A comprehensive bash scanner to detect compromised npm packages from the SHA1-HULUD pt 2 supply chain attack.
SHA1-HULUD pt 2 is a supply chain attack targeting 288+ npm packages including:
- PostHog packages (`@posthog/*`, `posthog-node`, etc.)
- Zapier packages (`@zapier/*`)
- AsyncAPI packages (`@asyncapi/*`)
- Postman packages (`@postman/*`)
- ENS Domains packages (`@ensdomains/*`, `ethereum-ens`)
- MCP packages (`mcp-use`, `@mcp-use/*`)
- And many more...
More information: HelixGuard Blog Post
- Scans 288+ compromised packages from SHA1-HULUD pt 2
- Multi-package manager support: npm, yarn, bun, pnpm
- 4-stage scanning:
  - Direct dependencies (`package.json`)
  - Transitive dependencies (`node_modules`)
  - Lockfiles (all package managers)
  - SHA1 markers detection
- False positive filtering for legitimate packages like `@aws-crypto/sha1-browser`
- Shows specific package names when SHA1 markers detected
- Clear color-coded output with actionable remediation steps
```bash
git clone https://github.com/standujar/sha1-hulud-scanner.git
cd sha1-hulud-scanner
chmod +x sha1-hulud-scanner.sh
```

Usage:

```bash
./sha1-hulud-scanner.sh <project_directory>

# Scan a local project
./sha1-hulud-scanner.sh /path/to/your/project

# Scan relative path
./sha1-hulud-scanner.sh ~/Projects/my-app

# Scan current directory
./sha1-hulud-scanner.sh .
```

Example output:

```
SHA1-HULUD Scanner v2.1
=============================================
Project: /path/to/project
288 packages to scan
5 known false positives to exclude

[1/4] Scanning direct dependencies (package.json)...
  No compromised packages in direct dependencies
[2/4] Scanning node_modules (transitive)...
  No compromised packages installed
[3/4] Scanning lockfiles...
  No compromised packages in lockfiles
[4/4] Scanning for SHA1-HULUD markers...
  Checking packages with 'sha1' in name (bun.lock):
    @aws-crypto/sha1-browser (legitimate package - skipped)
  No suspicious SHA1 markers (1 legitimate package excluded)
=============================================
NO COMPROMISE DETECTED
Your project is clean - no SHA1-HULUD packages found.

Statistics:
  • 288 packages scanned
  • 0 compromised packages
```
The four stages:
1. Direct dependencies: scans `package.json` for any compromised packages in `dependencies` and `devDependencies`.
2. Transitive dependencies: checks whether compromised packages are actually installed in `node_modules/` (including transitive dependencies).
3. Lockfiles: scans the lockfiles of all package managers: `package-lock.json` (npm), `yarn.lock` (yarn), `bun.lock` (bun - binary format), `pnpm-lock.yaml` (pnpm).
4. SHA1 markers: detects packages with "sha1" in their name, which is a signature of the attack, and filters out known false positives like the AWS crypto packages.
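As an added illustration (not the project's own script), the following self-contained bash re-creation of stages 1, 3 and 4 runs over a constructed fixture: the package names, list file and lockfile are made up for the demo, and the `sha1` name regex and the one-name-per-line allowlist format are assumptions about the scanner's logic, not copied from it.

```bash
# Added example: minimal re-creation of stages 1 (package.json), 3 (package-lock.json)
# and 4 ("sha1" name marker with allowlist). Every name/file here is a CONSTRUCTED fixture.
set -eu
# find_compromised <list-file> <project-dir>
# Prints "<stage>:<name>" for each listed package found as a direct dependency in
# package.json or as a "node_modules/<name>" entry in package-lock.json.
find_compromised() {
  list="$1"; dir="$2"
  grep -v '^[[:space:]]*#' "$list" | grep -v '^[[:space:]]*$' | while IFS= read -r name; do
    # Stage 1: dependency maps key on the exact package name followed by a colon
    if grep -Fq "\"$name\":" "$dir/package.json" 2>/dev/null; then
      echo "package.json:$name"
    fi
    # Stage 3: lockfile v2/v3 "packages" entries are keyed by install path
    if grep -Fq "\"node_modules/$name\"" "$dir/package-lock.json" 2>/dev/null; then
      echo "lockfile:$name"
    fi
  done
}
# sha1_markers <project-dir> <allowlist-file>
# Stage 4: any (scoped or unscoped) package name containing "sha1", minus names
# listed verbatim in the allowlist of known-legitimate crypto packages.
sha1_markers() {
  dir="$1"; allow="$2"
  cat "$dir/package.json" "$dir/package-lock.json" 2>/dev/null \
    | grep -oE '"(node_modules/)?(@[a-z0-9._-]+/)?[a-z0-9._-]*sha1[a-z0-9._-]*"' \
    | sed -E 's|^"(node_modules/)?||; s|"$||' | sort -u \
    | grep -vxF -f "$allow" || true
}
# setup_fixture: writes a constructed project plus list/allowlist into a temp dir
setup_fixture() {
  d="$(mktemp -d)"
  printf '%s\n' '# one package per line, comments supported' \
    '@example-scope/evil-sdk' 'evil-node' > "$d/compromised.txt"
  printf '%s\n' '@aws-crypto/sha1-browser' 'sha1' 'sha.js' > "$d/allowlist.txt"
  cat > "$d/package.json" <<'EOF'
{ "dependencies": { "evil-node": "^2.0.0", "@aws-crypto/sha1-browser": "^5.2.0" },
  "devDependencies": { "not-a-real-sha1-pkg": "1.0.0" } }
EOF
  cat > "$d/package-lock.json" <<'EOF'
{ "packages": { "node_modules/@example-scope/evil-sdk": { "version": "1.2.3" },
                "node_modules/@aws-crypto/sha1-browser": { "version": "5.2.0" } } }
EOF
  echo "$d"
}
FIXTURE="$(setup_fixture)"
echo "== compromised packages =="; find_compromised "$FIXTURE/compromised.txt" "$FIXTURE"
echo "== sha1 markers (allowlist applied) =="; sha1_markers "$FIXTURE" "$FIXTURE/allowlist.txt"
```

The allowlisted `@aws-crypto/sha1-browser` is dropped from the marker report while the constructed `not-a-real-sha1-pkg` is kept, which is the false-positive behaviour the page describes.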
The scanner will show detailed remediation steps:
- STOP all builds/CI immediately
- Isolate CI runners (if self-hosted)
- Rotate ALL sensitive keys:
  - GitHub tokens (PAT, fine-grained, App)
  - AWS credentials (if non-OIDC)
  - NPM tokens
  - API keys (PostHog, Stripe, etc.)
- Delete `node_modules` and lockfiles
- Update dependencies to clean versions
- Audit CI logs from last 48 hours
Requirements:
- Bash 4.0+
- `grep`, `strings`, `sed` (standard Unix tools)
- Package manager lockfiles present in project
The scanner automatically excludes these legitimate packages:
- `@aws-crypto/sha1-browser` - AWS SDK for S3 checksums
- `@aws-crypto/sha256-browser` - AWS crypto utilities
- `@aws-crypto/sha256-js` - AWS crypto utilities
- `sha1` - Legitimate crypto library
- `sha.js` - Legitimate crypto library
The scanner checks against 288 compromised packages defined in `sha1-hulud-packages.txt`.
To update the list:

```bash
# Edit sha1-hulud-packages.txt
# One package per line, comments supported with #
```

Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Submit a pull request
MIT License - Feel free to use this scanner to protect your projects.
```bash
# Clone and run
git clone https://github.com/standujar/sha1-hulud-scanner.git
cd sha1-hulud-scanner
chmod +x sha1-hulud-scanner.sh
./sha1-hulud-scanner.sh /path/to/your/project
```

Stay safe! Scan your projects regularly.