explaingit

coreindustries/core-shai-hulud-mitigation

Analysis updated 2026-05-18

0ShellAudience · ops devopsComplexity · 3/5Setup · easy

TLDR

A shell script toolkit that scans for and helps remediate the Shai-Hulud npm supply chain worm across your projects.

Mindmap

mindmap
  root((repo))
    What it does
      Scans for IOCs
      Applies mitigations
    Tech stack
      Shell scripts
      CI integration
    Use cases
      Incident response
      Preventive audit
    Audience
      Developers
      DevOps teams

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a project or a whole directory of git repos for signs of Shai-Hulud infection.

USE CASE 2

Run the scanner as a pre-install gate inside a CI pipeline.

USE CASE 3

Follow the incident response steps to safely rotate credentials after a suspected breach.

USE CASE 4

Check whether your dependencies include any of the known compromised package versions.

What is it built with?

ShellnpmGitHub CLI

How does it compare?

coreindustries/core-shai-hulud-mitigation123satyajeet123/bitnet-serveralexbloch-ia/legal-data
Stars000
LanguageShellShellShell
Setup difficultyeasyeasymoderate
Complexity3/52/52/5
Audienceops devopsdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Requires the GitHub CLI installed and authenticated for the repo-search and token-audit steps.

No license file is mentioned in the README, so terms of reuse are unclear.

In plain English

This repository is a security response toolkit for a software supply chain attack called Shai-Hulud. A supply chain attack is when malicious code is hidden inside software packages that developers install as dependencies, spreading through the normal act of adding libraries to a project. Shai-Hulud is documented across five waves targeting the npm package ecosystem used by JavaScript developers, and to a lesser extent PyPI used by Python developers, with the worm propagating by using stolen credentials to publish more infected packages. The repository provides two shell scripts. The first, scan.sh, scans a project directory for known indicators of compromise: specific filenames, suspicious install scripts, known malicious package versions, exfiltration domain names, and oversized bundle files. It can scan a single project or automatically discover every git repository inside a parent directory, and it exits with a machine readable status code so it can run as a gate inside a CI pipeline. The second script, mitigate.sh, applies remediations once an infection is confirmed, with a dry run mode to preview changes first. The README also works as an incident response guide, covering how to disable persistence hooks before rotating credentials so a dead man's switch is not triggered, how to find attacker created repositories holding exfiltrated secrets, how to revoke compromised access tokens through the GitHub web interface rather than the command line, and which specific package versions across each attack wave are known to be compromised and must not be used. You would use this if you suspect your development environment or CI pipeline may have been exposed to this attack, or want to run it as a preventive audit before problems appear. The toolkit itself is written in shell. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
Explain what indicators of compromise scan.sh checks for and why each one matters.
Prompt 2
Walk me through the correct order of incident response steps if scan.sh finds a match.
Prompt 3
Help me integrate scan.sh into my CI pipeline as a pre-install check.
Prompt 4
Summarize which npm and PyPI package versions I need to avoid right now.

Frequently asked questions

What is core-shai-hulud-mitigation?

A shell script toolkit that scans for and helps remediate the Shai-Hulud npm supply chain worm across your projects.

What language is core-shai-hulud-mitigation written in?

Mainly Shell. The stack also includes Shell, npm, GitHub CLI.

What license does core-shai-hulud-mitigation use?

No license file is mentioned in the README, so terms of reuse are unclear.

How hard is core-shai-hulud-mitigation to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is core-shai-hulud-mitigation for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.