@kucukharf
Created March 31, 2026 23:29
Lockfile IOC Scanner (npm / yarn / pnpm)

Scan your machine for suspicious or known malicious dependencies inside JavaScript lockfiles.

This script recursively scans for:

  • package-lock.json
  • yarn.lock
  • pnpm-lock.yaml
  • npm-shrinkwrap.json

Use Case

Designed to detect supply chain attacks such as the Axios compromise where malicious dependencies were injected via transitive packages (e.g. plain-crypto-js).

What it detects (default)

  • plain-crypto-js (malicious package)
  • axios@1.14.1
  • axios@0.30.4

Detection rules live in the PATTERNS array. Each entry is a label and an extended regular expression separated by |; the label is what the report prints and the regex is what grep -E runs against each lockfile, so adding a new indicator is a one-line change.


Usage

chmod +x scan-lockfiles.sh
./scan-lockfiles.sh                 # scans $HOME by default
./scan-lockfiles.sh /path/to/root   # or pass the directory to search as the first argument

scan-lockfiles.sh:

#!/usr/bin/env bash
# Recursively locate JavaScript lockfiles under SEARCH_ROOT and grep each one for
# the indicator patterns below. -e is deliberately not set: grep exits non-zero on
# every clean file and that must not abort the scan.
set -uo pipefail

SEARCH_ROOT="${1:-$HOME}"

LOCKFILES=(
  "package-lock.json"
  "yarn.lock"
  "pnpm-lock.yaml"
  "npm-shrinkwrap.json"
)

# One rule per entry, "label|extended-regex". The label is printed on a hit; the
# regex is passed to grep -E and matched line by line.
PATTERNS=(
  "plain-crypto-js|plain-crypto-js"
  "axios-1.14.1|axios.*1\.14\.1"
  "axios-0.30.4|axios.*0\.30\.4"
)

echo "Scanning root: $SEARCH_ROOT"
echo

# Build "-name A -o -name B -o ..." for find from the LOCKFILES list
find_args=()
for name in "${LOCKFILES[@]}"; do
  if [[ ${#find_args[@]} -gt 0 ]]; then
    find_args+=(-o)
  fi
  find_args+=(-name "$name")
done

match_found=0
# NUL-delimited so paths containing spaces or newlines survive; permission
# errors from find are silenced so the scan continues past unreadable directories
while IFS= read -r -d '' file; do
  for entry in "${PATTERNS[@]}"; do
    label="${entry%%|*}"   # text before the first |
    regex="${entry#*|}"    # text after the first |
    if grep -E -q "$regex" "$file"; then
      printf '[MATCH] %-20s %s\n' "$label" "$file"
      match_found=1
    fi
  done
done < <(find "$SEARCH_ROOT" -type f \( "${find_args[@]}" \) -print0 2>/dev/null)

echo
if [[ "$match_found" -eq 0 ]]; then
  echo "No matches found."
else
  echo "Scan completed with matches."
fi
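As an added example that is not part of the gist, the same indicators checked by parsing the lockfile structure rather than grepping lines: a loose pattern such as axios.*1\.14\.1 also fires on a range specifier like axios@^1.14.1 whose resolved version is clean, whereas a structured check compares the exact resolved version and reports the install path. It covers only the npm lockfile formats (package-lock.json and npm-shrinkwrap.json, lockfileVersion 1 to 3); the indicator table mirrors the script's PATTERNS and the two sample lockfiles are constructed for the demonstration.

```python
"""Structured IOC check for package-lock.json / npm-shrinkwrap.json (lockfileVersion 1-3).
Indicator table mirrors the gist's PATTERNS; the sample lockfiles below are constructed."""
import json
import sys

# package name -> set of malicious versions; None means every version is an indicator
IOCS = {"plain-crypto-js": None, "axios": {"1.14.1", "0.30.4"}}


def iter_packages(lock):
    """Yield (name, version, location) for every installed package in the lockfile."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for key, meta in lock["packages"].items():
            if key:  # "" is the root project itself, not a dependency
                name = key.split("node_modules/")[-1]  # handles nested and @scoped paths
                yield name, meta.get("version", ""), key
        return
    # lockfileVersion 1: nested "dependencies" tree (v2 carries it too, but is handled above)
    stack = [(n, m, n) for n, m in lock.get("dependencies", {}).items()]
    while stack:
        name, meta, path = stack.pop()
        yield name, meta.get("version", ""), path
        for child, cmeta in meta.get("dependencies", {}).items():
            stack.append((child, cmeta, f"{path} > {child}"))


def find_iocs(lock_text, iocs=IOCS):
    """Return sorted (name, version, location) tuples whose name and exact version match."""
    hits = []
    for name, version, location in iter_packages(json.loads(lock_text)):
        if name in iocs and (iocs[name] is None or version in iocs[name]):
            hits.append((name, version, location))
    return sorted(hits)


SAMPLE_LOCK_V3 = json.dumps({  # constructed: flagged axios version plus the hoisted payload package
    "lockfileVersion": 3,
    "packages": {"": {"name": "demo", "version": "1.0.0"},
                 "node_modules/axios": {"version": "1.14.1"},
                 "node_modules/plain-crypto-js": {"version": "0.0.1"},
                 "node_modules/lodash": {"version": "4.17.21"}}})
SAMPLE_LOCK_V1 = json.dumps({  # constructed: old nested tree, axios itself at an unflagged version
    "lockfileVersion": 1,
    "dependencies": {"axios": {"version": "1.14.0",
                               "dependencies": {"plain-crypto-js": {"version": "0.0.1"}}}}})

if __name__ == "__main__":  # usage: python lock_iocs.py path/to/package-lock.json ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for name, version, where in find_iocs(fh.read()):
                print(f"[MATCH] {name}@{version}  {path}  ({where})")
```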