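#!/bin/bash
# Mini Shai-Hulud Deep-Scout (Hidden Folder & Lockfile Optimized)
# Final Revision: May 15, 2026
#
# Read-only indicator scan of $HOME with ripgrep: each step prints one line
# per hit and nothing on disk is modified. Requires rg. Scope is limited to
# the indicators listed below, so "no hits" is not proof of a clean machine.
set -u

RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m'

# Number of hits across all steps, reported in the summary at the end.
findings=0

# say COLOR TEXT: print TEXT in COLOR. The color is a '\033' escape (%b);
# TEXT is printed with %s so matched file contents are never re-interpreted
# as escape sequences (the original `echo -e "$line"` did interpret them).
say() { printf '%b%s%b\n' "$1" "$2" "$NC"; }

# report LABEL DETAIL: print one finding and count it.
report() {
  say "$RED" "[!] $1: $2"
  findings=$((findings + 1))
}

# ripgrep is the only dependency. The scans below send stderr to /dev/null to
# hide macOS "Operation not permitted" noise, so without this check a missing
# rg would produce an empty -- and misleading -- "clean" run.
if ! command -v rg >/dev/null 2>&1; then
  say "$RED" "[!] ripgrep (rg) not found; install it and re-run." >&2
  exit 2
fi

# Exclude macOS System folders that throw "Operation not permitted"
# This keeps your output clean while still scanning all your code.
EXCLUDES=("-g" "!Library/" "-g" "!Pictures/" "-g" "!Music/" "-g" "!Downloads/" "-g" "!Public/" "-g" "!Movies/")

# Search hidden files AND ignore .gitignore/.ignore rules in every step: by
# default rg skips ignored paths such as node_modules/ or a gitignored
# .vscode/, which is exactly where a dropped payload or hook would sit.
RG_OPTS=(--hidden --no-ignore)

# scan_content LABEL PATTERN GLOB...: report every line, in files matching one
# of the GLOBs, whose text matches the regex PATTERN.
scan_content() {
  local label=$1 pattern=$2
  shift 2
  local -a globs=()
  local g line
  for g in "$@"; do globs+=(-g "$g"); done
  while IFS= read -r line; do
    report "$label" "$line"
  done < <(rg "${RG_OPTS[@]}" -e "$pattern" ~ "${EXCLUDES[@]}" "${globs[@]}" 2>/dev/null)
}

# scan_names LABEL GLOB...: report every file whose path matches one of the
# GLOBs (filename check only, no content match).
scan_names() {
  local label=$1
  shift
  local -a globs=()
  local g file
  for g in "$@"; do globs+=(-g "$g"); done
  while IFS= read -r file; do
    report "$label" "$file"
  done < <(rg --files "${RG_OPTS[@]}" ~ "${EXCLUDES[@]}" "${globs[@]}" 2>/dev/null)
}

say "$YELLOW" "--- ULTIMATE HIDDEN-VECTOR SCAN (TeamPCP / May 2026) ---"
echo "Note: Now scanning .git, .vscode, and .claude folders..."

# 1. SCAN ALL LOCKFILES (Even if hidden or ignored)
# Hunting for the malicious TanStack and Mistral commit hashes
echo
say "$YELLOW" "[1/6] Scanning all lockfiles (including hidden)..."
scan_content "CRITICAL: Malicious hash in lockfile" \
  "79ac49eedf774dd4b0cfa308722bc463cfe5885c|65bf499d" \
  "package*.json" "*-lock.yaml" "*-lock.json" "yarn.lock" "requirements.txt" "poetry.lock"

# 2. SCAN GIT HISTORY & CONFIGS
# The worm spoofs 'claude@users.noreply.github.com' and adds its own remotes
say "$YELLOW" "[2/6] Checking Git metadata and spoofed signatures..."
scan_content "MALICIOUS GIT SIGNATURE DETECTED" \
  "claude@users\.noreply\.github\.com|zblgg" \
  "**/.git/COMMIT_EDITMSG" "**/.git/config"

# 3. SCAN CI/CD WORKFLOWS (Exfiltration check)
# Dots are escaped so the regex matches the literal domain only.
say "$YELLOW" "[3/6] Checking local workflows for exfiltration (masscan.cloud)..."
scan_content "COMPROMISED WORKFLOW DETECTED" "api\.masscan\.cloud" "**/.github/workflows/*.y*ml"

# 4. SCAN IDE PERSISTENCE (VS Code / Claude Code)
say "$YELLOW" "[4/6] Checking hidden IDE configs for auto-run hooks..."
scan_content "IDE PERSISTENCE DETECTED" "router_init|setup\.mjs|execution\.js" \
  "**/.vscode/tasks.json" "**/.claude/settings.json"

# 5. SCAN FOR HIDDEN MALWARE PAYLOADS
say "$YELLOW" "[5/6] Hunting for hidden malware files (router_init, etc)..."
scan_names "MALICIOUS PAYLOAD DETECTED" \
  "**/router_init.js" "**/vite_setup.mjs" "**/execution.js" "**/setup.mjs" "**/transformers.pyz"

# 6. SYSTEM-LEVEL PERSISTENCE (LaunchAgents)
# ~/Library is excluded from the rg scans above, so these paths are checked
# explicitly.
say "$YELLOW" "[6/6] Checking for 'Dead Man's Switch' services..."
if [ -f ~/Library/LaunchAgents/com.user.gh-token-monitor.plist ]; then
  report "WIPER SERVICE FOUND" "com.user.gh-token-monitor.plist"
fi
if [ -f ~/.local/bin/gh-token-monitor.sh ]; then
  report "WIPER SCRIPT FOUND" "~/.local/bin/gh-token-monitor.sh"
fi

# Summary: the count lets a reader (or a wrapper script) see at a glance
# whether anything above needs follow-up.
echo
if [ "$findings" -gt 0 ]; then
  say "$RED" "[+] Comprehensive Scan Complete: $findings indicator hit(s) listed above."
else
  say "$GREEN" "[+] Comprehensive Scan Complete. No indicators found."
fi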
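#!/bin/bash
# Mini Shai-Hulud Deep-Forensics (Native Find Version)
# Date: May 15, 2026
#
# Read-only indicator scan of $HOME using only find + grep (no ripgrep
# needed). Each step prints one line per hit and nothing on disk is modified.
# Scope is limited to the indicators listed below, so "no hits" is not proof
# of a clean machine.
set -u

RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m'

# Number of hits across all steps, reported in the summary at the end.
findings=0

# say COLOR TEXT: print TEXT in COLOR. The color is a '\033' escape (%b);
# TEXT is printed with %s so file paths are never re-interpreted as escapes.
say() { printf '%b%s%b\n' "$1" "$2" "$NC"; }

# report LABEL DETAIL: print one finding and count it.
report() {
  say "$RED" "[!] $1: $2"
  findings=$((findings + 1))
}

say "$YELLOW" "--- Deep-Forensics System Scan (May 2026) ---"
echo "Searching all hidden files & folders. This may take a minute..."

# We skip the heavy macOS Library/Pictures/Music/Movies to keep it fast, but
# scan ALL code folders. The prune is anchored to $HOME so that a directory
# merely *named* Library inside a project is still scanned (an unanchored
# "*/Library" pattern would skip it), and the same list is used by every
# step so coverage is consistent between steps.
# stderr of find/grep is discarded on purpose: macOS prints "Operation not
# permitted" for protected folders and that noise hides real hits.
PRUNE=(-type d \( -path "$HOME/Library" -o -path "$HOME/Pictures" -o -path "$HOME/Music" -o -path "$HOME/Movies" \) -prune)

# 1. SCAN FOR MALICIOUS PAYLOADS (Filenames)
# -print0 / read -d '' keep a path containing a newline from being split
# into two bogus findings.
echo
say "$YELLOW" "[1/5] Hunting for payload files by name..."
while IFS= read -r -d '' file; do
  report "MALICIOUS PAYLOAD DETECTED" "$file"
done < <(find "$HOME" "${PRUNE[@]}" -o \
  -type f \( -name "router_init.js" -o -name "vite_setup.mjs" -o -name "execution.js" \
  -o -name "setup.mjs" -o -name "tanstack_runner.js" -o -name "transformers.pyz" \) -print0 2>/dev/null)

# 2. SCAN FILE CONTENTS (The "Smoking Gun" Hashes)
# This looks for the TanStack/zblgg hashes in every package/lockfile in your
# projects. `grep --null` (GNU and BSD) terminates each filename with NUL.
say "$YELLOW" "[2/5] Scanning all package/lockfile contents for malicious hashes..."
while IFS= read -r -d '' match; do
  report "INFECTED DEPENDENCY DETECTED" "$match"
done < <(find "$HOME" "${PRUNE[@]}" -o \
  -type f \( -name "package*.json" -o -name "*-lock.yaml" -o -name "*-lock.json" -o -name "yarn.lock" -o -name "requirements.txt" \) \
  -exec grep -lE --null "79ac49eedf774dd4b0cfa308722bc463cfe5885c|65bf499d" {} + 2>/dev/null)

# 3. SCAN FOR EXFILTRATION DOMAINS (CI/CD Workflows)
# Dots are escaped so the regex matches the literal domains only.
say "$YELLOW" "[3/5] Checking for secret-stealing GitHub Actions..."
while IFS= read -r -d '' workflow; do
  report "COMPROMISED WORKFLOW FOUND" "$workflow"
done < <(find "$HOME" "${PRUNE[@]}" -o \
  -path "*/.github/workflows/*" -type f \( -name "*.yml" -o -name "*.yaml" \) \
  -exec grep -lE --null "api\.masscan\.cloud|filev2\.getsession\.org" {} + 2>/dev/null)

# 4. SCAN FOR PERSISTENCE (IDE Hooks & Git Signatures)
# .git/config is included (the worm adds its own remotes), matching the
# ripgrep variant of this scan; -type f skips any directory with these names.
say "$YELLOW" "[4/5] Checking hidden IDE configs and Git metadata..."
while IFS= read -r -d '' persistence; do
  report "PERSISTENCE/MALICIOUS SIGNATURE DETECTED" "$persistence"
done < <(find "$HOME" "${PRUNE[@]}" -o \
  -type f \( -path "*/.vscode/tasks.json" -o -path "*/.claude/settings.json" -o -path "*/.git/COMMIT_EDITMSG" -o -path "*/.git/config" \) \
  -exec grep -lE --null "router_init|setup\.mjs|execution\.js|claude@users\.noreply\.github\.com|zblgg" {} + 2>/dev/null)

# 5. SYSTEM-LEVEL PERSISTENCE (LaunchAgents)
# ~/Library is pruned above, so these two paths are checked explicitly.
say "$YELLOW" "[5/5] Checking for 'Dead Man's Switch' services..."
if [ -f "$HOME/Library/LaunchAgents/com.user.gh-token-monitor.plist" ]; then
  report "WIPER SERVICE FOUND" "com.user.gh-token-monitor.plist"
fi
if [ -f "$HOME/.local/bin/gh-token-monitor.sh" ]; then
  report "WIPER SCRIPT FOUND" "~/.local/bin/gh-token-monitor.sh"
fi

# Summary: the count lets a reader (or a wrapper script) see at a glance
# whether anything above needs follow-up.
echo
if [ "$findings" -gt 0 ]; then
  say "$RED" "[+] Scan Complete: $findings indicator hit(s) listed above."
else
  say "$GREEN" "[+] Scan Complete. No indicators found."
fi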