Shai-Hulud Attack Impact Assessment

This repository helps you assess whether your organization was affected by the Shai-Hulud worm attack targeting multiple npm packages.


⚠️ Important Caveats

  • The fossa-deps.yml method provides a readable, actively maintained list of all known compromised packages.
    • Its purpose is to serve as an easy reference for identifying impacted packages; if you do scan it for analysis, the resulting project is purely a marker in your organization, not a real project to review for issues.
    • It mirrors the classic way FOSSA lists manual dependencies, if you're into awesome yaml formatting.
  • However, after extensive testing, we do not recommend scanning the fossa-deps file for analysis purposes.
    • Many packages have been removed from the npm registry, so some will show resolution errors (e.g., PackageNotFound); this is expected and not a FOSSA issue.
    • That said, the fossa-deps approach is highly effective on Day 0. Once compromised packages are removed by OSS maintainers, they may no longer be discoverable through fossa-deps.
    • On the plus side, FOSSA is actively maintaining the list of compromised packages, so you always have an up-to-date reference for identification and tracking.
  • The true solution for operational security and ongoing protection is to use the Package Blocker Tool, which:
    • Applies blocking rules directly in FOSSA,
    • Works regardless of package availability on npm,
    • Ensures no compromised packages can be used in future scans or projects.

Overview

This repository includes two main features:

  1. Package Identification via fossa-deps.yml

    • Lists all known compromised package versions
    • Serves as a clear, human-readable reference for reviewing purposes only.
  2. Blocking & Prevention via the Blocker Tool

    • Actively blocks all malicious packages across your organization.
    • Works even if the original package is gone from npm or missing from fossa-deps.yml.

Prerequisites

You’ll need:

  1. FOSSA API Token – A push-only token for scanning or blocking operations.
  2. FOSSA's Quality feature must be enabled in your organization.

Block Malicious Packages

Use the Package Blocker Tool in the blocker-tool/ directory to:

  • Block all confirmed Shai-Hulud packages (even those removed from npm).
  • Prevent any future scans from allowing compromised packages.
  • Optionally extend blocking rules with custom blocklists.

Quick start:

cd blocker-tool
npm install
./block-shai-hulud.sh -i "YOUR_QUALITY_POLICY_ID" -u "https://app.fossa.com" -t "YOUR_API_TOKEN"

See Blocker Tool README for full details.


Impacted Packages List

The fossa-deps.yml file contains all known compromised versions, including:

  • @ctrl/*
  • @nativescript-community/*
  • @teselagen/*
  • @crowdstrike/*
  • …and many more (over 500 versions total).

This list is actively maintained.
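The list above is meant for identification, so the practical question is "do any of my lockfiles pin one of these exact versions?" The following is an added example, not code from this repository or from FOSSA: it cross-checks an npm package-lock.json (lockfileVersion 2/3, which stores installs in its `packages` map) against a blocklist of name@version pairs. The compromised-package entries are modelled as a plain array; in a real run you would load fossa-deps.yml and read its entries instead. Every package name and version in the sample data is constructed for illustration and is not a real compromised release.

```javascript
// Added example (not part of the fossa/fossa-malware-impacted-packages repo):
// cross-check an npm package-lock.json against a list of compromised
// package versions of the kind fossa-deps.yml provides.
//
// Assumption: the fossa-deps.yml entries are modelled here as a plain array
// of {name, version} objects. In practice you would parse the YAML file and
// feed its entries into buildBlocklist(). All names and versions below are
// CONSTRUCTED samples, not real compromised releases.

const COMPROMISED = [
  { name: "@ctrl/example-pkg", version: "1.2.3" },               // constructed
  { name: "@nativescript-community/example", version: "4.0.1" }, // constructed
  { name: "@teselagen/example-utils", version: "0.9.9" },        // constructed
];

// Build a Set of "name@version" keys for O(1) exact-version lookup.
function buildBlocklist(entries) {
  return new Set(entries.map((e) => `${e.name}@${e.version}`));
}

// Derive the package name from a package-lock "packages" key.
// Keys look like "node_modules/@scope/name" or, for nested installs,
// "node_modules/parent/node_modules/@scope/name". The "" key is the
// project itself and has no node_modules prefix.
function nameFromLockKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  if (idx === -1) return null;
  return key.slice(idx + "node_modules/".length);
}

// Return every installed package whose exact name@version is blocklisted.
// Nested installs are covered because every entry of the "packages" map is
// visited, not just direct dependencies.
function findCompromised(lockfileJson, blocklist) {
  const lock = JSON.parse(lockfileJson);
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (!name || !meta.version) continue;
    const id = `${name}@${meta.version}`;
    if (blocklist.has(id)) hits.push({ path: key, id });
  }
  return hits;
}

// Constructed package-lock.json: one direct hit, one nested hit, one clean
// package, and a clean version of a listed name (must NOT match, since the
// list is version-specific).
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/@ctrl/example-pkg": { version: "1.2.3" },
    "node_modules/sample-clean-lib": { version: "2.0.0" },
    "node_modules/sample-clean-lib/node_modules/@teselagen/example-utils": { version: "0.9.9" },
    "node_modules/@nativescript-community/example": { version: "4.0.2" },
  },
});

function main() {
  const hits = findCompromised(SAMPLE_LOCK, buildBlocklist(COMPROMISED));
  for (const h of hits) console.log(`COMPROMISED ${h.id} at ${h.path}`);
  console.log(`${hits.length} compromised install(s) found`);
  return hits.length;
}

main();
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file contents (for example `fs.readFileSync("package-lock.json", "utf8")`) and COMPROMISED with the entries from fossa-deps.yml. Matching on the exact version matters: a clean release of a listed package name is not a finding, and the sample data includes one such case to make that explicit.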


Suggested Workflow

  1. 📊 Identify – Use fossa-deps.yml as a reference to find impacted packages in your org.
  2. 🛡️ Block – Use the blocker tool to prevent usage of compromised packages going forward.
  3. 🔄 Monitor – Review affected projects, plan upgrades, and continuously audit new findings.

For help or advanced guidance, contact FOSSA Support or your account team.
