diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5a2a38730..3079f1b14 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -55,6 +55,14 @@ jobs:
 - name: Install dependencies
 run: npm ci
+ ## https://semgrep.dev/blog/2025/security-advisory-npm-packages-using-secret-scanning-tools-to-steal-credentials/
+ - name: Check shai-hulud attack
+ run: |
+ if find . -type f -name "*.js" -exec sha256sum {} \; | grep -q "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09"; then
+ echo "Vulnerable version of serialize-javascript found in:"
+ find . -type f -name "*.js" -exec sha256sum {} \; | grep "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09" | awk '{print $2}'
+ exit 1
+ fi
 - name: Lint
 run: npm run lint
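Review bot: The `Check shai-hulud attack` step runs only after `npm ci`, so any install-time lifecycle script (preinstall/postinstall) shipped in a compromised package has already executed on the runner, with the job's environment and any secrets it exposes, before this step can fail the build. Installing with `run: npm ci --ignore-scripts`, running the hash check, and only then running `npm rebuild` (or checking `package-lock.json` for the known-bad version, which needs no install at all) would turn this from a post-mortem into a gate. The hard-coded SHA-256 matches exactly one artifact, so a comment above the step such as `# Point check for the single indicator in the linked advisory; not a general supply-chain scan` would keep future readers from treating it as broader coverage. The tree is also hashed twice, once for the `grep -q` and once for the listing; computing the match list once keeps the two consistent and halves the `find` cost, as below. The enclosing `steps:` list and job definition start outside the hunk.
```yaml
        run: |
          matches="$(find . -type f -name "*.js" -exec sha256sum {} \; | grep "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09" | awk '{print $2}' || true)"
          if [ -n "$matches" ]; then
            echo "Vulnerable version of serialize-javascript found in:"
            echo "$matches"
            exit 1
          fi
```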