Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery
timmywil published 4.0.0

left-pad
stevemao published 1.3.0

react
react-bot published 19.2.5

We protect you from vulnerable and malicious packages

verbiflow-mcp

0.0.17

by rishi12438

Live on npm

Blocked by Socket

This code fragment is highly consistent with malicious Windows Chrome cookie/session harvesting: it locates Chrome’s profile data, copies the Cookies SQLite DB, decrypts Chrome’s DPAPI-protected AES key via PowerShell, and includes AES-256-GCM decryption logic for cookie payloads. The snippet appears incomplete (returns null; no SQLite querying/exfiltration shown), but the decryption/key-recovery capabilities and targeted cookie-name allowlist are strong indicators of credential/session theft intent.

inspect-evals

0.3.106

Live on pypi

Blocked by Socket

A Bash script that performs systematic data exfiltration by recursively scanning the entire filesystem (starting at "/") for files named "flag*.txt". When matching files are found, the script automatically exfiltrates their contents using curl to POST the data to a remote server specified by the environment variable server_url. The script then prints the sensitive file contents to stdout, creating additional data exposure risks. The malicious behavior includes: (1) unauthorized filesystem scanning from root directory, (2) automatic data exfiltration without user consent or validation, (3) reliance on an externally-controlled server_url variable that can be set by attackers to direct stolen data to malicious endpoints, (4) local data exposure through stdout printing, and (5) complete lack of error handling, authentication, or access controls. This represents a clear backdoor mechanism for stealing sensitive files from compromised systems.

axis-abc-search-address

1.0.0

by aidanmochan

Live on npm

Blocked by Socket

This package's install hooks intentionally collect and transmit environment information to an external callback domain via HTTPS and DNS during installation. This is malicious/spyware-like behavior (beaconing/data exfiltration) and constitutes a high security risk in a supply-chain context. Do not install or run this package; treat it as compromised and investigate systems where it was installed.

whisper-ai-zxs

0.2.45

Live on pypi

Blocked by Socket

Hardcoded OpenAI API key exposed in source code (sk-proj-MsUkxNYAeWY5UogJ3v8CT3BlbkFJdoLGQKm9GCVjYCzFY0C9) with API calls redirected to suspicious non-official endpoint (http://e78e9fddbd7d736f363e6314d1b70180[.]api-forwards[.]com/v1) instead of the legitimate OpenAI API. This configuration sends credentials and potentially sensitive customer service data (including order information, addresses, phone numbers) to an unauthorized third-party server. The code also imports and overrides built-in functions from an 'xbot' module, which could mask standard behaviors. While not traditional malware, this represents a critical security incident involving credential exposure and potential data interception through a malicious or compromised API proxy.

@emilgroup/setting-sdk-node

0.2.3

by cover42devs

Removed from npm

Blocked by Socket

This script is a high-risk supply-chain abuse tool. It programmatically uses npm tokens from environment variables to enumerate package names owned by the token holders, temporarily alters local package metadata and README, and runs npm publish with the token to publish the repository contents as versions of those packages. It is likely intended to be used to mass-publish or backdoor packages when executed in environments with exposed tokens (e.g., CI). Treat presence of this script as malicious or highly dangerous: remove it, rotate any exposed tokens, audit CI environments for inadvertent exposure, and inspect any unexpected package versions published from your accounts.

Live on npm for 4 days, 3 hours and 9 minutes before removal. Socket users were protected even while the package was live.

bane

4.7.4

Live on pypi

Blocked by Socket

This module is an offensive brute-force and reconnaissance toolkit that attempts logins across multiple protocols, discovers admin/file manager endpoints, and provides password/hash cracking helpers. The code itself is not obfuscated and contains no hardcoded secrets in the fragment provided, but its functionality is malicious/abusive by intent — it facilitates unauthorized access and scanning. If present in a project or dependency chain it poses a high risk and should be treated as dangerous unless you explicitly need such capabilities for authorized security testing. Review any related imported modules (payloads, pager, hasher, wp, mysqlcp) before use.

ailever

0.3.193

Live on pypi

Blocked by Socket

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

github.com/bishopfox/sliver

v1.5.40-0.20231219175101-478dabf5e13e

Live on go

Blocked by Socket

This file is the main agent for the Sliver implant (a remote access/C2 framework). It collects host metadata, establishes outbound C2 connections (beacon or session), accepts and executes remote tasks, and can open sessions/pivots/tunnels. That behavior is consistent with a malware/backdoor implant intended for remote control and data exfiltration. Treat this package as malicious in a defensive context and do not run it in production networks. Further review of the handlers, transports, and pivots modules is required to enumerate exact capabilities (command execution, file exfiltration, credential theft, etc.).

354766/inference-sh-9/skills/case-study-writing/

db4636ec2adece813e60735aa4bc041e44684712

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

This skill is functionally benign as documentation for writing case studies, but it instructs users to install and run a remote CLI via a pipe-to-shell pattern and to authenticate to a third-party service. Those operational instructions constitute a supply-chain and data-exposure risk: downloading and executing remote binaries, running arbitrary executor apps, and sending user input/credentials to external endpoints are high-risk practices. There is no direct evidence of embedded malware in the skill text, but the installation and execution patterns are risky and disproportionate for a simple writing/template skill. Recommendation: treat the install step with caution — prefer manual download + checksum verification, minimize pasting of sensitive data into remote apps, and review the CLI project's source and privacy/data-retention policy before use.

LLM verification: The skill content itself is a benign editorial/template document for writing case studies, but it instructs users to install and use a third-party CLI via a pipe-to-shell command and to run remote 'apps' that will receive user queries and potentially credentials. That download-and-execute pattern without enforced checksum verification in the quickstart is an objective supply-chain risk. The risk is primarily supply-chain and credential-forwarding to inference.sh infrastructure rather than clear

github.com/weaveworks/weave

v1.4.7-0.20160417114034-c1d98ba59cd3

Live on go

Blocked by Socket

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

curri-slack

3.1.0

Removed from npm

Blocked by Socket

The code is designed to exfiltrate sensitive system and project data to external servers without user consent, indicating malicious intent. The use of infinite loops for continuous data sending is also concerning.

Live on npm for 45 minutes before removal. Socket users were protected even while the package was live.

openhosta

4.2.0

Live on pypi

Blocked by Socket

This module performs direct arbitrary code execution via `exec(cleaned_code, local_scope)` on provided Python source text, with only syntax checking (`ast.parse`) as a “guard.” If an attacker can influence the input string, it is a high-severity supply-chain/runtime code execution risk (RCE) capable of leading to data theft, exfiltration, persistence, or system modification. The use of a shared `local_scope` increases the chance of state contamination across calls.

sbcli-dm

1.4.7

Live on pypi

Blocked by Socket

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

plengauer/thoth

5c20aa792861d2c090f403355d73c4ed1a1e39c0

Live on actions

Blocked by Socket

The code unconditionally executes a packaged shell script on Linux at import time with inherited stdio and package-directory working directory. The JS itself doesn't contain explicit malicious payloads, but this pattern is a high supply-chain risk: it grants any contents of inject_and_init.sh the ability to execute arbitrary commands with the user's privileges, interact with the terminal, read environment variables, and access the filesystem and network. Treat the package as potentially dangerous unless you can audit or control the script contents and provenance. Recommend removing automatic execution, adding explicit opt-in APIs, verifying script integrity (signatures/hashes), avoiding inherited stdio, and performing existence and content checks before execution.

ailever

0.3.83

Live on pypi

Blocked by Socket

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

cargo-bins/cargo-binstall

7aa36d332c4232fe5af282493800f0864afe0374

Live on actions

Blocked by Socket

The script implements a suspicious bootstrap flow that injects a user-provided binary into the toolchain path and then performs multiple self-update steps for cargo-binstall, manipulating symlinks and binary placement. This creates a potential supply-chain attack surface where a malicious payload could be executed as part of the cargo tooling chain or persist via the bin directory. Lack of validation, hard reliance on local payloads, and aggressive self-update steps increase the risk of compromise. This should not be trusted in a published package without strict integrity checks and explicit source verification.

bluelamp-ai

1.0.9

Removed from pypi

Blocked by Socket

This module implements a non-sandboxed CLI runtime that executes arbitrary shell or PowerShell commands and performs filesystem operations in a workspace. It contains no obvious intentional malware (no obfuscated payloads, no hardcoded exfiltration endpoints), but it is intrinsically dangerous: it will run arbitrary commands on the host and can read/write/copy host files and environment variables. Use only in trusted environments. Note: the provided snippet contains a syntax/bug ('friendly_message =' with no value) that would break import; that appears accidental rather than malicious.

Live on pypi for 2 hours and 15 minutes before removal. Socket users were protected even while the package was live.

hjnwtx

0.1.14

Live on pypi

Blocked by Socket

The code exhibits several security risks, particularly in the sendEmail function which could lead to data exfiltration. The presence of hardcoded values and lack of input validation raises concerns about potential malicious behavior. Overall, the code should be reviewed and modified to mitigate these risks.

torchmonarch-nightly

2025.7.30

Live on pypi

Blocked by Socket

This module is functionally a supervisor that uses pickle-based serialization over ZeroMQ. The code contains high-risk unsafe deserialization: it accepts pickle-formatted data from sockets (recv_multipart / recv_pyobj) and unpickles it without validation, then performs dynamic dispatch based on untrusted data. The temporary monkey-patch of torch.storage._load_from_bytes inside pickle_loads increases the attack surface for malicious payloads that embed torch storage objects. There are no authentication or integrity checks on incoming messages. Therefore the code is unsafe to use in untrusted-network environments: an attacker who can send messages to the supervisor sockets (or control SUPERVISOR_PIPE/SUPERVISOR_IDENT) can achieve remote code execution. No other explicit exfiltration, cryptomining, or backdoor code is present in this fragment, but the deserialization pattern makes arbitrary malicious behavior possible.

@sodexo-connect/sap-cdc-client

17.9897.9869

Live on npm

Blocked by Socket

The module performs unauthorized collection of local environment identifiers and transmits them, encrypted with a hardcoded key, to a hardcoded remote server immediately upon import via top-level await. The code uses light obfuscation to hide the target URL and property access. This is data exfiltration/backdoor behavior and represents a high security risk — do not use or deploy this package. Remove it and investigate any deployments that included it.

imcodes

2026.4.986-dev.986

by GitHub Actions

Live on npm

Blocked by Socket

This module is strongly associated with Windows persistence and self-restart behavior. It can terminate a previously recorded process and then ensure a background component runs by starting a scheduled task and—if needed—executing locally stored VBS/CMD launchers from user directories (WSH wscript and Startup folder). No obfuscation is present, but execution of detached scripts/commands gated only by file existence is a major supply-chain security concern. The actual maliciousness depends on what daemon-launcher.vbs and imcodes-daemon.cmd contain, which are not shown here.

imagecomponents.webcore.ui

4.0.4.3

by Image Components

Live on nuget

Blocked by Socket

The assembly contains a heavily obfuscated loader/runtime-patcher component that decrypts embedded content and executes it in-process by allocating writable/executable memory, writing payload bytes (including writing to /proc/self/mem on Unix and using WriteProcessMemory on Windows), changing protections, and invoking the result (and patching runtime method pointers). This is behavior consistent with runtime code injection / shellcode loaders and is a significant supply-chain risk. Treat this component as untrusted and high-risk: do not deploy in sensitive or production environments without full provenance and rigorous review. If the library is required, isolate it (sandbox/process boundary) or replace it with a source-available, non-obfuscated alternative.

github.com/sourcegraph/sourcegraph

v0.0.0-20210217012304-a8a7d2a10549

Live on go

Blocked by Socket

This module is a deliberate destructive utility that corrupts all .zip files in a specified directory by truncating each archive to half its size and appending repeated junk data. While it lacks common malware features like networking or data exfiltration, the behavior is strongly indicative of sabotage and would be unacceptable in most software supply-chain contexts due to its potential to break builds, deployments, or artifact integrity.

verbiflow-mcp

0.0.17

by rishi12438

Live on npm

Blocked by Socket

This code fragment is highly consistent with malicious Windows Chrome cookie/session harvesting: it locates Chrome’s profile data, copies the Cookies SQLite DB, decrypts Chrome’s DPAPI-protected AES key via PowerShell, and includes AES-256-GCM decryption logic for cookie payloads. The snippet appears incomplete (returns null; no SQLite querying/exfiltration shown), but the decryption/key-recovery capabilities and targeted cookie-name allowlist are strong indicators of credential/session theft intent.

inspect-evals

0.3.106

Live on pypi

Blocked by Socket

A Bash script that performs systematic data exfiltration by recursively scanning the entire filesystem (starting at "/") for files named "flag*.txt". When matching files are found, the script automatically exfiltrates their contents using curl to POST the data to a remote server specified by the environment variable server_url. The script then prints the sensitive file contents to stdout, creating additional data exposure risks. The malicious behavior includes: (1) unauthorized filesystem scanning from root directory, (2) automatic data exfiltration without user consent or validation, (3) reliance on an externally-controlled server_url variable that can be set by attackers to direct stolen data to malicious endpoints, (4) local data exposure through stdout printing, and (5) complete lack of error handling, authentication, or access controls. This represents a clear backdoor mechanism for stealing sensitive files from compromised systems.

axis-abc-search-address

1.0.0

by aidanmochan

Live on npm

Blocked by Socket

This package's install hooks intentionally collect and transmit environment information to an external callback domain via HTTPS and DNS during installation. This is malicious/spyware-like behavior (beaconing/data exfiltration) and constitutes a high security risk in a supply-chain context. Do not install or run this package; treat it as compromised and investigate systems where it was installed.

whisper-ai-zxs

0.2.45

Live on pypi

Blocked by Socket

Hardcoded OpenAI API key exposed in source code (sk-proj-MsUkxNYAeWY5UogJ3v8CT3BlbkFJdoLGQKm9GCVjYCzFY0C9) with API calls redirected to suspicious non-official endpoint (http://e78e9fddbd7d736f363e6314d1b70180[.]api-forwards[.]com/v1) instead of the legitimate OpenAI API. This configuration sends credentials and potentially sensitive customer service data (including order information, addresses, phone numbers) to an unauthorized third-party server. The code also imports and overrides built-in functions from an 'xbot' module, which could mask standard behaviors. While not traditional malware, this represents a critical security incident involving credential exposure and potential data interception through a malicious or compromised API proxy.

@emilgroup/setting-sdk-node

0.2.3

by cover42devs

Removed from npm

Blocked by Socket

This script is a high-risk supply-chain abuse tool. It programmatically uses npm tokens from environment variables to enumerate package names owned by the token holders, temporarily alters local package metadata and README, and runs npm publish with the token to publish the repository contents as versions of those packages. It is likely intended to be used to mass-publish or backdoor packages when executed in environments with exposed tokens (e.g., CI). Treat presence of this script as malicious or highly dangerous: remove it, rotate any exposed tokens, audit CI environments for inadvertent exposure, and inspect any unexpected package versions published from your accounts.

Live on npm for 4 days, 3 hours and 9 minutes before removal. Socket users were protected even while the package was live.

bane

4.7.4

Live on pypi

Blocked by Socket

This module is an offensive brute-force and reconnaissance toolkit that attempts logins across multiple protocols, discovers admin/file manager endpoints, and provides password/hash cracking helpers. The code itself is not obfuscated and contains no hardcoded secrets in the fragment provided, but its functionality is malicious/abusive by intent — it facilitates unauthorized access and scanning. If present in a project or dependency chain it poses a high risk and should be treated as dangerous unless you explicitly need such capabilities for authorized security testing. Review any related imported modules (payloads, pager, hasher, wp, mysqlcp) before use.

ailever

0.3.193

Live on pypi

Blocked by Socket

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

github.com/bishopfox/sliver

v1.5.40-0.20231219175101-478dabf5e13e

Live on go

Blocked by Socket

This file is the main agent for the Sliver implant (a remote access/C2 framework). It collects host metadata, establishes outbound C2 connections (beacon or session), accepts and executes remote tasks, and can open sessions/pivots/tunnels. That behavior is consistent with a malware/backdoor implant intended for remote control and data exfiltration. Treat this package as malicious in a defensive context and do not run it in production networks. Further review of the handlers, transports, and pivots modules is required to enumerate exact capabilities (command execution, file exfiltration, credential theft, etc.).

354766/inference-sh-9/skills/case-study-writing/

db4636ec2adece813e60735aa4bc041e44684712

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] This skill is functionally benign as documentation for writing case studies, but it instructs users to install and run a remote CLI via a pipe-to-shell pattern and to authenticate to a third-party service. Those operational instructions constitute a supply-chain and data-exposure risk: downloading and executing remote binaries, running arbitrary executor apps, and sending user input/credentials to external endpoints are high-risk practices. There is no direct evidence of embedded malware in the skill text, but the installation and execution patterns are risky and disproportionate for a simple writing/template skill. Recommendation: treat the install step with caution — prefer manual download + checksum verification, minimize pasting of sensitive data into remote apps, and review the CLI project's source and privacy/data-retention policy before use. LLM verification: The skill content itself is a benign editorial/template document for writing case studies, but it instructs users to install and use a third-party CLI via a pipe-to-shell command and to run remote 'apps' that will receive user queries and potentially credentials. That download-and-execute pattern without enforced checksum verification in the quickstart is an objective supply-chain risk. The risk is primarily supply-chain and credential-forwarding to inference.sh infrastructure rather than clear

github.com/weaveworks/weave

v1.4.7-0.20160417114034-c1d98ba59cd3

Live on go

Blocked by Socket

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

curri-slack

3.1.0

Removed from npm

Blocked by Socket

The code is designed to exfiltrate sensitive system and project data to external servers without user consent, indicating malicious intent. The use of infinite loops for continuous data sending is also concerning.

Live on npm for 45 minutes before removal. Socket users were protected even while the package was live.

openhosta

4.2.0

Live on pypi

Blocked by Socket

This module performs direct arbitrary code execution via `exec(cleaned_code, local_scope)` on provided Python source text, with only syntax checking (`ast.parse`) as a “guard.” If an attacker can influence the input string, it is a high-severity supply-chain/runtime code execution risk (RCE) capable of leading to data theft, exfiltration, persistence, or system modification. The use of a shared `local_scope` increases the chance of state contamination across calls.

sbcli-dm

1.4.7

Live on pypi

Blocked by Socket

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

plengauer/thoth

5c20aa792861d2c090f403355d73c4ed1a1e39c0

Live on actions

Blocked by Socket

The code unconditionally executes a packaged shell script on Linux at import time with inherited stdio and package-directory working directory. The JS itself doesn't contain explicit malicious payloads, but this pattern is a high supply-chain risk: it grants any contents of inject_and_init.sh the ability to execute arbitrary commands with the user's privileges, interact with the terminal, read environment variables, and access the filesystem and network. Treat the package as potentially dangerous unless you can audit or control the script contents and provenance. Recommend removing automatic execution, adding explicit opt-in APIs, verifying script integrity (signatures/hashes), avoiding inherited stdio, and performing existence and content checks before execution.

ailever

0.3.83

Live on pypi

Blocked by Socket

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

cargo-bins/cargo-binstall

7aa36d332c4232fe5af282493800f0864afe0374

Live on actions

Blocked by Socket

The script implements a suspicious bootstrap flow that injects a user-provided binary into the toolchain path and then performs multiple self-update steps for cargo-binstall, manipulating symlinks and binary placement. This creates a potential supply-chain attack surface where a malicious payload could be executed as part of the cargo tooling chain or persist via the bin directory. Lack of validation, hard reliance on local payloads, and aggressive self-update steps increase the risk of compromise. This should not be trusted in a published package without strict integrity checks and explicit source verification.

bluelamp-ai

1.0.9

Removed from pypi

Blocked by Socket

This module implements a non-sandboxed CLI runtime that executes arbitrary shell or PowerShell commands and performs filesystem operations in a workspace. It contains no obvious intentional malware (no obfuscated payloads, no hardcoded exfiltration endpoints), but it is intrinsically dangerous: it will run arbitrary commands on the host and can read/write/copy host files and environment variables. Use only in trusted environments. Note: the provided snippet contains a syntax/bug ('friendly_message =' with no value) that would break import; that appears accidental rather than malicious.

Live on pypi for 2 hours and 15 minutes before removal. Socket users were protected even while the package was live.

hjnwtx

0.1.14

Live on pypi

Blocked by Socket

The code exhibits several security risks, particularly in the sendEmail function which could lead to data exfiltration. The presence of hardcoded values and lack of input validation raises concerns about potential malicious behavior. Overall, the code should be reviewed and modified to mitigate these risks.

torchmonarch-nightly

2025.7.30

Live on pypi

Blocked by Socket

This module is functionally a supervisor that uses pickle-based serialization over ZeroMQ. The code contains high-risk unsafe deserialization: it accepts pickle-formatted data from sockets (recv_multipart / recv_pyobj) and unpickles it without validation, then performs dynamic dispatch based on untrusted data. The temporary monkey-patch of torch.storage._load_from_bytes inside pickle_loads increases the attack surface for malicious payloads that embed torch storage objects. There are no authentication or integrity checks on incoming messages. Therefore the code is unsafe to use in untrusted-network environments: an attacker who can send messages to the supervisor sockets (or control SUPERVISOR_PIPE/SUPERVISOR_IDENT) can achieve remote code execution. No other explicit exfiltration, cryptomining, or backdoor code is present in this fragment, but the deserialization pattern makes arbitrary malicious behavior possible.

@sodexo-connect/sap-cdc-client

17.9897.9869

Live on npm

Blocked by Socket

The module performs unauthorized collection of local environment identifiers and transmits them, encrypted with a hardcoded key, to a hardcoded remote server immediately upon import via top-level await. The code uses light obfuscation to hide the target URL and property access. This is data exfiltration/backdoor behavior and represents a high security risk — do not use or deploy this package. Remove it and investigate any deployments that included it.

imcodes

2026.4.986-dev.986

by GitHub Actions

Live on npm

Blocked by Socket

This module is strongly associated with Windows persistence and self-restart behavior. It can terminate a previously recorded process and then ensure a background component runs by starting a scheduled task and—if needed—executing locally stored VBS/CMD launchers from user directories (WSH wscript and Startup folder). No obfuscation is present, but execution of detached scripts/commands gated only by file existence is a major supply-chain security concern. The actual maliciousness depends on what daemon-launcher.vbs and imcodes-daemon.cmd contain, which are not shown here.

imagecomponents.webcore.ui

4.0.4.3

by Image Components

Live on nuget

Blocked by Socket

The assembly contains a heavily obfuscated loader/runtime-patcher component that decrypts embedded content and executes it in-process by allocating writable/executable memory, writing payload bytes (including writing to /proc/self/mem on Unix and using WriteProcessMemory on Windows), changing protections, and invoking the result (and patching runtime method pointers). This is behavior consistent with runtime code injection / shellcode loaders and is a significant supply-chain risk. Treat this component as untrusted and high-risk: do not deploy in sensitive or production environments without full provenance and rigorous review. If the library is required, isolate it (sandbox/process boundary) or replace it with a source-available, non-obfuscated alternative.

github.com/sourcegraph/sourcegraph

v0.0.0-20210217012304-a8a7d2a10549

Live on go

Blocked by Socket

This module is a deliberate destructive utility that corrupts all .zip files in a specified directory by truncating each archive to half its size and appending repeated junk data. While it lacks common malware features like networking or data exfiltration, the behavior is strongly indicative of sabotage and would be unacceptable in most software supply-chain contexts due to its potential to break builds, deployments, or artifact integrity.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership


Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.


Rust: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

Golang: Go Modules (Go Dependency Management)

Java: Maven Central

JavaScript: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

Python: PyPI (Python Package Index)

Ruby: RubyGems.org (Ruby Package Manager)

Swift: Swift

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

Extensions: Chrome Web Store (Chrome Browser Extensions)

Extensions: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published from new accounts at a rate of roughly one every two minutes. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.


The latest from the Socket team

Get our latest security research, open source insights, and product updates.
