Secure your dependencies. Ship with confidence.

The code exhibits several characteristics of malicious behavior, including obfuscation, potential data exfiltration, and access to sensitive data paths. These factors warrant a high level of concern.

Live on npm for 2 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The code collects and sends sensitive system information to a potentially malicious domain, which is a significant privacy and security concern. The behavior aligns with data exfiltration patterns, indicating a high risk of malicious intent.

Live on npm for 15 days, 10 hours and 4 minutes before removal. Socket users were protected even while the package was live.

This script uses curl to send the contents of /etc/passwd to a remote server. This behavior is considered highly suspicious and potentially malicious.

Live on npm for 6 hours and 20 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of hardhat-gas-reporter - Explanation: The package 'hardhat-gas-optimizer' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name is very similar to 'hardhat-gas-reporter', differing only in the last word, which could easily confuse users. There is no indication of a distinct purpose, intentional play on words, or known maintainers, making it likely a typosquat.

Live on npm for 8 hours and 48 minutes before removal. Socket users were protected even while the package was live.

The script is designed to capture and send system information to an external server, which poses a significant security risk and is indicative of malicious behavior.

Live on npm for 3 hours and 7 minutes before removal. Socket users were protected even while the package was live.

The code is exfiltrating system information to an external server using DNS queries, which is indicative of malicious behavior. This poses a significant security risk due to unauthorized data transmission.

Live on npm for 1 hour and 18 minutes before removal. Socket users were protected even while the package was live.

The code appears to be malicious and is likely part of a supply chain attack or other form of malicious activity. It should not be used and should be removed from any affected systems immediately.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 2 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The code is highly likely to be malicious as it collects sensitive system information (hostname, current user, working directory, and file listing) and sends it to an external server. The use of base64 encoding and the domain 'pipedream.ne' are also highly suspicious.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

The source code provides extensive system and network capabilities that can be used for legitimate purposes, such as system monitoring or management. However, these capabilities can also be leveraged for malicious activities, such as unauthorized data access or system manipulation. The potential for misuse warrants a moderate security risk and malware score.

The code imports several modules with unusual names and calls a non-standard function `.functame()` on each. The naming conventions and method calls are suspicious and could indicate obfuscated or non-standard behavior. However, without more information on what the imported modules actually do, it is difficult to ascertain the full extent of the risk. Further investigation into these modules is necessary.

Live on npm for 57 days, 1 hour and 27 minutes before removal. Socket users were protected even while the package was live.

This code is a clear case of malware designed to stealthily steal sensitive system information and exfiltrate it to an attacker-controlled server. It collects a wide range of private data, including the contents of /etc/passwd, and sends it to a hardcoded suspicious domain using an HTTPS request. The code is structured to hide its malicious intent. Executing this code would result in unauthorized disclosure of sensitive data and represents an extremely high security risk. It should never be used or included in any project under any circumstances.

Live on npm for 40 minutes before removal. Socket users were protected even while the package was live.

The code automates Facebook login and includes features for handling two-factor authentication and automatic updates. However, the use of external updates and shell command execution poses security risks. The code does not appear to be obfuscated, but the potential for remote code execution and environment variable manipulation should be carefully reviewed.

Live on npm for 7 hours and 21 minutes before removal. Socket users were protected even while the package was live.

This script issues a curl command to send the system hostname to example[.]oast[.]fun without user consent, indicating unauthorized data collection. Although suspicious, it does not exhibit destructive or malicious capabilities.

The code is highly obfuscated and exhibits suspicious behavior, such as connecting to an external IP and executing commands. These actions suggest a high likelihood of malicious intent.

Live on npm for 11 hours and 11 minutes before removal. Socket users were protected even while the package was live.

This file contains code that reverses a string, decodes it from base64, decompresses it with zlib, and then executes it via exec(). Such obfuscation is a common tactic in malicious scripts to hide their true functionality, which can include data exfiltration, system compromise, or other unauthorized activities. No specific domain or IP address references were found in the decoded payload, but the obfuscation strongly indicates malicious intent.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 12 days, 11 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated and includes the use of 'child_process', which could be used for executing system commands. This presents a potential security risk. The obfuscation makes it challenging to determine the exact behavior, warranting a cautious approach.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

The script collects the current working directory and sends it to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 13 days, 9 hours and 24 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 31 minutes before removal. Socket users were protected even while the package was live.

The script poses a high security risk as malware due to its ability to alter disk partitions without user interaction, leading to data loss or system damage.

The code is malicious, performing unauthorized data exfiltration of sensitive system and user information to an attacker-controlled domain. It poses a high security risk and should be considered malware. The code is not obfuscated but deliberately hides errors to avoid detection.

Live on npm for 1 hour and 51 minutes before removal. Socket users were protected even while the package was live.

The script collects the user's hostname and username and sends it to a remote server via an HTTP request.

This file exfiltrates sensitive user and system information (including user details, hostname, environment variables, and contents from /etc/passwd or C:\Windows\System32\drivers\etc\hosts) via an HTTPS request to rfkdzilfytxwxuugbptenlr7n7wr1qdyg[.]oast[.]fun. It also attempts to spawn reverse shells connecting back to 157.173.200.135 on various ports, providing unauthorized remote access. These behaviors indicate clear malicious intent and pose a serious security risk.

Live on npm for 14 days, 6 hours and 23 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure azure-graphrbac is a malicious package that exfiltrates system (Ex - hostname) and project details to external servers.

Live on npm for 7 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several characteristics of malicious behavior, including obfuscation, potential data exfiltration, and access to sensitive data paths. These factors warrant a high level of concern.

Live on npm for 2 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The code collects and sends sensitive system information to a potentially malicious domain, which is a significant privacy and security concern. The behavior aligns with data exfiltration patterns, indicating a high risk of malicious intent.

Live on npm for 15 days, 10 hours and 4 minutes before removal. Socket users were protected even while the package was live.

This script uses curl to send the contents of /etc/passwd to a remote server. This behavior is considered highly suspicious and potentially malicious.

Live on npm for 6 hours and 20 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of hardhat-gas-reporter - Explanation: The package 'hardhat-gas-optimizer' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name is very similar to 'hardhat-gas-reporter', differing only in the last word, which could easily confuse users. There is no indication of a distinct purpose, intentional play on words, or known maintainers, making it likely a typosquat.

Live on npm for 8 hours and 48 minutes before removal. Socket users were protected even while the package was live.

The script is designed to capture and send system information to an external server, which poses a significant security risk and is indicative of malicious behavior.

Live on npm for 3 hours and 7 minutes before removal. Socket users were protected even while the package was live.

The code is exfiltrating system information to an external server using DNS queries, which is indicative of malicious behavior. This poses a significant security risk due to unauthorized data transmission.

Live on npm for 1 hour and 18 minutes before removal. Socket users were protected even while the package was live.

The code appears to be malicious and is likely part of a supply chain attack or other form of malicious activity. It should not be used and should be removed from any affected systems immediately.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 2 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The code is highly likely to be malicious as it collects sensitive system information (hostname, current user, working directory, and file listing) and sends it to an external server. The use of base64 encoding and the domain 'pipedream.ne' are also highly suspicious.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

The source code provides extensive system and network capabilities that can be used for legitimate purposes, such as system monitoring or management. However, these capabilities can also be leveraged for malicious activities, such as unauthorized data access or system manipulation. The potential for misuse warrants a moderate security risk and malware score.

The code imports several modules with unusual names and calls a non-standard function `.functame()` on each. The naming conventions and method calls are suspicious and could indicate obfuscated or non-standard behavior. However, without more information on what the imported modules actually do, it is difficult to ascertain the full extent of the risk. Further investigation into these modules is necessary.

Live on npm for 57 days, 1 hour and 27 minutes before removal. Socket users were protected even while the package was live.

This code is a clear case of malware designed to stealthily steal sensitive system information and exfiltrate it to an attacker-controlled server. It collects a wide range of private data, including the contents of /etc/passwd, and sends it to a hardcoded suspicious domain using an HTTPS request. The code is structured to hide its malicious intent. Executing this code would result in unauthorized disclosure of sensitive data and represents an extremely high security risk. It should never be used or included in any project under any circumstances.

Live on npm for 40 minutes before removal. Socket users were protected even while the package was live.

The code automates Facebook login and includes features for handling two-factor authentication and automatic updates. However, the use of external updates and shell command execution poses security risks. The code does not appear to be obfuscated, but the potential for remote code execution and environment variable manipulation should be carefully reviewed.

Live on npm for 7 hours and 21 minutes before removal. Socket users were protected even while the package was live.

This script issues a curl command to send the system hostname to example[.]oast[.]fun without user consent, indicating unauthorized data collection. Although suspicious, it does not exhibit destructive or malicious capabilities.

The code is highly obfuscated and exhibits suspicious behavior, such as connecting to an external IP and executing commands. These actions suggest a high likelihood of malicious intent.

Live on npm for 11 hours and 11 minutes before removal. Socket users were protected even while the package was live.

This file contains code that reverses a string, decodes it from base64, decompresses it with zlib, and then executes it via exec(). Such obfuscation is a common tactic in malicious scripts to hide their true functionality, which can include data exfiltration, system compromise, or other unauthorized activities. No specific domain or IP address references were found in the decoded payload, but the obfuscation strongly indicates malicious intent.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 12 days, 11 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated and includes the use of 'child_process', which could be used for executing system commands. This presents a potential security risk. The obfuscation makes it challenging to determine the exact behavior, warranting a cautious approach.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

The script collects the current working directory and sends it to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 13 days, 9 hours and 24 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 31 minutes before removal. Socket users were protected even while the package was live.

The script poses a high security risk as malware due to its ability to alter disk partitions without user interaction, leading to data loss or system damage.

The code is malicious, performing unauthorized data exfiltration of sensitive system and user information to an attacker-controlled domain. It poses a high security risk and should be considered malware. The code is not obfuscated but deliberately hides errors to avoid detection.

Live on npm for 1 hour and 51 minutes before removal. Socket users were protected even while the package was live.

The script collects the user's hostname and username and sends it to a remote server via an HTTP request.

This file exfiltrates sensitive user and system information (including user details, hostname, environment variables, and contents from /etc/passwd or C:\Windows\System32\drivers\etc\hosts) via an HTTPS request to rfkdzilfytxwxuugbptenlr7n7wr1qdyg[.]oast[.]fun. It also attempts to spawn reverse shells connecting back to 157.173.200.135 on various ports, providing unauthorized remote access. These behaviors indicate clear malicious intent and pose a serious security risk.

Live on npm for 14 days, 6 hours and 23 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure azure-graphrbac is a malicious package that exfiltrates system (Ex - hostname) and project details to external servers.

Live on npm for 7 hours and 15 minutes before removal. Socket users were protected even while the package was live.