Node.js script to scan for compromised npm dependencies (Shai Hulud and others)

scan-npm-dependencies.md

Update #2 September 23, 2025: Updated the csv files based on snyk.io sources as of today:

• The shai hulud csv is updated with new dependencies and no longer includes the qix attack dependencies.
• The qix csv is updated with new dependencies found.

Update September 23, 2025: Updated the script to fix a critical bug where it did not detect scoped packages (such as @art-ws/di-node) in project lockfiles.

---

Scan for compromised npm dependencies

This minimal Node.js script scan-npm-deps.js scans your local computer for compromised packages.

It scans all project files (npm and yarn) in all subdirectories, global npm caches and global paths in all nvm versions. It also inspects Dockerfiles, CI configs, and vendored folders for embedded vulnerabilities.

Usage

Download the files, then run this in your $HOME folder or root folder underneath you have all your javascript projects:

node scan-npm-deps.js unsafe-npm-packages-shai-hulud-snyk-2025-09-23.csv

Attached are dependency lists to use it with:

CSV	Description
unsafe-npm-packages-shai-hulud-snyk-2025-09-23.csv	Shai Hulud Supply Chain Attack originating September 15, 2025 Critical exploit that attempts to steal secrets (developer environment secrets and tokens, CI/CD and cloud secrets and possibly more)
unsafe-npm-packages-qix-debug-chalk-2025-09-10.csv	qix debug chalk Supply Chain Attack originating September 8, 2025 This exploit targets crypto wallet transactions happening on the local machine.

Example Output:

🔍 Scanning for compromised NPM packages

📋 Reading package list...
   512 packages

🔒 Scanning project lockfiles and package.json...
   2 lockfiles

🐳 Scanning Dockerfiles...
   1 Dockerfiles

⚙️  Scanning CI/CD config files...
   1 CI config files

📁 Scanning vendored folders...

📦 Scanning global npm caches...
   1855 files to check in /Users/alex/.npm/_cacache
   ...checked 497/1855 files in /Users/alex/.npm/_cacache
   ...checked 688/1855 files in /Users/alex/.npm/_cacache
   ...checked 811/1855 files in /Users/alex/.npm/_cacache

📦 Scanning Yarn global cache...

📦 Scanning pnpm global store...

🧠 Scanning NVM-managed Node versions...
   2 node versions
   4673 files to check in /Users/alex/.nvm/versions/node/v22.19.0
   ...checked 4/4673 files in /Users/alex/.nvm/versions/node/v22.19.0
   5034 files to check in /Users/alex/.nvm/versions/node/v24.8.0
   ...checked 4/5034 files in /Users/alex/.nvm/versions/node/v24.8.0
   ...checked 4270/5034 files in /Users/alex/.nvm/versions/node/v24.8.0

✅ No compromised packages found.

If compromised packages are found (made up example):

...

❌ Compromised packages found:

📁 project1
     Resolved @art-ws/http-server@2.0.21 in project1/package-lock.json

📁 project2
     Resolved wrap-ansi@9.0.1 in project2/package-lock.json

Notes

These dependency lists might change over time, I will not necessarily be updating them. You can easily update them yourself when new information is revealed.

This is a rewrite of https://gist.github.com/joeskeen/202fe9f6d7a2f624097962507c5ab681 in Node.js, with significantly improved performance and a customizable dependency list passed as file argument.

scan-npm-deps.js

#!/usr/bin/env node

// Node.js rewrite of check-npm-cache.sh
// Original script source: https://gist.github.com/joeskeen/202fe9f6d7a2f624097962507c5ab681

const fs = require('fs');
const path = require('path');
const { execSync } = require('child_process');
const os = require('os');

// if no arguments, print usage
if (process.argv.length === 2) {
  console.error('Usage: node scan-npm-deps.js <packages-csv>');
  console.error();
  console.error('  This script scans all subdirectories and global npm caches');
  console.error('  for compromised NPM packages');
  console.error();
  console.error('  The file <packages-csv> must have the following format:');
  console.error('    <package>,<version>');
  console.error('    <package>,<version>');
  console.error('    ...');
  console.error();
  console.error('  Each line contains a single package and version');
  console.error();
  console.error('  Example:');
  console.error('    eslint-config-crowdstrike-node,4.0.3');
  console.error('    @art-ws/common,2.0.22');
  console.error('    @art-ws/common,2.0.28');
  process.exit(1);
}

const findings = [];

function printFindings() {
  // Summary
  console.log('');

  if (findings.length === 0) {
    console.log('✅ No compromised packages found.');
  } else {
    console.log('❌ Compromised packages found:');
    console.log('');

    const grouped = {};
    const remediation = {};

    // Group findings by remediation directory
    for (const line of findings) {
      const match = line.match(/in (.+)$/);
      if (!match) continue;

      let filePath = match[1];
      let dir = path.dirname(filePath);

      // Trim path before node_modules if present
      if (dir.includes('/node_modules/')) {
        dir = dir.substring(0, dir.indexOf('/node_modules'));
      } else if (dir.endsWith('/node_modules')) {
        dir = dir.substring(0, dir.length - '/node_modules'.length);
      }

      // Walk up to find the remediation root
      let currentDir = dir;
      while (currentDir !== '/' && currentDir !== '.') {
        if (fileExists(path.join(currentDir, 'package-lock.json'))) {
          remediation[currentDir] = 'npm';
          break;
        } else if (fileExists(path.join(currentDir, 'yarn.lock'))) {
          remediation[currentDir] = 'yarn';
          break;
        } else if (fileExists(path.join(currentDir, 'pnpm-lock.yaml'))) {
          remediation[currentDir] = 'pnpm';
          break;
        }
        currentDir = path.dirname(currentDir);
      }

      if (!grouped[dir]) {
        grouped[dir] = [];
      }
      grouped[dir].push(line);
    }

    // Print grouped findings
    for (const [dir, lines] of Object.entries(grouped)) {
      console.log(`📁 ${dir}`);
      for (const line of lines) {
        console.log(`     ${line}`);
      }
      console.log('');
    }

    // console.log('🛠️ Suggested Remediation Commands:');
    // console.log();
    // for (const [dir, tool] of Object.entries(remediation)) {
    //   console.log(`💡 cd "${dir}" && rm -rf node_modules ${tool}-lock.yaml yarn.lock package-lock.json && ${tool} install`);
    // }
  }
}

console.log('🔍 Scanning for compromised NPM packages');
console.log();
console.log('📋 Reading package list...');

const compromisedPackages = fs.readFileSync(process.argv[2], 'utf8');
// Parse compromised packages into array
const compromised = [];
compromisedPackages.split('\n').forEach(line => {
  line = line.trim();
  if (line && !line.startsWith('#')) {
    compromised.push(line);
  }
});
console.log(`   ${compromised.length} packages`);
console.log();

// Utility functions
function fileExists(filePath) {
  try {
    return fs.existsSync(filePath);
  } catch (error) {
    return false;
  }
}

function readFileSync(filePath) {
  try {
    return fs.readFileSync(filePath, 'utf8');
  } catch (error) {
    return '';
  }
}

function findFiles(dir, patterns, maxDepth = Infinity, matchDirectories = false) {
  const results = [];

  function traverse(currentDir, depth) {
    if (depth > maxDepth) return;

    try {
      const entries = fs.readdirSync(currentDir, { withFileTypes: true });

      for (const entry of entries) {
        const fullPath = path.join(currentDir, entry.name);

        if (entry.isDirectory()) {
          if (matchDirectories) {
            results.push(fullPath);
          }
          traverse(fullPath, depth + 1);
        } else if (entry.isFile()) {
          for (const pattern of patterns) {
            if (entry.name.match(pattern)) {
              results.push(fullPath);
              break;
            }
          }
        }
      }
    } catch (error) {
      // Skip directories we can't read
    }
  }

  if (fileExists(dir)) {
    traverse(dir, 0);
  }

  return results;
}

function scanFile(filePath) {
  const content = readFileSync(filePath);
  if (!content) return;

  for (const item of compromised) {
    const [pkg, version] = item.split(',');
    if (content.includes(pkg) && content.includes(version)) {
      findings.push(`Found ${pkg}@${version} in ${filePath}`);
    }
  }
}

function scanLockfileResolved(filePath) {
  const content = readFileSync(filePath);
  if (!content) return;

  for (const item of compromised) {
    const [pkg, version] = item.split(',');
    // Match resolved tarball URLs for compromised versions
    // get package local name, i.e. after the last /
    const localName = pkg.split('/').pop();
    const pattern = `${pkg}/-/${localName}-${version}.tgz`;
    if (content.includes(pattern)) {
      findings.push(`Resolved ${pkg}@${version} in ${filePath}`);
    }
  }
}

function scanProjectFiles() {
  const lockfilePatterns = [/^package-lock\.json$/, /^yarn\.lock$/, /^pnpm-lock\.yaml$/];
  const lockfiles = findFiles('.', lockfilePatterns);
  console.log(`   ${lockfiles.length} lockfiles`);

  let count = 0;
  for (const file of lockfiles) {
    scanLockfileResolved(file);
    count++;
    if (count % 100 === 0) {
      console.log(`   ...scanned ${count} files`);
    }
  }
}

async function scanNpmCache(cacheDir) {
  if (!fileExists(cacheDir)) return;

  // traverse cacheDir recursively
  const files = findFiles(cacheDir, [/.*/], Infinity);
  console.log(`   ${files.length} files to check in ${cacheDir}`);

  let startTime = Date.now();
  let count = 0;
  for (const file of files) {
    const content = readFileSync(file);
    for (const item of compromised) {
      const [pkg, version] = item.split(',');
      const searchPattern = `${pkg}@${version}`;

      if (content.includes(searchPattern)) {
        findings.push(`Found ${pkg}@${version} in cached file: ${file}`);
      }
    }
    count++;
    // print update every 5 seconds
    if (Date.now() - startTime > 5000) {
      console.log(`   ...checked ${count}/${files.length} files in ${cacheDir}`);
      startTime = Date.now();
    }
  }
}

async function scanNvmVersions() {
  const nvmDir = process.env.NVM_DIR || path.join(os.homedir(), '.nvm');
  if (!fileExists(nvmDir)) return;

  console.log();
  console.log('🧠 Scanning NVM-managed Node versions...');

  const nodeVersionsDir = path.join(nvmDir, 'versions', 'node');
  if (!fileExists(nodeVersionsDir)) return;

  // for each dir in nodeVersionsDir, scan the npm cache
  const dirs = findFiles(nodeVersionsDir, [/.*/], 0, true);
  console.log(`   ${dirs.length} node versions`);
  for (const dir of dirs) {
    await scanNpmCache(dir);
  }
}

function scanDockerfiles() {
  console.log();
  console.log('🐳 Scanning Dockerfiles...');

  const dockerfiles = findFiles('.', [/^Dockerfile/i]);
  console.log(`   ${dockerfiles.length} Dockerfiles`);

  let startTime = Date.now();
  let count = 0;

  for (const file of dockerfiles) {
    scanFile(file);
    count++;
    // print update every 5 seconds
    if (Date.now() - startTime > 5000) {
      console.log(`   ...scanned ${count}/${dockerfiles.length} Dockerfiles`);
      startTime = Date.now();
    }
  }
}

function scanCiConfigs() {
  console.log();
  console.log('⚙️  Scanning CI/CD config files...');

  const patterns = [
    /^Jenkinsfile/,
    /\.ya?ml$/
  ];

  const ciFiles = findFiles('.', patterns).filter(file => {
    const relativePath = path.relative('.', file);
    return !relativePath.includes('/node_modules/') &&
           (relativePath.includes('.github/') ||
            relativePath.includes('.gitlab/') ||
            relativePath.includes('.circleci/') ||
            relativePath.includes('Jenkinsfile'));
  });

  console.log(`   ${ciFiles.length} CI config files`);

  let startTime = Date.now();
  let count = 0;
  for (const file of ciFiles) {
    scanFile(file);
    count++;
    // print update every 5 seconds
    if (Date.now() - startTime > 5000) {
      console.log(`   ...scanned ${count}/${ciFiles.length} CI config files`);
      startTime = Date.now();
    }
  }
}

function scanVendoredDirs() {
  console.log();
  console.log('📁 Scanning vendored folders...');

  const vendorDirs = ['vendor', 'third_party', 'static', 'assets'];
  const patterns = [/\.js$/, /\.json$/, /\.tgz$/];

  for (const dir of vendorDirs) {
    if (!fileExists(dir)) continue;

    const files = findFiles(dir, patterns);
    for (const file of files) {
      scanFile(file);
    }
  }
}

// Main scanning logic
async function main() {
  console.log('🔒 Scanning project lockfiles and package.json...');
  scanProjectFiles();

  scanDockerfiles();
  scanCiConfigs();
  scanVendoredDirs();

  // Global caches
  console.log();
  console.log('📦 Scanning global npm caches...');
  const homeDir = os.homedir();

  const npmCache = path.join(homeDir, '.npm', '_cacache');
  if (fileExists(npmCache)) {
    await scanNpmCache(npmCache);
  }

  const npmPackages = path.join(homeDir, '.npm-packages');
  if (fileExists(npmPackages)) {
    await scanNpmCache(npmPackages);
  }

  // Yarn global cache
  console.log();
  console.log('📦 Scanning Yarn global cache...');
  try {
    const yarnCache = execSync('yarn cache dir 2>/dev/null || echo ""', { encoding: 'utf8' }).trim();
    if (yarnCache && fileExists(yarnCache)) {
      await scanNpmCache(yarnCache);
    }
  } catch (error) {
    // Yarn not available
  }

  // pnpm global store
  console.log();
  console.log('📦 Scanning pnpm global store...');
  try {
    const pnpmCache = execSync('pnpm store path 2>/dev/null || echo ""', { encoding: 'utf8' }).trim();
    if (pnpmCache && fileExists(pnpmCache)) {
      await scanNpmCache(pnpmCache);
    }
  } catch (error) {
    // pnpm not available
  }

  await scanNvmVersions();

  printFindings();
}

// Run the main function
main().catch(console.error);

snyk-parse-db.js

// Browser script to get snyk npm dependency lists into csv format
// for example from https://security.snyk.io/shai-hulud-npm-supply-chain-attack-sep-2025

// Instructions:

// 1. open the corresponding snyk vulnerability page in Chrome (only tested in Chrome)

// 2. open browser developer console

// 3. run this code (adds a function)
// -----------------------------------------
window.parseDeps = function() {
    window.deps = window.deps || [];

    document.querySelectorAll(".vue--proprietary-vulns__item").forEach(e => {
        const pkg = e.querySelector(".vue--proprietary-vulns__body > div > a:nth-child(2)").innerText;
        let versionsStr = e.querySelector(".vue--proprietary-vulns__footer").innerText;
        versionsStr.substring("Versions: ".length).split(", ").forEach(v => {
            window.deps.push(`${pkg},${v}`);
        });
    });
    console.log("total deps:", window.deps.length);
};
// -----------------------------------------

// 4. repeat this for all pages in the vulnerability list
// 4a. run this in the browser console
window.parseDeps()
// 4b. click "Next" page button
// 4c. repeat

// 5. when finished going through all pages, run this in the browser console
window.deps.join(`
`)

// 6. right click on the result and click "Copy string contents"

unsafe-npm-packages-qix-debug-chalk-2025-09-10.csv

unsafe-npm-packages-shai-hulud-snyk-2025-09-23.csv

Note I made two important updates today, see the readme update notes at the top.