Secure your dependencies. Ship with confidence.

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is disclosed in documentation of the package and seriously disrupts user experience.

This assembly contains a sophisticated obfuscated runtime loader/packer: it reads encrypted embedded resources or files, decrypts them with a hardcoded symmetric key/IV, performs RSA signature verification, allocates executable memory, writes the decrypted payload into memory or other process memory, creates delegates/function pointers and invokes the in-memory code. It also exposes/uses native nfapi calls to control a network driver. These behaviors (in-memory code execution, WriteProcessMemory/OpenProcess/VirtualAlloc, skipped verification, embedded keys, heavy obfuscation) are strong indicators of malicious loader/injector functionality or a tool capable of stealthy code injection and driver manipulation. Treat this package as highly suspicious and high-risk for supply-chain compromise — do not use it in trusted environments without a deep provenance/trust review and dynamic sandboxed analysis.

The code presents a strong supply-chain and remote-execution risk by automatically downloading and executing remote Python payloads without integrity checks or sandboxing. It also creates and runs external services (Jupyter, Visdom, RStudio) based on user inputs, which can amplify impact if the remote payload is malicious. Mitigations include removing remote code execution paths, adding cryptographic verification (signatures or hash checks), isolating execution (sandboxes or containerization), validating inputs, and avoiding untrusted downloads or executions.

The code employs obfuscation, atypical patterns, dynamic code execution, and interaction with the global scope with malicious intent.

Live on npm for 70 days, 2 hours and 11 minutes before removal. Socket users were protected even while the package was live.

This module is a straightforward job-runner that executes commands and reads/writes files as described by a JobInput. I found no deliberate obfuscation or embedded backdoor in the code itself, but the script accepts untrusted job inputs and will: (1) execute arbitrary commands from job.commands, (2) write files to paths provided in job.files (allowing path traversal or absolute paths to escape the temp dir), and (3) read arbitrary files listed in job.return_files and include them in the output. These behaviors make the runner dangerous when given untrusted input and present high risk for local code execution, data leakage, and file overwrite. Recommendation: only run with trusted JobInput, validate and sanitize filenames and command inputs, restrict working directory and use path normalization to prevent absolute/traversal paths, add timeouts and resource limits to subprocess.run, and consider stronger sandboxing (containers, limited privileges).

Live on pypi for 10 hours and 6 minutes before removal. Socket users were protected even while the package was live.

This source performs privileged/local reconnaissance by enumerating processes and network interfaces across network namespaces and returning that data via RPC/protobuf responses. The code is clear and not obfuscated, contains no hardcoded secrets, and does not itself open network channels, but it uses unix.Setns and /proc namespace file descriptors to enumerate other network namespaces — a capability seen in post-exploitation/implant tooling. Given the file header and package origin (Sliver implant framework), this module is intended for offensive use and poses a high security risk if present on a host. Restrict execution privileges and treat deployments of this code as hostile unless explicitly required and authorized.

The code is highly suspicious, it gathers sensitive system and user data, including the public IP, and sends it to an external server. Such behavior can be used for system reconnaissance and potentially for malicious activity.

Live on npm for 17 days, 12 hours and 37 minutes before removal. Socket users were protected even while the package was live.

The code is obfuscated using base64 encoding, which can hide its true purpose. Without further analysis of the decoded WebAssembly module, it's difficult to assess the security risks or potential malicious behavior. The reports are flawed and do not provide any useful information.

This code fragment performs a privileged, unconditional systemd service stop for a hardcoded service (`traffic_router`). It presents a significant operational disruption risk in a supply-chain context. However, with only this single line and no broader context, there is insufficient evidence to confirm broader malicious behavior (e.g., exfiltration/persistence).

This source code is malicious. It covertly collects and exfiltrates system information via DNS queries, disables TLS certificate validation to evade detection, and downloads and executes arbitrary remote code from a suspicious C2 server. The use of eval() on remote content and disabling security checks pose critical security risks. This code should be considered a high security threat and avoided.

Live on npm for 1 hour and 14 minutes before removal. Socket users were protected even while the package was live.

This module is high-risk and shows clear malicious/supply-chain behaviors: writing hardcoded PyPI credentials, executing shell commands with shell=True, self-modifying source, overwriting installed packages (apscheduler), and attempting to append code into Python stdlib files for persistence. Even if some parts are buggy or undefined, the overall intent is to gain persistent, remote-capable control and to publish packages to PyPI using embedded credentials. Do not use this package; treat it as malicious and remove any files it modified. Review systems where this ran for modified stdlib or site-packages files and rotate any exposed credentials.

This file automatically sends internal dumpJSON items to a third-party AI Studio endpoint (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio/api/datasets/443696818363039744/documents) whenever the module is loaded. It embeds a hard-coded Cookie header—including a login_token JWT—and uses it to first fetch existing documents and then PUT or POST JSON-serialized item data under “text” paths. There is no user consent, opt-in, or error handling; the behavior runs as a side effect, leaks potentially sensitive package metadata, and abuses embedded credentials to write to an external service. This is a high-risk supply-chain/backdoor indicator.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 3 hours and 43 minutes before removal. Socket users were protected even while the package was live.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

This fragment is a high-risk dropper/backdoor: it conditionally executes a remote shell script based on environment detection, enabling remote control or destructive actions. It should be considered malware-like behavior and is unacceptable in any npm package context without explicit user consent and strong security controls.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as protestware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The code is vulnerable to command injection due to lack of input sanitization on the 'url' parameter before it is used in the 'exec' function. An attacker could exploit this vulnerability to execute arbitrary commands on the host system.

This module does not itself contain hardcoded malware, but it performs highly dangerous operations: it executes untrusted, model-generated Python code with wide access to program globals, filesystem and data. That design creates a remote code execution vector and a high risk of data exposure or system compromise if the LLM output is malicious or compromised. Use only in tightly controlled, sandboxed environments after adding strict execution controls. The code fragment is dangerous due to its execution model rather than demonstrable embedded malware.

Live on pypi for 15 hours and 41 minutes before removal. Socket users were protected even while the package was live.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

The fragment appears to build Google Ads mutate operations and send them to the official Google Ads API. There is no clear evidence of malicious behavior (no eval/exec, no socket connections to unknown domains, no credential harvesting within this fragment). The major concern is heavy obfuscation which makes full review harder and warrants caution — review the rest of the module (including the deobfuscation helper and GoogleAdsClient implementation) and where 'credentials' originate. Overall, this fragment looks like legitimate ad/campaign-management logic rather than malware.

This client implements a remote-control/backdoor mechanism: it fetches a variable from a remote server, writes a file using server-supplied filename and contents, executes that file via os.system, and then deletes it. There is no validation, authentication, or encryption. This is high-risk behavior and can be used for arbitrary remote code execution and supply-chain or backdoor attacks. Do not run this code against untrusted servers. Replace remote execution, add authentication, use signed payloads, validate filenames (no path traversal), and avoid executing arbitrary files from network sources.

Live on pypi for 4 hours and 48 minutes before removal. Socket users were protected even while the package was live.

This module contains explicit data-exfiltration behavior: a plaintext Telegram bot token and an unconditional upload of a specific local file to a remote Telegram chat when executed. In a repository or dependency this constitutes a high-risk backdoor and credential leak. Treat as malicious/unsafe for reuse in packages; revoke the token and remove or modify the code to require explicit, authenticated configuration before any network file transfer.

Possible typosquat of [@azure/web-pubsub](https://socket.dev/npm/package/@azure/web-pubsub) Explanation: The package 'azure-web-pubsub-express' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name is very similar to '@azure/web-pubsub', and the lack of a distinct description or purpose suggests it could be a typosquat. The maintainer 'npm' does not provide enough information to confirm legitimacy.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is disclosed in documentation of the package and seriously disrupts user experience.

This assembly contains a sophisticated obfuscated runtime loader/packer: it reads encrypted embedded resources or files, decrypts them with a hardcoded symmetric key/IV, performs RSA signature verification, allocates executable memory, writes the decrypted payload into memory or other process memory, creates delegates/function pointers and invokes the in-memory code. It also exposes/uses native nfapi calls to control a network driver. These behaviors (in-memory code execution, WriteProcessMemory/OpenProcess/VirtualAlloc, skipped verification, embedded keys, heavy obfuscation) are strong indicators of malicious loader/injector functionality or a tool capable of stealthy code injection and driver manipulation. Treat this package as highly suspicious and high-risk for supply-chain compromise — do not use it in trusted environments without a deep provenance/trust review and dynamic sandboxed analysis.

The code presents a strong supply-chain and remote-execution risk by automatically downloading and executing remote Python payloads without integrity checks or sandboxing. It also creates and runs external services (Jupyter, Visdom, RStudio) based on user inputs, which can amplify impact if the remote payload is malicious. Mitigations include removing remote code execution paths, adding cryptographic verification (signatures or hash checks), isolating execution (sandboxes or containerization), validating inputs, and avoiding untrusted downloads or executions.

The code employs obfuscation, atypical patterns, dynamic code execution, and interaction with the global scope with malicious intent.

Live on npm for 70 days, 2 hours and 11 minutes before removal. Socket users were protected even while the package was live.

This module is a straightforward job-runner that executes commands and reads/writes files as described by a JobInput. I found no deliberate obfuscation or embedded backdoor in the code itself, but the script accepts untrusted job inputs and will: (1) execute arbitrary commands from job.commands, (2) write files to paths provided in job.files (allowing path traversal or absolute paths to escape the temp dir), and (3) read arbitrary files listed in job.return_files and include them in the output. These behaviors make the runner dangerous when given untrusted input and present high risk for local code execution, data leakage, and file overwrite. Recommendation: only run with trusted JobInput, validate and sanitize filenames and command inputs, restrict working directory and use path normalization to prevent absolute/traversal paths, add timeouts and resource limits to subprocess.run, and consider stronger sandboxing (containers, limited privileges).

Live on pypi for 10 hours and 6 minutes before removal. Socket users were protected even while the package was live.

This source performs privileged/local reconnaissance by enumerating processes and network interfaces across network namespaces and returning that data via RPC/protobuf responses. The code is clear and not obfuscated, contains no hardcoded secrets, and does not itself open network channels, but it uses unix.Setns and /proc namespace file descriptors to enumerate other network namespaces — a capability seen in post-exploitation/implant tooling. Given the file header and package origin (Sliver implant framework), this module is intended for offensive use and poses a high security risk if present on a host. Restrict execution privileges and treat deployments of this code as hostile unless explicitly required and authorized.

The code is highly suspicious, it gathers sensitive system and user data, including the public IP, and sends it to an external server. Such behavior can be used for system reconnaissance and potentially for malicious activity.

Live on npm for 17 days, 12 hours and 37 minutes before removal. Socket users were protected even while the package was live.

The code is obfuscated using base64 encoding, which can hide its true purpose. Without further analysis of the decoded WebAssembly module, it's difficult to assess the security risks or potential malicious behavior. The reports are flawed and do not provide any useful information.

This code fragment performs a privileged, unconditional systemd service stop for a hardcoded service (`traffic_router`). It presents a significant operational disruption risk in a supply-chain context. However, with only this single line and no broader context, there is insufficient evidence to confirm broader malicious behavior (e.g., exfiltration/persistence).

This source code is malicious. It covertly collects and exfiltrates system information via DNS queries, disables TLS certificate validation to evade detection, and downloads and executes arbitrary remote code from a suspicious C2 server. The use of eval() on remote content and disabling security checks pose critical security risks. This code should be considered a high security threat and avoided.

Live on npm for 1 hour and 14 minutes before removal. Socket users were protected even while the package was live.

This module is high-risk and shows clear malicious/supply-chain behaviors: writing hardcoded PyPI credentials, executing shell commands with shell=True, self-modifying source, overwriting installed packages (apscheduler), and attempting to append code into Python stdlib files for persistence. Even if some parts are buggy or undefined, the overall intent is to gain persistent, remote-capable control and to publish packages to PyPI using embedded credentials. Do not use this package; treat it as malicious and remove any files it modified. Review systems where this ran for modified stdlib or site-packages files and rotate any exposed credentials.

This file automatically sends internal dumpJSON items to a third-party AI Studio endpoint (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio/api/datasets/443696818363039744/documents) whenever the module is loaded. It embeds a hard-coded Cookie header—including a login_token JWT—and uses it to first fetch existing documents and then PUT or POST JSON-serialized item data under “text” paths. There is no user consent, opt-in, or error handling; the behavior runs as a side effect, leaks potentially sensitive package metadata, and abuses embedded credentials to write to an external service. This is a high-risk supply-chain/backdoor indicator.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 3 hours and 43 minutes before removal. Socket users were protected even while the package was live.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

This fragment is a high-risk dropper/backdoor: it conditionally executes a remote shell script based on environment detection, enabling remote control or destructive actions. It should be considered malware-like behavior and is unacceptable in any npm package context without explicit user consent and strong security controls.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as protestware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The code is vulnerable to command injection due to lack of input sanitization on the 'url' parameter before it is used in the 'exec' function. An attacker could exploit this vulnerability to execute arbitrary commands on the host system.

This module does not itself contain hardcoded malware, but it performs highly dangerous operations: it executes untrusted, model-generated Python code with wide access to program globals, filesystem and data. That design creates a remote code execution vector and a high risk of data exposure or system compromise if the LLM output is malicious or compromised. Use only in tightly controlled, sandboxed environments after adding strict execution controls. The code fragment is dangerous due to its execution model rather than demonstrable embedded malware.

Live on pypi for 15 hours and 41 minutes before removal. Socket users were protected even while the package was live.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

The fragment appears to build Google Ads mutate operations and send them to the official Google Ads API. There is no clear evidence of malicious behavior (no eval/exec, no socket connections to unknown domains, no credential harvesting within this fragment). The major concern is heavy obfuscation which makes full review harder and warrants caution — review the rest of the module (including the deobfuscation helper and GoogleAdsClient implementation) and where 'credentials' originate. Overall, this fragment looks like legitimate ad/campaign-management logic rather than malware.

This client implements a remote-control/backdoor mechanism: it fetches a variable from a remote server, writes a file using server-supplied filename and contents, executes that file via os.system, and then deletes it. There is no validation, authentication, or encryption. This is high-risk behavior and can be used for arbitrary remote code execution and supply-chain or backdoor attacks. Do not run this code against untrusted servers. Replace remote execution, add authentication, use signed payloads, validate filenames (no path traversal), and avoid executing arbitrary files from network sources.

Live on pypi for 4 hours and 48 minutes before removal. Socket users were protected even while the package was live.

This module contains explicit data-exfiltration behavior: a plaintext Telegram bot token and an unconditional upload of a specific local file to a remote Telegram chat when executed. In a repository or dependency this constitutes a high-risk backdoor and credential leak. Treat as malicious/unsafe for reuse in packages; revoke the token and remove or modify the code to require explicit, authenticated configuration before any network file transfer.

Possible typosquat of [@azure/web-pubsub](https://socket.dev/npm/package/@azure/web-pubsub) Explanation: The package 'azure-web-pubsub-express' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name is very similar to '@azure/web-pubsub', and the lack of a distinct description or purpose suggests it could be a typosquat. The maintainer 'npm' does not provide enough information to confirm legitimacy.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.