npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

wormwatch

v0.1.1

Published

Scan an npm project for known Shai-Hulud supply-chain worm indicators: compromised package versions, planted files, and malicious install scripts.

Readme

wormwatch

A small, zero-dependency CLI that scans an npm project for known Shai-Hulud supply-chain worm indicators: compromised package versions, planted payload files, and malicious install scripts.

Point it at a project and it tells you whether anything in your dependency tree matches a known indicator of compromise.

$ wormwatch .
[!!] .
  2 indicator(s) found:
    [HIGH] package: @ctrl/[email protected]
           ./node_modules/@ctrl/tinycolor
           Installed version is a known-compromised Shai-Hulud release.
    [MED ] file: setup_bun.js
           ./node_modules/@ctrl/tinycolor/setup_bun.js
           Injected by the Shai-Hulud 2.0 wave via an added preinstall script.
  Coverage: 214 package(s), 1 flagged file(s); lockfile parsed, node_modules scanned.

Why

Shai-Hulud is a self-replicating worm that spread through the npm ecosystem starting in September 2025, trojanizing hundreds of package versions (including widely used ones like @ctrl/tinycolor and ngx-bootstrap), stealing secrets during install, and republishing itself through compromised maintainer tokens. If you installed or locked a bad version, the signal is sitting in your project right now. wormwatch is a fast way to check, from the command line or in CI.

Install

npm install -g wormwatch     # once published
npx wormwatch .              # or run without installing
# from source:
git clone https://github.com/danraveh-ai/wormwatch && cd wormwatch
npm install && npm run build
node dist/src/cli.js .

Usage

wormwatch                       # scan the current directory
wormwatch ./my-app ./other-app  # scan several projects
wormwatch --json .              # machine-readable output
wormwatch --iocs latest.json .  # use an updated IOC set
wormwatch --quiet .; echo $?    # exit code only

Exit codes: 0 no known indicators found, 1 at least one indicator found, 2 an error occurred. The non-zero code on a hit makes it easy to fail a CI job when a dependency matches a known IOC.

What it checks

  • Package versions. Parses package-lock.json (v1, v2, and v3) and walks node_modules for installed name@version pairs that match known-compromised releases.
  • Planted files. Looks for the distinctively named files the worm drops inside packages (setup_bun.js, bun_environment.js, truffleSecrets.json) and the backdoor CI workflow .github/workflows/shai-hulud-workflow.yml.
  • Payload by hash. bundle.js is far too common a filename to flag by name, so it is matched by SHA-256 against the known payload hash instead.
  • Install scripts. Scans preinstall / install / postinstall hooks in the root and installed manifests for known IOC strings, including the hardcoded exfiltration endpoint.

Findings are labeled HIGH or MED confidence so you can triage. High-confidence hits (an exact bad version, a hash match, the backdoor workflow) are near-certain. Medium hits (a distinctively named file, a suspicious install script) are strong signals worth verifying by hand.

Scope and honesty

wormwatch does static matching against a curated IOC snapshot. It is deliberate about what it does and does not claim:

  • The bundled IOC set (data/shai-hulud-iocs.json) is a curated snapshot, not a complete inventory. Hundreds of versions were affected across multiple waves and vendor lists keep changing. Supply a fresher set with --iocs.
  • A clean result means no known IOCs were found in this project. It is not proof that the project is safe, and it says nothing about compromises outside the indicator set.
  • wormwatch does not do behavioral or dynamic malware analysis, and it does not remove anything. It reports; you decide.

The IOC dataset carries its own sources and curation date. If you are responding to a live incident, cross-check against the authoritative vendor advisories linked in that file.

Development

npm install
npm test        # builds, then runs the node:test suite

Written in TypeScript with no runtime dependencies. Tests build a real project tree in a temp directory for each case, with no network access.

License

MIT. See LICENSE.