hulud-party-scanner 1.0.6 → 1.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +39 -5
- package/compromised-libs.txt +1090 -798
- package/env-patterns.txt +7 -0
- package/exfil-patterns.txt +4 -0
- package/malicious-commands.txt +6 -0
- package/malicious-filenames.txt +5 -0
- package/malicious-hashes.txt +10 -0
- package/package.json +5 -2
- package/scan.js +393 -169
package/README.md
CHANGED
|
@@ -1,14 +1,48 @@
|
|
|
1
1
|
# hulud-party-scanner
|
|
2
2
|
|
|
3
|
-
Project integrity scanner for known vulnerabilities and suspicious patterns related to the Shai-Hulud supply-chain attack.
|
|
3
|
+
> Project integrity scanner for known vulnerabilities and suspicious patterns related to the Shai-Hulud supply-chain attack.
|
|
4
4
|
|
|
5
|
-
This
|
|
5
|
+
This tool helps developers identify potential compromises by scanning for signatures associated with the Shai-Hulud supply-chain attack.
|
|
6
6
|
|
|
7
|
-
|
|
7
|
+
It is a **Node.js implementation** based on the original shell script from [sngular/shai-hulud-integrity-scanner](https://github.com/sngular/shai-hulud-integrity-scanner).
|
|
8
8
|
|
|
9
|
-
|
|
9
|
+
## 🚀 Features
|
|
10
10
|
|
|
11
|
-
|
|
11
|
+
- **Pattern Detection**: Scans for known malicious file patterns and content.
|
|
12
|
+
- **Cross-Platform**: Runs on Windows, macOS, and Linux via Node.js.
|
|
13
|
+
- **Zero Config**: Works out of the box with `npx`.
|
|
14
|
+
- **Live IOCs**: Fetches the latest indicators of compromise (hashes, filenames, patterns) at runtime.
|
|
15
|
+
|
|
16
|
+
## 🔍 What it Scans
|
|
17
|
+
|
|
18
|
+
Based on the analysis logic in `scan.js`, this tool performs the following checks:
|
|
19
|
+
|
|
20
|
+
### 1. Dependency Integrity
|
|
21
|
+
- **Lockfile Analysis**: Parses `package-lock.json`, `yarn.lock` (v1), and `pnpm-lock.yaml` to detect specific versions of libraries known to be compromised.
|
|
22
|
+
- **Deep Node Modules Scan**: Crawls `node_modules` to find installed packages that might not be in the lockfile and checks for suspicious directory names.
|
|
23
|
+
|
|
24
|
+
### 2. Static Code Analysis & Heuristics
|
|
25
|
+
- **Malicious Signatures**: Compares file hashes (SHA256) and filenames against a database of known threats.
|
|
26
|
+
- **Behavioral Patterns**: Scans source files (`.js`, `.ts`, `.json`, `.sh`, `.yml`) for suspicious code:
|
|
27
|
+
- **Credential Access**: Usage of `process.env` or patterns matching sensitive keys.
|
|
28
|
+
- **System Discovery**: Calls to `os.platform()`, `os.userInfo()`, or CI environment variables (`GITHUB_ACTIONS`, `CI`).
|
|
29
|
+
- **Execution**: Usage of `child_process`, `exec`, or `spawn`.
|
|
30
|
+
- **Workflow Tampering**: Suspicious `npm publish` or `git push` commands inside `.github/workflows`.
|
|
31
|
+
|
|
32
|
+
### 3. Lifecycle Hooks
|
|
33
|
+
- Inspects `package.json` scripts (`preinstall`, `postinstall`, etc.) for malicious commands or obfuscated scripts.
|
|
34
|
+
|
|
35
|
+
### 4. Environment Artifacts
|
|
36
|
+
- Scans the user's home directory for known malware artifacts (e.g., fake `trufflehog` binaries or caches).
|
|
37
|
+
|
|
38
|
+
### 5. Risk Assessment
|
|
39
|
+
- Maps findings to **MITRE ATT&CK** tactics and calculates a risk score (Low to Critical) based on the correlation of findings.
|
|
40
|
+
|
|
41
|
+
## 🛠 Usage
|
|
42
|
+
|
|
43
|
+
You can run the scanner against your current project directory or specify a path.
|
|
44
|
+
|
|
45
|
+
### Scan Current Directory
|
|
12
46
|
|
|
13
47
|
```bash
|
|
14
48
|
npx hulud-party-scanner
|