Red-Hat-Information-Security/Incident-Response

GitHub: Red-Hat-Information-Security/Incident-Response

An incident response toolset maintained by Red Hat, used mainly to detect known malicious packages and supply-chain attack indicators in npm projects.

Stars: 16 | Forks: 6

# Red Hat Information Risk and Security

## Incident Response Tools

### shai-hulud-package-check.py

Specifically checks for packages affected by Shai-Hulud, as well as common indicators of compromise.

Usage:

- Download the script

```
chmod +x shai-hulud-package-check.py
./shai-hulud-package-check.py
```

### npm-malicious-package-check.py

A general-purpose script for checking for malicious packages (including the packages affected by Shai-Hulud).

Usage:

- Download the script

```
chmod +x npm-malicious-package-check.py
./npm-malicious-package-check.py
```

#### Example output (no findings):

```
===============================================================================
DISCLAIMER
-------------------------------------------------------------------------------
This script can miss things. It's meant to be a basic check against packages
in the following sources with specific versions listed:
- https://github.com/ossf/malicious-packages
- https://github.com/red-hat-information-security/incident-response
===============================================================================
Fetching OSSF malicious package db...
Loading OSSF malicious package db...
Fetching RHIS malicious package db...
Loading RHIS malicious package db...
Fetching RHIS malicious package IOC db...
Loading RHIS malicious package IOC db...
Scanning for Indicators of Compromise (IoCs)...

[PHEW] No malicious packages found
```

#### Example output (with findings):

```
===============================================================================
DISCLAIMER
-------------------------------------------------------------------------------
This script can miss things. It's meant to be a basic check against packages
in the following sources with specific versions listed:
- https://github.com/ossf/malicious-packages
- https://github.com/red-hat-information-security/incident-response
===============================================================================
Fetching OSSF malicious package db...
Loading OSSF malicious package db...
Fetching RHIS malicious package db...
Loading RHIS malicious package db...
Fetching RHIS malicious package IOC db...
Loading RHIS malicious package IOC db...
Scanning for Indicators of Compromise (IoCs)...

[WARNING] Malicious Package IoC(s) Found:

  - Finding:  Malicious Package: zxdb@2.0.0
    Context:  Source: OSSF Malicious Package DB
    Location: /home/myuser/foo/package.json

  - Finding:  IoC: Malicious post-install script in node_modules directories
    Context:  Campaign: Sha1-Hulud: The Second Coming
    Location: /home/myuser/foo/node_modules/foo/bun_environment.js

  - Finding:  Malicious Package: 02-echo@0.0.7
    Context:  Campaign: Sha1-Hulud: The Second Coming
    Location: /home/myuser/bar/package.json

[IMPORTANT] Please include the following in your ticket to InfoSec:
  - ALL OF THE SCRIPT OUTPUT ABOVE
  - Username: myuser
  - Hostname: myhost
  - Timestamp: 1764186765
```

#### Disclaimer

This is based on the OSSF malicious-packages repository together with some lists of specific packages of our own; there may be new packages that have not yet been added to the dataset.

## Maintenance notes

For those working on this project, you can run `make sync` to refresh the OSSF malicious package list in the repository and commit the change. We currently use a snapshot of that repository rather than cloning it fresh on each person's machine, because the repository has become very large and can cause cloning problems. Removing the git dependency from the script is also a nice side effect.
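As an added example (not code from the repository), the following Python sketch shows the two kinds of finding the output above reports: exactly pinned dependencies in `package.json` matched against a `name@version` list, and a known IoC file name under `node_modules`. The malicious-package set and IoC file name are constructed here from the README's sample output; the real scripts fetch their databases from the sources named in the disclaimer.

```python
import json
import os
import tempfile

# Constructed sample database in name@version form. The two entries are taken from the
# README's example output; the set itself is built here for illustration only.
MALICIOUS_PACKAGES = {"zxdb@2.0.0", "02-echo@0.0.7"}
# Constructed IoC table: file name dropped by a campaign -> campaign label from the example output.
IOC_FILENAMES = {"bun_environment.js": "Sha1-Hulud: The Second Coming"}

def pinned_dependencies(package_json_path):
    """Yield (name, version) for exactly pinned dependencies. Range specifiers such as
    "^0.0.7" are skipped because the database lists specific versions only, which is one
    reason a check like this can miss things, as the README's disclaimer says."""
    with open(package_json_path) as fh:
        manifest = json.load(fh)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if spec and spec[0].isdigit():  # "2.0.0" is a pin; "^2.0.0" or "latest" is not
                yield name, spec

def scan_project(root):
    """Return findings for one project directory: malicious pinned packages in package.json
    and IoC file names anywhere under node_modules."""
    findings = []
    manifest = os.path.join(root, "package.json")
    if os.path.isfile(manifest):
        for name, version in pinned_dependencies(manifest):
            key = f"{name}@{version}"
            if key in MALICIOUS_PACKAGES:
                findings.append({"finding": f"Malicious Package: {key}", "location": manifest})
    for dirpath, _dirs, files in os.walk(os.path.join(root, "node_modules")):
        for fname in files:
            if fname in IOC_FILENAMES:
                findings.append({"finding": "IoC: Malicious post-install script in node_modules directories",
                                 "campaign": IOC_FILENAMES[fname],
                                 "location": os.path.join(dirpath, fname)})
    return findings

def build_demo_project():
    """Create a throwaway project (constructed input) with one malicious pin, one range
    specifier that is deliberately not matched, and one IoC file; returns its path."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"dependencies": {"zxdb": "2.0.0", "express": "^4.18.0"},
                   "devDependencies": {"02-echo": "^0.0.7"}}, fh)
    os.makedirs(os.path.join(root, "node_modules", "foo"))
    open(os.path.join(root, "node_modules", "foo", "bun_environment.js"), "w").close()
    return root

if __name__ == "__main__":
    for finding in scan_project(build_demo_project()):
        print(finding)
```

Running it reports the `zxdb@2.0.0` pin and the `bun_environment.js` file but not the `^0.0.7` range, which is exactly the gap a version-list check leaves open.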
Tags: npm security, Python, Shai-Hulud, package manager, indicators of compromise, threat intelligence, security scripts, library, incident response, developer tools, malicious packages, no backdoor, dark UI, system check, Red Hat, unified API, reverse-engineering tools