Using SBOM Search for SSCS Attacks

Understanding the Shai-Hulud Supply Chain Attack

The recent "Shai-Hulud" attack on the @ctrl/tinycolor npm package demonstrates the sophistication of modern supply chain threats. This attack compromised over 40 npm packages across multiple maintainers, affecting millions of weekly downloads. The malware featured self-propagating capabilities, automatically infecting downstream packages owned by the same maintainers, and employed advanced credential harvesting techniques targeting AWS, GCP, and Azure environments.

Key Attack Characteristics:

  • Self-Propagation: Automatically infects up to 20 packages per compromised maintainer

  • Credential Harvesting: Uses TruffleHog and environment variable dumping to steal secrets

  • Persistence: Injects GitHub Actions workflows to maintain long-term access

  • Multi-Cloud Targeting: Enumerates AWS Secrets Manager, GCP Secret Manager, and Azure credentials

Why Rapid SBOM Assessment is Critical

When sophisticated attacks like Shai-Hulud emerge, traditional security measures are insufficient. The attack's ability to cascade across maintainer accounts and establish persistent backdoors means that speed of detection directly impacts the scope of compromise. Organizations need immediate visibility into their software dependencies to identify affected systems before the attack can spread or exfiltrate sensitive credentials.

Using Arnica SBOM for Supply Chain Attack Response

We prepared a link with all affected packages in one search. Simply log in to Arnica and paste the following URL into your browser:


This page can take longer than usual to load. An empty result means your organization is likely not affected in the SLA branches, but it may still be impacted by the backdoor if it was pushed into a feature branch or executed on a local developer workstation.

Manual Search Instructions

  1. Navigate to SBOM: Log into Arnica and go to Inventory > Software Bill of Materials (SBOM)

  2. Enable Exact Match Mode:

    • Look for the "Exact Match Multiple Packages" toggle (default: OFF)

    • Turn ON this toggle to enable precise multi-package searching

  3. Multi-Package Search: With "Exact Match Multiple Packages" enabled, search for multiple packages using a comma-separated list of exact package names and versions (for example, @ctrl/tinycolor@4.1.1,@ctrl/tinycolor@4.1.2).

  4. Search Strategies: For comprehensive coverage during an active attack:

    • Exact Versions: Use the format package@version for precise matches

    • Multiple Packages: Separate each package with commas (no spaces)

    • Maintainer Coverage: Include all known compromised packages from the same maintainer

  5. URL Persistence: The search filters are automatically saved in the URL, allowing you to:

    • Bookmark specific searches

    • Share exact search links with your team

    • Refresh the page without losing your search criteria

  6. Results Analysis: The search returns only repositories containing the exact specified packages and versions, enabling immediate and precise impact assessment.
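As an added example (not Arnica's own code), the script below builds the exact-match SBOM search URL in the shape of the link above from a list of package@version pairs, parses such a URL back into its list, and performs the same exact name-and-version match locally against a package-lock.json, which covers the developer-workstation case the hosted search does not. The helper names and the sample lockfile are my own constructions; only the URL shape and the package versions come from this page.

```python
# Added example: build/parse the Arnica exact-match SBOM search URL and run the
# same exact package@version match against a local package-lock.json.
# Helper names are hypothetical; the URL shape mirrors the link on this page.
import json
from urllib.parse import quote, urlsplit, parse_qs

ARNICA_SBOM_BASE = "https://app.arnica.io/#/inventory/sbom"

# A few of the affected package@version pairs listed on this page.
AFFECTED = [
    "@ctrl/tinycolor@4.1.1",
    "@ctrl/tinycolor@4.1.2",
    "@ctrl/deluge@7.2.1",
    "ngx-toastr@19.0.1",
]

def split_pair(pair):
    """Split 'name@version' into (name, version); scoped names keep their leading '@'."""
    name, _, version = pair.rpartition("@")
    if not name or not version:
        raise ValueError(f"not a package@version pair: {pair!r}")
    return name, version

def build_search_url(pairs):
    """Exact match on, comma-separated list, fully percent-encoded (@ -> %40, / -> %2F, , -> %2C)."""
    for p in pairs:
        split_pair(p)  # validate every entry before encoding
    return f"{ARNICA_SBOM_BASE}?exactMatch=true&search={quote(','.join(pairs), safe='')}"

def parse_search_url(url):
    """Recover the package@version list from a search URL; the query sits after the '#'."""
    fragment = urlsplit(url).fragment  # '/inventory/sbom?exactMatch=true&search=...'
    query = fragment.split("?", 1)[1] if "?" in fragment else ""
    search = parse_qs(query).get("search", [""])[0]  # parse_qs already percent-decodes
    return search.split(",") if search else []

def find_in_lockfile(lock_json, pairs):
    """Exact (name, version) hits in a package-lock.json 'packages' map (lockfileVersion 2/3)."""
    wanted = {split_pair(p) for p in pairs}
    hits = []
    for path, meta in lock_json.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the "" entry is the project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # also handles nested node_modules
        if (name, meta.get("version")) in wanted:
            hits.append((path, meta["version"]))
    return sorted(hits)

# Constructed lockfile fragment for demonstration (not a real project).
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@ctrl/tinycolor": {"version": "4.1.2"},
    "node_modules/ngx-toastr": {"version": "19.0.0"},
    "node_modules/foo/node_modules/@ctrl/deluge": {"version": "7.2.1"}
  }
}""")

if __name__ == "__main__":
    url = build_search_url(AFFECTED)
    print(url)
    print(parse_search_url(url))
    for path, ver in find_in_lockfile(SAMPLE_LOCK, AFFECTED):
        print(f"HIT {path}@{ver}")  # ngx-toastr 19.0.0 is not reported: exact versions only
```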
