import { globSync, existsSync, readFileSync } from "node:fs";
import { join } from "node:path";
import { execSync } from "node:child_process";
// List of compromised packages, from https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
// Shape: package name -> comma-separated string of the version(s) reported as
// compromised (exact versions only, no ranges, no whitespace; the scan below
// splits on "," and does an exact string match against package.json "version").
// This is a point-in-time copy of a published IoC list; such lists grow as more
// affected packages are identified, so re-check the source before treating a
// clean run as proof that nothing is affected.
const pkgs = {
"02-echo": "0.0.7",
"@accordproject/concerto-analysis": "3.24.1",
"@accordproject/concerto-linter": "3.24.1",
"@accordproject/concerto-linter-default-ruleset": "3.24.1",
"@accordproject/concerto-metamodel": "3.12.5",
"@accordproject/concerto-types": "3.24.1",
"@accordproject/markdown-it-cicero": "0.16.26",
"@accordproject/template-engine": "2.7.2",
"@actbase/css-to-react-native-transform": "1.0.3",
"@actbase/native": "0.1.32",
"@actbase/node-server": "1.1.19",
"@actbase/react-absolute": "0.8.3",
"@actbase/react-daum-postcode": "1.0.5",
"@actbase/react-kakaosdk": "0.9.27",
"@actbase/react-native-actionsheet": "1.0.3",
"@actbase/react-native-devtools": "0.1.3",
"@actbase/react-native-fast-image": "8.5.13",
"@actbase/react-native-kakao-channel": "1.0.2",
"@actbase/react-native-kakao-navi": "2.0.4",
"@actbase/react-native-less-transformer": "1.0.6",
"@actbase/react-native-naver-login": "1.0.1",
"@actbase/react-native-simple-video": "1.0.13",
"@actbase/react-native-tiktok": "1.1.3",
"@alexcolls/nuxt-socket.io": "0.0.7,0.0.8",
"@alexcolls/nuxt-ux": "0.6.2,0.6.1",
"@antstackio/eslint-config-antstack": "0.0.3",
"@antstackio/express-graphql-proxy": "0.2.8",
"@antstackio/graphql-body-parser": "0.1.1",
"@antstackio/json-to-graphql": "1.0.3",
"@antstackio/shelbysam": "1.1.7",
"@aryanhussain/my-angular-lib": "0.0.23",
"@asyncapi/dotnet-rabbitmq-template": "1.0.2,1.0.1",
"@asyncapi/edavisualiser": "1.2.2,1.2.1",
"@asyncapi/go-watermill-template": "0.2.76,0.2.77",
"@asyncapi/java-template": "0.3.6,0.3.5",
"@asyncapi/keeper": "0.0.3,0.0.2",
"@asyncapi/php-template": "0.1.2,0.1.1",
"@asyncapi/python-paho-template": "0.2.15,0.2.14",
"@asyncapi/server-api": "0.16.25,0.16.24",
"@asyncapi/studio": "1.0.3,1.0.2",
"@asyncapi/web-component": "2.6.7,2.6.6",
"@browserbasehq/bb9": "1.2.21",
"@browserbasehq/director-ai": "1.0.3",
"@browserbasehq/mcp": "2.1.1",
"@browserbasehq/mcp-server-browserbase": "2.4.2",
"@browserbasehq/sdk-functions": "0.0.4",
"@browserbasehq/stagehand": "3.0.4",
"@browserbasehq/stagehand-docs": "1.0.1",
"@caretive/caret-cli": "0.0.2",
"@clausehq/flows-step-httprequest": "0.1.14",
"@clausehq/flows-step-jsontoxml": "0.1.14",
"@clausehq/flows-step-mqtt": "0.1.14",
"@clausehq/flows-step-sendgridemail": "0.1.14",
"@clausehq/flows-step-taskscreateurl": "0.1.14",
"@commute/bloom": "1.0.3",
"@commute/market-data": "1.0.2",
"@commute/market-data-chartjs": "2.3.1",
"@dev-blinq/ai-qa-logic": "1.0.19",
"@dev-blinq/cucumber-js": "1.0.131",
"@dev-blinq/cucumber_client": "1.0.738",
"@dev-blinq/ui-systems": "1.0.93",
"@ensdomains/address-encoder": "1.1.5",
"@ensdomains/blacklist": "1.0.1",
"@ensdomains/buffer": "0.1.2",
"@ensdomains/ccip-read-cf-worker": "0.0.4",
"@ensdomains/ccip-read-dns-gateway": "0.1.1",
"@ensdomains/ccip-read-router": "0.0.7",
"@ensdomains/ccip-read-worker-viem": "0.0.4",
"@ensdomains/content-hash": "3.0.1",
"@ensdomains/curvearithmetics": "1.0.1",
"@ensdomains/cypress-metamask": "1.2.1",
"@ensdomains/dnsprovejs": "0.5.3",
"@ensdomains/dnssec-oracle-anchors": "0.0.2",
"@ensdomains/dnssecoraclejs": "0.2.9",
"@ensdomains/durin": "0.1.2",
"@ensdomains/durin-middleware": "0.0.2",
"@ensdomains/ens-archived-contracts": "0.0.3",
"@ensdomains/ens-avatar": "1.0.4",
"@ensdomains/ens-contracts": "1.6.1",
"@ensdomains/ens-test-env": "1.0.2",
"@ensdomains/ens-validation": "0.1.1",
"@ensdomains/ensjs": "4.0.3",
"@ensdomains/ensjs-react": "0.0.5",
"@ensdomains/eth-ens-namehash": "2.0.16",
"@ensdomains/hackathon-registrar": "1.0.5",
"@ensdomains/hardhat-chai-matchers-viem": "0.1.15",
"@ensdomains/hardhat-toolbox-viem-extended": "0.0.6",
"@ensdomains/mock": "2.1.52",
"@ensdomains/name-wrapper": "1.0.1",
"@ensdomains/offchain-resolver-contracts": "0.2.2",
"@ensdomains/op-resolver-contracts": "0.0.2",
"@ensdomains/react-ens-address": "0.0.32",
"@ensdomains/renewal": "0.0.13",
"@ensdomains/renewal-widget": "0.1.10",
"@ensdomains/reverse-records": "1.0.1",
"@ensdomains/server-analytics": "0.0.2",
"@ensdomains/solsha1": "0.0.4",
"@ensdomains/subdomain-registrar": "0.2.4",
"@ensdomains/test-utils": "1.3.1",
"@ensdomains/thorin": "0.6.51",
"@ensdomains/ui": "3.4.6",
"@ensdomains/unicode-confusables": "0.1.1",
"@ensdomains/unruggable-gateways": "0.0.3",
"@ensdomains/vite-plugin-i18next-loader": "4.0.4",
"@ensdomains/web3modal": "1.10.2",
"@everreal/react-charts": "2.0.1,2.0.2",
"@everreal/validate-esmoduleinterop-imports": "1.4.4,1.4.5",
"@everreal/web-analytics": "0.0.1,0.0.2",
"@faq-component/core": "0.0.4",
"@faq-component/react": "1.0.1",
"@fishingbooker/browser-sync-plugin": "1.0.5",
"@fishingbooker/react-loader": "1.0.7",
"@fishingbooker/react-pagination": "2.0.6",
"@fishingbooker/react-raty": "2.0.1",
"@fishingbooker/react-swiper": "0.1.5",
"@hapheus/n8n-nodes-pgp": "1.5.1",
"@hover-design/core": "0.0.1",
"@hover-design/react": "0.2.1",
"@ifelsedeveloper/protocol-contracts-svm-idl": "0.1.2",
"@ifings/design-system": "4.9.2",
"@ifings/metatron3": "0.1.5",
"@kvytech/cli": "0.0.7",
"@kvytech/components": "0.0.2",
"@kvytech/habbit-e2e-test": "0.0.2",
"@kvytech/medusa-plugin-announcement": "0.0.8",
"@kvytech/medusa-plugin-management": "0.0.5",
"@kvytech/medusa-plugin-newsletter": "0.0.5",
"@kvytech/medusa-plugin-product-reviews": "0.0.9",
"@kvytech/medusa-plugin-promotion": "0.0.2",
"@kvytech/web": "0.0.2",
"@lessondesk/api-client": "9.12.3,9.12.2",
"@lessondesk/babel-preset": "1.0.1",
"@lessondesk/electron-group-api-client": "1.0.3",
"@lessondesk/eslint-config": "1.4.2",
"@lessondesk/material-icons": "1.0.3",
"@lessondesk/react-table-context": "2.0.4",
"@lessondesk/schoolbus": "5.2.2,5.2.3",
"@livecms/live-edit": "0.0.32",
"@livecms/nuxt-live-edit": "1.9.2",
"@louisle2/core": "1.0.1",
"@louisle2/cortex-js": "0.1.6",
"@lpdjs/firestore-repo-service": "1.0.1",
"@markvivanco/app-version-checker": "1.0.2,1.0.1",
"@ntnx/passport-wso2": "0.0.3",
"@ntnx/t": "0.0.101",
"@orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode": "2.0.5",
"@orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode": "1.1.1",
"@orbitgtbelgium/orbit-components": "1.2.9",
"@orbitgtbelgium/time-slider": "1.0.187",
"@osmanekrem/bmad": "1.0.6",
"@osmanekrem/error-handler": "1.2.2",
"@posthog/agent": "1.24.1",
"@posthog/ai": "7.1.2",
"@posthog/cli": "0.5.15",
"@posthog/clickhouse": "1.7.1",
"@posthog/core": "1.5.6",
"@posthog/hedgehog-mode": "0.0.42",
"@posthog/icons": "0.36.1",
"@posthog/lemon-ui": "0.0.1",
"@posthog/nextjs-config": "1.5.1",
"@posthog/nuxt": "1.2.9",
"@posthog/piscina": "3.2.1",
"@posthog/plugin-contrib": "0.0.6",
"@posthog/react-rrweb-player": "1.1.4",
"@posthog/rrdom": "0.0.31",
"@posthog/rrweb": "0.0.31",
"@posthog/rrweb-player": "0.0.31",
"@posthog/rrweb-record": "0.0.31",
"@posthog/rrweb-replay": "0.0.19",
"@posthog/rrweb-snapshot": "0.0.31",
"@posthog/rrweb-utils": "0.0.31",
"@posthog/siphash": "1.1.2",
"@posthog/wizard": "1.18.1",
"@postman/aether-icons": "2.23.4,2.23.3,2.23.2",
"@postman/csv-parse": "4.0.5,4.0.3,4.0.4",
"@postman/node-keytar": "7.9.6,7.9.4,7.9.5",
"@postman/tunnel-agent": "0.6.7,0.6.6,0.6.5",
"@pradhumngautam/common-app": "1.0.2",
"@pruthvi21/use-debounce": "1.0.3",
"@quick-start-soft/quick-document-translator": "1.4.2511142126",
"@quick-start-soft/quick-git-clean-markdown": "1.4.2511142126",
"@quick-start-soft/quick-markdown": "1.4.2511142126",
"@quick-start-soft/quick-markdown-compose": "1.4.2506300029",
"@quick-start-soft/quick-markdown-image": "1.4.2511142126",
"@quick-start-soft/quick-markdown-print": "1.4.2511142126",
"@quick-start-soft/quick-markdown-translator": "1.4.2509202331",
"@quick-start-soft/quick-remove-image-background": "1.4.2511142126",
"@quick-start-soft/quick-task-refine": "1.4.2511142126",
"@relyt/claude-context-core": "0.1.1",
"@seezo/sdr-mcp-server": "0.0.5",
"@seung-ju/next": "0.0.2",
"@seung-ju/openapi-generator": "0.0.4",
"@seung-ju/react-hooks": "0.0.2",
"@seung-ju/react-native-action-sheet": "0.2.1",
"@sme-ui/aoma-vevasound-metadata-lib": "0.1.3",
"@strapbuild/react-native-date-time-picker": "2.0.4",
"@strapbuild/react-native-perspective-image-cropper": "0.4.15",
"@strapbuild/react-native-perspective-image-cropper-2": "0.4.7",
"@strapbuild/react-native-perspective-image-cropper-poojan31": "0.4.6",
"@suraj_h/medium-common": "1.0.5",
"@thedelta/eslint-config": "1.0.2",
"@tiaanduplessis/json": "2.0.3,2.0.2",
"@tiaanduplessis/react-progressbar": "1.0.2,1.0.1",
"@trefox/sleekshop-js": "0.1.6",
"@trigo/atrix": "7.0.1",
"@trigo/atrix-elasticsearch": "2.0.1",
"@trigo/atrix-postgres": "1.0.3",
"@trigo/atrix-pubsub": "4.0.3",
"@trigo/atrix-soap": "1.0.2",
"@trigo/atrix-swagger": "3.0.1",
"@trigo/bool-expressions": "4.1.3",
"@trigo/eslint-config-trigo": "3.3.1",
"@trigo/fsm": "3.4.2",
"@trigo/hapi-auth-signedlink": "1.3.1",
"@trigo/pathfinder-ui-css": "0.1.1",
"@trigo/trigo-hapijs": "5.0.1",
"@trpc-rate-limiter/cloudflare": "0.1.4",
"@trpc-rate-limiter/hono": "0.1.4",
"@varsityvibe/api-client": "1.3.36,1.3.37",
"@varsityvibe/utils": "5.0.6",
"@varsityvibe/validation-schemas": "0.6.7,0.6.8",
"@vishadtyagi/full-year-calendar": "0.1.11",
"@voiceflow/alexa-types": "2.15.60,2.15.61",
"@voiceflow/anthropic": "0.4.4,0.4.5",
"@voiceflow/api-sdk": "3.28.58,3.28.59",
"@voiceflow/backend-utils": "5.0.2,5.0.1",
"@voiceflow/base-types": "2.136.3,2.136.2",
"@voiceflow/body-parser": "1.21.2,1.21.3",
"@voiceflow/chat-types": "2.14.59,2.14.58",
"@voiceflow/circleci-config-sdk-orb-import": "0.2.1,0.2.2",
"@voiceflow/commitlint-config": "2.6.2,2.6.1",
"@voiceflow/common": "8.9.1,8.9.2",
"@voiceflow/default-prompt-wrappers": "1.7.4,1.7.3",
"@voiceflow/dependency-cruiser-config": "1.8.12,1.8.11",
"@voiceflow/dtos-interact": "1.40.2,1.40.1",
"@voiceflow/encryption": "0.3.3,0.3.2",
"@voiceflow/eslint-config": "7.16.4,7.16.5",
"@voiceflow/eslint-plugin": "1.6.2,1.6.1",
"@voiceflow/exception": "1.10.2,1.10.1",
"@voiceflow/fetch": "1.11.1,1.11.2",
"@voiceflow/general-types": "3.2.23,3.2.22",
"@voiceflow/git-branch-check": "1.4.4,1.4.3",
"@voiceflow/google-dfes-types": "2.17.12,2.17.13",
"@voiceflow/google-types": "2.21.12,2.21.13",
"@voiceflow/husky-config": "1.3.1,1.3.2",
"@voiceflow/logger": "2.4.3,2.4.2",
"@voiceflow/metrics": "1.5.2,1.5.1",
"@voiceflow/natural-language-commander": "0.5.2,0.5.3",
"@voiceflow/nestjs-common": "2.75.2,2.75.3",
"@voiceflow/nestjs-mongodb": "1.3.1,1.3.2",
"@voiceflow/nestjs-rate-limit": "1.3.3,1.3.2",
"@voiceflow/nestjs-redis": "1.3.1,1.3.2",
"@voiceflow/nestjs-timeout": "1.3.1,1.3.2",
"@voiceflow/npm-package-json-lint-config": "1.1.1,1.1.2",
"@voiceflow/openai": "3.2.2,3.2.3",
"@voiceflow/pino": "6.11.4,6.11.3",
"@voiceflow/pino-pretty": "4.4.2,4.4.1",
"@voiceflow/prettier-config": "1.10.2,1.10.1",
"@voiceflow/react-chat": "1.65.4,1.65.3",
"@voiceflow/runtime": "1.29.1,1.29.2",
"@voiceflow/runtime-client-js": "1.17.3,1.17.2",
"@voiceflow/sdk-runtime": "1.43.2,1.43.1",
"@voiceflow/secrets-provider": "1.9.3,1.9.2",
"@voiceflow/semantic-release-config": "1.4.2,1.4.1",
"@voiceflow/serverless-plugin-typescript": "2.1.7,2.1.8",
"@voiceflow/slate-serializer": "1.7.4,1.7.3",
"@voiceflow/stitches-react": "2.3.3,2.3.2",
"@voiceflow/storybook-config": "1.2.2,1.2.3",
"@voiceflow/stylelint-config": "1.1.1,1.1.2",
"@voiceflow/test-common": "2.1.1,2.1.2",
"@voiceflow/tsconfig": "1.12.2,1.12.1",
"@voiceflow/tsconfig-paths": "1.1.5,1.1.4",
"@voiceflow/utils-designer": "1.74.19,1.74.20",
"@voiceflow/verror": "1.1.5,1.1.4",
"@voiceflow/vite-config": "2.6.2,2.6.3",
"@voiceflow/vitest-config": "1.10.3,1.10.2",
"@voiceflow/voice-types": "2.10.59,2.10.58",
"@voiceflow/voiceflow-types": "3.32.45,3.32.46",
"@voiceflow/widget": "1.7.18,1.7.19",
"@zapier/ai-actions": "0.1.20,0.1.19,0.1.18",
"@zapier/babel-preset-zapier": "6.4.2,6.4.1,6.4.3",
"@zapier/browserslist-config-zapier": "1.0.4,1.0.3,1.0.5",
"@zapier/secret-scrubber": "1.1.5,1.1.4,1.1.3",
"ai-crowl-shield": "1.0.7",
"arc-cli-fc": "1.0.1",
"asyncapi-preview": "1.0.2,1.0.1",
atrix: "1.0.1",
automation_model: "1.0.491",
"axios-builder": "1.2.1",
"axios-cancelable": "1.0.2,1.0.1",
"axios-timed": "1.0.2,1.0.1",
"barebones-css": "1.1.4,1.1.3",
"benmostyn-frame-print": "1.0.1",
bestgpiocontroller: "1.0.10",
"bidirectional-adapter": "1.2.2,1.2.4,1.2.5,1.2.3",
"blinqio-executions-cli": "1.0.41",
"blob-to-base64": "1.0.3",
"bun-plugin-httpfile": "0.1.1",
"bytecode-checker-cli": "1.0.11,1.0.8,1.0.9,1.0.10",
"bytes-to-x": "1.0.1",
"calc-loan-interest": "1.0.4",
"capacitor-plugin-apptrackingios": "0.0.21",
"capacitor-plugin-purchase": "0.1.1",
"capacitor-plugin-scgssigninwithgoogle": "0.0.5",
"capacitor-purchase-history": "0.0.10",
"capacitor-voice-recorder-wav": "6.0.3",
"chrome-extension-downloads": "0.0.3,0.0.4",
"claude-token-updater": "1.0.3",
"coinmarketcap-api": "3.1.3,3.1.2",
"colors-regex": "2.0.1",
"command-irail": "0.5.4",
"compare-obj": "1.1.1,1.1.2",
"composite-reducer": "1.0.4,1.0.3,1.0.2,1.0.5",
"count-it-down": "1.0.2,1.0.1",
"cpu-instructions": "0.0.14",
"create-director-app": "0.1.1",
"create-glee-app": "0.2.3,0.2.2",
"create-hardhat3-app": "1.1.4,1.1.3,1.1.1,1.1.2",
"crypto-addr-codec": "0.1.9",
"css-dedoupe": "0.1.2",
"dashboard-empty-state": "1.0.3",
designstudiouiux: "1.0.1",
"devstart-cli": "1.0.6",
"dialogflow-es": "1.1.4,1.1.3,1.1.1,1.1.2",
"discord-bot-server": "0.1.2",
"docusaurus-plugin-vanilla-extract": "1.0.3",
"dont-go": "1.1.2",
"dotnet-template": "0.0.3,0.0.4",
"drop-events-on-property-plugin": "0.0.2",
"email-deliverability-tester": "1.1.1",
"enforce-branch-name": "1.1.3",
"esbuild-plugin-brotli": "0.2.1",
"esbuild-plugin-eta": "0.1.1",
"esbuild-plugin-httpfile": "0.4.1",
"eslint-config-nitpicky": "4.0.1",
"eslint-config-trigo": "22.0.2",
"eslint-config-zeallat-base": "1.0.4",
"ethereum-ens": "0.8.1",
"evm-checkcode-cli": "1.0.15,1.0.12,1.0.13,1.0.14",
"exact-ticker": "0.3.5",
"expo-audio-session": "0.2.1",
expressos: "1.1.3",
"fat-fingered": "1.0.2,1.0.1",
"feature-flip": "1.0.2,1.0.1",
"firestore-search-engine": "1.2.3",
fittxt: "1.0.3,1.0.2",
flapstacks: "1.0.2,1.0.1",
"flatten-unflatten": "1.0.2,1.0.1",
"formik-error-focus": "2.0.1",
"formik-store": "1.0.1",
"fuzzy-finder": "1.0.5,1.0.6",
"gate-evm-check-code2": "2.0.3,2.0.4,2.0.5,2.0.6",
"gate-evm-tools-test": "1.0.7,1.0.8,1.0.5,1.0.6",
"gatsby-plugin-cname": "1.0.2,1.0.1",
"generator-meteor-stock": "0.1.6",
"generator-ng-itobuz": "0.0.15",
"get-them-args": "1.3.3",
"github-action-for-generator": "2.1.28,2.1.27",
gitsafe: "1.0.5",
"go-template": "0.1.8,0.1.9",
"gulp-inject-envs": "1.2.2,1.2.1",
"haufe-axera-api-client": "0.0.1,0.0.2",
"hope-mapboxdraw": "0.1.1",
hopedraw: "1.0.3",
"hover-design-prototype": "0.0.5",
httpness: "1.0.3,1.0.2",
"hyper-fullfacing": "1.0.3",
"hyperterm-hipster": "1.0.7",
"ids-css": "1.5.1",
"ids-enterprise-mcp-server": "0.0.2",
"ids-enterprise-ng": "20.1.6",
"ids-enterprise-typings": "20.1.6",
"image-to-uri": "1.0.2,1.0.1",
"insomnia-plugin-random-pick": "1.0.4",
invo: "0.2.2",
"iron-shield-miniapp": "0.0.2",
"ito-button": "8.0.3",
"itobuz-angular": "0.0.1",
"itobuz-angular-auth": "8.0.11",
"itobuz-angular-button": "8.0.11",
"jacob-zuma": "1.0.2,1.0.1",
"jaetut-varit-test": "1.0.2",
"jan-browser": "0.13.1",
"jquery-bindings": "1.1.3,1.1.2",
jsonsurge: "1.0.7",
"just-toasty": "1.7.1",
"kill-port": "2.0.3,2.0.2",
"korea-administrative-area-geo-json-util": "1.0.7",
kwami: "1.5.9,1.5.10",
"lang-codes": "1.0.2,1.0.1",
"license-o-matic": "1.2.2,1.2.1",
"lint-staged-imagemin": "1.3.1,1.3.2",
"lite-serper-mcp-server": "0.2.2",
"luno-api": "1.2.3",
"manual-billing-system-miniapp-api": "1.3.1",
"medusa-plugin-announcement": "0.0.3",
"medusa-plugin-logs": "0.0.17",
"medusa-plugin-momo": "0.0.68",
"medusa-plugin-product-reviews-kvy": "0.0.4",
"medusa-plugin-zalopay": "0.0.40",
"mod10-check-digit": "1.0.1",
"mon-package-react-typescript": "1.0.1",
"my-saeed-lib": "0.1.1",
"n8n-nodes-tmdb": "0.5.1",
"n8n-nodes-vercel-ai-sdk": "0.1.7",
"n8n-nodes-viral-app": "0.2.5",
nanoreset: "7.0.2,7.0.1",
"next-circular-dependency": "1.0.3,1.0.2",
"next-simple-google-analytics": "1.1.1,1.1.2",
"next-styled-nprogress": "1.0.4,1.0.5",
"ngx-useful-swiper-prosenjit": "9.0.2",
"ngx-wooapi": "12.0.1",
"normal-store": "1.3.1,1.3.4,1.3.3,1.3.2",
"obj-to-css": "1.0.3,1.0.2",
"okta-react-router-6": "5.0.1",
open2internet: "0.1.1",
"orbit-boxicons": "2.1.3",
"orbit-nebula-draw-tools": "1.0.10",
"orbit-nebula-editor": "1.0.2",
"orbit-soap": "0.43.13",
orchestrix: "12.1.2",
"package-tester": "1.0.1",
"parcel-plugin-asset-copier": "1.1.3,1.1.2",
"pdf-annotation": "0.0.2",
piclite: "1.0.1",
"pico-uid": "1.0.4,1.0.3",
"pkg-readme": "1.1.1",
"poper-react-sdk": "0.1.2",
"posthog-docusaurus": "2.0.6",
"posthog-js": "1.297.3",
"posthog-node": "4.18.1,5.13.3,5.11.3",
"posthog-plugin-hello-world": "1.0.1",
"posthog-react-native": "4.11.1,4.12.5",
"posthog-react-native-session-replay": "1.2.2",
"prime-one-table": "0.0.19",
"prompt-eng": "1.0.50",
"puny-req": "1.0.3",
"ra-auth-firebase": "1.0.3",
"ra-data-firebase": "1.0.8,1.0.7",
"react-component-taggers": "0.1.9",
"react-data-to-export": "1.0.1",
"react-element-prompt-inspector": "0.1.18",
"react-favic": "1.0.2",
"react-hook-form-persist": "3.0.2,3.0.1",
"react-jam-icons": "1.0.2,1.0.1",
"react-keycloak-context": "1.0.8,1.0.9",
"react-library-setup": "0.0.6",
"react-linear-loader": "1.0.2",
"react-micromodal.js": "1.0.2,1.0.1",
"react-native-datepicker-modal": "1.3.1,1.3.2",
"react-native-email": "2.1.1,2.1.2",
"react-native-fetch": "2.0.1,2.0.2",
"react-native-get-pixel-dimensions": "1.0.2,1.0.1",
"react-native-google-maps-directions": "2.1.2",
"react-native-jam-icons": "1.0.2,1.0.1",
"react-native-log-level": "1.2.2,1.2.1",
"react-native-modest-checkbox": "3.3.1",
"react-native-modest-storage": "2.1.1",
"react-native-phone-call": "1.2.2,1.2.1",
"react-native-retriable-fetch": "2.0.1,2.0.2",
"react-native-use-modal": "1.0.3",
"react-native-view-finder": "1.2.2,1.2.1",
"react-native-websocket": "1.0.4,1.0.3",
"react-native-worklet-functions": "3.3.3",
"react-qr-image": "1.1.1",
rediff: "1.0.5",
"rediff-viewer": "0.0.7",
"redux-router-kit": "1.2.2,1.2.4,1.2.3",
"rollup-plugin-httpfile": "0.2.1",
"sa-company-registration-number-regex": "1.0.2,1.0.1",
"sa-id-gen": "1.0.4,1.0.5",
samesame: "1.0.3",
"scgs-capacitor-subscribe": "1.0.11",
scgsffcreator: "1.0.5",
"set-nested-prop": "2.0.1,2.0.2",
"shelf-jwt-sessions": "0.1.2",
"shell-exec": "1.1.4,1.1.3",
"shinhan-limit-scrap": "1.0.3",
"skills-use": "0.1.2,0.1.1",
"solomon-api-stories": "1.0.2",
"solomon-v3-stories": "1.15.6",
"solomon-v3-ui-wrapper": "1.6.1",
"sort-by-distance": "2.0.1",
"south-african-id-info": "1.0.2",
"stat-fns": "1.0.1",
stoor: "2.3.2",
"super-commit": "1.0.1",
"svelte-autocomplete-select": "1.1.1",
"svelte-toasty": "1.1.3,1.1.2",
"tanstack-shadcn-table": "1.1.5",
tcsp: "2.0.2",
"tcsp-draw-test": "1.0.5",
"tcsp-test-vd": "2.4.4",
"template-lib": "1.1.4,1.1.3",
"template-micro-service": "1.0.3,1.0.2",
"tenacious-fetch": "2.3.3,2.3.2",
"test-foundry-app": "1.0.4,1.0.3,1.0.2,1.0.1",
"test-hardhat-app": "1.0.4,1.0.3,1.0.2,1.0.1",
"test23112222-api": "1.0.1",
tiaan: "1.0.2",
"token.js-fork": "0.7.32",
"trigo-react-app": "4.1.2",
typefence: "1.2.2,1.2.3",
"typeorm-orbit": "0.2.27",
"undefsafe-typed": "1.0.4,1.0.3",
uplandui: "0.5.4",
"upload-to-play-store": "1.0.2,1.0.1",
"url-encode-decode": "1.0.2,1.0.1",
"use-unsaved-changes": "1.0.9",
"valid-south-african-id": "1.0.3",
"vf-oss-template": "1.0.4,1.0.3,1.0.2,1.0.1",
"vite-plugin-httpfile": "0.2.1",
"vue-browserupdate-nuxt": "1.0.5",
"web-scraper-mcp": "1.1.4",
"web-types-htmx": "0.1.1",
"web-types-lit": "0.1.1",
"webpack-loader-httpfile": "0.2.1",
"wellness-expert-ng-gallery": "5.1.1",
wenk: "1.0.9,1.0.10",
"zapier-async-storage": "1.0.3,1.0.2,1.0.1",
"zapier-platform-cli": "18.0.4,18.0.3,18.0.2",
"zapier-platform-core": "18.0.4,18.0.3,18.0.2",
"zapier-platform-schema": "18.0.4,18.0.3,18.0.2",
"zapier-scripts": "7.8.3,7.8.4",
"zuper-cli": "1.0.1",
"zuper-sdk": "1.0.57",
"zuper-stream": "2.0.9",
};
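// get all downstream node_modules dirs
// fs.globSync is only available on Node 22+. The pattern is relative to the
// cwd, so run this from the repository root; the leading **/ also finds
// node_modules nested inside other packages or workspaces.
const allModules = globSync(`**/node_modules/`);

// see if any of those contain known malicious packages
for (const [name, versions] of Object.entries(pkgs)) {
  // Split the version list once per package rather than once per directory.
  const malicious = new Set(versions.split(`,`));
  for (const dir of allModules) {
    const pkgDir = join(dir, name);
    if (!existsSync(pkgDir)) continue;
    console.log(`POTENTIALLY MALICIOUS PACKAGE FOUND: ${pkgDir}`);

    // Extract the version field from package.json. Previously a missing or
    // unparsable package.json threw and aborted the whole run, leaving every
    // remaining directory unchecked (a silent false negative for a scanner).
    // Report the problem for this package and keep scanning instead.
    let version;
    try {
      const packageJSON = JSON.parse(readFileSync(join(pkgDir, `package.json`), `utf8`));
      version = packageJSON.version;
    } catch (err) {
      console.log(`??? COULD NOT READ package.json FOR ${pkgDir}: ${err.message}`);
      process.exitCode = 1;
      continue;
    }
    if (typeof version !== `string`) {
      console.log(`??? NO VERSION FIELD IN package.json FOR ${pkgDir}, INSPECT MANUALLY`);
      process.exitCode = 1;
      continue;
    }

    // Is this a known-bad version? Exact string match against the list.
    // This trusts the installed package.json; corroborate a hit (or a miss on
    // a listed package) against the lockfile's resolved/integrity entries.
    if (malicious.has(version)) {
      console.log(`!!! MALICIOUS PACKAGE VERSION FOUND: ${pkgDir}@${version}`);
      console.log();
      // Non-zero exit so a CI job running this scan fails on a confirmed hit.
      process.exitCode = 1;
    } else {
      // Pinning only helps if installs honour the lockfile (e.g. `npm ci`).
      console.log(`*** NON-MALICIOUS VERSION, CONSIDER PINNING ${pkgDir} TO ${version}`);
    }
  }
}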
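// Also check for known payloads:
// This is a filename heuristic only. It looks at the current repository's own
// .github/workflows (relative to the cwd), not at nested projects, and flags
// any workflow whose name ends in `discussions.yaml` or contains `formatter`.
// Treat a hit as a prompt to open and read the file, not as proof of compromise,
// and a clean result as no evidence either way.
const workflowFiles = globSync(`.github/workflows/*.y?(a)ml`);
const looksSuspicious = (file) =>
  file.endsWith(`discussions.yaml`) || file.includes(`formatter`);
for (const file of workflowFiles.filter(looksSuspicious)) {
  console.log(`!!! POTENTIALLY BAD WORKFLOW FILE FOUND: ${file}`);
  // Non-zero exit so a CI job running this scan fails on a hit.
  process.exitCode = 1;
}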