GitHunt

moscovium-mc/GitHub-Exploit-Tracker


GitHub Early Warning Stalker Bot

License: MIT
Node.js 18+

Real-time GitHub exploit PoC monitor that scores, analyzes, and alerts on newly published CVE exploits before they trend. Built to give defenders a head start and red teams the edge.


What it does

  • Scans GitHub every 5 minutes (configurable) for new repositories matching a CVE year prefix (CVE-2024, CVE-2025) paired with one of the keywords poc, exploit or bypass
  • Threat analysis engine with red-flag detection (IPs, shellcode, base64 exec, obfuscation patterns)
  • Automated confidence scoring (0–100) → SAFE / SUSPICIOUS / MALWARE verdicts
  • Discord alerts with color-coded embeds, IOCs, author intel, and threat breakdowns
  • SQLite deduplication — no spam, only new findings
  • Deep README analysis — fetches and scans repository documentation for hidden indicators
  • TypeScript in strict mode, with error handling and retry logic around the GitHub and Discord calls

TL;DR: Your automated early warning for public exploit code. GitHub publishes a PoC for a CVE → you get alerted with a threat analysis → you act before it goes mainstream.


Detection Capabilities

Red Flags Tracked

The bot scores each repository against seven indicators; every hit subtracts points from the starting score:

| Threat indicator | What it detects | Score impact |
|---|---|---|
| New GitHub account | Account created less than 7 days ago | -30 points |
| Suspicious fork/star ratio | Many forks (>50) but few stars (<5) | -40 points |
| Embedded IP addresses | Hard-coded IPs in code or docs (possible C2) | -25 points |
| Base64 execution | base64, b64decode, eval(, exec(, atob( | -25 points |
| PowerShell obfuscation | -enc, -encodedcommand, -w hidden | -25 points |
| Shellcode patterns | Hex-encoded payloads (\x41\x42...) | -25 points |
| Reverse shell indicators | socket.socket, connect(, sh -i, /bin/sh | -25 points |

Scoring Logic

  • Starting score: 70 points. The table lists only deductions, so a repository that triggers nothing stays at 70.
  • 60–100 → 🟢 SAFE (likely legitimate security research)
  • 30–59 → 🟡 SUSPICIOUS (contains concerning patterns, needs review)
  • 0–29 → 🔴 MALWARE (high-confidence malicious code)

Multiple red flags compound. A single -25 indicator already moves a repository from 70 to 45 (SUSPICIOUS); shellcode + PowerShell obfuscation + a new account is 70 - 25 - 25 - 30 = -10, far below the MALWARE threshold. Keep in mind that the indicators are string heuristics: a genuine PoC often contains a reverse-shell stub or a target IP, so SUSPICIOUS means "read it before you run it", not "malicious".
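The scoring logic above, as an added TypeScript example (not the project's code): it implements the seven indicators and the score bands from the table, extracts embedded IPs as IOCs, and scores three constructed sample repositories. The regular expressions are this example's own reading of the string lists in the table, not the project's patterns, and the sample repositories, owners and the 203.0.113.45 address are constructed.

```typescript
// Added example, not the project's own code: a scoring engine that applies the
// seven red flags and the score bands from the README to a repository record.
// The regexes and the sample repositories are assumptions constructed for
// illustration; the README lists the strings, not the project's exact patterns.

interface RepoRecord {
  fullName: string;
  ownerCreatedAt: string | null; // ISO 8601; null when user metadata could not be fetched
  stars: number;
  forks: number;
  content: string;               // README text plus any fetched source
}

interface Finding { indicator: string; penalty: number; evidence: string[] }
type Label = "SAFE" | "SUSPICIOUS" | "MALWARE";
interface Verdict { score: number; label: Label; findings: Finding[]; ips: string[] }

const START_SCORE = 70;
const DAY_MS = 86400000;

// Assumed patterns for the string lists in the README (global flag so match() returns every hit).
const IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g;
const BASE64_EXEC = /\b(?:base64|b64decode|atob)\b|\b(?:eval|exec)\(/gi;
const PS_OBFUSCATION = /-(?:enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden/gi;
const SHELLCODE = /(?:\\x[0-9a-f]{2}){4,}/gi;
const REVERSE_SHELL = /socket\.socket|\bconnect\(|\bsh -i\b|\/bin\/sh/gi;

// Every distinct match of `re` in `text`, in order of first appearance.
function grep(text: string, re: RegExp): string[] {
  const hits: string[] = text.match(re) ?? [];
  return hits.filter((h, i) => hits.indexOf(h) === i);
}

// Loopback and the unspecified address are normal in PoC usage lines, so this
// example does not treat them as C2 indicators (a tuning choice, not the README's).
function extractIps(text: string): string[] {
  return grep(text, IPV4).filter((ip) => ip.indexOf("127.") !== 0 && ip !== "0.0.0.0");
}

function labelFor(score: number): Label {
  if (score >= 60) return "SAFE";
  if (score >= 30) return "SUSPICIOUS";
  return "MALWARE";
}

function analyze(repo: RepoRecord, now: Date = new Date()): Verdict {
  const findings: Finding[] = [];
  const flag = (indicator: string, penalty: number, evidence: string[]): void => {
    if (evidence.length > 0) findings.push({ indicator, penalty, evidence });
  };

  // Author intel: the age check is skipped when user metadata is unavailable.
  if (repo.ownerCreatedAt !== null) {
    const ageDays = (now.getTime() - Date.parse(repo.ownerCreatedAt)) / DAY_MS;
    if (ageDays < 7) flag("New GitHub account", 30, [`account is ${ageDays.toFixed(1)} days old`]);
  }
  if (repo.forks > 50 && repo.stars < 5) {
    flag("Suspicious fork/star ratio", 40, [`${repo.forks} forks, ${repo.stars} stars`]);
  }

  const ips = extractIps(repo.content);
  flag("Embedded IP addresses", 25, ips);
  flag("Base64 execution", 25, grep(repo.content, BASE64_EXEC));
  flag("PowerShell obfuscation", 25, grep(repo.content, PS_OBFUSCATION));
  flag("Shellcode patterns", 25, grep(repo.content, SHELLCODE));
  flag("Reverse shell indicators", 25, grep(repo.content, REVERSE_SHELL));

  // Penalties compound; the score is clamped to the README's 0-100 range.
  const raw = START_SCORE - findings.reduce((sum, f) => sum + f.penalty, 0);
  const score = Math.max(0, Math.min(100, raw));
  return { score, label: labelFor(score), findings, ips };
}

// Constructed sample repositories, scored against a fixed clock so results are reproducible.
const FIXED_NOW = new Date("2025-06-01T00:00:00Z");
const SAMPLES: { [name: string]: RepoRecord } = {
  research: {
    fullName: "alice/CVE-2025-0001-poc",
    ownerCreatedAt: "2019-03-04T00:00:00Z", stars: 120, forks: 30,
    content: "Proof of concept for CVE-2025-0001 (auth bypass).\nUsage: python3 poc.py --target http://127.0.0.1:8080 --check",
  },
  reverseShell: {
    fullName: "bob/CVE-2024-12345-exploit",
    ownerCreatedAt: "2021-08-15T00:00:00Z", stars: 40, forks: 12,
    content: "Exploit for CVE-2024-12345. Opens socket.socket(AF_INET, SOCK_STREAM), calls connect((host, 4444)) and spawns /bin/sh.",
  },
  fakePoc: {
    fullName: "fresh-acct/CVE-2025-9999-rce",
    ownerCreatedAt: "2025-05-30T12:00:00Z", stars: 2, forks: 80,
    content: "CVE-2025-9999 RCE poc. Run: powershell -w hidden -enc SQBFAFgAIAAoAE4A\n" +
      "payload = b64decode(blob); exec(payload)  # beacon to 203.0.113.45:8443\n" +
      "shellcode = b'\\x41\\x42\\x43\\x44\\x90\\x90'",
  },
};

for (const name in SAMPLES) {
  const v = analyze(SAMPLES[name], FIXED_NOW);
  console.log(`${name}: ${v.score} ${v.label} [${v.findings.map((f) => f.indicator).join(", ")}] ips=${v.ips.join(",")}`);
}
```

Run with npx ts-node: the research repo stays at 70 SAFE (its 127.0.0.1 usage line is skipped), the reverse-shell PoC lands at 45 SUSPICIOUS on a single indicator, and the fresh-account fake PoC bottoms out at 0 MALWARE with six hits. Whether loopback addresses should be ignored, and whether the bare word "base64" in a README deserves a full -25, are the two knobs most worth tuning against your own false-positive rate.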


Getting it running

Prerequisites

  • Node.js 18+ (if you don't have this, get it from nodejs.org)
  • Discord bot token (see Setting up Discord Bot below)
  • GitHub Personal Access Token (classic token; no scopes are needed to search public repositories, the token only raises your rate limit. A no-scope token can read nothing private, which limits the damage if it leaks; keep it in .env and never commit it. See Getting GitHub Token below)
  • Discord channel ID (enable Developer Mode in Discord → right-click channel → Copy ID)

💡 Bot permissions needed: Send Messages, Embed Links, View Channel

Installation

# Clone the repository
git clone https://github.com/moscovium-mc/GitHub-Exploit-Tracker.git
cd GitHub-Exploit-Tracker

# Install dependencies
npm install

# Build the project
npm run build

# Run the bot
npm start

Configuration

Create a .env file in the project root:

# Discord Bot Token (from discord.com/developers/applications)
DISCORD_TOKEN=_bot_token

# Discord Channel ID (right-click channel → Copy ID)
DISCORD_CHANNEL_ID=channel_id

# GitHub Personal Access Token (github.com/settings/tokens)
GITHUB_TOKEN=github_token

# Scan interval in minutes (default: 5)
SCAN_INTERVAL_MINUTES=5

Setting up Discord Bot

  1. Go to Discord Developer Portal
  2. Click New Application → give it a name
  3. Go to Bot section → Add Bot
  4. Copy the bot token (put in DISCORD_TOKEN)
  5. Under OAuth2 → URL Generator:
    • Scopes: bot
    • Permissions: Send Messages, Embed Links, View Channel
  6. Use generated URL to invite bot to your server

Getting GitHub Token

  1. Go to GitHub Settings → Tokens
  2. Click Generate new token (classic)
  3. Name it (e.g., "Exploit Tracker Bot")
  4. No scopes needed for public repos
  5. Click Generate and copy the token
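The three configuration steps above (the .env file, the Discord bot, the GitHub token), pulled together as an added TypeScript example that is not the project's code: it parses the .env file, rejects the README's sample placeholders, sanity-checks the shape of each value and estimates the hourly GitHub request budget from SCAN_INTERVAL_MINUTES using the 60-80 requests per scan quoted in Troubleshooting. The format rules (numeric Discord snowflakes, three-segment bot tokens, ghp_/github_pat_ prefixes) are assumptions about the services, and the filled-in sample values are constructed, not real credentials.

```typescript
// Added example, not the project's own code: a fail-fast check of the .env values
// the README asks for, meant to run before the bot connects to Discord or GitHub.
// The format rules are assumptions about the services, not something the README
// states: Discord IDs are numeric snowflakes, a Discord bot token has three
// dot-separated segments, and a GitHub PAT starts with ghp_ (classic) or github_pat_.

interface BotConfig {
  discordToken: string;
  discordChannelId: string;
  githubToken: string;
  scanIntervalMinutes: number;
}

interface Report { config: BotConfig | null; errors: string[]; warnings: string[] }

type Env = { [key: string]: string | undefined };

// Placeholders from the README's sample .env; leaving them in is the usual first-run mistake.
const PLACEHOLDERS = ["_bot_token", "channel_id", "github_token"];
const CALLS_PER_SCAN = 80;   // upper end of the README's 60-80 requests per scan
const HOURLY_LIMIT = 5000;   // authenticated REST limit quoted in the README

// Minimal KEY=value parser: blank lines and # comments skipped, surrounding quotes stripped.
function parseDotenv(text: string): Env {
  const env: Env = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.charAt(0) === "#") continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

function validateConfig(env: Env): Report {
  const errors: string[] = [];
  const warnings: string[] = [];

  // A required value is missing, still a placeholder, or usable; only the last case returns non-empty.
  const required = (name: string): string => {
    const value = env[name];
    if (value === undefined || value === "") { errors.push(`${name} is missing`); return ""; }
    if (PLACEHOLDERS.indexOf(value) >= 0) { errors.push(`${name} still holds the sample placeholder "${value}"`); return ""; }
    return value;
  };

  const discordToken = required("DISCORD_TOKEN");
  if (discordToken !== "" && !/^[\w-]+\.[\w-]+\.[\w-]+$/.test(discordToken)) {
    warnings.push("DISCORD_TOKEN does not look like a bot token (expected three dot-separated segments)");
  }

  // A server ID is also a snowflake, so this cannot catch the channel-vs-server mix-up
  // from the troubleshooting section; it only catches IDs copied without Developer Mode.
  const channelId = required("DISCORD_CHANNEL_ID");
  if (channelId !== "" && !/^\d{17,20}$/.test(channelId)) {
    errors.push("DISCORD_CHANNEL_ID must be a numeric snowflake (enable Developer Mode, right-click the channel, Copy ID)");
  }

  const githubToken = required("GITHUB_TOKEN");
  if (githubToken !== "" && !/^(ghp_|github_pat_)/.test(githubToken)) {
    warnings.push("GITHUB_TOKEN does not start with ghp_ (classic) or github_pat_ (fine-grained)");
  }

  const intervalRaw = env["SCAN_INTERVAL_MINUTES"] ?? "5";
  const interval = Number(intervalRaw);
  if (!isFinite(interval) || interval < 1 || interval % 1 !== 0) {
    errors.push(`SCAN_INTERVAL_MINUTES must be a positive integer, got "${intervalRaw}"`);
  } else {
    // Rate budget: scans per hour times the README's worst-case requests per scan.
    const hourly = Math.ceil(60 / interval) * CALLS_PER_SCAN;
    if (hourly > HOURLY_LIMIT / 2) {
      warnings.push(`about ${hourly} GitHub requests/hour at ${interval}-minute scans leaves little of the ${HOURLY_LIMIT}/hour limit for anything else using this token`);
    }
  }

  if (errors.length > 0) return { config: null, errors, warnings };
  return {
    config: { discordToken, discordChannelId: channelId, githubToken, scanIntervalMinutes: interval },
    errors,
    warnings,
  };
}

// Constructed sample files. The first is the README's .env with nothing filled in;
// the second has values of the right shape, none of which are real credentials.
const SAMPLE_ENV_UNEDITED = [
  "# Discord Bot Token (from discord.com/developers/applications)",
  "DISCORD_TOKEN=_bot_token",
  "DISCORD_CHANNEL_ID=channel_id",
  "GITHUB_TOKEN=github_token",
  "SCAN_INTERVAL_MINUTES=5",
].join("\n");

const SAMPLE_ENV_FILLED = [
  'DISCORD_TOKEN="MTIzNDU2Nzg5MDEyMzQ1Njc4.GaBcDe.not-a-real-signature_0000000000"',
  "DISCORD_CHANNEL_ID=123456789012345678",
  "GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123",
  "SCAN_INTERVAL_MINUTES=1",
].join("\n");

for (const sample of [SAMPLE_ENV_UNEDITED, SAMPLE_ENV_FILLED]) {
  const report = validateConfig(parseDotenv(sample));
  console.log(report.config ? "config OK" : "config REJECTED", { errors: report.errors, warnings: report.warnings });
}
```

The unedited file is rejected with three placeholder errors; the filled-in one is accepted but warned about, because a 1-minute interval at 80 requests per scan is about 4,800 requests/hour, nearly the whole authenticated budget. The check deliberately reports shape problems with tokens as warnings rather than errors, since token formats are not a documented contract; the only hard rejections are missing values, placeholders, a non-numeric channel ID and a bad interval.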

Platform Support

Fully Tested On

  • Windows 10/11
  • Linux (Ubuntu, Debian, Kali)
  • macOS (Intel & Apple Silicon)

Requirements

  • Node.js 18.x or higher
  • npm or yarn
  • Internet access (GitHub API + Discord)

Troubleshooting

Bot starts but no alerts appear

Problem: Bot runs successfully but Discord channel stays empty

Solutions:

  • Verify DISCORD_CHANNEL_ID is the channel ID, not server ID
  • Confirm bot has Send Messages and Embed Links permissions
  • Check bot can View Channel (role permissions)
  • Look for errors in console output

"Could not fetch user data" warnings

Problem: Warnings about missing user metadata

Solutions:

  • This is normal for some GitHub users (privacy settings)
  • Bot continues scanning — doesn't break functionality
  • User creation date check skipped for these accounts

Rate limit errors

Problem: GitHub API rate limit messages

Solutions:

  • Authenticated requests: 5,000/hour against the core REST API
  • This bot uses roughly 60–80 requests per scan, so at 5-minute intervals that is at most about 12 × 80 = 960 requests/hour, well inside the limit
  • The search endpoint has its own, separate limit of 30 requests/minute for authenticated tokens; the bot's six queries per scan are far under it, but another tool sharing the same token can push you over
  • If you hit limits, increase SCAN_INTERVAL_MINUTES, or give the bot a token of its own

Database locked errors

Problem: SQLite "database is locked"

Solutions:

  • Close any DB browser tools
  • Make sure only one bot instance is running
  • As a last resort, delete data/seen_repos.db and restart; the bot loses its dedup history, so every repository already seen that still matches the queries is alerted on again at the next scan

No new repos found

Problem: Bot reports 0 repositories every scan

Solutions:

  • GitHub API may be rate limiting
  • Try increasing scan interval
  • Verify GITHUB_TOKEN is valid and not expired
  • Check GitHub API status: githubstatus.com

Fully Working Features

  • Real-time GitHub monitoring (CVE-2024/2025)
  • Multi-query search (6 different query combinations)
  • README content analysis
  • 7-point threat detection system
  • Automated confidence scoring
  • IOC extraction (IPs, patterns)
  • SQLite deduplication
  • Discord embeds with color-coding
  • Author intelligence (account age, profile)
  • Configurable scan intervals
  • Cross-platform support
  • Error and retry logic
  • Comprehensive logging

Use Cases

This bot is built for:

SOC Analysts

  • Early visibility into public exploit drops
  • Threat scoring reduces triage time
  • IOC extraction for correlation

Threat Hunters

  • Proactive intel on emerging TTPs
  • Track exploit development trends
  • Identify malicious repositories masquerading as PoCs

Red Teams

  • Discover new PoCs before defenders patch
  • Screen PoCs for booby-trapped code via the threat score before running them (the score rates how malicious the repo looks, not whether the exploit works)
  • Monitor adversary tooling development

Bug Bounty Hunters

  • Track exploit availability for in-scope CVEs
  • Early PoC access for vulnerability research
  • Correlate CVEs with public exploits

Incident Responders

  • Match attacks to public exploits
  • Identify compromised systems faster
  • Understand attacker tooling

Security Researchers

  • Monitor CVE weaponization timeline
  • Track malware distribution via fake PoCs
  • Research exploit development lifecycle

Performance Metrics

  • Startup time: 2-3 seconds
  • Scan duration: 30-60 seconds (depends on results)
  • Memory usage: ~50-100 MB
  • CPU usage: <5% during scans
  • Network: ~5 MB per scan cycle
  • Database size: ~1 KB per 100 repos tracked

Contributing

PRs welcome — but keep it lean and effective.

Good Additions

  • New red-flag patterns (domain extraction, hash detection)
  • Additional CVE years (CVE-2026+)
  • Better IOC parsing (URLs, file hashes, domains)
  • Severity-based filtering ("only alert score <40")
  • Custom search queries via config
  • Webhook support for non-Discord integrations

Please Don't Add

  • Bloat or unnecessary dependencies
  • Web dashboards (this is a bot, not a platform)
  • Breaking changes without discussion
  • Features that slow down scans

Contribution Guidelines

  1. Fork the repository
  2. Create a feature branch
  3. Test on Windows, Linux, and macOS
  4. Keep TypeScript strict mode compliance
  5. Update README if adding features
  6. Submit PR with clear description

Support My Work

If this bot saves you time (or prevents a breach), consider supporting development:

Buy Me A Coffee

Crypto donations:

  • Bitcoin bc1quavqz6cxqzfy4qtvq4zxc4fjgap3s7cmxja0k4
  • Ethereum 0x5287af72afbc152b09b3bf20af3693157db9e425
  • Solana HYZjfEx8NbEMJX1vL1GmGj39zA6TgMsHm5KCHWSZxF4j
  • Monero 86zv6vTDuG35sdBzBpwVAsD71hbt2gjH14qiesyrSsMkUAWHQkPZyY9TreeQ5dXRuP57yitP4Yn13SQEcMK4MhtwFzPoRR1

Your support keeps my projects maintained and improved.


Acknowledgments

  • GitHub API - For providing access to repository data
  • Discord.js - Discord bot framework
  • Octokit - GitHub API client library
  • Security research community - For responsible disclosure practices

This tool is designed for defensive security operations and authorized security research only.

Intended Use

  • Monitoring public exploit repositories
  • Threat intelligence gathering
  • Security operations center (SOC) automation
  • Vulnerability research and analysis

Prohibited Use

  • Deploying exploits without authorization
  • Attacking systems you don't own
  • Violating GitHub's Terms of Service
  • Any illegal activities

By using this software, you agree to use it responsibly and ethically. The authors are not responsible for misuse.


License

MIT License - See LICENSE file for details.


GitHub publishes → bot analyzes → you respond.


⭐ Star this repo if it helps your security operations.
Report issues to improve detection accuracy.
Fork and contribute to make it better.

Stay ahead. Stay secure.
