Node v0.2.1 — Shai-Hulud Defense
·
20 commits
to main
since this release
sealed-env Node 0.2.1 — Shai-Hulud Defense Release
Defensive hardening release. No spec changes, no wire format changes.
Files sealed by 0.2.0 decrypt identically here.
Designed in response to the TeamPCP open-sourcing of the Shai-Hulud framework on 2026-05-12.
Highlights
- New
sealed-env scan [path]command — detects accidentally committed sealed-env tokens and keys. Pre-commit hook ready (--staged), CI integration (--json), drop-ingitleaksconfig bundled. sealed-env doctor— 3 hardening checks against Shai-Hulud's documented attack surface: plaintext key exposure, IDE backdoor hooks, CI runner posture.threat-research/directory — module-by-module defensive analysis of the open-sourced Shai-Hulud framework, with citations to Datadog Security Labs, StepSecurity, Mondoo, and others.- Honest scope claim in README +
THREAT_MODEL.md: sealed-env reduces the impact of Shai-Hulud-class attacks; it does not prevent initial host compromise.
Run after upgrading
sealed-env doctorNew advisory [!] warnings may appear — none indicate defects, all point to posture improvements.
Full changelog: CHANGELOG.md
Defensive analysis: threat-research/analysis/shai-hulud-defense.md