npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@jayhackpro/jayshield

v1.2.1

Published

Find and remove web malware, webshells, and backdoors. A fast, dependency-free malware scanner and quarantine tool by JayHackPro.

Downloads

422

Readme

JayShield®

Find and remove web malware, webshells, and backdoors.

A fast, dependency free malware scanner and remover for websites and servers. Point it at a folder, see exactly what is infected, then quarantine the threats safely. Nothing is ever deleted without your say so.

npm License: MIT Node Dependencies CI

Website · npm · by JayHackPro


Why JayShield

When a website is hacked, the attacker usually leaves something behind: a PHP webshell in the uploads folder, an obfuscated backdoor tacked onto a real file, an invisible iframe on the homepage, or a cryptocurrency miner buried in a script. Finding these by hand across thousands of files is slow and easy to get wrong.

JayShield does it in seconds. It reads every file, matches it against a library of malware techniques, checks its exact fingerprint against known bad files, and looks for the tell tale shapes of packed and hidden code. Then it shows you a clear, ranked report and offers to move the threats into a local vault so your site stops serving them right away.

It is one small tool with no dependencies, so you can trust it, read it, and run it anywhere Node is installed.

Quick start

No install required, run it straight from npm:

npx @jayhackpro/jayshield ./public_html

Prove it works on your machine first, using the harmless industry standard test file:

npx @jayhackpro/jayshield --selftest

Or install it once and call it by name:

npm install -g @jayhackpro/jayshield
jayshield ./public_html

The examples below write jayshield for short, meaning however you choose to run it.

What it catches

  • Webshells: c99, r57, WSO, b374k, FilesMan, and the generic remote file managers and command runners built on the same patterns.
  • Backdoors: eval of request input, variable functions driven by $_GET and $_POST, the preg_replace /e trick, remote payloads that are fetched and run, hardcoded password gates, and reverse shells.
  • Obfuscation: decode then run payloads, character code and hex string tricks, packed one liners, and large encoded blobs paired with a decoder.
  • Injected front end malware: hidden or zero size iframes, document.write of unescaped markup, eval(atob(...)), and redirects to decoded URLs.
  • Cryptocurrency miners: CoinHive and the browser mining scripts that spend your visitors' devices.
  • Skimmers and spam: session cookie exfiltration and blocks of hidden SEO or pharma spam links.
  • Disguised files: PHP hidden inside something that claims to be an image, double extensions like invoice.pdf.php, and executable scripts sitting in an uploads folder where only static files belong.
  • Known bad files: exact matches against a hash set you can extend, plus the EICAR antivirus test file.

What a scan looks like


     ██╗ █████╗ ██╗   ██╗██╗  ██╗ █████╗  ██████╗██╗  ██╗██████╗ ██████╗  ██████╗
     ██║██╔══██╗╚██╗ ██╔╝██║  ██║██╔══██╗██╔════╝██║ ██╔╝██╔══██╗██╔══██╗██╔═══██╗
     ██║███████║ ╚████╔╝ ███████║███████║██║     █████╔╝ ██████╔╝██████╔╝██║   ██║
██   ██║██╔══██║  ╚██╔╝  ██╔══██║██╔══██║██║     ██╔═██╗ ██╔═══╝ ██╔══██╗██║   ██║
╚█████╔╝██║  ██║   ██║   ██║  ██║██║  ██║╚██████╗██║  ██╗██║     ██║  ██║╚██████╔╝
 ╚════╝ ╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚═╝     ╚═╝  ╚═╝ ╚═════╝

  JayShield®  ·  find and remove web malware   v1.2.1
  github.com/JayHackPro/JayShield

  Scanned 1,284 files (24.6 MB) in 0.9 s

  CRITICAL public_html/wp-content/uploads/2026/logo.php
     ✕ Obfuscated eval of a decoded payload:1
       Code is hidden inside a decode call and run on the fly, the hallmark of a packed webshell.
       > <?php @eval(base64_decode($_POST["cmd"])); ?>
     ▲ Executable script in an uploads folder:1
       Upload and media folders should hold only static files. An executable script here is very often a planted backdoor.

  HIGH     public_html/index.html
     ▲ Hidden or zero-size iframe:42
       An invisible iframe usually delivers malware or ad fraud to visitors without a trace on the page.

  Summary
  critical 1   high 1   medium 0   low 0
  2 files infected, 1,282 clean

  Review the findings, then remove them safely with:
      jayshield public_html --quarantine

Remove threats safely

JayShield never deletes your files. When you are ready to clean up, quarantine moves each flagged file into a local vault and records where it came from, so your live site stops serving it at once while every byte is kept.

# preview what would move, changing nothing
jayshield ./public_html --quarantine --dry-run

# move every threat into the vault
jayshield ./public_html --quarantine

# see what is in the vault
jayshield --list

# put a file back if a detection was wrong
jayshield --restore <id>

# put everything back
jayshield --restore

If you have confirmed the files are malicious and want the disk space back, and only then, you can permanently delete the vault:

jayshield --purge --yes

Command reference

jayshield [paths...] [options]

| Option | What it does | | --- | --- | | --quarantine | Move every threat into the local vault | | --restore [id] | Put quarantined files back, one or all | | --list | Show what is in the vault | | --purge --yes | Permanently delete the vault (last resort) | | --min-severity <level> | critical, high, medium, or low | | --ignore-rule <id,...> | Silence one or more rules by id | | --hashes <file> | Add known bad sha256 hashes, one per line | | --max-size <MB> | Skip files larger than this (default 5) | | --vault <dir> | Quarantine folder (default .jayshield-quarantine) | | --follow-symlinks | Follow symbolic links (off by default) | | --dry-run | Show actions without changing anything | | --json | Machine readable output for pipelines | | --no-color | Plain text | | --no-banner | Hide the startup banner | | --banner | Print the JayHackPro banner and exit | | -v, --verbose | Include rule ids and references | | --selftest | Detect the EICAR test file end to end | | -V, --version | Print the version | | -h, --help | Show help |

Exit codes: 0 clean, 1 threats found, 2 error. That makes JayShield easy to drop into a CI pipeline or a cron job.

Use it in a pipeline

# fail the build if anything high or worse is found
jayshield ./release --min-severity high || exit 1

# save a JSON report
jayshield ./public_html --json > jayshield-report.json

Use it from code

Install it, then import the pieces you need:

npm install @jayhackpro/jayshield
import { scan, quarantineFiles } from "@jayhackpro/jayshield";

const result = await scan(["./public_html"]);
console.log(`${result.infected.length} infected of ${result.stats.scanned} scanned`);

if (result.infected.length) {
  await quarantineFiles(result.infected, { vaultDir: ".vault" });
}

Extend it

Add your own known bad hashes. Keep a text file with one sha256 per line, an optional label after it, and pass it with --hashes:

# my-threats.txt
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  seen on client site

Silence a noisy rule. If a rule flags something you know is safe, pass its id:

jayshield . --ignore-rule js.packer,spam.pharma

Write new rules. Signatures live in src/rules.js as small, readable objects. Each one has an id, a severity, the file kinds it applies to, and a pattern. Add one, add a test in test/rules.test.mjs, and send a pull request.

What it is, and what it is not

JayShield is a fast first responder for web malware. It is excellent at finding the webshells, backdoors, injections, and known bad files that make up the large majority of website compromises, and at removing them without data loss.

It is not a full endpoint protection suite and does not run in the kernel or watch memory in real time. On a busy production server it works best alongside a host scanner and a web application firewall, as the fast, readable, scriptable layer you can run on demand and in your pipelines. Signatures find known techniques, so pair a scan with good backups and prompt updates.

Development

npm test        # run the full suite on Node's built in test runner
npm run selftest

Zero runtime dependencies, by design. A security tool should be small enough to read.

About JayHackPro

JayShield is built and maintained by JayHackPro® Inc., a software development company focused on cybersecurity, based in Los Angeles, California.

Let's make the world a better place.

Designed by Jayden Yoon ZK.

License

MIT. Use it freely in your own projects and on your own servers, and keep the notice. The brand stays behind the code.