Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Questions? Call us at (844) SOCKET-0

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.5

We protect you from vulnerable and malicious packages

mtsm

0.0.81

Live on pypi

Blocked by Socket

This settings module contains multiple insecure configurations and several hardcoded secrets and keys that create a substantial supply‑chain and operational security risk if this repository is public or shared. There is no direct evidence of active malware in the code fragment itself, but the committed secrets and permissive production flags (DEBUG, ALLOWED_HOSTS, CORS allow all) materially increase risk of compromise and misuse. Treat this as high security risk: remove secrets from source control, rotate exposed credentials, tighten hosts/CORS/DEBUG, and audit dependent apps and configured endpoints.

cmmande

1.2.0

by 17b4a931

Removed from npm

Blocked by Socket

This code poses a serious security risk and should not be used.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

wish-c2

0.7.0a1

Live on pypi

Blocked by Socket

This code implements a stager and implant delivery mechanism for the Sliver C2 framework. It constructs downloadable payloads and binaries, serves them over HTTP, and the embedded stager payloads (when executed by a target) save downloaded binaries to disk and immediately execute them. That behavior is characteristic of malware/stagers and presents a high supply-chain and operational risk. Use of this module in production or inclusion in a general-purpose package is dangerous unless used in a controlled offensive security lab with proper authorization. If your threat model prohibits distributing or running remote-code-executing stagers/implants, do not use this package.

airbnb-location-suggester

2.8.0

by jpdhackerone06

Live on npm

Blocked by Socket

This code collects extensive system information—including hostname, OS type, platform, release, architecture, local IP, current user, and working directory—and fetches the public IP from https://api64[.]ipify[.]org?format=json. It then exfiltrates this data without user consent via HTTP GET and POST requests to http://54[.]173[.]15[.]59:8080/jpd[.]php (with a fake Mozilla/5.0 User-Agent) and falls back to a WebSocket connection to wss://yourserver[.]com/socket if HTTP fails. It suppresses console output during the npm preinstall lifecycle and uses dynamic imports to evade static analysis. These behaviors demonstrate clear malicious intent and high security risk.

bim-ui-component

0.0.64

by hecker_he

Live on npm

Blocked by Socket

High supply-chain risk. The module’s most critical behavior is dynamically executing an embedded, base64-decoded JavaScript payload inside a classic Web Worker. That embedded worker code includes tokenized fetch/Authorization-like header construction and postMessage-based result handling, which is not expected for a pure 3D renderer. Additionally, untrusted binary parsing drives typed-array/GPU allocations, creating potential denial-of-service conditions. Unless the embedded worker payload is fully audited and proven benign, the package should be treated as suspicious and quarantined.

currency_contry_exchange

1.9.4

Live on npm

Blocked by Socket

This library bundle contains a deliberate, targeted, and disruptive routine: for Russian-language clients on Russian-related domains, and after a persisted delay, it disables page interaction and injects/auto-plays an externally hosted audio file (hard-coded URL). This behavior is malicious and outside expected functionality for a UI alert library and should be treated as a supply-chain compromise. Recommended actions: remove or quarantine this package version, revert to a verified clean release, audit repository/package history and recent commits, and treat deployments that include this version as potentially compromised.

sbcli-dev

3.4.9

Live on pypi

Blocked by Socket

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

momentum-desktop

1.0.1

by shishirchawla

Live on npm

Blocked by Socket

The immediate risk comes from the postinstall hook executing a local script named prompt_credentials.js. This is a high-risk behavior: the script could prompt for and collect credentials, exfiltrate them, install additional malware, create persistent services, or modify system files. You cannot determine whether it is malicious without inspecting the contents of prompt_credentials.js. Treat packages that prompt for credentials during install as suspicious and review the script before running npm install on a machine with sensitive data.

routerxpl

0.9.0

Live on pypi

Blocked by Socket

This fragment is an offensive RCE exploit module: it fingerprints targeted Netgear routers, confirms with a crafted injection probe, and—when likely vulnerable—starts an interactive command loop that injects attacker-supplied OS commands via crafted HTTP requests to a CGI path. While no stealth/exfiltration/persistence mechanisms are visible in this snippet, the capability for remote command execution against consumer network devices makes it extremely high risk if used against systems without explicit authorization.

cornflakes

3.1.0

Live on pypi

Blocked by Socket

The code embeds a dangerous dynamic execution pattern by re-reading and executing the caller file contents in a separate Python process and then invoking the function by name. This can re-run initialization code, access sensitive data, and enable covert execution in a background context. It represents a notable supply-chain risk if the caller file is modifiable by an attacker. Recommend removing exec-based loading, using a clearly defined worker model (multiprocessing or threading with explicit callable targets), and implementing strict input validation and error handling to mitigate exposure.

kecilincctvcompress

1.0.10

by kecilin

Removed from npm

Blocked by Socket

The code poses a security risk due to downloading and executing binaries from an unverified source. The lack of verification and minimal error handling increases the potential for executing malicious code.

Live on npm for 37 minutes before removal. Socket users were protected even while the package was live.

ax-throttle

1.0.2

by ufgrkov12eow7

Live on npm

Blocked by Socket

The code is heavily obfuscated and performs actions typical of malware, such as downloading and executing files based on external data. This poses a significant security risk.

KSCrash

1.11.9

by PranayX01

Live on rubygems

Blocked by Socket

The code exhibits malicious behavior by collecting and sending sensitive system information to an external server without user consent. This poses a significant security risk.

github.com/rclone/rclone

v1.64.1-0.20231123095028-ba11040d6b53

Live on go

Blocked by Socket

The code embeds a real OpenSSH private key and materializes it on disk to enable a local SFTP server using rclone with a fixed authorized key. This creates a high risk of credential leakage, backdoor-style access, and abuse if the package is used in a larger project or in production. Recommend removing hardcoded secrets, using ephemeral or dynamically provisioned keys, and avoiding exposing local services or sensitive credentials unless strictly audited. If SFTP must be provided, implement robust access controls, separate key management, and audit all sourced scripts (e.g., rclone-serve.bash).

io.github.reajason:generator

2.6.1

Live on maven

Blocked by Socket

This class is a backdoor/memshell implant. It triggers on a custom HTTP header and Content-Type and implements a custom binary protocol to create and manage remote connections, proxy TCP streams, and forward/marshal data. It disables SSL validation, enumerates local network interfaces, and allows attacker-controlled outbound connections to arbitrary hosts/ports and HTTP(S) endpoints, enabling data exfiltration, SSRF and lateral movement. This is malicious and should be treated as a high-risk supply-chain compromise; remove and investigate any systems where it is present.

pino-req

1.2.0

Removed from npm

Blocked by Socket

The analyzed code is highly malicious. It steals sensitive system information and sends it to a suspicious external server, then executes arbitrary code received from that server. This poses a critical security risk including data theft and remote code execution. The obfuscation and silent error handling further confirm malicious intent. This package should be considered unsafe and avoided.

Live on npm for 8 days, 2 hours and 7 minutes before removal. Socket users were protected even while the package was live.

rqeactjs

1.1.4

by nepz

Live on npm

Blocked by Socket

The code performs unauthorized exfiltration of sensitive system information to an external Discord webhook without user consent. This constitutes malicious behavior consistent with spyware or backdoor malware. The hardcoded webhook URL and the nature of the data collected pose a significant privacy and security risk. The code is not obfuscated but is clearly designed to steal data silently.

github.com/yaklang/yaklang

v1.2.4-0.20230726040640-2971804345e9

Live on go

Blocked by Socket

This package contains code that constructs and transmits malicious CORBA/IIOP payloads intended to install a backdoor and execute remote commands on a target (WebLogic/CORBA naming services are explicitly targeted). The code reads responses to extract object keys and uses them to perform follow-up exploit steps. The behavior is exploitative and should be considered malicious and dangerous. This is a supply-chain risk: inclusion of this package would enable remote compromise of reachable CORBA/IIOP services.

uglyorange

0.1.8

Live on pypi

Blocked by Socket

This function downloads and executes a remote script and interpolates untrusted inputs into a shell command then runs it via os.system. It presents two severe issues: arbitrary remote code execution from the fetched script and command-injection via unescaped parameters. The combination and the naming strongly indicate malicious intent. Treat this code as highly dangerous: do not run it. Remove or block the remote URL, and replace with a secure, auditable deployment mechanism (no curl|bash, verify signatures, avoid shell interpolation).

numasec

4.1.5

Live on pypi

Blocked by Socket

Best report selection: Report 1 is the most detailed and appropriately flags that no executable code exists, while still correctly treating the content as a hostile, operational exploit playbook. Improved findings: the YAML explicitly enumerates attacker-controlled inputs (SSRF/XSS/LFI/SSTI/XXE) and their harmful sinks (metadata/IAM credential theft, cookie/session exfiltration, log-poisoning→RCE, template-engine exec→RCE, XXE local file read and optional OOB exfiltration). Because this fragment is not runnable code, malware behavior cannot be directly confirmed; nonetheless, its weaponized nature makes it a serious security red flag for any software supply-chain artifact.

ailever

0.2.320

Live on pypi

Blocked by Socket

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

ss-component-new

1.3.359

by hjjsuperabc

Live on npm

Blocked by Socket

This module is suspicious for supply-chain security purposes. It unconditionally sets hardcoded, token-like values in sessionStorage during login flow and also embeds hardcoded credentials (hjj/1) into a request payload that is persisted via a backend batch write (pageBatchAddApi) to a log/admin_user-related structure. These behaviors are inconsistent with typical authentication code and could enable session manipulation, credential poisoning, or hidden/test artifact persistence. Recommend isolating/reviewing before use, removing hardcoded secrets, and validating/controlling what gets written to backend logs.

htp-error

4.6.21

by xwlazssz

Removed from npm

Blocked by Socket

The code includes highly suspicious and malicious behavior, such as fetching data from external sources, encrypting and overwriting system files, and creating potentially harmful readme files. The presence of these activities suggests an intention to disrupt or harm the system it runs on.

Live on npm for 1 day, 7 hours and 21 minutes before removal. Socket users were protected even while the package was live.

romanes-eunt-domus-jd-1337

1.0.17

by a2efdc980204

Removed from npm

Blocked by Socket

The package contains malicious npm install scripts that download and potentially execute files from ntk9a34nm3cu1vd4qb21joe5twznnfg35[.]oastify[.]com during installation. It uses both wget and curl commands to retrieve files named 'install' and 'preinstall' from this external domain, which could contain arbitrary malicious code that would be executed with the permissions of the installing user.

Live on npm for 15 hours and 3 minutes before removal. Socket users were protected even while the package was live.

analytics-plugin-abc

103.6.1

by kzythss783

Live on npm

Blocked by Socket

The code demonstrates potential security risks due to the use of hard-coded values, unconventional string replacement, and dynamic request construction. The presence of these anomalies raises concerns about the overall security of the file management module. Further review and analysis are necessary to determine the full extent of the security risks.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

Unstable ownership

55 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

Rust: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

Golang: Go Modules (Go Dependency Management)

Java: Maven Central

JavaScript: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

Python: PyPI (Python Package Index)

Ruby: RubyGems.org (Ruby Package Manager)

Swift: Swift

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

Extensions: Chrome Web Store (Chrome Browser Extensions)

Extensions: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.
