A fast, dependency-free malware scanner and remover for websites and servers.
Point it at a folder, see exactly what is infected, then quarantine the threats safely.
Website · npm · by JayHackPro
When a website is hacked, the attacker usually leaves something behind: a PHP webshell in the uploads folder, an obfuscated backdoor tacked onto a real file, an invisible iframe on the homepage, or a cryptocurrency miner buried in a script. Finding these by hand across thousands of files is slow and easy to get wrong.
JayShield does it in seconds. It reads every file, matches it against a library of malware techniques, checks its exact fingerprint against known bad files, and looks for the telltale shapes of packed and hidden code. Then it shows you a clear, ranked report and offers to move the threats into a local vault so your site stops serving them right away.
It is one small tool with no dependencies, so you can trust it, read it, and run it anywhere Node is installed.
No install required, run it straight from npm:
npx @jayhackpro/jayshield ./public_htmlProve it works on your machine first, using the harmless, industry-standard test file:
npx @jayhackpro/jayshield --selftestOr install it once and call it by name:
npm install -g @jayhackpro/jayshield
jayshield ./public_htmlThe examples below write jayshield for short, meaning however you choose to run it.
A report ranked by severity, with the exact line and a plain-language reason for every finding:
- Webshells: c99, r57, WSO, b374k, FilesMan, and the generic remote file managers and command runners built on the same patterns.
- Backdoors:
evalof request input, variable functions driven by$_GETand$_POST, thepreg_replace/etrick, remote payloads that are fetched and run, hardcoded password gates, and reverse shells. - Obfuscation: decode then run payloads, character code and hex string tricks, packed one-liners, and large encoded blobs paired with a decoder.
- Injected front-end malware: hidden or zero-size iframes,
document.writeof unescaped markup,eval(atob(...)), and redirects to decoded URLs. - Cryptocurrency miners: CoinHive and the browser mining scripts that spend your visitors' devices.
- Skimmers and spam: session cookie exfiltration and blocks of hidden SEO or pharma spam links.
- Disguised files: PHP hidden inside something that claims to be an image,
double extensions like
invoice.pdf.php, and executable scripts sitting in an uploads folder where only static files belong. - Known bad files: exact matches against a hash set you can extend, plus the EICAR antivirus test file.
JayShield never deletes your files. When you are ready to clean up, quarantine moves each flagged file into a local vault and records where it came from, so your live site stops serving it at once while every byte is kept.
# preview what would move, changing nothing
jayshield ./public_html --quarantine --dry-run
# move every threat into the vault
jayshield ./public_html --quarantine
# see what is in the vault
jayshield --list
# put a file back if a detection was wrong
jayshield --restore <id>
# put everything back
jayshield --restoreIf you have confirmed the files are malicious and want the disk space back, and only then, you can permanently delete the vault:
jayshield --purge --yesjayshield [paths...] [options]
| Option | What it does |
|---|---|
--quarantine |
Move every threat into the local vault |
--restore [id] |
Put quarantined files back, one or all |
--list |
Show what is in the vault |
--purge --yes |
Permanently delete the vault (last resort) |
--min-severity <level> |
critical, high, medium, or low |
--ignore-rule <id,...> |
Silence one or more rules by id |
--hashes <file> |
Add known bad sha256 hashes, one per line |
--max-size <MB> |
Skip files larger than this (default 5) |
--vault <dir> |
Quarantine folder (default .jayshield-quarantine) |
--follow-symlinks |
Follow symbolic links (off by default) |
--dry-run |
Show actions without changing anything |
--json |
Machine-readable output for pipelines |
--no-color |
Plain text |
--no-banner |
Hide the startup banner |
--banner |
Print the JayHackPro banner and exit |
-v, --verbose |
Include rule ids and references |
--selftest |
Detect the EICAR test file end to end |
-V, --version |
Print the version |
-h, --help |
Show help |
Exit codes: 0 clean, 1 threats found, 2 error. That makes JayShield easy
to drop into a CI pipeline or a cron job.
# fail the build if anything high or worse is found
jayshield ./release --min-severity high || exit 1
# save a JSON report
jayshield ./public_html --json > jayshield-report.jsonInstall it, then import the pieces you need:
npm install @jayhackpro/jayshieldimport { scan, quarantineFiles } from "@jayhackpro/jayshield";
const result = await scan(["./public_html"]);
console.log(`${result.infected.length} infected of ${result.stats.scanned} scanned`);
if (result.infected.length) {
await quarantineFiles(result.infected, { vaultDir: ".vault" });
}Add your own known bad hashes. Keep a text file with one sha256 per line,
an optional label after it, and pass it with --hashes:
# my-threats.txt
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 seen on client site
Silence a noisy rule. If a rule flags something you know is safe, pass its id:
jayshield . --ignore-rule js.packer,spam.pharmaWrite new rules. Signatures live in src/rules.js as small,
readable objects. Each one has an id, a severity, the file kinds it applies to,
and a pattern. Add one, add a test in test/rules.test.mjs,
and send a pull request.
JayShield is a fast first responder for web malware. It is excellent at finding the webshells, backdoors, injections, and known bad files that make up the large majority of website compromises, and at removing them without data loss.
It is not a full endpoint protection suite and does not run in the kernel or watch memory in real time. On a busy production server it works best alongside a host scanner and a web application firewall, as the fast, readable, scriptable layer you can run on demand and in your pipelines. Signatures find known techniques, so pair a scan with good backups and prompt updates.
npm test # run the full suite on Node's built in test runner
npm run selftestZero runtime dependencies, by design. A security tool should be small enough to read.
JayShield is built and maintained by JayHackPro® Inc., a software development company focused on cybersecurity, based in Los Angeles, California.
Let's make the world a better place.
- Website: JayHackPro.com
- X: @JayHackPro
- Contact: info@JayHackPro.com
Designed by Jayden Yoon ZK.
MIT. Use it freely in your own projects and on your own servers, and keep the notice. The brand stays behind the code.
