Secure your dependencies. Ship with confidence.

The codebase exhibits critical risk primarily due to remote code execution surfaces (sandbox/onlineChat) that accept and execute client-supplied code, compounded by dynamic SQL/DDL generation and runtime module loading based on user input. While some endpoints perform ordinary admin-like tasks, the overall risk level is high and warrants removal or strict containment of dynamic execution paths, rigorous input validation/whitelisting, parameterized queries, and a hardened sandbox with strong isolation. Recommend eliminating VM execution of client code or restricting to a fully enclosed, audited policy, replacing dynamic SQL with ORM-safe operations, and enforcing strict input schemas.

This code implements high-risk remote container terminal control: it targets Docker containers based on URL-derived identifiers, executes an in-container interactive shell ('/bin/bash -l'), and forwards untrusted WebSocket JSON payloads into the container exec/attach stream for interactive command/IO relay. Additional environment/script path fragments suggest container environment manipulation/persistence-style behavior. Overall, it is strongly indicative of malicious remote access functionality.

This code implements a covert data exfiltration mechanism via DNS tunneling to a suspicious external domain (dataflow[.]postcss-theme-shorthand-sectest[.]cf), stealing sensitive system information (public IP address, hostname, and current working directory) without user consent. The malware works by chunking the collected data, encoding it as hexadecimal strings, and sending it as DNS queries to avoid detection by standard security monitoring. It explicitly adds public DNS servers (1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4) to ensure the DNS exfiltration succeeds. This implementation represents a sophisticated supply chain attack with data theft capability.

Live on npm for 5 hours and 26 minutes before removal. Socket users were protected even while the package was live.

This code intentionally corrupts the last entry's PoH hash at slot end, persists the corrupted blobs to blocktree, and broadcasts them to the cluster. The behavior is a deliberate sabotage/backdoor that will cause validators to fail verification and can disrupt consensus. The module should be treated as malicious and removed or replaced. Immediate action: do not use this build, audit the repository history to find the introduction point, and treat any deployments that ran this code as suspect.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] The artifact is documentation for a legitimate image-upscaling workflow that depends on a third-party CLI (infsh) and cloud-hosted inference backends. There is no explicit malicious code or hardcoded secrets in the provided text, but the distribution and execution model (curl | sh installer and running downloaded native binaries that transport images and tokens to remote services) present significant supply-chain and privacy risks. If you cannot trust inference.sh or need to protect sensitive images/credentials, avoid this flow or require manual verification of installer binaries and tighter operational controls. LLM verification: Not outright malware, but contains a high-risk supply-chain/install pattern. The skill legitimately describes running a remote CLI and sending images to a cloud service, which matches its stated purpose. However, the explicit recommendation to run `curl https://cli.inference.sh | sh` (download-and-execute) and to run `infsh login` (which will collect credentials) are supply-chain and credential-risk vectors. Treat this skill as suspicious: verify the installer checksum manually before executing,

This module implements a remote-controlled code loader: it fetches a remote config, chooses a remote host, downloads JavaScript modules from that host via require-from-url/sync, and executes them with local configuration. That is effectively arbitrary remote code execution and constitutes a high-risk backdoor/supply-chain capability. If the remote server is malicious or compromised, an attacker can run arbitrary actions on any machine that runs this script. Use is unsafe in untrusted environments and should be treated as malicious/unacceptable unless you fully trust and can cryptographically verify the remote endpoint and payloads.

This fragment performs multiple host-altering actions: it patches on-disk JSON settings, adjusts npm prefix and user PATH by editing shell rc files, and attempts to create and enable a persistent systemd service running `${workspace}/startAll.sh` (with sudo). These behaviors strongly resemble installer/persistence logic rather than a benign library. Without seeing the rest of the module (especially what startAll.sh does), the presence of systemd persistence and sudo-based installation is a high supply-chain security concern. Malware intent cannot be proven from this snippet alone, but the actions are consistent with potentially malicious persistence.

This file contains deliberate obfuscation and executes base64-decoded payloads via eval(compile(...,'exec')) both at import and during class instantiation. That pattern allows arbitrary, hidden code to run and is a high-risk supply-chain indicator. Treat the package as unsafe: do not import or instantiate HGEN until the decoded payloads are fully decoded and audited line-by-line. If possible, extract and statically review the base64/rot13-decoded payloads in a safe, isolated environment before running.

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

This module is a straightforward job-runner that executes commands and reads/writes files as described by a JobInput. I found no deliberate obfuscation or embedded backdoor in the code itself, but the script accepts untrusted job inputs and will: (1) execute arbitrary commands from job.commands, (2) write files to paths provided in job.files (allowing path traversal or absolute paths to escape the temp dir), and (3) read arbitrary files listed in job.return_files and include them in the output. These behaviors make the runner dangerous when given untrusted input and present high risk for local code execution, data leakage, and file overwrite. Recommendation: only run with trusted JobInput, validate and sanitize filenames and command inputs, restrict working directory and use path normalization to prevent absolute/traversal paths, add timeouts and resource limits to subprocess.run, and consider stronger sandboxing (containers, limited privileges).

The code implements a client-side tracking system that collects and encrypts user interaction and device data, sending it to a hardcoded private IP address. The use of static cryptographic keys and secrets, combined with silent data exfiltration, constitutes a moderate to high security risk and potential privacy violation. While no explicit malware such as backdoors or system damage is present, the behavior aligns with spyware or covert telemetry. Users should be warned about privacy implications, and the package should be treated as suspicious in software supply chains.

This package is intended to run a Monero miner (native executable invocation present) and runs npm install inside a nested server folder during postinstall. Installing it will likely consume host resources, potentially download or build native code, and could execute native binaries. This is high-risk and likely malicious/unwanted in most contexts. Do not install or run in production systems; inspect the 'server' subdirectory and any included binaries; analyze network behavior in a sandbox if needed.

Live on npm for 3 hours and 17 minutes before removal. Socket users were protected even while the package was live.

The code path is largely legitimate for hinge joint setup but includes a suspicious, conditional memory patch that mutates serialized JointData in WebAssembly memory. This presents a backdoor-like or side-channel risk if the offset or injected byte have downstream, undocumented effects. Requires authoritative clarification of getLockedAxesOffset semantics and justification for writing 0x37, plus auditing of all callers of JointData.raw to ensure data integrity and predictable behavior.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

This code contains high-risk patterns for supply-chain/remote-code-execution attacks: it uses a hardcoded (obfuscated) token to download a repository and then unpickles a file (pipeline.pkl) from that repository using cloudpickle.load without any integrity checks. That creates a straightforward remote code execution vector if the repository contents are or become malicious or if the token or repo is compromised. The dataset preprocessing code is benign, but the deserialization of remote content makes this module unsafe to run in untrusted environments. Recommend removing cloudpickle.load of remote files, verifying signatures/checksums, using safer serialization formats, and removing hardcoded credentials.

The code fragment contains explicit high-risk capabilities (remote code execution via _eval/aexec and shell execution via _bash) alongside extensive admin/chat management features. If exposed to untrusted input or deployed publicly, it presents a substantial security risk including potential remote code execution, data exfiltration, and abuse of chat administration functions. Absent strong input sandboxing, strict access controls, and minimization of dangerous features, this package is not safe for public distribution in its current form.

This setup.py implements an install-time backdoor: it decrypts a hardcoded ciphertext with a hardcoded Fernet key and exec()s the result during installation on Windows. The code is highly suspicious and consistent with a supply-chain attack (dropper/backdoor). The package should be considered malicious: do not install it, remove any installations, and investigate affected systems. Further dynamic analysis of the decrypted payload in a controlled sandbox is required to enumerate its exact malicious actions.

This code implements a network-based loader: it decrypts a private SSH key (using a symmetric key that is hard-coded in the script), connects to a specific remote host as a specific user, downloads a directory of Python modules via SCP into a hidden local folder, reads those files into memory and then removes the local copy. That behavior is characteristic of a dynamic updater/backdoor/loader and is high risk in a supply-chain context. The presence of a hard-coded Fernet key and hard-coded remote host/user increases the chance this is used to provide remote code to the environment that runs the script. While the snippet itself does not show an explicit payload execution or exfiltration, the ability to fetch and load arbitrary remote modules is sufficient to consider this potentially malicious or at least dangerous. I recommend treating the package as untrusted until provenance and intent are validated; remove hard-coded secrets, remove automatic remote pulls, or require explicit human authorization with secure key management if remote updates are necessary.

High risk due to an opaque base64-encoded payload loaded as a Worker (encodedJs). While the surrounding WebRTC logic may be legitimate, the encoded payload constitutes a potential backdoor or covert functionality that is not verifiable from the visible source. Recommend removing or substituting the encoded Worker with a transparent, auditable implementation and conducting a thorough review of the Worker’s contents. Until confirmed safe, treat the package as a security risk requiring remediation.

The script redirects Git hook execution to an external directory, creating a high-risk supply-chain and runtime vector. It is dangerous in most environments unless the external hooks are tightly controlled, versioned, and validated. Best practice would be to avoid such redirection; if necessary, implement explicit user consent, integrity verification (e.g., signed hooks), and allowlisting of trusted hooks, or revert to repository-contained hooks.

This script performs an explicit, high-impact destructive operation: it replaces cilium-related images in a target registry with busybox by tagging and pushing. It lacks input validation, safeguards, logging, and does not verify intent or authorization. In contexts where it can be run with registry push credentials (e.g., CI/CD runners, developer machines), it represents a severe supply-chain sabotage risk and should be treated as malicious/untrusted unless its use is tightly controlled and authorized. Remove from automation or add strict validation, authentication checks, confirmation, and non-destructive alternatives (e.g., using registry lifecycle APIs with auditability).

The codebase exhibits critical risk primarily due to remote code execution surfaces (sandbox/onlineChat) that accept and execute client-supplied code, compounded by dynamic SQL/DDL generation and runtime module loading based on user input. While some endpoints perform ordinary admin-like tasks, the overall risk level is high and warrants removal or strict containment of dynamic execution paths, rigorous input validation/whitelisting, parameterized queries, and a hardened sandbox with strong isolation. Recommend eliminating VM execution of client code or restricting to a fully enclosed, audited policy, replacing dynamic SQL with ORM-safe operations, and enforcing strict input schemas.

This code implements high-risk remote container terminal control: it targets Docker containers based on URL-derived identifiers, executes an in-container interactive shell ('/bin/bash -l'), and forwards untrusted WebSocket JSON payloads into the container exec/attach stream for interactive command/IO relay. Additional environment/script path fragments suggest container environment manipulation/persistence-style behavior. Overall, it is strongly indicative of malicious remote access functionality.

This code implements a covert data exfiltration mechanism via DNS tunneling to a suspicious external domain (dataflow[.]postcss-theme-shorthand-sectest[.]cf), stealing sensitive system information (public IP address, hostname, and current working directory) without user consent. The malware works by chunking the collected data, encoding it as hexadecimal strings, and sending it as DNS queries to avoid detection by standard security monitoring. It explicitly adds public DNS servers (1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4) to ensure the DNS exfiltration succeeds. This implementation represents a sophisticated supply chain attack with data theft capability.

Live on npm for 5 hours and 26 minutes before removal. Socket users were protected even while the package was live.

This code intentionally corrupts the last entry's PoH hash at slot end, persists the corrupted blobs to blocktree, and broadcasts them to the cluster. The behavior is a deliberate sabotage/backdoor that will cause validators to fail verification and can disrupt consensus. The module should be treated as malicious and removed or replaced. Immediate action: do not use this build, audit the repository history to find the introduction point, and treat any deployments that ran this code as suspect.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] The artifact is documentation for a legitimate image-upscaling workflow that depends on a third-party CLI (infsh) and cloud-hosted inference backends. There is no explicit malicious code or hardcoded secrets in the provided text, but the distribution and execution model (curl | sh installer and running downloaded native binaries that transport images and tokens to remote services) present significant supply-chain and privacy risks. If you cannot trust inference.sh or need to protect sensitive images/credentials, avoid this flow or require manual verification of installer binaries and tighter operational controls. LLM verification: Not outright malware, but contains a high-risk supply-chain/install pattern. The skill legitimately describes running a remote CLI and sending images to a cloud service, which matches its stated purpose. However, the explicit recommendation to run `curl https://cli.inference.sh | sh` (download-and-execute) and to run `infsh login` (which will collect credentials) are supply-chain and credential-risk vectors. Treat this skill as suspicious: verify the installer checksum manually before executing,

This module implements a remote-controlled code loader: it fetches a remote config, chooses a remote host, downloads JavaScript modules from that host via require-from-url/sync, and executes them with local configuration. That is effectively arbitrary remote code execution and constitutes a high-risk backdoor/supply-chain capability. If the remote server is malicious or compromised, an attacker can run arbitrary actions on any machine that runs this script. Use is unsafe in untrusted environments and should be treated as malicious/unacceptable unless you fully trust and can cryptographically verify the remote endpoint and payloads.

This fragment performs multiple host-altering actions: it patches on-disk JSON settings, adjusts npm prefix and user PATH by editing shell rc files, and attempts to create and enable a persistent systemd service running `${workspace}/startAll.sh` (with sudo). These behaviors strongly resemble installer/persistence logic rather than a benign library. Without seeing the rest of the module (especially what startAll.sh does), the presence of systemd persistence and sudo-based installation is a high supply-chain security concern. Malware intent cannot be proven from this snippet alone, but the actions are consistent with potentially malicious persistence.

This file contains deliberate obfuscation and executes base64-decoded payloads via eval(compile(...,'exec')) both at import and during class instantiation. That pattern allows arbitrary, hidden code to run and is a high-risk supply-chain indicator. Treat the package as unsafe: do not import or instantiate HGEN until the decoded payloads are fully decoded and audited line-by-line. If possible, extract and statically review the base64/rot13-decoded payloads in a safe, isolated environment before running.

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

This module is a straightforward job-runner that executes commands and reads/writes files as described by a JobInput. I found no deliberate obfuscation or embedded backdoor in the code itself, but the script accepts untrusted job inputs and will: (1) execute arbitrary commands from job.commands, (2) write files to paths provided in job.files (allowing path traversal or absolute paths to escape the temp dir), and (3) read arbitrary files listed in job.return_files and include them in the output. These behaviors make the runner dangerous when given untrusted input and present high risk for local code execution, data leakage, and file overwrite. Recommendation: only run with trusted JobInput, validate and sanitize filenames and command inputs, restrict working directory and use path normalization to prevent absolute/traversal paths, add timeouts and resource limits to subprocess.run, and consider stronger sandboxing (containers, limited privileges).

The code implements a client-side tracking system that collects and encrypts user interaction and device data, sending it to a hardcoded private IP address. The use of static cryptographic keys and secrets, combined with silent data exfiltration, constitutes a moderate to high security risk and potential privacy violation. While no explicit malware such as backdoors or system damage is present, the behavior aligns with spyware or covert telemetry. Users should be warned about privacy implications, and the package should be treated as suspicious in software supply chains.

This package is intended to run a Monero miner (native executable invocation present) and runs npm install inside a nested server folder during postinstall. Installing it will likely consume host resources, potentially download or build native code, and could execute native binaries. This is high-risk and likely malicious/unwanted in most contexts. Do not install or run in production systems; inspect the 'server' subdirectory and any included binaries; analyze network behavior in a sandbox if needed.

Live on npm for 3 hours and 17 minutes before removal. Socket users were protected even while the package was live.

The code path is largely legitimate for hinge joint setup but includes a suspicious, conditional memory patch that mutates serialized JointData in WebAssembly memory. This presents a backdoor-like or side-channel risk if the offset or injected byte have downstream, undocumented effects. Requires authoritative clarification of getLockedAxesOffset semantics and justification for writing 0x37, plus auditing of all callers of JointData.raw to ensure data integrity and predictable behavior.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

This code contains high-risk patterns for supply-chain/remote-code-execution attacks: it uses a hardcoded (obfuscated) token to download a repository and then unpickles a file (pipeline.pkl) from that repository using cloudpickle.load without any integrity checks. That creates a straightforward remote code execution vector if the repository contents are or become malicious or if the token or repo is compromised. The dataset preprocessing code is benign, but the deserialization of remote content makes this module unsafe to run in untrusted environments. Recommend removing cloudpickle.load of remote files, verifying signatures/checksums, using safer serialization formats, and removing hardcoded credentials.

The code fragment contains explicit high-risk capabilities (remote code execution via _eval/aexec and shell execution via _bash) alongside extensive admin/chat management features. If exposed to untrusted input or deployed publicly, it presents a substantial security risk including potential remote code execution, data exfiltration, and abuse of chat administration functions. Absent strong input sandboxing, strict access controls, and minimization of dangerous features, this package is not safe for public distribution in its current form.

This setup.py implements an install-time backdoor: it decrypts a hardcoded ciphertext with a hardcoded Fernet key and exec()s the result during installation on Windows. The code is highly suspicious and consistent with a supply-chain attack (dropper/backdoor). The package should be considered malicious: do not install it, remove any installations, and investigate affected systems. Further dynamic analysis of the decrypted payload in a controlled sandbox is required to enumerate its exact malicious actions.

This code implements a network-based loader: it decrypts a private SSH key (using a symmetric key that is hard-coded in the script), connects to a specific remote host as a specific user, downloads a directory of Python modules via SCP into a hidden local folder, reads those files into memory and then removes the local copy. That behavior is characteristic of a dynamic updater/backdoor/loader and is high risk in a supply-chain context. The presence of a hard-coded Fernet key and hard-coded remote host/user increases the chance this is used to provide remote code to the environment that runs the script. While the snippet itself does not show an explicit payload execution or exfiltration, the ability to fetch and load arbitrary remote modules is sufficient to consider this potentially malicious or at least dangerous. I recommend treating the package as untrusted until provenance and intent are validated; remove hard-coded secrets, remove automatic remote pulls, or require explicit human authorization with secure key management if remote updates are necessary.

High risk due to an opaque base64-encoded payload loaded as a Worker (encodedJs). While the surrounding WebRTC logic may be legitimate, the encoded payload constitutes a potential backdoor or covert functionality that is not verifiable from the visible source. Recommend removing or substituting the encoded Worker with a transparent, auditable implementation and conducting a thorough review of the Worker’s contents. Until confirmed safe, treat the package as a security risk requiring remediation.

The script redirects Git hook execution to an external directory, creating a high-risk supply-chain and runtime vector. It is dangerous in most environments unless the external hooks are tightly controlled, versioned, and validated. Best practice would be to avoid such redirection; if necessary, implement explicit user consent, integrity verification (e.g., signed hooks), and allowlisting of trusted hooks, or revert to repository-contained hooks.

This script performs an explicit, high-impact destructive operation: it replaces cilium-related images in a target registry with busybox by tagging and pushing. It lacks input validation, safeguards, logging, and does not verify intent or authorization. In contexts where it can be run with registry push credentials (e.g., CI/CD runners, developer machines), it represents a severe supply-chain sabotage risk and should be treated as malicious/untrusted unless its use is tightly controlled and authorized. Remove from automation or add strict validation, authentication checks, confirmation, and non-destructive alternatives (e.g., using registry lifecycle APIs with auditability).