
v1.0.0 - Initial Release



@alokemajumder released this 26 Nov 08:08

Shai-Hulud 2.0 Detector v1.0.0

Protect your projects from the Shai-Hulud 2.0 npm supply chain attack.

Features

Package Detection

  • Database of 790+ compromised packages from the November 2025 attack
  • Scans package.json, package-lock.json, yarn.lock, and pnpm-lock.yaml
  • Monorepo support with automatic subdirectory scanning
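The manifest and lockfile checks described above, as an added example in Node.js. This is not the detector's own code: the compromised package names and versions in COMPROMISED_DB and in the sample inputs are constructed placeholders, and the real 790+-entry database is not reproduced here. It checks package.json for pinned or caret/tilde specs that resolve to a listed version, flags broader ranges for lockfile follow-up, and walks both the v2/v3 "packages" map and the nested v1 "dependencies" tree of package-lock.json, since the lockfile is what records the version that actually lands in node_modules.

```javascript
// Added example, not the detector's own code. Checks an npm manifest and a
// package-lock.json against a map of compromised package@version pairs.
// Every package name and version in COMPROMISED_DB and in the sample inputs
// is CONSTRUCTED for illustration; the detector's real database is not
// reproduced here.

// Indicator database: package name -> set of compromised versions.
const COMPROMISED_DB = {
  "example-widget-lib": new Set(["2.4.1", "2.4.2"]),
  "@example-org/build-helper": new Set(["1.9.0"]),
};

// package.json fields that can pull a package into the install graph.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Reduce a pinned or caret/tilde spec ("^2.4.1") to its exact version. Anything
// broader (">=2.0.0 <3", "1.x", "latest") returns null: only the lockfile says
// what such a range resolved to.
function exactVersion(spec) {
  const m = /^[~^=v]?(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?)$/.exec(String(spec).trim());
  return m ? m[1] : null;
}

function scanPackageJson(pkgJsonText, db = COMPROMISED_DB) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!(name in db)) continue;
      const version = exactVersion(spec);
      if (version === null) {
        findings.push({ severity: "medium", source: "package.json", field, name, spec,
          reason: "compromised package referenced by an unresolved range; check the lockfile" });
      } else if (db[name].has(version)) {
        findings.push({ severity: "critical", source: "package.json", field, name, version,
          reason: "pinned to a compromised version" });
      }
    }
  }
  return findings;
}

// Lockfile v2/v3 lists every installed package under "packages", keyed by its
// node_modules path; lockfile v1 nests them under "dependencies". Both carry
// the exact resolved version, which is what actually lands on disk.
function scanPackageLock(lockText, db = COMPROMISED_DB) {
  const lock = JSON.parse(lockText);
  const findings = [];
  const report = (name, version, where) => {
    if (name in db && db[name].has(version)) {
      findings.push({ severity: "critical", source: "package-lock.json", name, version, where,
        reason: "lockfile resolves to a compromised version" });
    }
  };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    // The package name is the part after the last "node_modules/" (scoped names keep their "@scope/").
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    report(name, entry.version, path);
  }
  const walkV1 = (deps, parent) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      report(name, entry.version, parent ? `${parent} > ${name}` : name);
      walkV1(entry.dependencies, name); // transitive dependencies nest under their parent
    }
  };
  if (!lock.packages) walkV1(lock.dependencies, "");
  return findings;
}

function scanProject(pkgJsonText, lockText) {
  return [...scanPackageJson(pkgJsonText), ...scanPackageLock(lockText)];
}

// Constructed sample inputs (not real project files).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { "example-widget-lib": "^2.4.1", "left-side": "1.0.0" },
  devDependencies: { "@example-org/build-helper": ">=1.0.0 <2" },
});
const SAMPLE_LOCK_V3 = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/example-widget-lib": { version: "2.4.1" },
    "node_modules/left-side": { version: "1.0.0" },
    "node_modules/@example-org/build-helper": { version: "1.9.0", dev: true },
  },
});
const SAMPLE_LOCK_V1 = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    "left-side": { version: "1.0.0", dependencies: { "example-widget-lib": { version: "2.4.2" } } },
  },
});

console.log(JSON.stringify(scanProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_V3), null, 2));
```

Ranges are reported at medium rather than critical on purpose: a manifest entry like ">=1.0.0 <2" says nothing about which version was installed, so the lockfile finding for the same package is the one to act on. For yarn.lock and pnpm-lock.yaml the same comparison applies once their own formats are parsed.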

Security Findings Detection

  • Malicious scripts: setup_bun.js, bun_environment.js in install hooks
  • TruffleHog activity: Credential scanning patterns
  • SHA1HULUD runners: Malicious GitHub Actions self-hosted runners
  • Secrets exfiltration: actionsSecrets.json and other output files
  • Malicious workflows: formatter_*.yml, discussion.yaml patterns
  • Webhook exfiltration: webhook.site endpoints and known malicious UUIDs
  • Shai-Hulud references: Repository names, git branches, remote URLs
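The indicator checks in this list, as an added rule-based scanner in Node.js that is not the detector's own code. It runs each rule over in-memory {path, content} files, so it can be tried offline; every path and content in SAMPLE_FILES is constructed, the webhook.site UUID is an all-zero placeholder, and the detector's list of known malicious UUIDs is not reproduced, which is why the webhook rule reports the UUID for comparison rather than deciding on it.

```javascript
// Added example, not the detector's own code. Rule-based checks for the
// Shai-Hulud 2.0 indicators listed above, run over in-memory repository files.
// All paths and contents in SAMPLE_FILES are CONSTRUCTED; the webhook.site UUID
// is an all-zero placeholder.

const basename = (p) => p.slice(p.lastIndexOf("/") + 1);
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const LOADER_FILES = ["setup_bun.js", "bun_environment.js"];

// Each rule inspects one {path, content} and returns a detail string or null.
const RULES = [
  { id: "loader-file-present", severity: "critical",
    check: (f) => (LOADER_FILES.includes(basename(f.path)) ? `${basename(f.path)} present in repository` : null) },
  { id: "install-hook-runs-loader", severity: "critical",
    check: (f) => {
      if (basename(f.path) !== "package.json") return null;
      let pkg;
      try { pkg = JSON.parse(f.content); } catch { return null; }
      for (const hook of LIFECYCLE_HOOKS) {
        const cmd = pkg.scripts && pkg.scripts[hook];
        if (cmd && LOADER_FILES.some((d) => cmd.includes(d))) return `${hook} script runs "${cmd}"`;
      }
      return null;
    } },
  { id: "malicious-workflow-filename", severity: "high",
    check: (f) => (/^\.github\/workflows\/(formatter_[^/]+\.ya?ml|discussion\.yaml)$/.test(f.path)
      ? "workflow filename matches the formatter_*.yml / discussion.yaml pattern" : null) },
  { id: "sha1hulud-runner", severity: "critical",
    check: (f) => (/SHA1HULUD/i.test(f.content) ? "references the SHA1HULUD self-hosted runner" : null) },
  { id: "webhook-site-endpoint", severity: "high",
    check: (f) => {
      const m = /webhook\.site(\/[0-9a-f-]{36})?/i.exec(f.content);
      return m ? `webhook.site endpoint ${m[0]}; compare the UUID against the known-malicious list` : null;
    } },
  { id: "actions-secrets-dump", severity: "high",
    check: (f) => (basename(f.path) === "actionsSecrets.json" || /actionsSecrets\.json/.test(f.content)
      ? "actionsSecrets.json output file referenced" : null) },
  { id: "trufflehog-invocation", severity: "medium",
    check: (f) => (/trufflehog/i.test(f.content) ? "TruffleHog credential scan invoked; confirm it is your own" : null) },
  { id: "shai-hulud-git-reference", severity: "high",
    check: (f) => (f.path.startsWith(".git/") && /shai[-_]?hulud/i.test(f.content)
      ? "git config references a Shai-Hulud remote or branch" : null) },
];

const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

// Apply every rule to every file; a rule yields at most one finding per file.
function scanFiles(files, rules = RULES) {
  const findings = [];
  for (const file of files) {
    for (const rule of rules) {
      const detail = rule.check(file);
      if (detail) findings.push({ ruleId: rule.id, severity: rule.severity, path: file.path, detail });
    }
  }
  return findings.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}

function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed sample repository (not real project files).
const SAMPLE_FILES = [
  { path: "package.json", content: JSON.stringify({ name: "demo", scripts: { postinstall: "node setup_bun.js" } }) },
  { path: "setup_bun.js", content: "// constructed placeholder, no payload" },
  { path: ".github/workflows/formatter_ci.yml",
    content: "name: formatter\non: [push]\njobs:\n  fmt:\n    runs-on: SHA1HULUD\n    steps:\n      - run: echo done > actionsSecrets.json\n" },
  { path: "scripts/audit.sh", content: "trufflehog filesystem .\ncurl https://webhook.site/00000000-0000-4000-8000-000000000000\n" },
  { path: ".git/config", content: '[remote "origin"]\n\turl = https://github.com/example-org/shai-hulud-migration.git\n' },
  { path: "README.md", content: "# demo\nNothing suspicious here.\n" },
];

console.log(summarize(scanFiles(SAMPLE_FILES)));
```

The TruffleHog rule is deliberately only medium: a repository may legitimately run its own secret scanning in CI, so that hit needs a human to confirm the invocation is expected, whereas a lifecycle hook that executes setup_bun.js or a workflow pinned to a SHA1HULUD runner has no benign reading.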

Output Formats

  • Text: Human-readable console output
  • JSON: Machine-parseable results
  • SARIF: GitHub Security tab integration
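The three output shapes above, as an added Node.js example that is not the detector's own code: a console text listing, a JSON document, and a SARIF 2.1.0 log of the kind GitHub's Security tab ingests through code scanning. The findings in SAMPLE_FINDINGS, the tool name, and the rule ids are constructed; the mapping of four severities onto SARIF's three result levels and the `security-severity` rule property are design choices of this example.

```javascript
// Added example, not the detector's own code. Renders a findings list as
// text, JSON, or SARIF 2.1.0. SAMPLE_FINDINGS, TOOL, and the rule ids are
// CONSTRUCTED for illustration.

const TOOL = { name: "shai-hulud-2-detector-example", version: "1.0.0" };

// SARIF has three result levels; map the four severities onto them. The
// numeric "security-severity" property is what GitHub uses to bucket alerts.
const SARIF_LEVEL = { critical: "error", high: "error", medium: "warning", low: "note" };
const SECURITY_SEVERITY = { critical: "9.5", high: "8.0", medium: "5.0", low: "2.0" };

function formatText(findings) {
  if (findings.length === 0) return "No Shai-Hulud 2.0 indicators found.\n";
  const lines = findings.map((f) => `[${f.severity.toUpperCase()}] ${f.ruleId} ${f.path}: ${f.detail}`);
  return `${findings.length} finding(s):\n${lines.join("\n")}\n`;
}

function formatJson(findings) {
  return JSON.stringify({ tool: TOOL, count: findings.length, findings }, null, 2);
}

function toSarif(findings, tool = TOOL) {
  // Rules are declared once in the driver; each result refers back by ruleIndex.
  // The rule's default level comes from the first finding seen for it; a later
  // finding with a different severity overrides it on the result itself.
  const ruleIndex = new Map();
  const rules = [];
  for (const f of findings) {
    if (ruleIndex.has(f.ruleId)) continue;
    ruleIndex.set(f.ruleId, rules.length);
    rules.push({
      id: f.ruleId,
      shortDescription: { text: f.ruleId.replace(/-/g, " ") },
      defaultConfiguration: { level: SARIF_LEVEL[f.severity] || "warning" },
      properties: { "security-severity": SECURITY_SEVERITY[f.severity] || "5.0", tags: ["security", "supply-chain"] },
    });
  }
  const results = findings.map((f) => ({
    ruleId: f.ruleId,
    ruleIndex: ruleIndex.get(f.ruleId),
    level: SARIF_LEVEL[f.severity] || "warning",
    message: { text: f.detail },
    locations: [{ physicalLocation: {
      artifactLocation: { uri: f.path, uriBaseId: "%SRCROOT%" }, // path relative to the checkout
      region: { startLine: f.line || 1 }, // SARIF requires a line; default to 1 when the scanner has none
    } }],
  }));
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: tool.name, version: tool.version, rules } }, results }],
  };
}

function render(findings, format) {
  switch (format) {
    case "text": return formatText(findings);
    case "json": return formatJson(findings);
    case "sarif": return JSON.stringify(toSarif(findings), null, 2);
    default: throw new Error(`unknown output format: ${format}`);
  }
}

// Constructed findings (not output of a real scan).
const SAMPLE_FINDINGS = [
  { ruleId: "compromised-package", severity: "critical", path: "package-lock.json", line: 42,
    detail: "example-widget-lib@2.4.1 resolves to a compromised version (constructed)" },
  { ruleId: "install-hook-runs-loader", severity: "critical", path: "package.json",
    detail: "postinstall script runs setup_bun.js" },
  { ruleId: "compromised-package", severity: "medium", path: "package.json",
    detail: "@example-org/build-helper referenced by an unresolved range (constructed)" },
];

console.log(render(SAMPLE_FINDINGS, "text"));
```

In a GitHub Actions job the SARIF string would be written to a file and handed to the upload-sarif action; the `uriBaseId` of `%SRCROOT%` keeps locations relative to the checkout so the Security tab can link each result to the file.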

CI/CD Integration

  • GitHub Actions (recommended)
  • GitLab CI
  • Jenkins
  • Azure DevOps
  • CircleCI

Quick Start

- uses: gensecaihq/Shai-Hulud-2.0-Detector@v1
  with:
    fail-on-critical: true

Affected Organizations

Zapier, ENS Domains, PostHog, AsyncAPI, Postman, Voiceflow, BrowserBase, Oku UI, and many more.

Links