#WalkWithoutRhythm

2025-12-01

Just checked back on the Sha1-Hulud virus/worm. FINALLY npm appears free of obviously infected packages.

I still however am seeing infected machines posting their private data publicly on GitHub.

Not only that, I can see infected developers' GitHub repos are being defaced in real time.

These Microsoft-owned platforms seem to be really struggling with stopping this worm.

Query for defaced repos 👇🏿

github.com/search?q=api.airfor

#NPM #microsoft #github #Sha1Hulud #WalkWithoutRhythm #cybersecurity

2025-11-27

Just finished writing another tool, now I can see NINE known compromised packages are still up for download on NPM! ⚠️

This tool crawls the list of known bad packages and downloads the latest bundle.

It then runs my other checks against the downloaded bundle and logs the results.

github.com/datapartyjs/walk-wi

#WalkWithoutRhythm #Sha1Hulud #NPM #GitHub #Microsoft #nodejs #javascript #cybersecurity #devlog #bash

./is-npm-still-dangerous
Reads the data/infected-pkgs.txt
Downloads the latest package metadata for every known infected package
Downloads the current latest package.tgz
Uncompresses and scans the latest version using ./check-projects
Depending upon the scan result
./is-npm-still-dangerous

capacitor-voice-recorder-wav 6.0.3 - STILL COMPROMISED
haufe-axera-api-client 0.0.2 - STILL COMPROMISED
hyper-fullfacing 1.0.3 - STILL COMPROMISED
@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2 - STILL COMPROMISED
my-saeed-lib 0.1.1 - STILL COMPROMISED
quickswap-ads-list 1.0.33 - STILL COMPROMISED
@seung-ju/react-native-action-sheet 0.2.1 - STILL COMPROMISED
tcsp 2.0.2 - STILL COMPROMISED
web-types-lit 0.1.1 - STILL COMPROMISED
web-types-lit 0.1.1 - STILL COMPROMISED
Found 9 npm-reports/npm-latest-bad.txt packages STILL compromised!

See npm-reports/npm-latest-bad.txt for full listing.
Warning - Most people probably don't need to run this. It causes a lot of NPM traffic.
Warning - There's a few packages this fails to download and check (likely because they are hosted outside of NPMjs.org)

2025-11-26

Updated my listing of Sha1-Hulud detection tools.

I now have found at least 12 other tools for detecting Sha1-Hulud compromise on your dev box and in infrastructure.

github.com/datapartyjs/walk-wi

#WalkWithoutRhythm #Sha1Hulud #npm #github #nodejs #javascript #cybersecurity #devops

Similar Sha1-Hulud 11/24/25 Detection Tools
Links to other projects provided with no warranty express or implied.

https://github.com/TimothyMeadows/sha1hulud-scanner
https://github.com/mottibec/sha1hulud-scanner
https://github.com/gensecaihq/Shai-Hulud-2.0-Detector
https://github.com/tprinty/sha1hulud-action-detector
https://github.com/da1z/amihulud
https://github.com/bobberg/sha1-hulud-folder-checker
https://github.com/servusdei2018/sha1-halud-scan
https://github.com/kevcooper/fremkit
https://github.com/ysskrishna/shai-hulud-detector
https://github.com/Cobenian/shai-hulud-detect
GitHub Scanners
https://github.com/ysskrishna/shai-hulud-detector
panther-labs/panther-analysis#1826
2025-11-26

And to be clear this is NOT an all clear just yet. Why?

1. There remain known malicious packages STILL available for download on NPM (and I can see evidence of active downloads)

partyon.xyz/@nullagent/1156076

2. Infected computers and servers are STILL posting stolen PII to public githubs for the world to see. GitHub has just gotten a tad faster at taking them down.

partyon.xyz/@nullagent/1156078

So this is a smoldering fire still and we need to stay vigilant.

#Sha1Hulud #WalkWithoutRhythm

2025-11-25

I spent more time searching for other Sha1-Hulud detection tools and found four more bringing it to 6 scanners (5 in nodejs).

Linked them all from my readme in case those work better for you.

Best way to beat a worm like this is to keep scanning and keep an eye out for the attacker to try and evade all of our tools.

By using more than one hopefully we make the attacker's job harder to evade all of us.

github.com/datapartyjs/walk-wi

#Sha1Hulud #WalkWithoutRhythm #nodejs #npm #github #microsoft

2025-11-25

Just finished landing Exit Code support. So now if more scanners are made or one of the projects gets more features you can quickly switch to whichever makes the most sense for your use case!

I literally lost a ton of sleep on this volunteer incident response work so I'm going to go touch grass for a bit.

More hacks later tonight, still got some loose ends gnawing at me lol.

github.com/datapartyjs/walk-wi

#nodejs #npm #javascript #Sha1Hulud #WalkWithoutRhythm #Sha1HuludScanner #cybersecurity

2025-11-25

The fork of the CrowdStrike scanner introduced me to a really good idea, I should support the same exit code design so that our tools can work in tandem.

Maybe we detect different things or maybe one vs the other works in your environment.

So I made an issue to track this support:

github.com/datapartyjs/walk-wi

#CrowdStrike #Sha1HuludScanner #WalkWithoutRhythm #cybersecurity #npm #nodejs

2025-11-25

Making my morning rounds and I can see that there are STILL infected packages that were already detected by cybersecurity analysts available on NPM this morning.

So I'm taking the time to go and personally message teams that haven't taken down their hacked packages.

Tracking that work with these two issues. I'm both manually spot checking the list and working on a script to automate that check. Moar PRs soon . . .

github.com/datapartyjs/walk-wi

github.com/datapartyjs/walk-wi

#ShaiHulud #WalkWithoutRhythm

2025-11-25

If time is money and helping the community is good, then this almost completely broke and emotionally damaged open source nerd would dearly appreciate some donations so I can stay focused on helping untangle this worm.

Was planning to spend this week on a mad dash to get my latest apps shipped by turkey day (to you know, make money) but instead I'm doing worm mitigation 😭

ko-fi.com/nullagent
ko-fi.com/dataparty

#cybersecurity #incidentresponse #ShalHulud #WalkWithoutRhythm

2025-11-25

Woot ok now that I have the dependency graph crawled I can just ship the listing of known bad NPM packages and just compare directly against that.

I updated the scanning script to alert if you have -any- version of an infected package.

You're gonna want to be very careful if you're not infected but have one of these dependencies present.

github.com/datapartyjs/walk-wi

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

2025-11-25

At the end of scanning for obvious compromise the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.

You can find that info under `reports/`

I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json mentions a known infected package.

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse
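
The any-version check that the two posts above describe (compare every package.json and package-lock.json against a shipped list of known bad packages), as an added example that is not part of the posts or of the author's tool. The function names, the `bad.txt` list with one package name per line, and the 0/1 exit status are assumptions; like the tool, it needs no node or npm, only find and grep.

```bash
#!/usr/bin/env bash
# Added example (not from the repo): flag any package.json or package-lock.json
# under ROOT that mentions a package from a known-infected list, at ANY version.
# Assumptions: LIST holds one package name per line; exit status 1 means "hit".

scan_for_bad_pkgs() {   # usage: scan_for_bad_pkgs ROOT LIST
  local root="$1" list="$2" found=0 name hits f
  while IFS= read -r name || [ -n "$name" ]; do
    [ -z "$name" ] && continue
    # "name"              -> dependency key in package.json / v1 lockfile
    # node_modules/name"  -> "packages" key in a v2/v3 lockfile (also nested)
    hits=$(find "$root" -type f \( -name package.json -o -name package-lock.json \) \
             -exec grep -lF -e "\"$name\"" -e "node_modules/$name\"" -- {} + || true)
    [ -z "$hits" ] && continue
    found=1
    printf '%s\n' "$hits" | while IFS= read -r f; do
      printf '%s\t%s\n' "$f" "$name"
    done
  done < "$list"
  return "$found"
}

# Constructed sample tree: app-a pulls in a listed package only through a nested
# lockfile entry; app-b depends on a different, scoped package with the same
# base name and must not be flagged.
make_sample() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/app-a" "$d/app-b"
  printf '%s\n' 'tcsp' 'web-types-lit' > "$d/bad.txt"
  printf '%s\n' '{"name":"app-a","dependencies":{"left-pad":"1.3.0"}}' \
    > "$d/app-a/package.json"
  printf '%s\n' '{"packages":{"node_modules/left-pad/node_modules/tcsp":{"version":"9.9.9"}}}' \
    > "$d/app-a/package-lock.json"
  printf '%s\n' '{"name":"app-b","dependencies":{"@other/tcsp":"1.0.0"}}' \
    > "$d/app-b/package.json"
  echo "$d"
}
```

Running `d=$(make_sample); scan_for_bad_pkgs "$d" "$d/bad.txt"` prints the one lockfile hit in app-a and returns 1. Matching is on the quoted name, so a hit is a prompt to inspect that project, not proof of infection.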

2025-11-25

First pass is super simple and just looks for the file names & package.json signature for signs of infection anywhere in the path you tell it to search.

If it sees anything fishy it tells you where and stops until you've read the alert.

Oh and this only uses bash, sed, awk, grep, curl, and jq. So no npm, node or other big supply chains 🥴

github.com/datapartyjs/walk-wi

#ShalHulud #WalkWithoutRhythm #nodejs #npm #github #javascript

2025-11-25

I've spent the last few hours writing down my scripts for detecting this so you can use them!

I'm hitting on two or three ways to detect it and will be adding more.

Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned 😭

Maybe let the node developers in your life know about this tool 👇🏿

github.com/datapartyjs/walk-wi

#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity

Karl Fredrik 🦊kfh@chaos.social
2024-03-03

The emperor's presence on Arrakis was foretold.

youtu.be/wCDIYvFmgW8

#dune #worm #walken #WalkWithoutRhythm

2023-12-19
Some oriental bittersweet, one of the few spots of color I saw on my walk today, when everything else is gray and brown. Their three-part fruits remind me of the sand worms in Dune.
#WalkWithoutRhythm #ItWontAttractTheWorm
Oriental bittersweet growing on a power tower. The stems are brown. The fruits are bright red and divided in three segments, with a three-part yellow covering, opening up like the sand worms in the movie Dune.
2023-04-24

Finally #Spring in #PDX even if it is a seasonal quantum superposition

I worry about forecasts calling for a significant #elnino as days that are sunny >70 cause this town to lose its collective mind.

-Think something between a Black Friday Sale and that Pagan human-sacrifice Spring ritual from "The Wicker Man"

Fortunately, anything >85F gives us a population of molten locals so ill-suited to the heat they seek to combat it with drive-through ice cream

#climatechange
#walkwithoutrhythm
