pwn-check

A bash script that checks the lock files of your JavaScript/Node.js projects for specific, potentially vulnerable dependency versions. It looks only for the package versions published in the attack of Sep 8, 13:16 UTC, which is detailed here:

https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

Disclosure from the maintainer of these packages:

https://news.ycombinator.com/item?id=45169794

Features

  • ✅ Supports multiple lock file formats:
    • pnpm-lock.yaml
    • package-lock.json
    • yarn.lock
  • 🎨 Color-coded output for easy identification
  • 📋 Checks for 18 specific dependency versions
  • 🔍 Single directory checking (check_dependencies.sh)
  • 🌲 Recursive directory tree scanning (recursive_check.sh)
  • 🚫 Automatic exclusion of node_modules directories

Usage

This repository includes two scripts:

Single Directory Check (check_dependencies.sh)

Check dependencies in a single directory containing a lock file.

  1. Make the script executable (if not already):

    chmod +x check_dependencies.sh
  2. Run the script in a directory containing a lock file:

    ./check_dependencies.sh
  3. View help:

    ./check_dependencies.sh --help

High-Performance Recursive Check (recursive_check.sh)

⚡ Optimized version with parallel processing for checking large numbers of projects quickly.

  1. Make the script executable (if not already):

    chmod +x recursive_check.sh
  2. Run with default settings (4 parallel jobs):

    ./recursive_check.sh
  3. Use custom number of parallel jobs (1-16):

    ./recursive_check.sh -j 8 /path/to/projects
  4. Disable parallel processing:

    ./recursive_check.sh --no-parallel
  5. View help:

    ./recursive_check.sh --help

Output

The script uses color coding to indicate the status of each dependency:

  • 🟢 Green: Safe version found (different from the target vulnerable version)
  • 🔴 Red: Vulnerable version found (matches the target version exactly)
  • Gray: Dependency not found in the project

Dependencies Checked

The script checks for these specific versions:

  • backslash 0.2.1
  • chalk-template 1.1.1
  • supports-hyperlinks 4.1.1
  • has-ansi 6.0.1
  • simple-swizzle 0.2.3
  • color-string 2.1.1
  • error-ex 1.3.3
  • color-name 2.0.1
  • is-arrayish 0.3.3
  • slice-ansi 7.1.1
  • color-convert 3.1.1
  • wrap-ansi 9.0.1
  • ansi-regex 6.2.1
  • supports-color 10.2.1
  • strip-ansi 7.1.1
  • chalk 5.6.1
  • debug 4.4.2
  • ansi-styles 6.2.2

Example Output

pwn-check
==================================

Checking pnpm-lock.yaml...
○ backslash: not found
○ chalk-template: not found
✓ supports-hyperlinks: 2.3.0 (safe version)
✓ color-name: 1.1.4 (safe version)
✗ chalk: 5.6.1 (matches target version - potentially vulnerable)

==================================
Green: Safe version found
Red: Vulnerable version found (matches target)
Gray: Dependency not found in project

Requirements

  • Bash shell
  • Optional: jq (improves package-lock.json parsing)

The script works without jq, but parsing of package-lock.json files is more reliable when jq is available.
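The jq-free path described above, as an added example that is not one of the pwn-check scripts: a small bash checker that walks the "packages" map of a lockfileVersion 2/3 package-lock.json with awk, matches each installed package against the 18 exact versions listed under Dependencies Checked, and reports only exact matches (any other version of the same package counts as safe, as in the script's output legend). The sample lock file, the function names and the temporary file path are constructed for this example.

```shell
#!/usr/bin/env bash
# Exact package@version pairs from the "Dependencies Checked" list above.
PWNED="backslash@0.2.1 chalk-template@1.1.1 supports-hyperlinks@4.1.1 has-ansi@6.0.1
simple-swizzle@0.2.3 color-string@2.1.1 error-ex@1.3.3 color-name@2.0.1 is-arrayish@0.3.3
slice-ansi@7.1.1 color-convert@3.1.1 wrap-ansi@9.0.1 ansi-regex@6.2.1 supports-color@10.2.1
strip-ansi@7.1.1 chalk@5.6.1 debug@4.4.2 ansi-styles@6.2.2"
# lock_entries FILE: print "name version" for every node_modules/<name> entry in the
# "packages" map of a lockfileVersion 2/3 package-lock.json, using awk only (no jq).
# The key and its "version" may sit on the same line or on the lines that follow.
lock_entries() {
  awk '
    /"node_modules\/[^"]*": *[{]/ {
      match($0, /"node_modules\/[^"]*"/)
      name = substr($0, RSTART + 1, RLENGTH - 2)
      sub(/.*node_modules\//, "", name)   # keep the last path component (nested node_modules)
    }
    name != "" && /"version": *"[^"]*"/ {
      match($0, /"version": *"[^"]*"/)
      ver = substr($0, RSTART, RLENGTH)
      sub(/^"version": *"/, "", ver); sub(/"$/, "", ver)
      print name, ver
      name = ""                           # one version per package entry
    }
  ' "$1"
}
# check_lock FILE: print "name version" for each entry whose version matches a compromised
# release exactly; a different version of the same package is not reported.
check_lock() {
  lock_entries "$1" | while read -r name ver; do
    for pair in $PWNED; do
      if [ "$pair" = "$name@$ver" ]; then printf '%s %s\n' "$name" "$ver"; fi
    done
  done
}
# vulnerable_count FILE: number of compromised entries, usable as a CI gate.
vulnerable_count() { check_lock "$1" | wc -l | tr -d '[:space:]'; }
# Constructed sample lock file (not from any real project): safe, compromised and nested entries.
SAMPLE_LOCK="${TMPDIR:-/tmp}/pwn-check-sample-package-lock.json"
cat > "$SAMPLE_LOCK" <<'EOF'
{ "name": "sample-app", "lockfileVersion": 3, "packages": {
    "": { "name": "sample-app", "version": "1.0.0" },
    "node_modules/chalk": {
      "version": "5.6.1",
      "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.6.1.tgz" },
    "node_modules/color-name": { "version": "1.1.4" },
    "node_modules/foo/node_modules/debug": { "version": "4.4.2" },
    "node_modules/supports-color": { "version": "9.4.0" } } }
EOF
check_lock "$SAMPLE_LOCK"   # prints two lines: "chalk 5.6.1" and "debug 4.4.2"
```

Because color-name 1.1.4 and supports-color 9.4.0 differ from the listed versions they are not reported, while debug 4.4.2 is found even though it is nested under another package's node_modules.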

About

Check npm package dependencies for exploited package versions
