Analysis updated 2026-05-18
Check a development machine for signs of Shai Hulud worm infection after installing npm or PyPI packages
Block the worm's command and control domains in minutes using the provided hosts file entries
Audit lockfiles and package.json against a list of known malicious package versions
| nisten/shaiscan | abuzar-ansarii/androidlinux-gpu | flashpoint493/unreal-angelscript-skills | |
|---|---|---|---|
| Stars | 20 | 20 | 20 |
| Language | Shell | Shell | Shell |
| Setup difficulty | easy | moderate | easy |
| Complexity | 2/5 | 2/5 | 2/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
No dependencies beyond awk, find, and grep, works without root for a user level scan.
shaiscan is a single shell script that scans a Mac or Linux computer for signs of infection by a specific supply chain worm called Mini Shai Hulud, which spreads through malicious npm and PyPI packages. The script does not need any special installation beyond a normal shell and a few common command line tools, and it never modifies files, never contacts the worm's control servers, and never asks for extra permissions beyond what is needed to read files. The README's first recommendation, before even running the scanner, is a thirty second fix: adding a handful of lines to the computer's hosts file that block network access to six domains the worm uses for command and control. Doing this alone stops the worm's stolen data from ever reaching the attacker, even if the malicious code is already present. The README gives copy paste instructions for Linux, macOS, and Windows to do this. Running the actual scanner checks a long list of things: suspicious running processes, malicious files left behind in common folders, network connections to the worm's servers, tampered editor or CI configuration files, lockfiles and package files that reference known bad package versions, git commit history, installed packages, and package manager caches, among other checks. Findings are written to a markdown report and labeled by severity, ranging from confirmed compromise down to purely informational notes. The scanner is explicitly read only. It will not delete anything it finds, will not rotate any credentials for you, and recommends imaging the disk for forensic purposes before doing any cleanup. The README also encourages running your package manager's own built in security audit tool alongside shaiscan, since shaiscan only knows about the specific indicators it has been given and may miss newer advisories.
A single shell script that scans Mac and Linux systems for signs of the Shai Hulud npm supply chain worm.
Mainly Shell. The stack also includes Shell, ripgrep.
No license information is stated in the README excerpt.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.