
Company News
Socket Has Acquired Secure Annex
Socket has acquired Secure Annex to expand extension security across browsers, IDEs, and AI tools.
Questions? Call us at (844) SOCKET-0
Quickly evaluate the security and health of any open source package.
@octra/web-media
2.0.1
by julianpoemp
Live on npm
Blocked by Socket
This module fragment includes a high-severity arbitrary code execution mechanism. It dynamically generates a Web Worker and then evaluates attacker-controlled serialized function code (eval on both the main thread for validation and inside the worker for actual execution) and invokes the resulting functions with attacker-controlled arguments. In any supply-chain scenario where job payloads can be influenced, this functions as a backdoor-like capability and should be treated as a critical security risk.
wm-w5g-preview
1.0.0
by adam-bug-bounty
Live on npm
Blocked by Socket
This code fragment is strongly consistent with malicious telemetry/exfiltration: it collects hostname and user information from the local environment and unconditionally sends them to a hardcoded external endpoint over HTTPS on module load. It contains no legitimate business logic, no consent/config gating, and no sanitization/redaction.
wm-plugin-open-teach-me-after-deployable-played
12.0.6
by adam-bug-bounty
Live on npm
Blocked by Socket
This code fragment is strongly consistent with malicious telemetry/exfiltration: it collects hostname and user information from the local environment and unconditionally sends them to a hardcoded external endpoint over HTTPS on module load. It contains no legitimate business logic, no consent/config gating, and no sanitization/redaction.
@xianntood/baileys
1.0.0
by xianntood
Live on npm
Blocked by Socket
`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.
@shepai/cli
1.194.1
by shep-bot
Live on npm
Blocked by Socket
This module embeds an HTTP POST side effect that spawns the external `gh auth login --web` command in detached mode with ignored stdio and suppressed visibility. That is atypical for standard Next.js route runtime code and creates a high-risk pathway for unauthorized process execution / credential-adjacent behavior if the route is reachable without strong authorization and auditing. Additionally, it can disclose error details by returning `e.message` on spawn failure. Other parts of the fragment appear to be normal Next.js server scaffolding without obvious additional malicious primitives.
@pisell/private-materials
1.1.2210
by jinglin.tan
Live on npm
Blocked by Socket
This module contains explicit client-side exfil/notification behavior: it hardcodes Feishu/Lark bot webhook URLs (test/prod) and sends dynamically constructed messages containing caller-provided title/content via fetch POST. It also includes clipboard-write capabilities (navigator.clipboard + execCommand fallback) and logs configuration used for environment/webhook selection. Even if intended for legitimate internal notifications, embedding bot webhook endpoints and transmitting dynamic content externally is a high-risk supply-chain characteristic and should be reviewed for legitimacy, user consent, and secret handling/redaction.
@builder.io/dev-tools
1.49.0-beta.202604281004.704996d
by manucorporat
Live on npm
Blocked by Socket
High security risk. This module injects a browser-side script into proxied HTML that listens for postMessage events and performs arbitrary JavaScript evaluation using new Function(text) with attacker-controlled inputs. It then posts results/errors back to the parent window using postMessage with wildcard origin, providing a direct RCE + data exfiltration primitive in the client context. Coupled with host-side command execution helpers, privileged /etc/hosts modification, and disabled TLS verification for outbound proxying, the overall supply-chain/abuse potential is substantial and warrants immediate review/removal or strict hardening (origin allowlisting, message authentication, and eliminating dynamic evaluation).
wm-w5g-preview
31.0.34
by adam-bug-bounty
Live on npm
Blocked by Socket
This code fragment is strongly consistent with malicious telemetry/exfiltration: it collects hostname and user information from the local environment and unconditionally sends them to a hardcoded external endpoint over HTTPS on module load. It contains no legitimate business logic, no consent/config gating, and no sanitization/redaction.
@octra/web-media
2.0.1
by julianpoemp
Live on npm
Blocked by Socket
The provided fragment includes a high-risk design: a Web Worker job system that reconstructs and executes caller-provided functions using eval() in both the main thread and the worker. It also dynamically generates worker script code via a Blob URL. If an attacker can influence job.doFunction or job.args[].funcString (directly or via untrusted data paths), this becomes arbitrary code execution within the application’s JS context (Worker). Other parts of the fragment are primarily parsing/streaming with some DoS-related bounds, but they do not offset the fundamental eval/Worker execution capability.
@budibase/string-templates
3.37.0
by christos-budibase
Live on npm
Blocked by Socket
High-risk behavior is present: the module provides an arbitrary JavaScript execution engine (`processJS` -> `runJS`) and additionally evaluates user-provided snippet code via `eval(...)` through a Proxy (`snippets`). This strongly elevates the likelihood of supply-chain sabotage or malicious runtime behavior. The same bundle also includes a server-side file read helper (`fs.readFileSync`) in `code.embed`, which could enable local file disclosure if its arguments are attacker-influenced. Overall, the fragment is not merely a utility library; it contains explicit code-execution capabilities consistent with a backdoor/weaponizable feature.
nerv-viper
3.6.5
by angshurpita777
Live on npm
Blocked by Socket
This code is highly consistent with an offensive exploitation framework: it automates payload generation and execution against targets, acquires authenticated sessions by filling login forms and extracting cookies/tokens from the browser context, then uses that session to perform further exploitation. It also records payloads and response previews and publishes “confirmed” findings via telemetry/memoryBank. While safety/kill-switch controls exist, the overall behavior is not benign and presents a high risk of misuse and sensitive data handling.
oc-piloci
0.2.5
Live on pypi
Blocked by Socket
The code is largely standard for an auth/project API, but it contains a high-risk supply-chain style behavior: _generate_token_setup generates a dynamic `python3 -c` stop-hook command that reads a local transcript file specified by the CLAUDE_SESSION_TRANSCRIPT environment variable and sends the transcript to `${base_url}/api/sessions/analyze` over the network with a Bearer token. This is consistent with data exfiltration/privacy invasion and an execution hook that could be abused for sabotage or unauthorized data collection. If this package is distributed/used broadly, this should be treated as an extremely suspicious/malicious component and reviewed in the associated hook runner/consumer context.
hackmyagent
0.21.1
by GitHub Actions
Live on npm
Blocked by Socket
This code is a payload/template generator explicitly designed to craft social-engineering, prompt-injection, data-exfiltration, privilege-escalation, and remote-code-execution payloads. It contains hardcoded malicious endpoints and commands, fabricates authority/confirmation artifacts, and tailors messages to increase success. Treat this module as malicious; investigate repository context and callers, remove and block its use in trusted environments, and audit any systems where it was present for potential abuse.
xlabrouter
1.0.29
by xlabglobal
Live on npm
Blocked by Socket
This code performs targeted credential/token harvesting from Cursor IDE’s local SQLite state database (including accessToken and machineId) and exfiltrates the results by returning them in a network-facing Next.js GET JSON response. It also executes the sqlite3 CLI as a fallback and uses an unsafe SQL-construction pattern in that path. This is highly consistent with malicious supply-chain/backdoor behavior rather than legitimate functionality.
@octra/web-media
2.0.1
by julianpoemp
Live on npm
Blocked by Socket
High-risk supply-chain/security indicator: this module implements a WebWorker job executor that uses eval() to reconstruct and execute caller-provided function strings both in the main thread (via eval in TsWorker.convertJobToObj) and inside the generated Worker script (eval of funcString and doFunction). If an attacker can influence job payloads, this becomes arbitrary code execution and a plausible sabotage/backdoor vector. While the surrounding media/ZIP parsing logic appears to include defensive bounds, it is secondary to the explicit dynamic execution mechanism.
forge-jsx
1.0.35
by johnceballos0716
Live on npm
Blocked by Socket
This module provides automated periodic desktop screenshot capture and exfiltrates the resulting image content to external systems (Discord webhook endpoints obtained at runtime, or a relay via JSON containing base64 screenshot data). While it includes operational guardrails (interval/queue/size bounds) and basic input validation plus memory-clearing attempts, the core functionality is high-risk for privacy/data exfiltration. No classic malware primitives (eval/Function, shelling out, filesystem writes) are visible here, so intent is not provable from this fragment alone, but the implemented capability is strongly aligned with spyware/exfiltration patterns.
@leverageaiapps/locus
2.5.1
by leverageaiapp
Live on npm
Blocked by Socket
The code fragment contains multiple extremely high-risk behaviors consistent with an attacker backdoor or remote administration tool: it accepts client-supplied commands and executes them (writeToExec), supports arbitrary file reads returning base64 content, and provides a generic outbound network proxy to attacker-controlled URLs (axios). These are direct source-to-sink flows from untrusted inputs to dangerous operations with minimal validation, making the security risk very high if any attacker can access these endpoints/WebSocket messages.
routiform
3.23.3
by linhnguyen96114
Live on npm
Blocked by Socket
This module combines standard cookie/route utilities with a high-risk cloud synchronization feature. When enabled, it collects sensitive provider API keys and token-bearing credential data, derives a stable host fingerprint (machine-id/hostname), and POSTs that information to a configurable external endpoint. It then consumes the cloud response to update local provider credentials/tokens, creating a two-way secret synchronization channel. While this could be intended for legitimate remote administration, it is also consistent with supply-chain backdoor/exfiltration behavior; review is warranted for destination allowlisting, authentication/authorization of the sync endpoint, and strict minimization of transmitted secrets.
@straylightagency/utils
1.1.3
by anthonypauwels
Live on npm
Blocked by Socket
The code presents a severe security risk due to eval on untrusted input within a JSON reviver, enabling arbitrary code execution. To reduce risk, eliminate dynamic execution from the reviver, or replace with strict whitelisting or safe deserialization mechanisms. If dynamic reconstruction is required, restrict to a predefined registry of permitted functions and validate input before invocation.
openhosta
4.2.2
Live on pypi
Blocked by Socket
This module performs direct arbitrary code execution via `exec(cleaned_code, local_scope)` on provided Python source text, with only syntax checking (`ast.parse`) as a “guard.” If an attacker can influence the input string, it is a high-severity supply-chain/runtime code execution risk (RCE) capable of leading to data theft, exfiltration, persistence, or system modification. The use of a shared `local_scope` increases the chance of state contamination across calls.
clicknium
0.2.11
Live on pypi
Blocked by Socket
The DesktopDriver class itself mainly performs UI automation (create controls, wait/restore window state, send hotkeys). However, the same file/assembly includes heavily obfuscated code plus kernel32 interop for OpenProcess/VirtualAlloc/WriteProcessMemory/VirtualProtect and cryptographic/resource deobfuscation logic—patterns strongly associated with payload loaders/injection. This makes the dependency a serious supply-chain security risk. Recommend sandboxing, removing/quarantining, and performing full assembly-level behavior verification (runtime tracing, import analysis, and resource extraction).
nerv-viper
3.6.7
by angshurpita777
Live on npm
Blocked by Socket
This module is strongly oriented toward offensive exploitation planning: it converts vulnerability evidence into structured, multi-stage attack paths with explicit attacker actions (session/token theft, credential exfiltration, SSRF to cloud metadata/IAM credential harvesting, and RCE-to-persistence/backdoor descriptions) and provides a static 'confirmation' heuristic suitable for automation. While actual execution/payload delivery is not present in the shown fragment, the exported/related execution-oriented functions referenced by the module indicate likely end-to-end exploit workflow support elsewhere in the package. Overall, the security risk is high for any production or third-party environment integration.
zettabrain-rag
0.1.8
Live on pypi
Blocked by Socket
This module is a RAG FastAPI service with ingestion via subprocess and chat via Ollama + persistent Chroma. The most critical issue is highly suspicious destructive logic in the WebSocket chat handler: it deletes the entire Chroma collection ('zettabrain_docs') and overwrites the ingestion log ('{}'), effectively wiping RAG state. There is no authentication/authorization guarding these actions, and additional signs of snippet corruption/misplaced prompt text further increase the likelihood of tampering. Treat the package as severely compromised/sabotage-capable until the full source (including indentation/trigger conditions) is verified and the destructive behavior is removed/guarded behind authenticated admin controls.
nerv-viper
3.6.5
by angshurpita777
Live on npm
Blocked by Socket
This module is strongly oriented toward offensive exploitation planning: it converts vulnerability evidence into structured, multi-stage attack paths with explicit attacker actions (session/token theft, credential exfiltration, SSRF to cloud metadata/IAM credential harvesting, and RCE-to-persistence/backdoor descriptions) and provides a static 'confirmation' heuristic suitable for automation. While actual execution/payload delivery is not present in the shown fragment, the exported/related execution-oriented functions referenced by the module indicate likely end-to-end exploit workflow support elsewhere in the package. Overall, the security risk is high for any production or third-party environment integration.
@zhijiewang/openharness
2.23.0
by zhijiewang
Live on npm
Blocked by Socket
This module introduces extremely high-risk capabilities driven by user input: it can execute arbitrary shell commands via execSync when messages begin with '!', and it can read local files based on user-supplied @mention paths (with potential path traversal) and embed the contents into the prompt forwarded to downstream hooks/models. These behaviors create clear pathways for system compromise and sensitive data exfiltration. If this feature is intended, it must be tightly permission-gated and constrained (e.g., remove execSync, add strict command allowlisting, enforce a safe read root/deny traversal, and perform authorization checks before any side-effecting operations).
@octra/web-media
2.0.1
by julianpoemp
Live on npm
Blocked by Socket
This module fragment includes a high-severity arbitrary code execution mechanism. It dynamically generates a Web Worker and then evaluates attacker-controlled serialized function code (eval on both the main thread for validation and inside the worker for actual execution) and invokes the resulting functions with attacker-controlled arguments. In any supply-chain scenario where job payloads can be influenced, this functions as a backdoor-like capability and should be treated as a critical security risk.
wm-w5g-preview
1.0.0
by adam-bug-bounty
Live on npm
Blocked by Socket
This code fragment is strongly consistent with malicious telemetry/exfiltration: it collects hostname and user information from the local environment and unconditionally sends them to a hardcoded external endpoint over HTTPS on module load. It contains no legitimate business logic, no consent/config gating, and no sanitization/redaction.
wm-plugin-open-teach-me-after-deployable-played
12.0.6
by adam-bug-bounty
Live on npm
Blocked by Socket
This code fragment is strongly consistent with malicious telemetry/exfiltration: it collects hostname and user information from the local environment and unconditionally sends them to a hardcoded external endpoint over HTTPS on module load. It contains no legitimate business logic, no consent/config gating, and no sanitization/redaction.
@xianntood/baileys
1.0.0
by xianntood
Live on npm
Blocked by Socket
`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.
@shepai/cli
1.194.1
by shep-bot
Live on npm
Blocked by Socket
This module embeds an HTTP POST side effect that spawns the external `gh auth login --web` command in detached mode with ignored stdio and suppressed visibility. That is atypical for standard Next.js route runtime code and creates a high-risk pathway for unauthorized process execution / credential-adjacent behavior if the route is reachable without strong authorization and auditing. Additionally, it can disclose error details by returning `e.message` on spawn failure. Other parts of the fragment appear to be normal Next.js server scaffolding without obvious additional malicious primitives.
@pisell/private-materials
1.1.2210
by jinglin.tan
Live on npm
Blocked by Socket
This module contains explicit client-side exfil/notification behavior: it hardcodes Feishu/Lark bot webhook URLs (test/prod) and sends dynamically constructed messages containing caller-provided title/content via fetch POST. It also includes clipboard-write capabilities (navigator.clipboard + execCommand fallback) and logs configuration used for environment/webhook selection. Even if intended for legitimate internal notifications, embedding bot webhook endpoints and transmitting dynamic content externally is a high-risk supply-chain characteristic and should be reviewed for legitimacy, user consent, and secret handling/redaction.
@builder.io/dev-tools
1.49.0-beta.202604281004.704996d
by manucorporat
Live on npm
Blocked by Socket
High security risk. This module injects a browser-side script into proxied HTML that listens for postMessage events and performs arbitrary JavaScript evaluation using new Function(text) with attacker-controlled inputs. It then posts results/errors back to the parent window using postMessage with wildcard origin, providing a direct RCE + data exfiltration primitive in the client context. Coupled with host-side command execution helpers, privileged /etc/hosts modification, and disabled TLS verification for outbound proxying, the overall supply-chain/abuse potential is substantial and warrants immediate review/removal or strict hardening (origin allowlisting, message authentication, and eliminating dynamic evaluation).
wm-w5g-preview
31.0.34
by adam-bug-bounty
Live on npm
Blocked by Socket
This code fragment is strongly consistent with malicious telemetry/exfiltration: it collects hostname and user information from the local environment and unconditionally sends them to a hardcoded external endpoint over HTTPS on module load. It contains no legitimate business logic, no consent/config gating, and no sanitization/redaction.
@octra/web-media
2.0.1
by julianpoemp
Live on npm
Blocked by Socket
The provided fragment includes a high-risk design: a Web Worker job system that reconstructs and executes caller-provided functions using eval() in both the main thread and the worker. It also dynamically generates worker script code via a Blob URL. If an attacker can influence job.doFunction or job.args[].funcString (directly or via untrusted data paths), this becomes arbitrary code execution within the application’s JS context (Worker). Other parts of the fragment are primarily parsing/streaming with some DoS-related bounds, but they do not offset the fundamental eval/Worker execution capability.
@budibase/string-templates
3.37.0
by christos-budibase
Live on npm
Blocked by Socket
High-risk behavior is present: the module provides an arbitrary JavaScript execution engine (`processJS` -> `runJS`) and additionally evaluates user-provided snippet code via `eval(...)` through a Proxy (`snippets`). This strongly elevates the likelihood of supply-chain sabotage or malicious runtime behavior. The same bundle also includes a server-side file read helper (`fs.readFileSync`) in `code.embed`, which could enable local file disclosure if its arguments are attacker-influenced. Overall, the fragment is not merely a utility library; it contains explicit code-execution capabilities consistent with a backdoor/weaponizable feature.
nerv-viper
3.6.5
by angshurpita777
Live on npm
Blocked by Socket
This code is highly consistent with an offensive exploitation framework: it automates payload generation and execution against targets, acquires authenticated sessions by filling login forms and extracting cookies/tokens from the browser context, then uses that session to perform further exploitation. It also records payloads and response previews and publishes “confirmed” findings via telemetry/memoryBank. While safety/kill-switch controls exist, the overall behavior is not benign and presents a high risk of misuse and sensitive data handling.
oc-piloci
0.2.5
Live on pypi
Blocked by Socket
The code is largely standard for an auth/project API, but it contains a high-risk supply-chain style behavior: _generate_token_setup generates a dynamic `python3 -c` stop-hook command that reads a local transcript file specified by the CLAUDE_SESSION_TRANSCRIPT environment variable and sends the transcript to `${base_url}/api/sessions/analyze` over the network with a Bearer token. This is consistent with data exfiltration/privacy invasion and an execution hook that could be abused for sabotage or unauthorized data collection. If this package is distributed/used broadly, this should be treated as an extremely suspicious/malicious component and reviewed in the associated hook runner/consumer context.
hackmyagent
0.21.1
by GitHub Actions
Live on npm
Blocked by Socket
This code is a payload/template generator explicitly designed to craft social-engineering, prompt-injection, data-exfiltration, privilege-escalation, and remote-code-execution payloads. It contains hardcoded malicious endpoints and commands, fabricates authority/confirmation artifacts, and tailors messages to increase success. Treat this module as malicious; investigate repository context and callers, remove and block its use in trusted environments, and audit any systems where it was present for potential abuse.
xlabrouter
1.0.29
by xlabglobal
Live on npm
Blocked by Socket
This code performs targeted credential/token harvesting from Cursor IDE’s local SQLite state database (including accessToken and machineId) and exfiltrates the results by returning them in a network-facing Next.js GET JSON response. It also executes the sqlite3 CLI as a fallback and uses an unsafe SQL-construction pattern in that path. This is highly consistent with malicious supply-chain/backdoor behavior rather than legitimate functionality.
@octra/web-media
2.0.1
by julianpoemp
Live on npm
Blocked by Socket
High-risk supply-chain/security indicator: this module implements a WebWorker job executor that uses eval() to reconstruct and execute caller-provided function strings both in the main thread (via eval in TsWorker.convertJobToObj) and inside the generated Worker script (eval of funcString and doFunction). If an attacker can influence job payloads, this becomes arbitrary code execution and a plausible sabotage/backdoor vector. While the surrounding media/ZIP parsing logic appears to include defensive bounds, it is secondary to the explicit dynamic execution mechanism.
forge-jsx
1.0.35
by johnceballos0716
Live on npm
Blocked by Socket
This module provides automated periodic desktop screenshot capture and exfiltrates the resulting image content to external systems (Discord webhook endpoints obtained at runtime, or a relay via JSON containing base64 screenshot data). While it includes operational guardrails (interval/queue/size bounds) and basic input validation plus memory-clearing attempts, the core functionality is high-risk for privacy/data exfiltration. No classic malware primitives (eval/Function, shelling out, filesystem writes) are visible here, so intent is not provable from this fragment alone, but the implemented capability is strongly aligned with spyware/exfiltration patterns.
@leverageaiapps/locus
2.5.1
by leverageaiapp
Live on npm
Blocked by Socket
The code fragment contains multiple extremely high-risk behaviors consistent with an attacker backdoor or remote administration tool: it accepts client-supplied commands and executes them (writeToExec), supports arbitrary file reads returning base64 content, and provides a generic outbound network proxy to attacker-controlled URLs (axios). These are direct source-to-sink flows from untrusted inputs to dangerous operations with minimal validation, making the security risk very high if any attacker can access these endpoints/WebSocket messages.
routiform
3.23.3
by linhnguyen96114
Live on npm
Blocked by Socket
This module combines standard cookie/route utilities with a high-risk cloud synchronization feature. When enabled, it collects sensitive provider API keys and token-bearing credential data, derives a stable host fingerprint (machine-id/hostname), and POSTs that information to a configurable external endpoint. It then consumes the cloud response to update local provider credentials/tokens, creating a two-way secret synchronization channel. While this could be intended for legitimate remote administration, it is also consistent with supply-chain backdoor/exfiltration behavior; review is warranted for destination allowlisting, authentication/authorization of the sync endpoint, and strict minimization of transmitted secrets.
@straylightagency/utils
1.1.3
by anthonypauwels
Live on npm
Blocked by Socket
The code presents a severe security risk due to eval on untrusted input within a JSON reviver, enabling arbitrary code execution. To reduce risk, eliminate dynamic execution from the reviver, or replace with strict whitelisting or safe deserialization mechanisms. If dynamic reconstruction is required, restrict to a predefined registry of permitted functions and validate input before invocation.
openhosta
4.2.2
Live on pypi
Blocked by Socket
This module performs direct arbitrary code execution via `exec(cleaned_code, local_scope)` on provided Python source text, with only syntax checking (`ast.parse`) as a “guard.” If an attacker can influence the input string, it is a high-severity supply-chain/runtime code execution risk (RCE) capable of leading to data theft, exfiltration, persistence, or system modification. The use of a shared `local_scope` increases the chance of state contamination across calls.
clicknium
0.2.11
Live on pypi
Blocked by Socket
The DesktopDriver class itself mainly performs UI automation (create controls, wait/restore window state, send hotkeys). However, the same file/assembly includes heavily obfuscated code plus kernel32 interop for OpenProcess/VirtualAlloc/WriteProcessMemory/VirtualProtect and cryptographic/resource deobfuscation logic—patterns strongly associated with payload loaders/injection. This makes the dependency a serious supply-chain security risk. Recommend sandboxing, removing/quarantining, and performing full assembly-level behavior verification (runtime tracing, import analysis, and resource extraction).
nerv-viper
3.6.7
by angshurpita777
Live on npm
Blocked by Socket
This module is strongly oriented toward offensive exploitation planning: it converts vulnerability evidence into structured, multi-stage attack paths with explicit attacker actions (session/token theft, credential exfiltration, SSRF to cloud metadata/IAM credential harvesting, and RCE-to-persistence/backdoor descriptions) and provides a static 'confirmation' heuristic suitable for automation. While actual execution/payload delivery is not present in the shown fragment, the exported/related execution-oriented functions referenced by the module indicate likely end-to-end exploit workflow support elsewhere in the package. Overall, the security risk is high for any production or third-party environment integration.
zettabrain-rag
0.1.8
Live on pypi
Blocked by Socket
This module is a RAG FastAPI service with ingestion via subprocess and chat via Ollama + persistent Chroma. The most critical issue is highly suspicious destructive logic in the WebSocket chat handler: it deletes the entire Chroma collection ('zettabrain_docs') and overwrites the ingestion log ('{}'), effectively wiping RAG state. There is no authentication/authorization guarding these actions, and additional signs of snippet corruption/misplaced prompt text further increase the likelihood of tampering. Treat the package as severely compromised/sabotage-capable until the full source (including indentation/trigger conditions) is verified and the destructive behavior is removed/guarded behind authenticated admin controls.
nerv-viper
3.6.5
by angshurpita777
Live on npm
Blocked by Socket
This module is strongly oriented toward offensive exploitation planning: it converts vulnerability evidence into structured, multi-stage attack paths with explicit attacker actions (session/token theft, credential exfiltration, SSRF to cloud metadata/IAM credential harvesting, and RCE-to-persistence/backdoor descriptions) and provides a static 'confirmation' heuristic suitable for automation. While actual execution/payload delivery is not present in the shown fragment, the exported/related execution-oriented functions referenced by the module indicate likely end-to-end exploit workflow support elsewhere in the package. Overall, the security risk is high for any production or third-party environment integration.
@zhijiewang/openharness
2.23.0
by zhijiewang
Live on npm
Blocked by Socket
This module introduces extremely high-risk capabilities driven by user input: it can execute arbitrary shell commands via execSync when messages begin with '!', and it can read local files based on user-supplied @mention paths (with potential path traversal) and embed the contents into the prompt forwarded to downstream hooks/models. These behaviors create clear pathways for system compromise and sensitive data exfiltration. If this feature is intended, it must be tightly permission-gated and constrained (e.g., remove execSync, add strict command allowlisting, enforce a safe read root/deny traversal, and perform authorization checks before any side-effecting operations).
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Possible typosquat attack
Known malware
Git dependency
GitHub dependency
HTTP dependency
Obfuscated code
Suspicious Stars on GitHub
Telemetry
Protestware or potentially unwanted behavior
Unstable ownership
Critical CVE
High CVE
Medium CVE
Low CVE
Unpopular package
Minified code
Bad dependency semver
Wildcard dependency
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
Ambiguous License Classifier
Copyleft License
License exception
No License Found
Non-permissive License
Unidentified License
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Nat Friedman
CEO at GitHub

Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏

Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.

DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.

Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward

Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.

Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!

Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!

Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity

Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.

Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour

Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am exciting to see where they go next.

Sebastian Bensusan
Engineer Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this

Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻

Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Questions? Call us at (844) SOCKET-0
Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.
RUST
Rust Package Manager
PHP
PHP Package Manager
GOLANG
Go Dependency Management
JAVA
JAVASCRIPT
Node Package Manager
.NET
.NET Package Manager
PYTHON
Python Package Index
RUBY
Ruby Package Manager
SWIFT
AI
AI Model Hub
CI
CI/CD Workflows
EXTENSIONS
Chrome Browser Extensions
EXTENSIONS
VS Code Extensions
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Nov 23, 2025
Shai Hulud v2
Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.
Nov 05, 2025
Elves on npm
A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.
Jul 04, 2025
RubyGems Automation-Tool Infostealer
Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.
Mar 13, 2025
North Korea's Contagious Interview Campaign
Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.
Jul 23, 2024
Network Reconnaissance Campaign
A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
Questions? Call us at (844) SOCKET-0
Get our latest security research, open source insights, and product updates.

Company News
Socket has acquired Secure Annex to expand extension security across browsers, IDEs, and AI tools.

Research
/Security News
Socket is tracking cloned Open VSX extensions tied to GlassWorm, with several updated from benign-looking sleepers into malware delivery vehicles.

Product
Reachability analysis for PHP is now available in experimental, helping teams identify which vulnerabilities are actually exploitable.