gauravvgat/axios-compromise-scan
axios-compromise-scan

Cross-platform scanner for exact matches to known compromised Node package versions in manifests, lockfiles, and installed package metadata.

Default targets:

The scanner works on macOS, Linux, and Windows and can scan a single repo, multiple roots, or a full machine path when explicitly requested.

Files

  • scripts/scan_compromised_versions.py: scanner
  • SKILL.md: Codex skill entrypoint
  • CLAUDE.md: Claude Code instructions
  • references/incident-2026-03-31.md: source notes for the default targets

Usage

macOS/Linux:

python3 scripts/scan_compromised_versions.py /path/to/repo
python3 scripts/scan_compromised_versions.py /path/one /path/two
python3 scripts/scan_compromised_versions.py --json /
python3 scripts/scan_compromised_versions.py --fail-on-match /path/to/repo
python3 scripts/apply_release_age_guards.py

Windows PowerShell:

py scripts\scan_compromised_versions.py C:\src\repo
py scripts\scan_compromised_versions.py --json C:\

Custom target set:

python3 scripts/scan_compromised_versions.py \
  --no-default-targets \
  --target [email protected] \
  --target [email protected] \
  /path/to/scan

What It Scans

  • package.json
  • package-lock.json
  • npm-shrinkwrap.json
  • yarn.lock
  • pnpm-lock.yaml
  • bun.lock
  • bun.lockb
  • installed package package.json files under node_modules

Result Types

  • manifest:*: declared dependency spec in package.json
  • installed-package: installed package manifest, usually under node_modules
  • lockfile:*: exact resolved version in a lockfile
  • lockfile:bun.lockb: best-effort binary-string match
  • ioc:file-path: host-level IOC such as /Library/Caches/com.apple.act.mond, %PROGRAMDATA%\wt.exe, %TEMP%\6202033.vbs, %TEMP%\6202033.ps1, or /tmp/ld.py
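As an added example (not the repository's own scanner), a minimal Python version of the exact-match logic for two of the scanned file types, producing the same manifest:* and lockfile:* result types described above. The target set and both sample files are constructed here; only the lockfileVersion 2/3 package-lock.json layout is handled.

```python
import json

def parse_targets(specs: list) -> set:
    """Turn 'name@version' strings (the form the --target flag takes) into (name, version) pairs."""
    out = set()
    for spec in specs:
        name, _, version = spec.rpartition("@")  # rpartition keeps scoped names like @scope/x intact
        if name and version:
            out.add((name, version))
    return out

def scan_manifest(text: str, targets: set) -> list:
    """Exact-match declared specs in package.json; a range such as ^1.2.3 is not a match."""
    data = json.loads(text)
    hits = []
    for field in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        for name, spec in data.get(field, {}).items():
            if (name, spec) in targets:
                hits.append((f"manifest:{field}", name, spec))
    return hits

def scan_package_lock(text: str, targets: set) -> list:
    """Exact-match resolved versions in a lockfileVersion 2/3 'packages' map (v1 layout not handled)."""
    data = json.loads(text)
    hits = []
    for path, meta in data.get("packages", {}).items():
        if not path:  # the "" key is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and scoped install paths
        version = meta.get("version")
        if (name, version) in targets:
            hits.append(("lockfile:package-lock.json", name, version))
    return hits

# Constructed sample files; the real default targets are in references/incident-2026-03-31.md.
SAMPLE_MANIFEST = json.dumps({"dependencies": {"example-pkg": "1.2.3", "left": "^1.0.0"},
                              "devDependencies": {"@scope/other": "^4.5.6"}})
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/example-pkg": {"version": "1.2.3"},
    "node_modules/left/node_modules/@scope/other": {"version": "4.5.6"}}})

def run_example() -> list:
    targets = parse_targets(["example-pkg@1.2.3", "@scope/other@4.5.6"])
    return scan_manifest(SAMPLE_MANIFEST, targets) + scan_package_lock(SAMPLE_LOCK, targets)

if __name__ == "__main__":
    for kind, name, version in run_example():
        print(f"{kind}: {name}@{version}")
```

Note that the manifest's ^4.5.6 range for @scope/other is not reported, while the lockfile's resolved 4.5.6 is; that is the exact-match behaviour the Notes section describes.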

Optional Hardening

Run the helper below to add the release-age guardrails used during this incident response workflow:

python3 scripts/apply_release_age_guards.py

That helper:

  • adds min-release-age=7 to ~/.npmrc if that key is missing
  • adds exclude-newer = "7 days" to the user uv config if that key is missing
  • preserves existing config content and leaves existing guardrail keys untouched

If the local npm CLI does not recognize min-release-age, upgrade npm first and rerun the helper.

Notes

  • The scan reports exact matches, not approximate or range-based risk.
  • Full-system scans use platform-aware pruning to skip common OS-managed temp or virtual filesystem locations.
  • The scanner also checks current-platform filesystem IOCs from the March 31, 2026 incident; the incident reference (references/incident-2026-03-31.md) includes the network, npm account, and timeline details needed for deeper hunting.
  • For real-world scans, if any of the default compromised versions are found, assume the machine or environment is compromised ("pwned"): stop using it, shut it down, and take it to IT or security immediately.
  • If you install this as a local skill via the current skill-installer, do not use --path .; that installer path currently sparse-checks out only top-level files for repo-root installs.
