One-liner to find (vulnerable) NPM package versions in all your repos

Recently, quite a few NPM packages with millions of downloads were brutally hacked, and malware was injected [1, 2]

Turned out, there is no easy way to determine whether an affected version is present in node_modules of all components of my apps, including dependencies of dependencies (I tried NPM audit, NPM list, and folder search, all were cumbersome and quite hard to apply to a containerized multi-repo app). The problem with such packages is also that it may be enough to have them on your computer or a build system to get fully compromised,

I came up with a simple bash one-liner that anyone can run in their dev folders – simply add the list of sub-folders to scan as TARGETS and the name of a culprit package – i.e. “rc” as CULPRIT.

CULPRIT="rc"; TARGETS=( "awesome-repo-1" "awesome-repo-2" ); for element in "${TARGETS[@]}"; do echo "Checking $element"; find $element/node_modules -path "*/$CULPRIT/**" -prune -name "package.json" -exec cat {} + | grep -e \"version\": -e _location ; done

This script will print out the versions of the component and their locations. And then it is up to you to read into the details of CVE and find out whether you are hacked or not… yet.

Also, link to Github Gist.

Alternatively, to scan all child folders and their node_modules without picking individual repos:

CULPRIT="rc"; for element in *; do; if [ -d "$element" ]; then echo "Checking $element"; find $element/node_modules -path "*/$CULPRIT/**" -prune -name "package.json" -exec cat {} + | grep -e \"version\": -e _location ; fi; done

Happy hunting!

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s