Secure your dependencies. Ship with confidence.

This code is highly suspicious and likely malicious for the following reasons: it intentionally hides its logic via heavy obfuscation; it reads a stored Discord user token and uses it to perform programmatic axios requests to fetch channel messages; it repeatedly polls and parses message content (including potentially sensitive data like prices, identifiers, or private messages) and sends data out (HTTP requests and ipcRenderer notifications). This behavior is consistent with credential harvesting, account data scraping, and exfiltration. I recommend not running or shipping this code, auditing the full package and any other modules it depends on, rotating Discord credentials for any impacted accounts, and removing the package from deployments.

This module exposes extremely dangerous server-side capabilities through simple command handlers: direct arbitrary Python execution (`exec`), direct arbitrary OS/shell execution (`os.system`), arbitrary local file reading (`read_text` on caller-controlled paths), and process working-directory changes (`os.chdir`). Unless strictly restricted to authenticated, trusted operators elsewhere in the system, this constitutes an immediate remote compromise/backdoor-like risk. No overt obfuscation is present; the primary threat stems from the explicit execution and file-disclosure primitives.

This script is high-risk: it automates interactive login flows, captures and persists full browser storage_state (session tokens), and navigates authenticated sessions to banking/payment endpoints. The combination enables account takeover and fraudulent transactions when misused. Treat as malicious or at minimum dangerous automation; require immediate review, restrict execution, and audit any stored agent.state entries. Remediate by removing session persistence, not storing storage_state, and implementing strict access controls and logging.

This script is an exploit tool designed to perform SQL injection against the BookingPress WordPress plugin to enumerate database information and extract WordPress user credentials (usernames, emails, password hashes). It is explicitly malicious/offensive: it constructs injection payloads, harvests nonces to authenticate AJAX requests, and prints/exfiltrates sensitive data. It should not be used against systems without explicit authorization. Recommend treating this package or file as malicious exploit code and blocking or removing it from environments where arbitrary code execution or internet access to attacker-controlled targets is not allowed.

The fragment contains a credible data-exfiltration/backdoor pattern via a Node-based XMLHttpRequest path that writes to temporary disk files and spawns child processes to perform network I/O, coupled with obfuscated/minified sections and broad library bundling. While some components may be legitimate, the combination constitutes a notable security risk for supply chain trust in an OpenVSX extension. Recommend isolating or removing the IPC-like HTTP path, replacing with audited HTTP client usage, and performing a focused security review of the bundle before distribution.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] The MemoClaw docs and example integration present a compelling utility (persistent, vectorized memory storage) but expose a significant security design flaw: they require or encourage supplying the full wallet private key (via environment or config) and the JS example demonstrates transmitting that private key in API request bodies. This pattern is an unnecessary and dangerous credential‑exfiltration vector. Treat the package as high‑risk unless the implementation is audited and changed to perform local signing only and to avoid persisting or transmitting raw private keys. Do not use real wallets with this CLI/service until the auth flow is proven safe; if testing, use a dedicated empty wallet. Also audit any bulk ingest behavior to prevent accidental upload of sensitive local files. LLM verification: SUSPICIOUS — The skill's stated purpose matches its described capabilities (remote memory with wallet-based identity), but it requests a high-value secret (private key in MEMOCLAW_PRIVATE_KEY) which is disproportionate and introduces financial and impersonation risk. Centralizing potentially sensitive user data on api.memoclaw.com is a privacy risk, and the included static scanner findings (npm install references, directive to hide actions) increase suspicion of additional undisclosed install-ti

This code fragment is extremely suspicious and likely malicious. It implements multi-provider credential checking/auth automation, harvests and returns authentication artifacts (often alongside plaintext passwords), and contains a direct remote-code-execution generator (writes a loader that exec()s content fetched from a paste URL). Combined with TLS verification disabling and proxy routing, the overall security risk is critical; the module should not be used in any production or security-sensitive environment without strong isolation and removal/replace.

Live on pypi for 7 days, 12 hours and 18 minutes before removal. Socket users were protected even while the package was live.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

This module contains clear backdoor/botnet-like capabilities: targeted command dispatch (via host MAC token), remote arbitrary shell execution, system information gathering, and references to file transfer and screenshot features enabling exfiltration. Code quality issues exist (incorrect exception handling and malformed help output), but these do not reduce the severity of the functionality. Treat this package as malicious: do not run on production systems, isolate and analyze the rest of the repository in a controlled environment to identify C2 endpoints and exfiltration behavior.

The code is primarily intended for sending email notifications related to stock trading activities, but it includes hard-coded credentials and handles user data, raising potential security risks.

Live on pypi for 96 days, 22 hours and 17 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by attempting to exfiltrate user data (images) without consent, using hardcoded credentials to send the data to a Telegram bot. This constitutes a significant security risk and aligns with data theft activities.

Live on pypi for 2 hours and 47 minutes before removal. Socket users were protected even while the package was live.

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

This module is a purpose-built destructive utility: given a user-supplied directory, it enumerates all files ending in .zip and corrupts them by truncating them to half their size and appending deterministic junk data. The absence of safeguards (dry-run/confirmation/allowlists) and the deliberate sabotage operations make this strongly indicative of malicious intent within a supply-chain context, even though it does not show typical malware capabilities like networking or data exfiltration.

This assembly contains a heavily obfuscated runtime loader/unpacker that reads encrypted embedded resources, performs cryptographic verification, allocates executable memory or writes into the process image (including /proc/self/mem), patches CLR/runtime method pointers and executes native payloads. Those behaviors are not consistent with a harmless WPF utilities package and match in-memory code-injection/loader/backdoor patterns. Treat this component as malicious or high-risk: do not include it in trusted supply chains until the maintainer provides a full, auditable justification and source-level transparency (preferably removing/isolating the loader).

This code contains a critical supply chain attack. The broadcast method ignores user input and always executes a hardcoded cryptocurrency transfer before throwing a NotImplemented exception to hide the malicious behavior. Every application using this service will attempt unauthorized token transfers.

The code is malicious as it collects and sends system information to a remote server. It is heavily obfuscated to hide its true intent, which is indicative of malware.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

The code exhibits remote-configurable bot control with privilege management and persistence mechanisms, which together create meaningful abuse potential and supply-chain-like risk if tampered or deployed in uncontrolled environments. While some functionality aligns with legitimate automation, the remote admin/password flow and ability to alter party state remotely constitute a backdoor-like capability. Treat as high-risk; require strict authentication, remove remote password provisioning, harden admin management, audit external endpoints, and limit self-restart behaviors. A thorough code audit and containment in a trusted build process are recommended.

The code is malicious as it exfiltrates sensitive system information to an external domain using DNS queries. This poses a significant security risk.

Live on npm for 2 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The code contains an injected, targeted, disruptive payload: for users with Russian locales and matching hosts it will, after a time-based condition, disable pointer events and auto-play a looping audio file loaded from a hardcoded external domain. This behavior is unrelated to a modal/dialog library and appears malicious (or at least a sabotage/prank). Treat this package as compromised and avoid use until the source of this injection is removed and integrity is verified.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

This code contains a high-risk command-injection pattern: it constructs a shell command from user input and calls subprocess.run with shell=True. While there is no direct sign of obfuscation, embedded backdoors, or built-in network exfiltration, the unsafe execution pattern is sufficient to enable arbitrary command execution, data theft, or destruction if an attacker can supply the 'command' or 'working_directory' values. Remediation is required: avoid shell=True, parse/validate inputs, constrain working_directory, and avoid returning raw command outputs to untrusted callers.

This package runs a preinstall step that fetches Google Cloud instance metadata and immediately posts it to an external domain. That behavior is direct data exfiltration of sensitive cloud metadata and is highly malicious. Do not install this package in any environment (especially cloud instances). Investigate any exposure of credentials and revoke affected service account keys or tokens.

Live on npm for 20 hours and 47 minutes before removal. Socket users were protected even while the package was live.

This fragment is a mixed bundle: most visible logic is CSS parsing/linting, but it also contains explicit high-privilege capabilities—RCE via vm.runInThisContext on a raw CLI argument, destructive deletion via spawnSync('rm','-rf', dir), and arbitrary filesystem writes (with mkdir fallback). Even without proof of invocation, the presence of these primitives in a dependency creates a serious supply-chain security concern. Verify package entrypoints/public APIs, confirm whether these helpers are reachable in typical usage, and restrict/disable dangerous functionality where possible.

The code offers convenient completion helpers but contains a high-risk pattern: using eval() on a substring derived from a user-controlled completion string with an attacker-controlled or broad globals mapping. This enables arbitrary code execution and information disclosure of objects available in 'globs'. The fragment is not evidently malicious or obfuscated, but it represents a moderate-to-high security risk in any context where 's' or 'globs' can be influenced by untrusted parties. Recommend removing eval and implementing a safe dotted-name resolution and tightening what globals are exposed.

Live on pypi for 1 day, 7 hours and 50 minutes before removal. Socket users were protected even while the package was live.

This code is highly suspicious and likely malicious for the following reasons: it intentionally hides its logic via heavy obfuscation; it reads a stored Discord user token and uses it to perform programmatic axios requests to fetch channel messages; it repeatedly polls and parses message content (including potentially sensitive data like prices, identifiers, or private messages) and sends data out (HTTP requests and ipcRenderer notifications). This behavior is consistent with credential harvesting, account data scraping, and exfiltration. I recommend not running or shipping this code, auditing the full package and any other modules it depends on, rotating Discord credentials for any impacted accounts, and removing the package from deployments.

This module exposes extremely dangerous server-side capabilities through simple command handlers: direct arbitrary Python execution (`exec`), direct arbitrary OS/shell execution (`os.system`), arbitrary local file reading (`read_text` on caller-controlled paths), and process working-directory changes (`os.chdir`). Unless strictly restricted to authenticated, trusted operators elsewhere in the system, this constitutes an immediate remote compromise/backdoor-like risk. No overt obfuscation is present; the primary threat stems from the explicit execution and file-disclosure primitives.

This script is high-risk: it automates interactive login flows, captures and persists full browser storage_state (session tokens), and navigates authenticated sessions to banking/payment endpoints. The combination enables account takeover and fraudulent transactions when misused. Treat as malicious or at minimum dangerous automation; require immediate review, restrict execution, and audit any stored agent.state entries. Remediate by removing session persistence, not storing storage_state, and implementing strict access controls and logging.

This script is an exploit tool designed to perform SQL injection against the BookingPress WordPress plugin to enumerate database information and extract WordPress user credentials (usernames, emails, password hashes). It is explicitly malicious/offensive: it constructs injection payloads, harvests nonces to authenticate AJAX requests, and prints/exfiltrates sensitive data. It should not be used against systems without explicit authorization. Recommend treating this package or file as malicious exploit code and blocking or removing it from environments where arbitrary code execution or internet access to attacker-controlled targets is not allowed.

The fragment contains a credible data-exfiltration/backdoor pattern via a Node-based XMLHttpRequest path that writes to temporary disk files and spawns child processes to perform network I/O, coupled with obfuscated/minified sections and broad library bundling. While some components may be legitimate, the combination constitutes a notable security risk for supply chain trust in an OpenVSX extension. Recommend isolating or removing the IPC-like HTTP path, replacing with audited HTTP client usage, and performing a focused security review of the bundle before distribution.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] The MemoClaw docs and example integration present a compelling utility (persistent, vectorized memory storage) but expose a significant security design flaw: they require or encourage supplying the full wallet private key (via environment or config) and the JS example demonstrates transmitting that private key in API request bodies. This pattern is an unnecessary and dangerous credential‑exfiltration vector. Treat the package as high‑risk unless the implementation is audited and changed to perform local signing only and to avoid persisting or transmitting raw private keys. Do not use real wallets with this CLI/service until the auth flow is proven safe; if testing, use a dedicated empty wallet. Also audit any bulk ingest behavior to prevent accidental upload of sensitive local files. LLM verification: SUSPICIOUS — The skill's stated purpose matches its described capabilities (remote memory with wallet-based identity), but it requests a high-value secret (private key in MEMOCLAW_PRIVATE_KEY) which is disproportionate and introduces financial and impersonation risk. Centralizing potentially sensitive user data on api.memoclaw.com is a privacy risk, and the included static scanner findings (npm install references, directive to hide actions) increase suspicion of additional undisclosed install-ti

This code fragment is extremely suspicious and likely malicious. It implements multi-provider credential checking/auth automation, harvests and returns authentication artifacts (often alongside plaintext passwords), and contains a direct remote-code-execution generator (writes a loader that exec()s content fetched from a paste URL). Combined with TLS verification disabling and proxy routing, the overall security risk is critical; the module should not be used in any production or security-sensitive environment without strong isolation and removal/replace.

Live on pypi for 7 days, 12 hours and 18 minutes before removal. Socket users were protected even while the package was live.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

This module contains clear backdoor/botnet-like capabilities: targeted command dispatch (via host MAC token), remote arbitrary shell execution, system information gathering, and references to file transfer and screenshot features enabling exfiltration. Code quality issues exist (incorrect exception handling and malformed help output), but these do not reduce the severity of the functionality. Treat this package as malicious: do not run on production systems, isolate and analyze the rest of the repository in a controlled environment to identify C2 endpoints and exfiltration behavior.

The code is primarily intended for sending email notifications related to stock trading activities, but it includes hard-coded credentials and handles user data, raising potential security risks.

Live on pypi for 96 days, 22 hours and 17 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by attempting to exfiltrate user data (images) without consent, using hardcoded credentials to send the data to a Telegram bot. This constitutes a significant security risk and aligns with data theft activities.

Live on pypi for 2 hours and 47 minutes before removal. Socket users were protected even while the package was live.

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

This module is a purpose-built destructive utility: given a user-supplied directory, it enumerates all files ending in .zip and corrupts them by truncating them to half their size and appending deterministic junk data. The absence of safeguards (dry-run/confirmation/allowlists) and the deliberate sabotage operations make this strongly indicative of malicious intent within a supply-chain context, even though it does not show typical malware capabilities like networking or data exfiltration.

This assembly contains a heavily obfuscated runtime loader/unpacker that reads encrypted embedded resources, performs cryptographic verification, allocates executable memory or writes into the process image (including /proc/self/mem), patches CLR/runtime method pointers and executes native payloads. Those behaviors are not consistent with a harmless WPF utilities package and match in-memory code-injection/loader/backdoor patterns. Treat this component as malicious or high-risk: do not include it in trusted supply chains until the maintainer provides a full, auditable justification and source-level transparency (preferably removing/isolating the loader).

This code contains a critical supply chain attack. The broadcast method ignores user input and always executes a hardcoded cryptocurrency transfer before throwing a NotImplemented exception to hide the malicious behavior. Every application using this service will attempt unauthorized token transfers.

The code is malicious as it collects and sends system information to a remote server. It is heavily obfuscated to hide its true intent, which is indicative of malware.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

The code exhibits remote-configurable bot control with privilege management and persistence mechanisms, which together create meaningful abuse potential and supply-chain-like risk if tampered or deployed in uncontrolled environments. While some functionality aligns with legitimate automation, the remote admin/password flow and ability to alter party state remotely constitute a backdoor-like capability. Treat as high-risk; require strict authentication, remove remote password provisioning, harden admin management, audit external endpoints, and limit self-restart behaviors. A thorough code audit and containment in a trusted build process are recommended.

The code is malicious as it exfiltrates sensitive system information to an external domain using DNS queries. This poses a significant security risk.

Live on npm for 2 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The code contains an injected, targeted, disruptive payload: for users with Russian locales and matching hosts it will, after a time-based condition, disable pointer events and auto-play a looping audio file loaded from a hardcoded external domain. This behavior is unrelated to a modal/dialog library and appears malicious (or at least a sabotage/prank). Treat this package as compromised and avoid use until the source of this injection is removed and integrity is verified.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

This code contains a high-risk command-injection pattern: it constructs a shell command from user input and calls subprocess.run with shell=True. While there is no direct sign of obfuscation, embedded backdoors, or built-in network exfiltration, the unsafe execution pattern is sufficient to enable arbitrary command execution, data theft, or destruction if an attacker can supply the 'command' or 'working_directory' values. Remediation is required: avoid shell=True, parse/validate inputs, constrain working_directory, and avoid returning raw command outputs to untrusted callers.

This package runs a preinstall step that fetches Google Cloud instance metadata and immediately posts it to an external domain. That behavior is direct data exfiltration of sensitive cloud metadata and is highly malicious. Do not install this package in any environment (especially cloud instances). Investigate any exposure of credentials and revoke affected service account keys or tokens.

Live on npm for 20 hours and 47 minutes before removal. Socket users were protected even while the package was live.

This fragment is a mixed bundle: most visible logic is CSS parsing/linting, but it also contains explicit high-privilege capabilities—RCE via vm.runInThisContext on a raw CLI argument, destructive deletion via spawnSync('rm','-rf', dir), and arbitrary filesystem writes (with mkdir fallback). Even without proof of invocation, the presence of these primitives in a dependency creates a serious supply-chain security concern. Verify package entrypoints/public APIs, confirm whether these helpers are reachable in typical usage, and restrict/disable dangerous functionality where possible.

The code offers convenient completion helpers but contains a high-risk pattern: using eval() on a substring derived from a user-controlled completion string with an attacker-controlled or broad globals mapping. This enables arbitrary code execution and information disclosure of objects available in 'globs'. The fragment is not evidently malicious or obfuscated, but it represents a moderate-to-high security risk in any context where 's' or 'globs' can be influenced by untrusted parties. Recommend removing eval and implementing a safe dotted-name resolution and tightening what globals are exposed.

Live on pypi for 1 day, 7 hours and 50 minutes before removal. Socket users were protected even while the package was live.