Scripts

shai-hulud-2-detector (NPM Supply Chain Attack)

Verifica se o seu package.json (e o lock-file) contém algum pacote comprometido pelo ataque Shai-Hulud 2.0 (24 de novembro de 2025); funciona com npm, yarn e pnpm. A lista de pacotes embutida no script é um recorte dos indicadores publicados na data: um resultado "limpo" não prova que o projeto não foi afetado. Leia mais sobre o ataque

Como usar (Windows Batch)

  1. Baixe o script para a pasta do seu projeto (o mesmo diretório do package.json, ou um subdiretório dele — o script também procura o package.json nos diretórios acima)
  2. Clique duas vezes no arquivo .bat para executar (a janela fecha ao terminar; para ler o resultado, prefira a opção seguinte)
  3. Ou execute no Prompt de Comando: shai-hulud-2-detector.bat (código de saída 0 = nada encontrado; 1 = pacote comprometido encontrado ou package.json não localizado)
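@echo off
REM Shai-Hulud 2.0 Supply Chain Attack Detector
REM
REM Checks a project's declared and resolved npm dependencies against a list of
REM name@version pairs published as compromised in the Shai-Hulud 2.0 supply
REM chain attack (late November 2025).
REM
REM Sources scanned - every one that exists is scanned, not only the one that
REM belongs to a detected package manager:
REM   - package.json        "name": "x.y.z"  exact pin      -> confirmed hit
REM                         "name": "^x.y"   version range  -> reported once as
REM                         declared; the resolved version must come from below
REM   - package-lock.json   resolved tarball URL  /name/-/bare-x.y.z.tgz
REM   - yarn.lock           resolved tarball URL (v1) or "name@npm:x.y.z" (berry)
REM   - pnpm-lock.yaml      snapshot keys  name@x.y.z:  name@x.y.z(  'name@x.y.z'  /name/x.y.z:
REM   - node_modules\NAME\package.json   "version": "x.y.z" - the installed copy,
REM                         i.e. the one whose install scripts may already have run
REM
REM Limitations - read before trusting a clean result:
REM   - The embedded list is a snapshot of the indicators published with the
REM     references below. The campaign was ongoing; a version absent from the
REM     list is not proven clean. Re-check against current advisories.
REM   - Matching is a line-oriented literal text search (findstr /L). Lockfiles
REM     that carry a non-standard "resolved" URL, omit it, or were hand-edited
REM     can be missed. Only the top-level node_modules tree is inspected.
REM   - A hit means the compromised code was present. If it was installed, treat
REM     the host, its CI runner and every credential reachable from them as
REM     exposed - not merely "update the dependency".
REM
REM References:
REM - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
REM - https://socket.dev/blog/supply-chain-attack-shai-hulud-2-0
REM
REM Usage:
REM   shai-hulud-2-detector.bat
REM   (Automatically finds package.json in current or parent directories)
REM
REM Exit codes:
REM   0  no listed name@version matched in any scanned source
REM   1  at least one confirmed match, or no package.json found
REM   2  listed package names are declared in package.json, but no lockfile or
REM      node_modules existed to confirm which version was actually resolved

setlocal enabledelayedexpansion

REM Compromised name@version pairs (snapshot, see header). Grouped by scope or
REM vendor purely for readability; the scan treats the list as one flat set.
set "COMPROMISED="
set "COMPROMISED=!COMPROMISED! @accordproject/concerto-analysis@3.24.1 @accordproject/concerto-metamodel@3.12.5 @accordproject/concerto-types@3.24.1 @accordproject/markdown-it-cicero@0.16.26"
set "COMPROMISED=!COMPROMISED! @asyncapi/studio@1.0.3 @asyncapi/studio@1.0.2"
set "COMPROMISED=!COMPROMISED! @ensdomains/address-encoder@1.1.5 @ensdomains/content-hash@3.0.1 @ensdomains/dnsprovejs@0.5.3 @ensdomains/ens-validation@0.1.1 @ensdomains/ensjs@4.0.3 @ensdomains/eth-ens-namehash@2.0.16"
set "COMPROMISED=!COMPROMISED! @posthog/agent@1.24.1 @posthog/ai@7.1.2 @posthog/cli@0.5.15 @posthog/clickhouse@1.7.1 @posthog/core@1.5.6 @posthog/hedgehog-mode@0.0.42 @posthog/icons@0.36.1 @posthog/lemon-ui@0.0.1 @posthog/nextjs-config@1.5.1 @posthog/nuxt@1.2.9 @posthog/piscina@3.2.1 @posthog/plugin-contrib@0.0.6"
set "COMPROMISED=!COMPROMISED! @posthog/react-rrweb-player@1.1.4 @posthog/rrdom@0.0.31 @posthog/rrweb@0.0.31 @posthog/rrweb-player@0.0.31 @posthog/rrweb-record@0.0.31 @posthog/rrweb-replay@0.0.19 @posthog/rrweb-snapshot@0.0.31 @posthog/rrweb-utils@0.0.31 @posthog/siphash@1.1.2 @posthog/wizard@1.18.1"
set "COMPROMISED=!COMPROMISED! @postman/aether-icons@2.23.3 @postman/aether-icons@2.23.4 @postman/aether-icons@2.23.2 @postman/csv-parse@4.0.5 @postman/csv-parse@4.0.3 @postman/csv-parse@4.0.4 @postman/node-keytar@7.9.5 @postman/node-keytar@7.9.6 @postman/node-keytar@7.9.4 @postman/tunnel-agent@0.6.7 @postman/tunnel-agent@0.6.6 @postman/tunnel-agent@0.6.5"
set "COMPROMISED=!COMPROMISED! @voiceflow/common@8.9.2 @voiceflow/common@8.9.1"
set "COMPROMISED=!COMPROMISED! @zapier/ai-actions@0.1.19 @zapier/ai-actions@0.1.20 @zapier/ai-actions@0.1.18 @zapier/babel-preset-zapier@6.4.2 @zapier/babel-preset-zapier@6.4.3 @zapier/babel-preset-zapier@6.4.1 @zapier/browserslist-config-zapier@1.0.4 @zapier/browserslist-config-zapier@1.0.5 @zapier/browserslist-config-zapier@1.0.3 @zapier/secret-scrubber@1.1.5 @zapier/secret-scrubber@1.1.3 @zapier/secret-scrubber@1.1.4"
set "COMPROMISED=!COMPROMISED! blob-to-base64@1.0.3 cpu-instructions@0.0.14 crypto-addr-codec@0.1.9 enforce-branch-name@1.1.3 ethereum-ens@0.8.1 formik-error-focus@2.0.1 fuzzy-finder@1.0.5 fuzzy-finder@1.0.6 gatsby-plugin-cname@1.0.1 gatsby-plugin-cname@1.0.2 get-them-args@1.3.3 kill-port@2.0.2"
set "COMPROMISED=!COMPROMISED! posthog-docusaurus@2.0.6 posthog-js@1.297.3 posthog-node@5.13.3 posthog-node@5.11.3 posthog-node@4.18.1 posthog-react-native@4.11.1 posthog-react-native@4.12.5 posthog-react-native-session-replay@1.2.2"
set "COMPROMISED=!COMPROMISED! react-hook-form-persist@3.0.1 react-native-email@2.1.2 react-native-email@2.1.1 react-native-google-maps-directions@2.1.2 react-native-phone-call@1.2.2 react-native-phone-call@1.2.1 react-native-websocket@1.0.3 shell-exec@1.1.3 shell-exec@1.1.4 sort-by-distance@2.0.1 template-lib@1.1.3 template-lib@1.1.4 tenacious-fetch@2.3.2 url-encode-decode@1.0.1"
set "COMPROMISED=!COMPROMISED! zapier-platform-cli@18.0.4 zapier-platform-cli@18.0.3 zapier-platform-cli@18.0.2 zapier-platform-core@18.0.4 zapier-platform-core@18.0.3 zapier-platform-core@18.0.2 zapier-platform-schema@18.0.4 zapier-platform-schema@18.0.3 zapier-platform-schema@18.0.2"

REM Find package.json in current or parent directories
set "CURRENT_DIR=%CD%"
set "PKG_PATH="

:FIND_PKG
if exist "%CURRENT_DIR%\package.json" (
    set "PKG_PATH=%CURRENT_DIR%\package.json"
    goto :FOUND_PKG
)

REM Go to parent directory
for %%I in ("%CURRENT_DIR%\..") do set "PARENT_DIR=%%~fI"

REM Check if we reached the root
if "%CURRENT_DIR%"=="%PARENT_DIR%" (
    echo Error: package.json not found in current directory or any parent directory.
    exit /b 1
)

set "CURRENT_DIR=%PARENT_DIR%"
goto :FIND_PKG

:FOUND_PKG
echo Checking: %PKG_PATH%
for %%I in ("%PKG_PATH%\..") do set "PROJECT_DIR=%%~fI"

REM Resolved-version sources. All of them are scanned when present: a repository
REM can carry more than one lockfile, and the lockfile and the installed tree
REM can disagree. RESOLVED_SOURCES counts how many were available so the final
REM verdict can say when package.json was the only evidence.
set "NPM_LOCK=%PROJECT_DIR%\package-lock.json"
set "YARN_LOCK=%PROJECT_DIR%\yarn.lock"
set "PNPM_LOCK=%PROJECT_DIR%\pnpm-lock.yaml"
set "MODULES_DIR=%PROJECT_DIR%\node_modules"
set "RESOLVED_SOURCES=0"
if exist "%NPM_LOCK%" (
    echo Lockfile: package-lock.json
    set /a RESOLVED_SOURCES+=1
)
if exist "%YARN_LOCK%" (
    echo Lockfile: yarn.lock
    set /a RESOLVED_SOURCES+=1
)
if exist "%PNPM_LOCK%" (
    echo Lockfile: pnpm-lock.yaml
    set /a RESOLVED_SOURCES+=1
)
if exist "%MODULES_DIR%\" (
    echo Installed tree: node_modules
    set /a RESOLVED_SOURCES+=1
)
if %RESOLVED_SOURCES% equ 0 echo No lockfile or node_modules found - only package.json can be checked.

echo.
echo Scanning dependencies...

set "FOUND_COMPROMISED=0"
set "DECLARED_UNCONFIRMED=0"

REM For each name@version: NAME keeps its scope, BARE has the scope stripped
REM (registry tarballs are named BARE-VERSION.tgz under /NAME/-/), KEY is NAME
REM made safe for use inside a variable name so that a declared-but-unresolved
REM package is reported once even when several of its versions are listed.
REM All findstr searches are literal (/L) so the dots in versions are not regex.
for %%P in (%COMPROMISED%) do (
    set "ENTRY=%%P"
    for /f "tokens=1,2 delims=@" %%A in ("%%P") do (
        set "VERSION=%%B"
        if "!ENTRY:~0,1!"=="@" (set "NAME=@%%A") else (set "NAME=%%A")
    )
    set "BARE=!NAME:*/=!"
    set "KEY=!NAME:/=_!"
    set "KEY=!KEY:@=_!"
    set "TGZ=/!NAME!/-/!BARE!-!VERSION!.tgz"

    REM package.json - exact pin of the bad version
    set "PINNED=0"
    findstr /L /C:"\"!NAME!\": \"!VERSION!\"" /C:"\"!NAME!\":\"!VERSION!\"" "%PKG_PATH%" >nul 2>nul
    if !errorlevel! equ 0 (
        set "PINNED=1"
        call :REPORT "pinned in package.json"
    )

    REM package.json - declared with a range, cannot be judged from this file alone
    if !PINNED! equ 0 (
        findstr /L /C:"\"!NAME!\":" "%PKG_PATH%" >nul 2>nul
        if !errorlevel! equ 0 if not defined SEEN_!KEY! (
            set "SEEN_!KEY!=1"
            set /a DECLARED_UNCONFIRMED+=1
            echo Declared in package.json: !NAME! - version range, resolved version is checked in lockfile / node_modules
        )
    )

    REM package-lock.json - registry tarball URL of the resolved version
    if exist "%NPM_LOCK%" (
        findstr /L /C:"!TGZ!" "%NPM_LOCK%" >nul 2>nul
        if !errorlevel! equ 0 call :REPORT "resolved in package-lock.json"
    )

    REM yarn.lock - tarball URL in yarn v1, name@npm:version resolution in berry
    if exist "%YARN_LOCK%" (
        findstr /L /C:"!TGZ!" /C:"\"!NAME!@npm:!VERSION!\"" "%YARN_LOCK%" >nul 2>nul
        if !errorlevel! equ 0 call :REPORT "resolved in yarn.lock"
    )

    REM pnpm-lock.yaml - snapshot keys of the v5, v6 to v8 and v9 layouts
    if exist "%PNPM_LOCK%" (
        findstr /L /C:"!ENTRY!:" /C:"!ENTRY!(" /C:"!ENTRY!'" /C:"/!NAME!/!VERSION!:" "%PNPM_LOCK%" >nul 2>nul
        if !errorlevel! equ 0 call :REPORT "resolved in pnpm-lock.yaml"
    )

    REM node_modules - the installed copy, top level only
    if exist "%MODULES_DIR%\!NAME:/=\!\package.json" (
        findstr /L /C:"\"version\": \"!VERSION!\"" /C:"\"version\":\"!VERSION!\"" "%MODULES_DIR%\!NAME:/=\!\package.json" >nul 2>nul
        if !errorlevel! equ 0 call :REPORT "installed in node_modules"
    )
)

echo.
if %FOUND_COMPROMISED% equ 0 (
    if %DECLARED_UNCONFIRMED% gtr 0 if %RESOLVED_SOURCES% equ 0 (
        echo WARNING: listed package names are declared in package.json, but no lockfile or
        echo node_modules directory exists here, so the resolved versions could not be checked.
        echo Run this on the machine or CI runner that performed the install, or inspect its lockfile.
        exit /b 2
    )
    echo No compromised packages found in the scanned sources.
    echo Note: the embedded list is a snapshot - re-check against the current advisories.
    exit /b 0
)

echo.
echo Recommended actions - treat every host and CI runner that installed a listed version as compromised:
echo 1. Rotate all secrets/tokens that were reachable from it ^(npm, GitHub, CI/CD, cloud providers, SSH^).
echo 2. Audit your GitHub org/user for suspicious repos named "Shai-Hulud" or "SHA1-HULUD".
echo 3. Remove the node_modules directory.
echo 4. Clear the package manager cache:
echo    - npm:  npm cache clean --force
echo    - pnpm: pnpm store prune
echo    - yarn: yarn cache clean
echo 5. Pin the affected packages to known-good exact versions in package.json.
echo 6. Fix or regenerate the lockfile, verify it no longer resolves a listed version,
echo    then reinstall with --ignore-scripts until the tree is confirmed clean.
echo 7. Re-run this check; the embedded list is a snapshot, compare with current advisories.
echo.
echo More info: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack

exit /b 1

:REPORT
REM Prints one confirmed match and raises the result flag.
REM   ENTRY          - the name@version currently being scanned
REM   first argument - which source confirmed it
REM The caret pair before the exclamation mark keeps it from being eaten by
REM delayed expansion, which silently dropped it in earlier versions.
if %FOUND_COMPROMISED% equ 0 (
    echo.
    echo COMPROMISED PACKAGES DETECTED^^!
    echo ================================================================
    set "FOUND_COMPROMISED=1"
)
echo Found: %ENTRY% ^(%~1^)
exit /b 0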