
miccy/worms-ctrl

🪱 worms-ctrl


Universal Supply Chain Audit Tool & Threat Knowledge Base Defending against registry-native worms, malicious packages, and CI/CD compromises.

Published on npm. License: MIT. PRs welcome.

🛡️ The Future of Supply Chain Defense

Software supply chain attacks have reached a critical point. Incidents like the Shai-Hulud 2.0 npm worm or the TeamPCP CI/CD compromise show the rise of self-propagating malware that abuses the trust placed in package registries to spread from package to package and to exfiltrate developer secrets (registry and CI tokens, cloud credentials).

worms-ctrl is an automated auditing tool and comprehensive Knowledge Base designed to:

  1. Act as an Incident Response Tool: Providing immediate audit capabilities and remediation steps when under attack.
  2. Serve as a Threat Database: Documenting historical threats (like Shai-Hulud) with exact Indicators of Compromise (IoCs).
  3. Be AI-Agent Ready: Exposing machine-readable Threat Models (JSON/YAML) that Autonomous Security Agents can consume to update defense mechanisms in real-time.

⚡ Quick Start

```bash
# Install the universal scanner globally
npm install -g @worms-ctrl/cli

# Run an audit against your current project using all known threat definitions
npx worms-ctrl scan

# View the Knowledge Base of tracked threats
npx worms-ctrl threats
```

🧠 Threat Knowledge Base Architecture

worms-ctrl treats threats as structured data. Inside packages/ioc/, you will find JSON representations of known supply chain attacks.

Example: The Shai-Hulud Threat Object

When a new threat appears in an intelligence feed (e.g., Socket.dev, OSV, Phylum), it is recorded as a Threat Profile: a JSON object like the one below. Automatic generation of these objects by an AI agent is listed as planned work in the roadmap.

```json
{
  "id": "shai-hulud-2.0",
  "name": "Shai-Hulud 2.0",
  "ecosystem": "npm",
  "severity": "CRITICAL",
  "status": "ARCHIVED",
  "description": "A destructive npm supply-chain worm targeting developers and CI/CD pipelines."
}
```
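To show what "threats as structured data" buys you in practice, here is an added example (not worms-ctrl's own code) that validates a Threat Object with the fields shown above and matches it against an npm `package-lock.json`. It assumes one extra field the page does not define, `iocs.packages` (a list of `{ name, versions }` entries, where `"*"` means any version), and uses a constructed threat and lockfile as input; the package names and versions are placeholders, not real campaign IoCs. It also flags packages the lockfile marks with `hasInstallScript`, since install-time lifecycle scripts are the usual execution point for registry-native worms.

```javascript
'use strict';
// Added example, not project code. The "iocs" field is an assumption;
// the page's Threat Object only has id/name/ecosystem/severity/status/description.

const SEVERITIES = new Set(['LOW', 'MEDIUM', 'HIGH', 'CRITICAL']);
const STATUSES = new Set(['ACTIVE', 'ARCHIVED']);
const REQUIRED = ['id', 'name', 'ecosystem', 'severity', 'status', 'description'];

// Validate a Threat Object before ingesting it. Returns a list of problems
// (empty list = valid), so a malformed object never silently matches nothing.
function validateThreat(t) {
  const problems = [];
  for (const f of REQUIRED) {
    if (typeof t[f] !== 'string' || t[f].length === 0) problems.push(`missing ${f}`);
  }
  if (!/^[a-z0-9][a-z0-9.-]*$/.test(t.id || '')) problems.push('id must be a lowercase slug');
  if (!SEVERITIES.has(t.severity)) problems.push(`unknown severity ${t.severity}`);
  if (!STATUSES.has(t.status)) problems.push(`unknown status ${t.status}`);
  for (const p of (t.iocs && t.iocs.packages) || []) {
    if (typeof p.name !== 'string' || !Array.isArray(p.versions)) problems.push('malformed ioc package entry');
  }
  return problems;
}

// Lockfile v2/v3 keys look like "node_modules/@scope/pkg" or
// "node_modules/a/node_modules/b"; the package name is the last segment.
function packageName(lockKey) {
  const i = lockKey.lastIndexOf('node_modules/');
  return i === -1 ? null : lockKey.slice(i + 'node_modules/'.length);
}

// Walk every installed package (including nested copies) and report any that
// matches an IoC of an npm threat, by exact version or wildcard.
function scanLockfile(lock, threats) {
  const findings = [];
  const entries = Object.entries(lock.packages || {}).filter(([k]) => k !== '');
  for (const threat of threats) {
    if (threat.ecosystem !== 'npm' || !threat.iocs) continue;
    const index = new Map((threat.iocs.packages || []).map(p => [p.name, new Set(p.versions)]));
    for (const [key, meta] of entries) {
      const name = packageName(key);
      const versions = index.get(name);
      if (!versions) continue;
      if (versions.has('*') || versions.has(meta.version)) {
        findings.push({ threat: threat.id, severity: threat.severity, package: name, version: meta.version, path: key });
      }
    }
  }
  return findings;
}

// npm records "hasInstallScript": true for packages with preinstall/install/
// postinstall hooks; these deserve review even when no IoC matches yet.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([k, m]) => k !== '' && m.hasInstallScript === true)
    .map(([k, m]) => ({ package: packageName(k), version: m.version, path: k }));
}

// Constructed sample data (placeholder names, not real IoCs).
const SAMPLE_THREAT = {
  id: 'example-worm-1.0',
  name: 'Example Worm',
  ecosystem: 'npm',
  severity: 'CRITICAL',
  status: 'ARCHIVED',
  description: 'Constructed placeholder threat for this example; not a real campaign.',
  iocs: { packages: [
    { name: '@acme/widgets', versions: ['1.4.2', '1.4.3'] },
    { name: 'left-padder', versions: ['*'] },
  ] },
};
const SAMPLE_LOCKFILE = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@acme/widgets': { version: '1.4.2', hasInstallScript: true },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/foo/node_modules/left-padder': { version: '0.0.9' },
    'node_modules/@acme/other': { version: '1.4.2' },
  },
};

console.log(JSON.stringify({
  valid: validateThreat(SAMPLE_THREAT).length === 0,
  findings: scanLockfile(SAMPLE_LOCKFILE, [SAMPLE_THREAT]),
  installScripts: packagesWithInstallScripts(SAMPLE_LOCKFILE),
}, null, 2));
```

Note that the scan walks the `packages` map rather than the top-level dependency list, so a compromised version pulled in as a nested transitive dependency (`node_modules/foo/node_modules/left-padder` above) is still reported, which is exactly where worm-pushed versions tend to hide.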

🗺️ Roadmap & Integration

  • Refactor core architecture from static scripts to dynamic JSON Threat Object ingestion.
  • Archive Shai-Hulud 2.0 as the first documented threat.
  • Integrate real-time webhook ingestion from Socket.dev & Phylum APIs.
  • Launch the wormsCTRL public Knowledge Base web portal.
  • Implement AI Agent workflow for automatic Threat Object generation from Twitter/Mastodon threat intel.

🤝 Contributing

We welcome contributions from security researchers! If you've analyzed a new malicious package campaign, please submit a PR adding a new Threat Object to our packages/ioc directory.

See CONTRIBUTING.md for details.


Formerly known as dont-be-shy-hulud.
