Show HN: Tool to detect malware left behind after patching CVE-2025-55182
Just_Clive Tuesday, December 09, 2025I'm Clive, a developer from South Africa. Four days ago, Eduardo Borges posted about getting hacked through CVE-2025-55182 (the React Server Components RCE). His server was patched, but the malware stayed, crypto miners, fake services named "nginxs" and "apaches", cron jobs for persistence. CPU at 361%. Part of a 415-server botnet.
That's when I realized: patching removes the vulnerability, but not the infection.
I built NeuroLint originally as a deterministic code transformation tool for React/Next.js (no AI, just AST-based fixes). When this CVE dropped, I added Layer 8: Security Forensics.
It scans for 80+ indicators of compromise: - Suspicious processes (high CPU, random names, fake services) - Malicious files in /tmp, modified system binaries - Persistence mechanisms (cron jobs, systemd services, SSH keys) - Network activity (mining pools, C2 servers) - Docker containers running as root with unauthorized changes - Crypto mining configs (c.json, wallet addresses)
Try it: npm install -g @neurolint/cli neurolint security:scan-breach . --deep
No signup required. Works on Linux/Mac. Takes ~5 minutes for a deep scan.
What's different from manual detection: - AST-based code analysis (detects obfuscated patterns) - 80+ behavioral signatures vs. 5-10 manual grep commands - Automated remediation (--fix flag) - Timeline reconstruction showing when breach occurred - Infrastructure-wide scanning (--cidr flag for networks)
The tool is deterministic (not AI). Same input = same output every time. Uses Babel parser for AST transformation with fail-safe validation - if a transformation fails syntax checks, it reverts.
Built it in 3 days based on Eduardo's forensics and other documented breaches. Already found dormant miners in test environments.
GitHub: https://github.com/Alcatecablee/Neurolint-CLI NPM: https://www.npmjs.com/package/@neurolint/cli
If you were running React 19 or Next.js 15-16 between Dec 3-7, run the scanner even if you already patched. Especially if you already patched.
Happy to answer questions about the detection logic, AST parsing approach, or the CVE itself.