"The Mahdi will be aware of things others cannot see." – Excerpt from the Mahdi prophecy
Scans for npm packages and artifacts known to be compromised by the 'Shai-Hulud' attack.
Scanned files/dirs:
- package.json
- node_modules/
- package-lock.json
- yarn.lock
- pnpm-lock.yaml
- .yarn/cache
Ignores /proc, /sys, /dev mounts by default.
Uses the list of compromised packages from socket.dev (last update: 19.09.2025 0:28)
- mostly vibe-coded 😬
- didn't test yarn part 😬
- if no compromised packages are found, your system might still be compromised, because of undetected packages or an outdated list (check and update the list at line 38 before running!)
- a virus scan might be more effective
- dependencies: python3
python3 mahdi.py [-h] [--root ROOT] [--no-exclude-mounts] [--follow-symlinks] [--output OUTPUT] [--max MAX]
options:
  -h, --help            show this help message and exit
  --root, -r ROOT       Root path to scan (default: /)
  --no-exclude-mounts   Do not exclude /proc,/sys,/dev etc. (default: false)
  --follow-symlinks     Follow symlinks (default: false)
  --output, -o OUTPUT   Write JSON output to files (default: false)
  --max MAX             Max directories to probe (default: 0 = unlimited)
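
The package-lock.json check described above, as an added example (not code from mahdi.py): it matches every pinned name/version pair, including nested and scoped packages, against a compromised list. The list entries, the sample lockfile and the function names are constructed for illustration.

```python
import json

# Constructed placeholder list (name -> compromised versions); not real indicators.
COMPROMISED = {
    "example-bad-pkg": {"1.2.3"},
    "@example-scope/bad-util": {"4.0.1", "4.0.2"},
}

def iter_locked(lock):
    """Yield (name, version, location) for each package pinned in a parsed lockfile."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # Text after the last "node_modules/" is the name (keeps @scope/name);
            # an explicit "name" field, when present (e.g. aliased installs), wins.
            name = meta.get("name") or path.rpartition("node_modules/")[2]
            yield name, meta.get("version"), path
        return
    # lockfileVersion 1: nested "dependencies" trees, walked iteratively
    stack = [("", lock.get("dependencies", {}))]
    while stack:
        prefix, deps = stack.pop()
        for name, meta in deps.items():
            loc = prefix + name
            yield name, meta.get("version"), loc
            stack.append((loc + " > ", meta.get("dependencies", {})))

def find_compromised(lock, bad=COMPROMISED):
    """Return sorted (name, version, location) hits; versions must match exactly."""
    return sorted(h for h in iter_locked(lock) if h[1] in bad.get(h[0], ()))

# Constructed lockfile: a nested hit, a scoped hit, and a clean version of a listed name.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left": {"version": "2.0.0"},
    "node_modules/left/node_modules/example-bad-pkg": {"version": "1.2.3"},
    "node_modules/@example-scope/bad-util": {"version": "4.0.1"},
    "node_modules/example-bad-pkg": {"version": "1.2.4"}
  }
}
""")

if __name__ == "__main__":
    for name, version, loc in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {loc}")
```

A hit in a lockfile only shows that the version was resolved; whether it was ever installed or executed has to be confirmed from node_modules/ and the host itself.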