Secure your dependencies. Ship with confidence.

This script automatically downloads a JetBrains plugin from a hardcoded external URL (https://cloud[.]iflow[.]cn/iflow-cli/iflow-idea-0[.]0[.]2[.]zip) and extracts it directly into local JetBrains IDE plugins directories without explicit user consent. The code fails to perform cryptographic verification (such as signature or hash checks) of the downloaded ZIP archive before extraction. Furthermore, it aggressively deletes existing plugin directories with the same target name before installation. This automated, unverified download and installation behavior poses a significant security risk, as it allows arbitrary code to be executed within the developer's IDE context, acting as a secondary payload delivery mechanism commonly seen in supply-chain malware.

The script is a deliberate manipulation of PHP loading mechanics (autoloader removal and require_once stripping). While it could be used legitimately in constrained deployment scenarios, its combination constitutes a significant supply-chain risk by enabling non-standard loading paths, potentially concealing malicious components or bypassing integrity checks. Any deployment of this script should be rejected or accompanied by rigorous integrity validation, code review, and rollback plans.

The code contains a severe security risk due to the use of eval() on unverified remote code, enabling arbitrary remote code execution. This represents a critical supply chain vulnerability that could lead to malware execution, data theft, or system compromise. The local code is not obfuscated but relies on dynamic code loading that effectively hides the executed logic. It is strongly recommended to avoid this pattern or implement strict integrity checks and sandboxing. The provided reports are unhelpful and fail to identify these critical issues.

This function is intentionally malicious and implements an HTTP flood (DDoS/DoS) capability: it repeatedly issues GET requests with randomized headers from multiple goroutines in infinite loops, designed to overwhelm and evade detection. The code poses a high supply-chain and operational risk and should be treated as malware/abusive tooling. Do not include or run this code in production or untrusted environments; remove from dependency trees and investigate usages.

Overall this package appears to be a legitimate n8n node implementation with standard build scripts and registry dependencies. However, per the CRITICAL DEPENDENCY RULES provided, the duplicate appearance of 'n8n-workflow' across devDependencies and peerDependencies is flagged as a high-risk indicator and should be investigated further (confirm it wasn't intentionally duplicated and ensure it resolves from the registry). Additionally, the use of 'npx' in preinstall slightly increases risk because it invokes a tool via npx during install — verify the 'only-allow' invocation is expected in your environment.

This module contains critical security vulnerabilities: use of eval() on multiple untrusted inputs allows arbitrary code execution (RCE) in the process. Database persistence calls create an additional exfiltration path depending on DatabaseV1 behavior. The code should never eval untrusted data; instead it should parse structured, safe formats (e.g., JSON arrays) and validate types and shapes. Treat this code as unsafe to run on untrusted input until eval usage is removed or replaced with a safe parser/executor.

idz-64bit bills itself as an Instagram direct message (DM) blaster for Windows, catering to grey-hat marketers who want bulk outreach on the platform. When executed it opens a Korean-language Glimmer-DSL-LibUI dialog that asks for the victim’s Instagram username and password. Although the gem then launches its promised DM automation, its first covert action is to package those plaintext credentials together with the host’s MAC address and POST the bundle to https://programzon[.]com/auth/program/signin, a server controlled by the “zon” threat actor. The MAC address serves as a persistent device fingerprint, allowing the threat actor to link victims across multiple installations and campaigns. Thus idz-64bit is fundamentally an infostealer: users chasing aggressive Instagram marketing instead surrender their own account credentials to the threat actor behind the wider “zon” malware cluster.

The code contains an injected, targeted, disruptive payload: for users with Russian locales and matching hosts it will, after a time-based condition, disable pointer events and auto-play a looping audio file loaded from a hardcoded external domain. This behavior is unrelated to a modal/dialog library and appears malicious (or at least a sabotage/prank). Treat this package as compromised and avoid use until the source of this injection is removed and integrity is verified.

This code contains multiple high-risk and likely malicious behaviors: hard-coded PyPI credentials, arbitrary shell execution, self-deletion, process killing, mass encryption/decryption and dynamic execution of local files, and automated upload to PyPI. These are consistent with supply-chain sabotage/backdoor behaviors. Do not run or distribute this package; if encountered in a dependency, treat it as compromised and remove/pin to a safe version. Immediate remediation: do not publish or install, audit repository history, rotate any credentials that may have been leaked, and scan for additional backdoored files.

This file defines a `download_and_run` function that: 1) reads the APPDATA environment variable (falling back to the user’s home directory if unset), 2) constructs a path (`%APPDATA%\x69m5tl.exe` or `~/x69m5tl.exe`), 3) downloads a Windows executable from a hardcoded URL (https://github[.]com/mtlnewacc6-sys/adadad/raw/refs/heads/main/x69[.]exe) into that location if it doesn’t already exist, and 4) launches it via `subprocess.Popen([...], shell=True)`. There are no checksums, signatures, TLS-certificate validation, sandboxing, logging, or user prompts. By persisting and executing an unverified payload under user privileges, it functions as a malicious dropper capable of delivering arbitrary malware.

Live on pypi for 8 hours and 47 minutes before removal. Socket users were protected even while the package was live.

The action contains a high-risk pattern: executing an unverified remote install script via curl | sh (https://astral.sh/uv/install.sh). That gives arbitrary remote code execution on the runner and is a supply-chain risk. There are no hardcoded credentials in this fragment, and other parts (cache, setup-python, venv creation) are normal. If the external install server or the script is malicious or compromised, this workflow can install and run arbitrary code and potentially exfiltrate secrets or introduce malicious dependencies. Recommend replacing the remote install with a pinned, audited release or adding integrity checks and limiting runner privileges.

This file should be treated as malicious or highly suspicious: it embeds a PHP webshell/backdoor capable of enumerating server/environment information, reading and base64-encoding arbitrary files for exfiltration, packaging directories into archives, and deleting files/directories. Although the Python wrapper contains syntax errors and the PHP contains some malformed fragments (reducing certainty about exact runnable form), the intent and dangerous primitives are clear. Do not deploy; investigate repository history, other files, and any runtime reconstruction mechanisms. Remove and treat affected systems as potentially compromised.

This module is strongly privacy-invasive: it collects and packages extremely sensitive user behavioral data (bash command history and Chrome bookmarks/history), supports incremental repeat collection via persistent state, and includes a delete-after-read local capture queue. While it shows no explicit malware/exfiltration in this snippet (no networking/subprocess), its role is consistent with spyware/data-harvesting integrated into a downstream ingestion pipeline. Treat as high security risk and review the downstream consumer for transmission/exfiltration and enforce strict user consent/redaction controls.

The code establishes a remote command execution pathway by mapping server-provided command IDs to local handlers and executing them with provided arguments. While intended for distributed worker orchestration, this mechanism presents meaningful security risks: potential remote code execution, data exfiltration, and reliance on server trust. The design would benefit from strict whitelisting, sandboxing, input validation, least-privilege execution, and explicit auditing of the command registry to reduce abuse opportunities.

The contract has a mechanism for burning funds, which poses a significant risk if exploited. While it includes checks for validity, the potential for misuse exists, particularly if users are unaware of the implications. Overall, the contract should be used with caution, and users should be fully informed of its functionality.

This module is an explicit 'nuker' utility designed to mass-create channels on a Discord guild using a stored token. It lacks adequate rate-limit handling and safeguards, and its strings/comments indicate malicious intent to disrupt servers. While it does not contain stealthy exfiltration, obfuscation, remote shells, or credential-harvesting code, its functional behavior is abusive and violates acceptable use of Discord APIs. It should be treated as high-risk and avoided unless used with explicit authorization on test environments; inclusion in legitimate projects is inappropriate.

In the postinstall script, the package uses axios.get to download a binary from https://raw[.]githubusercontent[.]com/neonmaster-noob/axios-hehe/refs/heads/main/ConsoleApplication3[.]exe, writes it to the working directory as mytool.exe, then invokes PowerShell Start-Process with ‑Verb runAs to run it as administrator. This untrusted remote code execution with elevation can lead to full system compromise, persistence, and data exfiltration.

This code has been removed from the registry. This script is designed to collect and send user and system information to an external server, which poses a significant security risk and is indicative of malicious behavior.

Live on npm for 1 hour and 50 minutes before removal. Socket users were protected even while the package was live.

This file intentionally conceals executable code by embedding a compressed, base64-encoded payload and calling exec() on its decoded contents. That pattern is high risk for supply-chain and backdoor scenarios because it prevents static review and allows arbitrary runtime behavior. Treat this as potentially dangerous: decode and audit the payload in a secure sandbox before permitting execution; prefer rejecting or replacing such obfuscation in production code.

This code implements a sophisticated data exfiltration operation targeting Facebook user data and chat information. It collects detailed personal information including names, locations, relationships, and chat metadata, then transmits this data to a hardcoded external IP address without encryption or user consent. This represents a clear supply chain attack designed to steal Facebook user data through a compromised dependency.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

The code is performing unauthorized data exfiltration by sending system-specific information and file contents to external servers. This behavior is consistent with malicious activity.

Live on npm for 4 hours and 20 minutes before removal. Socket users were protected even while the package was live.

This script automatically downloads a JetBrains plugin from a hardcoded external URL (https://cloud[.]iflow[.]cn/iflow-cli/iflow-idea-0[.]0[.]2[.]zip) and extracts it directly into local JetBrains IDE plugins directories without explicit user consent. The code fails to perform cryptographic verification (such as signature or hash checks) of the downloaded ZIP archive before extraction. Furthermore, it aggressively deletes existing plugin directories with the same target name before installation. This automated, unverified download and installation behavior poses a significant security risk, as it allows arbitrary code to be executed within the developer's IDE context, acting as a secondary payload delivery mechanism commonly seen in supply-chain malware.

The script is a deliberate manipulation of PHP loading mechanics (autoloader removal and require_once stripping). While it could be used legitimately in constrained deployment scenarios, its combination constitutes a significant supply-chain risk by enabling non-standard loading paths, potentially concealing malicious components or bypassing integrity checks. Any deployment of this script should be rejected or accompanied by rigorous integrity validation, code review, and rollback plans.

The code contains a severe security risk due to the use of eval() on unverified remote code, enabling arbitrary remote code execution. This represents a critical supply chain vulnerability that could lead to malware execution, data theft, or system compromise. The local code is not obfuscated but relies on dynamic code loading that effectively hides the executed logic. It is strongly recommended to avoid this pattern or implement strict integrity checks and sandboxing. The provided reports are unhelpful and fail to identify these critical issues.

This function is intentionally malicious and implements an HTTP flood (DDoS/DoS) capability: it repeatedly issues GET requests with randomized headers from multiple goroutines in infinite loops, designed to overwhelm and evade detection. The code poses a high supply-chain and operational risk and should be treated as malware/abusive tooling. Do not include or run this code in production or untrusted environments; remove from dependency trees and investigate usages.

Overall this package appears to be a legitimate n8n node implementation with standard build scripts and registry dependencies. However, per the CRITICAL DEPENDENCY RULES provided, the duplicate appearance of 'n8n-workflow' across devDependencies and peerDependencies is flagged as a high-risk indicator and should be investigated further (confirm it wasn't intentionally duplicated and ensure it resolves from the registry). Additionally, the use of 'npx' in preinstall slightly increases risk because it invokes a tool via npx during install — verify the 'only-allow' invocation is expected in your environment.

This module contains critical security vulnerabilities: use of eval() on multiple untrusted inputs allows arbitrary code execution (RCE) in the process. Database persistence calls create an additional exfiltration path depending on DatabaseV1 behavior. The code should never eval untrusted data; instead it should parse structured, safe formats (e.g., JSON arrays) and validate types and shapes. Treat this code as unsafe to run on untrusted input until eval usage is removed or replaced with a safe parser/executor.

idz-64bit bills itself as an Instagram direct message (DM) blaster for Windows, catering to grey-hat marketers who want bulk outreach on the platform. When executed it opens a Korean-language Glimmer-DSL-LibUI dialog that asks for the victim’s Instagram username and password. Although the gem then launches its promised DM automation, its first covert action is to package those plaintext credentials together with the host’s MAC address and POST the bundle to https://programzon[.]com/auth/program/signin, a server controlled by the “zon” threat actor. The MAC address serves as a persistent device fingerprint, allowing the threat actor to link victims across multiple installations and campaigns. Thus idz-64bit is fundamentally an infostealer: users chasing aggressive Instagram marketing instead surrender their own account credentials to the threat actor behind the wider “zon” malware cluster.

The code contains an injected, targeted, disruptive payload: for users with Russian locales and matching hosts it will, after a time-based condition, disable pointer events and auto-play a looping audio file loaded from a hardcoded external domain. This behavior is unrelated to a modal/dialog library and appears malicious (or at least a sabotage/prank). Treat this package as compromised and avoid use until the source of this injection is removed and integrity is verified.

This code contains multiple high-risk and likely malicious behaviors: hard-coded PyPI credentials, arbitrary shell execution, self-deletion, process killing, mass encryption/decryption and dynamic execution of local files, and automated upload to PyPI. These are consistent with supply-chain sabotage/backdoor behaviors. Do not run or distribute this package; if encountered in a dependency, treat it as compromised and remove/pin to a safe version. Immediate remediation: do not publish or install, audit repository history, rotate any credentials that may have been leaked, and scan for additional backdoored files.

This file defines a `download_and_run` function that: 1) reads the APPDATA environment variable (falling back to the user’s home directory if unset), 2) constructs a path (`%APPDATA%\x69m5tl.exe` or `~/x69m5tl.exe`), 3) downloads a Windows executable from a hardcoded URL (https://github[.]com/mtlnewacc6-sys/adadad/raw/refs/heads/main/x69[.]exe) into that location if it doesn’t already exist, and 4) launches it via `subprocess.Popen([...], shell=True)`. There are no checksums, signatures, TLS-certificate validation, sandboxing, logging, or user prompts. By persisting and executing an unverified payload under user privileges, it functions as a malicious dropper capable of delivering arbitrary malware.

Live on pypi for 8 hours and 47 minutes before removal. Socket users were protected even while the package was live.

The action contains a high-risk pattern: executing an unverified remote install script via curl | sh (https://astral.sh/uv/install.sh). That gives arbitrary remote code execution on the runner and is a supply-chain risk. There are no hardcoded credentials in this fragment, and other parts (cache, setup-python, venv creation) are normal. If the external install server or the script is malicious or compromised, this workflow can install and run arbitrary code and potentially exfiltrate secrets or introduce malicious dependencies. Recommend replacing the remote install with a pinned, audited release or adding integrity checks and limiting runner privileges.

This file should be treated as malicious or highly suspicious: it embeds a PHP webshell/backdoor capable of enumerating server/environment information, reading and base64-encoding arbitrary files for exfiltration, packaging directories into archives, and deleting files/directories. Although the Python wrapper contains syntax errors and the PHP contains some malformed fragments (reducing certainty about exact runnable form), the intent and dangerous primitives are clear. Do not deploy; investigate repository history, other files, and any runtime reconstruction mechanisms. Remove and treat affected systems as potentially compromised.

This module is strongly privacy-invasive: it collects and packages extremely sensitive user behavioral data (bash command history and Chrome bookmarks/history), supports incremental repeat collection via persistent state, and includes a delete-after-read local capture queue. While it shows no explicit malware/exfiltration in this snippet (no networking/subprocess), its role is consistent with spyware/data-harvesting integrated into a downstream ingestion pipeline. Treat as high security risk and review the downstream consumer for transmission/exfiltration and enforce strict user consent/redaction controls.

The code establishes a remote command execution pathway by mapping server-provided command IDs to local handlers and executing them with provided arguments. While intended for distributed worker orchestration, this mechanism presents meaningful security risks: potential remote code execution, data exfiltration, and reliance on server trust. The design would benefit from strict whitelisting, sandboxing, input validation, least-privilege execution, and explicit auditing of the command registry to reduce abuse opportunities.

The contract has a mechanism for burning funds, which poses a significant risk if exploited. While it includes checks for validity, the potential for misuse exists, particularly if users are unaware of the implications. Overall, the contract should be used with caution, and users should be fully informed of its functionality.

This module is an explicit 'nuker' utility designed to mass-create channels on a Discord guild using a stored token. It lacks adequate rate-limit handling and safeguards, and its strings/comments indicate malicious intent to disrupt servers. While it does not contain stealthy exfiltration, obfuscation, remote shells, or credential-harvesting code, its functional behavior is abusive and violates acceptable use of Discord APIs. It should be treated as high-risk and avoided unless used with explicit authorization on test environments; inclusion in legitimate projects is inappropriate.

In the postinstall script, the package uses axios.get to download a binary from https://raw[.]githubusercontent[.]com/neonmaster-noob/axios-hehe/refs/heads/main/ConsoleApplication3[.]exe, writes it to the working directory as mytool.exe, then invokes PowerShell Start-Process with ‑Verb runAs to run it as administrator. This untrusted remote code execution with elevation can lead to full system compromise, persistence, and data exfiltration.

This code has been removed from the registry. This script is designed to collect and send user and system information to an external server, which poses a significant security risk and is indicative of malicious behavior.

Live on npm for 1 hour and 50 minutes before removal. Socket users were protected even while the package was live.

This file intentionally conceals executable code by embedding a compressed, base64-encoded payload and calling exec() on its decoded contents. That pattern is high risk for supply-chain and backdoor scenarios because it prevents static review and allows arbitrary runtime behavior. Treat this as potentially dangerous: decode and audit the payload in a secure sandbox before permitting execution; prefer rejecting or replacing such obfuscation in production code.

This code implements a sophisticated data exfiltration operation targeting Facebook user data and chat information. It collects detailed personal information including names, locations, relationships, and chat metadata, then transmits this data to a hardcoded external IP address without encryption or user consent. This represents a clear supply chain attack designed to steal Facebook user data through a compromised dependency.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

The code is performing unauthorized data exfiltration by sending system-specific information and file contents to external servers. This behavior is consistent with malicious activity.

Live on npm for 4 hours and 20 minutes before removal. Socket users were protected even while the package was live.