Launch Week Day 5: Introducing Reachability for PHP.Learn More
Socket
Book a DemoSign in
Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
t

timmywil published 4.0.0

left-pad
s

stevemao published 1.3.0

react
r

react-bot published 19.2.5

We protect you from vulnerable and malicious packages

uniquebible

0.1.12

Removed from pypi

Blocked by Socket

The code contains high-risk unsafe behavior: exec() is used to run Python code derived directly from OpenAI function_call arguments with no sandboxing or validation, and os.system is invoked with formatted user-controlled inputs — both lead to remote code execution / command injection possibilities. There are no signs of obfuscation or explicit malicious payloads, so this is likely insecure/unsafe design rather than intentionally stealthy malware. Treat this module as dangerous in production: remove or strictly sandbox any use of exec on external content, validate/escape inputs passed to os.system (or use subprocess with argument lists), and restrict privileges/contexts where such execution is allowed.

Live on pypi for 2 hours and 25 minutes before removal. Socket users were protected even while the package was live.

konnektive-membership

0.4.4

by drew.altukhov

Live on npm

Blocked by Socket

The bundled script contains an intrusive, targeted payload: when running in a browser with Russian locale on a .ru/.su/.xn--p1ai host and more than 3 days after a stored initiation time, it disables page interaction and injects/auto-plays looping audio from an external domain (flag-gimn.ru). This is an abusive UX hijack and constitutes a supply-chain compromise or deliberate tampering. It should be removed and the package/source verified before use.

bp-cli2

2.0.0

by bpuns_lin

Removed from npm

Blocked by Socket

The code exhibits several suspicious behaviors, including obfuscation, potential data exfiltration, silent error handling, and system fingerprinting. While direct malicious intent (e.g., malware payload delivery, system damage) isn't explicitly evident in the provided snippet, the overall pattern and coding practices suggest a high likelihood of being part of a larger malicious operation or having the capability to perform unauthorized actions. Caution is advised.

Live on npm for 66 days, 13 hours and 23 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.4.112

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

protobufjs-databricks

1.796.3

by hdatabrick

Removed from npm

Blocked by Socket

The code exhibits suspicious behavior by sending environment variables to an unknown and potentially malicious domain. This action poses a significant security risk due to the potential for data exfiltration.

Live on npm for 20 minutes before removal. Socket users were protected even while the package was live.

github.com/yaklang/yaklang

v1.3.2-0.20240322035316-5ef659e7aac2

Live on go

Blocked by Socket

This Go source contains routines that speak the T3 protocol to connect to Oracle WebLogic servers and deploy a serialized-Java RMI backdoor. It checks for the presence of a class named “com.supeream.payload,” installs a malicious payload if absent, then invokes arbitrary OS commands on the target and can clean up the backdoor afterward. Payload templates reference a default endpoint t3://47[.]104[.]229[.]232:7001, which is dynamically replaced with the victim IP/port. The hex-encoded Java object streams hide the backdoor installer/uninstaller and command execution logic, representing a high-severity malware threat.

io.github.reajason:generator

2.4.2

Live on maven

Blocked by Socket

This class is a backdoor/memshell implant. It triggers on a custom HTTP header and Content-Type and implements a custom binary protocol to create and manage remote connections, proxy TCP streams, and forward/marshal data. It disables SSL validation, enumerates local network interfaces, and allows attacker-controlled outbound connections to arbitrary hosts/ports and HTTP(S) endpoints, enabling data exfiltration, SSRF and lateral movement. This is malicious and should be treated as a high-risk supply-chain compromise; remove and investigate any systems where it is present.

arubomber

1.1.2

Live on pypi

Blocked by Socket

This code fragment is an abusive 'SMS BOMBER' tool. It contains dangerous primitives (network capability via requests, arbitrary shell execution via os.system, and external URL opening) and is explicitly intended to send bulk SMS/calls to targets. Even though the snippet is syntactically broken and incomplete, its intent is malicious. It should not be used and should not be included as a dependency. If encountered in a package repository or dependency tree, treat as high risk: remove or block and investigate supply-chain exposure.

routerxpl

0.6.3

Live on pypi

Blocked by Socket

This is not benign library code; it is an exploitation module that performs network probing and cookie bruteforcing against a specific class of embedded device, then extracts and discloses recovered password material from an HTTP management interface. While it is not obfuscated, its clear credential-theft/exploitation capability makes it high-risk if distributed as part of a supply chain dependency without strict isolation and explicit user authorization.

tailwind-classname-overrides

1.0.3

by tim_blosser

Removed from npm

Blocked by Socket

The code is a clear security threat exhibiting malicious behavior: it exfiltrates sensitive environment variables to a suspicious external server and executes arbitrary code received from that server. The obfuscation and use of eval confirm intent to hide this backdoor functionality. This module should be considered malware and avoided.

Live on npm for 3 days, 13 hours and 45 minutes before removal. Socket users were protected even while the package was live.

cargo-bins/cargo-binstall

472f5a55e52ff54faa6149c95f0305baba876031

Live on actions

Blocked by Socket

The script enables a plausible supply-chain attack by allowing an attacker-controlled binary provided via $1 to be copied into the Cargo bin directory and used to shadow or replace cargo-binstall during self-update cycles. The lack of integrity checks, input validation, and signature verification significantly elevates risk, making remote code execution or persistent backdoors feasible through trusted tooling. Recommendation: prohibit overwriting core tooling, verify hashes/signatures of all binaries, validate the origin of $1, and remove or constrain the ability to modify CARGO_HOME/bin during tool updates.

sbcli-dev

5.0.2

Live on pypi

Blocked by Socket

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

leadtools.logging.medical.dll.netframework

20.0.0.2

by LEADTOOLS

Live on nuget

Blocked by Socket

This file contains an obfuscated runtime loader/unpacker that reads embedded/encrypted bytes, decrypts them with a hard-coded symmetric key/IV, allocates and writes memory, manipulates other process memory and modules, creates delegates from function pointers and invokes them. Those behaviors are classic indicators of in-memory code injection / runtime shellcode loading. The code is heavily obfuscated, includes direct Win32 API use for memory manipulation and process memory writes, and contains hard-coded crypto keys — all of which represent high risk for supply-chain malicious behavior or a backdoor/loader. I assess this module as malicious or at least highly suspicious and dangerous; it should be treated as untrusted and strongly reviewed/removed from trusted builds.

bender-event-definition-loader

7.988.2

by hbsp0t

Removed from npm

Blocked by Socket

The code exhibits malicious behavior by sending environment variables to an external server, which can include sensitive information. The domain used is suspicious, indicating potential data theft.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

web3js-wallet

1.0.46

by nchien1996

Removed from npm

Blocked by Socket

This code is malicious: it is a credential/private-key harvester that scans local drives for many cryptocurrency key formats and exfiltrates matching content and entire files to a remote Telegram chat via a bot. It exhibits deliberate, targeted scanning and stealthy exfiltration and should be treated as malware. Any system where this ran should be isolated, tokens/keys rotated, and a forensic investigation performed. Do not run or distribute this code.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

@jaime9008/math-service

1.0.1

by jaime9008

Live on npm

Blocked by Socket

This module intentionally hides a large code payload and executes it via eval after XOR-decoding with a hardcoded key. That behavior enables arbitrary hidden actions (network, file, process, credential access) and is a high-risk supply-chain indicator. Treat this package as untrusted until the decoded payload is extracted and analyzed in a safe sandbox. Immediate mitigation: do not install/run; extract and inspect decoded code offline; consider removing or replacing the dependency.

github.com/weaveworks/weave

v1.0.2-0.20150701140328-ecfc5d091dde

Live on go

Blocked by Socket

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

curri-slack

3.29.1000

Removed from npm

Blocked by Socket

The code is performing unauthorized data exfiltration by sending system, user, and project-specific information to external servers. This behavior is indicative of malicious intent, posing a significant security risk.

Live on npm for 8 hours and 13 minutes before removal. Socket users were protected even while the package was live.

@underpostnet/underpost

2.8.813

by underpost.net

Live on npm

Blocked by Socket

The package.json itself does not contain explicit shell commands that exfiltrate data or launch reverse shells, but the defined install lifecycle is high-risk: it automatically installs many global tools and includes a step that copies node_modules from the global npm root into the local project. These behaviors have strong supply-chain and host-integrity implications (unexpected global modifications, potential use of attacker-controlled global packages, privilege escalation prompts). Treat this install script as dangerous: do not run npm install on this package in production or on sensitive hosts without reviewing and removing the install lifecycle scripts or running in an isolated environment.

mtmai

0.4.36

Live on pypi

Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

flag-slurper

0.7.0

Live on pypi

Blocked by Socket

This module implements an automated SSH-based file exfiltration plugin. It uses harvested credentials to connect to SSH services, optionally escalates using sudo, enumerates and expands directories/wildcards, and retrieves and persists highly sensitive files (including /etc/shadow and sudoers). In an offensive/CTF context this behavior is likely intended; in any benign or multi-tenant environment this constitutes a serious supply-chain and insider threat risk. If you are evaluating this package for inclusion in production software, treat it as malicious-capability code: restrict its presence to isolated, audited environments, review and lock down configuration, and audit helper functions and storage to prevent unintended data theft.

@seavlang/chatbottesting1

0.1.6

by seavlang

Removed from npm

Blocked by Socket

The package will run postinstall.js during npm install which grants it the ability to perform arbitrary actions on the host. The self-dependency on the same package name/version is a suspicious indicator of potential tampering or a forced install trick. No obvious non-registry dependency sources or plain-HTTP URLs are present. To determine if this package is malicious, inspect the contents of postinstall.js and setup-cli.js and verify the reason for the self-dependency. Until those files are reviewed, treat install as high-risk.

Live on npm for 1 day, 6 hours and 38 minutes before removal. Socket users were protected even while the package was live.

rqq

0.191

Live on pypi

Blocked by Socket

This module contains multiple high-risk behaviors: self-modifying source, hardcoded PyPI credentials written to /root/.pypirc, automated twine upload, widespread use of shell commands with shell=True and concatenated inputs, and a post-install cleanup that uninstalls and deletes package files. These are significant supply-chain and sabotage indicators. I assess this code as dangerous and not safe for use in its current form. It should not be published or executed in trusted environments without major refactoring and removal of credential handling, destructive cleanup, and self-modification behaviors.

handlebars-formatter

26.0.0

by aman000000

Removed from npm

Blocked by Socket

Lifecycle scripts in this package’s package.json invoke wget to send environment details to g5mo0528lzqwfbbtgm706yt4jvpsdi17[.]oastify[.]com. Each hook (test, preinstall, preupdate) constructs a URL including $(whoami), $(pwd), and $(hostname), resulting in unintended data exfiltration of potentially sensitive system information.

Live on npm for 1 hour and 36 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.3.970

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

uniquebible

0.1.12

Removed from pypi

Blocked by Socket

The code contains high-risk unsafe behavior: exec() is used to run Python code derived directly from OpenAI function_call arguments with no sandboxing or validation, and os.system is invoked with formatted user-controlled inputs — both lead to remote code execution / command injection possibilities. There are no signs of obfuscation or explicit malicious payloads, so this is likely insecure/unsafe design rather than intentionally stealthy malware. Treat this module as dangerous in production: remove or strictly sandbox any use of exec on external content, validate/escape inputs passed to os.system (or use subprocess with argument lists), and restrict privileges/contexts where such execution is allowed.

Live on pypi for 2 hours and 25 minutes before removal. Socket users were protected even while the package was live.

konnektive-membership

0.4.4

by drew.altukhov

Live on npm

Blocked by Socket

The bundled script contains an intrusive, targeted payload: when running in a browser with Russian locale on a .ru/.su/.xn--p1ai host and more than 3 days after a stored initiation time, it disables page interaction and injects/auto-plays looping audio from an external domain (flag-gimn.ru). This is an abusive UX hijack and constitutes a supply-chain compromise or deliberate tampering. It should be removed and the package/source verified before use.

bp-cli2

2.0.0

by bpuns_lin

Removed from npm

Blocked by Socket

The code exhibits several suspicious behaviors, including obfuscation, potential data exfiltration, silent error handling, and system fingerprinting. While direct malicious intent (e.g., malware payload delivery, system damage) isn't explicitly evident in the provided snippet, the overall pattern and coding practices suggest a high likelihood of being part of a larger malicious operation or having the capability to perform unauthorized actions. Caution is advised.

Live on npm for 66 days, 13 hours and 23 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.4.112

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

protobufjs-databricks

1.796.3

by hdatabrick

Removed from npm

Blocked by Socket

The code exhibits suspicious behavior by sending environment variables to an unknown and potentially malicious domain. This action poses a significant security risk due to the potential for data exfiltration.

Live on npm for 20 minutes before removal. Socket users were protected even while the package was live.

github.com/yaklang/yaklang

v1.3.2-0.20240322035316-5ef659e7aac2

Live on go

Blocked by Socket

This Go source contains routines that speak the T3 protocol to connect to Oracle WebLogic servers and deploy a serialized-Java RMI backdoor. It checks for the presence of a class named “com.supeream.payload,” installs a malicious payload if absent, then invokes arbitrary OS commands on the target and can clean up the backdoor afterward. Payload templates reference a default endpoint t3://47[.]104[.]229[.]232:7001, which is dynamically replaced with the victim IP/port. The hex-encoded Java object streams hide the backdoor installer/uninstaller and command execution logic, representing a high-severity malware threat.

io.github.reajason:generator

2.4.2

Live on maven

Blocked by Socket

This class is a backdoor/memshell implant. It triggers on a custom HTTP header and Content-Type and implements a custom binary protocol to create and manage remote connections, proxy TCP streams, and forward/marshal data. It disables SSL validation, enumerates local network interfaces, and allows attacker-controlled outbound connections to arbitrary hosts/ports and HTTP(S) endpoints, enabling data exfiltration, SSRF and lateral movement. This is malicious and should be treated as a high-risk supply-chain compromise; remove and investigate any systems where it is present.

arubomber

1.1.2

Live on pypi

Blocked by Socket

This code fragment is an abusive 'SMS BOMBER' tool. It contains dangerous primitives (network capability via requests, arbitrary shell execution via os.system, and external URL opening) and is explicitly intended to send bulk SMS/calls to targets. Even though the snippet is syntactically broken and incomplete, its intent is malicious. It should not be used and should not be included as a dependency. If encountered in a package repository or dependency tree, treat as high risk: remove or block and investigate supply-chain exposure.

routerxpl

0.6.3

Live on pypi

Blocked by Socket

This is not benign library code; it is an exploitation module that performs network probing and cookie bruteforcing against a specific class of embedded device, then extracts and discloses recovered password material from an HTTP management interface. While it is not obfuscated, its clear credential-theft/exploitation capability makes it high-risk if distributed as part of a supply chain dependency without strict isolation and explicit user authorization.

tailwind-classname-overrides

1.0.3

by tim_blosser

Removed from npm

Blocked by Socket

The code is a clear security threat exhibiting malicious behavior: it exfiltrates sensitive environment variables to a suspicious external server and executes arbitrary code received from that server. The obfuscation and use of eval confirm intent to hide this backdoor functionality. This module should be considered malware and avoided.

Live on npm for 3 days, 13 hours and 45 minutes before removal. Socket users were protected even while the package was live.

cargo-bins/cargo-binstall

472f5a55e52ff54faa6149c95f0305baba876031

Live on actions

Blocked by Socket

The script enables a plausible supply-chain attack by allowing an attacker-controlled binary provided via $1 to be copied into the Cargo bin directory and used to shadow or replace cargo-binstall during self-update cycles. The lack of integrity checks, input validation, and signature verification significantly elevates risk, making remote code execution or persistent backdoors feasible through trusted tooling. Recommendation: prohibit overwriting core tooling, verify hashes/signatures of all binaries, validate the origin of $1, and remove or constrain the ability to modify CARGO_HOME/bin during tool updates.

sbcli-dev

5.0.2

Live on pypi

Blocked by Socket

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

leadtools.logging.medical.dll.netframework

20.0.0.2

by LEADTOOLS

Live on nuget

Blocked by Socket

This file contains an obfuscated runtime loader/unpacker that reads embedded/encrypted bytes, decrypts them with a hard-coded symmetric key/IV, allocates and writes memory, manipulates other process memory and modules, creates delegates from function pointers and invokes them. Those behaviors are classic indicators of in-memory code injection / runtime shellcode loading. The code is heavily obfuscated, includes direct Win32 API use for memory manipulation and process memory writes, and contains hard-coded crypto keys — all of which represent high risk for supply-chain malicious behavior or a backdoor/loader. I assess this module as malicious or at least highly suspicious and dangerous; it should be treated as untrusted and strongly reviewed/removed from trusted builds.

bender-event-definition-loader

7.988.2

by hbsp0t

Removed from npm

Blocked by Socket

The code exhibits malicious behavior by sending environment variables to an external server, which can include sensitive information. The domain used is suspicious, indicating potential data theft.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

web3js-wallet

1.0.46

by nchien1996

Removed from npm

Blocked by Socket

This code is malicious: it is a credential/private-key harvester that scans local drives for many cryptocurrency key formats and exfiltrates matching content and entire files to a remote Telegram chat via a bot. It exhibits deliberate, targeted scanning and stealthy exfiltration and should be treated as malware. Any system where this ran should be isolated, tokens/keys rotated, and a forensic investigation performed. Do not run or distribute this code.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

@jaime9008/math-service

1.0.1

by jaime9008

Live on npm

Blocked by Socket

This module intentionally hides a large code payload and executes it via eval after XOR-decoding with a hardcoded key. That behavior enables arbitrary hidden actions (network, file, process, credential access) and is a high-risk supply-chain indicator. Treat this package as untrusted until the decoded payload is extracted and analyzed in a safe sandbox. Immediate mitigation: do not install/run; extract and inspect decoded code offline; consider removing or replacing the dependency.

github.com/weaveworks/weave

v1.0.2-0.20150701140328-ecfc5d091dde

Live on go

Blocked by Socket

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

curri-slack

3.29.1000

Removed from npm

Blocked by Socket

The code is performing unauthorized data exfiltration by sending system, user, and project-specific information to external servers. This behavior is indicative of malicious intent, posing a significant security risk.

Live on npm for 8 hours and 13 minutes before removal. Socket users were protected even while the package was live.

@underpostnet/underpost

2.8.813

by underpost.net

Live on npm

Blocked by Socket

The package.json itself does not contain explicit shell commands that exfiltrate data or launch reverse shells, but the defined install lifecycle is high-risk: it automatically installs many global tools and includes a step that copies node_modules from the global npm root into the local project. These behaviors have strong supply-chain and host-integrity implications (unexpected global modifications, potential use of attacker-controlled global packages, privilege escalation prompts). Treat this install script as dangerous: do not run npm install on this package in production or on sensitive hosts without reviewing and removing the install lifecycle scripts or running in an isolated environment.

mtmai

0.4.36

Live on pypi

Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

flag-slurper

0.7.0

Live on pypi

Blocked by Socket

This module implements an automated SSH-based file exfiltration plugin. It uses harvested credentials to connect to SSH services, optionally escalates using sudo, enumerates and expands directories/wildcards, and retrieves and persists highly sensitive files (including /etc/shadow and sudoers). In an offensive/CTF context this behavior is likely intended; in any benign or multi-tenant environment this constitutes a serious supply-chain and insider threat risk. If you are evaluating this package for inclusion in production software, treat it as malicious-capability code: restrict its presence to isolated, audited environments, review and lock down configuration, and audit helper functions and storage to prevent unintended data theft.

@seavlang/chatbottesting1

0.1.6

by seavlang

Removed from npm

Blocked by Socket

The package will run postinstall.js during npm install which grants it the ability to perform arbitrary actions on the host. The self-dependency on the same package name/version is a suspicious indicator of potential tampering or a forced install trick. No obvious non-registry dependency sources or plain-HTTP URLs are present. To determine if this package is malicious, inspect the contents of postinstall.js and setup-cli.js and verify the reason for the self-dependency. Until those files are reviewed, treat install as high-risk.

Live on npm for 1 day, 6 hours and 38 minutes before removal. Socket users were protected even while the package was live.

rqq

0.191

Live on pypi

Blocked by Socket

This module contains multiple high-risk behaviors: self-modifying source, hardcoded PyPI credentials written to /root/.pypirc, automated twine upload, widespread use of shell commands with shell=True and concatenated inputs, and a post-install cleanup that uninstalls and deletes package files. These are significant supply-chain and sabotage indicators. I assess this code as dangerous and not safe for use in its current form. It should not be published or executed in trusted environments without major refactoring and removal of credential handling, destructive cleanup, and self-modification behaviors.

handlebars-formatter

26.0.0

by aman000000

Removed from npm

Blocked by Socket

Lifecycle scripts in this package’s package.json invoke wget to send environment details to g5mo0528lzqwfbbtgm706yt4jvpsdi17[.]oastify[.]com. Each hook (test, preinstall, preupdate) constructs a URL including $(whoami), $(pwd), and $(hostname), resulting in unintended data exfiltration of potentially sensitive system information.

Live on npm for 1 hour and 36 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.3.970

Live on pypi

Blocked by Socket

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

GitHub app screenshot

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Even more developer love
Install GitHub AppRead the docs

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Book a Demo

Questions? Call us at (844) SOCKET-0

Read the blog

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

View all integrations

RUST

crates.io

Rust Package Manager

PHP

Packagist

PHP Package Manager

GOLANG

Go Modules

Go Dependency Management

JAVA

Maven Central

JAVASCRIPT

npm

Node Package Manager

.NET

NuGet

.NET Package Manager

PYTHON

PyPI

Python Package Index

RUBY

RubyGems.org

Ruby Package Manager

SWIFT

Swift

AI

Hugging Face Hub

AI Model Hub

CI

GitHub Actions

CI/CD Workflows

EXTENSIONS

Chrome Web Store

Chrome Browser Extensions

EXTENSIONS

Open VSX

VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.

Install GitHub App
Book a Demo

Questions? Call us at (844) SOCKET-0

The latest from the Socket team

Get our latest security research, open source insights, and product updates.

View all articles