Analysis updated 2026-05-18
Scan a project or a whole directory of git repos for signs of Shai-Hulud infection.
Run the scanner as a pre-install gate inside a CI pipeline.
Follow the incident response steps to safely rotate credentials after a suspected breach.
Check whether your dependencies include any of the known compromised package versions.
| coreindustries/core-shai-hulud-mitigation | 123satyajeet123/bitnet-server | alexbloch-ia/legal-data | |
|---|---|---|---|
| Stars | 0 | 0 | 0 |
| Language | Shell | Shell | Shell |
| Setup difficulty | easy | easy | moderate |
| Complexity | 3/5 | 2/5 | 2/5 |
| Audience | ops devops | developer | general |
Figures from each repo's GitHub metadata at analysis time.
Requires the GitHub CLI installed and authenticated for the repo-search and token-audit steps.
This repository is a security response toolkit for a software supply chain attack called Shai-Hulud. A supply chain attack is when malicious code is hidden inside software packages that developers install as dependencies, spreading through the normal act of adding libraries to a project. Shai-Hulud is documented across five waves targeting the npm package ecosystem used by JavaScript developers, and to a lesser extent PyPI used by Python developers, with the worm propagating by using stolen credentials to publish more infected packages. The repository provides two shell scripts. The first, scan.sh, scans a project directory for known indicators of compromise: specific filenames, suspicious install scripts, known malicious package versions, exfiltration domain names, and oversized bundle files. It can scan a single project or automatically discover every git repository inside a parent directory, and it exits with a machine readable status code so it can run as a gate inside a CI pipeline. The second script, mitigate.sh, applies remediations once an infection is confirmed, with a dry run mode to preview changes first. The README also works as an incident response guide, covering how to disable persistence hooks before rotating credentials so a dead man's switch is not triggered, how to find attacker created repositories holding exfiltrated secrets, how to revoke compromised access tokens through the GitHub web interface rather than the command line, and which specific package versions across each attack wave are known to be compromised and must not be used. You would use this if you suspect your development environment or CI pipeline may have been exposed to this attack, or want to run it as a preventive audit before problems appear. The toolkit itself is written in shell. The full README is longer than what was shown.
A shell script toolkit that scans for and helps remediate the Shai-Hulud npm supply chain worm across your projects.
Mainly Shell. The stack also includes Shell, npm, GitHub CLI.
No license file is mentioned in the README, so terms of reuse are unclear.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.