Secure your dependencies. Ship with confidence.

This module performs dataset download, reads pickled blobs from the downloaded snapshot, deserializes them with pickle.load, and writes extracted video bytes to disk; it also builds prompts and sends them to an external judge API. The immediate, high-risk issue is the untrusted pickle deserialization: deserializing pickles from a remote snapshot can lead to arbitrary code execution (RCE). Secondary risks include possible path traversal via unsanitized video_name when writing files and data leakage to external model APIs. I rate this as a significant security risk for supply-chain/malicious dataset content. Avoid running unwrap_hf_pkl or prepare_dataset on untrusted snapshots without first verifying and sandboxing the pickles (prefer using safe formats, signature/integrity checks, or an isolated execution environment).

Live on pypi for 3 hours and 11 minutes before removal. Socket users were protected even while the package was live.

The analyzed code contains several high-risk patterns that could enable data leakage, remote control, or host compromise if misused. Notably: (a) arbitrary code execution in a Jupyter kernel via handleNotebookSessionContents, (b) downloading/executing an external installer with elevated privileges from GitHub, and (c) transmitting tokens and environment-derived data to external services. While these patterns may be intended for advanced monitoring, they require strict controls (least privilege, sandboxing, explicit consent, and integrity checks). Recommend treating as medium-to-high risk, with a need for formal threat modeling, code signing for external scripts, limited scope of kernel execution, and removal or hardening of host-level installers in production.

This file implements a DNS-based command-and-control transport (Sliver implant DNS C2). It encodes, fragments and transmits encrypted payloads via DNS TXT queries to an operator-controlled parent domain and receives commands the same way. The code provides full C2 capabilities (session bootstrap, encrypted send/receive, block reassembly). It also includes weaknesses: insecure random number generator for nonces/IDs and an unbounded in-memory replay cache. Given its functionality, this code is malicious in the general software supply-chain context and poses a high security risk if present in a dependency.

This module manipulates sys.path to ensure code is loaded from the project root, then reaches out to https://pastebin[.]com/raw/mPx5K6DN (via urllib.request with a 2 s timeout), writes the returned payload bytes into a file named current.py alongside __init__.py, immediately imports rootpath.current (thereby executing arbitrary remote code with the host process’s privileges), and finally unlinks current.py to hide the fetched payload. There is no integrity check, sandboxing, or user consent—this is high-risk remote-code-execution supply-chain backdoor behavior.

This fragment performs unguarded, targeted tampering with supply-chain integrity controls: it deletes infra/control/verify.go and attempts to remove 'VSign' from the Go module configuration in-place. While there is no evidence of exfiltration or network activity, the actions are strongly consistent with disabling verification/signing mechanisms and therefore represent a high security risk.

This file includes hardcoded credentials (a Telegram bot token and chat ID) and transmits newly created SSH usernames and passwords to a remote endpoint (e.g., example[.]com) without user consent.

This code is malicious or at minimum intentionally dangerous. It includes persistence measures (injecting SSH keys), sets up a proxy service (Shadowsocks) using embedded credentials, provisions offensive tooling (Metasploit container), and contains an explicit destructive task (breakOs) that will wipe critical system directories. The module provides unfettered remote command execution and file upload capabilities. Do not run this code on any system you care about; consider it hostile and remove or quarantine it.

The code unconditionally sends sensitive configuration (mongo_url) and user data to a hard-coded third-party API. This constitutes a high supply-chain and data-exfiltration risk. Treat the module as unsafe for production until the remote service is verified, credential leakage is prevented, and proper error handling and least-privilege controls are implemented.

The code exhibits a high-risk anti-pattern by using eval on user-supplied CLI input to mutate a settings object and then persisting that configuration to disk. This enables arbitrary code execution, unintended property manipulation, and potential leakage or misuse of sensitive configuration. Recommend removing eval entirely, replacing with a strict whitelist-based property updater, JSON parsing/validation, and proper authentication/permissions checks before writing to disk. Overall risk is high due to runtime code execution and disk persistence of configuration.

This file contains a hidden encrypted payload that is conditionally decrypted using host/environment-derived values and then executed with eval. That design is strongly indicative of a targeted backdoor/supply-chain implant. Because the decrypted code is not visible, the exact malicious actions cannot be enumerated statically, but the pattern allows arbitrary code execution and potential credential/exfiltration activity on any host where decryption succeeds. Treat this package as compromised and high-risk: remove or block the package, audit affected hosts for indicators of compromise, and rotate any potentially exposed credentials (npm configs, Artifactory keys, environment secrets).

The code exhibits clear signs of malicious behavior by collecting and transmitting sensitive system information to external servers without user consent. The use of suspicious domains and extensive data gathering indicates potential data exfiltration and unauthorized access.

The source code exhibits clear signs of malicious behavior, including downloading and executing files from an external domain, changing file permissions, and running the files with elevated permissions. The risk and malware scores should be high due to the potential for significant harm. The obfuscation score is lower, as the code is not heavily obfuscated but does contain some minor obfuscation techniques.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

The script contains a high-risk backdoor-like capability: when FMTR_DEV is enabled, it opens root SSH access with a hardcoded password, dumps environment data, and runs SSH in foreground with verbose logging. This undermines container isolation, enables remote compromise, and poses severe supply-chain security risks. It should be removed or replaced with secure, auditable behavior (e.g., disallow root SSH, use proper authentication via keys, avoid dumping environment, and validate inputs).

The analyzed fragment implements dynamic download and execution of an external binary from a remote release channel during a CI workflow. While this pattern can be legitimate for tooling, it introduces substantial supply-chain and runtime security risks due to lack of integrity verification, reliance on external binaries, and execution of downloaded code with elevated permissions in a CI environment. Recommend removing or hardening the dynamic download/execution path: use signed, verified binaries; implement checksum/signature verification; pin to a known-good hash; consider vendoring the tool or embedding it in the repository; restrict what inputs can influence the binary download; and add strict sandboxing or runner policies to prevent unintended data exposure or host compromise.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

The flagged file implements a React upload component that, upon user file selection, appends the file to a FormData and issues an unencrypted HTTP POST to http://kg[.]zhaodashen[.]cn/mt/admin/upload.jsp. There is no user consent prompt, file validation or use of HTTPS, and the hardcoded endpoint belongs to an unknown domain. This behavior constitutes unauthorized data exfiltration and a high-severity privacy breach, indicating malicious intent.

The code implements unauthorized analytics by intercepting CodeMirror usage and sending user identifiers and editor state to a suspicious external server without user consent. It contains bugs in fetch usage that may prevent proper data transmission but still represents a serious privacy violation and potential malware behavior. The override of a global constructor to inject this behavior is suspicious and obfuscates intent. Users should consider this code malicious and avoid using it.

Conclusion: This code fragment demonstrates strong obfuscation coupled with runtime payload decryption and unmanaged code loading capabilities, creating significant supply-chain and security risks. It warrants strict provenance verification, integrity checks (signatures/hashes), and comprehensive offline analysis in a secure sandbox prior to any use or distribution. The combination of hard-coded cryptographic material, memory-injection primitives, and dynamic loader patterns elevates the risk to a high level.

This code exhibits high-risk behavior: it reads a JWT from a user's browser localStorage via injected notebook JavaScript and transmits it to a hard-coded external endpoint, uses eval() on network-provided data (allowing remote code execution), and disables TLS verification for a request to the same endpoint. These patterns are consistent with credential exfiltration and remote-code-execution backdoors. Do not run this code in environments with sensitive credentials; treat it as malicious or at minimum extremely unsafe and refactor to remove eval, re-enable TLS verification, and avoid silent client-side token exfiltration.

The module acts as a local HTTP agent/relay that collects user_key and client IPs, calls local services, and regularly posts aggregated 'online_user_list' and related metadata to a hard-coded remote domain using an embedded API key. Even though no interactive shell or destructive code is obvious in the readable portions, the automatic exfiltration behavior (periodic heartbeat plus proxied remote calls) and hard-coded credentials/endpoints are characteristic of a backdoor/telemetry agent. Treat this package as suspicious: do not run in trusted environments until provenance is validated, remote endpoints and the embedded API_KEY are audited, and the garbled/corrupted file content is resolved to a clean source for full review.

A shell script modifies the SSH server configuration to allow root login without a password, moves an authorized_keys file from a temporary location into the root user’s SSH directory, and attempts to reload SSH. These actions collectively create a high-risk scenario by enabling potential unauthorized root access. No external domains or IP addresses have been observed.

Based on the provided manifest/README, Peekaboo's capabilities align with its stated purpose (macOS UI automation). No explicit signs of embedded malware, obfuscation, hardcoded secrets, or network exfiltration are present in this document. The primary risks are: (1) supply-chain/trust risk from a third-party Homebrew tap installer; (2) local abuse via high-privilege APIs (Accessibility/Screen Recording) and execution of untrusted .peekaboo.json scripts; and (3) local secret exposure via clipboard and stored config credentials. Recommend: verify and audit the Homebrew tap and package source before installation, inspect the binary/source if possible, restrict access to stored config files, and treat any automation scripts as untrusted input. Avoid running scripts from untrusted sources and limit granted macOS permissions to necessary scopes.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 12 hours and 44 minutes before removal. Socket users were protected even while the package was live.

This file gathers user data, environment variables, and sensitive system files (e.g., /etc/passwd or the Windows hosts file) and sends them via a POST request to a suspicious remote domain (example[.]com). The purpose is clearly data theft, indicating malicious intent and a significant security threat.

Live on npm for 14 days, 5 hours and 9 minutes before removal. Socket users were protected even while the package was live.

This module performs dataset download, reads pickled blobs from the downloaded snapshot, deserializes them with pickle.load, and writes extracted video bytes to disk; it also builds prompts and sends them to an external judge API. The immediate, high-risk issue is the untrusted pickle deserialization: deserializing pickles from a remote snapshot can lead to arbitrary code execution (RCE). Secondary risks include possible path traversal via unsanitized video_name when writing files and data leakage to external model APIs. I rate this as a significant security risk for supply-chain/malicious dataset content. Avoid running unwrap_hf_pkl or prepare_dataset on untrusted snapshots without first verifying and sandboxing the pickles (prefer using safe formats, signature/integrity checks, or an isolated execution environment).

Live on pypi for 3 hours and 11 minutes before removal. Socket users were protected even while the package was live.

The analyzed code contains several high-risk patterns that could enable data leakage, remote control, or host compromise if misused. Notably: (a) arbitrary code execution in a Jupyter kernel via handleNotebookSessionContents, (b) downloading/executing an external installer with elevated privileges from GitHub, and (c) transmitting tokens and environment-derived data to external services. While these patterns may be intended for advanced monitoring, they require strict controls (least privilege, sandboxing, explicit consent, and integrity checks). Recommend treating as medium-to-high risk, with a need for formal threat modeling, code signing for external scripts, limited scope of kernel execution, and removal or hardening of host-level installers in production.

This file implements a DNS-based command-and-control transport (Sliver implant DNS C2). It encodes, fragments and transmits encrypted payloads via DNS TXT queries to an operator-controlled parent domain and receives commands the same way. The code provides full C2 capabilities (session bootstrap, encrypted send/receive, block reassembly). It also includes weaknesses: insecure random number generator for nonces/IDs and an unbounded in-memory replay cache. Given its functionality, this code is malicious in the general software supply-chain context and poses a high security risk if present in a dependency.

This module manipulates sys.path to ensure code is loaded from the project root, then reaches out to https://pastebin[.]com/raw/mPx5K6DN (via urllib.request with a 2 s timeout), writes the returned payload bytes into a file named current.py alongside __init__.py, immediately imports rootpath.current (thereby executing arbitrary remote code with the host process’s privileges), and finally unlinks current.py to hide the fetched payload. There is no integrity check, sandboxing, or user consent—this is high-risk remote-code-execution supply-chain backdoor behavior.

This fragment performs unguarded, targeted tampering with supply-chain integrity controls: it deletes infra/control/verify.go and attempts to remove 'VSign' from the Go module configuration in-place. While there is no evidence of exfiltration or network activity, the actions are strongly consistent with disabling verification/signing mechanisms and therefore represent a high security risk.

This file includes hardcoded credentials (a Telegram bot token and chat ID) and transmits newly created SSH usernames and passwords to a remote endpoint (e.g., example[.]com) without user consent.

This code is malicious or at minimum intentionally dangerous. It includes persistence measures (injecting SSH keys), sets up a proxy service (Shadowsocks) using embedded credentials, provisions offensive tooling (Metasploit container), and contains an explicit destructive task (breakOs) that will wipe critical system directories. The module provides unfettered remote command execution and file upload capabilities. Do not run this code on any system you care about; consider it hostile and remove or quarantine it.

The code unconditionally sends sensitive configuration (mongo_url) and user data to a hard-coded third-party API. This constitutes a high supply-chain and data-exfiltration risk. Treat the module as unsafe for production until the remote service is verified, credential leakage is prevented, and proper error handling and least-privilege controls are implemented.

The code exhibits a high-risk anti-pattern by using eval on user-supplied CLI input to mutate a settings object and then persisting that configuration to disk. This enables arbitrary code execution, unintended property manipulation, and potential leakage or misuse of sensitive configuration. Recommend removing eval entirely, replacing with a strict whitelist-based property updater, JSON parsing/validation, and proper authentication/permissions checks before writing to disk. Overall risk is high due to runtime code execution and disk persistence of configuration.

This file contains a hidden encrypted payload that is conditionally decrypted using host/environment-derived values and then executed with eval. That design is strongly indicative of a targeted backdoor/supply-chain implant. Because the decrypted code is not visible, the exact malicious actions cannot be enumerated statically, but the pattern allows arbitrary code execution and potential credential/exfiltration activity on any host where decryption succeeds. Treat this package as compromised and high-risk: remove or block the package, audit affected hosts for indicators of compromise, and rotate any potentially exposed credentials (npm configs, Artifactory keys, environment secrets).

The code exhibits clear signs of malicious behavior by collecting and transmitting sensitive system information to external servers without user consent. The use of suspicious domains and extensive data gathering indicates potential data exfiltration and unauthorized access.

The source code exhibits clear signs of malicious behavior, including downloading and executing files from an external domain, changing file permissions, and running the files with elevated permissions. The risk and malware scores should be high due to the potential for significant harm. The obfuscation score is lower, as the code is not heavily obfuscated but does contain some minor obfuscation techniques.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

The script contains a high-risk backdoor-like capability: when FMTR_DEV is enabled, it opens root SSH access with a hardcoded password, dumps environment data, and runs SSH in foreground with verbose logging. This undermines container isolation, enables remote compromise, and poses severe supply-chain security risks. It should be removed or replaced with secure, auditable behavior (e.g., disallow root SSH, use proper authentication via keys, avoid dumping environment, and validate inputs).

The analyzed fragment implements dynamic download and execution of an external binary from a remote release channel during a CI workflow. While this pattern can be legitimate for tooling, it introduces substantial supply-chain and runtime security risks due to lack of integrity verification, reliance on external binaries, and execution of downloaded code with elevated permissions in a CI environment. Recommend removing or hardening the dynamic download/execution path: use signed, verified binaries; implement checksum/signature verification; pin to a known-good hash; consider vendoring the tool or embedding it in the repository; restrict what inputs can influence the binary download; and add strict sandboxing or runner policies to prevent unintended data exposure or host compromise.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

The flagged file implements a React upload component that, upon user file selection, appends the file to a FormData and issues an unencrypted HTTP POST to http://kg[.]zhaodashen[.]cn/mt/admin/upload.jsp. There is no user consent prompt, file validation or use of HTTPS, and the hardcoded endpoint belongs to an unknown domain. This behavior constitutes unauthorized data exfiltration and a high-severity privacy breach, indicating malicious intent.

The code implements unauthorized analytics by intercepting CodeMirror usage and sending user identifiers and editor state to a suspicious external server without user consent. It contains bugs in fetch usage that may prevent proper data transmission but still represents a serious privacy violation and potential malware behavior. The override of a global constructor to inject this behavior is suspicious and obfuscates intent. Users should consider this code malicious and avoid using it.

Conclusion: This code fragment demonstrates strong obfuscation coupled with runtime payload decryption and unmanaged code loading capabilities, creating significant supply-chain and security risks. It warrants strict provenance verification, integrity checks (signatures/hashes), and comprehensive offline analysis in a secure sandbox prior to any use or distribution. The combination of hard-coded cryptographic material, memory-injection primitives, and dynamic loader patterns elevates the risk to a high level.

This code exhibits high-risk behavior: it reads a JWT from a user's browser localStorage via injected notebook JavaScript and transmits it to a hard-coded external endpoint, uses eval() on network-provided data (allowing remote code execution), and disables TLS verification for a request to the same endpoint. These patterns are consistent with credential exfiltration and remote-code-execution backdoors. Do not run this code in environments with sensitive credentials; treat it as malicious or at minimum extremely unsafe and refactor to remove eval, re-enable TLS verification, and avoid silent client-side token exfiltration.

The module acts as a local HTTP agent/relay that collects user_key and client IPs, calls local services, and regularly posts aggregated 'online_user_list' and related metadata to a hard-coded remote domain using an embedded API key. Even though no interactive shell or destructive code is obvious in the readable portions, the automatic exfiltration behavior (periodic heartbeat plus proxied remote calls) and hard-coded credentials/endpoints are characteristic of a backdoor/telemetry agent. Treat this package as suspicious: do not run in trusted environments until provenance is validated, remote endpoints and the embedded API_KEY are audited, and the garbled/corrupted file content is resolved to a clean source for full review.

A shell script modifies the SSH server configuration to allow root login without a password, moves an authorized_keys file from a temporary location into the root user’s SSH directory, and attempts to reload SSH. These actions collectively create a high-risk scenario by enabling potential unauthorized root access. No external domains or IP addresses have been observed.

Based on the provided manifest/README, Peekaboo's capabilities align with its stated purpose (macOS UI automation). No explicit signs of embedded malware, obfuscation, hardcoded secrets, or network exfiltration are present in this document. The primary risks are: (1) supply-chain/trust risk from a third-party Homebrew tap installer; (2) local abuse via high-privilege APIs (Accessibility/Screen Recording) and execution of untrusted .peekaboo.json scripts; and (3) local secret exposure via clipboard and stored config credentials. Recommend: verify and audit the Homebrew tap and package source before installation, inspect the binary/source if possible, restrict access to stored config files, and treat any automation scripts as untrusted input. Avoid running scripts from untrusted sources and limit granted macOS permissions to necessary scopes.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 12 hours and 44 minutes before removal. Socket users were protected even while the package was live.

This file gathers user data, environment variables, and sensitive system files (e.g., /etc/passwd or the Windows hosts file) and sends them via a POST request to a suspicious remote domain (example[.]com). The purpose is clearly data theft, indicating malicious intent and a significant security threat.

Live on npm for 14 days, 5 hours and 9 minutes before removal. Socket users were protected even while the package was live.