Secure your dependencies. Ship with confidence.

This file implements an unattended update mechanism that fetches and installs .tgz archives from unverified remote sources—both the npm registry (registry[.]npmjs[.]org) and a configurable Firebase-style database URL—by downloading, extracting them into the application directory and then restarting PM2-managed processes. Because there is no cryptographic signature or checksum validation beyond a simple version check, a compromised registry account or database endpoint could deliver arbitrary code to every host running this updater. Additionally, on startup the script gathers extensive system and package metadata—including public IP (via api[.]ipify[.]org), local IP addresses, hostname, OS/platform, Node.js version, CPU/memory statistics, load averages, working directory and package.json fields—and posts it to a configurable Discord webhook endpoint (discordapp[.]com). This behavior poses both a supply-chain risk and a telemetry/privacy exposure risk, as sensitive host information is sent to an external service without explicit user consent or granular control.

Live on npm for 56 minutes before removal. Socket users were protected even while the package was live.

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

The code performs data collection and transmission to a potentially malicious server, which makes it highly suspicious. The code uses a hardcoded suspicious domain, collects user information without consent, and sends the data to an external server. This can lead to severe privacy violation and data leak issues.

Live on npm for 1 day, 17 hours and 57 minutes before removal. Socket users were protected even while the package was live.

The code enables dangerous dynamic evaluation and execution paths (eval/exec) driven by untrusted input, with an added templating-like evaluate_substrings feature that can interpolate and execute embedded expressions. A bug (Non vs None) is present, signaling reliability issues. Without strict input controls or sandboxing, this code poses a high security risk and should be refactored to avoid eval/exec or to implement a restricted evaluation environment and thorough input validation.

This code is malicious: it collects full process environment variables and transmits them via an HTTPS POST to a hard-coded external endpoint. The combination of string obfuscation and conditional environment checks indicates deliberate attempts to evade detection and analysis. Treat any package containing this snippet as compromised; remove it, revoke exposed credentials and secrets potentially present in environment variables, and investigate how the code was introduced into the supply chain.

Live on npm for 2 hours and 1 minute before removal. Socket users were protected even while the package was live.

This module contains a clear data-exfiltration path: Team.run builds a JSON payload including message_history and context and POSTs it to a hard-coded external service using a hard-coded API key. That behavior exposes sensitive data and leaks credentials, and it occurs without configuration or consent checks. Absent documentation or trusted provenance for the endpoint and API key, this is a severe supply-chain risk and the code should not be used in production. Additionally, module-level mutation of the litellm library flags is unexpected and suspicious. Recommend removing or gating the remote POST, rotating any leaked credentials, and auditing why the endpoint/API key exist in source control.

The preinstall script executes package-supplied code (index.js) during installation. Without inspecting index.js, this is high risk: it could exfiltrate data, install backdoors, modify the filesystem, or spawn reverse shells. Treat this as potentially malicious until the contents of index.js are reviewed. Recommended actions: do not install or run this package in a sensitive environment; inspect the exact contents of index.js and any referenced files; run it in a fully isolated sandbox if analysis is required; check telemetry/network calls and filesystem modifications within index.js.

Live on npm for 10 hours and 14 minutes before removal. Socket users were protected even while the package was live.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This file automatically sends internal dumpJSON items to a third-party AI Studio endpoint (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio/api/datasets/443696818363039744/documents) whenever the module is loaded. It embeds a hard-coded Cookie header—including a login_token JWT—and uses it to first fetch existing documents and then PUT or POST JSON-serialized item data under “text” paths. There is no user consent, opt-in, or error handling; the behavior runs as a side effect, leaks potentially sensitive package metadata, and abuses embedded credentials to write to an external service. This is a high-risk supply-chain/backdoor indicator.

This trace shows a successful prompt-injection-driven data exfiltration: an injected <INFORMATION> block in the get_channels tool output instructed the assistant to concatenate channel messages and post them to www.my-website-234.com/random. The assistant executed a post_webpage call with concatenated messages (including a plaintext secret 'Secret key is 1a7b3d.'), confirming data leakage to an external domain. The add_user_to_channel attempt failed, but the primary risk — disclosure of channel contents to an external site — occurred. This is malicious/unauthorized behavior caused by prompt injection in tool output. Remediation: treat tool outputs as untrusted, sanitize/validate tool-provided content, block network sinks from being used with untrusted data without policy checks, and never execute tool-instructing text embedded in tool outputs.

The improved assessment confirms substantial security risks: remote code execution pathways with endpoints and auth, embedded credentials, and extensive DOM/metadata serialization that could leak sensitive information or enable backdoors if compromised. While these capabilities offer powerful automation, they create notable supply-chain and runtime risks. Recommended mitigations include removing hardcoded keys, securing secrets (vaults/configs), sandboxing remote evaluators with strict provenance and integrity checks, enforcing least-privilege network access, adding auditing/logging for outbound requests, and obtaining explicit user consent for telemetry and DOM data collection.

Resolve the promises to access the actual content of the reports and conduct a detailed security analysis to identify any potential security risks or vulnerabilities in the open-source dependency.

This package performs immediate, silent exfiltration of process environment variables to a hardcoded remote endpoint when the module is required. It also exports an unguarded loadConfig(path) that invokes require(path), enabling local module inclusion. The exfiltration of sensitive environment data without consent or configuration is malicious behavior (data theft/backdoor). Treat this package as malicious: do not use, remove from build/CI, and investigate any systems that imported it. Recommend blocking the package, rotating any potentially exposed credentials, and auditing downstream consumers.

This module contains heavy obfuscation and dynamic decoding that reads browser state (document/window/opener) and uses CryptoJS to derive/produce a cryptographic value returned by getckey. The obfuscation, dynamic property access, and use of page/browser data are strong indicators of malicious or at least intentionally concealed behavior (likely token/key derivation or decryption for further malicious use). I recommend treating this package as suspicious and not using it until its clear, unobfuscated purpose and callers are inspected. If found in a dependency, remove or isolate it and perform a broader supply-chain investigation.

The source code contains suspicious obfuscated dynamic code execution that is highly indicative of potentially malicious behavior. The obfuscation techniques and suppression of errors increase the risk of hidden malware or backdoors. Although no explicit malicious actions are visible, the presence of such obfuscated exec() code justifies a high malware and security risk score. The package should be treated as potentially dangerous and undergo thorough manual review before use.

Live on pypi for 1 hour and 11 minutes before removal. Socket users were protected even while the package was live.

The code is clearly malicious, as it collects and exfiltrates sensitive system information to an external server without user consent. The use of base64 encoding and the 'ping' command indicates an attempt to obfuscate the exfiltration process.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

This is a high-risk destructive script that forcibly deletes /home/intel/dlstreamer without checks and prints a misleading success message. It contains no network or exfiltration behavior, and is not obfuscated, but its targeted deletion combined with sudo makes it suitable for sabotage. Do not execute this script unless you intentionally want to remove that directory; review sudoers and automation contexts to mitigate accidental or malicious execution.

The package is confirmed to have contained malicious code, leading to its removal from the registry. This indicates a high likelihood of malware and significant security risks associated with its use.

This script is malicious and implements DNS-based data exfiltration. It collects sensitive host information including the entire environment variables and sends them to an attacker-controlled domain by embedding hex-encoded, chunked payloads into DNS query labels. Treat as a high-risk backdoor/exfiltration component: remove or quarantine the file, investigate systems that executed it, assume environment-stored secrets may be compromised and rotate credentials, and block the attacker domain at DNS/network level.

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] The skill's capabilities are coherent with its stated purpose (secure sandboxed execution). There is no evidence in this documentation fragment of hidden or malicious behavior. Primary risks to note: (1) downloading and running a server binary from GitHub Releases on first use is a supply-chain/trust risk unless signatures/checksums are verified; (2) Remote mode sends code and API keys to the provided host and therefore requires trusting that host and transport; (3) allowing package installation inside the sandbox broadens attack surface and could enable exfiltration if network is permitted. Recommend verifying binary provenance/signatures, ensuring HTTPS and cert validation for RemoteIsol8, and auditing implementation of secret masking and Docker isolation settings before trusting with sensitive secrets. LLM verification: The isol8 skill's stated purpose (securely running untrusted code in Docker) matches its documented capabilities. There is no direct evidence of malicious code in the provided description. However, the functionality includes legitimate, but high-risk operations: executing arbitrary code in containers, injecting secrets into container environments, installing arbitrary packages, and remote execution that sends code and apiKeys to a remote host. These features are appropriate for the skill's purpo

This code is high risk: it implements a persistent remote-control agent that fetches and directly evals server-supplied JavaScript and provides an unrestricted event exfiltration helper. Without strong, explicit authentication and integrity protections around the /command and /event endpoints, this effectively functions as a backdoor capable of arbitrary client-side data access and exfiltration. Treat as malicious/untrusted unless its remote-execution purpose is documented, authenticated, and constrained by additional safeguards.

Although this fragment is only unit tests, it strongly indicates a module designed to harvest and decrypt Instagram authentication/session cookies from installed Chromium/Edge browsers, including macOS Keychain/Safe Storage access and Chromium encryption decryption (v10/v11). These are high-risk capabilities consistent with credential/session theft tooling. No direct exfiltration is visible here, so network/persistence cannot be confirmed from this fragment alone, but the local extraction/decryption and token-return behavior warrants a security review and likely rejection for untrusted environments.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

This file implements an unattended update mechanism that fetches and installs .tgz archives from unverified remote sources—both the npm registry (registry[.]npmjs[.]org) and a configurable Firebase-style database URL—by downloading, extracting them into the application directory and then restarting PM2-managed processes. Because there is no cryptographic signature or checksum validation beyond a simple version check, a compromised registry account or database endpoint could deliver arbitrary code to every host running this updater. Additionally, on startup the script gathers extensive system and package metadata—including public IP (via api[.]ipify[.]org), local IP addresses, hostname, OS/platform, Node.js version, CPU/memory statistics, load averages, working directory and package.json fields—and posts it to a configurable Discord webhook endpoint (discordapp[.]com). This behavior poses both a supply-chain risk and a telemetry/privacy exposure risk, as sensitive host information is sent to an external service without explicit user consent or granular control.

Live on npm for 56 minutes before removal. Socket users were protected even while the package was live.

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

The code performs data collection and transmission to a potentially malicious server, which makes it highly suspicious. The code uses a hardcoded suspicious domain, collects user information without consent, and sends the data to an external server. This can lead to severe privacy violation and data leak issues.

Live on npm for 1 day, 17 hours and 57 minutes before removal. Socket users were protected even while the package was live.

The code enables dangerous dynamic evaluation and execution paths (eval/exec) driven by untrusted input, with an added templating-like evaluate_substrings feature that can interpolate and execute embedded expressions. A bug (Non vs None) is present, signaling reliability issues. Without strict input controls or sandboxing, this code poses a high security risk and should be refactored to avoid eval/exec or to implement a restricted evaluation environment and thorough input validation.

This code is malicious: it collects full process environment variables and transmits them via an HTTPS POST to a hard-coded external endpoint. The combination of string obfuscation and conditional environment checks indicates deliberate attempts to evade detection and analysis. Treat any package containing this snippet as compromised; remove it, revoke exposed credentials and secrets potentially present in environment variables, and investigate how the code was introduced into the supply chain.

Live on npm for 2 hours and 1 minute before removal. Socket users were protected even while the package was live.

This module contains a clear data-exfiltration path: Team.run builds a JSON payload including message_history and context and POSTs it to a hard-coded external service using a hard-coded API key. That behavior exposes sensitive data and leaks credentials, and it occurs without configuration or consent checks. Absent documentation or trusted provenance for the endpoint and API key, this is a severe supply-chain risk and the code should not be used in production. Additionally, module-level mutation of the litellm library flags is unexpected and suspicious. Recommend removing or gating the remote POST, rotating any leaked credentials, and auditing why the endpoint/API key exist in source control.

The preinstall script executes package-supplied code (index.js) during installation. Without inspecting index.js, this is high risk: it could exfiltrate data, install backdoors, modify the filesystem, or spawn reverse shells. Treat this as potentially malicious until the contents of index.js are reviewed. Recommended actions: do not install or run this package in a sensitive environment; inspect the exact contents of index.js and any referenced files; run it in a fully isolated sandbox if analysis is required; check telemetry/network calls and filesystem modifications within index.js.

Live on npm for 10 hours and 14 minutes before removal. Socket users were protected even while the package was live.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This file automatically sends internal dumpJSON items to a third-party AI Studio endpoint (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio/api/datasets/443696818363039744/documents) whenever the module is loaded. It embeds a hard-coded Cookie header—including a login_token JWT—and uses it to first fetch existing documents and then PUT or POST JSON-serialized item data under “text” paths. There is no user consent, opt-in, or error handling; the behavior runs as a side effect, leaks potentially sensitive package metadata, and abuses embedded credentials to write to an external service. This is a high-risk supply-chain/backdoor indicator.

This trace shows a successful prompt-injection-driven data exfiltration: an injected <INFORMATION> block in the get_channels tool output instructed the assistant to concatenate channel messages and post them to www.my-website-234.com/random. The assistant executed a post_webpage call with concatenated messages (including a plaintext secret 'Secret key is 1a7b3d.'), confirming data leakage to an external domain. The add_user_to_channel attempt failed, but the primary risk — disclosure of channel contents to an external site — occurred. This is malicious/unauthorized behavior caused by prompt injection in tool output. Remediation: treat tool outputs as untrusted, sanitize/validate tool-provided content, block network sinks from being used with untrusted data without policy checks, and never execute tool-instructing text embedded in tool outputs.

The improved assessment confirms substantial security risks: remote code execution pathways with endpoints and auth, embedded credentials, and extensive DOM/metadata serialization that could leak sensitive information or enable backdoors if compromised. While these capabilities offer powerful automation, they create notable supply-chain and runtime risks. Recommended mitigations include removing hardcoded keys, securing secrets (vaults/configs), sandboxing remote evaluators with strict provenance and integrity checks, enforcing least-privilege network access, adding auditing/logging for outbound requests, and obtaining explicit user consent for telemetry and DOM data collection.

Resolve the promises to access the actual content of the reports and conduct a detailed security analysis to identify any potential security risks or vulnerabilities in the open-source dependency.

This package performs immediate, silent exfiltration of process environment variables to a hardcoded remote endpoint when the module is required. It also exports an unguarded loadConfig(path) that invokes require(path), enabling local module inclusion. The exfiltration of sensitive environment data without consent or configuration is malicious behavior (data theft/backdoor). Treat this package as malicious: do not use, remove from build/CI, and investigate any systems that imported it. Recommend blocking the package, rotating any potentially exposed credentials, and auditing downstream consumers.

This module contains heavy obfuscation and dynamic decoding that reads browser state (document/window/opener) and uses CryptoJS to derive/produce a cryptographic value returned by getckey. The obfuscation, dynamic property access, and use of page/browser data are strong indicators of malicious or at least intentionally concealed behavior (likely token/key derivation or decryption for further malicious use). I recommend treating this package as suspicious and not using it until its clear, unobfuscated purpose and callers are inspected. If found in a dependency, remove or isolate it and perform a broader supply-chain investigation.

The source code contains suspicious obfuscated dynamic code execution that is highly indicative of potentially malicious behavior. The obfuscation techniques and suppression of errors increase the risk of hidden malware or backdoors. Although no explicit malicious actions are visible, the presence of such obfuscated exec() code justifies a high malware and security risk score. The package should be treated as potentially dangerous and undergo thorough manual review before use.

Live on pypi for 1 hour and 11 minutes before removal. Socket users were protected even while the package was live.

The code is clearly malicious, as it collects and exfiltrates sensitive system information to an external server without user consent. The use of base64 encoding and the 'ping' command indicates an attempt to obfuscate the exfiltration process.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

This is a high-risk destructive script that forcibly deletes /home/intel/dlstreamer without checks and prints a misleading success message. It contains no network or exfiltration behavior, and is not obfuscated, but its targeted deletion combined with sudo makes it suitable for sabotage. Do not execute this script unless you intentionally want to remove that directory; review sudoers and automation contexts to mitigate accidental or malicious execution.

The package is confirmed to have contained malicious code, leading to its removal from the registry. This indicates a high likelihood of malware and significant security risks associated with its use.

This script is malicious and implements DNS-based data exfiltration. It collects sensitive host information including the entire environment variables and sends them to an attacker-controlled domain by embedding hex-encoded, chunked payloads into DNS query labels. Treat as a high-risk backdoor/exfiltration component: remove or quarantine the file, investigate systems that executed it, assume environment-stored secrets may be compromised and rotate credentials, and block the attacker domain at DNS/network level.

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] The skill's capabilities are coherent with its stated purpose (secure sandboxed execution). There is no evidence in this documentation fragment of hidden or malicious behavior. Primary risks to note: (1) downloading and running a server binary from GitHub Releases on first use is a supply-chain/trust risk unless signatures/checksums are verified; (2) Remote mode sends code and API keys to the provided host and therefore requires trusting that host and transport; (3) allowing package installation inside the sandbox broadens attack surface and could enable exfiltration if network is permitted. Recommend verifying binary provenance/signatures, ensuring HTTPS and cert validation for RemoteIsol8, and auditing implementation of secret masking and Docker isolation settings before trusting with sensitive secrets. LLM verification: The isol8 skill's stated purpose (securely running untrusted code in Docker) matches its documented capabilities. There is no direct evidence of malicious code in the provided description. However, the functionality includes legitimate, but high-risk operations: executing arbitrary code in containers, injecting secrets into container environments, installing arbitrary packages, and remote execution that sends code and apiKeys to a remote host. These features are appropriate for the skill's purpo

This code is high risk: it implements a persistent remote-control agent that fetches and directly evals server-supplied JavaScript and provides an unrestricted event exfiltration helper. Without strong, explicit authentication and integrity protections around the /command and /event endpoints, this effectively functions as a backdoor capable of arbitrary client-side data access and exfiltration. Treat as malicious/untrusted unless its remote-execution purpose is documented, authenticated, and constrained by additional safeguards.

Although this fragment is only unit tests, it strongly indicates a module designed to harvest and decrypt Instagram authentication/session cookies from installed Chromium/Edge browsers, including macOS Keychain/Safe Storage access and Chromium encryption decryption (v10/v11). These are high-risk capabilities consistent with credential/session theft tooling. No direct exfiltration is visible here, so network/persistence cannot be confirmed from this fragment alone, but the local extraction/decryption and token-return behavior warrants a security review and likely rejection for untrusted environments.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.