🔍 Shellockolm

CLI & MCP Security Scanner for AI Agents

The security detective that scans React, Next.js & npm projects for CVEs, malware, and supply chain attacks

🤖 Built for AI Assistants | ⚡ Lightning Fast | 🔒 32 CVEs Tracked | 🎯 100% Offline

⚡ Install & Run in 60 Seconds

🪟 Windows

iex (irm https://raw.githubusercontent.com/hlsitechio/shellockolm/main/scripts/install.ps1)

Or: Download ZIP → Double-click scripts/setup.bat

---

🐧 Ubuntu / Debian / Mint

curl -fsSL https://raw.githubusercontent.com/hlsitechio/shellockolm/main/scripts/install-debian.sh | bash

---

🏔️ Arch / Manjaro

curl -fsSL https://raw.githubusercontent.com/hlsitechio/shellockolm/main/scripts/install-arch.sh | bash

---

🍎 macOS

curl -fsSL https://raw.githubusercontent.com/hlsitechio/shellockolm/main/scripts/install.sh | bash

---

Then run: python src/cli.py scan . → ✅ Instant security audit

🤖 Want AI integration? python src/configure_mcp.py → Use Shellockolm inside Claude/Copilot!

📖 Full installation guide | 🚀 Quick start | ⚡ Fast install reference | 🤖 MCP Setup

✅ 32 CVEs detected | ✅ Malware & secrets found | ✅ Auto-fix with backups | ✅ 100% offline

What It Finds • Live Demo • AI Integration • All Features • Full Docs

---

🚨 Why This Exists

I scanned 15 React apps. Every single one was vulnerable.

💀 What I Found (In 2 Minutes):

• 🔴 Remote Code Execution → React Server Components CVE-2025-55182
• 🔴 Middleware Bypass → Next.js authentication broken
• ☠️ Malware → Hidden in npm packages I trusted
• 🔑 API Keys Exposed → Sitting in .env files, pushed to Git
• 🦠 Supply Chain Attack → Dependencies were compromised

⏱️ Manual Audit = 3 Days. This Tool = 2 Minutes.

If you're shipping React/Next.js to production without scanning, you're playing Russian roulette with your users' data.

---

🎯 What It Finds

🔴 Critical CVEs React Server Components RCE (CVSS 10.0) Next.js middleware bypass (CVSS 9.1) n8n unauthenticated RCE (CVSS 10.0) Node.js runtime vulnerabilities npm package exploits (mysql2, jsonpath-plus, etc.)

🦠 Threats & Secrets Malware detection (obfuscation, cryptominers, backdoors) Supply chain attacks (Shai-Hulud worm, typosquatting) Secret exposure (API keys, AWS credentials, tokens) AI gateway leaks (Clawdbot/Moltbot credential piggybacking)

Tracks 32 unique CVEs across React, Next.js, Node.js, npm, n8n, and supply chain attacks.

---

🎬 See It In Action

Interactive Shell

┌─────────────────────────────────────────────────────────────┐
│  Shellockolm - Security Detective v1.0                      │
├─────────────────────────────────────────────────────────────┤
│  1   Full Scan           → All 7 scanners, 32 CVEs          │
│  2   React Scanner       → Server Components RCE            │
│  3   Next.js Scanner     → Middleware bypass                │
│  17  Deep Malware Scan   → RCE payloads, cryptominers       │
│  23  Scan for Secrets    → 50+ patterns, high entropy       │
│  X   QuickFix            → Auto-patch all vulnerabilities   │
└─────────────────────────────────────────────────────────────┘

CLI One-Liners

# Full security audit
python src/cli.py scan .

# Scan before installing npm package
python src/cli.py scan --scanner npm ./suspicious-package

# Export to JSON for CI/CD
python src/cli.py scan . -o security-report.json

# Live probe a URL for exploits
python src/cli.py live https://target.com

# Hunt for a specific CVE
python src/cli.py info CVE-2025-55182

---

💡 Why Shellockolm?

Problem	Other Tools	Shellockolm
Speed	Hours of manual auditing	30 seconds full scan
Depth	Generic CVE databases	32 hand-tracked vulnerabilities
Privacy	Cloud-based, upload your code	100% local, zero telemetry
False Positives	Noisy, generic warnings	Hand-tuned detection patterns
Usability	Complex configs, API keys	Works immediately, no setup
Coverage	CVEs only	CVEs + malware + secrets + supply chain

---

🛠️ Complete Features

📊 7 Specialized Scanners

Scanner	What It Detects	CVEs Covered
React RSC	Server Components RCE, source code exposure, DoS	CVE-2025-55182, CVE-2025-66478, +3 more
Next.js	Middleware authorization bypass, RSC vulnerabilities	CVE-2025-29927, CVE-2025-66478
npm Packages	RCE in mysql2, jsonpath-plus; DoS in body-parser, multer	CVE-2024-21508, CVE-2024-21534, +6 more
Node.js Runtime	HTTP/2 crash, TLS memory leak, permission model bypass	CVE-2025-59465, +8 more
n8n	Ni8mare unauthenticated RCE, expression injection	CVE-2026-21858, CVE-2025-68613, CVE-2025-68668
Supply Chain	Shai-Hulud worm, eslint-config-prettier compromise	CVE-2025-54313 + 10 campaign CVEs
Clawdbot/Moltbot	AI gateway credential leaks, OAuth piggybacking	4 critical auth bypass patterns

Total: 32 unique CVEs tracked

🦠 Advanced Malware Detection

• Obfuscation detection - Hex, base64, eval chains
• Cryptominers - Monero, Bitcoin mining scripts
• Backdoors - Reverse shells, command injection
• Data exfiltration - Suspicious HTTP requests
• Typosquatting - Packages mimicking popular libraries
• 100+ detection patterns hand-tuned for JavaScript/Node.js

🔐 Secrets Scanner

Finds leaked credentials in code, configs, and environment files:

• AWS Access Keys & Secret Keys
• GitHub Personal Access Tokens
• Slack Bot Tokens & Webhooks
• Stripe API Keys
• Private Keys (RSA, SSH, PGP)
• Database connection strings
• OAuth tokens & refresh tokens
• 50+ patterns + high-entropy string detection

⚡ Auto-Fix & Remediation

• One-command patching - Automatically upgrade vulnerable packages
• Automatic backups - Timestamped snapshots before changes
• Dry-run mode - Preview changes without applying
• Rollback support - Restore from backup if issues occur
• Fix wizard - Step-by-step guided remediation

🔄 CI/CD Integration

# GitHub Actions
- name: Security Scan
  run: |
    pip install -r requirements.txt
    python src/cli.py scan . -o results.json

• SARIF export for GitHub Code Scanning
• JSON reports for automated processing
• Exit codes for build failures on criticals
• Watch mode for continuous monitoring

📋 60+ Interactive Commands

Scanning: Full scan, React, Next.js, npm, Node.js, n8n, supply chain, custom
Malware: Deep scan, quarantine, package removal, code cleaning
Secrets: Scan all files, .env targeting, high-entropy detection
Live Probing: Test URLs for exploitable vulnerabilities
CVE Intelligence: List CVEs, filter by severity, bug bounty targets
Reports: JSON, SARIF, Markdown, security scoring (A-F)
Auto-Fix: Patch vulnerabilities, preview changes, rollback
Dependencies: Lockfile analysis, duplicate detection, typosquatting
SBOM: Generate CycloneDX or SPDX bills of materials
And more: Ignore rules, GitHub Advisory queries, dependency trees

See full command reference →

---

📖 Common Use Cases

🔍 Audit your React/Next.js app

python src/cli.py scan ~/my-nextjs-app --scanner nextjs

🛡️ Check before npm install

# Sandbox install + scan in temp directory
python src/cli.py shell
> 1b  # Pre-Download Check
> suspicious-package-name

🚨 Hunt for a specific CVE

python src/cli.py shell
> 1d  # CVE Hunter
> CVE-2025-29927
> /path/to/project

🤖 Live probe for exploits

python src/cli.py live https://target.com --scanner n8n

📊 Generate security report

python src/cli.py scan . -o report.json
python src/cli.py shell
> 37  # Export SARIF for GitHub Code Scanning

---

🎓 Why Python for a JavaScript Security Tool?

Shellockolm scans JavaScript projects from the outside — it doesn't execute your code, it inspects it.

• ✅ No conflict with target - No shared dependencies, no node_modules pollution
• ✅ No supply chain risk to scanner - Zero npm dependencies = zero attack surface
• ✅ Cross-platform with no build - Works on Windows/Linux/macOS with pip install
• ✅ Rich CLI out of box - Beautiful tables, progress bars, colored output
• ✅ Fast enough - Static analysis doesn't need V8's JIT

The scanner sits outside the blast radius of the ecosystem it's auditing.

---

🔒 Privacy & Security

• 100% Local — All scans run on your machine
• No Upload — Your code never leaves your system
• No Telemetry — Zero data collection
• No API Keys — Works completely offline
• Open Source — Full transparency (MIT License)

---

📚 Complete Command Reference

Expand to see all 60+ commands

Scanning

Command	Name	What It Does
1	Full Scan	Runs all 7 scanners on a directory to detect 32 CVEs across React, Next.js, Node.js, npm, n8n, supply chain, and Clawdbot/Moltbot.
1a	Scan ALL npm	Auto-discovers and scans every npm project on your system by finding all package.json files.
1b	Pre-Download Check	Sandbox-installs an npm package to a temp directory, scans it for malware and vulns, then destroys the sandbox.
1c	Deep Scan	Version checks + code pattern analysis + config inspection — shows step-by-step HOW each vulnerability is detected.
1d	CVE Hunter	Target a single CVE by ID and see real-time detection output against your project.
1e	Custom Scan	Pick exactly which scanners to run (toggle React, Next.js, npm, Node.js, n8n, Supply Chain, Clawdbot on/off).
2	React Scanner	Scan for React Server Components RCE (CVE-2025-55182, CVE-2025-66478).
3	Next.js Scanner	Scan for Next.js middleware bypass (CVE-2025-29927) and RSC vulnerabilities.
4	npm Packages	Scan for vulns in mysql2, jsonpath-plus, body-parser, multer, nuxt, AdonisJS.
5	Node.js Runtime	Scan for Node.js runtime vulnerabilities from the January 2026 security release.
6	n8n Scanner	Scan for n8n workflow automation vulns including Ni8mare unauthenticated RCE.
7	Supply Chain	Detect Shai-Hulud worm campaign, eslint-config-prettier compromise, malicious install scripts.

Live Probing

Command	Name	What It Does
8	Probe All	Actively probe a live URL for exploitable vulnerabilities (Next.js + n8n).
9	Next.js Probe	Test a URL for CVE-2025-29927 middleware bypass via x-middleware-subrequest header injection.
10	n8n Probe	Test a URL for CVE-2026-21858 Ni8mare unauthenticated RCE via Content-Type confusion.

CVE Intelligence

Command	Name	What It Does
11	List All CVEs	Display all 32 tracked CVEs with severity, CVSS scores, and affected packages.
12	Critical Only	Filter to show only CRITICAL severity CVEs (CVSS 9.0+).
13	Bug Bounty	List CVEs that are high-value bug bounty targets — critical severity or with public PoCs.
14	CVE Details	Get full details on a specific CVE: description, affected versions, patches, references.
15	List Scanners	Show all 7 scanners with their descriptions, CVE coverage, and capabilities.

Malware Analysis

Command	Name	What It Does
17	Deep Malware Scan	Scan node_modules and project files for RCE payloads, backdoors, cryptominers, data exfiltration, and typosquatting.
18	Quick Malware Scan	Fast scan of project files only (skips node_modules) — good for checking your own code for injected malware.
19	Quarantine File	Move a malicious file to quarantine with original path preserved for potential restoration.
20	Remove Package	Completely remove a malicious npm package from node_modules, backing up to quarantine first.
21	Clean Malicious Code	Surgically remove only malicious code from a file while preserving legitimate code (creates backup).
22	View Report	Display the latest malware analysis report with findings, threat levels, and remediation steps.

Secrets Scanner

Command	Name	What It Does
23	Scan for Secrets	Deep scan for API keys, tokens, passwords, AWS credentials, GitHub tokens, Stripe keys, and 50+ patterns.
24	Scan .env Files	Target .env files specifically for hardcoded secrets and credentials.
25	High Entropy	Use entropy-based detection to find random strings that may be unknown API key formats.
26	View Report	Display the latest secrets scan report with risk levels and recommendations.

Security Score

Command	Name	What It Does
27	Security Score	Generate a comprehensive A-F security grade analyzing vulns, malware, secrets, deps, and config.
28	Quick Check	Fast security assessment without deep scanning — good for CI/CD pipelines.
29	View Report	Display detailed security report with category breakdown and improvement tips.

Auto-Fix

Command	Name	What It Does
30	Auto-Fix	Automatically upgrade vulnerable packages to patched versions (creates backup first).
31	Preview Fixes	Dry-run showing what packages would be upgraded without making any changes.
32	Rollback	Restore package.json from backup if auto-fix caused issues.

[See remaining 30+ commands in original README]

---

📊 Tracked CVEs

All 32 CVEs (click to expand)

CVE	Severity	CVSS	Package	Description
CVE-2025-55182	Critical	10.0	React	Server Components RCE via unsafe deserialization (React2Shell)
CVE-2025-66478	Critical	10.0	Next.js	Server Components RCE — duplicate of CVE-2025-55182 for Next.js
CVE-2025-29927	Critical	9.1	Next.js	Middleware authorization bypass via x-middleware-subrequest header
CVE-2026-21858	Critical	10.0	n8n	Ni8mare — unauthenticated RCE via Content-Type confusion
CVE-2025-68613	High	—	n8n	Expression injection RCE (authenticated)
CVE-2025-68668	High	—	n8n	Python Code Node RCE
CVE-2025-55184	High	7.5	React	Server Components DoS via infinite loop
CVE-2025-67779	High	7.5	React	DoS incomplete fix for CVE-2025-55184
CVE-2025-55183	Medium	5.3	React	Server Components source code exposure
CVE-2024-21508	High	—	mysql2	Remote Code Execution
CVE-2024-21534	High	—	jsonpath-plus	Remote Code Execution
CVE-2025-1302	High	—	jsonpath-plus	RCE (incomplete fix for CVE-2024-21534)

[... remaining CVEs in original README]

---

🤝 Contributing

Found a bug? Have a feature request? Want to add CVE coverage?

• Issues
• Discussions
• Contributing Guide
• Code of Conduct

---

📝 License

MIT License — See LICENSE

📚 More Documentation:

• Installation Guide
• Quick Start
• Fast Install Reference
• MCP Server Setup
• MCP Quick Start
• MCP Usage Examples
• Claude Code CLI Setup
• Contributing Guidelines
• Security Policy
• Code of Conduct
• Changelog
• Privacy & Security

---

⭐ Star this repo if it helped secure your applications

Get Started | Features | Contributors | Report Issue

Built with 🔍 by @hlsitechio & AI (Claude + GitHub Copilot) | For the security community