Comment by developerjhp

4 days ago

I’ve been tracking these supply-chain incidents as well, so I built a small real-time scanner that looks for suspicious SHA-1 patterns inside repositories.

It’s basically a lightweight CLI tool you can run directly inside any local project:

    npx sha1-hulud-scanner

Repo is here: https://github.com/developerjhp/sha1-hulud-scanner

It’s not meant to be a full security product — just a simple “first-pass” detector that helps catch unexpected checksum strings or injected artifacts before they slip into CI. Feedback and contributions are welcome!