protofy/wormsign

Wormsign

A security scanner to detect Shai-Hulud NPM worm infections in your projects.

Caution

This tool has been hacked together quickly in response to an active threat. Use at your own risk and review the source code before running. It is provided "as-is" without any warranties.

Features

  • Package scanning: Checks package.json, package-lock.json, yarn.lock, and pnpm-lock.yaml for compromised dependencies
  • GitHub markers: Detects malicious workflow files, branches, and git refs associated with the attack
  • Installed package scanning: Checks the packages actually present in node_modules, as reported by npm ls, rather than only what the manifest declares
  • Global npm scanning: Checks globally installed npm packages
  • Malicious code detection: Scans source files for known malicious patterns and exfiltration endpoints
  • Auto-updating threat intel: Downloads and caches the latest compromised package list from Wiz Security research
  • Interactive TUI mode: Beautiful terminal UI with spinners, real-time progress, and scrollable results
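As an added example of what the package and lockfile checks above have to do (written for this page, not code from the wormsign repository), the following Go program matches a project's package.json and package-lock.json against a set of compromised name/version pairs. The IOCSet type, the sample package names and versions, and both sample files are constructed for the example; the format of the real Wiz list is not shown on this page, so loading it into IOCSet is left out. It demonstrates the distinction a practitioner cares about: package.json only declares ranges, so a name match there is advisory, while a lockfile (or npm ls) gives the exact resolved version, including a package nested under another package's node_modules.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding is one dependency that matched the compromised-package list. Exact
// is true only for a resolved version (lockfile or npm ls), never for a
// package.json range.
type Finding struct {
	Source, Name, Version string
	Exact                 bool
}

// IOCSet maps package name -> set of compromised versions. Turning the cached
// Wiz list into this shape is out of scope for the example.
type IOCSet map[string]map[string]bool

// ScanPackageJSON matches declared dependencies by name only: a range such as
// "^1.3.0" cannot be resolved to an exact version here, so every hit is
// advisory until a lockfile or `npm ls` shows which version is installed.
func ScanPackageJSON(data []byte, iocs IOCSet) ([]Finding, error) {
	var pkg struct {
		Deps    map[string]string `json:"dependencies"`
		DevDeps map[string]string `json:"devDependencies"`
		OptDeps map[string]string `json:"optionalDependencies"`
	}
	if err := json.Unmarshal(data, &pkg); err != nil {
		return nil, fmt.Errorf("package.json: %w", err)
	}
	var out []Finding
	for _, deps := range []map[string]string{pkg.Deps, pkg.DevDeps, pkg.OptDeps} {
		for name, rng := range deps {
			if _, listed := iocs[name]; listed {
				out = append(out, Finding{"package.json", name, rng, false})
			}
		}
	}
	return sorted(out), nil
}

// ScanPackageLock matches exact resolved versions from the flat "packages" map
// of lockfileVersion 2/3. Keys are install paths ("node_modules/@scope/pkg" or
// nested "node_modules/a/node_modules/pkg"), so the package name is whatever
// follows the last "node_modules/". The lockfileVersion 1 tree is not handled.
func ScanPackageLock(data []byte, iocs IOCSet) ([]Finding, error) {
	var lock struct {
		Packages map[string]struct {
			Version string `json:"version"`
		} `json:"packages"`
	}
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("package-lock.json: %w", err)
	}
	var out []Finding
	for key, p := range lock.Packages {
		i := strings.LastIndex(key, "node_modules/")
		if i < 0 {
			continue // "" is the root project entry, not a dependency
		}
		if name := key[i+len("node_modules/"):]; iocs[name][p.Version] {
			out = append(out, Finding{"package-lock.json", name, p.Version, true})
		}
	}
	return sorted(out), nil
}

// sorted gives deterministic output regardless of Go map iteration order.
func sorted(f []Finding) []Finding {
	sort.Slice(f, func(i, j int) bool {
		return f[i].Name < f[j].Name || (f[i].Name == f[j].Name && f[i].Version < f[j].Version)
	})
	return f
}

// Constructed sample inputs: the package names and versions are made up for
// this example and are not real indicators from the Wiz list.
var sampleIOCs = IOCSet{"sample-pkg-a": {"1.3.1": true}, "@example/pkg-b": {"2.0.5": true}}

const samplePackageJSON = `{"dependencies":{"sample-pkg-a":"^1.3.0","express":"^4.18.0"},
 "devDependencies":{"@example/pkg-b":"2.0.5"}}`

const samplePackageLock = `{"lockfileVersion":3,"packages":{
 "":{"name":"demo","version":"1.0.0"},
 "node_modules/express":{"version":"4.18.2"},
 "node_modules/sample-pkg-a":{"version":"1.3.0"},
 "node_modules/@example/pkg-b":{"version":"2.0.5"},
 "node_modules/@example/pkg-b/node_modules/sample-pkg-a":{"version":"1.3.1"}}}`

func main() {
	adv, _ := ScanPackageJSON([]byte(samplePackageJSON), sampleIOCs)
	exact, _ := ScanPackageLock([]byte(samplePackageLock), sampleIOCs)
	for _, f := range append(adv, exact...) {
		fmt.Printf("%-18s %-24s %-8s exact=%v\n", f.Source, f.Name, f.Version, f.Exact)
	}
}
```

Run with `go run .`: the top-level sample-pkg-a resolves to 1.3.0 and is clean, but the copy nested under @example/pkg-b resolves to the listed 1.3.1, which is exactly the case a manifest-only check misses. Treat a package.json hit as a prompt to check the lockfile or npm ls, and a lockfile hit as confirmed.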

Installation

Pre-built binaries

Download the latest release for your platform from the Releases page.

Build from source

go build -o wormsign .

Usage

# Scan current directory
wormsign

# Scan a specific directory
wormsign -dir /path/to/project

# Scan with all checks enabled
wormsign -dir . -global -installed -malicious

# Don't scan for git infection markers
wormsign -dir . -git=false

# Force update threat intelligence
wormsign -update

# Run in offline mode (use cached threat intel)
wormsign -offline

# Export findings to JSON
wormsign -dir . -output findings.json

# Enable verbose output
wormsign -dir . -verbose

# Run in interactive TUI mode
wormsign -tui

# TUI mode with specific directory
wormsign -tui -dir /path/to/project

Options

Flag         Description
-dir         Directory to scan (default: .)
-tui         Enable interactive TUI mode with spinners and scrollable results
-global      Also scan global npm packages
-installed   Scan installed packages via npm ls (requires node_modules)
-malicious   Scan source files for malicious code patterns
-git         Scan for GitHub infection markers (default: true)
-output      Export findings to JSON file
-verbose     Enable verbose/debug output
-offline     Use cached threat intel (don't fetch from GitHub)
-update      Force update threat intel from GitHub

Exit Codes

  • 0: No critical findings
  • 1: Critical findings detected (a CI step that runs wormsign fails with it)

Cache Location

Threat intelligence is cached locally:

  • macOS: ~/Library/Caches/wormsign/
  • Linux: ~/.cache/wormsign/ or $XDG_CACHE_HOME/wormsign/
  • Windows: %LocalAppData%\wormsign\

Threat Intelligence

This tool uses the compromised package list maintained by Wiz Security. The list is fetched from GitHub, cached locally (see Cache Location), and checked for freshness on each run; -update forces a refresh and -offline uses the cached copy without contacting GitHub.
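An added example (not the wormsign implementation) of the cache and freshness policy that the Cache Location and Threat Intelligence sections describe, covering -offline, -update, and the failure modes a scanner must not get wrong: a failed or empty download must never replace a good cache, and a scan must not silently run with no list at all. The cache file name, the Fetcher type and the 24-hour freshness window are assumptions made for the example; DefaultCacheDir relies on Go's os.UserCacheDir, which yields the per-platform directories listed above.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

const cacheFileName = "compromised.txt" // assumed name; the real cache layout is the tool's own

// Fetcher downloads the current compromised-package list. It is injected so
// the cache policy can be exercised without any network access.
type Fetcher func() ([]byte, error)

// DefaultCacheDir resolves the per-user cache directory. os.UserCacheDir gives
// ~/Library/Caches on macOS, $XDG_CACHE_HOME or ~/.cache on Linux and
// %LocalAppData% on Windows, which matches the layout listed above.
func DefaultCacheDir() (string, error) {
	base, err := os.UserCacheDir()
	if err != nil {
		return "", err
	}
	return filepath.Join(base, "wormsign"), nil
}

// LoadThreatIntel returns the list plus its provenance: "cache" (fresh, or any
// cache in offline mode), "network" (just fetched and written) or "stale-cache"
// (fetch failed, so an expired copy is served rather than letting the scan run
// against nothing). Only "no cache and no way to fetch" is a hard error.
func LoadThreatIntel(cacheDir string, maxAge time.Duration, offline, forceUpdate bool, fetch Fetcher) ([]byte, string, error) {
	p := filepath.Join(cacheDir, cacheFileName)
	cached, readErr := os.ReadFile(p)
	haveCache := readErr == nil
	fresh := false
	if st, err := os.Stat(p); haveCache && err == nil && time.Since(st.ModTime()) < maxAge {
		fresh = true
	}
	switch {
	case offline && !haveCache:
		return nil, "", fmt.Errorf("offline and no cached threat intel at %s", p)
	case offline, fresh && !forceUpdate:
		return cached, "cache", nil
	}
	data, err := fetch()
	// A zero-length list is a broken download, not a clean ecosystem; treat it
	// as a failure so it can never overwrite a good cache.
	if err == nil && len(bytes.TrimSpace(data)) == 0 {
		err = errors.New("fetched list is empty")
	}
	if err != nil {
		if haveCache {
			return cached, "stale-cache", nil
		}
		return nil, "", fmt.Errorf("fetch failed and no cache available: %w", err)
	}
	if err := writeAtomic(p, data); err != nil {
		return nil, "", err
	}
	return data, "network", nil
}

// writeAtomic writes to a temp file and renames it into place, so a crash
// mid-write cannot leave a truncated list that later reads as "nothing is
// compromised".
func writeAtomic(p string, data []byte) error {
	if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
		return err
	}
	tmp := p + ".tmp"
	if err := os.WriteFile(tmp, data, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, p)
}

func main() {
	dir, err := DefaultCacheDir()
	if err != nil {
		fmt.Println("cache dir:", err)
		return
	}
	// Offline, so the demo never touches the network: with no cache present it
	// reports the same condition a user of `wormsign -offline` would hit.
	_, src, err := LoadThreatIntel(dir, 24*time.Hour, true, false, nil)
	fmt.Println("cache dir:", dir, "source:", src, "err:", err)
}
```

The "stale-cache" outcome is deliberately a warning rather than a silent fallback: a scan run against last week's list can miss packages added since, so a CI job should surface the provenance string alongside the findings.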

License

BSD-2-Clause License. See the LICENSE file for details.

About

Hacked together scanner to test for Shai Hulud Infiltration
