Security

Supply chain (Mini Shai-Hulud and similar attacks)

This repository uses defenses against npm supply-chain worms such as Mini Shai-Hulud (TeamPCP), which compromise packages via CI OIDC token theft and malicious install lifecycle scripts (often pulling Bun and router_init.js).

Consumer protections (this repo)

  • Frozen lockfile: pnpm-lock.yaml is committed; CI uses pnpm install --frozen-lockfile.
  • Blocked install scripts: only packages listed under pnpm.onlyBuiltDependencies in package.json may run preinstall/postinstall (currently isolated-vm for dev tooling).
  • Blocklist scan: pnpm run audit:supply-chain checks the lockfile against security/compromised-packages.json.
  • Delayed updates: minimumReleaseAge (24h) reduces exposure to freshly published malicious versions.
  • No exotic transitive deps: blockExoticSubdeps blocks git/tarball transitive resolutions.
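
What a lockfile blocklist check like the one in the "Blocklist scan" item involves, as an added example (not the repository's audit:supply-chain script). The blocklist shape, the '*' wildcard, the function name scanLockfile and all package names are assumptions constructed for illustration; the real layout of security/compromised-packages.json is not shown on this page.

```javascript
// Added example; NOT the repository's audit:supply-chain script.
// Assumed blocklist shape: { packages: { "<name>": ["<version>" | "*", ...] } }

// Constructed sample data: package names, versions and hashes are placeholders.
const SAMPLE_BLOCKLIST = {
  packages: {
    'example-compromised-pkg': ['1.4.1', '1.4.2'],
    '@example-scope/bad-lib': ['*'], // '*' blocks every version
  },
};

const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'
packages:
  '@example-scope/bad-lib@2.0.0':
    resolution: {integrity: sha512-CONSTRUCTED}
  example-compromised-pkg@1.4.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  example-compromised-pkg@1.4.2:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  example-compromised-pkg@1.4.2(react@18.3.1):
    dependencies: {}
`;

// Two-space-indented "name@version" keys: plain, quoted (scoped), legacy
// "/name@version", each with an optional "(peer@x)" suffix.
const KEY_RE =
  /^\s{2}'?\/?((?:@[^\/@\s']+\/)?[^\/@\s']+)@([^\s'():]+)(?:\([^']*\))?'?:\s*$/;

function scanLockfile(lockText, blocklist) {
  // A Map avoids inherited keys: "constructor" is a valid package name.
  const blocked = new Map(Object.entries(blocklist.packages));
  const hits = new Set(); // the same key appears under packages: and snapshots:
  for (const line of lockText.split(/\r?\n/)) {
    const m = KEY_RE.exec(line);
    if (!m) continue;
    const [, name, version] = m;
    const versions = blocked.get(name);
    if (versions && (versions.includes('*') || versions.includes(version))) {
      hits.add(`${name}@${version}`);
    }
  }
  return [...hits].sort();
}

const hits = scanLockfile(SAMPLE_LOCKFILE, SAMPLE_BLOCKLIST);
console.log(hits.length ? `BLOCKED: ${hits.join(', ')}` : 'lockfile clean');
```

In CI, a non-empty result should fail the job, for example by setting process.exitCode = 1.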

If you may have installed a compromised package

Assume all secrets on that machine/CI runner are compromised. Rotate:

  • npm tokens and OIDC trusted publishers
  • GitHub PATs / App tokens
  • Cloud provider keys, Vault tokens, kube credentials

Block egress to known IOC domains (DNS): git-tanstack.com, filev2.getsession.org, seed1.getsession.org, api.masscan.cloud.

Check for persistence artifacts: .claude/router_runtime.js, malicious .vscode/tasks.json, pgmon.service, /tmp/transformers.pyz.

Maintainer / publish hardening

  • Enable npm 2FA and configure trusted publishing (OIDC) for n8n-nodes-halopsacomplete on npmjs.com (Package → Publishing access → link this GitHub repo and the Release workflow). Releases do not use a long-lived NPM_TOKEN.
  • Releases use .github/workflows/release.yml: frozen lockfile → blocklist scan → pnpm audit (high+) → OSV-Scanner → build → npm publish --provenance via OIDC.
  • Never use pull_request_target with write permissions + checkout of untrusted PR code.
  • Run pnpm run audit:supply-chain before release; prepublishOnly runs the same check locally.
  • CI fails on high+ pnpm audit findings and OSV lockfile hits (see supply-chain.yml). Transitive issues may be mitigated with pnpm.overrides in package.json (e.g. lodash).
  • Branch protection (recommended): require the Supply chain security check on master before merge; do not auto-merge Dependabot PRs without green CI.
  • Review Dependabot PRs; weekly dev-dependency groups still must pass supply-chain + audit + build.

Blocklist maintenance

  • Full Mini Shai-Hulud package list: security/compromised-packages-blocklist.json (172 packages).
  • IOC strings and metadata: security/compromised-packages.json.
  • After new advisories, update the blocklist JSON and run pnpm run audit:supply-chain.

Reporting vulnerabilities

Email red@4c.gg or open a private security advisory on GitHub. Do not file public issues for unfixed credential or supply-chain incidents.

Updating the blocklist

After new campaign advisories, extend security/compromised-packages.json and re-run pnpm run audit:supply-chain.