
Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery (timmywil published 3.7.1)

left-pad (stevemao published 1.3.0)

react (react-bot published 18.3.1)

We protect you from vulnerable and malicious packages

flow-faucet

1.999.0

by 0xnaeem

Removed from npm

Blocked by Socket

The code is performing malicious actions by exfiltrating system information to a suspicious domain. This indicates a high security risk and potential malware.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

shineout-mobile

5.99.99

Removed from npm

Blocked by Socket

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 23 minutes before removal. Socket users were protected even while the package was live.

sap-abstract

0.9.9

by abdallaeg2

Removed from npm

Blocked by Socket

The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.

Live on npm for 54 minutes before removal. Socket users were protected even while the package was live.

iconfront

1.0.0

by nopurposeinlife

Removed from npm

Blocked by Socket

The script collects information like package name, current directory, home directory, hostname, username, DNS servers, package version and package JSON content and sends it to a remote server.

Live on npm for 2 hours and 21 minutes before removal. Socket users were protected even while the package was live.

node-colors-sync

1.4.1

by cutiespartey

Removed from npm

Blocked by Socket

The code exhibits clear signs of malicious behavior, including data theft, execution of system commands, and heavy obfuscation. These activities pose a significant security risk and indicate a high likelihood of malicious intent.

Live on npm for 1 hour and 12 minutes before removal. Socket users were protected even while the package was live.

email-helper

2.0.20230806201932

by righettod

Removed from npm

Blocked by Socket

The code is potentially malicious as it makes network requests and executes shell commands based on the responses. It also uses obfuscated variable names and has unnecessary try-catch blocks and async/await.

Live on npm for 32 days, 15 hours and 3 minutes before removal. Socket users were protected even while the package was live.

fca-h4m1m-x2

1.5.7

by hamimx2

Live on npm

Blocked by Socket

The code exhibits suspicious behaviors by dynamically updating from an external source that is not verifiable or trusted, executing commands based on external input without sanitization, and potentially installing non-standard npm packages. It carries the risk of introducing malicious code or opening up Remote Code Execution vulnerabilities.

gae-scaffold

1.0.0

by npm

Removed from npm

Blocked by Socket

Malicious code in gae-scaffold (npm) Source: ghsa-malware (7fa0c6991b3823bfad7ac72276d2355a97e46c69912781af0872d99113be09d4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 1 hour and 16 minutes before removal. Socket users were protected even while the package was live.

vendor-react-dom

10.999.999

Removed from npm

Blocked by Socket

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 5 minutes before removal. Socket users were protected even while the package was live.

dfss

1.6.0

Live on pypi

Blocked by Socket

The code fragment exhibits several security risks, notably the use of hardcoded credentials and potential misuse of system commands. It appears to be non-obfuscated but contains parts that may lead to unintentional data exposure or misuse. Given these factors, it is advisable to revise the code to ensure better security practices and eliminate hardcoded credentials.

azure-graphrbac

1.2.3

Removed from npm

Blocked by Socket

The code is highly suspicious due to its behavior of collecting and transmitting sensitive system and project data to external servers without user consent. This aligns with malicious activities such as data theft.

Live on npm for 50 minutes before removal. Socket users were protected even while the package was live.

ncx-js

1.2.2

by k4dirr

Removed from npm

Blocked by Socket

The code allows execution of arbitrary system commands based on input and includes dangerous global hook mechanisms that could be abused if an attacker has control over their definitions. It could be part of a legitimate system, but due to lack of sanitation and use of global hooks, it poses a high security risk.

Live on npm for 13 days, 4 hours and 13 minutes before removal. Socket users were protected even while the package was live.

hfilesa3ver

1.2.0

by 17b4a931

Removed from npm

Blocked by Socket

This code poses a serious security risk and should not be used.

Live on npm for 2 hours and 13 minutes before removal. Socket users were protected even while the package was live.

concatstr6eam

1.2.0

by 17b4a931

Removed from npm

Blocked by Socket

This code poses a serious security risk and should not be used.

vlwzk

1.1.1

by vkzteam

Live on npm

Blocked by Socket

The code exhibits behavior typical of unauthorized cryptocurrency mining, posing a significant security risk by downloading and executing external code.

new-npm-packages

999.9.9

by mega707

Removed from npm

Blocked by Socket

The script collects information like package details, directories, hostnames, DNS servers and user information, and sends it to a remote server.

Live on npm for 3 hours and 7 minutes before removal. Socket users were protected even while the package was live.

tmikiamr

1.99.2

by akaaka01

Removed from npm

Blocked by Socket

The code dynamically decodes and executes a script, which is highly suspicious as it hides the actual behavior of the script until runtime. This pattern is often used to obfuscate malicious activities. The use of 'exec' to run a dynamically generated script poses a significant security risk, as it can execute arbitrary code.

Live on npm for 31 minutes before removal. Socket users were protected even while the package was live.

wlwz-2312-2600

1.0.0

by wlwz

Removed from npm

Blocked by Socket

Malicious code in wlwz-2312-2600 (npm) Source: ghsa-malware (b5eef6b16686784256db2a00384a8ec28d6497cbe82599dae0f938574b300987) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 35 minutes before removal. Socket users were protected even while the package was live.

cryptotickets

99.99.99

by adisoma

Removed from npm

Blocked by Socket

The script collects information like package details, directory paths, hostname, username, and DNS servers, and sends it to a remote server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

@zitterorg/laudantium-rerum

2.1.10

by loandinhb931

Live on npm

Blocked by Socket

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

sh0rtiwd

1.2.0

by 17b4a931

Removed from npm

Blocked by Socket

This code poses a serious security risk and should not be used.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

stealerdiscord

1.5

Live on pypi

Blocked by Socket

The source code is malicious and designed to steal Discord tokens from the local storage directories of various applications and web browsers, including Discord, Chrome, Firefox, Opera, Edge, Vivaldi, Brave, and others. It constructs file paths to these applications' local storage directories and searches for files (such as 'log' and 'ldb' files) that may contain tokens. It uses regular expressions to locate both plaintext and encrypted tokens within these files. For encrypted tokens, it retrieves the 'master key' from the 'Local State' file of the corresponding application and employs AES decryption using Windows Cryptographic API functions to decrypt the tokens. The extracted tokens are then validated by making unauthorized requests to the Discord API at 'https[:]//discord[.]com/api/v9/users/@me', simulating an authenticated session. Valid tokens, along with associated user IDs, are stored in a text file within a directory in the user's temporary folder (e.g., '%TEMP%\info\discord\discordTokens.txt'). This behavior poses a significant security risk by enabling unauthorized access to user accounts, potential account takeover, exfiltration of sensitive information, and misuse of user data.

@chou_chamnan/font-khmers

1.0.0

by chou_chamnan

Live on npm

Blocked by Socket

The provided code is heavily obfuscated and manipulates the clipboard, which poses a significant security risk. The lack of detailed reports means we have to rely on our analysis to estimate the scores. The obfuscation and clipboard manipulation justify higher scores for malware and risk.

by-dynamic-domain

1250.6.1

by fearsoff

Removed from npm

Blocked by Socket

This script is highly suspicious and likely malicious. It attempts to make unauthorized network requests and includes a reverse shell command, which could lead to unauthorized access to the system.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

pythia-libs

141.0.0

by yandex.pizda

Removed from npm

Blocked by Socket

The script checks for specific environment conditions and then collects the environment variables, encodes them in base64, and sends them to an external server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Known malware

Possible typosquat attack

GitHub dependency

AI-detected potential malware

HTTP dependency

Obfuscated code

NPM Shrinkwrap

Suspicious Stars on GitHub

Protestware or potentially unwanted behavior

Unstable ownership


Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Why teams choose Socket

Proactive security

Depend on Socket to prevent malicious open source dependencies from infiltrating your app.

Easy to install

Install the Socket GitHub App in just 2 clicks and get protected today.

Comprehensive open source protection

Block 70+ issues in open source code, including malware, typosquatting, hidden code, misleading packages, permission creep, and more.

Develop faster

Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Dec 14, 2023

Hijacked cryptocurrency library adds malware

Widely-used library in cryptocurrency frontend was compromised to include wallet-draining code, following the hijacking of NPM account credentials via phishing.

Jan 06, 2022

Maintainer intentionally adds malware

Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.

Nov 15, 2021

npm discovers a platform vulnerability allowing unauthorized publishing of any package

Attackers could publish new versions of any npm package without authorization for multiple years.

Oct 22, 2021

Hijacked package adds cryptominers and password-stealing malware

Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.

Nov 26, 2018

Hijacked package adds organization-specific backdoors

Obfuscated malware added to a dependency targeted a single company, went undetected for over a week, and made it into their production build.

Ready to dive in?

Get protected by Socket with just 2 clicks.


The latest from the Socket team

Get our latest security research, open source insights, and product updates.
