
Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

@agile-vibe-coding/avc

0.7.2

by GitHub Actions

Live on npm

Blocked by Socket

High security risk. This module is an LLM-driven worktree automation framework with explicit primitives to execute arbitrary shell commands (/bin/bash -c) and to write/edit/delete files, plus git and docker-compose side effects, all steered by untrusted LLM outputs and tool-call arguments. While no clear malware payload or external exfil endpoint is evident in the excerpt, the capability set is sufficient for sabotage or credential/data exposure if any attacker can influence inputs (prompt injection, malicious project contents, compromised model/provider, or weak enforcement bypass). It should not be used as an untrusted dependency without strong isolation and strict allowlisting of commands and file operations.

forge-jsx

1.0.35

by johnceballos0716

Live on npm

Blocked by Socket

This module provides automated periodic desktop screenshot capture and exfiltrates the resulting image content to external systems (Discord webhook endpoints obtained at runtime, or a relay via JSON containing base64 screenshot data). While it includes operational guardrails (interval/queue/size bounds) and basic input validation plus memory-clearing attempts, the core functionality is high-risk for privacy/data exfiltration. No classic malware primitives (eval/Function, shelling out, filesystem writes) are visible here, so intent is not provable from this fragment alone, but the implemented capability is strongly aligned with spyware/exfiltration patterns.

zettabrain-rag

0.1.8

Live on pypi

Blocked by Socket

This module is a RAG FastAPI service with ingestion via subprocess and chat via Ollama + persistent Chroma. The most critical issue is highly suspicious destructive logic in the WebSocket chat handler: it deletes the entire Chroma collection ('zettabrain_docs') and overwrites the ingestion log ('{}'), effectively wiping RAG state. There is no authentication/authorization guarding these actions, and additional signs of snippet corruption/misplaced prompt text further increase the likelihood of tampering. Treat the package as severely compromised/sabotage-capable until the full source (including indentation/trigger conditions) is verified and the destructive behavior is removed/guarded behind authenticated admin controls.

omniroute

3.7.3

by diegosouza.pw

Live on npm

Blocked by Socket

This module is high-risk: it exposes an SSE endpoint that performs a privileged installation-like workflow using a sudoPassword supplied via request data, streaming progress/status back to the caller. The combination of request-controlled elevated credential handling and inclusion of host/network/system capabilities strongly suggests potential for misuse or malicious installation behavior if authentication/authorization and input validation are not robust. Full confirmation requires reviewing the implementation of the helpers invoked with `sudoPassword` (e.g., `(0, f.A1)` and data extraction `(0, g.kQ)/(0, g.sO)`).

koppa-lang

3.0.0

Live on pypi

Blocked by Socket

This dependency is a programmable execution engine that exposes highly dangerous native primitives: arbitrary OS command execution (shell=True, unsanitized command construction), outbound network probing/HTTP, and unrestricted filesystem read/write. It further increases risk by evaluating embedded expressions inside string interpolation and by dynamically loading/executing imported code from local stdlib or resolved packages without visible sandboxing. While no explicit credential-stealing routine is shown here, the provided capability surface makes the package a plausible sabotage/backdoor/agent enabler if untrusted input can reach interpret() or interpolation/import paths.

mintcat-code

1.8.6

by iriscat

Live on npm

Blocked by Socket

This fragment is mostly consistent with sharp’s native module loader and image-processing option validation, but it also includes a macOS-only clipboard image extraction capability implemented via AppleScript (`osascript`). It reads user clipboard PNG data, writes it to `/tmp`, reads it back into memory, deletes the file, and returns the clipboard image bytes to the caller—an inherently privacy-sensitive behavior that can enable clipboard harvesting. No network exfiltration is shown in the provided code, so maliciousness depends on how the returned data is used by the importing application, but the capability itself is a significant security concern.

@gadzzmodss/libsignal-node

2.2.0

by gadzzmodss

Live on npm

Blocked by Socket

This module is highly suspicious and likely malicious: it patches an installed Baileys dependency in-place (node_modules) by overwriting newsletter.js with a bundled modified payload, persists install state via a cache marker, and the modified code fetches remote channel IDs from a public raw GitHub URL to repeatedly execute follow actions. The combination of supply-chain tampering, remote-controlled automation, and process termination after patching is consistent with an implant/dropper rather than benign functionality.

apple-app-store-server-library-poc

134.0.32

by cketol

Live on npm

Blocked by Socket

This preinstall script is malicious: it harvests environment variables, process/container environment, and likely secret files from the host, then transmits them to an external webhook. Installing this package would expose credentials and sensitive data and should be treated as a high-severity supply chain compromise. Do not run npm install for this package; remediate any systems on which it executed and rotate exposed secrets.

@memori.ai/memori-react

8.35.0

by andrepat0

Live on npm

Blocked by Socket

This module contains a severe, high-confidence remote-code-execution mechanism: it conditionally executes session-provided “text/javascript” snippets via new Function(s.content)() when an executable flag is present. If an attacker can influence dialog/media payloads, this becomes arbitrary JavaScript execution in the hosting page context (enabling token theft, data exfiltration, and persistence). Additional moderate risks include dangerouslySetInnerHTML style injection from configuration, token extraction from DOM attributes, and propagation of state via CustomEvents, but the dynamic execution path is the primary critical finding.

@link-assistant/hive-mind

1.58.0

by GitHub Actions

Live on npm

Blocked by Socket

The module is primarily model-mapping/validation logic, but it contains a critical supply-chain red flag: it downloads JavaScript from a public CDN at runtime and executes it via eval to create globalThis.use. This provides full code-execution capability to any party that can alter that remote resource (or intercept traffic), making the package unsafe under typical threat models. Secondary risks include reliance on an unpinned local `codex` binary from PATH and outbound network calls for model metadata.

@link-assistant/hive-mind

1.58.0

by GitHub Actions

Live on npm

Blocked by Socket

This module contains a critical supply-chain / remote code execution mechanism: it fetches JavaScript at runtime from an external CDN and executes it with eval to install globalThis.use. Since the rest of the file relies on use('command-stream') and filesystem/path primitives obtained from this eval-loaded trust root, a compromised remote script (or MITM) would fully control command execution and filesystem/network side effects. Secondary capabilities (stream JSON parsing into handlers, session log renaming, optional git commit/push and PR comment posting) further increase blast radius. Treat this package as extremely high risk until the runtime eval+fetch bootstrap is removed or replaced with deterministic, integrity-verified local dependencies.

neoagent

2.3.1-beta.22

by neo_original_

Live on npm

Blocked by Socket

This fragment contains multiple high-suspicion primitives (eval, document.cookie, and DOM manipulation via document.write, plus many external http/src loads and inline event/script execution markers). Due to severe corruption, exact behavior cannot be fully proven, but the evidence strongly warrants treating this artifact as highly suspicious malicious web payload material in a supply-chain context.

@builder.io/dev-tools

1.49.0-beta.202604281443.f974ac7

by manucorporat

Live on npm

Blocked by Socket

This module’s proxy layer injects an inline browser script into proxied HTML that implements a postMessage-triggered remote code execution mechanism (new Function(text) over message-provided code) and relays results back to the parent via wildcard postMessage. This is a critical security red flag consistent with a backdoor/evaluation channel. Additional server-side risk is raised by execSync command execution, /etc/hosts manipulation, local env capture, and TLS certificate verification being disabled in proxy HTTPS handling. Treat as high-risk and perform immediate security review and containment; the presence of these sinks is sufficient to prevent safe trust in typical supply-chain scenarios.

neoagent

2.3.1-beta.21

Live on npm

Blocked by Socket

This module is strongly consistent with surveillance/spyware behavior: it repeatedly captures the macOS screen, performs OCR on the resulting images, and persists the extracted text and frontmost app name to a database. There is no visible exfiltration in this snippet, but the persistent collection of sensitive on-screen content is itself a major privacy and security risk. Parameterized SQL reduces injection risk, but sensitive-data handling, user attribution via a static/earliest user selection, and the overall continuous capture capability warrant urgent review, consent/audit requirements, and strict access controls.

@wavoip/wavoip-webphone

1.3.2

by xandfcosta

Live on npm

Blocked by Socket

This module is high-risk from a supply-chain and runtime-execution perspective: it dynamically loads and executes JavaScript worklet code via both a public CDN and an embedded base64 data: URI, and it also captures microphone audio and can transmit binary audio frames over a WebSocket session authenticated by a token in the URL. While classic malware behaviors are not directly evidenced in the snippet, the capability for arbitrary worklet behavior plus audio egress makes the module materially dangerous and warrants strict provenance pinning, integrity controls, and review of the exact worklet scripts and trust boundaries before use.

apple-app-store-server-library-poc

134.0.30

by cketol

Live on npm

Blocked by Socket

This is malicious: it actively harvests potentially sensitive credentials and configuration from the environment and running processes and exfiltrates them to an attacker-controlled endpoint. Installing this package would likely leak secrets (cloud credentials, DB connection info, Kubernetes secrets) and should be treated as a high-severity supply-chain compromise. Do not run or install this package; investigate any systems where it was installed and rotate exposed credentials.

hyuiauto

3.0.1

Live on pypi

Blocked by Socket

This fragment is a local Android/OCR tooling server but contains a severe vulnerability: it uses eval() on an untrusted HTTP GET parameter (left_top_right_bottom), enabling arbitrary code execution within the server process. Combined with unauthenticated endpoints that expose device/app details, screenshots, and OCR output, the overall supply-chain security posture is high risk if any untrusted local context can reach the server port. No clear outward malware exfiltration is shown in the fragment; the dominant concern is RCE and sensitive local data exposure.

deltara

0.30.10

by deltara-ai

Live on npm

Blocked by Socket

The install scripts execute package-supplied Node code at install time (automatic setup and cleanup). This is potentially dangerous: the postinstall setup could download or execute additional code, perform network operations, modify the system, or persist. The stderr redirection masks output. Treat this as high risk until bin/deltara.js and bin/clean-cache.js (and any files under vendor/) are audited. Do not install on production machines or CI without inspection.

neoagent

2.3.1-beta.21

Live on npm

Blocked by Socket

This fragment contains multiple high-suspicion primitives (eval, document.cookie, and DOM manipulation via document.write, plus many external http/src loads and inline event/script execution markers). Due to severe corruption, exact behavior cannot be fully proven, but the evidence strongly warrants treating this artifact as highly suspicious malicious web payload material in a supply-chain context.

modustack

1.0.3

by modustack

Live on npm

Blocked by Socket

This module is a high-confidence malicious remote loader: it fingerprints the host (including MAC addresses and all environment variables) and then fetches JavaScript from a hardcoded external endpoint and executes it via `eval` with no validation. The combined reconnaissance + remote code execution pattern strongly indicates backdoor/supply-chain compromise behavior rather than legitimate functionality.

oc-piloci

0.2.6

Live on pypi

Blocked by Socket

The code is largely standard for an auth/project API, but it contains a high-risk supply-chain style behavior: _generate_token_setup generates a dynamic `python3 -c` stop-hook command that reads a local transcript file specified by the CLAUDE_SESSION_TRANSCRIPT environment variable and sends the transcript to `${base_url}/api/sessions/analyze` over the network with a Bearer token. This is consistent with data exfiltration/privacy invasion and an execution hook that could be abused for sabotage or unauthorized data collection. If this package is distributed/used broadly, this should be treated as an extremely suspicious/malicious component and reviewed in the associated hook runner/consumer context.

radia

4.17.0

Live on pypi

Blocked by Socket

This module is a high-risk dynamic loader. It unconditionally reads a Python source file from a hardcoded UNC network share and executes it via exec, while also manipulating sys.path to influence subsequent imports. The absence of integrity checks and the use of private network locations make this strongly consistent with malicious supply-chain/backdoor behavior rather than legitimate functionality. Treat as critical and block/inspect the referenced network content and the environment for compromise.

@evomap/evolver

1.75.0

by autogame-17

Live on npm

Blocked by Socket

This module is a highly obfuscated, stage-like loader that reads and parses a bundled local binary manifest, dynamically discovers/loads additional local components from computed paths, gates activation via internal flags, and contains a clear OS shell/command execution sink via a child-process-like interface. Even without visible network traffic, the presence of dynamic stage loading and shell execution makes this a high security risk consistent with malicious supply-chain/dropper activity. Recommend quarantine and deeper dynamic/sandboxed analysis with deobfuscation and full decoded command/path extraction.

@graphql-hive/laboratory

0.1.7-alpha-20260428112003-64ae5f73d07b22a4614ee5aab6a4f1555afe70d1

by theguild-bot

Live on npm

Blocked by Socket

This fragment contains a critical arbitrary code execution primitive: it executes a runtime-provided “lab” script text in a Web Worker using `AsyncFunction`/constructor with `with(lab){...}`. The executed script can mutate environment variables and request headers, and the produced env/headers are returned to the main thread for use in subsequent GraphQL operations. Additionally, untrusted operation/share inputs can influence headers/variables/extensions via templating and JSON parsing, and endpoints can be dynamically selected for outbound requests. No explicit persistence or specific exfiltration domain is visible in the provided fragment, but the capability level warrants treating this as a serious supply-chain/security threat unless preflight scripts are strictly trusted/allowlisted and share payloads are hardened.

reflexio-ai

0.2.19

Live on pypi

Blocked by Socket

While the module’s intended role is benign SQLite CRUD/search with FTS/vector indexing, the provided code fragment is severely corrupted and the search_user_playbooks SQL construction is anomalously malformed—apparently embedding INSERT operations into unrelated tables and referencing undefined variables. This strongly suggests either malicious sabotage or severe packaging/transformation corruption that could enable unexpected persistent writes (data integrity attacks) and/or cause denial-of-service via SQL errors. No clear network/exfiltration/backdoor behavior is shown in this excerpt, but the integrity risk is high.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership


Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.


RUST: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

GOLANG: Go Modules (Go Dependency Management)

JAVA: Maven Central

JAVASCRIPT: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

PYTHON: PyPI (Python Package Index)

RUBY: RubyGems.org (Ruby Package Manager)

SWIFT: Swift

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)

EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, some of them mentioning a capture-the-flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.

