Detect malicious npm packages published by ~hacktask account
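#!/bin/bash
# Author: @radekk
# List of vulnerable packages is from https://twitter.com/iamakulov/status/892485192883073024
# ----------------------
# Usage: script.sh [DIRECTORY]
#   Walks DIRECTORY (default: the home directory) for package.json files and
#   reports any declared dependency whose name is on the known-bad list below.
# Requires: jq, grep, find (checked before the scan starts).
_IFS=$IFS
_COUNTER=0      # package.json files with at least one flagged dependency
_COUNTER_ALL=0  # package.json files scanned
_SCAN_PATH=${1:-~/}
# Fail fast on a bad path instead of silently reporting "0 files scanned"
# (find's errors are suppressed further down).
if [ ! -d "$_SCAN_PATH" ]; then
  printf "+ [ERROR] '%s' is not a directory\n" "$_SCAN_PATH" >&2
  exit 1
fi
# Exact npm package names published by the malicious account. This list is
# the single source of truth: _REGEXP is derived from it below, so an entry
# can no longer be present here but missing from the pattern (mssql-node and
# mysqljs were previously absent from the hand-written regex).
_VULN_PACKAGES="babelcli crossenv cross-env.js d3.js fabric-js ffmepg gruntcli http-proxy.js jquery.js mariadb mongose mssql.js mssql-node mysqljs nodecaffe nodefabric node-fabric nodeffmpeg nodemailer-js nodemailer.js nodemssql node-opencv node-opensl node-openssl noderequest nodesass nodesqlite node-sqlite node-tkinter opencv.js openssl.js proxy.js shadowsock smb sqlite.js sqliter sqlserver tkinter"
# Build an ERE alternation "(a|b|c)" from the list; '.' is a metacharacter in
# ERE, so escape it so that "d3.js" does not also match "d3xjs".
_REGEXP=""
for _pkg in $_VULN_PACKAGES; do
  _REGEXP="${_REGEXP:+${_REGEXP}|}${_pkg//./\\.}"
done
_REGEXP="(${_REGEXP})"
_REQUIRED_BIN="jq grep find"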
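# Abort before scanning if any required tool is missing. `command -v` is the
# portable builtin for this; `which` is an external program whose exit status
# and output differ between platforms. Diagnostics go to stderr so the
# findings on stdout stay machine-readable.
for app in $_REQUIRED_BIN; do
  if ! command -v "$app" > /dev/null 2>&1; then
    printf "+ [ERROR] '%s' is not installed\n" "$app" >&2
    exit 1
  fi
done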
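echo "+ Scanning your local package.json files in: ${_SCAN_PATH}"
echo "----------------------------------------------------------"

#######################################
# Decide whether one dependency name is on the known-bad list.
# Globals:   _REGEXP (read) - ERE alternation of known-bad package names
# Arguments: $1 - dependency name exactly as declared in package.json
# Returns:   0 if the whole name matches an entry (case-insensitive), 1 otherwise
#######################################
is_vuln_package() {
  # -x anchors the match to the whole line: without it a legitimate package
  # whose name merely contains a listed name (e.g. anything containing "smb"
  # or "tkinter") would be reported as malicious.
  printf '%s\n' "$1" | grep -Eiqx -- "$_REGEXP"
}

#######################################
# Print the dependency names declared in a package.json, one per line.
# Arguments: $1 - path to a package.json file
# Outputs:   dependency names on stdout; nothing if the file is not valid JSON
#######################################
list_dependencies() {
  # '// {}' substitutes an empty object for an absent section. Without it jq
  # raises an error on the missing key and stops, so a file with only
  # devDependencies would yield no names at all. optionalDependencies are
  # installed by default as well, so they are included.
  jq -r '(.dependencies // {}), (.devDependencies // {}), (.optionalDependencies // {}) | keys[]' "$1" 2> /dev/null
}

_COUNTER_PACKAGES=0  # flagged dependency entries across all files
# NUL-delimited find + read handles paths containing spaces or newlines; the
# process substitution keeps the loop in the current shell so the counters
# updated inside it survive the loop.
while IFS= read -r -d '' file; do
  _COUNTER_ALL=$((_COUNTER_ALL + 1))
  # Cheap pre-filter: only parse files whose text can contain a listed name.
  grep -Eiq -- "$_REGEXP" "$file" || continue
  _file_hits=0
  while IFS= read -r package; do
    if is_vuln_package "$package"; then
      printf '%s in %s\n' "$package" "$file"
      _file_hits=$((_file_hits + 1))
    fi
  done < <(list_dependencies "$file")
  # _COUNTER counts affected projects (files), as the summary line says;
  # per-package hits are accumulated separately.
  if [ "$_file_hits" -gt 0 ]; then
    _COUNTER=$((_COUNTER + 1))
    _COUNTER_PACKAGES=$((_COUNTER_PACKAGES + _file_hits))
  fi
done < <(find "$_SCAN_PATH" -type f -name 'package.json' -print0 2> /dev/null)
echo "----------------------------------------------------------"
echo "+ Scanning is done. Detected affected projects: ${_COUNTER} among all scanned ${_COUNTER_ALL} files."
echo "+ Flagged dependency entries in total: ${_COUNTER_PACKAGES}"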