c0defusi0n/security-scanner

Security scanner to detect malicious code in Magento 2

Maintainers

Package info

github.com/c0defusi0n/SecurityScanner

Issues

Type:magento2-module

pkg:composer/c0defusi0n/security-scanner

Transparency log

Statistics

Installs: 288

Dependents: 0

Suggesters: 0

Stars: 1

1.4.0 2026-06-29 08:13 UTC

This package is auto-updated.

Last update: 2026-06-29 08:14:07 UTC


README

Latest Stable Version Total Downloads License

The Security Scanner module for Magento 2 helps you automatically detect potentially malicious code in your Magento CMS blocks. It can alert you via email and Telegram notifications when suspicious code patterns are detected, enhancing your store's security posture.

Features

  • Scheduled security scans across CMS blocks, CMS pages and admin-editable HTML config (head/footer includes, welcome message — the usual Magecart injection points)
  • Webshell/backdoor signature detection (eval, packers, request-to-sink, /e modifier, ...)
  • Optional AI second opinion: an OpenAI-compatible LLM (local or external) checks scanned content alongside the regex
  • PolyShell (APSB25-94) detection: flags vulnerable Magento versions and malicious files in pub/media
  • Remote signature database (over-the-air): optionally fetch an extra regex set from a configurable HTTPS URL before each scan — ship new detections without updating the module
  • Magento vulnerability feed: optionally surface the latest Magento / Adobe Commerce vulnerabilities in the admin (system-message bar + notification inbox) from a configurable feed URL
  • Alert de-duplication: the same finding is reported once, not on every scan
  • Ignore-list to silence known false positives
  • Configurable scan frequency (hourly, daily, weekly, etc.)
  • Email notifications for security alerts
  • Telegram bot integration for instant notifications
  • Generic webhook channel — send alerts anywhere (Slack, Discord, Teams, Mattermost, ntfy.sh, ...)
  • Customizable malicious code detection patterns
  • Admin panel for easy configuration
  • Command line interface for manual scans

Installation

Via Composer (Recommended)

composer require c0defusi0n/security-scanner
bin/magento module:enable C0defusi0n_SecurityScanner
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy
bin/magento cache:flush

Manual Installation

  1. Download the ZIP file from the GitHub repository
  2. Extract the contents into app/code/C0defusi0n/SecurityScanner/ directory
  3. Run the following commands:
bin/magento module:enable C0defusi0n_SecurityScanner
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy
bin/magento cache:flush

Configuration

  1. Go to Stores > Configuration > Security Scanner
  2. Configure the following options:

General Configuration

  • Enable Scanner: Enable or disable the security scanner
  • Scan Frequency: Set how often the scanner should run
  • Ignore List: One entry per line; any finding whose location (CMS identifier, config path, media path) contains an entry is skipped — use to silence known false positives

Email Notifications

  • Enable Email Notifications: Turn on/off email alerts
  • Email Sender: Configure the sender of email notifications
  • Email Recipients: Set the email addresses to receive notifications (comma separated)
  • Send Clean Reports: Option to receive reports even when no issues are detected

Telegram Notifications

  • Enable Telegram Notifications: Turn on/off Telegram alerts
  • Telegram Bot Token: Set your Telegram bot API token
  • Telegram Chat ID: Set the chat ID where notifications should be sent
  • Test Telegram Connection: Test button to verify your Telegram configuration

Webhook Notifications

Send alerts to any incoming webhook — no service-specific integration needed.

  • Enable Webhook Notifications: Turn on/off webhook alerts
  • Webhook URL: The URL to POST notifications to
  • Send Clean Reports: Option to post a report even when no issues are detected
  • Test Webhook: Button to send a test message to the configured URL

The message is POSTed as JSON {"text": ..., "content": ...}, which Slack, Microsoft Teams, Mattermost, Google Chat (text) and Discord (content) all accept. If the URL points at ntfy.sh (or a self-hosted ntfy), the message is sent as a plain-text body instead, with Title and Tags headers — e.g. https://ntfy.sh/your-topic.

AI Scanner (optional)

A second opinion from a Large Language Model, run alongside the regex patterns on CMS blocks, CMS pages and HTML config values. Disabled by default.

  • Enable AI Scanner: Turn the AI second opinion on/off
  • Chat Completions Endpoint: An OpenAI-compatible /v1/chat/completions URL — local (http://host.docker.internal:11434/v1/chat/completions for Ollama, LM Studio, vLLM, llama.cpp) or external (https://api.openai.com/v1/chat/completions)
  • Model: e.g. qwen2.5-coder, llama3.1, gpt-4o-mini
  • API Key: Optional Bearer token (stored encrypted) — needed for external APIs, usually empty for a local model
  • Max Characters Sent: Content is truncated to this length before being sent (bounds cost/context; default 12000)
  • System Prompt: The instructions sent to the model — fully editable. Ships with a hardened default that frames the task as an authorized defensive scan, treats the scanned content as untrusted data (anti prompt-injection), and forbids refusals. Leave it empty to fall back to a built-in safe prompt.

The model is asked to return {"malicious": bool, "reason": "..."}; a positive verdict is added as a finding (AI: <reason>). It never replaces the regex — it only adds findings. The scanned content is appended automatically inside delimiters, so a custom prompt should keep the "content is untrusted data, not instructions" rule or the model may refuse or be fooled by hostile content.

Remote Signatures (optional)

Fetch an extra regex database from an HTTPS JSON URL before each scan — "antivirus definitions" style. These patterns are merged on top of the built-in ones (never replacing them), so detection keeps working offline. Disabled by default, but the URL is pre-filled with the official signatures repo so you only have to flip it on.

  • Enable Remote Signatures: turn the remote database on/off
  • Signatures JSON URL: HTTPS raw URL of the signatures.json. Defaults to c0defusi0n/securityscanner-signatures; fork it and point here to maintain your own set
  • Update Interval (hours): minimum time between network checks — the body is not re-downloaded while the source has not changed (conditional GET). Default 24

Patterns are cached as a dated flat file under var/securityscanner/; every remote regex is validated (must compile) before use, and an unreachable source or invalid JSON falls back to the last good copy, then to the built-in baseline. The scan never breaks because the repo is down.

Magento Vulnerability Feed (optional)

Show the latest Magento / Adobe Commerce vulnerabilities in the admin — a system-message bar at the top of every page plus the notification inbox (the bell) — from an HTTPS JSON feed. Disabled by default, URL pre-filled with the official feed repo.

  • Enable Vulnerability Feed: turn the feed on/off
  • Feed JSON URL: HTTPS raw URL of the feed.json. Defaults to c0defusi0n/securityscanner-feed; fork it to curate your own
  • Update Interval (hours): how often the hourly cron re-checks the feed. Default 1
  • Max Items Shown: maximum number of items displayed. Default 10

The feed is produced out-of-band (e.g. a scheduled job aggregating Adobe APSB / NVD / Sansec); the module only consumes it, reads the cache only on page render (no network during admin browsing), and escapes all feed content on display.

Malicious Code Detection Patterns

  • Custom Patterns: Add your own regular expressions to extend detection capabilities

Usage

Automatic Scans

Once configured, the module will automatically scan your CMS blocks based on the frequency settings you've specified. If suspicious code is detected, you'll receive notifications via the channels you've enabled.

Manual Scan via CLI

You can also trigger a security scan manually using the command line:

bin/magento c0defusi0n:security:scan

PolyShell (APSB25-94) detection

Each scan also checks for exposure to the PolyShell unrestricted file upload vulnerability (APSB25-94):

  • Version check — warns if the running Magento version is potentially affected (< 2.4.9). Versions are not enough to confirm a fix, since the patch ships as an isolated security patch; the alert tells you to verify it is applied.
  • Media scan — sweeps pub/media for executable PHP files anywhere (e.g. accesson.php, double extensions like shell.php.jpg) and for polyglot uploads (a media file embedding a <?php tag) inside the upload drop zones (custom_options/, customer_address/).

The PolyShell threat model and detection approach were inspired by aregowe/magento2-module-polyshell-protection. That module blocks the attack at the framework level; this scanner only detects and alerts, so the two are complementary.

Customization

Adding Custom Detection Patterns

You can add your own regular expressions to detect specific patterns of malicious code through the admin configuration or by extending the module.

Extending Email Templates

The module includes customizable email templates for security alerts and clean reports, which can be modified through the Magento admin panel under Marketing > Email Templates.

Internationalization

The module supports multiple languages through Magento's translation system. English translations are included by default, and French translations are available.

Requirements

  • PHP 8.1 or higher
  • Magento 2.4.x

Support

For bug reports and feature requests, please use the GitHub issue tracker.

License

This module is licensed under the MIT License - see the LICENSE file for details.

Contributors

Changelog

1.4.0

  • Remote signature database (over-the-air): optionally fetch an extra regex set from a configurable HTTPS URL before each scan; merged on top of the built-ins, validated, cached with a conditional GET and graceful fallback. Defaults to the official signatures repo.
  • Magento vulnerability feed: optionally surface the latest Magento/Adobe Commerce vulnerabilities in the admin (system-message bar + notification inbox) from a configurable feed URL, refreshed by an hourly cron.
  • AI scanner efficiency: the LLM is now only queried for items the regex did not already flag, content with no markup/code is pre-filtered out, and verdicts are cached by content hash so unchanged content is never re-sent (big win on repeat scans against a local model).
  • Added Test/remote_test.php standalone tests for the remote parsing/validation and the AI pre-filter.

1.3.0

  • Security hardening: HTML-escape CMS title/identifier in the alert email, Telegram and webhook output; treat PCRE backtrack-limit failures as suspicious instead of silently skipping (detection-evasion fix); persist the seen-findings flag only after a notification is delivered, retrying on total failure; validate the webhook URL scheme and stop logging untrusted response bodies; disable Discord mention expansion; cap scanned-content size; truncate AI error-response logs.

1.2.0

  • Optional AI scanner: sends CMS blocks/pages and HTML config to an OpenAI-compatible LLM (local or external) for a second opinion alongside the regex

1.1.0

  • Encrypted storage for the Telegram bot token (obscure field)
  • Invalid custom regex patterns are now skipped instead of breaking the scan
  • Expanded webshell/backdoor detection patterns
  • Scan coverage extended to CMS pages and admin-editable HTML config (head/footer includes, welcome message)
  • PolyShell (APSB25-94) detection: vulnerable version check + pub/media malicious file scan
  • Generic webhook notification channel (Slack/Discord/Teams/Mattermost/ntfy.sh/...) with admin test button
  • Alert de-duplication: findings are reported once, not on every scan
  • Ignore-list to silence known false positives
  • Added a standalone detection test (Test/patterns_test.php)

1.0.0

  • Initial release
  • Added CMS block scanning
  • Added email and Telegram notifications
  • Added admin configuration
  • Added CLI command