Secure your dependencies. Ship with confidence.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This module is functionally a supervisor that uses pickle-based serialization over ZeroMQ. The code contains high-risk unsafe deserialization: it accepts pickle-formatted data from sockets (recv_multipart / recv_pyobj) and unpickles it without validation, then performs dynamic dispatch based on untrusted data. The temporary monkey-patch of torch.storage._load_from_bytes inside pickle_loads increases the attack surface for malicious payloads that embed torch storage objects. There are no authentication or integrity checks on incoming messages. Therefore the code is unsafe to use in untrusted-network environments: an attacker who can send messages to the supervisor sockets (or control SUPERVISOR_PIPE/SUPERVISOR_IDENT) can achieve remote code execution. No other explicit exfiltration, cryptomining, or backdoor code is present in this fragment, but the deserialization pattern makes arbitrary malicious behavior possible.

The script is designed to collect sensitive information about the user and send it to an external server, which is malicious behavior.

Live on npm for 26 days, 4 hours and 59 minutes before removal. Socket users were protected even while the package was live.

This preinstall script attempts to exfiltrate environment information (hostname and username) to a remote server at install time. This is malicious/spyware-like behavior (unauthorized telemetry/data exfiltration) and poses a high security risk. The script should be treated as malicious, avoid installing the package, and investigate any systems where it ran.

This code implements a high-risk remote-download-and-execute pattern: it obfuscates a PowerShell command that downloads a BAT file over HTTP to %TEMP% and executes it with execution-policy bypass and hidden UI. Treat as malicious or compromised until proven otherwise. Do NOT run this code in a production or trusted environment; block the URL, remove the code, and investigate any systems where it ran.

The code is a configuration loader with a critical insecure pattern: it eval()s configuration-provided 'filter' expressions when constructing logger handlers. That results in an arbitrary code execution vector if an attacker can modify the YAML config or influence which config file is loaded via environment. No direct hard-coded malware is present in the snippet, but the eval makes the module unsafe for use with untrusted configuration sources. Replace eval with a safe, explicit filter factory or validated parser and validate sink targets to mitigate the supply-chain/operational risk.

The code is potentially malicious as it writes and executes an unknown binary with elevated privileges. This behavior is indicative of malware and poses a high security risk.

Live on npm for 14 days, 5 hours and 59 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 23 minutes before removal. Socket users were protected even while the package was live.

This code collects system-identifying data (username, hostname, file path), hex-encodes it, constructs a domain under a hardcoded external base ('furb.pw') embedding that data into subdomain labels, and issues an HTTPS GET to that domain — a clear data-exfiltration pattern. The behavior is malicious or at minimum privacy-invasive telemetry sent to an external third party. The package should not be trusted or used without removal of the network exfiltration logic and a full audit.

This code exhibits high-risk behavior: it sends API keys in URL query parameters to a hardcoded numeric IP over plain HTTP, which can result in credential exfiltration. Additional issues include an exception-handling bug (returning undefined 'Non'), lack of timeouts/authentication/TLS, and unvalidated propagation of remote JSON. Treat this code as suspicious until the remote endpoint and purpose are verified. Remediation: use HTTPS, send keys in Authorization header or request body, avoid hardcoded IPs, add timeouts and proper error handling, validate returned JSON, and verify the owner of the remote service before trusting it.

Live on PyPI for 9 hours and 25 minutes before removal. Socket users were protected even while the package was live.

Overall this package appears to be a legitimate JupyterLab extension with normal build/setup scripts. However, there are two security concerns: 1) The resolutions override redirects @amphi/pipeline-components-manager to a local file: path (file:./../pipeline-components-manager). Per the provided critical rules, redirecting or resolving dependencies to non-registry sources (file:, git:, tarball:, etc.) and using resolutions/overrides for that is a known supply-chain attack vector and should be considered high-risk. 2) The inclusion of posthog-js introduces a telemetry/analytics capability that could exfiltrate usage data depending on runtime behavior. You should inspect the local package at ../pipeline-components-manager and any post-install or runtime code that initializes posthog to confirm there is no malicious behavior or data exfiltration. If you cannot verify the local filesystem package or if this package.json is published to a registry but the resolution forces a local path, treat this as a high supply-chain risk.

The code appears to implement a complex scraping and data manipulation tool, with a focus on web content and media. While scraping and media handling in itself is not inherently malicious, the obfuscated function at the beginning raises suspicions about the intent of the code. The hardcoded values and potential file operations also warrant caution. However, there is not enough evidence to conclusively determine the presence of malware without a clearer understanding of the URLs being accessed and the full context of the code's use.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

The code is collecting and encrypting system information, then sending it to an external domain (spacehog.net) via DNS lookups and an HTTP GET request. This behavior is highly suspicious and indicative of potential data exfiltration. The hardcoded password and use of execSync add to the security concerns.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

This script performs potentially dangerous operations: it gathers local source and metadata and uploads them to remote services, reads credentials from environment variables and obtains a token which it forwards to a local service, and includes a hard-coded API key used to call an external execution endpoint. These behaviors constitute data-exfiltration and credential-leakage risks. While there is no explicit evidence of destructive malware (no reverse shell, no obfuscation, no direct system-damage commands), the presence of embedded secrets and automatic upload/execution of local code make this high-risk in terms of supply-chain or privacy/security exposure. I recommend not running this code in sensitive environments, removing hardcoded keys, and avoiding automatic upload of local source without explicit, authenticated, and audited consent.

Live on PyPI for 52 minutes before removal. Socket users were protected even while the package was live.

The source code is highly suspicious and likely malicious, as it attempts to exfiltrate sensitive data such as Chrome passwords and execute commands via Discord. The code is obfuscated, which is often used to hide malicious intent. The risk of data theft and unauthorized access is significant.

Live on npm for 2 days, 2 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The script is making a request to a remote server, which can be potentially risky. The content of the response and the purpose of this request should be further investigated to determine if it poses any security risks.

Live on npm for 14 hours and 31 minutes before removal. Socket users were protected even while the package was live.

This code is malicious. It performs unauthorized data exfiltration of system network interface IP addresses and hostname to an attacker-controlled Discord webhook. This behavior constitutes malware and poses a high security risk. The code is clear and not obfuscated, but the embedded webhook and silent transmission of system information without user consent make it dangerous and privacy-invasive.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

The fragment strongly indicates a hidden, potentially malicious payload delivered via an opaque base64 blob with minimal visible logic. The risk of supply-chain compromise is high unless there is a transparent, verifiable decoding/execution pathway. Recommended actions: isolate the artifact, locate and review the exact decoding/execution code, search for eval-like constructs or dynamic imports, attempt to deobfuscate, and replace with auditable resources. If decoding/execution cannot be justified, remove the payload.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This module is functionally a supervisor that uses pickle-based serialization over ZeroMQ. The code contains high-risk unsafe deserialization: it accepts pickle-formatted data from sockets (recv_multipart / recv_pyobj) and unpickles it without validation, then performs dynamic dispatch based on untrusted data. The temporary monkey-patch of torch.storage._load_from_bytes inside pickle_loads increases the attack surface for malicious payloads that embed torch storage objects. There are no authentication or integrity checks on incoming messages. Therefore the code is unsafe to use in untrusted-network environments: an attacker who can send messages to the supervisor sockets (or control SUPERVISOR_PIPE/SUPERVISOR_IDENT) can achieve remote code execution. No other explicit exfiltration, cryptomining, or backdoor code is present in this fragment, but the deserialization pattern makes arbitrary malicious behavior possible.

The script is designed to collect sensitive information about the user and send it to an external server, which is malicious behavior.

Live on npm for 26 days, 4 hours and 59 minutes before removal. Socket users were protected even while the package was live.

This preinstall script attempts to exfiltrate environment information (hostname and username) to a remote server at install time. This is malicious/spyware-like behavior (unauthorized telemetry/data exfiltration) and poses a high security risk. The script should be treated as malicious, avoid installing the package, and investigate any systems where it ran.

This code implements a high-risk remote-download-and-execute pattern: it obfuscates a PowerShell command that downloads a BAT file over HTTP to %TEMP% and executes it with execution-policy bypass and hidden UI. Treat as malicious or compromised until proven otherwise. Do NOT run this code in a production or trusted environment; block the URL, remove the code, and investigate any systems where it ran.

The code is a configuration loader with a critical insecure pattern: it eval()s configuration-provided 'filter' expressions when constructing logger handlers. That results in an arbitrary code execution vector if an attacker can modify the YAML config or influence which config file is loaded via environment. No direct hard-coded malware is present in the snippet, but the eval makes the module unsafe for use with untrusted configuration sources. Replace eval with a safe, explicit filter factory or validated parser and validate sink targets to mitigate the supply-chain/operational risk.

The code is potentially malicious as it writes and executes an unknown binary with elevated privileges. This behavior is indicative of malware and poses a high security risk.

Live on npm for 14 days, 5 hours and 59 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 23 minutes before removal. Socket users were protected even while the package was live.

This code collects system-identifying data (username, hostname, file path), hex-encodes it, constructs a domain under a hardcoded external base ('furb.pw') embedding that data into subdomain labels, and issues an HTTPS GET to that domain — a clear data-exfiltration pattern. The behavior is malicious or at minimum privacy-invasive telemetry sent to an external third party. The package should not be trusted or used without removal of the network exfiltration logic and a full audit.

This code exhibits high-risk behavior: it sends API keys in URL query parameters to a hardcoded numeric IP over plain HTTP, which can result in credential exfiltration. Additional issues include an exception-handling bug (returning undefined 'Non'), lack of timeouts/authentication/TLS, and unvalidated propagation of remote JSON. Treat this code as suspicious until the remote endpoint and purpose are verified. Remediation: use HTTPS, send keys in Authorization header or request body, avoid hardcoded IPs, add timeouts and proper error handling, validate returned JSON, and verify the owner of the remote service before trusting it.

Live on PyPI for 9 hours and 25 minutes before removal. Socket users were protected even while the package was live.

Overall this package appears to be a legitimate JupyterLab extension with normal build/setup scripts. However, there are two security concerns: 1) The resolutions override redirects @amphi/pipeline-components-manager to a local file: path (file:./../pipeline-components-manager). Per the provided critical rules, redirecting or resolving dependencies to non-registry sources (file:, git:, tarball:, etc.) and using resolutions/overrides for that is a known supply-chain attack vector and should be considered high-risk. 2) The inclusion of posthog-js introduces a telemetry/analytics capability that could exfiltrate usage data depending on runtime behavior. You should inspect the local package at ../pipeline-components-manager and any post-install or runtime code that initializes posthog to confirm there is no malicious behavior or data exfiltration. If you cannot verify the local filesystem package or if this package.json is published to a registry but the resolution forces a local path, treat this as a high supply-chain risk.

The code appears to implement a complex scraping and data manipulation tool, with a focus on web content and media. While scraping and media handling in itself is not inherently malicious, the obfuscated function at the beginning raises suspicions about the intent of the code. The hardcoded values and potential file operations also warrant caution. However, there is not enough evidence to conclusively determine the presence of malware without a clearer understanding of the URLs being accessed and the full context of the code's use.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

The code is collecting and encrypting system information, then sending it to an external domain (spacehog.net) via DNS lookups and an HTTP GET request. This behavior is highly suspicious and indicative of potential data exfiltration. The hardcoded password and use of execSync add to the security concerns.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

This script performs potentially dangerous operations: it gathers local source and metadata and uploads them to remote services, reads credentials from environment variables and obtains a token which it forwards to a local service, and includes a hard-coded API key used to call an external execution endpoint. These behaviors constitute data-exfiltration and credential-leakage risks. While there is no explicit evidence of destructive malware (no reverse shell, no obfuscation, no direct system-damage commands), the presence of embedded secrets and automatic upload/execution of local code make this high-risk in terms of supply-chain or privacy/security exposure. I recommend not running this code in sensitive environments, removing hardcoded keys, and avoiding automatic upload of local source without explicit, authenticated, and audited consent.

Live on PyPI for 52 minutes before removal. Socket users were protected even while the package was live.

The source code is highly suspicious and likely malicious, as it attempts to exfiltrate sensitive data such as Chrome passwords and execute commands via Discord. The code is obfuscated, which is often used to hide malicious intent. The risk of data theft and unauthorized access is significant.

Live on npm for 2 days, 2 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The script is making a request to a remote server, which can be potentially risky. The content of the response and the purpose of this request should be further investigated to determine if it poses any security risks.

Live on npm for 14 hours and 31 minutes before removal. Socket users were protected even while the package was live.

This code is malicious. It performs unauthorized data exfiltration of system network interface IP addresses and hostname to an attacker-controlled Discord webhook. This behavior constitutes malware and poses a high security risk. The code is clear and not obfuscated, but the embedded webhook and silent transmission of system information without user consent make it dangerous and privacy-invasive.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

The fragment strongly indicates a hidden, potentially malicious payload delivered via an opaque base64 blob with minimal visible logic. The risk of supply-chain compromise is high unless there is a transparent, verifiable decoding/execution pathway. Recommended actions: isolate the artifact, locate and review the exact decoding/execution code, search for eval-like constructs or dynamic imports, attempt to deobfuscate, and replace with auditable resources. If decoding/execution cannot be justified, remove the payload.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.