *   large  (50-100 deps): 40 packages  (20%)
+ *   vlarge (100+ deps):   20 packages  (10%)
+ *
+ * Exclusions: @types/*, deprecated, already in packages-npm.txt
+ *
+ * Usage:
+ *   node scripts/sample-npm-random.js [--seed N] [--output path]
+ */
+
+const https = require('https');
+const fs = require('fs');
+const path = require('path');
+
+const ROOT = path.join(__dirname, '..');
+const CURATED_FILE = path.join(ROOT, 'datasets', 'benign', 'packages-npm.txt');
+const DEFAULT_OUTPUT = path.join(ROOT, 'datasets', 'benign', 'packages-npm-random.txt');
+
+const STRATA = {
+  small:  { min: 0,   max: 9,   quota: 80 },
+  medium: { min: 10,  max: 50,  quota: 60 },
+  large:  { min: 51,  max: 100, quota: 40 },
+  vlarge: { min: 101, max: Infinity, quota: 20 }
+};
+
+// Search keywords — diverse enough to sample across npm
+const SEARCH_KEYWORDS = [
+  'util', 'helper', 'config', 'server', 'client', 'api', 'data',
+  'file', 'string', 'array', 'json', 'http', 'url', 'path', 'stream',
+  'log', 'debug', 'test', 'mock', 'format', 'parse', 'transform',
+  'crypto', 'hash', 'encode', 'decode', 'compress', 'cache', 'queue',
+  'event', 'promise', 'async', 'callback', 'middleware', 'router',
+  'database', 'mongo', 'redis', 'sql', 'orm', 'schema', 'validate',
+  'cli', 'terminal', 'color', 'progress', 'spinner', 'prompt',
+  'image', 'pdf', 'csv', 'xml', 'yaml', 'markdown', 'html',
+  'email', 'auth', 'token', 'session', 'cookie', 'proxy',
+  'date', 'time', 'math', 'random', 'uuid', 'id', 'slug',
+  'webpack', 'babel', 'eslint', 'prettier', 'rollup', 'vite',
+  'react', 'vue', 'angular', 'svelte', 'solid', 'preact',
+  'express', 'koa', 'fastify', 'socket', 'graphql', 'rest',
+  'aws', 'azure', 'gcp', 'docker', 'kubernetes', 'ci',
+  'i18n', 'locale', 'charset', 'buffer', 'binary', 'hex',
+  'retry', 'timeout', 'rate', 'limit', 'throttle', 'debounce',
+  'merge', 'deep', 'clone', 'diff', 'patch', 'compare',
+  'glob', 'pattern', 'regex', 'match', 'search', 'filter',
+  'tree', 'graph', 'list', 'map', 'set', 'stack',
+  'plugin', 'loader', 'adapter', 'wrapper', 'bridge', 'connector'
+];
+
+// Seeded PRNG (mulberry32) for reproducibility
+function mulberry32(seed) {
+  return function() {
+    seed |= 0; seed = seed + 0x6D2B79F5 | 0;
+    let t = Math.imul(seed ^ seed >>> 15, 1 | seed);
+    t = t + Math.imul(t ^ t >>> 7, 61 | t) ^ t;
+    return ((t ^ t >>> 14) >>> 0) / 4294967296;
+  };
+}
+
+function shuffleArray(arr, rng) {
+  for (let i = arr.length - 1; i > 0; i--) {
+    const j = Math.floor(rng() * (i + 1));
+    [arr[i], arr[j]] = [arr[j], arr[i]];
+  }
+  return arr;
+}
+
+function httpsGet(url) {
+  return new Promise((resolve, reject) => {
+    const req = https.get(url, { timeout: 15000 }, (res) => {
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        httpsGet(res.headers.location).then(resolve).catch(reject);
+        return;
+      }
+      if (res.statusCode !== 200) {
+        res.resume();
+        reject(new Error(`HTTP ${res.statusCode} for ${url}`));
+        return;
+      }
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        try { resolve(JSON.parse(data)); }
+        catch (e) { reject(new Error(`JSON parse error: ${e.message}`)); }
+      });
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('timeout')); });
+  });
+}
+
+/**
+ * Search npm registry for packages matching a keyword.
+ * Returns array of { name, version } objects.
+ */
+async function searchNpm(keyword, from = 0, size = 250) {
+  const url = `https://registry.npmjs.org/-/v1/search?text=${encodeURIComponent(keyword)}&size=${size}&from=${from}`;
+  try {
+    const data = await httpsGet(url);
+    return (data.objects || []).map(o => ({
+      name: o.package.name,
+      version: o.package.version,
+      description: o.package.description || '',
+      deprecated: o.package.deprecated || false
+    }));
+  } catch (err) {
+    console.error(`  [WARN] npm search "${keyword}" failed: ${err.message}`);
+    return [];
+  }
+}
+
+/**
+ * Get dependency count for a package via npm view.
+ * Returns { deps, devDeps } or null on failure.
+ */
+async function getDepCount(pkgName) {
+  const url = `https://registry.npmjs.org/${encodeURIComponent(pkgName)}/latest`;
+  try {
+    const data = await httpsGet(url);
+    const deps = data.dependencies ? Object.keys(data.dependencies).length : 0;
+    const devDeps = data.devDependencies ? Object.keys(data.devDependencies).length : 0;
+    return { deps, devDeps, totalDeps: deps + devDeps };
+  } catch {
+    return null;
+  }
+}
+
+function classifyStratum(depCount) {
+  for (const [name, { min, max }] of Object.entries(STRATA)) {
+    if (depCount >= min && depCount <= max) return name;
+  }
+  return 'small';
+}
+
+function loadCuratedPackages() {
+  try {
+    return new Set(
+      fs.readFileSync(CURATED_FILE, 'utf8')
+        .split(/\r?\n/)
+        .map(l => l.trim())
+        .filter(l => l && !l.startsWith('#'))
+    );
+  } catch {
+    return new Set();
+  }
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+  let seed = 42;
+  let outputPath = DEFAULT_OUTPUT;
+
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--seed' && args[i + 1]) { seed = parseInt(args[i + 1], 10); i++; }
+    if (args[i] === '--output' && args[i + 1]) { outputPath = args[i + 1]; i++; }
+  }
+
+  const rng = mulberry32(seed);
+  const curated = loadCuratedPackages();
+  console.log(`  Loaded ${curated.size} curated packages to exclude`);
+  console.log(`  Seed: ${seed}`);
+
+  // Phase 1: Collect candidate packages from npm search
+  console.log(`\n  [1/3] Collecting candidates from npm search...`);
+  const candidates = new Map(); // name -> { name, version, description }
+  const shuffledKeywords = shuffleArray([...SEARCH_KEYWORDS], rng);
+
+  for (let i = 0; i < shuffledKeywords.length; i++) {
+    const keyword = shuffledKeywords[i];
+    if (process.stdout.isTTY) {
+      process.stdout.write(`\r  Searching "${keyword}" (${i + 1}/${shuffledKeywords.length})...          `);
+    }
+
+    // Search with random offset for diversity
+    const offset = Math.floor(rng() * 200);
+    const results = await searchNpm(keyword, offset, 250);
+
+    for (const pkg of results) {
+      // Exclusion filters
+      if (candidates.has(pkg.name)) continue;
+      if (curated.has(pkg.name)) continue;
+      if (pkg.name.startsWith('@types/')) continue;
+      if (pkg.deprecated) continue;
+      if (pkg.name.startsWith('_')) continue;
+
+      candidates.set(pkg.name, pkg);
+    }
+
+    // Stop early if we have enough candidates
+    if (candidates.size >= 2000) break;
+
+    // Rate limiting: ~100ms between requests
+    await new Promise(r => setTimeout(r, 100));
+  }
+
+  if (process.stdout.isTTY) {
+    process.stdout.write('\r' + ''.padEnd(80) + '\r');
+  }
+  console.log(`  Collected ${candidates.size} unique candidates`);
+
+  // Phase 2: Classify by dependency count
+  // Over-collect: allow 2x quota per stratum to enable backfill
+  console.log(`\n  [2/3] Classifying by dependency count...`);
+  const buckets = { small: [], medium: [], large: [], vlarge: [] };
+  const candidateList = shuffleArray([...candidates.keys()], rng);
+
+  const totalQuota = Object.values(STRATA).reduce((s, v) => s + v.quota, 0);
+  let classified = 0;
+  let processed = 0;
+  // Over-collect limit: 2x quota per stratum to provide backfill pool
+  const OVER_COLLECT = 2;
+
+  for (const pkgName of candidateList) {
+    // Check if all buckets have enough for backfill
+    const allOverCollected = Object.entries(STRATA).every(
+      ([name, { quota }]) => buckets[name].length >= quota * OVER_COLLECT
+    );
+    if (allOverCollected) break;
+
+    processed++;
+    if (process.stdout.isTTY && processed % 10 === 0) {
+      const bucketStatus = Object.entries(buckets).map(([k, v]) => `${k}:${v.length}/${STRATA[k].quota}`).join(' ');
+      process.stdout.write(`\r  Classifying [${processed}/${candidateList.length}] ${bucketStatus}          `);
+    }
+
+    const info = await getDepCount(pkgName);
+    if (!info) continue;
+
+    const stratum = classifyStratum(info.totalDeps);
+    if (buckets[stratum].length < STRATA[stratum].quota * OVER_COLLECT) {
+      buckets[stratum].push({ name: pkgName, deps: info.totalDeps, stratum });
+      classified++;
+    }
+
+    // Rate limiting
+    await new Promise(r => setTimeout(r, 50));
+  }
+
+  if (process.stdout.isTTY) {
+    process.stdout.write('\r' + ''.padEnd(80) + '\r');
+  }
+
+  // Phase 3: Output with backfill
+  // If large/vlarge strata can't meet quota, redistribute remaining slots
+  // to small/medium proportionally (reflects real npm distribution).
+  console.log(`\n  [3/3] Writing results...`);
+  const selected = [];
+  let deficit = 0;
+  for (const [name, { quota }] of Object.entries(STRATA)) {
+    const actual = Math.min(buckets[name].length, quota);
+    console.log(`    ${name}: ${actual}/${quota} packages`);
+    selected.push(...buckets[name].slice(0, actual));
+    deficit += quota - actual;
+  }
+
+  // Backfill deficit from small/medium overflow (proportional)
+  if (deficit > 0) {
+    console.log(`    Backfilling ${deficit} slots from small/medium overflow...`);
+    const backfillSources = ['small', 'medium']; // priority order
+    for (const src of backfillSources) {
+      if (deficit <= 0) break;
+      const overflow = buckets[src].slice(STRATA[src].quota);
+      const take = Math.min(overflow.length, deficit);
+      if (take > 0) {
+        selected.push(...overflow.slice(0, take));
+        deficit -= take;
+        console.log(`      +${take} from ${src} overflow`);
+      }
+    }
+  }
+
+  const totalSelected = selected.length;
+  console.log(`\n  Total: ${totalSelected}/200 packages`);
+
+  if (totalSelected < 200) {
+    console.warn(`\n  [WARN] Only ${totalSelected} packages found. Re-run with different --seed or add more search keywords.`);
+  }
+
+  // Write output file
+  // Use a Set to track already-written packages (avoid duplication from backfill)
+  const writtenNames = new Set();
+  const header = [
+    '# MUAD\'DIB Benign Random Dataset — npm stratified random sample',
+    `# Generated: ${new Date().toISOString()}`,
+    `# Seed: ${seed}`,
+    `# Total: ${totalSelected} packages`,
+    '# Strata: small (<10 deps): 80, medium (10-50): 60, large (51-100): 40, vlarge (100+): 20',
+    '# Backfill: unfilled large/vlarge slots redistributed to small/medium',
+    '# Used by `muaddib evaluate` to measure FPR on representative npm sample',
+    ''
+  ];
+
+  const lines = [];
+  for (const [name, { quota }] of Object.entries(STRATA)) {
+    const actual = Math.min(buckets[name].length, quota);
+    lines.push(`# === ${name} (${actual}/${quota}) ===`);
+    for (const pkg of buckets[name].slice(0, actual)) {
+      lines.push(pkg.name);
+      writtenNames.add(pkg.name);
+    }
+    lines.push('');
+  }
+
+  // Backfill section (additional packages from overflow)
+  const backfillPkgs = selected.filter(p => !writtenNames.has(p.name));
+  if (backfillPkgs.length > 0) {
+    lines.push(`# === backfill (${backfillPkgs.length}) ===`);
+    for (const pkg of backfillPkgs) {
+      lines.push(pkg.name);
+    }
+    lines.push('');
+  }
+
+  fs.mkdirSync(path.dirname(outputPath), { recursive: true });
+  fs.writeFileSync(outputPath, header.join('\n') + lines.join('\n'));
+  console.log(`  Written to: ${path.relative(ROOT, outputPath)}`);
+
+  // Verify no overlap with curated
+  const overlap = selected.filter(p => curated.has(p.name));
+  if (overlap.length > 0) {
+    console.error(`\n  [ERROR] ${overlap.length} packages overlap with curated corpus: ${overlap.map(p => p.name).join(', ')}`);
+  } else {
+    console.log('  No overlap with curated corpus');
+  }
+}
+
+main().catch(err => {
+  console.error(`[ERROR] ${err.message}`);
+  process.exit(1);
+});

package/src/config.js

@@ -205,12 +205,23 @@ function validateConfig(raw) {
 
 /**
  * Resolve which config file to load.
- * Priority: --config <path> > .muaddibrc.json at targetPath root
+ * Priority: --config <path> > ~/.muaddibrc.json > CWD/.muaddibrc.json (if CWD ≠ targetPath)
+ *
+ * SECURITY: NEVER auto-detect config from targetPath (the scanned directory).
+ * An attacker can place .muaddibrc.json in their npm package with
+ * severityWeights: {critical:0, high:0, medium:0, low:0} to neutralize the scanner.
+ * Only load config from trusted locations:
+ * - Explicit --config <path>
+ * - User home directory (~/.muaddibrc.json)
+ * - CWD, but ONLY when CWD is different from the scan target
+ *
  * @param {string} targetPath - scan target directory
  * @param {string|null} configPath - explicit --config path (or null)
  * @returns {{ config: object|null, warnings: string[], errors: string[], source: string|null }}
  */
 function resolveConfig(targetPath, configPath) {
+  const warnings = [];
+
   // Explicit --config path
   if (configPath) {
     const absPath = path.isAbsolute(configPath) ? configPath : path.resolve(configPath);
@@ -229,22 +240,39 @@ function resolveConfig(targetPath, configPath) {
     return result;
   }
 
-  // Auto-detect .muaddibrc.json at target root
-  const rcPath = path.join(targetPath, '.muaddibrc.json');
-  if (!fs.existsSync(rcPath)) {
-    return { config: null, warnings: [], errors: [], source: null };
+  // SECURITY: Warn if .muaddibrc.json is found INSIDE the scanned package (informational only)
+  const targetRcPath = path.join(targetPath, '.muaddibrc.json');
+  if (fs.existsSync(targetRcPath)) {
+    warnings.push('[SECURITY] .muaddibrc.json found inside scanned package — ignored (potential config neutralization attack)');
   }
-  const { raw, error } = loadConfigFile(rcPath);
-  if (error) {
-    // Auto-detected config with errors is a warning, not a fatal error
-    return { config: null, warnings: [`[CONFIG] ${error} — .muaddibrc.json ignored`], errors: [], source: null };
-  }
-  const result = validateConfig(raw);
-  if (result.config) {
-    result.warnings.unshift('Loaded custom thresholds from .muaddibrc.json');
+
+  // Auto-detect ONLY from safe locations (NOT from scan target)
+  const cwd = process.cwd();
+  const homedir = require('os').homedir();
+  const candidates = [
+    path.join(homedir, '.muaddibrc.json'),
+    // CWD config only if CWD is NOT the scan target (developer scanning an external package)
+    ...(path.resolve(cwd) !== path.resolve(targetPath) ? [path.join(cwd, '.muaddibrc.json')] : [])
+  ];
+
+  for (const rcPath of candidates) {
+    if (!fs.existsSync(rcPath)) continue;
+    const { raw, error } = loadConfigFile(rcPath);
+    if (error) {
+      warnings.push(`[CONFIG] ${error} — ${rcPath} ignored`);
+      continue;
+    }
+    const result = validateConfig(raw);
+    // Prepend any security warnings accumulated before this config was found
+    result.warnings = [...warnings, ...result.warnings];
+    if (result.config) {
+      result.warnings.unshift(`Loaded custom thresholds from ${rcPath}`);
+    }
+    result.source = rcPath;
+    return result;
   }
-  result.source = rcPath;
-  return result;
+
+  return { config: null, warnings, errors: [], source: null };
 }
 
 module.exports = { DEFAULTS, loadConfigFile, validateConfig, resolveConfig };

package/src/response/playbooks.js

@@ -537,6 +537,12 @@ const PLAYBOOKS = {
     'Cout de rotation: 0.000005 SOL par changement d\'adresse C2 — censorship-resistant. ' +
     'Bloquer les connexions vers les RPC Solana. Supprimer le package.',
 
+  module_load_bypass:
+    'CRITIQUE: Module._load() detecte — bypass du module loader interne de Node.js. ' +
+    'Permet de charger dynamiquement des modules (child_process, fs, net) sans passer par require(), ' +
+    'contournant les restrictions et les hooks de chargement. ' +
+    'Supprimer le package immediatement. Auditer les modules charges dynamiquement.',
+
   blockchain_rpc_endpoint:
     'Endpoint RPC blockchain hardcode detecte (Solana mainnet, Infura Ethereum). ' +
     'Dans un package non-crypto, cela indique un potentiel canal C2 via blockchain. ' +

package/src/rules/index.js

@@ -1595,6 +1595,19 @@ const RULES = {
     ],
     mitre: 'T1102'
   },
+  module_load_bypass: {
+    id: 'MUADDIB-AST-056',
+    name: 'Module._load() Internal Loader Bypass',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Module._load() detecte — bypass du module loader interne de Node.js pour charger dynamiquement des modules sans passer par require(). Technique d\'evasion contournant les restrictions de chargement de modules.',
+    references: [
+      'https://nodejs.org/api/modules.html',
+      'https://attack.mitre.org/techniques/T1059/007/'
+    ],
+    mitre: 'T1059.007'
+  },
+
   blockchain_rpc_endpoint: {
     id: 'MUADDIB-AST-055',
     name: 'Hardcoded Blockchain RPC Endpoint',

package/src/sandbox/index.js

@@ -240,18 +240,8 @@ async function runSingleSandbox(packageName, options = {}) {
     proc.on('close', (code) => {
       clearTimeout(timer);
 
-      // Docker-level failure: log error and return clean result
-      if (code !== 0 && !stdout.includes('---MUADDIB-REPORT-START---')) {
-        const errLines = stderr.split(/\r?\n/).filter(l => l && !l.includes('[SANDBOX]'));
-        if (errLines.length > 0) {
-          console.log(`[SANDBOX] Docker error (exit ${code}): ${errLines[0]}`);
-        } else {
-          console.log(`[SANDBOX] Container exited with code ${code} (no output)`);
-        }
-        resolve(cleanResult);
-        return;
-      }
-
+      // TIMEOUT FIRST: docker kill causes non-zero exit (code 137/SIGKILL),
+      // must check before Docker error handler to avoid returning CLEAN on timeout
       if (timedOut) {
         const result = {
           score: 100,
@@ -269,6 +259,18 @@ async function runSingleSandbox(packageName, options = {}) {
         return;
       }
 
+      // Docker-level failure (non-timeout): log error and return clean result
+      if (code !== 0 && !stdout.includes('---MUADDIB-REPORT-START---')) {
+        const errLines = stderr.split(/\r?\n/).filter(l => l && !l.includes('[SANDBOX]'));
+        if (errLines.length > 0) {
+          console.log(`[SANDBOX] Docker error (exit ${code}): ${errLines[0]}`);
+        } else {
+          console.log(`[SANDBOX] Container exited with code ${code} (no output)`);
+        }
+        resolve(cleanResult);
+        return;
+      }
+
       // Parse JSON from container stdout using delimiter
       let report;
       try {

package/src/scanner/ast-detectors.js

@@ -281,6 +281,40 @@ function resolveStringConcat(node) {
   return null;
 }
 
+/**
+ * Like resolveStringConcat, but additionally resolves Identifier nodes via
+ * a stringVarValues Map (variable name → known string value).
+ * Used for double-indirection patterns: var a='ev',b='al'; globalThis[a+b]()
+ */
+function resolveStringConcatWithVars(node, stringVarValues) {
+  if (!node) return null;
+  if (node.type === 'Literal' && typeof node.value === 'string') return node.value;
+  if (node.type === 'Identifier' && stringVarValues && stringVarValues.has(node.name)) {
+    return stringVarValues.get(node.name);
+  }
+  if (node.type === 'TemplateLiteral' && node.expressions.length === 0) {
+    return node.quasis.map(q => q.value.raw).join('');
+  }
+  if (node.type === 'TemplateLiteral' && node.expressions.length > 0) {
+    const parts = [];
+    for (let i = 0; i < node.quasis.length; i++) {
+      parts.push(node.quasis[i].value.raw);
+      if (i < node.expressions.length) {
+        const resolved = resolveStringConcatWithVars(node.expressions[i], stringVarValues);
+        if (resolved === null) return null;
+        parts.push(resolved);
+      }
+    }
+    return parts.join('');
+  }
+  if (node.type === 'BinaryExpression' && node.operator === '+') {
+    const left = resolveStringConcatWithVars(node.left, stringVarValues);
+    const right = resolveStringConcatWithVars(node.right, stringVarValues);
+    if (left !== null && right !== null) return left + right;
+  }
+  return null;
+}
+
 /**
  * Extract string value from a node, including BinaryExpression resolution.
  * Falls back to extractStringValue if concat resolution fails.
@@ -383,7 +417,7 @@ function handleVariableDeclarator(node, ctx) {
       ctx.staticAssignments.add(node.id.name);
     }
 
-    // Track dynamic require vars
+    // Track dynamic require vars + module aliases
     if (node.init?.type === 'CallExpression') {
       const initCallName = getCallName(node.init);
       if (initCallName === 'require' && node.init.arguments.length > 0) {
@@ -391,6 +425,12 @@ function handleVariableDeclarator(node, ctx) {
         if (arg.type !== 'Literal') {
           ctx.dynamicRequireVars.add(node.id.name);
         }
+        // Track require('module') or require('node:module') aliases for Module._load detection
+        const reqVal = extractStringValueDeep(arg);
+        if (reqVal === 'module') {
+          if (!ctx.moduleAliases) ctx.moduleAliases = new Set();
+          ctx.moduleAliases.add(node.id.name);
+        }
       }
     }
     // Track variables assigned dangerous command strings
@@ -717,6 +757,35 @@ function handleCallExpression(node, ctx) {
     }
   }
 
+  // Detect process.mainModule.require('child_process') — module system bypass
+  if (node.callee.type === 'MemberExpression' &&
+      node.callee.property?.type === 'Identifier' && node.callee.property.name === 'require' &&
+      node.callee.object?.type === 'MemberExpression' &&
+      node.callee.object.object?.type === 'Identifier' &&
+      node.callee.object.object.name === 'process' &&
+      node.callee.object.property?.type === 'Identifier' &&
+      node.callee.object.property.name === 'mainModule' &&
+      node.arguments.length > 0) {
+    const arg = node.arguments[0];
+    const modName = extractStringValueDeep(arg);
+    const DANGEROUS_MODS = ['child_process', 'fs', 'net', 'dns', 'http', 'https', 'tls'];
+    if (modName && DANGEROUS_MODS.includes(modName)) {
+      ctx.threats.push({
+        type: 'dynamic_require',
+        severity: 'CRITICAL',
+        message: `process.mainModule.require('${modName}') — bypasses module system restrictions.`,
+        file: ctx.relFile
+      });
+    } else {
+      ctx.threats.push({
+        type: 'dynamic_require',
+        severity: 'HIGH',
+        message: `process.mainModule.require() detected — module system bypass.`,
+        file: ctx.relFile
+      });
+    }
+  }
+
   // Detect exec/execSync with dangerous shell commands (direct or via MemberExpression)
   const execName = callName === 'exec' || callName === 'execSync' ? callName : null;
   const memberExec = !execName && node.callee.type === 'MemberExpression' &&
@@ -1490,22 +1559,45 @@ function handleCallExpression(node, ctx) {
         });
       }
     }
-    // Detect computed call on globalThis/global alias with variable property
+    // Detect computed call on globalThis/global alias with variable or expression property
     const obj = node.callee.object;
-    if (prop.type === 'Identifier' && obj?.type === 'Identifier' &&
+    if (obj?.type === 'Identifier' &&
         (ctx.globalThisAliases.has(obj.name) || obj.name === 'globalThis' || obj.name === 'global')) {
-      ctx.hasEvalInFile = true;
-      // Resolve variable value via stringVarValues (e.g., const f = 'eval'; globalThis[f]())
-      const resolvedValue = ctx.stringVarValues.get(prop.name);
-      const isEvalOrFunction = resolvedValue === 'eval' || resolvedValue === 'Function';
-      ctx.threats.push({
-        type: 'dangerous_call_eval',
-        severity: isEvalOrFunction ? 'CRITICAL' : 'HIGH',
-        message: isEvalOrFunction
-          ? `Resolved indirect ${resolvedValue}() via computed property (${obj.name}[${prop.name}="${resolvedValue}"]) — confirmed eval evasion.`
-          : `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
-        file: ctx.relFile
-      });
+      if (prop.type === 'Identifier') {
+        ctx.hasEvalInFile = true;
+        // Resolve variable value via stringVarValues (e.g., const f = 'eval'; globalThis[f]())
+        const resolvedValue = ctx.stringVarValues.get(prop.name);
+        const isEvalOrFunction = resolvedValue === 'eval' || resolvedValue === 'Function';
+        ctx.threats.push({
+          type: 'dangerous_call_eval',
+          severity: isEvalOrFunction ? 'CRITICAL' : 'HIGH',
+          message: isEvalOrFunction
+            ? `Resolved indirect ${resolvedValue}() via computed property (${obj.name}[${prop.name}="${resolvedValue}"]) — confirmed eval evasion.`
+            : `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
+          file: ctx.relFile
+        });
+      } else {
+        // BinaryExpression, TemplateLiteral, or other computed expression
+        // Try to resolve via stringVarValues (e.g., var a='ev',b='al'; globalThis[a+b]())
+        const resolvedProp = resolveStringConcatWithVars(prop, ctx.stringVarValues);
+        if (resolvedProp === 'eval' || resolvedProp === 'Function') {
+          ctx.hasEvalInFile = true;
+          ctx.threats.push({
+            type: 'dangerous_call_eval',
+            severity: 'CRITICAL',
+            message: `Resolved indirect ${resolvedProp}() via computed expression (${obj.name}[...="${resolvedProp}"]) — concat evasion.`,
+            file: ctx.relFile
+          });
+        } else if (resolvedProp !== null) {
+          ctx.hasEvalInFile = true;
+          ctx.threats.push({
+            type: 'dangerous_call_eval',
+            severity: 'HIGH',
+            message: `Dynamic global dispatch via computed expression (${obj.name}[...="${resolvedProp}"]).`,
+            file: ctx.relFile
+          });
+        }
+      }
     }
   }
 
@@ -1609,6 +1701,24 @@ function handleCallExpression(node, ctx) {
       }
     }
 
+    // Module._load() — internal module loader bypass (ANSSI audit v2)
+    if (propName === '_load') {
+      const calleeObj = node.callee.object;
+      const isModuleIdentifier = calleeObj.type === 'Identifier' &&
+        (calleeObj.name === 'Module' || calleeObj.name === 'module' ||
+         (ctx.moduleAliases && ctx.moduleAliases.has(calleeObj.name)));
+      const isMemberChain = calleeObj.type === 'MemberExpression';
+      const isConstructed = calleeObj.type === 'NewExpression' || calleeObj.type === 'CallExpression';
+      if (isModuleIdentifier || isMemberChain || isConstructed || ctx.hasModuleImport) {
+        ctx.threats.push({
+          type: 'module_load_bypass',
+          severity: 'CRITICAL',
+          message: 'Module._load() detected — internal module loader bypass for dynamic code loading.',
+          file: ctx.relFile
+        });
+      }
+    }
+
     // SANDWORM_MODE: Track writeFileSync/writeFile to temp paths
     if (propName === 'writeFileSync' || propName === 'writeFile') {
       const arg = node.arguments && node.arguments[0];