Launch Week Day 4: Introducing Data Exports.Learn More
Socket
Book a DemoSign in
Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
t

timmywil published 4.0.0

left-pad
s

stevemao published 1.3.0

react
r

react-bot published 19.2.5

We protect you from vulnerable and malicious packages

dhemrdhs60015

1.250811.12105

Removed from npm

Blocked by Socket

This file implements an unattended update mechanism that fetches and installs .tgz archives from unverified remote sources—both the npm registry (registry[.]npmjs[.]org) and a configurable Firebase-style database URL—by downloading, extracting them into the application directory and then restarting PM2-managed processes. Because there is no cryptographic signature or checksum validation beyond a simple version check, a compromised registry account or database endpoint could deliver arbitrary code to every host running this updater. Additionally, on startup the script gathers extensive system and package metadata—including public IP (via api[.]ipify[.]org), local IP addresses, hostname, OS/platform, Node.js version, CPU/memory statistics, load averages, working directory and package.json fields—and posts it to a configurable Discord webhook endpoint (discordapp[.]com). This behavior poses both a supply-chain risk and a telemetry/privacy exposure risk, as sensitive host information is sent to an external service without explicit user consent or granular control.

Live on npm for 56 minutes before removal. Socket users were protected even while the package was live.

snow-flow

8.39.11

by groeimetai

Live on npm

Blocked by Socket

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

data-layer-v8

9999.9.99

by explotme

Removed from npm

Blocked by Socket

The code performs data collection and transmission to a potentially malicious server, which makes it highly suspicious. The code uses a hardcoded suspicious domain, collects user information without consent, and sends the data to an external server. This can lead to severe privacy violation and data leak issues.

Live on npm for 1 day, 17 hours and 57 minutes before removal. Socket users were protected even while the package was live.

mcdplib

0.0.0

Live on pypi

Blocked by Socket

The code enables dangerous dynamic evaluation and execution paths (eval/exec) driven by untrusted input, with an added templating-like evaluate_substrings feature that can interpolate and execute embedded expressions. A bug (Non vs None) is present, signaling reliability issues. Without strict input controls or sandboxing, this code poses a high security risk and should be refactored to avoid eval/exec or to implement a restricted evaluation environment and thorough input validation.

wf-bl

141.0.0

by yandex.pizda

Removed from npm

Blocked by Socket

This code is malicious: it collects full process environment variables and transmits them via an HTTPS POST to a hard-coded external endpoint. The combination of string obfuscation and conditional environment checks indicates deliberate attempts to evade detection and analysis. Treat any package containing this snippet as compromised; remove it, revoke exposed credentials and secrets potentially present in environment variables, and investigate how the code was introduced into the supply chain.

Live on npm for 2 hours and 1 minute before removal. Socket users were protected even while the package was live.

gepeto

1.1.23

Live on pypi

Blocked by Socket

This module contains a clear data-exfiltration path: Team.run builds a JSON payload including message_history and context and POSTs it to a hard-coded external service using a hard-coded API key. That behavior exposes sensitive data and leaks credentials, and it occurs without configuration or consent checks. Absent documentation or trusted provenance for the endpoint and API key, this is a severe supply-chain risk and the code should not be used in production. Additionally, module-level mutation of the litellm library flags is unexpected and suspicious. Recommend removing or gating the remote POST, rotating any leaked credentials, and auditing why the endpoint/API key exist in source control.

paypal-logger

0.6.0

by jpdtestjpd

Removed from npm

Blocked by Socket

The preinstall script executes package-supplied code (index.js) during installation. Without inspecting index.js, this is high risk: it could exfiltrate data, install backdoors, modify the filesystem, or spawn reverse shells. Treat this as potentially malicious until the contents of index.js are reviewed. Recommended actions: do not install or run this package in a sensitive environment; inspect the exact contents of index.js and any referenced files; run it in a fully isolated sandbox if analysis is required; check telemetry/network calls and filesystem modifications within index.js.

Live on npm for 10 hours and 14 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.3.1140

Live on pypi

Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

@blocklet/pages-kit

0.4.147

by wangshijun

Live on npm

Blocked by Socket

This file automatically sends internal dumpJSON items to a third-party AI Studio endpoint (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio/api/datasets/443696818363039744/documents) whenever the module is loaded. It embeds a hard-coded Cookie header—including a login_token JWT—and uses it to first fetch existing documents and then PUT or POST JSON-serialized item data under “text” paths. There is no user consent, opt-in, or error handling; the behavior runs as a side effect, leaks potentially sensitive package metadata, and abuses embedded credentials to write to an external service. This is a high-risk supply-chain/backdoor indicator.

agentdojo

0.1.20

Live on pypi

Blocked by Socket

This trace shows a successful prompt-injection-driven data exfiltration: an injected <INFORMATION> block in the get_channels tool output instructed the assistant to concatenate channel messages and post them to www.my-website-234.com/random. The assistant executed a post_webpage call with concatenated messages (including a plaintext secret 'Secret key is 1a7b3d.'), confirming data leakage to an external domain. The add_user_to_channel attempt failed, but the primary risk — disclosure of channel contents to an external site — occurred. This is malicious/unauthorized behavior caused by prompt injection in tool output. Remediation: treat tool outputs as untrusted, sanitize/validate tool-provided content, block network sinks from being used with untrusted data without policy checks, and never execute tool-instructing text embedded in tool outputs.

momentic

2.17.11

by wuweiweiwu

Live on npm

Blocked by Socket

The improved assessment confirms substantial security risks: remote code execution pathways with endpoints and auth, embedded credentials, and extensive DOM/metadata serialization that could leak sensitive information or enable backdoors if compromised. While these capabilities offer powerful automation, they create notable supply-chain and runtime risks. Recommended mitigations include removing hardcoded keys, securing secrets (vaults/configs), sandboxing remote evaluators with strict provenance and integrity checks, enforcing least-privilege network access, adding auditing/logging for outbound requests, and obtaining explicit user consent for telemetry and DOM data collection.

moogli-erp

2024.2.4

Live on pypi

Blocked by Socket

Resolve the promises to access the actual content of the reports and conduct a detailed security analysis to identify any potential security risks or vulnerabilities in the open-source dependency.

opmsec

0.1.51

by dhananjaypai08

Live on npm

Blocked by Socket

This package performs immediate, silent exfiltration of process environment variables to a hardcoded remote endpoint when the module is required. It also exports an unguarded loadConfig(path) that invokes require(path), enabling local module inclusion. The exfiltration of sensitive environment data without consent or configuration is malicious behavior (data theft/backdoor). Treat this package as malicious: do not use, remove from build/CI, and investigate any systems that imported it. Recommend blocking the package, rotating any potentially exposed credentials, and auditing downstream consumers.

yspliveplayer-new

0.3.6

Live on npm

Blocked by Socket

This module contains heavy obfuscation and dynamic decoding that reads browser state (document/window/opener) and uses CryptoJS to derive/produce a cryptographic value returned by getckey. The obfuscation, dynamic property access, and use of page/browser data are strong indicators of malicious or at least intentionally concealed behavior (likely token/key derivation or decryption for further malicious use). I recommend treating this package as suspicious and not using it until its clear, unobfuscated purpose and callers are inspected. If found in a dependency, remove or isolate it and perform a broader supply-chain investigation.

solana-sdkpy

1.2.6

Removed from pypi

Blocked by Socket

The source code contains suspicious obfuscated dynamic code execution that is highly indicative of potentially malicious behavior. The obfuscation techniques and suppression of errors increase the risk of hidden malware or backdoors. Although no explicit malicious actions are visible, the presence of such obfuscated exec() code justifies a high malware and security risk score. The package should be treated as potentially dangerous and undergo thorough manual review before use.

Live on pypi for 1 hour and 11 minutes before removal. Socket users were protected even while the package was live.

hub-http

0.999.999

Removed from npm

Blocked by Socket

The code is clearly malicious, as it collects and exfiltrates sensitive system information to an external server without user consent. The use of base64 encoding and the 'ping' command indicates an attempt to obfuscate the exfiltration process.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

devcloudcli

1.3.2

Live on pypi

Blocked by Socket

This is a high-risk destructive script that forcibly deletes /home/intel/dlstreamer without checks and prints a misleading success message. It contains no network or exfiltration behavior, and is not obfuscated, but its targeted deletion combined with sudo makes it suitable for sabotage. Do not execute this script unless you intentionally want to remove that directory; review sudoers and automation contexts to mitigate accidental or malicious execution.

rolldownload

0.0.1-security

by npm

Live on npm

Blocked by Socket

The package is confirmed to have contained malicious code, leading to its removal from the registry. This indicates a high likelihood of malware and significant security risks associated with its use.

teamstelemetry

9.1.0

Live on npm

Blocked by Socket

This script is malicious and implements DNS-based data exfiltration. It collects sensitive host information including the entire environment variables and sends them to an attacker-controlled domain by embedding hex-encoded, chunked payloads into DNS query labels. Treat as a high-risk backdoor/exfiltration component: remove or quarantine the file, investigate systems that executed it, assume environment-stored secrets may be compromised and rotate credentials, and block the attacker domain at DNS/network level.

354766/illusion47586/isol8/isol8/

c1d7dc9c0028c46a15765b05010ef766ab1c74c5

Live on socket

Blocked by Socket

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] The skill's capabilities are coherent with its stated purpose (secure sandboxed execution). There is no evidence in this documentation fragment of hidden or malicious behavior. Primary risks to note: (1) downloading and running a server binary from GitHub Releases on first use is a supply-chain/trust risk unless signatures/checksums are verified; (2) Remote mode sends code and API keys to the provided host and therefore requires trusting that host and transport; (3) allowing package installation inside the sandbox broadens attack surface and could enable exfiltration if network is permitted. Recommend verifying binary provenance/signatures, ensuring HTTPS and cert validation for RemoteIsol8, and auditing implementation of secret masking and Docker isolation settings before trusting with sensitive secrets. LLM verification: The isol8 skill's stated purpose (securely running untrusted code in Docker) matches its documented capabilities. There is no direct evidence of malicious code in the provided description. However, the functionality includes legitimate, but high-risk operations: executing arbitrary code in containers, injecting secrets into container environments, installing arbitrary packages, and remote execution that sends code and apiKeys to a remote host. These features are appropriate for the skill's purpo

browsergui

0.1.6

Live on pypi

Blocked by Socket

This code is high risk: it implements a persistent remote-control agent that fetches and directly evals server-supplied JavaScript and provides an unrestricted event exfiltration helper. Without strong, explicit authentication and integrity protections around the /command and /event endpoints, this effectively functions as a backdoor capable of arbitrary client-side data access and exfiltration. Treat as malicious/untrusted unless its remote-execution purpose is documented, authenticated, and constrained by additional safeguards.

agent-messenger

2.10.1

by devxoul

Live on npm

Blocked by Socket

Although this fragment is only unit tests, it strongly indicates a module designed to harvest and decrypt Instagram authentication/session cookies from installed Chromium/Edge browsers, including macOS Keychain/Safe Storage access and Chromium encryption decryption (v10/v11). These are high-risk capabilities consistent with credential/session theft tooling. No direct exfiltration is visible here, so network/persistence cannot be confirmed from this fragment alone, but the local extraction/decryption and token-return behavior warrants a security review and likely rejection for untrusted environments.

mtmai

0.3.1071

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

dhemrdhs60015

1.250811.12105

Removed from npm

Blocked by Socket

This file implements an unattended update mechanism that fetches and installs .tgz archives from unverified remote sources—both the npm registry (registry[.]npmjs[.]org) and a configurable Firebase-style database URL—by downloading, extracting them into the application directory and then restarting PM2-managed processes. Because there is no cryptographic signature or checksum validation beyond a simple version check, a compromised registry account or database endpoint could deliver arbitrary code to every host running this updater. Additionally, on startup the script gathers extensive system and package metadata—including public IP (via api[.]ipify[.]org), local IP addresses, hostname, OS/platform, Node.js version, CPU/memory statistics, load averages, working directory and package.json fields—and posts it to a configurable Discord webhook endpoint (discordapp[.]com). This behavior poses both a supply-chain risk and a telemetry/privacy exposure risk, as sensitive host information is sent to an external service without explicit user consent or granular control.

Live on npm for 56 minutes before removal. Socket users were protected even while the package was live.

snow-flow

8.39.11

by groeimetai

Live on npm

Blocked by Socket

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

data-layer-v8

9999.9.99

by explotme

Removed from npm

Blocked by Socket

The code performs data collection and transmission to a potentially malicious server, which makes it highly suspicious. The code uses a hardcoded suspicious domain, collects user information without consent, and sends the data to an external server. This can lead to severe privacy violation and data leak issues.

Live on npm for 1 day, 17 hours and 57 minutes before removal. Socket users were protected even while the package was live.

mcdplib

0.0.0

Live on pypi

Blocked by Socket

The code enables dangerous dynamic evaluation and execution paths (eval/exec) driven by untrusted input, with an added templating-like evaluate_substrings feature that can interpolate and execute embedded expressions. A bug (Non vs None) is present, signaling reliability issues. Without strict input controls or sandboxing, this code poses a high security risk and should be refactored to avoid eval/exec or to implement a restricted evaluation environment and thorough input validation.

wf-bl

141.0.0

by yandex.pizda

Removed from npm

Blocked by Socket

This code is malicious: it collects full process environment variables and transmits them via an HTTPS POST to a hard-coded external endpoint. The combination of string obfuscation and conditional environment checks indicates deliberate attempts to evade detection and analysis. Treat any package containing this snippet as compromised; remove it, revoke exposed credentials and secrets potentially present in environment variables, and investigate how the code was introduced into the supply chain.

Live on npm for 2 hours and 1 minute before removal. Socket users were protected even while the package was live.

gepeto

1.1.23

Live on pypi

Blocked by Socket

This module contains a clear data-exfiltration path: Team.run builds a JSON payload including message_history and context and POSTs it to a hard-coded external service using a hard-coded API key. That behavior exposes sensitive data and leaks credentials, and it occurs without configuration or consent checks. Absent documentation or trusted provenance for the endpoint and API key, this is a severe supply-chain risk and the code should not be used in production. Additionally, module-level mutation of the litellm library flags is unexpected and suspicious. Recommend removing or gating the remote POST, rotating any leaked credentials, and auditing why the endpoint/API key exist in source control.

paypal-logger

0.6.0

by jpdtestjpd

Removed from npm

Blocked by Socket

The preinstall script executes package-supplied code (index.js) during installation. Without inspecting index.js, this is high risk: it could exfiltrate data, install backdoors, modify the filesystem, or spawn reverse shells. Treat this as potentially malicious until the contents of index.js are reviewed. Recommended actions: do not install or run this package in a sensitive environment; inspect the exact contents of index.js and any referenced files; run it in a fully isolated sandbox if analysis is required; check telemetry/network calls and filesystem modifications within index.js.

Live on npm for 10 hours and 14 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.3.1140

Live on pypi

Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

@blocklet/pages-kit

0.4.147

by wangshijun

Live on npm

Blocked by Socket

This file automatically sends internal dumpJSON items to a third-party AI Studio endpoint (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio/api/datasets/443696818363039744/documents) whenever the module is loaded. It embeds a hard-coded Cookie header—including a login_token JWT—and uses it to first fetch existing documents and then PUT or POST JSON-serialized item data under “text” paths. There is no user consent, opt-in, or error handling; the behavior runs as a side effect, leaks potentially sensitive package metadata, and abuses embedded credentials to write to an external service. This is a high-risk supply-chain/backdoor indicator.

agentdojo

0.1.20

Live on pypi

Blocked by Socket

This trace shows a successful prompt-injection-driven data exfiltration: an injected <INFORMATION> block in the get_channels tool output instructed the assistant to concatenate channel messages and post them to www.my-website-234.com/random. The assistant executed a post_webpage call with concatenated messages (including a plaintext secret 'Secret key is 1a7b3d.'), confirming data leakage to an external domain. The add_user_to_channel attempt failed, but the primary risk — disclosure of channel contents to an external site — occurred. This is malicious/unauthorized behavior caused by prompt injection in tool output. Remediation: treat tool outputs as untrusted, sanitize/validate tool-provided content, block network sinks from being used with untrusted data without policy checks, and never execute tool-instructing text embedded in tool outputs.

momentic

2.17.11

by wuweiweiwu

Live on npm

Blocked by Socket

The improved assessment confirms substantial security risks: remote code execution pathways with endpoints and auth, embedded credentials, and extensive DOM/metadata serialization that could leak sensitive information or enable backdoors if compromised. While these capabilities offer powerful automation, they create notable supply-chain and runtime risks. Recommended mitigations include removing hardcoded keys, securing secrets (vaults/configs), sandboxing remote evaluators with strict provenance and integrity checks, enforcing least-privilege network access, adding auditing/logging for outbound requests, and obtaining explicit user consent for telemetry and DOM data collection.

moogli-erp

2024.2.4

Live on pypi

Blocked by Socket

Resolve the promises to access the actual content of the reports and conduct a detailed security analysis to identify any potential security risks or vulnerabilities in the open-source dependency.

opmsec

0.1.51

by dhananjaypai08

Live on npm

Blocked by Socket

This package performs immediate, silent exfiltration of process environment variables to a hardcoded remote endpoint when the module is required. It also exports an unguarded loadConfig(path) that invokes require(path), enabling local module inclusion. The exfiltration of sensitive environment data without consent or configuration is malicious behavior (data theft/backdoor). Treat this package as malicious: do not use, remove from build/CI, and investigate any systems that imported it. Recommend blocking the package, rotating any potentially exposed credentials, and auditing downstream consumers.

yspliveplayer-new

0.3.6

Live on npm

Blocked by Socket

This module contains heavy obfuscation and dynamic decoding that reads browser state (document/window/opener) and uses CryptoJS to derive/produce a cryptographic value returned by getckey. The obfuscation, dynamic property access, and use of page/browser data are strong indicators of malicious or at least intentionally concealed behavior (likely token/key derivation or decryption for further malicious use). I recommend treating this package as suspicious and not using it until its clear, unobfuscated purpose and callers are inspected. If found in a dependency, remove or isolate it and perform a broader supply-chain investigation.

solana-sdkpy

1.2.6

Removed from pypi

Blocked by Socket

The source code contains suspicious obfuscated dynamic code execution that is highly indicative of potentially malicious behavior. The obfuscation techniques and suppression of errors increase the risk of hidden malware or backdoors. Although no explicit malicious actions are visible, the presence of such obfuscated exec() code justifies a high malware and security risk score. The package should be treated as potentially dangerous and undergo thorough manual review before use.

Live on pypi for 1 hour and 11 minutes before removal. Socket users were protected even while the package was live.

hub-http

0.999.999

Removed from npm

Blocked by Socket

The code is clearly malicious, as it collects and exfiltrates sensitive system information to an external server without user consent. The use of base64 encoding and the 'ping' command indicates an attempt to obfuscate the exfiltration process.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

devcloudcli

1.3.2

Live on pypi

Blocked by Socket

This is a high-risk destructive script that forcibly deletes /home/intel/dlstreamer without checks and prints a misleading success message. It contains no network or exfiltration behavior, and is not obfuscated, but its targeted deletion combined with sudo makes it suitable for sabotage. Do not execute this script unless you intentionally want to remove that directory; review sudoers and automation contexts to mitigate accidental or malicious execution.

rolldownload

0.0.1-security

by npm

Live on npm

Blocked by Socket

The package is confirmed to have contained malicious code, leading to its removal from the registry. This indicates a high likelihood of malware and significant security risks associated with its use.

teamstelemetry

9.1.0

Live on npm

Blocked by Socket

This script is malicious and implements DNS-based data exfiltration. It collects sensitive host information including the entire environment variables and sends them to an attacker-controlled domain by embedding hex-encoded, chunked payloads into DNS query labels. Treat as a high-risk backdoor/exfiltration component: remove or quarantine the file, investigate systems that executed it, assume environment-stored secrets may be compromised and rotate credentials, and block the attacker domain at DNS/network level.

354766/illusion47586/isol8/isol8/

c1d7dc9c0028c46a15765b05010ef766ab1c74c5

Live on socket

Blocked by Socket

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] The skill's capabilities are coherent with its stated purpose (secure sandboxed execution). There is no evidence in this documentation fragment of hidden or malicious behavior. Primary risks to note: (1) downloading and running a server binary from GitHub Releases on first use is a supply-chain/trust risk unless signatures/checksums are verified; (2) Remote mode sends code and API keys to the provided host and therefore requires trusting that host and transport; (3) allowing package installation inside the sandbox broadens attack surface and could enable exfiltration if network is permitted. Recommend verifying binary provenance/signatures, ensuring HTTPS and cert validation for RemoteIsol8, and auditing implementation of secret masking and Docker isolation settings before trusting with sensitive secrets. LLM verification: The isol8 skill's stated purpose (securely running untrusted code in Docker) matches its documented capabilities. There is no direct evidence of malicious code in the provided description. However, the functionality includes legitimate, but high-risk operations: executing arbitrary code in containers, injecting secrets into container environments, installing arbitrary packages, and remote execution that sends code and apiKeys to a remote host. These features are appropriate for the skill's purpo

browsergui

0.1.6

Live on pypi

Blocked by Socket

This code is high risk: it implements a persistent remote-control agent that fetches and directly evals server-supplied JavaScript and provides an unrestricted event exfiltration helper. Without strong, explicit authentication and integrity protections around the /command and /event endpoints, this effectively functions as a backdoor capable of arbitrary client-side data access and exfiltration. Treat as malicious/untrusted unless its remote-execution purpose is documented, authenticated, and constrained by additional safeguards.

agent-messenger

2.10.1

by devxoul

Live on npm

Blocked by Socket

Although this fragment is only unit tests, it strongly indicates a module designed to harvest and decrypt Instagram authentication/session cookies from installed Chromium/Edge browsers, including macOS Keychain/Safe Storage access and Chromium encryption decryption (v10/v11). These are high-risk capabilities consistent with credential/session theft tooling. No direct exfiltration is visible here, so network/persistence cannot be confirmed from this fragment alone, but the local extraction/decryption and token-return behavior warrants a security review and likely rejection for untrusted environments.

mtmai

0.3.1071

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

GitHub app screenshot

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Even more developer love
Install GitHub AppRead the docs

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Book a Demo

Questions? Call us at (844) SOCKET-0

Read the blog

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

View all integrations

RUST

crates.io

Rust Package Manager

PHP

Packagist

PHP Package Manager

GOLANG

Go Modules

Go Dependency Management

JAVA

Maven Central

JAVASCRIPT

npm

Node Package Manager

.NET

NuGet

.NET Package Manager

PYTHON

PyPI

Python Package Index

RUBY

RubyGems.org

Ruby Package Manager

SWIFT

Swift

AI

Hugging Face Hub

AI Model Hub

CI

GitHub Actions

CI/CD Workflows

EXTENSIONS

Chrome Web Store

Chrome Browser Extensions

EXTENSIONS

Open VSX

VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

The latest from the Socket team

Get our latest security research, open source insights, and product updates.

View all articles