JSPM

@veracity/scan-hulud

1.0.2
    • ESM via JSPM
    • ES Module Entrypoint
    • Export Map
    • Keywords
    • License
    • Repository URL
    • TypeScript Types
    • README
    • Created
    • Published
    • Downloads 21
    • Score
      100M100P100Q36846F
    • License ISC

    Find Shai-Hulud worm in lock files

    Package Exports

    • @veracity/scan-hulud
    • @veracity/scan-hulud/scan-lock.js

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@veracity/scan-hulud) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    scan-hulud

    CLI helper that scans a JavaScript lockfile (npm, yarn, or pnpm) for specific package versions listed in affected-packages.txt. The tool is published as @veracity/scan-hulud so it can run directly via npx without installing anything globally.

    Why is it published under the @veracity org? I had to act quickly and that was the easiest for me.

    Usage (via npx)

    npx -y @veracity/scan-hulud@latest ./path/to/package-lock.json
    npx -y @veracity/scan-hulud@latest ./path/to/yarn.lock
    npx -y @veracity/scan-hulud@latest ./path/to/pnpm-lock.yaml

    Flags & arguments

    Flag Description
    -y, --yes Currently ignored, but reserved to keep parity with earlier scripts.
    -h, --help Prints usage info.
    <lock-file> Required positional argument pointing to a package-lock.json, yarn.lock, or pnpm-lock.yaml file.

    The command prints every package/version pair from affected-packages.txt that also appears in your lockfile. Exit code 0 indicates the scan completed successfully; 1 indicates a failure (for example, at least one vulnerable entry was found or the lockfile could not be read).

    Examples

    # Scan the default npm lockfile in the current project
npx @veracity/scan-hulud@latest ./package-lock.json

# Scan a pnpm project from anywhere
npx @veracity/scan-hulud@latest ../another-project/pnpm-lock.yaml

    đź’ˇ npx automatically downloads the CLI from npm on demand. No local install is necessary.

    Contributing

    This repo intentionally avoids external dependencies—everything relies on Node's built‑in modules so the CLI stays lightweight and reproducible.

    Updating affected-packages.txt

    Edit affected-packages.txt manually. This is clearly the next step to automate, based on the content on https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24.

    Running tests

    Use Node's built-in test runner:

    npm test
# or
node --test

    The tests execute the CLI against curated safe/vulnerable fixtures to ensure regressions are caught.

    Submitting changes

    1. Ensure affected-packages.txt only lists one package@version per line.
    2. Run the tests (npm test).
    3. Open a PR describing the changes and any notable scan results.

    That's it—thanks for keeping the scanner up to date!