
Security News
libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden
Libxml2’s solo maintainer drops embargoed security fixes, highlighting the burden on unpaid volunteers who keep critical open source software secure.
azure-graphrbac
4.6.7
Removed from npm
Blocked by Socket
Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.
Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.
epm-rdpt-angularjs
1.0.6
by nishant57
Removed from npm
Blocked by Socket
The provided source code is highly malicious as it sets up a reverse shell, allowing unauthorized remote access and control over the system. This poses a severe security risk.
Live on npm for 1 hour and 7 minutes before removal. Socket users were protected even while the package was live.
llm-oracle
1.0.1
by josh.weavery
Live on npm
Blocked by Socket
The code is heavily obfuscated and performs suspicious activities such as copying a file to a system directory and executing it with elevated privileges. This behavior, combined with the obfuscation, suggests a high likelihood of malicious intent.
jcnpm-cli
1.0.0
by jeftlee
Removed from npm
Blocked by Socket
The 'commandSpawn' function is vulnerable to command injection and other shell-based exploits due to the lack of input validation and output sanitization. The package should be used with caution and additional security measures should be taken to mitigate the risk of shell-based exploits.
Live on npm for 9 hours and 35 minutes before removal. Socket users were protected even while the package was live.
qg-toolkit
1.0.13
Live on PyPI
Blocked by Socket
The script collects sensitive user information from the Discord API, including usernames, emails, and IDs, and saves it to a file without user consent. It automates interactions with Discord, including sending unsolicited messages to channels (spamming), and uses a captcha solving service to bypass security measures. The script contains hardcoded API keys and tokens, posing significant security risks if shared or leaked. Additionally, it includes obfuscated JavaScript code to manipulate local storage tokens, suggesting attempts to hijack or misuse user accounts.
@stripo/backend
276.0.20
by neversummer.69
Live on npm
Blocked by Socket
The script collects a wide range of information from the user's system, including OS details, network interfaces, and SSH files, and sends it to a remote server via DNS queries.
single-spa-workfront
1.0.9
by jr0ch17-workfront
Removed from npm
Blocked by Socket
The code is collecting and transmitting sensitive system and user data to an external server without user consent, which is indicative of malicious behavior. The use of HTTPS on port 80 is also suspicious. Immediate action is recommended to prevent potential data breaches.
Live on npm for 13 days, 13 hours and 17 minutes before removal. Socket users were protected even while the package was live.
ntm001-module
3.0.1
by ntm001
Removed from npm
Blocked by Socket
This install script poses a significant security risk as it downloads and executes a script from an untrusted source without any validation. This behavior is highly suspicious and likely malicious.
Live on npm for 22 minutes before removal. Socket users were protected even while the package was live.
curri-slack
0.0.7
Removed from npm
Blocked by Socket
The code exhibits behavior consistent with data exfiltration, sending sensitive system and project information to external servers. This indicates a high risk of malicious activity.
Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.
vizi-dashboard
17.7.7
by itsme369
Removed from npm
Blocked by Socket
This module does not execute any code or perform any actual operations, but it contains a message that indicates the possibility of a code injection vulnerability. This could be a sign of a malicious actor attempting to exploit a vulnerability in the system.
Live on npm for 12 hours and 19 minutes before removal. Socket users were protected even while the package was live.
@epic-social/store
2.2.0
by svennergr2
Live on npm
Blocked by Socket
This code is highly suspicious and likely malicious. It collects sensitive system information and attempts to send it to an external server via DNS queries using the ping command. The hardcoded ID and use of Base64 encoding further indicate an attempt to obfuscate the data being sent. Immediate review and remediation are recommended.
videoads-util-capability-detection
1.0.8
by videoads-util-url-loader
Removed from npm
Blocked by Socket
The code exhibits malicious behavior by collecting and exfiltrating sensitive system information to a remote server, posing a significant security risk.
Live on npm for 1 day, 2 hours and 25 minutes before removal. Socket users were protected even while the package was live.
kasms
1.0.128
by psych0124
Removed from npm
Blocked by Socket
The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.
Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.
calc_ucadidayug
1.0.7
Removed from npm
Blocked by Socket
This script poses a high security risk as it downloads and executes a remote shell script. This behavior is commonly associated with malware and should be considered highly suspicious.
Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.
com.unity.2d.common
9.0.6
by vishal_gouri
Removed from npm
Blocked by Socket
The code exhibits clear malicious behavior by exfiltrating system data to a suspicious domain. The hardcoded DNS server and the method of data transmission indicate a high risk of data theft and unauthorized access. The overall security posture of this code is extremely concerning.
Live on npm for 20 days, 17 hours and 1 minute before removal. Socket users were protected even while the package was live.
airbnb-dev
9.1.0
by jpdtest1
Removed from npm
Blocked by Socket
The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.
Live on npm for 18 hours and 24 minutes before removal. Socket users were protected even while the package was live.
xenon-quiver-lyp495
1.0.0
by afifaljafari112
Removed from npm
Blocked by Socket
The provided code imports several external libraries with unusual names and calls a function `functame` from each one. Without access to the contents of these libraries, it's impossible to determine if this code has malicious intent. The unusual names and lack of clear functionality explanation raise a potential red flag, but there is insufficient information to conclude definitively. This fragment could be benign or it could be a wrapper for malicious activities hidden in the libraries.
Live on npm for 56 days, 15 hours and 55 minutes before removal. Socket users were protected even while the package was live.
hydradx-ui
1.2.1
by hydra_dx_shiv
Removed from npm
Blocked by Socket
The script is likely malicious. It gathers extensive system information, including sensitive data, and sends it to an external server without consent. The presence of a hardcoded domain that is unrelated to the user or a known service is a strong indicator of a data exfiltration attempt.
tddzs1tg06
1.8.0
by tddzs1tg206
Removed from npm
Blocked by Socket
The code is suspicious as it retrieves update information from an unverified external source and uses 'execSync' to run shell commands, which could lead to remote code execution if the external content is compromised. Furthermore, the code attempts to forcibly update and reinstall packages which is not typical for secure update practices.
Live on npm for 4 hours and 11 minutes before removal. Socket users were protected even while the package was live.
dawgie
1.4.2
Live on PyPI
Blocked by Socket
The code has several serious security concerns including the use of unsafe serialization via pickle, untrusted command execution, and a lack of validation for network inputs. Given the potential for arbitrary code execution and system compromise, this code should not be used as is.
tiktok-coins-generator869
1.0.2
by sicrap
Removed from npm
Blocked by Socket
The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.
Live on npm for 3 hours and 55 minutes before removal. Socket users were protected even while the package was live.
coinbase-utils
999.9.9
by amigomioteconsidero13
Removed from npm
Blocked by Socket
The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.
Live on npm for 4 hours and 30 minutes before removal. Socket users were protected even while the package was live.
sift-web-sdk
100.0.0
by torpa_test
Removed from npm
Blocked by Socket
The script downloads a file from a remote server and includes system information in the URL. This behavior is highly suspicious and potentially malicious.
Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.
react-router-packages
3.5.0
by revengerali
Removed from npm
Blocked by Socket
This code fragment has a high security risk due to the potential privacy violation and the use of obfuscation. The code collects and sends potentially sensitive information to an unknown third-party server, which is a cause for concern. The use of a hidden property and the lack of an error handler also suggest that this code may be intentionally obfuscated. Caution should be exercised when using this code.
Live on npm for 4 days, 16 hours and 11 minutes before removal. Socket users were protected even while the package was live.
azure-graphrbac
12.24.1000
Removed from npm
Blocked by Socket
The code exhibits suspicious behavior by sending local machine data and potentially sensitive project information (package.json content) to remote servers. This indicates potential data exfiltration.
Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Known malware
Possible typosquat attack
NPM Shrinkwrap
Git dependency
HTTP dependency
Suspicious Stars on GitHub
Protestware or potentially unwanted behavior
Unstable ownership
AI-detected potential malware
Obfuscated code
Critical CVE
High CVE
Medium CVE
Low CVE
Bad dependency semver
Wildcard dependency
Unpopular package
Minified code
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
Non-permissive License
Ambiguous License Classifier
Copyleft License
Unidentified License
No License Found
License exception
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.
Nat Friedman
CEO at GitHub
Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏
Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.
DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.
Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward
Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.
Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!
Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.
Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!
Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity
Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.
Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour
Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am excited to see where they go next.
Sebastian Bensusan
Engineering Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this
Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻
Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else's code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Depend on Socket to prevent malicious open source dependencies from infiltrating your app.
Install the Socket GitHub App in just 2 clicks and get protected today.
Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.
Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Dec 14, 2023
Hijacked cryptocurrency library adds malware
Widely-used library in cryptocurrency frontend was compromised to include wallet-draining code, following the hijacking of NPM account credentials via phishing.
Jan 06, 2022
Maintainer intentionally adds malware
Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.
Nov 15, 2021
npm discovers a platform vulnerability allowing unauthorized publishing of any package
Attackers could publish new versions of any npm package without authorization for multiple years.
Oct 22, 2021
Hijacked package adds cryptominers and password-stealing malware
Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.
Nov 26, 2018
Package hijacked adding organization specific backdoors
Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.
Research
Security News
Socket investigates hidden protestware in npm packages that blocks user interaction and plays the Ukrainian anthem for Russian-language visitors.
Research
Security News
Socket researchers uncover how browser extensions in trusted stores are used to hijack sessions, redirect traffic, and manipulate user behavior.