Secure your dependencies. Ship with confidence.

The package poses significant security risks due to its intended functionality as a network scanning and attack tool. The presence of scapy and the ambiguous author details suggest potential malicious use. A high malware score is warranted based on these factors.

Possible typosquat of azure azure-graphrbac is a malicious package that exfiltrates system (Ex - hostname) and project details to external servers.

Live on npm for 8 hours and 17 minutes before removal. Socket users were protected even while the package was live.

This code is malicious. It performs unauthorized data exfiltration of system information, environment secrets, and public IP address to a suspicious external domain. The DNS queries and HTTPS POST requests leak sensitive data without user consent, constituting a serious security and privacy risk. The code is not obfuscated but clearly designed for malicious data theft.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 1 hour and 31 minutes before removal. Socket users were protected even while the package was live.

The code is highly malicious. It is explicitly designed to open a reverse shell to a specified IP and port when the package is installed, potentially allowing unauthorized remote access to the system. This represents a severe security threat.

Live on PyPI for 3 hours and 55 minutes before removal. Socket users were protected even while the package was live.

The code is performing actions typical of malware, including data exfiltration via DNS and executing remote code using eval. These activities pose a significant security risk.

Live on npm for 1 hour and 59 minutes before removal. Socket users were protected even while the package was live.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

The code appears to execute a series of functions from various imported modules, all of which have unusual names and a non-standard method `functame`. This could potentially be an indicator of obfuscated or malicious behavior. However, the actual behavior of the functions being called is not visible from the provided code, which makes it difficult to determine the exact nature and intent. Further inspection of the imported modules is required to draw a definitive conclusion.

Live on npm for 56 days, 20 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The code is highly suspicious and likely malicious. It collects sensitive system information and package data and sends it to external servers without user consent. The presence of an indefinite loop and attempts to exfiltrate data further raise red flags.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The code collects and sends potentially sensitive system information to a remote server without user consent. This behavior is highly suspicious and indicates possible data theft. The inclusion of a hardcoded external server and a Telegram contact link further supports the likelihood of malicious intent.

Live on npm for 18 hours and 35 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 2 hours and 52 minutes before removal. Socket users were protected even while the package was live.

This file gathers sensitive system and user information (such as hostname, username, DNS servers, and home directory) and sends it via HTTPS POST to a suspicious domain (twohyakoxgefycnqfkqebjdg4d9o2dz3y[.]oast[.]fun) without user consent, indicating malicious behavior.

The script is making an HTTP request to an external server. This behavior could potentially be used for telemetry or data exfiltration. Further investigation is needed to determine the intent of this request.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 17 days, 22 hours and 10 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [@azure/web-pubsub](https://socket.dev/npm/package/@azure/web-pubsub) Explanation: The package 'azure-web-pubsub-express' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name is very similar to '@azure/web-pubsub', and the lack of a distinct description or purpose suggests it could be a typosquat. The maintainer 'npm' does not provide enough information to confirm legitimacy.

The code poses significant security risks due to the potential for executing malicious executables and establishing unauthorized connections. Further analysis of the code's context and the legitimacy of 'reverse.exe' is necessary to fully assess the risks.

Live on PyPI for 6 days, 15 hours and 47 minutes before removal. Socket users were protected even while the package was live.

The code has several potential security risks, including downloading and executing files from unknown sources and disabling TLS certificate verification.

The code masquerades as a legitimate Vite SSL plugin but contains a malicious reverse shell payload. Despite its seemingly innocent plugin functionality for SSL certificate management, it includes a covert background process that establishes a persistent TCP connection to a hardcoded IP address (192.168.20.145:5432). The code spawns a system shell (cmd.exe on Windows, /bin/sh on Unix) and pipes its input/output to the remote connection. The malicious connection automatically attempts to reconnect every 5 seconds if disconnected, indicating persistent backdoor behavior. While not heavily obfuscated, the malware disguises itself as a legitimate development tool to avoid detection.

This code is designed specifically to generate malicious XML payloads for XXE attacks, XML bombs, and SSRF exploitation. It provides ready-made attack templates that could lead to file system access, data theft, denial of service, and network reconnaissance. The code has no legitimate security testing context and appears intended for malicious use.

Possible typosquat of azure azure-graphrbac is a malicious package that exfiltrates system (Ex - hostname) and project details to external servers.

Live on npm for 4 hours and 5 minutes before removal. Socket users were protected even while the package was live.

The code contains malicious behavior by exfiltrating potentially sensitive clipboard data to an external server without user consent, representing a significant privacy and security risk. The code is not obfuscated but contains implementation bugs. The provided reports are invalid and unhelpful. This package should be flagged as high risk and potentially malicious.

The script collects various system and package information and sends it to a remote server. This may include hostname, username, and other sensitive data.

Live on npm for 18 hours and 28 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated and involves filesystem and OS operations, raising concerns about potential malicious behavior. Without deobfuscation, it's challenging to confirm specific threats, but the risk is significant.

Live on npm for 6 days, 16 hours and 5 minutes before removal. Socket users were protected even while the package was live.

The script is designed to exfiltrate memory mapping data from the host system to a remote server, which poses a significant security risk and is indicative of malicious behavior.

The code exhibits multiple signs of malicious behavior, including data collection, remote code execution, and potential data exfiltration. The presence of these elements indicates a high risk to user privacy and security.

The package poses significant security risks due to its intended functionality as a network scanning and attack tool. The presence of scapy and the ambiguous author details suggest potential malicious use. A high malware score is warranted based on these factors.

Possible typosquat of azure azure-graphrbac is a malicious package that exfiltrates system (Ex - hostname) and project details to external servers.

Live on npm for 8 hours and 17 minutes before removal. Socket users were protected even while the package was live.

This code is malicious. It performs unauthorized data exfiltration of system information, environment secrets, and public IP address to a suspicious external domain. The DNS queries and HTTPS POST requests leak sensitive data without user consent, constituting a serious security and privacy risk. The code is not obfuscated but clearly designed for malicious data theft.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 1 hour and 31 minutes before removal. Socket users were protected even while the package was live.

The code is highly malicious. It is explicitly designed to open a reverse shell to a specified IP and port when the package is installed, potentially allowing unauthorized remote access to the system. This represents a severe security threat.

Live on PyPI for 3 hours and 55 minutes before removal. Socket users were protected even while the package was live.

The code is performing actions typical of malware, including data exfiltration via DNS and executing remote code using eval. These activities pose a significant security risk.

Live on npm for 1 hour and 59 minutes before removal. Socket users were protected even while the package was live.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

The code appears to execute a series of functions from various imported modules, all of which have unusual names and a non-standard method `functame`. This could potentially be an indicator of obfuscated or malicious behavior. However, the actual behavior of the functions being called is not visible from the provided code, which makes it difficult to determine the exact nature and intent. Further inspection of the imported modules is required to draw a definitive conclusion.

Live on npm for 56 days, 20 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The code is highly suspicious and likely malicious. It collects sensitive system information and package data and sends it to external servers without user consent. The presence of an indefinite loop and attempts to exfiltrate data further raise red flags.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The code collects and sends potentially sensitive system information to a remote server without user consent. This behavior is highly suspicious and indicates possible data theft. The inclusion of a hardcoded external server and a Telegram contact link further supports the likelihood of malicious intent.

Live on npm for 18 hours and 35 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 2 hours and 52 minutes before removal. Socket users were protected even while the package was live.

This file gathers sensitive system and user information (such as hostname, username, DNS servers, and home directory) and sends it via HTTPS POST to a suspicious domain (twohyakoxgefycnqfkqebjdg4d9o2dz3y[.]oast[.]fun) without user consent, indicating malicious behavior.

The script is making an HTTP request to an external server. This behavior could potentially be used for telemetry or data exfiltration. Further investigation is needed to determine the intent of this request.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 17 days, 22 hours and 10 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [@azure/web-pubsub](https://socket.dev/npm/package/@azure/web-pubsub) Explanation: The package 'azure-web-pubsub-express' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name is very similar to '@azure/web-pubsub', and the lack of a distinct description or purpose suggests it could be a typosquat. The maintainer 'npm' does not provide enough information to confirm legitimacy.

The code poses significant security risks due to the potential for executing malicious executables and establishing unauthorized connections. Further analysis of the code's context and the legitimacy of 'reverse.exe' is necessary to fully assess the risks.

Live on PyPI for 6 days, 15 hours and 47 minutes before removal. Socket users were protected even while the package was live.

The code has several potential security risks, including downloading and executing files from unknown sources and disabling TLS certificate verification.

The code masquerades as a legitimate Vite SSL plugin but contains a malicious reverse shell payload. Despite its seemingly innocent plugin functionality for SSL certificate management, it includes a covert background process that establishes a persistent TCP connection to a hardcoded IP address (192.168.20.145:5432). The code spawns a system shell (cmd.exe on Windows, /bin/sh on Unix) and pipes its input/output to the remote connection. The malicious connection automatically attempts to reconnect every 5 seconds if disconnected, indicating persistent backdoor behavior. While not heavily obfuscated, the malware disguises itself as a legitimate development tool to avoid detection.

This code is designed specifically to generate malicious XML payloads for XXE attacks, XML bombs, and SSRF exploitation. It provides ready-made attack templates that could lead to file system access, data theft, denial of service, and network reconnaissance. The code has no legitimate security testing context and appears intended for malicious use.

Possible typosquat of azure azure-graphrbac is a malicious package that exfiltrates system (Ex - hostname) and project details to external servers.

Live on npm for 4 hours and 5 minutes before removal. Socket users were protected even while the package was live.

The code contains malicious behavior by exfiltrating potentially sensitive clipboard data to an external server without user consent, representing a significant privacy and security risk. The code is not obfuscated but contains implementation bugs. The provided reports are invalid and unhelpful. This package should be flagged as high risk and potentially malicious.

The script collects various system and package information and sends it to a remote server. This may include hostname, username, and other sensitive data.

Live on npm for 18 hours and 28 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated and involves filesystem and OS operations, raising concerns about potential malicious behavior. Without deobfuscation, it's challenging to confirm specific threats, but the risk is significant.

Live on npm for 6 days, 16 hours and 5 minutes before removal. Socket users were protected even while the package was live.

The script is designed to exfiltrate memory mapping data from the host system to a remote server, which poses a significant security risk and is indicative of malicious behavior.

The code exhibits multiple signs of malicious behavior, including data collection, remote code execution, and potential data exfiltration. The presence of these elements indicates a high risk to user privacy and security.