As of November 25th, 2025, the Shai Hulud 2 supply-chain incident is still in the process of being documented. To help developers verify their own projects, I created a small Bash script that checks installed package versions against the list published by Wiz Security.
GitHub: https://github.com/opctim/shai-hulud-2-check
What the script does
The script walks through your project directory, scanning package-lock.json, pnpm-lock.yaml and yarn.lock files.
It extracts all installed package versions and checks them against the Shai Hulud 2 indicator list.
You can also point it to a custom CSV file via an environment variable if you prefer offline or internal data sources.
If any compromised version is found, the script exits with a non-zero status, making it easy to integrate into CI pipelines.
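The following is an added example of how a scanner with this shape can be built; it is not the code from the repository above. It extracts name@version pairs from the three lockfile formats, compares them exactly against a CSV indicator list and exits non-zero on a hit. The lockfile layouts it relies on (npm lockfileVersion 2/3 with one field per line, yarn classic v1, pnpm v6/v9 `packages:` keys) and the CSV layout (`name,version` rows with an optional header) are assumptions; every package name, version and indicator row below is a constructed placeholder, not a real indicator of compromise.

```bash
#!/usr/bin/env bash
# Added example (not the code from github.com/opctim/shai-hulud-2-check):
# a minimal lockfile scanner of the same shape. All package names, versions
# and the indicator CSV below are constructed placeholders, not real IoCs.
set -u

# package-lock.json (lockfileVersion 2/3): keys look like "node_modules/<name>"
# and each entry has its own "version" line, one field per line as npm writes it.
extract_npm() {
  awk '
    /"node_modules\/[^"]+": *[{]/ {
      key = $0
      sub(/^[ \t]*"/, "", key); sub(/": *[{].*$/, "", key)
      n = split(key, parts, "node_modules/"); name = parts[n]   # innermost package
      next
    }
    name != "" && /"version": *"/ {
      v = $0; sub(/^[ \t]*"version": *"/, "", v); sub(/".*$/, "", v)
      print name "@" v; name = ""
    }' "$1"
}

# yarn.lock (classic v1): an unindented "<name>@<range>[, ...]:" header, then
# an indented  version "<x.y.z>"  line.
extract_yarn() {
  awk '
    /^[^ \t#].*:$/ {
      first = $0; sub(/:$/, "", first); sub(/,.*$/, "", first); gsub(/"/, "", first)
      idx = 0                                   # name = text before the LAST "@",
      for (i = length(first); i > 0; i--)       # so "@scope/name@^1.0.0" works too
        if (substr(first, i, 1) == "@") { idx = i; break }
      name = (idx > 1) ? substr(first, 1, idx - 1) : first
      next
    }
    name != "" && /^[ \t]+version "/ {
      v = $0; sub(/^[ \t]+version "/, "", v); sub(/".*$/, "", v)
      print name "@" v; name = ""
    }' "$1"
}

# pnpm-lock.yaml (v6/v9): inside "packages:", each entry is a two-space indented
# "<name>@<version>:" key (v6 adds a leading "/", peer deps appear in parentheses).
extract_pnpm() {
  tr -d "'\"" < "$1" | awk '
    /^packages:/ { inpk = 1; next }
    inpk && /^[^ \t]/ { inpk = 0 }
    inpk && /^  [^ \t].*:$/ {
      k = $0; sub(/^  \/?/, "", k); sub(/:$/, "", k); sub(/\(.*$/, "", k)
      print k
    }'
}

# Compare every name@version in the tree against the CSV ("name,version" rows,
# optional header; this layout is an assumption). Prints "<lockfile>: <name>@<version>"
# per hit and returns 1 if anything matched, 0 otherwise (CI-friendly).
check_lockfiles() {
  local dir="$1" csv="$2" found=0 ind list
  ind=$(mktemp); list=$(mktemp)
  awk -F, 'NR == 1 && tolower($1) == "name" { next }
           NF >= 2 { gsub(/[ \t\r]/, "", $1); gsub(/[ \t\r]/, "", $2); print $1 "@" $2 }' \
      "$csv" > "$ind"
  # Lockfiles shipped inside installed dependencies describe someone else's tree; skip them.
  find "$dir" -path '*/node_modules' -prune -o \
       \( -name package-lock.json -o -name yarn.lock -o -name pnpm-lock.yaml \) \
       -type f -print > "$list"
  while IFS= read -r lock; do
    local pkgs hits
    case "$(basename "$lock")" in
      package-lock.json) pkgs=$(extract_npm "$lock") ;;
      yarn.lock)         pkgs=$(extract_yarn "$lock") ;;
      pnpm-lock.yaml)    pkgs=$(extract_pnpm "$lock") ;;
      *)                 continue ;;
    esac
    # Fixed-string, whole-line matches only: "demo-widget@2.1.0" must not match "2.1.0-beta".
    hits=$(printf '%s\n' "$pkgs" | sort -u | grep -F -x -f "$ind" || true)
    if [ -n "$hits" ]; then
      found=1
      printf '%s\n' "$hits" | awk -v f="$lock" '{ print f ": " $0 }'
    fi
  done < "$list"
  rm -f "$ind" "$list"
  [ "$found" -eq 0 ]
}

# Builds a throwaway project tree with all three lockfile kinds plus a constructed
# indicator CSV, so the scanner can be exercised offline. Returns the directory path.
make_sample_project() {
  local dir; dir=$(mktemp -d)
  mkdir -p "$dir/app/node_modules/skip" "$dir/lib"
  cat > "$dir/app/package-lock.json" <<'EOF'
{
  "name": "app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "app",
      "version": "0.0.1"
    },
    "node_modules/demo-widget": {
      "version": "2.1.0",
      "resolved": "https://registry.example/demo-widget-2.1.0.tgz"
    },
    "node_modules/@demo/scoped": {
      "version": "9.9.9"
    },
    "node_modules/demo-widget/node_modules/nested-util": {
      "version": "1.0.0"
    }
  }
}
EOF
  # A lockfile under node_modules must be ignored even though it contains a hit.
  cp "$dir/app/package-lock.json" "$dir/app/node_modules/skip/package-lock.json"
  cat > "$dir/lib/yarn.lock" <<'EOF'
# yarn lockfile v1

"@demo/scoped@^9.0.0":
  version "9.9.9"

demo-widget@^2.0.0, demo-widget@^2.1.0:
  version "2.2.0"
EOF
  cat > "$dir/lib/pnpm-lock.yaml" <<'EOF'
lockfileVersion: '9.0'

packages:

  demo-widget@2.1.0:
    resolution: {integrity: sha512-placeholder}

  '@demo/scoped@9.9.9':
    resolution: {integrity: sha512-placeholder}

snapshots:

  demo-widget@2.1.0: {}
EOF
  # Constructed indicator list: placeholder names, NOT the published Wiz data.
  cat > "$dir/indicators.csv" <<'EOF'
name,version
demo-widget,2.1.0
@demo/scoped,9.9.9
EOF
  printf '%s\n' "$dir"
}

# Stand-alone use:  ./scan-lockfiles.sh <project-dir> <indicators.csv>
# With fewer than two arguments nothing runs, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  check_lockfiles "$1" "$2"
  exit $?
fi
```

In a pipeline the only contract that matters is the exit status: a step running `check_lockfiles . indicators.csv` fails the job on any hit, and the printed `<lockfile>: <name>@<version>` lines tell the reviewer which lockfile to pin or roll back. Matching is done on exact `name@version` strings rather than version ranges on purpose, since the indicator list names specific published versions.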
Contribute / Improve / Extend
I’m not looking for attention; I just hope the tool is useful.
If you find anything that needs improvement: feel free to contribute.