vtk 0.9.5 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d1dcc8ae6e6afb5c4c1c924795a50653a6e017e471898f5c200b56c5a7b6b65c
-  data.tar.gz: 909287a71eec23d871a149a3cd44c5be0b1336fa7b5850c08eefb417a9842516
+  metadata.gz: c41b577facc94e32eb15aeea7f5817a49f54c31a568654c5dfe5da082d0775f9
+  data.tar.gz: 87820698519528ff97594bf9e148a0a20ca700026079a0fc2b65ede3bee84b19
 SHA512:
-  metadata.gz: f2d233defa6fe42e20f5627d214a3d3ef6737cd7ea85ee33b65680d1028762087d38926a5b3d6ed9297256501ad18931d405a6e0403f7d81fb420f375bd2b345
-  data.tar.gz: 85a0fd85fbc7c6c69bdc01714069a68bb2f0225180b89950d02c32e9cdbdcf7998d260925e637966665771cf57d4dc8b00d6002a995b42f5aca5a1495e77543e
+  metadata.gz: 729f7b3a93dd61661ad557d471796a059ada830970afe16bbeef7bdf84e0e92887a321249c5ffc025db051fe71dfffb00fdec836382e3041392ae3ddcc9e5b59
+  data.tar.gz: eb5411ac4f245210470d310767fabd2e877759a5dcb023b00ae4925e8dcb4dec16f7637441433ca978d809d807734b18e4e51d901f69107e8291d186309d2ba3

data/.github/workflows/main.yml

@@ -4,7 +4,7 @@ on: [push,pull_request]
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v2
     - uses: ruby/setup-ruby@v1

data/.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2021-08-06 20:18:41 UTC using RuboCop version 1.8.1.
+# on 2023-12-15 17:05:02 UTC using RuboCop version 1.59.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -9,4 +9,9 @@
 # Offense count: 1
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
-  Max: 405
+  Max: 403
+
+# Offense count: 2
+Style/OpenStructUse:
+  Exclude:
+    - 'lib/vtk/commands/socks/setup.rb'

data/.tool-versions

@@ -1 +1 @@
-ruby 3.2.2
+ruby 3.4.7

data/CHANGELOG.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## [v1.1.0](https://github.com/department-of-veterans-affairs/vtk/tree/v1.1.0) (2025-12-15)
+
+[Full Changelog](https://github.com/department-of-veterans-affairs/vtk/compare/v1.0.0...v1.1.0)
+
+**Merged pull requests:**
+
+- feat(scan): add vtk scan machine for Shai-Hulud detection [\#64](https://github.com/department-of-veterans-affairs/vtk/pull/64) ([ericboehs](https://github.com/ericboehs))
+- fix: resolve rubocop offenses in socks/setup.rb [\#66](https://github.com/department-of-veterans-affairs/vtk/pull/66) ([ericboehs](https://github.com/ericboehs))
+- Fix rubocop exceptions and update GH to run on Ubuntu Latest [\#63](https://github.com/department-of-veterans-affairs/vtk/pull/63) ([ericboehs](https://github.com/ericboehs))
+
+## [v1.0.0](https://github.com/department-of-veterans-affairs/vtk/tree/v1.0.0) (2024-09-18)
+
+🎉
+
+[Full Changelog](https://github.com/department-of-veterans-affairs/vtk/compare/v0.9.5...v1.0.0)
+
+**Merged pull requests:**
+
+- fix: OpenStruct is no longer auto required in Ruby 3.2 [\#62](https://github.com/department-of-veterans-affairs/vtk/pull/62) ([ericboehs](https://github.com/ericboehs))
+- Update RuboCop w/ corrections [\#53](https://github.com/department-of-veterans-affairs/vtk/pull/53) ([ericboehs](https://github.com/ericboehs))
+
+## [v0.9.5](https://github.com/department-of-veterans-affairs/vtk/tree/v0.9.5) (2023-12-15)
+
+[Full Changelog](https://github.com/department-of-veterans-affairs/vtk/compare/v0.9.4...v0.9.5)
+
+**Merged pull requests:**
+
+- Add sudo to proxy setup command for MacOS. [\#52](https://github.com/department-of-veterans-affairs/vtk/pull/52) ([omahane](https://github.com/omahane))
+
 ## [v0.9.4](https://github.com/department-of-veterans-affairs/vtk/tree/v0.9.4) (2022-04-11)
 
 [Full Changelog](https://github.com/department-of-veterans-affairs/vtk/compare/v0.9.3...v0.9.4)

data/Gemfile

@@ -4,3 +4,13 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in vtk.gemspec
 gemspec
+
+group :development do
+  gem 'github_changelog_generator', '~> 1.15.0'
+  gem 'pry', '~> 0.13.0'
+  gem 'rake', '~> 13.0.0'
+  gem 'rspec', '~> 3.10.0'
+  gem 'rubocop', '~> 1.59'
+  gem 'rubocop-rake', '~> 0.5.0'
+  gem 'rubocop-rspec', '~> 2.0.0'
+end

data/README.md

@@ -67,6 +67,39 @@ $ vtk socks off
 ----> Disconnected from SOCKS.
 ```
     
+### Scan
+
+Security scanning commands for detecting malware and vulnerabilities.
+
+---
+
+```
+$ vtk scan machine
+```
+
+The **machine subcommand** checks your local machine for signs of active Shai-Hulud malware infection. This is a fast (~5 second) check that looks for:
+
+- **Critical indicators**: `~/.dev-env/` persistence folder, malicious processes (Runner.Listener, SHA1HULUD), malware payload files
+- **High-risk indicators**: Exfiltration artifacts, unexpected Bun/Trufflehog installations
+- **Credential inventory**: Lists credential files that should be rotated if infected
+
+**Exit codes:**
+- `0` - Clean (no infection indicators)
+- `1` - Infected (critical indicators found)
+- `2` - Warning (needs investigation)
+
+**Options:**
+- `--verbose` / `-v` - Detailed output with all checks
+- `--quiet` / `-q` - Exit code only, no output
+- `--json` / `-j` - JSON output format
+
+Example:
+```
+$ vtk scan machine --quiet && echo "Clean" || echo "Check machine!"
+```
+
+---
+
 ### Help
 
 For helpful information about commands and subcommands run the following:
@@ -74,6 +107,7 @@ For helpful information about commands and subcommands run the following:
     $ vtk -h
     $ vtk module -h
     $ vtk socks -h
+    $ vtk scan -h
 
 ### Docker
 

data/lib/vtk/cli.rb

@@ -23,5 +23,8 @@ module Vtk
 
     require_relative 'commands/module'
     register Vtk::Commands::Module, 'module', 'module [SUBCOMMAND]', 'Command description...'
+
+    require_relative 'commands/scan'
+    register Vtk::Commands::Scan, 'scan', 'scan [SUBCOMMAND]', 'Security scanning for malware and vulnerabilities'
   end
 end

data/lib/vtk/commands/scan/machine.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'English'
+require_relative '../../command'
+
+module Vtk
+  module Commands
+    class Scan
+      # Check for active malware infection indicators (Shai-Hulud)
+      class Machine < Vtk::Command
+        attr_reader :options
+
+        def initialize(options)
+          @options = options
+          super()
+        end
+
+        def execute(output: $stdout)
+          @output = output
+
+          script_path, gem_root = find_script
+          return script_not_found(output, gem_root) unless script_path
+
+          run_script(script_path)
+        end
+
+        private
+
+        def script_not_found(output, gem_root)
+          output.puts 'ERROR: Could not find shai-hulud-machine-check.sh script'
+          output.puts "Expected at: #{gem_root}/scripts/shai-hulud-machine-check.sh"
+          1
+        end
+
+        def run_script(script_path)
+          cmd = ['bash', script_path]
+          cmd << '--verbose' if options[:verbose]
+          cmd << '--json' if options[:json]
+          cmd << '--quiet' if options[:quiet]
+          cmd << "--scan-dirs=#{options[:scan_dirs]}" if options[:scan_dirs]
+
+          system(*cmd)
+          $CHILD_STATUS.exitstatus
+        end
+
+        def find_script
+          # Look for script relative to this gem's location
+          # __dir__ = lib/vtk/commands/scan, so go up 4 levels to get to vtk root
+          gem_root = File.expand_path('../../../..', __dir__)
+          script_path = File.join(gem_root, 'scripts', 'shai-hulud-machine-check.sh')
+
+          # Use explicit bash interpreter, so executable bit not required
+          return [script_path, gem_root] if File.exist?(script_path)
+
+          [nil, gem_root]
+        end
+      end
+    end
+  end
+end

data/lib/vtk/commands/scan.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'thor'
+
+module Vtk
+  module Commands
+    # Security scanning commands for developer machines and repositories
+    class Scan < Thor
+      namespace :scan
+
+      desc 'machine', 'Check for active malware infection indicators (Shai-Hulud)'
+      method_option :help, aliases: '-h', type: :boolean,
+                           desc: 'Display usage information'
+      method_option :verbose, aliases: '-v', type: :boolean,
+                              desc: 'Detailed output with all checks'
+      method_option :json, aliases: '-j', type: :boolean,
+                           desc: 'Output results as JSON'
+      method_option :quiet, aliases: '-q', type: :boolean,
+                            desc: 'Exit code only, no output'
+      method_option :scan_dirs, type: :string,
+                                desc: 'Additional directories to scan for backdoor workflows (comma-separated)'
+      def machine
+        if options[:help]
+          invoke :help, ['machine']
+        else
+          require_relative 'scan/machine'
+          exit_status = Vtk::Commands::Scan::Machine.new(options).execute
+          exit exit_status
+        end
+      end
+
+      # Future subcommands:
+      # desc 'repos', 'Scan lockfiles for compromised packages'
+      # desc 'credentials', 'Inventory credentials that may need rotation'
+    end
+  end
+end

data/lib/vtk/commands/socks/on.rb

@@ -30,14 +30,14 @@ module Vtk
 
         def connected?
           system "curl --max-time 2 -sL --proxy socks5h://127.0.0.1:#{port} sentry.vfs.va.gov 2> /dev/null | " \
-            'grep -q sentry-logo'
+                 'grep -q sentry-logo'
         end
 
         def connect_to_socks
           exit if system "lsof -Pi :#{port} -sTCP:LISTEN -t > /dev/null"
 
           Process.spawn "nohup ssh -vvv -o ServerAliveInterval=60 -o ConnectTimeout=5 socks -D #{port} -N" \
-            '> /tmp/socks.log 2>&1 &'
+                        '> /tmp/socks.log 2>&1 &'
         end
 
         def ensure_connection

data/lib/vtk/commands/socks/setup.rb

@@ -4,6 +4,7 @@ require_relative '../../command'
 require 'tty-prompt'
 require 'fileutils'
 require 'erb'
+require 'ostruct'
 
 module Vtk
   module Commands
@@ -11,7 +12,7 @@ module Vtk
       # Sets up socks access to the VA network
       class Setup < Vtk::Command
         PROXY_URL = 'https://raw.githubusercontent.com/department-of-veterans-affairs/va.gov-team/master/' \
-          'scripts/socks/proxy.pac'
+                    'scripts/socks/proxy.pac'
 
         attr_reader :ssh_config_path, :input, :output, :boot_script_path, :ssh_key_path, :prompt, :port, :skip_test
 
@@ -19,9 +20,9 @@ module Vtk
           @options = options
           @prompt = TTY::Prompt.new interrupt: :exit
           @port = options['port'] || '2001'
-          @boot_script_path = options['boot_script_path'] || "#{ENV['HOME']}/Library"
-          @ssh_key_path = options['ssh_key_path'] || "#{ENV['HOME']}/.ssh/id_rsa_vagov"
-          @ssh_config_path = options['ssh_config_path'] || "#{ENV['HOME']}/.ssh/config"
+          @boot_script_path = options['boot_script_path'] || "#{Dir.home}/Library"
+          @ssh_key_path = options['ssh_key_path'] || "#{Dir.home}/.ssh/id_rsa_vagov"
+          @ssh_config_path = options['ssh_config_path'] || "#{Dir.home}/.ssh/config"
           @skip_test = options['skip_test'] || false
 
           super()
@@ -170,7 +171,7 @@ module Vtk
 
           ssh_agent_add
           system 'git config --global credential.helper > /dev/null || ' \
-            "git config --global credential.helper 'cache --timeout=600'"
+                 "git config --global credential.helper 'cache --timeout=600'"
           cloned = system(
             "git clone --quiet#{' --depth 1' if macos?} --no-checkout --filter=blob:none #{repo_url} '/tmp/dova-devops'"
           )
@@ -207,7 +208,7 @@ module Vtk
           @repo_url ||= begin
             keyscan_github_com
 
-            if github_ssh_configured
+            if github_ssh_configured?
               'git@github.com:department-of-veterans-affairs/devops.git'
             else
               'https://github.com/department-of-veterans-affairs/devops.git'
@@ -221,7 +222,7 @@ module Vtk
           `ssh-keyscan -H github.com >> ~/.ssh/known_hosts 2> /dev/null`
         end
 
-        def github_ssh_configured
+        def github_ssh_configured?
           !`ssh -T git@github.com 2>&1`.include?('Permission denied')
         end
 
@@ -230,7 +231,7 @@ module Vtk
 
           if File.exist? "#{ssh_config_path}.bak"
             log "!!! ERROR: Could not make backup of #{pretty_ssh_config_path} as #{pretty_ssh_config_path}.bak " \
-              'exists. Aborting.'
+                'exists. Aborting.'
             exit 1
           end
 
@@ -256,7 +257,7 @@ module Vtk
               IdentityFile #{pretty_ssh_key_path}
           CFG
 
-          IO.write ssh_config_path, keychain_config, mode: 'a'
+          File.write ssh_config_path, keychain_config, mode: 'a'
         end
 
         def ssh_config_configured_with_keychain?
@@ -330,7 +331,7 @@ module Vtk
         def wsl_configure_system_boot
           return true if File.exist? socks_bat
 
-          IO.write socks_bat, 'wsl nohup bash -c "/usr/bin/ssh socks -N &" < nul > nul 2>&1', mode: 'a'
+          File.write socks_bat, 'wsl nohup bash -c "/usr/bin/ssh socks -N &" < nul > nul 2>&1', mode: 'a'
         end
 
         def socks_bat
@@ -400,7 +401,7 @@ module Vtk
             autossh_path: `which autossh`.chomp,
             port: @port,
             boot_script_path: File.realpath(boot_script_path),
-            user: ENV['USER']
+            user: ENV.fetch('USER', nil)
           )
         end
 
@@ -429,7 +430,7 @@ module Vtk
             autossh_path: `which autossh`.chomp,
             port: @port,
             ssh_key_path: ssh_key_path,
-            user: ENV['USER']
+            user: ENV.fetch('USER', nil)
           )
         end
 
@@ -459,8 +460,8 @@ module Vtk
           return true if `gsettings get org.gnome.system.proxy mode` == "'auto'\n"
 
           log 'Configuring system proxy to use SOCKS tunnel...' do
-            `gsettings set org.gnome.system.proxy mode 'auto'` &&
-              `gsettings set org.gnome.system.proxy autoconfig-url "#{PROXY_URL}"`
+            system("gsettings set org.gnome.system.proxy mode 'auto'") &&
+              system("gsettings set org.gnome.system.proxy autoconfig-url '#{PROXY_URL}'")
           end
         end
 
@@ -479,10 +480,8 @@ module Vtk
         end
 
         def network_interfaces
-          @network_interfaces ||= begin
-            `networksetup -listallnetworkservices`.split("\n").drop(1).select do |network_interface|
-              `networksetup -getautoproxyurl "#{network_interface}"`.start_with?('URL: (null)')
-            end
+          @network_interfaces ||= `networksetup -listallnetworkservices`.split("\n").drop(1).select do |interface|
+            `networksetup -getautoproxyurl "#{interface}"`.start_with?('URL: (null)')
           end
         end
 
@@ -509,7 +508,7 @@ module Vtk
         end
 
         def pretty_path(path)
-          path.gsub ENV['HOME'], '~'
+          path.gsub Dir.home, '~'
         end
 
         def log(message)

data/lib/vtk/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Vtk
-  VERSION = '0.9.5'
+  VERSION = '1.1.0'
 end

data/scripts/shai-hulud-machine-check.sh

@@ -0,0 +1,531 @@
+#!/bin/bash
+#
+# Shai-Hulud Machine Infection Checker
+# =====================================
+#
+# Quick script to check if your machine shows signs of active Shai-Hulud infection.
+# This is a FAST check (~5 seconds) for infection indicators only.
+#
+# WHAT THIS CHECKS:
+#
+#   CRITICAL (Active Infection):
+#     - ~/.dev-env/ persistence folder (contains GitHub self-hosted runner)
+#     - ~/.truffler-cache/ malware cache (NOT legit Trufflehog which uses ~/.trufflehog/)
+#     - Running processes: Runner.Listener, SHA1HULUD, suspicious node/bun
+#     - Malware files: setup_bun.js, bun_environment.js
+#     - Backdoor workflows: .github/workflows/discussion.yaml
+#
+#   HIGH (Exfiltration Likely Occurred):
+#     - Exfiltration artifacts: cloud.json, truffleSecrets.json, etc.
+#     - Unexpected ~/.bun/ installation
+#     - Unexpected Trufflehog binary
+#
+#   INFO (Credentials to Rotate if Infected):
+#     - Lists credential files the malware targets
+#     - ~/.npmrc, ~/.aws/, ~/.config/gh/, etc.
+#
+# EXIT CODES:
+#   0 - Clean (no infection indicators found)
+#   1 - INFECTED (critical indicators found)
+#   2 - WARNING (high-risk indicators, needs investigation)
+#
+# USAGE:
+#   ./shai-hulud-machine-check.sh              # Compact output
+#   ./shai-hulud-machine-check.sh --verbose    # Detailed output
+#   ./shai-hulud-machine-check.sh --quiet      # Exit code only
+#   ./shai-hulud-machine-check.sh --json       # JSON output
+#   ./shai-hulud-machine-check.sh --scan-dirs=~/repos,~/work  # Additional dirs
+#
+# References:
+#   - Wiz.io: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
+#   - Datadog: https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/
+#
+# Author: Eric Boehs / EERT (with Claude Code)
+# Version: 1.1.0
+# Date: December 2025
+#
+
+set -e
+
+# Parse arguments
+QUIET=false
+JSON=false
+VERBOSE=false
+EXTRA_SCAN_DIRS=""
+for arg in "$@"; do
+  case $arg in
+    --quiet|-q) QUIET=true ;;
+    --json|-j) JSON=true ;;
+    --verbose|-v) VERBOSE=true ;;
+    --scan-dirs=*) EXTRA_SCAN_DIRS="${arg#*=}" ;;
+    --help|-h)
+      echo "Usage: $0 [--verbose|-v] [--quiet|-q] [--json|-j] [--scan-dirs=DIR1,DIR2,...]"
+      echo "  --verbose    Detailed output with all checks"
+      echo "  --quiet      Exit code only, no output"
+      echo "  --json       JSON output format"
+      echo "  --scan-dirs  Additional directories to scan for backdoor workflows (comma-separated)"
+      exit 0
+      ;;
+  esac
+done
+
+# Default directories to scan for backdoor workflows
+DEFAULT_SCAN_DIRS=("$HOME/Code" "$HOME/Projects" "$HOME/src" "$HOME/dev" "$HOME/workspace")
+
+# Build final scan dirs list
+SCAN_DIRS=("${DEFAULT_SCAN_DIRS[@]}")
+if [ -n "$EXTRA_SCAN_DIRS" ]; then
+  IFS=',' read -ra EXTRA_DIRS <<< "$EXTRA_SCAN_DIRS"
+  for dir in "${EXTRA_DIRS[@]}"; do
+    # Expand ~ to $HOME
+    expanded_dir="${dir/#\~/$HOME}"
+    SCAN_DIRS+=("$expanded_dir")
+  done
+fi
+
+# Results tracking
+CRITICAL_FINDINGS=()
+HIGH_FINDINGS=()
+INFO_FINDINGS=()
+
+# Colors (disabled in quiet/json mode)
+if [ "$QUIET" = false ] && [ "$JSON" = false ] && [ -t 1 ]; then
+  RED='\033[0;31m'
+  YELLOW='\033[0;33m'
+  GREEN='\033[0;32m'
+  CYAN='\033[0;36m'
+  BOLD='\033[1m'
+  NC='\033[0m' # No Color
+else
+  RED='' YELLOW='' GREEN='' CYAN='' BOLD='' NC=''
+fi
+
+# Logging functions
+log() {
+  if [ "$QUIET" = false ] && [ "$JSON" = false ]; then
+    echo -e "$@"
+  fi
+}
+
+log_verbose() {
+  if [ "$VERBOSE" = true ] && [ "$QUIET" = false ] && [ "$JSON" = false ]; then
+    echo -e "$@"
+  fi
+}
+
+log_critical() {
+  CRITICAL_FINDINGS+=("$1")
+}
+
+log_high() {
+  HIGH_FINDINGS+=("$1")
+}
+
+log_info() {
+  INFO_FINDINGS+=("$1")
+}
+
+# Verbose header
+log_verbose ""
+log_verbose "${BOLD}========================================${NC}"
+log_verbose "${BOLD}  Shai-Hulud Machine Infection Check${NC}"
+log_verbose "${BOLD}========================================${NC}"
+log_verbose ""
+log_verbose "Checking for active infection indicators..."
+log_verbose ""
+
+###########################################
+# CRITICAL CHECKS
+###########################################
+
+log_verbose "${BOLD}=== Critical Checks ===${NC}"
+log_verbose ""
+
+# 1. Check for ~/.dev-env/ persistence folder
+log_verbose "Checking for persistence folder (~/.dev-env/)..."
+if [ -d "$HOME/.dev-env" ]; then
+  log_critical "~/.dev-env/ persistence folder found"
+  log_verbose "  ${RED}[CRITICAL]${NC} PERSISTENCE FOLDER FOUND: ~/.dev-env/"
+  log_verbose "  This folder contains the malware's self-hosted GitHub runner."
+  log_verbose "  Contents:"
+  ls -la "$HOME/.dev-env" 2>/dev/null | head -10 | while read line; do log_verbose "    $line"; done
+else
+  log_verbose "  ${GREEN}Not found${NC}"
+fi
+
+# 1b. Check for ~/.truffler-cache/ (malware-specific Trufflehog cache)
+log_verbose ""
+log_verbose "Checking for malware Trufflehog cache (~/.truffler-cache/)..."
+if [ -d "$HOME/.truffler-cache" ]; then
+  log_critical "~/.truffler-cache/ malware cache found"
+  log_verbose "  ${RED}[CRITICAL]${NC} MALWARE CACHE FOUND: ~/.truffler-cache/"
+  log_verbose "  This is a MALWARE-SPECIFIC path (legit Trufflehog uses ~/.trufflehog/)."
+  log_verbose "  The malware stores its Trufflehog binary here to scan for secrets."
+  log_verbose "  Contents:"
+  ls -la "$HOME/.truffler-cache" 2>/dev/null | head -10 | while read line; do log_verbose "    $line"; done
+else
+  log_verbose "  ${GREEN}Not found${NC}"
+fi
+
+# 2. Check for malicious running processes
+log_verbose ""
+log_verbose "Checking for malicious processes..."
+
+# Runner.Listener (GitHub self-hosted runner - malware installs this)
+if pgrep -f "Runner.Listener" > /dev/null 2>&1; then
+  log_critical "Runner.Listener process running"
+  log_verbose "  ${RED}[CRITICAL]${NC} MALICIOUS PROCESS: Runner.Listener is running"
+  log_verbose "  PIDs: $(pgrep -f 'Runner.Listener' | tr '\n' ' ')"
+fi
+
+# SHA1HULUD process
+if pgrep -f "SHA1HULUD" > /dev/null 2>&1; then
+  log_critical "SHA1HULUD process running"
+  log_verbose "  ${RED}[CRITICAL]${NC} MALICIOUS PROCESS: SHA1HULUD is running"
+  log_verbose "  PIDs: $(pgrep -f 'SHA1HULUD' | tr '\n' ' ')"
+fi
+
+# Check for node processes running from ~/.dev-env
+if pgrep -f "$HOME/.dev-env" > /dev/null 2>&1; then
+  log_critical "Process running from ~/.dev-env"
+  log_verbose "  ${RED}[CRITICAL]${NC} MALICIOUS PROCESS: Process running from ~/.dev-env"
+  log_verbose "  PIDs: $(pgrep -f "$HOME/.dev-env" | tr '\n' ' ')"
+fi
+
+# Check for suspicious bun processes (from ~/.bun if unexpected)
+if pgrep -f "$HOME/.bun/bin/bun" > /dev/null 2>&1; then
+  log_high "bun process running from ~/.bun/bin/bun"
+  log_verbose "  ${YELLOW}[HIGH]${NC} SUSPICIOUS PROCESS: bun running from ~/.bun/bin/bun"
+  log_verbose "  This could be legitimate if you installed Bun intentionally."
+  log_verbose "  PIDs: $(pgrep -f "$HOME/.bun/bin/bun" | tr '\n' ' ')"
+fi
+
+# If no malicious processes found
+if ! pgrep -f "Runner.Listener" > /dev/null 2>&1 && \
+   ! pgrep -f "SHA1HULUD" > /dev/null 2>&1 && \
+   ! pgrep -f "$HOME/.dev-env" > /dev/null 2>&1; then
+  log_verbose "  ${GREEN}No malicious processes detected${NC}"
+fi
+
+# 3. Check for malware payload files in home directory
+log_verbose ""
+log_verbose "Checking for malware files in home directory..."
+MALWARE_FILES=("setup_bun.js" "bun_environment.js")
+MALWARE_FOUND=false
+for file in "${MALWARE_FILES[@]}"; do
+  if [ -f "$HOME/$file" ]; then
+    log_critical "Malware file: ~/$file"
+    log_verbose "  ${RED}[CRITICAL]${NC} MALWARE FILE FOUND: ~/$file"
+    MALWARE_FOUND=true
+  fi
+done
+
+# Check in common locations
+for dir in "$HOME" "$HOME/Desktop" "$HOME/Downloads" "/tmp"; do
+  if [ -d "$dir" ]; then
+    for file in "${MALWARE_FILES[@]}"; do
+      FOUND=$(find "$dir" -maxdepth 2 -name "$file" -type f 2>/dev/null | head -5)
+      if [ -n "$FOUND" ]; then
+        while IFS= read -r f; do
+          log_critical "Malware file: $f"
+          log_verbose "  ${RED}[CRITICAL]${NC} MALWARE FILE FOUND: $f"
+          MALWARE_FOUND=true
+        done <<< "$FOUND"
+      fi
+    done
+  fi
+done
+
+if [ "$MALWARE_FOUND" = false ]; then
+  log_verbose "  ${GREEN}No malware files detected${NC}"
+fi
+
+# 4. Check for backdoor workflow files
+log_verbose ""
+log_verbose "Checking for backdoor workflow files..."
+log_verbose "  Scanning directories:"
+for dir in "${SCAN_DIRS[@]}"; do
+  if [ -d "$dir" ]; then
+    log_verbose "    - $dir"
+  else
+    log_verbose "    - $dir ${YELLOW}(not found)${NC}"
+  fi
+done
+log_verbose ""
+BACKDOOR_FOUND=false
+# Search for discussion.yaml in .github/workflows directories
+# The malicious workflow contains: runs-on: self-hosted AND ${{ github.event.discussion.body }}
+for base_dir in "${SCAN_DIRS[@]}"; do
+  if [ -d "$base_dir" ]; then
+    FOUND=$(find "$base_dir" -maxdepth 5 -path "*/.github/workflows/discussion.yaml" -type f 2>/dev/null | head -10)
+    if [ -n "$FOUND" ]; then
+      while IFS= read -r f; do
+        # Check if file contains the malicious pattern
+        if grep -q "self-hosted" "$f" 2>/dev/null && grep -q "github.event.discussion" "$f" 2>/dev/null; then
+          log_critical "Backdoor workflow: $f"
+          log_verbose "  ${RED}[CRITICAL]${NC} BACKDOOR WORKFLOW FOUND: $f"
+          log_verbose "  This workflow uses self-hosted runner with discussion body injection."
+          BACKDOOR_FOUND=true
+        else
+          log_high "Unverified discussion.yaml: $f"
+          log_verbose "  ${YELLOW}[HIGH]${NC} UNVERIFIED WORKFLOW: $f"
+          log_verbose "  Found discussion.yaml - please verify this is legitimate."
+        fi
+      done <<< "$FOUND"
+    fi
+  fi
+done
+
+if [ "$BACKDOOR_FOUND" = false ]; then
+  log_verbose "  ${GREEN}No backdoor workflows detected${NC}"
+fi
+
+###########################################
+# HIGH-RISK CHECKS
+###########################################
+
+log_verbose ""
+log_verbose "${BOLD}=== High-Risk Checks ===${NC}"
+log_verbose ""
+
+# 4. Check for exfiltration artifacts
+log_verbose "Checking for exfiltration artifacts..."
+EXFIL_FILES=("cloud.json" "truffleSecrets.json" "environment.json" "actionsSecrets.json" "contents.json")
+EXFIL_FOUND=false
+for file in "${EXFIL_FILES[@]}"; do
+  # Check home directory and common locations
+  for dir in "$HOME" "/tmp" "$HOME/Desktop" "$HOME/Downloads"; do
+    if [ -f "$dir/$file" ]; then
+      log_high "Exfiltration artifact: $dir/$file"
+      log_verbose "  ${YELLOW}[HIGH]${NC} EXFILTRATION ARTIFACT: $dir/$file"
+      EXFIL_FOUND=true
+    fi
+  done
+done
+
+if [ "$EXFIL_FOUND" = false ]; then
+  log_verbose "  ${GREEN}No exfiltration artifacts detected${NC}"
+fi
+
+# 5. Check for unexpected Bun installation
+log_verbose ""
+log_verbose "Checking for unexpected Bun installation..."
+if [ -d "$HOME/.bun" ]; then
+  log_high "~/.bun/ installation found"
+  log_verbose "  ${YELLOW}[HIGH]${NC} BUN INSTALLATION FOUND: ~/.bun/"
+  log_verbose "  If you did NOT install Bun intentionally, this is suspicious."
+  log_verbose "  Bun version: $(~/.bun/bin/bun --version 2>/dev/null || echo 'unknown')"
+elif command -v bun &> /dev/null; then
+  BUN_PATH=$(which bun)
+  log_high "Bun found: $BUN_PATH"
+  log_verbose "  ${YELLOW}[HIGH]${NC} BUN FOUND IN PATH: $BUN_PATH"
+  log_verbose "  If you did NOT install Bun intentionally, investigate."
+else
+  log_verbose "  ${GREEN}No unexpected Bun installation${NC}"
+fi
+
+# 6. Check for Trufflehog (malware downloads this to scan for secrets)
+log_verbose ""
+log_verbose "Checking for unexpected Trufflehog..."
+if command -v trufflehog &> /dev/null; then
+  TH_PATH=$(which trufflehog)
+  log_high "Trufflehog found: $TH_PATH"
+  log_verbose "  ${YELLOW}[HIGH]${NC} TRUFFLEHOG FOUND: $TH_PATH"
+  log_verbose "  The malware uses Trufflehog to scan for secrets."
+  log_verbose "  If you did NOT install this intentionally, investigate."
+elif [ -f "$HOME/.local/bin/trufflehog" ] || [ -f "/tmp/trufflehog" ]; then
+  log_high "Trufflehog in suspicious location"
+  log_verbose "  ${YELLOW}[HIGH]${NC} TRUFFLEHOG FOUND in suspicious location"
+else
+  log_verbose "  ${GREEN}No unexpected Trufflehog installation${NC}"
+fi
+
+###########################################
+# INFORMATIONAL - Credentials at Risk
+###########################################
+
+log_verbose ""
+log_verbose "${BOLD}=== Credential Files (Rotate if Infected) ===${NC}"
+log_verbose ""
+log_verbose "These are files the malware targets for exfiltration."
+log_verbose "If your machine is infected, ROTATE ALL OF THESE:"
+log_verbose ""
+
+# NPM tokens
+if [ -f "$HOME/.npmrc" ]; then
+  if grep -qi "authtoken\|_auth" "$HOME/.npmrc" 2>/dev/null; then
+    log_info "~/.npmrc contains auth tokens"
+    log_verbose "  ${CYAN}[INFO]${NC} ~/.npmrc contains auth tokens - ROTATE NPM TOKENS"
+  else
+    log_verbose "  ~/.npmrc exists (no tokens detected)"
+  fi
+else
+  log_verbose "  ~/.npmrc not found"
+fi
+
+# AWS credentials
+if [ -d "$HOME/.aws" ]; then
+  log_info "~/.aws/ exists"
+  log_verbose "  ${CYAN}[INFO]${NC} ~/.aws/ exists - ROTATE AWS ACCESS KEYS"
+else
+  log_verbose "  ~/.aws/ not found"
+fi
+
+# GCP credentials
+if [ -f "$HOME/.config/gcloud/application_default_credentials.json" ]; then
+  log_info "GCP ADC exists"
+  log_verbose "  ${CYAN}[INFO]${NC} GCP ADC exists - RE-AUTHENTICATE with 'gcloud auth application-default login'"
+else
+  log_verbose "  GCP ADC not found"
+fi
+
+# Azure credentials
+if [ -d "$HOME/.azure" ]; then
+  log_info "~/.azure/ exists"
+  log_verbose "  ${CYAN}[INFO]${NC} ~/.azure/ exists - RE-AUTHENTICATE with 'az login'"
+else
+  log_verbose "  ~/.azure/ not found"
+fi
+
+# GitHub CLI
+if [ -f "$HOME/.config/gh/hosts.yml" ]; then
+  log_info "GitHub CLI authenticated"
+  log_verbose "  ${CYAN}[INFO]${NC} GitHub CLI authenticated - ROTATE TOKEN with 'gh auth logout && gh auth login'"
+else
+  log_verbose "  GitHub CLI not authenticated"
+fi
+
+# SSH keys
+if [ -d "$HOME/.ssh" ] && ls "$HOME/.ssh/"*.pub &> /dev/null; then
+  log_info "SSH keys exist"
+  log_verbose "  ${CYAN}[INFO]${NC} SSH keys exist (~/.ssh/) - Consider rotating if infected"
+fi
+
+# Git credentials
+if [ -f "$HOME/.git-credentials" ]; then
+  log_info "~/.git-credentials exists"
+  log_verbose "  ${CYAN}[INFO]${NC} ~/.git-credentials exists - ROTATE stored credentials"
+fi
+
+# Environment variables with secrets
+SENSITIVE_VARS=$(env | grep -iE "token|key|secret|password|credential|auth|api" 2>/dev/null | wc -l | tr -d ' ')
+if [ "$SENSITIVE_VARS" -gt 0 ]; then
+  log_info "$SENSITIVE_VARS sensitive env vars"
+  log_verbose "  ${CYAN}[INFO]${NC} $SENSITIVE_VARS sensitive environment variables detected"
+fi
+
+###########################################
+# SUMMARY
+###########################################
+
+log_verbose ""
+log_verbose "${BOLD}========================================${NC}"
+
+# Determine final status
+EXIT_CODE=0
+if [ ${#CRITICAL_FINDINGS[@]} -gt 0 ]; then
+  EXIT_CODE=1
+  if [ "$VERBOSE" = true ]; then
+    log "${RED}${BOLD}  STATUS: INFECTED${NC}"
+    log "${RED}${BOLD}========================================${NC}"
+    log ""
+    log "${RED}CRITICAL FINDINGS (${#CRITICAL_FINDINGS[@]}):${NC}"
+    for finding in "${CRITICAL_FINDINGS[@]}"; do
+      log "  - $finding"
+    done
+    log ""
+    log "${BOLD}IMMEDIATE ACTIONS:${NC}"
+    log "  1. DISCONNECT from network immediately"
+    log "  2. Do NOT run npm/yarn/node commands"
+    log "  3. Follow the cleanup playbook"
+    log "  4. Rotate ALL credentials listed above"
+  else
+    log "${RED}${BOLD}Shai-Hulud Check: INFECTED${NC}"
+    for finding in "${CRITICAL_FINDINGS[@]}"; do
+      log "  ${RED}-${NC} $finding"
+    done
+    log ""
+    log "Run with ${BOLD}--verbose${NC} for details and remediation steps"
+  fi
+elif [ ${#HIGH_FINDINGS[@]} -gt 0 ]; then
+  EXIT_CODE=2
+  if [ "$VERBOSE" = true ]; then
+    log "${YELLOW}${BOLD}  STATUS: WARNING - INVESTIGATE${NC}"
+    log "${YELLOW}${BOLD}========================================${NC}"
+    log ""
+    log "${YELLOW}HIGH-RISK FINDINGS (${#HIGH_FINDINGS[@]}):${NC}"
+    for finding in "${HIGH_FINDINGS[@]}"; do
+      log "  - $finding"
+    done
+    log ""
+    log "${BOLD}RECOMMENDED ACTIONS:${NC}"
+    log "  1. Verify if Bun/Trufflehog were installed intentionally"
+    log "  2. If not intentional, treat as potentially infected"
+    log "  3. Investigate further before running any package manager commands"
+  else
+    log "${YELLOW}${BOLD}Shai-Hulud Check: WARNING${NC}"
+    for finding in "${HIGH_FINDINGS[@]}"; do
+      log "  ${YELLOW}-${NC} $finding"
+    done
+    log ""
+    log "These may be legitimate if you installed them intentionally."
+    log "Run with ${BOLD}--verbose${NC} for details or investigate if unexpected."
+  fi
+else
+  if [ "$VERBOSE" = true ]; then
+    log "${GREEN}${BOLD}  STATUS: CLEAN${NC}"
+    log "${GREEN}${BOLD}========================================${NC}"
+    log ""
+    log "${GREEN}No active infection indicators detected.${NC}"
+    log ""
+    log "Next steps:"
+    log "  - Verify your repos don't have compromised packages"
+    log "  - Check your lockfiles for known malicious packages"
+  else
+    log "${GREEN}${BOLD}Shai-Hulud Check: CLEAN${NC}"
+  fi
+fi
+
+log ""
+
+# JSON output mode
+if [ "$JSON" = true ]; then
+  # Build JSON array from bash array (no jq dependency)
+  json_array() {
+    local arr=("$@")
+    if [ ${#arr[@]} -eq 0 ]; then
+      echo '[]'
+      return
+    fi
+    local result='['
+    local first=true
+    for item in "${arr[@]}"; do
+      if [ "$first" = true ]; then
+        first=false
+      else
+        result+=','
+      fi
+      # Escape quotes and backslashes for JSON
+      item="${item//\\/\\\\}"
+      item="${item//\"/\\\"}"
+      result+="\"$item\""
+    done
+    result+=']'
+    echo "$result"
+  }
+
+  cat <<EOF
+{
+  "status": "$([ ${#CRITICAL_FINDINGS[@]} -gt 0 ] && echo 'INFECTED' || ([ ${#HIGH_FINDINGS[@]} -gt 0 ] && echo 'WARNING' || echo 'CLEAN'))",
+  "critical_count": ${#CRITICAL_FINDINGS[@]},
+  "high_count": ${#HIGH_FINDINGS[@]},
+  "info_count": ${#INFO_FINDINGS[@]},
+  "critical_findings": $(json_array "${CRITICAL_FINDINGS[@]}"),
+  "high_findings": $(json_array "${HIGH_FINDINGS[@]}"),
+  "info_findings": $(json_array "${INFO_FINDINGS[@]}"),
+  "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+}
+EOF
+fi
+
+exit $EXIT_CODE

data/vtk.gemspec

@@ -18,6 +18,7 @@ Gem::Specification.new do |spec|
   spec.metadata['documentation_uri'] = spec.homepage
   spec.metadata['source_code_uri'] = spec.homepage
   spec.metadata['changelog_uri'] = 'https://github.com/department-of-veterans-affairs/vtk/blob/master/CHANGELOG.md'
+  spec.metadata['rubygems_mfa_required'] = 'true'
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -31,15 +32,4 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'thor', '> 0.20.3'
   spec.add_dependency 'tty-command', '~> 0.10.0'
   spec.add_dependency 'tty-prompt', '~> 0.23.0'
-
-  spec.add_development_dependency 'github_changelog_generator', '~> 1.15.0'
-  spec.add_development_dependency 'pry', '~> 0.13.0'
-  spec.add_development_dependency 'rake', '~> 13.0.0'
-  spec.add_development_dependency 'rspec', '~> 3.10.0'
-  spec.add_development_dependency 'rubocop', '~> 1.8.0'
-  spec.add_development_dependency 'rubocop-rake', '~> 0.5.0'
-  spec.add_development_dependency 'rubocop-rspec', '~> 2.0.0'
-
-  # For more information and examples about making a new gem, checkout our
-  # guide at: https://bundler.io/guides/creating_gem.html
 end

metadata

@@ -1,16 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: vtk
 version: !ruby/object:Gem::Version
-  version: 0.9.5
+  version: 1.1.0
 platform: ruby
 authors:
 - Eric Boehs
 - Lindsey Hattamer
 - Travis Hilton
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-12-15 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -54,104 +53,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.23.0
-- !ruby/object:Gem::Dependency
-  name: github_changelog_generator
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.15.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.15.0
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.13.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.13.0
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 13.0.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 13.0.0
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 3.10.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 3.10.0
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.8.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.8.0
-- !ruby/object:Gem::Dependency
-  name: rubocop-rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.5.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.5.0
-- !ruby/object:Gem::Dependency
-  name: rubocop-rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.0.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.0.0
 description: This is a platform CLI tool for VFS developer usage.
 email:
 - eric.boehs@oddball.io
@@ -189,6 +90,8 @@ files:
 - lib/vtk/commands/module/model.rb
 - lib/vtk/commands/module/serializer.rb
 - lib/vtk/commands/module/service.rb
+- lib/vtk/commands/scan.rb
+- lib/vtk/commands/scan/machine.rb
 - lib/vtk/commands/socks.rb
 - lib/vtk/commands/socks/off.rb
 - lib/vtk/commands/socks/on.rb
@@ -199,6 +102,7 @@ files:
 - lib/vtk/templates/socks/setup/gov.va.socks.plist.erb
 - lib/vtk/templates/socks/setup/va_gov_socks.service.erb
 - lib/vtk/version.rb
+- scripts/shai-hulud-machine-check.sh
 - vtk.gemspec
 homepage: https://github.com/department-of-veterans-affairs/vtk
 licenses:
@@ -208,7 +112,7 @@ metadata:
   documentation_uri: https://github.com/department-of-veterans-affairs/vtk
   source_code_uri: https://github.com/department-of-veterans-affairs/vtk
   changelog_uri: https://github.com/department-of-veterans-affairs/vtk/blob/master/CHANGELOG.md
-post_install_message:
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -223,8 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.14
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: A CLI for the platform
 test_files: []