Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

sbcli-lvol-ha

1.0.1

Live on pypi

Blocked by Socket

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

cave.windows

2.0.0-ci-20210627-2

by Andreas Rohleder

Live on nuget

Blocked by Socket

This module contains multiple high-risk surveillance and system-interaction primitives, notably global low-level keyboard/mouse hooks (potential keylogging), window/desktop capture (screenshot capability), and process memory interrogation (data harvesting). It also includes impersonated process launching and network drive/printer mapping using plaintext credentials. While the code may be intended as a Windows interop library, the specific combination of capabilities strongly aligns with spyware/abuse potential; therefore it warrants serious review and is not safe by default for sensitive environments.

fsd

0.1.591

Removed from pypi

Blocked by Socket

This module zips a local directory and uploads it to a specific S3 bucket. The code contains hardcoded AWS credentials and a hardcoded bucket name, which is a severe security issue and could enable data exfiltration if these credentials are valid. There are additional problems: a likely return-value bug (undefined variable s3_ke), possible insufficient path-safety around symlinks, and verbose logging of paths. There is no evidence of obfuscation or active payloads like reverse shells or eval-based code execution. Treat this package as high-risk until credentials are removed/rotated and the code is corrected and reviewed.

Live on pypi for 5 days, 8 hours and 10 minutes before removal. Socket users were protected even while the package was live.

n8n-nodes-xkwqpzrt-jmflhvbn-dsyocgxwmkelpt

0.1.2

Live on npm

Blocked by Socket

This module implements a remote-validated node: it collects system identifiers and sends them together with the stored x2Api credential to a remote validator before allowing operations. That behavior is a privacy/credential-exfiltration and availability risk (remote gating). The obfuscation of strings and control flow raises suspicion and hinders auditability. While not an obvious active malware (no reverse shell or destructive code), the credential exfiltration pattern makes this a notable supply-chain risk: treat the remote validator as untrusted until the endpoint and purpose are verified, avoid use in sensitive environments, and audit the unobfuscated package source, package metadata, and handler modules for additional network activity or persistence.

@kbr-gmbh/kbr-ebus

2.3.0-dev.8

by kbradmin

Live on npm

Blocked by Socket

The code executes a bundled shell script with sudo during runtime, which is a high-risk supply-chain behavior. The snippet itself does not show explicit data exfiltration or obfuscation, but because it runs a privileged shell script with no validation or user prompt, it can perform arbitrary malicious actions depending on the script contents. Review the contents of bash/postinstall.sh and avoid running this package in environments where elevated privileges or sensitive data are present.

oimbot

10.5.0

Live on pypi

Blocked by Socket

The code exhibits remote-configurable bot control with privilege management and persistence mechanisms, which together create meaningful abuse potential and supply-chain-like risk if tampered or deployed in uncontrolled environments. While some functionality aligns with legitimate automation, the remote admin/password flow and ability to alter party state remotely constitute a backdoor-like capability. Treat as high-risk; require strict authentication, remove remote password provisioning, harden admin management, audit external endpoints, and limit self-restart behaviors. A thorough code audit and containment in a trusted build process are recommended.

mtmai

0.7.11

Live on pypi

Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

github.com/XiaomingX/data-cve-poc

v0.0.0-20250123002740-ed79d10af151

Live on go

Blocked by Socket

This snippet is strongly indicative of exploit/PoC automation against a WordPress REST API endpoint related to theme/plugin import/installation. It crafts JSON parameters including plugin PHP path references and sends them to the target endpoint, then prints the full server response to confirm effects. There is no evidence of local malware behavior in this fragment, but the outbound action and payload structure present a high security risk in real-world usage. Impact depends on the target system’s WordPress/plugin configuration and access controls.

354766/inf-sh/skills/remotion-render/

b5ab6c4d0d18641924436aa75648a6de76c6d259

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:

[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]

[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill description is functionally consistent with its stated purpose: it uploads user-supplied Remotion TSX to inference.sh for server-side rendering and returns a video. There are no explicit malicious code patterns in the provided text. The main security risks are: (1) users uploading sensitive data or secrets in the 'code' or 'props' fields (everything is sent to a third-party service), and (2) the installer pattern (curl | sh) which relies on user verification of checksums. Recommend documenting a clear warning to never include secrets in inputs, encouraging checksum verification, and offering a self-hosting option if users cannot trust a third-party service. Overall I find no evidence of obfuscated or intentionally malicious code in this skill description, but the centralized remote execution model creates a moderate supply-chain/privacy risk.

LLM verification: Summary: The skill’s stated purpose (remote rendering of Remotion TSX to MP4) matches its capabilities and examples. The primary security concerns are operational: (1) documentation suggests running curl | sh which executes a remote installer, and (2) the service accepts arbitrary TSX code and props that are sent to inference.sh/dist.inference.sh for rendering, creating a potential data-exfiltration/privacy risk if inputs contain secrets. I found no clear indicators of malware or obfuscation in

airbnb-dev

9.9.0

by jpdtest1

Removed from npm

Blocked by Socket

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 15 hours and 58 minutes before removal. Socket users were protected even while the package was live.

lgblkb-tools

0.2.63

Live on pypi

Blocked by Socket

This module contains clear capability to read an arbitrary local file (hardcoded path in main) and upload it to a remote Telegram chat using an embedded bot token and chat id. The embedded credential and automatic upload constitute a high risk of data exfiltration if the code is run or distributed. Treat the token as compromised, revoke it, and remediate by removing hardcoded secrets and adding authentication/confirmation and secure secret management before trusting or publishing this code.

gitcidi

0.0.33

Live on pypi

Blocked by Socket

This code contains multiple high-risk behaviors consistent with a supply-chain/backdoor pattern: it retrieves a GitHub token from a remote service, uses it to create a repository webhook pointing to a hardcoded external IP (which will receive future repository webhook payloads), stores credentials locally, and implements a periodic contact to the same remote IP (beacon). Even if some file I/O has bugs, the intent and network interactions present a serious risk of data exfiltration and unauthorized repository modification. Avoid running this code; treat the package as malicious or compromised.

zhmiscellany

5.8.6

Live on pypi

Blocked by Socket

This module implements a Discord token stealer and account-abuse toolkit. It enumerates LOCALAPPDATA and APPDATA to locate Discord and Chromium-based browser profiles, reads the “Local State” file to extract an encrypted master key, parses LevelDB files for strings prefixed with “dQw4w9WgXcQ:”, base64-decodes and AES-GCM-decrypts them via win32crypt.CryptUnprotectData to recover user tokens. Recovered tokens are validated by calling https://discordapp[.]com/api/v6/users/@me, then cached locally. The code exposes numerous functions that accept a user_token and perform actions on behalf of the victim—sending messages, adding reactions, generating invites, listing channels/guilds, fetching DM channels, etc.—via Discord API endpoints (e.g., https://discord[.]com/api/v9/...). This enables stealth credential theft, unauthorized account actions, and potential automated abuse if executed on a user’s system.

mtmai

0.3.1530

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

reasoning-deployment-service

0.6.0

Removed from pypi

Blocked by Socket

This module intentionally performs high-risk operations: installing user-specified packages, staging and uploading local code, and executing the agent module in-process. If the provided agent code or requirements are untrusted, they can execute arbitrary actions (data access, exfiltration, spawning processes, network calls). The code is not itself obfuscated or clearly malicious, but it provides functionality that can be abused as a supply-chain or remote-execution vector. Recommendations: only run this with trusted agent code and vetted requirements; avoid executing untrusted modules in-process; consider performing static checks, running the agent code inside a strongly isolated sandbox/container, and preventing upload of sensitive files beyond the explicit excludes.

Live on pypi for 8 hours and 46 minutes before removal. Socket users were protected even while the package was live.

luksdk-web

1.1.7

by luksdk

Live on npm

Blocked by Socket

The analyzed fragment demonstrates sophisticated, runtime interception and rewriting of iframe-loaded assets and engine resources. It maps and serves resources from blob URLs, overrides core DOM/network APIs, and reports engine-version details back to a parent frame to conditionally apply engine-specific hacks. This constitutes a high-risk, potentially malicious supply-chain vector or backdoor mechanism, especially if delivered in public dependencies without explicit opt-in. Recommended action is to treat as high-risk, audit provenance, and remove or disable interception unless a rigorous, transparent opt-in and security review are in place.

vaultdweller

0.2.3

Live on pypi

Blocked by Socket

The module implements advanced (and powerful) serialization/unserialization logic. It contains multiple constructs that allow arbitrary code execution and filesystem/native interactions during unpickling (eval(), reconstruction of CodeType/FunctionType, file handle creation with writes, ctypes PyCapsule handling, and subprocess invocation in a helper). These behaviors are expected for a library like dill but make deserializing untrusted input unsafe. I found no explicit hardcoded secrets, network exfiltration endpoints, or intentionally obfuscated malicious payloads. Overall: not obviously malicious as a supply-chain backdoor, but inherently dangerous if used with untrusted data — treat pickles from untrusted sources as remote code execution hazards.

overstock-login-layer

3.6.3

Removed from npm

Blocked by Socket

This code is malicious or at minimum highly malicious-looking: it harvests a wide range of sensitive local and cloud metadata (environment variables, /etc/passwd, command outputs, network interface details, EC2 metadata including IAM paths) and transmits the collected data to a hard-coded external host. The presence of EC2 metadata queries targeting IAM/security-credentials is particularly concerning for credential exfiltration. Treat this module as compromise-worthy: do not run on production or sensitive systems, remove and investigate any occurrences, and rotate any exposed secrets or cloud credentials if this ran in your environment.

Live on npm for 1 day, 6 hours and 28 minutes before removal. Socket users were protected even while the package was live.

cra-docs

7.999.51

by mohamedlol

Removed from npm

Blocked by Socket

The code exhibits clear signs of malicious behavior by collecting and transmitting sensitive system information to a suspicious domain. This poses a significant security risk.

Live on npm for 24 minutes before removal. Socket users were protected even while the package was live.

internallib_v962

1.0.3

by joaoxxx

Live on npm

Blocked by Socket

The snippet constitutes a backdoor-like payload: it fetches a remote script from a hardcoded URL and executes it with the system shell, granting broad remote control. This is a severe supply-chain/security risk if bundled with an application. Immediate remediation includes removing the exec-based remote code execution pattern, validating and sanitizing all code paths, and avoiding any dynamic execution of remote content.

colors-design

1.4.2

by kingdevil

Removed from npm

Blocked by Socket

The code is clearly malicious, engaging in data theft by collecting sensitive tokens and system information and sending it to an external server. The obfuscation further indicates an attempt to hide malicious intent.

Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.

azure-graphrbac

4.8.8

Removed from npm

Blocked by Socket

Possible typosquat of [azure](https://socket.dev/npm/package/azure).

Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat.

azure-graphrbac is a security-holding package.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

sbcli-lvol-ha

1.0.1

Live on pypi

Blocked by Socket

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

cave.windows

2.0.0-ci-20210627-2

by Andreas Rohleder

Live on nuget

Blocked by Socket

This module contains multiple high-risk surveillance and system-interaction primitives, notably global low-level keyboard/mouse hooks (potential keylogging), window/desktop capture (screenshot capability), and process memory interrogation (data harvesting). It also includes impersonated process launching and network drive/printer mapping using plaintext credentials. While the code may be intended as a Windows interop library, the specific combination of capabilities strongly aligns with spyware/abuse potential; therefore it warrants serious review and is not safe by default for sensitive environments.

fsd

0.1.591

Removed from pypi

Blocked by Socket

This module zips a local directory and uploads it to a specific S3 bucket. The code contains hardcoded AWS credentials and a hardcoded bucket name, which is a severe security issue and could enable data exfiltration if these credentials are valid. There are additional problems: a likely return-value bug (undefined variable s3_ke), possible insufficient path-safety around symlinks, and verbose logging of paths. There is no evidence of obfuscation or active payloads like reverse shells or eval-based code execution. Treat this package as high-risk until credentials are removed/rotated and the code is corrected and reviewed.

Live on pypi for 5 days, 8 hours and 10 minutes before removal. Socket users were protected even while the package was live.

n8n-nodes-xkwqpzrt-jmflhvbn-dsyocgxwmkelpt

0.1.2

Live on npm

Blocked by Socket

This module implements a remote-validated node: it collects system identifiers and sends them together with the stored x2Api credential to a remote validator before allowing operations. That behavior is a privacy/credential-exfiltration and availability risk (remote gating). The obfuscation of strings and control flow raises suspicion and hinders auditability. While not an obvious active malware (no reverse shell or destructive code), the credential exfiltration pattern makes this a notable supply-chain risk: treat the remote validator as untrusted until the endpoint and purpose are verified, avoid use in sensitive environments, and audit the unobfuscated package source, package metadata, and handler modules for additional network activity or persistence.

@kbr-gmbh/kbr-ebus

2.3.0-dev.8

by kbradmin

Live on npm

Blocked by Socket

The code executes a bundled shell script with sudo during runtime, which is a high-risk supply-chain behavior. The snippet itself does not show explicit data exfiltration or obfuscation, but because it runs a privileged shell script with no validation or user prompt, it can perform arbitrary malicious actions depending on the script contents. Review the contents of bash/postinstall.sh and avoid running this package in environments where elevated privileges or sensitive data are present.

oimbot

10.5.0

Live on pypi

Blocked by Socket

The code exhibits remote-configurable bot control with privilege management and persistence mechanisms, which together create meaningful abuse potential and supply-chain-like risk if tampered or deployed in uncontrolled environments. While some functionality aligns with legitimate automation, the remote admin/password flow and ability to alter party state remotely constitute a backdoor-like capability. Treat as high-risk; require strict authentication, remove remote password provisioning, harden admin management, audit external endpoints, and limit self-restart behaviors. A thorough code audit and containment in a trusted build process are recommended.

mtmai

0.7.11

Live on pypi

Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

github.com/XiaomingX/data-cve-poc

v0.0.0-20250123002740-ed79d10af151

Live on go

Blocked by Socket

This snippet is strongly indicative of exploit/PoC automation against a WordPress REST API endpoint related to theme/plugin import/installation. It crafts JSON parameters including plugin PHP path references and sends them to the target endpoint, then prints the full server response to confirm effects. There is no evidence of local malware behavior in this fragment, but the outbound action and payload structure present a high security risk in real-world usage. Impact depends on the target system’s WordPress/plugin configuration and access controls.

354766/inf-sh/skills/remotion-render/

b5ab6c4d0d18641924436aa75648a6de76c6d259

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This skill description is functionally consistent with its stated purpose: it uploads user-supplied Remotion TSX to inference.sh for server-side rendering and returns a video. There are no explicit malicious code patterns in the provided text. The main security risks are: (1) users uploading sensitive data or secrets in the 'code' or 'props' fields (everything is sent to a third-party service), and (2) the installer pattern (curl | sh) which relies on user verification of checksums. Recommend documenting a clear warning to never include secrets in inputs, encouraging checksum verification, and offering a self-hosting option if users cannot trust a third-party service. Overall I find no evidence of obfuscated or intentionally malicious code in this skill description, but the centralized remote execution model creates a moderate supply-chain/privacy risk. LLM verification: Summary: The skill’s stated purpose (remote rendering of Remotion TSX to MP4) matches its capabilities and examples. The primary security concerns are operational: (1) documentation suggests running curl | sh which executes a remote installer, and (2) the service accepts arbitrary TSX code and props that are sent to inference.sh/dist.inference.sh for rendering, creating a potential data-exfiltration/privacy risk if inputs contain secrets. I found no clear indicators of malware or obfuscation in

airbnb-dev

9.9.0

by jpdtest1

Removed from npm

Blocked by Socket

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 15 hours and 58 minutes before removal. Socket users were protected even while the package was live.

lgblkb-tools

0.2.63

Live on pypi

Blocked by Socket

This module contains clear capability to read an arbitrary local file (hardcoded path in main) and upload it to a remote Telegram chat using an embedded bot token and chat id. The embedded credential and automatic upload constitute a high risk of data exfiltration if the code is run or distributed. Treat the token as compromised, revoke it, and remediate by removing hardcoded secrets and adding authentication/confirmation and secure secret management before trusting or publishing this code.

gitcidi

0.0.33

Live on pypi

Blocked by Socket

This code contains multiple high-risk behaviors consistent with a supply-chain/backdoor pattern: it retrieves a GitHub token from a remote service, uses it to create a repository webhook pointing to a hardcoded external IP (which will receive future repository webhook payloads), stores credentials locally, and implements a periodic contact to the same remote IP (beacon). Even if some file I/O has bugs, the intent and network interactions present a serious risk of data exfiltration and unauthorized repository modification. Avoid running this code; treat the package as malicious or compromised.

zhmiscellany

5.8.6

Live on pypi

Blocked by Socket

This module implements a Discord token stealer and account-abuse toolkit. It enumerates LOCALAPPDATA and APPDATA to locate Discord and Chromium-based browser profiles, reads the “Local State” file to extract an encrypted master key, parses LevelDB files for strings prefixed with “dQw4w9WgXcQ:”, base64-decodes and AES-GCM-decrypts them via win32crypt.CryptUnprotectData to recover user tokens. Recovered tokens are validated by calling https://discordapp[.]com/api/v6/users/@me, then cached locally. The code exposes numerous functions that accept a user_token and perform actions on behalf of the victim—sending messages, adding reactions, generating invites, listing channels/guilds, fetching DM channels, etc.—via Discord API endpoints (e.g., https://discord[.]com/api/v9/...). This enables stealth credential theft, unauthorized account actions, and potential automated abuse if executed on a user’s system.

mtmai

0.3.1530

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

reasoning-deployment-service

0.6.0

Removed from pypi

Blocked by Socket

This module intentionally performs high-risk operations: installing user-specified packages, staging and uploading local code, and executing the agent module in-process. If the provided agent code or requirements are untrusted, they can execute arbitrary actions (data access, exfiltration, spawning processes, network calls). The code is not itself obfuscated or clearly malicious, but it provides functionality that can be abused as a supply-chain or remote-execution vector. Recommendations: only run this with trusted agent code and vetted requirements; avoid executing untrusted modules in-process; consider performing static checks, running the agent code inside a strongly isolated sandbox/container, and preventing upload of sensitive files beyond the explicit excludes.

Live on pypi for 8 hours and 46 minutes before removal. Socket users were protected even while the package was live.

luksdk-web

1.1.7

by luksdk

Live on npm

Blocked by Socket

The analyzed fragment demonstrates sophisticated, runtime interception and rewriting of iframe-loaded assets and engine resources. It maps and serves resources from blob URLs, overrides core DOM/network APIs, and reports engine-version details back to a parent frame to conditionally apply engine-specific hacks. This constitutes a high-risk, potentially malicious supply-chain vector or backdoor mechanism, especially if delivered in public dependencies without explicit opt-in. Recommended action is to treat as high-risk, audit provenance, and remove or disable interception unless a rigorous, transparent opt-in and security review are in place.

vaultdweller

0.2.3

Live on pypi

Blocked by Socket

The module implements advanced (and powerful) serialization/unserialization logic. It contains multiple constructs that allow arbitrary code execution and filesystem/native interactions during unpickling (eval(), reconstruction of CodeType/FunctionType, file handle creation with writes, ctypes PyCapsule handling, and subprocess invocation in a helper). These behaviors are expected for a library like dill but make deserializing untrusted input unsafe. I found no explicit hardcoded secrets, network exfiltration endpoints, or intentionally obfuscated malicious payloads. Overall: not obviously malicious as a supply-chain backdoor, but inherently dangerous if used with untrusted data — treat pickles from untrusted sources as remote code execution hazards.

overstock-login-layer

3.6.3

Removed from npm

Blocked by Socket

This code is malicious or at minimum highly malicious-looking: it harvests a wide range of sensitive local and cloud metadata (environment variables, /etc/passwd, command outputs, network interface details, EC2 metadata including IAM paths) and transmits the collected data to a hard-coded external host. The presence of EC2 metadata queries targeting IAM/security-credentials is particularly concerning for credential exfiltration. Treat this module as compromise-worthy: do not run on production or sensitive systems, remove and investigate any occurrences, and rotate any exposed secrets or cloud credentials if this ran in your environment.

Live on npm for 1 day, 6 hours and 28 minutes before removal. Socket users were protected even while the package was live.

cra-docs

7.999.51

by mohamedlol

Removed from npm

Blocked by Socket

The code exhibits clear signs of malicious behavior by collecting and transmitting sensitive system information to a suspicious domain. This poses a significant security risk.

Live on npm for 24 minutes before removal. Socket users were protected even while the package was live.

internallib_v962

1.0.3

by joaoxxx

Live on npm

Blocked by Socket

The snippet constitutes a backdoor-like payload: it fetches a remote script from a hardcoded URL and executes it with the system shell, granting broad remote control. This is a severe supply-chain/security risk if bundled with an application. Immediate remediation includes removing the exec-based remote code execution pattern, validating and sanitizing all code paths, and avoiding any dynamic execution of remote content.

colors-design

1.4.2

by kingdevil

Removed from npm

Blocked by Socket

The code is clearly malicious, engaging in data theft by collecting sensitive tokens and system information and sending it to an external server. The obfuscation further indicates an attempt to hide malicious intent.

Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.

azure-graphrbac

4.8.8

Removed from npm

Blocked by Socket

Possible typosquat of [azure](https://socket.dev/npm/package/azure).

Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat.

azure-graphrbac is a security-holding package.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

RUST

crates.io

Rust Package Manager

PHP

Packagist

PHP Package Manager

GOLANG

Go Modules

Go Dependency Management

JAVA

Maven Central

JAVASCRIPT

npm

Node Package Manager

.NET

NuGet

.NET Package Manager

PYTHON

PyPI

Python Package Index

RUBY

RubyGems.org

Ruby Package Manager

SWIFT

Swift

AI

Hugging Face Hub

AI Model Hub

CI

GitHub Actions

CI/CD Workflows

EXTENSIONS

Chrome Web Store

Chrome Browser Extensions

EXTENSIONS

Open VSX

VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
