Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

openclaw-android

2026.2.22

by yunze7373

Live on npm

Blocked by Socket

[Skill Scanner] Backtick command substitution detected (AITech 9.1.4) [CI003]

curri-slack

10.23.1000

Removed from npm

Blocked by Socket

The code exhibits clear signs of malicious behavior by exfiltrating system and project information to external servers. It poses a significant security risk due to unauthorized data transmission and potential privacy violations.

Live on npm for 12 days, 16 hours and 46 minutes before removal. Socket users were protected even while the package was live.

tx-engine

0.5.3

Live on pypi

Blocked by Socket

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

routerxpl

0.6.2

Live on pypi

Blocked by Socket

This code is a high-confidence, weaponized UPnP/SSDP UDP exploit module intended for blind command injection/RCE against specific D-Link DIR routers. It fingerprints targets using UDP responses and, upon matching, launches a command loop/shell that repeatedly sends attacker-controlled commands embedded into an SSDP M-SEARCH protocol field. While the snippet includes a likely typo in check()’s final return and relies on wildcard-imported framework helpers (which may affect exact runtime behavior), the offensive payload construction and shell invocation clearly indicate dangerous intent.

rfmux

1.4.1

Live on pypi

Blocked by Socket

This module itself is not obfuscated and contains no obvious hard-coded secrets or explicit malicious payloads. However it intentionally executes external code (registry files) and exposes registered Python callables to be invoked from request data. If an attacker can supply or modify the registry file, or can reach the server and the registry contains dangerous methods, they can achieve arbitrary code execution on the host. Recommended caution: only load trusted registry files, run behind authentication/authorization, and ensure the runtime transport is secured. For untrusted environments, treat this as high-risk functionality.

vdr

2.0.3

Live on pypi

Blocked by Socket

This module implements continuous microphone recording and cleartext UDP streaming of recorded audio to a remote host, then deletes local copies. The behavior is highly privacy-invasive and consistent with audio exfiltration/spyware. Without strong, explicit legitimate justification and additional protections (encryption, auth, consent, error handling and controls), this code should be considered dangerous and not used in production or on sensitive hosts.

github.com/sourcegraph/sourcegraph

v0.0.0-20210209151613-19f1c602d9e7

Live on go

Blocked by Socket

This module is a deliberate destructive utility that corrupts all .zip files in a specified directory by truncating each archive to half its size and appending repeated junk data. While it lacks common malware features like networking or data exfiltration, the behavior is strongly indicative of sabotage and would be unacceptable in most software supply-chain contexts due to its potential to break builds, deployments, or artifact integrity.

prism-commercial-ui

100.100.105

by jwosborniv

Removed from npm

Blocked by Socket

This script is attempting to exfiltrate sensitive data (contents of /etc/passwd) to a remote server. This behavior is highly malicious and poses a significant security risk.

Live on npm for 1 hour and 25 minutes before removal. Socket users were protected even while the package was live.

crowd-components

141.0.0

by yandex.pizda

Removed from npm

Blocked by Socket

The code is engaging in malicious behavior by exfiltrating environment variables to an external server. The use of obfuscation indicates an attempt to hide this behavior.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

github.com/bishopfox/sliver

v1.4.9-0.20210406091252-1a5335ab9e57

Live on go

Blocked by Socket

This file implements a DNS-based command-and-control transport (Sliver implant DNS C2). It encodes, fragments and transmits encrypted payloads via DNS TXT queries to an operator-controlled parent domain and receives commands the same way. The code provides full C2 capabilities (session bootstrap, encrypted send/receive, block reassembly). It also includes weaknesses: insecure random number generator for nonces/IDs and an unbounded in-memory replay cache. Given its functionality, this code is malicious in the general software supply-chain context and poses a high security risk if present in a dependency.

amazon-discount-code-ireland-2-off-february-2023391

1.0.2

by micheal2520

Removed from npm

Blocked by Socket

This Python script implements a supply chain attack by automatically generating and mass-publishing spam packages to the npm registry. The malware operates in an infinite loop, publishing 100 packages per cycle by: (1) randomly selecting from hardcoded folder paths containing game/service-related templates, (2) copying and modifying template files (index.js, package.json, README.md) with dynamically generated content, (3) systematically replacing 'hack' keywords with 'new' to evade detection, (4) executing 'npm publish' commands via subprocess to automatically publish packages, (5) verifying publication success by checking npmjs[.]com URLs, and (6) generating SEO-optimized HTML links with external domain references for link manipulation. The script reads configuration data including domain names and keywords from text files, uses random string generation for package naming, and maintains output logs of successful publications. This represents a significant threat to npm ecosystem integrity through deliberate package registry pollution and constitutes malware due to its clear malicious intent to deceive users and abuse infrastructure.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

@leverageaiapps/locus

2.3.2

by leverageaiapp

Live on npm

Blocked by Socket

The provided code functions as a remote tunneling/agent that exposes powerful primitives: arbitrary file read/write, directory listing, remote command execution output forwarding, and HTTP/WebSocket proxying to localhost. In an environment where the gateway is untrusted or compromised, this module would enable data exfiltration, local service access, and remote file modification — effectively a backdoor. If this agent is intentionally installed and the gateway is trusted (e.g., a legitimate remote support/control server), the behavior may be acceptable. However, absent clear authentication/authorization controls in the shown fragment, this code presents a high-risk capability and should be treated as dangerous if used without strict access controls and auditability.

web3-agent-browser

0.2.1

by ivanzz

Live on npm

Blocked by Socket

This module combines remote EVM signing/transaction functionality with an explicit MAIN-world CSP bypass that removes both enforcing and report-only CSP meta tags (including dynamically added ones). It also broadens interaction scope via content-script registration and broadcasts provider events to all tabs. While it does not show direct keylogging or system file access in this fragment, the CSP-defeat mechanism is a high-severity red flag consistent with malicious capability or policy evasion, making the overall supply-chain security risk high.

@egodesign/komatsu-uikit

0.0.54

by kimeyrc

Live on npm

Blocked by Socket

Cannot perform security analysis due to heavily obfuscated/corrupted source code and incomplete security report. The extreme level of obfuscation itself is a major red flag indicating potential malicious content.

@qingchencloud/openclaw-zh

2026.2.14-nightly.202602151554

Live on npm

Blocked by Socket

The provided specification is a legitimate tool description for managing Feishu permissions and does not itself contain code-level indicators of malware, obfuscation, or backdoors. The main security risks are operational: acceptance and use of a high-privilege token without guidance on secure handling, and the absence of explicit API endpoints which creates uncertainty about where tokens/requests will be sent. Recommendations: keep the tool disabled by default; require explicit opt-in and documented network endpoints that must be verified to be official Feishu APIs; enforce least-privilege, short-lived tokens; implement logging redaction and audit trails; and perform code review on any implementation to ensure tokens are not logged, persisted insecurely, or proxied through third parties.

@o861runners/dotenvrtdb

1.260408.10848

by o861.runners

Live on npm

Blocked by Socket

This fragment implements a remote-triggered emergency stop mechanism with clearly destructive behavior. An SSE payload that indicates ownership mismatch directly triggers cancellation of GitHub Actions and Azure DevOps builds using environment-provided credentials, followed by aggressive Docker Compose teardown (including volumes) and forceful local process termination (cgroup PID SIGKILLs and process-group SIGTERM/SIGKILL), then exits. While it could be intended for a legitimate runner takeover/self-protection workflow, the combination of remote data control plus high-impact disruption is strongly consistent with sabotage/hostile functionality if the SSE endpoint or signal can be influenced.

mrg-nano-xhr

20.764.459

Removed from npm

Blocked by Socket

The code exhibits behaviors consistent with data exfiltration and unauthorized network communication. The use of obfuscation and dynamic DNS resolution further indicates potential malicious intent.

compy-payments

0.2.1

by compy-ryu

Live on npm

Blocked by Socket

The source code implements functions that send highly sensitive payment card data, including security codes and passwords, to a suspicious and unknown external domain without safeguards or user consent. This behavior constitutes a high-risk data exfiltration and is indicative of malicious intent or a severe supply chain security compromise. The code is not obfuscated but poses a significant security risk. The existing reports are invalid and provide no useful information. This package should be considered dangerous and avoided.

fray

3.5.134

Live on pypi

Blocked by Socket

This file is a concentrated collection of active exploit/deserialization payloads designed to detect or trigger known gadget chains and vulnerabilities across multiple platforms. While formatted as a testing catalog, its content is inherently dangerous: it includes explicit command-execution payloads, remote class-loading references, and authentication-bypass tokens. If found in a codebase or dependency, treat as high-risk—remove from production, restrict access, audit any use or transmission logs, and verify no unauthorized target interactions occurred. Only use in controlled, authorized testing environments.

mgcomtools

0.1.51

Live on pypi

Blocked by Socket

This file contains a function that processes an input message by printing it locally and sending it via an HTTP POST request to an external API endpoint (https://api.example.com/bot<TOKEN>/sendMessage?chat_id=<CHANNEL_ID>&text=<MESSAGE>). The function uses hardcoded sensitive credentials—a bot token and channel ID—which, if compromised, could allow an attacker to exfiltrate data from systems where the code is deployed. By automatically forwarding any given message to a predetermined external channel, the function establishes a covert channel for data leakage, presenting a significant security risk.

sbcli-dev

4.0.41

Live on pypi

Blocked by Socket

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

dnszlsk/muad-dib

144698d93ca2d4364a970d755f7b4c6f756a09fd

Live on actions

Blocked by Socket

This module is strongly indicative of malicious supply-chain credential theft. It reads a sensitive npm token from the environment and executes curl to POST that token to a hardcoded attacker-controlled endpoint. It also reads .npmrc, consistent with secret harvesting. The behavior is not aligned with legitimate package functionality.

koishi-plugin-hisoutensoku-jammer

12.1.1

by nanahira

Live on npm

Blocked by Socket

The analyzed code implements a jammer/attack plugin that autonomously derives target addresses from message content and OCR-derived data and conducts UDP-based attacks within a configurable timeout window. This reveals explicit network-abuse capabilities and potential misuse in a supply-chain context, marking it as high-risk for inclusion in public dependencies without robust safeguards, access controls, and explicit authorization.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

RUST: crates.io, Rust Package Manager

PHP: Packagist, PHP Package Manager

GOLANG: Go Modules, Go Dependency Management

JAVA: Maven Central

JAVASCRIPT: npm, Node Package Manager

.NET: NuGet, .NET Package Manager

PYTHON: PyPI, Python Package Index

RUBY: RubyGems.org, Ruby Package Manager

SWIFT: Swift

AI: Hugging Face Hub, AI Model Hub

CI: GitHub Actions, CI/CD Workflows

EXTENSIONS: Chrome Web Store, Chrome Browser Extensions

EXTENSIONS: Open VSX, VS Code Extensions

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
