fix(scan): match renamed compromised packages header

ericboehs · ericboehs · commit 1d378bad46eb · 2026-05-13T15:31:47.000-05:00
The upstream Cobenian/shai-hulud-detect compromised-packages.txt header
was renamed from "Shai-Hulud NPM Supply Chain Attack" to "Shai-Hulud
Supply Chain Attack - Compromised Packages List", causing `vtk scan
repo` to fail validation with a false MITM/corrupted-file warning.

Switch the expected-header check to a regex (`Shai-Hulud.*Supply Chain
Attack`) so both the old and new wordings validate while still being
specific enough to catch a tampered or unrelated file.

Reported by Catalina Espinoza.
diff --git a/scripts/shai-hulud-repo-check.ps1 b/scripts/shai-hulud-repo-check.ps1
@@ -91,7 +91,7 @@ $CacheDir = Join-Path $env:LOCALAPPDATA "vtk"
 $CacheFile = Join-Path $CacheDir "compromised-packages.txt"
 $CacheTTL = 86400  # 24 hours in seconds
 $MinExpectedPackages = 500
-$ExpectedHeader = "Shai-Hulud NPM Supply Chain Attack"
+$ExpectedHeader = "Shai-Hulud.*Supply Chain Attack"
 $PlaybookUrl = "https://department-of-veterans-affairs.github.io/eert/shai-hulud-dev-machine-cleanup-playbook"
 
 # Resolve path
@@ -151,7 +151,7 @@ function Test-PackageListValid {
     param([string]$Content)
 
     # Check for expected header
-    if ($Content -notmatch [regex]::Escape($ExpectedHeader)) {
+    if ($Content -notmatch $ExpectedHeader) {
         Write-Warning "Downloaded file missing expected header - possible MITM or corrupted file"
         return $false
     }
diff --git a/scripts/shai-hulud-repo-check.sh b/scripts/shai-hulud-repo-check.sh
@@ -50,7 +50,7 @@ CACHE_DIR="${XDG_CACHE_HOME:-$HOME/.cache}/vtk"
 CACHE_FILE="$CACHE_DIR/compromised-packages.txt"
 CACHE_TTL=86400  # 24 hours
 MIN_EXPECTED_PACKAGES=500
-EXPECTED_HEADER="Shai-Hulud NPM Supply Chain Attack"
+EXPECTED_HEADER="Shai-Hulud.*Supply Chain Attack"
 PLAYBOOK_URL="https://department-of-veterans-affairs.github.io/eert/shai-hulud-dev-machine-cleanup-playbook"
 
 # Parse arguments
@@ -172,7 +172,7 @@ validate_package_list() {
   local content="$1"
 
   # Check for expected header
-  if ! echo "$content" | grep -q "$EXPECTED_HEADER"; then
+  if ! echo "$content" | grep -Eq "$EXPECTED_HEADER"; then
     echo "Downloaded file missing expected header - possible MITM or corrupted file" >&2
     return 1
   fi
