Tool to find npm packages and package lists containing compromised npm packages.
- GNU bash
- Node.js - https://nodejs.org
- e.g. Node version manager (NVM) - https://github.com/nvm-sh/nvm#git-install
cd ~/work
git clone https://github.com/solita/npm-malwares.git
Inside the current directory, recursively find compromised npm packages that appear in a given package list:
cd ~/work
./npm-malwares/find-npm-packages.sh ./npm-malwares/crowd-strike-packages.txt
For projects using pnpm, you can use find-pnpm-packages.sh instead.
Find used packages with any version (the sed below removes the versions from the list). A match here does not mean you are infected; it only means you are using some version of a package that has had a compromised release:
./npm-malwares/find-npm-packages.sh <(cat ./npm-malwares/crowd-strike-packages.txt | sed 's/@[0-9].*$//g' | sort -u)
Count the number of distinct packages in a list (versions removed):
cat crowd-strike-packages.txt | sed 's/@[0-9].*$//g' | sort -u | wc -l
If you have installed some npm tool globally (with the -g option), or if you use npx to run a package without installing it permanently,
you can check their dependencies with this script:
./npm-malwares/find-global-npm-packages.sh ./npm-malwares/crowd-strike-packages.txt
The script will scan all globally installed packages and their dependencies, and npx directories (usually ~/.npm/_npx).
Info:
A package list is a UTF-8 text file containing npm package specifications as name@version-range (see npm help list),
one per line, separated by newline (\n) characters.
Package lists and sources:
- crowd-strike-packages - https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
- reversing-packages - https://www.reversinglabs.com/blog/shai-hulud-worm-npm
- qix-packages - https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html
- shai-hulud-the-second-coming_packages - https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24