A CLI tool to detect potential Shai Hulud npm-worm compromises in GitHub users and organizations.
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
Shai Hulud Detector
A CLI tool to detect potential Shai Hulud npm-worm compromises in GitHub users and organizations.
What is Shai Hulud?
Shai Hulud is a self-replicating npm worm that spreads through compromised developer systems,
infecting GitHub repositories and injecting malicious code.
It has already been linked to multiple global supply-chain attacks targeting major npm libraries.
This tool scans for known indicators of compromise (IOCs), including:
- Suspicious repository descriptions containing
"Sha1-Hulud: The Second Coming." - Presence of suspicious JSON files containing secrets, credentials or environment configuration
Features
- Scan individual GitHub users
- Scan all members of a GitHub organization
- Dual detection methods: repository description patterns and suspicious file detection
- Concurrent scanning with configurable workers
- Color-coded output for easy identification (FLAG/OKAY/ERROR status)
- Detailed verbose mode
Requirements
- Python 3.11+
- GitHub Personal Access Token (https://github.com/settings/tokens)
Installation
Install directly from PyPI:
pip install shai-hulud-detector
Authentication
Set your GitHub token as an environment variable (recommended):
export GITHUB_TOKEN=<GITHUB_TOKEN_HERE>
Or pass it via command-line flag (see Usage section below). If omitted, the tool exits with a clear warning.
Usage
Scan one or more users
shai-hulud-detector scan <USERNAME_HERE>
shai-hulud-detector scan <USERNAME_HERE1> <USERNAME_HERE2> <USERNAME_HERE3>
Scan all members of an organization
shai-hulud-detector scan --org <ORGANIZATION_NAME_HERE>
Authentication via command-line
shai-hulud-detector scan <USERNAME_HERE> --token <GITHUB_TOKEN_HERE>
Help
shai-hulud-detector scan --help
Parallelism
Set concurrency (default 5):
shai-hulud-detector scan --org <ORGANIZATION_NAME_HERE> --workers 10
Verbose Output
shai-hulud-detector scan <USERNAME_HERE> --verbose
Recommended Actions
If you detect a compromise (FLAG status):
- Rotate all GitHub, npm, cloud, and CI/CD secrets
- Enforce MFA on GitHub & npm accounts
- Check GitHub for repositories with the description "Sha1-Hulud: The Second Coming."
- Review and remove any suspicious files found (e.g.,
secrets.json,credentials.json, etc.) - Disable npm
postinstallscripts in CI where possible - Audit all npm dependencies and versions
References
For more detailed information about Shai Hulud attacks, see:
- HelixGuard: Malicious Sha1Hulud Analysis
- Aikido Security: Shai Hulud Strikes Again
- Wiz: Shai Hulud 2.0 Ongoing Supply Chain Attack
License
MIT License - see LICENSE file for details.
Author
Y. Siva Sai Krishna
- GitHub: @ysskrishna
- LinkedIn: ysskrishna
Development
For development setup, building, and contributing, see DEVELOPMENT.md.
Changelog
See CHANGELOG.md for a detailed list of changes and version history.
Releases
For information on the release process and how to create new releases, see RELEASE.md.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
Issues
If you encounter any issues or have feature requests, please open an issue on GitHub.
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file shai_hulud_detector-1.0.4.tar.gz.
File metadata
- Download URL: shai_hulud_detector-1.0.4.tar.gz
- Upload date:
- Size: 278.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.9.17 {"installer":{"name":"uv","version":"0.9.17","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6b3b1d250aa20ea9f57de7d96c6b92f3522aadc99b5dbd8f98a8a423c2f971e2
|
|
| MD5 |
7695d52671181584d55b7756e22298a8
|
|
| BLAKE2b-256 |
a7efc2702a96b3d95eb8d135513d75642521ee1554a06c4bb2b633edbfcd7550
|
File details
Details for the file shai_hulud_detector-1.0.4-py3-none-any.whl.
File metadata
- Download URL: shai_hulud_detector-1.0.4-py3-none-any.whl
- Upload date:
- Size: 8.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.9.17 {"installer":{"name":"uv","version":"0.9.17","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a4df5033527d089c385964f520c9f7dce848bb279b5eab05c9425cbb4bf01cff
|
|
| MD5 |
b920d844bc72b615164345de409de600
|
|
| BLAKE2b-256 |
b88bea8b289ea5bb5e98bea650f07686ecbf169570d6214e7ddf9f97513911ac
|
