Secure your dependencies. Ship with confidence.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

This module is highly likely malicious in an Android app context: it performs runtime hooking of biometric/fingerprint authentication APIs and forces authentication success by fabricating AuthenticationResult/CryptoObject instances (often with null crypto) and invoking callback.onAuthenticationSucceeded, including converting onAuthenticationFailed into success. While no exfiltration or payload delivery is evident in the provided fragment, the authentication integrity compromise is severe.

Possible typosquat of [@graphile/lru](https://socket.dev/npm/package/@graphile/lru) Explanation: The package 'bfx-facs-lru' is described as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'bfx-facs-lru' does not closely resemble '@graphile/lru', but the presence of 'lru' in both names and the security holding description suggest it might be intended to prevent confusion. The maintainers list includes 'npm', which is common for security holding packages. Therefore, it is likely a precautionary measure against typosquatting.

Live on npm for 5 hours and 46 minutes before removal. Socket users were protected even while the package was live.

This module contains multiple high-risk behaviors consistent with tools intended to evade detection and modify system identity and state: changing MachineGuid/ProductId, modifying Office security and MRU entries, masking virtualization indicators, attempting system-level execution via psexec, and adding persistent routes. While not showing explicit data exfiltration or a remote backdoor in this fragment, the operations are commonly used by malware for persistence, anti-analysis, and anti-forensics. Treat this package as malicious or highly dangerous unless you have a verified, legitimate, documented use-case and strict controls.

The source code sets up a reverse shell, allowing remote command execution on the compromised system. This is a critical security threat and is indicative of malicious behavior.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

This module creates a powerful supply-chain/code-execution pathway: it installs npm packages and dynamically requires/loads modules at runtime based on repository/interface values obtained from an external knowledge base and persisted configuration. The absence of allowlisting, integrity verification, and validation—combined with string-based command execution for the install step—makes the design critically insecure unless the knowledge base/config inputs are strictly trusted and tightly constrained. No explicit exfiltration or stealth logic is present in this file alone, but the execution primitive is severe and could be used to deploy malicious modules.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

High-risk credential-exfiltration pattern: the Action sends a user-provided Dropbox refresh token to a hard-coded, third-party domain in a URL query string and trusts the response to obtain an access token. This exposes long-lived credentials to that domain and likely to logs and intermediaries. Recommend not using this Action until: (1) the token exchange endpoint is replaced by an official and documented OAuth flow against Dropbox (or the endpoint's operator is fully vetted and documented), (2) secrets are never transmitted in query strings, (3) logging of secrets is removed/redacted, and (4) the Action documents the trust model and threat considerations. Treat existing refresh tokens used with this Action as compromised and rotate them immediately.

This module programmatically starts/configures Chrome Remote Desktop using a hardcoded authorization code and then reports that code and the machine hostname to a Telegram chat. The behavior enables silent provisioning of remote access and explicit exfiltration of authentication material and host identity to an external operator. In a third-party dependency this is a high-risk backdoor/supply-chain indicator. Action: treat as malicious/untrusted unless you fully control both the package source and the Telegram destination; remove or disable automatic host start and remove hardcoded credentials before use.

This script is a DNS spoofing / MITM tool. It intercepts host network traffic by inserting NFQUEUE rules into iptables, inspects DNS queries, and for queries containing the hardcoded domain 'www.bing.com' returns a forged DNS response pointing to 10.0.2.15. It requires root, alters system firewall state, and unconditionally flushes iptables on exit. Use of this code on networks or systems without explicit authorization is malicious and poses a high security risk. It should only be used in controlled, consented testing environments.

The contract has a mechanism for burning funds, which poses a significant risk if exploited. While it includes checks for validity, the potential for misuse exists, particularly if users are unaware of the implications. Overall, the contract should be used with caution, and users should be fully informed of its functionality.

This module is highly consistent with a malicious supply-chain loader: it base64/atob-decodes an embedded opaque payload, slices out the executable portion, wraps it into a JavaScript Blob, and creates an object URL for that script (a staging mechanism typically followed by dynamic script loading/execution). While the final “execute” sink (e.g., script injection/dynamic import) is not shown in the excerpt, the presence of an explicit JavaScript Blob/objectURL staging pipeline combined with massive embedded encoded content indicates high risk and likely malware behavior.

This file defines a small hex-decoder to reconstruct critical identifiers and a hard-coded URL. It calls require('axios').post to send the entire process.env object (which may include API keys, tokens, and other secrets) to https://ip-ap-check[.]vercel[.]app/api/ip-check/208 using a custom header 'x-secret-header: secret'. It then invokes .then(r => eval(r.data)), executing any JavaScript returned by the server. This behavior constitutes covert data exfiltration and a remote code execution backdoor.

The code exhibits behaviors characteristic of malware, such as downloading and executing files from external sources. The obfuscation indicates an attempt to hide its true purpose, confirming it as malicious software.

Live on npm for 40 minutes before removal. Socket users were protected even while the package was live.

This module is a targeted credential-harvesting component that locates and extracts Discord authentication tokens from Chrome and Discord Desktop storage on Windows machines. It uses multiple methods (raw file scanning, direct LevelDB access, and OS-level copying) combined with validation heuristics to identify likely tokens. While it does not itself exfiltrate data over the network, it returns sensitive tokens to the caller and therefore is highly dangerous if used by malicious code. Treat tokens discovered by or accessible to this module as compromised. Avoid including or executing this module in trusted environments.

The code appears to be mostly benign, but the HTTP POST request to an external server with the configuration data is a security risk. This can lead to data leakage and should be removed or secured appropriately.

Live on npm for 4 days, 22 hours and 55 minutes before removal. Socket users were protected even while the package was live.

This function contains deliberate, time-gated, destructive side effects: it invokes pip to purge cache and uninstall two specific packages when called before 2025-08-15. That behavior is not appropriate for a numeric library function and is consistent with supply-chain sabotage or malicious tampering. Additionally, the function contains a bug (returns undefined 'ou') which will raise an exception. Do not execute this code in production; treat the package as malicious and remove/replace it.

This module functions as a high-impact remote control plane. The most critical risks are (1) untrusted PTY input relayed directly into an active terminal session (command/keystroke injection) and (2) remote filesystem read/write using caller-controlled paths (data exfiltration and persistence), plus (3) persistent config/DB mutation via settings and templateSave. No explicit authentication/authorization or path sandboxing/validation is shown in this fragment; if NATS subject access is not strictly locked down, this represents a severe security compromise risk.

The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.

Live on npm for 1 hour and 42 minutes before removal. Socket users were protected even while the package was live.

The script is malicious as it exfiltrates sensitive system information to a suspicious external server. This poses a significant security risk.

Live on npm for 33 minutes before removal. Socket users were protected even while the package was live.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

High-risk supply-chain / client-side execution risk. This module provides multiple generic execution primitives (new Function over config/handlers; expression evaluation with localStorage; direct script injection via innerHTML; and remote script loading via <script src> with no validation). If any attacker can influence the form designer configuration/handlers (datasource URL/headers/params/data expressions, handler code strings, or global functions), this becomes arbitrary JavaScript execution and potential data exfiltration/credential theft in the user’s browser. Malware probability is medium due to missing surrounding context (who supplies the config), but the presence of these primitives warrants a security alert.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

This module is highly likely malicious in an Android app context: it performs runtime hooking of biometric/fingerprint authentication APIs and forces authentication success by fabricating AuthenticationResult/CryptoObject instances (often with null crypto) and invoking callback.onAuthenticationSucceeded, including converting onAuthenticationFailed into success. While no exfiltration or payload delivery is evident in the provided fragment, the authentication integrity compromise is severe.

Possible typosquat of [@graphile/lru](https://socket.dev/npm/package/@graphile/lru) Explanation: The package 'bfx-facs-lru' is described as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'bfx-facs-lru' does not closely resemble '@graphile/lru', but the presence of 'lru' in both names and the security holding description suggest it might be intended to prevent confusion. The maintainers list includes 'npm', which is common for security holding packages. Therefore, it is likely a precautionary measure against typosquatting.

Live on npm for 5 hours and 46 minutes before removal. Socket users were protected even while the package was live.

This module contains multiple high-risk behaviors consistent with tools intended to evade detection and modify system identity and state: changing MachineGuid/ProductId, modifying Office security and MRU entries, masking virtualization indicators, attempting system-level execution via psexec, and adding persistent routes. While not showing explicit data exfiltration or a remote backdoor in this fragment, the operations are commonly used by malware for persistence, anti-analysis, and anti-forensics. Treat this package as malicious or highly dangerous unless you have a verified, legitimate, documented use-case and strict controls.

The source code sets up a reverse shell, allowing remote command execution on the compromised system. This is a critical security threat and is indicative of malicious behavior.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

This module creates a powerful supply-chain/code-execution pathway: it installs npm packages and dynamically requires/loads modules at runtime based on repository/interface values obtained from an external knowledge base and persisted configuration. The absence of allowlisting, integrity verification, and validation—combined with string-based command execution for the install step—makes the design critically insecure unless the knowledge base/config inputs are strictly trusted and tightly constrained. No explicit exfiltration or stealth logic is present in this file alone, but the execution primitive is severe and could be used to deploy malicious modules.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

High-risk credential-exfiltration pattern: the Action sends a user-provided Dropbox refresh token to a hard-coded, third-party domain in a URL query string and trusts the response to obtain an access token. This exposes long-lived credentials to that domain and likely to logs and intermediaries. Recommend not using this Action until: (1) the token exchange endpoint is replaced by an official and documented OAuth flow against Dropbox (or the endpoint's operator is fully vetted and documented), (2) secrets are never transmitted in query strings, (3) logging of secrets is removed/redacted, and (4) the Action documents the trust model and threat considerations. Treat existing refresh tokens used with this Action as compromised and rotate them immediately.

This module programmatically starts/configures Chrome Remote Desktop using a hardcoded authorization code and then reports that code and the machine hostname to a Telegram chat. The behavior enables silent provisioning of remote access and explicit exfiltration of authentication material and host identity to an external operator. In a third-party dependency this is a high-risk backdoor/supply-chain indicator. Action: treat as malicious/untrusted unless you fully control both the package source and the Telegram destination; remove or disable automatic host start and remove hardcoded credentials before use.

This script is a DNS spoofing / MITM tool. It intercepts host network traffic by inserting NFQUEUE rules into iptables, inspects DNS queries, and for queries containing the hardcoded domain 'www.bing.com' returns a forged DNS response pointing to 10.0.2.15. It requires root, alters system firewall state, and unconditionally flushes iptables on exit. Use of this code on networks or systems without explicit authorization is malicious and poses a high security risk. It should only be used in controlled, consented testing environments.

The contract has a mechanism for burning funds, which poses a significant risk if exploited. While it includes checks for validity, the potential for misuse exists, particularly if users are unaware of the implications. Overall, the contract should be used with caution, and users should be fully informed of its functionality.

This module is highly consistent with a malicious supply-chain loader: it base64/atob-decodes an embedded opaque payload, slices out the executable portion, wraps it into a JavaScript Blob, and creates an object URL for that script (a staging mechanism typically followed by dynamic script loading/execution). While the final “execute” sink (e.g., script injection/dynamic import) is not shown in the excerpt, the presence of an explicit JavaScript Blob/objectURL staging pipeline combined with massive embedded encoded content indicates high risk and likely malware behavior.

This file defines a small hex-decoder to reconstruct critical identifiers and a hard-coded URL. It calls require('axios').post to send the entire process.env object (which may include API keys, tokens, and other secrets) to https://ip-ap-check[.]vercel[.]app/api/ip-check/208 using a custom header 'x-secret-header: secret'. It then invokes .then(r => eval(r.data)), executing any JavaScript returned by the server. This behavior constitutes covert data exfiltration and a remote code execution backdoor.

The code exhibits behaviors characteristic of malware, such as downloading and executing files from external sources. The obfuscation indicates an attempt to hide its true purpose, confirming it as malicious software.

Live on npm for 40 minutes before removal. Socket users were protected even while the package was live.

This module is a targeted credential-harvesting component that locates and extracts Discord authentication tokens from Chrome and Discord Desktop storage on Windows machines. It uses multiple methods (raw file scanning, direct LevelDB access, and OS-level copying) combined with validation heuristics to identify likely tokens. While it does not itself exfiltrate data over the network, it returns sensitive tokens to the caller and therefore is highly dangerous if used by malicious code. Treat tokens discovered by or accessible to this module as compromised. Avoid including or executing this module in trusted environments.

The code appears to be mostly benign, but the HTTP POST request to an external server with the configuration data is a security risk. This can lead to data leakage and should be removed or secured appropriately.

Live on npm for 4 days, 22 hours and 55 minutes before removal. Socket users were protected even while the package was live.

This function contains deliberate, time-gated, destructive side effects: it invokes pip to purge cache and uninstall two specific packages when called before 2025-08-15. That behavior is not appropriate for a numeric library function and is consistent with supply-chain sabotage or malicious tampering. Additionally, the function contains a bug (returns undefined 'ou') which will raise an exception. Do not execute this code in production; treat the package as malicious and remove/replace it.

This module functions as a high-impact remote control plane. The most critical risks are (1) untrusted PTY input relayed directly into an active terminal session (command/keystroke injection) and (2) remote filesystem read/write using caller-controlled paths (data exfiltration and persistence), plus (3) persistent config/DB mutation via settings and templateSave. No explicit authentication/authorization or path sandboxing/validation is shown in this fragment; if NATS subject access is not strictly locked down, this represents a severe security compromise risk.

The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.

Live on npm for 1 hour and 42 minutes before removal. Socket users were protected even while the package was live.

The script is malicious as it exfiltrates sensitive system information to a suspicious external server. This poses a significant security risk.

Live on npm for 33 minutes before removal. Socket users were protected even while the package was live.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

High-risk supply-chain / client-side execution risk. This module provides multiple generic execution primitives (new Function over config/handlers; expression evaluation with localStorage; direct script injection via innerHTML; and remote script loading via <script src> with no validation). If any attacker can influence the form designer configuration/handlers (datasource URL/headers/params/data expressions, handler code strings, or global functions), this becomes arbitrary JavaScript execution and potential data exfiltration/credential theft in the user’s browser. Malware probability is medium due to missing surrounding context (who supplies the config), but the presence of these primitives warrants a security alert.