Secure your dependencies. Ship with confidence.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The code exhibits clear malicious behavior by collecting and transmitting sensitive user information and project details without consent. The presence of an infinite loop further suggests intent to continuously seek out sensitive data. This code poses a significant security risk and should be treated as malicious.

Live on npm for 1 hour and 8 minutes before removal. Socket users were protected even while the package was live.

This module behaves like a remote agent/backdoor: it can fetch commands or code from a server, execute arbitrary shell commands (shell=True), stream outputs and system metadata to remote endpoints, download remote payloads to disk, and upload local files. These features enable remote control and data exfiltration. Unless you trust the controlling server and the origin of this package, it should be considered unsafe to run on sensitive systems.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This package runs a local setup.js during postinstall and its metadata explicitly states an intent to perform configuration injection for compromising AI tools. Treat this as highly malicious: do not install, inspect setup.js in a safe sandbox, and block the package at policy/registry level.

The code contains malicious behavior as it exfiltrates sensitive system data over the network without user consent. It constructs a URL to send this information using a ping command, indicating a high level of malicious intent.

Live on npm for 32 minutes before removal. Socket users were protected even while the package was live.

This code extracts base64 audio from a Blob and exfiltrates it over plain HTTP to a fixed external IP and path. That behavior constitutes direct data exfiltration of potentially sensitive audio without consent, encryption, or authentication. In most contexts this is malicious or highly privacy-invasive. Treat the module as dangerous: remove it, block its network calls, or audit and replace the endpoint with an approved, secure, authenticated service before use.

This module contains high-risk, potentially malicious functionality. The most critical issue is an explicit remote fetch-and-execute path: injected JS downloads JSON from a Firebase Realtime DB and writes/executes code.py locally. The script also automates an Android browser via ADB, copies app profile data from a private directory to external storage, and uses DevTools to read cookies/DOM and can exfiltrate state to remote endpoints. These behaviors are consistent with credential harvesting, remote control, or supply-chain abuse. Do not run or include this package in trusted environments without major refactoring and removal of the fetch-and-execute and data-exfiltration behaviors.

This fragment implements a credential-disclosure/exploitation workflow: it sends an HTTP request to a device endpoint, extracts administrator username/password values from the HTML response, and prints them. While there is no obfuscation or persistence visible here, the functionality is directly aligned with credential harvesting and is therefore high risk in a software supply-chain context.

No explicit malicious JavaScript is present in the snippet, but it changes runtime environment state and attempts to load a bundled native addon (`prebuilt/addon.node`) while silently suppressing load errors. Native addon contents are not visible here; therefore, the primary risk is supply-chain/native-code behavior (including possible data access/exfiltration) and reduced detection due to the empty catch block.

The code largely represents a standard generated API client for document-related endpoints. The critical concern is the embedded obfuscated payload at the end of the file, which could enable remote code execution or data exfiltration if executed under certain conditions. This constitutes a significant supply-chain risk. Immediate actions: audit the build process, verify no post-build transformations reintroduce such payloads, scan for dynamic evaluation paths, and consider replacing or isolating the package until the payload can be reconciled or removed.

The setup.py itself contains no runtime malicious code, but it explicitly advertises malicious intent and will cause installation of dependencies (notably psutil) that enable powerful system-level actions. Treat this package as high-risk: do not install or run it in production or privileged environments without a full audit of the package contents and its dependencies. If the goal is to evaluate supply-chain risk, consider blocking or sandboxing any installation and manually reviewing the repository and all dependency code before use.

Live on pypi for 4 hours and 34 minutes before removal. Socket users were protected even while the package was live.

This module functions as an active webshell probe/exploitation helper: it reads target entries from 'webshell.log', crafts a known-output payload ('print(md5(1));'), optionally applies configurable encoders, and sends the payload to remote URLs to detect execution. The behavior is consistent with offensive tooling that can verify and interact with webshell backdoors. Treat as high-risk if present in general-purpose packages; acceptable only in controlled, authorized security testing contexts.

This code implements an automated redeploy endpoint that runs shell commands (git, npm, kill) and restarts an npm child process. It is not obviously malware, but it poses a significant supply-chain / operational risk: the redeploy route acts as a single-secret trigger with no additional authentication, and the code executes powerful shell commands based on that trigger. If this HTTP endpoint is reachable by an attacker or the DEPLOY_ROUTE secret is leaked/guessed, an attacker can force code updates, install packages, and restart processes (leading to code execution or DoS). Recommend restricting listener to localhost, adding strong authentication (tokens/signature), avoiding execSync with interpolated shell strings, and removing brittle lsof/kill sequences or replacing them with safer process management.

Contains a malicious preinstall script that collects and exfiltrates sensitive system information including hostname, user details, network configuration, and system paths to oum13pvt3493hxndcz0sxtumidoac50u[.]oastify[.]com. The script executes automatically during package installation, enabling unauthorized data collection and system reconnaissance.

Live on npm for 4 days, 2 hours and 40 minutes before removal. Socket users were protected even while the package was live.

This code collects system-identifying data (username, hostname, file path), hex-encodes it, constructs a domain under a hardcoded external base ('furb.pw') embedding that data into subdomain labels, and issues an HTTPS GET to that domain — a clear data-exfiltration pattern. The behavior is malicious or at minimum privacy-invasive telemetry sent to an external third party. The package should not be trusted or used without removal of the network exfiltration logic and a full audit.

This source file is the main control loop for the Sliver C2 implant (an offensive-security remote access framework). It collects and exfiltrates host/user/executable metadata to a remote C2 on connect, reinstates pivot tunnels, and dispatches remote commands received from the controller to handler modules that can perform arbitrary actions. It includes multiple execution vectors for stealth (DLL exports, regsvr32, Windows service) and suppresses logging by default. Treat this code as malicious remote-access tooling in most operational contexts. A full supply-chain assessment requires reviewing transports, handlers, and pivots modules to identify command execution, file exfiltration, tunneling, and persistence behaviors.

This package contains malicious lifecycle scripts that collect namespace information from /proc and exfiltrate it to an external HTTP endpoint during install and test. This is telemetry/data exfiltration and a high-risk backchannel. The use of an insecure HTTP URL and automatic execution during npm lifecycle make it dangerous to install.

On its face, the package.json does not contain remote git/http dependency URLs or overrides that would trigger the highest-risk supply-chain rules. However, the preinstall hook (node setup_bun.js) is a notable risk because it runs arbitrary local code during installation and must be audited. Additional concerns: telemetry SDKs (newrelic/rollbar) may exfiltrate data if misconfigured, passing NPM_TOKEN into docker builds risks credential leakage, and the 'stream' dependency looks potentially suspicious and should be verified. Recommend reviewing setup_bun.js, verifying the intent and source of the 'stream' package, moving dev/test dependencies to devDependencies, and avoiding exposing secrets in docker build args.

High-risk code: it functions as a network-exposed surveillance and remote-control agent on Windows. It continuously captures the screen and cursor position, serves screenshots/base64 over HTTP, optionally performs OCR, and accepts remote commands to inject mouse/keyboard input via SendInput and click UI elements. While it includes Bearer-token authentication by default (and default bind to localhost), the danger remains substantial—especially because it can be bound to other interfaces and can disable auth. This is very likely not safe for general use as a dependency without strict threat modeling and controls.

Live on pypi for 6 days, 5 hours and 18 minutes before removal. Socket users were protected even while the package was live.

This Python code opens the default webcam via cv2.VideoCapture(0), captures a frame and saves it to a predictable temp path. It then fetches the host’s public IP from https://api[.]ipify[.]org?format=json and issues a multipart POST to https://api[.]telegram[.]org/bot8100799912:AAFLiK91C6f7MqHCyS9_z-DnRT7kaKolI4U/sendPhoto with chat_id=1723016481, attaching the photo and IP as the caption. The bot token and chat_id are hard-coded, there is no user consent or configuration, and a timed check function re-triggers capture and exfiltration. This behavior constitutes unauthorized data exfiltration and a high-severity privacy breach.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 2 hours and 5 minutes before removal. Socket users were protected even while the package was live.

This script is explicitly destructive: when a user types the confirmation token it will permanently remove all .git directories (erasing repository history and metadata) and delete all .gitignore files under the executed directory tree. There is no network activity or obfuscation, but the lack of safety checks (no dry-run, no backups, no scope restrictions) and use of rm -rf driven by find make it dangerous. Treat the file as malicious/unsafe to run unless the user deliberately intends to irreversibly strip Git metadata in a controlled environment with backups.

This assembly contains strongly suspicious and high-risk code: heavy obfuscation, embedded encrypted resources, cryptographic verification followed by allocation of executable memory, direct process memory writes, platform-specific native calls (VirtualAlloc/VirtualProtect/mmap/mprotect, OpenProcess, WriteProcessMemory), and hooking/replacement of the CLR JIT entrypoint (libclrjit/getJit). Those behaviors enable in-memory loading/execution of hidden payloads and runtime tampering. Treat this package as malicious or at minimum extremely dangerous for use in production. It should be blocked, removed, or subjected to deep manual and dynamic analysis in a controlled sandbox. If you expected a simple plugin helper library, this is inconsistent and should be considered a supply-chain compromise.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The code exhibits clear malicious behavior by collecting and transmitting sensitive user information and project details without consent. The presence of an infinite loop further suggests intent to continuously seek out sensitive data. This code poses a significant security risk and should be treated as malicious.

Live on npm for 1 hour and 8 minutes before removal. Socket users were protected even while the package was live.

This module behaves like a remote agent/backdoor: it can fetch commands or code from a server, execute arbitrary shell commands (shell=True), stream outputs and system metadata to remote endpoints, download remote payloads to disk, and upload local files. These features enable remote control and data exfiltration. Unless you trust the controlling server and the origin of this package, it should be considered unsafe to run on sensitive systems.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This package runs a local setup.js during postinstall and its metadata explicitly states an intent to perform configuration injection for compromising AI tools. Treat this as highly malicious: do not install, inspect setup.js in a safe sandbox, and block the package at policy/registry level.

The code contains malicious behavior as it exfiltrates sensitive system data over the network without user consent. It constructs a URL to send this information using a ping command, indicating a high level of malicious intent.

Live on npm for 32 minutes before removal. Socket users were protected even while the package was live.

This code extracts base64 audio from a Blob and exfiltrates it over plain HTTP to a fixed external IP and path. That behavior constitutes direct data exfiltration of potentially sensitive audio without consent, encryption, or authentication. In most contexts this is malicious or highly privacy-invasive. Treat the module as dangerous: remove it, block its network calls, or audit and replace the endpoint with an approved, secure, authenticated service before use.

This module contains high-risk, potentially malicious functionality. The most critical issue is an explicit remote fetch-and-execute path: injected JS downloads JSON from a Firebase Realtime DB and writes/executes code.py locally. The script also automates an Android browser via ADB, copies app profile data from a private directory to external storage, and uses DevTools to read cookies/DOM and can exfiltrate state to remote endpoints. These behaviors are consistent with credential harvesting, remote control, or supply-chain abuse. Do not run or include this package in trusted environments without major refactoring and removal of the fetch-and-execute and data-exfiltration behaviors.

This fragment implements a credential-disclosure/exploitation workflow: it sends an HTTP request to a device endpoint, extracts administrator username/password values from the HTML response, and prints them. While there is no obfuscation or persistence visible here, the functionality is directly aligned with credential harvesting and is therefore high risk in a software supply-chain context.

No explicit malicious JavaScript is present in the snippet, but it changes runtime environment state and attempts to load a bundled native addon (`prebuilt/addon.node`) while silently suppressing load errors. Native addon contents are not visible here; therefore, the primary risk is supply-chain/native-code behavior (including possible data access/exfiltration) and reduced detection due to the empty catch block.

The code largely represents a standard generated API client for document-related endpoints. The critical concern is the embedded obfuscated payload at the end of the file, which could enable remote code execution or data exfiltration if executed under certain conditions. This constitutes a significant supply-chain risk. Immediate actions: audit the build process, verify no post-build transformations reintroduce such payloads, scan for dynamic evaluation paths, and consider replacing or isolating the package until the payload can be reconciled or removed.

The setup.py itself contains no runtime malicious code, but it explicitly advertises malicious intent and will cause installation of dependencies (notably psutil) that enable powerful system-level actions. Treat this package as high-risk: do not install or run it in production or privileged environments without a full audit of the package contents and its dependencies. If the goal is to evaluate supply-chain risk, consider blocking or sandboxing any installation and manually reviewing the repository and all dependency code before use.

Live on pypi for 4 hours and 34 minutes before removal. Socket users were protected even while the package was live.

This module functions as an active webshell probe/exploitation helper: it reads target entries from 'webshell.log', crafts a known-output payload ('print(md5(1));'), optionally applies configurable encoders, and sends the payload to remote URLs to detect execution. The behavior is consistent with offensive tooling that can verify and interact with webshell backdoors. Treat as high-risk if present in general-purpose packages; acceptable only in controlled, authorized security testing contexts.

This code implements an automated redeploy endpoint that runs shell commands (git, npm, kill) and restarts an npm child process. It is not obviously malware, but it poses a significant supply-chain / operational risk: the redeploy route acts as a single-secret trigger with no additional authentication, and the code executes powerful shell commands based on that trigger. If this HTTP endpoint is reachable by an attacker or the DEPLOY_ROUTE secret is leaked/guessed, an attacker can force code updates, install packages, and restart processes (leading to code execution or DoS). Recommend restricting listener to localhost, adding strong authentication (tokens/signature), avoiding execSync with interpolated shell strings, and removing brittle lsof/kill sequences or replacing them with safer process management.

Contains a malicious preinstall script that collects and exfiltrates sensitive system information including hostname, user details, network configuration, and system paths to oum13pvt3493hxndcz0sxtumidoac50u[.]oastify[.]com. The script executes automatically during package installation, enabling unauthorized data collection and system reconnaissance.

Live on npm for 4 days, 2 hours and 40 minutes before removal. Socket users were protected even while the package was live.

This code collects system-identifying data (username, hostname, file path), hex-encodes it, constructs a domain under a hardcoded external base ('furb.pw') embedding that data into subdomain labels, and issues an HTTPS GET to that domain — a clear data-exfiltration pattern. The behavior is malicious or at minimum privacy-invasive telemetry sent to an external third party. The package should not be trusted or used without removal of the network exfiltration logic and a full audit.

This source file is the main control loop for the Sliver C2 implant (an offensive-security remote access framework). It collects and exfiltrates host/user/executable metadata to a remote C2 on connect, reinstates pivot tunnels, and dispatches remote commands received from the controller to handler modules that can perform arbitrary actions. It includes multiple execution vectors for stealth (DLL exports, regsvr32, Windows service) and suppresses logging by default. Treat this code as malicious remote-access tooling in most operational contexts. A full supply-chain assessment requires reviewing transports, handlers, and pivots modules to identify command execution, file exfiltration, tunneling, and persistence behaviors.

This package contains malicious lifecycle scripts that collect namespace information from /proc and exfiltrate it to an external HTTP endpoint during install and test. This is telemetry/data exfiltration and a high-risk backchannel. The use of an insecure HTTP URL and automatic execution during npm lifecycle make it dangerous to install.

On its face, the package.json does not contain remote git/http dependency URLs or overrides that would trigger the highest-risk supply-chain rules. However, the preinstall hook (node setup_bun.js) is a notable risk because it runs arbitrary local code during installation and must be audited. Additional concerns: telemetry SDKs (newrelic/rollbar) may exfiltrate data if misconfigured, passing NPM_TOKEN into docker builds risks credential leakage, and the 'stream' dependency looks potentially suspicious and should be verified. Recommend reviewing setup_bun.js, verifying the intent and source of the 'stream' package, moving dev/test dependencies to devDependencies, and avoiding exposing secrets in docker build args.

High-risk code: it functions as a network-exposed surveillance and remote-control agent on Windows. It continuously captures the screen and cursor position, serves screenshots/base64 over HTTP, optionally performs OCR, and accepts remote commands to inject mouse/keyboard input via SendInput and click UI elements. While it includes Bearer-token authentication by default (and default bind to localhost), the danger remains substantial—especially because it can be bound to other interfaces and can disable auth. This is very likely not safe for general use as a dependency without strict threat modeling and controls.

Live on pypi for 6 days, 5 hours and 18 minutes before removal. Socket users were protected even while the package was live.

This Python code opens the default webcam via cv2.VideoCapture(0), captures a frame and saves it to a predictable temp path. It then fetches the host’s public IP from https://api[.]ipify[.]org?format=json and issues a multipart POST to https://api[.]telegram[.]org/bot8100799912:AAFLiK91C6f7MqHCyS9_z-DnRT7kaKolI4U/sendPhoto with chat_id=1723016481, attaching the photo and IP as the caption. The bot token and chat_id are hard-coded, there is no user consent or configuration, and a timed check function re-triggers capture and exfiltration. This behavior constitutes unauthorized data exfiltration and a high-severity privacy breach.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 2 hours and 5 minutes before removal. Socket users were protected even while the package was live.

This script is explicitly destructive: when a user types the confirmation token it will permanently remove all .git directories (erasing repository history and metadata) and delete all .gitignore files under the executed directory tree. There is no network activity or obfuscation, but the lack of safety checks (no dry-run, no backups, no scope restrictions) and use of rm -rf driven by find make it dangerous. Treat the file as malicious/unsafe to run unless the user deliberately intends to irreversibly strip Git metadata in a controlled environment with backups.

This assembly contains strongly suspicious and high-risk code: heavy obfuscation, embedded encrypted resources, cryptographic verification followed by allocation of executable memory, direct process memory writes, platform-specific native calls (VirtualAlloc/VirtualProtect/mmap/mprotect, OpenProcess, WriteProcessMemory), and hooking/replacement of the CLR JIT entrypoint (libclrjit/getJit). Those behaviors enable in-memory loading/execution of hidden payloads and runtime tampering. Treat this package as malicious or at minimum extremely dangerous for use in production. It should be blocked, removed, or subjected to deep manual and dynamic analysis in a controlled sandbox. If you expected a simple plugin helper library, this is inconsistent and should be considered a supply-chain compromise.