Last active
September 17, 2025 10:48
Check whether a project's npm deps contain backdoored packages
```bash
# finds all folders containing a `node_modules` folder and runs the check in each
# (-print0 together with read -d '' keeps paths that contain whitespace intact)
find . -type d -name node_modules -prune -print0 | while IFS= read -r -d '' dir; do
  (
    cd "$dir/.." || exit 1
    echo "Checking $PWD"
    npm ls --all --depth=Infinity @ahmedhfarag/ngx-perfect-scrollbar @ahmedhfarag/ngx-virtual-scroller @art-ws/common @art-ws/config-eslint @art-ws/config-ts @art-ws/db-context @art-ws/di @art-ws/di-node @art-ws/eslint @art-ws/fastify-http-server @art-ws/http-server @art-ws/openapi @art-ws/package-base @art-ws/prettier @art-ws/slf @art-ws/ssl-info @art-ws/web-app @crowdstrike/commitlint @crowdstrike/falcon-shoelace @crowdstrike/foundry-js @crowdstrike/glide-core @crowdstrike/logscale-dashboard @crowdstrike/logscale-file-editor @crowdstrike/logscale-parser-edit @crowdstrike/logscale-search @crowdstrike/tailwind-toucan-base @ctrl/deluge @ctrl/golang-template @ctrl/magnet-link @ctrl/ngx-codemirror @ctrl/ngx-csv @ctrl/ngx-emoji-mart @ctrl/ngx-rightclick @ctrl/qbittorrent @ctrl/react-adsense @ctrl/shared-torrent @ctrl/tinycolor @ctrl/torrent-file @ctrl/transmission @ctrl/ts-base32 @hestjs/core @hestjs/cqrs @hestjs/demo @hestjs/eslint-config @hestjs/logger @hestjs/scalar @hestjs/validation @nativescript-community/arraybuffers @nativescript-community/gesturehandler @nativescript-community/perms @nativescript-community/sqlite @nativescript-community/text @nativescript-community/typeorm @nativescript-community/ui-collectionview @nativescript-community/ui-document-picker @nativescript-community/ui-drawer @nativescript-community/ui-image @nativescript-community/ui-label @nativescript-community/ui-material-bottom-navigation @nativescript-community/ui-material-bottomsheet @nativescript-community/ui-material-core @nativescript-community/ui-material-core-tabs @nativescript-community/ui-material-ripple @nativescript-community/ui-material-tabs @nativescript-community/ui-pager @nativescript-community/ui-pulltorefresh @nexe/config-manager @nexe/eslint-config @nexe/logger @nstudio/angular @nstudio/focus @nstudio/nativescript-checkbox @nstudio/nativescript-loading-indicator @nstudio/ui-collectionview @nstudio/web @nstudio/web-angular @nstudio/xplat @nstudio/xplat-utils @operato/board @operato/data-grist @operato/graphql @operato/headroom @operato/help @operato/i18n @operato/input @operato/layout @operato/popup @operato/pull-to-refresh @operato/shell @operato/styles @operato/utils @teselagen/bounce-loader @teselagen/liquibase-tools @teselagen/range-utils @teselagen/react-list @teselagen/react-table @thangved/callback-window @things-factory/attachment-base @things-factory/auth-base @things-factory/email-base @things-factory/env @things-factory/integration-base @things-factory/integration-marketplace @things-factory/shell @tnf-dev/api @tnf-dev/core @tnf-dev/js @tnf-dev/mui @tnf-dev/react @ui-ux-gang/devextreme-angular-rpk @yoobic/design-system @yoobic/jpeg-camera-es6 @yoobic/yobi airchief airpilot angulartics2 browser-webdriver-downloader capacitor-notificationhandler capacitor-plugin-healthapp capacitor-plugin-ihealth capacitor-plugin-vonage capacitorandroidpermissions config-cordova cordova-plugin-voxeet2 cordova-voxeet create-hest-app db-evo devextreme-angular-rpk ember-browser-services ember-headless-form ember-headless-form-yup ember-headless-table ember-url-hash-polyfill ember-velcro encounter-playground eslint-config-crowdstrike eslint-config-crowdstrike-node eslint-config-teselagen globalize-rpk graphql-sequelize-teselagen html-to-base64-image json-rules-engine-simplified jumpgate koa2-swagger-ui mcfly-semantic-release mcp-knowledge-base mcp-knowledge-graph mobioffice-cli monorepo-next mstate-angular mstate-cli mstate-dev-react mstate-react ng2-file-upload ngx-bootstrap ngx-color ngx-toastr ngx-trend ngx-ws oradm-to-gql oradm-to-sqlz ove-auto-annotate pm2-gelf-json printjs-rpk react-complaint-image react-jsonschema-form-conditionals remark-preset-lint-crowdstrike rxnt-authentication rxnt-healthchecks-nestjs rxnt-kue swc-plugin-component-annotate tbssnch teselagen-interval-tree tg-client-query-builder tg-redbird tg-seq-gen thangved-react-grid ts-gaussian ts-imports tvi-cli ve-bamreader ve-editor verror-extra voip-callkit wdio-web-reporter yargs-help-output yoo-styles
  )
done
```
```bash
# package list source: https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
# checks if your project/system contains any of the compromised packages at ANY version
# if the output is empty - you're good
# if the output contains packages - cross check against the list given in the article above

# checks the current project
npm ls --all --depth=Infinity @ahmedhfarag/ngx-perfect-scrollbar @ahmedhfarag/ngx-virtual-scroller @art-ws/common @art-ws/config-eslint @art-ws/config-ts @art-ws/db-context @art-ws/di @art-ws/di-node @art-ws/eslint @art-ws/fastify-http-server @art-ws/http-server @art-ws/openapi @art-ws/package-base @art-ws/prettier @art-ws/slf @art-ws/ssl-info @art-ws/web-app @crowdstrike/commitlint @crowdstrike/falcon-shoelace @crowdstrike/foundry-js @crowdstrike/glide-core @crowdstrike/logscale-dashboard @crowdstrike/logscale-file-editor @crowdstrike/logscale-parser-edit @crowdstrike/logscale-search @crowdstrike/tailwind-toucan-base @ctrl/deluge @ctrl/golang-template @ctrl/magnet-link @ctrl/ngx-codemirror @ctrl/ngx-csv @ctrl/ngx-emoji-mart @ctrl/ngx-rightclick @ctrl/qbittorrent @ctrl/react-adsense @ctrl/shared-torrent @ctrl/tinycolor @ctrl/torrent-file @ctrl/transmission @ctrl/ts-base32 @hestjs/core @hestjs/cqrs @hestjs/demo @hestjs/eslint-config @hestjs/logger @hestjs/scalar @hestjs/validation @nativescript-community/arraybuffers @nativescript-community/gesturehandler @nativescript-community/perms @nativescript-community/sqlite @nativescript-community/text @nativescript-community/typeorm @nativescript-community/ui-collectionview @nativescript-community/ui-document-picker @nativescript-community/ui-drawer @nativescript-community/ui-image @nativescript-community/ui-label @nativescript-community/ui-material-bottom-navigation @nativescript-community/ui-material-bottomsheet @nativescript-community/ui-material-core @nativescript-community/ui-material-core-tabs @nativescript-community/ui-material-ripple @nativescript-community/ui-material-tabs @nativescript-community/ui-pager @nativescript-community/ui-pulltorefresh @nexe/config-manager @nexe/eslint-config @nexe/logger @nstudio/angular @nstudio/focus @nstudio/nativescript-checkbox @nstudio/nativescript-loading-indicator @nstudio/ui-collectionview @nstudio/web @nstudio/web-angular @nstudio/xplat @nstudio/xplat-utils @operato/board @operato/data-grist @operato/graphql @operato/headroom @operato/help @operato/i18n @operato/input @operato/layout @operato/popup @operato/pull-to-refresh @operato/shell @operato/styles @operato/utils @teselagen/bounce-loader @teselagen/liquibase-tools @teselagen/range-utils @teselagen/react-list @teselagen/react-table @thangved/callback-window @things-factory/attachment-base @things-factory/auth-base @things-factory/email-base @things-factory/env @things-factory/integration-base @things-factory/integration-marketplace @things-factory/shell @tnf-dev/api @tnf-dev/core @tnf-dev/js @tnf-dev/mui @tnf-dev/react @ui-ux-gang/devextreme-angular-rpk @yoobic/design-system @yoobic/jpeg-camera-es6 @yoobic/yobi airchief airpilot angulartics2 browser-webdriver-downloader capacitor-notificationhandler capacitor-plugin-healthapp capacitor-plugin-ihealth capacitor-plugin-vonage capacitorandroidpermissions config-cordova cordova-plugin-voxeet2 cordova-voxeet create-hest-app db-evo devextreme-angular-rpk ember-browser-services ember-headless-form ember-headless-form-yup ember-headless-table ember-url-hash-polyfill ember-velcro encounter-playground eslint-config-crowdstrike eslint-config-crowdstrike-node eslint-config-teselagen globalize-rpk graphql-sequelize-teselagen html-to-base64-image json-rules-engine-simplified jumpgate koa2-swagger-ui mcfly-semantic-release mcp-knowledge-base mcp-knowledge-graph mobioffice-cli monorepo-next mstate-angular mstate-cli mstate-dev-react mstate-react ng2-file-upload ngx-bootstrap ngx-color ngx-toastr ngx-trend ngx-ws oradm-to-gql oradm-to-sqlz ove-auto-annotate pm2-gelf-json printjs-rpk react-complaint-image react-jsonschema-form-conditionals remark-preset-lint-crowdstrike rxnt-authentication rxnt-healthchecks-nestjs rxnt-kue swc-plugin-component-annotate tbssnch teselagen-interval-tree tg-client-query-builder tg-redbird tg-seq-gen thangved-react-grid ts-gaussian ts-imports tvi-cli ve-bamreader ve-editor verror-extra voip-callkit wdio-web-reporter yargs-help-output yoo-styles

# checks the global npm cache
# (grep -E rather than -P: the pattern is plain alternation, and -P is GNU-only, so -E also works on macOS/BSD grep)
npm cache ls | grep -E '(@ahmedhfarag/ngx-perfect-scrollbar|@ahmedhfarag/ngx-virtual-scroller|@art-ws/common|@art-ws/config-eslint|@art-ws/config-ts|@art-ws/db-context|@art-ws/di|@art-ws/di-node|@art-ws/eslint|@art-ws/fastify-http-server|@art-ws/http-server|@art-ws/openapi|@art-ws/package-base|@art-ws/prettier|@art-ws/slf|@art-ws/ssl-info|@art-ws/web-app|@crowdstrike/commitlint|@crowdstrike/falcon-shoelace|@crowdstrike/foundry-js|@crowdstrike/glide-core|@crowdstrike/logscale-dashboard|@crowdstrike/logscale-file-editor|@crowdstrike/logscale-parser-edit|@crowdstrike/logscale-search|@crowdstrike/tailwind-toucan-base|@ctrl/deluge|@ctrl/golang-template|@ctrl/magnet-link|@ctrl/ngx-codemirror|@ctrl/ngx-csv|@ctrl/ngx-emoji-mart|@ctrl/ngx-rightclick|@ctrl/qbittorrent|@ctrl/react-adsense|@ctrl/shared-torrent|@ctrl/tinycolor|@ctrl/torrent-file|@ctrl/transmission|@ctrl/ts-base32|@hestjs/core|@hestjs/cqrs|@hestjs/demo|@hestjs/eslint-config|@hestjs/logger|@hestjs/scalar|@hestjs/validation|@nativescript-community/arraybuffers|@nativescript-community/gesturehandler|@nativescript-community/perms|@nativescript-community/sqlite|@nativescript-community/text|@nativescript-community/typeorm|@nativescript-community/ui-collectionview|@nativescript-community/ui-document-picker|@nativescript-community/ui-drawer|@nativescript-community/ui-image|@nativescript-community/ui-label|@nativescript-community/ui-material-bottom-navigation|@nativescript-community/ui-material-bottomsheet|@nativescript-community/ui-material-core|@nativescript-community/ui-material-core-tabs|@nativescript-community/ui-material-ripple|@nativescript-community/ui-material-tabs|@nativescript-community/ui-pager|@nativescript-community/ui-pulltorefresh|@nexe/config-manager|@nexe/eslint-config|@nexe/logger|@nstudio/angular|@nstudio/focus|@nstudio/nativescript-checkbox|@nstudio/nativescript-loading-indicator|@nstudio/ui-collectionview|@nstudio/web|@nstudio/web-angular|@nstudio/xplat|@nstudio/xplat-utils|@operato/board|@operato/data-grist|@operato/graphql|@operato/headroom|@operato/help|@operato/i18n|@operato/input|@operato/layout|@operato/popup|@operato/pull-to-refresh|@operato/shell|@operato/styles|@operato/utils|@teselagen/bounce-loader|@teselagen/liquibase-tools|@teselagen/range-utils|@teselagen/react-list|@teselagen/react-table|@thangved/callback-window|@things-factory/attachment-base|@things-factory/auth-base|@things-factory/email-base|@things-factory/env|@things-factory/integration-base|@things-factory/integration-marketplace|@things-factory/shell|@tnf-dev/api|@tnf-dev/core|@tnf-dev/js|@tnf-dev/mui|@tnf-dev/react|@ui-ux-gang/devextreme-angular-rpk|@yoobic/design-system|@yoobic/jpeg-camera-es6|@yoobic/yobi|airchief|airpilot|angulartics2|browser-webdriver-downloader|capacitor-notificationhandler|capacitor-plugin-healthapp|capacitor-plugin-ihealth|capacitor-plugin-vonage|capacitorandroidpermissions|config-cordova|cordova-plugin-voxeet2|cordova-voxeet|create-hest-app|db-evo|devextreme-angular-rpk|ember-browser-services|ember-headless-form|ember-headless-form-yup|ember-headless-table|ember-url-hash-polyfill|ember-velcro|encounter-playground|eslint-config-crowdstrike|eslint-config-crowdstrike-node|eslint-config-teselagen|globalize-rpk|graphql-sequelize-teselagen|html-to-base64-image|json-rules-engine-simplified|jumpgate|koa2-swagger-ui|mcfly-semantic-release|mcp-knowledge-base|mcp-knowledge-graph|mobioffice-cli|monorepo-next|mstate-angular|mstate-cli|mstate-dev-react|mstate-react|ng2-file-upload|ngx-bootstrap|ngx-color|ngx-toastr|ngx-trend|ngx-ws|oradm-to-gql|oradm-to-sqlz|ove-auto-annotate|pm2-gelf-json|printjs-rpk|react-complaint-image|react-jsonschema-form-conditionals|remark-preset-lint-crowdstrike|rxnt-authentication|rxnt-healthchecks-nestjs|rxnt-kue|swc-plugin-component-annotate|tbssnch|teselagen-interval-tree|tg-client-query-builder|tg-redbird|tg-seq-gen|thangved-react-grid|ts-gaussian|ts-imports|tvi-cli|ve-bamreader|ve-editor|verror-extra|voip-callkit|wdio-web-reporter|yargs-help-output|yoo-styles)'
```
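The `npm ls` checks above only see what is actually installed under `node_modules`. A complementary check, useful in CI or on a freshly cloned repo before anything is installed, is to scan `package-lock.json` directly, since the lockfile pins every package and version the next `npm install` will fetch, including transitively nested copies. The script below is an added example and not part of the gist: it reads lockfile v1, v2 and v3 layouts, derives each package name from its install path (the segment after the last `node_modules/`), and reports every hit with its version and lock path so the versions can be cross-checked against the article. The `COMPROMISED_NAMES` set holds only a handful of names from the list above for demonstration; the sample lockfile and its version numbers are constructed, not real indicators.

```python
"""Scan an npm lockfile for packages from a list of known-compromised names.

Added example, not part of the gist. Works offline from package-lock.json
(lockfile v1, v2 and v3), so it runs in CI before `npm install`.
"""
import json
import sys

# A few names copied from the gist's list above; paste the full list here
# (or load it from a file) for a real scan.
COMPROMISED_NAMES = frozenset({
    "@ctrl/tinycolor",
    "@crowdstrike/commitlint",
    "ngx-toastr",
    "ngx-bootstrap",
    "angulartics2",
})


def name_from_lock_path(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    return path.rsplit("node_modules/", 1)[-1]


def iter_lock_packages(lock: dict):
    """Yield (name, version, lock_path) for every package the lockfile pins."""
    # Lockfile v2/v3: flat "packages" map keyed by install path; "" is the root project.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        yield name_from_lock_path(path), meta.get("version", "?"), path
    # Lockfile v1: nested "dependencies" tree (v2 also carries it, but "packages"
    # already covers everything, so skip it there to avoid duplicates).
    if "packages" not in lock:
        stack = [(lock.get("dependencies", {}), "")]
        while stack:
            deps, prefix = stack.pop()
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield name, meta.get("version", "?"), path
                if "dependencies" in meta:
                    stack.append((meta["dependencies"], path + "/"))


def find_compromised(lock: dict, names=COMPROMISED_NAMES):
    """Return sorted (name, version, lock_path) tuples for listed packages in the lockfile."""
    return sorted((n, v, p) for n, v, p in iter_lock_packages(lock) if n in names)


def scan_lockfile(path: str, names=COMPROMISED_NAMES):
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh), names)


# Constructed sample lockfile (v3). The versions are made up for the demo and are
# not real indicators; one hit sits at the top level, one is nested under some-lib.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"ngx-toastr": "^1.0.0", "left-pad": "^1.3.0"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/ngx-toastr": {"version": "1.2.3"},
        "node_modules/some-lib": {"version": "2.0.0"},
        "node_modules/some-lib/node_modules/@ctrl/tinycolor": {"version": "9.9.9"},
    },
}

if __name__ == "__main__":
    # Usage: python scan_lock.py [path/to/package-lock.json]; no argument scans the sample.
    hits = scan_lockfile(sys.argv[1]) if len(sys.argv) > 1 else find_compromised(SAMPLE_LOCK)
    for name, version, path in hits:
        print(f"{name}@{version}  ({path})")
    if hits:
        print(f"{len(hits)} listed package(s) found: cross-check the versions against the article")
    else:
        print("no listed packages found")
```

Because the match is on the package name at any version, a hit is a prompt to compare the reported version with the article's list, exactly as the gist's comment says; a clean result only covers what the lockfile pins, so the `npm cache ls` check above is still worth running on developer machines.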