hlsitechio/shellockolm
This toolset provides a comprehensive solution for detecting and patching the critical CVE-2025-55182 vulnerability, known as React2Shell, which affects React Server Components.

🔍 Shellockolm
Your Security Detective for React, Next.js & npm Packages
Elementary, my dear developer! Detect CVEs, malware, and supply chain attacks in seconds.
CVSS 10.0 threats eliminated • 1000+ projects scanned • Zero configuration
```bash
shellockolm scan /your/projects
# ✓ Scanned 2,665 projects in 12 seconds
# ⚠ Found 19 critical vulnerabilities (CVE-2025-55182, CVE-2025-66478)
# ✓ Patched all projects automatically
# ✓ 0 malware detected in 7,106 npm packages
```
🕵️ What is Shellockolm?
Shellockolm (inspired by "Sherlock Holmes") is your security detective that hunts down vulnerabilities, CVEs, and malware in React, Next.js, and npm projects.
One command scans thousands of projects, detects critical threats, and automatically patches them—elementary!
🎯 Why Shellockolm?
The Problem
- ⚠️ Critical CVEs: CVE-2025-55182, CVE-2025-66478 (CVSS 10.0)
- ☠️ npm Malware: Shai Hulud campaign, supply chain attacks
- 🔓 Outdated Dependencies: Known vulnerabilities everywhere
- 🎯 Supply Chain Attacks: Compromised packages in your stack
The Solution
Shellockolm detects ALL of them in one scan. No manual checking. No endless configuration. Just results.
🔍 Comprehensive Multi-CVE Detection
CVE Scanner
- ✅ CVE-2025-55182 (React Server Components RCE)
- ✅ CVE-2025-66478 (Vercel/Next.js advisory - same vulnerability)
- ✅ Historical React & Next.js CVEs
- ✅ Expanding vulnerability database
Malware Detector
- ✅ Shai Hulud npm malware campaign
- ✅ Suspicious preinstall/postinstall scripts
- ✅ Supply chain attack indicators
- ✅ 7,106+ malware patterns
Smart Analysis
- ✅ React: All versions scanned
- ✅ Next.js: Complete 15.x, 16.x coverage
- ✅ npm packages: Comprehensive malware detection
- ✅ Zero false positives
⚡ Lightning Fast Performance
```bash
python src/auto_fix.py /your/projects
```
- 2,665 projects → 12 seconds
- 100+ GitHub repos → 30 seconds (no cloning!)
- Parallel processing for maximum speed
- Smart caching for instant re-scans
🛡️ Automated Protection
- ✅ Auto-patch vulnerable versions
- ✅ Create backups before changes
- ✅ Verify all fixes
- ✅ Generate compliance reports
- ✅ Read-only mode for safety
🚀 Quick Start
1. Install
```bash
git clone https://github.com/hlsitechio/shellockolm
cd shellockolm
pip install -r requirements.txt
```
2. Choose Your Workflow
Option A: Scan Local Projects ⭐ Recommended
```bash
python src/auto_fix.py /your/projects
```
Option B: Scan GitHub Repositories
```bash
gh auth login   # One-time setup
python src/github_scanner.py
```
Option C: AI Assistant Integration (MCP)
```bash
python src/server.py
```
3. Done!
Check your terminal or scan_report.json for results.
📊 Real-World Results
| Metric | Result |
|---|---|
| Projects Scanned | 2,665 local + 23 GitHub repos |
| Scan Time | 12 seconds (local) / 30 seconds (GitHub) |
| CVEs Found | 19 critical (CVE-2025-55182/66478) |
| Patch Success Rate | 100% |
| npm Packages Analyzed | 7,106+ |
| Malware Detected | 0 (Shai Hulud signatures checked) |
| Time Saved | 4-6 hours → 2 minutes |
🛠️ What Gets Detected
Critical CVEs
| CVE | Severity | Package | Affected | Patched |
|---|---|---|---|---|
| CVE-2025-55182 | CVSS 10.0 | React | 19.0.0-19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| CVE-2025-66478 | CVSS 10.0 | Next.js | 15.0-16.0.x | 15.0.5+, 16.0.7+ |
Next.js Patched Versions:
15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, 16.0.7+
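As an added example (not code from the Shellockolm repository), the check below applies the affected/patched ranges from the table above to a package.json. It assumes each "x.y.z+" entry bounds only its own minor line and treats the lower bound of a declared spec such as `^19.1.0` as the installed version, so in practice the lockfile is the better input.

```python
import json
import re

# Minimum safe patch level per affected minor line, taken from the README's
# "Critical CVEs" table (assumption: each "x.y.z+" entry bounds its own minor line).
PATCHED_FLOOR = {
    "react": {(19, 0): 1, (19, 1): 2, (19, 2): 1},
    "next": {(15, 0): 5, (15, 1): 9, (15, 2): 6, (15, 3): 6,
             (15, 4): 8, (15, 5): 7, (16, 0): 7},
}
CVE_FOR = {"react": "CVE-2025-55182", "next": "CVE-2025-66478"}

# Accepts bare versions and common npm range prefixes (^, ~, =, v).
_SEMVER = re.compile(r"^\s*[\^~=v]*\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(spec):
    """Turn '^19.1.0' / '19.2.0' into (major, minor, patch); None if not a numeric spec."""
    m = _SEMVER.match(spec)
    return tuple(int(x) for x in m.groups()) if m else None


def check_package(name, spec):
    """Return (cve, fixed_version) if the version is in an affected range, else None."""
    floors = PATCHED_FLOOR.get(name)
    ver = parse_version(spec)
    if not floors or ver is None:
        return None
    floor = floors.get(ver[:2])
    if floor is None or ver[2] >= floor:
        return None
    return CVE_FOR[name], f"{ver[0]}.{ver[1]}.{floor}"


def scan_package_json(text):
    """Scan the dependency sections of a package.json string; return {name: (cve, fix)}."""
    pkg = json.loads(text)
    findings = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            hit = check_package(name, spec)
            if hit:
                findings[name] = hit
    return findings


# Constructed sample manifest (not from the README): one vulnerable react, one patched next.
SAMPLE = json.dumps({"dependencies": {"react": "^19.1.0", "next": "15.5.7", "lodash": "4.17.21"}})

if __name__ == "__main__":
    for name, (cve, fix) in scan_package_json(SAMPLE).items():
        print(f"{name}: {cve} -> upgrade to {fix}")
```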
npm Malware (Shai Hulud Campaign)
Compromised packages:
- `@postman/security-helpers`
- `@posthog/plugin-geoip`
- `@asyncapi/openapi-schema-parser`
- `@ensdomains/content-hash`
- `@zapier/secret-scrubber`
Indicators Detected:
- `bun_environment.js`
- `setup_bun.js`
- `trufflehog`
- `.truffler-cache`
- `cloud.json`
- `truffleSecrets.json`
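An added example, not the project's own `malware_scanner.py`: a manifest check that flags the compromised package names listed above and any preinstall/postinstall script that references one of the indicator files, plus a helper that spots those filenames in a directory listing. The sample manifest is constructed for the demonstration.

```python
import json

# Package names and file indicators as listed in the README's Shai Hulud section.
COMPROMISED_PACKAGES = {
    "@postman/security-helpers", "@posthog/plugin-geoip",
    "@asyncapi/openapi-schema-parser", "@ensdomains/content-hash",
    "@zapier/secret-scrubber",
}
INDICATOR_FILES = {"bun_environment.js", "setup_bun.js", "trufflehog",
                   ".truffler-cache", "cloud.json", "truffleSecrets.json"}
# The README names preinstall/postinstall as the hooks worth inspecting.
LIFECYCLE_HOOKS = ("preinstall", "postinstall")


def inspect_manifest(text):
    """Return a list of (severity, reason) findings for one package.json string."""
    pkg = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name in pkg.get(section, {}):
            if name in COMPROMISED_PACKAGES:
                findings.append(("critical", f"{section}: {name} is a known Shai Hulud package"))
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if not cmd:
            continue
        hit = sorted(f for f in INDICATOR_FILES if f in cmd)
        if hit:
            findings.append(("critical", f"{hook} script references indicator {hit[0]}"))
        else:
            # Any lifecycle hook deserves a human look even without a known indicator.
            findings.append(("review", f"{hook} script present: {cmd!r}"))
    return findings


def inspect_tree(files):
    """files: iterable of relative paths (e.g. from os.walk); return those named like an indicator."""
    return sorted(p for p in files if p.rsplit("/", 1)[-1] in INDICATOR_FILES)


# Constructed sample manifest (not from the README) that trips both checks.
SAMPLE_MANIFEST = json.dumps({
    "dependencies": {"@posthog/plugin-geoip": "1.0.0", "react": "19.2.1"},
    "scripts": {"postinstall": "node setup_bun.js", "build": "next build"},
})

if __name__ == "__main__":
    for severity, reason in inspect_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {reason}")
```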
🌐 GitHub Integration
Scan your entire GitHub account without cloning
```bash
python src/github_scanner.py
```
Features:
- ✅ No cloning required (uses GitHub API)
- ✅ Private repositories supported
- ✅ Organization scanning
- ✅ Enterprise-secure (uses GitHub CLI)
- ✅ 100+ repos in 30 seconds
🤖 AI Assistant Integration (MCP)
Use Shellockolm with Claude Desktop, Cursor, or any MCP-compatible AI:
```bash
python src/server.py
```
AI assistants can:
- Analyze vulnerabilities
- Generate fix recommendations
- Create compliance reports
- Monitor security across projects
🧰 Tools Included
| Tool | Purpose |
|---|---|
| auto_fix.py | Scan → Detect → Patch → Verify |
| github_scanner.py | GitHub repo scanning (no cloning) |
| scanner.py | Core CVE detection engine |
| malware_scanner.py | npm malware & supply chain attacks |
| vulnerability_database.py | Comprehensive CVE tracking |
| server.py | MCP server for AI assistants |
| remediation.py | Safe patching with backups |
🎯 Use Cases
Developers
```bash
python src/github_scanner.py
python src/scan_simple.py ~/projects
```
Teams
```bash
python src/github_scanner.py --org yourcompany
python src/auto_fix.py /projects --report-only
```
Security Auditors
```bash
python src/malware_scanner.py /path/to/audit
python src/auto_fix.py /audit --json > audit.json
```
DevOps/CI-CD
```yaml
- name: Security Scan
  run: python src/auto_fix.py . --report-only
```
📚 Documentation
🔐 Privacy First
Your code stays local. Shellockolm:
- ✅ Never uploads code or paths
- ✅ Stores scan results locally only
- ✅ Protects data with enhanced .gitignore
- ✅ Uses official GitHub CLI (secure)
💡 Requirements
- Python 3.10+
- GitHub CLI (for GitHub scanning)
- Internet (for GitHub API only)
Optional:
- Claude Desktop / Cursor (for MCP)
- Git
📞 Support
🌟 Contributing
⭐ Star the repo to help others discover it!
We welcome:
- Bug reports & feature requests
- CVE database updates
- Malware signature additions
- Documentation improvements
- Code contributions
📜 License
MIT License - See
🔍 Elementary security for complex codebases
Built by developers, for developers. Open source. Privacy-first.