@alexkli
alexkli / scan-npm-dependencies.md
Last active November 11, 2025 16:34
Node.js script to scan for compromised npm dependencies (Shai Hulud and others)

Update #2 September 23, 2025: Updated the csv files based on snyk.io sources as of today:

  • The Shai Hulud CSV is updated with new dependencies and no longer includes the Qix attack dependencies.
  • The Qix CSV is updated with the new dependencies found.

Update September 23, 2025: Updated the script to fix a critical bug where it did not detect scoped packages (such as @art-ws/di-node) in project lockfiles.


Scan for compromised npm dependencies

@joeskeen
joeskeen / check-npm-cache.sh
Last active September 24, 2025 06:10 — forked from phxgg/check-npm-cache.sh
This script will check your npm cache and find whether any of the affected packages were pulled onto your machine. `chmod +x check-npm-cache.sh` before usage. No dependencies; should work on any system with Bash. (Only tested by me on Linux.)
#!/usr/bin/env bash
echo "🔍 Scanning for compromised NPM packages..."
# Define compromised packages and versions
declare -A compromised=(
[ansi-regex]="6.2.1"
[ansi-styles]="6.2.2"
[backslash]="0.2.1"
[chalk]="5.6.1"
@phxgg
phxgg / check-npm-cache.sh
Last active September 26, 2025 06:55
This script will check your npm cache and find whether any of the affected packages were pulled onto your machine. `chmod +x check-npm-cache.sh` before usage. Requires jq; use `brew install jq` to install it. Only tested on macOS.
#!/usr/bin/env bash
set -euo pipefail
packages_json='[
{"name":"backslash","version":"0.2.1"},
{"name":"chalk-template","version":"1.1.1"},
{"name":"supports-hyperlinks","version":"4.1.1"},
{"name":"has-ansi","version":"6.0.1"},
{"name":"simple-swizzle","version":"0.2.3"},
{"name":"color-string","version":"2.1.1"},