# sbr-malwscan roadmap

## v0.1 MVP (current)

**Phase A — Completed:**
- ✅ A1: Repo setup (Node.js + TypeScript, MIT)
- ✅ A2: FTP/SFTP walker + core-diff vs api.wordpress.org
- ✅ A3: Dropper hunter (extension-blind `<?php` scan, suspicious names/locations, anti-DELE perms)
- ✅ A4: Remote helper (base64-obfuscated patterns for WAF bypass, self-delete)
- ✅ A5: Cloaker tester (dual-UA Googlebot vs browser, hazard-term detection, sitemap discovery)
- ✅ A6: DB scanner (options, users, sessions, action-scheduler hooks)
- ✅ A7: Reporter (JSON + HTML + CLI TUI, exit codes 0/1/2)

**Still pending for v0.1 release:**
- Integration tests (fixture: mock WP install + known malware samples)
- `remediation` command (quarantine mode, safe rename to `.QUARANTINE-<ts>`)
- Publish to npm

## v0.2 Production-ready (planned)

- B1: Optional WP plugin (admin panel trigger, notices)
- B2: Signatures DB (separate repo, community PRs, GitHub Actions release)
- B3: GitHub Actions template for scheduled scans
- B4: Multi-CMS (Magento, PrestaShop, Laravel)
- B5: Docs site + video tutorial

## v0.3 Hardening (planned)

- C1: Auto-remediation with confirmation (quarantine core restore, DB cleanup)
- C2: Threat intel feed (abuse.ch, VirusTotal, AlienVault OTX)
- C3: Incremental scans + parallel FTP connections

## Origin story

Built from lessons learned during sweetbabyroom.pl hack recovery (Apr 2026). The attacker's dropper (`wp-includes/blocks/gallery/editor-styles.css` containing PHP) evaded:

- Wordfence free (scan died on shared hosting)
- Custom file scanner (extension-filtered to `.php/.js/.html` only)
- cyberFolks built-in AV (reactive, post-infection rename to `.VIRUS`)

Each scanner module directly addresses a technique the attacker used or a blind spot of existing tools.