Secure your dependencies. Ship with confidence.

This Python script is a Windows-only, heavily obfuscated infostealer. On launch it aborts on non-Windows hosts, then: • Fingerprints the machine (hostname, username, local/public IP via api[.]ipify[.]org, hardware IDs via registry/WMI, CPU/GPU, RAM, disk serials/usage) • Harvests Discord tokens and account metadata from the Discord desktop client plus Chromium-based browsers and Firefox, injecting JS into Discord's code to trap logins, gift codes and payments • Extracts saved passwords, cookies, browsing/download history and credit-card data from Chrome, Edge, Brave, Opera variants, Yandex, Firefox, etc. • Grabs Roblox .ROBLOSECURITY cookies and account info via browser_cookie3 and the Roblox API • Decrypts desktop crypto-wallets (MetaMask, Binance, Coinbase, Trust Wallet, Exodus, Atomic, etc.) using AES/GCM with DPAPI-unwrapped keys • Captures a full-screen screenshot and a webcam photo • Disables Task Manager via registry and poisons the Windows hosts file with hundreds of AV/security domains • Persists by copying itself into the user's Startup folder. Finally it zips all stolen data, uploads it to gofile[.]io, notifies the attacker via a hard-coded Discord webhook, and tags IPs via redtiger[.]shop. It also contains built-in JavaScript injection to further compromise the Discord desktop client and can auto-purchase Nitro via stolen payment methods.

Live on pypi for 2 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code performs unauthorized exfiltration of sensitive internal project data (package name, version, git commit hash) to a suspicious external server without user consent. This behavior is indicative of malicious intent, constituting a supply chain security threat. There is no obfuscation, but the data leak is serious and should be treated as a high-risk security incident.

This dependency is not a benign cookie utility: its set() function contains a conditional remote fetch and direct eval of fetched content, forming a backdoor/payload loader consistent with supply-chain malware. Treat the package as unsafe and do not deploy it without remediation (e.g., removal/replacement and investigation of downstream usage).

This is a high-suspicion Kubernetes deployment wrapper that unconditionally applies local manifests, including one named 'miner-nodes.yaml.' While the Bash script itself has no overt data theft or command-and-control behavior, it can facilitate supply-chain abuse by deploying whatever workloads are defined in the packaged YAML files to the operator’s active Kubernetes cluster/context. The likely risk depends on the miner and tx manifest contents, but the naming and deployment pattern warrant a security review and manifest inspection before use.

The code intentionally hooks into the core HTTP server to monitor and optionally proxy traffic, with clear data-exfiltration risk (headers and bodies encoded and emitted). The proxy path could enable undesired data routing to arbitrary IPs. While it may be part of a legitimate monitoring feature, the combination of hijacking core server behavior, logging sensitive data, and optional proxying constitutes a significant security risk and potential backdoor depending on deployment context. Treat as suspicious unless there is strong, vetted justification, robust access controls, and explicit user consent in production environments.

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777) All findings: [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] No direct malicious code or obfuscation is present in the provided skill instruction file. The instructions and capabilities align with the stated purpose (selecting and using Fabric patterns). The primary security concern is supply-chain risk: the skill instructs cloning and using an upstream GitHub repository without pinned commits or integrity checks, meaning a compromise of that repo or its dependencies could result in execution of malicious patterns or code. Recommend adding verification steps (pin commit SHA, verify signatures or checksums) and restricting execution of untrusted patterns or inspecting pattern contents before execution. LLM verification: Not overtly malicious based on provided content, but suspicious from a supply-chain and privilege perspective. The skill clones and executes unpinned external code (git clone + go install @latest), references local credential/config paths, and includes documentation showing rm -rf/backtick shell usage. These behaviors are coherent with the purpose but grant broad filesystem and network capabilities that are disproportionate for simple pattern selection and processing. Recommend treating as SUSPI

The code exhibits several characteristics of malware, including downloading files from an external server, executing them, and establishing persistence. The obfuscation further suggests an attempt to hide malicious intent.

Live on npm for 13 days, 1 hour and 15 minutes before removal. Socket users were protected even while the package was live.

The bundle contains an injected behavior that is unrelated to its stated functionality: it checks the client's timezone against a hardcoded list and, for matching timezones, constructs and displays a political message and automatically opens external URLs (including a Tor onion link and change.org) and shows an alert. This is unexpected, potentially harmful (forced popups/navigation), and constitutes a malicious or unauthorized modification of the package. Do not use this version; investigate source repository, verify integrity (checksums/signatures), and replace with a clean build.

[Skill Scanner] Installation of third-party script detected BENIGN: The skill description and examples are coherent with a legitimate PDF processing toolset. No malicious data flows, credential harvesting, or external network communication are indicated. Data flows are strictly local file I/O and standard library usage for PDF manipulation. LLM verification: The skill’s described capabilities are appropriate for PDF processing tasks. Primary security concerns are about supply-chain hygiene (unpinned OCR dependency and potential unvetted script installations). Mitigations: pin dependency versions, verify sources, and avoid auto-installation of third-party scripts in production. Overall assessment remains largely benign with important notes on dependency management to reduce risk.

The code presents clear indicators of malicious capability: in-process shellcode execution and memfd-based side-loading with LD_PRELOAD to run injected data in another process. This constitutes high-risk behavior suitable for backdoor or code execution tooling. The implementation lacks input validation, safeguards, or auditing hooks, making it a strong threat in supply-chain contexts. Hardening would require removing in-memory code execution, eliminating LD_PRELOAD-based injection paths, and adding strict input validation, provenance checks, and runtime protections.

This module adds an API endpoint that can execute an external CLI and run git commands using child_process, based on request data (including remote URLs and optional token) and deployment/environment configuration. It also writes configuration and sync state into a hidden directory under the user’s home (~/.mindos). While the intent may be legitimate “sync” automation, the presence of remotely triggerable command execution and token handling makes it a high supply-chain/sabotage risk if the API is reachable without strong authentication/authorization in the broader project.

The fragment indicates a webshell-like login bypass with a hardcoded credential and an unusual 404-triggered login flow. In an open-source package, this poses a high supply-chain risk and should be avoided or sanitized, removing hardcoded credentials and backdoor-like patterns. Treat as high-risk and require remediation or exclusion from production dependencies.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 1 hour and 54 minutes before removal. Socket users were protected even while the package was live.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

This preinstall script performs targeted data collection and exfiltrates sensitive environment and network information to an external domain during npm install. This is malicious/spyware behavior (data exfiltration/telemetry) and should be treated as malware. Do not install or run this package; consider it high risk.

The script collects and sends potentially sensitive information to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

This package presents significant security risks due to complete code obfuscation. The binary/encoded nature prevents analysis of actual functionality and is highly suspicious for an open source dependency.

The provided code is highly malicious, with behaviors including downloading and executing external files, modifying system files, sending system data over the network, and connecting to suspicious domains. The code is also heavily obfuscated, making it difficult to analyze. Given these behaviors, the code poses a significant security risk.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

This file implements a high-impact automatic updater that, when enabled by a filesystem flag, will fetch PyPI metadata and, if a newer version exists, automatically install the 'simo' package and run multiple privileged/damaging maintenance commands (migrations, collectstatic, redis-cli flushall, supervisor restart). The code itself is not obfuscated and contains no direct data-exfiltration routines, but it creates a significant supply-chain and operational risk: automatic, unauthenticated upgrades from PyPI with no integrity verification and immediate execution of system-level commands can lead to remote code execution, data loss, service disruption, or full host compromise if an attacker controls the published package or the update path. Recommend disabling auto-updates, adding cryptographic verification/pinned versions, removing or gating destructive commands (redis-cli flushall), running upgrades in isolated environments, and adding logging/auditing and authorization checks before performing upgrades.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This file implements a covert surveillance agent that: 1) prepends environment-controlled directories (SITE_ROOT, AGENT_PATH) to Python’s import path (supply-chain/import risk); 2) silently injects “export PROMPT_COMMAND='history -a'” into /etc/bash.bashrc and users’ ~/.bashrc to force real-time shell history flushing; 3) tracks user sign-in/sign-out via `who`, reads and aggregates shell histories (~/.bash_history, ~/.zsh_history, fish history) and session metadata into agent-controlled JSON logs under comm_path/<universal_id>/sessions; 4) monitors highly sensitive files/directories (/etc/passwd, /etc/shadow, /root/.ssh, /home, /var/www) via inotify and logs or alerts on access, writes, and deletions; 5) computes SHA-256 hashes of commands and flags those matching high-risk patterns (rm -rf, scp, curl, wget, sudo, chmod 777, systemctl stop, service stop); and 6) packages structured reports via get_delivery_packet()/pass_packet() calls to configured remote nodes, constituting an exfiltration channel. These behaviors constitute unauthorized host persistence, privacy violation, and potential data exfiltration, and should be treated as malware.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

This code extracts base64 audio from a Blob and exfiltrates it over plain HTTP to a fixed external IP and path. That behavior constitutes direct data exfiltration of potentially sensitive audio without consent, encryption, or authentication. In most contexts this is malicious or highly privacy-invasive. Treat the module as dangerous: remove it, block its network calls, or audit and replace the endpoint with an approved, secure, authenticated service before use.

This Python script is a Windows-only, heavily obfuscated infostealer. On launch it aborts on non-Windows hosts, then: • Fingerprints the machine (hostname, username, local/public IP via api[.]ipify[.]org, hardware IDs via registry/WMI, CPU/GPU, RAM, disk serials/usage) • Harvests Discord tokens and account metadata from the Discord desktop client plus Chromium-based browsers and Firefox, injecting JS into Discord's code to trap logins, gift codes and payments • Extracts saved passwords, cookies, browsing/download history and credit-card data from Chrome, Edge, Brave, Opera variants, Yandex, Firefox, etc. • Grabs Roblox .ROBLOSECURITY cookies and account info via browser_cookie3 and the Roblox API • Decrypts desktop crypto-wallets (MetaMask, Binance, Coinbase, Trust Wallet, Exodus, Atomic, etc.) using AES/GCM with DPAPI-unwrapped keys • Captures a full-screen screenshot and a webcam photo • Disables Task Manager via registry and poisons the Windows hosts file with hundreds of AV/security domains • Persists by copying itself into the user's Startup folder. Finally it zips all stolen data, uploads it to gofile[.]io, notifies the attacker via a hard-coded Discord webhook, and tags IPs via redtiger[.]shop. It also contains built-in JavaScript injection to further compromise the Discord desktop client and can auto-purchase Nitro via stolen payment methods.

Live on pypi for 2 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code performs unauthorized exfiltration of sensitive internal project data (package name, version, git commit hash) to a suspicious external server without user consent. This behavior is indicative of malicious intent, constituting a supply chain security threat. There is no obfuscation, but the data leak is serious and should be treated as a high-risk security incident.

This dependency is not a benign cookie utility: its set() function contains a conditional remote fetch and direct eval of fetched content, forming a backdoor/payload loader consistent with supply-chain malware. Treat the package as unsafe and do not deploy it without remediation (e.g., removal/replacement and investigation of downstream usage).

This is a high-suspicion Kubernetes deployment wrapper that unconditionally applies local manifests, including one named 'miner-nodes.yaml.' While the Bash script itself has no overt data theft or command-and-control behavior, it can facilitate supply-chain abuse by deploying whatever workloads are defined in the packaged YAML files to the operator’s active Kubernetes cluster/context. The likely risk depends on the miner and tx manifest contents, but the naming and deployment pattern warrant a security review and manifest inspection before use.

The code intentionally hooks into the core HTTP server to monitor and optionally proxy traffic, with clear data-exfiltration risk (headers and bodies encoded and emitted). The proxy path could enable undesired data routing to arbitrary IPs. While it may be part of a legitimate monitoring feature, the combination of hijacking core server behavior, logging sensitive data, and optional proxying constitutes a significant security risk and potential backdoor depending on deployment context. Treat as suspicious unless there is strong, vetted justification, robust access controls, and explicit user consent in production environments.

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777) All findings: [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] No direct malicious code or obfuscation is present in the provided skill instruction file. The instructions and capabilities align with the stated purpose (selecting and using Fabric patterns). The primary security concern is supply-chain risk: the skill instructs cloning and using an upstream GitHub repository without pinned commits or integrity checks, meaning a compromise of that repo or its dependencies could result in execution of malicious patterns or code. Recommend adding verification steps (pin commit SHA, verify signatures or checksums) and restricting execution of untrusted patterns or inspecting pattern contents before execution. LLM verification: Not overtly malicious based on provided content, but suspicious from a supply-chain and privilege perspective. The skill clones and executes unpinned external code (git clone + go install @latest), references local credential/config paths, and includes documentation showing rm -rf/backtick shell usage. These behaviors are coherent with the purpose but grant broad filesystem and network capabilities that are disproportionate for simple pattern selection and processing. Recommend treating as SUSPI

The code exhibits several characteristics of malware, including downloading files from an external server, executing them, and establishing persistence. The obfuscation further suggests an attempt to hide malicious intent.

Live on npm for 13 days, 1 hour and 15 minutes before removal. Socket users were protected even while the package was live.

The bundle contains an injected behavior that is unrelated to its stated functionality: it checks the client's timezone against a hardcoded list and, for matching timezones, constructs and displays a political message and automatically opens external URLs (including a Tor onion link and change.org) and shows an alert. This is unexpected, potentially harmful (forced popups/navigation), and constitutes a malicious or unauthorized modification of the package. Do not use this version; investigate source repository, verify integrity (checksums/signatures), and replace with a clean build.

[Skill Scanner] Installation of third-party script detected BENIGN: The skill description and examples are coherent with a legitimate PDF processing toolset. No malicious data flows, credential harvesting, or external network communication are indicated. Data flows are strictly local file I/O and standard library usage for PDF manipulation. LLM verification: The skill’s described capabilities are appropriate for PDF processing tasks. Primary security concerns are about supply-chain hygiene (unpinned OCR dependency and potential unvetted script installations). Mitigations: pin dependency versions, verify sources, and avoid auto-installation of third-party scripts in production. Overall assessment remains largely benign with important notes on dependency management to reduce risk.

The code presents clear indicators of malicious capability: in-process shellcode execution and memfd-based side-loading with LD_PRELOAD to run injected data in another process. This constitutes high-risk behavior suitable for backdoor or code execution tooling. The implementation lacks input validation, safeguards, or auditing hooks, making it a strong threat in supply-chain contexts. Hardening would require removing in-memory code execution, eliminating LD_PRELOAD-based injection paths, and adding strict input validation, provenance checks, and runtime protections.

This module adds an API endpoint that can execute an external CLI and run git commands using child_process, based on request data (including remote URLs and optional token) and deployment/environment configuration. It also writes configuration and sync state into a hidden directory under the user’s home (~/.mindos). While the intent may be legitimate “sync” automation, the presence of remotely triggerable command execution and token handling makes it a high supply-chain/sabotage risk if the API is reachable without strong authentication/authorization in the broader project.

The fragment indicates a webshell-like login bypass with a hardcoded credential and an unusual 404-triggered login flow. In an open-source package, this poses a high supply-chain risk and should be avoided or sanitized, removing hardcoded credentials and backdoor-like patterns. Treat as high-risk and require remediation or exclusion from production dependencies.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 1 hour and 54 minutes before removal. Socket users were protected even while the package was live.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

This preinstall script performs targeted data collection and exfiltrates sensitive environment and network information to an external domain during npm install. This is malicious/spyware behavior (data exfiltration/telemetry) and should be treated as malware. Do not install or run this package; consider it high risk.

The script collects and sends potentially sensitive information to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

This package presents significant security risks due to complete code obfuscation. The binary/encoded nature prevents analysis of actual functionality and is highly suspicious for an open source dependency.

The provided code is highly malicious, with behaviors including downloading and executing external files, modifying system files, sending system data over the network, and connecting to suspicious domains. The code is also heavily obfuscated, making it difficult to analyze. Given these behaviors, the code poses a significant security risk.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

This file implements a high-impact automatic updater that, when enabled by a filesystem flag, will fetch PyPI metadata and, if a newer version exists, automatically install the 'simo' package and run multiple privileged/damaging maintenance commands (migrations, collectstatic, redis-cli flushall, supervisor restart). The code itself is not obfuscated and contains no direct data-exfiltration routines, but it creates a significant supply-chain and operational risk: automatic, unauthenticated upgrades from PyPI with no integrity verification and immediate execution of system-level commands can lead to remote code execution, data loss, service disruption, or full host compromise if an attacker controls the published package or the update path. Recommend disabling auto-updates, adding cryptographic verification/pinned versions, removing or gating destructive commands (redis-cli flushall), running upgrades in isolated environments, and adding logging/auditing and authorization checks before performing upgrades.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This file implements a covert surveillance agent that: 1) prepends environment-controlled directories (SITE_ROOT, AGENT_PATH) to Python’s import path (supply-chain/import risk); 2) silently injects “export PROMPT_COMMAND='history -a'” into /etc/bash.bashrc and users’ ~/.bashrc to force real-time shell history flushing; 3) tracks user sign-in/sign-out via `who`, reads and aggregates shell histories (~/.bash_history, ~/.zsh_history, fish history) and session metadata into agent-controlled JSON logs under comm_path/<universal_id>/sessions; 4) monitors highly sensitive files/directories (/etc/passwd, /etc/shadow, /root/.ssh, /home, /var/www) via inotify and logs or alerts on access, writes, and deletions; 5) computes SHA-256 hashes of commands and flags those matching high-risk patterns (rm -rf, scp, curl, wget, sudo, chmod 777, systemctl stop, service stop); and 6) packages structured reports via get_delivery_packet()/pass_packet() calls to configured remote nodes, constituting an exfiltration channel. These behaviors constitute unauthorized host persistence, privacy violation, and potential data exfiltration, and should be treated as malware.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

This code extracts base64 audio from a Blob and exfiltrates it over plain HTTP to a fixed external IP and path. That behavior constitutes direct data exfiltration of potentially sensitive audio without consent, encryption, or authentication. In most contexts this is malicious or highly privacy-invasive. Treat the module as dangerous: remove it, block its network calls, or audit and replace the endpoint with an approved, secure, authenticated service before use.