Secure your dependencies. Ship with confidence.

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

The main concern is the obfuscation of the code, which can hide malicious activities. The code seems to perform fingerprinting by gathering a variety of data points about the user's environment. Further analysis, such as deobfuscation and dynamic analysis, would be necessary to make a more informed assessment.

Live on npm for 2 hours and 8 minutes before removal. Socket users were protected even while the package was live.

This module contains a critical vulnerability: unconstrained eval() of attacker-controlled 'input.expr' with access to local variables (including a formatted request object). This yields remote code execution and potential data exfiltration. The code likely represents an insecure design/bug rather than intentionally malicious code, but it must be remediated before handling untrusted inputs. Also fix the apparent syntax error in getAttr.

While the execution of 'build.js' may be benign, the subsequent curl command raises significant security concerns as it could be used to exfiltrate data or send telemetry to an external server.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This code actively searches for an exposed Java object in the window environment and leverages Java reflection to obtain java.lang.Runtime, giving it the ability to execute arbitrary shell commands and load native libraries. It also performs local reconnaissance (id, ps) to discover package names. In an Android WebView that exposes a Java bridge to untrusted content, this is a high‑risk backdoor/post‑exploitation capability. Treat this code as malicious in most deployment contexts: do not expose Java bridges to untrusted pages and remove or audit any code that allows untrusted JS to call native functionality.

This fragment elevates and executes package-local shell scripts as root (sudo), preserving the environment (-E). That pattern is high risk for supply-chain attacks: if the bash directory or preinstall.sh can be altered by an attacker (or was malicious in the distributed package), arbitrary root code execution follows. The missing import for exec is likely a bug, but whether accidental or intentional, it increases uncertainty. Recommend: do not run these scripts with sudo; remove -E; validate and cryptographically verify script contents, avoid executing package-provided scripts as root, and fix the missing child_process import. Treat as security alert and audit the referenced bash/preinstall.sh before allowing execution.

This package attempts to covertly send environment and host information to an external numeric IP address during installation. This constitutes telemetry/data exfiltration and is a high security risk. The use of plain HTTP and an IP address, plus collecting user/host/current-directory data, strongly suggests malicious or at least privacy-invasive behavior. Do not install or run this package in sensitive environments.

The code initiates a detached child process that runs an external script (`smtp-connection/index.js`) with its I/O streams ignored. This pattern is suspicious as it can be used to execute code in the background without direct visibility or control from the parent process. While it could be for legitimate background operations, the combination of detachment, ignored I/O, and unreferencing the child process raises concerns about potential hidden malicious activity, such as data exfiltration or establishing persistent connections.

Live on npm for 1 day, 15 hours and 13 minutes before removal. Socket users were protected even while the package was live.

The provided file is a modified/tampered SweetAlert2 bundle containing a malicious payload: a locale- and host-targeted, delayed activation that disables page interaction and autoplays a looping audio file loaded from a third-party domain. This is a clear supply-chain compromise or malicious insertion. Immediate actions: do NOT use this package version; remove it from deployments; audit package integrity (compare with official upstream release, verify checksums/signatures); rotate any secrets that may have been exposed in environments where this version was deployed; notify maintainers and users. Replace with a clean, verified release and investigate how the compromise occurred.

This code is not obviously a self-contained malware dropper, but it provides a high-privilege execution surface: it runs arbitrary shell commands (shell=True) and writes/appends to files based on external plans or user input without sanitization. That makes it dangerous in contexts where steps/plans or inputs are untrusted or come from remote services. If upstream agents or data are compromised, this module can be abused to execute arbitrary code, modify repository or system files, or launch persistent processes. Recommend treating inputs as untrusted, adding strict validation/sanitization for commands and file paths, avoiding shell=True or using explicit argument lists, and adding allowlists and dry-run / manual approval for changes.

Live on pypi for 5 days, 10 hours and 8 minutes before removal. Socket users were protected even while the package was live.

This file implements a Slowloris-style Denial-of-Service tool: it opens multiple TCP connections to a target and periodically sends partial headers to keep connections alive, consuming server resources. There is no obfuscation or data-exfiltration behavior, but the code is intentionally disruptive and should not be used against systems without explicit authorization. The https option is not implemented, and there are minor coding issues (unused imports, list mutation during iteration). Treat this as malicious/offensive tooling and block or review usage according to policy.

The script functions as a cleanup utility targeting docker-gen/nginx artifacts and a related systemd unit. While it could be legitimate maintenance, the use of hardcoded, nonstandard unit path, incomplete cleanup markers, and unconditional disable without proper validation raises concerns about anti-forensic behavior and potential suppression of remnants after compromise. It warrants careful review in a supply-chain context to confirm intended behavior and ensure system integrity.

High security risk. The fragment contains an explicit remote-code-execution mechanism by compiling and executing server-fetched user-menu text with Function(...), followed by invocation of those actions in the browser. It also dynamically loads additional JS modules at runtime and renders server-derived content using innerHTML-based templating, and includes an optional shell-command execution feature via bash -c. No overt malware exfiltration is visible in this fragment, but the structural execution primitives are severe and suitable for supply-chain/backdoor behavior if the server endpoints/templates/modules are compromised or insufficiently authorized.

The code contains high-risk unsafe behavior: exec() is used to run Python code derived directly from OpenAI function_call arguments with no sandboxing or validation, and os.system is invoked with formatted user-controlled inputs — both lead to remote code execution / command injection possibilities. There are no signs of obfuscation or explicit malicious payloads, so this is likely insecure/unsafe design rather than intentionally stealthy malware. Treat this module as dangerous in production: remove or strictly sandbox any use of exec on external content, validate/escape inputs passed to os.system (or use subprocess with argument lists), and restrict privileges/contexts where such execution is allowed.

The script is designed to exfiltrate sensitive system information to an external server via DNS queries. The use of obfuscation and the method of data transmission indicate malicious intent.

Live on npm for 1 hour and 10 minutes before removal. Socket users were protected even while the package was live.

This module implements server-side RPC handlers of the Sliver implant framework that read/generate shellcode and DLL bytes, parse PE exports to compute reflective loader offsets, and forward marshalled requests containing executable payloads to remote implants via session.Request. There is no obfuscation or hidden credential theft, but the functionality enables remote arbitrary code execution, process migration, and DLL sideloading — operations that are malicious or dangerous outside an authorized red-team context. The code also contains some robustness issues (use of log.Fatal, limited validation when parsing PE files) that could affect availability.

MALICIOUS. This skill is purpose-built to let an AI agent conduct real-world web exploitation, steal cloud credentials and data, establish shells, and escalate access. Its capabilities are fundamentally incompatible with a benign helper skill and create high-risk autonomous attack and exfiltration behavior.

This module scans directories for .svg files and — when a file looks like SVG — attempts to ensure and execute an npm package (base64-decoded as 'svg-safety-tool') by installing it at runtime (or installing 'request') and then requiring it and calling its plugin function. That behavior presents a significant supply-chain and remote code execution risk: an attacker controlling the npm package (or the npm registry) could execute arbitrary code on systems that run this module. The base64-obfuscated package name, automatic installs, and invocation of third-party plugin code are strong red flags. I assess this as dangerous and not safe to use without strict controls (offline CI-approved deps, checksums/signatures, sandboxing).

Live on npm for 23 days, 9 hours and 48 minutes before removal. Socket users were protected even while the package was live.

The codebase acts as an aggressive deployment automation tool with webhook-driven updates and high-privilege system modifications. The presence of hard-coded credentials, elevation of privileges, and dynamic configuration changes create substantial supply chain and operational security risks. It should not be used in public projects or unattended environments without refactoring to remove secrets, remove interactive prompts, enforce least privilege, and ensure formal authentication/authorization for webhook-triggered actions.

This document is a step-by-step offensive guide demonstrating multiple confirmed JWT attacks (RS256→HS256 confusion, kid injection variants, jku/x5u replacement, and weak-key brute forcing). It contains actionable exploit examples that, when a server is misconfigured or vulnerable, enable authentication bypass and secret disclosure. The code snippets instruct reading sensitive files (e.g., /flag.txt) and using attacker-controlled keys or outputs as HMAC secrets, indicating clear malicious intent to compromise systems. Treat packages or code containing this content as malicious guidance; ensure servers strictly validate 'alg', sanitize and whitelist 'kid', avoid fetching keys from untrusted URLs, and use strong secrets.

This file implements a straightforward and functional reverse shell: it connects to a hardcoded remote IP:port, spawns /bin/sh, and pipes input/output between the shell and the network socket. This gives a remote actor arbitrary command execution and data exfiltration capabilities. The code is malicious in context and poses an immediate, high-risk threat. Remove/quarantine the file and treat systems that ran it as compromised.

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

The main concern is the obfuscation of the code, which can hide malicious activities. The code seems to perform fingerprinting by gathering a variety of data points about the user's environment. Further analysis, such as deobfuscation and dynamic analysis, would be necessary to make a more informed assessment.

Live on npm for 2 hours and 8 minutes before removal. Socket users were protected even while the package was live.

This module contains a critical vulnerability: unconstrained eval() of attacker-controlled 'input.expr' with access to local variables (including a formatted request object). This yields remote code execution and potential data exfiltration. The code likely represents an insecure design/bug rather than intentionally malicious code, but it must be remediated before handling untrusted inputs. Also fix the apparent syntax error in getAttr.

While the execution of 'build.js' may be benign, the subsequent curl command raises significant security concerns as it could be used to exfiltrate data or send telemetry to an external server.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This code actively searches for an exposed Java object in the window environment and leverages Java reflection to obtain java.lang.Runtime, giving it the ability to execute arbitrary shell commands and load native libraries. It also performs local reconnaissance (id, ps) to discover package names. In an Android WebView that exposes a Java bridge to untrusted content, this is a high‑risk backdoor/post‑exploitation capability. Treat this code as malicious in most deployment contexts: do not expose Java bridges to untrusted pages and remove or audit any code that allows untrusted JS to call native functionality.

This fragment elevates and executes package-local shell scripts as root (sudo), preserving the environment (-E). That pattern is high risk for supply-chain attacks: if the bash directory or preinstall.sh can be altered by an attacker (or was malicious in the distributed package), arbitrary root code execution follows. The missing import for exec is likely a bug, but whether accidental or intentional, it increases uncertainty. Recommend: do not run these scripts with sudo; remove -E; validate and cryptographically verify script contents, avoid executing package-provided scripts as root, and fix the missing child_process import. Treat as security alert and audit the referenced bash/preinstall.sh before allowing execution.

This package attempts to covertly send environment and host information to an external numeric IP address during installation. This constitutes telemetry/data exfiltration and is a high security risk. The use of plain HTTP and an IP address, plus collecting user/host/current-directory data, strongly suggests malicious or at least privacy-invasive behavior. Do not install or run this package in sensitive environments.

The code initiates a detached child process that runs an external script (`smtp-connection/index.js`) with its I/O streams ignored. This pattern is suspicious as it can be used to execute code in the background without direct visibility or control from the parent process. While it could be for legitimate background operations, the combination of detachment, ignored I/O, and unreferencing the child process raises concerns about potential hidden malicious activity, such as data exfiltration or establishing persistent connections.

Live on npm for 1 day, 15 hours and 13 minutes before removal. Socket users were protected even while the package was live.

The provided file is a modified/tampered SweetAlert2 bundle containing a malicious payload: a locale- and host-targeted, delayed activation that disables page interaction and autoplays a looping audio file loaded from a third-party domain. This is a clear supply-chain compromise or malicious insertion. Immediate actions: do NOT use this package version; remove it from deployments; audit package integrity (compare with official upstream release, verify checksums/signatures); rotate any secrets that may have been exposed in environments where this version was deployed; notify maintainers and users. Replace with a clean, verified release and investigate how the compromise occurred.

This code is not obviously a self-contained malware dropper, but it provides a high-privilege execution surface: it runs arbitrary shell commands (shell=True) and writes/appends to files based on external plans or user input without sanitization. That makes it dangerous in contexts where steps/plans or inputs are untrusted or come from remote services. If upstream agents or data are compromised, this module can be abused to execute arbitrary code, modify repository or system files, or launch persistent processes. Recommend treating inputs as untrusted, adding strict validation/sanitization for commands and file paths, avoiding shell=True or using explicit argument lists, and adding allowlists and dry-run / manual approval for changes.

Live on pypi for 5 days, 10 hours and 8 minutes before removal. Socket users were protected even while the package was live.

This file implements a Slowloris-style Denial-of-Service tool: it opens multiple TCP connections to a target and periodically sends partial headers to keep connections alive, consuming server resources. There is no obfuscation or data-exfiltration behavior, but the code is intentionally disruptive and should not be used against systems without explicit authorization. The https option is not implemented, and there are minor coding issues (unused imports, list mutation during iteration). Treat this as malicious/offensive tooling and block or review usage according to policy.

The script functions as a cleanup utility targeting docker-gen/nginx artifacts and a related systemd unit. While it could be legitimate maintenance, the use of hardcoded, nonstandard unit path, incomplete cleanup markers, and unconditional disable without proper validation raises concerns about anti-forensic behavior and potential suppression of remnants after compromise. It warrants careful review in a supply-chain context to confirm intended behavior and ensure system integrity.

High security risk. The fragment contains an explicit remote-code-execution mechanism by compiling and executing server-fetched user-menu text with Function(...), followed by invocation of those actions in the browser. It also dynamically loads additional JS modules at runtime and renders server-derived content using innerHTML-based templating, and includes an optional shell-command execution feature via bash -c. No overt malware exfiltration is visible in this fragment, but the structural execution primitives are severe and suitable for supply-chain/backdoor behavior if the server endpoints/templates/modules are compromised or insufficiently authorized.

The code contains high-risk unsafe behavior: exec() is used to run Python code derived directly from OpenAI function_call arguments with no sandboxing or validation, and os.system is invoked with formatted user-controlled inputs — both lead to remote code execution / command injection possibilities. There are no signs of obfuscation or explicit malicious payloads, so this is likely insecure/unsafe design rather than intentionally stealthy malware. Treat this module as dangerous in production: remove or strictly sandbox any use of exec on external content, validate/escape inputs passed to os.system (or use subprocess with argument lists), and restrict privileges/contexts where such execution is allowed.

The script is designed to exfiltrate sensitive system information to an external server via DNS queries. The use of obfuscation and the method of data transmission indicate malicious intent.

Live on npm for 1 hour and 10 minutes before removal. Socket users were protected even while the package was live.

This module implements server-side RPC handlers of the Sliver implant framework that read/generate shellcode and DLL bytes, parse PE exports to compute reflective loader offsets, and forward marshalled requests containing executable payloads to remote implants via session.Request. There is no obfuscation or hidden credential theft, but the functionality enables remote arbitrary code execution, process migration, and DLL sideloading — operations that are malicious or dangerous outside an authorized red-team context. The code also contains some robustness issues (use of log.Fatal, limited validation when parsing PE files) that could affect availability.

MALICIOUS. This skill is purpose-built to let an AI agent conduct real-world web exploitation, steal cloud credentials and data, establish shells, and escalate access. Its capabilities are fundamentally incompatible with a benign helper skill and create high-risk autonomous attack and exfiltration behavior.

This module scans directories for .svg files and — when a file looks like SVG — attempts to ensure and execute an npm package (base64-decoded as 'svg-safety-tool') by installing it at runtime (or installing 'request') and then requiring it and calling its plugin function. That behavior presents a significant supply-chain and remote code execution risk: an attacker controlling the npm package (or the npm registry) could execute arbitrary code on systems that run this module. The base64-obfuscated package name, automatic installs, and invocation of third-party plugin code are strong red flags. I assess this as dangerous and not safe to use without strict controls (offline CI-approved deps, checksums/signatures, sandboxing).

Live on npm for 23 days, 9 hours and 48 minutes before removal. Socket users were protected even while the package was live.

The codebase acts as an aggressive deployment automation tool with webhook-driven updates and high-privilege system modifications. The presence of hard-coded credentials, elevation of privileges, and dynamic configuration changes create substantial supply chain and operational security risks. It should not be used in public projects or unattended environments without refactoring to remove secrets, remove interactive prompts, enforce least privilege, and ensure formal authentication/authorization for webhook-triggered actions.

This document is a step-by-step offensive guide demonstrating multiple confirmed JWT attacks (RS256→HS256 confusion, kid injection variants, jku/x5u replacement, and weak-key brute forcing). It contains actionable exploit examples that, when a server is misconfigured or vulnerable, enable authentication bypass and secret disclosure. The code snippets instruct reading sensitive files (e.g., /flag.txt) and using attacker-controlled keys or outputs as HMAC secrets, indicating clear malicious intent to compromise systems. Treat packages or code containing this content as malicious guidance; ensure servers strictly validate 'alg', sanitize and whitelist 'kid', avoid fetching keys from untrusted URLs, and use strong secrets.

This file implements a straightforward and functional reverse shell: it connects to a hardcoded remote IP:port, spawns /bin/sh, and pipes input/output between the shell and the network socket. This gives a remote actor arbitrary command execution and data exfiltration capabilities. The code is malicious in context and poses an immediate, high-risk threat. Remove/quarantine the file and treat systems that ran it as compromised.