Secure your dependencies. Ship with confidence.

The code is performing malicious actions by exfiltrating system information to a suspicious domain. This indicates a high security risk and potential malware.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 23 minutes before removal. Socket users were protected even while the package was live.

The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.

Live on npm for 54 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package name, current directory, home directory, hostname, username, DNS servers, package version and package JSON content and sends it to a remote server.

Live on npm for 2 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear signs of malicious behavior, including data theft, execution of system commands, and heavy obfuscation. These activities pose a significant security risk and indicate a high likelihood of malicious intent.

Live on npm for 1 hour and 12 minutes before removal. Socket users were protected even while the package was live.

The code is potentially malicious as it makes network requests and executes shell commands based on the responses. It also uses obfuscated variable names and has unnecessary try-catch blocks and async/await.

Live on npm for 32 days, 15 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code exhibits suspicious behaviors by dynamically updating from an external source that is not verifiable or trusted, executing commands based on external input without sanitization, and potentially installing non-standard npm packages. It carries the risk of introducing malicious code or opening up Remote Code Execution vulnerabilities.

Malicious code in gae-scaffold (npm) Source: ghsa-malware (7fa0c6991b3823bfad7ac72276d2355a97e46c69912781af0872d99113be09d4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 1 hour and 16 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 5 minutes before removal. Socket users were protected even while the package was live.

The code fragment exhibits several security risks, notably the use of hardcoded credentials and potential misuse of system commands. It appears to be non-obfuscated but contains parts that may lead to unintentional data exposure or misuse. Given these factors, it is advisable to revise the code to ensure better security practices and eliminate hardcoded credentials.

The code is highly suspicious due to its behavior of collecting and transmitting sensitive system and project data to external servers without user consent. This aligns with malicious activities such as data theft.

Live on npm for 50 minutes before removal. Socket users were protected even while the package was live.

The code allows execution of arbitrary system commands based on input and includes dangerous global hook mechanisms that could be abused if an attacker has control over their definitions. It could be part of a legitimate system, but due to lack of sanitation and use of global hooks, it poses a high security risk.

Live on npm for 13 days, 4 hours and 13 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 2 hours and 13 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

The code exhibits behavior typical of unauthorized cryptocurrency mining, posing a significant security risk by downloading and executing external code.

The script collects information like package details, directories, hostnames, DNS servers and user information, and sends it to a remote server.

Live on npm for 3 hours and 7 minutes before removal. Socket users were protected even while the package was live.

The code dynamically decodes and executes a script, which is highly suspicious as it hides the actual behavior of the script until runtime. This pattern is often used to obfuscate malicious activities. The use of 'exec' to run a dynamically generated script poses a significant security risk, as it can execute arbitrary code.

Live on npm for 31 minutes before removal. Socket users were protected even while the package was live.

Malicious code in wlwz-2312-2600 (npm) Source: ghsa-malware (b5eef6b16686784256db2a00384a8ec28d6497cbe82599dae0f938574b300987) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 35 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package details, directory paths, hostname, username, and DNS servers, and sends it to a remote server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This code poses a serious security risk and should not be used.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

The source code is malicious and designed to steal Discord tokens from the local storage directories of various applications and web browsers, including Discord, Chrome, Firefox, Opera, Edge, Vivaldi, Brave, and others. It constructs file paths to these applications' local storage directories and searches for files (such as 'log' and 'ldb' files) that may contain tokens. It uses regular expressions to locate both plaintext and encrypted tokens within these files. For encrypted tokens, it retrieves the 'master key' from the 'Local State' file of the corresponding application and employs AES decryption using Windows Cryptographic API functions to decrypt the tokens. The extracted tokens are then validated by making unauthorized requests to the Discord API at 'https[:]//discord[.]com/api/v9/users/@me', simulating an authenticated session. Valid tokens, along with associated user IDs, are stored in a text file within a directory in the user's temporary folder (e.g., '%TEMP%\info\discord\discordTokens.txt'). This behavior poses a significant security risk by enabling unauthorized access to user accounts, potential account takeover, exfiltration of sensitive information, and misuse of user data.

The provided code is heavily obfuscated and manipulates the clipboard, which poses a significant security risk. The lack of detailed reports means we have to rely on our analysis to estimate the scores. The obfuscation and clipboard manipulation justify higher scores for malware and risk.

This script is highly suspicious and likely malicious. It attempts to make unauthorized network requests and includes a reverse shell command, which could lead to unauthorized access to the system.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

The script checks for specific environment conditions and then collects the environment variables, encodes them in base64, and sends them to an external server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

The code is performing malicious actions by exfiltrating system information to a suspicious domain. This indicates a high security risk and potential malware.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 23 minutes before removal. Socket users were protected even while the package was live.

The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.

Live on npm for 54 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package name, current directory, home directory, hostname, username, DNS servers, package version and package JSON content and sends it to a remote server.

Live on npm for 2 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear signs of malicious behavior, including data theft, execution of system commands, and heavy obfuscation. These activities pose a significant security risk and indicate a high likelihood of malicious intent.

Live on npm for 1 hour and 12 minutes before removal. Socket users were protected even while the package was live.

The code is potentially malicious as it makes network requests and executes shell commands based on the responses. It also uses obfuscated variable names and has unnecessary try-catch blocks and async/await.

Live on npm for 32 days, 15 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code exhibits suspicious behaviors by dynamically updating from an external source that is not verifiable or trusted, executing commands based on external input without sanitization, and potentially installing non-standard npm packages. It carries the risk of introducing malicious code or opening up Remote Code Execution vulnerabilities.

Malicious code in gae-scaffold (npm) Source: ghsa-malware (7fa0c6991b3823bfad7ac72276d2355a97e46c69912781af0872d99113be09d4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 1 hour and 16 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 5 minutes before removal. Socket users were protected even while the package was live.

The code fragment exhibits several security risks, notably the use of hardcoded credentials and potential misuse of system commands. It appears to be non-obfuscated but contains parts that may lead to unintentional data exposure or misuse. Given these factors, it is advisable to revise the code to ensure better security practices and eliminate hardcoded credentials.

The code is highly suspicious due to its behavior of collecting and transmitting sensitive system and project data to external servers without user consent. This aligns with malicious activities such as data theft.

Live on npm for 50 minutes before removal. Socket users were protected even while the package was live.

The code allows execution of arbitrary system commands based on input and includes dangerous global hook mechanisms that could be abused if an attacker has control over their definitions. It could be part of a legitimate system, but due to lack of sanitation and use of global hooks, it poses a high security risk.

Live on npm for 13 days, 4 hours and 13 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 2 hours and 13 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

The code exhibits behavior typical of unauthorized cryptocurrency mining, posing a significant security risk by downloading and executing external code.

The script collects information like package details, directories, hostnames, DNS servers and user information, and sends it to a remote server.

Live on npm for 3 hours and 7 minutes before removal. Socket users were protected even while the package was live.

The code dynamically decodes and executes a script, which is highly suspicious as it hides the actual behavior of the script until runtime. This pattern is often used to obfuscate malicious activities. The use of 'exec' to run a dynamically generated script poses a significant security risk, as it can execute arbitrary code.

Live on npm for 31 minutes before removal. Socket users were protected even while the package was live.

Malicious code in wlwz-2312-2600 (npm) Source: ghsa-malware (b5eef6b16686784256db2a00384a8ec28d6497cbe82599dae0f938574b300987) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 35 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package details, directory paths, hostname, username, and DNS servers, and sends it to a remote server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

This code poses a serious security risk and should not be used.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

The source code is malicious and designed to steal Discord tokens from the local storage directories of various applications and web browsers, including Discord, Chrome, Firefox, Opera, Edge, Vivaldi, Brave, and others. It constructs file paths to these applications' local storage directories and searches for files (such as 'log' and 'ldb' files) that may contain tokens. It uses regular expressions to locate both plaintext and encrypted tokens within these files. For encrypted tokens, it retrieves the 'master key' from the 'Local State' file of the corresponding application and employs AES decryption using Windows Cryptographic API functions to decrypt the tokens. The extracted tokens are then validated by making unauthorized requests to the Discord API at 'https[:]//discord[.]com/api/v9/users/@me', simulating an authenticated session. Valid tokens, along with associated user IDs, are stored in a text file within a directory in the user's temporary folder (e.g., '%TEMP%\info\discord\discordTokens.txt'). This behavior poses a significant security risk by enabling unauthorized access to user accounts, potential account takeover, exfiltration of sensitive information, and misuse of user data.

The provided code is heavily obfuscated and manipulates the clipboard, which poses a significant security risk. The lack of detailed reports means we have to rely on our analysis to estimate the scores. The obfuscation and clipboard manipulation justify higher scores for malware and risk.

This script is highly suspicious and likely malicious. It attempts to make unauthorized network requests and includes a reverse shell command, which could lead to unauthorized access to the system.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

The script checks for specific environment conditions and then collects the environment variables, encodes them in base64, and sends them to an external server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.