
Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

vajra-nightly

0.1.dev2025052506

Removed from pypi

Blocked by Socket

This script is functionally legitimate for provisioning GitHub Actions self-hosted GPU runners but contains several high-impact security risks. Primary concerns: it passes the full GitHub token into containers (exposing org-level credentials), mounts the host Docker socket into those containers (giving containers effectively full control over the host), and builds/executes docker commands via eval using unsanitized fields from the JSON spec (shell injection risk). If attacker-controlled inputs (spec file, image, or token) are present, an attacker could execute arbitrary host commands, exfiltrate secrets, or compromise the GitHub organization. Recommend refusing to run this script in untrusted environments, removing/avoiding docker.sock mount, avoiding eval (use arrays or exec directly), sanitizing spec values, limiting container network/capabilities, and using short-lived, least-privilege tokens or ephemeral registration mechanisms.

Live on pypi for 33 minutes before removal. Socket users were protected even while the package was live.

atalasoft.dotimage.pdfdoc.barcodewriting.x86

11.4.0.11410

by Atalasoft

Live on nuget

Blocked by Socket

High risk of malicious activity and supply-chain abuse potential. The fragment demonstrates advanced obfuscation, dynamic code generation, native interop for loading/executing code, and cryptographic routines that can hide payloads or exfiltrate data. While portions of it may wrap legitimate PDF/barcode features, the surrounding patterns strongly indicate hidden functionality designed to evade static analysis and runtime protections. It warrants thorough, isolated sandbox testing and deobfuscation in a controlled environment before any deployment in production or within a supply chain.

slayzdevv.dexmcp

17.0.9

by Slayzzdevv

Live on openvsx

Blocked by Socket

This extension presents a severe security risk by acting as a dropper for a persistent remote code execution (RCE) payload. When configured, it offers to write an auto-executing Lua script (`dexmcp_autoexec.lua`) into the `autoexec` directories of supported third-party game executors (Volt, Seliware). This script uses `loadstring` to fetch and execute arbitrary remote code from `https://dexmcp-api[.]onrender[.]com/script` every time the game executor runs. This behavior is outside the scope of a standard editor extension and functions as a persistent backdoor. Additionally, the extension generates AI configuration rules that attempt to bypass AI safety guardrails by instructing the assistant to generate code with 'NO safety disclaimers'. Due to the unauthorized installation of remote code execution mechanisms in external applications, this package is classified as malware.

pretierr

3.3.3

by ua7r0rvjwm7mf

Live on npm

Blocked by Socket

The script runs a local Node.js file, but the random naming convention suggests it could be malicious. The contents of te24xjoq.cjs should be inspected to assess any risks.

imagecomponents.win32.imaging

4.0.0

by Image Components

Live on nuget

Blocked by Socket

This assembly contains heavy obfuscation and an embedded runtime loader/unpacker that decrypts embedded resources and writes/executes code into process memory (via VirtualAlloc/WriteProcessMemory/VirtualProtect or by writing to /proc/self/mem), patches function pointers and invokes dynamic methods. Those capabilities allow arbitrary native code execution inside the host process and are not appropriate for a benign image barcode decoder library. Treat this package as malicious or extremely high risk for supply chain compromise. Do not use in trusted environments until the embedded payloads and intent are fully audited and provenance verified.

zking

0.3

Live on pypi

Blocked by Socket

This file is an intentionally obfuscated dynamic code loader that decodes and executes a marshalled code object at import time. That design is strongly suspicious and high risk for supply-chain compromise or backdoor delivery. Treat the package as unsafe until the embedded payload is decoded and analyzed in a sandbox. Immediate mitigation: do not run or import; isolate and decode payload under controlled conditions.

scpdiscordlogs

1.2.4

by fydne

Live on nuget

Blocked by Socket

The code contains a high-risk remote command execution backdoor: a BotListener thread receives data over a TCP socket, parses it, and invokes server console commands via a BotSender with full permissions. This creates a potential remote control channel for attackers, enabling arbitrary commands, backdoor-like behavior, and possible data exfiltration operations. While there is legitimate log forwarding to a Discord webhook, the remote control capability significantly elevates the security risk and could be exploited for malicious purposes. Recommend removing or securing the TCP command channel (authenticate, encrypt, or drop entirely), implementing strict access control, and auditing outbound webhook exposure.

routerxpl

0.6.2

Live on pypi

Blocked by Socket

This module provides direct capability for SFTP credential brute-forcing: it generates username/password combinations from user-supplied wordlists, attempts network logins in parallel, and prints any recovered valid credentials. The fragment shows no obfuscation or stealth mechanisms, but the functionality is explicitly offensive and high-risk if distributed as a dependency. Completeness is reduced by wildcard imports and an apparently truncated/invalid tail, so secondary behaviors in external helpers cannot be fully ruled out.

circuit-breaking

3.9.1

by 7azimo111

Removed from npm

Blocked by Socket

This file executes a shell command to read /etc/hosts and /etc/passwd, then base64-encodes the contents along with user and host information. It sends the data via an HTTP POST request to circuit-breaking[.]gtdzviif1qsdiowqm1h6foqqphv8j1jp8.oastify[.]example[.]com, demonstrating an unauthorized exfiltration of sensitive system details without user consent.

Live on npm for 16 days, 12 hours and 39 minutes before removal. Socket users were protected even while the package was live.

github.com/bishopfox/sliver

v1.5.40-0.20231026013516-78627a6effba

Live on go

Blocked by Socket

This source file is an intentional C2 implant bridge (part of Sliver). It enables remote operator-controlled tasking, arbitrary payload fetching over HTTP, and execution of commands/tasks on the host, while exfiltrating host state back to the operator. In a defensive/supply-chain context this represents a high-risk and likely malicious component; inclusion in non-offensive projects should be treated as a severe compromise. Recommended actions: block or isolate binaries using this code, remove from production codebases unless explicitly required for offensive testing, audit network endpoints and keys (AgentConfig.AESKey), and inspect RunCommand and util.PreludeEncrypt/Decrypt implementations and agent configuration for further risks.

354766/inference-sh/agent-skills/storyboard-creation/

a28b34783dcc09634a9cb27b9e949d7c18d89dc9

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

The package documentation and examples are consistent with a legitimate storyboard creation skill that relies on hosted AI inference services. The primary security concern is supply-chain and data-exfiltration risk: the docs encourage a pipe-to-shell installer and rely on third-party hosted binaries and backends (dist.inference.sh and inference.sh). This creates a moderate security risk if the remote hosts or installer are compromised. There is no direct evidence in the provided file of embedded malware or obfuscated malicious code, but the installation and credential/data-upload patterns warrant caution: verify installers and checksums, inspect scripts before executing, and assume prompts/images/credentials may be transmitted to third-party services.

LLM verification: The skill is functionally coherent: it documents a legitimate storyboard workflow that uses a third-party image-generation CLI (infsh). The primary security issues are supply-chain and data-exfiltration risks: (1) it instructs users to run an unpinned curl|sh installer that downloads and executes a binary from dist.inference.sh (objectively high-risk), and (2) it routes prompts, images, and login credentials to a third-party service rather than performing work locally. There is no direct evidenc

@pump.fun/core

1.0.7

by pump.fun

Live on npm

Blocked by Socket

The code contains a severe security vulnerability by transmitting the user's private key in plaintext to an external server, which constitutes a critical supply chain security risk and potential malicious behavior. This flaw can lead to full compromise of user wallets and loss of funds. The code is not obfuscated and does not contain other malware behaviors, but the private key exfiltration alone justifies a high malware and security risk score. Users should avoid using this code or dependency due to this critical issue.

github.com/yaklang/yaklang

v1.3.7-beta6.0.20241119122113-307a0387d286

Live on go

Blocked by Socket

This Go source contains routines that speak the T3 protocol to connect to Oracle WebLogic servers and deploy a serialized-Java RMI backdoor. It checks for the presence of a class named “com.supeream.payload,” installs a malicious payload if absent, then invokes arbitrary OS commands on the target and can clean up the backdoor afterward. Payload templates reference a default endpoint t3://47[.]104[.]229[.]232:7001, which is dynamically replaced with the victim IP/port. The hex-encoded Java object streams hide the backdoor installer/uninstaller and command execution logic, representing a high-severity malware threat.

colab-ssh

0.1.2

Live on pypi

Blocked by Socket

This code is dangerous and should not be present in a library shipped to users. It changes root credentials, enables password-based root SSH login, downloads and executes a remote binary, and exposes SSH over an ngrok tunnel — effectively creating a remote backdoor into the host. Even if intended for legitimate remote access in ephemeral notebook sessions, these operations are high-risk and inappropriate for packaged code. Treat this as malicious or at minimum as severely unsafe: do not run on sensitive or production hosts; remove or sandbox and review thoroughly before use.

leadtools.document

20.0.0.7

by LEADTOOLS

Live on nuget

Blocked by Socket

This code contains a highly obfuscated in-memory loader that reads and decrypts embedded data and proceeds to allocate, write to, change protections of, and invoke unmanaged memory within the process. It also inspects and manipulates process modules and runtime components (references to clrjit.dll). These are strong indicators of malicious behavior (in-memory code injection/loader/implant). Treat this module as malicious and high-risk; do not run or deploy it. Further analysis of the decrypted payload would be required to fully characterize capabilities.

github.com/whrwsoftware/panelbase

v0.0.1-beta5

Live on go

Blocked by Socket

This file contains a clear, unconditional destructive command that will delete the Go installation directory /duckcp/apps/go/1.13.15 if executed. Its placement under a license header and the lack of any safeguards make it suspicious in a supply-chain context (it could be sabotage or a mistaken destructive script). Do not execute this file; remove or quarantine it and investigate its origin and how it would be executed (install/postinstall hooks, CI scripts, packaging).

jupyter-kernels

1.2.16

Removed from pypi

Blocked by Socket

This module contains high-risk operations: it constructs and executes shell commands using unvalidated inputs (pod_name, local path), disables SSH host key checking, uses a hardcoded private key path, and uses a blunt 'pkill ssh' to unmount. Those behaviors create serious command injection, data-exfiltration, and availability risks. There is no sign of deliberate obfuscation or a hidden backdoor, and the functionality could be legitimate for a trusted environment, but from a supply-chain and deployment-security perspective this module should be treated as dangerous unless deployed only in strictly controlled/trusted environments with careful validation and credential management. Recommended mitigations: validate and sanitize pod_name and paths, avoid shell interpolation (use subprocess with argument lists), require explicit user consent and logging for mounts, avoid disabling StrictHostKeyChecking, avoid pkill and instead track/kill only the created process, and ensure the private key is managed securely.

Live on pypi for 2 hours and 45 minutes before removal. Socket users were protected even while the package was live.

@arextest/arex-node-agent

1.2.3-beta.79

by jingum

Live on npm

Blocked by Socket

This module is a record/replay instrumentation agent for MongoDB/Mongoose that sends captured database inputs/outputs to a remote service and restores them during replay. The highest-severity issue is an eval-like deserialization mechanism: deserialize() executes function bodies embedded in serialized JSON via new Function(...) when it encounters '__function__:' markers. Combined with remote-driven replay/restore, this creates a plausible remote code execution risk if an attacker can influence stored/replayed payloads. Additionally, extensive method-wrapping increases the impact of malicious or corrupted replay data, and recording/replay traffic can expose sensitive database contents to the configured remote API.

ttclient

0.2.25

Live on cargo

Blocked by Socket

This code embeds and installs a hardcoded RSA private key into the user's ~/.ssh directory and writes an SSH config that disables host key checking. It performs filesystem modifications and executes chmod to set key permissions. These actions are unexpected and constitute a highly suspicious and potentially malicious supply-chain/backdoor behavior: it can enable remote access and covertly weaken SSH security. Treat this package as unsafe and not suitable for use without detailed justification and audit. Immediate remediation: remove embedded private keys, remove automatic SSH config/key writes, require explicit user consent, and avoid disabling host key checking.

@link-assistant/hive-mind

1.24.3

by GitHub Actions

Live on npm

Blocked by Socket

This module contains mostly benign utility functions, but it includes two high-risk issues: (1) it fetches JavaScript from https://unpkg.com/use-m/use.js at runtime and evals it to create globalThis.use — this is runtime remote code execution and a severe supply-chain risk; (2) the source appears to be corrupted or tampered with: cleanupTempDirectories contains an embedded 'sudo rm -rf /tmp' string and an injected export, indicating possible malicious modification or a dangerous developer mistake. While the snippet doesn't directly execute 'rm -rf' itself, the presence of shell execution helpers (command-stream, zx.$) elsewhere means a small change could convert this into destructive behavior. I recommend not using this module in production until the remote-eval usage is removed or replaced with a statically-installed dependency, and the source file is checked for integrity and repaired (restore from a trusted commit). Also audit sentry.lib.mjs, git.lib.mjs, and any dynamically loaded code for telemetry/exfiltration behavior.

github.com/milvus-io/milvus

v0.10.3-0.20211229020847-029b1532598b

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

github.com/openshift/origin

v0.0.0-20251111093004-3885a6b2266d

Live on go

Blocked by Socket

High security concern: this module packages a dockercfg secret into a Docker image and includes a Ruby/Rack HTTP endpoint that can disclose arbitrary file contents by mapping URL paths to environment variables, including an ENV key that directly points to the embedded dockercfg. The image is then built and pushed to a registry, distributing the credential-leak/backdoor capability via the supply chain. Review/disable and investigate any downstream use of the produced artifact; treat as likely malicious even though direct external exfiltration is not shown in this snippet.

pydoxing

8.8.9

Live on pypi

Blocked by Socket

The script poses a significant risk due to its potential for data theft, unauthorized access, and other malicious activities.

mindspore-dev

2.2.0.dev20230820

Removed from pypi

Blocked by Socket

The code contains several points of potential exploitation, particularly through the use of subprocess and dynamic code execution based on user input. This could lead to command injection or execution of arbitrary code if proper validations are not implemented. Therefore, caution should be exercised when using this code in a production environment.

Live on pypi for 1 hour and 29 minutes before removal. Socket users were protected even while the package was live.


github.com/openshift/origin

v0.0.0-20251111093004-3885a6b2266d

Live on go

Blocked by Socket

High security concern: this module packages a dockercfg secret into a Docker image and includes a Ruby/Rack HTTP endpoint that can disclose arbitrary file contents by mapping URL paths to environment variables, including an ENV key that directly points to the embedded dockercfg. The image is then built and pushed to a registry, distributing the credential-leak/backdoor capability via the supply chain. Review/disable and investigate any downstream use of the produced artifact; treat as likely malicious even though direct external exfiltration is not shown in this snippet.

pydoxing

8.8.9

Live on pypi

Blocked by Socket

The script poses a significant risk due to its potential for data theft, unauthorized access, and other malicious activities.

mindspore-dev

2.2.0.dev20230820

Removed from pypi

Blocked by Socket

The code contains several points of potential exploitation, particularly through the use of subprocess and dynamic code execution based on user input. This could lead to command injection or execution of arbitrary code if proper validations are not implemented. Therefore, caution should be exercised when using this code in a production environment.

Live on pypi for 1 hour and 29 minutes before removal. Socket users were protected even while the package was live.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

RUST: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

GOLANG: Go Modules (Go Dependency Management)

JAVA: Maven Central

JAVASCRIPT: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

PYTHON: PyPI (Python Package Index)

RUBY: RubyGems.org (Ruby Package Manager)

SWIFT: Swift

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)

EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published, roughly one every two minutes, from newly created accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, some of which mention a capture-the-flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.

The latest from the Socket team

Get our latest security research, open source insights, and product updates.

View all articles