Sha1 Hulud 2.0 Vulnerability Scanner
November 26, 2025
A comprehensive security scanner for detecting compromised packages from the Sha1 Hulud 2.0 supply chain attack in JavaScript projects and monorepos.
Features
- Comprehensive Scanning: Detects vulnerable packages from DataDog's consolidated IOC list
- Monorepo Support: Works with Turborepo, Yarn workspaces, pnpm workspaces, Lerna, Rush
- Zero Configuration: Automatically detects project structure and workspace configuration
- Detailed Reporting: Provides workspace-aware vulnerability mapping and JSON reports
- Fast & Lightweight: Only one dependency (glob), works with Node.js 16+
Installation
Install from GitHub
```bash
# Install globally
npm install -g https://github.com/yourusername/sha1-hulud-scanner.git
# Install as dev dependency in your project
npm install -D https://github.com/yourusername/sha1-hulud-scanner.git
# or
yarn add -D https://github.com/yourusername/sha1-hulud-scanner.git
# or
pnpm add -D https://github.com/yourusername/sha1-hulud-scanner.git
```
Install from npm (when published)
```bash
npm install -g sha1-hulud-scanner
# or as dev dependency
npm install -D sha1-hulud-scanner
```
Usage
Command Line Interface
```bash
# Scan current directory
sha1-hulud-scan
# Scan specific directory
sha1-hulud-scan /path/to/project
# Custom output file
sha1-hulud-scan --output security-report.json
# JSON output only (for CI/CD)
sha1-hulud-scan --quiet --json
# Disable colors
sha1-hulud-scan --no-color
# Show help
sha1-hulud-scan --help
```
Programmatic Usage
```javascript
import { scanForVulnerabilities } from 'sha1-hulud-scanner'

const result = await scanForVulnerabilities({
  directory: '/path/to/project',
  outputFile: 'security-report.json',
  quiet: false,
  colors: true
})
console.log(`Found ${result.vulnerabilitiesFound} vulnerabilities`)
```
Package.json Script
Add to your project's package.json:
```json
{
  "scripts": {
    "security:scan": "sha1-hulud-scan"
  },
  "devDependencies": {
    "sha1-hulud-scanner": "github:yourusername/sha1-hulud-scanner"
  }
}
```
Then run:
```bash
npm run security:scan
```
Supported Project Types
Single Package Projects
- Any Node.js project with package.json
- React, Vue, Angular, Express, etc.
Monorepos & Workspaces
- Turborepo (turbo.json)
- Yarn Workspaces (workspaces in package.json)
- pnpm Workspaces (pnpm.workspaces)
- Lerna (lerna.json)
- Rush (rush.json)
Output Examples
Clean Project
```text
Shai Hulud 2.0 Vulnerability Scanner (Monorepo Support)
Loaded 795 vulnerable packages from IOC list
Detected single workspace with 1 packages
Found 116 unique dependencies across 1 packages
Found 195 packages across 1 node_modules locations

SCAN RESULTS
NO VULNERABLE PACKAGES FOUND!
Your single workspace appears to be clean from Shai Hulud 2.0 compromised packages.
Detailed report saved to: vulnerability-report.json
```
Monorepo with Vulnerabilities
```text
Shai Hulud 2.0 Vulnerability Scanner (Monorepo Support)
Loaded 795 vulnerable packages from IOC list
Detected turborepo workspace with 5 packages
Workspace packages:
  @myorg/web (apps/web) - 45 deps
  @myorg/api (apps/api) - 32 deps
  @myorg/ui (packages/ui) - 28 deps
Found 89 unique dependencies across 5 packages
Found 234 packages across 3 node_modules locations

SCAN RESULTS
FOUND 2 POTENTIALLY VULNERABLE PACKAGES:
1. vulnerable-package
   Vulnerable Versions: 1.2.3, 1.2.4
   Found in:
     @myorg/web (apps/web) - v1.2.3
     node_modules (root) - v1.2.3

RECOMMENDED ACTIONS:
1. Remove or replace vulnerable packages from affected workspaces
2. Update to safe versions if available
3. Run workspace-specific dependency audits
4. Consider using lockfiles for consistent versions
```
CLI Options
| Option | Short | Description |
|---|---|---|
| --help | -h | Show help message |
| --version | -v | Show version number |
| --output <file> | -o | Custom output file (default: vulnerability-report.json) |
| --quiet | -q | Suppress console output (except errors) |
| --json | | Output results as JSON to stdout |
| --no-color | | Disable colored output |
Report Format
The scanner generates a detailed JSON report:
```json
{
  "timestamp": "2024-01-01T00:00:00.000Z",
  "workspaceType": "turborepo",
  "totalVulnerableInIOC": 795,
  "totalWorkspacePackages": 5,
  "totalUniqueDependencies": 89,
  "totalInstalledPackages": 234,
  "nodeModulesLocations": 3,
  "vulnerabilitiesFound": 2,
  "workspacePackages": [
    {
      "name": "@myorg/web",
      "path": "apps/web",
      "dependencyCount": 45
    }
  ],
  "vulnerabilities": [
    {
      "name": "vulnerable-package",
      "version": "1.2.3",
      "location": "@myorg/web (apps/web)",
      "vulnerableVersions": ["1.2.3", "1.2.4"],
      "type": "declared",
      "workspace": "@myorg/web"
    }
  ]
}
```
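The matching step behind the output above (IOC list checked against each workspace's declared dependencies and against installed node_modules contents, emitting entries in the report's "vulnerabilities" shape), written as an added example that is not the scanner's own code. It assumes the IOC list has already been parsed into a `{ name: [versions] }` object (the real CSV layout is not described here), uses constructed manifests and indicators, and the `"installed"` type value is an assumption since the README only shows `"declared"`.

```javascript
// Assumption: the IOC list is already parsed into { name: [versions] };
// the real consolidated_iocs.csv layout is not covered here.
const IOC_LIST = {                         // constructed sample, not real indicators
  'vulnerable-package': ['1.2.3', '1.2.4'],
  'another-lib': ['0.9.0'],
};

const WORKSPACES = [                       // constructed monorepo manifests
  { name: '@myorg/web', path: 'apps/web',
    dependencies: { 'vulnerable-package': '^1.2.3', react: '18.2.0' } },
  { name: '@myorg/api', path: 'apps/api',
    dependencies: { express: '4.18.2', 'another-lib': '~1.0.0' } },
];

const INSTALLED = [                        // constructed node_modules contents
  { location: 'node_modules (root)', name: 'vulnerable-package', version: '1.2.3' },
  { location: 'node_modules (root)', name: 'another-lib', version: '1.0.2' },
];

// Reduce a declared range such as "^1.2.3" to its base version. Simplification:
// a full implementation must evaluate the whole semver range, since "^1.2.0"
// also admits the compromised 1.2.3 and 1.2.4.
function baseVersion(spec) {
  return spec.replace(/^[\^~>=<\s]+/, '');
}

function findVulnerabilities(iocList, workspaces, installed) {
  const hits = [];
  for (const ws of workspaces) {                        // declared dependencies
    for (const [name, spec] of Object.entries(ws.dependencies)) {
      const version = baseVersion(spec);
      if (iocList[name] && iocList[name].includes(version)) {
        hits.push({ name, version, location: `${ws.name} (${ws.path})`,
          vulnerableVersions: iocList[name], type: 'declared', workspace: ws.name });
      }
    }
  }
  for (const pkg of installed) {                        // installed packages
    if (iocList[pkg.name] && iocList[pkg.name].includes(pkg.version)) {
      hits.push({ name: pkg.name, version: pkg.version, location: pkg.location,
        vulnerableVersions: iocList[pkg.name], type: 'installed', workspace: null });
    }
  }
  return hits;
}

// Exit-code rule from the README: 0 when clean, 1 when anything was found.
function exitCodeFor(vulns) { return vulns.length > 0 ? 1 : 0; }
console.log(JSON.stringify(findVulnerabilities(IOC_LIST, WORKSPACES, INSTALLED), null, 2));
```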
CI/CD Integration
GitHub Actions
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - name: Install dependencies
        run: npm ci
      - name: Security scan
        run: npx sha1-hulud-scan --json > security-results.json
      - name: Upload security report
        uses: actions/upload-artifact@v3
        with:
          name: security-report
          path: |
            security-results.json
            vulnerability-report.json
```
Because the scanner exits with code 1 when it finds vulnerabilities, the "Security scan" step fails and the upload step is skipped in exactly the case where the report matters most; add `if: always()` to the upload step if the report should be kept on failure.
Exit Codes
- 0: No vulnerabilities found
- 1: Vulnerabilities found or error occurred
Data Source
The scanner uses the official DataDog consolidated IOCs list:
- Source: https://github.com/DataDog/indicators-of-compromise
- File: shai-hulud-2.0/consolidated_iocs.csv
- Updated: Fetches latest data on each scan
Development
Local Development
```bash
git clone https://github.com/yourusername/sha1-hulud-scanner.git
cd sha1-hulud-scanner
npm install
npm test
```
Testing
```bash
# Run tests
npm test
# Test CLI locally
node bin/cli.js --help
node bin/cli.js /path/to/test/project
```
License
MIT License - see LICENSE file for details.
Contributing
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
Issues
Report issues at: https://github.com/yourusername/sha1-hulud-scanner/issues
Changelog
v1.0.0
- Initial release
- Monorepo support for all major tools
- CLI and programmatic interfaces
- Comprehensive vulnerability detection