https://github.com/frobware/shudders
Shai-Hulud malware scanner in Rust - detects malicious NPM packages and IOCs
https://github.com/frobware/shudders
Last synced: 24 days ago
JSON representation
Shai-Hulud malware scanner in Rust - detects malicious NPM packages and IOCs
- Host: GitHub
- URL: https://github.com/frobware/shudders
- Owner: frobware
- Created: 2025-12-08T18:01:34.000Z (7 months ago)
- Default Branch: master
- Last Pushed: 2025-12-08T21:49:10.000Z (7 months ago)
- Last Synced: 2026-04-30T12:23:11.858Z (3 months ago)
- Language: Rust
- Size: 46.9 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# shudders
A Rust implementation of the Shai-Hulud malware scanner that detects malicious NPM packages and host-based indicators of compromise.
Based on the Python scanner from [Red-Hat-Information-Security/Incident-Response](https://github.com/Red-Hat-Information-Security/Incident-Response/).
## Features
- Scans `package.json` files against a known malicious package database
- Detects file and directory IOCs using recursive and absolute patterns
- Supports scanning multiple directories in a single invocation
- Uses the [ignore](https://crates.io/crates/ignore) crate for fast filesystem traversal
## Building
```bash
cargo build --release
```
## Usage
```bash
# Scan the entire filesystem (default)
shudders
# Scan a specific directory
shudders /home/user/projects
# Scan multiple directories
shudders /home/user/projects /var/lib/node
# Verbose mode - show each package.json being checked
shudders -v /home/user/projects
```
## How it works
The scanner fetches two databases from the Red Hat Information Security Incident Response repository:
1. **Malicious NPM packages** - a list of known malicious package name/version combinations
2. **Host IOCs** - file and directory indicators of compromise
It then walks the specified directories, checking:
- Each `package.json` against the malicious package database
- Each file and directory path against the IOC patterns
## Example output
```
Fetching malicious package database from https://raw.githubusercontent.com/...
Loaded 1055 known malicious packages
Fetching host IOC database from https://raw.githubusercontent.com/...
Loaded 5 host IOCs
Scanning for Indicators of Compromise (IoCs)...
[WARNING] Malicious Package IoC(s) Found:
- Finding: Malicious Package: malicious-pkg@1.0.0
Context: Campaign: Shai-Hulud
Location: /path/to/node_modules/malicious-pkg/package.json
Scanned 42 package.json files
[IMPORTANT] Please include the following in your ticket to InfoSec:
- ALL OF THE SCRIPT OUTPUT ABOVE
- Username: user
- Hostname: workstation
- Timestamp: 1733680000
```
## Licence
MIT