Show HN: A tool to detect malware left behind after patching CVE-2025-55182

2 | by Just_Clive | 8 days ago | original post
I'm Clive, a developer from South Africa. Four days ago, Eduardo Borges posted about getting hacked through CVE-2025-55182 (the React Server Components RCE). His server was patched, but the malware stayed: crypto miners, fake services named "nginxs" and "apaches", cron jobs for persistence. CPU at 361%. Part of a 415-server botnet.

That's when I realized: patching removes the vulnerability, but not the infection.

I built NeuroLint originally as a deterministic code transformation tool for React/Next.js (no AI, just AST-based fixes). When this CVE dropped, I added Layer 8: Security Forensics.

It scans for 80+ indicators of compromise:

- Suspicious processes (high CPU, random names, fake services)
- Malicious files in /tmp, modified system binaries
- Persistence mechanisms (cron jobs, systemd services, SSH keys)
- Network activity (mining pools, C2 servers)
- Docker containers running as root with unauthorized changes
- Crypto mining configs (c.json, wallet addresses)

Try it:

```
npm install -g @neurolint/cli
neurolint security:scan-breach . --deep
```

No signup required. Works on Linux/Mac. Takes ~5 minutes for a deep scan.

What's different from manual detection:

- AST-based code analysis (detects obfuscated patterns)
- 80+ behavioral signatures vs. 5-10 manual grep commands
- Automated remediation (--fix flag)
- Timeline reconstruction showing when the breach occurred
- Infrastructure-wide scanning (--cidr flag for networks)

The tool is deterministic (not AI). Same input = same output every time. Uses the Babel parser for AST transformation with fail-safe validation: if a transformation fails syntax checks, it reverts.

Built it in 3 days based on Eduardo's forensics and other documented breaches. Already found dormant miners in test environments.

GitHub: [https://github.com/Alcatecablee/Neurolint-CLI](https://github.com/Alcatecablee/Neurolint-CLI)
NPM: [https://www.npmjs.com/package/@neurolint/cli](https://www.npmjs.com/package/@neurolint/cli)

If you were running React 19 or Next.js 15-16 between Dec 3-7, run the scanner even if you already patched. Especially if you already patched.

Happy to answer questions about the detection logic, AST parsing approach, or the CVE itself.
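A small illustration of the process and cron checks the post's indicator list describes (look-alike service names such as "nginxs", high CPU, cron entries running out of /tmp), added here as an example and not NeuroLint's own code. It runs over constructed `ps`-style and crontab lines; the CPU threshold and the list of legitimate daemon names are assumptions.

```javascript
// Added example, not part of NeuroLint. Triage checks over constructed sample data.

// Assumed list of legitimate daemon names that look-alike malware imitates.
const LEGIT_SERVICES = ["nginx", "apache", "apache2", "sshd", "systemd", "cron", "crond"];
const CPU_THRESHOLD = 90.0; // percent; assumed cut-off for "high CPU"

// Parse one line of `ps -eo pid,pcpu,comm` output, e.g. "4412 361.0 nginxs".
// Returns null for the header line or anything that does not fit.
function parsePsLine(line) {
  const m = line.trim().match(/^(\d+)\s+([\d.]+)\s+(\S+)$/);
  if (!m) return null;
  return { pid: Number(m[1]), cpu: Number(m[2]), comm: m[3] };
}

// A name that is a known daemon name plus one or two extra characters
// ("nginxs", "apaches") is a look-alike, not the real service.
function isLookalikeService(comm) {
  if (LEGIT_SERVICES.includes(comm)) return false;
  return LEGIT_SERVICES.some((svc) => comm.startsWith(svc) && comm.length - svc.length <= 2);
}

// Flag processes by high CPU and/or look-alike name; each hit lists its reasons.
function findSuspiciousProcesses(psLines) {
  const hits = [];
  for (const line of psLines) {
    const p = parsePsLine(line);
    if (!p) continue;
    const reasons = [];
    if (p.cpu >= CPU_THRESHOLD) reasons.push(`cpu ${p.cpu}%`);
    if (isLookalikeService(p.comm)) reasons.push(`look-alike name ${p.comm}`);
    if (reasons.length) hits.push({ pid: p.pid, comm: p.comm, reasons });
  }
  return hits;
}

// Cron entries that execute from /tmp or /dev/shm match the persistence
// pattern the post describes; comment lines are ignored.
function findSuspiciousCron(cronLines) {
  const fromScratchDir = /(\/tmp\/|\/dev\/shm\/)/;
  return cronLines.filter((l) => !l.trim().startsWith("#") && fromScratchDir.test(l));
}

// Constructed sample input (not captured from a real host).
const SAMPLE_PS = ["  PID %CPU COMMAND", "    1  0.0 systemd", " 2231  1.2 nginx",
  " 4412 361.0 nginxs", " 4420  0.3 apaches"];
const SAMPLE_CRON = ["# m h dom mon dow command", "0 3 * * * /usr/bin/certbot renew",
  "*/5 * * * * /tmp/.x/run.sh"];

console.log(findSuspiciousProcesses(SAMPLE_PS)); // 2 hits: pid 4412 (two reasons), pid 4420
console.log(findSuspiciousCron(SAMPLE_CRON));    // 1 entry: the /tmp/.x/run.sh job
```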