Remediation
Findings you can actually close.
The layer nobody else packages well: rotation checklists, PR bumping, and per-machine fix plans that a level-1 analyst can execute in a ticket.
01
Per-finding fix instructions
Upgrade to at least version x.y.z, remove extension X, disable MCP entry Y. Concrete, copyable, and versioned with the catalog entry.
02
Auto-generated PRs
GitHub App integration bumps affected lockfiles. Opt-in per repo. One-click revert. No writes without your approval.
03
Credential-rotation checklist
Per exposed machine: which token types are plausibly present (npm token, GH PAT, cloud CLI creds, SSH keys, inferred from tool presence, never by reading secrets) → ordered rotation playbook.
Example
Rotation playbook for a Shai-Hulud-exposed endpoint.
Ordered, defensible, and tuned to the tokens the agent inferred present on that machine. Never by reading secret values.
- 01Revoke and rotate npm tokens tied to affected accounts.
- 02Cycle GitHub PATs and SSH keys stored on the endpoint.
- 03Rotate cloud CLI credentials (AWS, GCP, Azure profiles present on disk).
- 04Force sign-out and re-auth on IdP-integrated apps.
- 05Verify no new refresh tokens were issued during the exposure window.