npm Security Tools

Detection and mitigation tools for npm supply chain attacks, specifically targeting the Shai-Hulud 2.0 worm (November 2025).

Background

Shai-Hulud 2.0 is a self-propagating npm worm that:

Compromised 492+ packages (132M monthly downloads)
Affected organizations including Zapier, ENS Domains, PostHog, Postman
Steals credentials via TruffleHog and exfiltrates to GitHub
Can infect up to 100 npm packages you maintain
Wipes home directory if it cannot authenticate

Tools Included

Script	Purpose
`detect-shai-hulud.sh`	Scan systems for Shai-Hulud 2.0 IOCs
`npm-hardening.sh`	Apply security hardening to npm config
`monitor-npm-network.sh`	Monitor network activity during npm operations
`ci-security-check.sh`	CI/CD pipeline security checks

Quick Start

# Clone the repository
git clone https://gitlab.com/DrFrankieD2023/npm-security-tools.git
cd npm-security-tools

# Make all scripts executable
chmod +x *.sh

# Scan system for malware
./detect-shai-hulud.sh

# Scan specific directory
./detect-shai-hulud.sh --scan-path /path/to/projects

# Apply npm hardening (dry run)
./npm-hardening.sh

# Apply npm hardening (for real)
./npm-hardening.sh --apply

# Monitor npm install network activity
./monitor-npm-network.sh npm install

# Run CI/CD security check
./ci-security-check.sh /path/to/project

Requirements

Bash 4.0+
Standard Unix utilities (find, grep, ss)
npm (for hardening and audit features)
Optional: GitHub CLI (
```
gh
```
) for repo scanning
Optional:
```
jq
```
for JSON parsing in CI checks

detect-shai-hulud.sh

Scans for Shai-Hulud 2.0 indicators of compromise:

Malicious files:
```
setup_bun.js
```
,
```
bun_environment.js
```
Known malware hashes: SHA256 verification against known variants
Malware directories:
```
~/.dev-env/
```
(self-hosted runner installation)
Suspicious cache entries: References to Shai-Hulud, TruffleHog patterns
Compromised preinstall scripts: In
```
node_modules/*/package.json
```
GitHub compromise markers: Repos with "Second Coming" description
Credential exfiltration artifacts:
```
contents.json
```
,
```
environment.json
```
,
```
cloud.json
```

Scan Modes

# Full scan (recommended) - thorough, may take 10-15 minutes
./detect-shai-hulud.sh

# Quick scan - skips ~/.cache, faster but less thorough
./detect-shai-hulud.sh --quick

# Scan specific directory
./detect-shai-hulud.sh --scan-path /path/to/projects

Note: The full scan includes

~/.cache

which can be large. This is intentional - security scanning should be thorough. The

--quick

flag is available for repeated checks but a full scan is recommended at least once.

Exit Codes

Code	Meaning
0	Clean - no malware detected
1	Warnings found - manual investigation recommended
2	Critical IOCs found - immediate action required

npm-hardening.sh

Applies security best practices to npm configuration:

```
ignore-scripts=true
```
- Disable automatic lifecycle script execution
```
strict-ssl=true
```
- Enforce SSL certificate validation
```
audit-level=moderate
```
- Set minimum audit severity level
```
package-lock=true
```
- Ensure lockfile is always generated

monitor-npm-network.sh

Real-time network monitoring during npm operations:

# Monitor a specific command
./monitor-npm-network.sh npm install

# Continuous monitoring for 60 seconds
./monitor-npm-network.sh --watch

# Monitor for 5 minutes
./monitor-npm-network.sh --watch 300

Flags suspicious connections to:

```
raw.githubusercontent.com
```
(payload delivery)
```
pastebin.com
```
,
```
hastebin.com
```
(data exfil)
```
ngrok.io
```
,
```
webhook.site
```
(C2 channels)

ci-security-check.sh

CI/CD pipeline integration for pre-deployment security checks:

# GitLab CI example
security-check:
  stage: test
  script:
    - ./ci-security-check.sh .
  allow_failure: false

Checks include:

Lockfile presence and integrity
Suspicious lifecycle scripts
Shai-Hulud specific IOCs
npm audit vulnerabilities
Typosquatting detection
Git-based dependency warnings
Package size anomalies

If Compromised

Disconnect from network immediately
Revoke npm tokens:
```
npm token list
```
then
```
npm token revoke <id>
```
Revoke GitHub PATs: https://github.com/settings/tokens
Rotate SSH keys
Check for unauthorized publishes:
```
npm access ls-packages
```
Rotate cloud provider credentials

Contributing

Contributions are welcome! Please read our Contributing Guidelines and Code of Conduct before submitting a pull request.

Ways to Contribute

Report bugs or suggest features via issues
Add detection for new malware variants
Improve documentation
Add support for additional package managers (yarn, pnpm)
Write tests

Security

For security concerns, please see our Security Policy. Do not open public issues for security vulnerabilities.

References

License

This project is licensed under the MIT License - see the LICENSE file for details.

npm Security Tools

Detection and mitigation tools for npm supply chain attacks, specifically targeting the Shai-Hulud 2.0 worm (November 2025).

Background

Shai-Hulud 2.0 is a self-propagating npm worm that:

Compromised 492+ packages (132M monthly downloads)
Affected organizations including Zapier, ENS Domains, PostHog, Postman
Steals credentials via TruffleHog and exfiltrates to GitHub
Can infect up to 100 npm packages you maintain
Wipes home directory if it cannot authenticate

Tools Included

Script	Purpose
`detect-shai-hulud.sh`	Scan systems for Shai-Hulud 2.0 IOCs
`npm-hardening.sh`	Apply security hardening to npm config
`monitor-npm-network.sh`	Monitor network activity during npm operations
`ci-security-check.sh`	CI/CD pipeline security checks

Quick Start

# Clone the repository
git clone https://gitlab.com/DrFrankieD2023/npm-security-tools.git
cd npm-security-tools

# Make all scripts executable
chmod +x *.sh

# Scan system for malware
./detect-shai-hulud.sh

# Scan specific directory
./detect-shai-hulud.sh --scan-path /path/to/projects

# Apply npm hardening (dry run)
./npm-hardening.sh

# Apply npm hardening (for real)
./npm-hardening.sh --apply

# Monitor npm install network activity
./monitor-npm-network.sh npm install

# Run CI/CD security check
./ci-security-check.sh /path/to/project

Requirements

Bash 4.0+
Standard Unix utilities (find, grep, ss)
npm (for hardening and audit features)
Optional: GitHub CLI (
```
gh
```
) for repo scanning
Optional:
```
jq
```
for JSON parsing in CI checks

detect-shai-hulud.sh

Scans for Shai-Hulud 2.0 indicators of compromise:

Malicious files:
```
setup_bun.js
```
,
```
bun_environment.js
```
Known malware hashes: SHA256 verification against known variants
Malware directories:
```
~/.dev-env/
```
(self-hosted runner installation)
Suspicious cache entries: References to Shai-Hulud, TruffleHog patterns
Compromised preinstall scripts: In
```
node_modules/*/package.json
```
GitHub compromise markers: Repos with "Second Coming" description
Credential exfiltration artifacts:
```
contents.json
```
,
```
environment.json
```
,
```
cloud.json
```

Scan Modes

# Full scan (recommended) - thorough, may take 10-15 minutes
./detect-shai-hulud.sh

# Quick scan - skips ~/.cache, faster but less thorough
./detect-shai-hulud.sh --quick

# Scan specific directory
./detect-shai-hulud.sh --scan-path /path/to/projects

Note: The full scan includes

~/.cache

which can be large. This is intentional - security scanning should be thorough. The

--quick

flag is available for repeated checks but a full scan is recommended at least once.

Exit Codes

Code	Meaning
0	Clean - no malware detected
1	Warnings found - manual investigation recommended
2	Critical IOCs found - immediate action required

npm-hardening.sh

Applies security best practices to npm configuration:

```
ignore-scripts=true
```
- Disable automatic lifecycle script execution
```
strict-ssl=true
```
- Enforce SSL certificate validation
```
audit-level=moderate
```
- Set minimum audit severity level
```
package-lock=true
```
- Ensure lockfile is always generated

monitor-npm-network.sh

Real-time network monitoring during npm operations:

# Monitor a specific command
./monitor-npm-network.sh npm install

# Continuous monitoring for 60 seconds
./monitor-npm-network.sh --watch

# Monitor for 5 minutes
./monitor-npm-network.sh --watch 300

Flags suspicious connections to:

```
raw.githubusercontent.com
```
(payload delivery)
```
pastebin.com
```
,
```
hastebin.com
```
(data exfil)
```
ngrok.io
```
,
```
webhook.site
```
(C2 channels)

ci-security-check.sh

CI/CD pipeline integration for pre-deployment security checks:

# GitLab CI example
security-check:
  stage: test
  script:
    - ./ci-security-check.sh .
  allow_failure: false

Checks include:

Lockfile presence and integrity
Suspicious lifecycle scripts
Shai-Hulud specific IOCs
npm audit vulnerabilities
Typosquatting detection
Git-based dependency warnings
Package size anomalies

If Compromised

Disconnect from network immediately
Revoke npm tokens:
```
npm token list
```
then
```
npm token revoke <id>
```
Revoke GitHub PATs: https://github.com/settings/tokens
Rotate SSH keys
Check for unauthorized publishes:
```
npm access ls-packages
```
Rotate cloud provider credentials

Contributing

Contributions are welcome! Please read our Contributing Guidelines and Code of Conduct before submitting a pull request.

Ways to Contribute

Report bugs or suggest features via issues
Add detection for new malware variants
Improve documentation
Add support for additional package managers (yarn, pnpm)
Write tests

Security

For security concerns, please see our Security Policy. Do not open public issues for security vulnerabilities.

References

License

This project is licensed under the MIT License - see the LICENSE file for details.

npm Security Tools

npm Security Tools

Background

Tools Included

Quick Start

Requirements

detect-shai-hulud.sh

Scan Modes

Exit Codes

npm-hardening.sh

monitor-npm-network.sh

ci-security-check.sh

If Compromised

Contributing

Ways to Contribute

Security

References

License

Related Skills

<h1 align="center">

2. Apply Deepthink Protocol (reason about dependencies

- Identify gaps

npm Security Tools

Background

Tools Included

Quick Start

Requirements

detect-shai-hulud.sh

Scan Modes

Exit Codes

npm-hardening.sh

monitor-npm-network.sh

ci-security-check.sh

If Compromised

Contributing

Ways to Contribute

Security

References

License