{"id":41600879,"url":"https://github.com/devbyray/check-vulnerable-npm-packages","last_synced_at":"2026-01-24T10:43:01.656Z","repository":{"id":315410879,"uuid":"1059366756","full_name":"devbyray/check-vulnerable-npm-packages","owner":"devbyray","description":"How to Check for Compromised NPM Packages","archived":false,"fork":false,"pushed_at":"2025-09-18T11:26:41.000Z","size":15,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-18T13:36:36.458Z","etag":null,"topics":["s1ngularity","shai-hulud","trufflehog"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devbyray.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-18T10:54:34.000Z","updated_at":"2025-09-18T11:26:44.000Z","dependencies_parsed_at":"2025-09-18T13:36:39.814Z","dependency_job_id":"8ce723ab-0e46-41ed-bad8-d29c268de08b","html_url":"https://github.com/devbyray/check-vulnerable-npm-packages","commit_stats":null,"previous_names":["devbyray/check-vulnerable-npm-packages"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/devbyray/check-vulnerable-npm-packages","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devbyray%2Fcheck-vulnerable-npm-packages","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devbyray%2Fcheck-vulnerable-npm-packages/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devbyray%2Fcheck-vulnerable-npm-packages/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devbyray%2Fcheck-vulnerable-npm-packages/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devbyray","download_url":"https://codeload.github.com/devbyray/check-vulnerable-npm-packages/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devbyray%2Fcheck-vulnerable-npm-packages/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28725378,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-24T10:24:43.181Z","status":"ssl_error","status_checked_at":"2026-01-24T10:24:36.112Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["s1ngularity","shai-hulud","trufflehog"],"created_at":"2026-01-24T10:42:58.719Z","updated_at":"2026-01-24T10:43:01.648Z","avatar_url":"https://github.com/devbyray.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# How to Check for Compromised NPM Packages\n\n## Purpose\n\nThis tool helps you detect compromised npm packages in your project's lock files (`package-lock.json` and `pnpm-lock.yaml`). It was created in response to the S1ngularity/nx supply chain attack that affected numerous packages, as documented in the [Aikido Security blog post](https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again).\n\nThe attack involved malware that:\n- Steals secrets and credentials\n- Exfiltrates data to attacker-controlled servers\n- Self-propagates through npm by infecting other packages\n- Turns private repositories public\n- Creates malicious GitHub Actions workflows\n\nThe tool scans your lock files against a list of known compromised packages and versions, alerting you if any are found in your dependencies.\n\n## Prerequisites\n\n- **Node.js** must be installed on your system (version 18 or higher recommended)\n- The script files should be in the same directory as your `bad-packages.txt` file\n\n## Dependencies\n\n**This tool uses zero external dependencies** - it only requires Node.js built-in modules (`fs`, `path`, etc.) and doesn't need any `npm install` commands. All functionality is self-contained within the script files.\n\n## How to Run\n\n### macOS/Linux\n```bash\n./check-compromised.sh\n```\n\n### Windows\n```batch\ncheck-compromised.bat\n```\nor\n```batch\ncheck-compromised.cmd\n```\n\n### Direct Node.js Execution\nFor ES module projects:\n```bash\nnode check-compromised.js\n```\n\nFor CommonJS projects:\n```bash\nnode check-compromised.cjs\n```\n\n## What It Does\n\n1. **Loads the bad packages list** from `bad-packages.txt` (187+ packages currently)\n2. **Scans recursively** for `package-lock.json` and `pnpm-lock.yaml` files in:\n   - The current directory\n   - All subdirectories\n   - Including inside `node_modules` folders\n3. **Checks dependencies** against the compromised list\n4. **Reports findings**:\n   - Lists all found lock files with full paths\n   - Shows compromised packages in **red** text\n   - Displays a **green** success message if no issues are found\n\n## Sample Output\n\n```\nLoaded 187 bad packages from bad-packages.txt\nFound 2 pnpm-lock.yaml file(s):\n  - /path/to/project/pnpm-lock.yaml\n  - /path/to/project/node_modules/.pnpm/some-package/pnpm-lock.yaml\nChecking /path/to/project/pnpm-lock.yaml...\nChecking /path/to/project/node_modules/.pnpm/some-package/pnpm-lock.yaml...\nCheck complete.\nEverything looks good! No compromised packages found.\n```\n\nIf compromised packages are found:\n```\nCompromised in pnpm-lock.yaml: @ahmedhfarag/ngx-perfect-scrollbar@20.0.20\n```\n\n## Updating the Bad Packages List\n\nThe `bad-packages.txt` file contains the list of compromised packages. To update it:\n\n1. Edit `bad-packages.txt`\n2. Add new entries in the format: `package-name\u003cTAB\u003eversion1,version2`\n3. Save the file\n4. Re-run the script\n\nThe current list is based on the packages documented in the [Aikido Security blog post](https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again).\n\n## Files Included\n\n- `check-compromised.js` - ES module version\n- `check-compromised.cjs` - CommonJS version\n- `check-compromised.sh` - macOS/Linux shell script\n- `check-compromised.bat` - Windows batch file\n- `check-compromised.cmd` - Windows command file\n- `bad-packages.txt` - List of compromised packages\n- `how-to-check.md` - This documentation\n\n## Security Recommendations\n\nIf compromised packages are found:\n1. Remove them from your dependencies\n2. Clear your npm/pnpm cache\n3. Reinstall all packages\n4. Check for any leaked secrets or credentials\n5. Consider using tools like [Aikido SafeChain](https://www.npmjs.com/package/@aikidosec/safe-chain) for future protection\n\n## Reference\n\nFor more details about the attack, see: [S1ngularity/nx attackers strike again](https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevbyray%2Fcheck-vulnerable-npm-packages","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevbyray%2Fcheck-vulnerable-npm-packages","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevbyray%2Fcheck-vulnerable-npm-packages/lists"}