npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

rce-detector

v1.0.5

Published

RCE/backdoor security scanner for JS, Python, Ruby, Dart — scan before install or run

Downloads

558

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

strangerhashedstrangerhashed

Keywords

securityrcebackdoorscannersupply-chain

Readme

rce-detector — RCE / Backdoor Detection

A cross-platform (Windows, macOS, Linux) static analysis tool that scans multiple languages and codebases (JavaScript/TypeScript, Python, Ruby, Dart/Flutter, React Native, and env files) for patterns used in remote code execution (RCE) and supply-chain backdoors. It can block application startup when threats are found, supports confirmation before running, and allowlist (override) for known-good code. It can be installed system-wide and run as a systemd service (e.g. with systemctl).

Works with any project type out of the box: React, Next.js, NestJS, Vue, Nuxt, plain Node, Python, Ruby, Dart/Flutter — one install, no per-repo setup.

Quick start

| Platform | One-line install | |----------|-------------------| | Any (npm) | npm install -g rce-detector — installs CLI and sets up wrappers. Run the export PATH=... command the installer prints (same terminal) so automatic scan works. | | Linux / macOS | curl -fsSL https://raw.githubusercontent.com/satyendra-antier/rce-backdoor-detector/main/get.sh | bash or ./install.sh from repo | | Windows | npm install -g rce-detector (same as above), or from repo: powershell -ExecutionPolicy Bypass -File install.ps1 |

After install (with wrappers), before any npm install or npm run start / dev / serve / build, and before node app.js, python app.py, etc., the scanner runs on the current directory; if it finds issues, the command is blocked.

Install by platform

| Platform | Install methods | |----------|------------------| | Linux | get.sh (curl | bash), install.sh (user or --system), .deb package, npm install -g rce-detector | | macOS | get.sh, install.sh, npm install -g rce-detector | | Windows | install.ps1 (PowerShell), npm install -g rce-detector |

npm install -g rce-detector does the full setup: it installs the CLI and runs a postinstall script that creates command wrappers (node, npm, npx, etc.) in ~/.local/bin (Linux/macOS) or %LOCALAPPDATA%\\bin (Windows) and adds that directory to your shell config. The installer prints a one-line command — run it in the same terminal to enable automatic scan immediately (no new terminal needed). Alternatively open a new terminal.
You can also use install.sh (Linux/macOS) or install.ps1 (Windows) from the repo for the same result.

Install as a Linux tool (system-wide)

To have the scanner work across the whole system for every user and every directory (any npm install, node app.js, python app.py, etc. gets scanned first and blocked if threats are found):

Option 1 — Direct install (recommended):

cd /path/to/rce-detector
sudo ./install.sh --system
  • Installs to /opt/security-scanner and puts security-scanner plus command wrappers (node, npm, npx, python3, etc.) in /usr/local/bin.
  • Config: /etc/security-scanner/config.json.
  • No codebase is destroyed; the tool only blocks the command when threats are found.

Option 2 — Install from a .deb package (like system software):

cd /path/to/rce-detector
./scripts/build-deb.sh 1.0.0
sudo dpkg -i dist/security-scanner_1.0.0_all.deb
  • Same effect as Option 1: system-wide install. Requires Node.js (apt install nodejs if needed).

After either option, /usr/local/bin is usually already in PATH. Then any project run (from any directory, any user) is intercepted: scanner runs first, and the run is blocked if threats are found.

System-level block (install once, works across all projects)

You can install the scanner once on your system and have it automatically run before any project start, without scanning or configuring each repo.

  1. Install (user install, no sudo):

    cd rce-detector && chmod +x install.sh && ./install.sh

    The installer automatically adds ~/.local/bin to the start of your PATH in ~/.bashrc and ~/.zshrc. Open a new terminal (or run source ~/.bashrc) so the wrappers are used.

  2. Done. From then on:

    • When you run npm start, node server.js, python app.py, rails s, flutter run, etc., the scanner runs on the current directory first.
    • If it finds threats, the command is blocked and does not run.
    • If the scan passes (or the path/findings are allowlisted), the real command runs as usual.
    • This applies to any repo or codebase you run from; you do not run the scanner manually or configure each project.

Wrapped commands: node, npm, npx, python3, python, ruby, bundle, rails, flutter, dart (only those present on your system at install time are wrapped).

Allowlist: Use the same allowlist as elsewhere: allowlist a path so it is never scanned, or allowlist findings so they are ignored. Config: ~/.config/security-scanner/config.json.

Note: System-level block (wrappers) is set up by install.sh on Linux and macOS, and by install.ps1 on Windows (adds %LOCALAPPDATA%\bin to PATH). On Windows without install.ps1, use the CLI or safe-start (e.g. rce-detector --path . --block --yes or node path\to\rce-detector\cli.js --path . --block --yes before starting the app).

Supported codebases

| Language / stack | Extensions | Examples | |-----------------------|-------------|-----------------------------| | JavaScript / TypeScript / React Native | .js, .jsx, .ts, .tsx, .mjs, .cjs | Node, Express, React, React Native | | Python | .py | Django, Flask | | Ruby / Ruby on Rails | .rb, .rake | Rails, Rake | | Dart / Flutter | .dart | Flutter apps | | Env / config | .env, *.env | Any project |

What it detects (by language)

  • JS/TS: eval, Function.constructor, atob(process.env), axios.get(variable), .data.cookie, handler(require), IIFE on load, child_process with variable.
  • Python: eval, exec, compile+exec, __import__(var), os.system(var), subprocess with variable, pickle.loads, unsafe yaml.load.
  • Ruby: eval, instance_eval/class_eval with variable, system/exec with variable, backtick with interpolation, open(var).
  • Dart: Process.run / Process.start with variable.
  • Env: Base64-like values (possible hidden URL/payload).

The tool does not execute your code; it only reads source and env files.

Requirements

  • Node.js v12 or later. No npm dependencies (built-in modules only).

Confirmation before running

When you run the scanner without --yes, it asks:

Run security scan on /path/to/project? [y/N]
  • Answer y to run the scan.
  • Use --yes or -y to skip this prompt (CI, systemd, scripts).

Override / allowlist (after detection)

For known-good projects or intentional patterns you can override so the scanner ignores them next time.

  1. Allowlist the whole path (skip future scans)

    rce-detector --path /path/to/project --allowlist-path

    Or when the scan shows findings, at the prompt choose A (allowlist this path).

  2. Allowlist current findings (keep scanning, ignore these rules in this project)
    After the report, at the prompt choose F (allowlist these findings). The config file is updated so the same file+line+rule are not reported again.

  3. Config file

    • User (all platforms): ~/.config/security-scanner/config.json (Windows: %USERPROFILE%\.config\security-scanner\config.json)
    • System (Unix): /etc/security-scanner/config.json (optional)
    • System (Windows): %ProgramData%\security-scanner\config.json (optional)
    • Example: config/config.example.json
    • You can edit it to add allowlistedPaths and allowlistedFindings by hand.

Usage (all platforms)

1. Scan only (report, no block)

rce-detector --path .
# Asks for confirmation unless you pass --yes
  • Windows: rce-detector --path . or node path\to\rce-detector\cli.js --path .
  • macOS / Linux: rce-detector --path .

Or from project root: npm run security-scan

2. Scan and block (exit 1 if any finding)

rce-detector --path . --block --yes
npm run security-scan:block

Use in CI or before starting the app so the process does not start when threats are present.

3. Safe-start (scan then start server only if clean)

node safe-start.js   # or: rce-detector --path . --block --yes && npm run start
npm run safe-start:server

Runs the scanner with --block --yes; only if the scan passes does it start node server/server.js. You can change the start command with --start "...".

4. Allowlist (override)

# Add current path to allowlist (skip scanning this path)
rce-detector --path /path/to/known-project --allowlist-path

Or run a scan; when findings appear, use the interactive A / F options to allowlist path or findings.

CLI options

| Option | Description | |--------|-------------| | --path <dir> | Directory to scan (default: .) | | --block | Exit with code 1 if any finding | | --yes, -y | Skip confirmation prompt (non-interactive) | | --allowlist-path | Add --path to allowlist and exit | | --json | Machine-readable JSON only | | --help, -h | Show help |

System-wide install and systemd (Linux / macOS)

You can install the scanner once on the system. The install also sets up command wrappers for system-level block (see above).

User install (recommended)

cd rce-detector
chmod +x install.sh
./install.sh
  • Installs to ~/.local/share/security-scanner
  • Puts security-scanner and command wrappers (node, npm, npx, python3, etc.) in ~/.local/bin
  • Installs user systemd unit in ~/.config/systemd/user/ (Linux)

To enable system-level block: The installer adds ~/.local/bin to your shell profile automatically; open a new terminal or run source ~/.bashrc.

Optional – scheduled scan (systemd):

mkdir -p ~/.config/security-scanner
cp rce-detector/config/config.example.json ~/.config/security-scanner/config.json
# Edit scanPaths: ["/home/user/projects"] etc.

systemctl --user start security-scanner
systemctl --user enable --now security-scanner.timer

System-wide install (optional, requires sudo)

sudo ./install.sh --system
  • Installs to /opt/security-scanner
  • /usr/local/bin/security-scanner and wrappers in /usr/local/bin (node, npm, python3, etc.)
  • Config: /etc/security-scanner/config.json
  • Systemd units in /etc/systemd/system/

Ensure /usr/local/bin is in PATH (it usually is). Then any user running npm start, node server.js, etc. will use the wrappers and get scanned first.

sudo systemctl start security-scanner
sudo systemctl enable --now security-scanner.timer

The service runs run-service.js, which reads scanPaths from config and runs the scanner on each path with --block --yes. The wrappers run the scanner on the current working directory whenever you run a project (npm start, node server.js, etc.).

Install like system software (apt-style)

You can distribute the tool so others can install it with a single command.

Option A: One-line install (curl + bash)

Host get.sh and install.sh (e.g. on GitHub). Users run:

curl -fsSL https://raw.githubusercontent.com/satyendra-antier/rce-backdoor-detector/main/get.sh | bash

Or from a repo clone: ./get.sh (uses local install.sh). This does a user install to ~/.local and auto-configures PATH.

Option B: .deb package (Debian/Ubuntu)

Build a .deb and install like any system package:

# From the rce-detector repo
./scripts/build-deb.sh 1.0.0
# Produces: dist/security-scanner_1.0.0_all.deb

sudo dpkg -i dist/security-scanner_1.0.0_all.deb

This installs to /opt/security-scanner, puts security-scanner and command wrappers in /usr/local/bin, and config in /etc/security-scanner/. Requires Node.js (apt install nodejs).

Option C: Add to your own apt repo (PPA or private repo)

  1. Build the .deb with ./scripts/build-deb.sh <version>.
  2. Publish the .deb to a PPA (Launchpad), or to a private apt repository.
  3. Users then run:
    sudo add-apt-repository ppa:your-org/rce-detector   # if using PPA
sudo apt update
sudo apt install security-scanner

Windows: PowerShell install (user, with wrappers)

From a clone or extracted archive of the repo:

cd path\to\rce-detector
powershell -ExecutionPolicy Bypass -File install.ps1
  • Installs to %LOCALAPPDATA%\security-scanner
  • Creates security-scanner.cmd and command wrappers (node.cmd, npm.cmd, npx.cmd, etc.) in %LOCALAPPDATA%\bin
  • Adds that directory to your user PATH
  • Config: %USERPROFILE%\.config\security-scanner\config.json

Open a new terminal so PATH is updated. Then npm start, node app.js, etc. run the scanner on the current directory first and block if threats are found.

For a private repo you would host the .deb and a Packages/Release structure and add the source to /etc/apt/sources.list.d/.

How “preventing execution” works

  1. Scan – Statically scans code and env files; does not run your app.
  2. Block – With --block, the CLI exits with code 1 when there is at least one finding (after allowlist).
  3. Safe-start – Runs the scanner with --block --yes; only if it exits 0 does it start your server. So if a backdoor is present, the server never starts.

What gets scanned

  • Files: By extension (see “Supported codebases”).
  • Directories skipped: node_modules, .git, dist, build, .next, coverage, .cache, security-scanner (install dir), .venv, venv, __pycache__, .dart_tool, vendor, tmp, .nuxt, .output.
  • Env: Any file named .env or ending in .env.

Uninstall

How to remove rce-detector depends on how you installed it.

Installed via npm

npm uninstall -g rce-detector

This removes the rce-detector and rce-scan commands. It does not remove any wrappers or config you added with install.sh or install.ps1 (see below if you used those).

Installed via install.sh (Linux / macOS, user install)

If you ran ./install.sh (no --system), the tool was installed under ~/.local. To uninstall:

  1. Remove the wrapper scripts so your real node, npm, npx, etc. are used again:
    rm -f ~/.local/bin/security-scanner \
      ~/.local/bin/node ~/.local/bin/npm ~/.local/bin/npx \
      ~/.local/bin/python3 ~/.local/bin/python ~/.local/bin/ruby \
      ~/.local/bin/bundle ~/.local/bin/rails ~/.local/bin/flutter ~/.local/bin/dart
  2. Remove the install directory:
    rm -rf ~/.local/share/security-scanner
  3. Optional: Remove the PATH line from your shell config. Edit ~/.bashrc and ~/.zshrc and delete the lines that mention security-scanner and ~/.local/bin (or $HOME/.local/bin).
  4. Optional: Remove config and allowlist: rm -rf ~/.config/security-scanner
  5. Optional: Remove user systemd units: rm -f ~/.config/systemd/user/security-scanner.service ~/.config/systemd/user/security-scanner.timer

Open a new terminal so the old wrappers are no longer in PATH.

Installed via install.sh --system (Linux / macOS, system-wide)

If you ran sudo ./install.sh --system:

sudo rm -f /usr/local/bin/security-scanner \
      /usr/local/bin/node /usr/local/bin/npm /usr/local/bin/npx \
      /usr/local/bin/python3 /usr/local/bin/python /usr/local/bin/ruby \
      /usr/local/bin/bundle /usr/local/bin/rails /usr/local/bin/flutter /usr/local/bin/dart
sudo rm -rf /opt/security-scanner
sudo rm -f /etc/systemd/system/security-scanner.service /etc/systemd/system/security-scanner.timer
sudo rm -rf /etc/security-scanner
sudo systemctl daemon-reload

After this, the real node, npm, etc. from your system (or nvm) will be used again.

Installed via install.ps1 (Windows)

  1. Remove the wrapper scripts from your user bin directory:
    • Delete (or rename) the folder %LOCALAPPDATA%\bin if it only contained rce-detector wrappers, or delete these files inside it: security-scanner.cmd, node.cmd, npm.cmd, npx.cmd, and any other .cmd wrappers that were added.
  2. Remove the install directory: Delete the folder %LOCALAPPDATA%\security-scanner.
  3. Remove from PATH: Open System Properties → Environment Variables → User variables → Path, and remove the entry for %LOCALAPPDATA%\bin (or the path you added).
  4. Optional: Remove config: %USERPROFILE%\.config\security-scanner.

Open a new terminal/PowerShell after changing PATH.

Installed via .deb (Debian/Ubuntu)

sudo apt remove security-scanner

To also remove config: sudo rm -rf /etc/security-scanner

Troubleshooting

  • Scanning not running when I use npm start / node app.js — After npm install -g rce-detector, run the export PATH=... command the installer printed (in the same terminal), or open a new terminal. Run which npm — it should show ~/.local/bin/npm (Linux/macOS) or %LOCALAPPDATA%\\bin\\npm.cmd (Windows). If not, re-run npm install -g rce-detector or ./install.sh / install.ps1 from the repo.
  • "no real binary for ..." — Re-run the installer (install.sh or install.ps1) so it can detect and store paths in config, or set realBinaries in your config file by hand.
  • "Unknown command: .../run-wrapper.js" when running npm — Wrappers are out of date. Re-run the installer from the repo: cd /path/to/rce-detector && ./install.sh (Linux/macOS) or powershell -ExecutionPolicy Bypass -File install.ps1 (Windows). Open a new terminal after install.
  • Windows: wrappers not used — Ensure %LOCALAPPDATA%\bin is in your user PATH and appears before other Node/npm locations. Open a new terminal after install.
  • Node version — Requires Node.js v12 or later. Run node -v to check.

Verifying the tool

  1. Clean codebase:
    rce-detector --path . --yes
    Expect: No suspicious patterns found.

  2. With backdoor (e.g. in JS):
    Same command on a tree that contains the backdoor pattern will list findings.
    rce-detector --path . --block --yes
    Expect: exit code 1.

  3. Override:
    Run scan, then at the prompt choose F to allowlist findings. Run the scan again; those findings should disappear (override applied).

File layout

rce-detector/
  cli.js              # CLI (--path, --block, --yes, --allowlist-path, --json)
  scanner.js          # Core: multi-language scan, allowlist filter
  run-guard.js        # Run scanner on a dir; used by wrappers
  run-wrapper.js      # Intercepts run/start; runs guard then real binary
  run-service.js      # systemd entry: scan config.scanPaths with --block --yes
  safe-start.js       # Scan then start app if clean
  install.sh          # User or system install + wrappers + systemd (auto PATH)
  install.ps1         # Windows user install + wrappers (auto PATH)
  get.sh              # One-line install (curl | bash)
  package.json        # npm bin for global install (rce-detector, rce-scan)
  scripts/
    build-deb.sh      # Build .deb for apt-style install
  bin/
    wrapper.sh        # Template for command wrappers (Unix)
    wrapper.cmd       # Template for command wrappers (Windows)
  scripts/
    detect-binaries.js    # Find real node, npm, python3, etc.
    merge-real-binaries.js # Write realBinaries into config
  lib/
    patterns/         # Per-language rules (javascript, python, ruby, dart)
    config.js         # Config and allowlist load/save
  config/
    config.example.json
  systemd/
    security-scanner.service
    security-scanner.timer
  PUBLISH.md          # Publishing guide (npm + GitHub Releases)
  README.md

Publishing (npm + GitHub Releases)

To publish the CLI to npm and create GitHub Release assets (.deb + zip), see PUBLISH.md for step-by-step instructions.

License / reuse

You can copy the rce-detector folder into other projects or install it system-wide. No npm dependencies; runs on Node.js on Windows, macOS, and Linux.