root@server:~# incident response, automated

Find the malware
hiding in your website.

When a site gets hacked, the attacker leaves something behind: a webshell in the uploads folder, a backdoor bolted onto a real file, a miner buried in a script. JayShield® finds it in seconds and quarantines it safely, without ever deleting your data.

View source →
  • 0 dependencies
  • 54 tests
  • MIT licensed
  • Node 18+
Webshells and backdoors Obfuscated payloads Image polyglots Miners and skimmers Known bad hashes

// detections

Built to catch how sites really get hacked.

One rule catches a whole technique, not a single strain, so JayShield finds the copies too. Signatures, hashes, and shape-based heuristics, layered together.

Webshells

c99, r57, WSO, b374k, FilesMan, and the generic remote file managers and command runners built on the same patterns.

Backdoors

eval of request input, variable functions driven by the query string, the preg_replace trick, remote payloads that fetch and run, and reverse shells.

Obfuscation

Decode then run payloads, character and hex tricks, packed one-liners, and the big encoded blobs that hide a shell in plain sight.

Image polyglots

The classic upload bypass: a real image with PHP appended to the end. Byte-level checks catch it even though the file looks binary.

Miners and skimmers

In-browser cryptocurrency miners, hidden iframes, and the scripts that quietly copy a visitor session off to another server.

Known bad files

Exact hash matches against a set you can extend, plus the EICAR test file so you can prove the scanner is wired up correctly.

// remediation

Remove threats without losing a byte.

JayShield never deletes your files. Quarantine moves each flagged file into a local vault and records where it came from, so your live site stops serving it at once while every byte is kept.

  • 01
    Scan read-only by default. Nothing on disk changes until you say so.
  • 02
    Quarantine flagged files move into a sealed local vault, out of the web root.
  • 03
    Restore put anything back, byte for byte, if a detection was wrong.

Purge is the only destructive action, and it never runs without an explicit confirmation.

// get started

Run your first scan in one line.

No account, no agent, no dependencies to download. It runs anywhere Node does.

Scan a folder, no install

Prove it works, with the EICAR test file

Install once, call it by name

Exit codes make it drop straight into CI: 0 clean, 1 threats found, 2 error. Add --json for machine-readable output.

// who builds this

JayHackPro® Inc.

A software development company focused on cybersecurity, based in Los Angeles, California. JayHackPro builds tools that make the web a safer place to be, and open-sources the ones that help everyone.

"Let's make the world a better place."