Supply chain attacks targeting npm packages are on the rise. In March 2026 alone, we saw the axios npm account takeover (a top-10 npm package) and the Trivy release infrastructure compromise in quick succession.

Every time an incident like this occurs, teams must investigate whether any repositories under their GitHub Organizations are affected. Searching lockfiles via the GitHub Code Search API, assessing impact, and documenting findings in Issues, all of this across multiple organizations, takes significant effort when done manually.

To delegate this work to AI coding assistants, we built the gh-security-scan skill.

What gh-security-scan Does

gh-security-scan is a security investigation skill that supports three scopes: GitHub Enterprise, Organization, and Repository. It is published in the oh-my-skills repository and works with three AI coding assistants: Claude Code, Codex, and Gemini CLI.

Key capabilities:

• Enumerate target repositories via gh CLI (Enterprise / Organization / Repository scope)
• Search lockfiles, config files, and source code using the GitHub Code Search API
• Automatically create Issues with hierarchical tracking (main tracking Issue + sub-Issues per repository)
• Report findings in a structured table (Repository / Status / Details)
• Update summary and auto-close sub-Issues with no findings

Why an AI Coding Assistant Skill

The investigation workflow after a supply chain attack follows a predictable pattern:

1. Identify the affected packages and versions
2. Enumerate repositories in the organization
3. Search lockfiles and config files in each repository
4. Document findings in Issues and track remediation

This workflow is formulaic, but the effort scales with organization size. AI coding assistants can operate the GitHub API via gh CLI, interpret search results, and create well-structured Issues.

By defining this as a skill, there is no need to write the investigation prompt from scratch each time. The skill includes reference guides for investigation patterns (npm supply chain attacks, CVE-based vulnerabilities, credential exposure), so the AI can construct appropriate search queries.

Supported Platforms and Skill Structure

The skill is implemented following the conventions of each platform.

Each skill shares a common structure:

• SKILL.md: Skill metadata and workflow definition
• references/investigation_patterns.md: Reference guide for investigation patterns

The reference guide covers three investigation patterns:

npm Supply Chain Attacks

Searches lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) for the affected package, checking whether compromised versions are present. Includes GitHub Code Search API examples and a 6-step remediation procedure.

CVE-Based Vulnerabilities

A checklist for cross-checking dependency manifests across JavaScript, Python, Ruby, Java, Go, Rust, and PHP, along with container images and IaC configurations.

Credential Exposure

Search patterns for AWS access keys (AKIA), GitHub tokens (ghp_), Slack tokens, private keys, and associated remediation steps.

Usage Example

To investigate the axios supply chain attack across an Organization using Claude Code:

/gh-security-scan --org my-org "Investigate compromised npm package axios@1.14.1 and axios@0.30.4"

The skill automatically executes this workflow:

1. Enumerate repositories in the Organization via gh api
2. Create a main tracking Issue in the Organization’s .github repository
3. Search lockfiles in each repository using the GitHub Code Search API
4. Record findings in sub-Issues with structured tables
5. Update the main tracking Issue with a summary
6. Auto-close sub-Issues with no findings

Running at the Enterprise scope investigates all Organizations under the Enterprise.

About oh-my-skills

gh-security-scan is published in the oh-my-skills repository. oh-my-skills is a curated collection of skills for AI coding assistants. Beyond gh-security-scan, it includes skills for PDF text extraction, text-to-Excel conversion, and video-to-meeting-minutes generation.

Licensed under MIT.

Conclusion

When a supply chain attack hits, cross-organization impact investigation is unavoidable. The gh-security-scan skill lets you delegate this investigation to an AI coding assistant. With built-in investigation pattern references, there is no need to craft the investigation prompt from scratch.

The axios incident will not be the last. Having the skill ready before the next incident means faster initial response when it matters.

That’s all from the Gemba, delegating supply chain attack investigations to AI.