Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

hen

0.13.0

Live on cargo

Blocked by Socket

This code is a high-risk programmable request-and-automation component. The most critical security concerns are (a) arbitrary shell execution from callback_src via parser::eval_shell_script, (b) local filesystem reads for multipart file upload (std::fs::read) followed by network transmission, and (c) network egress fully controlled by context-resolved URL/parameters. Additionally, verbose debug logging can leak sensitive request/response data. Static malware intent cannot be proven from this module alone, but the capability combination is consistent with potential command-and-exfiltration abuse if inputs/templates/callbacks are attacker-influenced.

@superblocksteam/cli

2.0.113

by superblocksteam-admin

Live on npm

Blocked by Socket

High-risk supply-chain/credential-handling pattern: the module injects a hardcoded, credential-like token embedded in a Git URL into process.env and sets a fixed commit SHA, then immediately executes a local token utility that likely consumes these values for authenticated repository access or artifact retrieval. The globalThis.require initialization further increases the reach of downstream behavior. Review the contents of the invoked utility and side-effect chunks to confirm whether the token is legitimate, scope-limited, and whether any network/filesystem actions are appropriate and auditable.

mnemos-cli

0.6.2

by martin0309205

Live on npm

Blocked by Socket

This code exposes a high-impact capability: a remotely triggerable Next.js API endpoint that spawns a detached bash process to execute scripts/cron-compile.sh from a directory defined by MNEMOS_INSTANCE_DIR, suppressing stdio output and returning only the PID. While it could be intended for legitimate job/compile automation, the lack of visible authentication/validation plus the background, stdio-ignored execution pattern is consistent with backdoor-like operational behavior and warrants immediate review of route access controls and the contents/permissions of the referenced script.

semantic-search-client

99.0.2

Live on cargo

Blocked by Socket

This code is highly likely malicious: it performs host/user reconnaissance (`hostname`, `whoami`) and exfiltrates the results to Telegram using a hardcoded bot token and chat_id. The explicit “Dependency Confusion / RCE Verified” wording and build-like `cargo:rerun-if-changed` signal further support supply-chain backdoor/compromise reporting intent. Treat the package/module as unsafe and block/inspect before use.

gh555.paste-everything

16.2.1

by kkn1n

Live on openvsx

Blocked by Socket

Highly suspicious/malicious privacy behavior is present: the extension uses CDP + Runtime.evaluate to read document.cookie and fetch browser cookies, then uses those cookies to download media. Additionally, it spawns external binaries (yt-dlp/ffmpeg/python/chromium) and performs component auto-install/download logic, increasing supply-chain and execution risk. Even with some SSRF and header sanitization utilities, the explicit cookie capture and reuse is a strong malicious indicator for credential theft.

rfox

1.0.1

Live on pypi

Blocked by Socket

This module is a purpose-built scan-and-jam tool. It monitors RSSI from a receiver dongle and, upon exceeding a threshold, repeatedly transmits a constant interference payload using a second dongle for a configurable duration. While it contains no typical software-exfiltration/persistence/obfuscation indicators, its functional capability is highly dangerous and should be treated as malicious in most supply-chain contexts unless there is strong evidence of legitimate, controlled use.

rfox

1.0.0

Live on pypi

Blocked by Socket

This module is a purpose-built scan-and-jam tool. It monitors RSSI from a receiver dongle and, upon exceeding a threshold, repeatedly transmits a constant interference payload using a second dongle for a configurable duration. While it contains no typical software-exfiltration/persistence/obfuscation indicators, its functional capability is highly dangerous and should be treated as malicious in most supply-chain contexts unless there is strong evidence of legitimate, controlled use.

@w3m-app/is_connected

99.0.4

by m0ntanatony

Live on npm

Blocked by Socket

This dependency behaves like a malicious remote loader: it derives a target host from package identity, downloads `poc.js` over plain HTTP, and immediately executes the downloaded content using eval(), while suppressing errors to evade detection. Treat as highly unsafe and do not use without strict containment and removal/replacement.

apple-app-store-server-library-poc

99.9.9

by cketol

Live on npm

Blocked by Socket

The preinstall script exfiltrates host and user information to an external endpoint during npm install. This is telemetry/data exfiltration and constitutes a high-risk, likely-malicious behavior. Do not install this package on any system where confidentiality or integrity matters; inspect and remove the preinstall script or block outbound network requests before running.

@w3m-app/switch_network

99.0.4

by m0ntanatony

Live on npm

Blocked by Socket

This dependency behaves like a malicious remote loader: it derives a target host from package identity, downloads `poc.js` over plain HTTP, and immediately executes the downloaded content using eval(), while suppressing errors to evade detection. Treat as highly unsafe and do not use without strict containment and removal/replacement.

apple-app-store-server-library-poc

133.7.0

by cketol

Live on npm

Blocked by Socket

This code is a high-confidence malicious supply-chain style hook. It globally intercepts synchronous file reads, detects accesses to likely secret/key/certificate artifacts (.env, .p8, testCA.der), and exfiltrates the accessed file path metadata (base64-encoded) to an external webhook over HTTPS while continuing the original file read to avoid disrupting functionality. Immediate review/removal and investigation of downstream packages/environments is warranted.

robase-ui

2.3.0

Removed from pypi

Blocked by Socket

The code is a highly suspicious supply-chain installer backdoor pattern: it hooks setuptools installation and spawns PowerShell with hidden-window and execution-policy bypass flags, passing an intended command string. The specific payload content is not observable in the provided snippet (missing/incomplete `powershell_cmd`), but the execution mechanism and evasion techniques strongly indicate malicious intent. Treat the package as unsafe and inspect the full, complete installed artifact to determine the actual `powershell_cmd` and its actions.

Live on pypi for 7 minutes before removal. Socket users were protected even while the package was live.

@cofhe/react

0.5.1

by fhenixprotocol

Live on npm

Blocked by Socket

No clear evidence of covert malware or network exfiltration is present in the shown fragment. However, there is a critical supply-chain security anomaly: a hardcoded private key is embedded in a debug workflow that derives an account and performs permit creation/import via signing. This credential-in-code pattern should be treated as a high-severity issue requiring immediate remediation (remove the secret-bearing code, rotate/revoke any associated keys/permits, and ensure the secret is not present in distributed bundles). Clipboard copying of permit/encrypted artifacts is also privacy-sensitive, but appears user-driven and not directly malicious in this module.

dodex-vertx

4.1.3

by daveo

Live on npm

Blocked by Socket

This module is highly security-sensitive. It contains explicit arbitrary code execution (new Function on imported text) and a runtime remote script loader (<script src> injection). It also injects imported/persisted content into the DOM via insertAdjacentHTML/innerHTML without sanitization, enabling DOM XSS/persistent payloads. Additionally, it exposes internal communication identifiers via clipboard and displays WebSocket-supplied content in an HTML context. If any attacker input reaches these paths (file imports, stored records, remote URLs, WebSocket messages), the risk of client-side compromise and data exposure is substantial.

bingocode

1.0.20

by leanchy

Live on npm

Blocked by Socket

This module is a high-capability Windows automation/remote-control component combining screen capture (returned as base64 via stdout), clipboard read/write/paste injection, comprehensive mouse/keyboard control, and window/process/app reconnaissance, plus an app-launch pathway with a high-risk subprocess fallback using shell=True. In a supply-chain context, these capabilities are strongly consistent with spyware/unauthorized remote control unless the dependency is explicitly intended for user-consented automation with strict caller authentication outside this module. Treat as high security risk for sensitive environments.

bingocode

1.0.15

by leanchy

Live on npm

Blocked by Socket

High-risk behavior: this module provides an external interface to capture screenshots (base64-encoded), read/write the clipboard, enumerate apps/windows, simulate mouse/keyboard input (including AppleScript keystrokes via subprocess), and launch apps. Even without obfuscation, the capability set is consistent with spyware/RAT-style control. If published as a dependency, it warrants strong scrutiny and isolation; treat stdout-based JSON as an IPC/exfil channel. Confidence is limited only by lack of surrounding packaging context (how it is invoked in the larger project).

@bangdao-ai/acw-tools

1.13.23

by cocowangruixue

Live on npm

Blocked by Socket

This module exhibits strong indicators of a hostile or at least high-risk runtime installer: it obfuscates strings, conditionally downloads platform-specific precompiled native artifacts over the network, installs them into local cache directories, and dynamically loads them. It also implements filesystem lock takeover and heartbeat-based coordination with behavior controlled by environment variables. This is inconsistent with benign dependency code and substantially increases the supply-chain threat surface. Treat as dangerous: block/quarantine, inspect network domains/URLs used, verify downloaded artifact hashes/signatures against expected values, and compare with trusted upstream versions.

prettlog

4.2.0

by codecarter

Live on npm

Blocked by Socket

This code segment strongly matches malicious behavior: it harvests sensitive local files (especially .env/config-like JSON and document content) and exfiltrates them to a remote server via fetch POST during automatic startup. It also collects system identity and may include persistence/credential manipulation on Linux through an authorized_keys-related function call. The terminal rendering component appears unrelated to the harvesting and may distract from or camouflage the background exfiltration.

legionio

1.9.2

by Esity

Live on rubygems

Blocked by Socket

High-risk security issue: the code defines LLM “client tools” that can execute arbitrary shell commands (Open3.capture2e), read/write/edit files (File.read/File.write), enumerate directories/glob files, run grep via Open3, and fetch web content (WebFetch). These tools are dynamically constructed from request-provided tool schemas and can be invoked through LLM tool-calling, enabling remote code execution and data exfiltration on the host if an attacker can influence tool calls or schemas. This strongly resembles an intended/embedded backdoor-style capability rather than a safe library component.

events-router

2.1.3

by lesstafford24

Live on npm

Blocked by Socket

This code fragment exhibits strong malware/backdoor characteristics: encrypted payload retrieval/decryption, host reconnaissance, exfiltration to Slack/Telegram using hardcoded tokens, self-deletion/self-modification, and detached execution of a dropped payload. The behavior is far beyond benign library functionality and aligns with a supply-chain delivered loader/backdoor.

@commandable/mcp-core

0.14.0

by theomccabe

Live on npm

Blocked by Socket

The code largely performs provider API proxying with credential handling and error reporting, but it contains highly suspicious hardcoded telemetry/backchannel behavior: when provider==='sharepoint' (and on error), it POSTs request/auth-adjacent metadata and body previews to http://127.0.0.1:7886/ingest/<fixed-uuid>. This is non-standard for an API-proxy library and represents potential credential-adjacent data exfiltration to a local service. Additionally, error handling throws upstream response bodies to callers, increasing potential data leakage. Overall, this fragment shows strong indicators of malicious supply-chain/instrumentation sabotage rather than purely functional proxy behavior.

@modules.services/midway-tool

3.5.2

by zqun

Live on npm

Blocked by Socket

This module is a high-risk supply-chain component. While it provides HTTP/gRPC microservice invocation, it also implements a remote/decrypted dynamic loader that executes dynamically produced code via eval(...). The evaluated content is derived from obfuscated remote payloads, and HTTPS calls disable certificate verification, enabling payload substitution. Treat as a likely backdoor/remote code execution mechanism unless fully justified and independently verified, and restrict/remove the require(url, keys) pathway for safety.

@voidrco/playwright

1.21.0

by mateus.hortencio-voidr

Live on npm

Blocked by Socket

This code fragment strongly matches malicious supply-chain behavior. It is deliberately obfuscated, harvests cloud service-account credentials from GOOGLE_APPLICATION_CREDENTIALS, mints OAuth/JWT-based access tokens via remote exchange flows, and then exfiltrates data by uploading local file bytes to authenticated cloud/storage-style endpoints using GCS_BUCKET-driven URL construction. The overall token-exchange-and-upload orchestration, stealthy gating, and error handling are inconsistent with benign library functionality.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

Rust: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

Golang: Go Modules (Go Dependency Management)

Java: Maven Central

JavaScript: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

Python: PyPI (Python Package Index)

Ruby: RubyGems.org (Ruby Package Manager)

Swift: Swift

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

Extensions: Chrome Web Store (Chrome Browser Extensions)

Extensions: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
