@oat-sa/shai-hulud-2-checker

Versions: 1
Package was removed
Sorry, it seems this package was removed from the registry


Detect malicious npm packages linked to the Shai-Hulud 2.0 supply chain attack.

Source: npm
Version: 0.1.0 (latest)
Weekly downloads: 0
Maintainers: 38

Shai-Hulud 2.0 Checker

Detect malicious npm packages linked to the Shai-Hulud 2.0 supply chain attack. This tool scans your package-lock.json against Wiz Security's IOC database of ~700 compromised packages that execute credential theft and secret exfiltration during installation.

About the Attack

The Shai-Hulud 2.0 campaign (November 2025) compromised major packages including:

  • Zapier packages
  • ENS Domains packages
  • PostHog packages
  • Postman packages
  • AsyncAPI packages

The malware:

  • Executes during the preinstall phase
  • Steals AWS, Azure, and GCP credentials
  • Exfiltrates GitHub tokens and SSH keys
  • Creates backdoor workflows
  • Targets both CI/CD pipelines and developer machines

Installation

Install globally:

npm install -g @oat-sa/shai-hulud-2-checker

Or install from GitHub:

git clone git@github.com:oat-sa/shai-hulud-2-checker.git
npm install
npm link

Usage

Run the checker in any project directory that has a package-lock.json file:

shai-hulud-2-checker

The tool will:

  • Fetch the latest list of malicious packages from the Wiz Security IOC repository
  • Scan all your project's dependencies from package-lock.json
  • Report any dependency whose name and exact version match an entry in that list
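To make the matching step concrete, here is an added, self-contained scanner that does what the three steps above describe, written for this page and not taken from the @oat-sa/shai-hulud-2-checker package itself. It assumes the IOC list is one `name@version` per line (the real tool fetches Wiz's list over the network; the format is an assumption here, and the list is embedded so the example runs offline). The lockfile and the IOC entries are constructed sample data: the package names come from the example output above, but the version numbers are invented for illustration and are not real indicators.

```javascript
// Added example (not the package's own code): scan an npm lockfile for exact
// name@version matches against an IOC list. Handles lockfileVersion 2/3
// ("packages" keyed by install path, including nested node_modules and scoped
// names) and lockfileVersion 1 (nested "dependencies" tree).

// Constructed IOC list in an assumed one-"name@version"-per-line format.
// The version numbers are invented for this example and are NOT real IoCs.
const SAMPLE_IOC_TEXT = `
# comment lines and blank lines are ignored
posthog-node@4.18.1
@posthog/agent@1.50.0
`;

// Constructed package-lock.json (lockfileVersion 3): one clean dependency,
// one exact match, one same-name-different-version entry (must NOT match),
// and a nested copy under another package that does match.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/posthog-node": { version: "4.18.1" },
    "node_modules/@posthog/agent": { version: "1.49.0" },
    "node_modules/some-sdk/node_modules/@posthog/agent": { version: "1.50.0" },
  },
};

// Parse "name@version" lines into a Set of exact signatures.
// Split on the LAST "@" so scoped names such as "@scope/pkg" survive intact.
function parseIocList(text) {
  const signatures = new Set();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const at = line.lastIndexOf("@");
    if (at <= 0) continue; // no version part, or a bare scoped name
    signatures.add(`${line.slice(0, at)}@${line.slice(at + 1)}`);
  }
  return signatures;
}

// Flatten the lockfile into [{ name, version }] for every installed package.
function listDependencies(lock) {
  const deps = [];
  if (lock.packages) {
    // v2/v3: the package name is whatever follows the last "node_modules/".
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || !meta.version) continue; // skip the root project
      const idx = path.lastIndexOf("node_modules/");
      const name = meta.name || (idx >= 0 ? path.slice(idx + "node_modules/".length) : path);
      deps.push({ name, version: meta.version });
    }
  } else if (lock.dependencies) {
    // v1: recurse through nested "dependencies" objects.
    const walk = (tree) => {
      for (const [name, meta] of Object.entries(tree)) {
        if (meta.version) deps.push({ name, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return deps;
}

// Exact name@version matches only; deduplicated and sorted for stable output.
function findMatches(lock, signatures) {
  const hits = new Set();
  for (const { name, version } of listDependencies(lock)) {
    const sig = `${name}@${version}`;
    if (signatures.has(sig)) hits.add(sig);
  }
  return [...hits].sort();
}

// Console report in the same spirit as the checker's output; returns the matches.
function report(lock, iocText) {
  const signatures = parseIocList(iocText);
  console.log(`Loaded ${signatures.size} suspicious package signatures.`);
  console.log(`Scanning ${listDependencies(lock).length} dependencies...`);
  const matches = findMatches(lock, signatures);
  if (matches.length === 0) {
    console.log("No suspicious packages found in your dependencies.");
  } else {
    console.log("WARNING: Malicious packages detected!");
    for (const m of matches) console.log(`- ${m}`);
  }
  return matches;
}

report(SAMPLE_LOCKFILE, SAMPLE_IOC_TEXT);
```

Two details matter for a lockfile scanner of this kind: matching on the exact version rather than the name alone avoids flagging the clean 1.49.0 entry in the sample, and deriving the name from the last `node_modules/` segment catches a compromised version that is only installed as a nested transitive dependency.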

Example Output

If no suspicious packages are found:

Fetching malicious package list...
Loaded 700 suspicious packages signatures.
Scanning 245 dependencies...

✅ No suspicious packages found in your dependencies.

If malicious packages are detected:

Fetching malicious package list...
Loaded 700 suspicious packages signatures.
Scanning 245 dependencies...

⚠️ WARNING: Malicious packages detected!
- @posthog/agent
- posthog-node

Requirements

  • Node.js (with ES modules support)
  • A package-lock.json file (lockfileVersion 3 recommended) in the directory where you run the command

Data Source

This tool uses the malicious package list maintained by Wiz Security: https://github.com/wiz-sec-public/wiz-research-iocs

License

ISC

Package last updated on 25 Nov 2025