Shai Hulud Detector
A CLI tool to detect potential Shai Hulud npm-worm compromises in GitHub users and organizations.
What is Shai Hulud?
Shai Hulud is a self-replicating npm worm that spreads through compromised developer systems,
infecting GitHub repositories and injecting malicious code.
It has already been linked to multiple global supply-chain attacks targeting major npm libraries.
This tool scans for known indicators of compromise (IOCs), including:
- Suspicious repository descriptions containing "Sha1-Hulud: The Second Coming."
- Presence of suspicious JSON files containing secrets, credentials or environment configuration
Features
- Scan individual GitHub users
- Scan all members of a GitHub organization
- Dual detection methods: repository description patterns and suspicious file detection
- Concurrent scanning with configurable workers
- Color-coded output for easy identification (FLAG/OKAY/ERROR status)
- Detailed verbose mode
Requirements
- Python 3.11+
- uv package manager (https://docs.astral.sh/uv/)
- GitHub Personal Access Token (https://github.com/settings/tokens)
Installation
Clone the repository
git clone https://github.com/ysskrishna/shai-hulud-detector.git
cd shai-hulud-detector
Install dependencies
uv sync
Authentication Options
Environment variable (recommended):
export GITHUB_TOKEN=<GITHUB_TOKEN_HERE>
uv run python main.py scan <USERNAME_HERE>
Command-line flag:
uv run python main.py scan <USERNAME_HERE> --token <GITHUB_TOKEN_HERE>
If no token is provided, the tool exits with a clear warning.
Usage
Scan one or more users
uv run python main.py scan <USERNAME_HERE>
uv run python main.py scan <USERNAME_HERE1> <USERNAME_HERE2> <USERNAME_HERE3>
Scan all members of an organization
uv run python main.py scan --org <ORGANIZATION_NAME_HERE>
Help
uv run python main.py scan --help
Parallelism
Set concurrency (default 5):
uv run python main.py scan --org <ORGANIZATION_NAME_HERE> --workers 10
Verbose Output
uv run python main.py scan <USERNAME_HERE> --verbose
Recommended Actions
If you detect a compromise (FLAG status):
- Rotate all GitHub, npm, cloud, and CI/CD secrets
- Enforce MFA on GitHub & npm accounts
- Check GitHub for repositories with the description "Sha1-Hulud: The Second Coming."
- Review and remove any suspicious files found (e.g., secrets.json, credentials.json, etc.)
- Disable npm postinstall scripts in CI where possible
- Audit all npm dependencies and versions
References
For more detailed information about Shai Hulud attacks, see:
- HelixGuard: Malicious Sha1Hulud Analysis
- Aikido Security: Shai Hulud Strikes Again
- Wiz: Shai Hulud 2.0 Ongoing Supply Chain Attack
License
MIT License - see LICENSE file for details.
Author
Y. Siva Sai Krishna
- GitHub: @ysskrishna
- LinkedIn: ysskrishna
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
Issues
If you encounter any issues or have feature requests, please open an issue on GitHub.
File details
Details for the file shai_hulud_detector-1.0.0.tar.gz.
File metadata
- Download URL: shai_hulud_detector-1.0.0.tar.gz
- Upload date:
- Size: 32.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.9.12 {"installer":{"name":"uv","version":"0.9.12"},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f6a7b57619e9bca87d16d87f5af57e6e4075d7e16110416926fa261a3ce92827 |
| MD5 | bd0f9bf4a2170d70dc08269a831be81d |
| BLAKE2b-256 | bc5eb87325ac2345e7a8b5d2d805542e0aff867cd6f2dbf5ce5521db5bef9db3 |
File details
Details for the file shai_hulud_detector-1.0.0-py3-none-any.whl.
File metadata
- Download URL: shai_hulud_detector-1.0.0-py3-none-any.whl
- Upload date:
- Size: 8.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.9.12 {"installer":{"name":"uv","version":"0.9.12"},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9cb3711f54ba0c31929d445092ebe1d049c096d0b86a7aa4fb89c2bee5300016 |
| MD5 | 4a4a6265aa5cd872937910977ef44e2c |
| BLAKE2b-256 | 233f8ae583b9d6b36c957ccce020ff8a60ca38cf2a6adcea45c8430029093861 |