
sha1-hulud-scanner

v1.0.1

Published

Sha1-Hulud 2.0 npm supply chain attack scanner - Real-time detection using Koi.ai data

Downloads

24,980

Readme

Sha1-Hulud 2.0 Supply Chain Attack Scanner

A security scanner that detects npm packages compromised by the Sha1-Hulud 2.0 supply chain attack. Downloads real-time infected package lists from Koi.ai and scans your project.

About the Attack

Sha1-Hulud 2.0 is an ongoing npm supply chain attack that has compromised 800+ packages affecting 25,000+ repositories. The malware:

  • Injects malicious preinstall scripts (setup_bun.js, bun_environment.js)
  • Harvests credentials (npm tokens, GitHub PATs, SSH keys, cloud credentials)
  • Exfiltrates secrets to attacker-controlled GitHub repositories
  • Creates persistent backdoors in GitHub Actions workflows
  • Can act as a wiper, deleting the user's home directory as a fallback

Affected organizations include: PostHog, ENS Domains, Zapier, and many more.

Features

  • Real-time Data: Downloads latest compromised package list from Koi.ai
  • Multiple Lock File Support: package-lock.json, yarn.lock, pnpm-lock.yaml
  • Direct node_modules Scan: Verifies actual installed package versions
  • IOC Detection: Scans for malicious files and suspicious patterns
  • GitHub Actions Audit: Checks for compromised workflows and branches
  • JSON Output: Machine-readable output for CI/CD integration
  • Caching: 1-hour cache to reduce API calls

Installation

# Using npx (no install needed)
npx sha1-hulud-scanner

# Or install globally
npm install -g sha1-hulud-scanner

# Or clone repository
git clone https://github.com/developerjhp/sha1-hulud-scanner.git
cd sha1-hulud-scanner

Usage

Node.js Version

# Scan current directory
node scan.js

# Scan specific project
node scan.js /path/to/your/project

# Verbose output
node scan.js -v

# JSON output (for CI/CD)
node scan.js --json

# Force fresh download (ignore cache)
node scan.js --no-cache

# Generate JSON report
node scan.js --json > security-report.json

Bash Version

# Make executable
chmod +x scan.sh

# Scan current directory
./scan.sh

# Scan specific project
./scan.sh /path/to/your/project

Output Examples

Clean Project

╔═══════════════════════════════════════════════════════════════╗
║        🐛 Sha1-Hulud 2.0 Supply Chain Attack Scanner         ║
║                                                               ║
║  Data Source: Koi.ai Live Updates                            ║
╚═══════════════════════════════════════════════════════════════╝

[ℹ] Project path: /Users/dev/my-project
[ℹ] Downloaded compromised package list (847 entries)

[1/4] Package Lock File Scan
[ℹ] Scanning package-lock.json...

[2/4] Direct node_modules Scan
[ℹ] Direct node_modules scan...

[3/4] IOC File Scan
[ℹ] Scanning for IOC files...

[4/4] GitHub Actions Scan
[ℹ] Scanning GitHub Actions...

═══════════════════════════════════════════════════════════════
                         SCAN REPORT
═══════════════════════════════════════════════════════════════

Packages checked:  847
Infected packages: 0
Warnings:          0

✅ No infection detected!

Infected Project

═══════════════════════════════════════════════════════════════
                         SCAN REPORT
═══════════════════════════════════════════════════════════════

Packages checked:  847
Infected packages: 2
Warnings:          1

🚨 INFECTION DETECTED! Immediate action required!

Infected packages:
  • @posthog/[email protected]
  • @ensdomains/[email protected]

Recommended actions:
  1. Remove infected packages immediately or rollback to safe versions
  2. Rotate npm tokens, GitHub PATs, SSH keys immediately
  3. Rotate AWS/GCP/Azure cloud credentials
  4. Review .github/workflows/ directory manually
  5. Check git log for suspicious commits

Reference: https://www.koi.ai/incident/live-updates-sha1-hulud

What It Scans

1. Package Lock Files

  • Compares your package-lock.json, yarn.lock, or pnpm-lock.yaml against known compromised packages

2. node_modules Directory

  • Directly reads package.json files to verify installed versions

3. IOC Files

Searches for known malicious files:

  • setup_bun.js
  • bun_environment.js
  • cloud.json
  • contents.json
  • environment.json
  • truffleSecrets.json

4. Suspicious Preinstall Scripts

Flags preinstall scripts containing:

  • bun references
  • curl / wget commands
  • eval() / exec() calls
  • Shell script execution

5. Malicious Domain References

Searches for references to:

  • packages.storeartifact.com
  • hulud related strings

6. GitHub Actions

  • Workflow files with hulud in filename
  • Suspicious content in workflow YAML files
  • Git branches containing hulud

CI/CD Integration

GitHub Actions

name: Security Scan

on: [push, pull_request]

jobs:
  sha1-hulud-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Download Scanner
        run: |
          curl -sL https://raw.githubusercontent.com/developerjhp/sha1-hulud-scanner/main/scan.js -o scan.js

      - name: Run Sha1-Hulud Scanner
        run: node scan.js --json > scan-results.json

      - name: Check Results
        run: |
          if [ $(node -e "console.log(require('./scan-results.json').infected.length)") -gt 0 ]; then
            echo "🚨 Infected packages detected!"
            cat scan-results.json
            exit 1
          fi

Pre-commit Hook

#!/bin/sh
# .git/hooks/pre-commit

node /path/to/sha1-hulud-scanner/scan.js
if [ $? -ne 0 ]; then
    echo "🚨 Sha1-Hulud infection detected! Commit blocked."
    exit 1
fi

JSON Output Schema

{
  "scanTime": "2025-11-25T10:30:00.000Z",
  "projectPath": "/path/to/project",
  "totalPackagesChecked": 847,
  "infected": [
    "@package/[email protected]"
  ],
  "warnings": [
    "Suspicious preinstall: some-package - \"node setup.js\""
  ],
  "iocFindings": [
    {
      "type": "malicious_file",
      "path": "/path/to/setup_bun.js"
    }
  ],
  "githubActionsFindings": [
    {
      "type": "suspicious_workflow_content",
      "path": ".github/workflows/build.yml"
    }
  ],
  "clean": false
}

Exit Codes

| Code | Meaning |
|------|---------|
| 0 | No infection detected |
| 1 | Infection detected or scan error |

Remediation Steps

If infection is detected:

  1. Isolate: Do not run npm install or any npm scripts
  2. Identify: Note all infected package versions from the report
  3. Remove/Rollback:
    # Remove infected package
    npm uninstall @infected/package
    
    # Or rollback to safe version
    npm install @infected/package@safe-version
  4. Rotate Credentials:
    • npm tokens: npm token revoke + create new
    • GitHub PATs: Settings → Developer settings → Regenerate
    • SSH keys: Generate new keypairs
    • AWS/GCP/Azure: Rotate all access keys and secrets
  5. Audit GitHub Actions:
    • Review .github/workflows/ for suspicious files
    • Check for unexpected branches
    • Review recent commits
  6. Scan CI/CD Environments: Check for persistence mechanisms

Data Source

This scanner uses the live compromised package list maintained by Koi Security:

  • URL: https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised
  • CSV: Auto-downloaded and cached for 1 hour
  • Updates: Koi.ai continuously updates the list as new compromised packages are discovered

License

MIT

Contributing

Issues and PRs welcome! Please ensure any contributions maintain zero external dependencies.