A simple bash-only tool that, for a specific CVE, recursively scans a directory for indicators of compromise (IoCs) and indicators of vulnerability.
It also includes a cve-scanner skill that can be used to collect data and create a YAML definition for a CVE.
```
./scan.sh scanners/<CVE-ID> [options] [TARGET_DIR]
```

| Argument | Description |
|---|---|
| CVE-ID | Path to a CVE scanner directory (e.g. scanners/CVE-2026-4816) |
| TARGET_DIR | Directory to scan recursively (default: .) |

| Flag | Description |
|---|---|
| --json | Output results as JSON |
| --output FILE | Write results to a file |

Exit codes: 0 = clean, 1 = IoCs found, 2 = usage error.
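
An added example, not part of the project's own code: a CI wrapper that runs every scanner directory against one target and folds the exit codes above into a single status, treating a usage error or an empty scanner set as a failure rather than as clean. The `scan_all` function, the `SCAN_SH` and `SCANNERS_DIR` variables, and the report file naming are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the cve-scanner project.
# Runs every scanner definition against one target and folds the documented
# exit codes (0 = clean, 1 = IoCs found, 2 = usage error) into one result.
# Assumptions: the defaults below follow the layout the README describes;
# the reports directory and the <CVE-ID>.json file naming are hypothetical.
SCAN_SH="${SCAN_SH:-./scan.sh}"
SCANNERS_DIR="${SCANNERS_DIR:-scanners}"

scan_all() {
  local target="${1:-.}" reports="${2:-cve-reports}"
  local worst=0 ran=0 dir cve rc
  mkdir -p "$reports" || return 2
  for dir in "$SCANNERS_DIR"/*/; do
    # A scanner is a directory that holds an indicators.yaml definition.
    [ -f "${dir}indicators.yaml" ] || continue
    cve="$(basename "$dir")"
    ran=$((ran + 1))
    rc=0
    "$SCAN_SH" "${dir%/}" --json --output "$reports/$cve.json" "$target" || rc=$?
    case "$rc" in
      0) echo "clean    $cve" ;;
      1) echo "FINDINGS $cve (report: $reports/$cve.json)"
         if [ "$worst" -lt 1 ]; then worst=1; fi ;;
      *) # 2 is a usage error and anything else is unexpected. Either way
         # the scan did not complete, so it must not count as clean.
         echo "ERROR    $cve (scan.sh exited $rc)" >&2
         worst=2 ;;
    esac
  done
  # Zero scanners run is a misconfiguration, not a clean result.
  if [ "$ran" -eq 0 ]; then
    echo "ERROR    no scanner definitions under $SCANNERS_DIR" >&2
    return 2
  fi
  return "$worst"
}

# Usage in a CI step: scan_all path/to/checkout reports/ ; gate on its status.
```
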
| CVE | Product | Type |
|---|---|---|
| CVE-2026-33228 | flatted (prototype pollution in circular JSON parser, CVSS 9.8) | Vulnerability |
| CVE-2026-03-31-axios | axios (supply chain RAT delivery via compromised maintainer account) | Malware IoCs |
| CVE-2026-33634 | Trivy, litellm, telnyx, KICS (TeamPCP supply chain attack, CVSS 9.4) | Malware IoCs |
| CVE-2025-59145 | color-name and related npm packages (supply chain attack, CVSS 8.8) | Malware IoCs |
| CVE-2025-55182 | React Server Components (React2Shell pre-auth RCE, CVSS 10.0) | Malware IoCs |
| CVE-2025-54313 | eslint-config-prettier / npm packages (supply chain, CVSS 7.5) | Malware IoCs |
Ensure you have asdf, or an equivalent such as mise, installed.
Run...

```
make setup
make test
```

Use Conventional Commits and the imperative mood.
Run /cve-scanner in Claude Code from this directory.
Each scanner lives in scanners/<CVE-ID>/ and contains an indicators.yaml and README.md. scan.sh picks it up automatically.
Known indicators of compromise or vulnerability can change as more is learned about the CVE. You can update the definition by rerunning the cve-scanner skill for the CVE.
If no CVE Identifier has been assigned yet, use something sensible like CVE-2026-04-01-APRIL-FOOL. When the CVE Identifier has been assigned, change the directory name and the README entry to the correct CVE Identifier, and run the cve-scanner skill again for the CVE.
Note that you may need to update the /cve-scanner skill to make it better if you find the generated indicators.yaml lacking in some way, but please keep it simple. Also, question everything the agentic coding assistant suggests: some suggestions will just increase the likelihood of false positives.
See https://github.com/madetech/cve-scanner/issues for things you could pick up to contribute or to add new issues.
If you pick up an issue, assign yourself and keep the rest of us updated with progress in the comments and/or a draft pull request.