# shai-hulud-scanner

Filesystem scanner that finds every Node.js project (`package.json`) under a root and checks resolved dependencies against a maintained list of compromised npm package versions.

The list is fetched from https://github.com/Cobenian/shai-hulud-detect/blob/main/compromised-packages.txt

Designed to run from this cloned repo. The script downloads the list once, logs progress to stdout, shows a spinner during `npm ls`, and summarizes results.

## Usage

```bash
git clone git@github.com:unic/shai-hulud-scanner.git
cd shai-hulud-scanner
chmod +x shai-hulud-scan.sh

./shai-hulud-scan.sh [ROOT_DIR]   # default: .
./shai-hulud-scan.sh              # scan current folder tree
./shai-hulud-scan.sh ~/code       # scan a workspace/mono-repo root
NPM_BIN=/opt/homebrew/bin/npm ./shai-hulud-scan.sh /srv/projects
```

## How it works

- Crawls from `ROOT_DIR` and discovers projects by `package.json`
- Skips candidates with no lockfile (here or in parents) and no `node_modules/` (workspace-friendly)
- Runs `npm ls --all --json` per project and compares each `name@version` to the compromised list
- Prints per-project status and a final summary

## Requirements

- `bash`, `curl`, `find`, `jq`, `npm`
- Internet access (the compromised list is fetched once per run)

## Output

- `OK: <dir>` → no compromised versions
- `ALERT: <dir>` → at least one hit (listed)
- Exit codes: `0` = clean across all projects, `1` = hits found, `2` = error

## Notes

- Lockfiles recognized: `package-lock.json`, `npm-shrinkwrap.json`, `pnpm-lock.yaml`, `yarn.lock`, `bun.lockb`
- A non-zero exit from `npm ls` (peer/extraneous warnings) is tolerated; the JSON is still parsed
- Read-only: the script never executes project scripts
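The following is an added example, not the project's own `shai-hulud-scan.sh`. It demonstrates the two checks described above in isolation: whether a `package.json` directory qualifies for scanning (a recognized lockfile in the directory or an ancestor up to the root, or a local `node_modules/`), and which installed `name@version` pairs from `npm ls --all --json` appear in the compromised list. The `npm ls` JSON, the list contents and every package name below are constructed placeholders, and the list format (one `name@version` per line, `#` comments and blank lines ignored) is an assumption rather than the format of the upstream file.

```bash
#!/usr/bin/env bash
# Added example (not the project's script). Requires jq, as the scanner does.

LOCKFILES="package-lock.json npm-shrinkwrap.json pnpm-lock.yaml yarn.lock bun.lockb"

# should_scan DIR ROOT: returns 0 if DIR has its own node_modules/ or if DIR
# or any ancestor up to and including ROOT holds a recognized lockfile.
should_scan() {
  local dir="$1" root="$2" d f
  [ -d "$dir/node_modules" ] && return 0
  d="$dir"
  while :; do
    for f in $LOCKFILES; do
      [ -f "$d/$f" ] && return 0
    done
    [ "$d" = "$root" ] || [ "$d" = "/" ] && return 1
    d=$(dirname "$d")
  done
}

# installed_versions JSON: flatten the (nested) npm ls tree into sorted,
# unique name@version lines. Entries without a version (missing deps) are
# dropped so they cannot produce a bogus "name@null" match.
installed_versions() {
  printf '%s' "$1" | jq -r '
    [ .. | objects | select(has("dependencies")) | .dependencies
      | to_entries[] | select(.value.version != null)
      | "\(.key)@\(.value.version)" ] | unique[]'
}

# find_hits JSON LIST: print installed pairs that appear in LIST (may be empty).
# Exact whole-line matching (-Fx) avoids "foo@1.0.0" matching "foo@1.0.0-beta".
find_hits() {
  local listfile
  listfile=$(mktemp)
  printf '%s\n' "$2" | sed -e '/^[[:space:]]*$/d' -e '/^#/d' >"$listfile"
  installed_versions "$1" | grep -Fx -f "$listfile" || :
  rm -f "$listfile"
}

# report DIR JSON LIST: print the README's per-project line and use its exit
# convention (0 = clean, 1 = hits found).
report() {
  local dir="$1" hits
  hits=$(find_hits "$2" "$3")
  if [ -n "$hits" ]; then
    printf 'ALERT: %s\n%s\n' "$dir" "$hits"
    return 1
  fi
  printf 'OK: %s\n' "$dir"
}

# Constructed sample of `npm ls --all --json` output with one nested hit and
# one missing dependency; package names are placeholders.
SAMPLE_NPM_LS='{"name":"demo-app","version":"1.0.0","dependencies":{
  "left-pad":{"version":"1.3.0"},
  "some-lib":{"version":"2.0.0","dependencies":{"evil-pkg":{"version":"9.9.9"}}},
  "missing-dep":{"required":"^1.0.0","missing":true}}}'

# Constructed compromised list (placeholder names, assumed name@version format).
SAMPLE_LIST='# constructed list
evil-pkg@9.9.9
other-bad@1.2.3'

# Demo run: prints an ALERT line followed by the matching pair.
report "/srv/projects/demo-app" "$SAMPLE_NPM_LS" "$SAMPLE_LIST" || :
```

The recursive `..` walk in the jq filter is what makes transitive dependencies visible: the compromised package in the sample sits two levels deep, which a top-level-only `.dependencies` read would miss. The lockfile walk stops at the scan root, so a project outside a workspace is never attributed a lockfile from an unrelated parent directory.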