An open API service indexing awesome lists of open source software.

https://github.com/frobware/shudders

Shai-Hulud malware scanner in Rust - detects malicious NPM packages and IOCs
https://github.com/frobware/shudders

Last synced: 24 days ago
JSON representation

Shai-Hulud malware scanner in Rust - detects malicious NPM packages and IOCs

Awesome Lists containing this project

README

          

# shudders

A Rust implementation of the Shai-Hulud malware scanner that detects malicious NPM packages and host-based indicators of compromise.

Based on the Python scanner from [Red-Hat-Information-Security/Incident-Response](https://github.com/Red-Hat-Information-Security/Incident-Response/).

## Features

- Scans `package.json` files against a known malicious package database
- Detects file and directory IOCs using recursive and absolute patterns
- Supports scanning multiple directories in a single invocation
- Uses the [ignore](https://crates.io/crates/ignore) crate for fast filesystem traversal

## Building

```bash
cargo build --release
```

## Usage

```bash
# Scan the entire filesystem (default)
shudders

# Scan a specific directory
shudders /home/user/projects

# Scan multiple directories
shudders /home/user/projects /var/lib/node

# Verbose mode - show each package.json being checked
shudders -v /home/user/projects
```

## How it works

The scanner fetches two databases from the Red Hat Information Security Incident Response repository:

1. **Malicious NPM packages** - a list of known malicious package name/version combinations
2. **Host IOCs** - file and directory indicators of compromise

It then walks the specified directories, checking:

- Each `package.json` against the malicious package database
- Each file and directory path against the IOC patterns

## Example output

```
Fetching malicious package database from https://raw.githubusercontent.com/...
Loaded 1055 known malicious packages
Fetching host IOC database from https://raw.githubusercontent.com/...
Loaded 5 host IOCs

Scanning for Indicators of Compromise (IoCs)...

[WARNING] Malicious Package IoC(s) Found:

- Finding: Malicious Package: malicious-pkg@1.0.0
Context: Campaign: Shai-Hulud
Location: /path/to/node_modules/malicious-pkg/package.json

Scanned 42 package.json files

[IMPORTANT] Please include the following in your ticket to InfoSec:

- ALL OF THE SCRIPT OUTPUT ABOVE
- Username: user
- Hostname: workstation
- Timestamp: 1733680000
```

## Licence

MIT