Tool to find compromised npm packages under a directory, together with package lists of known compromised npm packages.

Requirements:
- GNU bash
- Node.js - https://nodejs.org
  - e.g. installed via Node Version Manager (NVM) - https://github.com/nvm-sh/nvm#git-install
Install:

```bash
cd ~/work
git clone https://github.com/solita/npm-malwares.git
```
Find, recursively under the current directory, compromised npm packages from a given package list:

```bash
cd ~/work
./npm-malwares/find-npm-packages.sh ./npm-malwares/crowd-strike-packages.txt
```
Find used packages regardless of version (the version part is stripped from the list first). A hit here does not mean you are infected; it only means you use some version of a package that was compromised.

```bash
./npm-malwares/find-npm-packages.sh <(sed 's/@[0-9].*$//g' ./npm-malwares/crowd-strike-packages.txt | sort -u)
```
Count the number of distinct packages in a list (run inside the npm-malwares directory):

```bash
sed 's/@[0-9].*$//g' crowd-strike-packages.txt | sort -u | wc -l
```
A package list is a UTF-8 text file containing one npm package specification per line, written as name@version-range (see `npm help list`), with lines separated by newline (\n) characters.
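As an added example that is not part of this repository (it is not `find-npm-packages.sh`), the script below shows what the two usage modes above amount to for a single project: it reads a package list in the name@version-range format just described, extracts the installed name@version pairs from a package-lock.json (npm lockfileVersion 2/3 layout, where entries are keyed by their node_modules path), and reports exact hits separately from the weaker name-only hits. The package list, the lockfile and every package name in them are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not the project's find-npm-packages.sh): a minimal scanner
# that reads a package list in the name@version-range format described above
# and checks one package-lock.json (npm lockfileVersion 2/3 layout) for
# exact name@version hits and for weaker name-only hits. All sample data
# below is constructed; the package names are invented for the demo.
set -eu
export LC_ALL=C            # same collation for sort and comm

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed package list, same line format as the lists in this repo.
cat > "$WORK/bad-packages.txt" <<'EOF'
left-pad-example@1.3.0
@example/ui-kit@2.1.0
harmless-tool@0.9.1
EOF

# Constructed package-lock.json (npm v7+ layout: "packages" keyed by path).
cat > "$WORK/package-lock.json" <<'EOF'
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-app", "version": "1.0.0" },
    "node_modules/left-pad-example": {
      "version": "1.3.0",
      "resolved": "https://registry.example/left-pad-example-1.3.0.tgz"
    },
    "node_modules/@example/ui-kit": {
      "version": "2.0.0"
    },
    "node_modules/@example/ui-kit/node_modules/harmless-tool": {
      "version": "0.9.1"
    }
  }
}
EOF

# Drop the @version-range suffix (same sed as the README) so only names remain.
# Scoped names are safe: their leading "@" is followed by a letter, not a digit.
strip_versions() {
  sed 's/@[0-9].*$//' "$1" | sort -u
}

# Print one name@version line per package in a lockfileVersion 2/3 file.
# The name is whatever follows the last "node_modules/" in the entry key, so
# nested copies and scoped packages are reported under their real name.
installed_packages() {
  awk '
    /"node_modules\/[^"]*": *[{]/ {
      key = $0
      sub(/^[^"]*"/, "", key); sub(/".*$/, "", key)
      sub(/.*node_modules\//, "", key)
      name = key
    }
    name != "" && /"version": *"/ {
      v = $0
      sub(/^[^:]*: *"/, "", v); sub(/".*$/, "", v)
      print name "@" v
      name = ""
    }
  ' "$1" | sort -u
}

# Exact hits: an installed name@version appears verbatim in the list.
exact_hits() {   # $1 = package list, $2 = package-lock.json
  sort -u "$1" > "$WORK/list.sorted"
  installed_packages "$2" > "$WORK/installed.sorted"
  comm -12 "$WORK/list.sorted" "$WORK/installed.sorted"
}

# Name-only hits: some version of a listed package is installed.
name_hits() {    # $1 = package list, $2 = package-lock.json
  strip_versions "$1" > "$WORK/names.sorted"
  installed_packages "$2" | sed 's/@[0-9].*$//' | sort -u > "$WORK/installed-names.sorted"
  comm -12 "$WORK/names.sorted" "$WORK/installed-names.sorted"
}

echo "Exact hits (installed version is on the list):"
exact_hits "$WORK/bad-packages.txt" "$WORK/package-lock.json"
echo "Name-only hits (some version of a listed package is installed):"
name_hits "$WORK/bad-packages.txt" "$WORK/package-lock.json"
```

In the constructed lockfile, `@example/ui-kit` is installed at 2.0.0 while the list names 2.1.0, so it shows up only as a name-only hit; the other two packages match exactly. A real scan would run this per lockfile found under the directory, which is the recursive part that the repository's script adds.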
Package lists and sources:
- crowd-strike-packages - https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
- reversing-packages - https://www.reversinglabs.com/blog/shai-hulud-worm-npm
- qix-packages - https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html