Share
## https://sploitus.com/exploit?id=00CD710B-0F9F-5FE6-8B88-DEADB938B30E
## CVE-2025-55182 Indicator Scanner

This repository provides a Python-based scanner for indicators of compromise related to CVE-2025-55182 (React Server Components RCE) and the specific multi-stage malware described in the Asleepace incident report. It is designed to run on Linux and macOS and focuses on host-level and application-level artifacts that are likely to appear on compromised systems.

### What this scanner checks

- **Filesystem IoCs**: Known malicious paths and binaries described in the incident report (for example `meshagent`, `fghgf`, `defunct`, `0dd1429aws`, `systemd-daemon`, `sex.sh`, temp `kodoha*/xmrig`, and related payload/script locations).
- **Suspicious processes**: Processes whose command lines contain known malware identifiers such as `meshagent`, `nextjss`, `nginxx`, `fghgf`, `xmrig`, `systemd-daemon`, or `docker-daemon`.
- **systemd services (Linux)**: Presence of suspicious services and unit files such as `nginxx.service`, `nextjss.service`, `system-daemon.service`, and `system-update-service.service`.
- **Cron persistence**: Entries in system and user crontabs that reference known malware components (e.g. MeshAgent hiding cron, XMRig miner, health/find/sex scripts, or the bind-mount `/proc` stealth technique).
- **JavaScript XOR injection**: JavaScript/TypeScript files containing the `xorDecode(` pattern used by the XOR-encoded loader injected into `node_modules` and `ecosystem.config.js`, as described in the incident report.

The scanner does not attempt remediation; it only reports suspicious findings and returns a non-zero exit code if anything suspicious is detected.

### Requirements

- **Python**: 3.8+ recommended
- **OS**: Linux or macOS

The script uses only the Python standard library; no external Python packages are required.

### Basic usage

- **Run from the repository root (default, human-readable output)**:

```bash
python3 cve_2025_55182_scanner.py
```

- **Scan a specific project or root directory for JS XOR injection IoCs**:

```bash
python3 cve_2025_55182_scanner.py --root /path/to/your/nextjs-or-react-project
```

- **Produce JSON output (for automation or log ingestion)**:

```bash
python3 cve_2025_55182_scanner.py --json
```

- **Skip JavaScript XOR injection scanning (system-level checks only)**:

```bash
python3 cve_2025_55182_scanner.py --skip-js-scan
```

- **Combine flags as needed**:

```bash
python3 cve_2025_55182_scanner.py --root /var/www/app --json
```

### Exit codes

- **0**: No suspicious indicators were found (all checks passed).
- **1**: One or more suspicious indicators were found (at least one check failed).

### Typical workflows

- **Quick host triage (Linux or macOS)**:
  - **Command**:
    - `python3 cve_2025_55182_scanner.py`
  - **Use when**:
    - You suspect the host may have been exploited via CVE-2025-55182 and want a fast overview of processes, filesystem, systemd, and cron IoCs.

- **Application-focused scan (Next.js/React project)**:
  - **Command**:
    - `python3 cve_2025_55182_scanner.py --root /path/to/app`
  - **Use when**:
    - You want to check for malicious XOR-based JavaScript injections (e.g. in `node_modules` or application code) in addition to system-level IoCs.

- **CI / automated environment**:
  - **Command**:
    - `python3 cve_2025_55182_scanner.py --root . --json`
  - **Use when**:
    - You need structured JSON output for dashboards, logs, or automated decisions.

### Special thanks and reference

- **Incident report and IoCs**:
  - This scanner’s checks and indicators of compromise are heavily based on the detailed public incident report by Asleepace:
  - [`https://asleepace.com/blog/malware-cve-2025-55182-exploitation-incident-report`](https://asleepace.com/blog/malware-cve-2025-55182-exploitation-incident-report)

Special thanks to Asleepace for documenting the CVE-2025-55182 exploitation and associated malware behaviors in depth, which made it possible to build this focused scanner.