We take security vulnerabilities in MUAD'DIB seriously. If you discover a security issue, please report it responsibly.

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues via one of these methods:

1. GitHub Security Advisories (preferred):

   • Go to Security Advisories
   • Click "New draft security advisory"
   • Fill in the details

2. Email:

   • Send details to the maintainer via GitHub profile contact

Please include the following information in your report:

• Description: Clear description of the vulnerability
• Impact: What an attacker could achieve
• Steps to reproduce: Detailed steps to reproduce the issue
• Affected versions: Which versions are affected
• Suggested fix: If you have one (optional)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 7 days
• Fix timeline: Depends on severity
  • Critical: 24-72 hours
  • High: 1-2 weeks
  • Medium: 2-4 weeks
  • Low: Next release

• We follow coordinated disclosure
• We will credit reporters in the release notes (unless you prefer anonymity)
• We aim to release fixes before public disclosure
• We request a 90-day disclosure window for complex issues

MUAD'DIB uses 14 scanner modules (module-graph pre-analysis + 13 parallel scanners) + 5 behavioral anomaly detection features + ground truth validation, producing 209 rule IDs (204 RULES + 5 PARANOID):

Co-occurring threat type combinations that never appear in benign packages. Inject synthetic CRITICAL threats.

Runtime behavioral analysis: packages are installed in an isolated Docker container and monitored for suspicious activity (file access, network traffic, process spawns) via strace, tcpdump, and filesystem diffing. The sandbox simulates a CI environment (v2.1.2) to trigger CI-aware malware and injects 6 canary token honeypots for exfiltration detection.

Runtime behavioral analysis via monkey-patching preload (NODE_OPTIONS=--require /opt/preload.js). Patches time APIs, intercepts network/filesystem/process/env calls. Multi-run mode at [0h, 72h, 7d] offsets to detect time-bomb malware (MITRE T1497.003).

Intra-file coherence analysis detects when a single file contains both a credential source and a dangerous sink. Cross-file detection is handled by module-graph (FLOW-004). LOW-severity threats are excluded to respect FP reductions.

Behavioral detection analyzes changes between package versions to detect supply-chain attacks before they appear in IOC databases. These features query the npm registry at scan time and compare metadata/code across versions.

MITRE: T1195.002 (Supply Chain Compromise: Software Supply Chain)

MITRE: T1195.002 (Supply Chain Compromise: Software Supply Chain)

MITRE: T1195.002 (Supply Chain Compromise: Software Supply Chain)

MITRE: T1195.002 (Supply Chain Compromise: Software Supply Chain)

MITRE: T1552.001 (Unsecured Credentials: Credentials in Files)

6 honeypot credentials are injected (v2.1.2):

• GITHUB_TOKEN / NPM_TOKEN — Package registry tokens
• AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY — Cloud credentials
• SLACK_WEBHOOK_URL / DISCORD_WEBHOOK_URL — Messaging webhooks

Detection uses both dynamic tokens (random per session) and static fallback tokens. Exfiltration is searched in HTTP bodies, DNS queries, HTTP request URLs, TLS domains, filesystem changes, process commands, and install output.

The sandbox simulates CI environments by setting: CI=true, GITHUB_ACTIONS=true, GITLAB_CI=true, TRAVIS=true, CIRCLECI=true, JENKINS_URL=http://localhost:8080. This triggers CI-aware malware that checks for these environment variables before activating, which would otherwise stay dormant in local development environments.

These rules apply only in monitor mode to packages with >= 50,000 weekly downloads. A CRITICAL finding bypasses the TRUSTED fast-track and routes the package to full scan + sandbox.

• Package names are validated against npm naming rules to prevent command injection
• Webhook URLs are validated against a whitelist of allowed domains
• File paths are sanitized to prevent directory traversal

• Webhook module only allows connections to whitelisted domains:
  • discord.com
  • discordapp.com
  • hooks.slack.com
• Download module (v2.1.2) only allows redirects to whitelisted registry domains:
  • registry.npmjs.org, registry.yarnpkg.com
  • pypi.org, files.pythonhosted.org
• Private IP ranges are blocked (127.x, 10.x, 172.16-31.x, 192.168.x, 169.254.x, IPv6 loopback/link-local)
• Redirect validation prevents SSRF via open redirects

• execFileSync with array arguments replaces execSync with template literals for tar extraction
• Package names are sanitized via sanitizePackageName() to remove .. path traversal sequences
• NPM_PACKAGE_REGEX is centralized in src/shared/constants.js and enforced across all modules

• HTML reports escape all user-provided data
• No inline JavaScript in generated reports

• All dependencies are pinned to exact versions
• Regular updates via Dependabot (when enabled)
• Minimal dependency footprint (5 production dependencies)

1. Keep updated: Run npm update -g muaddib-scanner regularly
2. Update IOCs: Run muaddib update to get the latest threat database
3. Use in CI/CD: Integrate with GitHub Actions for continuous scanning
4. Review results: Don't blindly trust automated tools - review flagged packages

1. No secrets: Never commit API keys, tokens, or credentials
2. Signed commits: Use GPG-signed commits when possible
3. Review dependencies: Check new dependencies before adding them

MUAD'DIB 2.9 uses a triple detection approach:

1. IOC-based detection (v1.x): Matches packages against 225,000+ known malicious packages from OSV, DataDog, OSSF, GitHub Advisory, and other sources. Fast and reliable for known threats.

2. Behavioral anomaly detection (v2.0): Analyzes changes between package versions to detect supply-chain attacks before they appear in IOC databases. Compares lifecycle scripts, AST, publish frequency, and maintainer metadata across versions. This approach can detect 0-day behavioral anomalies without any prior knowledge of the specific attack.

3. Ground truth validation (v2.1–v2.10.95): Validates detection accuracy against 67 real-world attacks (65 active samples; 2 out-of-scope: GT-005 colors and GT-009 faker protestware with min_threats=0), tracks detection lead times vs. public advisories, and monitors false positive rates over time. 3280 tests across 69 files. Current TPR@3: 93.85% (61/65), ADR: 96.3% (103/107). Provides observability into scanner effectiveness.

The behavioral detection features are opt-in (--temporal-full) and query the npm registry at scan time. They are particularly effective against:

• Account takeover attacks (event-stream pattern)
• Compromised CI/CD pipelines (automated malicious publishes)
• Dormant package hijacking (abandonware takeover)
• Sudden code injection (Shai-Hulud, ua-parser-js pattern)

MUAD'DIB includes a ground truth dataset of 51 real-world supply-chain attacks (49 active samples) to continuously validate detection coverage.

TPR: 93.9% (46/49 detected)

3 out-of-scope misses (browser-only):

• lottie-player, polyfill-io, trojanized-jquery (browser-only DOM attacks)

Run muaddib evaluate --ground-truth to validate detection at any time.

The metrics reported above should be interpreted with the following caveats:

• TPR scope: Measured on 49 Node.js attack samples from 51 total. 3 browser-only attacks (lottie-player, polyfill-io, trojanized-jquery) are excluded because MUAD'DIB is a Node.js static analyzer and cannot detect DOM/browser-only patterns.
• FPR dataset: Measured on 529 curated popular npm packages, not a random sample. FPR varies significantly by package size: small packages (<10 JS files) have lower FPR than very large packages (100+ files) due to accumulation of benign patterns that resemble threats.
• ADR methodology: As of v2.6.5+, ADR uses a global threshold (score >= 20) aligned with the benign threshold. Earlier versions used per-sample tuned thresholds which inflated the ADR metric. Current ADR: 96.3% (103/107).
• Node.js scope: MUAD'DIB is designed for Node.js/npm supply-chain attacks. Browser-only attacks, native binary payloads, and phishing pages are out of scope.
• Static analysis limitations: Dynamic obfuscation, encrypted payloads that require runtime keys, and multi-stage attacks fetching payloads from external servers may evade static detection.

Validated against the DataDog Malicious Software Packages Dataset (17,922 real malware npm packages).

Wild TPR: 92.5% (13,486/14,587 in-scope)

• Total packages: 17,922
• Out-of-scope (no JS files): 3,335 skipped
• In-scope: 14,587
• Detected: 13,486
• Score=0 misses: 1,101 in-scope packages
• Errors: 0

By category:

• compromised_lib: 97.8% (904/924)
• malicious_intent: 92.1% (12,582/13,663 in-scope, 3,335 skipped)

See Evaluation Methodology for the full methodology.

The muaddib serve HTTP server binds to localhost (127.0.0.1) by default. It serves detection data as JSON for SIEM integration.

• No authentication: the server is designed for local use only. Do not expose to the public internet. For production deployment, use a reverse proxy (nginx, Caddy) with authentication and TLS termination.
• No sensitive data: the feed contains detection metadata (package names, severities, timestamps), not raw file contents or credentials.
• Localhost binding: default port 3000, binds to 127.0.0.1 only.

riskScore = min(100, maxFileScore + crossFileBonus + intentBonus + packageScore)

• Severity weights: CRITICAL=25, HIGH=10, MEDIUM=3, LOW=1
• Per-file max: Threats grouped by file, each group scored independently. Only the maximum file score counts.
• Cross-file bonus: 25% of non-max file scores (MEDIUM+ only), capped at 25.
• Intent bonus: Intra-file source-sink coherence, capped at 30.
• Package score: Lifecycle scripts, typosquat, IOC matches. CRITICAL floor at 50 when present.

Legitimate frameworks produce high volumes of certain threat types that malware never does. When the count exceeds these thresholds, severity is downgraded to LOW:

A percentage guard (< 40% of total threats) prevents downgrading when a type dominates findings.

• Dist/build files: One-notch severity downgrade; bundler artifacts get two-notch (CRITICAL→MEDIUM).
• Reachability: Findings in files not reachable from entry points → LOW.
• Framework prototypes: Request/Response/App/Router.prototype → MEDIUM.
• HTTP client whitelist: >20 prototype_hook hits targeting HTTP class names → MEDIUM.

MUAD'DIB is an educational tool and first-line defense. It has known limitations:

• Behavioral detection requires network: Temporal features query the npm registry (requires internet access)
• ML pipeline (experimental): v2.8.6 adds JSONL feature extraction (62 features) for offline model training, but detection remains deterministic rule-based
• npm and PyPI only: Does not scan other package ecosystems (RubyGems, Maven, Go, etc.)
• Sandbox requires Docker: Behavioral analysis needs Docker Desktop
• Temporal analysis is npm-only: Behavioral anomaly detection (--temporal-*) currently only supports npm packages, not PyPI

For enterprise-grade protection, consider complementing with:

• Socket.dev - ML behavioral analysis
• Snyk - Vulnerability database
• Semgrep - Advanced static analysis

We thank the following for responsible disclosure:

No vulnerabilities have been reported yet.

Thank you for helping keep MUAD'DIB and its users safe!