scan-hulud

CLI helper that scans a JavaScript lockfile (npm, yarn, or pnpm) for specific package versions listed in affected-packages.txt. The tool is published as @veracity/scan-hulud so it can run directly via npx without installing anything globally.

Why is it published under the @veracity org? I had to act quickly and that was the easiest for me.

Usage (via `npx`)

bash

npx -y @veracity/scan-hulud@latest ./path/to/package-lock.json

bash

npx -y @veracity/scan-hulud@latest ./path/to/yarn.lock

bash

npx -y @veracity/scan-hulud@latest ./path/to/pnpm-lock.yaml





$3



| Flag           | Description                                                                                            |

| -------------- | ------------------------------------------------------------------------------------------------------ |

|

-y, --yes

  | Currently ignored, but reserved to keep parity with earlier scripts.                                   |

|

-h, --help

 | Prints usage info.                                                                                     |

|

| Required positional argument pointing to a package-lock.json, yarn.lock, or pnpm-lock.yaml

 file. |



The command prints every package/version pair from

affected-packages.txt that also appears in your lockfile. Exit code 0 indicates the scan completed successfully; 1

 indicates a failure (for example, at least one vulnerable entry was found or the lockfile could not be read).



$3

bash

Scan the default npm lockfile in the current project

npx @veracity/scan-hulud@latest ./package-lock.json



Scan a pnpm project from anywhere

npx @veracity/scan-hulud@latest ../another-project/pnpm-lock.yaml





> 💡

npx

 automatically downloads the CLI from npm on demand. No local install is necessary.



Contributing



This repo intentionally avoids external dependencies—everything relies on Node's built‑in modules so the CLI stays lightweight and reproducible.



$3



Edit

affected-packages.txt

 manually. This is clearly the next step to automate, based on the content on https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24.



$3



Use Node's built-in test runner:

bash

npm test

or

node --test





The tests execute the CLI against curated safe/vulnerable fixtures to ensure regressions are caught.



$3



1. Ensure

affected-packages.txt only lists one package@version

 per line.

2. Run the tests (

npm test`).
3. Open a PR describing the changes and any notable scan results.

That's it—thanks for keeping the scanner up to date!

Usage (via npx)

bash
npx -y @veracity/scan-hulud@latest ./path/to/package-lock.json

bash
npx -y @veracity/scan-hulud@latest ./path/to/yarn.lock

bash
npx -y @veracity/scan-hulud@latest ./path/to/pnpm-lock.yaml

$3

| Flag | Description |
| -------------- | ------------------------------------------------------------------------------------------------------ |
|

| Currently ignored, but reserved to keep parity with earlier scripts. |
|

| Prints usage info. |
|

| Required positional argument pointing to a package-lock.json, yarn.lock, or pnpm-lock.yaml

 file. |



The command prints every package/version pair from

affected-packages.txt that also appears in your lockfile. Exit code 0 indicates the scan completed successfully; 1

 indicates a failure (for example, at least one vulnerable entry was found or the lockfile could not be read).



$3

bash

Scan the default npm lockfile in the current project

npx @veracity/scan-hulud@latest ./package-lock.json



Scan a pnpm project from anywhere

npx @veracity/scan-hulud@latest ../another-project/pnpm-lock.yaml





> 💡

npx

 automatically downloads the CLI from npm on demand. No local install is necessary.



Contributing



This repo intentionally avoids external dependencies—everything relies on Node's built‑in modules so the CLI stays lightweight and reproducible.



$3



Edit

affected-packages.txt

 manually. This is clearly the next step to automate, based on the content on https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24.



$3



Use Node's built-in test runner:

bash

npm test

or

node --test





The tests execute the CLI against curated safe/vulnerable fixtures to ensure regressions are caught.



$3



1. Ensure

affected-packages.txt only lists one package@version

 per line.

2. Run the tests (

npm test`).
3. Open a PR describing the changes and any notable scan results.

That's it—thanks for keeping the scanner up to date!

@veracity/scan-hulud

Dist Tags

scan-hulud

Usage (via `npx`)

$3

$3

Scan the default npm lockfile in the current project

Scan a pnpm project from anywhere

Contributing

$3

$3

or

$3

@veracity/scan-hulud

Dist Tags

scan-hulud

Usage (via `npx`)

$3

$3

Scan the default npm lockfile in the current project

Scan a pnpm project from anywhere

Contributing

$3

$3

or

$3

@veracity/scan-hulud

Dist Tags

scan-hulud

Usage (via npx)

$3

$3

Scan the default npm lockfile in the current project

Scan a pnpm project from anywhere

Contributing

$3

$3

or

$3

@veracity/scan-hulud

Dist Tags

scan-hulud

Usage (via npx)

$3

$3

Scan the default npm lockfile in the current project

Scan a pnpm project from anywhere

Contributing

$3

$3

or

$3

Usage (via `npx`)

Usage (via `npx`)