Last active
December 3, 2025 19:31
-
-
Save alexgreenland/3a7aa666a37a9e71b4abf06b274278d9 to your computer and use it in GitHub Desktop.
[Updated 27 Nov 2025 00:21 UTC] Deep scan for bad NPM packages nested across projects - DFIR for Shai-Hulud cyberattack, Sep-Nov 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @ahmedhfarag/ngx-perfect-scrollbar | |
| @ahmedhfarag/ngx-virtual-scroller | |
| another-shai | |
| @art-ws/common | |
| @art-ws/config-eslint | |
| @art-ws/config-ts | |
| @art-ws/db-context | |
| @art-ws/di-node | |
| @art-ws/di | |
| @art-ws/eslint | |
| @art-ws/fastify-http-server | |
| @art-ws/http-server | |
| @art-ws/openapi | |
| @art-ws/package-base | |
| @art-ws/prettier | |
| @art-ws/slf | |
| @art-ws/ssl-info | |
| @art-ws/web-app | |
| @crowdstrike/commitlint | |
| @crowdstrike/falcon-shoelace | |
| @crowdstrike/foundry-js | |
| @crowdstrike/glide-core | |
| @crowdstrike/logscale-dashboard | |
| @crowdstrike/logscale-file-editor | |
| @crowdstrike/logscale-parser-edit | |
| @crowdstrike/logscale-search | |
| @crowdstrike/tailwind-toucan-base | |
| @ctrl/deluge | |
| @ctrl/golang-template | |
| @ctrl/magnet-link | |
| @ctrl/ngx-codemirror | |
| @ctrl/ngx-csv | |
| @ctrl/ngx-emoji-mart | |
| @ctrl/ngx-rightclick | |
| @ctrl/qbittorrent | |
| @ctrl/react-adsense | |
| @ctrl/shared-torrent | |
| @ctrl/tinycolor | |
| @ctrl/torrent-file | |
| @ctrl/transmission | |
| @ctrl/ts-base32 | |
| @hestjs/core | |
| @hestjs/cqrs | |
| @hestjs/demo | |
| @hestjs/eslint-config | |
| @hestjs/logger | |
| @hestjs/scalar | |
| @hestjs/validation | |
| @nativescript-community/arraybuffers | |
| @nativescript-community/gesturehandler | |
| @nativescript-community/perms | |
| @nativescript-community/sentry | |
| @nativescript-community/sqlite | |
| @nativescript-community/text | |
| @nativescript-community/typeorm | |
| @nativescript-community/ui-collectionview | |
| @nativescript-community/ui-document-picker | |
| @nativescript-community/ui-drawer | |
| @nativescript-community/ui-image | |
| @nativescript-community/ui-label | |
| @nativescript-community/ui-material-bottom-navigation | |
| @nativescript-community/ui-material-bottomsheet | |
| @nativescript-community/ui-material-core-tabs | |
| @nativescript-community/ui-material-core | |
| @nativescript-community/ui-material-ripple | |
| @nativescript-community/ui-material-tabs | |
| @nativescript-community/ui-pager | |
| @nativescript-community/ui-pulltorefresh | |
| @nexe/config-manager | |
| @nexe/eslint-config | |
| @nexe/logger | |
| @nstudio/angular | |
| @nstudio/focus | |
| @nstudio/nativescript-checkbox | |
| @nstudio/nativescript-loading-indicator | |
| @nstudio/ui-collectionview | |
| @nstudio/web-angular | |
| @nstudio/web | |
| @nstudio/xplat-utils | |
| @nstudio/xplat | |
| @operato/board | |
| @operato/data-grist | |
| @operato/graphql | |
| @operato/headroom | |
| @operato/help | |
| @operato/i18n | |
| @operato/input | |
| @operato/layout | |
| @operato/popup | |
| @operato/pull-to-refresh | |
| @operato/shell | |
| @operato/styles | |
| @operato/utils | |
| @teselagen/bio-parsers | |
| @teselagen/bounce-loader | |
| @teselagen/file-utils | |
| @teselagen/liquibase-tools | |
| @teselagen/ove | |
| @teselagen/range-utils | |
| @teselagen/react-list | |
| @teselagen/react-table | |
| @teselagen/sequence-utils | |
| @teselagen/ui | |
| @thangved/callback-window | |
| @things-factory/attachment-base | |
| @things-factory/auth-base | |
| @things-factory/email-base | |
| @things-factory/env | |
| @things-factory/integration-base | |
| @things-factory/integration-marketplace | |
| @things-factory/shell | |
| @tnf-dev/api | |
| @tnf-dev/core | |
| @tnf-dev/js | |
| @tnf-dev/mui | |
| @tnf-dev/react | |
| @ui-ux-gang/devextreme-angular-rpk | |
| @yoobic/design-system | |
| @yoobic/jpeg-camera-es6 | |
| @yoobic/yobi | |
| airchief | |
| airpilot | |
| angulartics2 | |
| browser-webdriver-downloader | |
| capacitor-notificationhandler | |
| capacitor-plugin-healthapp | |
| capacitor-plugin-ihealth | |
| capacitor-plugin-vonage | |
| capacitorandroidpermissions | |
| config-cordova | |
| cordova-plugin-voxeet2 | |
| cordova-voxeet | |
| create-hest-app | |
| db-evo | |
| devextreme-angular-rpk | |
| ember-browser-services | |
| ember-headless-form-yup | |
| ember-headless-form | |
| ember-headless-table | |
| ember-url-hash-polyfill | |
| ember-velcro | |
| encounter-playground | |
| eslint-config-crowdstrike-node | |
| eslint-config-crowdstrike | |
| slint-config-teselagen | |
| eslint-config-teselagen | |
| globalize-rpk | |
| graphql-sequelize-teselagen | |
| html-to-base64-image | |
| json-rules-engine-simplified | |
| jumpgate | |
| koa2-swagger-ui | |
| mcfly-semantic-release | |
| mcp-knowledge-base | |
| mcp-knowledge-graph | |
| mobioffice-cli | |
| monorepo-next | |
| mstate-angular | |
| mstate-cli | |
| mstate-dev-react | |
| mstate-react | |
| ng2-file-upload | |
| ngx-bootstrap | |
| ngx-color | |
| ngx-toastr | |
| ngx-trend | |
| ngx-ws | |
| oradm-to-gql | |
| oradm-to-sqlz | |
| ove-auto-annotate | |
| pm2-gelf-json | |
| printjs-rpk | |
| react-complaint-image | |
| react-jsonschema-form-conditionals | |
| react-jsonschema-form-extras | |
| react-jsonschema-rxnt-extras | |
| remark-preset-lint-crowdstrike | |
| rxnt-authentication | |
| rxnt-healthchecks-nestjs | |
| rxnt-kue | |
| swc-plugin-component-annotate | |
| tbssnch | |
| teselagen-interval-tree | |
| tg-client-query-builder | |
| tg-redbird | |
| tg-seq-gen | |
| thangved-react-grid | |
| ts-gaussian | |
| ts-imports | |
| tvi-cli | |
| ve-bamreader | |
| ve-editor | |
| verror-extra | |
| voip-callkit | |
| wdio-web-reporter | |
| yargs-help-output | |
| yoo-styles | |
| @rxap/ngx-bootstrap | |
| eslint-config-teselagen | |
| @zapier/ai-actions | |
| @zapier/ai-actions-react | |
| @zapier/babel-preset-zapier | |
| @zapier/browserslist-config-zapier | |
| @zapier/eslint-plugin-zapier | |
| @zapier/mcp-integration | |
| @zapier/secret-scrubber | |
| @zapier/spectral-api-ruleset | |
| @zapier/stubtree | |
| @zapier/zapier-sdk | |
| zapier-async-storage | |
| zapier-platform-cli | |
| zapier-platform-core | |
| zapier-platform-legacy-scripting-runner | |
| zapier-platform-schema | |
| zapier-scripts | |
| @asyncapi/avro-schema-parser | |
| @asyncapi/bundler | |
| @asyncapi/cli | |
| @asyncapi/converter | |
| @asyncapi/diff | |
| @asyncapi/dotnet-rabbitmq-template | |
| @asyncapi/edavisualiser | |
| @asyncapi/generator | |
| @asyncapi/generator-components | |
| @asyncapi/generator-helpers | |
| @asyncapi/generator-react-sdk | |
| @asyncapi/go-watermill-template | |
| @asyncapi/html-template | |
| @asyncapi/java-spring-cloud-stream-template | |
| @asyncapi/java-spring-template | |
| @asyncapi/java-template | |
| @asyncapi/keeper | |
| @asyncapi/markdown-template | |
| @asyncapi/modelina | |
| @asyncapi/modelina-cli | |
| @asyncapi/multi-parser | |
| @asyncapi/nodejs-template | |
| @asyncapi/nodejs-ws-template | |
| @asyncapi/nunjucks-filters | |
| @asyncapi/openapi-schema-parser | |
| @asyncapi/optimizer | |
| @asyncapi/parser | |
| @asyncapi/php-template | |
| @asyncapi/problem | |
| @asyncapi/protobuf-schema-parser | |
| @asyncapi/python-paho-template | |
| @asyncapi/react-component | |
| @asyncapi/server-api | |
| @asyncapi/specs | |
| @asyncapi/studio | |
| @asyncapi/web-component | |
| asyncapi-preview | |
| create-glee-app | |
| dotnet-template | |
| github-action-for-generator | |
| go-template | |
| @postman/aether-icons | |
| @postman/csv-parse | |
| @postman/final-node-keytar | |
| @postman/mcp-ui-client | |
| @postman/node-keytar | |
| @postman/pm-bin-linux-x64 | |
| @postman/pm-bin-macos-arm64 | |
| @postman/pm-bin-macos-x64 | |
| @postman/pm-bin-windows-x64 | |
| @postman/postman-collection-fork | |
| @postman/postman-mcp-cli | |
| @postman/postman-mcp-server | |
| @postman/pretty-ms | |
| @postman/secret-scanner-wasm | |
| @postman/tunnel-agent | |
| @postman/wdio-allure-reporter | |
| @postman/wdio-junit-reporter | |
| @posthog/agent | |
| @posthog/automatic-cohorts-plugin | |
| @posthog/clickhouse | |
| @posthog/cli | |
| @posthog/customerio-plugin | |
| @posthog/databricks-plugin | |
| @posthog/drop-events-on-property-plugin | |
| @posthog/event-sequence-timer-plugin | |
| @posthog/geoip-plugin | |
| @posthog/github-release-tracking-plugin | |
| @posthog/gitub-star-sync-plugin | |
| @posthog/heartbeat-plugin | |
| @posthog/hedgehog-mode | |
| @posthog/icons | |
| @posthog/ingestion-alert-plugin | |
| @posthog/intercom-plugin | |
| @posthog/laudspeaker-plugin | |
| @posthog/maxmind-plugin | |
| @posthog/migrator3000-plugin | |
| @posthog/netdata-event-processing | |
| @posthog/nextjs | |
| @posthog/nextjs-config | |
| @posthog/nuxt | |
| @posthog/pagerduty-plugin | |
| @posthog/piscina | |
| @posthog/plugin-contrib | |
| @posthog/plugin-server | |
| @posthog/plugin-unduplicates | |
| @posthog/react-rrweb-player | |
| @posthog/rrweb | |
| @posthog/rrweb-player | |
| @posthog/rrweb-record | |
| @posthog/rrweb-snapshot | |
| @posthog/rrweb-utils | |
| @posthog/sendgrid-plugin | |
| @posthog/siphash | |
| @posthog/taxonomy-plugin | |
| @posthog/twitter-followers-plugin | |
| @posthog/url-normalizer-plugin | |
| @posthog/variance-plugin | |
| @posthog/wizard | |
| @posthog/zendesk-plugin | |
| drop-events-on-property-plugin | |
| posthog-docusaurus | |
| posthog-js | |
| posthog-node | |
| posthog-react-native | |
| @ensdomains/address-encoder | |
| @ensdomains/blacklist | |
| @ensdomains/buffer | |
| @ensdomains/ccip-read-cf-worker | |
| @ensdomains/ccip-read-dns-gateway | |
| @ensdomains/ccip-read-router | |
| @ensdomains/ccip-read-worker-viem | |
| @ensdomains/content-hash | |
| @ensdomains/curvearithmetics | |
| @ensdomains/cypress-metamask | |
| @ensdomains/dnsprovejs | |
| @ensdomains/dnssec-oracle-anchors | |
| @ensdomains/dnssecoraclejs | |
| @ensdomains/durin | |
| @ensdomains/durin-middleware | |
| @ensdomains/ens-archived-contracts | |
| @ensdomains/ens-avatar | |
| @ensdomains/ens-contracts | |
| @ensdomains/ens-test-env | |
| @ensdomains/ens-validation | |
| @ensdomains/ensjs | |
| @ensdomains/ensjs-react | |
| @ensdomains/eth-ens-namehash | |
| @ensdomains/hackathon-registrar | |
| @ensdomains/hardhat-chai-matchers-viem | |
| @ensdomains/hardhat-toolbox-viem-extended | |
| @ensdomains/mock | |
| @ensdomains/name-wrapper | |
| @ensdomains/offchain-resolver-contracts | |
| @ensdomains/op-resolver-contracts | |
| @ensdomains/react-ens-address | |
| @ensdomains/renewal | |
| @ensdomains/renewal-widget | |
| @ensdomains/reverse-records | |
| @ensdomains/server-analytics | |
| @ensdomains/solsha1 | |
| @ensdomains/subdomain-registrar | |
| @ensdomains/test-utils | |
| @ensdomains/thorin | |
| @ensdomains/ui | |
| @ensdomains/unicode-confusables | |
| @ensdomains/unruggable-gateways | |
| @ensdomains/vite-plugin-i18next-loader | |
| @ensdomains/web3modal | |
| crypto-addr-codec | |
| ethereum-ens | |
| @voiceflow/alexa-types | |
| @voiceflow/anthropic | |
| @voiceflow/api-sdk | |
| @voiceflow/backend-utils | |
| @voiceflow/base-types | |
| @voiceflow/body-parser | |
| @voiceflow/chat-types | |
| @voiceflow/circleci-config-sdk-orb-import | |
| @voiceflow/commitlint-config | |
| @voiceflow/common | |
| @voiceflow/default-prompt-wrappers | |
| @voiceflow/dependency-cruiser-config | |
| @voiceflow/dtos-interact | |
| @voiceflow/encryption | |
| @voiceflow/eslint-config | |
| @voiceflow/eslint-plugin | |
| @voiceflow/exception | |
| @voiceflow/fetch | |
| @voiceflow/general-types | |
| @voiceflow/git-branch-check | |
| @voiceflow/google-dfes-types | |
| @voiceflow/google-types | |
| @voiceflow/husky-config | |
| @voiceflow/logger | |
| @voiceflow/metrics | |
| @voiceflow/natural-language-commander | |
| @voiceflow/nestjs-common | |
| @voiceflow/nestjs-mongodb | |
| @voiceflow/nestjs-rate-limit | |
| @voiceflow/nestjs-redis | |
| @voiceflow/nestjs-timeout | |
| @voiceflow/npm-package-json-lint-config | |
| @voiceflow/openai | |
| @voiceflow/pino | |
| @voiceflow/pino-pretty | |
| @voiceflow/prettier-config | |
| @voiceflow/react-chat | |
| @voiceflow/runtime | |
| @voiceflow/runtime-client-js | |
| @voiceflow/sdk-runtime | |
| @voiceflow/secrets-provider | |
| @voiceflow/semantic-release-config | |
| @voiceflow/serverless-plugin-typescript | |
| @voiceflow/slate-serializer | |
| @voiceflow/stitches-react | |
| @voiceflow/storybook-config | |
| @voiceflow/stylelint-config | |
| @voiceflow/test-common | |
| @voiceflow/tsconfig | |
| @voiceflow/tsconfig-paths | |
| @voiceflow/utils-designer | |
| @voiceflow/verror | |
| @voiceflow/vite-config | |
| @voiceflow/vitest-config | |
| @voiceflow/voice-types | |
| @voiceflow/voiceflow-types | |
| @voiceflow/widget | |
| @accordproject/concerto-analysis | |
| @accordproject/concerto-linter | |
| @accordproject/concerto-linter-default-ruleset | |
| @accordproject/concerto-metamodel | |
| @accordproject/markdown-it-cicero | |
| @accordproject/template-engine | |
| @alexcolls/nuxt-socket.io | |
| @alexcolls/nuxt-ux | |
| @antstackio/eslint-config-antstack | |
| @antstackio/express-graphql-proxy | |
| @antstackio/graphql-body-parser | |
| @antstackio/json-to-graphql | |
| @antstackio/shelbysam | |
| @actbase/native | |
| @actbase/node-server | |
| @actbase/react-absolute | |
| @actbase/react-daum-postcode | |
| @actbase/react-kakaosdk | |
| @actbase/react-native-actionsheet | |
| @actbase/react-native-devtools | |
| @actbase/react-native-fast-image | |
| @actbase/react-native-kakao-channel | |
| @actbase/react-native-kakao-navi | |
| @actbase/react-native-less-transformer | |
| @actbase/react-native-naver-login | |
| @actbase/react-native-simple-video | |
| @actbase/react-native-tiktok | |
| @aryanhussain/my-angular-lib | |
| @caretive/caret-cli | |
| @clausehq/flows-step-httprequest | |
| @clausehq/flows-step-jsontoxml | |
| @clausehq/flows-step-mqtt | |
| @clausehq/flows-step-sendgridemail | |
| @clausehq/flows-step-taskscreateurl | |
| @commute/bloom | |
| @commute/market-data | |
| @commute/market-data-chartjs | |
| @dev-blinq/ai-qa-logic | |
| @dev-blinq/cucumber-js | |
| @dev-blinq/cucumber_client | |
| @dev-blinq/ui-systems | |
| @everreal/validate-esmoduleinterop-imports | |
| @everreal/web-analytics | |
| @faq-component/core | |
| @faq-component/react | |
| @fishingbooker/browser-sync-plugin | |
| @fishingbooker/react-loader | |
| @fishingbooker/react-pagination | |
| @fishingbooker/react-raty | |
| @fishingbooker/react-swiper | |
| @hapheus/n8n-nodes-pgp | |
| @hover-design/core | |
| @hover-design/react | |
| @ifelsedeveloper/protocol-contracts-svm-idl | |
| @ifings/metatron3 | |
| @kvytech/components | |
| @kvytech/medusa-plugin-announcement | |
| @kvytech/medusa-plugin-management | |
| @kvytech/medusa-plugin-newsletter | |
| @kvytech/medusa-plugin-product-reviews | |
| @kvytech/medusa-plugin-promotion | |
| @kvytech/web | |
| @lessondesk/api-client | |
| @lessondesk/babel-preset | |
| @lessondesk/electron-group-api-client | |
| @lessondesk/eslint-config | |
| @lessondesk/material-icons | |
| @lessondesk/react-table-context | |
| @lessondesk/schoolbus | |
| @louisle2/core | |
| @louisle2/cortex-js | |
| @lpdjs/firestore-repo-service | |
| @markvivanco/app-version-checker | |
| @mcp-use/cli | |
| @mcp-use/inspector | |
| @mcp-use/mcp-use | |
| @ntnx/passport-wso2 | |
| @ntnx/t | |
| @orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode | |
| @orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode | |
| @orbitgtbelgium/orbit-components | |
| @orbitgtbelgium/time-slider | |
| @osmanekrem/bmad | |
| @osmanekrem/error-handler | |
| @pradhumngautam/common-app | |
| @pruthvi21/use-debounce | |
| @relyt/claude-context-core | |
| @relyt/claude-context-mcp | |
| @relyt/mcp-server-relytone | |
| @seezo/sdr-mcp-server | |
| @seung-ju/next | |
| @seung-ju/openapi-generator | |
| @seung-ju/react-hooks | |
| @seung-ju/react-native-action-sheet | |
| @suraj_h/medium-common | |
| @thedelta/eslint-config | |
| @tiaanduplessis/json | |
| @tiaanduplessis/react-progressbar | |
| @trefox/sleekshop-js | |
| @trigo/atrix | |
| @trigo/atrix-acl | |
| @trigo/atrix-elasticsearch | |
| @trigo/atrix-mongoose | |
| @trigo/atrix-orientdb | |
| @trigo/atrix-postgres | |
| @trigo/atrix-pubsub | |
| @trigo/atrix-redis | |
| @trigo/atrix-soap | |
| @trigo/atrix-swagger | |
| @trigo/bool-expressions | |
| @trigo/eslint-config-trigo | |
| @trigo/fsm | |
| @trigo/jsdt | |
| @trigo/keycloak-api | |
| @trigo/node-soap | |
| @trigo/pathfinder-ui-css | |
| @trigo/trigo-hapijs | |
| @varsityvibe/api-client | |
| @varsityvibe/utils | |
| @varsityvibe/validation-schemas | |
| 02-echo | |
| ai-crowl-shield | |
| arc-cli-fc | |
| atrix | |
| atrix-mongoose | |
| automation_model | |
| axios-timed | |
| barebones-css | |
| benmostyn-frame-print | |
| bidirectional-adapter | |
| blob-to-base64 | |
| blinqio-executions-cli | |
| bool-expressions | |
| bytecode-checker-cli | |
| bytes-to-x | |
| calc-loan-interest | |
| capacitor-plugin-apptrackingios | |
| capacitor-plugin-purchase | |
| capacitor-plugin-scgssigninwithgoogle | |
| capacitor-purchase-history | |
| capacitor-voice-recorder-wav | |
| chrome-extension-downloads | |
| claude-token-updater | |
| coinmarketcap-api | |
| colors-regex | |
| compare-obj | |
| composite-reducer | |
| count-it-down | |
| cpu-instructions | |
| create-hardhat3-app | |
| create-mcp-use-app | |
| css-dedoupe | |
| dashboard-empty-state | |
| designstudiouiux | |
| devstart-cli | |
| dialogflow-es | |
| discord-bot-server | |
| docusaurus-plugin-vanilla-extract | |
| dont-go | |
| email-deliverability-tester | |
| enforce-branch-name | |
| eslint-config-nitpicky | |
| eslint-config-trigo | |
| exact-ticker | |
| expo-audio-session | |
| expressos | |
| evm-checkcode-cli | |
| fat-fingered | |
| feature-flip | |
| firestore-search-engine | |
| fittxt | |
| flapstacks | |
| flatten-unflatten | |
| formik-error-focus | |
| formik-store | |
| fuzzy-finder | |
| gate-evm-check-code2 | |
| gate-evm-tools-test | |
| gatsby-plugin-cname | |
| generator-meteor-stock | |
| generator-ng-itobuz | |
| get-them-args | |
| gitsafe | |
| gulp-inject-envs | |
| haufe-axera-api-client | |
| hope-mapboxdraw | |
| hopedraw | |
| hover-design-prototype | |
| httpness | |
| hyper-fullfacing | |
| hyperterm-hipster | |
| image-to-uri | |
| invo | |
| ito-button | |
| itobuz-angular | |
| itobuz-angular-auth | |
| itobuz-angular-button | |
| jacob-zuma | |
| jan-browser | |
| jquery-bindings | |
| kill-port | |
| kwami | |
| lang-codes | |
| license-o-matic | |
| lint-staged-imagemin | |
| lite-serper-mcp-server | |
| luno-api | |
| mcp-use | |
| medusa-plugin-announcement | |
| medusa-plugin-logs | |
| medusa-plugin-momo | |
| medusa-plugin-product-reviews-kvy | |
| medusa-plugin-zalopay | |
| mod10-check-digit | |
| mon-package-react-typescript | |
| n8n-nodes-tmdb | |
| n8n-nodes-vercel-ai-sdk | |
| n8n-nodes-viral-app | |
| nanoreset | |
| next-circular-dependency | |
| next-simple-google-analytics | |
| next-styled-nprogress | |
| ngx-useful-swiper-prosenjit | |
| ngx-wooapi | |
| normal-store | |
| obj-to-css | |
| okta-react-router-6 | |
| orbit-boxicons | |
| orbit-nebula-draw-tools | |
| orbit-nebula-editor | |
| orbit-soap | |
| orchestrix | |
| package-tester | |
| parcel-plugin-asset-copier | |
| pdf-annotation | |
| pico-uid | |
| piclite | |
| pkg-readme | |
| prime-one-table | |
| prompt-eng | |
| prompt-eng-server | |
| ra-auth-firebase | |
| ra-data-firebase | |
| react-component-taggers | |
| react-element-prompt-inspector | |
| react-hook-form-persist | |
| react-jam-icons | |
| react-keycloak-context | |
| react-library-setup | |
| react-linear-loader | |
| react-micromodal.js | |
| react-native-datepicker-modal | |
| react-native-email | |
| react-native-fetch | |
| react-native-get-pixel-dimensions | |
| react-native-google-maps-directions | |
| react-native-log-level | |
| react-native-modest-checkbox | |
| react-native-modest-storage | |
| react-native-phone-call | |
| react-native-retriable-fetch | |
| react-native-view-finder | |
| react-native-websocket | |
| react-native-worklet-functions | |
| react-qr-image | |
| redux-forge | |
| redux-router-kit | |
| sa-company-registration-number-regex | |
| sa-id-gen | |
| scgsffcreator | |
| selenium-session-client | |
| set-nested-prop | |
| shelf-jwt-sessions | |
| shell-exec | |
| skills-use | |
| sort-by-distance | |
| south-african-id-info | |
| stat-fns | |
| stoor | |
| super-commit | |
| svelte-autocomplete-select | |
| svelte-toasty | |
| tanstack-shadcn-table | |
| tcsp | |
| tcsp-draw-test | |
| tcsp-test-vd | |
| template-lib | |
| template-micro-service | |
| tenacious-fetch | |
| test-foundry-app | |
| test-hardhat-app | |
| tiaan | |
| token.js-fork | |
| trigo-react-app | |
| typefence | |
| typeorm-orbit | |
| undefsafe-typed | |
| uplandui | |
| upload-to-play-store | |
| url-encode-decode | |
| use-unsaved-changes | |
| valid-south-african-id | |
| vf-oss-template | |
| web-scraper-mcp | |
| wellness-expert-ng-gallery | |
| wenk | |
| zuper-cli | |
| zuper-sdk | |
| zuper-stream | |
| @afetcan/api | |
| @afetcan/storage | |
| @alaan/s2s-auth | |
| @alexadark/amadeus-api | |
| @alexadark/gatsby-theme-events | |
| @alexadark/gatsby-theme-wordpress-blog | |
| @alexadark/reusable-functions | |
| @bdkinc/knex-ibmi | |
| @browserbasehq/bb9 | |
| @browserbasehq/director-ai | |
| @browserbasehq/mcp | |
| @browserbasehq/mcp-server-browserbase | |
| @browserbasehq/sdk-functions | |
| @browserbasehq/stagehand | |
| @browserbasehq/stagehand-docs | |
| @chtijs/eslint-config | |
| @cllbk/ghl | |
| @huntersofbook/auth-vue | |
| @huntersofbook/core | |
| @huntersofbook/core-nuxt | |
| @huntersofbook/form-naiveui | |
| @huntersofbook/i18n | |
| @huntersofbook/ui | |
| @jayeshsadhwani/telemetry-sdk | |
| @livecms/live-edit | |
| @livecms/nuxt-live-edit | |
| @lokeswari-satyanarayanan/rn-zustand-expo-template | |
| @lui-ui/lui-nuxt | |
| @lui-ui/lui-tailwindcss | |
| @lui-ui/lui-vue | |
| @micado-digital/stadtmarketing-kufstein-external | |
| @mizzle-dev/orm | |
| @oku-ui/accordion | |
| @oku-ui/alert-dialog | |
| @oku-ui/aspect-ratio | |
| @oku-ui/avatar | |
| @oku-ui/checkbox | |
| @oku-ui/collapsible | |
| @oku-ui/collection | |
| @oku-ui/dialog | |
| @oku-ui/direction | |
| @oku-ui/dismissable-layer | |
| @oku-ui/focus-guards | |
| @oku-ui/focus-scope | |
| @oku-ui/hover-card | |
| @oku-ui/label | |
| @oku-ui/menu | |
| @oku-ui/motion | |
| @oku-ui/motion-nuxt | |
| @oku-ui/popover | |
| @oku-ui/popper | |
| @oku-ui/portal | |
| @oku-ui/presence | |
| @oku-ui/primitive | |
| @oku-ui/primitives | |
| @oku-ui/primitives-nuxt | |
| @oku-ui/progress | |
| @oku-ui/provide | |
| @oku-ui/radio-group | |
| @oku-ui/roving-focus | |
| @oku-ui/scroll-area | |
| @oku-ui/separator | |
| @oku-ui/slider | |
| @oku-ui/switch | |
| @oku-ui/tabs | |
| @oku-ui/toast | |
| @oku-ui/toggle | |
| @oku-ui/toolbar | |
| @oku-ui/use-composable | |
| @oku-ui/utils | |
| @oku-ui/visually-hidden | |
| @pergel/cli | |
| @pergel/module-box | |
| @pergel/module-graphql | |
| @pergel/module-ui | |
| @pergel/nuxt | |
| @productdevbook/animejs-vue | |
| @productdevbook/auth | |
| @productdevbook/chatwoot | |
| @quick-start-soft/quick-document-translator | |
| @quick-start-soft/quick-git-clean-markdown | |
| @quick-start-soft/quick-markdown-compose | |
| @quick-start-soft/quick-markdown-image | |
| @quick-start-soft/quick-markdown-translator | |
| @quick-start-soft/quick-remove-image-background | |
| @quick-start-soft/quick-task-refine | |
| @sameepsi/sor | |
| @silgi/better-auth | |
| @silgi/drizzle | |
| @silgi/ecosystem | |
| @silgi/graphql | |
| @silgi/module-builder | |
| @silgi/openapi | |
| @silgi/permission | |
| @silgi/ratelimit | |
| @silgi/scalar | |
| @silgi/yoga | |
| @strapbuild/react-native-date-time-picker | |
| @strapbuild/react-native-perspective-image-cropper | |
| @strapbuild/react-native-perspective-image-cropper-2 | |
| @strapbuild/react-native-perspective-image-cropper-poojan31 | |
| @trackstar/react-trackstar-link | |
| @trackstar/react-trackstar-link-upgrade | |
| @trackstar/test-angular-package | |
| @trackstar/test-package | |
| @trpc-rate-limiter/cloudflare | |
| @trpc-rate-limiter/hono | |
| @viapip/eslint-config | |
| @vishadtyagi/full-year-calendar | |
| @vucod/email | |
| asciitranslator | |
| avvvatars-vue | |
| axios-builder | |
| babel-preset-kinvey-flex-service | |
| best_gpio_controller | |
| better-auth-nuxt | |
| better-queue-nedb | |
| buffered-interpolation-babylon6 | |
| ceviz | |
| create-director-app | |
| create-kinvey-flex-service | |
| create-silgi | |
| csv-tool-cli | |
| easypanel-sdk | |
| electron-volt | |
| eslint-config-kinvey-flex-service | |
| eslint-config-zeallat-base | |
| expo-router-on-rails | |
| express-starter-template | |
| gatsby-plugin-antd | |
| ids-css | |
| ids-enterprise-mcp-server | |
| ids-enterprise-ng | |
| ids-enterprise-typings | |
| insomnia-plugin-random-pick | |
| iron-shield-miniapp | |
| jaetut-varit-test | |
| jsonsurge | |
| kinetix-default-token-list | |
| kinvey-cli-wrapper | |
| kinvey-flex-scripts | |
| kns-error-code | |
| lui-vue-test | |
| m25-transaction-utils | |
| manual-billing-system-miniapp-api | |
| my-saeed-lib | |
| nitro-graphql | |
| nitrodeploy | |
| nitroping | |
| nuxt-keycloak | |
| pergel | |
| pergeltest | |
| quickswap-default-staking-list | |
| quickswap-default-token-list | |
| quickswap-sdk | |
| quickswap-smart-order-router | |
| quickswap-v2-sdk | |
| react-data-to-export | |
| react-native-use-modal | |
| react-packery-component | |
| react-scrambled-text | |
| rediff-viewer | |
| revenuecat | |
| shinhan-limit-scrap | |
| silgi | |
| simplejsonform | |
| solomon-api-stories | |
| solomon-v3-ui-wrapper | |
| soneium-acs | |
| sufetch | |
| tavily-module | |
| test23112222-api | |
| tiptap-shadcn-vue | |
| toonfetch | |
| ts-relay-cursor-paging | |
| typeface-antonio-complete | |
| unadapter | |
| unemail | |
| uniswap-router-sdk | |
| uniswap-test-sdk-core | |
| unsearch | |
| v-plausible | |
| valuedex-sdk | |
| victoria-wallet-constants | |
| victoria-wallet-core | |
| victoria-wallet-type | |
| victoria-wallet-utils | |
| victoria-wallet-validator | |
| vue-browserupdate-nuxt | |
| wallet-evm | |
| @accordproject/concerto-types | |
| @actbase/css-to-react-native-transform | |
| @dev-blinq/blinqioclient | |
| @everreal/react-charts | |
| @hyperlook/telemetry-sdk | |
| @ifings/design-system | |
| @kvytech/cli | |
| @kvytech/habbit-e2e-test | |
| @oku-ui/arrow | |
| @oku-ui/slot | |
| @oku-ui/toggle-group | |
| @oku-ui/tooltip | |
| @posthog/ai | |
| @posthog/bitbucket-release-tracker | |
| @posthog/core | |
| @posthog/currency-normalization-plugin | |
| @posthog/filter-out-plugin | |
| @posthog/first-time-event-tracker | |
| @posthog/kinesis-plugin | |
| @posthog/lemon-ui | |
| @posthog/postgres-plugin | |
| @posthog/rrdom | |
| @posthog/rrweb-replay | |
| @posthog/snowflake-export-plugin | |
| @posthog/twilio-plugin | |
| @posthog/web-dev-server | |
| @productdevbook/motion | |
| @productdevbook/ts-i18n | |
| @quick-start-soft/quick-markdown | |
| @quick-start-soft/quick-markdown-print | |
| @sme-ui/aoma-vevasound-metadata-lib | |
| @trackstar/angular-trackstar-link | |
| @trigo/hapi-auth-signedlink | |
| axios-cancelable | |
| bun-plugin-httpfile | |
| command-irail | |
| esbuild-plugin-brotli | |
| esbuild-plugin-eta | |
| esbuild-plugin-httpfile | |
| frontity-starter-theme | |
| just-toasty | |
| korea-administrative-area-geo-json-util | |
| nitro-kutu | |
| open2interne | |
| poper-react-sdk | |
| posthog-plugin-hello-world | |
| puny-req | |
| quickswap-default-staking-list-address | |
| quickswap-router-sdk | |
| quickswap-token-lists | |
| react-favic | |
| react-native-jam-icons | |
| rediff | |
| rollup-plugin-httpfile | |
| samesame | |
| scgs-capacitor-subscribe | |
| schob | |
| selenium-session | |
| solomon-v3-stories | |
| uniswap-smart-order-router | |
| victoriaxoaquyet-wallet-core | |
| vite-plugin-httpfile | |
| wallet-evm | |
| wallet-type | |
| web-types-htmx | |
| web-types-lit | |
| webpack-loader-httpfile | |
| @elsedev/react-csr-sdk | |
| @mparpaillon/connector-parse | |
| @mparpaillon/imagesloaded | |
| @mparpaillon/page | |
| @sameepsi/sor2 | |
| cbre-flow-common | |
| open2internet | |
| posthog-react-native-session-replay | |
| quickswap-ads-list | |
| utilitas |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Deep scan a batch of Node projects for known bad NPM packages, as listed in bad-deps.txt. | |
| # Fully checking each project, we look for bad packages nested anywhere in the dependency tree, | |
| # including node_modules and package-lock.json. | |
| # | |
| # Author: Dan Cassey, Alex Greenland, Epi - epihq.com | |
| # License: Public Domain (CC0) | |
| # Updated: 27 Nov 2025 | |
| # | |
| # Context: Digital Forensics & Incident Response (DFIR) for Shai-Hulud cyberattack, Sep-Nov 2025 | |
| # | |
| # This script is intended as a first-pass check for developers and DFIR teams. | |
| # It tells you if you depend on any version of the listed dependencies. | |
| # | |
| # The bad-deps.txt file is intended to be thorough on a best-effort basis but it is not an exhaustive list. | |
| # The list represents the current state of threat intelligence in the industry. | |
| # | |
| # Only specific versions of these dependencies are malicious, | |
| # but the cyberattack indicates the known compromise of these libraries or their authors in September and November 2025. | |
| # | |
| # We intentionally search for the packages without versions | |
| # so you can see if you have any level of dependency on one of these libraries. | |
| # | |
| # If a match is found, it does not necessarily indicate compromise. | |
| # A match reveals potential compromise and requires further investigation, by comparing version numbers. | |
| # | |
| # If no matches are found, it indicates no versions of these libraries are depended upon, | |
| # so you know with greater certainty that there is no current compromise from these dependencies in your projects. | |
| # | |
| # We check at a broader level for further assurance and safety. | |
| # Going forward, in the case where you have a dependency on an old version of one of these libraries, | |
| # you can decide whether to pin or remove the dependency. | |
| # | |
| PROJECTS=( | |
| # enter paths to roots of Node projects here, line separated | |
| ) | |
| CWD=$(pwd) | |
| BAD_DEPS=$(cat ./bad-deps.txt) | |
| for project in ${PROJECTS[@]}; do | |
| cd $project | |
| echo "Checking $project..." | |
| FULL_LIST=$(npm list --all --silent) | |
| for dep in ${BAD_DEPS[@]}; do | |
| if [ $(echo $FULL_LIST | grep "$dep" | wc -l) != 0 ]; then | |
| npm list $dep | |
| fi | |
| done | |
| cd $CWD | |
| done |
Author
@alexgreenland Just updated it with length check
if [ ${#PROJECTS[@]} -eq 0 ]; then
@johnnyshankman it was a conscious decision to scan without version numbers so we can tell you robustly whether you did depend or are about to depend on a dependency that has been compromised, by looking at definitions in each repo's package.json, node_modules and lockfile. This is important for DFIR. The tool is intended as a first-pass scan, and if it finds matches it will return the libraries and their versions you are depending on. The design decisions are included in the README comment of the script.
I've seen the Wiz CSV file and it has not been updated recently with the latest findings. Comparing with our list here (sourced courtesy of Socket), we have 203 more unique deps not included in the Wiz file. There are 10 deps in the Wiz file not in our list yet and I will add them in a moment.
appreciate this in-depth response 👍
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
27 Nov 2025 00:21 UTC: updated with 10 new compromised NPM libraries emerging from Shai-Hulud wave 2, appended in bad-deps.txt from line 994.
With thanks to Wiz for reporting their list of compromised libraries.