Scan Postman using Shai-Hulud 2.0 Detector

Scan the Postman application for Linux, inside a Docker container, for Shai-Hulud

Build the docker image

# Dockerfile
FROM ubuntu:latest

WORKDIR /app

RUN apt-get update && \
    apt-get install -y \
        git \
        curl

RUN git clone https://github.com/gensecaihq/Shai-Hulud-2.0-Detector.git

ENV NVM_DIR="/root/.nvm"
ENV NODE_VERSION="24"

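# Install NVM, source it, and install Node 24.
# nvm installs into versions/node/v<full version> (not v24), so link the
# installed version to a fixed path that PATH can point at.
RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash && \
    . "$NVM_DIR/nvm.sh" && \
    nvm install $NODE_VERSION && \
    nvm alias default $NODE_VERSION && \
    nvm use default && \
    ln -s "$NVM_DIR/versions/node/$(nvm version default)" "$NVM_DIR/default"

ENV PATH="$NVM_DIR/default/bin:$PATH"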

CMD ["/bin/bash"]

  • Create a folder scanner and put this Dockerfile in it.
  • cd scanner
  • sudo docker build -t scanner .

Run a container in bash

  • sudo docker run -i -t scanner /bin/bash

Scan Postman inside the container

  • Download the Postman package (you can find the link on the Postman downloads page):
    • curl "https://dl.pstmn.io/download/latest/linux_64" -o postman.tgz
  • Extract the Postman package:
    • tar xzf postman.tgz
  • Launch the detector tool:
    • cd Shai-Hulud-2.0-Detector
    • node dist/index.js --working-directory=/app/Postman/
caarmen commented Dec 16, 2025

Result of the scan:

root@1a11414f54f4:/app/Shai-Hulud-2.0-Detector# node dist/index.js --working-directory=/app/Postman/

Shai-Hulud 2.0 Detector

Inputs:

  • Fail on Critical: true
  • Fail on High: false
  • Fail on Any: false
  • Scan Lockfiles: true
  • Scan Node Modules: false
  • Output Format: json
  • Working Directory: /app/Postman/
  • Allowlist Path: .shai-hulud-allowlist.json
  • Ignore Allowlist: false
  • Warn on Allowlist: false

Database version: 2.0.0
Last updated: 2025-12-12T00:54:57.949Z
Total known affected packages: 795

Scanning directory: /app/Postman
Starting scan...

JSON Report:

{
  "totalDependencies": 87,
  "affectedCount": 0,
  "cleanCount": 87,
  "results": [],
  "securityFindings": [
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/THEME_AYU_DARK.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "8fdc1ce978195402dcf24f8e7bdbc4bba0690a4e7a9e7f316747119956e26afd"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/THEME_AYU_LIGHT.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "3df2d28b9a7a7faf74232f16a85b6fdf734bab8060e073e9790793947b51325e"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/THEME_DRACULA.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "ab57ff7131316d414c93fadedb7daf2f68f7e694fd9cc6da4cb3018c1ccd7d90"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/THEME_HIGH_CONTRAST_DARK.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "dbd47e926a04eb2f648cddacb7a3506a6749b3f6e4f9ef2e6f2f92299221f8fc"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/THEME_HIGH_CONTRAST_LIGHT.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "1912ef0020b3997549a8c13e8d5f1ae3753266b7a14451d27247507894207108"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/THEME_MONOKAI.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "ccfe4932e6b38183fe5612300364cafca7437eeaf8dff10a15a5669de43679b9"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/THEME_NIGHT_OWL_DARK.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "d5bcfd15bb4c8aec4779e474f8db39608957a1c381b2fc4d319e3534c053057a"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/THEME_NIGHT_OWL_LIGHT.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "433e9d6709ab3b0b4012e91034d9bc32e928194c7d397fea3eaca435074e9d95"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/THEME_SOLARIZED_DARK.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "535a259a4c4b082cab501f5c21b8cfa499dc032d6f62a22c1517c7ea91f9acbf"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/THEME_SOLARIZED_LIGHT.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "d3e6978cd7066d0a6f058f064ca3e96bf132a7a272a8633914eecd13a1a44943"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/desktop-offline.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "d9d0922eabb9c7808c2328561fefe99b4d43bc5e50ceebe7bc86f660f7272300"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/migration-firmware.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "8f963b54b9a8b3a7e3cf6ab8d561ec33a82370717f32c67e62bac866a6c4d3b8"
    },
    {
      "type": "trufflehog-activity",
      "severity": "critical",
      "title": "TruffleHog activity detected",
      "description": "Secret scanning pattern. This may indicate automated credential theft as part of the Shai-Hulud attack.",
      "location": "/app/Postman/app/resources/app/js/scratchpad/scratchpad.js",
      "evidence": "/secret[_-]?scan/i",
      "sha256": "7b74c7f53d399a1cc4d3991550ada44b62db863d0ee58fd7ad81424eba48286e"
    },
    {
      "type": "compromised-package",
      "severity": "low",
      "title": "Package from affected namespace with semver range",
      "description": "\"@postman/aes-crypto-js\" is from the @postman namespace which has known compromised packages. The version pattern \"^0.2.0\" could auto-update to a compromised version during npm update.",
      "location": "/app/Postman/app/resources/app/package.json",
      "evidence": "\"@postman/aes-crypto-js\": \"^0.2.0\""
    }
  ],
  "scannedFilesCount": 2,
  "scannedFiles": [
    "/app/Postman/app/resources/app/package.json",
    "/app/Postman/app/resources/app/yarn.lock"
  ],
  "scanTime": 930
}
::set-output name=affected-count::0

::set-output name=security-findings-count::14

::set-output name=scan-time::930

::set-output name=status::affected

::set-output name=results::[]


::set-output name=allowlisted-count::0
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/THEME_AYU_DARK.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/THEME_AYU_LIGHT.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/THEME_DRACULA.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/THEME_HIGH_CONTRAST_DARK.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/THEME_HIGH_CONTRAST_LIGHT.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/THEME_MONOKAI.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/THEME_NIGHT_OWL_DARK.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/THEME_NIGHT_OWL_LIGHT.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/THEME_SOLARIZED_DARK.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/THEME_SOLARIZED_LIGHT.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/desktop-offline.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/migration-firmware.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::error title=TruffleHog activity detected,file=/app/Postman/app/resources/app/js/scratchpad/scratchpad.js,line=1::[CRITICAL] TruffleHog activity detected - trufflehog-activity
::notice title=Package from affected namespace with semver range,file=/app/Postman/app/resources/app/package.json,line=1::[LOW] Package from affected namespace with semver range - compromised-package
::error::Shai-Hulud 2.0 supply chain attack indicators detected: 13 critical severity issue(s) detected
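
In the report above, all 13 critical findings carry the same evidence, the regex /secret[_-]?scan/i. The following is an added example, not part of the gist or the detector: it groups a report's findings by evidence and returns the text around each match so the hits can be reviewed. The function names, the sample report and the sample source string are constructed for illustration.

```javascript
"use strict";

// Group findings that share type, severity and evidence, so one noisy
// pattern shows up as a single row instead of many separate entries.
function groupFindings(report) {
  const groups = new Map();
  for (const f of report.securityFindings || []) {
    const key = [f.type, f.severity, f.evidence].join("\u0000");
    if (!groups.has(key)) {
      groups.set(key, { type: f.type, severity: f.severity, evidence: f.evidence, locations: [] });
    }
    groups.get(key).locations.push(f.location);
  }
  return [...groups.values()].sort((a, b) => b.locations.length - a.locations.length);
}

// The report prints regex evidence as "/pattern/flags"; turn it back into a RegExp.
// Returns null when the evidence is a literal string (e.g. a package.json line).
function evidenceToRegExp(evidence) {
  const m = /^\/(.+)\/([a-z]*)$/s.exec(evidence);
  if (!m) return null;
  const flags = m[2].includes("g") ? m[2] : m[2] + "g";
  return new RegExp(m[1], flags);
}

// Return the text around every match so a reviewer can see what actually matched.
function matchContexts(source, evidence, radius = 30) {
  const re = evidenceToRegExp(evidence);
  if (!re) return [];
  const out = [];
  for (const m of source.matchAll(re)) {
    const start = Math.max(0, m.index - radius);
    out.push(source.slice(start, m.index + m[0].length + radius));
  }
  return out;
}

// Constructed sample in the shape of the report above (hashes omitted).
const sampleReport = { securityFindings: [
  { type: "trufflehog-activity", severity: "critical", evidence: "/secret[_-]?scan/i", location: "/app/Postman/app/resources/app/js/THEME_DRACULA.js" },
  { type: "trufflehog-activity", severity: "critical", evidence: "/secret[_-]?scan/i", location: "/app/Postman/app/resources/app/js/THEME_MONOKAI.js" },
  { type: "compromised-package", severity: "low", evidence: "\"@postman/aes-crypto-js\": \"^0.2.0\"", location: "/app/Postman/app/resources/app/package.json" },
]};
// Constructed stand-in for a bundled file; real match text must be read from the flagged file.
const sampleSource = 'var ui={label:"secretScanEnabled",id:"secret-scan-toggle"};';

for (const g of groupFindings(sampleReport)) {
  console.log(`${g.locations.length}x ${g.severity} ${g.type} ${g.evidence}`);
}
console.log(matchContexts(sampleSource, "/secret[_-]?scan/i", 12));
```

To use it on a real run, pass the parsed "JSON Report" object to groupFindings and the contents of each flagged file to matchContexts.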
