## https://sploitus.com/exploit?id=00CD710B-0F9F-5FE6-8B88-DEADB938B30E
## CVE-2025-55182 Indicator Scanner
This repository provides a Python-based scanner for indicators of compromise related to CVE-2025-55182 (React Server Components RCE) and the specific multi-stage malware described in the Asleepace incident report. It is designed to run on Linux and macOS and focuses on host-level and application-level artifacts that are likely to appear on compromised systems.
### What this scanner checks
- **Filesystem IoCs**: Known malicious paths and binaries described in the incident report (for example `meshagent`, `fghgf`, `defunct`, `0dd1429aws`, `systemd-daemon`, `sex.sh`, temp `kodoha*/xmrig`, and related payload/script locations).
- **Suspicious processes**: Processes whose command lines contain known malware identifiers such as `meshagent`, `nextjss`, `nginxx`, `fghgf`, `xmrig`, `systemd-daemon`, or `docker-daemon`.
- **systemd services (Linux)**: Presence of suspicious services and unit files such as `nginxx.service`, `nextjss.service`, `system-daemon.service`, and `system-update-service.service`.
- **Cron persistence**: Entries in system and user crontabs that reference known malware components (e.g. MeshAgent hiding cron, XMRig miner, health/find/sex scripts, or the bind-mount `/proc` stealth technique).
- **JavaScript XOR injection**: JavaScript/TypeScript files containing the `xorDecode(` pattern used by the XOR-encoded loader injected into `node_modules` and `ecosystem.config.js`, as described in the incident report.
The scanner does not attempt remediation; it only reports suspicious findings and returns a non-zero exit code if anything suspicious is detected.
### Requirements
- **Python**: 3.8+ recommended
- **OS**: Linux or macOS
The script uses only the Python standard library; no external Python packages are required.
### Basic usage
- **Run from the repository root (default, human-readable output)**:
```bash
python3 cve_2025_55182_scanner.py
```
- **Scan a specific project or root directory for JS XOR injection IoCs**:
```bash
python3 cve_2025_55182_scanner.py --root /path/to/your/nextjs-or-react-project
```
- **Produce JSON output (for automation or log ingestion)**:
```bash
python3 cve_2025_55182_scanner.py --json
```
- **Skip JavaScript XOR injection scanning (system-level checks only)**:
```bash
python3 cve_2025_55182_scanner.py --skip-js-scan
```
- **Combine flags as needed**:
```bash
python3 cve_2025_55182_scanner.py --root /var/www/app --json
```
### Exit codes
- **0**: No suspicious indicators were found (all checks passed).
- **1**: One or more suspicious indicators were found (at least one check failed).
### Typical workflows
- **Quick host triage (Linux or macOS)**:
- **Command**:
- `python3 cve_2025_55182_scanner.py`
- **Use when**:
- You suspect the host may have been exploited via CVE-2025-55182 and want a fast overview of processes, filesystem, systemd, and cron IoCs.
- **Application-focused scan (Next.js/React project)**:
- **Command**:
- `python3 cve_2025_55182_scanner.py --root /path/to/app`
- **Use when**:
- You want to check for malicious XOR-based JavaScript injections (e.g. in `node_modules` or application code) in addition to system-level IoCs.
- **CI / automated environment**:
- **Command**:
- `python3 cve_2025_55182_scanner.py --root . --json`
- **Use when**:
- You need structured JSON output for dashboards, logs, or automated decisions.
### Special thanks and reference
- **Incident report and IoCs**:
- This scanner’s checks and indicators of compromise are heavily based on the detailed public incident report by Asleepace:
- [`https://asleepace.com/blog/malware-cve-2025-55182-exploitation-incident-report`](https://asleepace.com/blog/malware-cve-2025-55182-exploitation-incident-report)
Special thanks to Asleepace for documenting the CVE-2025-55182 exploitation and associated malware behaviors in depth, which made it possible to build this focused scanner.