@maelvls
Created November 27, 2025 09:05
#!/usr/bin/env bash
# Check every repo of a GitHub org/user (or a single repo) for declared
# dependencies on packages in Wiz's Shai-Hulud 2 IOC list.
# Requires: gh (authenticated), jq >= 1.6, curl, base64.
#
# Caveat: matching is by package NAME only. The script neither compares
# versions nor reads lockfiles, so a hit means "depends on a package that
# had compromised versions published", not "has a compromised version
# installed". Verify each hit against the repo's lockfile before acting.
set -euo pipefail

if [[ $# -lt 1 ]]; then
  echo "Usage: $0 <github-org> | <github-org/repo>" >&2
  exit 1
fi

TARGET="$1"
CSV_URL="https://raw.githubusercontent.com/wiz-sec-public/wiz-research-iocs/main/reports/shai-hulud-2-packages.csv"
TMP_DIR="$(mktemp -d)"
AFFECTED_CSV="$TMP_DIR/shai.csv"
AFFECTED_LIST="$TMP_DIR/affected.txt"
trap 'rm -rf "$TMP_DIR"' EXIT

# Download the IOC CSV and keep only its first column (package name):
# drop the header row, strip CR and surrounding whitespace, dedupe.
# -f makes curl fail on an HTTP error instead of saving an error page as CSV.
curl -fsSL "$CSV_URL" -o "$AFFECTED_CSV"
tail -n +2 "$AFFECTED_CSV" \
  | cut -d',' -f1 \
  | tr -d '\r' \
  | sed 's/^[ \t]*//;s/[ \t]*$//' \
  | sort -u \
  > "$AFFECTED_LIST"

# Determine repos to scan
if [[ "$TARGET" == */* ]]; then
  # Single repo
  echo "$TARGET" > "$TMP_DIR/repos.txt"
else
  # All repos under org/user. Note: --limit 500 silently truncates larger orgs.
  gh repo list "$TARGET" --limit 500 --json name \
    -q '.[].name' | sed "s|^|$TARGET/|" > "$TMP_DIR/repos.txt"
fi

export AFFECTED_LIST
export TMP_DIR

scan_repo() {
  local repo="$1"
  # Per-worker scratch file: workers run in parallel, so a shared
  # $TMP_DIR/pkg.json would be overwritten mid-scan by another worker.
  local pkg_json
  pkg_json="$(mktemp "$TMP_DIR/pkg.XXXXXX")"

  # Fetch the root package.json quietly; repos without one are skipped.
  # (gh api --jq prints the string raw, so $content is the base64 body.)
  local content
  if ! content="$(gh api "repos/$repo/contents/package.json" --jq '.content' 2>/dev/null)"; then
    rm -f "$pkg_json"
    return 0
  fi
  if ! printf '%s\n' "$content" | base64 --decode > "$pkg_json" 2>/dev/null; then
    rm -f "$pkg_json"
    return 0
  fi

  # One jq pass instead of one jq process per IOC entry: collect the names
  # of every declared dependency and keep those present in the affected
  # list (names only; versions are not checked).
  local found=()
  mapfile -t found < <(jq -r --rawfile list "$AFFECTED_LIST" '
    ($list | split("\n") | map(select(length > 0))
      | map({key: ., value: true}) | from_entries) as $bad
    | [.dependencies, .devDependencies, .peerDependencies, .optionalDependencies]
    | map(select(type == "object") | keys[])
    | unique
    | .[]
    | select($bad[.] == true)
  ' "$pkg_json" 2>/dev/null)
  rm -f "$pkg_json"

  if [[ ${#found[@]} -gt 0 ]]; then
    # Build the report and emit it with a single printf so the output of
    # parallel workers does not interleave line by line.
    local report="$repo"
    local f
    for f in "${found[@]}"; do
      report+=$'\n'" - $f"
    done
    printf '%s\n' "$report"
  fi
}
export -f scan_repo

# Run in parallel (8 workers); each worker is a child bash that inherits
# the exported function and variables.
xargs -P 8 -I{} bash -c 'scan_repo "$@"' _ {} < "$TMP_DIR/repos.txt"
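Added example, not part of the gist above. The script matches by package name only, so a hit says a repo depends on a package that had compromised versions published, not that a compromised version is actually installed. The check a practitioner wants next is against the lockfile, by exact name and version. The function below does that for package-lock.json v1 (the "dependencies" tree) and v2/v3 (the "packages" map), using jq 1.6+. It assumes (an assumption made here, not verified against the Wiz CSV) that the IOC CSV has a header row followed by name,version columns; the lockfiles and IOC rows it runs on are constructed inline for the demo and are not real indicators.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): exact name@version matching of a
# package-lock.json against an IOC CSV. Assumes the CSV is "name,version"
# with a header row (an assumption). Requires jq >= 1.6 (--rawfile).
set -euo pipefail

# check_lockfile LOCKFILE IOC_CSV
# Prints "name version" for every installed package whose exact version is
# listed in the CSV, one per line, sorted and deduplicated. Empty output
# means no exact match.
check_lockfile() {
  local lockfile="$1" ioc_csv="$2"
  jq -r --rawfile csv "$ioc_csv" '
    # Build {"name@version": true} from the CSV: skip the header, strip CR
    # and surrounding whitespace from each field, ignore blank lines.
    ($csv | split("\n") | .[1:]
      | map(gsub("\r$"; "")
            | select(length > 0)
            | split(",") | .[0:2]
            | map(gsub("^\\s+|\\s+$"; "")))
      | map({key: join("@"), value: true})
      | from_entries) as $bad
    # v2/v3: keys look like "node_modules/@scope/pkg", possibly nested
    # under another package; the last "node_modules/" segment is the name.
    | [ (.packages // {}) | to_entries[]
        | select(.key | startswith("node_modules/"))
        | {name: (.key | split("node_modules/") | last), version: .value.version} ]
    # v1: walk the "dependencies" tree recursively; every object entry that
    # carries a "version" is an installed package.
      + [ (.dependencies // {}) | .. | objects | to_entries[]
          | select((.value | type) == "object")
          | select(.value | has("version"))
          | {name: .key, version: .value.version} ]
    | map(select(.version != null))          # drops link: true entries
    | map(select($bad[.name + "@" + .version] == true))
    | unique_by(.name + "@" + .version)
    | .[]
    | "\(.name) \(.version)"
  ' "$lockfile"
}

# --- constructed sample inputs (not real IOCs, not real projects) ---------
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_IOC="$SAMPLE_DIR/ioc.csv"
SAMPLE_LOCK_V3="$SAMPLE_DIR/package-lock.v3.json"
SAMPLE_LOCK_V1="$SAMPLE_DIR/package-lock.v1.json"

# CRLF line endings and a stray space, as exported CSVs often have.
printf 'name,version\r\n@acme/widget, 2.3.4\r\nfoo,1.2.0\r\nbar,0.0.1\r\n' > "$SAMPLE_IOC"

# v3: foo is present but at a version not in the list; @acme/widget 2.3.4
# appears twice (root and nested) and must be reported once; a link entry
# has no version and must be ignored.
cat > "$SAMPLE_LOCK_V3" <<'EOF'
{
  "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "version": "1.0.0",
         "dependencies": {"@acme/widget": "^2.3.0", "foo": "^1.0.0"}},
    "node_modules/@acme/widget": {"version": "2.3.4"},
    "node_modules/foo": {"version": "1.1.0"},
    "node_modules/foo/node_modules/@acme/widget": {"version": "2.3.4"},
    "node_modules/linked": {"resolved": "../linked", "link": true}
  }
}
EOF

# v1: nested "dependencies" and a "requires" map (string values, must be
# skipped); both foo 1.2.0 and bar 0.0.1 are exact matches.
cat > "$SAMPLE_LOCK_V1" <<'EOF'
{
  "lockfileVersion": 1,
  "dependencies": {
    "foo": {"version": "1.2.0", "requires": {"bar": "0.0.1"},
            "dependencies": {"bar": {"version": "0.0.1"}}},
    "left-pad": {"version": "1.3.0"}
  }
}
EOF

echo "v3 lockfile hits:"; check_lockfile "$SAMPLE_LOCK_V3" "$SAMPLE_IOC"
echo "v1 lockfile hits:"; check_lockfile "$SAMPLE_LOCK_V1" "$SAMPLE_IOC"
```

To use it on a real checkout, point it at the repo's package-lock.json and the downloaded IOC CSV; an empty result means none of the installed versions is listed, which is the confirmation the name-only scan above cannot give.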
maelvls commented Nov 27, 2025

This script requires gh. To validate that this script works, you can run:

./shai-hulud-checker.sh Bogorg/sha1-hulud-installer

which will print the list of affected libs.
