Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

q-koa

13.3.5

by npmsugar

Live on npm

Blocked by Socket

The codebase exhibits critical risk primarily due to remote code execution surfaces (sandbox/onlineChat) that accept and execute client-supplied code, compounded by dynamic SQL/DDL generation and runtime module loading based on user input. While some endpoints perform ordinary admin-like tasks, the overall risk level is high and warrants removal or strict containment of dynamic execution paths, rigorous input validation/whitelisting, parameterized queries, and a hardened sandbox with strong isolation. Recommend eliminating VM execution of client code or restricting to a fully enclosed, audited policy, replacing dynamic SQL with ORM-safe operations, and enforcing strict input schemas.

@profoundlogic/coderflow-server

0.12.9

by profoundlogic

Live on npm

Blocked by Socket

This code implements high-risk remote container terminal control: it targets Docker containers based on URL-derived identifiers, executes an in-container interactive shell ('/bin/bash -l'), and forwards untrusted WebSocket JSON payloads into the container exec/attach stream for interactive command/IO relay. Additional environment/script path fragments suggest container environment manipulation/persistence-style behavior. Overall, it is strongly indicative of malicious remote access functionality.

react-linkify-wwwig

2.0.0

by atsectest0

Removed from npm

Blocked by Socket

This code implements a covert data exfiltration mechanism via DNS tunneling to a suspicious external domain (dataflow[.]postcss-theme-shorthand-sectest[.]cf), stealing sensitive system information (public IP address, hostname, and current working directory) without user consent. The malware works by chunking the collected data, encoding it as hexadecimal strings, and sending it as DNS queries to avoid detection by standard security monitoring. It explicitly adds public DNS servers (1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4) to ensure the DNS exfiltration succeeds. This implementation represents a sophisticated supply chain attack with data theft capability.

Live on npm for 5 hours and 26 minutes before removal. Socket users were protected even while the package was live.

solana

0.16.6

Live on cargo

Blocked by Socket

This code intentionally corrupts the last entry's PoH hash at slot end, persists the corrupted blobs to blocktree, and broadcasts them to the cluster. The behavior is a deliberate sabotage/backdoor that will cause validators to fail verification and can disrupt consensus. The module should be treated as malicious and removed or replaced. Immediate action: do not use this build, audit the repository history to find the introduction point, and treat any deployments that ran this code as suspect.

354766/inference-sh/agent-skills-registry/image-upscaling/

ec1ffe07c2ffd5564c7d036404295ec7fa08946c

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

The artifact is documentation for a legitimate image-upscaling workflow that depends on a third-party CLI (infsh) and cloud-hosted inference backends. There is no explicit malicious code or hardcoded secrets in the provided text, but the distribution and execution model (curl | sh installer and running downloaded native binaries that transport images and tokens to remote services) present significant supply-chain and privacy risks. If you cannot trust inference.sh or need to protect sensitive images/credentials, avoid this flow or require manual verification of installer binaries and tighter operational controls.

LLM verification: Not outright malware, but contains a high-risk supply-chain/install pattern. The skill legitimately describes running a remote CLI and sending images to a cloud service, which matches its stated purpose. However, the explicit recommendation to run `curl https://cli.inference.sh | sh` (download-and-execute) and to run `infsh login` (which will collect credentials) are supply-chain and credential-risk vectors. Treat this skill as suspicious: verify the installer checksum manually before executing,

makuro

2.1.2

by malik_kurosaki

Live on npm

Blocked by Socket

This module implements a remote-controlled code loader: it fetches a remote config, chooses a remote host, downloads JavaScript modules from that host via require-from-url/sync, and executes them with local configuration. That is effectively arbitrary remote code execution and constitutes a high-risk backdoor/supply-chain capability. If the remote server is malicious or compromised, an attacker can run arbitrary actions on any machine that runs this script. Use is unsafe in untrusted environments and should be treated as malicious/unacceptable unless you fully trust and can cryptographically verify the remote endpoint and payloads.

@misterhuydo/sentinel

1.6.3

by misterhuydo

Live on npm

Blocked by Socket

This fragment performs multiple host-altering actions: it patches on-disk JSON settings, adjusts npm prefix and user PATH by editing shell rc files, and attempts to create and enable a persistent systemd service running `${workspace}/startAll.sh` (with sudo). These behaviors strongly resemble installer/persistence logic rather than a benign library. Without seeing the rest of the module (especially what startAll.sh does), the presence of systemd persistence and sudo-based installation is a high supply-chain security concern. Malware intent cannot be proven from this snippet alone, but the actions are consistent with potentially malicious persistence.

anipick

1.6.8

Live on pypi

Blocked by Socket

This file contains deliberate obfuscation and executes base64-decoded payloads via eval(compile(...,'exec')) both at import and during class instantiation. That pattern allows arbitrary, hidden code to run and is a high-risk supply-chain indicator. Treat the package as unsafe: do not import or instantiate HGEN until the decoded payloads are fully decoded and audited line-by-line. If possible, extract and statically review the base64/rot13-decoded payloads in a safe, isolated environment before running.

tx-engine

0.5.9

Live on pypi

Blocked by Socket

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

molli

1.2.1

Live on pypi

Blocked by Socket

This module is a straightforward job-runner that executes commands and reads/writes files as described by a JobInput. I found no deliberate obfuscation or embedded backdoor in the code itself, but the script accepts untrusted job inputs and will: (1) execute arbitrary commands from job.commands, (2) write files to paths provided in job.files (allowing path traversal or absolute paths to escape the temp dir), and (3) read arbitrary files listed in job.return_files and include them in the output. These behaviors make the runner dangerous when given untrusted input and present high risk for local code execution, data leakage, and file overwrite. Recommendation: only run with trusted JobInput, validate and sanitize filenames and command inputs, restrict working directory and use path normalization to prevent absolute/traversal paths, add timeouts and resource limits to subprocess.run, and consider stronger sandboxing (containers, limited privileges).

hl-track-report

0.0.4

by coderxhr

Live on npm

Blocked by Socket

The code implements a client-side tracking system that collects and encrypts user interaction and device data, sending it to a hardcoded private IP address. The use of static cryptographic keys and secrets, combined with silent data exfiltration, constitutes a moderate to high security risk and potential privacy violation. While no explicit malware such as backdoors or system damage is present, the behavior aligns with spyware or covert telemetry. Users should be warned about privacy implications, and the package should be treated as suspicious in software supply chains.

itbkoxvznyeckshu

0.0.69

by mblfsnovgyzi

Removed from npm

Blocked by Socket

This package is intended to run a Monero miner (native executable invocation present) and runs npm install inside a nested server folder during postinstall. Installing it will likely consume host resources, potentially download or build native code, and could execute native binaries. This is high-risk and likely malicious/unwanted in most contexts. Do not install or run in production systems; inspect the 'server' subdirectory and any included binaries; analyze network behavior in a sandbox if needed.

Live on npm for 3 hours and 17 minutes before removal. Socket users were protected even while the package was live.

@certe/atmos-physics

0.3.0

by certesolutions

Live on npm

Blocked by Socket

The code path is largely legitimate for hinge joint setup but includes a suspicious, conditional memory patch that mutates serialized JointData in WebAssembly memory. This presents a backdoor-like or side-channel risk if the offset or injected byte has downstream, undocumented effects. Requires authoritative clarification of getLockedAxesOffset semantics and justification for writing 0x37, plus auditing of all callers of JointData.raw to ensure data integrity and predictable behavior.

@hbmodsofc/baileys

2.3.0

Live on npm

Blocked by Socket

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

euroeval

16.9.0

Live on pypi

Blocked by Socket

This code contains high-risk patterns for supply-chain/remote-code-execution attacks: it uses a hardcoded (obfuscated) token to download a repository and then unpickles a file (pipeline.pkl) from that repository using cloudpickle.load without any integrity checks. That creates a straightforward remote code execution vector if the repository contents are or become malicious or if the token or repo is compromised. The dataset preprocessing code is benign, but the deserialization of remote content makes this module unsafe to run in untrusted environments. Recommend removing cloudpickle.load of remote files, verifying signatures/checksums, using safer serialization formats, and removing hardcoded credentials.

pikatgbot

1.3.3

Live on pypi

Blocked by Socket

The code fragment contains explicit high-risk capabilities (remote code execution via _eval/aexec and shell execution via _bash) alongside extensive admin/chat management features. If exposed to untrusted input or deployed publicly, it presents a substantial security risk including potential remote code execution, data exfiltration, and abuse of chat administration functions. Absent strong input sandboxing, strict access controls, and minimization of dangerous features, this package is not safe for public distribution in its current form.

custrmtkinter

1.0.0

Live on pypi

Blocked by Socket

This setup.py implements an install-time backdoor: it decrypts a hardcoded ciphertext with a hardcoded Fernet key and exec()s the result during installation on Windows. The code is highly suspicious and consistent with a supply-chain attack (dropper/backdoor). The package should be considered malicious: do not install it, remove any installations, and investigate affected systems. Further dynamic analysis of the decrypted payload in a controlled sandbox is required to enumerate its exact malicious actions.

cherryblossom

0.1.3

Live on pypi

Blocked by Socket

This code implements a network-based loader: it decrypts a private SSH key (using a symmetric key that is hard-coded in the script), connects to a specific remote host as a specific user, downloads a directory of Python modules via SCP into a hidden local folder, reads those files into memory and then removes the local copy. That behavior is characteristic of a dynamic updater/backdoor/loader and is high risk in a supply-chain context. The presence of a hard-coded Fernet key and hard-coded remote host/user increases the chance this is used to provide remote code to the environment that runs the script. While the snippet itself does not show an explicit payload execution or exfiltration, the ability to fetch and load arbitrary remote modules is sufficient to consider this potentially malicious or at least dangerous. I recommend treating the package as untrusted until provenance and intent are validated; remove hard-coded secrets, remove automatic remote pulls, or require explicit human authorization with secure key management if remote updates are necessary.

@volcengine/veplayer-plugin

2.10.4-rc.1

by xiongxiong.001

Live on npm

Blocked by Socket

High risk due to an opaque base64-encoded payload loaded as a Worker (encodedJs). While the surrounding WebRTC logic may be legitimate, the encoded payload constitutes a potential backdoor or covert functionality that is not verifiable from the visible source. Recommend removing or substituting the encoded Worker with a transparent, auditable implementation and conducting a thorough review of the Worker’s contents. Until confirmed safe, treat the package as a security risk requiring remediation.

gcworld/orm

6.4.15

Live on composer

Blocked by Socket

The script redirects Git hook execution to an external directory, creating a high-risk supply-chain and runtime vector. It is dangerous in most environments unless the external hooks are tightly controlled, versioned, and validated. Best practice would be to avoid such redirection; if necessary, implement explicit user consent, integrity verification (e.g., signed hooks), and allowlisting of trusted hooks, or revert to repository-contained hooks.

github.com/cilium/cilium

v1.7.0-rc2.0.20200508145654-e3688fb22e1b

Live on go

Blocked by Socket

This script performs an explicit, high-impact destructive operation: it replaces cilium-related images in a target registry with busybox by tagging and pushing. It lacks input validation, safeguards, logging, and does not verify intent or authorization. In contexts where it can be run with registry push credentials (e.g., CI/CD runners, developer machines), it represents a severe supply-chain sabotage risk and should be treated as malicious/untrusted unless its use is tightly controlled and authorized. Remove from automation or add strict validation, authentication checks, confirmation, and non-destructive alternatives (e.g., using registry lifecycle APIs with auditability).

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.




Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.


RUST: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

GOLANG: Go Modules (Go Dependency Management)

JAVA: Maven Central

JAVASCRIPT: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

PYTHON: PyPI (Python Package Index)

RUBY: RubyGems.org (Ruby Package Manager)

SWIFT: Swift

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)

EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, some of them mentioning a capture-the-flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.



The latest from the Socket team

Get our latest security research, open source insights, and product updates.
