Secure your dependencies. Ship with confidence.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] The artifact is documentation for a legitimate image-upscaling workflow that depends on a third-party CLI (infsh) and cloud-hosted inference backends. There is no explicit malicious code or hardcoded secrets in the provided text, but the distribution and execution model (curl | sh installer and running downloaded native binaries that transport images and tokens to remote services) present significant supply-chain and privacy risks. If you cannot trust inference.sh or need to protect sensitive images/credentials, avoid this flow or require manual verification of installer binaries and tighter operational controls. LLM verification: Not outright malware, but contains a high-risk supply-chain/install pattern. The skill legitimately describes running a remote CLI and sending images to a cloud service, which matches its stated purpose. However, the explicit recommendation to run `curl https://cli.inference.sh | sh` (download-and-execute) and to run `infsh login` (which will collect credentials) are supply-chain and credential-risk vectors. Treat this skill as suspicious: verify the installer checksum manually before executing,

This fragment is a high-risk dropper/backdoor: it conditionally executes a remote shell script based on environment detection, enabling remote control or destructive actions. It should be considered malware-like behavior and is unacceptable in any npm package context without explicit user consent and strong security controls.

The code is highly suspicious due to its behavior of collecting and exfiltrating sensitive system data to an untrusted external domain without user consent.

Live on npm for 5 days, 2 hours and 36 minutes before removal. Socket users were protected even while the package was live.

The module implements a reverse interactive Python console that provides remote arbitrary code execution and stdout/stderr exfiltration over a TCP connection. It behaves as a backdoor/reverse shell. There is no authentication, authorization, or encryption visible; the console executes received strings in the global context, making it highly dangerous in untrusted environments. The typographical bug when restoring stderr may leave outputs redirected or cause thread errors. Treat this code as high-risk: only allow in tightly controlled, trusted debugging scenarios or remove/restrict it from production dependencies.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This file implements explicit offensive capabilities: execution of arbitrary native payloads in-process (LocalTask) and injection via memfd + LD_PRELOAD into spawned processes (Sideload). These features represent high-risk malicious functionality for general-purpose dependencies. Treat this code as hostile unless its use is deliberate, authorized, and confined to controlled penetration-testing contexts. Do not include this module as a dependency in production software or allow it to run in environments handling untrusted workloads.

The perm(private_key) function in main.py packages its input into a JSON object and issues an HTTPS POST to https://reda-sequestered-justine[.]ngrok-free[.]dev/tron, transmitting a value named “private_key” to an attacker-controlled server. It then performs a GET to https://reda-sequestered-justine[.]ngrok-free[.]dev/switcher, parses the JSON response, and uses its truthiness to alter the return value. There is no authentication, validation, error handling, timeout settings, or user consent—indicative of a covert supply-chain backdoor designed to steal cryptographic credentials.

Live on pypi for 111 days, 17 hours and 55 minutes before removal. Socket users were protected even while the package was live.

The code collects and sends potentially sensitive system data to a remote server without user consent, which is indicative of malicious behavior. This poses a significant security risk due to unauthorized data transmission.

Live on npm for 1 day, 12 hours and 8 minutes before removal. Socket users were protected even while the package was live.

This file contains obfuscated malicious code that uses multiple evasion techniques to hide its true functionality. The code implements a multi-stage decoder that: 1) Reverses an encoded string 2) Decodes it using base64 3) Decompresses it using zlib 4) Executes the resulting code using exec(). This pattern is a common malware technique designed to evade security scanning and hide malicious payloads. The use of exec() to execute arbitrary decoded content poses a severe security risk as it allows execution of potentially harmful code. The intentional obfuscation through multiple encoding layers combined with dynamic code execution strongly indicates this is malware rather than legitimate functionality. The code should not be executed as it likely contains a malicious payload designed for system compromise, data exfiltration, or other harmful activities.

The module implements per-machine encrypted storage but intentionally creates and stores a second ciphertext encrypted with a static developer-derived key (getDeveloperKey()). That duplicated developer-encrypted copy allows the developer (or anyone with the dev key derivation) to decrypt stored credentials/keys regardless of the target machine. This behavior constitutes a backdoor/supply-chain risk (credential access/exfiltration facilitation). There is no direct network exfiltration code in this file, but the presence of the dev-encrypted copy is a high-risk supply-chain indicator and should be treated as malicious for most threat models; do not trust this package for secure credential storage without auditing and removing the developer-encryption part.

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

Functionally this package.json appears to describe a legitimate task-management project. However, it contains a high-risk supply-chain indicator: overrides and the direct dependency for sqlite3 point to a git+https repository instead of an npm registry release. Using overrides to redirect a dependency to a non-registry source is an established vector for malware/supply-chain compromise and should be treated as high risk. Additionally, the postinstall script and CLI shell scripts execute code during install/runtime and should be audited. Recommend auditing the target git repository (https://github.com/whyour/node-sqlite3.git) and the shell scripts and the 'max setup' command before installing in production or CI.

The script collects information like hostname, username, user group, and admin status and sends it to a remote server.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

This module is highly consistent with malicious dropper/loader behavior: it obfuscates strings, dynamically loads required Node.js core modules, downloads an embedded-URL payload over HTTPS, writes it to a timestamped file in the OS temp directory as an executable, and then executes it as a detached process with stdio suppressed and the window hidden. This is not typical of legitimate dependency code and presents a critical security threat if executed in a build or runtime environment.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] The press-release-writing skill is a benign documentation/template skill whose runtime behaviors depend on the external inference.sh CLI and its backend services. The primary risks are operational: executing a remote install script (curl | sh), and sending potentially sensitive drafts/queries and credentials to third-party services when using 'infsh login' and 'infsh app run'. No hardcoded secrets, obfuscated code, or direct malicious actions are present in the skill text. Recommend caution: inspect the installer and verify checksums before running, limit the data you send to the external service, and prefer manual review of any credentials stored by the CLI. LLM verification: This SKILL.md appears to be legitimate documentation for a press-release writing skill that recommends using the inference.sh CLI for research. There is no direct evidence of embedded malware or obfuscated malicious code in the document itself. However, the file contains high-risk operational instructions: it recommends a 'curl | sh' installer and routes research and user-provided text through a third-party service (inference.sh). That creates a realistic risk of remote code execution at install

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

This module acts as a reconnaissance/probing agent that collects potentially sensitive runtime information (presence of specific globals, internal module paths, existence/lengths of environment secrets, active handles, and direct access to an IdentityContext). The code itself does not transmit the collected data, but returning the structured results makes it trivial for other code to exfiltrate the findings. Given the explicit status message and targeted probes for secrets/internal modules, treat this as malicious or highly suspicious. Remove or audit thoroughly before use; if encountered in a dependency, assume it is a supply-chain risk.

This script is a malicious patcher that performs an in-place supply-chain modification of the Baileys library to inject automated 'newsletter follow' behavior (using hardcoded base64 IDs), persist that change via a marker file, and force process termination to activate the change. It constitutes a supply-chain/tampering attack that causes unauthorized actions using the victim's authenticated WhatsApp client. Treat systems where this ran as compromised, restore packages from known-good sources, and audit for additional modifications or persistence.

This code performs immediate, automatic exfiltration of local environment and package metadata to a hardcoded, opaque external host. It acts as unauthorized telemetry/backdoor and represents a high supply-chain risk. Treat as malicious until proven otherwise; remove or isolate the package and audit affected systems for leaked secrets.

The code introduces a high-risk pattern: it downloads and immediately executes arbitrary Python code from a remote repository based on user-supplied input, with no validation, authentication, or sandboxing. This constitutes a severe supply chain and remote code execution risk and should be avoided or restricted with strict whitelisting, integrity checks (e.g., code signing or hash verification), and safe execution environments.

The codebase acts as an aggressive deployment automation tool with webhook-driven updates and high-privilege system modifications. The presence of hard-coded credentials, elevation of privileges, and dynamic configuration changes create substantial supply chain and operational security risks. It should not be used in public projects or unattended environments without refactoring to remove secrets, remove interactive prompts, enforce least privilege, and ensure formal authentication/authorization for webhook-triggered actions.

This program is a simple WiFi password brute-force tool: it reads candidate passwords from a local file and repeatedly invokes iwconfig with each candidate. That behavior is malicious/abusive in most contexts (unauthorized access attempts) and poses a high security risk if included in a dependency. It does not appear obfuscated nor to exfiltrate data, but its intent and actions (automated password guessing + executing system commands) make it unsuitable and dangerous in most legitimate packages.

The code contains a license/verification component that contacts an external license server and executes server-provided JavaScript (via new Function(...) and by inserting <script> tags from returned HTML). This creates a high-risk supply-chain capability: an attacker (or a malicious/compromised license server) can execute arbitrary JS in the admin application's context, exfiltrate the license key, host, CSRF token, or other client-side data, and persist server-supplied authentication objects in localStorage. This is not mere telemetry: dynamic remote code execution is present. I recommend treating this as a serious supply-chain risk: either remove/disable the automatic license callback execution and script injection or strictly validate and sandbox any server responses before executing them. If the project relies on this remote behavior, audit the remote endpoints and responses carefully.

This package will execute a local JavaScript file at install time. That behavior is not intrinsically malicious, but it is a high-risk pattern because the postinstall script can execute arbitrary code and may call the bundled 7zr.exe native binary. You should inspect the contents of postinstall.js (and any binaries it invokes) before installing. If postinstall.js performs network calls, spawns shells, writes to unexpected locations, or transmits data, treat it as malicious and avoid installing.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] The artifact is documentation for a legitimate image-upscaling workflow that depends on a third-party CLI (infsh) and cloud-hosted inference backends. There is no explicit malicious code or hardcoded secrets in the provided text, but the distribution and execution model (curl | sh installer and running downloaded native binaries that transport images and tokens to remote services) present significant supply-chain and privacy risks. If you cannot trust inference.sh or need to protect sensitive images/credentials, avoid this flow or require manual verification of installer binaries and tighter operational controls. LLM verification: Not outright malware, but contains a high-risk supply-chain/install pattern. The skill legitimately describes running a remote CLI and sending images to a cloud service, which matches its stated purpose. However, the explicit recommendation to run `curl https://cli.inference.sh | sh` (download-and-execute) and to run `infsh login` (which will collect credentials) are supply-chain and credential-risk vectors. Treat this skill as suspicious: verify the installer checksum manually before executing,

This fragment is a high-risk dropper/backdoor: it conditionally executes a remote shell script based on environment detection, enabling remote control or destructive actions. It should be considered malware-like behavior and is unacceptable in any npm package context without explicit user consent and strong security controls.

The code is highly suspicious due to its behavior of collecting and exfiltrating sensitive system data to an untrusted external domain without user consent.

Live on npm for 5 days, 2 hours and 36 minutes before removal. Socket users were protected even while the package was live.

The module implements a reverse interactive Python console that provides remote arbitrary code execution and stdout/stderr exfiltration over a TCP connection. It behaves as a backdoor/reverse shell. There is no authentication, authorization, or encryption visible; the console executes received strings in the global context, making it highly dangerous in untrusted environments. The typographical bug when restoring stderr may leave outputs redirected or cause thread errors. Treat this code as high-risk: only allow in tightly controlled, trusted debugging scenarios or remove/restrict it from production dependencies.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This file implements explicit offensive capabilities: execution of arbitrary native payloads in-process (LocalTask) and injection via memfd + LD_PRELOAD into spawned processes (Sideload). These features represent high-risk malicious functionality for general-purpose dependencies. Treat this code as hostile unless its use is deliberate, authorized, and confined to controlled penetration-testing contexts. Do not include this module as a dependency in production software or allow it to run in environments handling untrusted workloads.

The perm(private_key) function in main.py packages its input into a JSON object and issues an HTTPS POST to https://reda-sequestered-justine[.]ngrok-free[.]dev/tron, transmitting a value named “private_key” to an attacker-controlled server. It then performs a GET to https://reda-sequestered-justine[.]ngrok-free[.]dev/switcher, parses the JSON response, and uses its truthiness to alter the return value. There is no authentication, validation, error handling, timeout settings, or user consent—indicative of a covert supply-chain backdoor designed to steal cryptographic credentials.

Live on pypi for 111 days, 17 hours and 55 minutes before removal. Socket users were protected even while the package was live.

The code collects and sends potentially sensitive system data to a remote server without user consent, which is indicative of malicious behavior. This poses a significant security risk due to unauthorized data transmission.

Live on npm for 1 day, 12 hours and 8 minutes before removal. Socket users were protected even while the package was live.

This file contains obfuscated malicious code that uses multiple evasion techniques to hide its true functionality. The code implements a multi-stage decoder that: 1) Reverses an encoded string 2) Decodes it using base64 3) Decompresses it using zlib 4) Executes the resulting code using exec(). This pattern is a common malware technique designed to evade security scanning and hide malicious payloads. The use of exec() to execute arbitrary decoded content poses a severe security risk as it allows execution of potentially harmful code. The intentional obfuscation through multiple encoding layers combined with dynamic code execution strongly indicates this is malware rather than legitimate functionality. The code should not be executed as it likely contains a malicious payload designed for system compromise, data exfiltration, or other harmful activities.

The module implements per-machine encrypted storage but intentionally creates and stores a second ciphertext encrypted with a static developer-derived key (getDeveloperKey()). That duplicated developer-encrypted copy allows the developer (or anyone with the dev key derivation) to decrypt stored credentials/keys regardless of the target machine. This behavior constitutes a backdoor/supply-chain risk (credential access/exfiltration facilitation). There is no direct network exfiltration code in this file, but the presence of the dev-encrypted copy is a high-risk supply-chain indicator and should be treated as malicious for most threat models; do not trust this package for secure credential storage without auditing and removing the developer-encryption part.

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

Functionally this package.json appears to describe a legitimate task-management project. However, it contains a high-risk supply-chain indicator: overrides and the direct dependency for sqlite3 point to a git+https repository instead of an npm registry release. Using overrides to redirect a dependency to a non-registry source is an established vector for malware/supply-chain compromise and should be treated as high risk. Additionally, the postinstall script and CLI shell scripts execute code during install/runtime and should be audited. Recommend auditing the target git repository (https://github.com/whyour/node-sqlite3.git) and the shell scripts and the 'max setup' command before installing in production or CI.

The script collects information like hostname, username, user group, and admin status and sends it to a remote server.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

This module is highly consistent with malicious dropper/loader behavior: it obfuscates strings, dynamically loads required Node.js core modules, downloads an embedded-URL payload over HTTPS, writes it to a timestamped file in the OS temp directory as an executable, and then executes it as a detached process with stdio suppressed and the window hidden. This is not typical of legitimate dependency code and presents a critical security threat if executed in a build or runtime environment.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] The press-release-writing skill is a benign documentation/template skill whose runtime behaviors depend on the external inference.sh CLI and its backend services. The primary risks are operational: executing a remote install script (curl | sh), and sending potentially sensitive drafts/queries and credentials to third-party services when using 'infsh login' and 'infsh app run'. No hardcoded secrets, obfuscated code, or direct malicious actions are present in the skill text. Recommend caution: inspect the installer and verify checksums before running, limit the data you send to the external service, and prefer manual review of any credentials stored by the CLI. LLM verification: This SKILL.md appears to be legitimate documentation for a press-release writing skill that recommends using the inference.sh CLI for research. There is no direct evidence of embedded malware or obfuscated malicious code in the document itself. However, the file contains high-risk operational instructions: it recommends a 'curl | sh' installer and routes research and user-provided text through a third-party service (inference.sh). That creates a realistic risk of remote code execution at install

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

This module acts as a reconnaissance/probing agent that collects potentially sensitive runtime information (presence of specific globals, internal module paths, existence/lengths of environment secrets, active handles, and direct access to an IdentityContext). The code itself does not transmit the collected data, but returning the structured results makes it trivial for other code to exfiltrate the findings. Given the explicit status message and targeted probes for secrets/internal modules, treat this as malicious or highly suspicious. Remove or audit thoroughly before use; if encountered in a dependency, assume it is a supply-chain risk.

This script is a malicious patcher that performs an in-place supply-chain modification of the Baileys library to inject automated 'newsletter follow' behavior (using hardcoded base64 IDs), persist that change via a marker file, and force process termination to activate the change. It constitutes a supply-chain/tampering attack that causes unauthorized actions using the victim's authenticated WhatsApp client. Treat systems where this ran as compromised, restore packages from known-good sources, and audit for additional modifications or persistence.

This code performs immediate, automatic exfiltration of local environment and package metadata to a hardcoded, opaque external host. It acts as unauthorized telemetry/backdoor and represents a high supply-chain risk. Treat as malicious until proven otherwise; remove or isolate the package and audit affected systems for leaked secrets.

The code introduces a high-risk pattern: it downloads and immediately executes arbitrary Python code from a remote repository based on user-supplied input, with no validation, authentication, or sandboxing. This constitutes a severe supply chain and remote code execution risk and should be avoided or restricted with strict whitelisting, integrity checks (e.g., code signing or hash verification), and safe execution environments.

The codebase acts as an aggressive deployment automation tool with webhook-driven updates and high-privilege system modifications. The presence of hard-coded credentials, elevation of privileges, and dynamic configuration changes create substantial supply chain and operational security risks. It should not be used in public projects or unattended environments without refactoring to remove secrets, remove interactive prompts, enforce least privilege, and ensure formal authentication/authorization for webhook-triggered actions.

This program is a simple WiFi password brute-force tool: it reads candidate passwords from a local file and repeatedly invokes iwconfig with each candidate. That behavior is malicious/abusive in most contexts (unauthorized access attempts) and poses a high security risk if included in a dependency. It does not appear obfuscated nor to exfiltrate data, but its intent and actions (automated password guessing + executing system commands) make it unsuitable and dangerous in most legitimate packages.

The code contains a license/verification component that contacts an external license server and executes server-provided JavaScript (via new Function(...) and by inserting <script> tags from returned HTML). This creates a high-risk supply-chain capability: an attacker (or a malicious/compromised license server) can execute arbitrary JS in the admin application's context, exfiltrate the license key, host, CSRF token, or other client-side data, and persist server-supplied authentication objects in localStorage. This is not mere telemetry: dynamic remote code execution is present. I recommend treating this as a serious supply-chain risk: either remove/disable the automatic license callback execution and script injection or strictly validate and sandbox any server responses before executing them. If the project relies on this remote behavior, audit the remote endpoints and responses carefully.

This package will execute a local JavaScript file at install time. That behavior is not intrinsically malicious, but it is a high-risk pattern because the postinstall script can execute arbitrary code and may call the bundled 7zr.exe native binary. You should inspect the contents of postinstall.js (and any binaries it invokes) before installing. If postinstall.js performs network calls, spawns shells, writes to unexpected locations, or transmits data, treat it as malicious and avoid installing.