explaingit

nisten/shaiscan

Analysis updated 2026-05-18

20ShellAudience · ops devopsComplexity · 2/5Setup · easy

TLDR

A single shell script that scans Mac and Linux systems for signs of the Shai Hulud npm supply chain worm.

Mindmap

mindmap
  root((repo))
    What it does
      Shai Hulud worm scanner
      Read only detection
      Hosts file C2 block
    Tech stack
      Shell script
      ripgrep
      POSIX tools
    Use cases
      Infection check
      Block C2 domains
      Audit lockfiles
    Audience
      DevOps engineers
      Security conscious developers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Check a development machine for signs of Shai Hulud worm infection after installing npm or PyPI packages

USE CASE 2

Block the worm's command and control domains in minutes using the provided hosts file entries

USE CASE 3

Audit lockfiles and package.json against a list of known malicious package versions

What is it built with?

Shellripgrep

How does it compare?

nisten/shaiscanabuzar-ansarii/androidlinux-gpuflashpoint493/unreal-angelscript-skills
Stars202020
LanguageShellShellShell
Setup difficultyeasymoderateeasy
Complexity2/52/52/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

No dependencies beyond awk, find, and grep, works without root for a user level scan.

No license information is stated in the README excerpt.

In plain English

shaiscan is a single shell script that scans a Mac or Linux computer for signs of infection by a specific supply chain worm called Mini Shai Hulud, which spreads through malicious npm and PyPI packages. The script does not need any special installation beyond a normal shell and a few common command line tools, and it never modifies files, never contacts the worm's control servers, and never asks for extra permissions beyond what is needed to read files. The README's first recommendation, before even running the scanner, is a thirty second fix: adding a handful of lines to the computer's hosts file that block network access to six domains the worm uses for command and control. Doing this alone stops the worm's stolen data from ever reaching the attacker, even if the malicious code is already present. The README gives copy paste instructions for Linux, macOS, and Windows to do this. Running the actual scanner checks a long list of things: suspicious running processes, malicious files left behind in common folders, network connections to the worm's servers, tampered editor or CI configuration files, lockfiles and package files that reference known bad package versions, git commit history, installed packages, and package manager caches, among other checks. Findings are written to a markdown report and labeled by severity, ranging from confirmed compromise down to purely informational notes. The scanner is explicitly read only. It will not delete anything it finds, will not rotate any credentials for you, and recommends imaging the disk for forensic purposes before doing any cleanup. The README also encourages running your package manager's own built in security audit tool alongside shaiscan, since shaiscan only knows about the specific indicators it has been given and may miss newer advisories.

Copy-paste prompts

Prompt 1
Walk me through blocking the Shai Hulud worm's C2 domains in my hosts file
Prompt 2
Explain what each severity tag in shaiscan's report means
Prompt 3
What does shaiscan check on my system and what does it deliberately not do

Frequently asked questions

What is shaiscan?

A single shell script that scans Mac and Linux systems for signs of the Shai Hulud npm supply chain worm.

What language is shaiscan written in?

Mainly Shell. The stack also includes Shell, ripgrep.

What license does shaiscan use?

No license information is stated in the README excerpt.

How hard is shaiscan to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is shaiscan for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.