
Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

github.com/weaveworks/weave

v1.7.3-0.20161024103715-98b35b87a9ea

Live on go

Blocked by Socket

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

@gitcodepublic/openmodal

1.0.3

by gitcodepublic

Live on npm

Blocked by Socket

This fragment performs targeted runtime tampering of an installed dependency and injects a high-risk capability: it extracts filesystem-like paths from assistant text, resolves them against environment/cwd/worktree-derived directories, reads the referenced files from disk, and sends their contents via Telegram session messaging. The absence of a strict safe-root allowlist makes it consistent with a prompt-driven local-file disclosure/exfiltration design. Immediate security review and removal of this behavior are strongly warranted.

bapy

0.2.317

Live on pypi

Blocked by Socket

This script establishes a stealthy, persistent SSH local port forward from the host (local port 9999) to remote host 67.202.15.57 targeting remote localhost:27017. On machines matching the specified hostnames, this effectively exposes or forwards access to a local service (likely a database on port 27017) to an external host, creating a backdoor/exfiltration channel. The hard-coded IP, root user, targeted hostnames, backgrounded nohup invocation, and output redirection are strong indicators of malicious or unauthorized behavior. Recommend removing/quarantining this script, auditing SSH keys and authorized connections on affected hosts, and investigating connections to 67.202.15.57.

@sssaicode/claude

1.1.10

by sssaicode

Live on npm

Blocked by Socket

The payload exhibits hallmark traits of malicious supply‑chain risk: heavy obfuscation, dynamic payload decoding, environment/token-driven configuration, sandbox/profile manipulation, and external process execution with crafted environments. While some parts could serve legitimate sandbox tooling, the combination of obfuscation, remote coordination, and persistence-oriented actions constitutes a high risk of backdoor-like behavior or data exfiltration if distributed in a package. Treat as a potential security hazard requiring deep deobfuscation, controlled live analysis, and removal from any production supply chain until audited.

@malleon/replay

1.0.5

by malleon

Live on npm

Blocked by Socket

This code implements a session-replay / monitoring agent that intercepts XHR/fetch, captures request/response contents, DOM events, user inputs, and resources, computes hashes and sends detailed data (including base64-encoded binaries and cookies/localStorage values) to a hardcoded remote backend (https://malleon.io). While it could be used legitimately for debugging or analytics, it collects sensitive user data and exfiltrates it to an external service without safeguards visible in this fragment. Treat this as privacy-invasive and a supply-chain risk: do not include or run in production unless the endpoint and data collection practices are fully audited, consented to, and data is properly sanitized.

tingly-box

0.260406.930-hotfix

by tinglydev

Live on npm

Blocked by Socket

This module is a high-risk supply-chain installer/executor: it downloads a ZIP from a remote URL, extracts its contents to disk, chmods extracted files, and directly executes the resulting binary via execFileSync. No cryptographic integrity/authenticity verification is shown for the downloaded artifact, and the extraction logic does not visibly enforce that extracted paths remain within the intended directory, which raises the risk of ZIP-Slip/path traversal if the archive is malicious. Malware intent is not directly evidenced in the snippet, but the execution pipeline makes compromise highly consequential.

github.com/gravitl/netmaker

v0.0.0-20210407145310-9a846af33285

Live on go

Blocked by Socket

The best-supported interpretation from all three reports is that this snippet is intended to remove/disrupt a networking/service component: it deletes a network interface, performs an authenticated DELETE against a local admin API to remove a node entry, overwrites sensitive network configuration, deletes a token, and then executes a privileged Go removal routine. The hardcoded bearer credential and `sudo go run ./main.go` pattern are strong security red flags. Even if this could be legitimate administrative deprovisioning, it is high-risk automation without verification/controls, and the unreviewed `main.go` is an unresolved supply-chain execution sink.

github.com/weaveworks/weave

v1.4.6-0.20160317182029-c8ca295cda09

Live on go

Blocked by Socket

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

fsd

0.0.241

Removed from pypi

Blocked by Socket

This module fragment is not overtly malicious (no direct backdoor or destructive actions) but embodies a high-risk data-exfiltration pattern: it sends full repository contents and user prompts to an external AI gateway without redaction, and logs/resends model outputs without strong validation. This creates substantial supply-chain and privacy risk (exposing secrets, intellectual property, or PII). Remediation: avoid sending raw repo contents to external services; implement strict redaction/allow-listing of files, filter secrets, minimize logging of prompts/responses, treat AIGateway as a high-sensitivity sink, and validate/sanitize model outputs before use.

Live on pypi for 5 days, 12 hours and 41 minutes before removal. Socket users were protected even while the package was live.

hackedit

1.0a1

Live on pypi

Blocked by Socket

This script functions as an unauthenticated remote code execution server (backdoor). It deserializes network-provided pickle/dill payloads and executes a client-supplied callable, and it modifies sys.path from an environment variable enabling module hijacking. Running this code exposed to untrusted clients or networks allows immediate full compromise of the host process. Treat as malicious/unacceptably dangerous; do not run in production or on trusted machines unless fully reworked with strong authentication, strict input validation, sandboxing, and removal of dynamic sys.path injection.

sbcli-dev

6.3.5

Live on pypi

Blocked by Socket

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

354766/inference-sh/agent-skills/competitor-teardown/

3730170dcf3c95d00446a3007dbb4be524779ff5

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected BENIGN: The improved report describes a legitimate competitive teardown workflow with public data sources and CLI automation. It produces standard market intelligence deliverables and maintains a reasonable security posture, aside from the general bootstrap risk associated with external tooling. Recommend validating data sources and monitoring provenance of any bootstrap scripts in production use. LLM verification: The SKILL.md is functionally coherent for a competitor teardown skill and does not contain explicit malicious code in the provided text. The primary security concern is the recommended pipe-to-shell installer (curl | sh) and the implicit routing of scraped content and credentials through a third-party hosted platform (inference.sh/infsh) without documented integrity checks or privacy/retention policies. This creates a supply-chain and data-exfiltration risk if the installer or backend is comprom

discord-v14-selfbot

1.0.2

by rowakx

Removed from npm

Blocked by Socket

This source code contains a severe supply chain security vulnerability and is almost certainly malicious. It downloads and executes an external executable without user consent, posing a high risk of system compromise or malware infection. The lack of obfuscation does not reduce the risk, and the reports provided were invalid. This package should be considered dangerous and avoided.

Live on npm for 3 hours and 24 minutes before removal. Socket users were protected even while the package was live.

@aiyiran/myclaw

1.1.10

by aiyiran

Live on npm

Blocked by Socket

This module is high-risk and supply-chain-suspicious: it injects voice capture and an operator-like command/terminal interface into a chat page, automates message submission, copies chat content to the clipboard, and—most critically—sends user-influenced command strings to a backend over Socket.IO via a generic 'run_command' execution channel. Several commands include administrative/destructive actions, and the client provides no visible authorization/allowlisting—meaning security hinges entirely on strict server-side enforcement. Treat as potentially malicious until backend authorization/command allowlisting and the purpose of /cmd/ and run_command are verified.

github.com/sourcegraph/sourcegraph

v0.0.0-20210218014944-e9e1ea99d0b6

Live on go

Blocked by Socket

This module is a deliberate destructive utility that corrupts all .zip files in a specified directory by truncating each archive to half its size and appending repeated junk data. While it lacks common malware features like networking or data exfiltration, the behavior is strongly indicative of sabotage and would be unacceptable in most software supply-chain contexts due to its potential to break builds, deployments, or artifact integrity.

354766/openclaw/skills/coding-agent/

ec6425e378a3232c057a6bd347f974b5e8cd9e56

Live on socket

Blocked by Socket

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] The skill documentation itself is not malicious code, but it prescribes high-risk operational patterns: wide `--trust`/`--yolo` flags, background automation, and external wake notifications that can leak sensitive content. These patterns are disproportionate to simple coding tasks and could be abused to harvest credentials or exfiltrate data when combined with compromised or malicious agent CLIs or untrusted prompts. Treat this skill as suspicious: safe use requires strict limits on tool trust, careful vetting/pinning of CLI installs, running agents in isolated environments, and not embedding secrets or sensitive data in prompts or the wake notification text. LLM verification: This SKILL.md is a legitimate operational guide for running interactive coding-agent CLIs, and its capabilities align with that purpose. However it includes several high-risk recommendations and features (--yolo/no-sandbox, elevated host execution, background interactive control) that are disproportionate for many safe uses and could be abused to execute arbitrary commands or exfiltrate repository data and credentials. I find no direct evidence of embedded malware or obfuscation in the document

airbnb-location-suggester

4.4.0

by jpdhackerone06

Removed from npm

Blocked by Socket

The package will execute index.js during npm install. That behavior is potentially dangerous because the script can perform arbitrary actions on the host (network calls, filesystem changes, spawning shells, installing other packages, adding hooks). The dependencies themselves are normal registry packages, but the preinstall hook is the primary risk and must be inspected. Treat this as potentially malicious until index.js is reviewed.

Live on npm for 1 day and 57 minutes before removal. Socket users were protected even while the package was live.

mapsurfer.net.ui

1.16.0

by Maxim Rylov

Live on nuget

Blocked by Socket

This file contains a heavy obfuscation layer and an in-assembly runtime loader that decrypts embedded resources and performs low-level native memory operations (allocations, Copy, VirtualProtect, WriteProcessMemory, Marshal pointer writes, delegate creation). Those operations match patterns for reflective loading, in-memory code injection or patching of modules and are commonly used by loaders, packers, or malware. Even if the top-level assembly provides benign UI controls, the loader code is highly suspicious and should be treated as malicious or at least as a high-risk backdoor/supply-chain concern. Do not trust or run this assembly in production; further dynamic analysis in an isolated environment is required to see the decrypted payload and exact runtime actions.

sbcli-alsh

12.0.5

Live on pypi

Blocked by Socket

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

licensehelper

1.0.2

by LicenseHelper

Live on nuget

Blocked by Socket

High likelihood of hidden or dual-use behavior due to extreme obfuscation, extensive use of reflection/DynamicMethod IL emission, cryptographic data handling, and registry-based persistence hooks. While not conclusively malicious in isolation, the pattern strongly suggests potential covert data handling, backdoors, or anti-analysis mechanisms within a supply-chain package. Treat as suspicious and require thorough auditing of the entire repository, including dependency graph, manifest resources, and any dynamic loader logic before adoption or deployment.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

RUST: crates.io (Rust Package Manager)
PHP: Packagist (PHP Package Manager)
GOLANG: Go Modules (Go Dependency Management)
JAVA: Maven Central
JAVASCRIPT: npm (Node Package Manager)
.NET: NuGet (.NET Package Manager)
PYTHON: PyPI (Python Package Index)
RUBY: RubyGems.org (Ruby Package Manager)
SWIFT: Swift
AI: Hugging Face Hub (AI Model Hub)
CI: GitHub Actions (CI/CD Workflows)
EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)
EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

The latest from the Socket team

Get our latest security research, open source insights, and product updates.
