Discussion
nullagent
@nullagent@partyon.xyz · 2 days ago

At the end of scanning for obvious compromise the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.

You can find that info under `reports/`

I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json mentions a known infected package.

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

nullagent
@nullagent@partyon.xyz replied · 2 days ago

Woot, ok, now that I have the dependency graph crawled, I can just ship the listing of known bad NPM packages and compare directly against that.

I updated the scanning script to alert if you have -any- version of an infected package.

You're gonna want to be very careful if you're not infected but have one of these dependencies present.

https://github.com/datapartyjs/walk-without-rhythm/blob/main/data/infected-pkgs-versions.txt

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

nullagent
@nullagent@partyon.xyz · 2 days ago

First pass is super simple and just looks for the file names & package.json signature for signs of infection anywhere in the path you tell it to search.

If it sees anything fishy it tells you where and stops until you've read the alert.

Oh and this only uses bash, sed, awk, grep, curl, and jq. So no npm, node or other big supply chains 🥴

https://github.com/datapartyjs/walk-without-rhythm/blob/main/check-projects

#ShalHulud #WalkWithoutRhythm #nodejs #npm #github #javascript

nullagent
@nullagent@partyon.xyz · 2 days ago

I've spent the last few hours writing down my scripts for detecting this so you can use them!

I'm hitting on two or three ways to detect it and will be adding more.

Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned 😭

Maybe let the node developers in your life know about this tool 👇🏿

https://github.com/datapartyjs/walk-without-rhythm

#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity

nullagent
@nullagent@partyon.xyz · 3 days ago

Ok, I've downloaded some of the compromised packages, and you can search your already downloaded node modules for possibly infected packages using this command:

`find ./node_modules -type f -name "bun_environment.js"`

You can check your user level node cache using:

`find ~/.npm -type f -name "bun_environment.js"`

Still sizing this one up, but if you get any hits, check and see if they are big files (around 10MB); if so, you're likely infected.

#nodejs #npm #cybersecurity

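As an added example (not the walk-without-rhythm `check-projects` script and not code from any post in this thread), the bash sketch below combines the two checks the thread describes: the `find` for an oversized `bun_environment.js` from this post, and the comparison of `package-lock.json` entries against a list of known-bad packages from the other posts, both as exact `name@version` matches and as the stricter name-at-any-version rule. Everything in it is constructed: the package names and versions, the 1 MiB stand-in for the roughly 10 MB artifact, and the one-`name@version`-per-line list format, which is an assumption because the thread does not show the layout of the real `data/infected-pkgs-versions.txt`. Like the author's tool it needs no node or npm, only bash, find, awk, grep, wc, dd and mktemp.

```shell
#!/usr/bin/env bash
# Added example, not code from walk-without-rhythm: a small scan in the spirit
# of check-projects, using only bash, find, awk, grep, wc, dd and mktemp.
# Assumptions (not taken from the thread): the bad-package list holds one
# "name@version" per line, and lock files are npm lockfileVersion 2/3 written
# with one key per line, as npm itself emits them.
set -u

# find_bun_artifacts ROOT MIN_BYTES
# Prints "path<TAB>bytes" for every bun_environment.js under ROOT that is at
# least MIN_BYTES; the thread's indicator is that file at roughly 10 MB.
find_bun_artifacts() {
  local root="$1" min="$2" f size
  find "$root" -type f -name 'bun_environment.js' 2>/dev/null | while IFS= read -r f; do
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ge "$min" ]; then printf '%s\t%s\n' "$f" "$size"; fi
  done
}

# lock_deps LOCKFILE
# Prints one "name@version" per installed package in a package-lock.json,
# awk only. Nested installs (node_modules/a/node_modules/b) report "b".
lock_deps() {
  awk '
    /"node_modules\/[^"]+": [{]/ {
      match($0, /"node_modules\/[^"]+"/)
      name = substr($0, RSTART + 14, RLENGTH - 15)  # strip quotes and node_modules/
      sub(/.*node_modules\//, "", name)              # innermost package name
      pending = 1
      next
    }
    pending && /"version": "/ {
      match($0, /"version": "[^"]+"/)
      print name "@" substr($0, RSTART + 12, RLENGTH - 13)
      pending = 0
    }
  ' "$1" | sort -u
}

# infected_deps LOCKFILE BADLIST
# Exact name@version matches between the lock file and the list.
infected_deps() {
  lock_deps "$1" | grep -Fxf "$2" || true
}

# infected_any_version LOCKFILE BADLIST
# Name-only matches: any version of a listed package, the stricter rule the
# thread says check-projects is moving to.
infected_any_version() {
  lock_deps "$1" | awk -v bad="$2" '
    BEGIN { while ((getline l < bad) > 0) if (l != "") { sub(/@[^@]*$/, "", l); names[l] = 1 } }
    { n = $0; sub(/@[^@]*$/, "", n); if (n in names) print }
  '
}

# scan_workspace ROOT BADLIST [MIN_BYTES]
# Runs both checks over a project tree. Returns 0 when clean and 1 when
# anything was flagged, so it can gate a CI step. Lock-file paths containing
# whitespace are not handled by the simple for loop.
scan_workspace() {
  local root="$1" bad="$2" min="${3:-10000000}" status=0 found lock hits
  found=$(find_bun_artifacts "$root" "$min")
  if [ -n "$found" ]; then
    printf 'ALERT: bun_environment.js of at least %s bytes found:\n%s\n' "$min" "$found"
    status=1
  fi
  for lock in $(find "$root" -type f -name package-lock.json ! -path '*/node_modules/*'); do
    hits=$(infected_any_version "$lock" "$bad")
    if [ -n "$hits" ]; then
      printf 'ALERT: %s references listed packages:\n%s\n' "$lock" "$hits"
      status=1
    fi
  done
  return "$status"
}

# build_fixture
# Creates a constructed workspace in a temp dir and prints its path. Package
# names, versions and the 1 MiB stand-in for the ~10 MB artifact are made up.
build_fixture() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/node_modules/evil-example-pkg"
  dd if=/dev/zero of="$d/node_modules/evil-example-pkg/bun_environment.js" bs=1024 count=1024 2>/dev/null
  cat > "$d/package-lock.json" <<'EOF'
{
  "name": "constructed-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "constructed-app", "version": "0.0.1" },
    "node_modules/evil-example-pkg": {
      "version": "9.9.9"
    },
    "node_modules/harmless-example-pkg": {
      "version": "1.0.0"
    },
    "node_modules/harmless-example-pkg/node_modules/evil-example-pkg": {
      "version": "9.9.8"
    }
  }
}
EOF
  printf 'evil-example-pkg@9.9.9\n@example/another-bad-pkg@2.0.0\n' > "$d/infected-pkgs-versions.txt"
  printf '%s\n' "$d"
}

# Usage: bash scan.sh <project-root> <badlist> [min-bytes]
if [ "$#" -ge 2 ]; then
  scan_workspace "$1" "$2" "${3:-}"
fi
```

Run it as `bash scan.sh ./myproject path/to/badlist` to get a non-zero exit on any finding; `build_fixture` exists only so the checks can be exercised offline on the constructed tree, where the nested `evil-example-pkg@9.9.8` is caught by the name-only rule but not by the exact-version rule. The name-only rule deliberately over-reports, which matches the post's advice to be very careful when a listed package is present at any version.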
bonfire.cafe

A space for Bonfire maintainers and contributors to communicate