ghmendonca
ghmendonca
/ detect-infection.sh
Created
February 12, 2026 01:26
NPM Supply Chain Malware Scanner (Cross-Chain TxDataHiding / OmniStealer / DPRK APT) - Detects blockchain C2 malware, IDE injection, credential theft. Based on Ransom-ISAC YARA rules. 16 detection checks.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # NPM Supply Chain Malware Detection Script (Cross-Chain TxDataHiding / OmniStealer) | |
| # Reference: https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-2/ | |
| # YARA Rules: Actor_APT_DPRK_Unknown_MAL (Ransom-ISAC) | |
| # Detects malware variant that spreads via compromised npm packages | |
| # Usage: ./detect-infection.sh | |
| # Supports: macOS, Linux, Windows (Git Bash / MSYS2 / Cygwin) | |
| RED='\033[0;31m' | |
| GREEN='\033[0;32m' |