Bidirectional unicode control characters
Bin script confusion
Bin script shell injection
Chronological version anomaly
Environment variable access
27 more issues →
Bad dependency semver
Bad text encoding
CommonJS depending on ESModule
7 more issues →
No bug tracker
No contributors or author data
Deprecated SPDX exception
Modified license exception
Non OSI license
3 more issues →
Depend on Socket to prevent malicious open source dependencies from infiltrating your app.
Install the Socket GitHub App in less than 5 minutes and get protected today.
Block 60+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.
Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.
Jan 06, 2022
Maintainer intentionally adds malware
Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.
Nov 15, 2021
npm discovers a platform vulnerability allowing unauthorized publishing of any package
Attackers could publish new versions of any npm package without authorization for multiple years.
Oct 22, 2021
Hijacked package adds cryptominers and password-stealing malware
Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.
Nov 26, 2018
Package hijacked adding organization specific backdoors
Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.
Circumventing Chinese censorship: Plethora of eBooks pervade these GitHub and npm repositories containing contents of banned websites like 'The Economist'