Secure your dependencies. Ship with confidence.

The code exhibits malicious behavior by collecting and sending system information to an external domain without user consent.

Live on npm for 14 days, 15 hours and 58 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 4 hours and 58 minutes before removal. Socket users were protected even while the package was live.

This script is highly malicious as it opens a reverse shell to an external server, posing a significant security risk.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

The source code is malicious and designed to steal Discord tokens from the local storage directories of various applications and web browsers, including Discord, Chrome, Firefox, Opera, Edge, Vivaldi, Brave, and others. It constructs file paths to these applications' local storage directories and searches for files (such as 'log' and 'ldb' files) that may contain tokens. It uses regular expressions to locate both plaintext and encrypted tokens within these files. For encrypted tokens, it retrieves the 'master key' from the 'Local State' file of the corresponding application and employs AES decryption using Windows Cryptographic API functions to decrypt the tokens. The extracted tokens are then validated by making unauthorized requests to the Discord API at 'https[:]//discord[.]com/api/v9/users/@me', simulating an authenticated session. Valid tokens, along with associated user IDs, are stored in a text file within a directory in the user's temporary folder (e.g., '%TEMP%\info\discord\discordTokens.txt'). This behavior poses a significant security risk by enabling unauthorized access to user accounts, potential account takeover, exfiltration of sensitive information, and misuse of user data.

The source code collects extensive system information and sends it to a remote server without user consent. This behavior is indicative of data exfiltration and poses a significant security risk.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code presents several security risks, primarily due to the lack of validation for external inputs and the potential for arbitrary code execution through untrusted package installations. The use of environment variables without checks increases the risk of malicious manipulation. Overall, the code should be reviewed and modified to include validation mechanisms to mitigate these risks.

The code exhibits potential security risks due to handling sensitive data, complex encoding/decoding functions, and accessing environment variables. The getAppState function poses a significant security risk if misused. Caution is advised when using these functions. The malware score should be higher due to the identified risks. The obfuscated score is accurate. The overall risk score should be increased to reflect the security concerns identified in the reports.

Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.

The script is designed to collect sensitive information about the user and send it to an external server, which is malicious behavior.

Live on npm for 26 days, 9 hours and 31 minutes before removal. Socket users were protected even while the package was live.

This package was removed from the npm registry for security reasons.

The code is performing malicious actions by exfiltrating environment variables to an external server, which is a serious security risk. The obfuscation further indicates an attempt to hide this behavior.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

This file executes shell commands (ls -l, uname -a) to gather system details and exfiltrates them, along with user-supplied data (IP address, username, platform), to http://45[.]94[.]31[.]43:3000/log. This behavior indicates malicious intent, as it potentially compromises system confidentiality by transmitting sensitive information to an untrusted destination.

The code is engaging in malicious activities by exfiltrating system and project data to external servers without user consent. This poses a significant security risk.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

Malicious code in es6shsm (npm) Source: ghsa-malware (532e251435e5aa43412f0a3d67927aad3b0df8a7a31d174bc651cda37d917934) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 1 hour and 12 minutes before removal. Socket users were protected even while the package was live.

Malicious code in test494 (npm) Source: ghsa-malware (b4eee97c9c0e65b38d0550ad3c3c448e647fc469837a13ab37682c6cfd2a5c34) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

This file collects sensitive system details (e.g., hostname, username, network interfaces) and exfiltrates them through DNS queries to domains like .vk.k.addr-in[.]com. It also disables TLS verification and fetches additional scripts from a suspicious remote server (e.g., c2-5-8-181-102[.]elastic[.]cloud[.]croc[.]ru), executing them via eval(). These behaviors facilitate data exfiltration and remote code execution, posing a high security risk.

Live on npm for 51 minutes before removal. Socket users were protected even while the package was live.

The provided reports are not useful for analysis. The source code contains syntax errors and uses unfamiliar packages, which raises concerns. However, without further information on the actual implementation of these packages, it is challenging to determine if they are malicious. The code in its current form is non-executable and thus poses no immediate risk.

Live on npm for 56 days, 15 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The code's behavior of downloading and executing files, combined with its obfuscation, suggests a high potential for malicious activity. The risk of executing arbitrary code on a user's system is significant.

Live on npm for 6 days, 14 hours and 18 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package name, current working directory, username, hostname, and IP address, then sends it to a remote server using DNS requests.

Live on npm for 6 days, 21 hours and 28 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and exfiltrating sensitive system information to an external server. This poses a significant security risk.

Live on npm for 12 hours and 32 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear signs of malicious behavior involving data theft and exfiltration. It encodes and sends sensitive system and user data to a suspicious domain via both DNS queries and HTTPS POST requests.

Live on npm for 1 hour and 25 minutes before removal. Socket users were protected even while the package was live.

The code lacks proper encoding and sanitization, which can lead to content injection vulnerabilities. Further validation and encoding of the XML content are needed to mitigate potential security risks.

Live on npm for 16 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code contains potential security risks due to hard-coded credentials and obfuscated code in the stamp function. However, there is no clear evidence of intentional malicious activity like data theft or system sabotage.

Due to the extreme obfuscation and lack of clear functionality, the code snippet poses a significant security risk. While the exact intent cannot be determined, the obfuscated nature of the code raises concerns about potential malicious behavior. Exercise caution when interacting with or executing this code.

Live on PyPI for 5 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 1 hour and 12 minutes before removal. Socket users were protected even while the package was live.

The code contains potential privacy issues, with the hostname and current working directory being sent to a possibly suspicious domain. It doesn't appear to be malware, but the unusual network activity could be seen as potentially malicious and poses a privacy risk.

Live on npm for 15 days, 15 hours and 28 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and sending system information to an external domain without user consent.

Live on npm for 14 days, 15 hours and 58 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 4 hours and 58 minutes before removal. Socket users were protected even while the package was live.

This script is highly malicious as it opens a reverse shell to an external server, posing a significant security risk.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

The source code is malicious and designed to steal Discord tokens from the local storage directories of various applications and web browsers, including Discord, Chrome, Firefox, Opera, Edge, Vivaldi, Brave, and others. It constructs file paths to these applications' local storage directories and searches for files (such as 'log' and 'ldb' files) that may contain tokens. It uses regular expressions to locate both plaintext and encrypted tokens within these files. For encrypted tokens, it retrieves the 'master key' from the 'Local State' file of the corresponding application and employs AES decryption using Windows Cryptographic API functions to decrypt the tokens. The extracted tokens are then validated by making unauthorized requests to the Discord API at 'https[:]//discord[.]com/api/v9/users/@me', simulating an authenticated session. Valid tokens, along with associated user IDs, are stored in a text file within a directory in the user's temporary folder (e.g., '%TEMP%\info\discord\discordTokens.txt'). This behavior poses a significant security risk by enabling unauthorized access to user accounts, potential account takeover, exfiltration of sensitive information, and misuse of user data.

The source code collects extensive system information and sends it to a remote server without user consent. This behavior is indicative of data exfiltration and poses a significant security risk.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code presents several security risks, primarily due to the lack of validation for external inputs and the potential for arbitrary code execution through untrusted package installations. The use of environment variables without checks increases the risk of malicious manipulation. Overall, the code should be reviewed and modified to include validation mechanisms to mitigate these risks.

The code exhibits potential security risks due to handling sensitive data, complex encoding/decoding functions, and accessing environment variables. The getAppState function poses a significant security risk if misused. Caution is advised when using these functions. The malware score should be higher due to the identified risks. The obfuscated score is accurate. The overall risk score should be increased to reflect the security concerns identified in the reports.

Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.

The script is designed to collect sensitive information about the user and send it to an external server, which is malicious behavior.

Live on npm for 26 days, 9 hours and 31 minutes before removal. Socket users were protected even while the package was live.

This package was removed from the npm registry for security reasons.

The code is performing malicious actions by exfiltrating environment variables to an external server, which is a serious security risk. The obfuscation further indicates an attempt to hide this behavior.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

This file executes shell commands (ls -l, uname -a) to gather system details and exfiltrates them, along with user-supplied data (IP address, username, platform), to http://45[.]94[.]31[.]43:3000/log. This behavior indicates malicious intent, as it potentially compromises system confidentiality by transmitting sensitive information to an untrusted destination.

The code is engaging in malicious activities by exfiltrating system and project data to external servers without user consent. This poses a significant security risk.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

Malicious code in es6shsm (npm) Source: ghsa-malware (532e251435e5aa43412f0a3d67927aad3b0df8a7a31d174bc651cda37d917934) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 1 hour and 12 minutes before removal. Socket users were protected even while the package was live.

Malicious code in test494 (npm) Source: ghsa-malware (b4eee97c9c0e65b38d0550ad3c3c448e647fc469837a13ab37682c6cfd2a5c34) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

This file collects sensitive system details (e.g., hostname, username, network interfaces) and exfiltrates them through DNS queries to domains like .vk.k.addr-in[.]com. It also disables TLS verification and fetches additional scripts from a suspicious remote server (e.g., c2-5-8-181-102[.]elastic[.]cloud[.]croc[.]ru), executing them via eval(). These behaviors facilitate data exfiltration and remote code execution, posing a high security risk.

Live on npm for 51 minutes before removal. Socket users were protected even while the package was live.

The provided reports are not useful for analysis. The source code contains syntax errors and uses unfamiliar packages, which raises concerns. However, without further information on the actual implementation of these packages, it is challenging to determine if they are malicious. The code in its current form is non-executable and thus poses no immediate risk.

Live on npm for 56 days, 15 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The code's behavior of downloading and executing files, combined with its obfuscation, suggests a high potential for malicious activity. The risk of executing arbitrary code on a user's system is significant.

Live on npm for 6 days, 14 hours and 18 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package name, current working directory, username, hostname, and IP address, then sends it to a remote server using DNS requests.

Live on npm for 6 days, 21 hours and 28 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and exfiltrating sensitive system information to an external server. This poses a significant security risk.

Live on npm for 12 hours and 32 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear signs of malicious behavior involving data theft and exfiltration. It encodes and sends sensitive system and user data to a suspicious domain via both DNS queries and HTTPS POST requests.

Live on npm for 1 hour and 25 minutes before removal. Socket users were protected even while the package was live.

The code lacks proper encoding and sanitization, which can lead to content injection vulnerabilities. Further validation and encoding of the XML content are needed to mitigate potential security risks.

Live on npm for 16 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code contains potential security risks due to hard-coded credentials and obfuscated code in the stamp function. However, there is no clear evidence of intentional malicious activity like data theft or system sabotage.

Due to the extreme obfuscation and lack of clear functionality, the code snippet poses a significant security risk. While the exact intent cannot be determined, the obfuscated nature of the code raises concerns about potential malicious behavior. Exercise caution when interacting with or executing this code.

Live on PyPI for 5 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 1 hour and 12 minutes before removal. Socket users were protected even while the package was live.

The code contains potential privacy issues, with the hostname and current working directory being sent to a possibly suspicious domain. It doesn't appear to be malware, but the unusual network activity could be seen as potentially malicious and poses a privacy risk.

Live on npm for 15 days, 15 hours and 28 minutes before removal. Socket users were protected even while the package was live.