Sha1-Hulud 2.0 npm supply chain attack scanner - Real-time detection using Koi.ai data
```bash
npm install sha1-hulud-scanner
```

A security scanner that detects npm packages compromised by the Sha1-Hulud 2.0 supply chain attack. It downloads the current infected package list from Koi.ai and scans your project against it.
Sha1-Hulud 2.0 is an ongoing npm supply chain attack that has compromised 800+ packages affecting 25,000+ repositories. The malware:
- Injects malicious preinstall scripts (setup_bun.js, bun_environment.js)
- Harvests credentials (npm tokens, GitHub PATs, SSH keys, cloud credentials)
- Exfiltrates secrets to attacker-controlled GitHub repositories
- Creates persistent backdoors in GitHub Actions workflows
- Can act as a wiper, deleting the user's home directory as a fallback
Affected organizations include: PostHog, ENS Domains, Zapier, and many more.
## Features

- Real-time Data: Downloads latest compromised package list from Koi.ai
- Multiple Lock File Support: package-lock.json, yarn.lock, pnpm-lock.yaml
- Direct node_modules Scan: Verifies actual installed package versions
- IOC Detection: Scans for malicious files and suspicious patterns
- GitHub Actions Audit: Checks for compromised workflows and branches
- JSON Output: Machine-readable output for CI/CD integration
- Caching: 1-hour cache to reduce API calls
## Installation

```bash
# Using npx (no install needed)
npx sha1-hulud-scanner
```
## Usage

### Node.js

```bash
# Scan current directory
node scan.js

# Scan specific project
node scan.js /path/to/your/project

# Verbose output
node scan.js -v

# JSON output (for CI/CD)
node scan.js --json

# Force fresh download (ignore cache)
node scan.js --no-cache

# Generate JSON report
node scan.js --json > security-report.json
```

### Shell script
```bash
# Make executable
chmod +x scan.sh

# Scan current directory
./scan.sh

# Scan specific project
./scan.sh /path/to/your/project
```

## Output Examples
### Clean project

```
╔═══════════════════════════════════════════════════════════════╗
║ 🐛 Sha1-Hulud 2.0 Supply Chain Attack Scanner ║
║ ║
║ Data Source: Koi.ai Live Updates ║
╚═══════════════════════════════════════════════════════════════╝
[ℹ] Project path: /Users/dev/my-project
[ℹ] Downloaded compromised package list (847 entries)
[1/4] Package Lock File Scan
[ℹ] Scanning package-lock.json...
[2/4] Direct node_modules Scan
[ℹ] Direct node_modules scan...
[3/4] IOC File Scan
[ℹ] Scanning for IOC files...
[4/4] GitHub Actions Scan
[ℹ] Scanning GitHub Actions...
═══════════════════════════════════════════════════════════════
SCAN REPORT
═══════════════════════════════════════════════════════════════
Packages checked: 847
Infected packages: 0
Warnings: 0
✅ No infection detected!
```

### Infected project

```
═══════════════════════════════════════════════════════════════
SCAN REPORT
═══════════════════════════════════════════════════════════════
Packages checked: 847
Infected packages: 2
Warnings: 1
🚨 INFECTION DETECTED! Immediate action required!
Infected packages:
• @posthog/siphash@1.2.3
• @ensdomains/ensjs@4.0.1
Recommended actions:
1. Remove infected packages immediately or rollback to safe versions
2. Rotate npm tokens, GitHub PATs, SSH keys immediately
3. Rotate AWS/GCP/Azure cloud credentials
4. Review .github/workflows/ directory manually
5. Check git log for suspicious commits
Reference: https://www.koi.ai/incident/live-updates-sha1-hulud
```

## What It Scans

### Package Lock File Scan
- Compares your package-lock.json, yarn.lock, or pnpm-lock.yaml against known compromised packages

### Direct node_modules Scan
- Directly reads the package.json files under node_modules to verify the versions actually installed

### IOC File Scan
Searches for known malicious files:
- setup_bun.js
- bun_environment.js
- cloud.json
- contents.json
- environment.json
- truffleSecrets.json
Flags preinstall scripts containing:
- bun references
- curl / wget commands
- eval() / exec() calls
- Shell script execution
Searches for references to:
- packages.storeartifact.com
- hulud related strings

### GitHub Actions Scan
- Workflow files with hulud in filename
- Suspicious content in workflow YAML files
- Git branches containing `hulud`
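The two core checks described above, the lock-file match against the compromised list and the preinstall-script heuristics, as an added example that is not the scanner's own code. Everything in it is constructed for the demo: the compromised package names and versions are fictional (not real indicators), and the two-column `package,version` CSV layout is an assumption about the Koi.ai feed, whose actual columns the README does not document.

```javascript
// Added example, not the scanner's own code: the lock-file match and the
// preinstall heuristics described under "What It Scans", run offline.
// Everything below is constructed for the demo. The compromised entries are
// fictional package names, not real indicators, and the two-column
// "package,version" CSV layout is an assumption about the Koi.ai feed.

const COMPROMISED_CSV = `package,version
@acme/build-tools,2.4.1
left-padding-utils,1.0.9
left-padding-utils,1.1.0`;

// Parse the feed into a Set of "name@version" keys for O(1) lookups.
function parseCompromisedCsv(csv) {
  const keys = new Set();
  for (const line of csv.split(/\r?\n/).slice(1)) {
    const [name, version] = line.split(',').map((s) => s.trim());
    if (name && version) keys.add(`${name}@${version}`);
  }
  return keys;
}

// lockfileVersion 2/3 keys entries by install path, so the package name is
// everything after the last "node_modules/" (keeps "@scope/name" intact and
// handles nested copies such as node_modules/a/node_modules/b).
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Collect every installed "name@version" from a parsed package-lock.json,
// covering both the v1 nested "dependencies" tree and the v2/v3 "packages" map.
function collectInstalled(lock) {
  const found = new Set();
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (name && meta.version) found.add(`${name}@${meta.version}`);
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (meta.version) found.add(`${name}@${meta.version}`);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return found;
}

// Exact name@version matches only; a listed package at an unlisted version is
// not reported, which is why the scanner also verifies node_modules directly.
function findInfected(lock, compromised) {
  return [...collectInstalled(lock)].filter((key) => compromised.has(key)).sort();
}

// Preinstall heuristics from the IOC list: bun references, curl/wget,
// eval()/exec(), shell script execution. "bun" is matched as a standalone
// token so that "bundle" does not trigger it while "setup_bun.js" does.
const PREINSTALL_RULES = [
  ['bun reference', /(?:^|[^a-z])bun(?![a-z])/i],
  ['network download', /\b(?:curl|wget)\b/],
  ['dynamic eval/exec', /\b(?:eval|exec)\s*\(/],
  ['shell script execution', /\.sh\b|\|\s*(?:sh|bash)\b|\b(?:sh|bash)\s+-c\b/],
];

// Returns the names of the rules a package.json preinstall script trips.
function suspiciousPreinstall(pkgJson) {
  const script = pkgJson.scripts && pkgJson.scripts.preinstall;
  if (!script) return [];
  return PREINSTALL_RULES.filter(([, re]) => re.test(script)).map(([name]) => name);
}

// Constructed lockfileVersion 3 input: one direct hit, one clean version of a
// listed package, and a nested copy that is on the list.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@acme/build-tools': { version: '2.4.1' },
    'node_modules/left-padding-utils': { version: '1.0.8' },
    'node_modules/some-lib': { version: '3.0.0' },
    'node_modules/some-lib/node_modules/left-padding-utils': { version: '1.1.0' },
  },
};

const demoCompromised = parseCompromisedCsv(COMPROMISED_CSV);
console.log('infected:', findInfected(SAMPLE_LOCK, demoCompromised));
console.log('preinstall:', suspiciousPreinstall({ scripts: { preinstall: 'node setup_bun.js' } }));
```

The nested copy matters: `npm ls` style output and a flat read of the top-level `node_modules` both miss `some-lib/node_modules/left-padding-utils@1.1.0`, while the lock-file walk catches it. The preinstall rules are deliberately coarse (any `curl` or `.sh` trips them), so treat them as warnings to review, not as a verdict.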

## CI/CD Integration

### GitHub Actions workflow

```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  sha1-hulud-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Download Scanner
        # Pin this URL to a release tag or commit SHA (or run the published
        # package via `npx sha1-hulud-scanner@<version>`) rather than tracking
        # `main`: a scanner fetched unpinned from a branch is itself an
        # unreviewed supply-chain input in your pipeline.
        run: |
          curl -sL https://raw.githubusercontent.com/developerjhp/sha1-hulud-scanner/main/scan.js -o scan.js
      - name: Run Sha1-Hulud Scanner
        # The scanner exits 1 on infection (see Exit Codes), which would fail
        # this step before the results are shown. Record the status and
        # evaluate it in the next step instead.
        run: node scan.js --json > scan-results.json || echo "SCAN_EXIT=$?" >> "$GITHUB_ENV"
      - name: Check Results
        run: |
          if [ "$(node -e "console.log(require('./scan-results.json').infected.length)")" -gt 0 ]; then
            echo "🚨 Infected packages detected!"
            cat scan-results.json
            exit 1
          fi
          if [ -n "${SCAN_EXIT:-}" ]; then
            echo "Scanner exited with status $SCAN_EXIT (scan error)"
            exit 1
          fi
```

### Pre-commit hook
```bash
#!/bin/sh
# .git/hooks/pre-commit
# Runs the scanner before every commit. Exit code 1 covers both an infection
# and a scan error, so a failed download of the Koi.ai list (outside the
# 1-hour cache window) also blocks the commit.
if ! node /path/to/sha1-hulud-scanner/scan.js; then
  echo "🚨 Sha1-Hulud infection detected (or scan error)! Commit blocked."
  exit 1
fi
```

## JSON Output Schema

```json
{
"scanTime": "2025-11-25T10:30:00.000Z",
"projectPath": "/path/to/project",
"totalPackagesChecked": 847,
"infected": [
"@package/name@1.0.0"
],
"warnings": [
"Suspicious preinstall: some-package - \"node setup.js\""
],
"iocFindings": [
{
"type": "malicious_file",
"path": "/path/to/setup_bun.js"
}
],
"githubActionsFindings": [
{
"type": "suspicious_workflow_content",
"path": ".github/workflows/build.yml"
}
],
"clean": false
}
```

## Exit Codes
| Code | Meaning |
|------|---------|
| 0 | No infection detected |
| 1 | Infection detected or scan error |
## Remediation Steps
If infection is detected:
1. Isolate: Do not run `npm install` or any npm scripts
2. Identify: Note all infected package versions from the report
3. Remove/Rollback:

```bash
# Remove infected package
npm uninstall @infected/package

# Or roll back to a known-safe version
npm install @infected/package@safe-version
```
4. Rotate Credentials:
- npm tokens: `npm token revoke <id>`, then `npm token create`
- GitHub PATs: Settings → Developer settings → Regenerate
- SSH keys: Generate new keypairs
- AWS/GCP/Azure: Rotate all access keys and secrets
5. Audit GitHub Actions:
- Review `.github/workflows/` for suspicious files

## Data Source

This scanner uses the live compromised package list maintained by Koi Security:
- URL: https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised
- CSV: Auto-downloaded and cached for 1 hour
- Updates: Koi.ai continuously updates the list as new compromised packages are discovered
## References

- Koi.ai - Live Updates: Sha1-Hulud
- Wiz Blog - Sha1-Hulud 2.0
- Snyk - SHA1-Hulud Incident
- CISA Alert
## License

MIT

## Contributing

Issues and PRs welcome! Please ensure any contributions maintain zero external dependencies.