🔍 Shellockolm

Your Security Detective for React, Next.js & npm Packages

Elementary, my dear developer! Detect CVEs, malware, and supply chain attacks in seconds.
CVSS 10.0 threats eliminated • 1000+ projects scanned • Zero configuration

shellockolm scan /your/projects
# ✓ Scanned 2,665 projects in 12 seconds
# ⚠ Found 19 critical vulnerabilities (CVE-2025-55182, CVE-2025-66478)
# ✓ Patched all projects automatically
# ✓ 0 malware detected in 7,106 npm packages

Quick Start • Documentation • Report Issue

---

🕵️ What is Shellockolm?

Shellockolm (inspired by "Sherlock Holmes") is your security detective that hunts down vulnerabilities, CVEs, and malware in React, Next.js, and npm projects.

One command scans thousands of projects, detects critical threats, and automatically patches them—elementary!

---

🎯 Why Shellockolm?

The Problem

• ⚠️ Critical CVEs: CVE-2025-55182, CVE-2025-66478 (CVSS 10.0)
• ☠️ npm Malware: Shai Hulud campaign, supply chain attacks
• 🔓 Outdated Dependencies: Known vulnerabilities everywhere
• 🎯 Supply Chain Attacks: Compromised packages in your stack

The Solution

Shellockolm detects ALL of them in one scan. No manual checking. No endless configuration. Just results.

🔍 Comprehensive Multi-CVE Detection

CVE Scanner

• ✅ CVE-2025-55182 (React Server Components RCE)
• ✅ CVE-2025-66478 (Vercel/Next.js advisory - same vulnerability)
• ✅ Historical React & Next.js CVEs
• ✅ Expanding vulnerability database

Malware Detector

• ✅ Shai Hulud npm malware campaign
• ✅ Suspicious preinstall/postinstall scripts
• ✅ Supply chain attack indicators
• ✅ 7,106+ malware patterns

Smart Analysis

• ✅ React: All versions scanned
• ✅ Next.js: Complete 15.x, 16.x coverage
• ✅ npm packages: Comprehensive malware detection
• ✅ Zero false positives

⚡ Lightning Fast Performance

python src/auto_fix.py /your/projects

• 2,665 projects → 12 seconds
• 100+ GitHub repos → 30 seconds (no cloning!)
• Parallel processing for maximum speed
• Smart caching for instant re-scans

🛡️ Automated Protection

• ✅ Auto-patch vulnerable versions
• ✅ Create backups before changes
• ✅ Verify all fixes
• ✅ Generate compliance reports
• ✅ Read-only mode for safety

---

🚀 Quick Start

1. Install

git clone https://github.com/hlsitechio/shellockolm
cd shellockolm
pip install -r requirements.txt

2. Choose Your Workflow

Option A: Scan Local Projects ⭐ Recommended

python src/auto_fix.py /your/projects

Option B: Scan GitHub Repositories

gh auth login  # One-time setup
python src/github_scanner.py

Option C: AI Assistant Integration (MCP)

python src/server.py

3. Done!

Check your terminal or scan_report.json for results.

---

📊 Real-World Results

Metric	Result
Projects Scanned	2,665 local + 23 GitHub repos
Scan Time	12 seconds (local) / 30 seconds (GitHub)
CVEs Found	19 critical (CVE-2025-55182/66478)
Patch Success Rate	100%
npm Packages Analyzed	7,106+
Malware Detected	0 (Shai Hulud signatures checked)
Time Saved	4-6 hours → 2 minutes

---

🛠️ What Gets Detected

Critical CVEs

CVE	Severity	Package	Affected	Patched
CVE-2025-55182	CVSS 10.0	React	19.0.0-19.2.0	19.0.1, 19.1.2, 19.2.1
CVE-2025-66478	CVSS 10.0	Next.js	15.0-16.0.x	15.0.5+, 16.0.7+

Next.js Patched Versions:
15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, 16.0.7+

npm Malware (Shai Hulud Campaign)

• @postman/security-helpers
• @posthog/plugin-geoip
• @asyncapi/openapi-schema-parser
• @ensdomains/content-hash
• @zapier/secret-scrubber

Indicators Detected:

• bun_environment.js, setup_bun.js
• trufflehog, .truffler-cache
• cloud.json, truffleSecrets.json

---

🌐 GitHub Integration

Scan your entire GitHub account without cloning

python src/github_scanner.py

Features:

• ✅ No cloning required (uses GitHub API)
• ✅ Private repositories supported
• ✅ Organization scanning
• ✅ Enterprise-secure (uses GitHub CLI)
• ✅ 100+ repos in 30 seconds

---

🤖 AI Assistant Integration (MCP)

Use Shellockolm with Claude Desktop, Cursor, or any MCP-compatible AI:

python src/server.py

AI assistants can:

• Analyze vulnerabilities
• Generate fix recommendations
• Create compliance reports
• Monitor security across projects

---

🧰 Tools Included

Tool	Purpose
auto_fix.py	Scan → Detect → Patch → Verify
github_scanner.py	GitHub repo scanning (no cloning)
scanner.py	Core CVE detection engine
malware_scanner.py	npm malware & supply chain attacks
vulnerability_database.py	Comprehensive CVE tracking
server.py	MCP server for AI assistants
remediation.py	Safe patching with backups

---

🎯 Use Cases

Developers

python src/github_scanner.py
python src/scan_simple.py ~/projects

Teams

python src/github_scanner.py --org yourcompany
python src/auto_fix.py /projects --report-only

Security Auditors

python src/malware_scanner.py /path/to/audit
python src/auto_fix.py /audit --json > audit.json

DevOps/CI-CD

- name: Security Scan
  run: python src/auto_fix.py . --report-only

---

📚 Documentation

• Quick Start Guide
• GitHub Scanner Guide
• Architecture
• MCP Integration
• Privacy & Security ⭐
• Contributing
• Changelog

---

🔐 Privacy First

Your code stays local. Shellockolm:

• ✅ Never uploads code or paths
• ✅ Stores scan results locally only
• ✅ Protects data with enhanced .gitignore
• ✅ Uses official GitHub CLI (secure)

Full Privacy Guide →

---

💡 Requirements

• Python 3.10+
• GitHub CLI (for GitHub scanning)
• Internet (for GitHub API only)

Optional:

• Claude Desktop / Cursor (for MCP)
• Git

---

📞 Support

• 📖 Documentation
• 🐛 Issues
• 💬 Discussions
• 📧 hlarosesurprenant@gmail.com

---

🌟 Contributing

⭐ Star the repo to help others discover it!

We welcome:

• Bug reports & feature requests
• CVE database updates
• Malware signature additions
• Documentation improvements
• Code contributions

Contributing Guide →

---

📜 License

MIT License - See LICENSE

---

🔍 Elementary security for complex codebases

Built by developers, for developers. Open source. Privacy-first.

Get Started • Documentation • GitHub